idnits 2.17.1 draft-ietf-soc-load-control-event-package-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 17, 2011) is 4845 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2141 (Obsoleted by RFC 8141) ** Downref: Normative reference to an Informational RFC: RFC 2648 ** Obsolete normative reference: RFC 3023 (Obsoleted by RFC 7303) ** Obsolete normative reference: RFC 3265 (Obsoleted by RFC 6665) ** Obsolete normative reference: RFC 4288 (Obsoleted by RFC 6838) == Outdated reference: A later version (-15) exists of draft-ietf-soc-overload-control-00 == Outdated reference: A later version (-08) exists of draft-ietf-soc-overload-design-04 -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) Summary: 5 errors (**), 0 flaws (~~), 3 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IETF SOC Working Group C. Shen 3 Internet-Draft H. Schulzrinne 4 Intended status: Standards Track Columbia U. 5 Expires: July 21, 2011 A. Koike 6 NTT 7 January 17, 2011 9 A Session Initiation Protocol (SIP) Load Control Event Package 10 draft-ietf-soc-load-control-event-package-00.txt 12 Abstract 14 This document defines a load control event package for the Session 15 Initiation Protocol (SIP). It allows SIP servers to distribute user 16 load control information to other SIP servers in the network. The 17 load control can throttle calls based on their source or destination 18 domain, telephone number prefix or for a specific user. The 19 mechanism helps to prevent signaling overload and complements 20 feedback-based SIP overload control efforts. 22 Status of this Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on July 21, 2011. 39 Copyright Notice 41 Copyright (c) 2011 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 57 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 5 58 3. Design Requirements . . . . . . . . . . . . . . . . . . . . . 5 59 4. Load Filtering Control Overview . . . . . . . . . . . . . . . 6 60 4.1. Filter Format . . . . . . . . . . . . . . . . . . . . . . 6 61 4.2. Filter Computation . . . . . . . . . . . . . . . . . . . . 6 62 4.3. Filter Distribution . . . . . . . . . . . . . . . . . . . 6 63 4.4. Applicability in Different Network Environments . . . . . 9 64 5. Load Control Event Package . . . . . . . . . . . . . . . . . . 10 65 5.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 10 66 5.2. Event Package Parameters . . . . . . . . . . . . . . . . . 10 67 5.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 10 68 5.4. SUBSCRIBE Duration . . . . . . . . . . . . . . . . . . . . 10 69 5.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 11 70 5.6. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 11 71 5.7. Notifier Generation of NOTIFY Requests . . . . . . . . . . 11 72 5.8. Subscriber Processing of NOTIFY Requests . . . . . . . . . 12 73 5.9. Handling of Forked Requests . . . . . . . . . . . . . . . 12 74 5.10. Rate of Notifications . . . . . . . . . . . . . . . . . . 12 75 5.11. State Agents . . . . . . . . . . . . . . . . . . . . . . . 13 76 6. Load Control Document . . . . . . . . . . . . . . . . . . . . 13 77 6.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . . 13 78 6.2. Namespace . . . . . . . . . . . . . . . . . . . . . . . . 13 79 6.3. Conditions . . . . . . . . . . . . . . . . . . . . . . . . 13 80 6.3.1. Call Identity . . . . . . . . . . . . . . . . . . . . 14 81 6.3.2. Validity . . . . . . . . . . . . . . . . . . . . . . . 16 82 6.3.3. Method . . . . . . . . . . . . . . . . . . . . . . . . 17 83 6.4. Actions . . . . . . . . . . . . . . . . . . . . . . . . . 17 84 6.5. Complete Examples . . . . . . . . . . . . . . . . . . . . 18 85 7. XML Schema Definition for Load Control . . . . . . . . . . . . 20 86 8. Related Work . . . . . . . . . . . . . . . . . . . . . . . . . 21 87 8.1. Relationship with Load Filtering in PSTN . . . . . . . . . 21 88 8.2. Relationship with Other IETF SIP Load Control Efforts . . 22 89 9. Discussion of this document meeting the requirements of 90 RFC5390 . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 91 10. Security Considerations . . . . . . . . . . . . . . . . . . . 28 92 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28 93 11.1. Load Control Event Package Registration . . . . . . . . . 28 94 11.2. application/load-control+xml MIME Registration . . . . . . 29 95 11.3. Load Control Schema Registration . . . . . . . . . . . . . 30 97 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 30 98 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 30 99 13.1. Normative References . . . . . . . . . . . . . . . . . . . 30 100 13.2. Informative References . . . . . . . . . . . . . . . . . . 31 101 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 32 103 1. Introduction 105 Proper functioning of Session Initiation Protocol (SIP) [RFC3265] 106 signaling servers is critical in SIP-based communications networks. 107 The performance of SIP servers can be severely degraded when the 108 server is overloaded with excessive number of signaling requests. 109 Both legitimate and malicious traffic can overload SIP servers, 110 despite appropriate capacity planning. 112 There are three common examples of legitimate short-term increases in 113 call volumes. Viewer-voting TV shows or ticket giveaways may 114 generate millions of calls within a few minutes. Call volume may 115 also spike during special holidays such as New Year's Day and 116 Mother's Day. Finally, callers may want to reach friends and family 117 in natural disaster areas such as those affected by earthquakes. 118 When possible, only calls traversing overloaded servers should be 119 throttled under those conditions. 121 SIP load control mechanisms are needed to prevent congestion collapse 122 in these cases [RFC5390]. There are two types of load control 123 approaches. In the first approach, feedback control, SIP servers 124 provide load limits to upstream servers, to reduce the incoming rate 125 of all SIP requests [I-D.ietf-soc-overload-control]. These upstream 126 servers then drop or delay incoming SIP requests. Feedback control 127 is reactive and affects signaling messages that have already been 128 issued by user agent clients. They work well if core or destination- 129 specific SIP proxies are overloaded. By their nature, they need to 130 distribute rate, drop or window information to all upstream SIP 131 proxies and generally affect all calls equally, regardless of 132 destination. However, feedback control is ineffective for edge- 133 server overload. For example, for the ticket giveaway case, almost 134 all such calls will fail in the core SIP server. If the edge server 135 is also overloaded, calls to other destinations will also be rejected 136 or dropped. 138 Here, we propose an additional, complementary mechanism, called load 139 filtering. Network operators create filters that indicate that calls 140 to specific destinations or from specific sources should be rate- 141 limited or randomly dropped. These filters are then distributed to 142 SIP servers and possibly user agents likely to generate calls to the 143 affected destinations or from the affected sources. Load filters 144 work best if they prevent calls as close to the user agent client as 145 possible. 147 Performing SIP load filtering control requires three components: 148 filter content format definition, filter content computation methods, 149 and filter distribution mechanism. This document addresses two of 150 the three components. The filter format is defined by the contents 151 of a SIP load control event package, while the filter distribution 152 mechanism is built upon the existing SIP event framework. The 153 remaining component, filter content computation, depends heavily on 154 the actual network topology and service provider policies. Therefore 155 it is out of scope of this document. 