idnits 2.17.1 draft-ietf-sip-refer-with-norefersub-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 15. -- Found old boilerplate from RFC 3978, Section 5.5 on line 367. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 344. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 351. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 357. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 137 has weird spacing: '... where pro...' == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but does not include the phrase in its RFC 2119 key words list. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (January 13, 2006) is 6677 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 3265 (ref. '4') (Obsoleted by RFC 6665) == Outdated reference: A later version (-15) exists of draft-ietf-sip-gruu-06 == Outdated reference: A later version (-10) exists of draft-ietf-simple-prescaps-ext-05 Summary: 4 errors (**), 0 flaws (~~), 6 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 SIP O. Levin 3 Internet-Draft Microsoft Corporation 4 Expires: July 17, 2006 January 13, 2006 6 Suppression of Session Initiation Protocol REFER Method Implicit 7 Subscription 8 draft-ietf-sip-refer-with-norefersub-04 10 Status of this Memo 12 By submitting this Internet-Draft, each author represents that any 13 applicable patent or other IPR claims of which he or she is aware 14 have been or will be disclosed, and any of which he or she becomes 15 aware will be disclosed, in accordance with Section 6 of BCP 79. 17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that 19 other groups may also distribute working documents as Internet- 20 Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 The list of current Internet-Drafts can be accessed at 28 http://www.ietf.org/ietf/1id-abstracts.txt. 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html. 33 This Internet-Draft will expire on July 17, 2006. 35 Copyright Notice 37 Copyright (C) The Internet Society (2006). 39 Abstract 41 This specification defines a way to suppress an implicit subscription 42 with the Session Initiation Protocol (SIP) REFER method. A new SIP 43 option tag "norefersub" is defined to indicate support for this 44 extension. A new SIP header field "Refer-Sub" is defined to request 45 the usage of this extension. 47 Table of Contents 49 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 50 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 51 3. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 3 52 4. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4 53 5. Preventing Forking of REFER Requests . . . . . . . . . . . . . 5 54 6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 55 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 56 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 57 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7 58 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 59 10.1. Normative References . . . . . . . . . . . . . . . . . . 8 60 10.2. Informational References . . . . . . . . . . . . . . . . 8 61 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 9 62 Intellectual Property and Copyright Statements . . . . . . . . . . 10 64 1. Terminology 66 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 67 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 68 document are to be interpreted as described in RFC 2119 [1]. 70 To simplify discussions of the REFER method and its extensions, the 71 three terms below are being used throughout the document: 72 o REFER-Issuer: the UA issuing the REFER request 73 o REFER-Recipient: the UA receiving the REFER request 74 o REFER-Target: the UA designated in the Refer-To URI 76 2. Introduction 78 The REFER specification [3] specifies that every REFER creates an 79 implicit subscription between the REFER-Issuer and the REFER- 80 Recipient. 82 This document defines a new SIP header field: "Refer-Sub" meaningful 83 within a REFER transaction only. This header field, when set to 84 "false", specifies that a REFER-Issuer requests that the REFER- 85 Recipient doesn't establish an implicit subscription and the 86 resultant dialog. 88 This document defines a new option tag: "norefersub". This tag, when 89 included in the Supported header field, indicates that a User Agent 90 (UA) is capable of accepting a REFER request without creating an 91 implicit subscription when acting as a REFER-Recipient. 93 3. Motivation 95 The REFER specification mandates that every REFER creates an implicit 96 subscription between the REFER-Issuer and the REFER-Recipient. This 97 subscription results in at least one NOTIFY being sent from the 98 REFER-Recipient to the REFER-Issuer. The REFER-Recipient may choose 99 to cancel the implicit subscription with this NOTIFY. The REFER- 100 Issuer may choose to cancel this implicit subscription with an 101 explicit SUBSCRIBE (Expires: 0) after receipt of the initial NOTIFY. 103 One purpose of requiring the implicit subscription and initial NOTIFY 104 is to allow for the situation where the REFER request gets forked and 105 the REFER-Issuer needs a way to see the multiple dialogs that may be 106 established as a result of the forked REFER. This is the same 107 approach used to handle forking of SUBSCRIBE [4] requests. Where the 108 REFER-Issuer explicitly specifies that forking not occur, the 109 requirement that an implicit subscription be established is 110 unnecessary. 112 Another purpose of the NOTIFY is to inform the REFER-Issuer of the 113 progress of the SIP transaction that results from the REFER at the 114 REFER-Recipient. In the case where the REFER-Issuer is already aware 115 of the progress of the requested operation, such as when the REFER- 116 Issuer has an explicit subscription to the dialog event package at 117 the REFER-Recipient, the implicit subscription and resultant NOTIFY 118 traffic related to the REFER can create an unnecessary network 119 overhead. 