Diff: draft-ietf-sipping-uri-services-07.txt

	draft-ietf-sipping-uri-services-07.txt	rfc5363.txt


	SIPPING Working Group G. Camarillo	Network Working Group G. Camarillo
	Internet-Draft Ericsson	Request for Comments: 5363 Ericsson
	Intended status: Standards Track A. Roach	Category: Standards Track A.B. Roach
	Expires: May 16, 2008 Estacado Systems	Tekelec
	November 13, 2007	October 2008

	Framework and Security Considerations for Session Initiation Protocol
	(SIP) Uniform Resource Identifier (URI)-List Services
	draft-ietf-sipping-uri-services-07.txt

	Status of this Memo

	By submitting this Internet-Draft, each author represents that any
	applicable patent or other IPR claims of which he or she is aware
	have been or will be disclosed, and any of which he or she becomes
	aware will be disclosed, in accordance with Section 6 of BCP 79.

	Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF), its areas, and its working groups. Note that
	other groups may also distribute working documents as Internet-
	Drafts.

	Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."

	The list of current Internet-Drafts can be accessed at
	http://www.ietf.org/ietf/1id-abstracts.txt.

	The list of Internet-Draft Shadow Directories can be accessed at
	http://www.ietf.org/shadow.html.


	This Internet-Draft will expire on May 16, 2008.	Framework and Security Considerations for
		Session Initiation Protocol (SIP) URI-List Services


	Copyright Notice	Status of This Memo


	Copyright (C) The IETF Trust (2007).	This document specifies an Internet standards track protocol for the
		Internet community, and requests discussion and suggestions for
		improvements. Please refer to the current edition of the "Internet
		Official Protocol Standards" (STD 1) for the standardization state
		and status of this protocol. Distribution of this memo is unlimited.

	Abstract	Abstract

	This document describes the need for SIP URI-list services and	This document describes the need for SIP URI-list services and

	provides requirements for their invocation. Additionaly, it defines	provides requirements for their invocation. Additionally, it defines
	a framework for SIP URI-List services, which includes security	a framework for SIP URI-list services, which includes security
	considerations applicable to these services.	considerations applicable to these services.

	Table of Contents	Table of Contents


	1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3	1. Introduction ....................................................2
	2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3	2. Terminology .....................................................2
	3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 3	3. Requirements ....................................................2
	3.1. Requirements for URI-List Services Using	3.1. Requirements for URI-List Services Using

	Request-Contained Lists . . . . . . . . . . . . . . . . . 4	Request-Contained Lists ....................................3
	3.2. General Requirements for URI-List Services . . . . . . . . 4	3.2. General Requirements for URI-List Services .................3
	4. Framework . . . . . . . . . . . . . . . . . . . . . . . . . . 4	4. Framework .......................................................3
	4.1. Carrying URI Lists in SIP . . . . . . . . . . . . . . . . 4	4.1. Carrying URI Lists in SIP ..................................3
	4.2. Processing of URI Lists . . . . . . . . . . . . . . . . . 5	4.2. Processing of URI Lists ....................................4
	4.3. Results . . . . . . . . . . . . . . . . . . . . . . . . . 6	4.3. Results ....................................................5
	5. Security Considerations . . . . . . . . . . . . . . . . . . . 6	5. Security Considerations .........................................5
	5.1. List Integrity and Confidentiality . . . . . . . . . . . . 6	5.1. List Integrity and Confidentiality .........................5
	5.2. Amplification Attacks . . . . . . . . . . . . . . . . . . 6	5.2. Amplification Attacks ......................................5
	5.3. General Issues . . . . . . . . . . . . . . . . . . . . . . 8	5.3. General Issues .............................................7
	6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8	6. IANA Considerations .............................................7
	7. Acknowledges . . . . . . . . . . . . . . . . . . . . . . . . . 9	7. Acknowledgements ................................................8
	8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9	8. References ......................................................8
	8.1. Normative References . . . . . . . . . . . . . . . . . . . 9	8.1. Normative References .......................................8
	8.2. Informative References . . . . . . . . . . . . . . . . . . 9	8.2. Informative References .....................................8
	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
	Intellectual Property and Copyright Statements . . . . . . . . . . 11

	1. Introduction	1. Introduction

	Some applications require that, at a given moment, a SIP [RFC3261] UA	Some applications require that, at a given moment, a SIP [RFC3261] UA
	(User Agent) performs a similar transaction with a number of remote	(User Agent) performs a similar transaction with a number of remote
	UAs. For example, an instant messaging application that needs to	UAs. For example, an instant messaging application that needs to
	send a particular message (e.g., "Hello folks") to n receivers needs	send a particular message (e.g., "Hello folks") to n receivers needs
	to send n MESSAGE requests; one to each receiver.	to send n MESSAGE requests; one to each receiver.


