| draft-ietf-speermint-requirements-05.txt | draft-ietf-speermint-requirements-06.txt | |||
|---|---|---|---|---|
| SPEERMINT Working Group J-F. Mule | SPEERMINT Working Group J-F. Mule | |||
| Internet-Draft CableLabs | Internet-Draft CableLabs | |||
| Intended status: Informational June 27, 2008 | Intended status: Informational July 14, 2008 | |||
| Expires: December 29, 2008 | Expires: January 15, 2009 | |||
| SPEERMINT Requirements for SIP-based Session Peering | SPEERMINT Requirements for SIP-based Session Peering | |||
| draft-ietf-speermint-requirements-05.txt | draft-ietf-speermint-requirements-06.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 34 | skipping to change at page 1, line 34 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on December 29, 2008. | This Internet-Draft will expire on January 15, 2009. | |||
| Copyright Notice | ||||
| Copyright (C) The IETF Trust (2008). | ||||
| Abstract | Abstract | |||
| This memo captures protocol requirements identified for enabling | This memo captures protocol requirements to enable session peering of | |||
| session peering of voice, presence, instant messaging and other types | voice, presence, instant messaging and other types of multimedia | |||
| of multimedia traffic. It is an informational document linking the | traffic. It is based on the use cases that have been described in | |||
| session peering use cases to protocol solutions. | the speermint working group. This informational document is intended | |||
| to link the session peering use cases to protocol solutions. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. General Requirements . . . . . . . . . . . . . . . . . . . . . 5 | 3. General Requirements . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 3.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.2. Border Elements . . . . . . . . . . . . . . . . . . . . . 5 | 3.2. Border Elements . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.3. Session Establishment Data . . . . . . . . . . . . . . . . 8 | 3.3. Session Establishment Data . . . . . . . . . . . . . . . . 8 | |||
| 3.3.1. User Identities and SIP URIs . . . . . . . . . . . . . 8 | 3.3.1. User Identities and SIP URIs . . . . . . . . . . . . . 8 | |||
| 3.3.2. URI Reachability . . . . . . . . . . . . . . . . . . . 9 | 3.3.2. URI Reachability . . . . . . . . . . . . . . . . . . . 9 | |||
| 4. Considerations and Requirements for Session Peering of | 4. Considerations and Requirements for Session Peering of | |||
| Presence and Instant Messaging . . . . . . . . . . . . . . . . 10 | Presence and Instant Messaging . . . . . . . . . . . . . . . . 10 | |||
| 5. Security Requirements . . . . . . . . . . . . . . . . . . . . 12 | 5. Security Requirements . . . . . . . . . . . . . . . . . . . . 12 | |||
| 5.1. Security Properties for the Acquisition of Session | 5.1. Security Properties for the Acquisition of Session | |||
| Establishment Data . . . . . . . . . . . . . . . . . . . . 12 | Establishment Data . . . . . . . . . . . . . . . . . . . . 12 | |||
| 5.2. Security Properties for the SIP exchanges . . . . . . . . 13 | 5.2. Security Properties for the SIP signaling exchanges . . . 13 | |||
| 5.3. End-to-End Media Security . . . . . . . . . . . . . . . . 13 | 5.3. End-to-End Media Security . . . . . . . . . . . . . . . . 14 | |||
| 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 | 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 16 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . . 17 | 9.1. Normative References . . . . . . . . . . . . . . . . . . . 19 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . . 17 | 9.2. Informative References . . . . . . . . . . . . . . . . . . 19 | |||
| Appendix A. Policy Parameters for Session Peering . . . . . . . . 20 | Appendix A. Policy Parameters for Session Peering . . . . . . . . 22 | |||
| A.1. Categories of Parameters and Justifications . . . . . . . 20 | A.1. Categories of Parameters for VoIP Session Peering and | |||
| Justifications . . . . . . . . . . . . . . . . . . . . . . 22 | ||||
| A.2. Summary of Parameters for Consideration in Session | A.2. Summary of Parameters for Consideration in Session | |||
| Peering Policies . . . . . . . . . . . . . . . . . . . . . 23 | Peering Policies . . . . . . . . . . . . . . . . . . . . . 25 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 25 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
| Intellectual Property and Copyright Statements . . . . . . . . . . 26 | Intellectual Property and Copyright Statements . . . . . . . . . . 28 | |||
| 1. Introduction | 1. Introduction | |||
| Peering at the session level represents an agreement between parties | Peering at the session level represents an agreement between parties | |||
| to allow the exchange of multimedia traffic. It is assumed that | to allow the exchange of multimedia traffic. It is assumed that | |||
| these sessions use the Session Initiation Protocol (SIP) protocol to | these sessions use the Session Initiation Protocol (SIP) protocol to | |||
| enable peering between two or more actors. These actors are called | enable peering between two or more actors. These actors are called | |||
| SIP Service Providers (SSPs) and they are typically represented by | SIP Service Providers (SSPs) and they are typically represented by | |||
| users, user groups such as enterprises, real-time collaboration | users, user groups such as enterprises, real-time collaboration | |||
| service communities, or other service providers offering voice or | service communities, or other service providers offering voice or | |||
| multimedia services. | multimedia services using SIP. | |||
| Common terminology for SIP session peering is defined in | A reference architecture for SIP session peering is described in | |||
| [I-D.ietf-speermint-terminology] and a reference architecture is | [I-D.ietf-speermint-architecture]. A number of use cases describe | |||
| described in [I-D.ietf-speermint-architecture]. A number of use | how session peering has been or could be deployed based on the | |||
| cases describe how session peering has been or could be deployed | reference architecture | |||
| based on the reference architecture | ||||
| ([I-D.ietf-speermint-voip-consolidated-usecases] and | ([I-D.ietf-speermint-voip-consolidated-usecases] and | |||
| [I-D.ietf-speermint-consolidated-presence-im-usecases]). | [I-D.ietf-speermint-consolidated-presence-im-usecases]). | |||
| Peering at the session layer can be achieved on a bilateral basis | Peering at the session layer can be achieved on a bilateral basis | |||
| (direct peering established directly between two SSPs), or on an | (direct peering established directly between two SSPs), or on an | |||
| indirect basis via a session intermediary (indirect peering via a | indirect basis via a session intermediary (indirect peering via a | |||
| third-party SSP that has a trust relationship with the SSPs) - see | third-party SSP that has a trust relationship with the SSPs) - see | |||
| the terminology document for more details. | the terminology document for more details. | |||
| This document first describes general requirements. The use cases | This document first describes general requirements. The use cases | |||
| skipping to change at page 4, line 14 | skipping to change at page 4, line 14 | |||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| This document also reuses the terminology defined in [I-D.ietf- | This document also reuses the terminology defined in [I-D.ietf- | |||
| speermint-terminology]. It is assumed that the reader is familiar | speermint-terminology]. It is assumed that the reader is familiar | |||
| with the Session Description Protocol (SDP) [RFC4566] and the Session | with the Session Description Protocol (SDP) [RFC4566] and the Session | |||
| Initiation Protocol (SIP) [RFC3261]. | Initiation Protocol (SIP) [RFC3261]. Finally, when used with capital | |||
| letters, the terms 'Authentication Service' are to be understood as | ||||
| defined by SIP Identity [RFC4474]. | ||||
| 3. General Requirements | 3. General Requirements | |||
| The following sub-sections contain general requirements applicable to | The following sub-sections contain general requirements applicable to | |||
| multiple use cases for multimedia session peering. | multiple use cases for multimedia session peering. | |||
| 3.1. Scope | 3.1. Scope | |||
| The primary focus of this document is on the requirements applicable | The primary focus of this document is on the requirements applicable | |||
| to the boundaries of Layer 5 SIP networks: SIP entities and Signaling | to the boundaries of Layer 5 SIP networks: SIP entities, Signaling | |||
