idnits 2.17.1 draft-ietf-sipcore-invfix-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? (You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Feb 2009 rather than one of the newer Notices. See https://trustee.ietf.org/license-info/.) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == It seems as if not all pages are separated by form feeds - found 20 form feeds but 265 pages Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC3261, updated by this document, for RFC5378 checks: 2000-07-17) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (Sept 12, 2009) is 5607 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '4' on line 675 Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group R. Sparks 3 Internet-Draft Tekelec 4 Updates: 3261 (if approved) T. Zourzouvillys 5 Intended status: Standards Track VoIP.co.uk 6 Expires: March 16, 2010 Sept 12, 2009 8 Correct transaction handling for 200 responses to Session Initiation 9 Protocol INVITE requests 10 draft-ietf-sipcore-invfix-00 12 Status of this Memo 14 This Internet-Draft is submitted to IETF in full conformance with the 15 provisions of BCP 78 and BCP 79. 17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that 19 other groups may also distribute working documents as Internet- 20 Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 The list of current Internet-Drafts can be accessed at 28 http://www.ietf.org/ietf/1id-abstracts.txt. 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html. 33 This Internet-Draft will expire on March 16, 2010. 35 Copyright Notice 37 Copyright (c) 2009 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents in effect on the date of 42 publication of this document (http://trustee.ietf.org/license-info). 43 Please review these documents carefully, as they describe your rights 44 and restrictions with respect to this document. 46 Abstract 48 This document normatively updates RFC 3261, the Session Initiation 49 Protocol (SIP), to address an error in the specified handling of 50 success (200 class) responses to INVITE requests. Elements following 51 RFC 3261 exactly will misidentify retransmissions of the request as a 52 new, unassociated, request. The correction involves modifying the 53 INVITE transaction state machines. The correction also changes the 54 way responses that cannot be matched to an existing transaction are 55 handled to address a security risk. 57 Table of Contents 59 1. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 60 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 61 3. Reason for Change . . . . . . . . . . . . . . . . . . . . . . 3 62 4. Summary of Change . . . . . . . . . . . . . . . . . . . . . . 4 63 5. Consequences if Not Approved . . . . . . . . . . . . . . . . . 4 64 6. The Change . . . . . . . . . . . . . . . . . . . . . . . . . . 4 65 7. Change Details . . . . . . . . . . . . . . . . . . . . . . . . 5 66 7.1. Server Transaction Impacts . . . . . . . . . . . . . . . . 5 67 7.2. Client Transaction Impacts . . . . . . . . . . . . . . . . 9 68 7.3. Proxy Considerations . . . . . . . . . . . . . . . . . . . 10 69 8. Exact changes to RFC3261 . . . . . . . . . . . . . . . . . . . 11 70 8.1. Page 85 . . . . . . . . . . . . . . . . . . . . . . . . . 11 71 8.2. Page 107 . . . . . . . . . . . . . . . . . . . . . . . . . 11 72 8.3. Page 114 . . . . . . . . . . . . . . . . . . . . . . . . . 11 73 8.4. Pages 126 through 128 . . . . . . . . . . . . . . . . . . 12 74 8.5. Pages 134 to 135 . . . . . . . . . . . . . . . . . . . . . 15 75 8.6. Page 136 . . . . . . . . . . . . . . . . . . . . . . . . . 15 76 8.7. Page 137 . . . . . . . . . . . . . . . . . . . . . . . . . 17 77 8.8. Page 141 . . . . . . . . . . . . . . . . . . . . . . . . . 17 78 8.9. Page 144 . . . . . . . . . . . . . . . . . . . . . . . . . 17 79 8.10. Page 146 . . . . . . . . . . . . . . . . . . . . . . . . . 18 80 8.11. Page 265 . . . . . . . . . . . . . . . . . . . . . . . . . 18 81 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 82 10. Security Considerations . . . . . . . . . . . . . . . . . . . 18 83 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 84 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 85 12.1. Normative References . . . . . . . . . . . . . . . . . . . 19 86 12.2. Informative References . . . . . . . . . . . . . . . . . . 20 87 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20 89 1. Conventions and Definitions 91 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 92 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 93 document are to be interpreted as described in RFC-2119 [RFC2119]. 