157 The rest of this document is structured as follows: we begin by 158 listing the design requirements for this work in Section 3. We then 159 give an overview of the load filtering control operation in 160 Section 4. The load control event package is detailed in Section 5. 161 The load filter content format definition is discussed in the two 162 sections that follow, with Section 6 defining the load control XML 163 document and Section 7 defining the corresponding XML schema. 164 Section 8 relates this work to corresponding mechanisms in PSTN and 165 other IETF efforts addressing SIP load control. Section 9 evaluates 166 whether this document meets the SIP overload control requirements set 167 forth by RFC5390 [RFC5390]. Finally, Section 10 presents security 168 considerations and Section 11 provides IANA considerations. 170 2. Requirements Notation 172 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 173 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 174 document are to be interpreted as described in [RFC2119]. 176 3. Design Requirements 178 The SIP load filtering control mechanism needs to satisfy the 179 following requirements: 181 o To simplify the solution, we focus on SIP load control, rather 182 than a generic application-layer mechanism. 183 o The load filter information needs to be distributed efficiently to 184 possibly a large subset of all SIP elements. 185 o The solution should re-use existing SIP protocol mechanisms to 186 reduce implementation and deployment complexity. 187 o For predictable overload situations, such as holidays and call-in 188 events, the mechanism should specify during what time period it is 189 to be applied, so that the information can be distributed ahead of 190 time. 191 o For destination-specific overload situations, the load filter 192 needs to be able to describe the callee. 193 o To address accidental and intentional high-volume call generators, 194 the filter should allow to specify the caller. 195 o Caller and callee need to be specified as both SIP URIs and 'Tel' 196 URIs[RFC3966]. 198 o For telephone numbers, it should be possible to specify prefixes 199 which allow control over limited regionally-focused overloads. 200 o The solution should draw upon experiences from related PSTN 201 mechanisms where applicable. 202 o The solution should be extensible to meet future needs. 204 4. Load Filtering Control Overview 206 4.1. Filter Format 208 A load filter contains both conditions and actions. Filter 209 conditions include the identities of the targets to be controlled. 210 For example, there are two typical resource limits in a possible 211 overload situation, i.e., human destination limits (N call takers) 212 and proxy capacity limits. The control targets in these two cases 213 can be the specific callee numbers or the destination domains 214 corresponding to the overload. Filter conditions also indicate the 215 period of time during which the control should be activated, and the 216 specific message type to be controlled, e.g., the INVITE message of a 217 SIP session. Filter actions describe the desired control functions 218 such as limiting the request rate below a certain level. Detailed 219 formats of filter conditions and actions are defined in Section 6. 221 4.2. Filter Computation 223 The load filter content computation method needs to take into 224 consideration information such as the overload time, scope and the 225 network topology as well as service policies. It is also important 226 to make sure that there is no resource allocation loop and that loads 227 are allocated in a way that both prevents overload and minimizes the 228 likelihood of network under-utilization. In some cases, in order to 229 better utilize system resources, it may be preferable to employ a 230 dynamic load computation algorithm which adapts to current network 231 status, rather than using a purely static mechanism. The filter 232 content computation algorithm is out of scope of this document. 234 4.3. Filter Distribution 236 For load filter distribution, this document defines the SIP event 237 package for load control, which is an "instantiation" of the generic 238 SIP events framework [RFC3265]. The SIP events framework provides an 239 existing method for SIP entities to subscribe to and receive 240 notifications when certain events have occurred. Such a framework 241 forms a scalable event distribution architecture that suits our 242 needs. This document also defines the XML schema used to encode the 243 load control document. The choice of XML allows us to reuse existing 244 SIP-specific policy related XML schemas when applicable, and also 245 fits our goal of flexibility and extensibility. 247 +-----------+ +-----------+ +-----------+ +-----------+ 248 | | | | | | | | 249 | EPa1 | | EPa2 | | EPa3 | | EPa4 | 250 | | | | | | | | 251 +-----------+ +-----------+ +-----------+ +-----------+ 252 \ / \ / 253 \ / \ / 254 \ / \ / 255 +-----------+ +-----------+ 256 | | | | 257 | CPa1 |------------------| CPa2 | 258 | | | | 259 +-----------+ +-----------+ 260 | | 261 Service | | 262 Provider A | | 263 | | 264 ================================================================= 265 | | 266 Service | | 267 Provider B | | 268 | | 269 +-----------+ +-----------+ 270 | | | | 271 | CPb1 |------------------| CPb2 | 272 | | | | 273 +-----------+ +-----------+ 274 / \ / \ 275 / \ / \ 276 / \ / \ 277 +-----------+ +-----------+ +-----------+ +-----------+ 278 | | | | | | | | 279 | EPb1 | | EPb2 | | EPb3 | | EPb4 | 280 | | | | | | | | 281 +-----------+ +-----------+ +-----------+ +-----------+ 283 Figure 1: Example Network Scenario with SIP Load Control Event 284 Notification 286 The load filter distribution based on the SIP load control event 287 package is illustrated with an example architecture shown in 288 Figure 1. This scenario consists of two networks belonging to 289 Service Provider A and Service Provider B, respectively. Each 290 provider's network is made up of two SIP Core Proxies (CPs) and four 291 SIP Edge Proxies (EPs). The CPs and EPs of Service Provider A are 292 denoted as CPa1 to CPa2 and EPa1 to EPa4; the CPs and EPs of Service 293 Provider B are denoted as CPb1 to CPb2 and EPb1 to EPb4. 295 In general, each SIP proxy server in the network is required to 296 subscribe to the load control event package from all its outgoing 297 signaling neighbors. Signaling neighbors are defined by sending 298 signaling messages. For instance, if A sends signaling requests to 299 B, B is an outgoing signaling neighbor of A. A needs to subscribe to 300 the load control event package of B in case B wants to curb requests 301 from A. On the other hand, if B also sends signaling requests to A, 302 then B also subscribes to A. In the example topology of Figure 1, 303 assuming all signaling relationship is bi-directional, each proxy 304 will need to subscribe to all its neighbors. That is, EPa1 305 subscribes to CPa1; CPa1 subscribes to EPa1, EPa2, CPa2 and CPb1, so 306 on and so forth. Notifications are always sent to all subscribing 307 entities. 309 To begin load filter distribution on a network when the appropriate 310 subscriptions among the SIP entities are ready, the initial filter 311 contents are introduced to a SIP entity which acts as the network 312 entry point for load filtering control. The filter is then 313 propagated to other SIP entities throughout the network. The 314 following shows two examples. 316 Case I: EPa1 serves a TV program hotline and decides to limit the 317 total number of incoming calls to the hotline to prevent an overload. 