Internet-Draft | DRIP Reqs | October 2020 |
Card, et al. | Expires 19 April 2021 | [Page] |
This document defines terminology and requirements for Drone Remote Identification Protocol (DRIP) Working Group protocols to support Unmanned Aircraft System Remote Identification and tracking (UAS RID) for security, safety and other purposes. Complementing external technical standards as regulator-accepted means of compliance with UAS RID regulations, DRIP will:¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 19 April 2021.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
Many considerations (especially safety and security) necessitate Unmanned Aircraft Systems (UAS) Remote Identification and tracking (RID).¶
Unmanned Aircraft (UA) may be fixed wing Short Take-Off and Landing (STOL), rotary wing (e.g., helicopter) Vertical Take-Off and Landing (VTOL), or hybrid. They may be single- or multi-engine. The most common today are multicopters: rotary wing, multi engine. The explosion in UAS was enabled by hobbyist development, for multicopters, of advanced flight stability algorithms, enabling even inexperienced pilots to take off, fly to a location of interest, hover, and return to the take-off location or land at a distance. UAS can be remotely piloted by a human (e.g., with a joystick) or programmed to proceed from GNSS waypoint to waypoint in a weak form of autonomy; stronger autonomy is coming. UA are "low observable": they typically have small radar cross sections; they make noise quite noticeable at short range but difficult to detect at distances they can quickly close (500 meters in under 17 seconds at 60 knots); they typically fly at low altitudes (for the small UAS to which RID applies in the US, under 400 feet AGL); they are highly maneuverable so can fly under trees and between buildings.¶
UA can carry payloads including sensors, cyber and kinetic weapons, or can be used themselves as weapons by flying them into targets. They can be flown by clueless, careless or criminal operators. Thus the most basic function of UAS RID is "Identification Friend or Foe" (IFF) to mitigate the significant threat they present. Numerous other applications can be enabled or facilitated by RID: consider the importance of identifiers in many Internet protocols and services. The general scenario is illustrated in Figure 1.¶
Note the absence of any links to/from the UA in Figure 1. This is because UAS RID and other connectivity involving the UA varies as described below.¶
Inherently, any responsible Observer of UA must classify them, as illustrated notionally in Figure 2. For basic airspace Situational Awareness (SA), an Observer who classifies an UAS: as Taskable, can ask it to do something useful; as Low Concern, can reasonably assume it is not malicious, and would cooperate with requests to modify its flight plans for safety concerns that arise; as High Concern or Unidentified, can focus surveillance on it. These classes are not standard, but derive from first principles.¶
An ID is not an end in itself; it exists to enable lookups and provision of services complementing mere identification.¶
Using UAS RID to facilitate vehicular (V2X) communications and applications such as Detect And Avoid (DAA), which would impose tighter latency bounds than RID itself, is an obvious possibility, explicitly contemplated in the United States (US) Federal Aviation Administration (FAA) Notice of Proposed Rule Making [NPRM]. However, applications of RID beyond RID itself, including DAA, have been explicitly declared out of scope in ASTM International, Technical Committee F38 (UAS), Subcommittee F38.02 (Aircraft Operations), Work Item WK65041, working group discussions, based on a distinction between RID as a security standard vs DAA as a safety application. Although dynamic establishment of secure communications between the Observer and the UAS pilot seems to have been contemplated by the FAA UAS ID and Tracking Aviation Rulemaking Committee (ARC) in their [Recommendations], it is not addressed in any of the subsequent proposed regulations or technical specifications.¶
[Opinion1] and [WG105] cite the Direct Remote Identification previously required and specified, explicitly stating that whereas Direct RID is primarily for security purposes, "Electronic Identification" (or the "Network Identification Service" in the context of U-space) is primarily for safety purposes (e.g. air traffic management, especially hazards deconfliction) and also is allowed to be used for other purposes such as support of efficient operations. These emerging standards allow the security and safety oriented systems to be separate or merged. In addition to mandating both Broadcast and Network one-way to Observers, they will use V2V to other UAS (also likely to and/or from some manned aircraft). These reflect the broad scope of the EU U-space concept, as being developed in the Single European Sky ATM Research (SESAR) Joint Undertaking, whose U-space architectural principles are outlined in [InitialView].¶
