Dispatch Working Group
Internet Engineering Task Force (IETF)                     A. Allen, Ed.
Internet-Draft
Request for Comments: 7255                                    Blackberry
Intended status:
Category: Informational                         February 26, 2014
Expires: August 30,                                         May 2014
ISSN: 2070-1721

    Using the International Mobile station Equipment Identity (IMEI)
             Uniform Resource Name (URN) as an Instance ID
             draft-allen-dispatch-imei-urn-as-instanceid-13

Abstract

   This specification specifies defines how the Uniform Resource Name (URN)
   reserved for the GSMA (GSM Association) Global System for Mobile Communications Association
   (GSMA) identities and its sub-
   namespace sub-namespace for the IMEI (International International Mobile
   station Equipment
   Identity) Identity (IMEI) can be used as an instance-id.  Its
   purpose is to fulfil fulfill the requirements for defining how a specific
   URN needs to be constructed and used in the "+sip.instance" '+sip.instance' Contact
   header field parameter for outbound behavior.

Status of this This Memo

   This Internet-Draft document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents a product of the Internet Engineering Task Force
   (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list  It represents the consensus of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a maximum candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of six months this document, any errata,
   and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 30, 2014.
   http://www.rfc-editor.org/info/rfc7255.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3 ....................................................2
   2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 .....................................................3
   3. Background  . . . . . . . . . . . . . . . . . . . . . . . . . . 4 ......................................................3
   4. 3GPP Use Cases  . . . . . . . . . . . . . . . . . . . . . . . . 5 ..................................................5
   5. User Agent Client Procedures  . . . . . . . . . . . . . . . . . 6 ....................................5
   6. User Agent Server Procedures  . . . . . . . . . . . . . . . . . 7 ....................................6
   7. 3GPP SIP Registrar Procedures . . . . . . . . . . . . . . . . . 7 ...................................6
   8.  IANA considerations . . . . . . . . . . . . . . . . . . . . . . 7

   9. Security considerations . . . . . . . . . . . . . . . . . . . . 7

   10. Considerations .........................................7
   9. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 8

   11. ................................................7
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . . . 8
     11.1. .....................................................8
      10.1. Normative references . . . . . . . . . . . . . . . . . . . 8
     11.2. References ......................................8
      10.2. Informative references . . . . . . . . . . . . . . . . . . 9

   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 9 References ....................................8

1.  Introduction

   This specification specifies defines how the Uniform Resource Name (URN)
   reserved for GSMA the Global System for Mobile Communications Association
   (GSMA) identities and its sub-namespace for the IMEI (International International Mobile
   station Equipment Identity) Identity (IMEI) as specified in
   draft-montemurro-gsma-imei-urn-20 RFC 7254 [1] can be
   used as an instance-id as specified in RFC 5626 [2] and also as used
   by RFC 5627 [3].

   RFC 5626 [2] specifies the "+sip.instance" '+sip.instance' Contact header field
   parameter that contains a URN as specified in RFC 2141 [4].  The
   instance-id uniquely identifies a specific UA User Agent (UA) instance.
   This instance-id is used as specified in RFC 5626 [2] so that the SIP
   (Session
   Session Initiation Protocol) Protocol (SIP) registrar (as specified in RFC 3261
   [5])
   [9]) can recognize that the contacts from multiple registrations
   correspond to the same UA.  The instance-id is also used as specified
   by RFC 5627 [3] to create Globally Routable User Agent URIs (GRUUs)
   that can be used to uniquely address a UA when multiple UAs are
   registered with the same Address of Record (AoR).

   RFC 5626 [2] requires that a UA SHOULD create a Universally Unique
   Identifier (UUID) URN as specified in RFC 4122 [6] as its instance-id
   but allows for the possibility to use other URN schemes.  Per
   RFC 5626, "If a URN scheme other than UUID is used, the UA MUST only
   use URNs for which an RFC (from the IETF stream) defines how the
   specific URN needs to be constructed and used in the "+sip.instance"
   Contact header field parameter for outbound behavior." behavior".  This
   specification meets this requirement by specifying how the GSMA IMEI
   URN is used in the
   "+sip.instance" '+sip.instance' Contact header field parameter for
   outbound behavior, and draft-montemurro-gsma-imei-urn-20 RFC 7254 [1]  specifies how the GSMA IMEI URN
   is constructed.

