| draft-ietf-speermint-requirements-02.txt | draft-ietf-speermint-requirements-03.txt | |||
|---|---|---|---|---|
| SPEERMINT Working Group J-F. Mule | SPEERMINT Working Group J-F. Mule | |||
| Internet-Draft CableLabs | Internet-Draft CableLabs | |||
| Intended status: Best Current July 9, 2007 | Intended status: Informational November 19, 2007 | |||
| Practice | Expires: May 22, 2008 | |||
| Expires: January 10, 2008 | ||||
| SPEERMINT Requirements for SIP-based VoIP Interconnection | SPEERMINT Requirements for SIP-based VoIP Interconnection | |||
| draft-ietf-speermint-requirements-02.txt | draft-ietf-speermint-requirements-03.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 35 | skipping to change at page 1, line 34 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on January 10, 2008. | This Internet-Draft will expire on May 22, 2008. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2007). | |||
| Abstract | Abstract | |||
| This memo defines Best Current Practices for session peering between | A number of use cases have been identified for session peering of | |||
| SIP Service Providers for voice or other types of multimedia traffic | voice and other types of multimedia traffic. This memo captures some | |||
| exchanges. In its current state, this document describes high-level | of the requirements that enable these use case scenarios. In its | |||
| guidelines and general requirements for session peering for | current version, this document describes both general and use case | |||
| multimedia interconnect . It also defines a minimum set of | specific requirements for session peering for multimedia | |||
| requirements applicable to session peering for voice over IP, | interconnect. It is intended to become an informational document | |||
| presence and instant messaging interconnects. It is intended to | linking the use cases with potential protocol solutions. | |||
| become best current practices based on the use cases discussed in the | ||||
| SPEERMINT working group. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. General Requirements . . . . . . . . . . . . . . . . . . . . . 5 | 3. General Requirements . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 3.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.2. Session Peering Points . . . . . . . . . . . . . . . . . . 5 | 3.2. Session Peering Points . . . . . . . . . . . . . . . . . . 5 | |||
| 3.3. Session Establishment Data (SED) . . . . . . . . . . . . . 6 | 3.3. Session Establishment Data (SED) . . . . . . . . . . . . . 8 | |||
| 3.3.1. User Identities and SIP URIs . . . . . . . . . . . . . 7 | 3.3.1. User Identities and SIP URIs . . . . . . . . . . . . . 8 | |||
| 3.3.2. URI Reachability . . . . . . . . . . . . . . . . . . . 7 | 3.3.2. URI Reachability . . . . . . . . . . . . . . . . . . . 9 | |||
| 3.4. Other Considerations . . . . . . . . . . . . . . . . . . . 8 | 3.4. Other Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
| 4. Signaling and Media Guidelines for Session Peering . . . . . . 10 | 4. Signaling and Media Guidelines for Session Peering . . . . . . 12 | |||
| 4.1. Protocol Specifications . . . . . . . . . . . . . . . . . 10 | 4.1. Protocol Specifications . . . . . . . . . . . . . . . . . 12 | |||
| 4.2. Minimum set of SIP-SDP-related requirements . . . . . . . 10 | 4.2. Minimum set of SIP-SDP-related requirements . . . . . . . 12 | |||
| 4.3. Media-related Requirements . . . . . . . . . . . . . . . . 11 | 4.3. Media-related Requirements . . . . . . . . . . . . . . . . 12 | |||
| 4.4. Requirements for Presence and Instant Messaging . . . . . 11 | 4.4. Requirements for Presence and Instant Messaging . . . . . 13 | |||
| 4.5. Security Requirements . . . . . . . . . . . . . . . . . . 13 | 4.5. Security Requirements . . . . . . . . . . . . . . . . . . 14 | |||
| 4.5.1. Security in today's VoIP networks . . . . . . . . . . 13 | 4.5.1. Security in today's VoIP networks . . . . . . . . . . 15 | |||
| 4.5.2. Signaling Security and TLS Considerations . . . . . . 13 | 4.5.2. Signaling Security and TLS Considerations . . . . . . 15 | |||
| 4.5.3. Media Security . . . . . . . . . . . . . . . . . . . . 14 | 4.5.3. Media Security . . . . . . . . . . . . . . . . . . . . 16 | |||
| 5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 | 5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . . 18 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . . 18 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 20 | |||
| Appendix A. Policy Parameters for Session Peering . . . . . . . . 21 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 20 | |||
| A.1. Categories of Parameters and Justifications . . . . . . . 21 | Appendix A. Policy Parameters for Session Peering . . . . . . . . 24 | |||
| A.1. Categories of Parameters and Justifications . . . . . . . 24 | ||||
| A.2. Summary of Parameters for Consideration in Session | A.2. Summary of Parameters for Consideration in Session | |||
| Peering Policies . . . . . . . . . . . . . . . . . . . . . 24 | Peering Policies . . . . . . . . . . . . . . . . . . . . . 27 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 25 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 28 | |||
| Intellectual Property and Copyright Statements . . . . . . . . . . 26 | Intellectual Property and Copyright Statements . . . . . . . . . . 29 | |||
| 1. Introduction | 1. Introduction | |||
| Peering at the session level represents an agreement between parties | Peering at the session level represents an agreement between parties | |||
| to allow the exchange of traffic according to a policy. It is | to allow the exchange of traffic according to a policy. It is | |||
| assumed that these sessions use the Session Initiation Protocol (SIP) | assumed that these sessions use the Session Initiation Protocol (SIP) | |||
| protocol to enable peering between two or more actors. The actors of | protocol to enable peering between two or more actors. The actors of | |||
| SIP session peering are called SIP Service Providers (SSPs) and they | SIP session peering are called SIP Service Providers (SSPs) and they | |||
| are typically represented by users, user groups such as enterprises | are typically represented by users, user groups such as enterprises | |||
| or real-time collaboration service communities, or other service | or real-time collaboration service communities, or other service | |||
| skipping to change at page 3, line 32 | skipping to change at page 3, line 32 | |||
| has been or could be deployed based on the reference architecture | has been or could be deployed based on the reference architecture | |||
| ([I-D.ietf-speermint-voip-consolidated-usecases]) . | ([I-D.ietf-speermint-voip-consolidated-usecases]) . | |||
| Peering at the session layer can be achieved on a bilateral basis | Peering at the session layer can be achieved on a bilateral basis | |||
| (direct peering with SIP sessions established directly between two | (direct peering with SIP sessions established directly between two | |||
| SSPs), or on an indirect basis via an intermediary (indirect peering | SSPs), or on an indirect basis via an intermediary (indirect peering | |||
| via a third-party SSP that has a trust relationship with the SSPs), | via a third-party SSP that has a trust relationship with the SSPs), | |||
| or on a multilateral basis (assisted peering using a federation model | or on a multilateral basis (assisted peering using a federation model | |||
| between SSPs) - see the terminology document for more details. | between SSPs) - see the terminology document for more details. | |||
| This document describes guidelines and requirements that are intended | This document first describes general guidelines that have been | |||
| to become Best Current Practices for session peering (direct, | derived from the working group discussions in the context of session | |||
| indirect or assisted). These requirements are also independent of | peering (direct, indirect or assisted). The use cases are then | |||
| the type of media exchanged by the parties and should be applicable | analyzed in the spirit of extracting relevant protocol requirements | |||
| to any type of multimedia session peering such as Voice over IP | that must be met to accomplish the use cases. These requirements are | |||
| (VoIP), video telephony, and instant messaging. The document also | also independent of the type of media exchanged by the parties and | |||
| defines a minimum set of specific requirements for VoIP, presence and | should be applicable to any type of multimedia session peering such | |||
| instant messaging interconnects. | as Voice over IP (VoIP), video telephony, and instant messaging. In | |||
| the case where some requirements are media-specific, we define them | ||||
| in a separate section. | ||||
| It is not the goal of this document to mandate any particular use of | It is not the goal of this document to mandate any particular use of | |||
| any IETF protocols to establish session peering. However, when | any IETF protocols on SIP Service Providers to establish session | |||
