--- 1/draft-ietf-speermint-architecture-03.txt 2007-08-13 21:12:16.000000000 +0200 +++ 2/draft-ietf-speermint-architecture-04.txt 2007-08-13 21:12:16.000000000 +0200 @@ -1,22 +1,22 @@ Speermint Working Group R. Penno Internet Draft Juniper Networks Intended status: Informational D. Malas -Expires: September 2007 Level 3 +Expires: January 2008 Level 3 S. Khan Comcast A. Uzelac Global Crossing - April 23, 2007 + August 10, 2007 SPEERMINT Peering Architecture - draft-ietf-speermint-architecture-03 + draft-ietf-speermint-architecture-04 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering @@ -28,82 +28,86 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html - This Internet-Draft will expire on October 23, 2007. + This Internet-Draft will expire on January 2008. Copyright Notice Copyright (C) The IETF Trust (2007). Abstract This document defines the SPEERMINT peering architecture, its - functional components and peering interface functions. + functional components and peering interface functions. It also + describes the steps taken to establish a session between two peering + domains in the context of the functions defined. Conventions used in this document - In examples, "C:" and "S:" indicate lines sent by the client and - server respectively. - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in RFC-2119 Error! - Reference source not found.. + document are to be interpreted as described in RFC-2119[1] Table of Contents 1. Introduction...................................................3 2. Network Context................................................3 3. Procedures.....................................................6 4. Reference SPEERMINT Architecture...............................6 - 5. Peer Function Examples.........................................7 + 5. Peer Function Examples.........................................8 5.1. The Location Function (LF) of an Initiating Provider......8 5.1.1. Target address analysis..............................8 5.1.2. User ENUM Lookup.....................................9 - 5.1.3. Carrier ENUM lookup..................................9 - 5.1.4. Routing Table........................................9 + 5.1.3. Carrier ENUM lookup.................................10 + 5.1.4. Routing Table.......................................10 5.1.5. SIP DNS Resolution..................................10 - 5.1.6. SIP Redirect Server.................................10 - 5.2. The Location Function (LF) of a Receiving Provider.......10 - 5.2.1. Publish ENUM records................................10 - 5.2.2. Publish SIP DNS records.............................10 - 5.2.3. TLS.................................................10 - 5.2.4. IPSec...............................................11 - 5.2.5. Subscribe Notify....................................11 + 5.1.6. SIP Redirect Server.................................11 + 5.2. The Location Function (LF) of a Receiving Provider.......11 + 5.2.1. Publish ENUM records................................11 + 5.2.2. Publish SIP DNS records.............................11 + 5.2.3. Subscribe Notify....................................11 5.3. Signaling Function (SF)..................................11 - 5.4. Media Function (MF)......................................12 - 5.5. Policy Considerations....................................12 - 6. Call Control and Media Control Deployment Options.............13 - 7. Address space considerations..................................15 - 8. Security Considerations.......................................15 - 9. IANA Considerations...........................................15 - 10. Acknowledgments..............................................15 - 11. References...................................................16 - 11.1. Normative References....................................16 - 11.2. Informative References..................................16 - Author's Addresses...............................................18 - Intellectual Property Statement..................................18 - Disclaimer of Validity...........................................19 + 5.4. The Signaling Function (SF) of an Initiating Provider....12 + 5.4.1. Setup TLS connection................................12 + 5.4.2. IPSec...............................................12 + 5.4.3. Co-Location.........................................13 + 5.4.4. Send the SIP request................................13 + 5.5. The Signaling Function (SF) of an Initiating Provider....14 + 5.5.1. Verify TLS connection...............................14 + 5.5.2. Receive SIP requests................................14 + 5.6. Media Function (MF)......................................15 + 5.7. Policy Considerations....................................15 + 6. Call Control and Media Control Deployment Options.............16 + 7. Address space considerations..................................18 + 8. Security Considerations.......................................18 + 9. IANA Considerations...........................................18 + 10. Acknowledgments..............................................18 + 11. References...................................................19 + 11.1. Normative References....................................19 + 11.2. Informative References..................................20 + Author's Addresses...............................................21 + Intellectual Property Statement..................................21 + Disclaimer of Validity...........................................22 1. Introduction The objective of this document is to define a reference peering architecture in the context of Session PEERing for Multimedia INTerconnect (SPEERMINT). In this process, we define the peering - reference architecture (reference, for short), its functional + reference architecture (reference, for short), it's functional components, and peering interface functions from the perspective of a real-time communications (Voice and Multimedia) IP Service provider network. This architecture allows the interconnection of two service providers in layer 5 peering as defined in the SPEERMINT Requirements [13] and Terminology [12] documents for the purpose SIP-based voice and multimedia traffic. Layer 3 peering is outside the scope of this document. Hence, the @@ -210,81 +215,107 @@ 6. the session establishment, 7. the transfer of media, 8. and the session termination. 4. Reference SPEERMINT Architecture Figure 2 depicts the SPEERMINT architecture and logical functions - that form the peering between two SIP service providers I and R, - where I is the Initiating peer and R is the Receiving peer. + that form the peering between two SIP service providers. +------+ | DNS, | - | Db, | - | etc | - ------- +------+ ------- - / \ | | / \ - | LF---+ +---LF | + +---------| Db, |---------+ + | | etc | | + | +------+ | + | | + --------------- --------------- + / \ / \ | | | | - | SIP SF----------SF SIP | - | Service | | Service | - |Provider MF----------MF Provider| - | I | | R | + | | | | + | +------+ | | +------+ | + | | DNS, | | | | DNS, | | + | | Db, | | | | Db, | | + | | etc | | | | etc | | + | +------+ | | +------+ | + | | | | + | | | | + | +---SF--+ +---SF--+ | + | | | | | | + | | SBE | | SBE | | + | Originating | | | | Terminating | + | +---SF--+ +---SF--+ | + | Domain | | Domain | + | +---MF--+ +---MF--+ | + | SSP | | | | SSP | + | | DBE | | DBE | | + | | | | | | + | +---MF--+ +---MF--+ | + | | | | + | +----LF---+ +----LF---+ | + | +-LF--|----+ | | +----|--LS-+ | + | | | | | | | | | | + | | SM | | LS | | LS | | SM | | + | | | | | | | | | | + | | +----|----+ +----|----+ | | + | +----------+| |+----------+ | | | | | | | | | \ / \ / - ------- ------- + --------------- --------------- Figure 2: Reference SPEERMINT Architecture The procedures presented in Chapter 3 are implemented by a set of peering functions: - o Location Function (LF): Purpose is to develop call routing data - (CRD) by discovering the Signaling Function (SF), , and end - user's reachable host (IP address and port). + o Location Function (LF): Purpose is to develop Session + Establishment Data (SED) by discovering the Signaling Function + (SF) and the end user's reachable host (IP address and port). The + location function is distributed across the Location Server (LS) + and Session Manager (SM). - o Signaling Function (SF): Purpose is to perform routing of SIP - messages, to optionally perform termination and re-initiation of - call, to optionally implement security and policies on SIP - messages, and to assist in discovery/exchange of parameters to be - used by the Media Function (MF). + o Signaling Function (SF): Purpose is to perform SIP call routing, + to optionally perform termination and re-initiation of call, to + optionally implement security and policies on SIP messages, and to + assist in discovery/exchange of parameters to be used by the Media + Function (MF). The signaling function is located within the + Signaling Path Border Element (SBE) o Media Function (MF): Purpose is to perform media related function such as media transcoding and media security implementation - between two SIP providers. + between two SIP providers. The media function is located within + the Data Path Border Element (DBE). The intention of defining these functions is to provide a framework for design segmentation and allow each one to evolve separately. 5. Peer Function Examples This section describes the peering functions in more detail and provides some examples on the role they would play in a SIP call in a Layer 5 peering scenario. Some of the information in the chapter is taken from [14]. 5.1. The Location Function (LF) of an Initiating Provider - Purpose is to develop call routing data (CRD) [12] by discovering - the Signaling Function (SF), and end user's reachable host (IP - address and host). The LF of an Initiating provider analyzes target - address and discovers the next hop signaling function (SF) in a - peering relationship using DNS, SIP Redirect Server, or a functional - equivalent database. + Purpose is to develop Session Establishment Data (SED) [12] by + discovering the Signaling Function (SF), and end user's reachable + host (IP address and host). The LF of an Initiating provider analyzes + target address and discovers the next hop signaling function (SF) in + a peering relationship using DNS, SIP Redirect Server, or a + functional equivalent database. 