Network Working Group R. Gellens Request for Comments: 2604 Qualcomm Category: Informational June 1999 Wireless Device Configuration (OTASP/OTAPA) via ACAP Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (1999). All Rights Reserved. Abstract Wireless carriers today are faced with creating more efficient distribution channels, increasing customer satisfaction, while also improving margin and profitability. Industry trends are pushing the sale of handsets further into the retail channel. The cost and effort of provisioning handsets, activating users, and updating handset parameters can be greatly reduced by using over-the-air activation mechanisms. A comprehensive and extensible means for over-the-air provisioning and handset parameter updating is required. One approach is to purchase EIA/TIA/IS-683A (Over-the-air Service Provisioning of Mobile Stations in Spread Spectrum Systems) equipment. The cost of this has led carriers to seek alternative solutions. A very viable means for providing over-the-air (OTA) provisioning is to leverage the rollout of IS-707 data services equipment, which most carriers are in the process of deploying. This paper presents an approach to OTA provisioning that utilizes the deployment of IS-707 to deliver OTA provisioning and parameter upgrading. IS-707 data services makes available several methods of providing over-the-air provisioning and parameter updating. A well thought-out approach utilizing Internet-based open standard mechanisms can provide an extensible platform for further carrier service offerings, enhanced interoperability among back-end services, and vendor independence. This paper describes a viable and attractive means to provide OTASP/OTAPA via IS-707, using the ACAP [ACAP] protocol. Gellens Informational [Page 1] RFC 2604 OTASP/OTAPA via ACAP June 1999 Table of Contents 1. Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Feature Descriptions . . . . . . . . . . . . . . . . . . . 6 2.1. OTASP Feature Description . . . . . . . . . . . . . . . 6 2.2. OTAPA Feature Description . . . . . . . . . . . . . . . 6 3. Operation . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.1. Initial Provisioning Activity . . . . . . . . . . . . . 7 3.2. OTASP for Authorized Users . . . . . . . . . . . . . . . 8 3.3. OTAPA Activity . . . . . . . . . . . . . . . . . . . . 8 4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 9 4.1. General Requirements . . . . . . . . . . . . . . . . . 9 4.2. OTASP Requirements . . . . . . . . . . . . . . . . . . . 9 4.3. OTAPA Requirements . . . . . . . . . . . . . . . . . . 10 4.4. Provisioning Server Requirements . . . . . . . . . . . . 10 4.5. Security Requirements . . . . . . . . . . . . . . . . . 11 5. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 11 5.1. ACAP over TCP/IP . . . . . . . . . . . . . . . . . . . 11 5.1.1. Mobile Authentication and A-Key Generation . . . . . 12 5.1.2. Mobile Identification . . . . . . . . . . . . . . . 12 5.1.3. ACAP Server . . . . . . . . . . . . . . . . . . . . 12 5.1.4. Overview of ACAP Structure . . . . . . . . . . . . 13 5.1.5. Data Organization and Capabilities . . . . . . . . . 13 5.1.5.1. Structure . . . . . . . . . . . . . . . . . . . 14 5.1.5.2. Conventions . . . . . . . . . . . . . . . . . . 15 5.1.6. Dataset . . . . . . . . . . . . . . . . . . . . . . 15 5.1.6.1. Entries and Attributes . . . . . . . . . . . . . 15 5.1.6.2. NAM Records . . . . . . . . . . . . . . . . . . 16 5.1.6.3. Server Roaming Lists . . . . . . . . . . . . . . 17 5.1.6.4. Requested-Data Record . . . . . . . . . . . . . 18 5.1.6.5. Sample Server Entry . . . . . . . . . . . . . . 18 5.1.7. Administrative Client . . . . . . . . . . . . . . . 19 5.1.8. Mobile Client . . . . . . . . . . . . . . . . . . . 20 5.2. WAP with ACAP . . . . . . . . . . . . . . . . . . . . . 22 5.3. Network-Resident vs. Configuration Data . . . . . . . . 23 5.4. Intellectual Property Issues . . . . . . . . . . . . . 23 6. Handset Protocol Suites . . . . . . . . . . . . . . . . . . 23 6.1. ACAP over TCP/IP . . . . . . . . . . . . . . . . . . . 23 7. IS-683A Compatibility . . . . . . . . . . . . . . . . . . . 24 7.1. OTASP Operations . . . . . . . . . . . . . . . . . . . 24 7.2. OTASP Call Flow . . . . . . . . . . . . . . . . . . . . 24 7.3. OTAPA Operations . . . . . . . . . . . . . . . . . . . 24 7.4. OTAPA Call Flow . . . . . . . . . . . . . . . . . . . . 25 8. Alternative Methods . . . . . . . . . . . . . . . . . . . . 25 8.1. IS-683A over TCP/IP . . . . . . . . . . . . . . . . . . 25 8.1.1. OTAF Server . . . . . . . . . . . . . . . . . . . . 25 8.1.2. Interface Application . . . . . . . . . . . . . . . 26 8.1.3. Protocol Handset Suite . . . . . . . . . . . . . . 26 Gellens Informational [Page 2] RFC 2604 OTASP/OTAPA via ACAP June 1999 8.2. Browser-Based Forms . . . . . . . . . . . . . . . . . . 26 9. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . 27 10. References . . . . . . . . . . . . . . . . . . . . . . . . 28 11. Security Considerations . . . . . . . . . . . . . . . . . 28 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . 28 13. Author's Address . . . . . . . . . . . . . . . . . . . . 28 14. Full Copyright Statement . . . . . . . . . . . . . . . . . 29 1. Terms Application Configuration Access Protocol (ACAP) -- An Internet protocol (RFC-2244) that provides remote storage and access of configuration and preference information. Activation -- A process in which a mobile station and network become programmed so that a mobile station becomes operable and can be used for cellular service once authorized by the service provider. Authentication -- A procedure used to validate a mobile station's identity. Authentication Center -- An entity that manages the authentication information related to the mobile station. Authentication Key (A-key) -- A secret 64-bit pattern stored in the mobile station. It is used to generate and update the mobile station's shared secret data. The A-key is used in the authentication process. Authorization -- An action by a service provider to make cellular service available to a subscriber. Call -- A temporary communication between telecommunications users for the purpose of exchanging information. A call includes the sequence of events that allocates and assigns resources and signaling channels required to establish a communications connection. Cellular Service Provider -- A licensee of the responsible government agency (in the U.S. a licensee of the Federal Communications Commission) authorized to provide Cellular Radiotelephone Service. Challenge/Response Authentication Mechanism using Message Digest 5 (CRAM-MD5) -- An authentication mechanism which is easy to implement, and provides reasonable security against various attacks, including replay. Supported in a variety of Internet protocols. Specified as baseline mechanism in ACAP. CRAM-MD5 is published as Gellens Informational [Page 3] RFC 2604 