HTT Consulting

Oak Park MI 48237 USA rgm@labs.htt-consult.com

AX Enterprize

4947 Commercial Drive Yorkville NY 13495 USA adam.wiethuechter@axenterprize.com

Internet drip Working Group Internet-Draft This document describes a way for an Internet connected device to forward/proxy received Broadcast Remote ID into UAS Traffic Management (UTM). This is done through a Supplemental Data Service Provider (SDSP) that takes Broadcast Remote ID in from Finder and provides an aggregated view using Network Remote ID data models and protocols. This enables more comprehensive situational awareness and reporting of Unmanned Aircraft (UA) in a "crowd sourced" manner.

Introduction

• Note: This document is directly related and builds from . That draft is a "top, down" approach to understand the concept and high level design. This document is a "bottom, up" implementation of the CS-RID concept. The content of this draft is subject to change and adapt as further development continues.

This document defines a mechanism to capture Broadcast Remote ID (RID) messages on any Internet connected device that receives them and can forward them to Supplemental Data Service Providers (SDSPs) responsible for the geographic area the UA and receivers are in. This data can be aggregated and further decimated to other entities in Unmanned Aircraft Systems (UAS) Traffic Management (UTM) similar to Network RID. It builds upon the introduction of the concepts and terms found in . We call this service Crowd Sourced RID (CS-RID).

Role of Finders These Internet connected devices are herein called "Finders", as they find UAs by listening for Broadcast RID. The Finders are Broadcast RID forwarding proxies. Their potentially limited spacial view of RID messages could result in bad decisions on what messages to send to the SDSP and which to drop. Thus they SHOULD send all received messages and the SDSP will make any filtering decisions in what it forwards into the UTM. Finders can be smartphones, tablets, connected cars, special purpose devices or any computing platform with Internet connectivity that can meet the requirements defined in this document. It is not expected, nor necessary, that Finders have any information about a UAS beyond the content found in Broadcast RID.

Role of Supplemental Data Service Providers The SDSP provides a gateway service for supplemental data into UTM. This document focuses on RID exclusively, other types of supplemental data is out of scope for this document. The primary role of a CS-RID SDSP is to aggregate reports from Finders and forward them as a subscription based service to UTM clients. These clients MAY be a USS or another SDSP. An CS-RID SDSP SHOULD NOT proxy raw data/reports into UTM. An CS-RID SDSP MAY provide such a service, but it is out of scope for this document. An SDSP MAY have its coverage constrained to a manageable area that has value to its subscribers. An CS-RID SDSP MAY not allow public reports of Broadcast RID due to policy. Policies of SDSPs is out of scope for this document. Network RID is the defined interface (protocol and model) for an SDSP to provide Broadcast RID as supplemental data to UTM.

Relationship between Finders & SDSPs Finders MAY only need a loose association with SDSPs. The SDSP MAY require a stronger relationship to the Finders. The relationship MAY be completely open, but still authenticated to requiring encryption. The transport MAY be client-server based (using things like HIP or DTLS) to client push (using things like UDP or HTTPS).

Document Objectives This document standardizes transports between the Finder and SDSP. It also gives an overview of Network RID. Specific details of Network RID is out scope for this document. All models are specified in CDDL .

Terms and Definitions

Requirements Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document uses terms defined in and .

Definitions

ECIES:

Elliptic Curve Integrated Encryption Scheme. A hybrid encryption scheme which provides semantic security against an adversary who is allowed to use chosen-plaintext and chosen-ciphertext attacks.

Finder:

In Internet connected device that can receive Broadcast RID messages and forward them to an SDSP.

Multilateration:

Multilateration (more completely, pseudo range multilateration) is a navigation and surveillance technique based on measurement of the times of arrival (TOAs) of energy waves (radio, acoustic, seismic, etc.) having a known propagation speed.

Problem Space Broadcast and Network RID formats are both defined in using the same data dictionary. Network RID is specified in JSON sent over HTTPS while Broadcast RID is octet structures sent over wireless links.

Advantages of Broadcast Remote ID Advantages over Network RID include:

• more readily be implemented directly in the UA. Network RID will more frequently be provided by the GCS or a pilot's Internet connected device.
  • If Command and Control (C2) is bi-directional over a direct radio connection, Broadcast RID could be a straight-forward addition.
  • Small IoT devices can be mounted on UA to provide Broadcast RID.
• also be used by the UA to assist in Detect and Avoid (DAA).
• is available to observers even in situations with no Internet like natural disaster situations.