318 To do so, EPa1 sends a notification to CPa1 with the specific hotline 319 number, time of activation and total acceptable call rate. Depending 320 on the filter computation algorithm, CPa1 may allocate the received 321 total acceptable rate among its neighbors, namely, EPa2, CPa2, and 322 CPb1 and notify them about the resulting allocation along with the 323 hotline number and the activation time. CPa2 and CPb1 may perform 324 further allocation among their own neighbors and notify the 325 corresponding servers. This process continues until all edge proxies 326 in the network have been informed about the event and have proper 327 load filter configured. 329 Case II: an earthquake affects the region covered by CPb2, EPb3 and 330 EPb4. All the three servers are overloaded. The rescue team 331 determines that outbound calls are more valuable than inbound calls 332 in this specific situation. Therefore, EPb3 and EPb4 are configured 333 with filters to accept more outbound calls than inbound calls. CPb2 334 may be configured the same way or receive dynamic filters from EPb3 335 and EPb4. Depending on the filter computation algorithm, CPb2 may 336 also send out notifications to its outside neighbors, namely CPb1 and 337 CPa2, specifying a limit on the acceptable rate of inbound calls to 338 CPb2's responsible domain. CPb1 and CPa2 may subsequently notify 339 their neighbors about limiting the calls to CPb2's area. The same 340 process could continue until all edge proxy servers are notified and 341 have filters configured. 343 The network entry point for load filtering control in the above two 344 cases is the SIP server to be protected. In other cases, the 345 filtering entry point could also be an entity that the protected SIP 346 server is connected to. For example, an operator may host an 347 application server that performs 800 number translation services. 348 The application server may itself be a SIP proxy or a SIP Back-to- 349 Back User Agent (B2BUA). If one of the 800 numbers hosted at the 350 application server creates the overload condition, the load filtering 351 control can be introduced from the application server and then 352 propogated to other SIP proxy servers in the network. 354 Note that this document does not define the provisioning interface 355 between the load control policy maker and the policy entry point in 356 the network. One of the possible solutions for the provisioning 357 interface is the Extensible Markup Language (XML) Configuration 358 Access Protocol (XCAP) [RFC4825]. 360 4.4. Applicability in Different Network Environments 362 Load filtering control is more effective when the filters can be 363 pushed to the proximity of signaling sources. But even if only part 364 of the signaling path towards the signaling source could be covered, 365 use of this mechanism can still be beneficial. In fact, due to 366 possibly sophisticated call routing and security concerns, trying to 367 apply automated load filter distribution in the entire inter-domain 368 network path could get extremely complicated and be unrealistic. 370 The scenarios where this mechanism could be most useful are 371 environments consisting of servers with secure and trust relationship 372 and with relatively straightforward routing configuration known to 373 the filter computation decision maker. These scenarios may include 374 intra-domain environments such as those inside a service provider or 375 enterprise domain; inter-domain environments such as where enterprise 376 connecting to a few service providers or between service providers 377 with manageable routing configurations. 379 Another important aspect that affects the applicability of the load 380 filtering control is that all possible signaling source neighbors 381 need to participate and enforce the designated filter. Otherwise, a 382 single non-conforming neighbor could make the whole control efforts 383 useless by pumping in excessive traffic to overload the server. 384 Therefore, the SIP server that initiates the filter needs to take 385 counter-measures towards any non-conforming neighbors. A simple 386 policy is to reject excessive requests with 500 responses as if they 387 were obeying the rate. Considering the rejection costs, a more 388 complicated but fairer policy would be to allocate at the overloaded 389 server the same amount of processing to the combination of both 390 normal processing and rejection as the overloaded server would devote 391 to processing requests for a conforming upstream SIP server. These 392 approaches work as long as the total rejection cost does not 393 overwhelm the entire server resources. In addition, whatever the 394 actual policy is, SIP servers SHOULD honor the Resource-Priority 395 Header (RPH) [RFC4412] when processing messages. The RPH contents 396 may indicate high priority requests that should be preserved as much 397 as possible, or low priority requests that could be dropped during 398 overload. The request rejection and message prioritization at an 399 overloaded server are also discussed in Section 5.1 of 400 [I-D.ietf-soc-overload-control] and Section 12 of 401 [I-D.ietf-soc-overload-design]. 403 5. Load Control Event Package 405 This section defines the details of the SIP event package for load 406 control according to [RFC3265]. 408 5.1. Event Package Name 410 The name of this event package is "load-control". This name is 411 carried in the Event and Allow-Events header, as specified in 412 [RFC3265]. 414 5.2. Event Package Parameters 416 No package specific event header field parameters are defined for 417 this event package. 419 5.3. SUBSCRIBE Bodies 421 A SUBSCRIBE request for load control policy MAY contain a body to 422 filter the requested load control notification. For example, a 423 subscriber may be interested in some specific types of load control 424 information only. The details of the subscription filter 425 specification are not yet defined. 427 A SUBSCRIBE request sent without a body implies the default 428 subscription behavior as specified in Section 5.7. 430 5.4. SUBSCRIBE Duration 432 The default expiration time for a subscription to load control policy 433 is one hour. Since the desired expiration time may vary 434 significantly for subscriptions among SIP entities with different 435 signaling relationships, the subscribers and notifiers are 436 RECOMMENDED to explicitly negotiate appropriate subscription 437 durations when knowledge about the mutual signaling relationship is 438 available. 440 5.5. NOTIFY Bodies 442 The body of a NOTIFY message in this event package contains policy 443 information regarding load control. As specified in [RFC3265], the 444 format of the NOTIFY body MUST be in one of the formats defined in 445 the Accept header field of the SUBSCRIBE request or be the default 446 format. The default data format for the NOTIFY body of this event 447 package is "application/load-control+xml" (defined in Section 6). 448 This means that if no Accept header field is specified to a SUBSCRIBE 449 request, the NOTIFY will contain a body in the "application/ 450 load-control+xml" format. If the Accept header field is present, it 451 MUST include "application/load-control+xml" and MAY include any other 452 types. 454 5.6. Notifier Processing of SUBSCRIBE Requests 456 The effectiveness of load filtering control relies on the scope of 457 distribution and installation of the control policies in the network. 458 Since wide distribution of the policy information is desirable, SIP 459 entity subscribers SHOULD try to subscribe to all those SIP entity 460 notifiers with which they have regular signaling exchanges, although 461 not all such SIP notifiers may permit such a subscription. 