idnits 2.17.1 draft-ietf-sipping-policy-package-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 17. -- Found old boilerplate from RFC 3978, Section 5.5 on line 767. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 778. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 785. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 791. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'SHOULD not' in this paragraph: If the subscriber receives a NOTIFY indicating that the session has been rejected, it MUST NOT attempt to establish this session. The notifier may still keep up the subscription after rejecting a session and may send an updated policy decision to the subscriber at a later time. This is useful, for example, if the session was rejected due to a temporary shortage of resources and the notifier expects that this problem to be resolved shortly. In this case, the subscriber SHOULD not terminate the subscription to session-specific policies. If the notifier has terminated the subscription after rejecting the session, the subscriber SHOULD NOT try to re-subscribe for the same session. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (October 21, 2006) is 6396 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2246 (ref. '2') (Obsoleted by RFC 4346) == Outdated reference: A later version (-16) exists of draft-ietf-sipping-media-policy-dataset-02 ** Obsolete normative reference: RFC 3265 (ref. '4') (Obsoleted by RFC 6665) == Outdated reference: A later version (-10) exists of draft-ietf-sip-session-policy-framework-00 -- Obsolete informational reference (is this intentional?): RFC 2327 (ref. '9') (Obsoleted by RFC 4566) Summary: 5 errors (**), 0 flaws (~~), 6 warnings (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 SIPPING Working Group V. Hilt 3 Internet-Draft Bell Labs/Lucent Technologies 4 Expires: April 24, 2007 G. Camarillo 5 Ericsson 6 October 21, 2006 8 A Session Initiation Protocol (SIP) Event Package for Session-Specific 9 Session Policies. 10 draft-ietf-sipping-policy-package-02 12 Status of this Memo 14 By submitting this Internet-Draft, each author represents that any 15 applicable patent or other IPR claims of which he or she is aware 16 have been or will be disclosed, and any of which he or she becomes 17 aware will be disclosed, in accordance with Section 6 of BCP 79. 19 Internet-Drafts are working documents of the Internet Engineering 20 Task Force (IETF), its areas, and its working groups. Note that 21 other groups may also distribute working documents as Internet- 22 Drafts. 24 Internet-Drafts are draft documents valid for a maximum of six months 25 and may be updated, replaced, or obsoleted by other documents at any 26 time. It is inappropriate to use Internet-Drafts as reference 27 material or to cite them other than as "work in progress." 29 The list of current Internet-Drafts can be accessed at 30 http://www.ietf.org/ietf/1id-abstracts.txt. 32 The list of Internet-Draft Shadow Directories can be accessed at 33 http://www.ietf.org/shadow.html. 35 This Internet-Draft will expire on April 24, 2007. 37 Copyright Notice 39 Copyright (C) The Internet Society (2006). 41 Abstract 43 This specification defines a Session Initiation Protocol (SIP) event 44 package for session-specific policies. This event package enables 45 user agents to subscribe to session policies for a SIP session and to 46 receive notifications if these policies change. 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 51 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 52 3. Event Package Formal Definition . . . . . . . . . . . . . . . 4 53 3.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 4 54 3.2. Event Package Parameters . . . . . . . . . . . . . . . . . 4 55 3.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 4 56 3.4. Subscription Duration . . . . . . . . . . . . . . . . . . 5 57 3.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 5 58 3.6. Subscriber generation of SUBSCRIBE requests . . . . . . . 6 59 3.7. Notifier processing of SUBSCRIBE requests . . . . . . . . 8 60 3.8. Notifier generation of NOTIFY requests . . . . . . . . . . 9 61 3.9. Subscriber processing of NOTIFY requests . . . . . . . . . 10 62 3.10. Handling of forked requests . . . . . . . . . . . . . . . 10 63 3.11. Rate of notifications . . . . . . . . . . . . . . . . . . 11 64 3.12. State Agents . . . . . . . . . . . . . . . . . . . . . . . 11 65 3.13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 11 66 4. Security Considerations . . . . . . . . . . . . . . . . . . . 14 67 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 68 5.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 15 69 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 16 70 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 71 6.1. Normative References . . . . . . . . . . . . . . . . . . . 