Security oriented UAS RID essentially has two goals: enable the general public to obtain and record an opaque ID for any observed UA, which they can then report to authorities; enable authorities, from such an ID, to look up information about the UAS and its operator. Safety oriented UAS RID has stronger requirements. Aviation community SDOs set a higher bar for safety than for security, especially with respect to reliability.¶
Disambiguation of multiple UA flying in close proximity may be very challenging, even if each is reporting its identity, position and velocity as accurately as it can. As the origin of all information in UAS RID is self-reports from operators, there are possibilities not only of unintentional error, but also of intentional falsification, of this data.¶
Minimal specified information must be made available to the public; access to other data, e.g., UAS operator Personally Identifiable Information (PII), must be limited to strongly authenticated personnel, properly authorized per policy. The balance between privacy and transparency remains a subject for public debate and regulatory action; DRIP can only offer tools to expand the achievable trade space and enable trade-offs within that space. [F3411-19] specifies only how to get the UAS ID to the Observer: how the Observer can perform these lookups, and how the registries first can be populated with information, is unspecified.¶
The need for near-universal deployment of UAS RID is pressing. This implies the need to support use by Observers of already ubiquitous mobile devices (typically smartphones and tablets). Anticipating likely CAA requirements to support legacy devices, especially in light of [Recommendations], [F3411-19] specifies that any UAS sending Broadcast RID over Bluetooth must do so over Bluetooth 4, regardless of whether it also does so over newer versions; as UAS sender devices and Observer receiver devices are unpaired, this implies extremely short "advertisement" (beacon) frames.¶
Wireless data links on the UA are challenging due to low altitude flight amidst structures and foliage over terrain, as well as the severe Cost, Size, Weight and Power (CSWaP) constraints of devices onboard UA. CSWaP is a burden not only on the designers of new UA for production and sale, but also on owners of existing UA that must be retrofit. Radio Controlled (RC) aircraft modelers, "hams" who use licensed amateur radio frequencies to control UAS, drone hobbyists, and others who custom build UAS, all need means of participating in UAS RID, sensitive to both generic CSWaP and application-specific considerations.¶
To accommodate the most severely constrained cases, all these conspire to motivate system design decisions, especially for the Broadcast RID data link, which complicate the protocol design problem: one-way links; extremely short packets; and Internet-disconnected operation of UA onboard devices. Internet-disconnected operation of Observer devices has been deemed by ASTM F38.02 too infrequent to address, but for some users is important and presents further challenges.¶
As RID must often operate with limited bandwidth, short packet payload length limits, and one-way links, heavyweight cryptographic security protocols or even simple cryptographic handshakes are infeasible, yet trustworthiness of UAS RID information is essential. Under [F3411-19], even the most basic datum, the UAS ID string (typically number) itself can be merely an unsubstantiated claim.¶
Observer devices being ubiquitous, thus popular targets for malware or other compromise, cannot be generally trusted (although the user of each device is compelled to trust that device, to some extent); a "fair witness" functionality (inspired by [Stranger]) is desirable.¶
Despite work by regulators and Standards Development Organizations (SDOs), there are substantial gaps in UAS standards generally and UAS RID specifically. [Roadmap] catalogs UAS related standards, ongoing standardization activities and gaps (as of early 2020); Section 7.8 catalogs those related specifically to UAS RID. DRIP will address the most fundamental of these gaps, as foreshadowed above.¶
DRIP's initial goal is to make RID immediately actionable, in both Internet and local-only connected scenarios (especially emergencies), in severely constrained UAS environments, balancing legitimate (e.g., public safety) authorities' Need To Know trustworthy information with UAS operators' privacy. By "immediately actionable" is meant information of sufficient precision, accuracy, timeliness, etc. for an Observer to use it as the basis for immediate decisive action, whether that be to trigger a defensive counter-UAS system, to attempt to initiate communications with the UAS operator, to accept the presence of the UAS in the airspace where/when observed as not requiring further action, or whatever, with potentially severe consequences of any action or inaction chosen based on that information. For further explanation of the concept of immediate actionability, see [ENISACSIRT]. Note that UAS RID must achieve near universal adoption, but DRIP can add value even if only selectively deployed, as those with jurisdiction over more sensitive airspace volumes may set a higher than generally mandated RID bar for flight in those volumes. Providing timely trustworthy identification data is also prerequisite to identity-oriented networking.¶
