[Docs] [txt|pdf] [Tracker] [Email] [Nits] [IPR]
Versions: 00
P2PSIP Working Group E. Cooper
Internet-Draft A. Johnston
Intended status: Standards Track P. Matthews
Expires: August 28, 2007 Avaya
February 24, 2007
Bootstrap Mechanisms for P2PSIP
draft-matthews-p2psip-bootstrap-mechanisms-00
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 28, 2007.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document describes mechanisms that a peer can use to locate and
establish a Peer Protocol connection to an admitting peer in order to
join an overlay network. In the first mechanism, the joining peer
uses multicast to locate a bootstrap peer; in the second, the node
uses one or more bootstrap servers to locate a bootstrap peer; in
both cases, the bootstrap peer then proxies the request by the
joining peer on to the admitting peer. Each mechanism has its
Cooper, et al. Expires August 28, 2007 [Page 1]
Internet-Draft Bootstrap Mechanisms February 2007
advantages and disadvantages, and a node can utilize both.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Overview of the Mechanisms . . . . . . . . . . . . . . . . . . 5
2.1. Multicast Mechanism . . . . . . . . . . . . . . . . . . . 5
2.2. Bootstrap Server Mechanism . . . . . . . . . . . . . . . . 6
2.3. Common Procedures . . . . . . . . . . . . . . . . . . . . 6
2.4. Multicast Example . . . . . . . . . . . . . . . . . . . . 7
2.5. Bootstrap Server Example . . . . . . . . . . . . . . . . . 8
2.6. Pros and Cons of the Two Mechanisms . . . . . . . . . . . 10
3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.1. Peer Protocol and Signaling Protocol . . . . . . . . . . . 11
3.2. URI Format . . . . . . . . . . . . . . . . . . . . . . . . 12
3.3. Reducing the Load on Proxies . . . . . . . . . . . . . . . 13
4. Detailed Description of the Multicast Mechanism . . . . . . . 13
4.1. The Mechanism . . . . . . . . . . . . . . . . . . . . . . 13
4.2. Discussion (Informative) . . . . . . . . . . . . . . . . . 14
5. Detailed Description of Bootstrap Server Mechanism . . . . . . 15
5.1. The Bootstrap Server . . . . . . . . . . . . . . . . . . . 15
5.2. Registering with the Bootstrap Server . . . . . . . . . . 15
5.3. Forming the Initial INVITE . . . . . . . . . . . . . . . . 16
5.4. Sending the INVITE . . . . . . . . . . . . . . . . . . . . 16
5.5. Handling the INVITE at the Bootstrap Server . . . . . . . 17
6. Detailed Description of Common Procedures . . . . . . . . . . 18
6.1. Handling the INVITE at the Bootstrap Peer . . . . . . . . 18
6.2. Handing the INVITE at the Admitting Peer . . . . . . . . . 18
6.3. Sending the ACK . . . . . . . . . . . . . . . . . . . . . 19
6.4. Forming the Initial Offer and Answer . . . . . . . . . . . 19
6.5. Sending a new INVITE with Replaces . . . . . . . . . . . . 19
6.6. Replying to the new INVITE . . . . . . . . . . . . . . . . 21
6.7. Keepalives . . . . . . . . . . . . . . . . . . . . . . . . 21
7. Security Considerations . . . . . . . . . . . . . . . . . . . 21
7.1. Credentials . . . . . . . . . . . . . . . . . . . . . . . 22
Cooper, et al. Expires August 28, 2007 [Page 2]
Internet-Draft Bootstrap Mechanisms February 2007
7.2. Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 22
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23
9.1. Normative References . . . . . . . . . . . . . . . . . . . 23
9.2. Informative References . . . . . . . . . . . . . . . . . . 24
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24
Intellectual Property and Copyright Statements . . . . . . . . . . 26
Cooper, et al. Expires August 28, 2007 [Page 3]
Internet-Draft Bootstrap Mechanisms February 2007
1. Introduction
A peer wishing to join an existing P2PSIP overlay needs to somehow
locate and contact one or more peers in the overlay and then exchange
messages with these peers to add itself to the overlay. In addition,
the joining peer may be asked to prove that it is authorized to join
the overlay, and may wish to confirm for itself that the other nodes
really are the overlay they say they are.
As described in the P2PSIP Concepts and Terminology document
[I-D.willis-p2psip-concepts], a peer that serves as the initial point
of contact into the overlay is known as a bootstrap peer. With the
help of the bootstrap peer, the joining peer can locate and contact
the other peers in the network. However, in many cases it is more
efficient for the bootstrap peer to immediately forward the request
from the joining peer on to another peer which is better able to help
the joining peer join the overlay. This second peer, called the
admitting peer, might be, for example, a neighbor of the joining peer
in the overlay. In those cases where the referral is not done, the
first peer simply plays both roles: bootstrap peer and admitting
peer.
The protocol used by peers to construct and maintain an overlay is
known as the Peer Protocol. Work on this protocol is just beginning,
and many details are not yet known, but one thing that is established
is that the protocol must work through NATs to the greatest extent
possible. In order to do this, the peer protocol needs the concept
of a "control connection" between two peers over which the peer
protocol can run. This is the transport connection (e.g. TCP, UDP,
or some other transport) over which the peer protocol runs. The
peers at each end of the control connection need to establish this
connection and then take steps to maintain it in the presence of NATs
(e.g., by sending keep-alives).
Thus the goal of a bootstrap mechanism is to establish a control
connection between the joining peer and the admitting peer. Once
this connection is established, the joining peer can communicate with
the admitting peer using the peer protocol and do whatever is
required to become a fully functional member of the overlay.