OTASP/OTAPA via ACAP June 1999 RFC 2195. Code Division Multiple Access -- A technique for spread-spectrum multiple-access digital communications that creates channels through the use of unique code sequences. Customer Service Center -- An entity of a service provider that provides user support and assistance to subscribers. Customer Service Representative -- A person that operates from a customer service center and provides user support and assistance to subscribers. Diffie-Hellman Algorithm -- A public-key cryptography algorithm for exchanging secret keys. Uses the equation , where k is the secret key. The equation is executed by each party of the session based on the exchange of independently generated public values. Digits -- Digits consist of the decimal integers 0,1,2,3,4,5,6,7,8, and 9. Dual-mode Mobile Station -- A mobile station capable of both analog and digital operation. Electronic Serial Number (ESN) -- A 32-bit number assigned by the mobile station manufacturer used to identify a mobile station. The ESN is unique for each legitimate mobile station. Home Location Registry (HLR) -- The location register or database to which a MIN is assigned for record purposes such as subscriber information. Message Digest 5 (MD5) -- A one-way cryptographic hash function. Widely deployed in Internet protocols. Published as RFC 1321. Mobile Identification Number (MIN) -- The 10-digit number that represents a mobile station's directory number. Mobile Station (MS) -- A station, fixed or mobile, which serves as the end user's wireless communications link with the base station. Mobile stations include portable units (e.g., hand-held personal units) and units installed in vehicles. Mobile Switching Center (MSC) -- A configuration of equipment that provides cellular radiotelephone service. Mobile Terminal Authorizing System (MTAS) -- A control system that provides the capability to load the CDMA network HLR with mobile Gellens Informational [Page 4] RFC 2604 OTASP/OTAPA via ACAP June 1999 station profile information. Number Assignment Module (NAM) -- The mobile station's electronic memory module where the MIN and other subscriber-specific parameters are stored. Mobile stations that have multi-NAM features offer users the option of using their units in several different markets by registering with a local number in each location. Over-the-air Service Provisioning Function (OTAF) -- A configuration of network equipment that controls OTASP functionality and messaging protocol. Over-the-air Parameter Administration (OTAPA) -- Network initiated OTASP process of provisioning mobile station operational parameters over the air interface. Over-the-air Service Provisioning (OTASP) -- A process of provisioning mobile station operational parameters over the air interface. Quick-Net-Connect (QNC) -- An IS-707 data service capability that utilizes the Async Data Service Option number but bypasses the modem connection for a direct connection to an IP-based internet. Roamer -- A mobile station operating in a cellular system or network other than the one from which service was subscribed. Simple Authentication and Security Layer (SASL) -- An Internet protocol (RFC-2222) that provides a framework for negotiating authentication and encryption mechanisms. Service Provider -- A company, organization, business, etc. which sells, administers, maintains, and charges for the service. The service provider may or may not be the provider of the network. Shared Secret Data (SSD) -- A 128-bit pattern stored in the mobile station (in semi-permanent memory) and known by the network. The A-key is used to generate the SSD at the network and in the mobile station for comparison. Wireless Application Protocol (WAP) -- A set of network and application protocols including a datagram protocol (WDP), Transport Layer Security (WTLS), Transaction Protocol (WTP), Session Protocol (WSP), and Application Environment (WAE), which use carrier-based gateways to enable wireless devices to access Web resources. See for specifications and details. Gellens Informational [Page 5] RFC 2604 OTASP/OTAPA via ACAP June 1999 2. Feature Descriptions 2.1. OTASP Feature Description The Over the Air Service Provisioning (OTASP) feature allows a potential wireless service subscriber to activate new wireless services, and allows an existing wireless subscriber to make services changes without the intervention of a third party. OTASP includes the following: * A way to establish a user profile. * "Over-The-Air" programming of a Number Assignment Module (NAM), IMSI and Roaming Lists, including Data option parameters, and optionally, service provider or manufacturer specific parameters (e.g., lock code, call timer). * An Authentication Key (A-key) Generation procedure. * A-key storage 2.2. OTAPA Feature Description The Over-the-Air Parameter Administration (OTAPA) feature allows wireless service providers to update a NAM, IMSI, and Roaming List information in the mobile station remotely without the intervention of a third party. This capability increases flexibility and reduces costs for carriers involved with mass changes that affect every handset, such as area-code splits. OTAPA includes the following: * Update a user's Number Assignment Module (NAM) * Update Data option parameters * Update service provider or manufacturer specific parameters (e.g., Server address(es), lock code, call timer). * Update roaming lists Gellens Informational [Page 6] RFC 2604 OTASP/OTAPA via ACAP June 1999 3. Operation 3.1. Initial Provisioning Activity A new subscriber needs to give the intended service provider sufficient information (e.g., name, address, etc.) to prove credit- worthiness and establish a record within the service provider's billing system. In addition, the ESN of the mobile station needs to be given to the provider. This may occur in three ways: Voice scenario -- A customer care representative collects credit information during a voice conversation. This call is made from a different phone (e.g., wired service) or is initiated using the IS- 683A OTASP dialing scheme (i.e., *228xx). Once the user has been authorized, the customer care representative creates a record in the CDMA network HLR, thus allowing use of the CDMA network. In addition, a limited-time N-digit password is created which is tied to the ESN. The choice of N (how many digits) is up to the carrier (as a trade-off between security and user inconvenience). All required provisioning information (including the limited-time password) is loaded into the provisioning server. The user is then told to hang up and call a special number, of the form *228 XX SEND (the XX code is the same as used in the initial voice call). This causes the mobile station to initiate a provisioning session. The mobile station and the provisioning server authenticate, and all required provisioning information is downloaded into the mobile station. The