DRIP S. Card, Ed. Internet-Draft A. Wiethuechter Intended status: Informational AX Enterprize Expires: 20 August 2021 R. Moskowitz HTT Consulting A. Gurtov Linköping University 16 February 2021 Drone Remote Identification Protocol (DRIP) Requirements draft-ietf-drip-reqs-08 Abstract This document defines terminology and requirements for Drone Remote Identification Protocol (DRIP) Working Group solutions to support Unmanned Aircraft System Remote Identification and tracking (UAS RID) for security, safety, and other purposes. Complementing external technical standards as regulator-accepted means of compliance with UAS RID regulations, DRIP will facilitate use of existing Internet resources to support RID and to enable enhanced related services, and will enable online and offline verification that RID information is trustworthy. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 20 August 2021. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. Card, et al. Expires 20 August 2021 [Page 1] Internet-Draft DRIP Requirements February 2021 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Motivation and External Influences . . . . . . . . . . . 2 1.2. Concerns and Constraints . . . . . . . . . . . . . . . . 7 1.3. DRIP Scope . . . . . . . . . . . . . . . . . . . . . . . 9 1.4. Document Scope . . . . . . . . . . . . . . . . . . . . . 10 2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 10 2.1. Requirements Terminology . . . . . . . . . . . . . . . . 10 2.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 11 3. UAS RID Problem Space . . . . . . . . . . . . . . . . . . . . 18 3.1. Network RID . . . . . . . . . . . . . . . . . . . . . . . 20 3.2. Broadcast RID . . . . . . . . . . . . . . . . . . . . . . 23 3.3. USS in UTM and RID . . . . . . . . . . . . . . . . . . . 26 3.4. DRIP Focus . . . . . . . . . . . . . . . . . . . . . . . 27 4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 28 4.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 28 4.2. Identifier . . . . . . . . . . . . . . . . . . . . . . . 30 4.3. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 31 4.4. Registries . . . . . . . . . . . . . . . . . . . . . . . 33 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 6. Security Considerations . . . . . . . . . . . . . . . . . . . 34 7. Privacy and Transparency Considerations . . . . . . . . . . . 35 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 36 8.1. Normative References . . . . . . . . . . . . . . . . . . 36 8.2. Informative References . . . . . . . . . . . . . . . . . 36 Appendix A. Discussion and Limitations . . . . . . . . . . . . . 39 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 40 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 40 1. Introduction 1.1. Motivation and External Influences Many considerations (especially safety and security) necessitate Unmanned Aircraft Systems (UAS) Remote Identification and tracking (RID). Card, et al. Expires 20 August 2021 [Page 2] Internet-Draft DRIP Requirements February 2021 Unmanned Aircraft (UA) may be fixed wing, rotary wing (e.g., helicopter), hybrid, balloon, rocket, etc. Small fixed wing UA typically have Short Take-Off and Landing (STOL) capability; rotary wing and hybrid UA typically have Vertical Take-Off and Landing (VTOL) capability. UA may be single- or multi-engine. The most common today are multicopters: rotary wing, multi engine. The explosion in UAS was enabled by hobbyist development, for multicopters, of advanced flight stability algorithms, enabling even inexperienced pilots to take off, fly to a location of interest, hover, and return to the take-off location or land at a distance. UAS can be remotely piloted by a human (e.g., with a joystick) or programmed to proceed from Global Navigation Satellite System (GNSS) waypoint to waypoint in a weak form of autonomy; stronger autonomy is coming. Small UA are "low observable" as they: * typically have small radar cross sections; * make noise quite noticeable at short range but difficult to detect at distances they can quickly close (500 meters in under 17 seconds at 60 knots); * typically fly at low altitudes (e.g., for those to which RID applies in the US, under 400 feet Above Ground Level (AGL) as per [Part107]); * are highly maneuverable so can fly under trees and between buildings. UA can carry payloads including sensors, cyber and kinetic weapons, or can be used themselves as weapons by flying them into targets. They can be flown by clueless, careless, or criminal operators. Thus the most basic function of UAS RID is "Identification Friend or Foe" (IFF) to mitigate the significant threat they present. Diverse other applications can be enabled or facilitated by RID. Consider the importance of identifiers in many Internet protocols and services, e.g., Fully Qualified Domain Names (FQDNs), transport protocol identifiers, UDP and TCP ports, Uniform Resource Identifiers (URIs), X.509 public key identifiers, E.164 numbers, Network Access Identifiers (NAIs), email addresses, Digital Object Identifiers (DOIs), and pretty much anything for which IANA is responsible. The general UAS RID usage scenario is illustrated in Figure 1. Card, et al. Expires 20 August 2021 [Page 3] Internet-Draft DRIP Requirements February 2021 UA1 UA2 x x x x xxxxx xxxxx General x x Public Public xxxxx xxxxx Safety Observer x x Observer x x x x ---------+ +---------- x x x x | | x x | | + + xxxxxxxxxx x x +----------+x Internet x+------------+ | x x | UA1 x | xxxxxxxxxx | x UA2 Pilot/ xxxxx + + + xxxxx Pilot/ Operator x | | | x Operator x | | | x x x | | | x x x x | | | x x | | | +----------+ | | | +----------+ | |------+ | +-------| | | Public | | | Private | | Registry | +-----+ | Registry | | | | DNS | | | +----------+ +-----+ +----------+ Figure 1: "General UAS RID Usage Scenario" Figure 1 illustrates a typical case where there may be: multiple Observers, some of them members of the general public, others government officers with public safety/security responsibilities; multiple UA in flight within observation range, each with its own pilot/operator; at least one registry each for lookup of public and (by authorized parties only) private information regarding the UAS and their pilots/operators; and in the DRIP vision, DNS resolving various identifiers and locators of the entities involved. Note the absence of any links to/from the UA in the figure; this is because UAS RID and other connectivity involving the UA varies as described below. An Observer of UA may need to classify them, as illustrated notionally in Figure 2, for basic airspace Situational Awareness (SA). An Observer who classifies a UAS: as Taskable, can ask it to Card, et al. Expires 20 August 2021 [Page 4] Internet-Draft DRIP Requirements February 2021 do something useful; as Low Concern, can reasonably assume it is not malicious and would cooperate with requests to modify its flight plans for safety concerns that arise; as High Concern or Unidentified, can focus surveillance on it. xxxxxxx +--------------+ x x No | | x ID? x+---->| Unidentified | x x | | xxxxxxx +--------------+ + | Yes v xxxxxxx x x +---------+x Type? x+----------+ | x x | | xxxxxxx | | + | v v v +--------------+ +--------------+ +--------------+ | | | | | | | Taskable | | Low Concern | | High Concern | | | | | | | +--------------+ +--------------+ +--------------+ Figure 2: "Notional UAS Classification" ASTM International, Technical Committee F38 (UAS), Subcommittee F38.02 (Aircraft Operations), Work Item WK65041, developed the widely cited Standard Specification for Remote ID and Tracking [F3411-19]: the published standard is available for purchase from ASTM and as an ASTM membership premium; early drafts are freely available as [OpenDroneID] specifications. [F3411-19] is frequently referenced in DRIP, where building upon its link layers and both enhancing support for and expanding the scope of its applications are central foci. In many applications, including UAS RID, identification and identifiers are not ends in themselves; they exist to enable lookups and provision of other services. Card, et al. Expires 20 August 2021 [Page 5] Internet-Draft DRIP Requirements February 2021 Using UAS RID to facilitate vehicular (V2X) communications and applications such as Detect And Avoid (DAA), which would impose tighter latency bounds than RID itself, is an obvious possibility, explicitly contemplated in the United States (US) Federal Aviation Administration (FAA) Remote Identification of Unmanned Aircraft rule [FRUR]. However, applications of RID beyond RID itself, including DAA, have been declared out of scope in ASTM F38.02 WK65041, based on a distinction between RID as a security standard vs DAA as a safety application. [Opinion1] and [WG105] cite the Direct Remote Identification (DRI) previously required and specified, explicitly stating that whereas DRI is primarily for security purposes, the "Network Identification Service" [Opinion1] (in the context of U-space [InitialView]) or "Electronic Identification" [WG105] is primarily for safety purposes (e.g., Air Traffic Management, especially hazards deconfliction) and also is allowed to be used for other purposes such as support of efficient operations. These emerging standards allow the security and safety oriented systems to be separate or merged. In addition to mandating both Broadcast and Network one-way to Observers, they will use V2V to other UAS (also likely to and/or from some manned aircraft). These reflect the broad scope of the European Union (EU) U-space concept, as being developed in the Single European Sky ATM Research (SESAR) Joint Undertaking, the U-space architectural principles of which are outlined in [InitialView]. ASD-STAN is an Associated Body to CEN (European Committee for Standardization) for Aerospace Standards. It is publishing an EU standard "Aerospace series - Unmanned Aircraft Systems - Part 002: Direct Remote Identification; English version prEN 4709-002:2020" [ASDRI]. It will provide compliance to cover the identical DRI requirements applicable to drones of classes C1 - [Delegated] Part 2, C2 - [Delegated] Part 3, C3 - [Delegated] Part 4, C5 - [Amended] Part 16, and C6 - [Amended] Part 17. [ASDRI] provides UA capability to be identified in real time during the whole duration of the flight, without specific connectivity or ground infrastructure link, utilizing existing mobile devices within broadcast