idnits 2.17.1 draft-ietf-sipping-policy-package-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See https://trustee.ietf.org/license-info/) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'SHOULD not' in this paragraph: The notifier may keep up the subscription after rejecting a session to indicate that it may send an updated policy decision for this session to the subscriber at a later time. This is useful, for example, if the session was rejected due to a temporary shortage of resources and the notifier expects that this problem to be resolved shortly. In another example, the session was rejected because it was attempted in a restricted period during the day but this period is going to end soon. In this case, the subscriber SHOULD not terminate the subscription to session-specific policies. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 23, 2010) is 5146 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-10) exists of draft-ietf-sip-session-policy-framework-07 == Outdated reference: A later version (-16) exists of draft-ietf-sipping-media-policy-dataset-09 ** Obsolete normative reference: RFC 3265 (Obsoleted by RFC 6665) ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) -- Obsolete informational reference (is this intentional?): RFC 4566 (Obsoleted by RFC 8866) Summary: 3 errors (**), 0 flaws (~~), 4 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 SIPPING Working Group V. Hilt 3 Internet-Draft Bell Labs/Alcatel-Lucent 4 Intended status: Standards Track G. Camarillo 5 Expires: September 24, 2010 Ericsson 6 March 23, 2010 8 A Session Initiation Protocol (SIP) Event Package for Session-Specific 9 Session Policies. 10 draft-ietf-sipping-policy-package-08 12 Abstract 14 This specification defines a Session Initiation Protocol (SIP) event 15 package for session-specific policies. This event package enables 16 user agents to subscribe to session policies for a SIP session and to 17 receive notifications if these policies change. 19 Status of this Memo 21 This Internet-Draft is submitted to IETF in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF), its areas, and its working groups. Note that 26 other groups may also distribute working documents as Internet- 27 Drafts. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 The list of current Internet-Drafts can be accessed at 35 http://www.ietf.org/ietf/1id-abstracts.txt. 37 The list of Internet-Draft Shadow Directories can be accessed at 38 http://www.ietf.org/shadow.html. 40 This Internet-Draft will expire on September 24, 2010. 42 Copyright Notice 44 Copyright (c) 2010 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 61 3. Event Package Formal Definition . . . . . . . . . . . . . . . 4 62 3.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 4 63 3.2. Event Package Parameters . . . . . . . . . . . . . . . . . 4 64 3.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 5 65 3.4. Subscription Duration . . . . . . . . . . . . . . . . . . 5 66 3.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 6 67 3.6. Subscriber generation of SUBSCRIBE requests . . . . . . . 6 68 3.7. Notifier processing of SUBSCRIBE requests . . . . . . . . 8 69 3.8. Notifier generation of NOTIFY requests . . . . . . . . . . 9 70 3.9. Subscriber processing of NOTIFY requests . . . . . . . . . 10 71 3.10. Handling of forked requests . . . . . . . . . . . . . . . 11 72 3.11. Rate of notifications . . . . . . . . . . . . . . . . . . 12 73 3.12. State Agents . . . . . . . . . . . . . . . . . . . . . . . 12 74 3.13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 12 75 4. Security Considerations . . . . . . . . . . . . . . . . . . . 15 76 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 77 5.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 17 78 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17 79 6.1. Normative References . . . . . . . . . . . . . . . . . . . 17 80 6.2. Informative References . . . . . . . . . . . . . . . . . . 18 81 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 18 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18 84 1. Introduction 86 The Framework for Session Initiation Protocol (SIP) [RFC3261] Session 87 Policies [I-D.ietf-sip-session-policy-framework] defines a protocol 88 framework that enables a proxy to define and impact policies on 89 sessions such as the codecs or media types to be used. This 90 framework identifies two types of session policies: session-specific 91 and session-independent policies. Session-specific policies are 92 policies that are created for one particular session, based on the 93 session description of this session. They enable a network 94 intermediary to inspect the session description a UA is proposing and 95 to return a policy specifically generated for this session 96 description. For example, an intermediary could open pinholes in a 97 firewall/NAT for each media stream in a session and return a policy 98 that replaces the internal IP addresses and ports in the session 99 description with external ones. Since session-specific policies are 100 tailored to a session, they only apply to the session they are 101 created for. A user agent requests session-specific policies on a 102 session-by-session basis at the time a session is created and the 103 session description is known. Session-independent policies on the 104 other hand are policies that are created independent of a session and 105 generally apply to all the SIP sessions set up by a user agent. 