user receives some form of notification once the activity is complete. This notification can be an audible tone or a text message on the mobile station display. (The form and content of this notification can be part of the provisioning data downloaded by the mobile station.) Once this initial provisioning activity is complete the user has a fully authorized mobile station ready for use. Forms scenario -- An interactive user interface is presented via a browser on the mobile station. The subscriber fills in the requested information. (Note that entering non-numeric data presents some user interface challenges on many mobile devices.) A back-end server validates the information, and if possible, the customer is authorized, a limited-time password is generated, HLR and provisioning server records are created and the actual OTASP operation begins. Otherwise, a voice call is made to a customer care representative. Gellens Informational [Page 7] RFC 2604 OTASP/OTAPA via ACAP June 1999 Desktop scenario -- The subscriber uses a desktop (or in-store kiosk) web browser to contact the carrier, and enters the usual personal information. The carrier's server validates the information, and if possible, the customer is authorized, a limited-time password is generated, HLR and provisioning server records are created, and the subscriber is told to dial a special number on the handset. Once this code is entered, the actual OTASP operation begins. Otherwise, the user is asked to make a voice call to a customer care representative. 3.2. OTASP for Authorized Users Users already authorized for use of the CDMA network can also initiate provisioning activity. This could happen after being directed to do so by a Customer Care representative, either from a phone conversation or via mail notification. This type of OTASP activity is needed in cases where the carrier desires to upgrade CDMA parameters in the mobile stations or in cases where mobile station troubleshooting is needed. This type of OTASP occurs in similar fashion to the initial OTASP activity. The mobile station downloads the new provisioning information in the same way. 3.3 OTAPA Activity Typical OTAPA capability involves upgrading a large number of mobile stations. OTAPA activity needs to be performed in a manner that does not impose on revenue bearing CDMA network activity. OTAPA operations are initiated at the customer care center. This can be accomplished by queuing a notification to the mobile station (via 1-way SMS or special caller-ID) after the provisioning server has the updated configuration data. OTAPA activity will not occur until the mobile station has acquired CDMA service on the carrier's network and the notification has reached the mobile station. Alternatively, OTAPA can be handled by including a recheck interval in the set of data used to provision the mobile station. When using a low-overhead protocol, such as ACAP [ACAP], it is reasonable to have a mobile station check in periodically to see if anything has changed. The time of day and/or day of week that such rechecks should occur could be included in the provisioning data. OTAPA activity can be terminated at any time due to user call activity. Gellens Informational [Page 8] RFC 2604 OTASP/OTAPA via ACAP June 1999 4. Requirements 4.1. General Requirements IS-683A OTASP operations occur between a mobile station and an over-the-air service provisioning function (OTAF) using IS-95A traffic channel data burst messages. OTASP/OTAPA via data services require that the CDMA carrier have an IS-707 data services capable network. The IS-707 service must be either Packet Data Service (IS-707.5) or Quick-Net-Connect (QNC). The mobile station must support: * IS-707 Data Service capability * Packet/QNC RLP protocol * PPP protocol to peer to the IS-707 IWF * IP protocol to provide the network layer for routing to the provisioning server * A transport layer for end-to-end communication (such as TCP) * Authentication and optionally encryption * Application software to handle the provisioning protocol and memory access. * Domain Name System (DNS) query capabilities sufficient to obtain the (IP) address of the provisioning server (or the provisioning server's address could be provided during PPP negotiation). Lastly, the ability must exist for the mobile to make a data call (optionally) a voice call without a MIN. 4.2. OTASP Requirements The OTASP function requires the mobile station to originate an IS- 707 data call and (optionally) a voice call using a completely unprovisioned mobile station. The CDMA network must support this capability. OTASP via data services uses a provisioning server that contains the parameter information for mobile stations. The authorizing agent (or software) at the customer care center must be able to add user and mobile station information into both the CDMA network HLR and Gellens Informational [Page 9] RFC 2604 OTASP/OTAPA via ACAP June 1999 the provisioning server during the initial authorizing process. The provisioning server must be capable of servicing a mobile as soon as its record is created. 4.3. OTAPA Requirements IS-683A OTAPA is performed by a mobile-terminated call that downloads parameters to the mobile station. OTAPA calls occur without user interaction. In order to perform OTAPA via data services the network needs to direct the mobile station to initiate a special-purpose data call. Several existing methods can be used to implement this capability, for example, a mobile-terminated one-way SMS message. The SMS message content can contain any information required by the mobile station. The mobile station would need a simple parser of SMS messages in order to know when to originate an OTAPA call, as opposed to normal SMS message processing. The OTAPA call would be performed in similar fashion to a registration call. More specifically, the user would not be informed of the call activity. There are alternative means that can be employed to initiate OTAPA activity; for example, a mobile-terminated voice call with caller-ID using a specialized telephone number. Another alternative is for mobile stations to periodically check in with the provisioning server to check for updated information. ACAP, for example, is designed for such a model. The recheck interval, as well as the time of day and/or day of week that such checks should be used, can be part of the provisioning data sent to the mobile stations. 