Since the nature of the Peer protocol is still under debate, this
document is careful to make as few assumptions as possible about the
nature of the Peer Protocol. In particular, this document takes NO
POSITION on the question of whether the Peer Protocol is SIP-based.
However, this document does assume that SIP is the protocol used to
Cooper, et al. Expires August 28, 2007 [Page 4]
Internet-Draft Bootstrap Mechanisms February 2007
establish the connections over which the Peer Protocol runs. There
are a number of reasons for making this assumption:
o As argued in [I-D.matthews-p2psip-nats-and-overlays], the joining
peer and the admitting peer may both be behind (different) NATs.
In this case, TCP or UDP by itself is not sufficient, and an out-
of-band signaling protocol is required. SIP is one such out-of-
band signaling protocol;
o SIP is well-suited for setting up, modifying, and tearing down
connections;
o SIP has a number of security mechanisms, which can be used to
provide appropriate security for each bootstrap mechanism;
o There has been a lot of work recently to define SIP mechanisms for
setting up and maintaining connections through NATs; and
o It is likely that many peers in a P2PSIP network will need to
support SIP for other reasons (e.g., establishing multimedia
sessions).
The use of indirect SIP signaling to establish direct Peer Protocol
connections is analogous to the use of indirect SIP signaling to
create direct RTP streams.
2. Overview of the Mechanisms
The current version of this document describes two bootstrap
mechanisms: the Multicast mechanism and the Bootstrap Peer mechanism.
These two mechanisms are not rivals. On the contrary, an eminently
sensible approach is for a joining peer to first try the multicast
mechanism, and try the bootstrap server mechanism if the multicast
mechanism fails.
Two other bootstrap mechanisms are mentioned briefly in
[I-D.willis-p2psip-concepts]. These will be discussed in future
versions of this document. This section is non-normative.
2.1. Multicast Mechanism
The Multicast mechanism is intended to allow the joining peer locate
a bootstrap peer on the same subnet. It will also work between
subnets if the two subnets are joined in the same multicast domain -
typically, these will be adjacent subnets operated by the same
organization.
Cooper, et al. Expires August 28, 2007 [Page 5]
Internet-Draft Bootstrap Mechanisms February 2007
In the Multicast mechanism, the joining peer begins by multicasting
an SIP OPTIONS message addressed to the pseudo-user "bootstrap" and
specifying the name of the overlay the peer wishes to join (see the
section on URIs below). Peers willing to be a bootstrap peer reply
and list their unicast address in the reply. The joining peer then
selects one of these bootstrap peers, and unicasts an INVITE message
to it. The bootstrap peer, in turn, selects a peer to act as the
admitting peer and proxies the INVITE to that peer.
2.2. Bootstrap Server Mechanism
A P2PSIP Bootstrap Server is a SIP registrar and proxy, typically
located in the public Internet, that acts as an intermediary to
introduce the joining peer to a bootstrap peer. The Bootstrap Server
is not a part of the overlay, but is simply a well-known node that
acts as an "introduction service". Peers must know the URL of one or
more bootstrap servers: this might happen through configuration, for
example.
This mechanism begins with one or more bootstrap peers registering
with the bootstrap server. Each peer registers, using the standard
SIP registration mechanism, as the pseudo-user "bootstrap" and
specifies the name of the overlay with which it is associated (see
the section on URIs below).
Later on, a peer that wishes to join the overlay sends an INVITE
message to a bootstrap server address to "bootstrap" and specifying
the name of the overlay it wishes to join. If the bootstrap server
knows of one or more bootstrap peers in that overlay, it selects one
and proxies the INVITE onward to a bootstrap peer. The selected
bootstrap peer, in turn, selects a peer to act as the admitting peer
and proxies the INVITE to that peer.
2.3. Common Procedures
Both bootstrap mechanisms use ICE for help with setting up a control
connection through any NATs that may lie between the joining peer and
the admitting peer. Following the procedures of ICE, the joining
peer and the admitting peer include ICE candidates in their SDP offer
and answer, and then try all the various candidate pair combinations
to see which combinations work. The best working combination is then
selected as the path for the control connection.
At this point, the new control connection has been established, but
the SIP dialog for the connection still goes through the intermediate
proxies (the bootstrap server and/or bootstrap peer). If one of
these intermediaries was to crash or otherwise leave, then the
signaling channel would be broken, and it is common behavior for SIP
Cooper, et al. Expires August 28, 2007 [Page 6]
Internet-Draft Bootstrap Mechanisms February 2007
entities to tear down the bearer channel if they detect that the
signaling channel is broken. To handle this case, one endpoint
(usually the joining peer) sends an INVITE with a Replaces header
down the new connection. This causes the old dialog to be torn down
and replaced with a new dialog that runs along the control connection
itself.
2.4. Multicast Example
In this multicast mechanism example, a Peer A ("the joining peer")
wants to join a particular overlay. Peer A multicasts out an OPTIONS
message. Peers B and C, which happen to be on the same subnet as A,
are already members of the overlay in question, and thus respond to
the OPTIONS request. By chance, peer C responds first, and is
therefore selected as the bootstrap peer for the rest of the
exchange. Peer A then unicasts an INVITE to peer C. Based on peer
A's peer-id, peer C decides that peer D, rather than itself, is the
best peer to help peer A join the overlay. Thus peer C forwards the
INVITE to peer D ("the admitting peer") through the existing
connections in the overlay.