DRIP (originally Trustworthy Multipurpose Remote Identification, TM-RID) potentially could be applied to verifiably identify other types of registered things reported to be in specified physical locations, but the urgent motivation and clear initial focus is UAS. Existing Internet resources (protocol standards, services, infrastructure, and business models) should be leveraged. A natural Internet based architecture for UAS RID conforming to proposed regulations and external technical standards is described in a companion architecture document [drip-architecture] and elaborated in other DRIP documents; this document describes only relevant requirements and defines terminology for the set of DRIP documents.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This section defines a set of terms expected to be used in DRIP documents. This list is meant to be the DRIP terminology reference. Some of the terms listed below are not used in this document. [RFC4949] provides a glossary of Internet security terms that should be used where applicable. In the UAS community, the plural form of acronyms generally is the same as the singular form, e.g. Unmanned Aircraft System (singular) and Unmanned Aircraft Systems (plural) are both represented as UAS. On this and other terminological issues, to encourage comprehension necessary for adoption of DRIP by the intended user community, that community's norms are respected herein, and definitions are quoted in cases where they have been found in that community's documents. Most of the listed terms are from that community (even if specific source documents are not cited); any that are DRIP-specific or invented by the authors of this document are marked "(DRIP)".¶
Civil Aviation Authorities (CAAs) worldwide are mandating UAS RID. The European Union Aviation Safety Agency (EASA) has published [Delegated] and [Implementing] Regulations. The US FAA has described the key role that UAS RID plays in UAS Traffic Management (UTM) in [NPRM] and [FAACONOPS] (especially Section 2.6 of the latter). CAAs currently (2020) promulgate performance-based regulations that do not specify techniques, but rather cite industry consensus technical standards as acceptable means of compliance.¶
ASTM developed a widely cited Standard Specification for Remote ID and Tracking [F3411-19] (early drafts are freely available as [OpenDroneID] specifications). It defines two means of UAS RID:¶
UAS using both means must send the same UAS RID application layer information via each per [F3411-19] and [NPRM]. The presentation may differ, as Network RID defines a data dictionary, whereas Broadcast RID defines message formats (which carry items from that same data dictionary). The interval (or rate) at which it is sent may differ, as Network RID can accommodate Observer queries asynchronous to UAS updates (which generally need be sent only when information, such as location, changes), whereas Broadcast RID depends upon Observers receiving UA messages at the time they are transmitted. Network RID depends upon Internet connectivity in several segments from the UAS to each Observer. Broadcast RID should need Internet (or other Wide Area Network) connectivity only for UAS registry information lookup using the directly locally received UAS Identifier (UAS ID) as a key. Broadcast RID does not assume IP connectivity of UAS; messages are encapsulated by the UA without IP, directly in Bluetooth or WiFi link layer frames.¶
Per [Delegated], the EU allows only Type 1. Per [NPRM], the US allows Types 1 and 3, but requires Type 3 IDs (if used) each to be used only once as a "Session ID" (for a single UAS flight, which in the context of UTM is called an "operation"). Per [Delegated], the EU also requires an operator registration number (an additional identifier distinct from the UAS ID) that can be carried in an [F3411-19] optional Operator ID message. Per [NPRM], the US allows but does not require that operator registration numbers be sent. As yet apparently there are no CAA public proposals to use Type 2.¶
Note the data flow typically originates on or at least passes through the Ground Control Station (GCS), rather than comes direct from the UA as in Broadcast RID (below), and makes up to 3 trips through the Internet, implying use of IP (and other middle layer protocols) on those trips, but not necessarily on the UA-GCS link (if indeed the Network RID data even flows across that link).¶