4.4. Provisioning Server Requirements IS-683A utilizes an over-the-air service provisioning function (OTAF) to perform the network-side provisioning activity. OTASP/OTAPA via data services replaces the OTAF with a provisioning server. The provisioning server resides on an IP network within the controlled confines of the carrier. The provisioning server must perform all the service provisioning and parameter administration functions that the OTAF provides. The provisioning server must also have an interface to the carrier's Mobile Terminal Authorizing System (MTAS). This interface serves to synchronize the provisioning server with the information in the MTAS. The specific requirements of this interface depend on the capabilities and interfaces of the carrier's customer care center system(s). The provisioning server must be capable of receiving dynamic updates from the MTAS and have the provisioning information immediately Gellens Informational [Page 10] RFC 2604 OTASP/OTAPA via ACAP June 1999 available for downloading into the chosen mobile station. A standard ACAP server provides an excellent means to meet these requirements. The provisioning server must be capable of performing an authentication procedure with the mobile station. This authentication mechanism must be capable of authenticating both the mobile station and the provisioning server. 4.5. Security Requirements OTASP requires that an authentication procedure be performed to validate the mobile station to the provisioning server, while OTAPA requires a mechanism where the mobile validates the server. The provisioning server must be capable of either: * OTAF A-key generation using a Diffie-Hellman mechanism Or: * Receiving A-keys from the carrier network. Since data OTASP/OTAPA operates over IP within the carrier's network, end-to-end encryption between the mobile station and the provisioning server should be considered as a future enhancement. End-to-end encryption protects against attacks from within a carrier's network, and safeguards the provisioning data (for example, roaming lists). 5. Architecture 5.1. ACAP over TCP/IP Figure 1 shows a provisioning server in the carrier's intranet which supports the Application Configuration Access Protocol (ACAP, RFC 2244). An administrative client in the customer care domain updates this server using ACAP. Handsets are provisioned and configured using a small ACAP client. [Figure 1 -- see PostScript version] ACAP is an open Internet protocol designed to solve the problem of client access to configuration and related data. Among its primary goals are protocol simplicity, support for thin clients, and ease of operation over limited bandwidth. ACAP provides a high degree of extensibility, especially in authentication mechanisms, specialized attribute handling, and data management. Gellens Informational [Page 11] RFC 2604 OTASP/OTAPA via ACAP June 1999 5.1.1. Mobile Authentication and A-Key Generation The mobile client authenticates with the ACAP server prior to performing any activities. Authentication uses the mobile's ESN and a shared secret. Provisioned mobiles derive the shared secret from the A-Key; unprovisioned mobiles use a limited-time password as the secret. The limited-time password is provided to the user by the Customer Care representative during the initial call (as instructions to dial a specific number). This code is N digits long. The carrier selects the number of digits, as a trade-off between security and user convenience. The baseline ACAP authentication mechanism uses the shared secret plus a random challenge from the server as input to a one-way cryptographic hash function (specifically, keyed-MD5). This is analogous to the existing IS-683A authentication mechanism which uses a random challenge and the CAVE algorithm. An A-Key is generated using a Diffie-Hellman exchange, as is done in IS-683A. 5.1.2. Mobile Identification Provisioning records are identified using the ESN and the current NAM in use. 5.1.3. ACAP Server As a standard ACAP server, the provisioning server includes configurable datasets and dataset inheritance for the management of the data stores. The administrative client can use the same simple ACAP protocol to load and modify the ACAP server as the mobile stations uses for provisioning. While any implementation-specific mechanisms available from the server vendor could instead be used for this purpose, the ability to use ACAP can greatly simplify the administrative client, as well as make it independent of the server. ACAP includes an authentication framework (Simple Authentication and Security Layer, SASL, RFC 2222)[SASL]. SASL allows any standard or custom authentication and encryption mechanism to be used. One of the most important features of SASL is that it is designed for a world in which what is "good enough" security today isn't good enough tomorrow. As the threat model changes, SASL allows higher- strength mechanisms to be easily added while supporting already Gellens Informational [Page 12] RFC 2604 OTASP/OTAPA via ACAP June 1999 deployed clients and servers. SASL is achieving widespread deployment in a number of Internet protocols. Strongpoints: Since the ACAP protocol was designed for precisely this type of provisioning activity, its adoption can greatly reduce the cost, time to market, and support required for the provisioning server. Additionally, the ACAP protocol provides an open standard method for mobile stations and other systems to access the provisioning server. Commercial ACAP servers are being developed by numerous companies. The ACAP client code is very small and simple, and thus can be incorporated into virtually any mobile device at minimal cost. As an open standard, the ACAP protocol has benefited from years of review and experience. 5.1.4. Overview of ACAP Structure ACAP organizes data by datasets. The structure of a dataset is defined by the dataset class. Generally, ACAP servers do not have knowledge of dataset classes. This allows the dataset to be expanded without modifying the server in any way. A dataset is an instantiation of the dataset class, which is a logical definition of what is in a dataset, and how it is used. Datasets contain entries. Entries contain attributes and values. Attributes and values are actually metadata, such as name, length, and value. Any entry can also be a dataset (datasets are hierarchical). For example, consider the ACAP addressbook dataset class, designed to hold names, email addresses, phone numbers, and related information for a person's contacts. A given user may have one or more addressbook datasets. Each entry holds information about one person or entity. Attributes in the entry hold specific items of information, such as the given name, surname, various email addresses, phone numbers, and so forth. If an entry is a list of people (such as a mailing list or specific group of people), it is a subdataset, containing its own entries. Some clients may look at only a subset of the attributes. For example, a mobile handset ACAP client may download only the alias (nickname), name, primary phone number and email address of each entry, while a desktop client may access all attributes. 