95 2. Introduction 97 This document describes an essential correction to the Session 98 Initiation Protocol (SIP), defined in [RFC3261], using the process 99 defined in [I-D.drage-sip-essential-correction]. The change 100 addresses an error in the handling of 200 class responses to INVITE 101 requests that leads to retransmissions of the INVITE being treated as 102 new requests and forbids forwarding stray INVITE responses. 104 3. Reason for Change 106 One use of the INVITE method in SIP is to establish new sessions. 107 These "initial" INVITEs may fork at intermediaries, and more than one 108 receiving endpoint may choose to accept the request. SIP is designed 109 such that the requester receives all of these success responses. 111 Two sets of requirements in [RFC3261] work together to allow multiple 112 200s to be processed correctly by the requester. First, all elements 113 are required to immediately destroy any INVITE client transaction 114 state upon forwarding a matching 200 OK response. This requirement 115 applies to both proxies and user agents (proxies forward the response 116 upstream, the transaction layer at user agents forward the response 117 to its "UA core"). Second, all proxies are required to statelessly 118 forward any 200 OK responses that do not match an existing 119 transaction, also called stray responses, upstream. The transaction 120 layer at user agents is required to forward these responses to its UA 121 core. Logic in the UA core deals with acknowledging each of these 122 responses. 124 This technique for specifying the behavior was chosen over adjusting 125 INVITE client transaction state machines as a simpler way to specify 126 the correct behavior. 128 Over time, implementation experience demonstrated the existing text 129 is in error. Once any element with a server transaction (say, a 130 proxy in the path of the INVITE) deletes that transaction state, any 131 retransmission of the INVITE will be treated as a new request, 132 potentially forwarded to different locations than the original. Many 133 implementations in the field have made proprietary adjustments to 134 their transaction logic to avoid this error. 136 The requirement to statelessly forward stray responses has also been 137 identified as a security risk. Through it, elements compliant to 138 [RFC3261] are compelled to do work (forward packets) that is not 139 protected by the admission policies applied to requests. This can be 140 leveraged to, for instance, use a SIP proxy as an anonymizing 141 forwarder of packets in a distributed DOS attack. General internet 142 endpoints can also collude to tunnel non-SIP content through such 143 proxies by wrapping them in an SIP response envelope. 145 Additionally, [RFC3261] requires that if an unrecoverable transport 146 error is encountered while sending a response in a client 147 transaction, that the transaction moves immediately into the 148 Terminated state. This will result in any re-transmitted INVITE 149 requests received after such an error was encountered be processed as 150 a new request instead of being absorbed as a re-transmission. 152 4. Summary of Change 154 This correction document updates [RFC3261], adding a state and 155 changing the transitions in the INVITE client state machine such that 156 the INVITE client transaction remains in place to receive multiple 157 200 OK responses. It adds a state to the INVITE server state machine 158 to absorb retransmissions of the INVITE after a 200 OK response has 159 been sent. It modifies state transitions in the INVITE server state 160 machine to absorb retransmissions of the INVITE request after 161 encountering a unrecoverable transport error when sending a response. 162 It also forbids forwarding stray responses to INVITE requests (not 163 just 200 OK responses), which RFC3261 requires. 165 5. Consequences if Not Approved 167 Implementations strictly conformant to [RFC3261] will process 168 retransmitted initial INVITE requests as new requests. Proxies may 169 forward them to different locations than the original. Proxies may 170 also be used as anonymizing forwarders of bulk traffic. 171 Implementations will process any retransmitted INVITE request as new 172 request after an attempt to send a response resulted in a 173 unrecoverable error. 175 6. The Change 177 An element sending or receiving a 200 OK to an INVITE transaction 178 MUST NOT destroy any matching INVITE transaction state. This state 179 is necessary to ensure correct processing of retransmissions of the 180 request and the retransmission of the 200 OK and ACK that follow. 182 An element encountering an unrecoverable tranport error when trying 183 to send a response to an INVITE request MUST NOT immediately destroy 184 the associated INVITE server transaction state. This state is 185 necessary to ensure correct processing of retransmissions of the 186 request. 