--- 1/draft-ietf-speermint-requirements-04.txt 2008-06-27 23:12:15.000000000 +0200 +++ 2/draft-ietf-speermint-requirements-05.txt 2008-06-27 23:12:15.000000000 +0200 @@ -1,18 +1,18 @@ SPEERMINT Working Group J-F. Mule Internet-Draft CableLabs -Intended status: Informational February 25, 2008 -Expires: August 28, 2008 +Intended status: Informational June 27, 2008 +Expires: December 29, 2008 - SPEERMINT Requirements for SIP-based VoIP Interconnection - draft-ietf-speermint-requirements-04.txt + SPEERMINT Requirements for SIP-based Session Peering + draft-ietf-speermint-requirements-05.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that @@ -23,121 +23,113 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on August 28, 2008. + This Internet-Draft will expire on December 29, 2008. Copyright Notice Copyright (C) The IETF Trust (2008). Abstract - A number of use cases have been described for session peering of - voice, presence, instant messaging and other types of multimedia - traffic. This memo captures some of the requirements identified by - these use case scenarios. It is intended to become an informational - document linking the use cases to potential protocol solutions. + This memo captures protocol requirements identified for enabling + session peering of voice, presence, instant messaging and other types + of multimedia traffic. It is an informational document linking the + session peering use cases to protocol solutions. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. General Requirements . . . . . . . . . . . . . . . . . . . . . 5 3.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 5 - 3.2. Session Peering Points . . . . . . . . . . . . . . . . . . 5 + 3.2. Border Elements . . . . . . . . . . . . . . . . . . . . . 5 3.3. Session Establishment Data . . . . . . . . . . . . . . . . 8 3.3.1. User Identities and SIP URIs . . . . . . . . . . . . . 8 3.3.2. URI Reachability . . . . . . . . . . . . . . . . . . . 9 - 3.4. Other Considerations . . . . . . . . . . . . . . . . . . . 10 4. Considerations and Requirements for Session Peering of - Presence and Instant Messaging . . . . . . . . . . . . . . . . 12 - 5. Security Requirements . . . . . . . . . . . . . . . . . . . . 14 - 5.1. Security in SIP networks in the context of session - peering . . . . . . . . . . . . . . . . . . . . . . . . . 14 - 5.2. Security Requirements for the Lookup and Location - Routing Data . . . . . . . . . . . . . . . . . . . . . . . 14 - 5.3. Hop-by-hop Security for SIP Signaling and TLS - Considerations . . . . . . . . . . . . . . . . . . . . . . 15 - 5.4. End-to-End Media Security . . . . . . . . . . . . . . . . 16 - 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 - 8. Security Considerations . . . . . . . . . . . . . . . . . . . 19 - 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 - 9.1. Normative References . . . . . . . . . . . . . . . . . . . 20 - 9.2. Informative References . . . . . . . . . . . . . . . . . . 20 - Appendix A. Policy Parameters for Session Peering . . . . . . . . 23 - A.1. Categories of Parameters and Justifications . . . . . . . 23 + Presence and Instant Messaging . . . . . . . . . . . . . . . . 10 + 5. Security Requirements . . . . . . . . . . . . . . . . . . . . 12 + 5.1. Security Properties for the Acquisition of Session + Establishment Data . . . . . . . . . . . . . . . . . . . . 12 + 5.2. Security Properties for the SIP exchanges . . . . . . . . 13 + 5.3. End-to-End Media Security . . . . . . . . . . . . . . . . 13 + 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 + 8. Security Considerations . . . . . . . . . . . . . . . . . . . 16 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17 + 9.1. Normative References . . . . . . . . . . . . . . . . . . . 17 + 9.2. Informative References . . . . . . . . . . . . . . . . . . 17 + Appendix A. Policy Parameters for Session Peering . . . . . . . . 20 + A.1. Categories of Parameters and Justifications . . . . . . . 20 A.2. Summary of Parameters for Consideration in Session - Peering Policies . . . . . . . . . . . . . . . . . . . . . 26 - Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 27 - Intellectual Property and Copyright Statements . . . . . . . . . . 28 + Peering Policies . . . . . . . . . . . . . . . . . . . . . 23 + Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 25 + Intellectual Property and Copyright Statements . . . . . . . . . . 