107 The Framework for SIP Session Policies 108 [I-D.ietf-sip-session-policy-framework] defines a mechanism that 109 enables UAs to discover the URIs of session-specific policy servers. 110 This specification defines a SIP event package [RFC3265] that enables 111 UAs to subscribe to session-specific policies on a policy server. 112 Subscribing to session-specific policies involves the following steps 113 (see the Session Policy Framework 114 [I-D.ietf-sip-session-policy-framework]): 116 1. A user agent submits the details of the session it is trying to 117 establish to the policy server and asks whether a session using 118 these parameters is permissible. For example, a user agent might 119 propose a session that contains the media types audio and video. 120 2. The policy server generates a policy decision for this session 121 and returns the decision to the user agent. Possible policy 122 decisions are (1) to deny the session, (2) to propose changes to 123 the session parameters with which the session would be 124 acceptable, or (3) to accept the session as it was proposed. An 125 example for a policy decision is to disallow the use of video but 126 agree to all other aspects of the proposed session. 127 3. The policy server can update the policy decision at a later time. 128 A policy decision update can require additional changes to the 129 session (e.g., because the available bandwidth has changed) or 130 deny a previously accepted session (i.e., disallow the 131 continuation of a session). 133 The event package for session-specific policies enables a user agent 134 to subscribe to the policies for a SIP session following the above 135 model. The subscriber initiates a subscription by submitting the 136 details of the session it is trying to establish to the notifier 137 (i.e., the policy server) in the body of a SUBSCRIBE request. The 138 notifier uses this information to determine the policy decision for 139 this session. It conveys the initial policy decision to the 140 subscriber in a NOTIFY and all changes to this decision in subsequent 141 NOTIFYs. 143 2. Terminology 145 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 146 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 147 document are to be interpreted as described in RFC 2119 [RFC2119]. 149 3. Event Package Formal Definition 151 This document provides the details for defining a SIP event package 152 as required by RFC 3265 [RFC3265]. 154 3.1. Event Package Name 156 The name of the event package defined in this specification is 157 "session-spec-policy". 159 3.2. Event Package Parameters 161 This package defines the following two event package parameters: 163 local-only: The "local-only" parameter is optional and only defined 164 for NOTIFY requests. The "local-only" parameter indicates that 165 the remote session description is not required by the notifier. 166 It MUST be ignored if received in a SUBSCRIBE request. The usage 167 of the "local-only" parameter is described in Section 3.6, 168 Section 3.8 and Section 3.9. 169 insufficient-info: The "insufficient-info" parameter is optional and 170 only defined for NOTIFY requests. It is used by the notifier to 171 indicate that a policy decision could not be made due to 172 insufficient information. The "insufficient-info" parameter MUST 173 be ignored if received in a SUBSCRIBE request. The usage of the 174 "insufficient-info" parameter is described in Section 3.7, 175 Section 3.8 and Section 3.9. 177 3.3. SUBSCRIBE Bodies 179 A SUBSCRIBE for this event package MUST contain a body that describes 180 a SIP session. The purpose of this body is to enable the notifier to 181 generate the policies the subscriber is interested in. In this event 182 package, the Request-URI, the event package name and event parameters 183 are not sufficient to determine the resource a subscription is for. 184 However, with the session description in the SUBSCRIBE body, the 185 notifier can generate the requested policy decision and create policy 186 events for this resource. 188 All subscribers and notifiers MUST support the MIME type 189 "application/media-policy-dataset+xml" as defined in the User Agent 190 Profile Data Set for Media Policy 191 [I-D.ietf-sipping-media-policy-dataset]. The "application/ 192 media-policy-dataset+xml" format is the default format for SUBSCRIBE 193 bodies in this event package. Subscribers and notifiers MAY 194 negotiate the use of other formats capable of representing a session. 