16 72 6.2. Informative References . . . . . . . . . . . . . . . . . . 16 73 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17 74 Intellectual Property and Copyright Statements . . . . . . . . . . 18 76 1. Introduction 78 The Framework for Session Initiation Protocol (SIP) [5] Session 79 Policies [7] specifies a protocol framework that enables a proxy to 80 define and impact policies on sessions such as the codecs or media 81 types to be used. This draft identifies two types of session 82 policies: session-specific and session-independent policies. 83 Session-specific policies are policies that are created for one 84 particular session, based on the session description of this session. 85 They enable a network intermediary to inspect the session description 86 a UA is proposing and to return a policy specifically generated for 87 this session description. For example, an intermediary could open 88 pinholes in a firewall/NAT for each media stream in a session and 89 return a policy that replaces the internal IP addresses and ports 90 with external ones. Since session-specific policies are tailored to 91 a session, they only apply to the session they are created for. A 92 user agent requests session-specific policies on a session-by-session 93 basis at the time a session is created and the session description is 94 known. Session-independent policies on the other hand are policies 95 that are created independent of a session and generally apply to all 96 the SIP sessions set up by a user agent (see [7]). 98 The Framework for SIP Session Policies [7] defines a mechanism that 99 enables UAs to discover the URIs of session-specific policy servers. 100 This specification defines a SIP event package [4] that enables UAs 101 to subscribe to session-specific policies on a policy server. 102 Subscribing to session-specific policies involves the following steps 103 (see [7]): 105 1. A user agent submits the details of the session it is trying to 106 establish to the policy server and asks whether a session using 107 these parameters is permissible. For example, a user agent might 108 propose a session that contains the media types audio and video. 109 2. The policy server generates a policy decision for this session 110 and returns the decision to the user agent. Possible policy 111 decisions are (1) to deny the session, (2) to propose changes to 112 the session parameters with which the session would be 113 acceptable, or (3) to accept the session as it was proposed. An 114 example for a policy decision is to disallow the use of video but 115 agree to all other aspects of the proposed session. 116 3. The policy server can update the policy decision at a later time. 117 A policy decision update can, for example, require additional 118 changes to the session (e.g. because the available bandwidth has 119 changed) or deny a previously accepted session (i.e. disallow the 120 continuation of a session). 122 The event package for session-specific policies enables a user agent 123 to subscribe to the policies for a SIP session following the above 124 model. The subscriber initiates a subscription by submitting the 125 details of the session it is trying to establish to the notifier 126 (i.e. the policy server) in the body of a SUBSCRIBE request. The 127 notifier uses this information to determine the policy decision for 128 this session. It conveys the initial policy decision to the 129 subscriber in a NOTIFY and all changes to this decision in subsequent 130 NOTIFYs. 132 2. Terminology 134 In this document, the key words "MUST", "MUST NOT", "REQUIRED", 135 "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT 136 RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as 137 described in BCP 14, RFC 2119 [1] and indicate requirement levels for 138 compliant implementations. 140 3. Event Package Formal Definition 142 This document provides the details for defining a SIP event package 143 as required by RFC 3265 [4]. 145 3.1. Event Package Name 147 The name of the event package defined in this specification is 148 "session-spec-policy". 150 3.2. Event Package Parameters 152 This package defines the optional event package parameter "local- 153 only". This parameter is only defined for NOTIFY requests and MUST 154 be ignored if received in a SUBSCRIBE request. The usage of the 155 "local-only" parameter is described in Section 3.3, Section 3.8 and 156 Section 3.9. 158 3.3. SUBSCRIBE Bodies 160 A SUBSCRIBE for this event package MUST contain a body that describes 161 a SIP session. The purpose of this body is to enable the notifier to 162 generate the policies the subscriber is interested in. In this event 163 package, the Request-URI, the event package name and event parameters 164 are not sufficient to determine the resource a subscription is for. 165 However, with the session description in the SUBSCRIBE body, the 166 notifier can generate the requested policy decision and create policy 167 events for this resource. 