range. It uses Bluetooth 4, Bluetooth 5, Wi-Fi NAN and/or Wi-Fi Beacon modes. The EU standard emphasis was compatibility with [F3411-19], although there are differences in mandatory and optional message types and fields. The DRI system broadcasts locally: 1. the UAS operator registration number; 2. the [CTA2063A] compliant unique serial number of the UA; Card, et al. Expires 20 August 2021 [Page 6] Internet-Draft DRIP Requirements February 2021 3. a time stamp, the geographical position of the UA, and its height AGL or above its take-off point; 4. the UA ground speed and route course measured clockwise from true north; 5. the geographical position of the remote pilot, or if that is not available, the geographical position of the UA take-off point; and 6. for Classes C1, C2, C3, the UAS emergency status. The data is sent in plain text and the UAS operator registration number is represented as a 16-byte string including the state code. The private id part contains 3 characters which are not broadcast but used by authorities to access regional registration databases for verification. The target is to revise the current standard with additional functionality (e.g., DRIP) to be published before 2022. Security oriented UAS RID essentially has two goals: enable the general public to obtain and record an opaque ID for any observed UA, which they can then report to authorities; enable authorities, from such an ID, to look up information about the UAS and its operator. Safety oriented UAS RID has stronger requirements. Aviation community Standards Development Organizations (SDOs) set a higher bar for safety than for security, especially with respect to reliability. Although dynamic establishment of secure communications between the Observer and the UAS pilot seems to have been contemplated by the FAA UAS ID and Tracking Aviation Rulemaking Committee (ARC) in their [Recommendations], it is not addressed in any of the subsequent regulations or technical specifications. 1.2. Concerns and Constraints Disambiguation of multiple UA flying in close proximity may be very challenging, even if each is reporting its identity, position, and velocity as accurately as it can. Card, et al. Expires 20 August 2021 [Page 7] Internet-Draft DRIP Requirements February 2021 The origin of all information in UAS RID is operator self-reports. Reports may be initiated by the remote pilot at the Ground Control Station (GCS) console, by a software process on the GCS, or by a process on the UA. Data in the reports may come from the UA (e.g., an on-board GNSS receiver), the GCS (e.g., dead reckoning UA location based on takeoff location and piloting commands given since takeoff), and/or sensors available to the operator (e.g., radar or cameras). Whether information comes proximately from the operator, or from automated systems configured by the operator, there are possibilities not only of unintentional error in, but also of intentional falsification of, this data. Minimal specified information must be made available to the public. Access to other data, e.g., UAS operator Personally Identifiable Information (PII), must be limited to strongly authenticated personnel, properly authorized in accordance with applicable policy. The balance between privacy and transparency remains a subject for public debate and regulatory action; DRIP can only offer tools to expand the achievable trade space and enable trade-offs within that space. [F3411-19], the basis for most current (2021) thinking about and efforts to provide UAS RID, specifies only how to get the UAS ID to the Observer: how the Observer can perform these lookups and how the registries first can be populated with information are unspecified therein. The need for nearly universal deployment of UAS RID is pressing: consider how negligible the value of an automobile license plate system would be if only 90% of the cars displayed plates. This implies the need to support use by Observers of already ubiquitous mobile devices (typically smartphones and tablets). Anticipating Civil Aviation Authority (CAA) requirements to support legacy devices, especially in light of [Recommendations], [F3411-19] specifies that any UAS sending Broadcast RID over Bluetooth must do so over Bluetooth 4, regardless of whether it also does so over newer versions; as UAS sender devices and Observer receiver devices are unpaired, this implies extremely short "advertisement" (beacon) frames. Wireless data links on the UA are challenging due to low altitude flight amidst structures and foliage over terrain, as well as the severe Cost, Size, Weight, and Power (CSWaP) constraints of devices onboard UA. CSWaP is a burden not only on the designers of new UA for production and sale, but also on owners of existing UA that must be retrofit. Radio Controlled (RC) aircraft modelers, "hams" who use licensed amateur radio frequencies to control UAS, drone hobbyists, and others who custom build UAS, all need means of participating in UAS RID, sensitive to both generic CSWaP and application-specific considerations. Card, et al. Expires 20 August 2021 [Page 8] Internet-Draft DRIP Requirements February 2021 To accommodate the most severely constrained cases, all these conspire to motivate system design decisions that complicate the protocol design problem. All UA are constrained by their batteries (both instantaneous power and total energy) and small UA imply small antennas, so wireless air to ground links will generally be slow and unreliable. Densely populated volumes will suffer from link congestion: even if UA in an airspace volume are few, other transmitters nearby on the ground, sharing the same license free spectral band may be many. Broadcast RID uses one-way data links. Bluetooth 4 restricts broadcast messages to fit in extremely short "advertisement" packets. UA onboard devices may have Internet connectivity only intermittently, or not at all, during flight. Internet-disconnected operation of Observer devices has been deemed by ASTM F38.02 too infrequent to address, but for some users is important and presents further challenges. As RID must often operate within these constraints, heavyweight cryptographic security protocols or even simple cryptographic handshakes are infeasible, yet trustworthiness of UAS RID information is essential. Under [F3411-19], _even the most basic datum, the UAS ID itself, can be merely an unsubstantiated claim_. Observer devices being ubiquitous, thus popular targets for malware or other compromise, cannot be generally trusted (although the user of each device is compelled to trust that device, to some extent); a "fair witness" functionality (inspired by [Stranger]) is desirable. Despite work by regulators and SDOs, there are substantial gaps in UAS standards generally and UAS RID specifically. [Roadmap] catalogs UAS related standards, ongoing standardization activities and gaps (as of 2020); Section 7.8 catalogs those related specifically to UAS RID. DRIP will address the most fundamental of these gaps, as foreshadowed above. 1.3. DRIP Scope DRIP's initial goal is to make RID immediately actionable, in both Internet and local-only connected scenarios (especially emergencies), in severely constrained UAS environments, balancing legitimate (e.g., public safety) authorities' Need To Know trustworthy information with UAS operators' privacy. By "immediately actionable" is meant information of sufficient precision, accuracy, timeliness, etc. for an Observer to use it as the basis for immediate decisive action, whether that be to trigger a defensive counter-UAS system, to attempt to initiate communications with the UAS operator, to accept the presence of the UAS in the airspace where/when observed as not requiring further action, or whatever, with potentially severe consequences of any action or inaction chosen based on that Card, et al. Expires 20 August 2021 [Page 9] Internet-Draft DRIP Requirements February 2021 information. For further explanation of the concept of immediate actionability, see [ENISACSIRT]. Note that UAS RID must achieve nearly universal adoption, but DRIP can add value even if only selectively deployed. Authorities with jurisdiction over more sensitive airspace volumes may set a higher than generally mandated RID requirement for flight in such volumes. Those with a greater need for high-confidence IFF can equip with DRIP, enabling strong authentication of their own aircraft and allied operators without regard for the weaker (if any) authentication of others. DRIP (originally Trustworthy Multipurpose Remote Identification, TM- RID) potentially could be applied to verifiably identify other types of registered things reported to be in specified physical locations, and providing timely trustworthy identification data is also prerequisite to identity-oriented networking, but the urgent motivation and clear initial focus is UAS. Existing Internet resources (protocol standards, services, infrastructure, and business models) should be leveraged. 1.4. Document Scope This document describes the problem space for UAS RID conforming to proposed regulations and external technical standards, defines common terminology, specifies numbered requirements for DRIP, identifies some important considerations (IANA, security, privacy and transparency), and discusses limitations. A natural Internet based approach to meet these requirements is described in a companion architecture document [drip-architecture] and elaborated in other DRIP documents. 2. Terms and Definitions 2.1. Requirements Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Card, et al. Expires 20 August 2021 [Page 10] Internet-Draft DRIP Requirements February 2021 2.2. Definitions This section defines a non-comprehensive set of terms expected to be used in DRIP documents. This list is meant to be the DRIP terminology reference; as such, some of the terms listed below are not used in this document. [RFC4949] provides a glossary of Internet security terms that should be used where applicable. In the UAS community, the plural form of acronyms generally is the same as the singular form, e.g., Unmanned Aircraft System (singular) and Unmanned Aircraft Systems (plural) are both represented as UAS. On this and other terminological issues, to encourage comprehension necessary for adoption of DRIP by the intended user community, that community's norms are respected herein, and definitions are quoted in cases where they have been found in that community's documents. Most of the listed terms are from that community (even if specific source documents are not cited); any that are DRIP-specific or invented by the authors of this document are marked "(DRIP)". 