| protocol mechanisms are used, the document aims at providing | peering. Instead, the document highlights what requirements should | |||
| guidelines or best current practices on how they should be | be met and what protocols may be used to define the solution space. | |||
| implemented, configured or configurable in order to facilitate | ||||
| session peering. | ||||
| Finally, a list of parameters for the definition of a session peering | Finally, we conclude with a list of parameters for the definition of | |||
| policy is provided in an informative appendix. It should be | a session peering policy, provided in an informative appendix. It | |||
| considered as an example of the information a SIP Service Provider | should be considered as an example of the information SIP Service | |||
| may require in order to connect to another using SIP. | Providers may have to discuss or agree on to connect to one another. | |||
| 2. Terminology | 2. Terminology | |||
| In this document, the key words "MUST", "MUST NOT", "REQUIRED", | In this document, the key words "MUST", "MUST NOT", "REQUIRED", | |||
| "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", | "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", | |||
| and "OPTIONAL" are to be interpreted as described in RFC 2119 | and "OPTIONAL" are to be interpreted as described in RFC 2119 | |||
| [RFC2119]. | [RFC2119]. | |||
| This memo makes use of the following terms and acronyms defined in | 3. General Requirements | |||
| The following sections illustrates general requirements applicable to | ||||
| multiple session peering use cases for multimedia sessions. This | ||||
| memo makes use of the following terms and acronyms defined in | ||||
| [I-D.ietf-speermint-terminology]: SIP Service Provider (SSP), | [I-D.ietf-speermint-terminology]: SIP Service Provider (SSP), | |||
| Signaling Path Border Element (SBE), Data Path Border Element (DBE), | Signaling Path Border Element (SBE), Data Path Border Element (DBE), | |||
| Session Establishment Data (SED), Layer 3 and Layer 5 peering, | Session Establishment Data (SED), Layer 3 and Layer 5 peering, | |||
| session peering, federation, etc. It is assumed that the reader is | session peering, federation, etc. It is assumed that the reader is | |||
| familiar with the Session Description Protocol (SDP) [RFC4566] and | familiar with the Session Description Protocol (SDP) [RFC4566] and | |||
| the Session Initiation Protocol (SIP) [RFC3261]. | the Session Initiation Protocol (SIP) [RFC3261]. | |||
| 3. General Requirements | ||||
| The following sections define general guidelines and requirements | ||||
| applicable to session peering for multimedia sessions. | ||||
| 3.1. Scope | 3.1. Scope | |||
| SSPs desiring to establish session peering relationships have to | SSPs desiring to establish session peering relationships have to | |||
| reach an agreement on numerous aspects. | reach an agreement on numerous aspects. | |||
| This document only addresses best current practice for certain | This document only addresses certain aspects of a session peering | |||
| aspects of a session peering agreement, including the declaration, | agreement, mostly the requirements relevant to protocols, including | |||
| advertisement and management of ingress and egress for session | the declaration, advertisement and management of ingress and egress | |||
| signaling and media, information and conventions related to the | for session signaling and media, information and conventions related | |||
| Session Establishment Data (SED), the security requirements each peer | to the Session Establishment Data (SED), and the security mechanisms | |||
| may enforce on its network to accept and secure session exchanges, | a peer may use to accept and secure session exchanges. | |||
| and, the format and necessary details to determine the minimum set of | Numerous other aspects of session peering arrangement are critical to | |||
| parameters required to achieve SIP and SDP interoperability. | reach a successful agreement but they are considered out of scope of | |||
| Several other aspects of session peering are critical to reach a | the SPEERMINT working group and not addressed in this document. They | |||
| successful agreement but they are considered out of scope of the | ||||
| SPEERMINT working group and not addressed in this document. They | ||||
| include aspects such as media (e.g., type of media traffic to be | include aspects such as media (e.g., type of media traffic to be | |||
| exchanged, compatible media codecs and media transport protocols, | exchanged, compatible media codecs and media transport protocols, | |||
| mechanisms to ensure differentiated quality of service for media), | mechanisms to ensure differentiated quality of service for media), | |||
| layer-3 IP connectivity between the Signaling Path and Data Path | layer-3 IP connectivity between the Signaling Path and Data Path | |||
| Border Elements, traffic capacity control (e.g. maximum number of SIP | Border Elements, traffic capacity control (e.g. maximum number of SIP | |||
| sessions at each ingress point, maximum number of concurrent IM or | sessions at each ingress point, maximum number of concurrent IM or | |||
| VoIP sessions), and accounting. The primary focus of this document | VoIP sessions), and accounting. The primary focus of this document | |||
| is on the requirements applicable to the boundaries of Layer 5 SIP | is on the requirements applicable to the boundaries of Layer 5 SIP | |||
| networks: SIP UA or end-device requirements are also considered out | networks: SIP UA or end-device requirements are also considered out | |||
| of scope. | of scope. | |||
| The informative Appendix A lists parameters that SPPs should consider | The informative Appendix A lists parameters that SPPs may consider | |||
| when discussing the technical aspects of SIP session peering. | when discussing the technical aspects of SIP session peering. The | |||
| purpose of this list which has evolved through the working group use | ||||
| case discussions is to capture the parameters that are considered | ||||
| outside the scope of the protocol requirements. | ||||
| 3.2. Session Peering Points | 3.2. Session Peering Points | |||
| For session peering to be scalable and operationally manageable by | For session peering to be scalable and operationally manageable by | |||
| SSPs, maximum flexibility should be given for how signaling path and | SSPs, maximum flexibility should be given for how signaling path and | |||
| media path border elements are declared, dynamically advertised and | media path border elements are declared, dynamically advertised and | |||
| updated. Indeed, in any session peering environment, there is a need | updated. | |||
| for a SIP Service Provider to declare or dynamically advertise the | ||||
| SIP and media entities that will face the peer's network. | ||||
| An SSP SHOULD declare the signaling border elements responsible for | Indeed, in any session peering environment, there is a need for a SIP | |||
| egress and ingress points so called Signaling Path Border Elements | Service Provider to declare or dynamically advertise the SIP entities | |||
| (SBEs). If the SSP also provides media streams to its users, an SSP | that will face the peer's network. The media path border elements | |||
| SHOULD declare the media border elements responsible for egress and | are typically signaled dynamically in the session messaging; some | |||
| ingress points so called Signaling Path Data Elements (SDEs); if such | SSPs may want to statically or dynamically announce these media paths | |||
| an SSP relies on STUN servers ([RFC3489]) and STUN Relay extensions | to do proper capacity planning, QoS mapping with lower layers, etc. | |||
| to permit the traversal of NAT devices, the SSP SHOULD declare those | ||||
| STUN servers as part of its SDEs. It is RECOMMENDED that SSPs use | ||||
| DNS and provide one or more domain names to be used with [RFC3263] to | ||||
| locate SBEs. | ||||
| An SPP SHOULD also indicate if some restrictions exist on the type of | ||||
| media traffic the SIP entities acting as SBEs are capable of | ||||
| establishing. Ingress and egress SBE points MAY be peer-dependent, | ||||
| and/or media-dependent. An SSP SHOULD be able to accomodate | ||||
| multiple, media-dependent ingress points from a peer's network. The | ||||
| mechanisms recommended for the declaration and advertisement of SBE | ||||
| and SDE entities MUST allow for peer and media variability. | ||||
| Motivations: | The use cases defined | |||
| While there could be one single Signaling Path Border Element (SBE) | ([I-D.ietf-speermint-voip-consolidated-usecases]) catalog the various | |||
| in some SSP networks that communicates with all SIP peer networks, an | session peering points between SIP Service Providers; they include | |||