5.1.5. Data Organization and Capabilities ACAP provides custom hierarchical datasets. Server data can be organized to fit the needs of the applications using the dataset. Gellens Informational [Page 13] RFC 2604 OTASP/OTAPA via ACAP June 1999 In OTASP/OTAPA over ACAP, data on the server is organized to both take advantage of ACAP capabilities and to use items that are identical to IS-683A, allowing for reuse of IS-683A handset engines. ACAP servers also support data inheritance. All data items which are physically in the inherited dataset and not in the inheriting dataset logically also exist in the inheriting dataset. This is recursive, as the inherited dataset can itself inherit from another dataset. This powerful concept allows potentially large groups of mobile stations to inherit items from a single common entity. For example, preferred roaming lists can be stored in datasets based on geographic areas, and automatically inherited by an individual mobile station in that area. The roaming lists could be further subdivided, for example based on tiers of free NVRAM in the mobile. The mobile client need not be aware of this; it happens entirely on the server. ACAP uses trees to provide the data hierarchy. These data trees can be viewed as similar to the directory/file structure used with all common operating systems. The built-in inheritance mechanism, together with the hierarchical structure, makes it extremely easy to update general data without disturbing specific data. Datasets exist within the user, group, and host hierarchies. The user hierarchy holds datasets which belong to individual users. The group hierarchy holds datasets which belong to groups (for example, the "Region." groups in section 5.1.6.3 Server Roaming Lists). The host hierarchy holds datasets which are for specific machines or systems. In addition to providing customizable data trees, ACAP also provides several standard datasets for all clients. There is a capabilities dataset that contains information on custom functionality and enhanced features available to a specific client or at the site generally. This allows a server to advertise any protocol extensions, specialized attribute handling, or other enhanced functionality it supports. A client that needs to use these features can thus easily determine what is available before trying to use them. 5.1.5.1. Structure We divide the data accessed by the client into provisioning items, group items, and client state items. Provisioning data contains NAM items and requested-data items. Group items (such as preferred roaming lists), are not specific to any mobile device. Group items physically exist in their own datasets, but through inheritance logically appear in client datasets. Gellens Informational [Page 14] RFC 2604 OTASP/OTAPA via ACAP June 1999 The mobile stations always read data from provisioning entries and write data to client state entries. This structure makes both mobile clients and server configuration easy and simple, while allowing for extensive custom and diagnostic capabilities. 5.1.5.2. Conventions "" This signifies the empty string (used here for ACAP entries). ~ This is shorthand for "user/". It is part of the ACAP protocol. 5.1.6 Dataset Provisioning information is located in the "OTAP" dataset class. (The full specification of this dataset will be published in a subsequent document.) The prefix "Provision." is used for items that are to be downloaded to the mobile, and the prefix "Client." is used for items which the client stores on the server. Provisioning data within the OTAP dataset is organized as a series of items, each of which is stored in its own entry. The entry name is the item name, and the "OTAP.VALUE" attribute contains the item value. This structure permits change notification on a per-item basis. We chose the "Provision" and "Client" names to simplify various operations. For example, the mobile client can easily download all changed provisioning items by performing a search which returns the "OTAP.VALUE" attribute of all entries whose name begins with "Provision" and whose modtime is greater than the last time the client retrieved data. An administrative client can easily generate a report of all clients which have not received the most recent update by searching for all entries named "Client" whose "OTAP.modtime" attribute is less than the desired value. A partial list of items follows. 5.1.6.1. Entries and Attributes dataset.inherit This is a standard ACAP attribute that identifies the location of inherited data. It exists in the "" entry (the entry with the empty name) within each dataset. Gellens Informational [Page 15] RFC 2604 OTASP/OTAPA via ACAP June 1999 5.1.6.2. NAM Records The OTAP dataset class contains an entry for each provisioned mobile. The standard location for provisioning records is: /OTAP/USER/// This tree format allows multiple NAMs per ESN. The specific entries contain data in IS-683A parameter block types. For example, the CDMA NAM would be stored in an entry called: /OTAP/USER///Provision.CDMA-NAM/ The entries below show how NAM records would be organized on the ACAP server: CDMA/Analog NAM Entry-Path: /OTAP/USER///Provision.CDMA-AMPS-NAM/ OTAP.Value: {17} xx xx xx ... xx The CDMA/Analog NAM entry from IS-683A (section 4.5.2.1) consists of at least 129 information bits, depending on the number of SID NID list entries. This is stored as 17 (or more) octets of binary data (padding is used to ensure an integral number of octets). Mobile Directory Number Entry-Path: /OTAP/USER///Provision.MOBILE-DN/ OTAP.Value: {10} nnnnnnnnnn The Mobile Directory Number from IS-683A contains BCD-encoded digits representing the phone number. This is stored as a string of 10 or more ASCII digits, e.g., "6195551212". CDMA NAM Entry-Path: /OTAP/USER/// Provision.CDMA-NAM/ OTAP.Value: {13} xx xx xx ... xx Gellens Informational [Page 16] RFC 2604 OTASP/OTAPA via ACAP June 1999 The CDMA-NAM entry from IS-683A (section 4.5.2.3) consists of at least 100 information bits, depending on the number of SID-NID list entries. This is stored as 13 (or more) octets of binary data (padding is used to ensure an integral number of octets). IMSI_T Entry-Path: /OTAP/USER/// Provision.IMSI_T/ OTAP.Value: {7} xx xx xx xx xx xx xx The IMSI_T entry from IS-683A (section 4.5.2.4) consists of 55 bits of information in five fields. This is stored left- justified in 7 octets of binary data. 5.1.6.3. Server Roaming Lists The ACAP Server will have an entry for each different roaming list configuration for a carrier. The example below assumes that the desired differentiation for the roaming list is geographic, with subdivisions for tiers of mobile free NVRAM It shows that for each region there exists a set of roaming lists per free NVRAM range. Note that a carrier can easily implement different or further differentiation (e.g., by phone vendor or product type) by simply changing the dataset tree and assigned the appropriate value to the "dataset.inherit" attribute in the provisioning records. /OTAP/GROUP/region.NorthEast/free-nv.128-512/ preferred.roaming.list/OTAP.Value /OTAP/GROUP/region.NorthEast/free-nv.512-1024/ preferred.roaming.list/OTAP.Value /OTAP/GROUP/region.SouthEast/free-nv.128-512/ preferred.roaming.list/OTAP.Value /OTAP/GROUP/region.SouthEast/free-nv.512-1024/ preferred.roaming.list/OTAP.Value /OTAP/GROUP/region.NorthWest/free-nv.128-512/ preferred.roaming.list/OTAP.Value /OTAP/GROUP/region.NorthWest/free-nv.512-1024/ preferred.roaming.list/OTAP.Value /OTAP/GROUP/region.SouthWest/free-nv.128-512/ preferred.roaming.list/OTAP.Value /OTAP/GROUP/region.SouthWest/free-nv.512-1024/ preferred.roaming.list/OTAP.Value Gellens Informational [Page 17] RFC 2604 OTASP/OTAPA via ACAP June 1999 5.1.6.4. Requested-Data Record Inside the OTAP dataset is an entry with the name "Provision.Requested-Data", which contains one attribute called "OTAP.Requested-Data". This attribute is multi-valued. It is either NIL or contains a list of strings. Each string is the name of one element of data that the server requests the client to supply. After authenticating, the ACAP client issues a SEARCH command to retrieve the values of the "OTAP.Requested-Data" attribute of the "Provision.Requested-Data" entry. The client processes the returned values (if any) by issuing a STORE command to set one or more attributes in the "Client" entry. The value of each attribute is either the corresponding mobile value (which may be an empty string if the item has no value), or the special value "[N/A]" if the item does not exist or is unknown on the mobile. This mechanism is quite general, and can be used in the normal OTASP case to modify the mobile's dataset as appropriate for the condition of the mobile. For example, the inheritance could be set based on the amount of NVRAM available, to cause one set of preferred roaming list data or another to be used. This mechanism can also be used in other situations, such as to retrieve a complete set of mobile configuration parameters for diagnostic reasons. 5.1.6.5. Sample Server Entry The entry below is an excerpt of a sample ACAP server dataset entry for a single mobile station, with an ESN of FB9876E and using NAM 1: /OTAP/USER/FB9876E/1/ entry = "" dataset.inherit = "/OTAP/GROUP/region.NorthEast/ free-nv.128-512/preferred.roaming.list/ OTAP.Value/" entry = "Provision.Requested-Data" OTAP.Requested-Data = ("Phone-Make" "Phone-Model" "SW-Rev" "Free-NVRAM") entry = "Client" OTAP.Phone-Make = "Qualcomm" OTAP.Phone-Model = "pdQ1900" OTAP.SW-Rev = "001.030.0908" OTAP.Free-NVRAM = "65536" OTAP.Last-Modtime = "199812181703" Gellens Informational [Page 18] RFC 2604 OTASP/OTAPA via ACAP June 1999 entry = "Provision.Mobile-DN" OTAP.Value = {10} 619 555 1234 entry = "Provision.CDMA-NAM" OTAP.Value = {13} xx xx xx xx xx xx xx xx xx xx xx xx xx This dataset shows not only provisioning data which was downloaded into the mobile station, but also the items of client data requested by the server (the Requested-Data attribute) and the values of those items (the "Client" entry). It also indicates that the mobile client successfully stored the values associated with the modtime "199812181703". In addition, it shows that this client inherits data (i.e., roaming lists) from the "NorthEast" region. 5.1.7. Administrative Client The administrative client loads initial provisioning information into the server, including specifying the roaming list to inherit. The administrative client also updates provisioning server records as needed, and retrieves data for reports (such as a list of clients which have not yet been updated). Data is loaded into provisioning records by using the ACAP STORE command. The administrative client authenticates to the ACAP server using credentials that permit access to datasets for mobiles. When a new mobile is authorized for service, the administrative client creates the dataset by storing into it values that are specific for the device. It also sets the "dataset.inherit" attribute so that values which are not tied to the specific mobile are inherited as appropriate. * Updates to user records Existing user records may need updating from time to time. For example, a user may change service plans or purchase an additional or replacement mobile device, or the carrier may need to modify some aspect of provisioned data. * Perusal and editing of provisioning records The administrative client can provide general browse and edit capability for user records. Gellens Informational [Page 19] RFC 2604 OTASP/OTAPA via ACAP June 1999 * Report generation The administrative client can extract data from the ACAP server in order to generate reports. For example, after OTAPA activity, a carrier may wish to identify those mobiles which have not yet been updated. * Queuing of OTAPA sessions Depending on the OTAPA update procedures chosen (e.g., SMS, CLID, periodic recheck), the administrative client may be involved in initiating the activity. This may or may not use an interface to the provisioning server. 5.1.8. Mobile Client The ACAP mobile client is implemented as a state machine that performs the equivalent of IS-683A provisioning parameter information exchange and non-volatile memory storage. The ACAP Client state machine diagram (Figure 2) and descriptions are below. [Figure 2 -- see PostScript version] * Establish Transport Layer/Authenticate Authentication and/or encryption can occur at the application layer and/or at the network/transport layer. Basic ACAP authentication occurs in the application layer (i.e., within the ACAP session), and in its baseline form uses the CRAM-MD5[CRAM-MD5] mechanism. If desired, other mechanisms can be used which provide more protection and encryption. This occurs after the transport layer is established, as shown in the client state machine diagram above Figure 3 shows the CRAM-MD5 authentication mechanism for an unprovisioned mobile. In the case of provisioned mobiles, the shared secret is derived from the A-Key, instead of the limited-time N-digit code used for unprovisioned devices. Use of basic ACAP authentication is preferred for initial implementations of data-OTASP because it is simple, easy to implement, and all procedures and methods are in place. Stronger SASL mechanisms and/or IPSec can be rolled out in the future without disrupting the deployed base. [Figure 3 -- see PostScript version] Gellens Informational [Page 20] RFC 2604 OTASP/OTAPA via ACAP June 1999 * Requested-data SEARCH The mobile ACAP client issues a search command asking the server to return the attribute "OTAP.Requested-Data" in the entry "Requested-Data". * Receive requested-data values The server instructs the client to store attributes by returning one or more values of requested-data in response to the Requested-Data SEARCH. For example, the attribute "OTAP.Requested-Data" in the entry "Requested-Data" might contain four values: "phone-make", "phone-model", "SW-Rev", and "Free-NVRAM". * STORE attribute list If the response to the requested-data