Peers A and D complete the INVITE transaction, and then execute the
ICE connectivity checks (in reality, these two steps would be done in
parallel). Once a working path for the new Peer Protocol connection
is selected, peer A sends an INVITE w/ a Replaces header on the
working path. This establishes a new dialog between peers A and D,
and causes peer D to send a BYE for the old dialog.
The following figure illustrates the call flow for this example. In
this figure, we use two diagramming conventions from : the labeling
of dialogs on the left-hand-side, and the collapsing of a multi-
message transaction into a single line.
Cooper, et al. Expires August 28, 2007 [Page 7]
Internet-Draft Bootstrap Mechanisms February 2007
Peer A Peer B Peer C Peer D
(Joining) (Bootstrap) (Admitting)
| | | |
| OPTIONS (multicast)| | |
|------------------->|----------------->| |
| | 200 OK | |
|<--------------------------------------| |
| 200 OK | | |
|<-------------------| | |
| INVITE | | |
dialog1|-------------------------------------->| |
| | | INVITE |
dialog1| | |----------------->|
| | | 200 OK |
dialog1| |<-----------------|
| | 200 OK | |
dialog1|<--------------------------------------| |
| ACK | | |
dialog1|-------------------------------------->| |
| | | ACK |
| | |----------------->|
| ICE Connectivity Checks |
|<-------------------------------------------------------->|
| Peer Protocol connection from A to D established |
|==========================================================|
| | | |
| INVITE (Replaces) | | |
dialog2|--------------------------------------------------------->|
| | | 200 OK |
dialog2|<---------------------------------------------------------|
| ACK | | |
dialog2|--------------------------------------------------------->|
| | BYE/200 OK | BYE/200 OK |
dialog1|<--------------------------------------|<-----------------|
| | | |
Figure 1: Message Flow for Multicast Example
2.5. Bootstrap Server Example
In this example, server X (a SIP proxy and registrar) acts as a
Bootstrap Server for a variety of different overlays, including
overlay "O". A URL for server X is known, through configuration, to
a number of nodes, including those interested in forming overlay "O".
At the start of this example, peer C, which is already a member of
overlay "O", registers with server X as a bootstrap peer for the
Cooper, et al. Expires August 28, 2007 [Page 8]
Internet-Draft Bootstrap Mechanisms February 2007
overlay.
Then, later, peer A decides to join the overlay. Peer A sends an
INVITE to server X specifying overlay "O", and server X proxies this
INVITE onward to peer C. When peer C receives the INVITE, it decides,
based on A's peer-id (given in the INVITE), that peer D (already a
member of the overlay) is the best peer to help peer A join the
network. Thus it forwards the INVITE to peer D (through the existing
connections of the overlay).
As in the multicast example, peers A and D complete the INVITE
transaction and then select a working path using ICE. Peer A then
sends an INVITE with a Replaces header on the working path. This
establishes a new dialog between peers A and D, and causes peer D to
send a BYE for the old dialog.
Cooper, et al. Expires August 28, 2007 [Page 9]
Internet-Draft Bootstrap Mechanisms February 2007
Peer A Server X Peer C Peer D
(Joining) (Bootstrap server) (Bootstrap) (Admitting)
| | | |
| | REGISTER/200 OK | |
| |<-----------------| |
| | | |
| INVITE | | |
dialog1|------------------->| | |
| | INVITE (R-R:X) | |
dialog1| |----------------->| |
| | | INVITE |
dialog1| | |----------------->|
| | | 200 OK |
dialog1| | |<-----------------|
| | 200 OK | |
dialog1| |<-----------------| |
| 200 OK | | |
dialog1|<-------------------| | |
| ACK | | |
dialog1|------------------->| | |
| | ACK | |
| |----------------->| |
| | | ACK |
| | |----------------->|
| | | |
| ICE Connectivity Checks |
|<-------------------------------------------------------->|
| Peer Protocol connection from A to D established |
|==========================================================|
| | | |
| INVITE (Replaces) | | |
dialog2|--------------------------------------------------------->|
| | | 200 OK |
dialog2|<---------------------------------------------------------|
| ACK | | |
dialog2|--------------------------------------------------------->|
| | | |
| BYE/200 OK | BYE/200 OK | BYE/200 OK |
dialog1|<-------------------|<-----------------|<-----------------|
| | | |
Figure 2: Message Flow for Bootstrap Server Example
2.6. Pros and Cons of the Two Mechanisms
The Multicast mechanism only works in the joining peer shares a
multicast domain with a bootstrap peer in the overlay. Most often,
Cooper, et al. Expires August 28, 2007 [Page 10]
Internet-Draft Bootstrap Mechanisms February 2007
this means that the two must be on the same subnet, though there are
situations where the two can be farther apart in Internet distance.
This means that the Multicast mechanism is particularly appropriate
when a number of peers are located on the same or perhaps nearby
subnets (for example, in an office or conference situation).
By contrast, the Bootstrap Server mechanism will work regardless of
the distance between the joining peer and the bootstrap peer. This
means that it is very appropriate when the joining peer is somewhat
isolated from other peers. However, this mechanism requires the use
of a well-known, publicly reachable third party (the bootstrap
server). To make the Bootstrap Server mechanism practical, it is
highly desirable to minimize the load on the bootstrap server to the
greatest extent possible, so that a single bootstrap server can serve
many different overlays.
3. Assumptions
This section lists and motivates the various assumptions this
document makes about the nature of a solution to the bootstrap
problem.