| SSP may choose to have one or more SBEs for receiving incoming SIP | the Session Managers (SM) or Signaling Path Border Elements (SBEs). | |||
| session requests (ingress signaling points), and one or more SBEs for | ||||
| outgoing SIP session requests (egress signaling points). Ingress and | ||||
| egress signaling points may be distinct SIP entities and could be | ||||
| media-dependent. Some providers deploy SIP entities specialized for | ||||
| voice, real-time collaboration, etc. For example, within an SSP | ||||
| network, some SBEs may be dedicated for certain types of media | ||||
| traffic due to specific SIP extensions required for certain media | ||||
| types (e.g. SIMPLE, the SIP MESSAGE Method for Instant Messaging | ||||
| [RFC3428] or the Message Sessions Relay Protocol (MSRP)). | ||||
| An SSP SHOULD communicate how authentication of the peer's SBEs will | Requirement #1: protocol mechanisms must exist for SSPs to | |||
| occur (see the security requirements for more details). The use of | communicate the egress and ingress points of its service domain. | |||
| access control lists based on fixed IP addresses or fixed IP sub-nets | The session peering points may be advertized to session peers | |||
| of the SBEs is NOT RECOMMENDED as it does not scale: it not only | using static mechanisms or they may be dynamically advertized. | |||
| involves an error-prone manual process to configure access control | ||||
| lists but it also prevents peers from dynamically making IP network | Notes on solution space: there seems to be general agreement that | |||
| addressing changes to their SBE egress points without advertising | [RFC3263] provides a solution for dynamic advertisements in most | |||
| those changes "manually". | cases of Direct, Indirect and Assistent peering use cases. There | |||
| continues to be discussion on how to best use this to advertize | ||||
| peer-dependent SBEs (see below). | ||||
| If the SSP also provides media streams to its users as shown in the | ||||
| use cases for the SSPs in the "Originating" and "Terminating" | ||||
| Domains, a mechanism should exist to allow SSPs to advertize their | ||||
| media border elements responsible for egress and ingress points so | ||||
| called Signaling Path Data Elements (SDEs). While some SPPs may have | ||||
| open policies and accept media traffic from anywhere to anywhere | ||||
| inside their network, some SSPs may want to optimize media delivery | ||||
| and identifying media paths between peers prior to traffic being | ||||
| sent. | ||||
| Requirement #2: protocol mechanisms must exist for SSPs to | ||||
| communicate the egress and ingress media points or SDEs of its | ||||
| service domain. | ||||
| Notes on solution space: SSPs engaged in SIP interconnects do | ||||
| exchange this information today in a static manner. | ||||
| Some SPP may impose some restrictions on the type of media traffic | ||||
| the SIP entities acting as SBEs are capable of establishing. In | ||||
| order to avoid a failed attempt to establish a session, a mechanism | ||||
| may be provided to allow SSPs to indicate if some restrictions exist | ||||
| on the type of media traffic; ingress and egress SBE points may be | ||||
| peer-dependent, and/or media-dependent. | ||||
| Requirement #3: the mechanisms recommended for the declaration and | ||||
| advertisement of SBE and SDE entities must allow for peer and | ||||
| media variability. | ||||
| Notes on solution space: for advertising peer-dependent SBEs (peer | ||||
| variability), the solution space based on is under specified and | ||||
| there are no know best current practices. For advertising media- | ||||
| dependent SBEs, solutions exist as long as URIs are protocol- | ||||
| dependent URIs, and a protocol-dependent URI like a SIP URI can be | ||||
| mapped to one type of media. First, some URIs like the IM URI are | ||||
| abstract ([RFC3428]) and need to be translated to protocol | ||||
| dependent URIs. Second, by using mechamisms available today, it | ||||
| is not possible to know what media is supported by the SIP SBE | ||||
| before initiating a query. | ||||
| Motivations for the media variability: | ||||
| While there could be one single Signaling Path Border Element | ||||
| (SBE) in some SSP networks that communicates with all SIP peer | ||||
| networks, an SSP may choose to have one or more SBEs for receiving | ||||
| incoming SIP session requests (ingress signaling points), and one | ||||
| or more SBEs for outgoing SIP session requests (egress signaling | ||||
| points). Ingress and egress signaling points may be distinct SIP | ||||
| entities and could be media-dependent. Some providers deploy SIP | ||||
| entities specialized for voice, real-time collaboration, etc. For | ||||
| example, within an SSP network, some SBEs may be dedicated for | ||||
| certain types of media traffic due to specific SIP extensions | ||||
| required for certain media types (e.g. SIMPLE, the SIP MESSAGE | ||||
| Method for Instant Messaging [RFC3428] or the Message Sessions | ||||
| Relay Protocol (MSRP)). | ||||
| In the use cases provided as part of direct and indirect scenarios, | ||||
| an SSP may deal with multiple Session Managers and multiple SBEs in | ||||
| its own domain. There is often a many-to-many relationship between | ||||
| Session Managers and Signaling path Border Elements. It should be | ||||
| possible for an SSP to define which egress SBE a Session Manager must | ||||
| use based on a given peer destination. For example, in the case of | ||||
| an indirect peering scenario via Transit PSP (Figure 3 of | ||||
| [I-D.ietf-speermint-voip-consolidated-usecases]), it should be | ||||
| possible for the O-SM to choose the appropriate O-SBE based on the | ||||
| information the O-SM receives in the response labeled (3)). Note | ||||
| that this example also applies to the case of Direct Peering when a | ||||
| service provider has multiple service areas and each service area | ||||
| involves multiple Session Managers and a few SBEs. This is also | ||||
| implied in the Direct Use Case (section 3.1 of | ||||
| [I-D.ietf-speermint-voip-consolidated-usecases]), by the use of the | ||||
| route terminology in step 3 "Routing database entity replies with | ||||
| route to called party" (route in the sense of both target URI and SIP | ||||
| Route or next hop SIP or SBE entity as defined in [RFC3261]). | ||||
| Requirement #4: the mechanisms recommended for the location | ||||
| service must be capable or returning both a target URI destination | ||||
| and a SIP Route. | ||||
| Notes on solution space: solutions exist if the protocol used | ||||
| between the SM and the LS is SIP; if ENUM is used, the author of | ||||
| this document does not know of any solution today. | ||||
| It is desirable for an SSP to be able to communicate how | ||||
| authentication of the peer's SBEs will occur (see the security | ||||
| requirements for more details). | ||||
| Requirement #5: the mechanisms recommended for locating a peer's | ||||
| SBE must be able to convey how a peer should initiate secure | ||||
| session establishment. | ||||
| Notes on the solution space: certain mechanisms exist, for e.g. | ||||
| the required use of SIP over TLS may be discovered via RFC 3263. | ||||
| 3.3. Session Establishment Data (SED) | 3.3. Session Establishment Data (SED) | |||
| The Session Establishment Data (SED) is defined as the data used to | The Session Establishment Data (SED) is defined as the data used to | |||
| route a call or SIP session to the called domain's ingress point | route a call or SIP session to the called domain's ingress point | |||
| ([I-D.ietf-speermint-terminology]). Given that SED is the set of | ([I-D.ietf-speermint-terminology]). Given that SED is the set of | |||
| parameters that the outgoing SBEs need to complete the session | parameters that the Session Managers and outgoing SBEs need to | |||
| establishment, some information must be shared between SSPs on | complete the session establishment, some information is shared | |||
| special requirements or conventions required for a successful session | between SSPs. The following paragraphs capture some general | |||
| establishment. The following paragraphs capture the recommended best | requirements on the SED data. | |||
| practices for the SED data. | ||||
| 3.3.1. User Identities and SIP URIs | 3.3.1. User Identities and SIP URIs | |||
| User identities used between peers can be represented in many | User identities used between peers can be represented in many | |||
| different formats. Session Establishment Data SHOULD rely on URIs | different formats. Session Establishment Data should rely on URIs | |||
| (Uniform Resource Identifiers, RFC 3986 [RFC3986]) and SIP URIs | (Uniform Resource Identifiers, RFC 3986 [RFC3986]) and SIP URIs | |||
| SHOULD be preferred over tel URIs (RFC 3966 [RFC3966]). | should be preferred over tel URIs (RFC 3966 [RFC3966]) for session | |||
| The use of DNS domain names and hostnames is RECOMMENDED in SIP URIs | peering of VoIP traffic. | |||