463 If the identity of the entity sending the SUBSCRIBE message is not 464 allowed to receive overload control information, the notifier MUST 465 return a 403 "Forbidden" response. 467 If none of MIME types specified in the Accept header of the SUBSCRIBE 468 is supported, the Notifier SHOULD return 406 "Not Acceptable" 469 response. 471 5.7. Notifier Generation of NOTIFY Requests 473 Following the [RFC3265] specification, a notifier MUST send a NOTIFY 474 with its current load control policy to the subscriber upon 475 successfully accepting or refreshing a subscription. The NOTIFY 476 request MAY include a body. If no applicable restriction is active 477 when the subscription request is received, an empty document is 478 attached to the NOTIFY request. A notifier SHOULD generate NOTIFY 479 requests each time the load control policy changes, with the maximum 480 notification rate not exceeding values defined in Section 5.10. 482 This event package does not support notifications that contain deltas 483 to previous information or partial information. 485 5.8. Subscriber Processing of NOTIFY Requests 487 The way subscribers process NOTIFY requests depends on the contents 488 of the notifications. Typically, a load control notification 489 consists of rules that should be applied to requests matching certain 490 identities. A SIP entity subscriber receiving the notification first 491 installs these rules and then filter incoming requests to enforce 492 actions on appropriate requests, for example, limiting the sending 493 rate of call requests destined for a specific SIP entity. 495 In the case when load control rules specify a future validity time, 496 it is possible that when the validity time comes, the subscription to 497 the specific notifier that conveyed the rules has expired. In this 498 case, it is RECOMMENDED that the subscriber re-activate its 499 subscription with the corresponding notifier. Regardless of whether 500 this re-activation of subscription is successful or not, when the 501 validity time is reached, the subscriber SHOULD enforce the 502 corresponding rules. 504 Upon receipt of a NOTIFY request with a Subscription-State header 505 field containing the value "terminated", the subscriber MUST remove 506 all previously received load control information and process all 507 calls without applying any restriction. 509 The subscriber SHALL discard unknown bodies. If the NOTIFY request 510 contains several bodies, none of them being supported, it SHOULD 511 unsubscribe. A NOTIFY request that does not contain a body MUST be 512 ignored. 514 5.9. Handling of Forked Requests 516 Forking is not applicable when the load control event package is used 517 within a single-hop distance between neighboring SIP entities. If 518 the communication scope of the load-control event package is among 519 multiple hops, forking is not expected to happen either because the 520 subscription request is addressed to a clearly defined SIP entity. 521 However, in the unlikely case when forking does happen, the load- 522 control event package only allows the first potential dialog- 523 establishing message to create a dialog, as specified in Section 524 4.4.9 of [RFC3265]. 526 5.10. Rate of Notifications 528 Rate of notifications is likely not a concern for this event package 529 when it is used in a non-real-time mode for relatively static load 530 control policies. Nevertheless, if situation does arise that a 531 rather frequent load control policy update is needed, it is 532 RECOMMENDED that the notifier does not generate notifications at a 533 rate higher than once per-second in all cases, in order to avoid the 534 NOTIFY message itself overloading the system. 536 5.11. State Agents 538 The load control policy information can be directly generated by 539 concerned SIP entities distributed in the network. Alternatively, 540 qualified state agents external to the SIP entities MAY be defined to 541 take charge of load control policy making. 543 6. Load Control Document 545 6.1. Format 547 A load control document is an XML document that inherits and enhances 548 the common policy document defined in [RFC4745]. A common policy 549 document contains a set of rules. Each rule consists of three parts: 550 conditions, actions and transformations. The conditions part is a 551 set of expressions containing attributes such as identity, domain, 552 and validity time information. Each expression evaluates to TRUE or 553 FALSE. Conditions are matched on "equality" or "greater than" style 554 comparison. There is no regular expression matching. Conditions are 555 evaluated on receipt of an initial SIP request for a dialog or 556 standalone transaction. If a request matches all conditions in a 557 rule set, the action part and the transformation part are consulted 558 to determine the "permission" on how to handle the request. Each 559 action or transformation specifies a positive grant to the policy 560 server to perform the resulting actions. Well-defined mechanism are 561 available for combining actions and transformations obtained from 562 more than one sources. 564 6.2. Namespace 566 The namespace URI for elements defined by this specification is a 567 Uniform Resource Namespace (URN) ([RFC2141]), using the namespace 568 identifier 'ietf' defined by [RFC2648] and extended by [RFC3688]. 569 The URN is as follows: 571 urn:ietf:params:xml:ns:load-control 573 6.3. Conditions 575 [RFC4745] defines three condition elements: , and 576 . In this document, we re-define an element for identity 577 and reuse the element. The element is not used. 579 6.3.1. Call Identity 581 Since the problem space of this document is different from that of 582 [RFC4745], the [RFC4745] element is not sufficient for use 583 with load control. First, load control may be applied to different 584 identity information contained in a request, including identities of 585 both the receiving entity and the sending entity. Second, the 586 importance of authentication varies when different identities of a 587 request are concerned. This document defines new identity conditions 588 that can accommodate the granularity of specific SIP identity header 589 fields. Requirement for authentication depends on which field is to 590 be matched. 592 The identity condition for load control is specified by the element and its sub-element . The element 594 itself contains sub-elements representing SIP sending and receiving 595 identity header fields: , , and , each is of the same type as the element in 597 [RFC4745]. Therefore, they also inherit the sub-elements of the 598 element, including , , and . 600 The [RFC4745] and elements may contain an "id" 601 attribute, which is the URI of a single entity to be included or 602 excluded in the condition. When used in the , , and elements, this "id" value is the URI 604 contained in the corresponding SIP header field, i.e., From, To, 605 Request-URI, and P-Asserted-Identity. 607 When the element contains multiple sub- 608 elements, the result is combined using logical OR. When the , 609 , and elements contain 610 multiple , , or sub-elements, the result is also 611 combined using logical OR, similar to that of the element 612 in [RFC4745]. However, when the element contains multiple of 613 the , , and sub- 614 elements, the result is combined using logical AND. This allows the 615 call identity to be specified by multiple fields of a SIP request 616 simultaneously, e.g., both the From and the To header fields. 618 The following shows an example of the element. 620 621 622 623 624 625 626 627 629 This example matches call requests whose To header field contains the 630 SIP URI "sip:alice@hotline.example.com", or the 'tel' URI 631 "tel:+1-212-555-1234". 