169 All subscribers and notifiers MUST support the MIME type 170 "application/session-policy+xml" as defined in the User Agent Profile 171 Data Set for Media Policy [3]. The "application/session-policy+xml" 172 format is the default format for SUBSCRIBE bodies in this event 173 package. Subscribers and notifiers MAY negotiate the use of other 174 formats capable of representing a session. 176 Note: encoding the local and remote session description in the 177 Media Policy [3] format has a number of advantages compared to the 178 use of the SDP [9] format in SUBSCRIBE bodies: i) the Media Policy 179 format is more flexible and allows the inclusion of information 180 that can't be expressed in SDP (e.g. the target URI), ii) the 181 Media Policy format enables the encoding of local and remote 182 session descriptions in a single document (not requiring the use 183 of MIME multipart and new content disposition types), and iii) it 184 aligns the formats used for session-specific and session- 185 independent policies. A drawback is that it requires the UA to 186 generate encode SDP and session information in Media Policy 187 documents. 189 3.4. Subscription Duration 191 A subscription to the session-specific policy package is usually 192 established at the beginning of a session and terminated when the 193 corresponding session ends. A typical duration of a phone call is a 194 few minutes. 196 Since the duration of a subscription to the session-specific policy 197 package is related to the lifetime of the corresponding session, the 198 value for the duration of a subscription is largely irrelevant. 199 However, it SHOULD be longer than the typical duration of a session. 200 The default subscription duration for this event package is set to 201 two hours. 203 A subscription MAY be terminated before a session ends by the 204 notifier. For example, a notifier may terminate the subscription 205 after the initial policy notification has been sent to the subscriber 206 if it knows that these policies will not change during the session. 207 A subscriber MUST NOT terminate a subscription unless it is 208 terminating the session this subscription is for. 210 3.5. NOTIFY Bodies 212 In this event package, the body of a notification contains the 213 session policy requested by the subscriber. All subscribers and 214 notifiers MUST support the format "application/session-policy+xml" 215 [3] as a format for NOTIFY bodies. 217 The SUBSCRIBE request MAY contain an Accept header field. If no such 218 header field is present, it has a default value of "application/ 219 session-policy+xml". If the header field is present, it MUST include 220 "application/session-policy+xml", and MAY include any other MIME type 221 capable of representing session-specific policies. As defined RFC 222 3265 [4], the body of notifications MUST be in one of the formats 223 defined in the Accept header of the SUBSCRIBE request or in the 224 default format. 226 If the notifier uses the same format in NOTIFY bodies that was used 227 by the subscriber in the SUBSCRIBE body (e.g. "application/ 228 session-policy+xml"), the notifier can expect that the subscriber 229 supports all format extensions that were used in the SUBSCRIBE body. 230 The notifier cannot assume that the subscriber supports other 231 extensions beyond that and SHOULD NOT use such extensions. 233 If the SUBSCRIBE request contained a representation of the local 234 session description and the subscription was accepted, then the 235 NOTIFY body MUST contain a policy for the local session description. 236 If the SUBSCRIBE request of an accepted subscription contained the 237 local and the remote session description, then the NOTIFY body MUST 238 contain two policies, one for the local and one for the remote 239 session description. 241 3.6. Subscriber generation of SUBSCRIBE requests 243 The subscriber follows the general rules for generating SUBSCRIBE 244 requests defined in [4]. The subscriber MUST include enough 245 information in the SUBSCRIBE body to accurately describe the session 246 for which it seeks to receive session-specific policies. It MUST use 247 the most recent session description if multiple versions are 248 available. 250 OPEN ISSUE: how much information should a UA disclose to the 251 policy server. In general, it seems desirable that the UA always 252 discloses all elements in the session description that can be 253 mapped to the media data set format and a few extra fields (e.g. 254 request URI, session ID). This may require guidelines for 255 building media policy data set the documents. 