4-D Four-dimensional. Latitude, Longitude, Altitude, Time. Used especially to delineate an airspace volume in which an operation is being or will be conducted. AAA Attestation, Authentication, Authorization, Access Control, Accounting, Attribution, Audit, or any subset thereof (uses differ by application, author, and context). (DRIP) ABDAA AirBorne DAA. Accomplished using systems onboard the aircraft involved. Supports "self-separation" (remaining "well clear" of other aircraft) and collision avoidance. ADS-B Automatic Dependent Surveillance - Broadcast. "ADS-B Out" equipment obtains aircraft position from other on-board systems (typically GNSS) and periodically broadcasts it to "ADS-B In" equipped entities, including other aircraft, ground stations, and satellite based monitoring systems. AGL Above Ground Level. Relative altitude, above the variously defined local ground level, typically of a UA, measured in feet or meters. Should be explicitly specified as either barometric (pressure) or geodetic (GNSS) altitude. Card, et al. Expires 20 August 2021 [Page 11] Internet-Draft DRIP Requirements February 2021 ATC Air Traffic Control. Explicit flight direction to pilots from ground controllers. Contrast with ATM. ATM Air Traffic Management. A broader functional and geographic scope and/or a higher layer of abstraction than ATC. "The dynamic, integrated management of air traffic and airspace including air traffic services, airspace management and air traffic flow management - safely, economically and efficiently - through the provision of facilities and seamless services in collaboration with all parties and involving airborne and ground-based functions" [ICAOATM]. Authentication Message [F3411-19] Message Type 2. Provides framing for authentication data, only. Basic ID Message [F3411-19] Message Type 0. Provides UA Type, UAS ID Type, and UAS ID, only. BVLOS Beyond Visual Line Of Sight. See VLOS. CAA Civil Aviation Authority of a regulatory jurisdiction. Often so named, but other examples include the United States Federal Aviation Administration (FAA) and the Japan Civil Aviation Bureau. CSWaP Cost, Size, Weight, and Power. C2 Command and Control. Previously mostly used in military contexts. Properly refers to a function, exercisable over arbitrary communications; but in the small UAS context, often refers to the communications (typically RF data link) over which the GCS controls the UA. DAA Detect And Avoid, formerly Sense And Avoid (SAA). A means of keeping aircraft "well clear" of each other and obstacles for safety. "The capability to see, sense or detect conflicting traffic or other hazards and take the appropriate action to comply with the applicable rules of flight" [ICAOUAS]. Card, et al. Expires 20 August 2021 [Page 12] Internet-Draft DRIP Requirements February 2021 DRI (not to be confused with DRIP) Direct Remote Identification. EU regulatory requirement for "a system that ensures the local broadcast of information about a UA in operation, including the marking of the UA, so that this information can be obtained without physical access to the UA". [Delegated] that presumably can be satisfied with appropriately configured [F3411-19] Broadcast RID. DSS Discovery and Synchronization Service. Formerly Inter-USS. The UTM system overlay network backbone. Most importantly, it enables one USS to learn which other USS have UAS operating in a given 4-D airspace volume, for strategic deconfliction of planned operations and Network RID surveillance of active operations. [F3411-19] EUROCAE European Organisation for Civil Aviation Equipment. Aviation SDO, originally European, now with broader membership. Cooperates extensively with RTCA. GBDAA Ground Based DAA. Accomplished with the aid of ground based functions. GCS Ground Control Station. The part of the UAS that the remote pilot uses to exercise C2 over the UA, whether by remotely exercising UA flight controls to fly the UA, by setting GNSS waypoints, or otherwise directing its flight. GNSS Global Navigation Satellite System. Satellite based timing and/or positioning with global coverage, often used to support navigation. GPS Global Positioning System. A specific GNSS, but in the UAS context, the term is typically misused in place of the more generic term GNSS. GRAIN Global Resilient Aviation Interoperable Network. ICAO managed IPv6 overlay internetwork based on IATF, dedicated to aviation (but not just aircraft). Currently (2021) in design, accommodating the proposed DRIP identifier. Card, et al. Expires 20 August 2021 [Page 13] Internet-Draft DRIP Requirements February 2021 IATF International Aviation Trust Framework. ICAO effort to develop a resilient and secure by design framework for networking in support of all aspects of aviation. ICAO International Civil Aviation Organization. A United Nations specialized agency that develops and harmonizes international standards relating to aviation. LAANC Low Altitude Authorization and Notification Capability. Supports ATC authorization requirements for UAS operations: remote pilots can apply to receive a near real-time authorization for operations under 400 feet in controlled airspace near airports. US partial stopgap until UTM comes. Location/Vector Message [F3411-19] Message Type 1. Provides UA location, altitude, heading, speed, and status. LOS Line Of Sight. An adjectival phrase describing any information transfer that travels in a nearly straight line (e.g., electromagnetic energy, whether in the visual light, RF, or other frequency range) and is subject to blockage. A term to be avoided due to ambiguity, in this context, between RF LOS and VLOS. Message Pack [F3411-19] Message Type 15. The framed concatenation, in message type index order, of at most one message of each type of any subset of the other types. Required to be sent in Wi-Fi NAN and in Bluetooth 5 Extended Advertisements, if those media are used; cannot be sent in Bluetooth 4. MSL Mean Sea Level. Shorthand for relative altitude, above the variously defined mean sea level, typically of a UA (but in [FRUR] also for a GCS), measured in feet or meters. Should be explicitly specified as either barometric (pressure) or geodetic (e.g., as indicated by GNSS, referenced to the WGS84 ellipsoid). Net-RID DP Network RID Display Provider. [F3411-19] logical entity that aggregates data from Net-RID SPs as needed in response to user queries regarding UAS operating within specified airspace volumes, to enable display by a user application on a user device. Potentially could provide not only information sent via UAS RID Card, et al. Expires 20 August 2021 [Page 14] Internet-Draft DRIP Requirements February 2021 but also information retrieved from UAS RID registries or information beyond UAS RID. Under superseded [NPRM], not recognized as a distinct entity, but a service provided by USS, including Public Safety USS that may exist primarily for this purpose rather than to manage any subscribed UAS. Net-RID SP Network RID Service Provider. [F3411-19] logical entity that collects RID messages from UAS and responds to NetRID-DP queries for information on UAS of which it is aware. Under superseded [NPRM], the USS to which the UAS is subscribed ("Remote ID USS"). Network Identification Service EU regulatory requirement in [Opinion1] and [WG105] that presumably can be satisfied with appropriately configured [F3411-19] Network RID. Observer An entity (typically but not necessarily an individual human) who has directly or indirectly observed a UA and wishes to know something about it, starting with its ID. An observer typically is on the ground and local (within VLOS of an observed UA), but could be remote (observing via Network RID or other surveillance), operating another UA, aboard another aircraft, etc. (DRIP) Operation A flight, or series of flights of the same mission, by the same UAS, separated by at most brief ground intervals. (Inferred from UTM usage, no formal definition found) Operator "A person, organization or enterprise engaged in or offering to engage in an aircraft operation" [ICAOUAS]. Operator ID Message [F3411-19] Message Type 5. Provides CAA issued Operator ID, only. Operator ID is distinct from UAS ID. PIC Pilot In Command. "The pilot designated by the operator, or in the case of general aviation, the owner, as being in command and charged with the safe conduct of a flight" [ICAOUAS]. PII Personally Identifiable Information. In the UAS RID context, typically of the UAS Operator, Pilot In Command (PIC), or Remote Pilot, but possibly of an Observer or other party. Card, et al. Expires 20 August 2021 [Page 15] Internet-Draft DRIP Requirements February 2021 Remote Pilot A pilot using a GCS to exercise proximate control of a UA. Either the PIC or under the supervision of the PIC. "The person who manipulates the flight controls of a remotely-piloted aircraft during flight time" [ICAOUAS]. RF Radio Frequency. Adjective, e.g., "RF link", or noun. RF LOS RF Line Of Sight. Typically used in describing a direct radio link between a GCS and the UA under its control, potentially subject to blockage by foliage, structures, terrain, or other vehicles, but less so than VLOS. RTCA Radio Technical Commission for Aeronautics. US aviation SDO. Cooperates extensively with EUROCAE. Self-ID Message [F3411-19] Message Type 3. Provides a 1 byte descriptor and 23 byte ASCII free text field, only. Expected to be used to provide context on the operation, e.g., mission intent. SDO Standards Development Organization. ASTM, IETF, et al. SDSP Supplemental Data Service Provider. An entity that participates in the UTM system, but provides services beyond those specified as basic UTM system functions (e.g., weather data). [FAACONOPS] System Message [F3411-19] Message Type 4. Provides general UAS information, including remote pilot location, multiple UA group operational area, etc. U-space EU concept and emerging framework for integration of UAS into all classes of airspace, specifically including high density urban areas, sharing airspace with manned aircraft [InitialView]. UA Unmanned Aircraft. In popular parlance, "drone". "An aircraft which is intended to operate with no pilot on board" [ICAOUAS]. Card, et al. Expires 20 August 2021 [Page 16] Internet-Draft DRIP Requirements February 2021 UAS Unmanned Aircraft System. Composed of UA, all required on-board subsystems, payload, control station, other required off-board subsystems, any required launch and recovery equipment, all required crew members, and C2 links between UA and control station [F3411-19]. UAS ID UAS identifier. Although called "UAS ID", unique to the UA, neither to the operator (as some UAS registration numbers have been and for exclusively recreational purposes are continuing to be assigned), nor to the combination of GCS and UA that comprise the UAS. _Maximum length of 20 bytes_ [F3411-19]. UAS ID Type UAS Identifier type index. 