188 When receiving any SIP response, a transaction-stateful proxy MUST 189 compare the transaction identifier in that response against its 190 existing transaction state machines. The proxy MUST NOT forward the 191 response if there is no matching transaction state machine. 193 When receiving an ACK that matches an existing INVITE server 194 transaction, and the ACK does not contain a branch parameter 195 containing the magic cookie defined in RFC 3261, the matching 196 transaction MUST be checked to see if it is in the "Accepted" state. 197 If it is, then the ACK must be passed directly to the transaction 198 user instead of absorbing it in the transaction. This is necessary 199 as requests from RFC 2543 clients will not include a unique branch 200 parameter, and the mechanisms for calculating the transaction id from 201 such a request will be the same for both INVITE and ACKs. 203 7. Change Details 205 These changes impact requirements in several sections of RFC3261. 206 The exact effect on that text is detailed in Section 8. This section 207 describes the details of the change, particularly the impact on the 208 INVITE state machines, more succinctly to facilitate review and 209 simplify implementation. 211 7.1. Server Transaction Impacts 213 To allow a SIP element to recognize retransmissions of an INVITE as 214 retransmissions instead of new requests, a new state, "Accepted", is 215 added to the INVITE server transaction state machine. A new timer, 216 Timer L, is also added to ultimately allow the state machine to 217 terminate. A server transaction in the "Proceeding" state will 218 transition to the "Accepted" state when it issues a 2xx response, and 219 will remain in that state just long enough to absorb any 220 retransmissions of the INVITE. 222 If the SIP elements's TU issues a 2xx response for this transaction 223 while the state machine is in the "Proceeding" state, it MUST 224 transition to the "Accepted" state and set Timer L to 64*T1. 226 While in the "Accepted" state, any retransmissions of the INVITE 227 received will match this transaction state machine and will be 228 absorbed by the machine without changing its state. These 229 retransmissions are not passed onto the TU. RFC3261 requires the TU 230 to periodically retransmit the 2xx response until it receives an ACK. 231 The server transaction MUST NOT generate 2xx retransmissions on its 232 own. Any retransmission of the 2xx response passed from the TU to 233 the transaction while in the "Accepted" state MUST be passed to the 234 transport layer for transmission. Any ACKs received from the network 235 while in the "Accepted" state MUST be passed directly to the TU and 236 not absorbed. 238 When Timer L fires and the state machine is in the "Accepted" state, 239 the machine MUST transition to the "Terminated" state. Once the 240 transaction is in the "Terminated" state, it MUST be destroyed 241 immediately. Timer L reflects the amount of time the server 242 transaction could receive 2xx responses for retransmission from the 243 TU while it is waiting to receive an ACK. 245 A server transaction MUST NOT discard transaction state based only on 246 encountering a non-recoverable transport error when sending a 247 response. Instead the assocated INVITE server transaction state 248 machine MUST remain in its current state. (Timers will eventually 249 cause it to transition to the Terminated state). This allows 250 retransmissions of the INVITE to be absorbed instead of being 251 processed as a new request. 253 Figure 1 and Figure 2 graphically show the parts of the INVITE server 254 state machine that has changed. The entire new INVITE server state 255 machine is shown in Figure 5. 257 BEFORE AFTER 259 +-----------+ +-----------+ 260 | | | | 261 | Proceeding| | Proceeding| 262 | | | | 263 | | | | 264 | | | | 265 | | | | 266 +-----------+ +-----------+ 267 |2xx from TU |2xx from TU 268 |send response |send response 269 +-------------->+ +------->+ 270 | | 271 | | 272 | | 273 | | Transport 274 | INVITE | Error 275 | - | Inform TU 276 | +-----+ | +--+ 277 | | | V | v 278 | | +------------+ 279 | | | |<--+ 280 | +->| Accepted | | ACK 281 | | |---+ to TU 282 | +------------+ 283 | | ^ | 284 | +--+ | | 285 | | +-----+ 286 | | 2xx from TU 287 | | send response 288 | | 289 | | Timer L fires 290 | | - 291 | | 292 | V 293 +-----------+ | +------------+ 294 | | | | | 295 | Terminated|<-----------+ | Terminated | 296 | | | | 297 +-----------+ +------------+ 299 Figure 1: Changes to the INVITE server transaction state machine when 300 sending 2xx 302 BEFORE AFTER 304 +-----------+ +------------+ 305 | | | | 306 | Proceeding| | Proceeding | Transport Err. 307 | | | | Inform TU 308 | | Transport Err. | |----------+ 309 | | Inform TU | | | 310 | |--------------->+ | |<---------+ 311 +-----------+ | +------------+ 312 | 313 | 314 | 315 | 316 | Transport Err. 317 +-----------+ | +-----------+ Inform TU 318 | | | | |---------+ 319 | Completed | | | Completed | | 320 | | | | |<--------+ 321 +-----------+ | +-----------+ 322 | | 323 | | 324 +------------------>+ 325 Transport Err.