633 The [RFC4745] and elements may take a "domain" 634 attribute. The "domain" attribute specifies a domain name to be 635 matched by the domain part of the candidate identity. Thus, it 636 allows matching a large and possibly unknown number of entities 637 within a domain. The "domain" attribute works well for SIP URIs. 639 A URI identifying a SIP user, however, can also be a 'tel' URI. We 640 therefore need a similar way to match a group of 'tel' URIs. 641 According to [RFC3966], there are two formats of 'tel' URIs: global 642 format and local format. All phone numbers must be expressed in the 643 global format when possible. The global format 'tel' URIs start with 644 a "+". The rest of the phone numbers are expressed in a local 645 format, which must be qualified by a "phone-context" parameter. The 646 "phone-context" parameter may be labelled as a global number or any 647 number of its leading digits, or a domain name. Both formats of the 648 'tel' URI make the resulting URI globally unique. 650 'Tel' URIs of global format can be grouped by prefixes consisting of 651 any number of common leading digits. For example, a prefix formed by 652 a country code or both the country and area code identifies telephone 653 numbers within a country or an area. Since the length of the country 654 and area code for different regions are different, the length of the 655 number prefix is also variable. This allows further flexibility such 656 as grouping the numbers into sub-areas within the same area code. 657 'Tel' URIs of local-number format can be grouped by the value of the 658 "phone-context" parameter. 660 To include the two formats of 'tel' URI grouping in the and 661 elements, one approach is to add a new attribute similar to 662 the "domain" attribute. In this document, we decided on a simpler 663 approach. There are basically two forms of grouping attribute values 664 for both SIP URIs and 'tel' URIs: domain name or number prefix 665 starting with "+". Both of them can be expressed as strings. 666 Therefore, we re-interpret the existing "domain" attribute of the 667 and elements to allow it to contain both forms of 668 grouping attribute values. In particular, when the "domain" 669 attribute value starts with "+", it denotes a number prefix, 670 otherwise, the value denotes a domain name. Note that the tradeoff 671 of this simpler approach is the overlapping in matching different 672 types of URIs. Specifically, a domain name in the "domain" attribute 673 could be matched by both a SIP URI with that domain name and a local 674 format 'tel' URI containing the same domain name in the "phone- 675 context". On the other hand, a number prefix in the "domain" 676 attribute could be matched by both global 'tel' URIs starting with 677 those leading digits, and local 'tel' URIs having the same prefix in 678 the "phone-context" parameter. These overlapping situations would 679 not be a big problem because of two reasons. First, when the "phone- 680 context" coincides with the SIP domain name or the global number 681 prefix, it is usually the case that the related phone numbers indeed 682 belong to the same domain or the same area, which means the 683 overlapping is not inappropriate. Second, the use of the local 684 format 'tel' URI in practice is expected to be rare. As a result, 685 the chance of such overlapping happening is very small. 687 The following example shows the use of the re-interpreted "domain" 688 attribute. 690 691 692 693 694 695 696 697 698 699 700 701 702 704 This example matches those requests calling to the number "+1-202- 705 999-1234" but are not calling from a "+1-212" prefix or a SIP From 706 URI domain of "manhattan.example.com". 708 6.3.2. Validity 710 A rule is usually associated with a validity period condition. This 711 document reuses the element of [RFC4745], which specifies 712 a period of validity time by pairs of and sub- 713 elements. When multiple time periods are defined, the validity 714 condition is evaluated to TRUE if the current time falls into any of 715 the specified time periods. i.e., it represents a logical OR 716 operation across all validity time periods. 718 The following example shows a element specifying a valid 719 period from 12:00 to 15:00 US Eastern Standard Time on 2008-05-31. 721 722 2008-05-31T12:00:00-05:00 723 2008-05-31T15:00:00-05:00 724 726 6.3.3. Method 728 The load created on a SIP server depends on the type of an initial 729 SIP request for a dialog or standalone transaction. The 730 element specifies the SIP method to which a particular action 731 applies. When this element is not included, the rule actions are 732 applicable to all initial methods. 734 The following example shows the use of the element. 736 INVITE 738 6.4. Actions 740 As [RFC4745] specified, conditions form the 'if'-part of rules, while 741 actions and transformations form the 'then'-part. Transformations 742 are not used in the load control document. The actions for load 743 control are defined by the element, which takes any one of 744 the three sub-elements , , and . The 745 element denotes an absolute value of the maximum acceptable request 746 rate in requests per second; the element specifies the 747 relative percentage of incoming requests that should be accepted; the 748 element describes the acceptable window size supplied by the 749 receiver, which is applicable in window-based load control. In 750 static load filter configuration scenarios, using the sub- 751 element is RECOMMENDED because it is hard to enforce the percentage 752 rate or window-based control when the incoming load from upstream or 753 the reactions from downstream are uncertain. (See 754 [I-D.ietf-soc-overload-control] [I-D.ietf-soc-overload-design] for 755 more details on rate-based and window-based load control) 757 In addition, the element takes an optional "alt-action" 758 attribute which can be used to explicitly specify the desired action 759 in case a request cannot be accepted. The possible "alt-action" 760 values are "drop" for simple drop, "reject" for explicit rejection 761 (e.g., sending a "500 Server Internal Error" response message to an 762 INVITE request), and "forward". The default value is "reject" in 763 order to avoid possible SIP retransmissions when an unreliable 764 transport is used. If the "alt-action" value is "forward", an "alt- 765 target" attribute MUST be defined. The "alt-target" specifies a URI 766 where the request should be forwarded (e.g., an answering machine 767 with explanation of why the request cannot be accepted). 769 In the following element example, the server accepts 770 maximum of 100 call requests per second. The remaining calls are 771 forwarded to an answering machine. 773 774 776 100 777 778 780 6.5. Complete Examples 782 This section presents two complete examples of rule sets. 784 The first example assumes that a set of hotlines are set up at 785 "sip:alice@hotline.example.com" and "tel:+1-212-555-1234". The 786 hotlines are activated from 12:00 to 15:00 US Eastern Standard Time 787 on 2008-05-31. The goal is to limit the incoming calls to the 788 hotlines to 100 requests per second. Calls that exceed the rate 789 limit are explicitly rejected. 791 792 795 796 797 798 799 800 801 802 803 804 805 806 2008-05-31T12:00:00-05:00 807 2008-05-31T15:00:00-05:00 808 809 810 811 812 100 813 814 816 817 819 The second example considers optimizing server resource usage of a 820 three-day period during the aftermath of an earthquake. Incoming 821 calls to the earthquake domain "pompeii.example.com" will be limited 822 to a rate of 100 requests per second, except for those calls 823 originating from a particular rescue team domain 824 "rescue.example.com". Outgoing calls from the earthquake domain or 825 calls within the local domain are never limited. All calls that are 826 throttled due to the rate limit will be forwarded to an answering 827 machine with updated earthquake rescue information. 