| and they MUST be resolvable on the public Internet. It is | The use of DNS domain names and hostnames is recommended in SIP URIs | |||
| RECOMMENDED that the host part of SIP URIs contain a fully-qualified | and they should be resolvable on the public Internet. It is | |||
| recommended that the host part of SIP URIs contain a fully-qualified | ||||
| domain name instead of a numeric IPv4 or IPv6 address. As for the | domain name instead of a numeric IPv4 or IPv6 address. As for the | |||
| user part of the SIP URIs, an SSP SHOULD NOT need to be aware of | user part of the SIP URIs, the mechanisms for session peering should | |||
| which individual user identities are valid within a peer's domain. | not require an SSP to be aware of which individual user identities | |||
| are valid within its peer's domain. | ||||
| Although SED data may be based on E.164-based SIP URIs for voice | Requirement #6: the protocols used for session peering must | |||
| interconnects, a generic peering methodology should not rely on such | accomodate the use of different types of URIs. URIs with the same | |||
| E.164 numbers. As described in | domain-part should share the same set of peering policies, thus | |||
| [I-D.draft-elwell-speermint-enterprise-usecases], in some use cases | the domain of the SIP URI may be used as the primary key to any | |||
| for enterprise to enterprise peering (even if a transit SSP is | information regarding the reachability of that SIP URI. | |||
| involved), it should be possible to use user identity URIs that do | ||||
| not map to E.164 numbers, e.g. for presence, instant messaging and | Requirement #7: the mechanisms for session peering should not | |||
| even for voice. | require a peer to be aware of which individual user identities are | |||
| valid within its peer's domain. | ||||
| Notes on the solution space for #6 and #7: generally well | ||||
| understood in IETF. When telephone numbers are in tel URIs, SIP | ||||
| requests cannot be routed in accordance with the traditional DNS | ||||
| resolution procedures standardized for SIP as indicated in RFC | ||||
| 3824 [RFC3824]. This means that the solutions built for session | ||||
| peering must not solely use PSTN identifiers such as Service | ||||
| Provider IDs (SPIDs) or Trunk Group IDs (these should not be | ||||
| precluded but solutions should not be limited to these). | ||||
| Motivations: | Motivations: | |||
| When SSP support voice, telephone numbers commonly appear in the | Although SED data may be based on E.164-based SIP URIs for voice | |||
| username portion of a SIP URI. When telephone numbers are in tel | interconnects, a generic peering methodology should not rely on | |||
| URIs, SIP requests cannot be routed in accordance with the | such E.164 numbers. As described in | |||
| traditional DNS resolution procedures standardized for SIP as | [I-D.draft-elwell-speermint-enterprise-usecases], in some use | |||
| indicated in RFC 3824 [RFC3824]. The recommendations defined in | cases for enterprise to enterprise peering (even if a transit SSP | |||
| [RFC3824] SHOULD be followed by implementers when using E.164 numbers | is involved), it should be possible to use user identity URIs that | |||
| with SIP. Furthermore, it is commonly assumed that all SIP URIs with | do not map to E.164 numbers, e.g. for presence, instant messaging | |||
| the same domain-part share the same set of peering policies, thus the | and even for voice. | |||
| domain of the SIP URI may be used as the primary key to any | ||||
| information regarding the reachability of that SIP URI. | ||||
| 3.3.2. URI Reachability | 3.3.2. URI Reachability | |||
| Based on a well-known URI type (for e.g. sip, pres, or im URIs), it | Based on a well-known URI type (for e.g. sip, pres, or im URIs), it | |||
| MUST be possible to determine whether the SSP domain servicing the | must be possible to determine whether the SSP domain servicing the | |||
| URI allows for session peering, and if it does, it SHOULD be possible | URI allows for session peering, and if it does, it should be possible | |||
| to locate and retrieve the domain's policy and SBE entities. | to locate and retrieve the domain's policy and SBE entities. | |||
| For example, an originating service provider must be able to | For example, an originating service provider must be able to | |||
| determine whether a SIP URI is open for direct interconnection | determine whether a SIP URI is open for direct interconnection | |||
| without requiring an SBE to initiate a SIP request. Furthermore, | without requiring an SBE to initiate a SIP request. Furthermore, | |||
| since each call setup implies the execution of any proposed | since each call setup implies the execution of any proposed | |||
| algorithm, the establishment of a SIP session via peering should | algorithm, the establishment of a SIP session via peering should | |||
| incur minimal overhead and delay, and employ caching wherever | incur minimal overhead and delay, and employ caching wherever | |||
| possible to avoid extra protocol round trips. | possible to avoid extra protocol round trips. | |||
| The use of DNS domain names and hostnames is RECOMMENDED in SIP URIs | Requirement #8: the mechanisms for session peering must allow an | |||
| and they MUST be resolvable on the public Internet. The DNS | SBE to locate its peer SBE given a SSP hostname or domain name. | |||
| procedures specified in [RFC3263] SHOULD be followed to resolve a SIP | ||||
| URI into a reachable host (IP address and port), and transport | ||||
| protocol. Note that RFC 3263 relies on DNS SRV [RFC2782] and NAPTR | ||||
| Resource Records [RFC2915]. | ||||
| Motivations: | Notes on the solution space: generally well understood in IETF. | |||
| This requirement is important as unsuccessful call attempts are | Open questions exist in how dynamic should the mechanism be to be | |||
| highly undesirable since they can introduce high delays due to | able to retrieve the domain's policy for secure signaling between | |||
| timeouts and can act as an unintended denial of service attack (e.g., | SBEs, peer-dependent/media-dependent policies. | |||
| by repeated TLS handshakes). There should be a high probability of | ||||
| successful call completion for policy-conforming peers. | ||||
| 3.4. Other Considerations | 3.4. Other Considerations | |||
| The considerations listed below were gathered early on in the | The considerations listed below were gathered early on in the | |||
| SPEERMINT working group as part of discussions to define the scope of | SPEERMINT working group as part of discussions to define the scope of | |||
| the working group. They are left here but have been re-written | the working group. | |||
| without requirements verbs for the most part. | ||||
| o Session peering should be independent of lower layers. | o It is assumed that session peering is independent of lower layers. | |||
| The mechanisms used to establish session peering should | The mechanisms used to establish session peering should | |||
| accommodate diverse supporting lower layers. It should not matter | accommodate diverse supporting lower layers. It should not matter | |||
| whether lower layers rely on the public Internet or are | whether lower layers rely on the public Internet or are | |||
| implemented by private L3 connectivity, using firewalls or L2/L3 | implemented by private L3 connectivity, using firewalls or L2/L3 | |||
| Virtual Private Networks (VPNs), IPSec tunnels or Transport Layer | Virtual Private Networks (VPNs), IPSec tunnels or Transport Layer | |||
| Security (TLS) connections [RFC3546]... | Security (TLS) connections [RFC3546]... | |||
| o Session Peering Policies and Extensibility: | o Session Peering Policies and Extensibility: | |||
| Mechanisms developed for session peering should be flexible and | Mechanisms developed for session peering should be flexible and | |||
| extensible to cover existing and future session peering models. | extensible to cover existing and future session peering models. | |||
| skipping to change at page 8, line 48 | skipping to change at page 10, line 33 | |||
| configuration choices in a distributed system like DNS rather than | configuration choices in a distributed system like DNS rather than | |||
| in a centralized system like a 'peering registry'. | in a centralized system like a 'peering registry'. | |||
| In the context of session peering, a policy is defined as the set | In the context of session peering, a policy is defined as the set | |||
| of parameters and other information needed by an SPP to connect to | of parameters and other information needed by an SPP to connect to | |||
| another. Some of the session policy parameters may be statically | another. Some of the session policy parameters may be statically | |||
| exchanged and set throughout the lifetime of the peering | exchanged and set throughout the lifetime of the peering | |||
| relationship. Others parameters may be discovered and updated | relationship. Others parameters may be discovered and updated | |||