196 Note: It has been proposed to directly use SDP [RFC4566] instead 197 of encoding the session descriptions in the Media Policy 198 [I-D.ietf-sipping-media-policy-dataset] format. However, using a 199 separate format such as the Media Policy format has a number of 200 advantages over the direct use of SDP: i) the Media Policy format 201 is more flexible and allows the inclusion of information that 202 can't be expressed in SDP (e.g., the target URI), ii) the Media 203 Policy format enables the encoding of local and remote session 204 descriptions in a single document (not requiring the use of MIME 205 multipart and new content disposition types), and iii) it aligns 206 the formats used for session-specific and session-independent 207 policies. A drawback is that it requires the UA to encode SDP and 208 session information in Media Policy documents. 210 3.4. Subscription Duration 212 A subscription to the session-specific policy package is usually 213 established at the beginning of a session and terminated when the 214 corresponding session ends. A typical duration of a phone call is a 215 few minutes. 217 Since the duration of a subscription to the session-specific policy 218 package is related to the lifetime of the corresponding session, the 219 value for the duration of a subscription is largely irrelevant. 220 However, the duration SHOULD be longer than the typical duration of a 221 session. The default subscription duration for this event package is 222 set to two hours. 224 A subscription MAY be terminated before a session ends by the 225 notifier. For example, a notifier may terminate the subscription 226 after the initial policy notification has been sent to the subscriber 227 if it knows that these policies will not change during the session. 228 A subscriber MUST NOT terminate a subscription unless it is 229 terminating the session this subscription is for or discovers that 230 the notifier has been removed from the list of policy servers 231 relevant for this session (see the Session Policy Framework 232 [I-D.ietf-sip-session-policy-framework]). A subscriber MUST refresh 233 a subscription with a SUBSCRIBE request before the last SUBSCRIBE 234 request expires to avoid that the subscription times out. 236 3.5. NOTIFY Bodies 238 In this event package, the body of a notification contains the 239 session policy requested by the subscriber. All subscribers and 240 notifiers MUST support the format "application/ 241 media-policy-dataset+xml" [I-D.ietf-sipping-media-policy-dataset] as 242 a format for NOTIFY bodies. 244 The SUBSCRIBE request MAY contain an Accept header field. If no such 245 header field is present, it has a default value of "application/ 246 media-policy-dataset+xml". If the header field is present, it MUST 247 include "application/media-policy-dataset+xml", and MAY include any 248 other MIME type capable of representing session-specific policies. 249 As defined in RFC 3265 [RFC3265], the body of notifications MUST be 250 in one of the formats defined in the Accept header of the SUBSCRIBE 251 request or in the default format. 253 If the notifier uses the same format in NOTIFY bodies that was used 254 by the subscriber in the SUBSCRIBE body (e.g., "application/ 255 media-policy-dataset+xml"), the notifier can expect that the 256 subscriber supports all format extensions that were used in the 257 SUBSCRIBE body. The notifier cannot assume that the subscriber 258 supports other extensions beyond that and SHOULD NOT use such 259 extensions. 261 If the SUBSCRIBE request contained a representation of the local 262 session description and the subscription was accepted, then the 263 NOTIFY body MUST contain a policy for the local session description. 264 If the SUBSCRIBE request of an accepted subscription contained the 265 local and the remote session description, then the NOTIFY body MUST 266 contain two policies, one for the local and one for the remote 267 session description. 269 3.6. Subscriber generation of SUBSCRIBE requests 271 The subscriber follows the general rules for generating SUBSCRIBE 272 requests defined in RFC 3265 [RFC3265]. The subscriber MUST provide 273 sufficient information in the SUBSCRIBE body to fully describe the 274 session for which it seeks to receive session-specific policies. The 275 subscriber MUST use the most recent session description as a basis 276 for this information. 278 If the "application/media-policy-dataset+xml" format is used in 279 SUBSCRIBE bodies, the subscriber MUST provide a value for each field 280 that is defined for session information documents 281 [I-D.ietf-sipping-media-policy-dataset] and for which the subscriber 282 has information available. In other words, the subscriber MUST fill 283 in the elements of a session information document as complete as 284 possible. If the subscriber supports extensions of the "application/ 285 media-policy-dataset+xml" format, the subscriber MUST also provide a 286 value for each field defined by this extension for session 287 information documents, if possible. Providing as much information as 288 possible avoids that a session is rejected due to a lack of session 289 information and the negotiation of the information to be disclosed 290 between notifier and subscriber. 