26 1. Introduction Peering at the session level represents an agreement between parties to allow the exchange of multimedia traffic. It is assumed that these sessions use the Session Initiation Protocol (SIP) protocol to enable peering between two or more actors. These actors are called SIP Service Providers (SSPs) and they are typically represented by users, user groups such as enterprises, real-time collaboration service communities, or other service providers offering voice or multimedia services. - Common terminology for SIP session peering is defined - ([I-D.ietf-speermint-terminology]) and a reference architecture is + Common terminology for SIP session peering is defined in + [I-D.ietf-speermint-terminology] and a reference architecture is described in [I-D.ietf-speermint-architecture]. A number of use - cases have been exposed by users of SIP services and various other - actors describing how layer-5 peering has been or could be deployed + cases describe how session peering has been or could be deployed based on the reference architecture ([I-D.ietf-speermint-voip-consolidated-usecases] and [I-D.ietf-speermint-consolidated-presence-im-usecases]). Peering at the session layer can be achieved on a bilateral basis (direct peering established directly between two SSPs), or on an - indirect basis via an intermediary (indirect peering via a third- - party SSP that has a trust relationship with the SSPs) - see the - terminology document for more details. + indirect basis via a session intermediary (indirect peering via a + third-party SSP that has a trust relationship with the SSPs) - see + the terminology document for more details. - This document first describes general requirements that have been - derived from the working group discussions. The use cases are then - analyzed in the spirit of extracting relevant protocol requirements - that must be met to accomplish the use cases. These requirements are - intended to be independent of the type of media exchanged such as - Voice over IP (VoIP), video telephony, and instant messaging. In the - case where some requirements are media-specific, we define them in a - separate section. + This document first describes general requirements. The use cases + are then analyzed in the spirit of extracting relevant protocol + requirements that must be met to accomplish the use cases. These + requirements are intended to be independent of the type of media + exchanged such as Voice over IP (VoIP), video telephony, and instant + messaging. Media-specific requirements are defined in separate + sections. It is not the goal of this document to mandate any particular use of IETF protocols by SIP Service Providers in order to establish session peering. Instead, the document highlights what requirements should be met and what protocols may be used to define the solution space. Finally, we conclude with a list of parameters for the definition of a session peering policy, provided in an informative appendix. It should be considered as an example of the information SIP Service Providers may have to discuss or agree on to exchange SIP traffic. 2. Terminology - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL - NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in - this document are to be interpreted as described in RFC 2119 - [RFC2119]. + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. - This document also reuses the SIP terminology defined in [I-D.ietf- + This document also reuses the terminology defined in [I-D.ietf- speermint-terminology]. It is assumed that the reader is familiar with the Session Description Protocol (SDP) [RFC4566] and the Session Initiation Protocol (SIP) [RFC3261]. 3. General Requirements The following sub-sections contain general requirements applicable to multiple use cases for multimedia session peering. 3.1. Scope @@ -161,44 +151,42 @@ reach a successful agreement but they are considered out of scope of the SPEERMINT working group. They include aspects such as SIP protocol support (e.g. SIP extensions and field conventions), media (e.g., type of media traffic to be exchanged, compatible media codecs and media transport protocols, mechanisms to ensure differentiated quality of service for media), SIP layer-3 IP connectivity between the Signaling Path and Data Path Border Elements, traffic capacity control (e.g. maximum number of SIP sessions at each ingress point, maximum number of concurrent IM or VoIP sessions), and accounting. - The informative Appendix A lists parameters that SPPs may consider - when discussing the technical aspects of SIP session peering. The - purpose of this list which has evolved through the working group use - case discussions is to capture the parameters that are considered - outside the scope of the protocol requirements. + The informative Appendix A lists parameters that may considered when + discussing the technical aspects of SIP session peering. The purpose + of this list which has evolved through the working group use case + discussions is to capture the parameters that are considered outside + the scope of the protocol requirements. -3.2. Session Peering Points +3.2. Border Elements - For session peering to be scalable and operationally manageable, - maximum flexibility should be given for how signaling path and media - path border elements are declared, dynamically advertised and - updated. + For border elements to be operationally manageable, maximum + flexibility should be given for how border elements are declared or + dynamically advertised. Indeed, in any session peering environment, there is a need for a SIP Service Provider to declare or dynamically advertise the SIP entities - that will face the peer's network. The media or data path border - elements are typically signaled dynamically in the session - description. + that will face the peer's network. The data path border elements are + typically