829 830 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 79-08-24T09:00:00+01:00 850 79-08-27T09:00:00+01:00 851 852 853 854 856 100 857 858 860 861 863 7. XML Schema Definition for Load Control 865 This section defines the XML schema for the load-control document. 866 It extends the Common Policy schema in [RFC4745] by defining new 867 members of the and elements. 869 870 877 879 881 882 883 885 886 887 888 889 891 892 893 895 896 897 898 899 900 901 903 905 906 907 909 910 911 912 913 914 915 917 918 919 920 921 923 924 925 926 927 928 929 930 931 932 933 934 936 8. Related Work 938 8.1. Relationship with Load Filtering in PSTN 940 It is known that the existing PSTN network also uses a load filtering 941 mechanism to prevent overload and the filter configuration is done 942 manually. This document defines the SIP event framework based 943 distribution mechanism which allows automated filter distribution in 944 suitable environments. 946 There are control messages associated with PSTN overload control 947 which would specify an outgoing control list, call gap duration and 948 control duration [AINGR]. These items could be roughly correlated to 949 the identity, action and the time fields in the SIP load filter 950 content definition in this document. However, the filter defined in 951 this document is much more generic and flexible as opposed to its 952 PSTN counterpart. 954 Firstly, PSTN filtering only applies to telephone numbers, and the 955 number of prefix to be matched for a group of telephone numbers is 956 usually a fixed set. The SIP filter identity allows both SIP URI and 957 telephone numbers (through Tel URI) to be specified. The identities 958 can be arbitrary grouped by SIP domains or any number of leading 959 prefix of the telephone number. 961 Secondly, the PSTN filtering action is usually limited to call 962 gapping with a fixed set of allowed gapping intervals. The action 963 field in the SIP load filter allows more flexible rate throttle and 964 other possibilities. 966 Thirdly, the duration field in PSTN filtering specifies a value in 967 seconds for the control duration only and the allowed values are 968 mapped into a value set. The time field in the SIP load filter may 969 specify not only a duration, but also a future activation time which 970 could be especially useful for automating overload control for 971 predictable overloads. 973 PSTN filtering can be performed in both edge switches and transit 974 switches; SIP filtering can also be applied in both edge proxies and 975 core proxies, and even in capable user agents. 977 PSTN overload control also has special accommodation for High 978 Probability of Completion (HPC) calls, which would be similar to the 979 calls designated by the SIP Resource Priority Headers [RFC4412]. SIP 980 filtering mechanism can also prioritize the treatment of these calls 981 by specifying favorable actions for these calls. 983 PSTN filtering also provides administrative option for routing failed 984 call attempts to either Reorder Tone or a special announcement. 985 Similar capability can be provided in the SIP filtering mechanism by 986 specifying the appropriate "alt-action" attribute in the SIP 987 filtering action field. 989 8.2. Relationship with Other IETF SIP Load Control Efforts 991 The filter content definition in this document is based on identity, 992 action and time. The identity can range from a single specific user 993 to an arbitrary user aggregate, domains or areas. The user can be 994 identified by either the source or the destination. When the user is 995 identified by the source and a favorable action is specified, the 996 result is to some extent similar to identifying a priority user based 997 on authorized Resource Priority Headers [RFC4412] in the requests. 998 Specifying a source user identity with an unfavorable action would 999 cause an effect to some extent similar to an inverse SIP resource 1000 priority mechanism. 1002 The filter content defined in this document is generic and is 1003 expected to be applicable not only to the load filtering control 1004 mechanism but also to the feedback overload control mechanism in 1005 [I-D.ietf-soc-overload-control]. In particular, both of them could 1006 use specific or wildcard filter identities for load control and could 1007 share well-known load control actions. The time duration field in 1008 the filter content could also be used in both mechanisms. As 1009 mentioned in Section 1, the load filter distribution mechanism and 1010 the feedback overload control mechanism address complementary areas 1011 in the load control problem space. Load filtering is more proactive 1012 and focuses on distributing the filter towards the source of the 1013 traffic; the hop-by-hop feedback based approach is reactive and 1014 targets more at traffic already accepted in the network. Therefore, 1015 they could also make different use of the generic filter components. 1016 For example, the load filtering mechanism may use the time field in 1017 the filter to specify not only a control duration but also a future 1018 activation time to accommodate a predicable overload such as one 1019 caused by Mother's Day or a viewer-voting program; the feedback-based 1020 control might not need to use the time field or might use the time 1021 field to specify an immediate control duration. 1023 9. Discussion of this document meeting the requirements of RFC5390 1025 This section evaluates whether the load filtering control event 1026 package mechanism defined in this document satisfies the various SIP 1027 overload control requirements set forth by RFC5390 [RFC5390]. Not 1028 all the RFC5390 requirements are found applicable due to the scope 1029 limit of this document. Therefore, we categorize the assessment 1030 results into Yes (meet the requirement), P/A (partially applicable), 1031 No (must be used in conjunction with another mechanism to meet the 1032 requirement), and N/A (not applicable). 1034 REQ 1: The overload mechanism shall strive to maintain the overall 1035 useful throughput (taking into consideration the quality-of- 1036 service needs of the using applications) of a SIP server at 1037 reasonable levels, even when the incoming load on the network is 1038 far in excess of its capacity. The overall throughput under load 1039 is the ultimate measure of the value of an overload control 1040 mechanism. 1042 P/A. The goal of the load filtering control is to prevent overload or 1043 maintain overall goodput during the time of overload, but it is 1044 dependent on the advance predictions of the load. If the predictions 1045 are incorrect, in either direction, the mechanism will throttle too 1046 much or too little. 1048 REQ 2: When a single network element fails, goes into overload, or 1049 suffers from reduced processing capacity, the mechanism should 1050 strive to limit the impact of this on other elements in the 1051 network. This helps to prevent a small-scale failure from 1052 becoming a widespread outage. 1054 N/A if filter values are installed in advance and do not change 1055 during the potential overload period. P/A if filter values are 1056 dynamically adjusted due to the specific filter computation 1057 algorithm. The dynamic filter computation algorithm is outside the 1058 scope of this document, while the distribution of the updated filters 1059 uses the event package mechanism of this document. 1061 REQ 3: The mechanism should seek to minimize the amount of 1062 configuration required in order to work. For example, it is 1063 better to avoid needing to configure a server with its SIP message 1064 throughput, as these kinds of quantities are hard to determine. 