| path Border Elements (SBEs); any requirements touching SIP UA or end- | path Border Elements (SBEs), and the associated protocol requirements | |||
| devices are considered out of scope. | for the look-up and location routing of the session establishment | |||
| data. The requirements related to SIP UAs, the provisioning of the | ||||
| session data are considered out of scope. | ||||
| SSPs desiring to establish session peering relationships have to | SSPs desiring to establish session peering relationships have to | |||
| reach an agreement on numerous aspects. | reach an agreement on numerous points. | |||
| This document highlights only certain aspects of a session peering | This document highlights only certain aspects of a session peering | |||
| agreement, mostly the requirements relevant to protocols, including | agreement, mostly the requirements relevant to protocols: the | |||
| the declaration, advertisement and management of ingress and egress | declaration, advertisement and management of ingress and egress for | |||
| for session signaling and media, information related to the Session | session signaling and media, information related to the Session | |||
| Establishment Data (SED), and the security mechanisms a peer may use | Establishment Data (SED), and the security mechanisms a peer may use | |||
| to accept and secure session exchanges. | to accept and secure session exchanges. | |||
| Numerous other aspects of session peering arrangement are critical to | Numerous other considerations of session peering arrangement are | |||
| reach a successful agreement but they are considered out of scope of | critical to reach a successful agreement but they are considered out | |||
| the SPEERMINT working group. They include aspects such as SIP | of scope of the SPEERMINT working group. They include information | |||
| protocol support (e.g. SIP extensions and field conventions), media | about SIP protocol support (e.g. SIP extensions and field | |||
| (e.g., type of media traffic to be exchanged, compatible media codecs | conventions), media (e.g., type of media traffic to be exchanged, | |||
| and media transport protocols, mechanisms to ensure differentiated | compatible media codecs and media transport protocols, mechanisms to | |||
| quality of service for media), SIP layer-3 IP connectivity between | ensure differentiated quality of service for media), SIP layer-3 IP | |||
| the Signaling Path and Data Path Border Elements, traffic capacity | connectivity between the Signaling Path and Data Path Border | |||
| control (e.g. maximum number of SIP sessions at each ingress point, | Elements, traffic capacity control (e.g. maximum number of SIP | |||
| maximum number of concurrent IM or VoIP sessions), and accounting. | sessions at each ingress point, maximum number of concurrent IM or | |||
| VoIP sessions), and accounting. | ||||
| The informative Appendix A lists parameters that may considered when | The informative Appendix A lists parameters that may be considered | |||
| discussing the technical aspects of SIP session peering. The purpose | when discussing the technical parameters of SIP session peering. The | |||
| of this list which has evolved through the working group use case | purpose of this list is to capture the parameters that are considered | |||
| discussions is to capture the parameters that are considered outside | outside the scope of the protocol requirements. | |||
| the scope of the protocol requirements. | ||||
| 3.2. Border Elements | 3.2. Border Elements | |||
| For border elements to be operationally manageable, maximum | For border elements to be operationally manageable, maximum | |||
| flexibility should be given for how border elements are declared or | flexibility should be given for how they are declared or dynamically | |||
| dynamically advertised. | advertised. | |||
| Indeed, in any session peering environment, there is a need for a SIP | Indeed, in any session peering environment, there is a need for a SIP | |||
| Service Provider to declare or dynamically advertise the SIP entities | Service Provider to declare or dynamically advertise the SIP entities | |||
| that will face the peer's network. The data path border elements are | that will face the peer's network. The data path border elements are | |||
| typically signaled dynamically in the session description. | typically signaled dynamically in the session description. | |||
| The use cases defined | The use cases defined | |||
| ([I-D.ietf-speermint-voip-consolidated-usecases]) catalog the various | ([I-D.ietf-speermint-voip-consolidated-usecases]) catalog the various | |||
| border elements between SIP Service Providers; they include Signaling | border elements between SIP Service Providers; they include Signaling | |||
| Path Border Elements (SBEs) and SIP proxies (or any SIP entity at the | Path Border Elements (SBEs) and SIP proxies (or any SIP entity at the | |||
| boundary of the Layer 5 network). | boundary of the Layer 5 network). | |||
| o Requirement #1: | o Requirement #1: | |||
| Protocol mechanisms must exist for a SIP Service Provider (SSP) to | Protocol mechanisms must exist for a SIP Service Provider to | |||
| communicate the ingress Signaling Path Border Elements of its | communicate the ingress Signaling Path Border Elements of its | |||
| service domain. | service domain. | |||
| Notes on solution space: | Notes on solution space: | |||
| The SBEs may be advertised to session peers using static | The SBEs may be advertised to session peers using static | |||
| mechanisms or they may be dynamically advertised. There seems to | mechanisms or they may be dynamically advertised. There is | |||
| be general agreement that [RFC3263] provides a solution for | general agreement that [RFC3263] provides a solution for | |||
| dynamically advertising ingress SBEs in most cases of Direct or | dynamically advertising ingress SBEs in most cases of Direct or | |||
| Indirect peering. However, this DNS-based solution may be limited | Indirect peering. However, this DNS-based solution may be limited | |||
| in cases where the DNS response varies based on who sends the | in cases where the DNS response varies based on who sends the | |||
| query (peer-dependent SBEs, see below). | query (peer-dependent SBEs, see below). | |||
| o Requirement #2: | o Requirement #2: | |||
| Protocol mechanisms should exist for a SIP Service Provider (SSP) | Protocol mechanisms must exist for a SIP Service Provider to | |||
| to communicate the egress SBEs of its service domain. | communicate the egress SBEs of its service domain. | |||
| Notes on motivations for this requirement: | Notes on motivations for this requirement: | |||
| For the purposes of capacity planning, traffic engineering and | For the purposes of capacity planning, traffic engineering and | |||
| call admission control, a SIP Service Provider may be asked where | call admission control, a SIP Service Provider may be asked where | |||
| it will generate SIP calls from. The SSP accepting calls from a | it will generate SIP calls from. The SSP accepting calls from a | |||
| peer may wish to know where SIP calls will originate from (this | peer may wish to know where SIP calls will originate from (this | |||
| information is typically used by the terminating SSP). | information is typically used by the terminating SSP). | |||
| Note that this may not be applicable to all types of session | ||||
| peering (voice may be a particular case where this is needed -- at | ||||
| least based on current practices). | ||||
| While provisioning requirements are out-of-scope of this document, | While provisioning requirements are out-of-scope of this document, | |||
| some SSPs may find use for a mechanism to dynamically advertise or | some SSPs may find use for a mechanism to dynamically advertise or | |||
| discover the egress SBEs of a peer. | discover the egress SBEs of a peer. | |||
| If the SSP also provides media streams to its users as shown in the | If the SSP also provides media streams to its users as shown in the | |||
| use cases for "Originating" and "Terminating" SSPs, a mechanism | use cases for "Originating" and "Terminating" SSPs, a mechanism | |||
| should exist to allow SSPs to advertise their egress and ingress data | should exist to allow SSPs to advertise their egress and ingress data | |||
| path border elements (DBEs), if applicable. While some SSPs may have | path border elements (DBEs), if applicable. While some SSPs may have | |||
| open policies and accept media traffic from anywhere outside their | open policies and accept media traffic from anywhere outside their | |||
| network to anywhere inside their network, some SSPs may want to | network to anywhere inside their network, some SSPs may want to | |||