257 Subscriptions to this event package are typically created in 258 conjunction with an SDP offer/answer exchange [8] during the 259 establishment of a session (see [7]). If used with an offer/answer 260 exchange, the subscriber MUST insert the representation of the local 261 session description in the SUBSCRIBE body. The local session 262 description is the one that was created by the subscriber (e.g. the 263 offer if the subscriber has initiated the offer/answer exchange). 264 Under certain circumstances, a UA may not have a session description 265 when subscribing to session-specific policies, for example, when it 266 is composing an empty INVITE request (i.e. an INVITE request that 267 does not contain an offer). In these cases, a UA SHOULD establish a 268 subscription without including a representation of the local session 269 description. The UA MUST send another SUBSCRIBE request that 270 contains this session description as soon as the session description 271 becomes available, for example, because the UA has received a 200 OK 272 to an empty INVITE request. A policy server can choose to admit a 273 session only after the UA has disclosed the session descriptions. 275 The subscriber SHOULD also include a representation of the remote 276 session description in the SUBSCRIBE body. The remote session 277 description is the one the subscriber has received (i.e. the answer 278 if the subscriber has initiated the offer/answer exchange). In some 279 scenarios, the remote session description is not available to the 280 subscriber at the time the subscription to session-specific policies 281 is established. In this case, the initial SUBSCRIBE message SHOULD 282 only contain a representation of the local session description. When 283 the remote description becomes available, the subscriber SHOULD 284 refresh the subscription by sending another SUBSCRIBE request, which 285 then contains the local and the remote session description, unless 286 the subscriber has received a NOTIFY with the "local-only" parameter. 287 This parameter indicates that the notifier does not need to see the 288 remote session description. 290 A user agent can change the session description of an ongoing 291 session. A change in the session description will typically affect 292 the policy decisions for this session. A subscriber MUST refresh the 293 subscription to session-specific policies every time the session 294 description of a session changes. It does so by sending a SUBSCRIBE 295 request, which contains the details of the updated session 296 descriptions. 298 A subscriber may receive a error that indicates a server failure in 299 response to a SUBSCRIBE request. In this case, the subscriber SHOULD 300 try to locate an alternative server, for example, using the 301 procedures described in [6]. If no alternative server can be 302 located, the subscriber MAY continue with the session for which it 303 wanted to receive session-specific policies without subscribing to 304 session-specific policies. This is to avoid that a failed policy 305 server prevents a UA from setting up or continuing with a session. 306 Since the sessions created by the UA may not be policy compliant 307 without this subscription, they may be blocked by policy enforcement 308 mechanisms if they are in place. 310 Session policies can contain sensitive information. Moreover, policy 311 decisions can significantly impact the behavior of a user agent. A 312 user agent should therefore verify the identity of a policy server 313 and make sure that policies have not been altered in transit. All 314 implementations of this package MUST support TLS [2] and the SIPS URI 315 scheme. A subscriber SHOULD use SIPS URIs when subscribing to 316 session-specific policies so that policies are transmitted over TLS. 317 See Section 4. 319 3.7. Notifier processing of SUBSCRIBE requests 321 All subscriptions to session-specific policies SHOULD be 322 authenticated and authorized before approval. The notifier SHOULD 323 authenticate the subscriber using any of the techniques available 324 through SIP, including digest, S/MIME, TLS or other transport 325 specific mechanisms. Administrators SHOULD use a SIPS URI as a 326 policy server URI. See Section 4. 328 The authorization policy is at the discretion of the administrator. 329 In general, all users SHOULD be allowed to subscribe to the session- 330 specific policies of their sessions. A subscription to this event 331 package will typically be established by a device that needs to know 332 about the policies for its sessions. However, subscriptions may also 333 be established by applications (e.g. a conference server). In those 334 cases, an authorization policy will typically be provided for these 335 applications. 