| dynamically using by some explicit protocol mechanisms. These | dynamically using by some explicit protocol mechanisms. These | |||
| dynamic parameters may also relate to an SSP's session-dependent | dynamic parameters may also relate to an SSP's session-dependent | |||
| or session independent policies as defined in | or session independent policies as defined in | |||
| [I-D.ietf-sipping-session-policy-framework]. | [I-D.ietf-sipping-session-policy]. | |||
| o Administrative and Technical Policies: | o Administrative and Technical Policies: | |||
| Various types of policy information may need to be discovered or | Various types of policy information may need to be discovered or | |||
| exchanged in order to establish session peering. At a minimum, a | exchanged in order to establish session peering. At a minimum, a | |||
| policy should specify information related to session establishment | policy should specify information related to session establishment | |||
| data in order to avoid session establishment failures. A policy | data in order to avoid session establishment failures. A policy | |||
| may also include information related to QoS, billing and | may also include information related to QoS, billing and | |||
| accounting, layer-3 related interconnect requirements which are | accounting, layer-3 related interconnect requirements which are | |||
| out of the scope of this document, see examples in Section | out of the scope of this document, see examples in Section | |||
| Appendix A. | Appendix A. | |||
| skipping to change at page 10, line 7 | skipping to change at page 12, line 7 | |||
| (contractual, legal, commercial, or business decisions) and | (contractual, legal, commercial, or business decisions) and | |||
| technical (certain QoS parameters, TLS keys, domain keys, ...). | technical (certain QoS parameters, TLS keys, domain keys, ...). | |||
| The objectives are to provide a baseline framework to define, | The objectives are to provide a baseline framework to define, | |||
| publish and optionally retrieve policy information so that a | publish and optionally retrieve policy information so that a | |||
| session establishment does not need to be attempted to know that | session establishment does not need to be attempted to know that | |||
| imcompatible policy parameters will cause the session to fail | imcompatible policy parameters will cause the session to fail | |||
| (this was originally referred to as "no blocked calls"). | (this was originally referred to as "no blocked calls"). | |||
| 4. Signaling and Media Guidelines for Session Peering | 4. Signaling and Media Guidelines for Session Peering | |||
| This section provides some guidelines for maximizing SIP-based | This section provides some guidelines for SIP-based interconnections. | |||
| interconnections between SSPs. It should be considered as the | This section should be partially or entirely removed from the next | |||
| minimal set of requirements to be implemented to perform SIP | revision of this document given the intent of this memo. | |||
| interconnects for presence, IM, or VoIP. | ||||
| 4.1. Protocol Specifications | 4.1. Protocol Specifications | |||
| A detailed list of SIP and SDP RFCs the session peers' SBEs must | While it is generally agreed that this is out of the scope of | |||
| conform to must be provided by SSPs. It is NOT RECOMMENDED to rely | speermint, a detailed list of SIP and SDP RFCs the session peers' | |||
| on Internet-Drafts for commercial SIP interconnects, but if | SBEs must conform to should be provided by SSPs. It is not | |||
| applicable, a list of supported or required IETF Internet-Drafts | recommended to rely on Internet-Drafts for commercial SIP | |||
| SHOULD be provided. Such specifications SHOULD include protocol | interconnects, but if applicable, a list of supported or required | |||
| implementation compliance statements, indicate the minimal extensions | IETF Internet-Drafts should be provided. Such specifications should | |||
| that MUST be supported, and the full details on what options and | include protocol implementation compliance statements, indicate the | |||
| protocol features MUST be supported, MUST NOT be supported or MAY be | minimal extensions that must be supported, and the full details on | |||
| supported. This specification SHOULD include a high-level | what options and protocol features must be supported, must not be | |||
| description of the services that are expected to be supported by the | supported or may be supported. This specification should include a | |||
| peering relationship and it MAY include sample message flows. | high-level description of the services that are expected to be | |||
| supported by the peering relationship and it may include sample | ||||
| message flows. | ||||
| 4.2. Minimum set of SIP-SDP-related requirements | 4.2. Minimum set of SIP-SDP-related requirements | |||
| The main objective of SIP interconnects being the establishment of | The main objective of SIP interconnects being the establishment of | |||
| successful SIP calls between peer SSPs, this section provides some | successful SIP calls between peer SSPs, this section provides some | |||
| guidelines for the minimum set of SIP specifications that SHOULD be | guidelines for the minimum set of SIP specifications that should be | |||
| supported by SBEs. | supported by SBEs. | |||
| The Core SIP Specifications as defined in [RFC3261] and | The Core SIP Specifications as defined in [RFC3261] and | |||
| [I-D.ietf-sip-hitchhikers-guide] MUST be supported by Signaling Path | [I-D.ietf-sip-hitchhikers-guide] MUST be supported by Signaling Path | |||
| Border Elements (SBEs) and any other SIP implementations involved in | Border Elements (SBEs) and any other SIP implementations involved in | |||
| session peering. The specifications contained in the Core SIP group | session peering. The specifications contained in the Core SIP group | |||
| provide the fundamental and basic mechanisms required to enable SIP | provide the fundamental and basic mechanisms required to enable SIP | |||
| interconnects. The Hitchkiker's guide include specific sections for | interconnects. The Hitchkiker's guide include specific sections for | |||
| voice, instant message and presence. | voice, instant message and presence. | |||
| Furthermore, SBE implementers MUST follow the recommendations | Furthermore, SBE implementers must follow the recommendations | |||
| contained in RFC 3261 regarding the use of the Supported and Require | contained in RFC 3261 regarding the use of the Supported and Require | |||
| headers. Signaling Path Border Elements SHOULD include the supported | headers. Signaling Path Border Elements should include the supported | |||
| SIP extensions in the Supported header and the use of the Require | SIP extensions in the Supported header and the use of the Require | |||
| header must be configurable on a per SSP target domain basis in order | header must be configurable on a per SSP target domain basis in order | |||
| to match a network peer's policy and to maximize interoperability. | to match a network peer's policy and to maximize interoperability. | |||
| In the cases of indirect or assisted peering, it is also important | ||||
| that an adequate level of SIP message transparency is available. In | ||||
| particular, the intermediary SBE MUST NOT modify or remove | ||||
| information in the SIP or SDP parameters beyond what is required for | ||||
| the purpose of call routing. In particular, intermediary SBE SHOULD | ||||
| NOT: | ||||
| o Remove SIP header lines, SIP header fields and SIP message bodies | ||||
| that are intended for the destination SBE, or the called SIP UA | ||||
| irrespective of whether or not those header lines or parameters | ||||
| are understood by the intermediary SBE; | ||||
| o Modify header fields and bodies in a way that may break any | ||||
| integrity protection. | ||||
| 4.3. Media-related Requirements | 4.3. Media-related Requirements | |||
| SSPs engaged in session peering SHOULD support of compatible codecs. | Compatible codecs must be support by SSPs engaged in session peering. | |||
| An SSP domain policy SHOULD specify media-related parameters that | An SSP domain policy should specify media-related parameters that | |||
| their user's SIP entities support or that the SSP authorizes in its | their user's SIP entities support or that the SSP authorizes in its | |||
| domain's policy. Direct media exchange between the SSPs' user | domain's policy. Direct media exchange between the SSPs' user | |||
| devices is preferred and media transcoding SHOULD be avoided by | devices is preferred and media transcoding should be avoided by | |||
| proposing commonly agreed codecs. SSPs SHOULD discuss mechanisms | proposing commonly agreed codecs. Mechanisms employed for IPv4-IPv6 | |||
| employed for IPv4-IPv6 translation of media, as well as solutions | translation of media should also be agreed upon, as well as solutions | |||