	When the transacton that needs to be repeated consists of a large	When the transaction that needs to be repeated consists of a large
	request, the number of recipients is high, or both, the access	request, or when the number of recipients is high, or both, the
	network of the UA needs to carry a considerable amount of traffic.	access network of the UA needs to carry a considerable amount of
	Completing all the transactions on a low-bandwidth access would	traffic. Completing all the transactions on a low-bandwidth access
	require a long time. This is unacceptable for a number of	would require a long time. This is unacceptable for a number of
	applications.	applications.

	A solution to this problem consists of introducing URI-list services	A solution to this problem consists of introducing URI-list services
	in the network. The task of a SIP URI-list service is to receive a	in the network. The task of a SIP URI-list service is to receive a
	request that contains or references a URI list (i.e., a list of one	request that contains or references a URI list (i.e., a list of one
	or more URIs) and send a number of similar requests to the	or more URIs) and send a number of similar requests to the
	destinations in this list. Once the requests are sent, the URI-list	destinations in this list. Once the requests are sent, the URI-list
	service typically informs the UA about their status. Effectively,	service typically informs the UA about their status. Effectively,

	the URI-list service behaves as a B2BUA (Back-To-Back-User-Agent).	the URI-list service behaves as a B2BUA (Back-to-Back-User-Agent).


	A given URI-list service can take as an input a URI-list contained in	A given URI-list service can take as an input a URI list contained in
	the SIP request sent by the client or an external URI list (e.g., the	the SIP request sent by the client or an external URI list (e.g., the

	Request-URI is a SIP URI which is associated with a URI list at the	Request-URI is a SIP URI that is associated with a URI list at the
	server). External URI lists are typically set up using out-of-band	server). External URI lists are typically set up using out-of-band

	mechanisms (e.g., XCAP [RFC4825]). An example of a URI-list service	mechanisms (e.g., XML Configuration Access Protocol (XCAP)
	for SUBSCRIBE requests that uses stored URI lists is described in	[RFC4825]). An example of a URI-list service for SUBSCRIBE requests
	[RFC4662].	that uses stored URI lists is described in [RFC4662].

	The remainder of this document provides requirements and a framework	The remainder of this document provides requirements and a framework
	for URI-list services using request-contained URI lists, external URI	for URI-list services using request-contained URI lists, external URI
	lists, or both.	lists, or both.

	2. Terminology	2. Terminology

	The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",	The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
	"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this	"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
	document are to be interpreted as described in [RFC2119].	document are to be interpreted as described in [RFC2119].

	3. Requirements	3. Requirements

	Section 3.1 discusses requirements that only apply to URI-list	Section 3.1 discusses requirements that only apply to URI-list

	services that use request-contained lists and Section 3.2 discusses	services that use request-contained lists, and Section 3.2 discusses
	requirements that also apply services using external lists.	requirements that also apply to services using external lists.

	3.1. Requirements for URI-List Services Using Request-Contained Lists	3.1. Requirements for URI-List Services Using Request-Contained Lists

	REQ 1: The URI-list service invocation mechanism MUST allow the	REQ 1: The URI-list service invocation mechanism MUST allow the
	invoker to provide a list of destination URIs to the URI-list	invoker to provide a list of destination URIs to the URI-list
	service.	service.


	REQ 2: The invocation mechanism SHOULD NOT require more than one RTT	REQ 2: The invocation mechanism SHOULD NOT require more than one
	(Round-Trip Time).	transaction.