signaled dynamically in the session description. The use cases defined ([I-D.ietf-speermint-voip-consolidated-usecases]) catalog the various - session peering points between SIP Service Providers; they include - Signaling Path Border Elements (SBEs) and SIP proxies (or any SIP - entity at the boundary of the Layer 5 network). + border elements between SIP Service Providers; they include Signaling + Path Border Elements (SBEs) and SIP proxies (or any SIP entity at the + boundary of the Layer 5 network). o Requirement #1: Protocol mechanisms must exist for a SIP Service Provider (SSP) to communicate the ingress Signaling Path Border Elements of its service domain. Notes on solution space: The SBEs may be advertised to session peers using static mechanisms or they may be dynamically advertised. There seems to be general agreement that [RFC3263] provides a solution for @@ -207,103 +195,83 @@ in cases where the DNS response varies based on who sends the query (peer-dependent SBEs, see below). o Requirement #2: Protocol mechanisms should exist for a SIP Service Provider (SSP) to communicate the egress SBEs of its service domain. Notes on motivations for this requirement: For the purposes of capacity planning, traffic engineering and call admission control, a SIP Service Provider may be asked where - it will generate SIP calls from. Note that this may not be - applicable to all types of session peering (voice may be a - particular case where this is needed -- at least based on current - practices). + it will generate SIP calls from. The SSP accepting calls from a + peer may wish to know where SIP calls will originate from (this + information is typically used by the terminating SSP). + Note that this may not be applicable to all types of session + peering (voice may be a particular case where this is needed -- at + least based on current practices). + While provisioning requirements are out-of-scope of this document, + some SSPs may find use for a mechanism to dynamically advertise or + discover the egress SBEs of a peer. If the SSP also provides media streams to its users as shown in the use cases for "Originating" and "Terminating" SSPs, a mechanism - should exist to allow SSPs to advertise their media border elements - responsible for egress and ingress data path border elements (DBEs), - if applicable. While some SPPs may have open policies and accept - media traffic from anywhere outside their network to anywhere inside - their network, some SSPs may want to optimize media delivery and - identify media paths between peers prior to traffic being sent (layer - 5 to layer 3 QoS mapping). + should exist to allow SSPs to advertise their egress and ingress data + path border elements (DBEs), if applicable. While some SSPs may have + open policies and accept media traffic from anywhere outside their + network to anywhere inside their network, some SSPs may want to + optimize media delivery and identify media paths between peers prior + to traffic being sent (layer 5 to layer 3 QoS mapping). o Requirement #3: Protocol mechanisms should be available to allow a SIP Service Provider to communicate its DBEs to its peers. Notes: Some SSPs engaged in SIP interconnects do exchange this type of DBE information today in a static manner. Some SSPs do not. Some SSPs may have some restrictions on the type of media traffic their SIP entities acting as SBEs are capable of establishing. In order to avoid a failed attempt to establish a session, a mechanism may be provided to allow SSPs to indicate if some restrictions exist on the type of media traffic: ingress and egress SBE points may be peer-dependent, and/or media-dependent. o Requirement #4: The mechanisms recommended for the declaration or advertisement of - SBE and DBE entities must allow for peer and media variability. + SBE and DBE entities must allow for peer variability. Notes on solution space: For advertising peer-dependent SBEs (peer variability), the solution space based on [RFC3263] is under specified and there are no know best current practices. Is DNS the right place for putting data that varies based on who asks? - For advertising media-dependent SBEs, solutions exist as long as - URIs are protocol-dependent URIs. A protocol-dependent URI like a - SIP URI can be mapped to more than one types of media. It should - be noted that some URIs like the IM URI are abstract ([RFC3428]) - and need to be translated to protocol dependent URIs. It is also - not possible to know what media is supported by the SIP SBE before - initiating a query by using mechanisms like [RFC3263]. - - The following example provides some additional motivations for the - above requirement on advertising media-dependent SBEs to peers. - In large multi-service SIP networks, an SSP chooses to have several - SBEs for receiving incoming SIP session requests (ingress SBEs), and - several SBEs for outgoing SIP session requests (egress SBEs). In - order to facilitate the operations, feature management, and - maintenance of its SBEs, the SSP opts for having distinct SBEs for - voice, real-time collaboration, etc. Some SBEs are therefore - dedicated to exchanging