3.1. Peer Protocol and Signaling Protocol
As described in the Introduction, this document assumes that SIP is
used to signal Peer Protocol connections, but does not assume that
the Peer Protocol is based on SIP.
However, we do assume that the Peer Protocol either provides a way to
transport SIP messages, or there is a way to multiplex SIP messages
with the Peer Protocol messages on the same connection. This allows
us to send SIP messages along control connections for the purposes of
setting up and tearing down other control connections in the overlay.
Furthermore, we assume that ICE is used as the SIP/SDP extension for
setting up connections in the presence of NATs. As presently
defined, ICE supports setting up connections where the transport
protocol is either UDP or TCP - if a different transport protocol is
chosen for the Peer Protocol, then an appropriate ICE extension will
need to be defined. Since ICE, in turn, specifies that the STUN
protocol is used for keep-alives on connections established by ICE,
this implies that STUN messages will be multiplexed with the other
traffic on control connections.
Finally, we assume that there is a way to signal a Peer Protocol
connection in the SDP in the SIP message body. The details of how
this is done is not important to this document, but we assume that
Cooper, et al. Expires August 28, 2007 [Page 11]
Internet-Draft Bootstrap Mechanisms February 2007
this is done using some sort of new media type like "application/
p2psip-peer".
Our goal with the current version of this document is to specify
mechanisms to establish a Peer Protocol connection between the
joining node and the admitting node using SIP extended with ICE. Our
goal is to do this using existing SIP mechanisms wherever possible,
and avoid new extensions to SIP unless absolutely necessary.
3.2. URI Format
At present, there is no agreed-upon format for URIs related to P2PSIP
overlays. The current version of this document does not attempt to
provide one. Instead, this document merely assumes that whatever URI
format is chosen by the Working Group is sufficiently expressive to
describe the following concepts:
URI-format 1: A specific peer X in a specific overlay Y. This
document assumes that this is done by having the URI somehow
include both the peer-ID of peer X and the name of overlay Y. It
also assumes that (perhaps optionally) there is a way to indicate
an IP address associated with peer.
URI-format 2: The bootstrap service for a specific overlay Y. This
form does not specify the peer that should provide this service,
and is used when the joining peer wishes to contact any peer that
is willing to provide the bootstrap service.
URI-format 3: The bootstrap service for a specific overlay Y as
provided by a specific peer P. We assume that this format provides
a way (perhaps optionally) to indicate an IP address associated
with the peer. This format is used when a format-2 URI has been
proxied or redirected to a specific peer that will provide the
service.
A format 2 or format 3 URI expresses the fact that the goal of the
SIP request is to setup a connection for the purpose of admitting a
new peer into the overlay. Thus a peer receiving an INVITE with such
a URI knows that it should proxy the INVITE onward if it believes it
is not the most appropriate peer to handle the request - in this way,
the bootstrap peer proxies the INVITE onward to the admitting peer.
By contrast, a format 1 URI expresses the fact that the SIP request
is for the specific peer listed in the URI.
Future versions of this document may specify a particular URI scheme.
Cooper, et al. Expires August 28, 2007 [Page 12]
Internet-Draft Bootstrap Mechanisms February 2007
3.3. Reducing the Load on Proxies
The bootstrap server (if present) and the bootstrap peer act as
proxies in the signaling path between the joining peer and the
admitting peer. This document assumes that we want to remove these
proxies from the signaling path as soon as practical, leaving the
signaling to go directly from the joining peer to the admitting peer.
There are two motivations for this. First, leaving these proxies in
the signaling path is a burden on them. If they are stateful, this
consumes state. Even if they are stateless, they are still in the
path of any signaling adjustments.
Second, if the connection is long-lived, then leaving these proxies
in the signaling path would mean that the connection would be
dependent on their continuing availability. As a minimum, it would
be impossible to make any changes to the connection if the peer or
server crashed or otherwise became unavailable - many SIP UA today go
further and tear down the direct connection if they detect the
signaling path is broken.
To further reduce the load on bootstrap peers (beyond removing them
from the signaling path as soon as possible), this document assumes
that the usage of bootstrap peers should be spread as evenly as
possible. That is, if a number of different peers try to join at
approximately the same time, then with high probability they should
use different bootstrap peers to the extent possible.
4. Detailed Description of the Multicast Mechanism
This section contains the normative description of the multicast
mechanism.
4.1. The Mechanism
The procedure starts with the joining peer multicasting a SIP OPTIONS
message. The To header and Request URI use URI-format 2; that is,
the URI specifies the "bootstrap" service and the name of the
overlay, but does not specify a particular peer. The joining peer
lists its peer URI (i.e., URI-format 1) in the From and Contact
fields of the message. The message is sent on the well-known "all
SIP servers" multicast address "sip.mcast.net" (224.0.1.75 for IPv4).
Peers willing to act as bootstrap peers listen on this multicast
address. If an OPTIONS message arrives, the peer MUST verify that
the message is addressed to the "bootstrap" service and specifies the
name of the overlay that the peer is serving as bootstrap peer for;
Cooper, et al. Expires August 28, 2007 [Page 13]
Internet-Draft Bootstrap Mechanisms February 2007
if these conditions are not met, then the peer MUST silently discard
the message.
If these conditions are satisfied, then the peer SHOULD reply using a
200 OK, but MAY reply using a 302 Moved Temporarily if it wishes to
indicate other peers. In either case, the peer MUST include, in the
Contact header, a URI in format 3 specifying itself as the peer.