4 bits, see Section 3, Paragraph 6 for currently defined values 0-3. [F3411-19] UAS RID UAS Remote Identification and tracking. System to enable arbitrary Observers to identify UA during flight. UAS RID Verifier Service System component designed to handle the authentication requirements of RID by offloading verification to a web hosted service [F3411-19]. USS UAS Service Supplier. "A USS is an entity that assists UAS Operators with meeting UTM operational requirements that enable safe and efficient use of airspace" and "... provide services to support the UAS community, to connect Operators and other entities to enable information flow across the USS Network, and to promote shared situational awareness among UTM participants" [FAACONOPS]. UTM UAS Traffic Management. "A specific aspect of air traffic management which manages UAS operations safely, economically and efficiently through the provision of facilities and a seamless set of services in collaboration with all parties and involving airborne and ground-based functions" [ICAOUTM]. In the US, according to the FAA, a "traffic management" ecosystem for "uncontrolled" low altitude UAS operations, separate from, but complementary to, the FAA's ATC system for "controlled" operations of manned aircraft. Card, et al. Expires 20 August 2021 [Page 17] Internet-Draft DRIP Requirements February 2021 V2V Vehicle-to-Vehicle. Originally communications between automobiles, now extended to apply to communications between vehicles generally. Often, together with Vehicle-to- Infrastructure (V2I) etc., generalized to V2X. VLOS Visual Line Of Sight. Typically used in describing operation of a UA by a "remote" pilot who can clearly directly (without video cameras or any aids other than glasses or under some rules binoculars) see the UA and its immediate flight environment. Potentially subject to blockage by foliage, structures, terrain, or other vehicles, more so than RF LOS. 3. UAS RID Problem Space Civil Aviation Authorities (CAAs) worldwide are mandating UAS RID. The European Union Aviation Safety Agency (EASA) has published [Delegated] and [Implementing] Regulations. The US FAA has published a "final" rule [FRUR] and has described the key role that UAS RID plays in UAS Traffic Management (UTM) in [FAACONOPS] (especially Section 2.6). CAAs currently (2021) promulgate performance-based regulations that do not specify techniques, but rather cite industry consensus technical standards as acceptable means of compliance. The most widely cited such industry consensus technical standard for UAS RID is [F3411-19], which defines two means of UAS RID: Network RID defines a set of information for UAS to make available globally indirectly via the Internet, through servers that can be queried by Observers. Broadcast RID defines a set of messages for UA to transmit locally directly one-way over Bluetooth or Wi-Fi (without IP or any other protocols between the data link and application layers), to be received in real time by local Observers. UAS using both means must send the same UAS RID application layer information via each [F3411-19]. The presentation may differ, as Network RID defines a data dictionary, whereas Broadcast RID defines message formats (which carry items from that same data dictionary). The interval (or rate) at which it is sent may differ, as Network RID can accommodate Observer queries asynchronous to UAS updates (which generally need be sent only when information, such as location, changes), whereas Broadcast RID depends upon Observers receiving UA messages at the time they are transmitted. Card, et al. Expires 20 August 2021 [Page 18] Internet-Draft DRIP Requirements February 2021 Network RID depends upon Internet connectivity in several segments from the UAS to each Observer. Broadcast RID should need Internet (or other Wide Area Network) connectivity only for UAS registry information lookup using the directly locally received UAS Identifier (UAS ID) as a key. Broadcast RID does not assume IP connectivity of UAS; messages are encapsulated by the UA without IP, directly in Bluetooth or Wi-Fi Neighbor Awareness Networking [WiFiNAN] link layer frames. [F3411-19] specifies three UAS ID types: TYPE-1 A static, manufacturer assigned, hardware serial number as defined in ANSI/CTA-2063-A "Small Unmanned Aerial System Serial Numbers" [CTA2063A]. TYPE-2 A CAA assigned (generally static) ID, like the registration number of a manned aircraft. TYPE-3 A UTM system assigned UUID [RFC4122], which can but need not be dynamic. Per [Delegated], the EU allows only Type 1. Under [FRUR], the US allows Types 1 and 3. [NPRM] proposed that a Type 3 "Session ID" would be "e.g., a randomly-generated alphanumeric code assigned by a Remote ID USS on a per-flight basis designed to provide additional privacy to the operator", but given the omission of Network RID from [FRUR], how this is to be assigned in the US is still to be determined. As yet apparently there are no CAA public proposals to use Type 2. In the preamble of [FRUR], the FAA argues that registration numbers should not be sent in RID, insists that the capability of looking up registration numbers from information contained in RID should be restricted to FAA and other Government agencies, and implies that Session ID would be linked to the registration number only indirectly via the serial number in the registration database. The possibility of cryptographically blinding registration numbers, such that they can be revealed under specified circumstances, does not appear to be mentioned in applicable regulations or external technical standards. Under [Delegated], the EU also requires an operator registration number (an additional identifier distinct from the UAS ID) that can be carried in an [F3411-19] optional Operator ID message. [FRUR] allows RID requirements to be met by either the UA itself, which is then designated a "standard remote identification unmanned aircraft", or by an add-on "remote identification broadcast module". Relative to a standard RID UA, the different requirements for a Card, et al. Expires 20 August 2021 [Page 19] Internet-Draft DRIP Requirements February 2021 module are that the latter: must transmit its own serial number (neither the serial number of the UA to which it is attached, nor a Session ID); must transmit takeoff location as a proxy for the location of the pilot/GCS; need not transmit UA emergency status; and is allowed to be used only for operations within VLOS of the remote pilot. Jurisdictions may relax or waive RID requirements for certain operators and/or under certain conditions. For example, [FRUR] allows operators with UAS not equipped for RID to conduct VLOS operations at counter-intuitively named "FAA-recognized identification areas" (FRIA); radio controlled model aircraft flying clubs and other eligible organizations can apply to the FAA for such recognition of their operating areas. 3.1. Network RID x x UA xxxxxxx | \ | \ | \ | \ ******************** | \* ------*---+------------+ | *\ / * | NET_Rid_SP | | * ------------/ +---*--+------------+ | RF */ | * | / INTERNET | * +------------+ | /* +---*--| NET_Rid_DP | | / * +----*--+------------+ + / * | * x / ****************|*** x xxxxx | xxxxx x +------- x x x x x Operator's GCS Observer x x x x x x Figure 3: "Network RID Information Flow" Figure 3 illustrates Network RID information flows. Only two of the three typically wireless links shown involving the UAS (UA-GCS, UA- Internet, and GCS-Internet) need exist. All three may exist, at the same or different times, especially in Beyond Visual Line Of Sight (BVLOS) operations. There must be some information flow path (direct or indirect) between the GCS and the UA, for the former to exercise C2 over the latter. If this path is two-way (as increasingly it is, even for inexpensive small UAS), the UA will also send its status Card, et al. Expires 20 August 2021 [Page 20] Internet-Draft DRIP Requirements February 2021 (and position, if suitably equipped, e.g., with GNSS) to the GCS. There also must be some path between at least one subsystem of the UAS (UA or GCS) and the Internet, for the former to send status and position updates to its USS (serving _inter alia_ as a Net-RID SP). Direct UA-Internet wireless links are expected to become more common, especially on larger UAS, but currently (2021) are rare. Instead, the RID data flow typically originates on the UA and passes through the GCS, or originates on the GCS. Network RID data makes three trips through the Internet (GCS-SP, SP-DP, DP-Observer, unless any of them are colocated), implying use of IP (and other middle layer protocols) on those trips. IP is not necessarily used or supported on the UA-GCS link (if indeed that direct link exists, as it typically does now, but in BVLOS operations often will not). Network RID is publish-subscribe-query. In the UTM context: 1. The UAS operator pushes an "operational intent" (the current term in UTM corresponding to a flight plan in manned aviation) to the USS (call it USS#1) that will serve that UAS (call it UAS#1) for that operation, primarily to enable deconfliction with other operations potentially impinging upon that operation's 4-D airspace volume (call it Volume#1). 2. Assuming the operation is approved and commences, UAS#1 periodically pushes location/status updates to USS#1, which serves _inter alia_ as the Network RID Service Provider (Net-RID SP) for that operation. 3. When users of any other USS (whether they be other UAS operators or Observers) develop an interest in any 4-D airspace volume (e.g., because they wish to submit an operational intent or because they have observed a UA), they query their own USS on the volumes in which they are interested. 