	3.2. General Requirements for URI-List Services	3.2. General Requirements for URI-List Services

	GEN 1: A URI-list service MAY include services beyond sending	GEN 1: A URI-list service MAY include services beyond sending

	requests to the URIs in the URI list. That is, URI-list services	requests to the URIs in the URI list. That is, URI-list
	can be modelled as application servers. For example, a URI-list	services can be modeled as application servers. For example,
	service handling INVITE requests may behave as a conference server	a URI-list service handling INVITE requests may behave as a
	and perform media mixing for all the participants.	conference server and perform media mixing for all the
		participants.

	GEN 2: The interpretation of the meaning of the URI list sent by the	GEN 2: The interpretation of the meaning of the URI list sent by the

	invoker MUST be at the discretion of the application to which the	invoker MUST be at the discretion of the application to which
	list is sent.	the list is sent.

	GEN 3: It MUST be possible for the invoker to find out about the	GEN 3: It MUST be possible for the invoker to find out about the

	result of the operations performed by the URI-list service with	result of the operations performed by the URI-list service
	the URI list. An invoker may, for instance, be interested in the	with the URI list. An invoker may, for instance, be
	status of the transactions initiated by the URI-list service.	interested in the status of the transactions initiated by the
		URI-list service.

	GEN 4: URI-list services MUST NOT send requests to any destination	GEN 4: URI-list services MUST NOT send requests to any destination
	without authenticating the invoker.	without authenticating the invoker.

	4. Framework	4. Framework

	This framework is not restricted to application servers that only	This framework is not restricted to application servers that only
	provide request fan-out services. Per GEN 1, this framework also	provide request fan-out services. Per GEN 1, this framework also
	deals with application servers that provide a particular service that	deals with application servers that provide a particular service that
	includes a request fan-out (e.g., a conference server that INVITEs	includes a request fan-out (e.g., a conference server that INVITEs

	several participants which are chosen by a user agent).	several participants that are chosen by a user agent).

	4.1. Carrying URI Lists in SIP	4.1. Carrying URI Lists in SIP

	The requirements related to URI-list services that use request-	The requirements related to URI-list services that use request-
	contained lists identify the need for a mechanism to provide a SIP	contained lists identify the need for a mechanism to provide a SIP

	URI-list service with a URI list in a single RTT. We define a new	URI-list service with a URI list in a single transaction. We define
	disposition type [RFC2183] for the Content-Disposition header field:	a new disposition type [RFC2183] for the Content-Disposition header
	recipient-list. Both requests and responses MAY carry recipient-list	field: recipient-list. Both requests and responses MAY carry
	bodies. Bodies whose disposition type is recipient-list carry a list	recipient-list bodies. Bodies whose disposition type is recipient-
	of URIs that contains the final recipients of the requests to be	list carry a list of URIs that contains the final recipients of the
	generated by a URI-list service.	requests to be generated by a URI-list service.

	The default format for recipient-list bodies is service specific.	The default format for recipient-list bodies is service specific.
	So, URI-list services specifications MUST specify a default format	So, URI-list services specifications MUST specify a default format
	for recipient-list bodies used within a particular service. In any	for recipient-list bodies used within a particular service. In any
	case, clients SHOULD NOT include any particular URI more than once in	case, clients SHOULD NOT include any particular URI more than once in
	a given URI list.	a given URI list.

	A UA server receiving a request with more than one recipient-list	A UA server receiving a request with more than one recipient-list
	body parts (e.g., each body part using a different URI-list format)	body parts (e.g., each body part using a different URI-list format)

	MUST behave as if it had received a single URI-list which contains	MUST behave as if it had received a single URI list that contains all
	all the URIs present in the different body parts.	the URIs present in the different body parts.


	A UA server receiving a recipient-list URI list which contains a URI	A UA server receiving a recipient-list URI list that contains a URI
	more than once MUST behave as if that URI appeared in the URI list	more than once MUST behave as if that URI appeared in the URI list
	only once. The UA server uses the comparison rules specific to the	only once. The UA server uses the comparison rules specific to the
	URI scheme of each of the URIs in the URI list to determine if there	URI scheme of each of the URIs in the URI list to determine if there

	is any URI which appears more than once. Additionally, Section 4 of	is any URI that appears more than once. Additionally, Section 4 of
	the XML Format Extension for Representing Copy Control Attributes in	"Extensible Markup Language (XML) Format Extension for Representing
	Resource Lists [I-D.ietf-sipping-capacity-attribute] discusses cases	Copy Control Attributes in Resource Lists" [RFC5364] discusses cases
	where duplicated URI entries are tagged with different values of the	where duplicated URI entries are tagged with different values of the
	'copyControl' attribute. Naturally, URI-list services using the	'copyControl' attribute. Naturally, URI-list services using the