1066 No. This mechanism is entirely dependent on advance configuration, 1067 based on advance knowledge. In order to satisfy Req 3, it should be 1068 used in conjunction with other mechanisms which are not based on 1069 advance configuration. 1071 REQ 4: The mechanism must be capable of dealing with elements that 1072 do not support it, so that a network can consist of a mix of 1073 elements that do and don't support it. In other words, the 1074 mechanism should not work only in environments where all elements 1075 support it. It is reasonable to assume that it works better in 1076 such environments, of course. Ideally, there should be 1077 incremental improvements in overall network throughput as 1078 increasing numbers of elements in the network support the 1079 mechanism. 1081 No. This mechanism is entirely dependent on the participation of all 1082 possible neighbors. In order to satisfy Req 4, it should be used in 1083 conjunction with other mechanisms, some of which are described in 1084 Section 4.4. 1086 REQ 5: The mechanism should not assume that it will only be 1087 deployed in environments with completely trusted elements. It 1088 should seek to operate as effectively as possible in environments 1089 where other elements are malicious; this includes preventing 1090 malicious elements from obtaining more than a fair share of 1091 service. 1093 No. This mechanism is entirely dependent on the non-malicious 1094 participation of all possible neighbors. In order to satisfy Req 5, 1095 it should be used in conjunction with other mechanisms, some of which 1096 are described in Section 4.4. 1098 REQ 6: When overload is signaled by means of a specific message, 1099 the message must clearly indicate that it is being sent because of 1100 overload, as opposed to other, non overload-based failure 1101 conditions. This requirement is meant to avoid some of the 1102 problems that have arisen from the reuse of the 503 response code 1103 for multiple purposes. Of course, overload is also signaled by 1104 lack of response to requests. This requirement applies only to 1105 explicit overload signals. 1107 N/A. This mechanism signals anticipated overload, not actual 1108 overload. However the signals in this mechanism are not used for any 1109 other purpose. 1111 REQ 7: The mechanism shall provide a way for an element to 1112 throttle the amount of traffic it receives from an upstream 1113 element. This throttling shall be graded so that it is not all- 1114 or-nothing as with the current 503 mechanism. This recognizes the 1115 fact that "overload" is not a binary state and that there are 1116 degrees of overload. 1118 Yes. This event package allows rate/loss/windows-based overload 1119 control options as discussed in Section 6.4. 1121 REQ 8: The mechanism shall ensure that, when a request was not 1122 processed successfully due to overload (or failure) of a 1123 downstream element, the request will not be retried on another 1124 element that is also overloaded or whose status is unknown. This 1125 requirement derives from REQ 1. 1127 N/A to the load control event package itself. 1129 REQ 9: That a request has been rejected from an overloaded element 1130 shall not unduly restrict the ability of that request to be 1131 submitted to and processed by an element that is not overloaded. 1132 This requirement derives from REQ 1. 1134 Yes. For example, the filter format [Section 4.1] allows the 1135 inclusion of alternative forwarding destinations for rejected 1136 requests. 1138 REQ 10: The mechanism should support servers that receive requests 1139 from a large number of different upstream elements, where the set 1140 of upstream elements is not enumerable. 1142 No. Because this mechanism requires advance configuration of 1143 specific identified neighbors, it does not support environments where 1144 the number and identity of the upstream neighbors are not known in 1145 advance. In order to satisfy Req 10, it should be used in 1146 conjunction with other mechanisms. 1148 REQ 11: The mechanism should support servers that receive requests 1149 from a finite set of upstream elements, where the set of upstream 1150 elements is enumerable. 1152 Yes. See also answer to REQ 10. 1154 REQ 12: The mechanism should work between servers in different 1155 domains. 1157 Yes. The load control event package is not limited by domain 1158 boundaries. 1160 REQ 13: The mechanism must not dictate a specific algorithm for 1161 prioritizing the processing of work within a proxy during times of 1162 overload. It must permit a proxy to prioritize requests based on 1163 any local policy, so that certain ones (such as a call for 1164 emergency services or a call with a specific value of the 1165 Resource-Priority header field [RFC4412]) are given preferential 1166 treatment, such as not being dropped, being given additional 1167 retransmission, or being processed ahead of others. 1169 P/A. This mechanism does not specifically address the prioritizing of 1170 work during times of overload. But it does not preclude any 1171 particular local policy. 1173 REQ 14: The mechanism should provide unambiguous directions to 1174 clients on when they should retry a request and when they should 1175 not. This especially applies to TCP connection establishment and 1176 SIP registrations, in order to mitigate against avalanche restart. 1178 N/A to the load control event package itself. 1180 REQ 15: In cases where a network element fails, is so overloaded 1181 that it cannot process messages, or cannot communicate due to a 1182 network failure or network partition, it will not be able to 1183 provide explicit indications of the nature of the failure or its 1184 levels of congestion. The mechanism must properly function in 1185 these cases. 1187 P/A. Because the filters are provisioned in advance, they are not 1188 affected by the overload or failure of other nodes. But, on the 1189 other hand, they may not, in those cases, be able to protect the 1190 overloaded node (see Req 1). 1192 REQ 16: The mechanism should attempt to minimize the overhead of 1193 the overload control messaging. 1195 Yes. The standardized SIP event package mechanism RFC3265 [RFC3265] 1196 is used. 1198 REQ 17: The overload mechanism must not provide an avenue for 1199 malicious attack, including DoS and DDoS attacks. 1201 P/A. This mechanism does provide a potential avenue for malicious 1202 attacks. Therefore the security mechanisms for SIP event packages in 1203 general [RFC3265] and of section 10 of this document SHOULD be used. 1205 REQ 18: The overload mechanism should be unambiguous about whether 1206 a load indication applies to a specific IP address, host, or URI, 1207 so that an upstream element can determine the load of the entity 1208 to which a request is to be sent. 1210 Yes. The identity of load indication is covered in the filter format 1211 definition in Section 4.1. 1213 REQ 19: The specification for the overload mechanism should give 1214 guidance on which message types might be desirable to process over 1215 others during times of overload, based on SIP-specific 1216 considerations. For example, it may be more beneficial to process 1217 a SUBSCRIBE refresh with Expires of zero than a SUBSCRIBE refresh 1218 with a non-zero expiration (since the former reduces the overall 1219 amount of load on the element), or to process re-INVITEs over new 1220 INVITEs. 1222 N/A to the load control event package itself. 1224 REQ 20: In a mixed environment of elements that do and do not 1225 implement the overload mechanism, no disproportionate benefit 1226 shall accrue to the users or operators of the elements that do not 1227 implement the mechanism. 