--- 1/draft-ietf-sipping-uri-services-03.txt 2006-02-04 17:19:27.000000000 +0100 +++ 2/draft-ietf-sipping-uri-services-04.txt 2006-02-04 17:19:27.000000000 +0100 @@ -1,20 +1,20 @@ SIPPING Working Group G. Camarillo Internet-Draft Ericsson -Expires: October 10, 2005 A. Roach +Expires: April 24, 2006 A. Roach Estacado Systems - April 8, 2005 + October 21, 2005 Framework and Security Considerations for Session Initiation Protocol (SIP) Uniform Resource Identifier (URI)-List Services - draft-ietf-sipping-uri-services-03.txt + draft-ietf-sipping-uri-services-04.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that @@ -25,57 +25,57 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on October 10, 2005. + This Internet-Draft will expire on April 24, 2006. Copyright Notice Copyright (C) The Internet Society (2005). Abstract This document describes the need for SIP URI-list services and provides requirements for their invocation. Additionaly, it defines a framework for SIP URI-List services which includes security considerations applicable to these services. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 3.1 Requirements for URI-List Services Using + 3.1. Requirements for URI-List Services Using Request-Contained Lists . . . . . . . . . . . . . . . . . 4 - 3.2 General Requirements for URI-List Services . . . . . . . . 4 + 3.2. General Requirements for URI-List Services . . . . . . . . 4 4. Framework . . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 4.1 Carrying URI-Lists in SIP . . . . . . . . . . . . . . . . 4 - 4.2 Processing of URI-Lists . . . . . . . . . . . . . . . . . 5 - 4.3 Results . . . . . . . . . . . . . . . . . . . . . . . . . 5 + 4.1. Carrying URI-Lists in SIP . . . . . . . . . . . . . . . . 4 + 4.2. Processing of URI-Lists . . . . . . . . . . . . . . . . . 5 + 4.3. Results . . . . . . . . . . . . . . . . . . . . . . . . . 5 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 - 5.1 List Integrity and Confidentiality . . . . . . . . . . . . 6 - 5.2 Amplification Attacks . . . . . . . . . . . . . . . . . . 6 - 5.3 Unsolicited Requests . . . . . . . . . . . . . . . . . . . 8 - 5.4 General Issues . . . . . . . . . . . . . . . . . . . . . . 8 + 5.1. List Integrity and Confidentiality . . . . . . . . . . . . 6 + 5.2. Amplification Attacks . . . . . . . . . . . . . . . . . . 6 + 5.3. Unsolicited Requests . . . . . . . . . . . . . . . . . . . 8 + 5.4. General Issues . . . . . . . . . . . . . . . . . . . . . . 8 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 7. Acknowledges . . . . . . . . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 - 8.1 Normative References . . . . . . . . . . . . . . . . . . . 9 - 8.2 Informational References . . . . . . . . . . . . . . . . . 9 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 10 - Intellectual Property and Copyright Statements . . . . . . . . 12 + 8.1. Normative References . . . . . . . . . . . . . . . . . . . 9 + 8.2. Informational References . . . . . . . . . . . . . . . . . 9 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 + Intellectual Property and Copyright Statements . . . . . . . . . . 12 1. Introduction Some applications require that, at a given moment, a SIP [3] UA (User Agent) performs a similar transaction with a number of remote UAs. For example, an instant messaging application that needs to send a particular message (e.g., "Hello folks") to n receivers needs to send n MESSAGE requests; one to each receiver. When the transacton that needs to be repeated consists of a large @@ -119,29 +119,29 @@ RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119 [1] and indicate requirement levels for compliant implementations. 3. Requirements Section 3.1 discusses requirements that only apply to URI-list services that use request-contained lists and Section 3.2 discusses requirements that also apply services using external lists. -3.1 Requirements for URI-List Services Using Request-Contained Lists +3.1. Requirements for URI-List Services Using Request-Contained Lists REQ 1: The URI-list service invocation mechanism MUST allow the invoker to provide a list of destination URIs to the URI-list service. REQ 2: The invocation mechanism SHOULD NOT require more than one RTT (Round-Trip Time). -3.2 General Requirements for URI-List Services +3.2. General Requirements for URI-List Services GEN 1: A URI-list service MAY include services beyond sending requests to the URIs in the URI-list. That is, URI-list services can be modelled as application servers. For example, a URI-list service handling INVITE requests may behave as a conference server and perform media mixing for all the participants. GEN 2: The interpretation of the meaning of the URI-list sent by the invoker MUST be at the discretion of the application to which the list is sent. GEN 3: It MUST be possible for the invoker to find out about the @@ -152,21 +152,21 @@ without authenticating the invoker. 