4. Their USS query, via the UTM Discovery and Synchronization Service (DSS), all other USS in the UTM system, and learn of any USS that have operations in those volumes (including any volumes intersecting them); thus those USS whose query volumes intersect Volume#1 (call them USS#2 through USS#n) learn that USS#1 has such operations. 5. Interested parties can then subscribe to track updates on that operation of UAS#1, via their own USS, which serve as Network RID Display Providers (Net-RID DP) for that operation. Card, et al. Expires 20 August 2021 [Page 21] Internet-Draft DRIP Requirements February 2021 6. USS#1 (as Net-RID SP) will then publish updates of UAS#1 status and position to all other subscribed USS in USS#2 through USS#n (as Net-RID DP). 7. All Net-RID DP subscribed to that operation of UAS#1 will deliver its track information to their users who subscribed to that operation of UAS#1, via unspecified (generally presumed to be web browser based) means. Network RID has several variants. The UA may have persistent onboard Internet connectivity, in which case it can consistently source RID information directly over the Internet. The UA may have intermittent onboard Internet connectivity, in which case the GCS must source RID information whenever the UA itself is offline. The UA may not have Internet connectivity of its own, but have instead some other form of communications to another node that can relay RID information to the Internet. In this last case, the relay would typically be the GCS (which to perform its function must know where the UA is, although C2 link outages do occur). The UA may have no means of sourcing RID information, in which case the GCS or some other interface available to the operator must source it. In the extreme case, this could be the pilot using a web browser/application to designate, to a UAS Service Supplier (USS) or other UTM entity, a time-bounded airspace volume in which an operation will be conducted. This is referred to as a "non-equipped network participant". This may impede disambiguation of ID if multiple UAS operate in the same or overlapping 4-D volumes. In most cases in the near term (2021), the Network RID first hop data link is likely to be cellular Long Term Evolution (LTE), which can also support BVLOS C2 over existing large coverage areas, or Wi-Fi, which can also support Broadcast RID. However, provided the data link can support at least UDP/IP and ideally also TCP/IP, its type is generally immaterial to higher layer protocols. The UAS, as the ultimate source of Network RID information, feeds a Network RID Service Provider (Net-RID SP, typically the USS to which the UAS operator subscribes), which proxies for the UAS and other data sources. An Observer or other ultimate consumer of Network RID information obtains it from a Network RID Display Provider (Net-RID DP, also typically a USS), which aggregates information from multiple Net-RID SPs to offer airspace Situational Awareness (SA) coverage of a volume of interest. Network RID Service and Display providers are expected to be implemented as servers in well-connected infrastructure, communicating with each other via the Internet, and accessible by Observers via means such as web Application Programming Interfaces (APIs) and browsers. Card, et al. Expires 20 August 2021 [Page 22] Internet-Draft DRIP Requirements February 2021 Network RID is the less constrained of the defined UAS RID means. [F3411-19] specifies only Net-RID SP to Net-RID DP information exchanges. It is presumed that IETF efforts supporting the more constrained Broadcast RID (see next section) can be generalized for Network RID and potentially also for UAS to USS or other UTM communications. 3.2. Broadcast RID x x UA xxxxx | | | app messages directly over one-way RF data link | | + x xxxxx x x x x Observer's device (e.g., smartphone) x x Figure 4: "Broadcast RID Information Flow" Figure 4 illustrates Broadcast RID information flow. Note the absence of the Internet from the figure. This is because Broadcast RID is one-way direct transmission of application layer messages over a RF data link (without IP or other middle layer protocols) from the UA to local Observer devices. Internet connectivity is involved only in what the Observer chooses to do with the information received, such as verify signatures using a web based verifier service and look up information in registries using the UAS ID as the primary unique key. Broadcast RID is conceptually similar to Automatic Dependent Surveillance - Broadcast (ADS-B). However, for various technical and other reasons, regulators including the EASA have not indicated intent to allow, and FAA has explicitly prohibited, use of ADS-B for UAS RID. [F3411-19] specifies four Broadcast RID data links: Bluetooth 4.x, Bluetooth 5.x with Extended Advertisements and Long Range Coded PHY (S=8), Wi-Fi with Neighbor Awareness Networking (NAN) at 2.4 GHz, and Wi-Fi NAN at 5 GHz. A UA must broadcast (using advertisement mechanisms where no other option supports broadcast) on at least one of these. If sending on Bluetooth 5.x, it is also required Card, et al. Expires 20 August 2021 [Page 23] Internet-Draft DRIP Requirements February 2021 concurrently to do so on 4.x (referred to in [F3411-19] as Bluetooth Legacy); current (2021) discussions in ASTM F38.02 on revising the standard include reversing this. If broadcasting Wi-Fi NAN at 5 GHz, it is also required concurrently to do so at 2.4 GHz; current discussions in F38.02 include relaxing this. Wi-Fi Beacons are also under consideration. Future revisions of [F3411-19] may allow other data links. The selection of the Broadcast media was driven by research into what is commonly available on 'ground' units (smartphones and tablets) and what was found as prevalent or 'affordable' in UA. Further, there must be an Application Programming Interface (API) for the observer's receiving application to have access to these messages. As yet only Bluetooth 4.x support is readily available, thus the current focus is on working within the 25 byte limit of the Bluetooth 4.x "Broadcast Frame" transmitted on beacon channels. After nominal overheads, this limits the UAS ID string to a maximum length of 20 bytes, and precludes the same frame carrying position, velocity, and other information that should be bound to the UAS ID, much less strong authentication data. This requires segmentation ("paging") of longer messages and correlation of short messages (anticipated by ASTM to be done on the basis of MAC address, which is weak and unverifiable) on Bluetooth 4.x; data elements are not so detached on other media (see Message Pack below). [F3411-19] Broadcast RID specifies several message types. The 4 bit message type field in the header can index up to 16 types. Only 7 are currently defined. Only 2 are mandatory. All others are optional, unless required by a jurisdictional authority, e.g., a CAA. To satisfy EASA and FAA rules, all types are needed, except Self-ID and Authentication. The Message Pack (type 0xF) is not actually a message, but the framed concatenation of at most one message of each type of any subset of the other types, in type index order; it is the sole frame type on links that can encapsulate it (Bluetooth 5.x and Wi-Fi). Card, et al. Expires 20 August 2021 [Page 24] Internet-Draft DRIP Requirements February 2021 +-----------------------+-----------------+-----------+-----------+ | Index | Name | Req | Notes | +-----------------------+-----------------+-----------+-----------+ | 0x0 | Basic ID | Mandatory | - | +-----------------------+-----------------+-----------+-----------+ | 0x1 | Location/Vector | Mandatory | - | +-----------------------+-----------------+-----------+-----------+ | 0x2 | Authentication | Optional | paged | +-----------------------+-----------------+-----------+-----------+ | 0x3 | Self-ID | Optional | free text | +-----------------------+-----------------+-----------+-----------+ | 0x4 | System | Optional | - | +-----------------------+-----------------+-----------+-----------+ | 0x5 | Operator | Optional | - | +-----------------------+-----------------+-----------+-----------+ | 0xF | Message Pack | - | BT5 and | | | | | Wi-Fi | +-----------------------+-----------------+-----------+-----------+ | See Section 5.4.5 and | - | - | - | | Table 3 of [F3411-19] | | | | +-----------------------+-----------------+-----------+-----------+ Table 1: F3411-19 Message Types [F3411-19] Broadcast RID specifies very few quantitative performance requirements: static information must be transmitted at least once per 3 seconds; dynamic information (the Location/Vector message) must be transmitted at least once per second and be no older than one second when sent. [FRUR] requires all information be sent at least once per second. [F3411-19] Broadcast RID transmits all information as cleartext (ASCII or binary), so static IDs enable trivial correlation of patterns of use, unacceptable in many applications, e.g., package delivery routes of competitors. Any UA can assert any ID using the [F3411-19] required Basic ID message, which lacks any provisions for verification. The Position/ Vector message likewise lacks provisions for verification, and does not contain the ID, so must be correlated somehow with a Basic ID message: the developers of [F3411-19] have suggested using the MAC addresses on the Broadcast RID data link, but these may be randomized by the operating system stack to avoid the adversarial correlation problems of static identifiers. The [F3411-19] optional Authentication Message specifies framing for authentication data, but does not specify any authentication method, and the maximum length of the specified framing is too short for Card, et al. Expires 20 August 2021 [Page 25] Internet-Draft DRIP Requirements February 2021 conventional digital signatures and far too short for conventional certificates. The one-way nature of Broadcast RID precludes challenge-response security protocols (e.g., observers sending nonces to UA, to be returned in signed messages). An Observer would be seriously challenged to validate the asserted UAS ID or any other information about the UAS or its operator looked up therefrom. 