292 Subscriptions to this event package are typically created in 293 conjunction with an SDP offer/answer exchange [RFC3264] during the 294 establishment of a session (see the Session Policy Framework 295 [I-D.ietf-sip-session-policy-framework]). If used with an offer/ 296 answer exchange, the subscriber MUST insert the representation of the 297 local session description in the SUBSCRIBE body. The local session 298 description is the one that was created by the subscriber (e.g., the 299 offer if the subscriber has initiated the offer/answer exchange). 300 Under certain circumstances, a UA may not have a session description 301 when subscribing to session-specific policies, for example, when it 302 is composing an empty INVITE request (i.e., an INVITE request that 303 does not contain an offer). In these cases, a UA SHOULD establish a 304 subscription without including a representation of the local session 305 description. The UA MUST refresh the subscription with a SUBSCRIBE 306 request that contains this session description as soon as the session 307 description becomes available, for example, when the UA receives a 308 200 OK to an empty INVITE request. A policy server can choose to 309 admit a session only after the UA has disclosed the session 310 descriptions. 312 The subscriber SHOULD also include a representation of the remote 313 session description in the SUBSCRIBE body. The remote session 314 description is the one the subscriber has received (i.e., the answer 315 if the subscriber has initiated the offer/answer exchange). In some 316 scenarios, the remote session description is not available to the 317 subscriber at the time the subscription to session-specific policies 318 is established. In this case, the initial SUBSCRIBE message SHOULD 319 only contain a representation of the local session description. When 320 the remote description becomes available, the subscriber SHOULD 321 refresh the subscription by sending another SUBSCRIBE request, which 322 then contains the local and the remote session description, unless 323 the subscriber has received a NOTIFY with the "local-only" parameter. 324 This parameter indicates that the notifier does not need to see the 325 remote session description. 327 A user agent can change the session description of an ongoing 328 session. A change in the session description will typically affect 329 the policy decisions for this session. A subscriber MUST refresh the 330 subscription to session-specific policies every time the session 331 description of a session changes. It does this by sending a 332 SUBSCRIBE request, which contains the details of the updated session 333 descriptions. 335 A subscriber may receive an error that indicates a server failure in 336 response to a SUBSCRIBE request. In this case, the subscriber SHOULD 337 try to locate an alternative server, for example, using the 338 procedures described in [RFC3263]. If no alternative server can be 339 located, the subscriber MAY continue with the session for which it 340 wanted to receive session-specific policies without subscribing to 341 session-specific policies. This is to avoid that a failed policy 342 server prevents a UA from setting up or continuing with a session. 343 Since the sessions created by the UA may not be policy compliant 344 without this subscription, they may be blocked by policy enforcement 345 mechanisms if they are in place. 347 Session policies can contain sensitive information. Moreover, policy 348 decisions can significantly impact the behavior of a user agent. A 349 user agent should therefore verify the identity of a policy server 350 and make sure that policies have not been altered in transit. All 351 implementations of this package MUST support TLS [RFC5246] and the 352 SIPS URI scheme. A subscriber SHOULD use SIPS URIs when subscribing 353 to session-specific policies so that policies are transmitted over 354 TLS. See Section 4. 356 3.7. Notifier processing of SUBSCRIBE requests 358 All subscriptions to session-specific policies SHOULD be 359 authenticated and authorized before approval. However, a policy 360 server may frequently encounter UAs it cannot authenticate. In these 361 cases, the policy server MAY provide a generic policy that does not 362 reveal sensitive information to these UAs. For details see 363 Section 4. 365 The authorization policy is at the discretion of the administrator. 