5.1.1. Target address analysis - When the initiating provider receives a request to communicate, the initiating provider analyzes the target state data to determine whether the call needs to be terminated internal or external to its network. The analysis method is internal to the provider's policy; thus, outside the scope of SPEERMINT. Note that the peer is free to consult any manner of private data sources to make this determination. If the target address does not represent a resource inside the initiating peer's administrative domain or federation of domains, the @@ -345,26 +376,35 @@ the initiating peer MAY still sends the call to another provider for PSTN gateway termination by prior arrangement using a routing table. If so, the initiating peer rewrites the Request-URI to address the gateway resource in the target provider's domain and MAY forward the request on to that provider using the procedures described in the remainder of these steps. 5.1.5. SIP DNS Resolution Once a sip: or sips: in an external domain is selected as the target, - the initiating peer uses the procedures described in [4] Section 4. - To summarize the RFC 3263 procedure: unless these are explicitly - encoded in the target URI, a transport is chosen using NAPTR records, - a port is chosen using SRV records, and an address is chosen using A - or AAAA records. Note that these are queries of records in the - global DNS. + the initiating peer MAY apply local policy to decide whether + forwarding requests to the target domain is acceptable. If so, the + initiating peer uses the procedures in RFC 3263 [6] Section 4 to + determine how to contact the receiving peer. To summarize the RFC + 3263 procedure: unless these are explicitly encoded in the target + URI, a transport is chosen using NAPTR records, a port is chosen + using SRV records, and an address is chosen using A or AAAA records. + Note that these are queries of records in the global DNS. + + When communicating with a public external peer, entities compliant to + this document MUST only select a TLS-protected transport for + communication from the initiating peer to the receiving peer. Note + that this is a single-hop requirement. Either peer MAY insist on + using a sips: URI which asserts that each hop is TLS-protected, but + this document does not require protection over each hop. 5.1.6. SIP Redirect Server A SIP Redirect Server may help in resolving current address of a mobile target address. 5.2. The Location Function (LF) of a Receiving Provider 5.2.1. Publish ENUM records @@ -375,46 +415,21 @@ accept traffic from specific initiating peers, it MAY still reject requests on a case-by-case basis. 5.2.2. Publish SIP DNS records To receive peer requests, the receiving peer MUST insure that it publishes appropriate NAPTR, SRV, and address (A and/or AAAA) records in the global DNS that resolve an appropriate transport, port, and address to a relevant SIP server. -5.2.3. TLS - - Once a transport, port, and address are found, the initiating peer - will open or find a reusable TLS connection to the peer. The - initiating provider should verify the server certificate which should - be rooted in a well-known certificate authority. The initiating - provider should be prepared to provide a TLS client certificate upon - request during the TLS handshake. The client certificate should - contain a DNS or URI choice type in the subject AltName which - corresponds to the domain asserted in the host production of the From - header URI. The certificate should be valid and rooted in a well- - known certificate authority. Note that the client certificate MAY - contain a list of entries in the subjectAltName, only one of which - has to match the domain in the From header URI. - - When the receiving peer receives a TLS client hello, it responds with - its certificate. The receiving peer certificate SHOULD be valid and - rooted in a well-known certificate authority. The receiving peer - should request and verify the client certificate during the TLS - handshake. - -5.2.4. IPSec - - Editor's Note: will be described later. - -5.2.5. Subscribe Notify +5.2.3. Subscribe Notify Policy function may also be optionally implemented by dynamic subscribe, notify, and exchange of policy information and feature information among providers [22]. 