3.3. USS in UTM and RID UAS RID and UTM are complementary; Network RID is a UTM service. The backbone of the UTM system is comprised of multiple USS: one or several per jurisdiction; some limited to a single jurisdiction, others spanning multiple jurisdictions. USS also serve as the principal or perhaps the sole interface for operators and UAS into the UTM environment. Each operator subscribes to at least one USS. Each UAS is registered by its operator in at least one USS. Each operational intent is submitted to one USS; if approved, that UAS and operator can commence that operation. During the operation, status and location of that UAS must be reported to that USS, which in turn provides information as needed about that operator, UAS, and operation into the UTM system and to Observers via Network RID. USS provide services not limited to Network RID; indeed, the primary USS function is deconfliction of airspace usage by different UAS and other (e.g., manned aircraft, rocket launch) operations. Most deconfliction involving a given operation is hoped to be completed prior to commencing that operation, and is called "strategic deconfliction". If that fails, "tactical deconfliction" comes into play; ABDAA may not involve USS, but GBDAA likely will. Dynamic constraints, formerly called UAS Volume Restrictions (UVR), can be necessitated by local emergencies, extreme weather, etc., specified by authorities on the ground, and propagated in UTM. No role for USS in Broadcast RID is currently specified by regulators or [F3411-19]. However, USS are likely to serve as registries (or perhaps registrars) for UAS (and perhaps operators); if so, USS will have a role in all forms of RID. Supplemental Data Service Providers (SDSP) are also likely to find roles, not only in UTM as such but also in enhancing UAS RID and related services. Whether USS, SDSP, etc. are involved or not, RID services, narrowly defined, provide regulator specified identification information; more broadly defined, RID services may leverage identification to facilitate related services or functions, likely beginning with V2X. Card, et al. Expires 20 August 2021 [Page 26] Internet-Draft DRIP Requirements February 2021 3.4. DRIP Focus In addition to the gaps described above, there is a fundamental gap in almost all current or proposed regulations and technical standards for UAS RID. As noted above, ID is not an end in itself, but a means. Protocols specified in [F3411-19] etc. provide limited information potentially enabling, and no technical means for, an Observer to communicate with the pilot, e.g., to request further information on the UAS operation or exit from an airspace volume in an emergency. The System Message provides the location of the pilot/ GCS, so an observer could physically go to the asserted location to look for the remote pilot; this is at best slow and may not be feasible. What if the pilot is on the opposite rim of a canyon, or there are multiple UAS operators to contact, whose GCS all lie in different directions from the Observer? An Observer with Internet connectivity and access privileges could look up operator PII in a registry, then call a phone number in hopes someone who can immediately influence the UAS operation will answer promptly during that operation; this is at best unreliable and may not be prudent. Should pilots be encouraged to answer phone calls while flying? Internet technologies can do much better than this. Thus complementing [F3411-19] with protocols enabling strong authentication, preserving operator privacy while enabling immediate use of information by authorized parties, is critical to achieve widespread adoption of a RID system supporting safe and secure operation of UAS. DRIP will focus on making information obtained via UAS RID immediately usable: 1. by making it trustworthy (despite the severe constraints of Broadcast RID); 2. by enabling verification that a UAS is registered for RID, and if so, in which registry (for classification of trusted operators on the basis of known registry vetting, even by observers lacking Internet connectivity at observation time); 3. by facilitating independent reports of UA aeronautical data (location, velocity, etc.) to confirm or refute the operator self-reports upon which UAS RID and UTM tracking are based; 4. by enabling instant establishment, by authorized parties, of secure communications with the remote pilot. Card, et al. Expires 20 August 2021 [Page 27] Internet-Draft DRIP Requirements February 2021 The foregoing considerations, beyond those addressed by baseline UAS RID standards such as [F3411-19], imply the following requirements for DRIP. 4. Requirements The following requirements apply to DRIP as a set of related protocols, various subsets of which, in conjunction with other IETF and external technical standards, may suffice to comply with the regulations in any given jurisdiction or meet any given user need. It is not intended that each and every DRIP protocol alone satisfy each and every requirement. 4.1. General GEN-1 Provable Ownership: DRIP MUST enable verification that the UAS ID asserted in the Basic ID message is that of the actual current sender of the message (i.e., the message is not a replay attack or other spoof, authenticating, e.g., by verifying an asymmetric cryptographic signature using a sender provided public key from which the asserted ID can be at least partially derived), even on an Observer device lacking Internet connectivity at the time of observation. GEN-2 Provable Binding: DRIP MUST enable binding all other [F3411-19] messages from the same actual current sender to the UAS ID asserted in the Basic ID message. GEN-3 Provable Registration: DRIP MUST enable verification that the UAS ID is in a registry and identification of which one, even on an Observer device lacking Internet connectivity at the time of observation; with UAS ID Type 3, the same sender may have multiple IDs, potentially in different registries, but each ID must clearly indicate in which registry it can be found. GEN-4 Readability: DRIP MUST enable information (regulation required elements, whether sent via UAS RID or looked up in registries) to be read and utilized by both humans and software. GEN-5 Gateway: DRIP MUST enable Broadcast RID to Network RID application layer gateways to stamp messages with precise date/time received and receiver location, then relay them to a network service (e.g., SDSP or distributed ledger). Card, et al. Expires 20 August 2021 [Page 28] Internet-Draft DRIP Requirements February 2021 GEN-6 Finger: DRIP MUST enable dynamically establishing, with AAA, per policy, end-to-end strongly encrypted communications with the UAS RID sender and entities looked up from the UAS ID, including at least the remote pilot and USS. GEN-7 QoS: DRIP MUST enable policy based specification of performance and reliability parameters, such as maximum message transmission intervals and delivery latencies. GEN-8 Mobility: DRIP MUST support physical and logical mobility of UA, GCS and Observers. DRIP SHOULD support mobility of essentially all participating nodes (UA, GCS, Observers, Net- RID SP, Net-RID DP, Private Registry, SDSP, and potentially others as RID and UTM evolve). GEN-9 Multihoming: DRIP MUST support multihoming of UA and GCS, for make-before-break smooth handoff and resiliency against path/ link failure. DRIP SHOULD support multihoming of essentially all participating nodes. GEN-10 Multicast: DRIP SHOULD support multicast for efficient and flexible publish-subscribe notifications, e.g., of UAS reporting positions in designated airspace volumes. GEN-11 Management: DRIP SHOULD support monitoring of the health and coverage of Broadcast and Network RID services. Requirements imposed either by regulation or [F3411-19] are not reiterated here, but drive many of the numbered requirements listed here. The [FRUR] regulatory QoS requirement currently would be satisfied by ensuring information refresh rates of at least 1 Hertz, with latencies no greater than 1 second, at least 80% of the time, but these numbers may vary between jurisdictions and over time. So instead the DRIP QoS requirement is that performance, reliability, etc. parameters be user policy specifiable, which does not imply satisfiable in all cases, but (especially together with the management requirement) implies that when specifications are not met, appropriate parties are notified. Card, et al. Expires 20 August 2021 [Page 29] Internet-Draft DRIP Requirements February 2021 The "provable ownership" requirement addresses the possibility that the actual sender is not the claimed sender (i.e., is a spoofer). The "provable binding" requirement addresses the MAC address correlation problem of [F3411-19] noted above. The "provable registration" requirement may impose burdens not only on the UAS sender and the Observer's receiver, but also on the registry; yet it cannot depend upon the Observer being able to contact the registry at the time of observing the UA. The "readability" requirement may involve machine assisted format conversions, e.g., from binary encodings. The "gateway" requirement is in pursuit of three objectives: (1) mark up a RID message with where and when it was actually received, which may agree or disagree with the self-report in the set of messages; (2) defend against replay attacks; and (3) support optional SDSP services such as multilateration, to complement UAS position self- reports with independent measurements. This is the only instance in which DRIP transports [F3411-19] messages; most of DRIP pertains to the authentication of such messages and identifiers carried in them. 4.2. Identifier ID-1 Length: The DRIP entity identifier MUST NOT be longer than 20 bytes, to fit in the UAS ID field of the Basic ID message of [F3411-19]. ID-2 Registry ID: The DRIP identifier MUST be sufficient to identify a registry in which the entity identified therewith is listed. ID-3 Entity ID: The DRIP identifier MUST be sufficient to enable lookups of other data associated with the entity identified therewith in that registry. ID-4 Uniqueness: The DRIP identifier MUST be unique within the applicable global identifier space from when it is first registered therein until it is explicitly de-registered therefrom (due to, e.g., expiration after a specified lifetime, revocation by the registry, or surrender by the operator). ID-5 Non-spoofability: The DRIP identifier MUST NOT be spoofable within the context of a minimal Remote ID broadcast message set (to be specified