   The GSMA IMEI is a URN for the IMEI -- a globally unique identifier
   that identifies mobile devices used in the Global System for Mobile
   communications(GSM), GSM, Universal Mobile
   Telecommunications System
   (UMTS) (UMTS), and 3GPP LTE (Long 3rd Generation Partnership
   Project (3GPP) Long Term Evolution)networks. Evolution (LTE) networks.  The IMEI
   allocation is managed by the GSMA to ensure that the IMEI values are
   globally unique.  Details of the formatting of the IMEI as a URN are
   specified in draft-montemurro-gsma-imei-urn-20 [1] RFC 7254 [1], and the definition of the IMEI is
   contained in 3GPP TS 23.003 [10].  Further details about the GSMA GSMA's
   role in allocating the IMEI IMEI, and the IMEI allocation
   guidelines guidelines, can
   be found in GSMA PRD TS.06 [11].

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [7].

3.  Background

   GSM, UMTS UMTS, and LTE capable mobile devices represent 90% of the mobile
   devices in use worldwide.  Every manufactured GSM, UMTS UMTS, or LTE
   mobile device has an allocated IMEI that uniquely identifies this
   specific mobile device.  Amongst  Among other things things, in some regulatory
   jurisdictions the IMEI is used to identify that a stolen mobile
   device is being used, to help to identify the subscription that is
   using it it, and to prevent use of the mobile device.  Whilst  While GSM was
   originally a circuit switched system, enhancements such as GPRS (General the
   General Packet Radio Service) Service (GPRS) and UMTS have added IP data
   capabilities which that, along with the definition of the IP (Internet Protocol) Multimedia
   Subsystem (IMS) (IMS), have made SIP based SIP-based calls and IP multimedia sessions
   from mobile devices possible.

   The latest enhancement enhancement, known as LTE LTE, introduces even higher data
   rates and dispenses with the circuit switched infrastructure
   completely.  This means that with LTE networks, voice calls will need
   to be conducted using IP and IMS.  However, the transition to all IP, SIP
   based IP
   SIP-based IMS networks worldwide will take a great many years years, and
   mobile
   devices devices, being mobile mobile, will need to operate in both IP/SIP/IMS
   mode and circuit switched mode.  This means that calls and sessions
   will need to be handed over between IP/SIP/IMS mode and circuit
   switched mode mid-call or mid-session.  Also  Also, since many existing GSM
   and UMTS radio access networks are unable to support IP/SIP/IMS based IP/SIP/IMS-based
   voice services in a commercially acceptable manner, some sessions
   could have some media types delivered via IP/IMS simultaneously with
   voice media delivered via the circuit switched domain to the same
   mobile device.  To achieve this this, the mobile device is needs to be
   simultaneously attached via both the IP/SIP/IMS domain and the
   circuit switched domain.

   To meet this need need, the 3GPP has specified how to maintain session
   continuity between the IP/SIP/IMS domain and the circuit switched
   domain in 3GPP TS 24.237 [12] [12], and in 3GPP TS 24.292 [13] has
   specified how to access IMS hosted services via both the IP/SIP/IMS
   domain and the circuit switched domain in
   3GPP TS 24.292 [13]. domain.

   In order for the mobile device to access SIP/IMS services via the
   circuit switched domain domain, the 3GPP has specified a MSC (Mobile Mobile Switching
   Center)
   Center (MSC) server enhanced for ICS (IMS centralized services) IMS Centralized Services (ICS) and a
   MSC server enhanced for SR-VCC (Single Single Radio Voice Call Continuity) Continuity (SR-VCC)
   that control mobile voice call setup over the circuit switched radio
   access while establishing the corresponding voice session in the core
   network using SIP/IMS.  To enable this, the MSC server enhanced for
   ICS or the MSC server enhanced for SR-VCC, perform SR-VCC performs SIP registration
   on behalf of the mobile device device, which is also simultaneously directly
   registered with the IP/SIP/IMS domain.  The only mobile device
   identifier that is transportable using GSM/UMTS/LTE signaling is the
   IMEI therefore
   IMEI; therefore, the instance-id included by the MSC server enhanced
   for ICS or the MSC server enhanced for SR-VCC when acting on behalf
   of the mobile device, and the instance-id directly included by the
   mobile device device, both need to be based on the IMEI.