Meeting the needs of Network Remote ID The USA Federal Aviation Administration (FAA), in the January 2021 Remote ID Final rule , postponed Network Remote ID and focused on Broadcast Remote ID. This was in response to the UAS vendors comments that Network RID places considerable demands on then currently used UAS. However, Network RID, or equivalent, is necessary for UTM knowing what soon may be in an airspace and is mandated as required in the EU. A method that proxies Broadcast RID into UTM can function as an interim approach to Network RID and continue adjacent to Network RID.

Trustworthiness of Proxy Data When a proxy is introduced in any communication protocol, there is a risk of corrupted data and DOS attacks. The Finders, in their role as proxies for Broadcast RID, SHOULD be authenticated to the SDSP (see ). The SDSP can compare the information from multiple Finders to isolate a Finder sending fraudulent information. SDSPs can additionally verify authenticated messages that follow . The SPDP can manage the number of Finders in an area (see ) to limit DOS attacks from a group of clustered Finders.

Defense against fraudulent RID Messages The strongest defense against fraudulent RID messages is to focus on conforming messages. Unless this behavior is mandated, an SDSP will have to use assorted algorithms to isolate messages of questionable content.

Crowd Sourced RID Protocol

Protocol Overview o SDSP o<----------------o USS | +--------+ HTTPS, +--o---+ Network RID +-----+ UDP, HIP, : DTLS : : Network RID v +------o------+ | UTM Clients | +-------------+ ]]>

This document will focus on the general protocol specification between the Finder and the SDSP. Transport specification and use is provided in . A normative appendix () provides background to Network RID. Another normative appendix () provides all the CDDL models for CS-RID including one for data. For all data models CBOR MUST be used for encoding. JSON MAY be supported but its definition is out of scope for this document.

Detection & Report Models The CS-RID model is for Finders to send "batch reports" to one or more SDSPs they have a relationship with. This relationship can be highly anonymous with little prior knowledge of the Finder to very well defined and pre-established. is the report object, defined in CDDL, that is translated and adapted depending on the specific transport. It carries a batch of detections (up to a max of 10), the CDDL definition of which is shown in . Discussion on the optional fields are found in .

Detection CDDL

Unsigned Report CDDL

Special Fields The position and radius fields of both and are OPTIONAL. If multiple sets of these are present the deepest nested values take precedence. For example if position is used in both the Report and Detection structures then the value found in the individual Detections take precedence. This extends to the Endorsement model where the position (seen in the model as #6.103) and radius are optionally included as part of the Endorsement scope. The fields of priority and track_id are OPTIONAL but MUST be included when they are set from a command. When not present the SDSP MUST assume them to be their default values of 0. The values of these fields a coordinated between the Finder and SDSP using commands. Either party may set these values and SHOULD announce them via a command before using them in report. They MAY be used over other transports and initialized by a Finder but such operation is out of scope for this document.

Command Models Some transports give an added benefit of allowing for control operations to be sent from the SDSP to the Finder. Finders MUST NOT send commands to an SDSP. A Finder MAY choose to ignore commands.

Command CDDL any},) ; parameter update command-id = uint .size(1) ]]>

HHIT Endorsements for CS-RID Integrity of the report from a Finder is important. When using DETs, the report or command SHOULD be part of an HHIT Endorsement as seen in . The Endorsement MAY be used over transports that inherently provide integrity and other protections (such as HIP or DTLS) though it is NOT RECOMMENDED. The Endorsement Type of TBD is reserved for CS-RID Endorsements.

Endorsement CDDL

Session Security Both Finder and SDSP SHOULD use EdDSA keypairs as the base for their identities. These identities SHOULD be in the form of registered DRIP Entity Tags . Registration is covered in . An SDSP MAY have its own DRIP Identity Management Entity (DIME) or share one with other entities in UTM. An SDSP MUST NOT ignore Finders with DETs outside the DIME it is aware of, and SHOULD use to obtain public key information. ECIES is the preferred method to initialize a session between the Finder and SDSP. The following steps MUST be followed to setup ECIES for CS-RID:

1. Finder uses to obtain SDSP EdDSA key
2. EdDSA keys are converted to X25519 keys per Curve25519 to use in ECIES
3. ECIES can be used with a unique nonce to authenticate each message sent from a Finder to the SDSP
4. ECIES can be used at the start of some period (e.g. day) to establish a shared secret that is then used to authenticate each message sent from a Finder to the SDSP sent during that period
5. HIP can be used to establish a session secret that is then used with ESP to authenticate each message sent from a Finder to the SDSP
6. DTLS can be used to establish a secure connection that is then used to authenticate each message sent from a Finder to the SDSP

Transports CS-RID transport from Finder to SDSP can vary from highly unidirectional with no acknowledgements to strong authenticated and encrypted sessions. Some transports, such as HIP and DTLS, MAY support bi-directional communication to enable control operations between the SDSP and Finder. The section contains a variety of transports that MAY be supported by an SDSP. CoAP is the RECOMMENDED transport.