337 Responding in a timely manner to a SUBSCRIBE request is crucial for 338 this event package. A notifier must minimize the time needed for 339 processing SUBSCRIBE requests and generating the initial NOTIFY. 340 This includes minimizing the time needed to generate an initial 341 policy decision. A short response time is in particular important 342 for this event package since it minimizes the delay for fetching 343 policies during an INVITE transaction and therefore reduces call 344 setup time. In addition, subscriptions to session-specific policies 345 can be established while the subscriber is in an INVITE transaction 346 at a point where it has received the 200 OK but before sending the 347 ACK. Delaying the creation of the initial NOTIFY would delay the 348 transmission of the ACK. A more detailed discussion of this scenario 349 can be found in [7]. 351 A subscriber may not have disclosed enough information in the 352 SUBSCRIBE request to enable the notifier to generate a policy 353 decision. For example, if a UA may have subscribed to session- 354 specific policies without including the representation of a session 355 description. The policy server SHOULD accept such a subscription. 356 However, it SHOULD generate a NOTIFY request within the subscription 357 that indicates that a policy decision could not be made due to 358 insufficient information. This can be expressed by either generating 359 a NOTIFY request with an empty body or by inserting a corresponding 360 policy decision document into the NOTIFY body. 362 OPEN ISSUE: in the latter case, the policy document needs to be 363 able to express that the policy decision is still pending due to 364 insufficient information. 366 3.8. Notifier generation of NOTIFY requests 368 A notifier sends a notification in response to SUBSCRIBE requests as 369 defined in RFC 3265 [4]. In addition, a notifier MAY send a 370 notification at any time during the subscription. Typically, it will 371 send one every time the policy decision this subscription is for has 372 changed. When and why a policy decision changes is entirely at the 373 discretion of the administrator. A policy decision can change for 374 many reasons. For example, a network may become congested due to an 375 increase in traffic and reduces the bandwidth available to an 376 individual user. Another example is a session that has been started 377 during "business hours" and continues into "evening hours" where more 378 bandwidth or video sessions are available to the user according to 379 the service level agreement. 381 Policy decisions are expressed in the format negotiated for the 382 NOTIFY body (e.g. "application/session-policy+xml"). The policy 383 document in a NOTIFY body MUST represent a complete policy decision. 384 Notifications that contain the deltas to previous policy decisions or 385 partial policy decisions are not supported in this event package. 387 The notifier SHOULD terminate the subscription if the policy decision 388 is to reject a session and if it can be expected that this decision 389 will not change in the foreseeable future. The notifier SHOULD keep 390 the subscription alive, if it rejects a session but expects that the 391 session can be admitted at a later point in time. For example, if 392 the session was rejected due to a temporary shortage of resources and 393 the notifier expects that these resources will become available again 394 shortly it should keep the subscription alive. A session is admitted 395 by returning a policy decision document that requires some or no 396 changes to the session. 398 If the notifier has not received enough information to make a policy 399 decision from the subscriber (e.g. because it did not receive a 400 session description), it SHOULD NOT terminate the subscription since 401 it can be expected that the UA refreshes the subscription with a 402 SUBSCRIBE request that contains more information. It SHOULD generate 403 a NOTIFY request with an empty body or with a body that contains a 404 policy decision document indicating that the decision could not be 405 made. 407 Some session-specific policies do not require the disclosure of the 408 remote session description to the notifier. If a notifier determines 409 that this is the case after receiving a SUBSCRIBE request, it MAY 410 include the "local-only" event parameter in NOTIFY requests. 412 3.9. Subscriber processing of NOTIFY requests 414 A subscriber MUST apply the policy decision received in a NOTIFY to 415 the session associated with this subscription. If the UA decides not 416 to apply the received policy decision, it MUST NOT set up the session 417 and MUST terminate the session if it is already in progress. If the 418 UA has a pending INVITE transaction for this session, it MUST cancel 419 or reject the INVITE request. 