[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 RFC 4488

SIP                                                             O. Levin
Internet-Draft                                     Microsoft Corporation
Expires: August 24, 2005                               February 20, 2005


    Suppression of Session Initiation Protocol REFER Method Implicit
                              Subscription
              draft-ietf-sip-refer-with-norefersub-01.txt

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of Section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she become aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 24, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This specification defines a way to suppress an implicit subscription
   with the Session Initiation Protocol (SIP) REFER method.  A new SIP
   extension tag 'norefersub' is defined to indicate support for this
   extension.





Levin                    Expires August 24, 2005                [Page 1]

Internet-Draft          SIP REFER with norefersub          February 2005


Table of Contents

   1.   Terminology  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.   Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
   3.   Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 3
   4.   Definition . . . . . . . . . . . . . . . . . . . . . . . . . . 4
   5.   Preventing Forking of REFER Requests . . . . . . . . . . . . . 4
   6.   Example  . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
   7.   IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 5
   8.   Security Considerations  . . . . . . . . . . . . . . . . . . . 5
   9.   Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6
   10.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
     10.1   Normative References . . . . . . . . . . . . . . . . . . . 6
     10.2   Informational References . . . . . . . . . . . . . . . . . 6
        Author's Address . . . . . . . . . . . . . . . . . . . . . . . 7
        Intellectual Property and Copyright Statements . . . . . . . . 8



































Levin                    Expires August 24, 2005                [Page 2]

Internet-Draft          SIP REFER with norefersub          February 2005


1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [1].

   To simplify discussions of the REFER method and its extensions, three
   new terms are being used throughout the document:
   o  REFER-Issuer: the UA issuing the REFER request
   o  REFER-Recipient: the UA receiving the REFER request
   o  REFER-Target: the UA designated in the Refer-To URI

2.  Introduction

   The REFER specification specifies that every REFER creates an
   implicit subscription between the REFER-Issuer and the
   REFER-Recipient.  This document defines a new option tag,
   "norefersub", which specifies that an implicit subscription for event
   package refer should not be created as a result of accepting this
   REFER request.

3.  Motivation

   The REFER specification mandates that every REFER creates an implicit
   subscription between the REFER-Issuer and the REFER-Recipient.  This
   subscription results in at least one NOTIFY being sent from the
   REFER-Recipient to the REFER-Issuer.  The REFER-Recipient may choose
   to cancel the implicit subscription with this NOTIFY.  The
   REFER-Issuer may choose to cancel this implicit subscription with an
   explicit SUBSCRIBE (Expires: 0) after receipt of the initial NOTIFY.

   One purpose of requiring the implicit subscription and initial NOTIFY
   is to allow for the situation where the REFER request gets forked and
   the REFER-Issuer needs a way to see the multiple dialogs that may be
   established as a result of the forked REFER.  This is the same
   approach used to handle forking of SUBSCRIBE [4] requests.  Where the
   REFER-Issuer explicitly specifies that forking not occur, the
   requirement that an implicit subscription be established is
   unnecessary.

   Another purpose of the NOTIFY is to inform the REFER-Issuer of the
   progress of the SIP transaction that results from the REFER at the
   REFER-Recipient.  In the case where the REFER-Issuer is already aware
   of the progress of the requested operation, such as when the
   REFER-Issuer has an explicit subscription to the dialog event package
   at the REFER-Recipient, the implicit subscription and resultant
   NOTIFY traffic related to the REFER can create an unnecessary network
   overhead.



Levin                    Expires August 24, 2005                [Page 3]

Internet-Draft          SIP REFER with norefersub          February 2005


4.  Definition

   This document defines a new option tag, "norefersub", which specifies
   that an implicit subscription for event package refer should not be
   created as a result of accepting this REFER request.  Note that when
   using this extension, the REFER remains a target refresh request (as
   in the default case - when the option tag "norefersub" is not used).

   The "norefersub" option tag MUST be used by the REFER-Issuer only
   when the REFER-Issuer can be certain that the REFER request will not
   be forked.

   The REFER-Issuer can place the "norefersub" option tag either in the
   Require header or in the Supported header of the REFER request,
   subject to application requirements.

   If the REFER-Issuer inserts the option tag in the Supported header
   but the REFER-Recipient doesn't grant the suggestion (i.e.  does not
   insert the "norefersub" option tag neither in the Supported nor in
   the Require header), an implicit subscription is created as in
   default case.

   If the REFER-Issuer inserts the option tag in the Require header but
   the REFER-Recipient is not willing to grant the request, the REFER
   request is rejected by sending "420 Bad Extension" response back to
   the REFER-Issuer.

   If the REFER-Recipient is willing to grant the "norefersub" behavior
   for the issued REFER request, it MUST insert a Require: norefersub
   header in the 2xx response to the REFER-Issuer.  In this case no
   implicit subscription is created.  Consequently, no new dialog is
   created if this REFER was issued outside any existing dialog.

5.  Preventing Forking of REFER Requests

   The REFER specification allows for the possibility of forking a REFER
   request which is sent outside of an existing dialog.  The
   REFER-Issuer can ensure that REFER doesn't get forked by sending
   REFER to a REFER-Recipient which has GRUU properties according to
   definitions of [5].