   Additionally

   Additionally, in order to meet the above requirements, the same IMEI
   that is obtained from the circuit switched signaling by the MSC
   server needs to be obtainable from SIP signaling so that that it can be
   determined that both the SIP signaling and circuit switched signaling
   originate from the same mobile device.

   For these reasons, 3GPP TS 24.237 [12] and 3GPP TS 24.292 [13]
   already specify the use of the URN namespace for the GSMA IMEI URN as
   specified in
   draft-montemurro-gsma-imei-urn-20 RFC 7254 [1] as the instance-id used by GSM/
   UMTS/LTE GSM/UMTS/LTE
   mobile devices, the MSC server enhanced for SR-VCC SR-VCC, and the MSC
   server enhanced for ICS, for SIP/IMS registrations and emergency emergency-
   related SIP requests for these reasons. requests.

4.  3GPP Use Cases

   1.  The mobile device includes its IMEI in the SIP REGISTER request
       so that the SIP registrar can perform a check of the Equipment
       Identity Register (EIR) to verify if whether this mobile device is
       allowed or
   barred from accessing to access the network for non-emergency services or is
       barred from doing so (e.g., because it the device has been stolen).
       If the mobile device is not allowed to access the network for
       non-emergency services services, the SIP registrar can reject the registration.  Thus
       registration and thus prevent a barred mobile device is prevented from accesssing
       accessing the network for non-emergency services.

   2.  The mobile device includes its IMEI in SIP INVITE requests used
       to establish emergency sessions.  This is so that the PSAP (Public Public
       Safety Answering Point) Point (PSAP) can obtain the IMEI of the mobile
       device for identification purposes if required by regulations.

   3.  The inclusion by the mobile device of its IMEI that is included in SIP INVITE requests by the mobile
       device and used to establish emergency sessions is also used in the
       cases of unauthenticated emergency sessions to enable the network
       to identify the mobile device.  This is especially important if
       the unauthenticated emergency session is handed over from the
       packet switched domain to the circuit switched domain.  In this scenario
       scenario, the IMEI is the only identifier that is common to both domains that
       domains, so the Emergency Access Transfer Function (EATF) in the
       network, that which in such cases coordinates the transfer between
       domains, can use the IMEI to identify determine that the circuit switched
       call is from the same mobile device that was in the emergency
       session in the packet switched domain.

5.  User Agent Client Procedures

   A UAC User Agent Client (UAC) that has an IMEI as specified in 3GPP TS
   23.003 [10] and that is registering with a 3GPP IMS network MUST
   include in the "sip.instance" media feature tag the GSMA IMEI URN
   according to the syntax specified in draft-montemurro-gsma-imei-urn-20 RFC 7254 [1] when performing the
   registration procedures specified in RFC 5626 [2] or RFC 5627 [3] [3], or
   any other procedure requiring the inclusion of the "sip.instance"
   media feature tag.  The UAC SHOULD NOT include the optional "svn" 'svn'
   parameter in the GSMA IMEI URN in the "sip.instance" media feature
   tag, since the software version can change as a result of upgrades to
   the device firmware which that would create a new instance-id.  Any future non zero
   non-zero values of the "vers" 'vers' parameter, or the future definition of
   additional parameters for the GSMA IMEI URN that are intended to be
   used as part of an instance-id instance-id, will require that an update to be made
   to this RFC.  The UAC MUST provide character-by-
   character character-by-character identical
   URNs in each registration according to RFC 5626 [2].  Hence, any
   optional or variable components of the URN (e.g., the "vers" 'vers'
   parameter) MUST be presented with the same values and in the same
   order in every registration as in the first registration.