421 If the subscriber receives a NOTIFY indicating that the session has 422 been rejected, it MUST NOT attempt to establish this session. The 423 notifier may still keep up the subscription after rejecting a session 424 and may send an updated policy decision to the subscriber at a later 425 time. This is useful, for example, if the session was rejected due 426 to a temporary shortage of resources and the notifier expects that 427 this problem to be resolved shortly. In this case, the subscriber 428 SHOULD not terminate the subscription to session-specific policies. 429 If the notifier has terminated the subscription after rejecting the 430 session, the subscriber SHOULD NOT try to re-subscribe for the same 431 session. 433 The subscriber may receive a NOTIFY which indicates that the 434 SUBSCRIBER request did not contain enough information. The 435 subscriber SHOULD re-subscribe with more complete information as soon 436 as the missing information (e.g. the session description) is 437 available. 439 A subscriber may receive an update to a policy decision for a session 440 that is already established. The subscriber MUST apply the new 441 policy decision to this session. If a UA decides that it does not 442 want to apply the new policy decision, it MUST terminate the session. 443 An updated policy decision may require the UA generate a re-INVITE or 444 UPDATE request in this session if the session description has changed 445 or it may need to terminate this session. A policy update that 446 requires a UA to terminate a session can, for example, be triggered 447 by the users account running out of credit or the detection of an 448 emergency that requires the termination of non-emergency calls. 450 If the subscriber receives a NOTIFY that contains the "local-only" 451 event parameter, it SHOULD NOT include the remote session description 452 in subsequent SUBSCRIBE requests within this subscription. 454 3.10. Handling of forked requests 456 This event package allows the creation of only one dialog as a result 457 of an initial SUBSCRIBE request. The techniques to achieve this 458 behavior are described in [4]. 460 3.11. Rate of notifications 462 It is anticipated that the rate of policy changes will be very low. 463 In any case, notifications SHOULD NOT be generated at a rate of more 464 than once every five seconds. 466 3.12. State Agents 468 State agents play no role in this package. 470 3.13. Examples 472 The following message flow illustrates how a user agent (Alice's 473 phone) can subscribe to session-specific policies when establishing a 474 call (here to Bob's phone). The flow assumes that the user agent has 475 already received the policy server URI (e.g. through configuration or 476 as described in [7]) and it does not show messages for authentication 477 on a transport or SIP level. 479 These call flow examples are informative and not normative. 480 Implementers should consult the main text of this document for exact 481 protocol details. 483 Policy Server Alice Bob 484 | | | 485 |(1) SUBSCRIBE | | 486 |<------------------| | 487 |(2) 200 OK | | 488 |------------------>| | 489 |(3) NOTIFY | | 490 |------------------>| | 491 |(4) 200 OK | | 492 |<------------------| | 493 | |(5) INVITE | 494 | |------------------>| 495 | | | 496 | |(6) 200 OK | 497 | |<------------------| 498 | |(7) ACK | 499 | |------------------>| 500 |(8) SUBSCRIBE | | 501 |<------------------| | 502 |(9) 200 OK | | 503 |------------------>| | 504 |(10) NOTIFY | | 505 |------------------>| | 506 |(11) 200 OK | | 507 |<------------------| | 508 | | | 510 Message Details 512 (1) SUBSCRIBE Alice -> Policy Server 514 SUBSCRIBE sips:policy@biloxi.example.com SIP/2.0 515 Via: SIP/2.0/TLS pc.biloxi.example.com:5061 516 ;branch=z9hG4bK74bf 517 Max-Forwards: 70 518 From: Alice ;tag=8675309 519 To: PS 520 Call-ID: rt4353gs2egg@pc.biloxi.example.com 521 CSeq: 1 SUBSCRIBE 522 Contact: 523 Expires: 7200 524 Event: session-spec-policy 525 Accept: application/session-policy+xml 526 Content-Type: application/session-policy+xml 527 Content-Length: ... 529 [Local session description (offer)] 531 (2) 200 OK Policy Server -> Alice 533 (3) NOTIFY Policy Server -> Alice 535 NOTIFY sips:alice@pc.biloxi.example.com SIP/2.0 536 Via: SIP/2.0/TLS srvr.biloxi.example.com:5061 537 ;branch=z9hG4bK74br 538 Max-Forwards: 70 539 From: PS ;tag=31451098 540 To: Alice ;tag=8675309 541 Call-ID: rt4353gs2egg@pc.biloxi.example.com 542 CSeq: 1 NOTIFY 543 Event: session-spec-policy 544 Subscription-State: active;expires=7200 545 Content-Type: application/session-policy+xml 546 Content-Length: ... 