| 326 Inform TU | 327 | 328 | 329 | 330 | 331 | 332 | 333 | 334 | 335 | 336 +-----------+ | 337 | | | 338 | Terminated|<---------------+ 339 | | 340 +-----------+ 342 Figure 2: Changes to the INVITE server transaction state machine on 343 encountering transport error 345 7.2. Client Transaction Impacts 347 In order to correctly distinguish retransmissions of 2xx responses 348 from stray 2xx responses, the INVITE client state machine is modified 349 to not transition immediately to "Terminated" on receipt of a 2xx 350 response. Instead, the machine will transition to a new "Accepted" 351 state, and remain there just long enough, determined by a new timer 352 M, to receive and pass to the TU any retransmissions of the 2xx 353 response or any additional 2xx responses from other branches of a 354 downstream fork of the matching request. If a 2xx response is 355 received while the client INVITE state machine is in the "Calling" or 356 "Proceeding" states, it MUST transition to the "Accepted" state, pass 357 the 2xx response to the TU, and set Timer M to 64*T1. A 2xx response 358 received while in the "Accepted" state MUST be passed to the TU and 359 the machine remains in the "Accepted" state. The client transaction 360 MUST NOT generate an ACK to any 2xx response on its own. The TU 361 responsible for the transaction will generate the ACK. 363 When Timer M fires and the state machine is in the "Accepted" state, 364 the machine MUST transition to the "Terminated" state. Once the 365 transaction is in the "Terminated" state, it MUST be destroyed 366 immediately. 368 Any response received which does not match an existing client 369 transaction state machine is simply dropped. (Implementations are, 370 of course, free to log or do other implementation specific things 371 with such responses, but the implementer should be sure to consider 372 the impact of large numbers of malicious stray responses). 374 Note that it is not necessary to preserve client transaction state 375 upon the detection of unrecoverable transport errors. Existing 376 requirements ensure the TU has been notified, and the new 377 requirements in this document ensure that any received retransmitted 378 response will be dropped since there will no longer be any matching 379 transaction state. 381 Figure 3 graphically shows the part of the INVITE client state 382 machine that has changed. The entire new INVITE client state machine 383 is shown in Figure 4. 385 +-----------+ +-----------+ 386 | | | | 387 | Calling | | Calling | 388 | |----------->+ | |-----------+ 389 +-----------+ 2xx | +-----------+ 2xx | 390 2xx to TU | 2xx to TU | 391 | | 392 | | 393 | | 394 | | 395 +-----------+ | +-----------+ | 396 | | | | | | 397 |Proceeding |----------->| |Proceeding |---------->| 398 | | 2xx | | | 2xx | 399 +-----------+ 2xx to TU | +-----------+ 2xx to TU | 400 | | 401 | | 402 | | 403 | V 404 | +-----------+ 405 | | | 406 | | Accepted | 407 | +---| | 408 | 2xx | +-----------+ 409 | 2xx to TU | ^ | 410 | | | | 411 | +-----+ | 412 | | 413 | +-----------------+ 414 | | Timer M fires 415 | | - 416 | V 417 +-----------+ | +-----------+ 418 | | | | | 419 | Terminated|<-----------+ | Terminated| 420 | | | | 421 +-----------+ +-----------+ 423 Figure 3: Changes to the INVITE client transaction state machine 425 7.3. Proxy Considerations 427 This document changes the behaviour of transaction-stateful proxies 428 to not forward stray INVITE responses. When receiving any SIP 429 response, a transaction-stateful proxy MUST compare the transaction 430 identifier in that response against its existing transaction state 431 machines. The proxy MUST NOT forward the response if there is no 432 matching transaction state machine. 434 8. Exact changes to RFC3261 436 This section describes exactly the same changes as above, but shows 437 exactly which text in RFC3261 is affected. 