certain types of media traffic due to - specific SIP extensions required for certain media types (e.g. - SIMPLE, the SIP MESSAGE Method for Instant Messaging [RFC3428] or the - Message Sessions Relay Protocol (MSRP)). Note that this example is - applicable to some enterprise networks where IP voice traffic hits - different SIP gateways and voice servers (e.g. IP-PBX) than Instant - Messaging and real-time collaboration servers (e.g. real-time - collaboration and IM server supporting SIMPLE and XMPP). In the use cases provided as part of direct and indirect scenarios, an SSP deals with multiple SIP entities and multiple SBEs in its own domain. There is often a many-to-many relationship between SIP Proxies and Signaling path Border Elements. It should be possible for an SSP to define which egress SBE a SIP entity must use based on a given peer destination. For example, in the case of an indirect peering scenario (section 5.1.5 of [I-D.ietf-speermint-voip-consolidated-usecases], Figure 5), it should be possible for the O-Proxy to choose the appropriate O-SBE based on the information the O-Proxy receives from the Lookup Function (LUF) - or Location Routing Function (LRF) - message response labeled (3). - Note that this example also applies to the case of Direct Peering - when a service provider has multiple service areas and each service - area involves multiple SIP Proxies and a few SBEs. + and/or Location Routing Function (LRF) - message response labeled + (3). Note that this example also applies to the case of Direct + Peering when a service provider has multiple service areas and each + service area involves multiple SIP Proxies and a few SBEs. o Requirement #5: The mechanisms recommended for the lookup and location routing service must be capable or returning both a target URI destination - and a SIP Route. + and a value for the SIP Route header. Notes: solutions exist if the protocol used between the Proxy and the LUF/LRF is SIP; if ENUM is used, the author of this document does not know of any solution today. It is desirable for an SSP to be able to communicate how authentication of a peer's SBEs will occur (see the security requirements for more details). o Requirement #6: @@ -373,72 +341,20 @@ without requiring an SBE to initiate a SIP request. Furthermore, since each call setup implies the execution of any proposed algorithm, the establishment of a SIP session via peering should incur minimal overhead and delay, and employ caching wherever possible to avoid extra protocol round trips. o Requirement #9: The mechanisms for session peering must allow an SBE to locate its peer SBE given a URI type and the target SSP domain name. -3.4. Other Considerations - - The considerations listed below were gathered early on in the - SPEERMINT working group as part of discussions to define the scope of - the working group. They have not been updated in this revision of - the draft. - - o It is assumed that session peering is independent of lower layers. - The mechanisms used to establish session peering should - accommodate diverse supporting lower layers. It should not matter - whether lower layers rely on the public Internet or are - implemented by private L3 connectivity, using firewalls or L2/L3 - Virtual Private Networks (VPNs), IPSec tunnels or Transport Layer - Security (TLS) connections [RFC3546]... - - o Session Peering Policies and Extensibility: - Mechanisms developed for session peering should be flexible and - extensible to cover existing and future session peering models. - It is also recommended that SSP policies be published via local - configuration choices in a distributed system like DNS rather than - in a centralized system like a 'peering registry'. - In the context of session peering, a policy is defined as the set - of parameters and other information needed by an SPP to connect to - another. Some of the session policy parameters may be statically - exchanged and set throughout the lifetime of the peering - relationship. Others parameters may be discovered and updated - dynamically using by some explicit protocol mechanisms. These - dynamic parameters may also relate to an SSP's session-dependent - or session independent policies as defined in - [I-D.ietf-sipping-session-policy]. - - o Administrative and Technical Policies: - Various types of policy information may need to be discovered or - exchanged in order to establish session peering. At a minimum, a - policy should specify information related to session establishment - data in order to avoid session establishment failures. A policy - may also include information related to QoS, billing and - accounting, layer-3 related interconnect requirements which are - out of the scope of this document, see examples in Section - Appendix A. - - Motivations: - The reasons for declining or accepting incoming calls from a - prospective peering partner can be both administrative - (contractual, legal, commercial, or business decisions) and - technical (certain QoS parameters, TLS keys, domain keys, ...). - The objectives are to provide a baseline framework to define, - publish and optionally retrieve policy information