CoAP When using CoAP with UDP, a payload MUST be a CS-RID Endorsement (). If running DTLS the payload MAY be any of the following: CS-RID Endorsement, CS-RID Finder Report/Detection () or CS-RID Command (). DTLS is the RECOMMENDED underlying transport for CoAP and uses a DET as the identity. A Finder MUST ACK when accepting and RST when ignoring/rejecting a command from an SDSP. As CoAP is designed with a stateless mapping to HTTP; such proxies are RECOMMENDED for CS-RID to allow as many Finders as possible to provide reports.

HIP The use of HIP imposes a strong authentication and Finder onboarding process. It is attractive for well defined deployments of CS-RID, such as being used for area security. A DET MUST be used as the primary identity when using this transport method. When ESP is not in use the data MUST be a CS-RID Endorsement (). An ESP link MAY any of the following: CS-RID Endorsement, CS-RID Finder Report/Detection () or CS-RID Command (). The use of HIP as an underlying transport for CoAP is out of scope for this document.

IANA Considerations TBD

Security Considerations TBD

Acknowledgments The Crowd Sourcing idea in this document came from the Apple "Find My Device" presentation at the International Association for Cryptographic Research's Real World Crypto 2020 conference.

References Normative References This document defines terminology and requirements for solutions produced by the Drone Remote Identification Protocol (DRIP) Working Group. These solutions will support Unmanned Aircraft System Remote Identification and tracking (UAS RID) for security, safety, and other purposes (e.g., initiation of identity-based network sessions supporting UAS applications). DRIP will facilitate use of existing Internet resources to support RID and to enable enhanced related services, and it will enable online and offline verification that RID information is trustworthy. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References AX Enterprize, LLC RTFM llp This document describes the high level architecture for the registration and discovery of DRIP Entity Tags (DETs) using DNS. Discovery of DETs and their artifacts is performed via DRIP specific DNS structures and standard DNS methods. A general overview of the interfaces required between involved components is described in this document with future supporting documents giving technical specifications. AX Enterprize, LLC AX Enterprize, LLC HTT Consulting The Drone Remote Identification Protocol (DRIP), plus trust policies and periodic access to registries, augments Unmanned Aircraft System (UAS) Remote Identification (RID), enabling local real time assessment of trustworthiness of received RID messages and observed UAS, even by Observers lacking Internet access. This document defines DRIP message types and formats to be sent in Broadcast RID Authentication Messages to verify that attached and recent detached messages were signed by the registered owner of the DRIP Entity Tag (DET) claimed. HTT Consulting AX Enterprize AX Enterprize Intel Fraunhofer SIT This document describes using the ASTM Broadcast Remote ID (B-RID) specification in a "crowd sourced" smart phone or fixed receiver asset environment to provide much of the ASTM and FAA envisioned Network Remote ID (Net-RID) functionality. This crowd sourced B-RID (CS-RID) data will use multilateration to add a level of reliability in the location data on the Uncrewed Aircraft (UA). The crowd sourced environment will also provide a monitoring coverage map to authorized observers. This document specifies the use of Datagram Transport Layer Security (DTLS) over the Datagram Congestion Control Protocol (DCCP). DTLS provides communications privacy for applications that use datagram transport protocols and allows client/server applications to communicate in a way that is designed to prevent eavesdropping and detect tampering or message forgery. DCCP is a transport protocol that provides a congestion-controlled unreliable datagram service. [STANDARDS-TRACK] This document describes an updated version of the Encapsulating Security Payload (ESP) protocol, which is designed to provide a mix of security services in IPv4 and IPv6. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. This document obsoletes RFC 2406 (November 1998). [STANDARDS-TRACK] The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation. CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments. This document specifies the details of the Host Identity Protocol (HIP). HIP allows consenting hosts to securely establish and maintain shared IP-layer state, allowing separation of the identifier and locator roles of IP addresses, thereby enabling continuity of communications across IP address changes. HIP is based on a Diffie-Hellman key exchange, using public key identifiers from a new Host Identity namespace for mutual peer authentication. The protocol is designed to be resistant to denial-of-service (DoS) and man-in-the-middle (MitM) attacks. When used together with another suitable security protocol, such as the Encapsulating Security Payload (ESP), it provides integrity protection and optional encryption for upper-layer protocols, such as TCP and UDP. This document obsoletes RFC 5201 and addresses the concerns raised by the IESG, particularly that of crypto agility. It also incorporates lessons learned from the implementations of RFC 5201. This memo specifies two elliptic curves over prime fields that offer a high level of practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~128-bit and ~224-bit security level, respectively, and are generated deterministically based on a list of required properties. This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided. This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON. This document describes the use of Hierarchical Host Identity Tags (HHITs) as self-asserting IPv6 addresses, which makes them trustable identifiers for use in Unmanned Aircraft System Remote Identification (UAS RID) and tracking. Within the context of RID, HHITs will be called DRIP Entity Tags (DETs). HHITs provide claims to the included explicit hierarchy that provides registry (via, for example, DNS, RDAP) discovery for third-party identifier endorsement. This document updates RFCs 7401 and 7343. This document describes an architecture for protocols and services to support Unmanned Aircraft System Remote Identification and tracking (UAS RID), plus UAS-RID-related communications. This architecture adheres to the requirements listed in the Drone Remote Identification Protocol (DRIP) Requirements document (RFC 9153). United States Federal Aviation Administration (FAA) ASTM International Unknown