439 Section 13.3.1.4 paragraph 4 is replaced entirely by 441 Once the response has been constructed, it is passed to the INVITE 442 server transaction. In order to ensure reliable end-to-end 443 transport of the response, it is necessary to periodically pass 444 the response directly to the transport until the ACK arrives. The 445 2xx response is passed to the transport with an interval that 446 starts at T1 seconds and doubles for each retransmission until it 447 reaches T2 seconds (T1 and T2 are defined in Section 17). 448 Response retransmissions cease when an ACK request for the 449 response is received. This is independent of whatever transport 450 protocols are used to send the response. 452 Section 16.7 paragraphs 1 and 2 are replaced entirely by 454 When a response is received by an element, it first tries to 455 locate a client transaction (Section 17.1.3) matching the 456 response. If a transaction is found, the response is handed to 457 the client transaction. If none is found, the element MUST NOT 458 forward the response. 460 Section 16.7, part 9, first paragraph. Replace this sentence 462 If the server transaction is no longer available to handle the 463 transmission, the element MUST forward the response statelessly by 464 sending it to the server transport. 466 with 468 If the server transaction is no longer available to handle the 469 transmission, the response is simply discarded. 471 8.4. Pages 126 through 128 473 Section 17.1.1.2. Replace paragraph 7 (starting "When in either") 474 through the end of the section with 476 When in either the "Calling" or "Proceeding" states, reception of 477 a response with status code from 300-699 MUST cause the client 478 transaction to transition to "Completed". The client transaction 479 MUST pass the received response up to the TU, and the client 480 transaction MUST generate an ACK request, even if the transport is 481 reliable (guidelines for constructing the ACK from the response 482 are given in Section 17.1.1.3) and then pass the ACK to the 483 transport layer for transmission. The ACK MUST be sent to the 484 same address, port, and transport to which the original request 485 was sent. 487 The client transaction MUST start timer D when it enters the 488 "Completed" state for any reason, with a value of at least 32 489 seconds for unreliable transports, and a value of zero seconds for 490 reliable transports. Timer D reflects the amount of time that the 491 server transaction can remain in the "Completed" state when 492 unreliable transports are used. This is equal to Timer H in the 493 INVITE server transaction, whose default is 64*T1, and is also 494 equal to the time a UAS core will wait for an ACK once it sends a 495 2xx response. However, the client transaction does not know the 496 value of T1 in use by the server transaction or any downstream UAS 497 cores, so an absolute minimum of 32s is used instead of basing 498 Timer D on T1. 500 Any retransmissions of a response with status code 300-699 that 501 are received while in the "Completed" state MUST cause the ACK to 502 be re-passed to the transport layer for retransmission, but the 503 newly received response MUST NOT be passed up to the TU. 505 A retransmission of the response is defined as any response which 506 would match the same client transaction based on the rules of 507 Section 17.1.3. 509 If timer D fires while the client transaction is in the 510 "Completed" state, the client transaction MUST move to the 511 "Terminated" state. 513 When a 2xx response is received while in either the "Calling" or 514 "Proceeding" states, the client transaction MUST transition to the 515 "Accepted" state, and Timer M MUST be started with a value of 516 64*T1. The 2xx response MUST be passed up to the TU. The client 517 transaction MUST NOT generate an ACK to the 2xx response - its 518 handling is delegated to the TU. A UAC core will send an ACK to 519 the 2xx response using a new transaction. A proxy core will 520 always forward the 2xx response upstream. 522 The purpose of the "Accepted" state is to allow the client 523 transaction to continue to exist to receive, and pass to the TU, 524 any retransmissions of the 2xx response and any additional 2xx 525 responses from other branches of the INVITE if it forked 526 downstream. Timer M reflects the amount of time that transaction 527 user will wait for such messages. 529 Any 2xx responses matching this client transaction that are 530 received while in the "Accepted" state MUST be passed up to the 531 TU. The client transaction MUST NOT generate an ACK to the 2xx 532 response. The client transaction takes no further action. 534 If timer M fires while the client transaction is in the "Accepted" 535 state, the client transaction MUST move to the "Terminated" state. 537 The client transaction MUST be destroyed the instant it enters the 538 "Terminated" state. 