Network RID is essentially publish-subscribe-query. In the typical UTM context... First the UAS operator pushes an operation plan to the USS that will serve that UAS for that operation, for deconfliction with other operations. Assuming the plan receives approval and the operation commences, that UAS periodically pushes location/status updates to that USS (call it USS#1), which serves as the Network RID Service Provider (Net-RID SP) for that operation. If users of any other USS (whether they be other UAS operators or Observers) develop an interest in any 4-D airspace volume intersecting the 4-D volume containing that UAS operation, they query their own USS (call them USS#2 through USS#n). Their USS query, via the UTM Discovery and Synchronization Service (DSS), all other USS in the UTM system, and learn that USS#1 has such operations. Observers or other interested parties can then subscribe to track updates, via their own USS, which serve as Network RID Display Providers (Net-RID DP) for that surveillance session. The Net-RID SP (USS#1) will then publish updates of the UAS position/status to all subscribed Net-RID DP (USS#2 through USS#n), which in turn will deliver the information to their users via unspecified (but expected to be web browser based) means.¶
Network RID has several variants. The UA may have persistent onboard Internet connectivity, in which case it can consistently source RID information directly over the Internet. The UA may have intermittent onboard Internet connectivity, in which case the GCS must source RID information whenever the UA itself is offline. The UA may not have Internet connectivity of its own, but have instead some other form of communications to another node that can relay RID information to the Internet; this would typically be the GCS (which to perform its function must know where the UA is, although C2 link outages do occur).¶
The UA may have no means of sourcing RID information, in which case the GCS must source it; this is typical under FAA NPRM Limited RID proposed rules, which require providing the location of the GCS (not that of the UA). In the extreme case, this could be the pilot using a web browser/application to designate, to an UAS Service Supplier (USS) or other UTM entity, a time-bounded airspace volume in which an operation will be conducted; this may impede disambiguation of ID if multiple UAS operate in the same or overlapping spatio-temporal volumes.¶
In most cases in the near term, if the RID information is fed to the Internet directly by the UA or GCS, the first hop data links will be cellular Long Term Evolution (LTE) or Wi-Fi, but provided the data link can support at least UDP/IP and ideally also TCP/IP, its type is generally immaterial to the higher layer protocols. An UAS as the ultimate source of Network RID information feeds an USS acting as a Network RID Service Provider (Net-RID SP), which essentially proxies for that and other sources; an observer or other ultimate consumer of Network RID information obtains it from a Network RID Display Provider (Net-RID DP), which aggregates information from multiple Net-RID SPs to offer airspace Situational Awareness (SA) coverage of a volume of interest. Network RID Service and Display providers are expected to be implemented as servers in well-connected infrastructure, accessible via typical means such as web APIs/browsers.¶
Network RID is the more flexible and less constrained of the defined UAS RID means, but is only partially specified in [F3411-19]. It is presumed that IETF efforts supporting Broadcast RID (see next section) can be easily generalized for Network RID.¶
Note the absence of the Internet from this information flow sketch. This is because Broadcast RID is one-way direct transmission of application layer messages over a RF data link (without IP or other middle layer protocols) from the UA to local Observer devices. Internet connectivity is involved only in what the Observer chooses to do with the information received, such as verify signatures using a web based verifier service and look up information in registries using the UAS ID as the primary unique key.¶
Broadcast RID is conceptually similar to Automatic Dependent Surveillance - Broadcast (ADS-B). However, for various technical and other reasons, regulators including the EASA and FAA have not indicated intent to allow, and FAA has proposed explicitly to prohibit, use of ADS-B for UAS RID.¶
[F3411-19] specifies three Broadcast RID data links: Bluetooth 4.X; Bluetooth 5.X Long Range; and Wi-Fi with Neighbor Awareness Networking (NAN). For compliance with [F3411-19], an UA must broadcast (using advertisement mechanisms where no other option supports broadcast) on at least one of these; if broadcasting on Bluetooth 5.x, it is also required concurrently to do so on 4.x (referred to in [F3411-19] as Bluetooth Legacy). Future revisions may allow other data links.¶
The selection of the Broadcast media was driven by research into what is commonly available on 'ground' units (smartphones and tablets) and what was found as prevalent or 'affordable' in UA. Further, there must be an Application Programming Interface (API) for the observer's receiving application to have access to these messages. As yet only Bluetooth 4.X support is readily available, thus the current focus is on working within the 26 byte limit of the Bluetooth 4.X "Broadcast Frame" transmitted on beacon channels. After nominal overheads, this limits the UAS ID string to a maximum length of 20 bytes, and precludes the same frame carrying position, velocity and other information that should be bound to the UAS ID, much less strong authentication data. This requires segmentation ("paging") of longer messages or message bundles ("Message Pack"), and/or correlation of short messages (anticipated by ASTM to be done on the basis of Bluetooth 4 MAC address, which is weak and unverifiable).¶