| used for NAT traversal such as ICE [I-D.ietf-ice] and STUN | used for NAT traversal such as ICE [I-D.ietf-ice] and STUN | |||
| ([RFC3489]). | ([RFC3489]). | |||
| Motivations: The media capabilities of an SSP's network are either a | Motivations: The media capabilities of an SSP's network are either a | |||
| property of the SIP end-devices, SIP applications, or, a combination | property of the SIP end-devices, SIP applications, or, a combination | |||
| of the property of end-devices and Data Path Border Elements that may | of the property of end-devices and Data Path Border Elements that may | |||
| provide media transcoding. | provide media transcoding. | |||
| The choice of one or more common media codecs for SIP sessions | The choice of one or more common media codecs for SIP sessions | |||
| between SSPs is outside the scope of SPEERMINT. A list of media- | between SSPs is outside the scope of SPEERMINT. A list of media- | |||
| skipping to change at page 13, line 47 | skipping to change at page 15, line 37 | |||
| 4.5.2. Signaling Security and TLS Considerations | 4.5.2. Signaling Security and TLS Considerations | |||
| The Transport Layer Security (TLS) is a standard way to secure | The Transport Layer Security (TLS) is a standard way to secure | |||
| signaling between SIP entities. TLS can be used in direct peering to | signaling between SIP entities. TLS can be used in direct peering to | |||
| mutually authenticate SSPs and provide message confidentiality and | mutually authenticate SSPs and provide message confidentiality and | |||
| integrity protection. The remaining paragraphs explore how TLS could | integrity protection. The remaining paragraphs explore how TLS could | |||
| be deployed and used between 2 SSPs to secure SIP exchanges. The | be deployed and used between 2 SSPs to secure SIP exchanges. The | |||
| intent is to capture what two SSPs should discuss and agree on in | intent is to capture what two SSPs should discuss and agree on in | |||
| order to establish TLS connections for SIP session peering. | order to establish TLS connections for SIP session peering. | |||
| 1. SSPs SHOULD agree on one or more Certificate Authorities (CAs) | 1. SSPs should agree on one or more Certificate Authorities (CAs) | |||
| to trust for securing session peering exchanges. | to trust for securing session peering exchanges. | |||
| Motivations: | Motivations: | |||
| An SSP should have control over which root CAs it trusts for SIP | An SSP should have control over which root CAs it trusts for SIP | |||
| communications. This may imply creating a certificate trust list | communications. This may imply creating a certificate trust list | |||
| and including the peer's CA for each authorized domain. In the | and including the peer's CA for each authorized domain. In the | |||
| case of a federation, This requirement allows for the initiating | case of a federation, This requirement allows for the initiating | |||
| side to verify that the server certificate chains up to a trusted | side to verify that the server certificate chains up to a trusted | |||
| root CA. This also means that SIP servers SHOULD allow the | root CA. This also means that SIP servers should allow the | |||
| configuration of a certificate trust list in order to allow a VSP/ | configuration of a certificate trust list in order to allow a VSP/ | |||
| ASP to control which peer's CAs are trusted for TLS connections. | ASP to control which peer's CAs are trusted for TLS connections. | |||
| Note that these considerations seem to be around two themes: one | Note that these considerations seem to be around two themes: one | |||
| is trusting a root, the other is trusting intermediate CAs. | is trusting a root, the other is trusting intermediate CAs. | |||
| 2. Peers SHOULD indicate whether their domain policies require | 2. Peers should indicate whether their domain policies require | |||
| proxy servers to inspect and verify the identity provided in SIP | proxy servers to inspect and verify the identity provided in SIP | |||
| requests as defined in [RFC4474]. Federations supporting | requests as defined in [RFC4474]. Federations supporting | |||
| [RFC4474] MUST specify the CA(s) permitted to issue certificates | [RFC4474] must specify the CA(s) permitted to issue certificates | |||
| of the authentication service. | of the authentication service. | |||
| 3. SIP and SBE servers involved in the secure session | 3. SIP and SBE servers involved in the secure session | |||
| establishment over TLS MUST have valid X.509 certificates and MUST | establishment over TLS must have valid X.509 certificates and must | |||
| be able to receive a TLS connection on a well-known port. | be able to receive a TLS connection on a well-known port. | |||
| 4. The following TLS/SIP Protocol parameters SHOULD be agreed | 4. The following SIP and TLS protocol parameters should be agreed | |||
| upon as part of session peering policies: the version of TLS | upon as part of session peering policies: the version of TLS | |||
| supported by Signaling Border Elements (TLSv1, TLSv1.1), the SIP | supported by Signaling Border Elements (TLSv1, TLSv1.1), the SIP | |||
| TLS port (default 5061), the server-side session timeout (default | TLS port (default 5061), the server-side session timeout (default | |||
| 300 seconds), the list of supported or recommended ciphersuites, | 300 seconds), the list of supported or recommended ciphersuites, | |||
| and the list of trusted root CAs. | and the list of trusted root CAs. | |||
| 5. SIP and SBE servers involved in the session establishment over | 5. SIP and SBE servers involved in the session establishment over | |||
| TLS MUST verify and validate the client certificates: the client | TLS must verify and validate the client certificates: the client | |||
| certificate MUST contain a DNS or URI choice type in the | certificate must contain a DNS or URI choice type in the | |||
| subjectAltName which corresponds to the domain asserted in the | subjectAltName which corresponds to the domain asserted in the | |||
| host portion of the URI contained in the From header. It is also | host portion of the URI contained in the From header. It is also | |||
| recommended that VSPs/ASPs convey the domain identity in the | recommended that VSPs/ASPs convey the domain identity in the | |||
| certificates using both a canonical name of the SIP server(s) and | certificates using both a canonical name of the SIP server(s) and | |||
| the SIP URI for the domain as described in section 4 of | the SIP URI for the domain as described in section 4 of | |||
| [I-D.gurbani-sip-domain-certs]. On the client side, it is also | [I-D.gurbani-sip-domain-certs]. On the client side, it is also | |||
| critical for the TLS client to authenticate the server as defined | critical for the TLS client to authenticate the server as defined | |||
| in [RFC3261] and in section 9 of [I-D.ietf-sip-certs]. | in [RFC3261] and in section 9 of [I-D.ietf-sip-certs]. | |||
| 6. A session peering policy SHOULD include details on SIP session | 6. A session peering policy should include details on SIP session | |||
| establishment over TLS if TLS is supported. | establishment over TLS if TLS is supported. | |||
| 4.5.3. Media Security | 4.5.3. Media Security | |||
| Media security for session peering is as important as signaling | Media security for session peering is as important as signaling | |||
| security, especially for SSPs that want to continue to meet commonly | security, especially for SSPs that want to continue to meet commonly | |||
| assumed privacy and confidentiality requirements outside their | assumed privacy and confidentiality requirements outside their | |||
| networks. Media can be secured using secure media transport | networks. Media can be secured using secure media transport | |||
| protocols (e.g. secure RTP or sRTP). The issues of key management | protocols (e.g. secure RTP or sRTP). The issues of key management | |||
| protocols for sRTP are being raised in IETF and this continues to be | protocols for sRTP are being raised in IETF and this continues to be | |||
| skipping to change at page 16, line 12 | skipping to change at page 17, line 12 | |||
| references for more details. Some of these scenarios may be | references for more details. Some of these scenarios may be | |||
| applicable to interdomain SSP session peering. | applicable to interdomain SSP session peering. | |||
| 5. Acknowledgments | 5. Acknowledgments | |||
| This document is a work-in-progress and it is based on the input and | This document is a work-in-progress and it is based on the input and | |||
| contributions made by a large number of people in the SPEERMINT | contributions made by a large number of people in the SPEERMINT | |||
| working group, including: Edwin Aoki, Scott Brim, John Elwell, Mike | working group, including: Edwin Aoki, Scott Brim, John Elwell, Mike | |||