540 Replace Figure 5 with 541 |INVITE from TU 542 Timer A fires |INVITE sent Timer B fires 543 Reset A, V or Transport Err. 544 INVITE sent +-----------+ inform TU 545 +---------| |--------------------------+ 546 | | Calling | | 547 +-------->| |-----------+ | 548 300-699 +-----------+ 2xx | | 549 ACK sent | | 2xx to TU | | 550 resp. to TU | |1xx | | 551 +-----------------------------+ |1xx to TU | | 552 | | | | 553 | 1xx V | | 554 | 1xx to TU +-----------+ | | 555 | +---------| | | | 556 | | |Proceeding | | | 557 | +-------->| | | | 558 | +-----------+ 2xx | | 559 | 300-699 | | 2xx to TU | | 560 | ACK sent, +--------+ +---------------+ | 561 | resp. to TU| | | 562 | | | | 563 | V V | 564 | +-----------+ +----------+ | 565 +------------->| |Transport Err. | | | 566 | Completed |Inform TU | Accepted | | 567 +--| |-------+ | |-+ | 568 300-699 | +-----------+ | +----------+ | | 569 ACK sent| ^ | | | ^ | | 570 | | | | | | | | 571 +----+ | | | +-----+ | 572 |Timer D fires | Timer M fires| 2xx | 573 |- | - | 2xx to TU | 574 +--------+ | +-----------+ | 575 NOTE: V V V | 576 transitions +------------+ | 577 labeled with | | | 578 the event | Terminated |<-----------------------+ 579 over the action | | 580 to take +------------+ 582 Figure 4: INVITE client transaction 584 8.5. Pages 134 to 135 586 Section 17.2.1 paragraph 4 is replaced with 588 If, while in the "Proceeding" state, the TU passes a 2xx response 589 to the server transaction, the server transaction MUST pass this 590 response to the transport layer for transmission. It is not 591 retransmitted by the server transaction; retransmissions of 2xx 592 responses are handled by the TU. The server transaction MUST then 593 transition to the "Accepted" state. 595 Replace Figure 7 with 596 |INVITE 597 |pass INV to TU 598 INVITE V send 100 if TU won't in 200ms 599 send response+------------+ 600 +--------| |--------+ 101-199 from TU 601 | | | | send response 602 +------->| |<-------+ 603 | Proceeding | 604 | |--------+ Transport Err. 605 | | | Inform TU 606 | |<-------+ 607 +------------+ 608 300-699 from TU | |2xx from TU 609 send response | |send response 610 +--------------+ +------------+ 611 | | 612 INVITE V Timer G fires | 613 send response +-----------+ send response | 614 +--------| |--------+ | 615 | | | | | 616 +------->| Completed |<-------+ INVITE | Transport Err. 617 | | - | Inform TU 618 +--------| |----+ +-----+ | +---+ 619 | +-----------+ | ACK | | v | v 620 | ^ | | - | +------------+ 621 | | | | | | |---+ ACK 622 +----------+ | | +->| Accepted | | to TU 623 Transport Err. | | | |<--+ 624 Inform TU | V +------------+ 625 | +-----------+ | ^ | 626 | | | | | | 627 | | Confirmed | | +-----+ 628 | | | | 2xx from TU 629 Timer H fires | +-----------+ | send response 630 - | | | 631 | | Timer I fires | 632 | | - | Timer L fires 633 | V | - 634 | +------------+ | 635 | | |<----+ 636 +------->| Terminated | 637 | | 638 +------------+ 640 Figure 5: INVITE server transaction 642 Section 17.2.1 - Replace the last paragraph (starting "Once the 643 transaction") with 645 The purpose of the "Accepted" state is to absorb retransmissions 646 of an accepted INVITE request. Any such retransmissions are 647 absorbed entirely within the server transaction. They are not 648 passed up to the TU since any downstream UAS cores that accepted 649 the request have taken responsibility for reliability and will 650 already retransmit their 2xx responses if neccessary. 652 While in the "Accepted" state, if the TU passes a 2xx response, 653 the server transaction MUST pass the response to the transport 654 layer for transmission. 656 When the INVITE server transaction enters the "Accepted" state, 657 Timer L MUST be set to fire in 64*T1 for all transports. This 658 value matches both Timer B in the next upstream client state 659 machine (the amount of time the previous hop will wait for a 660 response when no provisionals have been sent) and the amount of 661 time this (or any downstream) UAS core might be retransmitting the 662 2xx while waiting for an ACK. If an ACK is received while the 663 INVITE server transaction is in the "Accepted" state, then the ACK 664 must be passed up to the TU. If Timer L fires while the INVITE 665 server transaction is in the "Accepted" state, the transaction 666 MUST transition to the "Terminated" state. 668 Once the transaction is in the "Terminated" state, it MUST be 669 destroyed immediately. 671 Section 17.2.4 - Replace the second paragraph with 673 First, the procedures in [4] are followed, which attempt to 674 deliver the response to a backup. If those should all fail, based 675 on the definition of failure in [4], the server transaction SHOULD 676 inform the TU that a failure has occurred, and MUST remain in the 677 current state. 