This URI MUST include a unicast address at which the peer can be
reached; the address included MUST be reachable from any node located
in the multicast domain. The peer SHOULD NOT include contacts for
other peers unless the peer knows, through some unspecified
mechanism, that those peers are currently members of the overlay and
are willing to act as bootstrap peers.
The joining peer will receive zero or more of these replies. As
specified in SIP [RFC3261], the second and subsequent replies to the
multicast request must be taken as retransmissions of the first reply
and will be discarded. Thus the joining peer selects a Contact URI
from the first reply and uses this as the bootstrap peer.
The joining peer then forms an INVITE message and unicasts it to the
selected bootstrap peer.
The INVITE message uses URI-format 2 in the To header, and URI-format
3 in its Request URI, where the latter specifies the selected
bootstrap peer. The URI of the joining peer (URI-format 1) is placed
in the From and Contact headers (see section 4.2).
To indicate that the bootstrap peer should proxy the INVITE onward to
an admitting peer (rather than redirecting with a 302 Moved
Temporarily), the joining peer includes a Request-Disposition header
with a "proxy" directive.
Further processing after this point follows the procedures in section
7.
4.2. Discussion (Informative)
It is important that peers that do not want to be a bootstrap peer
for the specified overlay not reply to the multicast OPTIONS message.
If they were to reply with an error message and if this was the first
reply received, then this reply would mask all subsequent replies.
For similar reasons, the authors have elected to use a OPTIONS
message for this mechanism, rather than an INVITE message. If the
mechanism used an INVITE, and if multiple peers replied with a 302,
then the joining peer would need to send ACK messages to each of
these peers - but this is contrary to the base multicast mechanism
Cooper, et al. Expires August 28, 2007 [Page 14]
Internet-Draft Bootstrap Mechanisms February 2007
specified in SIP [RFC3261] which says that subsequent replies are
ignored. The OPTIONS message avoids this problem because it does not
require an ACK.
5. Detailed Description of Bootstrap Server Mechanism
This section contains the normative description of the bootstrap
server mechanism.
5.1. The Bootstrap Server
A P2PSIP Bootstrap Server behaves as a standard SIP registrar and
proxy [RFC3261] except as described below.
The SIP registrar and proxy MUST understand the URI format used by
P2PSIP (see the section on URI formats). The SIP registrar SHOULD
support multiple registrations (i.e., contacts) for a "bootstrap"
service for a given overlay. The SIP proxy MUST obey the "redirect",
"proxy" and "no-fork" directives in the Request-Disposition header
[RFC3841].
A P2PSIP Bootstrap Server may act as either a stateful or stateless
SIP proxy. Acting as a stateless proxy may provide scalability
advantages.
A P2PSIP Overlay may use multiple independent Bootstrap Servers at
the same time, and a single Bootstrap Server may serve multiple
independent P2PSIP Overlays at the same time.
5.2. Registering with the Bootstrap Server
Using some mechanism, not specified here, the peers of a P2PSIP
Overlay select one or more peers to register with a given Bootstrap
Server. The set of peers selected to register with one Bootstrap
Server may be different than the set selected to register with a
different Bootstrap Server.
We also assume there is some mechanism, not specified here, by which
each bootstrap peer learns a URI for each P2PSIP Bootstrap Server it
needs to contact.
For each such URI, a peer uses standard SIP mechanisms [RFC3263] to
locate the proxy portion of the Bootstrap Server.
For each bootstrap server and bootstrap peer combination, the peer
registers as a bootstrap peer for the overlay. This is done with a
REGISTER message where the To and From headers contain a URI in
Cooper, et al. Expires August 28, 2007 [Page 15]
Internet-Draft Bootstrap Mechanisms February 2007
format 2, the Contact header contains a URI in format 3 (specifying
the specific bootstrap peer), and the Request URI contains the URI
used to reach the bootstrap server.
The peer SHOULD use a q value of 1 for the registration.
As part of the registration process, the peer SHOULD use the
mechanism specified in [I-D.ietf-sip-outbound] to establish and keep
a connection to the Bootstrap Server alive through any intervening
NATs. (A reason not to use this mechanism might be because the
bootstrap peer is in the same address domain as the bootstrap
server).
5.3. Forming the Initial INVITE
A peer that wishes to join an overlay begins by forming a SIP INVITE
message.
The To header of the INVITE message contains a URI in format 2 and
specifying the overlay the peer would like to join. The From and
Contact headers contain a format 1 URI specifying the joining peer.
To indicate that the bootstrap server should proxy the INVITE onward
to a bootstrap peer (rather than redirecting with a 302 Moved
Temporarily), the joining peer SHOULD include a Request-Disposition
header with a "proxy" directive. To indicate that the bootstrap
server should not fork the INVITE but rather select just one of the
bootstrap peers, the joining peer SHOULD include a "no-fork"
directive in the Request-Disposition header.
Since the joining peer may be located behind a NAT, the INVITE MUST
include the "rport" parameter defined in [RFC3581].
See section 7.4 for how the SDP body is constructed.
5.4. Sending the INVITE
We assume there is some mechanism, not specified here, by which a
peer that wishes to join an overlay learns the URIs of one or more
P2PSIP Bootstrap Servers. It is RECOMMENDED that the peer try these
bootstrap servers in some unspecified order until the peer succeeds
in locating a server that knows about the overlay.
For each bootstrap server, the joining peer adds a Route header to
the INVITE containing that bootstrap server, then uses standard SIP
mechanisms [RFC3263] to locate the proxy portion of the Bootstrap
Server, and sends the INVITE message to it.