Network RID Overview This appendix is normative and an overview of the Network RID portion of . This appendix is intended a guide to the overall object of Network RID and generally how it functions in context with a CS-RID SDSP. Please refer to the actual standard of for specifics in implementing said protocol. For CS-RID the goal is for the SDSP to act as both a Network RID Service Provider (SP) and Network RID Display Provider (DP). The endpoints and models MUST follow the specifications for these roles so UTM clients do not need to implement specific endpoints for CS-RID and can instead leverage existing endpoints. An SDSP SHOULD use Network RID, as it is able, to query a USS for UAS sending telemetry in a given area to integrate into the Broadcast RID it is receiving from Finders. How the SDSP discovers which USS to query is out of scope for this document. An SDSP MUST provide the Network RID DP interface for clients that wish to subscribe for updates on aircraft in the SDSP aggregated coverage area.

Additional SDSP Functionality This appendix is informative.

Multilateration The SDSP can confirm/correct the UA location provided in the Location/Vector message by using multilateration on data provided by at least 3 Finders that reported a specific Location/Vector message (Note that 4 Finders are needed to get altitude sign correctly). In fact, the SDSP can calculate the UA location from 3 observations of any Broadcast RID message. This is of particular value if the UA is only within reception range of the Finders for messages other than the Location/Vector message. This feature is of particular value when the Finders are fixed assets with highly reliable GPS location, around a high value site like an airport or large public venue.

Finder Map The Finders are regularly providing their SDSP with their location. With this information, the SDSP can maintain a monitoring map. That is a map of approximate coverage range of their registered and active Finders.

Managing Finders Finder density will vary over time and space. For example, sidewalks outside an urban train station can be packed with pedestrians at rush hour, either coming or going to their commute trains. An SDSP may want to proactively limit the number of active Finders in such situations. Using the Finder mapping feature, the SDSP can instruct Finders to NOT proxy Broadcast RID messages. These Finders will continue to report their location and through that reporting, the SDSP can instruct them to again take on the proxying role. For example a Finder moving slowly along with dozens of other slow-moving Finders may be instructed to suspend proxying. Whereas a fast-moving Finder at the same location (perhaps a connected car or a pedestrian on a bus) would not be asked to suspend proxying as it will soon be out of the congested area. Such operation SHOULD be using transports such as HIP or DTLS.

GPS Inaccuracy This appendix is informative. Single-band, consumer grade, GPS on small platforms is not accurate, particularly for altitude. Longitude/latitude measurements can easily be off by 3M based on satellite position and clock accuracy. Altitude accuracy is reported in product spec sheets and actual tests to be 3x less accurate. Altitude accuracy is hindered by ionosphere activity. In fact, there are studies of ionospheric events (e.g. 2015 St. Patrick's day ) as measured by GPS devices at known locations. Thus where a UA reports it is rarely accurate, but may be accurate enough to map to visual sightings of single UA. Smartphones and particularly smartwatches are plagued with the same challenge, though some of these can combine other information like cell tower data to improve location accuracy. FCC E911 accuracy, by FCC rules is NOT available to non-E911 applications due to privacy concerns, but general higher accuracy is found on some smart devices than reported for consumer UA. The SDSP MAY have information on the Finder location accuracy that it can use in calculating the accuracy of a multilaterated location value. When the Finders are fixed assets, the SDSP may have very high trust in their location for trusting the multilateration calculation over the UA reported location.