366 In general, all users SHOULD be allowed to subscribe to the session- 367 specific policies of their sessions. A subscription to this event 368 package will typically be established by a device that needs to know 369 about the policies for its sessions. However, subscriptions may also 370 be established by applications (e.g., a conference server). In those 371 cases, an authorization policy will typically be provided for these 372 applications. 374 Responding in a timely manner to a SUBSCRIBE request is crucial for 375 this event package. A notifier must minimize the time needed for 376 processing SUBSCRIBE requests and generating the initial NOTIFY. 377 This includes minimizing the time needed to generate an initial 378 policy decision. A short response time is in particular important 379 for this event package since it minimizes the delay for fetching 380 policies during an INVITE transaction and therefore reduces call 381 setup time. In addition, subscriptions to session-specific policies 382 can be established while the subscriber is in an INVITE transaction 383 at a point where it has received the 200 OK but before sending the 384 ACK. Delaying the creation of the initial NOTIFY would delay the 385 transmission of the ACK. A more detailed discussion of this scenario 386 can be found in the Session Policy Framework 387 [I-D.ietf-sip-session-policy-framework]. 389 A subscriber may not have disclosed enough information in the 390 SUBSCRIBE request to enable the notifier to generate a policy 391 decision. For example, a UA may have subscribed to session-specific 392 policies without including the representation of a session 393 description. The policy server SHOULD accept such a subscription. 394 The policy server SHOULD generate a NOTIFY request that includes the 395 "insufficient-info" event package parameter. A NOTIFY request with 396 this parameter indicates that a policy decision could not be made due 397 to insufficient information. The body of such a NOTIFY request can 398 either be empty or contain a policy decision document that provides 399 hints about which information was missing. 401 3.8. Notifier generation of NOTIFY requests 403 A notifier sends a notification in response to SUBSCRIBE requests as 404 defined in RFC 3265 [RFC3265]. In addition, a notifier MAY send a 405 notification at any time during the subscription. Typically, it will 406 send one every time the policy decision this subscription is for has 407 changed. When and why a policy decision changes is entirely at the 408 discretion of the administrator. A policy decision can change for 409 many reasons. For example, a network may become congested due to an 410 increase in traffic and reduce the bandwidth available to an 411 individual user. Another example is a session that has been started 412 during "business hours" and continues into "evening hours" where more 413 bandwidth or video sessions are available to the user according to 414 the service level agreement. 416 Policy decisions are expressed in the format negotiated for the 417 NOTIFY body (e.g., "application/media-policy-dataset+xml"). The 418 policy document in a NOTIFY body MUST represent a complete policy 419 decision. Notifications that contain the deltas to previous policy 420 decisions or partial policy decisions are not supported in this event 421 package. 423 The notifier SHOULD terminate the subscription if the policy decision 424 is to reject a session and if it can be expected that this decision 425 will not change in the foreseeable future. The notifier SHOULD keep 426 the subscription alive, if it rejects a session but expects that the 427 session can be admitted soon. For example, if the session was 428 rejected due to a temporary shortage of resources and the notifier 429 expects that these resources will become available again shortly it 430 should keep the subscription alive. The decision to reject a session 431 is expressed in the policy decision document. A session is admitted 432 by returning a policy decision document that requires some or no 433 changes to the session. 435 If the notifier has not received enough information to make a policy 436 decision from the subscriber (e.g., because it did not receive a 437 session description), the notifier SHOULD NOT terminate the 438 subscription since it can be expected that the UA refreshes the 439 subscription with a SUBSCRIBE request that contains more information. 440 The notifier SHOULD generate a NOTIFY request with the "insufficient- 441 info" event package parameter to indicate that a policy decision 442 could not be made due to insufficient information. This NOTIFY 443 request can contain an empty body or a body that contains a policy 444 decision document indicating which information was missing. 446 Some session-specific policies do not require the disclosure of the 447 remote session description to the notifier. If a notifier determines 448 that this is the case after receiving a SUBSCRIBE request, the 449 notifier SHOULD include the "local-only" event parameter in NOTIFY 450 requests. 