Cooper, et al. Expires August 28, 2007 [Page 16]
Internet-Draft Bootstrap Mechanisms February 2007
5.5. Handling the INVITE at the Bootstrap Server
When the proxy portion of the P2PSIP Bootstrap Server receives the
INVITE, it handles it using normal proxy procedures as specified in
section 16 of the SIP specification [RFC3261]. As part of this
processing, it checks to see if it has one or more bootstrap peers
registered for the given overlay. If it does, it selects one of
these peers and forwards the INVITE to it (thus obeying the "proxy,
no-fork" directive in the Request-Disposition header). If there are
multiple bootstrap peers registered for the same overlay, the proxy
SHOULD select one of these peers in such a way that subsequent
INVITEs in the same dialog attempt go to the same bootstrap peer,
while subsequent INVITEs for different dialog attempts are likely to
select a different bootstrap peer.
The goal here is to spread the load across bootstrap peers. This
makes sure that no bootstrap peer gets overloaded, which means
that even less-capable peers can serve as bootstrap peers. In
addition, this allows an overlay to select only a small number of
bootstrap peers to register with the bootstrap server, thus
reducing the load on the bootstrap server.
However, in a Challenge-Response scenario, when the selected
bootstrap peer replies with a 401 containing a nonce, and the
joining peer then resends the INVITE with the appropriate
credentials, it would be nice if the bootstrap server routed this
new INVITE to the same bootstrap peer. If the bootstrap server
routed this new INVITE to a different bootstrap peer, this
bootstrap peer will reject the INVITE unless this second bootstrap
peer would have generated the same nonce for the INVITE. Though
there are nonce-sharing schemes that solve this problem, such
nonce-sharing schemes may not be appropriate in P2PSIP systems.
By ensuring that the new INVITE goes back to the same bootstrap
peer, we avoid the need for such nonce-sharing systems.
One way this selection might be done is to hash on the contents of
the From and Call-ID headers and use this hash value to select the
bootstrap peer. This approach will select the same bootstrap peer
for all transactions within the same dialog, but will usually
select a different bootstrap peer for different dialogs.
In many situations where either the joining node or the bootstrap
peer are behind NATs, the bootstrap server will need to remain in the
path of future transactions on this dialog to ensure that the
messages can traverse the intervening NATs. Thus the bootstrap
server MUST add a Record-Route header field to the INVITE, unless it
knows, through some outside mechanism, that this is not necessary.
Similarly, the bootstrap server MUST add the "rport" parameter
Cooper, et al. Expires August 28, 2007 [Page 17]
Internet-Draft Bootstrap Mechanisms February 2007
defined in [RFC3581] unless it knows, through some unspecified
mechanism, that this is not necessary.
Further processing after this point follows the procedures in section
7.
6. Detailed Description of Common Procedures
This section describes normative procedures that are common to both
mechanisms.
6.1. Handling the INVITE at the Bootstrap Peer
When the bootstrap peer received the INVITE, it selects a peer in the
overlay to act as the admitting peer.
The details of how this selection is done is outside the scope of
this document, since it depends on the nature of the Peer Protocol
and the nature of the algorithm used to select connections for the
overlay. However, one reasonable choice might be a peer that will
become the neighbor of the joining peer in the overlay.
A bootstrap peer MAY select itself as the admitting peer, in which
case the INVITE is handled as described in the next section.
If the bootstrap peer does not select itself as the admitting peer,
then the bootstrap peer forwards the INVITE to the admitting peer,
using the Peer Protocol's ability to transport SIP messages from one
peer to another as described in the P2PSIP Concepts document
[I-D.willis-p2psip-concepts]. Note that the details of how this is
done have not been agreed to yet - one possibility is that one or
more peers will act as intermediaries. It is expected that, as part
of these Peer Protocol forwarding procedures, the bootstrap peer add
a Record-Route header to force future requests in the dialog to pass
through the bootstrap peer - failure to do so would likely mean that
future requests would not make it through intervening NATs.
6.2. Handing the INVITE at the Admitting Peer
When the admitting peer receives the INVITE, it recognizes that the
INVITE is a request to set up a control connection for the bootstrap
mechanism because of the format of the Request URI (namely, a URI in
either format 2 or 3). It then processes the INVITE according to the
SIP specification [RFC3261], possibly sending preliminary responses
before the 2xx final response.
It is expected that the Peer Protocol will define rules for how
Cooper, et al. Expires August 28, 2007 [Page 18]
Internet-Draft Bootstrap Mechanisms February 2007
responses are sent and routed through the overlay. Once the response
gets back to the bootstrap peer, the rules of [RFC3261] take over for
routing the response back to the joining peer - in the case of the
bootstrap server mechanism, this means that the response is routed
back through the bootstrap server.
6.3. Sending the ACK
On receipt of the 2xx, the joining peer sends an ACK in response.
Because of the Record-Route header(s) added to the INVITE message,
the ACK is sent along the path of the original INVITE to the
bootstrap peer, which forwards it through the overlay to the
admitting peer.
6.4. Forming the Initial Offer and Answer
Associated with the INVITE transaction is an SDP offer-answer
exchange [RFC3264]. Typically, the SDP offer is contained in the
initial INVITE and the SDP answer is contained in the 200 OK
response, but the SIP specification [RFC3261] also allows other
possibilities. This document does not restrict the placement of the
SDP offer and answer beyond what is specified in [RFC3261].
The offer-answer exchange is used by the joining and admitting peers
to negotiate the parameters for the resulting Peer Protocol
connection. To do this, both the offer and answer SHOULD specify
exactly one media stream, and the media type for that stream MUST
specify the P2PSIP Peer Protocol. The details of how this is done
are outside the scope of this document.