| optimize media delivery and identify media paths between peers prior | optimize media delivery and identify media paths between peers prior | |||
| to traffic being sent (layer 5 to layer 3 QoS mapping). | to traffic being sent (layer 5 to layer 3 QoS mapping). | |||
| o Requirement #3: | o Requirement #3: | |||
| Protocol mechanisms should be available to allow a SIP Service | Protocol mechanisms must allow a SIP Service Provider to | |||
| Provider to communicate its DBEs to its peers. | communicate its DBEs to its peers. | |||
| Notes: Some SSPs engaged in SIP interconnects do exchange this | Notes: Some SSPs engaged in SIP interconnects do exchange this | |||
| type of DBE information today in a static manner. Some SSPs do | type of DBE information today in a static manner. Some SSPs do | |||
| not. | not. | |||
| Some SSPs may have some restrictions on the type of media traffic | Some SSPs may have some restrictions on the type of media traffic | |||
| their SIP entities acting as SBEs are capable of establishing. In | their SIP entities acting as SBEs are capable of establishing. In | |||
| order to avoid a failed attempt to establish a session, a mechanism | order to avoid a failed attempt to establish a session, a mechanism | |||
| may be provided to allow SSPs to indicate if some restrictions exist | may be provided to allow SSPs to indicate if some restrictions exist | |||
| on the type of media traffic: ingress and egress SBE points may be | on the type of media traffic: ingress and egress SBE points may be | |||
| peer-dependent, and/or media-dependent. | peer-dependent, and/or media-dependent. | |||
| o Requirement #4: | o Requirement #4: | |||
| The mechanisms recommended for the declaration or advertisement of | The mechanisms recommended for the declaration or advertisement of | |||
| SBE and DBE entities must allow for peer variability. | SBE and DBE entities MUST allow for peer variability. | |||
| Notes on solution space: | Notes on solution space: | |||
| For advertising peer-dependent SBEs (peer variability), the | For advertising peer-dependent SBEs (peer variability), the | |||
| solution space based on [RFC3263] is under specified and there are | solution space based on [RFC3263] is under specified and there are | |||
| no know best current practices. Is DNS the right place for | no know best current practices. Is DNS the right place for | |||
| putting data that varies based on who asks? | putting data that varies based on who asks? | |||
| In the use cases provided as part of direct and indirect scenarios, | In the use cases provided as part of direct and indirect scenarios, | |||
| an SSP deals with multiple SIP entities and multiple SBEs in its own | an SSP deals with multiple SIP entities and multiple SBEs in its own | |||
| domain. There is often a many-to-many relationship between SIP | domain. There is often a many-to-many relationship between SIP | |||
| skipping to change at page 7, line 44 | skipping to change at page 7, line 43 | |||
| [I-D.ietf-speermint-voip-consolidated-usecases], Figure 5), it should | [I-D.ietf-speermint-voip-consolidated-usecases], Figure 5), it should | |||
| be possible for the O-Proxy to choose the appropriate O-SBE based on | be possible for the O-Proxy to choose the appropriate O-SBE based on | |||
| the information the O-Proxy receives from the Lookup Function (LUF) | the information the O-Proxy receives from the Lookup Function (LUF) | |||
| and/or Location Routing Function (LRF) - message response labeled | and/or Location Routing Function (LRF) - message response labeled | |||
| (3). Note that this example also applies to the case of Direct | (3). Note that this example also applies to the case of Direct | |||
| Peering when a service provider has multiple service areas and each | Peering when a service provider has multiple service areas and each | |||
| service area involves multiple SIP Proxies and a few SBEs. | service area involves multiple SIP Proxies and a few SBEs. | |||
| o Requirement #5: | o Requirement #5: | |||
| The mechanisms recommended for the lookup and location routing | The mechanisms recommended for the lookup and location routing | |||
| service must be capable or returning both a target URI destination | functions MUST be capable of returning both a target URI | |||
| and a value for the SIP Route header. | destination and a value for the SIP Route header. | |||
| Notes: solutions exist if the protocol used between the Proxy and | Notes: solutions exist if the protocol used between the Proxy and | |||
| the LUF/LRF is SIP; if ENUM is used, the author of this document | the LUF/LRF is SIP; if ENUM is used, the author of this document | |||
| does not know of any solution today. | does not know of any solution today. | |||
| It is desirable for an SSP to be able to communicate how | It is desirable for an SSP to be able to communicate how | |||
| authentication of a peer's SBEs will occur (see the security | authentication of a peer's SBEs will occur (see the security | |||
| requirements for more details). | requirements for more details). | |||
| o Requirement #6: | o Requirement #6: | |||
| The mechanisms recommended for locating a peer's SBE must be able | The mechanisms recommended for locating a peer's SBE MUST be able | |||
| to convey how a peer should initiate secure session establishment. | to convey how a peer should initiate secure session establishment. | |||
| Notes : certain mechanisms exist; for example, the required | Notes : certain mechanisms exist; for example, the required | |||
| protocol use of SIP over TLS may be discovered via [RFC3263]. | protocol use of SIP over TLS may be discovered via [RFC3263]. | |||
| 3.3. Session Establishment Data | 3.3. Session Establishment Data | |||
| The Session Establishment Data (SED) is defined in | The Session Establishment Data (SED) is defined in | |||
| [I-D.ietf-speermint-terminology] as the data used to route a call to | [I-D.ietf-speermint-terminology] as the data used to route a call to | |||
| the next hop associated with the called domain's ingress point. The | the next hop associated with the called domain's ingress point. The | |||
| skipping to change at page 8, line 30 | skipping to change at page 8, line 28 | |||
| data. | data. | |||
| 3.3.1. User Identities and SIP URIs | 3.3.1. User Identities and SIP URIs | |||
| User identities used between peers can be represented in many | User identities used between peers can be represented in many | |||
| different formats. Session Establishment Data should rely on URIs | different formats. Session Establishment Data should rely on URIs | |||
| (Uniform Resource Identifiers, [RFC3986]) and SIP URIs should be | (Uniform Resource Identifiers, [RFC3986]) and SIP URIs should be | |||
| preferred over tel URIs ([RFC3966]) for session peering of VoIP | preferred over tel URIs ([RFC3966]) for session peering of VoIP | |||
| traffic. | traffic. | |||
| The use of DNS domain names and hostnames is recommended in SIP URIs | The use of DNS domain names and hostnames is recommended in SIP URIs | |||
| and they should be resolvable on the public Internet. It is | and they should be resolvable on the public Internet. As for the | |||
| recommended that the host part of SIP URIs contain a fully-qualified | ||||
| domain name instead of a numeric IPv4 or IPv6 address. As for the | ||||
| user part of the SIP URIs, the mechanisms for session peering should | user part of the SIP URIs, the mechanisms for session peering should | |||
| not require an SSP to be aware of which individual user identities | not require an SSP to be aware of which individual user identities | |||
| are valid within its peer's domain. | are valid within its peer's domain. | |||
| o Requirement #7: | o Requirement #7: | |||
| The protocols used for session peering must accommodate the use of | The protocols used for session peering MUST accommodate the use of | |||
| different types of URIs. URIs with the same domain-part should | different types of URIs. URIs with the same domain-part SHOULD | |||
| share the same set of peering policies, thus the domain of the SIP | share the same set of peering policies, thus the domain of the SIP | |||
| URI may be used as the primary key to any information regarding | URI may be used as the primary key to any information regarding | |||
| the reachability of that SIP URI. | the reachability of that SIP URI. The host part of SIP URIs | |||
| SHOULD contain a fully-qualified domain name instead of a numeric | ||||
| IPv4 or IPv6 address. | ||||
| o Requirement #8: | o Requirement #8: | |||
| The mechanisms for session peering should not require an SSP to be | The mechanisms for session peering should not require an SSP to be | |||