[F3411-19] Broadcast RID specifies several message types: Basic, Location, Authentication, Self-ID, System and Operator ID. To satisfy EASA and FAA proposed rules, all types are needed, except Authentication and Self-ID.¶
[F3411-19] Broadcast RID specifies very few quantitative performance requirements: static information must be transmitted at least once per 3 seconds; dynamic information (the Location message) must be transmitted at least once per second and be no older than one second when sent. [NPRM] proposes all information be sent at least once per second.¶
[F3411-19] Broadcast RID transmits all information as cleartext (ASCII or binary), so static IDs enable trivial correlation of patterns of use, unacceptable in many applications, e.g., package delivery routes of competitors.¶
Any UA can assert any ID using the [F3411-19] required Basic ID message, which lacks any provisions for verification. The Position/Vector message likewise lacks provisions for verification, and does not contain the ID, so must be correlated somehow with a Basic ID message: the developers of [F3411-19] have suggested using the MAC addresses on the Broadcast RID data link, but these may be randomized by the operating system stack to avoid the adversarial correlation problems of static identifiers.¶
The [F3411-19] optional Authentication Message specifies framing for authentication data, but does not specify any authentication method, and the maximum length of the specified framing is too short for conventional digital signatures and far too short for conventional certificates. The one-way nature of Broadcast RID precludes challenge-response security protocols (e.g., observers sending nonces to UA, to be returned in signed messages). An observer would be seriously challenged to validate the asserted UAS ID or any other information about the UAS or its operator looked up therefrom.¶
In addition to the gaps described above, there is a fundamental gap in almost all current or proposed regulations and technical standards for UAS RID. As noted above, ID is not an end in itself, but a means. [F3411-19] etc. provide very limited choices for an observer to communicate with the pilot, e.g., to request further information on the UAS operation or exit from an airspace volume in an emergency. The System Message provides the location of the pilot/GCS, so an observer could physically go to the asserted location to look for the remote pilot; this is at best slow, and may not be feasible -- what if the pilot is on the opposite rim of a canyon, or there are multiple UAS operators to be contacted whose GCS all lie in different directions from the Observer? An observer with Internet connectivity and access privileges could look up operator PII in a registry, then call a phone number in hopes someone who can immediately influence the UAS operation will answer promptly during that operation; this is unreliable. Internet technologies can do much better than this.¶
Thus complementing [F3411-19] with protocols enabling strong authentication, preserving operator privacy while enabling immediate use of information by authorized parties, is critical to achieve widespread adoption of a RID system supporting safe and secure operation of UAS.¶
DRIP will focus on making information obtained via UAS RID immediately usable:¶
Requirements imposed either by regulation or [F3411-19] are not reiterated here, but drive many of the numbered requirements listed here. The QoS requirement currently would be satisfied generally by ensuring information refresh rates of at least 1 Hertz, with latencies no greater than 1 second, at least 80% of the time; but these numbers may change, so instead the DRIP requirement is that they be user policy specifiable (which does not imply satisfiable in all cases, but implies that when the specs are not met, appropriate parties are notified). The "provable ownership" requirement addresses the possibility that the actual sender is not the claimed sender (i.e. is a spoofer). The "provable binding" requirement addresses the MAC address correlation problem of [F3411-19] noted above. The "provable registration" requirement may impose burdens not only on the UAS sender and the Observer's receiver, but also on the registry; yet it cannot depend upon the Observer being able to contact the registry at the time of observing the UA. The "readability" requirement may involve machine assisted format conversions, e.g. from binary encodings. The "gateway" requirement is the only instance in which DRIP transports [F3411-19] messages; most of DRIP pertains to the authentication of such messages and the identifier carried within them.¶
