Internet-Draft | UAS RID Arch | February 2020 |
Card, et al. | Expires 8 August 2020 | [Page] |
This document defines an architecture for Trustworthy Multipurpose Remote Identification (tm-rid) protocols and services to support Unmanned Aircraft System Remote Identification (UAS RID), including its building blocks and their interfaces, all to be standardized.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 8 August 2020.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
Many safety and other considerations dictate that UAS be remotely identifiable. Civil Aviation Authorities (CAAs) worldwide are mandating UAS RID. The European Union Aviation Safety Agency (EASA) has published Commision Delegated Regulation 2019/945 and Commission Implementing Regulation 2019/947. The United States (US) Federal Aviation Administration (FAA) has published a Notice of Proposed Rule Making (NPRM). CAAs currently promulgate performance-based regulations that do not specify techniques, but rather cite industry consensus technical standards as acceptable means of compliance.¶
ASTM International, Technical Committee F38 (UAS), Subcommittee F38.02 (Aircraft Operations), Work Item WK65041 (UAS Remote ID and Tracking), is a Proposed New Standard [WK65041]. It defines 2 means of UAS RID. Network RID defines a set of information for UAS to make available globally indirectly via the Internet. Broadcast RID defines a set of messages for Unmanned Aircraft (UA) to transmit locally directly one-way over Bluetooth or Wi-Fi. Network RID depends upon Internet connectivity, in several segments, from the UAS to the observer. Broadcast RID should need Internet (or other Wide Area Network) connectivity only for UAS registry information lookup using the directly locally received UAS ID as a key.¶
[WK65041] specifies 3 UAS ID types. Type 1 is a static, manufacturer assigned, hardware serial number per ANSI/CTA-2063-A "Small Unmanned Aerial System Serial Numbers" [CTA2063A]. Type 2 is a CAA assigned (presumably static) ID. Type 3 is a UAS Traffic Management (UTM) system assigned UUID [RFC4122], which can but need not be dynamic. The EU allows only Type 1; the US allows Types 1 and 3, but requires Type 3 IDs (if used) each to be used only once. [WK65041] Broadcast RID transmits all information in the clear as plaintext, so Type 1 static IDs enable trivial correlation of patterns of use, unacceptable in many applications, e.g. package delivery routes of competitors.¶
An ID is not an end in itself; it exists to enable lookups and provision of services complementing mere identification.¶
Minimal specified information must be made available to the public; access to other data, e.g. UAS operator Personally Identifiable Information (PII), must be limited to strongly authenticated personnel, properly authorized per policy. [WK65041] specifies only how to get the UAS ID to the observer; how the observer can perform these lookups, and how the registries first can be populated with information, is unspecified.¶
Although using UAS RID to facilitate related services, such as Detect And Avoid (DAA) and other applications of Vehicle to Vehicle or Vehicle to Infrastructure (V2V, V2I, collectively V2X) communications, is an obvious application (explicitly contemplated in the FAA NPRM), it has been ommitted from [WK65041] (explicitly declared out of scope in the ASTM working group discussions based on a distinction between RID as a security standard vs DAA as a safety application). Although dynamic establishment of secure communications between the observer and the UAS pilot seems to have been contemplated by the FAA Aviation Rulemaking Committee (ARC), it is not addressed in any of the subsequent proposed regulations or technical specifications.¶
The need for near-universal deployment of UAS RID is pressing. This implies the need to support use by observers of already ubiquitous mobile devices (smartphones and tablets). UA onboard RID devices are severely constrained in Size, Weight and Power (SWaP). Cost is a significant impediment to the necessary near-universal adoption of UAS send and observer receive RID capabilities. To accomodate the most severely constrained cases, all these conspire to motivate system design decisions, especially for the Broadcast RID data link, which complicate the protocol design problem: one-way links; extremely short packets; and Internet-disconnected operation of UA onboard devices. Internet-disconnected operation of observer devices has been deemed by ASTM F38.02 too infrequent to address, but for some users is important and presents further challenges. Heavyweight security protocols are infeasible, yet trustworthiness of UAS RID information is essential. Under [WK65041], even the most basic datum, the UAS ID string (typically number) itself can be merely an unsubstantiated claim.¶