121 4. Definitions 123 This document defines a new SIP header field: "Refer-Sub". This 124 header field is meaningful and MAY be used with a REFER request and 125 the corresponding 2XX response only. This header field set to 126 "false" specifies that a REFER-Issuer requests that the REFER- 127 Recipient doesn't establish an implicit subscription and the 128 resultant dialog. Note that when using this extension, the REFER 129 remains a target refresh request (as in the default case - when the 130 extension is not used). 132 This document adds the following entry to Table 2 of [2]. The 133 additions to this table are also provided for extension methods at 134 the time of publication of this document. This is provided as a 135 courtesy to the reader and is not normative in any way: 137 Header field where proxy ACK BYE CAN INV OPT REG MSG 139 Refer-Sub R, 2xx - - - - - - - 141 Header field where SUB NOT REF INF UPD PRA PUB 143 Refer-Sub R, 2xx - - o - - - - 145 The Refer-Sub header field MAY be encrypted as part of end-to-end 146 encryption. 148 The syntax of the header field follows the BNF defined below: 150 Refer-Sub = "Refer-Sub" HCOLON refer-sub-value *(SEMI exten) 151 refer-sub-value = "true" / "false" 152 exten = generic-param 154 where the syntax of generic-param is defined in [2]. 156 The "Refer-Sub" header field set to "false" MAY be used by the REFER- 157 Issuer only when the REFER-Issuer can be certain that the REFER 158 request will not be forked. 160 If the REFER-Recipient supports the extension and is willing to 161 process the REFER transaction without establishing an implicit 162 subscription, it MUST insert the "Refer-Sub" header field set to 163 "false" in the 2xx response to the REFER-Issuer. In this case no 164 implicit subscription is created. Consequently, no new dialog is 165 created if this REFER was issued outside any existing dialog. 167 If the REFER-Issuer inserts the "Refer-Sub" header field set to 168 "false", but the REFER-Recipient doesn't grant the suggestion (i.e. 169 either does not include the "Refer-Sub" header field or includes the 170 "Refer-Sub" header field set to "true" in the 2xx response), an 171 implicit subscription is created as in default case. 173 This document also defines a new option tag, "norefersub". This tag, 174 when included in the Supported header field, specifies that a User 175 Agent (UA) is capable of accepting a REFER request without creating 176 an implicit subscription when acting as a REFER-Recipient. 178 The REFER-Issuer can know the capabilities of the REFER-Recipient 179 from the presence of the option tags in the Supported header field of 180 the dialog initiating request or response. Another way of learning 181 the capabilities would be by using presence, such as defined in [6]. 182 However, if the capabilities of the REFER-Recipient are not known, 183 using the "norefersub" tag with the Require header field is NOT 184 RECOMMENDED. This is due to the fact that in the event the REFER- 185 Recipient doesn't support the extension, in order to fallback to the 186 normal REFER, the REFER-Issuer will need to issue a new REFER 187 transaction thus resulting in additional round-trips. 189 As described in Section 8.2.2.3 in [2], a REFER-Recipient will reject 190 a REFER request containing a Require: norefersub header field with a 191 420 (Bad Extension) response unless it supports this extension. Note 192 that Require: norefersub can be present with a Refer-Sub: false 193 header field. 195 5. Preventing Forking of REFER Requests 197 The REFER specification allows for the possibility of forking a REFER 198 request which is sent outside of an existing dialog. In addition, a 199 proxy may fork an unknown method type. Should forking occur, the 200 sender of the REFER with "Refer-Sub" will not be aware as only a 201 single 2xx response will be forwarded by the forking proxy. As a 202 result, the responsibility is on the issuer of the REFER with "Refer- 203 Sub" to ensure that no forking will result. 205 If a REFER request to a given Request-URI might fork, the REFER- 206 Issuer SHOULD NOT include the "Refer-Sub" header field. The REFER- 207 Issuer SHOULD use standardized mechanisms for ensuring the REFER 208 request does not fork. In absence of any other mechanism, the 209 Request-URI of the REFER request SHOULD have GRUU properties 210 according to the definitions of [5] as those properties ensure the 211 request will not fork. 213 6. Example 215 An example of REFER which suppresses the implicit subscription is 216 shown below. Note that the conventions used in the SIP Torture Test 217 Messages [7] document are reused, specifically the tag. 219 REFER sip:pc-b@example.com SIP/2.0 220 Via: SIP/2.0/TCP issuer.example.com;branch=z9hG4bK-a-1 221 From: ;tag=1a 222 223 To: sip:b@example.com;opaque=urn:uuid:f8 224 1d4fae-7dec-11d0-a765-00a0c91e6bf6;grid=99a 225 226 Call-ID: 1@issuer.example.com 227 CSeq: 234234 REFER 228 Max-Forwards: 70 229 Refer-To: 230 Refer-Sub: false 231 Supported: norefersub 232 Contact: sip:a@issuer.example.com 233 Content-Length: 0 235 7. IANA Considerations 237 This document registers a new SIP header field "Refer-Sub". This 238 header field is only meaningful for the REFER request defined in RFC 239 3515 [3] and the corresponding response. The following information 240 to be added to the header field sub-registry under 241 http://www.iana.org/assignments/sip-parameters: 242 o Header Name: Refer-Sub 243 o Compact Form: None 244 o Reference: [Substitute with this RFC number] 246 This document also registers a new SIP option tag, "norefersub". The 247 required information for this registration, as specified in RFC 3261 248 [2], is: 250 o Name: norefersub 251 o Description: This option tag specifies a User Agent ability of 252 accepting a REFER request without establishing an implicit 253 subscription (compared to the default case defined in RFC 3515 254 [3]). 