within DRIP to be sufficient collectively to prove sender ownership of the claimed identifier). Card, et al. Expires 20 August 2021 [Page 30] Internet-Draft DRIP Requirements February 2021 ID-6 Unlinkability: The DRIP identifier MUST NOT facilitate adversarial correlation over multiple operations. If this is accomplished by limiting each identifier to a single use or brief period of usage, the DRIP identifier MUST support well- defined, scalable, timely registration methods. The DRIP identifier can refer to various entities. In the primary initial use case, the entity to be identified is the UA. Entities to be identified in other likely use cases include but are not limited to the operator, USS, and Observer. In all cases, the entity identified must own (have the exclusive capability to use, such that receivers can verify its ownership of) the identifier. The DRIP identifier can be used at various layers. In Broadcast RID, it would be used by the application running directly over the data link. In Network RID, it would be used by the application running over HTTPS (and possibly other protocols). In RID initiated V2X applications such as DAA and C2, it could be used between the network and transport layers (e.g., with HIP or DTLS). Registry ID (which registry the entity is in) and Entity ID (which entity it is, within that registry) are requirements on a single DRIP entity identifier, not separate (types of) ID. In the most common use case, the entity will be the UA, and the DRIP identifier will be the UAS ID; however, other entities may also benefit from having DRIP identifiers, so the entity type is not prescribed here. Whether a UAS ID is generated by the operator, GCS, UA, USS, registry, or some collaboration thereamong, is unspecified; however, there must be agreement on the UAS ID among these entities. 4.3. Privacy PRIV-1 Confidential Handling: DRIP MUST enable confidential handling of private information (i.e., any and all information designated by neither cognizant authority nor the information owner as public, e.g., personal data). Card, et al. Expires 20 August 2021 [Page 31] Internet-Draft DRIP Requirements February 2021 PRIV-2 Encrypted Transport: DRIP MUST enable selective strong encryption of private data in motion in such a manner that only authorized actors can recover it. If transport is via IP, then encryption MUST be end-to-end, at or above the IP layer. DRIP MUST NOT encrypt safety critical data to be transmitted over Broadcast RID in any situation where it is unlikely that local Observers authorized to access the plaintext will be able to decrypt it or obtain it from a service able to decrypt it. DRIP MUST NOT encrypt data when/ where doing so would conflict with applicable regulations or CAA policies/procedures, i.e., DRIP MUST support configurable disabling of encryption. PRIV-3 Encrypted Storage: DRIP SHOULD facilitate selective strong encryption of private data at rest in such a manner that only authorized actors can recover it. PRIV-4 Public/Private Designation: DRIP SHOULD facilitate designation, by cognizant authorities and information owners, which information is public and which private. By default, all information required to be transmitted via Broadcast RID, even when actually sent via Network RID, is assumed to be public; all other information contained in registries for lookup using the UAS ID is assumed to be private. PRIV-5 Pseudonymous Rendezvous: DRIP MAY enable mutual discovery of and communications among participating UAS operators whose UA are in 4-D proximity, using the UAS ID without revealing pilot/operator identity or physical location. In some jurisdictions, the configurable enabling and disabling of encryption may need to be outside the control of the operator. [FRUR] mandates manufacturers design RID equipment with some degree of tamper resistance; the preamble and other FAA commentary suggest this is to reduce the likelihood that an operator, intentionally or unintentionally, might alter the values of the required data elements or disable their transmission in the required manner (e.g., as cleartext). How information is stored on end systems is out of scope for DRIP. Encouraging privacy best practices, including end system storage encryption, by facilitating it with protocol design reflecting such considerations, is in scope. Similar logic applies to methods for designating information as public or private. The privacy requirements above are for DRIP, neither for [F3411-19] (which requires obfuscation of location to any Network RID subscriber engaging in wide area surveillance, limits data retention periods, Card, et al. Expires 20 August 2021 [Page 32] Internet-Draft DRIP Requirements February 2021 etc., in the interests of privacy), nor for UAS RID in any specific jurisdiction (which may have its own regulatory requirements). The requirements above are also in a sense parameterized: who are the "authorized actors", how are they designated, how are they authenticated, etc.? 4.4. Registries REG-1 Public Lookup: DRIP MUST enable lookup, from the UAS ID, of information designated by cognizant authority as public, and MUST NOT restrict access to this information based on identity or role of the party submitting the query. REG-2 Private Lookup: DRIP MUST enable lookup of private information (i.e., any and all information in a registry, associated with the UAS ID, that is designated by neither cognizant authority nor the information owner as public), and MUST, according to applicable policy, enforce AAA, including restriction of access to this information based on identity or role of the party submitting the query. REG-3 Provisioning: DRIP MUST enable provisioning registries with static information on the UAS and its operator, dynamic information on its current operation within the U-space/UTM (including means by which the USS under which the UAS is operating may be contacted for further, typically even more dynamic, information), and Internet direct contact information for services related to the foregoing. REG-4 AAA Policy: DRIP AAA MUST be specifiable by policies; the definitive copies of those policies must be accessible in registries; administration of those policies and all DRIP registries must be protected by AAA. Registries are fundamental to RID. Only very limited information can be Broadcast, but extended information is sometimes needed. The most essential element of information sent is the UAS ID itself, the unique key for lookup of extended information in registries. Beyond designating the UAS ID as that unique key, the registry information model is not specified herein, in part because regulatory requirements for different registries (UAS operators and their UA, each narrowly for UAS RID and broadly for U-space/UTM) and business models for meeting those requirements are in flux. However those may evolve, the essential registry functions remain the same, so are specified herein. Card, et al. Expires 20 August 2021 [Page 33] Internet-Draft DRIP Requirements February 2021 5. IANA Considerations This document does not make any IANA request. 6. Security Considerations DRIP is all about safety and security, so content pertaining to such is not limited to this section. This document does not define any protocols, so security considerations of such are speculative. Potential vulnerabilities of DRIP solutions to these requirements include but are not limited to: * Sybil attacks * confusion created by many spoofed unsigned messages * processing overload induced by attempting to verify many spoofed signed messages (where verification will fail but still consume cycles) * malicious or malfunctioning registries * interception of (e.g., Man In The Middle attacks on) registration messages * UA impersonation through private key extraction, improper key sharing, or carriage of a small (presumably harmless) UA, i.e., as a "false flag", by a larger (malicious) UA It may be inferred from the general requirements (Section 4.1) for provable ownership, provable binding, and provable registration, together with the identifier requirements (Section 4.2), that DRIP must provide: * message integrity * non-repudiation * defense against replay attacks * defense against spoofing One approach to so doing involves verifiably binding the DRIP identifier to a public key. Providing these security features, whether via this approach or another, is likely to be especially challenging for Observers without Internet connectivity at the time of observation. For example, checking the signature of a registry on a public key certificate received via Broadcast RID in a remote area Card, et al. Expires 20 August 2021 [Page 34] Internet-Draft DRIP Requirements February 2021 presumably would require that the registry's public key had been previously installed on the Observer's device, yet there may be many registries and the Observer's device may be storage constrained, and new registries may come on-line subsequent to installation of DRIP software on the Observer's device. Thus there may be caveats on the extent to which requirements can be satisfied in such cases, yet strenuous effort should be made to satisfy them, as such cases, e.g., firefighting in a national forest, are important. 