so that a - session establishment does not need to be attempted to know that - incompatible policy parameters will cause the session to fail - (this was originally referred to as "no blocked calls"). - 4. Considerations and Requirements for Session Peering of Presence and Instant Messaging This section describes requirements for presence and instant messaging session peering. Several use cases for presence and instant messaging peering are described in [I-D.ietf-speermint-consolidated-presence-im-usecases], a document authored by A. Houri, E. Aoki and S. Parameswar. Credits for this section must go to A. Houri, E. Aoki and S. Parameswar. @@ -503,284 +419,219 @@ for different properties that exist in PIDF. For example "Do Not Disturb" may be translated to "Busy" in another system. In order to make sure that the meaning of the status is preserved, there is a need that either each system will translate its internal statuses to standard PIDF based statuses of a translation table of proprietary statuses to standard based PIDF statuses will be provided from one system to the other. 5. Security Requirements - Session peering does bring a new environment in which security - requirements should be analyzed but the fundamental mechanisms for - securing SIP and media exchanges remain applicable (see Section 26.2 - of [RFC3261]. The issues are less in the mechanisms that do exist - and can be used to mitigate threats than they are in getting two SSPs - to agree on which ones to use. - - This section first provides a broad picture of the various mechanisms - used today in the context of SIP session peering. We then describe - security considerations for the three types of information flows - described in the use cases: the data queried from the Lookup or - Location Routing Functions, data exchanged in the SIP signaling - between SSPs (directly and indirectly), and media. - -5.1. Security in SIP networks in the context of session peering + This section describes the security properties that are desirable for + the protocol exchanges in scope of session peering. Three types of + information flows are described in the architecture and use case + documents: the acquisition of the Session Establishment Data (SED) + based on a destination target via the Lookup and Location Routing + Functions (LUF and LRF), the SIP signaling between SIP Service + Providers, and the associated media exchanges. - In today's SIP deployments, various approaches exist to secure - exchanges between SIP Service Providers. Lookup, signaling and media - security are the three primary topics for consideration in most - deployments. - A number of transport, network and session-level mechanisms are used - for SIP by some categories of SSPs. TLS is used in the enterprise - networks for applications such as VoIP and secure Instant Messaging - and session-level security is used end-to-end for some instant - messaging systems or in service provider networks for Instant - Messaging and presence applications. At the network-level, IPsec and - L2/L3 VPNs are widely used in some SSP networks where there is a - desire to secure all signaling and media traffic at or below the IP - layer. - Media level security between providers is not widely used today for - media transported using the Real-Time Protocol (RTP), even though it - is in use in few deployments where the privacy of voice and other RTP - media is critical. + This section is focused on three security services, authentication, + data confidentiality and data integrity as summarized in [RFC3365]. + However, this text does not specify the mandatory-to-implement + security mechanisms as required by [RFC3365]; this is left for future + protocol solutions that meet the requirements. A security threat analysis provides guidance for session peering - ([I-D.draft-niccolini-speermint-voipthreats]). More discussions - based on this threat analysis and use cases continue to be required - in the working group to define what hop-by-hop or end-to-end security - requirements are necessary in the context of session peering. + ([I-D.draft-niccolini-speermint-voipthreats]). -5.2. Security Requirements for the Lookup and Location Routing Data +5.1. Security Properties for the Acquisition of Session Establishment + Data The Look-Up Function (LUF) and Location Routing Function (LRF) are - defined in [I-D.ietf-speermint-terminology]. They provide a - mechanism for determining for a given request the target domain to - which the request should be routed, and SED required to route the - request to that domain. - - Requirement #15: - The protocols used for the LUF and LRF must allow the look-up and SED - data to be exchanged securely (authentication and encryption services - should be provided). - - Notes on the solution space: ENUM, SIP and proprietary protocols are - typically used today for accessing these functions. - -5.3. Hop-by-hop Security for SIP Signaling and TLS Considerations - - Given the direct and indirect peering uses cases referenced in the - previous sections of this document, hop-by-hop security between two - SSPs using Transport Layer Security (TLS) is desirable. - - The