452 3.9. Subscriber processing of NOTIFY requests 454 A subscriber MUST apply the policy decision received in a NOTIFY to 455 the session associated with this subscription. If the UA decides not 456 to apply the received policy decision, the UA MUST NOT set up the 457 session and MUST terminate the session if the session is already in 458 progress. If the UA has a pending INVITE transaction for this 459 session, the UA MUST cancel or reject the INVITE request. 461 If the subscriber receives a NOTIFY indicating that the session has 462 been rejected, the subscriber MUST NOT attempt to establish this 463 session. If the notifier has terminated the subscription after 464 rejecting the session, the subscriber SHOULD NOT try to re-send the 465 same SUBSCRIBE request again. The termination of the subscription by 466 the notifier indicates that the policy decision for this session is 467 final and will not change in the foreseeable future. The subscriber 468 MAY try to re-subscribe for this session if at least one aspect of 469 the session (e.g., a parameter in the session description or the 470 target URI) has changed or if there is other reason to believe that 471 re-trying the subscription will be successful (e.g., because time has 472 progressed significantly since the last attempt). 474 The notifier may keep up the subscription after rejecting a session 475 to indicate that it may send an updated policy decision for this 476 session to the subscriber at a later time. This is useful, for 477 example, if the session was rejected due to a temporary shortage of 478 resources and the notifier expects that this problem to be resolved 479 shortly. In another example, the session was rejected because it was 480 attempted in a restricted period during the day but this period is 481 going to end soon. In this case, the subscriber SHOULD not terminate 482 the subscription to session-specific policies. 484 The subscriber may receive a NOTIFY which contains an "insufficient- 485 info" event package parameter to indicate that the SUBSCRIBE request 486 did not contain enough information. The subscriber SHOULD refresh 487 the subscription with more complete information as soon as the 488 missing information (e.g., the session description) is available. 490 A subscriber may receive an update to a policy decision for a session 491 that is already established. The subscriber MUST apply the new 492 policy decision to this session. If a UA decides that it does not 493 want to apply the new policy decision, the UA MUST terminate the 494 session. An updated policy decision may require the UA to generate a 495 re-INVITE or UPDATE request in this session if the session 496 description has changed or it may need to terminate this session. A 497 policy update that requires a UA to terminate a session can, for 498 example, be triggered by the users account running out of credit or 499 the detection of an emergency that requires the termination of non- 500 emergency calls. 502 If the subscriber receives a NOTIFY that contains the "local-only" 503 event parameter, the subscriber SHOULD NOT include the remote session 504 description in subsequent SUBSCRIBE requests within this 505 subscription. 507 3.10. Handling of forked requests 509 This event package allows the creation of only one dialog as a result 510 of an initial SUBSCRIBE request. The techniques to achieve this 511 behavior are described in [RFC3265]. 513 3.11. Rate of notifications 515 It is anticipated that the rate of policy changes will be very low. 516 In any case, notifications SHOULD NOT be generated at a rate of more 517 than once every five seconds. 519 3.12. State Agents 521 State agents play no role in this package. 523 3.13. Examples 525 The following message flow illustrates how a user agent (Alice's 526 phone) can subscribe to session-specific policies when establishing a 527 call (here to Bob's phone). The flow assumes that the user agent has 528 already received the policy server URI (e.g., through configuration 529 or as described in the Session Policy Framework 530 [I-D.ietf-sip-session-policy-framework]) and it does not show 531 messages for authentication on a transport or SIP level. 533 These call flow examples are informative and not normative. 534 Implementers should consult the main text of this document for exact 535 protocol details. 537 Policy Server Alice Bob 538 | | | 539 |(1) SUBSCRIBE | | 540 |<------------------| | 541 |(2) 200 OK | | 542 |------------------>| | 543 |(3) NOTIFY | | 544 |------------------>| | 545 |(4) 200 OK | | 546 |<------------------| | 547 | |(5) INVITE | 548 | |------------------>| 549 | | | 550 | |(6) 200 OK | 551 | |<------------------| 552 | |(7) ACK | 553 | |------------------>| 554 |(8) SUBSCRIBE | | 555 |<------------------| | 556 |(9) 200 OK | | 557 |------------------>| | 558 |(10) NOTIFY | | 559 |------------------>| | 560 |(11) 200 OK | | 561 |<------------------| | 562 | | | 564 Message Details 566 (1) SUBSCRIBE Alice -> Policy Server 568 SUBSCRIBE sips:policy@biloxi.example.com SIP/2.0 569 Via: SIP/2.0/TLS pc.biloxi.example.com:5061 570 ;branch=z9hG4bK74bf 571 Max-Forwards: 70 572 From: Alice ;tag=8675309 573 To: PS 574 Call-ID: rt4353gs2egg@pc.biloxi.example.com 575 CSeq: 1 SUBSCRIBE 576 Contact: 577 Expires: 7200 578 Event: session-spec-policy 579 Accept: application/media-policy-dataset+xml 580 Content-Type: application/media-policy-dataset+xml 581 Content-Length: ... 