| Hammer, Avshalom Houri, Richard Shocky, Henry Sinnreich, Richard | Hammer, Avshalom Houri, Richard Shocky, Henry Sinnreich, Richard | |||
| Stastny, Patrik Faltstrom, Otmar Lendl, Daryl Malas, Dave Meyer, | Stastny, Patrik Faltstrom, Otmar Lendl, Daryl Malas, Dave Meyer, | |||
| Sriram Parameswar, Jason Livingood, Bob Natale, Benny Rodrig, Brian | Sriram Parameswar, Jon Peterson, Jason Livingood, Bob Natale, Benny | |||
| Rosen, Eric Rosenfeld, Adam Uzelac and Dan Wing. Specials thanks go | Rodrig, Brian Rosen, Eric Rosenfeld, Adam Uzelac and Dan Wing. | |||
| to Rohan Mahy, Brian Rosen, John Elwell for their initial drafts | Specials thanks go to Rohan Mahy, Brian Rosen, John Elwell for their | |||
| describing guidelines or best current practices in various | initial drafts describing guidelines or best current practices in | |||
| environments, and to Avshalom Houri, Edwin Aoki and Sriram Parameswar | various environments, and to Avshalom Houri, Edwin Aoki and Sriram | |||
| for authoring the presence and instant messaging requirements. | Parameswar for authoring the presence and instant messaging | |||
| requirements. | ||||
| 6. Security Considerations | 6. IANA Considerations | |||
| None. | ||||
| 7. Security Considerations | ||||
| Securing session peering communications involves numerous protocol | Securing session peering communications involves numerous protocol | |||
| exchanges, first and foremost, the securing of SIP signaling and | exchanges, first and foremost, the securing of SIP signaling and | |||
| media sessions. The security considerations contained in [RFC3261], | media sessions. The security considerations contained in [RFC3261], | |||
| and [RFC4474] are applicable to the SIP protocol exchanges. A number | and [RFC4474] are applicable to the SIP protocol exchanges. A number | |||
| of security considerations are also described in Section Section 4.5. | of security considerations are also described in Section Section 4.5. | |||
| 7. References | 8. References | |||
| 7.1. Normative References | 8.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| 7.2. Informative References | 8.2. Informative References | |||
| [I-D.Malas-sip-performance] | [I-D.Malas-sip-performance] | |||
| Malas, D., "SIP End-to-End Performance Metrics", May 2007. | Malas, D., "SIP End-to-End Performance Metrics", May 2007. | |||
| [I-D.draft-elwell-speermint-enterprise-usecases] | [I-D.draft-elwell-speermint-enterprise-usecases] | |||
| Elwell, J. and B. Rodrig, "Use cases for Enterprise | Elwell, J. and B. Rodrig, "Use cases for Enterprise | |||
| Peering using the Session Initiation Protocol", | Peering using the Session Initiation Protocol", | |||
| draft-elwell-speermint-enterprise-usecases-00.txt (work in | draft-elwell-speermint-enterprise-usecases-00.txt (work in | |||
| progress), February 2007. | progress), February 2007. | |||
| [I-D.draft-niccolini-speermint-voipthreats] | [I-D.draft-niccolini-speermint-voipthreats] | |||
| Niccolini, S. and E. Chen, "VoIP Security Threats relevant | Niccolini, S. and E. Chen, "VoIP Security Threats relevant | |||
| to SPEERMINT", March 2007. | to SPEERMINT", March 2007. | |||
| [I-D.gurbani-sip-domain-certs] | [I-D.gurbani-sip-domain-certs] | |||
| Gurbani, V., Jeffrey, A., and S. Lawrence, "Domain | Gurbani, V., Jeffrey, A., and S. Lawrence, "Domain | |||
| Certificates in the Session Initiation Protocol (SIP)", | Certificates in the Session Initiation Protocol (SIP)", | |||
| draft-gurbani-sip-domain-certs-05 (work in progress), | draft-gurbani-sip-domain-certs-06 (work in progress), | |||
| June 2007. | June 2007. | |||
| [I-D.ietf-ice] | [I-D.ietf-ice] | |||
| Rosenberg, J., "Interactive Connectivity Establishment | Rosenberg, J., "Interactive Connectivity Establishment | |||
| (ICE): A Protocol for Network Address Translator (NAT) | (ICE): A Protocol for Network Address Translator (NAT) | |||
| Traversal for Offer/Answer Protocols", June 2007. | Traversal for Offer/Answer Protocols", June 2007. | |||
| [I-D.ietf-sip-certs] | [I-D.ietf-sip-certs] | |||
| Jennings, C., Peterson, J., and J. Fischl, "Certificate | Jennings, C., Peterson, J., and J. Fischl, "Certificate | |||
| Management Service for The Session Initiation Protocol | Management Service for The Session Initiation Protocol | |||
| (SIP)", May 2007. | (SIP)", May 2007. | |||
| [I-D.ietf-sip-hitchhikers-guide] | [I-D.ietf-sip-hitchhikers-guide] | |||
| Rosenberg, J., "A Hitchhikers Guide to the Session | Rosenberg, J., "A Hitchhikers Guide to the Session | |||
| Initiation Protocol (SIP)", July 2007. | Initiation Protocol (SIP)", July 2007. | |||
| [I-D.ietf-sipping-session-policy-framework] | [I-D.ietf-sipping-session-policy] | |||
| Hilt, V., "A Framework for Session Initiation Protocol | Hilt, V. and G. Camarillo, "A Session Initiation Protocol | |||
| (SIP) Session Policies", | (SIP) Event Package for Session-Specific Session | |||
| draft-ietf-sipping-session-policy-framework-01 (work in | Policies", draft-ietf-sipping-policy-package-04.txt (work | |||
| progress), June 2006. | in progress), August 2007. | |||
| [I-D.ietf-speermint-architecture] | [I-D.ietf-speermint-architecture] | |||
| Penno et al., R., "SPEERMINT Peering Architecture", | Penno et al., R., "SPEERMINT Peering Architecture", | |||
| April 2007. | draft-ietf-speermint-architecture-03.txt (work in | |||
| progress), April 2007. | ||||
| [I-D.ietf-speermint-terminology] | [I-D.ietf-speermint-terminology] | |||
| Meyer, R. and D. Malas, "SPEERMINT Terminology", | Meyer, R. and D. Malas, "SPEERMINT Terminology", | |||
| July 2007. | draft-ietf-speermint-terminology-13.txt (work in | |||
| progress), November 2007. | ||||
| [I-D.ietf-speermint-voip-consolidated-usecases] | [I-D.ietf-speermint-voip-consolidated-usecases] | |||
| Uzelac et al., A., "VoIP SIP Peering Use Cases", | Uzelac et al., A., "VoIP SIP Peering Use Cases", | |||
| June 2007. | draft-ietf-speermint-voip-consolidated-usecases-03.txt | |||
| (work in progress), July 2007. | ||||
| [I-D.ietf-wing-media-security-requirements] | [I-D.ietf-wing-media-security-requirements] | |||
| Wing, D., Fries, S., and H. Tschofenig, "Requirements for | Wing, D., Fries, S., and H. Tschofenig, "Requirements for | |||
| a Media Security Key Management Protocol", | a Media Security Key Management Protocol", | |||
| draft-wing-media-security-requirements (work in progress), | draft-wing-media-security-requirements (work in progress), | |||
| June 2007. | June 2007. | |||
| [I-D.presence-im-requirements] | [I-D.presence-im-requirements] | |||
| Houri, A., Aoki, E., and S. Parameswar, "Presence and IM | Houri, A., Aoki, E., and S. Parameswar, "Presence and IM | |||
| Requirements", May 2007. | Requirements", May 2007. | |||
| skipping to change at page 21, line 34 | skipping to change at page 24, line 34 | |||
| its service description, server or device configurations and variable | its service description, server or device configurations and variable | |||
| based on peer relationships. | based on peer relationships. | |||
| A.1. Categories of Parameters and Justifications | A.1. Categories of Parameters and Justifications | |||
| The following list should be considered as an initial list of | The following list should be considered as an initial list of | |||
| "discussion topics" to be addressed by peers when initiating a VoIP | "discussion topics" to be addressed by peers when initiating a VoIP | |||
| peering relationship. | peering relationship. | |||
| o IP Network Connectivity: | o IP Network Connectivity: | |||
| Session peers must define how the IP network connectivity between | Session peers should define how the IP network connectivity | |||
| their respective SBEs and SDEs. While this is out of scope of | between their respective SBEs and SDEs. While this is out of | |||
| session peering, SSPs must agree on a common mechanism for IP | scope of session peering, SSPs must agree on a common mechanism | |||
| transport of session signaling and media. This may be accomplish | for IP transport of session signaling and media. This may be | |||
| via private (e.g. IPVPN, IPsec, etc.) or public IP networks. | accomplish via private (e.g. IPVPN, IPsec, etc.) or public IP | |||
| networks. | ||||
| o Media-related Parameters: | o Media-related Parameters: | |||
| * Media Codecs: list of supported media codecs for audio, real- | * Media Codecs: list of supported media codecs for audio, real- | |||
| time fax (version of T.38, if applicable), real-time text (RFC | time fax (version of T.38, if applicable), real-time text (RFC | |||
| 4103), DTMF transport, voice band data communications (as | 4103), DTMF transport, voice band data communications (as | |||
| applicable) along with the supported or recommended codec | applicable) along with the supported or recommended codec | |||
| packetization rates, level of RTP paylod redundancy, audio | packetization rates, level of RTP paylod redundancy, audio | |||
| volume levels, etc. | volume levels, etc. | |||
| * Media Transport: level of support for RTP-RTCP [RFC3550], RTP | * Media Transport: level of support for RTP-RTCP [RFC3550], RTP | |||