   A UAC MUST NOT use the GSMA IMEI URN as an instance-id instance-id, except when
   registering with a 3GPP IMS network.  When a UAC is operating in IMS
   mode
   mode, it will obtain the domain of the network to register with from the UICC Universal Integrated Circuit Card
   (UICC) (commonly known as the SIM card). card) the domain of the network
   with which to register.  This is a carrier's IMS network domain.  The
   UAC will also obtain the address of the IMS edge proxy to send the
   REGISTER request containing the IMEI using information elelments elements in
   the Attach response when it attepts attempts to connect to the carriers carrier's
   packet data network.  When registering with a non-3GPP IMS network network, a
   UAC SHOULD use a UUID as an instance-id as specified in RFC 5626 [2].

   A UAC MUST NOT include the "sip.instance" media feature tag
   containing the GSMA IMEI URN in the Contact header field of non-
   REGISTER requests requests, except when the request is related to an emergency
   session.  Regulatory requirements can require that the IMEI to be
   provided to the Public Safety Answering Point (PSAP). PSAP.  Any future exceptions to this prohibition will
   require a the publication of an RFC that addresses how privacy is not
   violated by such a usage.

6.  User Agent Server Procedures

   A UAS User Agent Server (UAS) MUST NOT include its "sip.instance" media
   feature tag containing the GSMA IMEI URN in the Contact header field
   of responses responses, except when the response is related to an emergency
   session.  Regulatory requirements can require that the IMEI to be
   provided to the
   Public Safety Answering Point(PSAP). PSAP.  Any future exceptions to this prohibition will
   require a the publication of an RFC that addresses how privacy is not
   violated by such a usage.

7.  3GPP SIP Registrar Procedures

   In 3GPP IMS IMS, when the SIP Registrar registrar receives in the Contact header
   field a "sip.instance" media feature tag containing the GSMA IMEI URN
   according to the syntax specified in
   draft-montemurro-gsma-imei-urn-20 RFC 7254 [1] the SIP registrar
   follows the procedures specified in RFC 5626 [2].  The IMEI URN MAY
   be validated as described in draft-montemurro-gsma-imei-urn-20 RFC 7254 [1].  If the UA indicates that
   it supports the extension in RFC 5627 [3] and the SIP
   Registrar registrar
   allocates a public GRUU according to the procedures specified in
   RFC 5627 [3] [3], the instance-id MUST be obfuscated when creating the "gr"
   'gr' parameter in order not to reveal the IMEI to other UAs when the
   public GRUU is included in non-REGISTER requests and responses.  3GPP
   TS 24.229 [8] subclause 5.4.7A.2 specifies the mechanism for
   obfuscating the IMEI when creating the "gr" 'gr' parameter.

8.  IANA considerations

   This document defines no items requiring action by IANA.

9.  Security considerations Considerations

   Because IMEIs IMEIs, like other formats of instance-ids instance-ids, can be correlated
   to a user, they are they are personally identifiable informationneed information and therefore
   MUST be treated in the same way as any other personally identifiable
   information.  In particular, the "sip.instance" media feature tag
   containing the GSMA IMEI URN MUST NOT be included in requests or
   responses intended to convey any level of anonymity, as this could
   violate the users user's privacy.  RFC 5626 [2] states that "One case where
   a UA could prefer to omit the "sip.instance" media feature tag is
   when it is making an anonymous request or some other privacy concern
   requires that the UA not reveal its identity".  The same concerns
   apply when using the GSMA IMEI URN as an instance-id.  Publication of
   the GSMA IMEI URN to networks that to which the UA is not attached to attached, or
   with which the UA does not have a service relationship with relationship, is a security breach
   breach, and the "sip.instance" media feature tag MUST NOT be
   forwarded by the service provider's network elements when forwarding
   requests or responses towards the destination UA.  Additionally, an
   instance-id containing the GSMA IMEI URN identifies a mobile device
   and not a user.  The instance-id containing the GSMA IMEI URN MUST
   NOT be used alone as an address for a user or as an identification
   credential for a user.  The GRUU mechanism specified in RFC 5627 [3]
   provides a means to create URIs that address the user at a specific
   device or User Agent.

   Entities that log the instance ID instance-id need to protect them as personally
   identifiable information.  Regulatory requirements can require that
   carriers to log SIP IMEIs.

   In order to protect the "sip.instance" media feature tag containing
   the GSMA IMEI URN from being tampered with, those REGISTER requests
   containing the GSMA IMEI URN MUST be sent using a security mechanism
   such as TLS Transport Layer Security (TLS) (RFC 4346 5246 [5]) or another
   security mechanism that provides equivalent levels of protection such
   as hop-by-hop security based upon IPSec.