CDDL Definitions This appendix is normative.

F3411 Message Set

UAS Data

Complete CDDL any},) ; parameter update ufr-tag = #6.xxx(ufr) ufr = { timestamp: time,   ? priority: uint .size(2), ; For HIP/DTLS   ? track_id: uint .size(2), ; For HIP/DTLS, 0=Mixed Detections ? position: #6.103, ? radius: float, ; meters   detection_count: 1..10, detections: [+ #6.xxx(detection)], } detection-tag = #6.xxx(detection) detection = { timestamp: time, ? position: #6.103(array), ? radius: float, ; meters interface: [+ i-face], data: bstr / #6.xxx(astm-message) / #6.xxx(uas-data) } uas-tag = #6.xxx(uas-data) uas-data = { ? uas_type: uas-type, ? uas_id_type: uas-id-type, ? uas_id: uas-id, ? ua_status: status, ? track_direction: track-direction, ? ua_geo_position: #6.103(array) ? ua_baro_altitude: baro-alt, ? ua_height: height, ? vertical_speed: vert-spd, ? horizontal_speed: horz-spd, ? auth_type: a-type, ? auth_data: a-data, ? additional_data: add-data, ? self_id: desc, ? ua_classification: class-type ? operator_type: op-type, ? operator_geo_position: #6.103(array) ? area_count: area-count, ? area_radius: area-radius, ? area_floor: area-floor, ? area_ceiling: area-ceiling, ? eu_class: eu-class, ? eu_category: eu-cat, ? system_timestamp: utc-timestamp, ? operator_id: op-id } astm-tag = #6.xxx(astm-message) astm-message = b-message / mp-message ; Message (m-type) ; Message Pack (0xF) mp-message = [ m-counter, m-type, p-ver, m-size, num-messages, [+ b-message] ] b-message = [m-counter, m-type, p-ver, $$b-data] ; Basic ID (0x0), Location (0x1) $$b-data //= (uas-type, uas-id-type, uas-id) $$b-data //= ( status, height-type, track-direction, horz-spd, vert-spd, lat, lon, geo-alt baro-alt, height, h-acc, v-acc, b-acc, s-acc, t-acc, timemark ) ; Authentication (0x2) $$b-data //= (page-num, a-type, lpi, length, auth-ts, pg-data) ; Self ID (0x3), System (0x4), Operator ID (0x5) $$b-data //= (desc-type, desc) $$b-data //= (op-type, class-type, lat, lon, area-count, area-radius, area-floor, area-ceiling, geo-alt, eu-class, eu-cat, utc-timestamp ) $$b-data //= (op-id-type, op-id) ; Basic ID (0x0) Fields uas-type = nibble-field uas-id-type = nibble-field uas-id = bstr .size(20) ; Location (0x1) Fields status = nibble-field height-type = bool track-direction = uint horz-spd = uint .size(1) vert-spd = uint .size(1) baro-alt = uint .size(2) height = uint .size(2) h-acc = nibble-field v-acc = nibble-field b-acc = nibble-field s-acc = nibble-field t-acc = nibble-field timemark = uint .size(2) ; tenths of seconds since current hour ; Authentication (0x2) Fields page-num = nibble-field a-type = nibble-field lpi = nibble-field length = uint .size(1) auth-ts = time ; converted from ASTM F3411-22a epoch pg-data = bstr .size(23) a-data = bstr .size(0..255) adl = uint .size(1) add-data = bstr .size(0..255) ; Self ID (0x3) Fields desc-type = uint .size(1) desc = tstr .size(23) ; System (0x4) Fields op-type = 0..3 class-type = 0..8 area-count = 1..255 area-radius = float area-floor = float area-ceiling = float eu-class = nibble-field eu-cat = nibble-field utc-timestamp = time ; converted from ASTM F3411-22a epoch ; Operator ID (0x5) Fields op-id-type = uint .size(1) op-id = tstr .size(20) ; Message Pack (0xF) Fields m-size = uint .size(1) ; always set to decimal 25 num-messages = 1..9 ; Other fields m-counter = uint .size(1) m-type = nibble-field p-ver = nibble-field lat = uint .size(4) ; scaled by 10^7 lon = uint .size(4) ; scaled by 10^7 geo-alt = uint .size(2) ; WGS84-HAE in meters nibble-field = 0..15 i-face = (bcast-type, mac-addr) bcast-type = 0..3 ; BLE Legacy, BLE Long Range, Wi-Fi NAN, 802.11 Beacon mac-addr = #6.48(bstr) command-id = uint .size(1) ]]>