| aware of which individual user identities are valid within its | aware of which individual user identities are valid within its | |||
| peer's domain. | peer's domain. | |||
| o Notes on the solution space for #7 and #8: | o Notes on the solution space for #7 and #8: | |||
| This is generally well supported by IETF protocols. When | This is generally well supported by IETF protocols. When | |||
| telephone numbers are in tel URIs, SIP requests cannot be routed | telephone numbers are in tel URIs, SIP requests cannot be routed | |||
| in accordance with the traditional DNS resolution procedures | in accordance with the traditional DNS resolution procedures | |||
| skipping to change at page 9, line 30 | skipping to change at page 9, line 27 | |||
| to locate and retrieve the domain's policy and SBE entities. | to locate and retrieve the domain's policy and SBE entities. | |||
| For example, an originating service provider must be able to | For example, an originating service provider must be able to | |||
| determine whether a SIP URI is open for direct interconnection | determine whether a SIP URI is open for direct interconnection | |||
| without requiring an SBE to initiate a SIP request. Furthermore, | without requiring an SBE to initiate a SIP request. Furthermore, | |||
| since each call setup implies the execution of any proposed | since each call setup implies the execution of any proposed | |||
| algorithm, the establishment of a SIP session via peering should | algorithm, the establishment of a SIP session via peering should | |||
| incur minimal overhead and delay, and employ caching wherever | incur minimal overhead and delay, and employ caching wherever | |||
| possible to avoid extra protocol round trips. | possible to avoid extra protocol round trips. | |||
| o Requirement #9: | o Requirement #9: | |||
| The mechanisms for session peering must allow an SBE to locate its | The mechanisms for session peering MUST allow an SBE to locate its | |||
| peer SBE given a URI type and the target SSP domain name. | peer SBE given a URI type and the target SSP domain name. | |||
| 4. Considerations and Requirements for Session Peering of Presence and | 4. Considerations and Requirements for Session Peering of Presence and | |||
| Instant Messaging | Instant Messaging | |||
| This section describes requirements for presence and instant | This section describes requirements for presence and instant | |||
| messaging session peering. Several use cases for presence and | messaging session peering. Several use cases for presence and | |||
| instant messaging peering are described in | instant messaging peering are described in | |||
| [I-D.ietf-speermint-consolidated-presence-im-usecases], a document | [I-D.ietf-speermint-consolidated-presence-im-usecases], a document | |||
| authored by A. Houri, E. Aoki and S. Parameswar. Credits for this | authored by A. Houri, E. Aoki and S. Parameswar. Credits for this | |||
| section must go to A. Houri, E. Aoki and S. Parameswar. | section must go to A. Houri, E. Aoki and S. Parameswar. | |||
| The following requirements for presence and instant messaging session | The following requirements for presence and instant messaging session | |||
| peering are derived from | peering are derived from | |||
| [I-D.ietf-speermint-consolidated-presence-im-usecases] and | [I-D.ietf-speermint-consolidated-presence-im-usecases] and an initial | |||
| [I-D.houri-speermint-presence-im-requirements]: | set of related requirements published by A. Houri, E. Aoki and S. | |||
| Parameswar: | ||||
| o Requirement #10: | o Requirement #10: | |||
| The mechanisms recommended for the exchange of presence | The mechanisms recommended for the exchange of presence | |||
| information between SSPs MUST allow a user of one SSP's presence | information between SSPs MUST allow a user of one SSP's presence | |||
| community to subscribe presentities served by another SSP via its | community to subscribe presentities served by another SSP via its | |||
| local community, including subscriptions to a single presentity, a | local community, including subscriptions to a single presentity, a | |||
| personal, public or ad-hoc group list of presentities. | personal, public or ad-hoc group list of presentities. | |||
| Notes: see section 2.2 of | Notes: see section 2.2 of | |||
| [I-D.ietf-speermint-consolidated-presence-im-usecases]. | [I-D.ietf-speermint-consolidated-presence-im-usecases]. | |||
| skipping to change at page 12, line 22 | skipping to change at page 12, line 22 | |||
| Functions (LUF and LRF), the SIP signaling between SIP Service | Functions (LUF and LRF), the SIP signaling between SIP Service | |||
| Providers, and the associated media exchanges. | Providers, and the associated media exchanges. | |||
| This section is focused on three security services, authentication, | This section is focused on three security services, authentication, | |||
| data confidentiality and data integrity as summarized in [RFC3365]. | data confidentiality and data integrity as summarized in [RFC3365]. | |||
| However, this text does not specify the mandatory-to-implement | However, this text does not specify the mandatory-to-implement | |||
| security mechanisms as required by [RFC3365]; this is left for future | security mechanisms as required by [RFC3365]; this is left for future | |||
| protocol solutions that meet the requirements. | protocol solutions that meet the requirements. | |||
| A security threat analysis provides guidance for session peering | A security threat analysis provides guidance for session peering | |||
| ([I-D.draft-niccolini-speermint-voipthreats]). | ([I-D.niccolini-speermint-voipthreats]). | |||
| 5.1. Security Properties for the Acquisition of Session Establishment | 5.1. Security Properties for the Acquisition of Session Establishment | |||
| Data | Data | |||
| The Look-Up Function (LUF) and Location Routing Function (LRF) are | The Look-Up Function (LUF) and Location Routing Function (LRF) are | |||
| defined in [I-D.ietf-speermint-terminology]. They provide mechanisms | defined in [I-D.ietf-speermint-terminology]. They provide mechanisms | |||
| for determining the SIP target address and domain the request should | for determining the SIP target address and domain the request should | |||
| be sent to, and the associated SED to route the request to that | be sent to, and the associated SED to route the request to that | |||
| domain. | domain. | |||
| o Requirement #15: | ||||
| The protocols used to query the Lookup and Location Routing | ||||
| Functions MUST support mutual authentication. | ||||
| Motivations: | ||||
| A mutual authentication service is desirable for the LUF and LRF | A mutual authentication service is desirable for the LUF and LRF | |||
| protocol exchanges. The response from the LUF and LRF may depend on | protocol exchanges. The response from the LUF and LRF may depend | |||
| the identity of the requestor: the authentication of the LUF/LRF | on the identity of the requestor: the authentication of the LUF/ | |||
| requests is therefore a desirable property. Mutual authentication is | LRF requests is therefore a desirable property. Mutual | |||
| also desirable: the requestor may verify the identity of the systems | authentication is also desirable: the requestor may verify the | |||
| that provided the LUF/LRF responses given the nature of the data | identity of the systems that provided the LUF/LRF responses given | |||
| returned in those responses. Authentication also provides some | the nature of the data returned in those responses. | |||
| protection for the availability of the LUF and LRF against attackers | Authentication also provides some protection for the availability | |||
| that would attempt to launch DoS attacks by sending bogus requests | of the LUF and LRF against attackers that would attempt to launch | |||
| causing the LUF to perform a lookup and consume resources. | DoS attacks by sending bogus requests causing the LUF to perform a | |||
| lookup and consume resources. | ||||
| o Requirement #16: | ||||
| The protocols used to query the Lookup and Location Routing | ||||
| Functions MUST provide support for data confidentiality and | ||||
| integrity. | ||||
| Motivations: | ||||
| Given the sensitive nature of the session establishment data | Given the sensitive nature of the session establishment data | |||
| exchanged with the LUF and LRF functions, the protocol mechanisms | exchanged with the LUF and LRF functions, the protocol mechanisms | |||
| chosen for the lookup and location routing should offer data | chosen for the lookup and location routing should offer data | |||