679 Section 18.1.2 - Replace the second paragraph with 680 The client transport uses the matching procedures of Section 681 17.1.3 to attempt to match the response to an existing 682 transaction. If there is a match, the response MUST be passed to 683 that transaction. Otherwise, any element other than a stateless 684 proxy MUST silently discard the response. 686 Section 18.2.1 - Replace the last paragraph with 688 Next, the server transport attempts to match the request to a 689 server transaction. It does so using the matching rules described 690 in Section 17.2.3. If a matching server transaction is found, the 691 request is passed to that transaction for processing. If no match 692 is found, the request is passed to the core, which may decide to 693 construct a new server transaction for that request. 695 Add to Table 4: 697 Timer L 64*T1 Section 17.2.1 Wait time for 698 accepted INVITE 699 request retransmits 701 Timer M 64*T1 Section 17.1.1 Wait time for 702 retransmission of 703 2xx to INVITE or 704 additional 2xx from 705 other branches of 706 a forked INVITE 708 9. IANA Considerations 710 None. 712 10. Security Considerations 714 This document makes two changes to the Session Initiation Protocol to 715 address the error discussed in Section 3. It changes the behavior of 716 both the client and server INVITE transaction state machines, and it 717 changes the way "stray" responses (those that don't match any 718 existing transaction) are handled at transaction stateful elements. 720 The changes to the state machines cause elements to hold onto each 721 accepted INVITE transaction state longer (32 seconds) than what was 722 specified in RFC 3261. This will have a direct impact on the amount 723 of work an attacker leveraging state exhaustion will have to exert 724 against the system. However, this additional state is necessary to 725 achieve correct operation. 727 RFC 3261 required SIP proxies to forward any stray 200 class 728 responses to an INVITE request upstream statelessly. As a result, 729 conformant proxies can be forced to forward packets (that look 730 sufficiently like SIP responses) to destinations of the sender's 731 choosing. Section 3 discusses some of the malicious behavior this 732 enables. This document reverses the stateless forwarding 733 requirement, making it a violation of the specification to forward 734 stray responses. 736 RFC 3261 defines a "stateless proxy" which forwards requests and 737 responses without creating or maintaining any transaction state. The 738 requirements introduced in this document do not change the behavior 739 of these elements in any way. Stateless proxies are inherently 740 vulnerable to the abuses discussed in Section 3. One way operators 741 might mitigate this vulnerability is to carefully control which peer 742 elements can present traffic to a given stateless proxy. 744 The changes introduced by this document are backward-compatible. 745 Transaction behavior will be no less correct, and possible more 746 correct, when only one peer in a transaction implements these 747 changes. Except for the considerations mentioned earlier in this 748 section, introducing elements implementing these changes into 749 deployments with RFC 3261 implementations adds no additional security 750 concerns. 752 11. Acknowledgments 754 Pekka Pessi reported the improper handling of INVITE retransmissions. 755 Brett Tate performed a careful review uncovering the need for the 756 Accepted state and Timer M in the client transaction state machine. 757 Jan Kolomaznik noticed that a server transaction should let a TU know 758 about transport errors when it attempts to send a 200-class response. 759 Michael Procter corrected several nits. 761 12. References 763 12.1. Normative References 765 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 766 Requirement Levels", BCP 14, RFC 2119, March 1997. 768 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 769 A., Peterson, J., Sparks, R., Handley, M., and E. 770 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 771 June 2002. 773 12.2. Informative References 775 [I-D.drage-sip-essential-correction] 776 Drage, K., "A Process for Handling Essential Corrections 777 to the Session Initiation Protocol (SIP)", 778 draft-drage-sip-essential-correction-03 (work in 779 progress), July 2008. 781 Authors' Addresses 783 Robert Sparks 784 Tekelec 785 17210 Campbell Road 786 Suite 250 787 Dallas, Texas 75252 788 USA 790 Email: RjS@nostrum.com 792 Theo Zourzouvillys 793 VoIP.co.uk 794 Commerce House 795 Telford Rd 796 Bicester, Oxfordshire OX26 6BU 797 UK 799 Email: theo@crazygreek.co.uk