4. Framework This framework is not restricted to application servers that only provide request fan-out services. Per GEN 1, this framework also deals with application servers that provide a particular service that includes a request fan-out (e.g., a conference server that INVITEs several participants which are chosen by a user agent). -4.1 Carrying URI-Lists in SIP +4.1. Carrying URI-Lists in SIP The requirements that relate to URI-list services that use request- contained lists identify the need for a mechanism to provide a SIP URI-list service with a URI-list in a single RTT. We define a new disposition type [2] for the Content-Disposition header field: recipient-list. Both requests and responses MAY carry recipient-list bodies. Bodies whose disposition type is recipient-list carry a list of URIs that contains the final recipients of the requests to be generated by a URI-list service. @@ -183,37 +183,37 @@ A UA server receiving a recipient-list URI-list which contains a URI more than once MUST behave as if that URI appeared in the URI-list only once. The UA server uses the comparison rules specific to the URI scheme of each of the URIs in the URI-list to determine if there is any URI which appears more than once. The way a UA server receiving a URI-list interprets it is service specific, as described in Section 4.2. -4.2 Processing of URI-Lists +4.2. Processing of URI-Lists According to GEN 1 and GEN 2, URI-list services can behave as application servers. That is, taking a URI-list as an input, they can provide arbitrary services. So, the interpretation of the URI- list by the server depends on the service to be provided. For example, for a conference server, the URIs in the list may identify the initial set of participants. On the other hand, for a server dealing with MESSAGEs, the URIs in the list may identify the recipients of an instant message. At the SIP level, this implies that the behavior of application servers receiving requests with URI-lists SHOULD be specified on a per service basis. Examples of such specifications are [10] for INVITE, [11] for REFER, [12] for MESSAGE, and [13] for SUBSCRIBE. -4.3 Results +4.3. Results According to GEN 3, user agents should have a way to obtain information about the operations performed by the application server. Since these operations are service specific, the way user agents are kept informed is also service specific. For example, a user agent establishing an adhoc conference with an INVITE with a URI-list may discover which participants were successfully brought in into the conference by using the conference package [8]. 5. Security Considerations @@ -223,31 +223,31 @@ all types of URI-list services. By definition, a URI-list service takes one request in and sends a potentially large number of them out. Attackers may attempt to use URI-list services as traffic amplifiers to launch DoS (Denial of Service) attacks. In addition, malicious users may attempt to use URI-list services to distribute unsolicited messages (i.e., SPAM) or to make unsolicited VoIP calls. This section provides guidelines to avoid these attacks. -5.1 List Integrity and Confidentiality +5.1. List Integrity and Confidentiality Attackers may attempt to modify URI-lists sent from clients to servers. This would cause a different behavior at the server than expected by the client (e.g., requests being sent to different recipients as the ones specified by the client). To prevent this attack, clients SHOULD integrity protect URI-lists using mechanisms such as S/MIME, which can also provide URI-list confidentiality if needed. -5.2 Amplification Attacks +5.2. Amplification Attacks URI-list services take a request in and send a potentially large number of them out. Given that URI-list services are typically implemented on top of powerful servers with high-bandwidth access links, we should be careful to keep attackers from using them as amplification tools to launch DoS (Denial of Service) attacks. Attackers may attempt to send a URI-list containing URIs whose host parts route to the victims of the DoS attack. These victims do not need to be SIP nodes; they can be non-SIP endpoints or even routers. @@ -315,31 +315,31 @@ Consent-Based Communications in SIP [14] avoids this type of attack by having the client generate roughly the same amount of traffic towards the URI-list service as the service generates towards the destinations. In order to have an interoperable way to meet the requirements related to opt-in lists described in this section, URI-list services MUST implement, and SHOULD use, The Framework for Consent-Based Communications in SIP [14]. -5.3 Unsolicited Requests +5.3. Unsolicited