| confidentiality and integrity protection (SED data may contain user | confidentiality and integrity protection (SED data may contain | |||
| addresses, SIP URI, location of SIP entities at the boundaries of SIP | user addresses, SIP URI, location of SIP entities at the | |||
| Service Provider domains, etc.). | boundaries of SIP Service Provider domains, etc.). | |||
| Requirement #15: | o Notes on the solution space for Requirements #15 and #16: ENUM, | |||
| The data exchanges for the lookup and location routing MUST support | SIP and proprietary protocols are typically used today for | |||
| mutual authentication, data confidentiality and integrity. | accessing these functions. Even though SSPs may use lower layer | |||
| security mechanisms to guarantee some of those security | ||||
| properties, candidate protocols for the LUF and LRF must meet the | ||||
| above requirements. | ||||
| Notes on the solution space: ENUM, SIP and proprietary protocols are | 5.2. Security Properties for the SIP signaling exchanges | |||
| typically used today for accessing these functions. SSPs may use | ||||
| lower layer security mechanisms to guarantee some of those security | ||||
| properties. | ||||
| 5.2. Security Properties for the SIP exchanges | While the SIP signaling exchanges are out of scope of speermint, this | |||
| section describes some of the security properties that are desirable | ||||
| in the context of SIP interconnects between SSPs. | ||||
| The fundamental mechanisms for securing SIP are applicable (see | In general, the security properties desirable for the SIP exchanges | |||
| Section 26.2 of [RFC3261], and [RFC4474]). | in an inter-domain context apply to session peering. These include: | |||
| Authentication of SIP communications are desirable, especially in the | o securing the transport of SIP messages between the peers' SBEs. | |||
| context of session peering involving SIP intermediaries. Data | Authentication of SIP communications is desirable, especially in | |||
| the context of session peering involving SIP intermediaries. Data | ||||
| confidentiality and integrity of the SIP message body may be | confidentiality and integrity of the SIP message body may be | |||
| desirable given some of the levels of session peering indirection | desirable as well given some of the levels of session peering | |||
| (indirect/assisted peering), but they could be harmful as they may | indirection (indirect/assisted peering), but they could be harmful | |||
| prevent intermediary SSPs from "inserting" SBEs/DBEs along the | as they may prevent intermediary SSPs from "inserting" SBEs/DBEs | |||
| signaling and data paths. | along the signaling and data paths. | |||
| o providing an Authentication Service to authenticate the identity | ||||
| of connected users based on the SIP Service Provider domains (for | ||||
| both the SIP requests and the responses). | ||||
| The fundamental mechanisms for securing SIP between proxy servers | ||||
| intra- and inter-domain are applicable to session peering; refer to | ||||
| Section 26.2 of [RFC3261] for transport-layer security of SIP | ||||
| messages using TLS, [I-D.ietf-sip-connect-reuse] for establishing TLS | ||||
| connections between proxies, [RFC4474] for the protocol mechanisms to | ||||
| verify the identity of the senders of SIP requests in an inter-domain | ||||
| context, and [RFC4916] for verifying the identity of the sender of | ||||
| SIP responses). | ||||
| o Requirement #17: | ||||
| The security properties provided by the protocol mechanisms | ||||
| defined in Section 26.2 of [RFC3261] and | ||||
| [I-D.ietf-sip-connect-reuse] for transport-layer security, and by | ||||
| [RFC4474], and [RFC4916] for SIP identity MUST be met in the | ||||
| context of the speermint architecture. | ||||
| Motivations: | ||||
| The motivations for this requirement are provided in the above | ||||
| paragraphs. | ||||
| o Discussion points around Requirement #17: | ||||
| The above text captures the super-set of security properties that | ||||
| 2 SSPs would ever want. The question is why would SSPs need RFC | ||||
| 4474 if they have hop-by-hop security and connection reuse | ||||
| underneath? What additional properties would RFC4474 provide in | ||||
| this context? | ||||
| On a different note, is it reasonable to say that SSPs need the | ||||
| validation of the sender of the request using SIP Identity RFC | ||||
| 4474 for every request? If yes, have folks considered the impact | ||||
| of requiring the computation and verification of the SIP Identity | ||||
| field value for every request? | ||||
| 5.3. End-to-End Media Security | 5.3. End-to-End Media Security | |||
| Media security is critical to guarantee end-to-end confidentiality of | Media security is critical to guarantee end-to-end confidentiality of | |||
| the communication between the end-users' devices, independently of | the communication between the end-users' devices, independently of | |||
| how many direct or indirect peers are along the signaling path. | how many direct or indirect peers are present along the signaling | |||
| path. A number of desirable security properties emerge from this | ||||
| It is recommended that the establishment of media security be | goal. | |||
| provided along the media path and not over the signaling path given | ||||
| the indirect peering use cases. | ||||
| Notes on the solution space: | The establishment of media security may be achieved along the media | |||
| Media carried over the Real-Time Protocol (RTP) can be secured using | path and not over the signaling path given the indirect peering use | |||
| secure RTP or sRTP ([RFC3711]). A framework for establishing sRTP | cases. | |||
| security using Datagram TLS [RFC4347] is described in | For example, media carried over the Real-Time Protocol (RTP) can be | |||
| [I-D.ietf-sip-dtls-srtp-framework]: it allows for end-to-end media | secured using secure RTP (SRTP [RFC3711]). A framework for | |||
| establishing SRTP security using Datagram TLS [RFC4347] is described | ||||
| in [I-D.ietf-sip-dtls-srtp-framework]: it allows for end-to-end media | ||||
| security establishment using extensions to DTLS | security establishment using extensions to DTLS | |||
| ([I-D.ietf-avt-dtls-srtp]). This DTLS-SRTP framework meets the above | ([I-D.ietf-avt-dtls-srtp]). | |||
| requirement. | It should also be noted that media can be carried in numerous | |||
| protocols other than RTP such as SIP (SIP MESSAGE method), MSRP, | ||||
| XMPP, etc., over TCP ([RFC4571]), and that it can be encrypted over | ||||
| secure connection-oriented transport sessions over TLS ([RFC4572]). | ||||
| Note that media can also be carried in numerous protocols other than | A desirable security property for session peering is that SIP | |||
| RTP such as SIP (SIP MESSAGE method), MSRP, XMPP, etc. In these | entities should not intervene in the Session Description Protocol | |||
| cases, it is desirable those those protocols offer data | (SDP) exchanges for end-to-end media security. | |||
| confidentiality protection at a minimum. | ||||
| o Requirement #18: | ||||
| The protocols used to enable session peering MUST NOT interfere | ||||
| with the exchanges of media security attributes in SDP. Media | ||||
| attribute lines that are not understood by SBEs MUST be ignored | ||||
| and passed along the signaling path untouched. | ||||
| 6. Acknowledgments | 6. Acknowledgments | |||
| This document is a work-in-progress and it is based on the input and | This document is based on the input and contributions made by a large | |||
| contributions made by a large number of people in the SPEERMINT | number of people in the SPEERMINT working group, including: Edwin | |||
| working group, including: Edwin Aoki, Scott Brim, John Elwell, Mike | Aoki, Scott Brim, John Elwell, Mike Hammer, Avshalom Houri, Richard | |||
| Hammer, Avshalom Houri, Richard Shocky, Henry Sinnreich, Richard | Shocky, Henry Sinnreich, Richard Stastny, Patrik Faltstrom, Otmar | |||
| Stastny, Patrik Faltstrom, Otmar Lendl, Daryl Malas, Dave Meyer, | Lendl, Daryl Malas, Dave Meyer, Sriram Parameswar, Jon Peterson, | |||
| Sriram Parameswar, Jon Peterson, Jason Livingood, Bob Natale, Benny | Jason Livingood, Bob Natale, Benny Rodrig, Brian Rosen, Eric | |||
| Rodrig, Brian Rosen, Eric Rosenfeld, Adam Uzelac and Dan Wing. | Rosenfeld, Adam Uzelac, and David Schwartz. | |||
| Specials thanks go to Rohan Mahy, Brian Rosen, John Elwell for their | Specials thanks go to Rohan Mahy, Brian Rosen, John Elwell for their | |||
| initial drafts describing guidelines or best current practices in | initial drafts describing guidelines or best current practices in | |||
| various environments, and to Avshalom Houri, Edwin Aoki and Sriram | various environments, to Avshalom Houri, Edwin Aoki and Sriram | |||