The DRIP identifier can be used at various layers: in Broadcast RID, it would be used by the application running directly over the data link; in Network RID, it would be used by the application running over HTTPS (and possibly other protocols); and in RID initiated V2X applications such as DAA and C2, it could be used between the network and transport layers (with HIP or DTLS).¶
Registry ID (which registry the entity is in) and Entity ID (which entity it is, within that registry) are requirements on a single DRIP entity Identifier, not separate (types of) ID. In the most common use case, the Entity will be the UA, and the DRIP Identifier will be the UAS ID; however, other entities may also benefit from having DRIP identifiers, so the Entity type is not prescribed here.¶
Whether a UAS ID is generated by the operator, GCS, UA, USS or registry, or some collaboration thereamong, is unspecified; however, there must be agreement on the UAS ID among these entities.¶
How information is stored on end systems is out of scope for DRIP. Encouraging privacy best practices, including end system storage encryption, by facilitating it with protocol design reflecting such considerations, is in scope. Similar logic applies to methods for designating information as public or private.¶
The privacy requirements above are for DRIP, neither for [F3411-19] (which requires obfuscation of location to any Network RID subscriber engaging in wide area surveillance, limits data retention periods, etc. in the interests of privacy), nor for UAS RID in any specific jurisdiction (which may have its own regulatory requirements). The requirements above are also in a sense parameterized: who are the "authorized actors", how are they designated, how are they authenticated, etc.?¶
Registries are fundamental to RID. Only very limited information can be Broadcast, but extended information is sometimes needed. The most essential element of information sent is the UAS ID itself, the unique key for lookup of extended information in registries. Beyond designating the UAS ID as that unique key, the registry information model is not specified herein, in part because regulatory requirements for different registries (UAS operators and their UA, each narrowly for UAS RID and broadly for U-space / UTM) and business models for meeting those requirements are in flux. However those may evolve, the essential registry functions remain the same, so are specified herein.¶
This document does not make any IANA request.¶
DRIP is all about safety and security, so content pertaining to such is not limited to this section. Potential vulnerabilities of DRIP include but are not limited to:¶
It may be inferred from the Section 4.1 General requirements for Provable Ownership, Provable Binding and Provable Registration, together with the Section 4.2 Identifier requirements, that DRIP must provide:¶
One approach to so doing involves verifiably binding the DRIP identifier to a public key. Providing these security features, whether via this approach or another, is likely to be especially challenging for Observers without Internet connectivity at the time of observation. E.g. checking the signature of a registry on a public key certificate received via Broadcast RID in a remote area presumably would require that the registry's public key had been previously installed on the Observer's device, yet there may be many registries and the Observer's device may be storage constrained, and new registries may come on-line subsequent to installation of DRIP software on the Observer's device. Thus there may be caveats on the extent to which requirements can be satisfied in such cases, yet strenuous effort should be made to satisfy them, as such cases, e.g. firefighting in a national forest, are important.¶
Privacy is closely related to but not synonymous with security, and conflicts with transparency. Privacy and transparency are important for legal reasons including regulatory consistency. [EU2018] [EU2018] states "harmonised and interoperable national registration systems... should comply with the applicable Union and national law on privacy and processing of personal data, and the information stored in those registration systems should be easily accessible."¶
Privacy and transparency (where essential to security or safety) are also ethical and moral imperatives. Even in cases where old practices (e.g. automobile registration plates) could be imitated, when new applications involving PII (such as UAS RID) are addressed and newer technologies could enable improving privacy, such opportunities should not be squandered. Thus it is recommended that all DRIP documents give due regard to [RFC6973] and more broadly [RFC8280].¶