   The REFER specification allows for the possibility of forking a REFER
   request which is sent outside of an existing dialog.  In addition, a
   proxy may fork an unknown method type.  Should forking occur, the
   sender of the REFER with "norefsub" will not be aware as only a
   single 2xx response will be forwarded by the forking proxy.  As a
   result, the responsibility is on the issuer of the REFER with
   "norefersub" to ensure that no forking will result.



Levin                    Expires August 24, 2005                [Page 4]

Internet-Draft          SIP REFER with norefersub          February 2005


   The best way that the REFER-Issuer can ensure that REFER doesn't get
   forked is by only sending a REFER with "norefersub" with a
   Request-URI which has GRUU properties according to definitions of
   [5].

   If this is not known, the only other way to ensure that forking will
   not occur is to ensure that there are no proxies between the
   REFER-Issuer and the REFER-Recipient.  This could be done by sending
   the REFER with a Max-Forwards: 0 header field.  Any proxy receiving
   this request will return a "483 Too Many Hops" response, indicating
   that it is not safe to use the "norefersub" extension.

6.  Example

   An example of REFER which suppresses the implicit subscription is
   shown below:

   REFER sip:pc-b@example.com SIP/2.0
   Via: SIP/2.0/TCP issuer.example.com;branch=z9hG4bK-a-1
   From: <sip:a@example.com>;tag=1a
   To: <sip:pc-b@example.com>
   Call-ID: 1@issuer.example.com
   CSeq: 234234 REFER
   Max-Forwards: 70
   Refer-To: <sip:c@example.com;method=INVITE>
   Require: norefersub
   Contact: sip:a@issuer.example.com
   Content-Length: 0


7.  IANA Considerations

   This document defines a new option tag, "norefersub", which specifies
   that no implicit subscription should be created as a result of
   accepting the REFER request.  This option tag is only meaningful for
   the REFER request defined in RFC 3515 [3].

8.  Security Considerations

   The purpose of this SIP extension is to modify the expected behavior
   of the REFER-Recipient.  The change in behavior is for the
   REFER-Recipient to not establish a dialog and to not send NOTIFY
   messages back to the REFER-Issuer.  As such, a malicious inclusion of
   a Require:norefersub header field reduces the processing and state
   requirements on the recipient.  As a result, its use in a denial of
   service attack seems limited.

   Should an intermediary maliciously insert a Require:norefsub header



Levin                    Expires August 24, 2005                [Page 5]

Internet-Draft          SIP REFER with norefersub          February 2005


   field, two possibilities may occur.  If the REFER-Recipient does not
   support the extension, the REFER will fail with a "420 Bad Extension"
   response.  The REFER-Issuer will be confused as no Require was in the
   request, and the resulting request will fail.  Should the
   REFER-Recipient support the extension, the 2xx response will contain
   the Supported: norefsub header field.  In any case, the
   REFER-Recipient will not establish a new dialog and send NOTIFYs.  As
   a result the REFER-Recipient will not learn the outcome of the
   operation on the Refer-To URI.

   Should an intermediary maliciously remove a Require:norefsub header
   field, the REFER-Recipient will try to sent notifications over the
   "explicitly established" dialog.  It may confuse the REFER-Issuer,
   unless the Man in the Middle (MitM) has the motivation and the
   ability to intercept the notifications.

   To protect against these kinds of MitM attacks, integrity protection
   should be used.  For example, the REFER-Issuer could use S/MIME as
   discussed in RFC 3261 [2] to protect against these kinds of attacks.

9.  Acknowledgements

   The SIP community would like to thank Sriram Parameswar for his ideas
   being originally presented in draft-parameswar-sipping-norefersub-00
   and incorporated in this document.

10.  References

10.1  Normative References

   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [2]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
        Peterson, J., Sparks, R., Handley, M. and E. Schooler, "SIP:
        Session Initiation Protocol", RFC 3261, June 2002.

   [3]  Sparks, R., "The Session Initiation Protocol (SIP) Refer
        Method", RFC 3515, April 2003.

   [4]  Roach, A., "Session Initiation Protocol (SIP)-Specific Event
        Notification", RFC 3265, June 2002.

10.2  Informational References

   [5]  Rosenberg, J., "Obtaining and Using Globally Routable User Agent
        (UA) URIs (GRUU) in the  Session Initiation Protocol (SIP)",
        Internet-Draft draft-ietf-sip-gruu-02, July 2004.



Levin                    Expires August 24, 2005                [Page 6]

Internet-Draft          SIP REFER with norefersub          February 2005


Author's Address

   Orit Levin
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA  98052
   USA

   Phone: 425-722-2225
   Email: oritl@microsoft.com









































Levin                    Expires August 24, 2005                [Page 7]

Internet-Draft          SIP REFER with norefersub          February 2005


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Levin                    Expires August 24, 2005                [Page 8]


Html markup produced by rfcmarkup 1.107, available from http://tools.ietf.org/tools/rfcmarkup/