	'copyControl' attribute defined in	'copyControl' attribute defined in [RFC5364] need to follow the
	[I-D.ietf-sipping-capacity-attribute] need to follow the	recommendations in [RFC5364] with respect to avoiding sending
	recommendations in [I-D.ietf-sipping-capacity-attribute] with respect	duplicated requests.
	to avoiding sending duplicated requests.


	The way a UA server receiving a URI list interprets it is service	The way a UA server interprets a URI list that it has received is
	specific, as described in Section 4.2.	service specific, as described in Section 4.2.

	4.2. Processing of URI Lists	4.2. Processing of URI Lists

	According to GEN 1 and GEN 2, URI-list services can behave as	According to GEN 1 and GEN 2, URI-list services can behave as
	application servers. That is, taking a URI list as an input, they	application servers. That is, taking a URI list as an input, they
	can provide arbitrary services. So, the interpretation of the URI	can provide arbitrary services. So, the interpretation of the URI
	list by the server depends on the service to be provided. For	list by the server depends on the service to be provided. For
	example, for a conference server, the URIs in the list may identify	example, for a conference server, the URIs in the list may identify
	the initial set of participants. On the other hand, for a server	the initial set of participants. On the other hand, for a server
	dealing with MESSAGEs, the URIs in the list may identify the	dealing with MESSAGEs, the URIs in the list may identify the
	recipients of an instant message.	recipients of an instant message.

	At the SIP level, this implies that the behavior of application	At the SIP level, this implies that the behavior of application

	servers receiving requests with URI-lists SHOULD be specified on a	servers receiving requests with URI lists SHOULD be specified on a
	per service basis. Examples of such specifications are	per-service basis. Examples of such specifications are [RFC5366] for
	[I-D.ietf-sip-uri-list-conferencing] for INVITE,	INVITE, [RFC5365] for MESSAGE, and [RFC5367] for SUBSCRIBE.
	[I-D.ietf-sip-uri-list-message] for MESSAGE, and
	[I-D.ietf-sip-uri-list-subscribe] for SUBSCRIBE.

	4.3. Results	4.3. Results

	According to GEN 3, user agents should have a way to obtain	According to GEN 3, user agents should have a way to obtain
	information about the operations performed by the application server.	information about the operations performed by the application server.
	Since these operations are service specific, the way user agents are	Since these operations are service specific, the way user agents are
	kept informed is also service specific. For example, a user agent	kept informed is also service specific. For example, a user agent

	establishing an adhoc conference with an INVITE with a URI-list may	establishing an ad hoc conference with an INVITE with a URI list may
	discover which participants were successfully brought in into the	discover which participants were successfully brought into the
	conference by using the conference package [RFC4575].	conference by using the conference package [RFC4575].

	5. Security Considerations	5. Security Considerations

	Security plays an important role in the implementation of any URI-	Security plays an important role in the implementation of any URI-
	list service. In fact, it is the most important common area across	list service. In fact, it is the most important common area across
	all types of URI-list services.	all types of URI-list services.

	By definition, a URI-list service takes one request in and sends a	By definition, a URI-list service takes one request in and sends a
	potentially large number of them out. Attackers may attempt to use	potentially large number of them out. Attackers may attempt to use

	URI-list services as traffic amplifiers to launch DoS (Denial of	URI-list services as traffic amplifiers to launch DoS (denial-of-
	Service) attacks. This section provides guidelines to avoid these	service) attacks. This section provides guidelines to avoid these
	attacks.	attacks.