| Parameswar for authoring the presence and instant messaging | Parameswar for authoring the presence and instant messaging | |||
| requirements. | requirements and to Dan Wing for providing detailed feedback on the | |||
| security consideration sections. | ||||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This document does not register any values in IANA registries. | This document does not register any values in IANA registries. | |||
| 8. Security Considerations | 8. Security Considerations | |||
| Securing session peering communications involves numerous protocol | Securing session peering communications involves numerous protocol | |||
| exchanges, first and foremost, the securing of SIP signaling and | exchanges, first and foremost, the securing of SIP signaling and | |||
| media sessions. The security considerations contained in [RFC3261], | media sessions. The security considerations contained in [RFC3261], | |||
| skipping to change at page 17, line 14 | skipping to change at page 19, line 14 | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [I-D.draft-ietf-pmol-sip-perf-metrics] | [I-D.ietf-avt-dtls-srtp] | |||
| Malas, D., "SIP End-to-End Performance Metrics", | McGrew, D. and E. Rescorla, "Datagram Transport Layer | |||
| draft-ietf-pmol-sip-perf-metrics-01.txt (work in | Security (DTLS) Extension to Establish Keys for Secure | |||
| progress), June 2008. | Real-time Transport Protocol (SRTP)", | |||
| draft-ietf-avt-dtls-srtp-02 (work in progress), | ||||
| [I-D.draft-niccolini-speermint-voipthreats] | February 2008. | |||
| Niccolini, S., Chen, E., and J. Seedorf, "VoIP Security | ||||
| Threats relevant to SPEERMINT", | ||||
| draft-niccolini-speermint-voipthreats-03.txt (work in | ||||
| progress), February 2008. | ||||
| [I-D.houri-speermint-presence-im-requirements] | [I-D.ietf-pmol-sip-perf-metrics] | |||
| Houri, A., Aoki, E., and S. Parameswar, "Presence and IM | Malas, D., "SIP End-to-End Performance Metrics", | |||
| Requirements", May 2007. | draft-ietf-pmol-sip-perf-metrics-01 (work in progress), | |||
| June 2008. | ||||
| [I-D.ietf-avt-dtls-srtp] | [I-D.ietf-sip-connect-reuse] | |||
| McGrew, D. and E. Rescorla, "DTLS Extensions to Establish | Mahy, R., Gurbani, V., and B. Tate, "Connection Reuse in | |||
| Keys for SRTP", draft-ietf-avt-dtls-srtp-02.txt (work in | the Session Initiation Protocol (SIP)", | |||
| progress), February 2008. | draft-ietf-sip-connect-reuse-10 (work in progress), | |||
| May 2008. | ||||
| [I-D.ietf-sip-dtls-srtp-framework] | [I-D.ietf-sip-dtls-srtp-framework] | |||
| Fischl, J., Tschofenig, H., and E. Rescorla, "DTLS-SRTP | Fischl, J., Tschofenig, H., and E. Rescorla, "Framework | |||
| Framework", draft-ietf-sip-dtls-srtp-framework-01 (work in | for Establishing an SRTP Security Context using DTLS", | |||
| progress), February 2008. | draft-ietf-sip-dtls-srtp-framework-01 (work in progress), | |||
| February 2008. | ||||
| [I-D.ietf-sip-hitchhikers-guide] | [I-D.ietf-sip-hitchhikers-guide] | |||
| Rosenberg, J., "A Hitchhikers Guide to the Session | Rosenberg, J., "A Hitchhiker's Guide to the Session | |||
| Initiation Protocol (SIP)", July 2007. | Initiation Protocol (SIP)", | |||
| draft-ietf-sip-hitchhikers-guide-05 (work in progress), | ||||
| February 2008. | ||||
| [I-D.ietf-speermint-architecture] | [I-D.ietf-speermint-architecture] | |||
| Penno et al., R., "SPEERMINT Peering Architecture", | Penno, R., "SPEERMINT Peering Architecture", | |||
| draft-ietf-speermint-architecture-06.txt (work in | draft-ietf-speermint-architecture-06 (work in progress), | |||
| progress), May 2008. | May 2008. | |||
| [I-D.ietf-speermint-consolidated-presence-im-usecases] | [I-D.ietf-speermint-consolidated-presence-im-usecases] | |||
| Houri, A., Aoki, E., and S. Parameswar, "Presence & | Houri, A., "Presence & Instant Messaging Peering Use | |||
| Instant Messaging Peering Use Cases", | Cases", | |||
| draft-ietf-speermint-consolidated-presence-im-usecases-04 | draft-ietf-speermint-consolidated-presence-im-usecases-05 | |||
| (work in progress), February 2008. | (work in progress), July 2008. | |||
| [I-D.ietf-speermint-terminology] | [I-D.ietf-speermint-terminology] | |||
| Meyer, R. and D. Malas, "SPEERMINT Terminology", | Malas, D. and D. Meyer, "SPEERMINT Terminology", | |||
| draft-ietf-speermint-terminology-16.txt (work in | draft-ietf-speermint-terminology-16 (work in progress), | |||
| progress), February 2008. | February 2008. | |||
| [I-D.ietf-speermint-voip-consolidated-usecases] | [I-D.ietf-speermint-voip-consolidated-usecases] | |||
| Uzelac et al., A., "VoIP SIP Peering Use Cases", | Uzelac, A. and Y. Lee, "VoIP SIP Peering Use Cases", | |||
| draft-ietf-speermint-voip-consolidated-usecases-08.txt | draft-ietf-speermint-voip-consolidated-usecases-08 (work | |||
| (work in progress), May 2008. | in progress), May 2008. | |||
| [I-D.niccolini-speermint-voipthreats] | ||||
| Niccolini, S., Chen, E., and J. Seedorf, "SPEERMINT | ||||
| Security BCPs", draft-niccolini-speermint-voipthreats-03 | ||||
| (work in progress), February 2008. | ||||
| [RFC2198] Perkins, C., Kouvelas, I., Hodson, O., Hardman, V., | [RFC2198] Perkins, C., Kouvelas, I., Hodson, O., Hardman, V., | |||
| Handley, M., Bolot, J., Vega-Garcia, A., and S. Fosse- | Handley, M., Bolot, J., Vega-Garcia, A., and S. Fosse- | |||
| Parisis, "RTP Payload for Redundant Audio Data", RFC 2198, | Parisis, "RTP Payload for Redundant Audio Data", RFC 2198, | |||
| September 1997. | September 1997. | |||
| [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, | [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, | |||
| A., Peterson, J., Sparks, R., Handley, M., and E. | A., Peterson, J., Sparks, R., Handley, M., and E. | |||
| Schooler, "SIP: Session Initiation Protocol", RFC 3261, | Schooler, "SIP: Session Initiation Protocol", RFC 3261, | |||
| June 2002. | June 2002. | |||
| skipping to change at page 20, line 5 | skipping to change at page 21, line 38 | |||
| [RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | [RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | |||
| Security", RFC 4347, April 2006. | Security", RFC 4347, April 2006. | |||
| [RFC4474] Peterson, J. and C. Jennings, "Enhancements for | [RFC4474] Peterson, J. and C. Jennings, "Enhancements for | |||
| Authenticated Identity Management in the Session | Authenticated Identity Management in the Session | |||
| Initiation Protocol (SIP)", RFC 4474, August 2006. | Initiation Protocol (SIP)", RFC 4474, August 2006. | |||
| [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session | [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session | |||
| Description Protocol", RFC 4566, July 2006. | Description Protocol", RFC 4566, July 2006. | |||
| [RFC4571] Lazzaro, J., "Framing Real-time Transport Protocol (RTP) | ||||
| and RTP Control Protocol (RTCP) Packets over Connection- | ||||
| Oriented Transport", RFC 4571, July 2006. | ||||
| [RFC4572] Lennox, J., "Connection-Oriented Media Transport over the | ||||
| Transport Layer Security (TLS) Protocol in the Session | ||||
| Description Protocol (SDP)", RFC 4572, July 2006. | ||||
| [RFC4916] Elwell, J., "Connected Identity in the Session Initiation | ||||
| Protocol (SIP)", RFC 4916, June 2007. | ||||
| Appendix A. Policy Parameters for Session Peering | Appendix A. Policy Parameters for Session Peering | |||
| This informative section lists various types of parameters that | This informative section lists various types of parameters that | |||
| should be considered by implementers when deciding what configuration | should be considered by implementers when deciding what configuration | |||
| parameters to expose to system administrators or management stations, | variables to expose to system administrators or management stations, | |||
| as well as SSPs or federations of SSPs when discussing the technical | as well as SSPs or federations of SSPs when discussing the technical | |||
| aspects of a session peering policy. | part of a session peering policy. | |||
| In the context of session peering, a policy can be defined as the set | In the context of session peering, a policy can be defined as the set | |||
| of parameters and other information needed by an SSP to exchange | of parameters and other information needed by an SSP to exchange | |||
| traffic with another peer. Some of the session policy parameters may | traffic with another peer. Some of the session policy parameters may | |||
| be statically exchanged and set throughout the lifetime of the | be statically exchanged and set throughout the lifetime of the | |||
| peering relationship. Others parameters may be discovered and | peering relationship. Others parameters may be discovered and | |||