| Redundancy (RTP Payload for Redundant Audio Data - [RFC2198]) , | Redundancy (RTP Payload for Redundant Audio Data - [RFC2198]) , | |||
| T.38 transport over RTP, etc. | T.38 transport over RTP, etc. | |||
| * Other: support of the VoIP metric block as defined in RTP | * Other: support of the VoIP metric block as defined in RTP | |||
| Control Protocol Extended Reports [RFC3611] , etc. | Control Protocol Extended Reports [RFC3611] , etc. | |||
| o SIP: | o SIP: | |||
| * A session peering policy SHOULD include the list of supported | * A session peering policy should include the list of supported | |||
| and required SIP RFCs, supported and required SIP methods | and required SIP RFCs, supported and required SIP methods | |||
| (including private p headers if applicable), error response | (including private p headers if applicable), error response | |||
| codes, supported or recommended format of some header field | codes, supported or recommended format of some header field | |||
| values , etc. | values , etc. | |||
| * It should also be possible to describe the list of supported | * It should also be possible to describe the list of supported | |||
| SIP RFCs by various functional groupings. A group of SIP RFCs | SIP RFCs by various functional groupings. A group of SIP RFCs | |||
| may represent how a call feature is implemented (call hold, | may represent how a call feature is implemented (call hold, | |||
| transfer, conferencing, etc.), or it may indicate a functional | transfer, conferencing, etc.), or it may indicate a functional | |||
| grouping as in [I-D.ietf-sip-hitchhikers-guide]. | grouping as in [I-D.ietf-sip-hitchhikers-guide]. | |||
| o Presence and Instant Messaging: TBD | o Presence and Instant Messaging: TBD | |||
| o Accounting: | o Accounting: | |||
| Methods used for call or session accounting SHOULD be specified. | Methods used for call or session accounting should be specified. | |||
| An SSP may require a peer to track session usage. It is critical | An SSP may require a peer to track session usage. It is critical | |||
| for peers to determine whether the support of any SIP extensions | for peers to determine whether the support of any SIP extensions | |||
| for accounting is a pre-requisite for SIP interoperability. In | for accounting is a pre-requisite for SIP interoperability. In | |||
| some cases, call accounting may feed data for billing purposes but | some cases, call accounting may feed data for billing purposes but | |||
| not always: some operators may decide to use accounting as a 'bill | not always: some operators may decide to use accounting as a 'bill | |||
| and keep' model to track session usage and monitor usage against | and keep' model to track session usage and monitor usage against | |||
| service level agreements. | service level agreements. | |||
| [RFC3702] defines the terminology and basic requirements for | [RFC3702] defines the terminology and basic requirements for | |||
| accounting of SIP sessions. A few private SIP extensions have | accounting of SIP sessions. A few private SIP extensions have | |||
| also been defined and used over the years to enable call | also been defined and used over the years to enable call | |||
| skipping to change at page 23, line 8 | skipping to change at page 26, line 8 | |||
| SIP transactions per second on per domain basis, Session | SIP transactions per second on per domain basis, Session | |||
| Completion Rate (SCR), Session Establishment Rate (SER), etc. | Completion Rate (SCR), Session Establishment Rate (SER), etc. | |||
| Some SIP end-to-end performance metrics are defined in | Some SIP end-to-end performance metrics are defined in | |||
| [I-D.Malas-sip-performance]; a subset of these may be applicable | [I-D.Malas-sip-performance]; a subset of these may be applicable | |||
| to session peering and interconnects. | to session peering and interconnects. | |||
| Some media-related metrics for monitoring VoIP calls have been | Some media-related metrics for monitoring VoIP calls have been | |||
| defined in the VoIP Metrics Report Block, in Section 4.7 of | defined in the VoIP Metrics Report Block, in Section 4.7 of | |||
| [RFC3611]. | [RFC3611]. | |||
| o Security: | o Security: | |||
| A SSP SHOULD describe the security requirements that other peers | An SSP should describe the security requirements that other peers | |||
| must meet in order to terminate calls to its network. While such | must meet in order to terminate calls to its network. While such | |||
| a list of security-related policy parameters often depends on the | a list of security-related policy parameters often depends on the | |||
| security models pre-agreed to by peers, it is expected that these | security models pre-agreed to by peers, it is expected that these | |||
| parameters will be discoverable or signaled in the future to allow | parameters will be discoverable or signaled in the future to allow | |||
| session peering outside SSP clubs. The list of security | session peering outside SSP clubs. The list of security | |||
| parameters may be long and composed of high-level requirements | parameters may be long and composed of high-level requirements | |||
| (e.g. authentication, privacy, secure transport) and low level | (e.g. authentication, privacy, secure transport) and low level | |||
| protocol configuration elements like TLS parameters. | protocol configuration elements like TLS parameters. | |||
| The following list is not intended to be complete, it provides a | The following list is not intended to be complete, it provides a | |||
| preliminary list in the form of examples: | preliminary list in the form of examples: | |||
| skipping to change at page 23, line 31 | skipping to change at page 26, line 31 | |||
| only be admitted if certain criteria are met. For example, for | only be admitted if certain criteria are met. For example, for | |||
| some providers' networks, only incoming SIP sessions signaled | some providers' networks, only incoming SIP sessions signaled | |||
| over established IPSec tunnels or presented to the well-known | over established IPSec tunnels or presented to the well-known | |||
| TLS ports are admitted. Other call admission requirements may | TLS ports are admitted. Other call admission requirements may | |||
| be related to some performance metrics as descrived above. | be related to some performance metrics as descrived above. | |||
| Finally, it is possible that some requiremetns be imposed on | Finally, it is possible that some requiremetns be imposed on | |||
| lower layers, but these are considered out of scope of session | lower layers, but these are considered out of scope of session | |||
| peering. | peering. | |||
| * Call authorization requirements and validation: the presence of | * Call authorization requirements and validation: the presence of | |||
| a caller or user identity MAY be required by an SSP. Indeed, | a caller or user identity may be required by an SSP. Indeed, | |||
| some SSPs may further authorize an incoming session request by | some SSPs may further authorize an incoming session request by | |||
| validating the caller's identity against white/black lists | validating the caller's identity against white/black lists | |||
| maintained by the service provider or users (traditional caller | maintained by the service provider or users (traditional caller | |||
| ID screening applications or IM white list). | ID screening applications or IM white list). | |||
| * Privacy requirements: an SSP MAY demand that its SIP messages | * Privacy requirements: an SSP may demand that its SIP messages | |||
| be securely transported by its peers for privacy reasons so | be securely transported by its peers for privacy reasons so | |||
| that the calling/called party information be protected. Media | that the calling/called party information be protected. Media | |||
| sessions may also require privacy and some SSP policies may | sessions may also require privacy and some SSP policies may | |||
| include requirements on the use of secure media transport | include requirements on the use of secure media transport | |||
| protocols such as sRTP, along with some contraints on the | protocols such as sRTP, along with some contraints on the | |||
| minimum authentication/encryption options for use in sRTP. | minimum authentication/encryption options for use in sRTP. | |||
| * Network-layer security parameters: this covers how IPSec | * Network-layer security parameters: this covers how IPSec | |||
| security associated may be established, the IPSec key exchange | security associated may be established, the IPSec key exchange | |||
| mechanisms to be used and any keying materials, the lifetime of | mechanisms to be used and any keying materials, the lifetime of | |||
| End of changes. 61 change blocks. | ||||
| 238 lines changed or deleted | 305 lines changed or added | |||
This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||