	5.1. List Integrity and Confidentiality	5.1. List Integrity and Confidentiality

	Attackers may attempt to modify URI lists sent from clients to	Attackers may attempt to modify URI lists sent from clients to
	servers. This would cause a different behavior at the server than	servers. This would cause a different behavior at the server than
	expected by the client (e.g., requests being sent to different	expected by the client (e.g., requests being sent to different

	recipients as the ones specified by the client). To prevent this	recipients than the ones specified by the client). To prevent this
	attack, clients SHOULD integrity protect URI lists using mechanisms	attack, clients SHOULD integrity protect URI lists using end-to-end
	such as S/MIME, which can also provide URI-list confidentiality if	mechanisms such as S/MIME or, if not available, hop-by-hop mechanisms
	needed.	such as TLS. Both S/MIME and TLS can also provide URI-list
		confidentiality if needed.

	5.2. Amplification Attacks	5.2. Amplification Attacks

	URI-list services take a request in and send a potentially large	URI-list services take a request in and send a potentially large
	number of them out. Given that URI-list services are typically	number of them out. Given that URI-list services are typically
	implemented on top of powerful servers with high-bandwidth access	implemented on top of powerful servers with high-bandwidth access
	links, we should be careful to keep attackers from using them as	links, we should be careful to keep attackers from using them as

	amplification tools to launch DoS (Denial of Service) attacks.	amplification tools to launch DoS attacks.

	Attackers may attempt to send a URI list containing URIs whose host	Attackers may attempt to send a URI list containing URIs whose host
	parts route to the victims of the DoS attack. These victims do not	parts route to the victims of the DoS attack. These victims do not
	need to be SIP nodes; they can be non-SIP endpoints or even routers.	need to be SIP nodes; they can be non-SIP endpoints or even routers.
	If this attack is successful, the result is that an attacker can	If this attack is successful, the result is that an attacker can

	flood with traffic a set of nodes, or a single node, without needing	flood a set of nodes, or a single node, with traffic without needing
	to generate a high volume of traffic itself.	to generate a high volume of traffic itself.


	Note, in any case, that this problem is not specific to SIP URI-	In any case, note that this problem is not specific to SIP URI-
	list services; it also appears in scenarios which relate to	list services; it also appears in scenarios that relate to
	multihoming where a server needs to contact a set of IP addresses	multihoming where a server needs to contact a set of IP addresses
	provided by a client.	provided by a client.

	There are several measures that need to be taken to prevent this type	There are several measures that need to be taken to prevent this type
	of attack. The first one is keeping unauthorized users from using	of attack. The first one is keeping unauthorized users from using
	URI-list services. So, URI-list services MUST NOT perform any	URI-list services. So, URI-list services MUST NOT perform any
	request explosion for an unauthorized user. URI-list services MUST	request explosion for an unauthorized user. URI-list services MUST
	authenticate users and check whether they are authorized to request	authenticate users and check whether they are authorized to request
	the service before performing any request fan-out.	the service before performing any request fan-out.

	Note that the risk of this attack also exists when a client uses	Note that the risk of this attack also exists when a client uses
	stored URI lists. Application servers MUST use authentication and	stored URI lists. Application servers MUST use authentication and
	authorization mechanisms with equivalent security properties when	authorization mechanisms with equivalent security properties when
	dealing with stored and request-contained URI lists.	dealing with stored and request-contained URI lists.

	Even though the previous rule keeps unauthorized users from using	Even though the previous rule keeps unauthorized users from using

	URI-list services, authorized users may still launch attacks using a	URI-list services, authorized users may still launch attacks using
	these services. To prevent these attacks, we introduce the concept	these services. To prevent these attacks, we introduce the concept
	of opt-in lists. That is, URI-list services should not allow a	of opt-in lists. That is, URI-list services should not allow a
	client to place a user (identified by his or her URI) in a URI list	client to place a user (identified by his or her URI) in a URI list
	unless the user has previously agreed to be placed in such a URI	unless the user has previously agreed to be placed in such a URI
	list. So, URI-list services MUST NOT send a request to a destination	list. So, URI-list services MUST NOT send a request to a destination

	which has not agreed to receive requests from the URI-list service	that has not agreed to receive requests from the URI-list service
	beforehand. Users can agree to receive requests from a URI-list	beforehand. Users can agree to receive requests from a URI-list
	service in several ways, such as filling a web page, sending an	service in several ways, such as filling a web page, sending an