| updated dynamically using by some explicit protocol mechanisms. | updated dynamically using by some explicit protocol mechanisms. | |||
| These dynamic parameters may also relate to an SSP's session- | These dynamic parameters may be session-dependent, or the may apply | |||
| dependent or session independent policies as defined in [I-D.ietf- | over multiple sessions or peers. | |||
| sipping-session-policy]. | ||||
| Various types of policy information may need to be discovered or | Various types of policy information may need to be discovered or | |||
| exchanged in order to establish session peering. At a minimum, a | exchanged in order to establish session peering. At a minimum, a | |||
| policy should specify information related to session establishment | policy should specify information related to session establishment | |||
| data in order to avoid session establishment failures. A policy may | data in order to avoid session establishment failures. A policy may | |||
| also include information related to QoS, billing and accounting, | also include information related to QoS, billing and accounting, | |||
| layer-3 related interconnect requirements which are out of the scope | layer-3 related interconnect requirements which are out of the scope | |||
| of this document. | of this document. | |||
| Some aspects of session peering policies must be agreed to and | Some aspects of session peering policies must be agreed to and | |||
| skipping to change at page 20, line 45 | skipping to change at page 22, line 44 | |||
| capabilities, standard ways of expressing those policy parameters may | capabilities, standard ways of expressing those policy parameters may | |||
| be defined among SSP and exchanged dynamically. For e.g., templates | be defined among SSP and exchanged dynamically. For e.g., templates | |||
| could be created in various document formats so that it could be | could be created in various document formats so that it could be | |||
| possible to dynamically discover some of the domain policy. Such | possible to dynamically discover some of the domain policy. Such | |||
| templates could be initiated by implementers (for each software/ | templates could be initiated by implementers (for each software/ | |||
| hardware release, a list of supported RFCs, RFC parameters is | hardware release, a list of supported RFCs, RFC parameters is | |||
| provided in a standard format) and then adapted by each SSP based on | provided in a standard format) and then adapted by each SSP based on | |||
| its service description, server or device configurations and variable | its service description, server or device configurations and variable | |||
| based on peer relationships. | based on peer relationships. | |||
| A.1. Categories of Parameters and Justifications | A.1. Categories of Parameters for VoIP Session Peering and | |||
| Justifications | ||||
| The following list should be considered as an initial list of | The following list should be considered as an initial list of | |||
| "discussion topics" to be addressed by peers when initiating a VoIP | "discussion topics" to be addressed by peers when initiating a VoIP | |||
| peering relationship. | peering relationship. | |||
| o IP Network Connectivity: | o IP Network Connectivity: | |||
| Session peers should define how the IP network connectivity | Session peers should define how the IP network connectivity | |||
| between their respective SBEs and DBEs. While this is out of | between their respective SBEs and DBEs. While this is out of | |||
| scope of session peering, SSPs must agree on a common mechanism | scope of session peering, SSPs must agree on a common mechanism | |||
| for IP transport of session signaling and media. This may be | for IP transport of session signaling and media. This may be | |||
| accomplish via private (e.g. IPVPN, IPsec, etc.) or public IP | accomplish via private (e.g. IPVPN, IPsec, etc.) or public IP | |||
| networks. | networks. | |||
| o Media-related Parameters: | o Media-related Parameters: | |||
| * Media Codecs: list of supported media codecs for audio, real- | * Media Codecs: list of supported media codecs for audio, real- | |||
| time fax (version of T.38, if applicable), real-time text (RFC | time fax (version of T.38, if applicable), real-time text (RFC | |||
| 4103), DTMF transport, voice band data communications (as | 4103), DTMF transport, voice band data communications (as | |||
| applicable) along with the supported or recommended codec | applicable) along with the supported or recommended codec | |||
| packetization rates, level of RTP paylod redundancy, audio | packetization rates, level of RTP payload redundancy, audio | |||
| volume levels, etc. | volume levels, etc. | |||
| * Media Transport: level of support for RTP-RTCP [RFC3550], RTP | * Media Transport: level of support for RTP-RTCP [RFC3550], RTP | |||
| Redundancy (RTP Payload for Redundant Audio Data - [RFC2198]) , | Redundancy (RTP Payload for Redundant Audio Data - [RFC2198]) , | |||
| T.38 transport over RTP, etc. | T.38 transport over RTP, etc. | |||
| * Other: support of the VoIP metric block as defined in RTP | * Other: support of the VoIP metric block as defined in RTP | |||
| Control Protocol Extended Reports [RFC3611] , etc. | Control Protocol Extended Reports [RFC3611] , etc. | |||
| o SIP: | o SIP: | |||
| skipping to change at page 21, line 43 | skipping to change at page 23, line 43 | |||
| (including private p headers if applicable), error response | (including private p headers if applicable), error response | |||
| codes, supported or recommended format of some header field | codes, supported or recommended format of some header field | |||
| values , etc. | values , etc. | |||
| * It should also be possible to describe the list of supported | * It should also be possible to describe the list of supported | |||
| SIP RFCs by various functional groupings. A group of SIP RFCs | SIP RFCs by various functional groupings. A group of SIP RFCs | |||
| may represent how a call feature is implemented (call hold, | may represent how a call feature is implemented (call hold, | |||
| transfer, conferencing, etc.), or it may indicate a functional | transfer, conferencing, etc.), or it may indicate a functional | |||
| grouping as in [I-D.ietf-sip-hitchhikers-guide]. | grouping as in [I-D.ietf-sip-hitchhikers-guide]. | |||
| o Presence and Instant Messaging: TBD | ||||
| o Accounting: | o Accounting: | |||
| Methods used for call or session accounting should be specified. | Methods used for call or session accounting should be specified. | |||
| An SSP may require a peer to track session usage. It is critical | An SSP may require a peer to track session usage. It is critical | |||
| for peers to determine whether the support of any SIP extensions | for peers to determine whether the support of any SIP extensions | |||
| for accounting is a pre-requisite for SIP interoperability. In | for accounting is a pre-requisite for SIP interoperability. In | |||
| some cases, call accounting may feed data for billing purposes but | some cases, call accounting may feed data for billing purposes but | |||
| not always: some operators may decide to use accounting as a 'bill | not always: some operators may decide to use accounting as a 'bill | |||
| and keep' model to track session usage and monitor usage against | and keep' model to track session usage and monitor usage against | |||
| service level agreements. | service level agreements. | |||
| [RFC3702] defines the terminology and basic requirements for | [RFC3702] defines the terminology and basic requirements for | |||
| skipping to change at page 22, line 22 | skipping to change at page 24, line 20 | |||
| Layer-5 performance metrics should be defined and shared between | Layer-5 performance metrics should be defined and shared between | |||
| peers. The performance metrics apply directly to signaling or | peers. The performance metrics apply directly to signaling or | |||
| media; they may be used pro-actively to help avoid congestion, | media; they may be used pro-actively to help avoid congestion, | |||
| call quality issues or call signaling failures, and as part of | call quality issues or call signaling failures, and as part of | |||
| monitoring techniques, they can be used to evaluate the | monitoring techniques, they can be used to evaluate the | |||
| performance of peering exchanges. | performance of peering exchanges. | |||
| Examples of SIP performance metrics include the maximum number of | Examples of SIP performance metrics include the maximum number of | |||
| SIP transactions per second on per domain basis, Session | SIP transactions per second on per domain basis, Session | |||