7. Privacy and Transparency Considerations Privacy and transparency are important for legal reasons including regulatory consistency. [EU2018] states "harmonised and interoperable national registration systems... should comply with the applicable Union and national law on privacy and processing of personal data, and the information stored in those registration systems should be easily accessible." Privacy and transparency (where essential to security or safety) are also ethical and moral imperatives. Even in cases where old practices (e.g., automobile registration plates) could be imitated, when new applications involving PII (such as UAS RID) are addressed and newer technologies could enable improving privacy, such opportunities should not be squandered. Thus it is recommended that all DRIP work give due regard to [RFC6973] and more broadly [RFC8280]. However, privacy and transparency are often conflicting goals, demanding careful attention to their balance. DRIP information falls into two classes: that which, to achieve the purpose, must be published openly as cleartext, for the benefit of any Observer (e.g., the basic UAS ID itself); and that which must be protected (e.g., PII of pilots) but made available to properly authorized parties (e.g., public safety personnel who urgently need to contact pilots in emergencies). How properly authorized parties are authorized, authenticated, etc. are questions that extend beyond the scope of DRIP, but DRIP may be able to provide support for such processes. Classification of information as public or private must be made explicit and reflected with markings, design, etc. Classifying the information will be addressed primarily in external standards; herein it will be regarded as a matter for CAA, registry, and operator policies, for which enforcement mechanisms will be defined within the scope of DRIP WG and offered. Details of the protection mechanisms will be provided in other DRIP documents. Mitigation of adversarial correlation will also be addressed. Card, et al. Expires 20 August 2021 [Page 35] Internet-Draft DRIP Requirements February 2021 8. References 8.1. Normative References [F3411-19] ASTM International, "Standard Specification for Remote ID and Tracking", February 2020, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 8.2. Informative References [Amended] European Union Aviation Safety Agency (EASA), "Commission Delegated Regulation (EU) 2020/1058 of 27 April 2020 amending Delegated Regulation (EU) 2019/945", April 2020. [ASDRI] ASD-STAN, "Introduction to the European UAS Digital Remote ID Technical Standard", January 2021. [CPDLC] Gurtov, A., Polishchuk, T., and M. Wernberg, "Controller- Pilot Data Link Communication Security", MDPI Sensors 18(5), 1636, 2018, . [CTA2063A] ANSI, "Small Unmanned Aerial Systems Serial Numbers", September 2019. [Delegated] European Union Aviation Safety Agency (EASA), "Commission Delegated Regulation (EU) 2019/945 of 12 March 2019 on unmanned aircraft systems and on third-country operators of unmanned aircraft systems", March 2019. [drip-architecture] Card, S., Wiethuechter, A., Moskowitz, R., Zhao, S., and A. Gurtov, "Drone Remote Identification Protocol (DRIP) Architecture", Work in Progress, Internet-Draft, draft- ietf-drip-arch-08, 21 January 2021, . Card, et al. Expires 20 August 2021 [Page 36] Internet-Draft DRIP Requirements February 2021 [ENISACSIRT] European Union Agency for Cybersecurity (ENISA), "Actionable information for Security Incident Response", November 2014, . [EU2018] European Parliament and Council, "2015/0277 (COD) PE-CONS 2/18", February 2018. [FAACONOPS] FAA Office of NextGen, "UTM Concept of Operations v2.0", March 2020. [FRUR] Federal Aviation Administration, "Remote Identification of Unmanned Aircraft", January 2021. [I-D.maeurer-raw-ldacs] Maeurer, N., Graeupl, T., and C. Schmitt, "L-band Digital Aeronautical Communications System (LDACS)", Work in Progress, Internet-Draft, draft-maeurer-raw-ldacs-06, 2 October 2020, . [ICAOATM] International Civil Aviation Organization, "Doc 4444: Procedures for Air Navigation Services: Air Traffic Management", November 2016. [ICAOUAS] International Civil Aviation Organization, "Circular 328: Unmanned Aircraft Systems", February 2011. [ICAOUTM] International Civil Aviation Organization, "Unmanned Aircraft Systems Traffic Management (UTM) - A Common Framework with Core Principles for Global Harmonization, Edition 2", November 2019. [Implementing] European Union Aviation Safety Agency (EASA), "Commission Implementing Regulation (EU) 2019/947 of 24 May 2019 on the rules and procedures for the operation of unmanned aircraft", May 2019. [InitialView] SESAR Joint Undertaking, "Initial view on Principles for the U-space architecture", July 2019. Card, et al. Expires 20 August 2021 [Page 37] Internet-Draft DRIP Requirements February 2021 [NPRM] United States Federal Aviation Administration (FAA), "Notice of Proposed Rule Making on Remote Identification of Unmanned Aircraft Systems", December 2019. [OpenDroneID] Intel Corp., "Open Drone ID", March 2019, . [Opinion1] European Union Aviation Safety Agency (EASA), "Opinion No 01/2020: High-level regulatory framework for the U-space", March 2020. [Part107] United States Federal Aviation Administration, "Code of Federal Regulations Part 107", June 2016. [Recommendations] FAA UAS Identification and Tracking Aviation Rulemaking Committee, "UAS ID and Tracking ARC Recommendations Final Report", September 2017. [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, July 2005, . [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, . [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M., and R. Smith, "Privacy Considerations for Internet Protocols", RFC 6973, DOI 10.17487/RFC6973, July 2013, . [RFC8280] ten Oever, N. and C. Cath, "Research into Human Rights Protocol Considerations", RFC 8280, DOI 10.17487/RFC8280, October 2017, . [Roadmap] American National Standards Institute (ANSI) Unmanned Aircraft Systems Standardization Collaborative (UASSC), "Standardization Roadmap for Unmanned Aircraft Systems draft v2.0", April 2020, . [Stranger] Heinlein, R.A., "Stranger in a Strange Land", June 1961. Card, et al. Expires 20 August 2021 [Page 38] Internet-Draft DRIP Requirements February 2021 [WG105] EUROCAE, "WG-105 draft Minimum Operational Performance Standards (MOPS) for Unmanned Aircraft System (UAS) Electronic Identification", June 2020. [WiFiNAN] Wi-Fi Alliance, "Wi-Fi Aware™ Specification Version 3.2", October 2020. Appendix A. Discussion and Limitations This document is largely based on the process of one SDO, ASTM. Therefore, it is tailored to specific needs and data formats of this standard. Other organizations, for example in EU, do not necessary follow the same architecture. The need for drone ID and operator privacy is an open discussion topic. For instance, in the ground vehicular domain each car carries a publicly visible plate number. In some countries, for nominal cost or even for free, anyone can resolve the identity and contact information of the owner. Civil commercial aviation and maritime industries also have a tradition of broadcasting plane or ship ID, coordinates, and even flight plans in plain text. Community networks such as OpenSky and Flightradar use this open information through ADS-B to deploy public services of flight tracking. Many researchers also use these data to perform optimization of routes and airport operations. Such ID information should be integrity protected, but not necessarily confidential. In civil aviation, aircraft identity is broadcast by a device known as transponder. It transmits a four-digit squawk code, which is assigned by a traffic controller to an airplane after approving a flight plan. There are several reserved codes such as 7600 which indicate radio communication failure. The codes are unique in each traffic area and can be re-assigned when entering another control area. The code is transmitted in plain text by the transponder and also used for collision avoidance by a system known as Traffic alert and Collision Avoidance System (TCAS). The system could be used for UAS as well initially, but the code space is quite limited and likely to be exhausted soon. The number of UAS far exceeds the number of civil airplanes in operation. Card, et al. Expires 20 August 2021 [Page 39] Internet-Draft DRIP Requirements February 2021 The ADS-B system is utilized in civil aviation for each "ADS-B Out" equipped airplane to broadcast its ID, coordinates, and altitude for other airplanes and ground control stations. If this system is adopted for drone IDs, it has additional benefit with backward compatibility with civil aviation infrastructure; then, pilots and dispatchers will be able to see UA on their control screens and take those into account. If not, a gateway translation system between the proposed drone ID and civil aviation system should be implemented. Again, system saturation due to large numbers of UAS is a concern. Wi-Fi and Bluetooth are two wireless technologies currently recommended by ASTM specifications due to their widespread use and broadcast nature. However, those have limited range (max 100s of meters) and may not reliably deliver UAS ID at high altitude or distance. Therefore, a study should be made of alternative technologies from the telecom domain (WiMAX / IEEE 802.16, 5G) or sensor networks (Sigfox, LORA). Such transmission technologies can impose additional restrictions on packet sizes and frequency of transmissions, but could provide better energy efficiency and range. In civil aviation, Controller-Pilot Data Link Communications (CPDLC) is used to transmit command and control between the pilots and ATC. It could be considered for UAS as well due to long range and proven use despite its lack of security [CPDLC]. L-band Digital Aeronautical Communications System (LDACS) is being standardized by ICAO and IETF for use in future civil aviation [I-D.maeurer-raw-ldacs]. It provides secure communication, positioning, and control for aircraft using a dedicated radio band. It should be analyzed as a potential provider for UAS RID as well. This will bring the benefit of a global integrated system creating a global airspace use awareness. Acknowledgments The work of the FAA's UAS Identification and Tracking (UAS ID) Aviation Rulemaking Committee (ARC) is the foundation of later ASTM [F3411-19] and IETF DRIP efforts. The work of Gabriel Cox, Intel Corp., and their Open Drone ID collaborators opened UAS RID to a wider community. The work of ASTM F38.02 in balancing the interests of diverse stakeholders is essential to the necessary rapid and widespread deployment of UAS RID. IETF volunteers who have extensively reviewed or otherwise contributed to this document include Amelia Andersdotter, Carsten Bormann, Mohamed Boucadair, Toerless Eckert, Susan Hares, Mika Jarvenpaa, Daniel Migault, Alexandre Petrescu, Saulo Da Silva and Shuai Zhao. Authors' Addresses Card, et al. Expires 20 August 2021 [Page 40] Internet-Draft DRIP Requirements February 2021 Stuart W. Card (editor) AX Enterprize 4947 Commercial Drive Yorkville, NY 13495 United States of America Email: stu.card@axenterprize.com Adam Wiethuechter AX Enterprize 4947 Commercial Drive Yorkville, NY 13495 United States of America Email: adam.wiethuechter@axenterprize.com Robert Moskowitz HTT Consulting Oak Park, MI 48237 United States of America Email: rgm@labs.htt-consult.com Andrei Gurtov Linköping University IDA SE-58183 Linköping Sweden Email: gurtov@acm.org Card, et al. Expires 20 August 2021 [Page 41]