583 [Local session description (offer)] 585 (2) 200 OK Policy Server -> Alice 587 (3) NOTIFY Policy Server -> Alice 589 NOTIFY sips:alice@pc.biloxi.example.com SIP/2.0 590 Via: SIP/2.0/TLS srvr.biloxi.example.com:5061 591 ;branch=z9hG4bK74br 592 Max-Forwards: 70 593 From: PS ;tag=31451098 594 To: Alice ;tag=8675309 595 Call-ID: rt4353gs2egg@pc.biloxi.example.com 596 CSeq: 1 NOTIFY 597 Event: session-spec-policy 598 Subscription-State: active;expires=7200 599 Content-Type: application/media-policy-dataset+xml 600 Content-Length: ... 602 [Policy for local session description (offer)] 603 (4) 200 OK Alice -> Policy Server 605 (5) INVITE Alice -> Bob 607 (6) 200 OK Bob -> Alice 609 (7) ACK Alice -> Bob 611 (8) SUBSCRIBE Alice -> Policy Server 613 SUBSCRIBE sips:policy@biloxi.example.com SIP/2.0 614 Via: SIP/2.0/TLS pc.biloxi.example.com:5061 615 ;branch=z9hG4bKna998sl 616 Max-Forwards: 70 617 From: Alice ;tag=8675309 618 To: PS ;tag=31451098 619 Call-ID: rt4353gs2egg@pc.biloxi.example.com 620 CSeq: 2 SUBSCRIBE 621 Expires: 7200 622 Event: session-spec-policy 623 Accept: application/media-policy-dataset+xml 624 Content-Type: application/media-policy-dataset+xml 625 Content-Length: ... 627 [Local session description (offer)] 628 [Remote session description (answer)] 630 (9) 200 OK Policy Server -> Alice 632 (10) NOTIFY Policy Server -> Alice 634 NOTIFY sips:alice@pc.biloxi.example.com SIP/2.0 635 Via: SIP/2.0/TLS srvr.biloxi.example.com:5061 636 ;branch=z9hG4bKna998sk 637 Max-Forwards: 70 638 From: PS ;tag=31451098 639 To: Alice ;tag=8675309 640 Call-ID: rt4353gs2egg@pc.biloxi.example.com 641 CSeq: 2 NOTIFY 642 Event: session-spec-policy 643 Subscription-State: active;expires=7200 644 Content-Type: application/media-policy-dataset+xml 645 Content-Length: ... 647 [Policy for local session description (offer)] 648 [Policy for remote session description (answer)] 649 F6 200 OK Alice -> Policy Server 651 4. Security Considerations 653 Session policies can significantly change the behavior of a user 654 agent and can therefore be used by an attacker to compromise a user 655 agent. For example, session policies can be used to prevent a user 656 agent from successfully establishing a session (e.g., by setting the 657 available bandwidth to zero). Such a policy can be submitted to the 658 user agent during a session, which may cause the UA to terminate the 659 session. 661 A user agent transmits session information to a policy server. This 662 information may contain sensitive data the user may not want an 663 eavesdropper or an unauthorized policy server to see. For example, 664 the session information may contain the encryption keys for media 665 streams. Vice versa, session policies may also contain sensitive 666 information about the network or service level agreements the service 667 provider may not want to disclose to an eavesdropper or an 668 unauthorized user agent. 670 It is therefore important to secure the communication between the 671 user agent and the policy server. The following three discrete 672 attributes need to be protected: 674 1. authentication of the policy server and, if needed, the user 675 agent, 676 2. confidentiality of the messages exchanged between the user agent 677 and the policy server and 678 3. ensuring that private information is not exchanged between the 679 two parties, even over a confidentiality-assured and 680 authenticated session. 682 Authentication of the peers and protecting the confidentiality of the 683 policies in transit is achieved by existing SIP security mechanisms 684 (the use of TLS and sips URI scheme [RFC3261], [RFC5630]). 686 Accordingly, policy servers SHOULD be addressable only through a SIPS 687 URI. Policy server and user agent MUST support TLS. The 688 confidentiality of the communication between the policy server and 689 the user agent will be assured as long as the policy server supports 690 TLS and is reached through a SIPS URI. 692 Authenticating the two parties can be performed using X.509 693 certificates exchanged through TLS and other techniques such as HTTP 694 Digest. When the user agent establishes a TLS session with the 695 policy server, the policy server will present it a X.509 certificate. 696 The user agent SHOULD ensure that the identity of the policy server 697 encoded in the certificate matches the URI of the policy server the 698 user agent has received either using the Session Policy Framework 699 [I-D.ietf-sip-session-policy-framework] or other means such as 700 configuration. 