| Completion Rate (SCR), Session Establishment Rate (SER), etc. | Completion Rate (SCR), Session Establishment Rate (SER), etc. | |||
| Some SIP end-to-end performance metrics are defined in | Some SIP end-to-end performance metrics are defined in | |||
| [I-D.draft-ietf-pmol-sip-perf-metrics]; a subset of these may be | [I-D.ietf-pmol-sip-perf-metrics]; a subset of these may be | |||
| applicable to session peering and interconnects. | applicable to session peering and interconnects. | |||
| Some media-related metrics for monitoring VoIP calls have been | Some media-related metrics for monitoring VoIP calls have been | |||
| defined in the VoIP Metrics Report Block, in Section 4.7 of | defined in the VoIP Metrics Report Block, in Section 4.7 of | |||
| [RFC3611]. | [RFC3611]. | |||
| o Security: | o Security: | |||
| An SSP should describe the security requirements that other peers | An SSP should describe the security requirements that other peers | |||
| must meet in order to terminate calls to its network. While such | must meet in order to terminate calls to its network. While such | |||
| a list of security-related policy parameters often depends on the | a list of security-related policy parameters often depends on the | |||
| security models pre-agreed to by peers, it is expected that these | security models pre-agreed to by peers, it is expected that these | |||
| skipping to change at page 22, line 44 | skipping to change at page 24, line 42 | |||
| session peering outside SSP clubs. The list of security | session peering outside SSP clubs. The list of security | |||
| parameters may be long and composed of high-level requirements | parameters may be long and composed of high-level requirements | |||
| (e.g. authentication, privacy, secure transport) and low level | (e.g. authentication, privacy, secure transport) and low level | |||
| protocol configuration elements like TLS parameters. | protocol configuration elements like TLS parameters. | |||
| The following list is not intended to be complete, it provides a | The following list is not intended to be complete, it provides a | |||
| preliminary list in the form of examples: | preliminary list in the form of examples: | |||
| * Call admission requirements: for some providers, sessions can | * Call admission requirements: for some providers, sessions can | |||
| only be admitted if certain criteria are met. For example, for | only be admitted if certain criteria are met. For example, for | |||
| some providers' networks, only incoming SIP sessions signaled | some providers' networks, only incoming SIP sessions signaled | |||
| over established IPSec tunnels or presented to the well-known | over established IPsec tunnels or presented to the well-known | |||
| TLS ports are admitted. Other call admission requirements may | TLS ports are admitted. Other call admission requirements may | |||
| be related to some performance metrics as descrived above. | be related to some performance metrics as described above. | |||
| Finally, it is possible that some requiremetns be imposed on | Finally, it is possible that some requirements be imposed on | |||
| lower layers, but these are considered out of scope of session | lower layers, but these are considered out of scope of session | |||
| peering. | peering. | |||
| * Call authorization requirements and validation: the presence of | * Call authorization requirements and validation: the presence of | |||
| a caller or user identity may be required by an SSP. Indeed, | a caller or user identity may be required by an SSP. Indeed, | |||
| some SSPs may further authorize an incoming session request by | some SSPs may further authorize an incoming session request by | |||
| validating the caller's identity against white/black lists | validating the caller's identity against white/black lists | |||
| maintained by the service provider or users (traditional caller | maintained by the service provider or users (traditional caller | |||
| ID screening applications or IM white list). | ID screening applications or IM white list). | |||
| * Privacy requirements: an SSP may demand that its SIP messages | * Privacy requirements: an SSP may demand that its SIP messages | |||
| be securely transported by its peers for privacy reasons so | be securely transported by its peers for privacy reasons so | |||
| that the calling/called party information be protected. Media | that the calling/called party information be protected. Media | |||
| sessions may also require privacy and some SSP policies may | sessions may also require privacy and some SSP policies may | |||
| include requirements on the use of secure media transport | include requirements on the use of secure media transport | |||
| protocols such as sRTP, along with some contraints on the | protocols such as SRTP, along with some constraints on the | |||
| minimum authentication/encryption options for use in sRTP. | minimum authentication/encryption options for use in SRTP. | |||
| * Network-layer security parameters: this covers how IPSec | * Network-layer security parameters: this covers how IPsec | |||
| security associated may be established, the IPSec key exchange | security associated may be established, the IPsec key exchange | |||
| mechanisms to be used and any keying materials, the lifetime of | mechanisms to be used and any keying materials, the lifetime of | |||
| timed Security Associated if applicable, etc. | timed Security Associated if applicable, etc. | |||
| * Transport-layer security parameters: this covers how TLS | * Transport-layer security parameters: this covers how TLS | |||
| connections should be established as described in Section | connections should be established as described in Section | |||
| Section 5. | Section 5. | |||
| A.2. Summary of Parameters for Consideration in Session Peering | A.2. Summary of Parameters for Consideration in Session Peering | |||
| Policies | Policies | |||
| skipping to change at page 24, line 4 | skipping to change at page 25, line 48 | |||
| * Codecs for audio, video, real time text, instant messaging | * Codecs for audio, video, real time text, instant messaging | |||
| media sessions | media sessions | |||
| * Modes of communications for audio (voice, fax, DTMF), IM (page | * Modes of communications for audio (voice, fax, DTMF), IM (page | |||
| mode, MSRP) | mode, MSRP) | |||
| * Media transport and means to establish secure media sessions | * Media transport and means to establish secure media sessions | |||
| * List of ingress and egress DBEs where applicable, including | * List of ingress and egress DBEs where applicable, including | |||
| STUN Relay servers if present | STUN Relay servers if present | |||
| o SIP | ||||
| o SIP | ||||
| * SIP RFCs, methods and error responses | * SIP RFCs, methods and error responses | |||
| * headers and header values | * headers and header values | |||
| * possibly, list of SIP RFCs supported by groups (e.g. by call | * possibly, list of SIP RFCs supported by groups (e.g. by call | |||
| feature) | feature) | |||
| o Accounting | o Accounting | |||
| o Capacity Control and Performance Management: any limits on, or, | o Capacity Control and Performance Management: any limits on, or, | |||
| skipping to change at page 26, line 44 | skipping to change at line 1003 | |||
| attempt made to obtain a general license or permission for the use of | attempt made to obtain a general license or permission for the use of | |||
| such proprietary rights by implementers or users of this | such proprietary rights by implementers or users of this | |||
| specification can be obtained from the IETF on-line IPR repository at | specification can be obtained from the IETF on-line IPR repository at | |||
| http://www.ietf.org/ipr. | http://www.ietf.org/ipr. | |||
| The IETF invites any interested party to bring to its attention any | The IETF invites any interested party to bring to its attention any | |||
| copyrights, patents or patent applications, or other proprietary | copyrights, patents or patent applications, or other proprietary | |||
| rights that may cover technology that may be required to implement | rights that may cover technology that may be required to implement | |||
| this standard. Please address the information to the IETF at | this standard. Please address the information to the IETF at | |||
| ietf-ipr@ietf.org. | ietf-ipr@ietf.org. | |||
| Acknowledgment | ||||
| Funding for the RFC Editor function is provided by the IETF | ||||
| Administrative Support Activity (IASA). | ||||
| End of changes. 70 change blocks. | ||||
| 186 lines changed or deleted | 261 lines changed or added | |||
This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||