DRIP information falls into two classes: that which, to achieve the purpose, must be published openly as cleartext, for the benefit of any Observer (e.g., the basic UAS ID itself); and that which must be protected (e.g., PII of pilots) but made available to properly authorized parties (e.g., public safety personnel who urgently need to contact pilots in emergencies). How properly authorized parties are authorized, authenticated, etc. are questions that extend beyond the scope of DRIP, but DRIP may be able to provide support for such processes. Classification of information as public or private must be made explicit and reflected with markings, design, etc. Classifying the information will be addressed primarily in external standards; herein it will be regarded as a matter for CAA, registry and operator policies, for which enforcement mechanisms will be defined within the scope of DRIP WG and offered. Details of the protection mechanisms will be provided in other DRIP documents. Mitigation of adversarial correlation will also be addressed.¶
This document is largely based on the process of one SDO, ASTM. Therefore, it is tailored to specific needs and data formats of this standard. Other organizations, for example in EU, do not necessary follow the same architecture.¶
The need for drone ID and operator privacy is an open discussion topic. For instance, in the ground vehicular domain each car carries a publicly visible plate number. In some countries, for nominal cost or even for free, anyone can resolve the identity and contact information of the owner. Civil commercial aviation and maritime industries also have a tradition of broadcasting plane or ship ID, coordinates and even flight plans in plain text. Community networks such as OpenSky and Flightradar use this open information through ADS-B to deploy public services of flight tracking. Many researchers also use these data to perform optimization of routes and airport operations. Such ID information should be integrity protected, but not necessarily confidential.¶
In civil aviation, aircraft identity is broadcast by a device known as transponder. It transmits a four-digit squawk code, which is assigned by a traffic controller to an airplane after approving a flight plan. There are several reserved codes such as 7600 which indicate radio communication failure. The codes are unique in each traffic area and can be re-assigned when entering another control area. The code is transmitted in plain text by the transponder and also used for collision avoidance by a system known as Traffic alert and Collision Avoidance System (TCAS). The system could be used for UAS as well initially, but the code space is quite limited and likely to be exhausted soon. The number of UAS far exceeds the number of civil airplanes in operation.¶
The ADS-B system is utilized in civil aviation for each "ADS-B Out" equipped airplane to broadcast its ID, coordinates and altitude for other airplanes and ground control stations. If this system is adopted for drone IDs, it has additional benefit with backward compatibility with civil aviation infrastructure; then, pilots and dispatchers will be able to see UA on their control screens and take those into account. If not, a gateway translation system between the proposed drone ID and civil aviation system should be implemented. Again, system saturation due to large numbers of UAS is a concern.¶
Wi-Fi and Bluetooth are two wireless technologies currently recommended by ASTM specifications due to their widespread use and broadcast nature. However, those have limited range (max 100s of meters) and may not reliably deliver UAS ID at high altitude or distance. Therefore, a study should be made of alternative technologies from the telecom domain (WiMAX, 5G) or sensor networks (Sigfox, LORA). Such transmission technologies can impose additional restrictions on packet sizes and frequency of transmissions, but could provide better energy efficiency and range. In civil aviation, Controller-Pilot Data Link Communications (CPDLC) is used to transmit command and control between the pilots and ATC. It could be considered for UAS as well due to long range and proven use despite its lack of security [cpdlc].¶
L-band Digital Aeronautical Communications System (LDACS) is being standardized by ICAO and IETF for use in future civil aviation [I-D.maeurer-raw-ldacs]. It provides secure communication, positioning and control for aircraft using a dedicated radio band. It should be analyzed as a potential provider for UAS RID as well. This will bring the benefit of a global integrated system creating a global airspace use awareness.¶
The work of the FAA's UAS Identification and Tracking (UAS ID) Aviation Rulemaking Committee (ARC) is the foundation of later ASTM [F3411-19] and IETF DRIP efforts. The work of Gabriel Cox, Intel Corp. and their Open Drone ID collaborators opened UAS RID to a wider community. The work of ASTM F38.02 in balancing the interests of diverse stakeholders is essential to the necessary rapid and widespread deployment of UAS RID. IETF volunteers who have extensively reviewed or otherwise contributed to this document include Amelia Andersdotter, Carsten Bormann, Mohamed Boucadair, Toerless Eckert, Susan Hares, Mika Jarvenpaa, Daniel Migault, Alexandre Petrescu, Saulo Da Silva and Shuai Zhao.¶