The offer or answer MUST NOT include any of the following attributes:
"a=recvonly", "a=sendonly", or "a=inactive".
Peers SHOULD use ICE ([I-D.ietf-mmusic-ice] and
[I-D.ietf-mmusic-ice-tcp]) to determine a pair of transport addresses
to use for the Peer Protocol connection. This implies that both the
offer and answer should contain a set of ICE candidates - whether
these candidates are UDP candidates, TCP candidates, or other
candidate types depends on the transport selected for the Peer
Protocol.
6.5. Sending a new INVITE with Replaces
During the offer/answer exchange, both the joining peer and the
admitting peer use the rules described in ICE for deciding whether
ICE connectivity checks can be run or not.
If ICE connectivity checks can be run, then one or more connectivity
Cooper, et al. Expires August 28, 2007 [Page 19]
Internet-Draft Bootstrap Mechanisms February 2007
checks will then be executed to find working transmission paths
between the two peers. Following the rules in ICE
[I-D.ietf-mmusic-ice], as part of this process the two peers will
select one of them to be the controlling peer and the other to be the
controlled peer (in ICE terminology, these are called the
"controlling agent" and "controlled agent"). The controlling peer is
responsible for choosing the candidate pair to use for the connection
from amongst the working pairs, where a candidate pair consists of a
local candidate (= local IP address and port) and a remote candidate
(= remote IP address and port).
Once the controlling peer has selected a candidate pair to use for
the connection, it forms a new INVITE to send to the controlled peer.
The purpose of this INVITE is to establish a new dialog that goes
directly between the joining peer and the admitting peer, replacing
the dialog that goes via the bootstrap peer (and the bootstrap
server, if present).
The INVITE contains a Replaces header [RFC3891] that specifies the
dialog being replaced. The Replaces header contains the call-id, to-
tag, and from-tag of the dialog established by the initial INVITE; it
MUST NOT contain the "early-only" parameter, since that dialog may be
in the confirmed state. In addition, the pair (from-tag, call-id)
for this new INVITE must be distinct from the pair used in the
initial INVITE.
The INVITE contains the URI of the controlling peer (learned from the
Contact field in the previous INVITE transaction) as the Request URI
and as the URI in the To field, and the URI of the controlled peer in
the From and Contact fields.
The INVITE MUST contain an updated offer, since ICE requires that the
updated offer come from the controlling endpoint. Following the
procedures of ICE, the offer MUST include the local candidate from
the selected candidate pair and MUST NOT contain any other
candidates. This local candidate MUST also be placed in the m/c-line
of the offer.
In this way, this INVITE serves both to carry the Replaces and to
carry the updated offer needed for ICE.
This INVITE is sent using the selected candidate pair; that is, it is
addressed to the remote candidate in the pair and sent from the local
candidate in the pair. Following ICE procedures, the remote peer
must be prepared to receive this INVITE, since ICE requires that both
endpoints be prepared to receive STUN requests and "media" (in this
case, Peer Protocol and/or SIP messages) on a candidate as soon as
they advertise it.
Cooper, et al. Expires August 28, 2007 [Page 20]
Internet-Draft Bootstrap Mechanisms February 2007
If ICE connectivity checks are NOT run, then the two endpoints use
the address and port given in the m and c lines of the SDP for the
control connection, and it is the joining peer that sends the new
INVITE. The INVITE is formed as described above, except that updated
offer does not contain any of the attributes defined by ICE, since
ICE cannot be used for this connection. The updated offer MUST keep
the IP address and port in m and c lines unchanged.
6.6. Replying to the new INVITE
When the controlled peer receives the new INVITE, it replies with a
2xx that contains an updated answer. This 2xx is sent back along the
same new control connection as it was received. This updated answer
is formed in the same way as the updated offer: if ICE is used, the
updated answer MUST include the local candidate from the selected
candidate pair, MUST NOT contain any other candidates, and must
contain the local candidate in the m/c-line; if ICE is not used, the
updated answer MUST NOT contain any attributes defined by ICE, and
MUST keep the IP address and port in the m and c lines unchanged.
The receipt of the INVITE with the Replaces header triggers the
receiving peer to tear down the dialog that goes via the bootstrap
peer (and the bootstrap server if present). The is done by the
receiving peer sending a BYE on the existing dialog. Note that the
receiving peer may need to wait before sending the BYE if there is a
transaction outstanding on the old dialog - this might happen, for
example, if the admitting peer receives the INVITE for the new dialog
before receiving the ACK for the old dialog.
Once the new INVITE transaction is completed, the control connection
is ready for use as a Peer Protocol connection.
6.7. Keepalives
Keep-alives must be run on the control connection to maintain it in
the presence of NATs. To do this, control connections SHOULD use the
STUN Binding Indication method described in ICE
[I-D.ietf-mmusic-ice].
7. Security Considerations
The security details of the mechanisms presented in this document
have not yet been worked out in detail, so this section simply
presents some initial thoughts. Revisions to this document will
expand on the thoughts here.
Cooper, et al. Expires August 28, 2007 [Page 21]
Internet-Draft Bootstrap Mechanisms February 2007
7.1. Credentials
The authors envision the use of credentials to authorize four
different operations which form the bootstrap mechanisms described
here. Listing these in order of increasing privilege, these are:
1. The credentials required to send an INVITE through a bootstrap
server to a bootstrap peer.