SEARCH returns any values, the client issues a STORE command. Each attribute in the STORE command corresponds to one item of requested-data. If the client does not recognize an item, it stores the string "[n/a]". Continuing with our example, the client uses this STORE command to write four attributes into the "Client" entry. Each attribute name is identical to one value of the OTAP.Requested-Data" attribute (with the prefix "OTAP." added). Each attribute value is determined by the respective mobile value. In our example, this STORE command sets the following attributes and values: - "OTAP.Phone-Make" = "Qualcomm - "OTAP.Phone-Model" = "pdQ1900 - "OTAP.SW-Rev" = "001.030.0908" - "OTAP.Free-NVRAM" = "65536" * Provisioning data SEARCH The mobile ACAP client issues a search command to retrieve any items of provisioning data that have changed since it last checked in (which in the initial session retrieves all provisioning data). Gellens Informational [Page 21] RFC 2604 OTASP/OTAPA via ACAP June 1999 This SEARCH command asks the server to return the "OTAP.Value" attribute of any entries whose name starts with "provision." (case-insensitive) and whose modtime is greater than the supplied value (which is zero for an unprovisioned mobile). * Receive provisioning data and modtime The server returns the provisioning items, each as one entry name and one attribute value. The server response to the SEARCH command includes the modtime of the latest entry returned. * Save values The mobile writes the returned values into NVRAM. * STORE modtime The ACAP client stores the returned modtime on the server as an acknowledgement that the data was received and NVRAM updated. * LOGOUT The client issues the LOGOUT command. * Close transport layer The client closes the TCP connection. * End call The data call is terminated. 5.2. WAP with ACAP An advantage of the ACAP solution is that is can easily coexist with a WAP-based mechanism, giving carriers more options. A carrier can deploy handsets into its service area which use WAP- based provisioning, if desired, alongside those which use ACAP provisioning. All that is required is that the WAP server contain a small ACAP client (or an interface to an ACAP server). Figure 4 shows how mobile stations can be configured using a WAP browser. By using an ACAP server for provisioning, carriers are free to simultaneously deploy mobile stations that use either WAP or ACAP, as desired. In either case, the ACAP server is the source for provisioning data. Gellens Informational [Page 22] RFC 2604 OTASP/OTAPA via ACAP June 1999 [Figure 4 -- see PostScript version] 5.3. Network-Resident vs. Configuration Data It is useful to recognize that wireless devices access two different types of carrier-provided data: network-resident and configuration. Network-resident data exists primarily within the carrier's network. Examples include account status, billing detail, service plan options, etc. While mobiles may access this information for user display, it resides in the network. Configuration data, in contrast, affects the operation of the handset, is usually not shown to the user, and must persist in the device. For network-resident data access, the obvious choice is the web. The data is highly interactive and time-variant, making web browsers a reasonable solution. Any appropriate web browser can be used. There are many good reasons for having a web browser in a wireless device which contains a display and is capable of user interaction. For configuration data, the best solution is to use ACAP. ACAP is optimized for the job, can be implemented quickly, requires a very small amount of memory, and does not depend on a display or any user interaction capability. Trying to use the same access method for both types of data unnecessarily complicates the solution, leading to increased design, development, and debug time and expense. It makes it more difficult to offer low-cost devices. Since the two types of data fundamentally differ, it is good engineering practice to select optimal code and protocols for each. 5.4. Intellectual Property Issues There are no known intellectual property issues with the ACAP solution. The ACAP specification was developed within the IETF, and no ownership, patent, or other IP claims have been asserted. Multiple independent vendors are developing ACAP clients and servers, in addition to the existing usage in deployed products. 6. Handset Protocol Suites 6.1. ACAP over TCP/IP Figure 5 depicts the mobile station protocol suite for the ACAP over TCP/IP solution. The mobile station is capable of supporting both IS-683A OTASP and OTASP over ACAP. [Figure 5 -- see PostScript version] Gellens Informational [Page 23] RFC 2604 OTASP/OTAPA via ACAP June 1999 7. IS-683A Compatibility 7.1. OTASP Operations To maximize compatibility and allow for reuse of IS-683A handset code, the data formats used in OTASP over ACAP are identical to those used in IS-683A. Section 5.1.5 Data Organization and Capabilities discusses this in more detail. OTASP via IS-683A requires custom design and development for the specific CDMA infrastructure used by a carrier. This can greatly limit the data management capabilities and significantly reduces the extensibility of the solution. Conversely, OTASP over data can be implemented on a generic IP network using an Internet standards- based capability that provides extensible provisioning activities for carriers. OTASP over data uses a traffic channel whereas IS-683A OTASP runs over the limited-bandwidth signaling channel. IS-683A OTASP operations are inherently simultaneous voice and data. This allows the customer care representative to extract information from the mobile station while conversing with the user. OTASP over data services is a data-only solution (at least for now). This makes OTASP operations slightly more sequential and potentially problematic. Simultaneous voice and data will alleviate this issue. 