548 [Policy for local session description (offer)] 549 (4) 200 OK Alice -> Policy Server 551 (5) INVITE Alice -> Bob 553 (6) 200 OK Bob -> Alice 555 (7) ACK Alice -> Bob 557 (8) SUBSCRIBE Alice -> Policy Server 559 SUBSCRIBE sips:policy@biloxi.example.com SIP/2.0 560 Via: SIP/2.0/TLS pc.biloxi.example.com:5061 561 ;branch=z9hG4bKna998sl 562 Max-Forwards: 70 563 From: Alice ;tag=8675309 564 To: PS ;tag=31451098 565 Call-ID: rt4353gs2egg@pc.biloxi.example.com 566 CSeq: 2 SUBSCRIBE 567 Expires: 7200 568 Event: session-spec-policy 569 Accept: application/session-policy+xml 570 Content-Type: application/session-policy+xml 571 Content-Length: ... 573 [Local session description (offer)] 574 [Remote session description (answer)] 576 (9) 200 OK Policy Server -> Alice 578 (10) NOTIFY Policy Server -> Alice 580 NOTIFY sips:alice@pc.biloxi.example.com SIP/2.0 581 Via: SIP/2.0/TLS srvr.biloxi.example.com:5061 582 ;branch=z9hG4bKna998sk 583 Max-Forwards: 70 584 From: PS ;tag=31451098 585 To: Alice ;tag=8675309 586 Call-ID: rt4353gs2egg@pc.biloxi.example.com 587 CSeq: 2 NOTIFY 588 Event: session-spec-policy 589 Subscription-State: active;expires=7200 590 Content-Type: application/session-policy+xml 591 Content-Length: ... 593 [Policy for local session description (offer)] 594 [Policy for remote session description (answer)] 595 F6 200 OK Alice -> Policy Server 597 4. Security Considerations 599 Session policies can significantly change the behavior of a user 600 agent and can therefore be used by an attacker to compromise a user 601 agent. For example, session policies can be used to prevent a user 602 agent from successfully establishing a session (e.g. by setting the 603 available bandwidth to zero). Such a policy can be submitted to the 604 user agent during a session, which will cause the UA to terminate the 605 session. 607 A user agent transmits session information to a policy server. This 608 session information may contain sensitive data the user may not want 609 an eavesdropper or an unauthorized policy server to see. In 610 particular, the session information may contain the encryption keys 611 for media streams. Vice versa, session policies may also contain 612 sensitive information about the network or service level agreements 613 the service provider may not want to disclose to an eavesdropper or 614 an unauthorized user agent. 616 It is therefore important to secure the communication between the 617 user agent and the policy server. The following three discrete 618 attributes need to be protected: 620 1. mutual authentication between the user agent and the policy 621 server, 622 2. confidentiality of the messages exchanged between the user agent 623 and the policy server and 624 3. ensuring that private information is not exchanged between the 625 two parties, even over an confidentiality-assured and 626 authenticated session. 628 The confidentiality of the messages exchanged between the two parties 629 can be protected by encrypting the data stream through a TLS session 630 using the cipher suites specified in [5]. 632 Accordingly, policy servers SHOULD be addressable only through a SIPS 633 URI and it MUST support TLS. In order to send a subscription to the 634 policy server, the user agent MUST support TLS, although it does not 635 need to possess a certificate. In such a case, the policy server 636 SHOULD authenticate the UA using HTTP Digest. The confidentiality of 637 the communication between the policy server and the user agent will 638 be assured as long as the policy server supports TLS and is reached 639 through a SIPS URI. 641 Authenticating the two parties can performed using X.509 certificates 642 exchanged through TLS and other techniques such as HTTP Digest. When 643 the user agent establishes a TLS session with the policy server, the 644 policy server will present it a X.509 certificate. The user agent 645 SHOULD ensure that the identity of the policy server encoded in the 646 certificate matches the URI that the user received when it used the 647 Framework for SIP Session Policies [7] to retrieve a URI of a 648 session-specific policy server. 650 Likewise, when a policy server receives a new subscription (as 651 opposed to a refresh subscription), it should authenticate the user 652 agent using any means at its disposal. If the user agent has a TLS 653 certificate, the identity of the user agent SHOULD be contained in 654 the certificate, or if the user agent does not possess a certificate, 655 the policy server SHOULD challenge the user agent using HTTP Digest. 657 And finally, the fact that the user agent and the policy server have 658 successfully authenticated each other and have established a secure 659 TLS session does not absolve either one from ensuring that they do 660 not communicate sensitive information. For example, a session 661 description may contain sensitive information -- session keys, for 662 example -- that the user agent may not want to share with the policy 663 server; and indeed, the policy server does not need such information 664 to effectively formulate a policy. Thus, the user agent should not 665 insert such sensitive information in a policy document that it sends 666 to the policy server. Likewise, the policy server may have 667 information that is sensitive and of no use to the user agent -- 668 network service level agreements, or network statistics, for example. 