Transport Layer Security (TLS) is a standard way to secure - signaling between SIP entities. TLS can be used in direct peering to - mutually authenticate SSPs and provide message confidentiality and - integrity protection. The remaining paragraphs explore how TLS could - be deployed and used between 2 SSPs to secure SIP exchanges. The - intent is to capture what two SSPs should discuss and agree on in - order to establish TLS connections for SIP session peering. + defined in [I-D.ietf-speermint-terminology]. They provide mechanisms + for determining the SIP target address and domain the request should + be sent to, and the associated SED to route the request to that + domain. - 1. One or more Certificate Authorities (CAs) should be agreed - between SSPs for securing session peering exchanges. - Alternatively, self-signed certificates may also be used. + A mutual authentication service is desirable for the LUF and LRF + protocol exchanges. The response from the LUF and LRF may depend on + the identity of the requestor: the authentication of the LUF/LRF + requests is therefore a desirable property. Mutual authentication is + also desirable: the requestor may verify the identity of the systems + that provided the LUF/LRF responses given the nature of the data + returned in those responses. Authentication also provides some + protection for the availability of the LUF and LRF against attackers + that would attempt to launch DoS attacks by sending bogus requests + causing the LUF to perform a lookup and consume resources. - Motivations: - An SSP should have control over which root CAs it trusts for SIP - communications. This may imply creating a certificate trust list - and including the peer's CA for each authorized domain. In the - case of a federation, this requirement allows for the initiating - side to verify that the server certificate chains up to a trusted - root CA. This also means that SIP servers should allow the - configuration of a certificate trust list in order to allow an SSP - to control which peer's CAs are trusted for TLS connections. Note - that these considerations seem to be around two themes: one is - trusting a root, the other is trusting intermediate CAs. - There are various use cases of direct peering where there is no - pre-established trust relationship that can rely on self-signed - certificates. + Given the sensitive nature of the session establishment data + exchanged with the LUF and LRF functions, the protocol mechanisms + chosen for the lookup and location routing should offer data + confidentiality and integrity protection (SED data may contain user + addresses, SIP URI, location of SIP entities at the boundaries of SIP + Service Provider domains, etc.). - 2. Peers should indicate whether their domain policies require - proxy servers to inspect and verify the identity provided in SIP - requests as defined in [RFC4474]. Federations supporting - [RFC4474] and CA(s) must specify the CA(s) permitted to issue - certificates of the authentication service. + Requirement #15: + The data exchanges for the lookup and location routing MUST support + mutual authentication, data confidentiality and integrity. - 3. SIP entities and SBEs involved in the secure session - establishment over TLS must have valid X.509 certificates and must - be able to receive a TLS connection on a well-known port as - defined in [RFC3261]. + Notes on the solution space: ENUM, SIP and proprietary protocols are + typically used today for accessing these functions. SSPs may use + lower layer security mechanisms to guarantee some of those security + properties. - 4. The following SIP and TLS protocol parameters should be agreed - upon as part of session peering policies: the version of TLS - supported by SIP entities and SBEs (TLSv1, TLSv1.1), the SIP TLS - port (default 5061), the server-side session timeout (default 300 - seconds), the list of supported or recommended ciphersuites, the - list of trusted root CAs if applicable or whether self-signed - certs are acceptable. +5.2. Security Properties for the SIP exchanges - 5. SIP entities and SBEs involved in the session establishment - over TLS must verify and validate the client certificates. See - section 9 and 9.3 of [I-D.ietf-sip-certs]. + The fundamental mechanisms for securing SIP are applicable (see + Section 26.2 of [RFC3261], and [RFC4474]). - 6. A session peering policy should include details on SIP session - establishment over TLS if TLS is supported. + Authentication of SIP communications are desirable, especially in the + context of session peering involving SIP intermediaries. Data + confidentiality and integrity of the SIP message body may be + desirable given some of the levels of session peering indirection + (indirect/assisted peering), but they could be harmful as they may + prevent intermediary SSPs from "inserting" SBEs/DBEs along the + signaling and data paths. -5.4. End-to-End Media Security +5.3. End-to-End Media Security Media security is critical to guarantee end-to-end confidentiality of the communication between the end-users' devices, independently of how many direct or indirect peers are along