7.2 OTASP Call Flow The call flow diagram (Figure 6) depicts the message sequence and operations for a typical IS-683A OTASP (provisioning) call. Any data-OTASP solution must perform all the functions of the IS-683A OTASP call. The proposed solution meets these requirements. [Figure 6 -- see PostScript version] 7.3. OTAPA Operations Data-OTAPA requires the ability to instruct mobiles to originate a data call to the provisioning server. Several viable approaches are discussed in sections 3.3 OTAPA Activity and 4.3 OTAPA Requirements. OTAPA over data has the potential to require far less channel resources to download new information to mobile stations. The ACAP server inherently only communicates changes to the clients, thus only changed information needs to be downloaded to the mobile stations using OTAPA over data via ACAP. Gellens Informational [Page 24] RFC 2604 OTASP/OTAPA via ACAP June 1999 7.4. OTAPA Call Flow The call flow diagram (Figure 7) depicts the message sequence for a typical IS-683A OTAPA operation. Any data-OTAPA solution must perform all the functions of the IS-683A OTAPA call. The proposed solution meets these requirements. [Figure 7 -- see PostScript version] 8. Alternative Methods 8.1. IS-683A over TCP/IP One alternative is to port IS-683A to TCP, remaining as close as possible to the IS-683A protocol exchange. Figure 8 depicts the architecture and communications backbone to support OTASP/OTAPA via IS-707 data services with a provisioning server based on the IS-683A OTAF function. [Figure 8 -- see PostScript version] 8.1.1. OTAF Server This provisioning server is modeled after the IS-683A OTAF. The OTAF server performs the specific operations and messaging of IS- 683A OTAF. This includes A-key reauthentication procedures. Strongpoints: (1) OTAF and mobile station behavior mirrors IS-683A (reduced duplicate software in mobile station). Nearly all procedures fully defined. Drawbacks: (1) The OTAF server would need to be custom-designed and built. (2) No inherent data manipulation capabilities in the OTAF server. All required or desired data management activities would have to be built from scratch. (3) Interface application would require a non-standard interface (and therefore proprietary) to OTAF server. (4) End-to-end encryption scheme still needed for full security. Gellens Informational [Page 25] RFC 2604 OTASP/OTAPA via ACAP June 1999 8.1.2. Interface Application This function loads all required provisioning-related information from the CDMA network information system to the OTAF server. This includes the queuing of provisioning transactions and data. 8.1.3. Protocol Handset Suite Figure 9 depicts the mobile station protocol suite for the IS-683A over TCP/IP solution. The OTASP client is capable of supporting both IS-683A OTASP activities or OTASP activities over the data transport. [Figure 9 -- see PostScript version] 8.2. Browser-Based Forms Another alternative is to use forms embedded in web pages. Encapsulating the provisioning data into custom tags embedded in a web form is an idea that at first seems attractive. There are a lot of advantages in having a browser in the handset, web servers are very widely deployed, and everyone is familiar on some level with the web. However, a meta-protocol for this would need to be designed, and a fully detailed specification produced. This solution requires custom software on the provider side to handle the meta-protocol. It additionally requires handset vendors to add custom software in the handset browser to handle this protocol. This solution would require a provisioning-capable browser in every phone. While it may be desirable to have a browser, the decision to require it needs to be considered carefully, especially in light of the memory requirements it would impose on all devices. This solution would complicate the handset browser, by requiring it to handle provisioning as well as browsing. As provisioning and browsing are functionally dissimilar, this code is not a natural fit within the browser. Implementing this solution would require a significant increase in development and debug resources, and thus negatively impact time-to-market and cost. Also because the web is functionally dissimilar, a high level of carrier-side customization would be needed, leading to reduced vendor choice and increased deployment costs. Gellens Informational [Page 26] RFC 2604 OTASP/OTAPA via ACAP June 1999 This approach would layer custom data on top of a standard protocol. This would require design work, and would not have much time for open review before deployment, greatly increasing the risk. By contrast, ACAP has had years of open review and refinement. This approach also limits the extensibility of the solution. ACAP, conversely, is very extensible. Because ACAP is such a simple protocol, it can be added to a wide variety of applications at low cost. This allows increasing numbers of applications on the mobile device to share information with servers as well as desktop applications. 9. Conclusion ACAP provides a high degree of extensibility, especially in authentication mechanisms, custom attribute handling, and data management. By using an Internet standard protocol, interoperability and integration with a variety of equipment is possible, and carriers are not locked into any vendor. It is also easier to add new levels of service and capabilities, especially integration with future subscriber devices and applications (e.g., email). Since an ACAP client is so small, it can be incorporated into virtually any device, even low-end ones without displays, and can be added without sacrificing other features. The simplicity of the client and protocol directly translate to shorter development cycles and faster time-to-market. Because the ACAP protocol was designed for precisely this type of provisioning activity, its adoption can greatly reduce the cost, time to market, and support required for the provisioning server as well as the handsets. As an open standard, the ACAP protocol has benefited from years of review and experience. Another advantage of the ACAP solution is that is can easily coexist with a WAP-based mechanism, giving carriers more options and reducing the minimal requirement burden on mobile devices. A carrier can deploy handsets into its service area which use WAP- based provisioning, if desired, alongside those which use ACAP provisioning. By using an ACAP server for provisioning, carriers are free to simultaneously deploy mobile stations that use either WAP or ACAP, as desired. The lack of intellectual-property issues further adds to ACAP's appeal. Gellens Informational [Page 27] RFC 2604 OTASP/OTAPA via ACAP June 1999 10. References [ACAP] Newman, C. and J. Myers, "ACAP -- Application Configuration Access Protocol", RFC 2244, November 1997. [CRAM-MD5] Klensin, J., Catoe, R. and P. Krumviede, "IMAP/POP AUTHorize Extension for Simple Challenge/Response", RFC 2195, September 1997. [SASL] Myers, J., "Simple Authentication and Security Layer (SASL)", RFC 2222, October 1997. 11. Security Considerations Security is discussed in many sections of this document. In particular, the need and methods to guard against unauthorized updating of handsets, usurpation of newly-created accounts, compromise of handset security values, and disclosure of carrier proprietary data and handset parameters is covered. 12. Acknowledgments Jim Willkie and Marc Phillips contributed greatly to this document. Their help is very much appreciated. 13. Author's Address Randall Gellens QUALCOMM Incorporated 6455 Lusk Boulevard San Diego, CA 92121-2779 Phone: +1 619 651 5115 EMail: randy@qualcomm.com Gellens Informational [Page 28] RFC 2604 OTASP/OTAPA via ACAP June 1999 14. Full Copyright Statement Copyright (C) The Internet Society (1999). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Gellens Informational [Page 29]