669 Thus, the policy server should refrain from transmitting such 670 information to the user agent. 672 5. IANA Considerations 674 5.1. Event Package Name 676 This specification registers an event package, based on the 677 registration procedures defined in RFC 3265 [2]. The following is 678 the information required for such a registration: 680 Package Name: session-spec-policy 682 Package or Template-Package: This is a package. 684 Published Document: RFC XXXX (Note to RFC Editor: Please fill in XXXX 685 with the RFC number of this specification). 687 Person to Contact: Volker Hilt, volkerh@bell-labs.com. 689 Appendix A. Acknowledgements 691 Many thanks to Jonathan Rosenberg for the many discussions and 692 suggestions for this draft, to Roni Even, Bob Penfield, Mary Barnes 693 and Shida Schubert for reviewing the draft and providing feedback and 694 to Vijay Gurbani for the comments and input to the security 695 considerations section. 697 6. References 699 6.1. Normative References 701 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement 702 Levels", BCP 14, RFC 2119, March 1997. 704 [2] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", 705 RFC 2246, January 1999. 707 [3] Hilt, V., Camarillo, G., and J. Rosenberg, "A User Agent Profile 708 Data Set for Media Policy", 709 draft-ietf-sipping-media-policy-dataset-02 (work in progress), 710 October 2006. 712 [4] Roach, A., "Session Initiation Protocol (SIP)-Specific Event 713 Notification", RFC 3265, June 2002. 715 [5] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., 716 Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: 717 Session Initiation Protocol", RFC 3261, June 2002. 719 [6] Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol 720 (SIP): Locating SIP Servers", RFC 3263, June 2002. 722 [7] Hilt, V., Camarillo, G., and J. Rosenberg, "A Framework for 723 Session Initiation Protocol (SIP) Session Policies", 724 draft-ietf-sip-session-policy-framework-00 (work in progress), 725 October 2006. 727 6.2. Informative References 729 [8] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model with 730 Session Description Protocol (SDP)", RFC 3264, June 2002. 732 [9] Handley, M. and V. Jacobson, "SDP: Session Description 733 Protocol", RFC 2327, April 1998. 735 Authors' Addresses 737 Volker Hilt 738 Bell Labs/Lucent Technologies 739 101 Crawfords Corner Rd 740 Holmdel, NJ 07733 741 USA 743 Email: volkerh@bell-labs.com 745 Gonzalo Camarillo 746 Ericsson 747 Hirsalantie 11 748 Jorvas 02420 749 Finland 751 Email: Gonzalo.Camarillo@ericsson.com 753 Full Copyright Statement 755 Copyright (C) The Internet Society (2006). 757 This document is subject to the rights, licenses and restrictions 758 contained in BCP 78, and except as set forth therein, the authors 759 retain all their rights. 761 This document and the information contained herein are provided on an 762 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 763 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 764 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 765 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 766 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 767 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 769 Intellectual Property 771 The IETF takes no position regarding the validity or scope of any 772 Intellectual Property Rights or other rights that might be claimed to 773 pertain to the implementation or use of the technology described in 774 this document or the extent to which any license under such rights 775 might or might not be available; nor does it represent that it has 776 made any independent effort to identify any such rights. Information 777 on the procedures with respect to rights in RFC documents can be 778 found in BCP 78 and BCP 79. 780 Copies of IPR disclosures made to the IETF Secretariat and any 781 assurances of licenses to be made available, or the result of an 782 attempt made to obtain a general license or permission for the use of 783 such proprietary rights by implementers or users of this 784 specification can be obtained from the IETF on-line IPR repository at 785 http://www.ietf.org/ipr. 787 The IETF invites any interested party to bring to its attention any 788 copyrights, patents or patent applications, or other proprietary 789 rights that may cover technology that may be required to implement 790 this standard. Please address the information to the IETF at 791 ietf-ipr@ietf.org. 793 Acknowledgment 795 Funding for the RFC Editor function is provided by the IETF 796 Administrative Support Activity (IASA).