	email, signing a contract, or using the Framework for Consent-Based	email, signing a contract, or using "A Framework for Consent-Based
	Communications in SIP [I-D.ietf-sipping-consent-framework], whose	Communications in the Session Initiation Protocol (SIP)" [RFC5360],
	requirements are discussed in [RFC4453]. Additionally, users MUST be	whose requirements are discussed in [RFC4453]. Additionally, users
	able to further describe the requests they are willing to receive.	MUST be able to further describe the requests they are willing to
	For example, a user may only want to receive requests from a	receive. For example, a user may only want to receive requests from
	particular URI-list service on behalf of a particular user.	a particular URI-list service on behalf of a particular user.
	Effectively, these rules make URI lists used by URI-list services	Effectively, these rules make URI lists that used by URI-list
	opt-in lists.	services into opt-in lists.

	When a URI-list service receives a request with a URI list from a	When a URI-list service receives a request with a URI list from a
	client, the URI-list service checks whether all the destinations have	client, the URI-list service checks whether all the destinations have
	agreed beforehand to receive requests from the service on behalf of	agreed beforehand to receive requests from the service on behalf of
	this client. If the URI list has permission to send requests to all	this client. If the URI list has permission to send requests to all
	of the targets in the request, it does so. If not, it does not send	of the targets in the request, it does so. If not, it does not send
	any request at all.	any request at all.


	The Framework for Consent-Based Communications in SIP	The Framework for Consent-Based Communications in SIP [RFC5360]
	[I-D.ietf-sipping-consent-framework] specifies a means for the URI-	specifies a means for the URI-list service to inform the client that
	list service to inform the client that some permissions were missing	some permissions were missing and how to request them.
	and how to request them.

	Note that the mechanism used to obtain permissions should not	Note that the mechanism used to obtain permissions should not
	create opportunities to launch DoS amplification attacks. These	create opportunities to launch DoS amplification attacks. These
	attacks would be possible if, for instance, the URI-list service	attacks would be possible if, for instance, the URI-list service
	automatically contacted the full set of targets for which it did	automatically contacted the full set of targets for which it did
	not have permissions in order to request permissions. The URI-	not have permissions in order to request permissions. The URI-
	list service would be receiving one SIP request and sending out a	list service would be receiving one SIP request and sending out a
	number of authorization request messages. The Framework for	number of authorization request messages. The Framework for

	Consent-Based Communications in SIP	Consent-Based Communications in SIP [RFC5360] avoids this type of
	[I-D.ietf-sipping-consent-framework] avoids this type of attack by	attack by having the client generate roughly the same amount of
	having the client generate roughly the same amount of traffic	traffic towards the URI-list service as the service generates
	towards the URI-list service as the service generates towards the	towards the destinations.
	destinations.

	In order to have an interoperable way to meet the requirements	In order to have an interoperable way to meet the requirements
	related to opt-in lists described in this section, URI-list services	related to opt-in lists described in this section, URI-list services

	MUST implement, and SHOULD use, The Framework for Consent-Based	MUST implement and SHOULD use "A Framework for Consent-Based
	Communications in SIP [I-D.ietf-sipping-consent-framework].	Communications in SIP" [RFC5360].

	5.3. General Issues	5.3. General Issues

	URI-list services MAY have policies that limit the number of URIs in	URI-list services MAY have policies that limit the number of URIs in

	the lists they accept, as a very long list could be used in a denial	the lists they accept, as a very long list could be used in a
	of service attack to place a large burden on the URI-list service to	denial-of-service attack to place a large burden on the URI-list
	send a large number of SIP requests.	service to send a large number of SIP requests.

	A URI-list service generates a set of requests from a URI list.	A URI-list service generates a set of requests from a URI list.
	Section 19.1.5 of [RFC3261] provides recommendations that need to be	Section 19.1.5 of [RFC3261] provides recommendations that need to be
	taken into consideration when forming a request from a URI.	taken into consideration when forming a request from a URI.
	Naturally, those recommendations apply to all SIP URI-list services.	Naturally, those recommendations apply to all SIP URI-list services.

	The general requirement GEN 4, which states that URI-list services	The general requirement GEN 4, which states that URI-list services
	need to authenticate their clients, and the previous rules apply to	need to authenticate their clients, and the previous rules apply to
	URI-list services in general. In addition, specifications dealing	URI-list services in general. In addition, specifications dealing
	with individual methods MUST describe the security issues that relate	with individual methods MUST describe the security issues that relate
	to each particular method.	to each particular method.