702 When a policy server receives a new subscription (as opposed to a 703 refresh subscription), the policy server SHOULD try to authenticate 704 the user agent using any means at its disposal. If the user agent 705 has an X.509 certificate suitable for use with TLS, the identity of 706 the user agent SHOULD be contained in the certificate, or if the user 707 agent does not possess a certificate, the policy server SHOULD 708 challenge the user agent using HTTP Digest. A policy server may 709 frequently encounter UAs it cannot authenticate. In these cases, the 710 policy server MAY provide a generic policy that does not reveal 711 sensitive information to these UAs. 713 If the subscriber and notifier desire to protect the integrity of the 714 policy exchange in an end-to-end manner, they MAY use S/MIME to 715 protect the session policies. However, RFC3261 cautions that 716 "[i]mplementers should note, however, that there may be rare network 717 intermediaries (not typical proxy servers) that rely on viewing or 718 modifying the bodies of SIP messages (especially SDP), and that 719 secure MIME may prevent these sorts of intermediaries from 720 functioning." [RFC3261]. 722 And finally, the fact that the user agent and the policy server have 723 successfully authenticated each other and have established a secure 724 TLS session does not absolve either one from ensuring that they do 725 not communicate sensitive information. For example, a session 726 description may contain sensitive information -- session keys, for 727 example -- that the user agent may not want to share with the policy 728 server; and indeed, the policy server does not need such information 729 to effectively formulate a policy. Thus, the user agent should not 730 insert such sensitive information in a session information document 731 that it sends to the policy server. Likewise, the policy server may 732 have information that is sensitive and of no use to the user agent -- 733 network service level agreements, or network statistics, for example. 734 Thus, the policy server should refrain from transmitting such 735 information to the user agent. 737 5. IANA Considerations 738 5.1. Event Package Name 740 This specification registers an event package, based on the 741 registration procedures defined in RFC 3265 [RFC3265]. The following 742 is the information required for such a registration: 744 Package Name: session-spec-policy 746 Package or Template-Package: This is a package. 748 Published Document: RFC XXXX (Note to RFC Editor: Please fill in XXXX 749 with the RFC number of this specification). 751 Person to Contact: Volker Hilt, volkerh@bell-labs.com. 753 6. References 755 6.1. Normative References 757 [I-D.ietf-sip-session-policy-framework] 758 Hilt, V., Camarillo, G., and J. Rosenberg, "A Framework 759 for Session Initiation Protocol (SIP) Session Policies", 760 draft-ietf-sip-session-policy-framework-07 (work in 761 progress), February 2010. 763 [I-D.ietf-sipping-media-policy-dataset] 764 Hilt, V., Worley, D., Camarillo, G., and J. Rosenberg, "A 765 User Agent Profile Data Set for Media Policy", 766 draft-ietf-sipping-media-policy-dataset-09 (work in 767 progress), March 2010. 769 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 770 Requirement Levels", BCP 14, RFC 2119, March 1997. 772 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 773 A., Peterson, J., Sparks, R., Handley, M., and E. 774 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 775 June 2002. 777 [RFC3263] Rosenberg, J. and H. Schulzrinne, "Session Initiation 778 Protocol (SIP): Locating SIP Servers", RFC 3263, 779 June 2002. 781 [RFC3265] Roach, A., "Session Initiation Protocol (SIP)-Specific 782 Event Notification", RFC 3265, June 2002. 784 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 785 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 787 6.2. Informative References 789 [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model 790 with Session Description Protocol (SDP)", RFC 3264, 791 June 2002. 793 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 794 Description Protocol", RFC 4566, July 2006. 796 [RFC5630] Audet, F., "The Use of the SIPS URI Scheme in the Session 797 Initiation Protocol (SIP)", RFC 5630, October 2009. 799 Appendix A. Acknowledgements 801 Many thanks to Jonathan Rosenberg for the discussions and suggestions 802 for this draft. Many thanks to Roni Even, Bob Penfield, Mary Barnes, 803 Shida Schubert and Jon Peterson for reviewing the draft and to Vijay 804 Gurbani for the contributions to the security considerations section. 806 Authors' Addresses 808 Volker Hilt 809 Bell Labs/Alcatel-Lucent 810 791 Holmdel-Keyport Rd 811 Holmdel, NJ 07733 812 USA 814 Email: volkerh@bell-labs.com 816 Gonzalo Camarillo 817 Ericsson 818 Hirsalantie 11 819 Jorvas 02420 820 Finland 822 Email: Gonzalo.Camarillo@ericsson.com