IETF can help by providing expertise as well as mature and evolving standards. Existing Internet resources (business models, infrastructure and protocol standards) should be leveraged. Host Identity Protocol (HIPv2) [RFC7401] and its Domain Name System (DNS) extensions [RFC8005], together with the Registry Data Access Protocl (RDAP) and the Extensible Provisioning Protocol (EPP), can complement emerging external standards for UAS RID. This will facilitate utilization of existing and provision of enhanced network services, and enable verification that UAS RID information is trustworthy (to some extent, even in the absence of Internet connectivity at the receiving node). The natural Internet architecture for UAS RID described herein addresses requirements defined in a companion UAS RID Requirements document.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Any tm-rid solutions for UAS RID must fit into the UTM system. This implies interaction with entities including UA, GCS, USS, NETSP, NETDP, Observers, Operators, Pilots In Command, Remote Pilots, etc. The only additional entities introduced by tm-rid are registries, required but not specified by the regulations and [RFC7401], and optionally CS-RID SDSP and Finder nodes.¶
UAS RID registries hold both public and private information. The public information is primarily pointers to the repositories of, and keys for looking up, the private information. Given these different uses, and to improve scalability, security and simplicity of administration, the public and private information can be stored in different registries, indeed different types of registry.¶
The private information required for UAS RID is similar to that required for Internet domain name registration. This facilitates leveraging existing Internet resources, including domain name registration protocols, infrastructure and business models. This implies a further derived requirement: a tm-rid UAS ID MUST be amenable to handling as an Internet domain name (at an arbitrary level in the heirarchy), MUST be registered in at least a pseudo-domain (e.g. .ip6 for reverse lookup), and MAY be registered as a sub-domain (for forward lookup).¶
A tm-rid private information registry MUST support essential Internet domain name registry operations (e.g. add, delete, update, query) using interoperable open standard protocols. It SHOULD support the Extensible Provisioning Protocol (EPP) and the Registry Data Access Protocol (RDAP) with access controls. It MAY use XACML to specify those access controls. It MUST be listed in a DNS: that DNS MAY be private; but absent any compelling reasons for use of private DNS, SHOULD be the definitive public Internet DNS heirarchy. The tm-rid private information registry in which a given UAS is registered MUST be locatable, starting from the UAS ID, using the methods specified in [RFC7484].¶
The public information required to be made available by UAS RID is transmitted as clear plaintext to local observers in Broadcast RID and is served to a client by a NETDP in Network RID. Therefore, while IETF can offer e.g. [RFC6280] as one way to implement Network RID, the only public information required to support essential tm-rid functions for UAS RID is that required to look up Internet domain hosts, services, etc.¶
A tm-rid public information registry MUST be a standard DNS server, in the definitive public Internet DNS heirarchy. It MUST support NS, MX, SRV, TXT, AAAA, PTR, CNAME and HIP RR types.¶
A CS-RID SDSP MUST appear (i.e. present the same interface) to a NETSP as a NETDP. A CS-RID SDSP MUST appear to a NETDP as a NETSP. A CS-RID SDSP MUST NOT present a standard GCS-facing interface as if it were a NETSP. A CS-RID SDSP MUST NOT present a standard client-facing interface as if it were a NETDP. A CS-RID SDSP MUST present a TBD interface to a CS-RID Finder; this interface SHOULD be based upon but readily distinguishable from that between a GCS and a NETSP.¶