	6. IANA Considerations	6. IANA Considerations

	This document defines a new Content-Disposition header field	This document defines a new Content-Disposition header field

	disposition type (recipient-list) in Section 4.1. This value should	disposition type (recipient-list) in Section 4.1. This value has
	be registered in the IANA registry for Mail Content Disposition	been registered in the IANA registry for Mail Content Disposition
	Values and Parameters with the following description:	Values and Parameters with the following description:


	recipient-list the body contains a list of URIs	recipient-list The body includes a list of URIs to which URI-list
		services are to be applied.


	7. Acknowledges	7. Acknowledgements

	Duncan Mills and Miguel A. Garcia-Martin supported the idea of 1 to n	Duncan Mills and Miguel A. Garcia-Martin supported the idea of 1 to n
	MESSAGE requests. Jon Peterson, Dean Willis, and Jonathan Rosenberg	MESSAGE requests. Jon Peterson, Dean Willis, and Jonathan Rosenberg
	provided useful comments.	provided useful comments.

	8. References	8. References

	8.1. Normative References	8.1. Normative References

	[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate	[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate

	skipping to change at page 9, line 27	skipping to change at page 8, line 27

	[RFC2183] Troost, R., Dorner, S., and K. Moore, "Communicating	[RFC2183] Troost, R., Dorner, S., and K. Moore, "Communicating
	Presentation Information in Internet Messages: The	Presentation Information in Internet Messages: The
	Content-Disposition Header Field", RFC 2183, August 1997.	Content-Disposition Header Field", RFC 2183, August 1997.

	[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,	[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
	A., Peterson, J., Sparks, R., Handley, M., and E.	A., Peterson, J., Sparks, R., Handley, M., and E.
	Schooler, "SIP: Session Initiation Protocol", RFC 3261,	Schooler, "SIP: Session Initiation Protocol", RFC 3261,
	June 2002.	June 2002.


	[I-D.ietf-sipping-consent-framework]	[RFC5360] Rosenberg, J., Camarillo, G., Ed., and D. Willis, "A
	Rosenberg, J., "A Framework for Consent-Based	Framework for Consent-Based Communications in the Session
	Communications in the Session Initiation Protocol (SIP)",	Initiation Protocol (SIP)", RFC 5360, October 2008.
	draft-ietf-sipping-consent-framework-05 (work in
	progress), June 2006.

	8.2. Informative References	8.2. Informative References

	[RFC4453] Rosenberg, J., Camarillo, G., and D. Willis, "Requirements	[RFC4453] Rosenberg, J., Camarillo, G., and D. Willis, "Requirements
	for Consent-Based Communications in the Session Initiation	for Consent-Based Communications in the Session Initiation
	Protocol (SIP)", RFC 4453, April 2006.	Protocol (SIP)", RFC 4453, April 2006.

	[RFC4575] Rosenberg, J., Schulzrinne, H., and O. Levin, "A Session	[RFC4575] Rosenberg, J., Schulzrinne, H., and O. Levin, "A Session
	Initiation Protocol (SIP) Event Package for Conference	Initiation Protocol (SIP) Event Package for Conference
	State", RFC 4575, August 2006.	State", RFC 4575, August 2006.


	[RFC4662] Roach, A., Campbell, B., and J. Rosenberg, "A Session	[RFC4662] Roach, A.B., Campbell, B., and J. Rosenberg, "A Session
	Initiation Protocol (SIP) Event Notification Extension for	Initiation Protocol (SIP) Event Notification Extension for
	Resource Lists", RFC 4662, August 2006.	Resource Lists", RFC 4662, August 2006.

	[RFC4825] Rosenberg, J., "The Extensible Markup Language (XML)	[RFC4825] Rosenberg, J., "The Extensible Markup Language (XML)
	Configuration Access Protocol (XCAP)", RFC 4825, May 2007.	Configuration Access Protocol (XCAP)", RFC 4825, May 2007.