2. The credentials required to register a new overlay with a
bootstrap peer and/or register a new contact for an existing
overlay.
3. The credentials required to have a bootstrap peer proxy an INVITE
through the overlay to the admitting peer.
4. The credentials required to set up a Peer Protocol connection for
bootstrap purposes.
Note that operations 1 and 2 are associated with the bootstrap
server, while operations 3 and 4 are associated with the overlay. It
is quite possible that the individual or group providing the
bootstrap server is distinct and only very loosely associated with
the group creating and using the overlay. In this case, the
credentials for operations 1 and 2 may be very different from the
credentials for operations 3 and 4.
Also note that credentials for operation 4 are likely to be the same
as those required to set up an arbitrary Peer Protocol connection.
If this is the case, then defining the format of these credentials
may be out-of-scope for this document.
Depending on the format of credentials chosen, peers might provide
the appropriate credentials in their initial messages, or provide
them only after being challenged. The mechanisms described in this
document have been designed to work with either approach (e.g. the
discussion in section 6.5).
7.2. Attacks
The bootstrap mechanisms described in this document do not introduce
any new SIP or SDP mechanisms, but merely use existing SIP and SDP
mechanisms in new ways. For that reason, none of the attacks against
these bootstrap mechanisms are new - they are simply applications of
existing attacks against the existing SIP and SDP mechanisms.
However, existing attacks can become more important in a bootstrap
context. Some attacks, which previously affected only a single user,
Cooper, et al. Expires August 28, 2007 [Page 22]
Internet-Draft Bootstrap Mechanisms February 2007
can now affect an entire overlay. For example, consider attacks
that, in a client-server SIP context, hinder a user from registering
with a registrar. If these attacks can be translated into a
bootstrap server context, then they can hinder an overlay from
registering with a bootstrap server, and thus potentially prevent the
overlay from forming. Similarly, attacks that, in a client-server
SIP context, hinder INVITEs from being proxied through a SIP proxy to
a specified user, will in a bootstrap server context, hinder peers
from joining the overlay, again potentially preventing the overlay
from forming.
8. IANA Considerations
This document raises no IANA considerations.
9. References
9.1. Normative References
[I-D.ietf-mmusic-ice]
Rosenberg, J., "Interactive Connectivity Establishment
(ICE): A Methodology for Network Address Translator (NAT)
Traversal for Offer/Answer Protocols",
draft-ietf-mmusic-ice-13 (work in progress), January 2007.
[I-D.ietf-mmusic-ice-tcp]
Rosenberg, J., "TCP Candidates with Interactive
Connectivity Establishment (ICE)",
draft-ietf-mmusic-ice-tcp-02 (work in progress),
October 2006.
[I-D.ietf-sip-outbound]
Jennings, C. and R. Mahy, "Managing Client Initiated
Connections in the Session Initiation Protocol (SIP)",
draft-ietf-sip-outbound-07 (work in progress),
January 2007.
[I-D.willis-p2psip-concepts]
Bryan, D., Matthews, P., Shim, E., and D. Willis, "P2PSIP
Concepts and Terminology",
I-D draft-willis-p2psip-concepts-04 (work in progress),
February 2007.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
Cooper, et al. Expires August 28, 2007 [Page 23]
Internet-Draft Bootstrap Mechanisms February 2007
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002.
[RFC3263] Rosenberg, J. and H. Schulzrinne, "Session Initiation
Protocol (SIP): Locating SIP Servers", RFC 3263,
June 2002.
[RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model
with Session Description Protocol (SDP)", RFC 3264,
June 2002.
[RFC3581] Rosenberg, J. and H. Schulzrinne, "An Extension to the
Session Initiation Protocol (SIP) for Symmetric Response
Routing", RFC 3581, August 2003.
[RFC3841] Rosenberg, J., Schulzrinne, H., and P. Kyzivat, "Caller
Preferences for the Session Initiation Protocol (SIP)",
RFC 3841, August 2004.
[RFC3891] Mahy, R., Biggs, B., and R. Dean, "The Session Initiation
Protocol (SIP) "Replaces" Header", RFC 3891,
September 2004.
9.2. Informative References
[I-D.ietf-sipping-cc-transfer]
Sparks, R., Johnston, A., and D. Petrie, "Session
Initiation Protocol Call Control - Transfer",
I-D draft-ietf-sipping-cc-transfer-07 (work in progress),
October 2006.
[I-D.matthews-p2psip-nats-and-overlays]
Cooper, E. and P. Matthews, "The Effect of NATs on P2PSIP
Overlay Architecture",
I-D draft-matthews-p2psip-nats-and-overlays (work in
progress), February 2007.
Cooper, et al. Expires August 28, 2007 [Page 24]
Internet-Draft Bootstrap Mechanisms February 2007
Authors' Addresses
Eric Cooper
Avaya
1135 Innovation Drive
Ottawa, Ontario K2K 3G7
Canada
Phone: +1 613 592 4343 x228
Email: ecooper@avaya.com
Alan Johnston
Avaya
St. Louis, MO 63124
USA
Email: alan@sipstation.com
Philip Matthews
Avaya
100 Innovation Drive
Ottawa, Ontario K2K 3G7
Canada
Phone: +1 613 592 4343 x224
Email: philip_matthews@magma.ca
Cooper, et al. Expires August 28, 2007 [Page 25]
Internet-Draft Bootstrap Mechanisms February 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Cooper, et al. Expires August 28, 2007 [Page 26]
Html markup produced by rfcmarkup 1.129d, available from
https://tools.ietf.org/tools/rfcmarkup/