256 8. Security Considerations 258 The purpose of this SIP extension is to modify the expected behavior 259 of the REFER-Recipient. The change in behavior is for the REFER- 260 Recipient to not establish a dialog and to not send NOTIFY messages 261 back to the REFER-Issuer. As such, a malicious inclusion of a 262 "Refer-Sub" header field set to "false" reduces the processing and 263 state requirements on the recipient. As a result, its use in a 264 denial of service attack seems limited. 266 Should an intermediary maliciously insert a "Refer-Sub" header field 267 set to "false", two possibilities may occur. If the REFER-Recipient 268 does not support the extension, the REFER will fail with a "420 Bad 269 Extension" response. The REFER-Issuer will be confused as no "Refer- 270 Sub" was in the request, and the resulting request will fail. Should 271 the REFER-Recipient support the extension, the 2xx response will 272 contain the "Refer-Sub" header field set to "false". In any case, 273 the REFER-Recipient will not establish a new dialog and send NOTIFYs. 274 As a result the REFER-Recipient will not learn the outcome of the 275 operation on the Refer-To URI. 277 Should an intermediary maliciously remove a "Refer-Sub" header field 278 set to "false", the REFER-Recipient will try to sent notifications 279 over the "explicitly established" dialog. It may confuse the REFER- 280 Issuer, unless the Man in the Middle (MitM) has the motivation and 281 the ability to intercept the notifications. 283 To protect against these kinds of MitM attacks, integrity protection 284 should be used. For example, the REFER-Issuer could use S/MIME as 285 discussed in RFC 3261 [2] to protect against these kinds of attacks. 287 9. Acknowledgements 289 The SIP community would like to thank Sriram Parameswar for his ideas 290 being originally presented in draft-parameswar-sipping-norefersub-00 291 and served as the basis for this specification. 293 10. References 294 10.1. Normative References 296 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement 297 Levels", BCP 14, RFC 2119, March 1997. 299 [2] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., 300 Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: 301 Session Initiation Protocol", RFC 3261, June 2002. 303 [3] Sparks, R., "The Session Initiation Protocol (SIP) Refer 304 Method", RFC 3515, April 2003. 306 [4] Roach, A., "Session Initiation Protocol (SIP)-Specific Event 307 Notification", RFC 3265, June 2002. 309 10.2. Informational References 311 [5] Rosenberg, J., "Obtaining and Using Globally Routable User Agent 312 (UA) URIs (GRUU) in the Session Initiation Protocol (SIP)", 313 draft-ietf-sip-gruu-06 (work in progress), October 2005. 315 [6] Lonnfors, M. and K. Kiss, "User Agent Capability Extension to 316 Presence Information Data Format (PIDF)", 317 draft-ietf-simple-prescaps-ext-05 (work in progress), 318 October 2005. 320 [7] Sparks, R., "Session Initiation Protocol Torture Test Messages", 321 draft-ietf-sipping-torture-tests-09 (work in progress), 322 November 2005. 324 Author's Address 326 Orit Levin 327 Microsoft Corporation 328 One Microsoft Way 329 Redmond, WA 98052 330 USA 332 Phone: 425-722-2225 333 Email: oritl@microsoft.com 335 Intellectual Property Statement 337 The IETF takes no position regarding the validity or scope of any 338 Intellectual Property Rights or other rights that might be claimed to 339 pertain to the implementation or use of the technology described in 340 this document or the extent to which any license under such rights 341 might or might not be available; nor does it represent that it has 342 made any independent effort to identify any such rights. Information 343 on the procedures with respect to rights in RFC documents can be 344 found in BCP 78 and BCP 79. 346 Copies of IPR disclosures made to the IETF Secretariat and any 347 assurances of licenses to be made available, or the result of an 348 attempt made to obtain a general license or permission for the use of 349 such proprietary rights by implementers or users of this 350 specification can be obtained from the IETF on-line IPR repository at 351 http://www.ietf.org/ipr. 353 The IETF invites any interested party to bring to its attention any 354 copyrights, patents or patent applications, or other proprietary 355 rights that may cover technology that may be required to implement 356 this standard. Please address the information to the IETF at 357 ietf-ipr@ietf.org. 359 Disclaimer of Validity 361 This document and the information contained herein are provided on an 362 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 363 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 364 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 365 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 366 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 367 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 369 Copyright Statement 371 Copyright (C) The Internet Society (2006). This document is subject 372 to the rights, licenses and restrictions contained in BCP 78, and 373 except as set forth therein, the authors retain all their rights. 375 Acknowledgment 377 Funding for the RFC Editor function is currently provided by the 378 Internet Society.