	[I-D.ietf-sip-uri-list-conferencing]	[RFC5364] Garcia-Martin, M. and G. Camarillo, "Extensible Markup
	Camarillo, G. and A. Johnston, "Conference Establishment	Language (XML) Format Extension for Representing Copy
	Using Request-Contained Lists in the Session Initiation	Control Attributes in Resource Lists", RFC 5364, October
	Protocol (SIP)", draft-ietf-sip-uri-list-conferencing-01	2008.
	(work in progress), January 2007.

	[I-D.ietf-sip-uri-list-subscribe]
	Camarillo, G., "Subscriptions to Request-Contained
	Resource Lists in the Session Initiation Protocol (SIP)",
	draft-ietf-sip-uri-list-subscribe-01 (work in progress),
	January 2007.


	[I-D.ietf-sip-uri-list-message]	[RFC5365] Garcia-Martin, M. and G. Camarillo, "Multiple-Recipient
	Garcia-Martin, M. and G. Camarillo, "Multiple-Recipient
	MESSAGE Requests in the Session Initiation Protocol	MESSAGE Requests in the Session Initiation Protocol

	(SIP)", draft-ietf-sip-uri-list-message-01 (work in	(SIP)", RFC 5365, October 2008.
	progress), January 2007.


	[I-D.ietf-sipping-capacity-attribute]	[RFC5366] Camarillo, G. and A. Johnston, "Conference Establishment
	Garcia-Martin, M. and G. Camarillo, "Extensible Markup	Using Request-Contained Lists in the Session Initiation
	Language (XML) Format Extension for Representing Copy	Protocol (SIP)", RFC 5366, October 2008.
	Control Attributes in Resource Lists",
	draft-ietf-sipping-capacity-attribute-04 (work in	[RFC5367] Camarillo, G., Roach, A.B., and O. Levin, "Subscriptions
	progress), March 2007.	to Request-Contained Resource Lists in the Session
		Initiation Protocol (SIP)", RFC 5367, October 2008.

	Authors' Addresses	Authors' Addresses

	Gonzalo Camarillo	Gonzalo Camarillo
	Ericsson	Ericsson
	Hirsalantie 11	Hirsalantie 11
	Jorvas 02420	Jorvas 02420
	Finland	Finland


	Email: Gonzalo.Camarillo@ericsson.com	EMail: Gonzalo.Camarillo@ericsson.com

	Adam Roach	Adam Roach

	Estacado Systems	Tekelec
	Dallas, TX	17210 Campbell Rd Ste 250
	US	Dallas, TX 75252
		USA


	Email: adam@estacado.net	EMail: Adam.Roach@tekelec.com

	Full Copyright Statement	Full Copyright Statement


	Copyright (C) The IETF Trust (2007).	Copyright (C) The IETF Trust (2008).

	This document is subject to the rights, licenses and restrictions	This document is subject to the rights, licenses and restrictions
	contained in BCP 78, and except as set forth therein, the authors	contained in BCP 78, and except as set forth therein, the authors
	retain all their rights.	retain all their rights.

	This document and the information contained herein are provided on an	This document and the information contained herein are provided on an
	"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS	"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
	OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND	OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
	THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS	THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
	OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF	OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF

	skipping to change at page 11, line 44	skipping to change at line 445
	attempt made to obtain a general license or permission for the use of	attempt made to obtain a general license or permission for the use of
	such proprietary rights by implementers or users of this	such proprietary rights by implementers or users of this
	specification can be obtained from the IETF on-line IPR repository at	specification can be obtained from the IETF on-line IPR repository at
	http://www.ietf.org/ipr.	http://www.ietf.org/ipr.

	The IETF invites any interested party to bring to its attention any	The IETF invites any interested party to bring to its attention any
	copyrights, patents or patent applications, or other proprietary	copyrights, patents or patent applications, or other proprietary
	rights that may cover technology that may be required to implement	rights that may cover technology that may be required to implement
	this standard. Please address the information to the IETF at	this standard. Please address the information to the IETF at
	ietf-ipr@ietf.org.	ietf-ipr@ietf.org.


	Acknowledgment

	Funding for the RFC Editor function is provided by the IETF
	Administrative Support Activity (IASA).

End of changes. 52 change blocks.
	178 lines changed or deleted	144 lines changed or added
This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/