A CS-RID Finder MUST present a TBD interface to a CS-RID SDSP; this interface SHOULD be based upon but readily distinguishable from that between a GCS and a NETSP. A CS-RID Finder must implement, integrate or accept outputs from a Broadcast RID receiver. A CS-RID Finder MUST NOT interface directly with a GCS, NETSP, NETDP or Network RID client.¶
A tm-rid UAS ID MUST be a HHIT. It SHOULD be self-generated by the UAS (either UA or GCS) and MUST be registered with the Private Information Registry identified in its heirarchy fields. Each UAS ID HHIT MUST NOT be used more than once, with one exception as follows.¶
Each UA MAY be assigned, by its manufacturer, a single HI and derived HHIT encoded as a hardware serial number per [CTA2063A]. Such a static HHIT SHOULD be used only to bind one-time use UAS IDs (other HHITs) to the unique UA. Depending upon implementation, this may leave a HI private key in the posession of the manufacturer (see Security Considerations).¶
Each UA equipped for Broadcast RID MUST be provisioned not only with its HHIT but also with the HI public key from which the HHIT was derived and the corresponding private key, to enable message signature. Each UAS equipped for Network RID MUST be provisioned likewise; the private key SHOULD reside only in the ultimate source of Network RID messages (i.e. on the UA itself if the GCS is merely relaying rather than sourcing Network RID messages). Each observer device MUST be provisioned with public keys of the UAS RID root registries and MAY be provisioned with public keys or certificates for subordinate registries.¶
Operators and Private Information Registries MUST possess and other UTM entities MAY possess UAS ID style HHITs. When present, such HHITs SHOULD be used with HIP to strongly mutually authenticate and optionally encrypt communications.¶
Each Operator MUST generate a "HIo" and derived "HHITo", register them with a Private Information Registry along with whatever Operator data (inc. PII) is required by the cognizant CAA and the registry, and obtain a certificate "Cro" signed with "HIr(priv)" proving such registration.¶
To add an UA, an Operator MUST generate a "HIa" and derived "HHITa", create a certificate "Coa" signed with "HIo(priv)" to associate the UA with its Operator, register them with a Private Information Registry along with whatever UAS data is required by the cognizant CAA and the registry, obtain a certificate "Croa" signed with "HIr(priv)" proving such registration, and obtain a certificate "Cra" signed with "HIr(priv)" proving UA registration in that specific registry while preserving Operator privacy. The operator then MUST provision the UA with "HIa", "HIa(priv)", "HHITa" and "Cra".¶
UA engaging in Broadcast RID MUST use "HIa(priv)" to sign Auth Messages and MUST periodically broadcast "Cra". UAS engaging in Network RID MUST use "HIa(priv)" to sign Auth Messages. Observers MUST use "HIa" from received "Cra" to verify received Broadcast RID Auth messages. Observers without Internet connectivity MAY use "Cra" to identify the trust class of the UAS based on known registry vetting. Observers with Internet connectivity MAY use "HHITa" to perform lookups in the Public Information Registry and MAY then query the Private Information Registry, which MUST enforce access control policy on Operator PII and other sensitive information.¶
It is likely that an IPv6 prefix will be needed for the HHIT (or other identifier) space; this will be specified in other drafts.¶
UAS RID is all about safety and security, so content pertaining to such is not limited to this section. The security provided by asymmetric cryptographic techniques depends upon protection of the private keys. A manufacturer that embeds a private key in an UA may have retained a copy. A manufacturer whose UA are configured by a closed source application on the GCS which communicates over the Internet with the factory may be sending a copy of a UA or GCS self-generated key back to the factory. Compromise of a registry private key could do widespread harm. Key revocation procedures are as yet to be determined. These risks are in addition to those involving Operator key management practices.¶
The work of the FAA's UAS Identification and Tracking (UAS ID) Aviation Rulemaking Committee (ARC) is the foundation of later ASTM and proposed IETF efforts. The work of ASTM F38.02 in balancing the interests of diverse stakeholders is essential to the necessary rapid and widespread deployment of UAS RID.¶