5.3. Signaling Function (SF) The purpose of signaling function is to perform routing of SIP messages, to optionally perform termination and re-initiation of a call, to optionally implement security and policies on SIP messages, @@ -429,29 +444,149 @@ Admission Control, SIP Denial of Service protection, SIP Topology Hiding, SIP header normalization, and SIP security, privacy and encryption. The signaling function can also process SDP payloads for media information such as media type, bandwidth, and type of codec; then, communicate this information to the media function. Signaling function may optionally communicate with network layer to pass Layer 3 related policies [10] -5.4. Media Function (MF) +5.4. The Signaling Function (SF) of an Initiating Provider + +5.4.1. Setup TLS connection + + Once a transport, port, and address are found, the initiating peer + will open or find a reusable TLS connection to the peer. The + initiating provider MUST verify the server certificate which SHOULD + be rooted in a well-known certificate authority. The initiating + provider MUST be prepared to provide a TLS client certificate upon + request during the TLS handshake. The client certificate MUST + contain a DNS or URI choice type in the subjectAltName which + corresponds to the domain asserted in the host production of the From + header URI. The certificate SHOULD be valid and rooted in a well- + known certificate authority. + + Note that the client certificate MAY contain a list of entries in the + subjectAltName, only one of which has to match the domain in the From + header URI. + +5.4.2. IPSec + + In certain deployments the use of IPSec between the signaling + functions of the originating and terminating domains can be used as a + security mechanism instead of TLS. + +5.4.3. Co-Location + + In this scenario the signaling functions are co-located in a + physically secure location and/or are members of a segregated + network. In this case messages between the originating and + terminating domains would be sent as clear text. + +5.4.4. Send the SIP request + + Once a TLS connection between the peers is established, the + initiating peer sends the request. When sending some requests, the + initiating peer MUST verify and assert the senders identity using the + SIP Identity mechanism. + + The domain name in the URI of the From: header MUST be a domain which + was present in the certificate presented when establishing the TLS + connection for this request, even if the user part has an anonymous + value. If the From header contains the user URI parameter with the + value of "phone", the user part of the From header URI MUST be a + complete and valid tel: URI [9] telephone-subscriber production, and + SHOULD be a global-number. For example, the following are all + acceptable, the first three are encouraged: + + From: "John Doe" + From: "+12125551212" <+12125551212@example.net;user=phone> + From: "Anonymous" + From: <4092;phone-context=+12125554000@example.net;user=phone> + From: "5551212" <5551212@example.net> + + The following are not acceptable: + + From: "2125551212" <2125551212@example.net;user=phone> + From: "Anonymous" + + In addition, for new dialog-forming requests and non-dialog-forming + requests, the request MUST contain a valid Identity and Identity-Info + header as described in [12]. The Identity-Info header must present a + domain name which is represented in the certificate presented when + establishing the TLS connection over which the request is sent. The + initiating peer SHOULD include an Identity header on in-dialog + requests as well, if the From header field value matches an identity + the initiating peer is willing to assert. + + The initiating peer MAY include any SIP option-tags in Supported, + Require, or Proxy-Require headers according to procedures in + standards-track SIP extensions. Note however that the initiating + peer MUST be prepared to fallback to baseline SIP functionality as + defined by the mandatory-to-implement features of RFC 3261, RFC 3263, + and RFC 3264 [7], except that peers implementing this specification + MUST implement SIP over TLS using the sip: URI scheme, the SIP + Identity header, and RFC 4320 [10] non-INVITE transaction fixes. + +5.5. The Signaling Function (SF) of an Initiating Provider + +5.5.1. Verify TLS connection + + When the receiving peer receives a TLS client hello, it responds with + its certificate. The receiving peer certificate SHOULD be valid and + rooted in a well-known certificate authority. The receiving peer + MUST request and verify the client certificate during the TLS + handshake. + + Once the initiating peer has been authenticated, the receiving peer + can authorize communication from this peer based on the domain name + of the peer and the root of its certificate. This allows two + authorization models to be used, together or separately. In the + domain-based model, the receiving peer can allow communication from + peers with some trusted administrative domains which use general- + purpose certificate authorities, without explicitly permitting all + domains with certificates rooted in the same authority. It also + allows a certificate authority (CA) based model where every domain + with a valid certificate rooted in some list of CAs is automatically + authorized. + +5.5.2. Receive SIP requests + + Once a TLS connection is established, the receiving peer is prepared + to receive incoming SIP requests. For new dialog-forming requests + and out-of-dialog requests, the receiving peer verifies that the + target (request-URI) is a domain which for which it is responsible. + (For these requests, there should be no remaining Route header field + values.) Next the receiving verifies that the Identity header is + valid, corresponds to the message, corresponds to the Identity-Info + header, and that the domain in the From