the signaling path. - o Requirement #16: It is recommended that the establishment of media security be - provided along the media path and not over the signaling path - given the indirect peering use cases. + provided along the media path and not over the signaling path given + the indirect peering use cases. Notes on the solution space: - Media carried over the Real-Time Protocol (RTP) can be secured - using secure RTP or sRTP ([RFC3711]). A framework for - establishing sRTP security using Datagram TLS [RFC4347] is - described in [I-D.ietf-sip-dtls-srtp-framework]: it allows for - end-to-end media security establishment using extensions to DTLS - ([I-D.ietf-avt-dtls-srtp]). This DTLS-SRTP framework meets the - above requirement. + Media carried over the Real-Time Protocol (RTP) can be secured using + secure RTP or sRTP ([RFC3711]). A framework for establishing sRTP + security using Datagram TLS [RFC4347] is described in + [I-D.ietf-sip-dtls-srtp-framework]: it allows for end-to-end media + security establishment using extensions to DTLS + ([I-D.ietf-avt-dtls-srtp]). This DTLS-SRTP framework meets the above + requirement. Note that media can also be carried in numerous protocols other than RTP such as SIP (SIP MESSAGE method), MSRP, XMPP, etc. In these - cases, the above requirement is also met given the security features - of these protocols. + cases, it is desirable those those protocols offer data + confidentiality protection at a minimum. 6. Acknowledgments This document is a work-in-progress and it is based on the input and contributions made by a large number of people in the SPEERMINT working group, including: Edwin Aoki, Scott Brim, John Elwell, Mike Hammer, Avshalom Houri, Richard Shocky, Henry Sinnreich, Richard Stastny, Patrik Faltstrom, Otmar Lendl, Daryl Malas, Dave Meyer, Sriram Parameswar, Jon Peterson, Jason Livingood, Bob Natale, Benny Rodrig, Brian Rosen, Eric Rosenfeld, Adam Uzelac and Dan Wing. Specials thanks go to Rohan Mahy, Brian Rosen, John Elwell for their initial drafts describing guidelines or best current practices in various environments, and to Avshalom Houri, Edwin Aoki and Sriram Parameswar for authoring the presence and instant messaging requirements. 7. IANA Considerations - None. + This document does not register any values in IANA registries. 8. Security Considerations Securing session peering communications involves numerous protocol exchanges, first and foremost, the securing of SIP signaling and media sessions. The security considerations contained in [RFC3261], and [RFC4474] are applicable to the SIP protocol exchanges. A number of security considerations are also described in Section Section 5. 9. References 9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. 9.2. Informative References - [I-D.draft-malas-performance-metrics] + [I-D.draft-ietf-pmol-sip-perf-metrics] Malas, D., "SIP End-to-End Performance Metrics", - December 2007. + draft-ietf-pmol-sip-perf-metrics-01.txt (work in + progress), June 2008. [I-D.draft-niccolini-speermint-voipthreats] Niccolini, S., Chen, E., and J. Seedorf, "VoIP Security Threats relevant to SPEERMINT", draft-niccolini-speermint-voipthreats-03.txt (work in progress), February 2008. [I-D.houri-speermint-presence-im-requirements] Houri, A., Aoki, E., and S. Parameswar, "Presence and IM Requirements", May 2007. [I-D.ietf-avt-dtls-srtp] McGrew, D. and E. Rescorla, "DTLS Extensions to Establish - Keys for SRTP", draft-ietf-avt-dtls-srtp-01.txt (work in - progress), November 2007. - - [I-D.ietf-sip-certs] - Jennings, C., Peterson, J., and J. Fischl, "Certificate - Management Service for The Session Initiation Protocol - (SIP)", draft-ietf-sip-certs-05.txt (work in progress), - January 2008. + Keys for SRTP", draft-ietf-avt-dtls-srtp-02.txt (work in + progress), February 2008. [I-D.ietf-sip-dtls-srtp-framework] Fischl, J., Tschofenig, H., and E. Rescorla, "DTLS-SRTP Framework", draft-ietf-sip-dtls-srtp-framework-01 (work in progress), February 2008. [I-D.ietf-sip-hitchhikers-guide] Rosenberg, J., "A Hitchhikers Guide to the Session Initiation Protocol (SIP)", July 2007. - [I-D.ietf-sipping-session-policy] - Hilt, V. and G. Camarillo, "A Session Initiation Protocol - (SIP) Event Package for Session-Specific Session - Policies", draft-ietf-sipping-policy-package-04.txt (work - in progress), August 2007. - [I-D.ietf-speermint-architecture] Penno et al., R., "SPEERMINT Peering Architecture", - draft-ietf-speermint-architecture-04.txt (work in - progress), August 2007. + draft-ietf-speermint-architecture-06.txt (work in + progress), May 2008. [I-D.ietf-speermint-consolidated-presence-im-usecases] Houri, A., Aoki, E., and S. Parameswar, "Presence & Instant Messaging Peering Use Cases", draft-ietf-speermint-consolidated-presence-im-usecases-04 (work in progress), February 2008. [I-D.ietf-speermint-terminology] Meyer, R. and D. Malas, "SPEERMINT Terminology", draft-ietf-speermint-terminology-16.txt (work in progress), February 2008. [I-D.ietf-speermint-voip-consolidated-usecases] Uzelac et al., A., "VoIP SIP Peering Use Cases", - draft-ietf-speermint-voip-consolidated-usecases-05.txt - (work in progress), February 