10. IPsec.

9.  Acknowledgements

   The author would like to thank Paul Kyzivat, Dale Worley, Cullen
   Jennings, Adam Roach, Keith Drage, Mary Barnes, Peter Leis, James Yu,
   S. Moonesamy, Roni Even, and Tim Bray for reviewing this draft document and
   providing their comments.

11.

10.  References

11.1.

10.1.  Normative references References

   [1]  Montemurro, M., Ed., Allen, A., McDonald, D., and P.  Gosden, "A
        Uniform Resource Name Namespace For The for the Global System for Mobile communications
        Communications Association (GSMA) and the International Mobile
        station Equipment Identity(IMEI), work
         in progress", Internet Draft draft-montemurro-gsma-imei-urn-20,
         February Identity (IMEI)", RFC 7254, May 2014.

   [2]  Jennings, C., Mahy, R., and F. Audet, "Managing Client-
        Initiated Connections in the Session Initiation Protocol (SIP)",
        RFC 5626, October 2009.

   [3]  Rosenberg, J., "Obtaining and Using Globally Routable User Agent
        URIs (GRUUs) in the Session Initiation Protocol (SIP)", RFC
        5627, October 2009.

   [4]  Moats, R., "URN Syntax", RFC 2141, May 1997.

   [5]  Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS)
        Protocol Version 1.1", 1.2", RFC 4346, April 2006. 5246, August 2008.

   [6]  Leach, P., Mealling, M., and R. Salz, "A Universally Unique
        IDentifier (UUID) URN Namespace", RFC 4122, July 2005.

   [7]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [8]  3GPP, "TS 24.229: IP "IP multimedia call control protocol based on Session
        Initiation Protocol (SIP) and Session Description Protocol
        (SDP); Stage 3 (Release 8)", 3", 3GPP 24.229,
         September 2013,
         <ftp://ftp.3gpp.org/Specs/archive/24_series/24.229/>. TS 24.229 (Release 8), March 2014,
        <ftp://ftp.3gpp.org/Specs/archive/24_series/ 24.229/>.

   [9]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
        Peterson, J., Sparks, R., Handley, M., and E.  Schooler, "SIP:
        Session Initiation Protocol", RFC 3261, June 2002.

11.2.

10.2.  Informative references References

   [10] 3GPP, "TS 23.003: Numbering, "Numbering, addressing and identification
         (Release 8)", identification", 3GPP 23.003, September 2013,
         <ftp://ftp.3gpp.org/Specs/archive/23_series/23.003/>. TS 23.003
        (Release 8), March 2014, <ftp://ftp.3gpp.org/Specs/
        archive/23_series/23.003/>.

   [11]  GSMA GSM Association, "IMEI Allocation and Approval Guidelines", PRD
        TS.06 (DG06) version Version 6.0, July 2011, <http://www.gsma.com/
         newsroom/wp-content/uploads/2012/06/
        <http://www.gsma.com/newsroom/wp-content/uploads/2012/06/
        ts0660tacallocationprocessapproved.pdf>.

   [12] 3GPP, "TS 24.237: Mobile "Mobile radio interface Layer 3 specification; Core
        network protocols; Stage 3 (Release 8)", 3", 3GPP 24.237, TS 24.237 (Release 8),
        September 2013,
         <ftp://ftp.3gpp.org/Specs/archive/24_series/24.237/>. <ftp://ftp.3gpp.org/Specs/archive/
        24_series/24.237/>.

   [13] 3GPP, "TS 24.292: IP "IP Multimedia (IM) Core Network (CN) subsystem
        Centralized Services (ICS); Stage 3 (Release 8)", 3", 3GPP 24.292, June TS 24.292 (Release
        8), December 2013,
         <ftp://ftp.3gpp.org/Specs/archive/24_series/24.292/>. <ftp://ftp.3gpp.org/Specs/
        archive/24_series/24.292/>.

Author's Address

   Andrew Allen (editor)
   Blackberry
   1200 Sawgrass Corporate Parkway
   Sunrise, Florida  33323
   USA

   Email:

   EMail: aallen@blackberry.com