Requests Opt-in lists should help fighting SPAMMERS. Still, if a URI-list service is used to send unsolicited requests to one or several destinations, it should be possible to track down the sender of such requests. To do that, URI-list services MAY provide information about the identity of the original sender of the request in their outgoing requests by using the SIP identity mechanism [7]. A detailed study of SPAM in SIP can be found in [16]. -5.4 General Issues +5.4. General Issues URI-list services MAY have policies that limit the number of URIs in the lists they accept, as a very long list could be used in a denial of service attack to place a large burden on the URI-list service to send a large number of SIP requests. The general requirement GEN 4, which states that URI-list services need to authenticate their clients, and the previous rules apply to URI-list services in general. In addition, specifications dealing with individual methods MUST describe the security issues that relate @@ -355,90 +355,90 @@ recipient-list the body contains a list of URIs 7. Acknowledges Duncan Mills and Miguel A. Garcia-Martin supported the idea of 1 to n MESSAGEs. Jon Peterson, Dean Willis, and Jonathan Rosenberg provided useful comments. 8. References -8.1 Normative References +8.1. Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [2] Troost, R., Dorner, S., and K. Moore, "Communicating Presentation Information in Internet Messages: The Content- Disposition Header Field", RFC 2183, August 1997. [3] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. -8.2 Informational References +8.2. Informational References [4] Bradner, S., "A Proposal for an MOU-Based ICANN Protocol Support Organization", RFC 2690, September 1999. [5] Roach, A., Rosenberg, J., and B. Campbell, "A Session Initiation Protocol (SIP) Event Notification Extension for Resource Lists", draft-ietf-simple-event-list-07 (work in progress), January 2005. [6] Rosenberg, J., "Advanced Instant Messaging Requirements for the Session Initiation Protocol (SIP)", draft-rosenberg-simple-messaging-requirements-01 (work in progress), February 2004. - [7] Peterson, J., "Enhancements for Authenticated Identity - Management in the Session Initiation Protocol (SIP)", - draft-ietf-sip-identity-04 (work in progress), February 2005. + [7] Peterson, J. and C. Jennings, "Enhancements for Authenticated + Identity Management in the Session Initiation Protocol (SIP)", + draft-ietf-sip-identity-05 (work in progress), May 2005. [8] Rosenberg, J., "A Session Initiation Protocol (SIP) Event Package for Conference State", - draft-ietf-sipping-conference-package-10 (work in progress), - March 2005. + draft-ietf-sipping-conference-package-12 (work in progress), + July 2005. [9] Rosenberg, J., "The Extensible Markup Language (XML) Configuration Access Protocol (XCAP)", - draft-ietf-simple-xcap-06 (work in progress), February 2005. + draft-ietf-simple-xcap-07 (work in progress), June 2005. [10] Camarillo, G. and A. Johnston, "Conference Establishment Using Request-Contained Lists in the Session Initiation Protocol - (SIP)", draft-ietf-sipping-uri-list-conferencing-02 (work in - progress), December 2004. + (SIP)", draft-ietf-sipping-uri-list-conferencing-03 (work in + progress), April 2005. [11] Camarillo, G., "Refering to Multiple Resources in the Session Initiation Protocol (SIP)", - draft-ietf-sipping-multiple-refer-02 (work in progress), - December 2004. + draft-ietf-sipping-multiple-refer-03 (work in progress), + April 2005. [12] Garcia-Martin, M. and G. Camarillo, "Multiple-Recipient MESSAGE Requests in the Session Initiation Protocol (SIP)", - draft-ietf-sipping-uri-list-message-02 (work in progress), - December 2004. + draft-ietf-sipping-uri-list-message-03 (work in progress), + April 2005. [13] Camarillo, G. and A. Roach, "Subscriptions to Request-Contained Resource Lists in the Session Initiation Protocol (SIP)", - draft-ietf-sipping-uri-list-subscribe-02 (work in progress), - January 2005. + draft-ietf-sipping-uri-list-subscribe-03 (work in progress), + April 2005. [14] Rosenberg, J., "A Framework for Consent-Based Communications in the Session Initiation Protocol (SIP)", - draft-ietf-sipping-consent-framework-01 (work in progress), - February 2005. + draft-ietf-sipping-consent-framework-02 (work in progress), + July 2005. [15] Rosenberg, J., "Requirements for Consent-Based Communications in the Session Initiation Protocol (SIP)", - draft-ietf-sipping-consent-reqs-00 (work in progress), - October 2004. + draft-ietf-sipping-consent-reqs-01 (work in progress), + July 2005. [16] Rosenberg, J. and C. Jennings, "The Session Initiation Protocol (SIP) and Spam", draft-rosenberg-sipping-spam-01 (work in progress), October 2004. Authors' Addresses Gonzalo Camarillo Ericsson Hirsalantie 11