2008. + draft-ietf-speermint-voip-consolidated-usecases-08.txt + (work in progress), May 2008. [RFC2198] Perkins, C., Kouvelas, I., Hodson, O., Hardman, V., Handley, M., Bolot, J., Vega-Garcia, A., and S. Fosse- Parisis, "RTP Payload for Redundant Audio Data", RFC 2198, September 1997. [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. [RFC3263] Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol (SIP): Locating SIP Servers", RFC 3263, June 2002. - [RFC3428] Campbell, B., Rosenberg, J., Schulzrinne, H., Huitema, C., - and D. Gurle, "Session Initiation Protocol (SIP) Extension - for Instant Messaging", RFC 3428, December 2002. + [RFC3365] Schiller, J., "Strong Security Requirements for Internet + Engineering Task Force Standard Protocols", BCP 61, + RFC 3365, August 2002. [RFC3455] Garcia-Martin, M., Henrikson, E., and D. Mills, "Private Header (P-Header) Extensions to the Session Initiation Protocol (SIP) for the 3rd-Generation Partnership Project (3GPP)", RFC 3455, January 2003. - [RFC3546] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., - and T. Wright, "Transport Layer Security (TLS) - Extensions", RFC 3546, June 2003. - [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, July 2003. [RFC3603] Marshall, W. and F. Andreasen, "Private Session Initiation Protocol (SIP) Proxy-to-Proxy Extensions for Supporting the PacketCable Distributed Call Signaling Architecture", RFC 3603, October 2003. [RFC3611] Friedman, T., Caceres, R., and A. Clark, "RTP Control @@ -812,24 +663,42 @@ [RFC4474] Peterson, J. and C. Jennings, "Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)", RFC 4474, August 2006. [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session Description Protocol", RFC 4566, July 2006. Appendix A. Policy Parameters for Session Peering This informative section lists various types of parameters that - should be first considered by implementers when deciding what - configuration parameters to expose to system admins or management - stations, and second, by SSPs or federations of SSPs when discussing - the technical aspects of a session peering policy. + should be considered by implementers when deciding what configuration + parameters to expose to system administrators or management stations, + as well as SSPs or federations of SSPs when discussing the technical + aspects of a session peering policy. + + In the context of session peering, a policy can be defined as the set + of parameters and other information needed by an SSP to exchange + traffic with another peer. Some of the session policy parameters may + be statically exchanged and set throughout the lifetime of the + peering relationship. Others parameters may be discovered and + updated dynamically using by some explicit protocol mechanisms. + These dynamic parameters may also relate to an SSP's session- + dependent or session independent policies as defined in [I-D.ietf- + sipping-session-policy]. + + Various types of policy information may need to be discovered or + exchanged in order to establish session peering. At a minimum, a + policy should specify information related to session establishment + data in order to avoid session establishment failures. A policy may + also include information related to QoS, billing and accounting, + layer-3 related interconnect requirements which are out of the scope + of this document. Some aspects of session peering policies must be agreed to and manually implemented; they are static and are typically documented as part of a business contract, technical document or agreement between parties. For some parameters linked to protocol support and capabilities, standard ways of expressing those policy parameters may be defined among SSP and exchanged dynamically. For e.g., templates could be created in various document formats so that it could be possible to dynamically discover some of the domain policy. Such templates could be initiated by implementers (for each software/ @@ -903,21 +772,21 @@ Layer-5 performance metrics should be defined and shared between peers. The performance metrics apply directly to signaling or media; they may be used pro-actively to help avoid congestion, call quality issues or call signaling failures, and as part of monitoring techniques, they can be used to evaluate the performance of peering exchanges. Examples of SIP performance metrics include the maximum number of SIP transactions per second on per domain basis, Session Completion Rate (SCR), Session Establishment Rate (SER), etc. Some SIP end-to-end performance metrics are defined in - [I-D.draft-malas-performance-metrics]; a subset of these may be + [I-D.draft-ietf-pmol-sip-perf-metrics]; a subset of these may be applicable to session peering and interconnects. Some media-related metrics for monitoring VoIP calls have been defined in the VoIP Metrics Report Block, in Section 4.7 of [RFC3611]. o Security: An SSP should describe the security requirements that other peers must meet in order to terminate calls to its network. While such a list of security-related policy parameters often depends on the security models pre-agreed to by peers, it is expected that these