header corresponds to one of + the domains in the TLS client certificate. + + For in-dialog requests, the receiving peer can verify that it + corresponds to the top-most Route header field value. The peer also + validates any Identity header if present. + + The receiving peer MAY reject incoming requests due to local policy. + When a request is rejected because the initiating peer is not + authorized to peer, the receiving peer SHOULD respond with a 403 + response with the reason phrase "Unsupported Peer". + +5.6. Media Function (MF) Examples of the media function is to transform voice payload from one coding (e.g., G.711) to another (e.g., EvRC), media relaying, media security, privacy, and encryption. Editor's Note: This section will be further updated. -5.5. Policy Considerations +5.7. Policy Considerations In the context of the SPEERMINT working group when two Layer 5 devices (e.g., SIP Proxies) peer, there is a need to exchange peering policy information. There are specifications in progress in the SIPPING working group to define policy exchange between an UA and a domain [23] and providing profile data to SIP user agents [24] These considerations borrow from both. Following the terminology introduced in [12], this package uses the terms Peering Session-Independent and Session-Specific policies in @@ -588,21 +723,21 @@ [3] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. [4] Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol (SIP): Locating SIP Servers", RFC 3263, June 2002. [5] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and T. Wright, "Transport Layer Security (TLS) Extensions", RFC - 3546, June 2003. + 4366, April 2006. [6] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, July 2003. [7] Peterson, J., Liu, H., Yu, J., and B. Campbell, "Using E.164 numbers with the Session Initiation Protocol (SIP)", RFC 3824, June 2004. [8] Peterson, J., "Address Resolution for Instant Messaging and @@ -611,57 +746,57 @@ [9] Peterson, J., "Telephone Number Mapping (ENUM) Service Registration for Presence Services", RFC 3953, January 2005. [10] ETSI TS 102 333: " Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Gate control protocol". [11] Peterson, J., "enumservice registration for Session Initiation Protocol (SIP) Addresses-of-Record", RFC 3764, April 2004. + [12] Livingood, J. and R. Shockey, "IANA Registration for an + Enumservice Containing PSTN Signaling Information", RFC 4769, + November 2006. + 11.2. Informative References - [12] Meyer, D., "SPEERMINT Terminology", draft-ietf-speermint- - terminology-04 (work in progress), May 2006. + [13] Meyer, D., "SPEERMINT Terminology", draft-ietf-speermint- + terminology-08 (work in progress), Junly 2007. - [13] Mule, J-F., "SPEERMINT Requirements for SIP-based VoIP - Interconnection", draft-ietf-speermint-requirements-00.txt, - June 2006. + [14] Mule, J-F., "SPEERMINT Requirements for SIP-based VoIP + Interconnection", draft-ietf-speermint-requirements-02.txt, + July 2007. - [14] Mahy, R., "A Minimalist Approach to Direct Peering", draft- - mahy-speermint-direct-peering-00.txt, June 19, 2006. + [15] Mahy, R., "A Minimalist Approach to Direct Peering", draft- + mahy-speermint-direct-peering-02.txt, July 2007. - [15] Penno, R., et al., "SPEERMINT Routing Architecture Message + [16] Penno, R., et al., "SPEERMINT Routing Architecture Message Flows", draft-ietf-speermint-flows-02.txt", April 2007. - [16] Lee, Y., "Session Peering Use Case for Cable", draft-lee- - speermint-use-case-cable-00.txt, June, 2006. + [17] Lee, Y., "Session Peering Use Case for Cable", draft-lee- + speermint-use-case-cable-01.txt, June, 2006. - [17] Houri, A., et al., "RTC Provisioning Requirements", draft- + [18] Houri, A., et al., "RTC Provisioning Requirements", draft- houri-speermint-rtc-provisioning-reqs-00.txt, June, 2006. - [18] Habler, M., et al., "A Federation based VOIP Peering + [19] Habler, M., et al., "A Federation based VOIP Peering Architecture", draft-lendl-speermint-federations-03.txt, September 2006. - [19] Mahy, R., "A Telephone Number Mapping (ENUM) Service + [20] Mahy, R., "A Telephone Number Mapping (ENUM) Service Registration for Instant Messaging (IM) Services", draft-ietf- - enum-im-service-00 (work in progress), March 2006. + enum-im-service-03 (work in progress), March 2006. - [20] Haberler, M. and R. Stastny, "Combined User and Carrier ENUM in - the e164.arpa tree", draft-haberler-carrier-enum-02 (work in + [21] Haberler, M. and R. Stastny, "Combined User and Carrier ENUM in + the e164.arpa tree", draft-haberler-carrier-enum-03 (work in progress), March 2006. - [21] Livingood, J. and R. Shockey, "IANA Registration for an - Enumservice Containing PSTN Signaling Information", draft-ietf- - enum-pstn-04 (work in progress), May 2006. - [22] Penno, R., Malas D., and Melampy, P., "A Session Initiation Protocol (SIP) Event package for Peering", draft-penno-sipping- peering-package-00 (work in progress), September 2006. [23] Hollander, D., Bray, T., and A. Layman, "Namespaces in XML", W3C REC REC-xml-names-19990114, January 1999. [24] Burger, E (Ed.), "A Mechanism for Content Indirection in Author's Addresses