--- 1/draft-ietf-speermint-architecture-01.txt 2006-10-21 01:12:38.000000000 +0200 +++ 2/draft-ietf-speermint-architecture-02.txt 2006-10-21 01:12:38.000000000 +0200 @@ -1,16 +1,16 @@ Speermint Working Group R.Penno (Editor) Internet Draft Juniper Networks -Expires: March 2007 September 18, 2006 +Expires: April 2007 October 20, 2006 SPEERMINT Peering Architecture - draft-ietf-speermint-architecture-01 + draft-ietf-speermint-architecture-02 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering 
@@ -41,49 +41,50 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [1] Table of Contents 1. Introduction...................................................2 2. Network Context................................................3 3. Procedures.....................................................5 4. Reference SPEERMINT Architecture...............................5 - 5. Peer Function Examples.........................................7 + 5. Peer Function Examples.........................................6 5.1. The Location Function (LF) of an Initiating Provider......7 5.1.1. Target address analysis..............................7 - 5.1.2. User ENUM Lookup.....................................8 + 5.1.2. User ENUM Lookup.....................................7 5.1.3. Carrier ENUM lookup..................................8 5.1.4. Routing Table........................................8 5.1.5. SIP DNS Resolution...................................8 5.1.6. SIP Redirect Server..................................9 5.2. The Location Function (LF) of a Receiving Provider........9 5.2.1. Publish ENUM records.................................9 5.2.2. Publish SIP DNS records..............................9 - 5.3. Policy Function (PF)......................................9 - 5.3.1. TLS.................................................11 - 5.3.2. IPSec...............................................11 - 5.3.3. Subscribe Notify....................................11 - 5.4. Signaling Function (SF)..................................11 - 5.5. Media Function (MF)......................................12 - 6. Call Control and Media Control Deployment Options.............12 - 7. Security Considerations.......................................13 - 8. IANA Considerations...........................................14 - 9. 
Acknowledgments...............................................14 - Author's Addresses...............................................15 - 10. References...................................................15 - 10.1. Normative References....................................15 - 10.2. Informative References..................................16 - Intellectual Property Statement..................................17 - Disclaimer of Validity...........................................18 - Copyright Statement..............................................18 - Acknowledgment...................................................18 + 5.2.3. TLS..................................................9 + 5.2.4. IPSec................................................9 + 5.2.5. Subscribe Notify....................................10 + 5.3. Signaling Function (SF)..................................10 + 5.4. Media Function (MF)......................................10 + 5.5. Policy Considerations....................................10 + 6. Call Control and Media Control Deployment Options.............11 + 7. Address space considerations..................................12 + 8. Security Considerations.......................................13 + 9. IANA Considerations...........................................13 + 10. Acknowledgments..............................................13 + Author's Addresses...............................................14 + 11. References...................................................14 + 11.1. Normative References....................................14 + 11.2. Informative References..................................15 + Intellectual Property Statement..................................16 + Disclaimer of Validity...........................................17 + Copyright Statement..............................................17 + Acknowledgment...................................................17 1. 
Introduction The objective of this document is to define a reference peering architecture in the context of Session PEERing for Multimedia INTerconnect (SPEERMINT). In this process, we define the peering reference architecture (reference, for short), its functional components, and peering interface functions from the perspective of a real-time communications (Voice and Multimedia) IP Service provider network. @@ -209,46 +210,37 @@ where I is the Initiating peer and R is the Receiving peer. +------+ | DNS, | | Db, | | etc | ------- +------+ ------- / \ | | / \ | LF---+ +---LF | | | | | - | PF----------PF | - | | | | | SIP SF----------SF SIP | | Service | | Service | |Provider MF----------MF Provider| | I | | R | | | | | | | | | \ / \ / ------- ------- Figure 2: Reference SPEERMINT Architecture The procedures presented in Chapter 3 are implemented by a set of peering functions: o Location Function (LF): Purpose is to develop call routing data - (CRD) by discovering the Signaling Function (SF), Policy Function - (PF), and end user's reachable host (IP address and port). - - o Policy Function (PF): Purpose is to perform authentication and to - exchange policy parameters to be used by the SF. The data acquired - through the policy function can provide input to the LF, SF or MF - functions. Therefore the policy function can happen multiple times - (through multiple methods) during the procedures used to establish - a call. + (CRD) by discovering the Signaling Function (SF), , and end + user's reachable host (IP address and port). o Signaling Function (SF): Purpose is to perform routing of SIP messages, to optionally perform termination and re-initiation of call, to optionally implement security and policies on SIP messages, and to assist in discovery/exchange of parameters to be used by the Media Function (MF). o Media Function (MF): Purpose is to perform media related function such as media transcoding and media security implementation between two SIP providers. 
@@ -260,25 +252,25 @@ This section describes the peering functions in more detail and provides some examples on the role they would play in a SIP call in a Layer 5 peering scenario. Some of the information in the chapter is taken from [14]. 5.1. The Location Function (LF) of an Initiating Provider Purpose is to develop call routing data (CRD) [12] by discovering - the Signaling Function (SF), Policy Function (PF), and end user's - reachable host (IP address and host). The LF of an Initiating - provider analyzes target address and discovers the next hop - signaling function (SF) in a peering relationship using DNS, SIP - Redirect Server, or a functional equivalent database. + the Signaling Function (SF), and end user's reachable host (IP + address and host). The LF of an Initiating provider analyzes target + address and discovers the next hop signaling function (SF) in a + peering relationship using DNS, SIP Redirect Server, or a functional + equivalent database. 5.1.1. Target address analysis When the initiating provider receives a request to communicate, the initiating provider analyzes the target state data to determine whether the call needs to be terminated internal or external to its network. The analysis method is internal to the provider's policy; thus, outside the scope of SPEERMINT. Note that the peer is free to consult any manner of private data sources to make this determination. 
@@ -343,31 +335,26 @@ PSTN gateway termination by prior arrangement using a routing table. If so, the initiating peer rewrites the Request-URI to address the gateway resource in the target provider's domain and MAY forward the request on to that provider using the procedures described in the remainder of these steps. 5.1.5. SIP DNS Resolution Once a sip: or sips: in an external domain is selected as the target, the initiating peer uses the procedures described in [4] Section 4. - To summarize the RFC 3263 procedure: unless these are explicitly encoded in the target URI, a transport is chosen using NAPTR records, a port is chosen using SRV records, and an address is chosen using A or AAAA records. Note that these are queries of records in the global DNS. - It is worth mentioning that the PF can override the default RFC 3263 - procedure. That may be based on learned routes (via SUBSCRIBE), or - federation announcements. - 5.1.6. SIP Redirect Server A SIP Redirect Server may help in resolving current address of a mobile target address. 5.2. The Location Function (LF) of a Receiving Provider 5.2.1. Publish ENUM records The receiving peer SHOULD participate by publishing "E2U+sip" and 
@@ -377,110 +364,52 @@ accept traffic from specific initiating peers, it MAY still reject requests on a case-by-case basis. 5.2.2. Publish SIP DNS records To receive peer requests, the receiving peer MUST insure that it publishes appropriate NAPTR, SRV, and address (A and/or AAAA) records in the global DNS that resolve an appropriate transport, port, and address to a relevant SIP server. -5.3. Policy Function (PF) - - The purpose of policy function is to perform authentication and to - exchange peering policy capabilities to be used by the signaling - function. The policy function can happen multiple times (through - multiple methods) during the procedures used to establish a call and - the data acquired as a result can provide input to the LF, SF or MF - functions. - - Policy data can come through DNS NAPTR resolution as shown in [18] - and/or a SIP peering event package [22]. - - The policy capabilities should be specified through well defined XML - schemas. These policies define the capabilities of each peer and its - devices used for peering. For example, the following capabilities - could be exchanged through the policy function: - - o Adjacency (Next hop network attributes) - - o If there are many adjacent proxies to use, the choice could be - based on: - - . Location of the proxy - - . Maximum number of calls per second (CPS) - - . Maximum number of established calls - - . Maximum allowed bandwidth (KBS) - - o Path Discovery (Domains that are NOT adjacent) - - o What are the paths to the destination domain that can: - - . Guarantee quality - - . Participate in Guarantee's for Trust - - . Are these paths available? 
- - o Adjacency and Path Congestion detection/avoidance - - o Inflow Traffic Restriction (not call-by-call) - - o For maintenance actions - - o For congestion management - - o How can a carrier prevent upstream networks from submitting - calls for certain destinations in overload - - The authentication policy function can be implemented by TLS (as - described in (5.3.1), IPSec or any other method that meet the - security needs to a specific deployment. - - Editor's Note: This section will be updated based on the progress on - the SPEERMINT policy document. - -5.3.1. TLS +5.2.3. TLS Once a transport, port, and address are found, the initiating peer will open or find a reusable TLS connection to the peer. The initiating provider should verify the server certificate which should be rooted in a well-known certificate authority. The initiating provider should be prepared to provide a TLS client certificate upon request during the TLS handshake. The client certificate should contain a DNS or URI choice type in the subject AltName which corresponds to the domain asserted in the host production of the From header URI. The certificate should be valid and rooted in a well- known certificate authority. Note that the client certificate MAY contain a list of entries in the subjectAltName, only one of which has to match the domain in the From header URI. When the receiving peer receives a TLS client hello, it responds with its certificate. The receiving peer certificate SHOULD be valid and rooted in a well-known certificate authority. The receiving peer should request and verify the client certificate during the TLS handshake. -5.3.2. IPSec +5.2.4. IPSec Editor's Note: will be described later. -5.3.3. Subscribe Notify +5.2.5. Subscribe Notify Policy function may also be optionally implemented by dynamic subscribe, notify, and exchange of policy information and feature information among providers [22]. -5.4. Signaling Function (SF) +5.3. 
Signaling Function (SF) The purpose of signaling function is to perform routing of SIP messages, to optionally perform termination and re-initiation of a call, to optionally implement security and policies on SIP messages, and to assist in discovery/exchange of parameters to be used by the Media Function (MF). The routing of SIP messages are performed by SIP proxies. The optional termination and re-initiation of calls are performed by B2BUA. 
@@ -489,28 +418,62 @@ Admission Control, SIP Denial of Service protection, SIP Topology Hiding, SIP header normalization, and SIP security, privacy and encryption. The signaling function can also process SDP payloads for media information such as media type, bandwidth, and type of codec; then, communicate this information to the media function. Signaling function may optionally communicate with network layer to pass Layer 3 related policies [10] -5.5. Media Function (MF) +5.4. Media Function (MF) Examples of the media function is to transform voice payload from one coding (e.g., G.711) to another (e.g., EvRC), media relaying, media security, privacy, and encryption. Editor's Note: This section will be further updated. +5.5. Policy Considerations + + In the context of the SPEERMINT working group when two Layer 5 + devices (e.g., SIP Proxies) peer, there is a need to exchange peering + policy information. There are specifications in progress in the + SIPPING working group to define policy exchange between an UA and a + domain [23] and providing profile data to SIP user agents [24] These + considerations borrow from both. + + Following the terminology introduced in [12], this package uses the + terms Peering Session-Independent and Session-Specific policies in + the following context. + + o Peering Session-Independent policies include Diffserv Marking, + Policing, Session Admission Control, domain reachabilities, + amongst others. The time period between Peering Session- + Independent policy changes is much greater than the time it takes + to establish a call. + + o Peering Session-Specific polices includes supported + connection/call rate, total number of connections/calls available, + current utilization, amongst others. Peering Session-specific + policies can change within the time it takes to establish a call. 
+ + These policies can be Peer dependent or independent, creating the + following peering policy tree definition: + + Peer Independent + Session dependent + Session independent + Peer Dependent + Session dependent + Session independent + 6. Call Control and Media Control Deployment Options The peering functions can either be deployed along the following two dimensions depending upon how the signaling function and the media function along with IP functions are implemented: Composed or Decomposed: Addresses the question whether the media paths must flow through the same physical and geographic nodes as the call signaling, 
@@ -557,40 +520,50 @@ This model allows the implementation of M:N model where one SF is associated with multiple peering MF and one peering MF is associated with multiple peering proxies. Generally, a vertical protocol associates the relationship between a SF and a MF. This architecture reduces the potential of single point failure. This architecture, allows separation of the policy decision point and the policy enforcement point. An example of disadvantages is the scaling complexity because of the M:N relationship and latency due to the vertical control messages between entities. -7. Security Considerations +7. Address space considerations + + Peering must occur in a common address space, which is defined by the + federation, which may be entirely on the public Internet, or some + private address space. The origination or termination networks may or + may not entirely be in that same address space. If they are not, + then a translation (NAT) may be needed before the signaling or media + is presented to the federation. The only requirement is that all + entities across the peering interface are reachable. + +8. Security Considerations In all cases, cryptographic-based security should be maintained as an optional requirement between peering providers conditioned on the presence or absence of underlying physical security of peer connections, e.g. within the same secure physical building. In order to maintain a consistent approach, unique and specialized security requirements common for the majority of peering relationships, should be standardized within the IETF. These standardized methods may enable capabilities such as dynamic peering relationships across publicly maintained interconnections. TODO: Address RFC-3552 BCP items. -8. IANA Considerations +9. IANA Considerations There are no IANA considerations at this time. -9. Acknowledgments +10. 
Acknowledgments The working group thanks Sohel Khan for his initial architecture draft that helped to initiate work on this draft. A significant portion of this draft is taken from [14] with permission from the author R. Mahy. The other important contributor is Otmar Lendl. Author's Addresses @@ -623,23 +596,23 @@ USA Email: rpenno@juniper.net Adam Uzelac Global Crossing 1120 Pittsford Victor Road PITTSFORD, NY 14534 USA Email: adam.uzelac@globalcrossing.com -10. References +11. References -10.1. Normative References +11.1. Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [2] Mealling, M. and R. Daniel, "The Naming Authority Pointer (NAPTR) DNS Resource Record", RFC 2915, September 2000. [3] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. @@ -665,21 +638,21 @@ [9] Peterson, J., "Telephone Number Mapping (ENUM) Service Registration for Presence Services", RFC 3953, January 2005. [10] ETSI TS 102 333: " Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Gate control protocol". [11] Peterson, J., "enumservice registration for Session Initiation Protocol (SIP) Addresses-of-Record", RFC 3764, April 2004. -10.2. Informative References +11.2. Informative References [12] Meyer, D., "SPEERMINT Terminology", draft-ietf-speermint- terminology-04 (work in progress), May 2006. [13] Mule, J-F., "SPEERMINT Requirements for SIP-based VoIP Interconnection", draft-ietf-speermint-requirements-00.txt, June 2006. [14] Mahy, R., "A Minimalist Approach to Direct Peering", draft- mahy-speermint-direct-peering-00.txt, June 19, 2006. 
@@ -706,20 +679,25 @@ progress), March 2006. [21] Livingood, J. and R. Shockey, "IANA Registration for an Enumservice Containing PSTN Signaling Information", draft-ietf- enum-pstn-04 (work in progress), May 2006. [22] Penno, R., Malas D., and Melampy, P., "A Session Initiation Protocol (SIP) Event package for Peering", draft-penno-sipping- peering-package-00 (work in progress), September 2006. + [23] Hollander, D., Bray, T., and A. Layman, "Namespaces in XML", + W3C REC REC-xml-names-19990114, January 1999. + + [24] Burger, E (Ed.), "A Mechanism for Content Indirection in + Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
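Review bot: the edited LF bullet in hunk @@ -209,46 +210,37 @@ keeps a stray comma where the Policy Function was cut: "by discovering the Signaling Function (SF), , and end user's reachable host". Suggest "(CRD) by discovering the Signaling Function (SF) and the end user's reachable host (IP address and port)." The removal of the PF bullet and of the "PF----------PF" link in Figure 2 is otherwise consistent with the figure caption and the sentence introducing the "set of peering functions".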
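Review bot: the rewrapped 5.1 paragraph in hunk @@ -260,25 +252,25 @@ still says "end user's reachable host (IP address and host)" while the Section 4 bullet for the same function says "(IP address and port)"; "host ... host" reads like a typo for "port", so one of the two should be aligned. Minor: "the Signaling Function (SF), and end user's" keeps the comma before "and" in what is now a two-item list.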
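Review bot: dropping the paragraph in hunk @@ -343,31 +335,26 @@ about the PF overriding the RFC 3263 procedure leaves no statement of how dynamically exchanged policy information (still described under Subscribe Notify) or federation announcements relate to the NAPTR/SRV/A lookup in 5.1.5. If an override is still intended, one sentence saying which source takes precedence should replace the removed text; if not, the Subscribe Notify subsection should stop implying it.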
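Review bot: renumbering TLS, IPSec and Subscribe Notify to 5.2.3-5.2.5 in hunk @@ -377,110 +364,52 @@ files them under "5.2. The Location Function (LF) of a Receiving Provider", but the TLS text describes the initiating peer's actions ("the initiating peer will open or find a reusable TLS connection") and concerns authentication, not location; these fit the Signaling Function section or a section of their own. The unchanged 5.2.5 sentence "Policy function may also be optionally implemented by dynamic subscribe, notify ..." still refers to the Policy Function this hunk deletes and should be reworded, e.g. "Peering policy information may also be exchanged dynamically by subscribe and notify ... [22]". The deleted 5.3 also carried the statement that peer authentication is performed by TLS, IPSec or an equivalent method meeting the deployment's security needs; nothing in the hunk restates it, so the TLS/IPSec subsections or Security Considerations should keep that requirement. The hunk also removes a citation of [18]; confirm [18] is still cited elsewhere or drop it from the reference list.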
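Review bot: in the new 5.5 Policy Considerations of hunk @@ -489,28 +418,62 @@, "this package uses the terms" is carried over from an event-package draft; in an architecture document it should read "this document uses the terms". Typos: "an UA" should be "a UA", "Session-Specific polices includes" should be "Session-Specific policies include", and a period is missing after "user agents [24]". The two bullets define "Session-Independent" and "Session-Specific" policies, but the policy tree below uses "Session dependent" and "Session independent"; pick one pair of terms. The citations [23] and [24] given for the SIPPING policy-exchange and profile-delivery work do not match the reference entries added for them in the final hunk.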
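Review bot: in the new Section 7 of hunk @@ -557,40 +520,50 @@, "a common address space, which is defined by the federation, which may be entirely on the public Internet, or some private address space" chains two "which" clauses and leaves it unclear whether the federation or the address space may be on the public Internet; suggest "a common address space defined by the federation; that space may be the public Internet or a private address space." The NAT sentence should state that the translation has to cover the addresses carried inside SIP headers and SDP bodies, not only the IP headers, otherwise the closing requirement that "all entities across the peering interface are reachable" will not hold for the media path.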
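Review bot: the added entry "[24] Burger, E (Ed.), "A Mechanism for Content Indirection in" in hunk @@ -706,20 +679,25 @@ is cut off, with no end of title, document identifier or date. Neither [23] ("Namespaces in XML", W3C) nor [24] (content indirection) is a SIPPING specification on policy exchange between a UA and a domain or on delivering profile data to user agents, which is how 5.5 cites them; both entries should be replaced with the intended drafts.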