1229 No. This mechanism is entirely dependent on the participation of all 1230 possible neighbors. In order to satisfy Req 20, it should be used in 1231 conjunction with other mechanisms, some of which are described in 1232 Section 4.4. 1234 REQ 21: The overload mechanism should ensure that the system 1235 remains stable. When the offered load drops from above the 1236 overall capacity of the network to below the overall capacity, the 1237 throughput should stabilize and become equal to the offered load. 1239 N/A to the load control event package itself. 1241 REQ 22: It must be possible to disable the reporting of load 1242 information towards upstream targets based on the identity of 1243 those targets. This allows a domain administrator who considers 1244 the load of their elements to be sensitive information, to 1245 restrict access to that information. Of course, in such cases, 1246 there is no expectation that the overload mechanism itself will 1247 help prevent overload from that upstream target. 1249 N/A to the load control event package itself. 1251 REQ 23: It must be possible for the overload mechanism to work in 1252 cases where there is a load balancer in front of a farm of 1253 proxies. 1255 Yes. The load control event package does not preclude its use in a 1256 scenario with server farms. 1258 10. Security Considerations 1260 Two aspects of security considerations arise from this document. One 1261 is the SIP event framework based filter distribution mechanism, the 1262 other is the filter enforcement mechanism. 1264 Security considerations for SIP event framework based mechanisms are 1265 covered in Section 5 of [RFC3265]. A particularly relevant aspect 1266 for notification control is that, in order to prevent the load 1267 control notification being used to launch denial of service attacks, 1268 all load control notification MUST be authenticated and authorized 1269 before being accepted. Standard authentication and authorization 1270 mechanisms recommended in [RFC3261] such as TLS [RFC5246] and IPSec 1271 [RFC4301] may serve this purpose. 1273 Security considerations for filter enforcements vary depending on the 1274 filter contents. This document defines possible filter match of the 1275 following SIP header fields: , , and 1276 . The exact requirement to authenticate and 1277 authorize these fields is up to the service provider. In general, if 1278 the identity field represents the source of the request, it SHOULD be 1279 authenticated and authorized; if the identity field represents the 1280 destination of the request the authentication and authorization is 1281 optional. 1283 11. IANA Considerations 1285 This specification registers a SIP event package, a new MIME type, a 1286 new XML namespace, and a new XML schema. 1288 11.1. Load Control Event Package Registration 1289 This section registers an event package based on the registration 1290 procedures defined in [RFC3265]. 1292 Package name: load-control 1294 Type: package 1296 Published specification: This document 1298 Person to contact: Charles Shen, charles@cs.columbia.edu 1300 11.2. application/load-control+xml MIME Registration 1302 This section registers a new MIME type based on the procedures 1303 defined in [RFC4288] and guidelines in [RFC3023]. 1305 MIME media type name: application 1307 MIME subtype name: load-control+xml 1309 Mandatory parameters: none 1311 Optional parameters: Same as charset parameter application/xml in 1312 [RFC3023] 1314 Encoding considerations: Same as encoding considerations of 1315 application/xml in [RFC3023] 1317 Security considerations: See Section 10 of [RFC3023] and Section 10 1318 of this specification 1320 Interpretability considerations: None 1322 Published Specification: This document 1324 Applications which use this media type: load control of SIP entities 1326 Additional information: 1328 Magic number: None 1330 File extension: .xml 1332 Macintosh file type code: 'TEXT' 1334 Personal and email address for further information: 1336 Charles Shen, charles@cs.columbia.edu 1337 Intended usage: COMMON 1339 Author/Change Controller: IETF SIPPING Working Group 1340 , as designated by the IESG 1342 11.3. Load Control Schema Registration 1344 URI: urn:ietf:params:xml:schema:load-control 1346 Registrant Contact: IETF SIPPING working group, Charles Shen 1347 (charles@cs.columbia.edu). 1349 XML: the XML schema to be registered is contained in Section 7. 1351 Its first line is 1353 1355 and its last line is 1357 1359 12. Acknowledgements 1361 The authors would like to thank Bruno Chatras, Janet Gunn, Vijay 1362 Gurbani, Volker Hilt, Geoff Hunt, Timothy Moran, Eric Noel, 1363 Parthasarathi R, Keith Drage, Salvatore Loreto and other members of 1364 the SIPPING and SIP-OVERLOAD working group for helpful comments. 1365 Bruno Chatras proposed a number of text improvements, including 1366 adding the condition element. Janet Gunn provided detailed 1367 text suggestions for Section 9. 1369 13. References 1371 13.1. Normative References 1373 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1374 Requirement Levels", BCP 14, RFC 2119, March 1997. 1376 [RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997. 1378 [RFC2648] Moats, R., "A URN Namespace for IETF Documents", RFC 2648, 1379 August 1999. 1381 [RFC3023] Murata, M., St. Laurent, S., and D. Kohn, "XML Media 1382 Types", RFC 3023, January 2001. 1384 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 1385 A., Peterson, J., Sparks, R., Handley, M., and E. 1386 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 1387 June 2002. 1389 [RFC3265] Roach, A., "Session Initiation Protocol (SIP)-Specific 1390 Event Notification", RFC 3265, June 2002. 1392 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 1393 January 2004. 1395 [RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", 1396 RFC 3966, December 2004. 1398 [RFC4288] Freed, N. and J. Klensin, "Media Type Specifications and 1399 Registration Procedures", BCP 13, RFC 4288, December 2005. 1401 [RFC4745] Schulzrinne, H., Tschofenig, H., Morris, J., Cuellar, J., 1402 Polk, J., and J. Rosenberg, "Common Policy: A Document 1403 Format for Expressing Privacy Preferences", RFC 4745, 1404 February 2007. 1406 13.2. Informative References 1408 [AINGR] Bell Communications Research, "AINGR: Service Control 1409 Point (SCP) Network Traffic Management", GR-2938-CORE , 1410 December 1996. 1412 [I-D.ietf-soc-overload-control] 1413 Gurbani, V., Hilt, V., and H. Schulzrinne, "Session 1414 Initiation Protocol (SIP) Overload Control", 1415 draft-ietf-soc-overload-control-00 (work in progress), 1416 November 2010. 1418 [I-D.ietf-soc-overload-design] 1419 Hilt, V., Noel, E., Shen, C., and A. Abdelal, "Design 1420 Considerations for Session Initiation Protocol (SIP) 1421 Overload Control", draft-ietf-soc-overload-design-04 (work 1422 in progress), December 2010. 1424 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 1425 Internet Protocol", RFC 4301, December 2005. 1427 [RFC4412] Schulzrinne, H. and J. Polk, "Communications Resource 1428 Priority for the Session Initiation Protocol (SIP)", 1429 RFC 4412, February 2006. 1431 [RFC4825] Rosenberg, J., "The Extensible Markup Language (XML) 1432 Configuration Access Protocol (XCAP)", RFC 4825, May 2007. 1434 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 1435 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 1437 [RFC5390] Rosenberg, J., "Requirements for Management of Overload in 1438 the Session Initiation Protocol", RFC 5390, December 2008. 1440 Authors' Addresses 1442 Charles Shen 1443 Columbia University 1444 Department of Computer Science 1445 1214 Amsterdam Avenue, MC 0401 1446 New York, NY 10027 1447 USA 1449 Phone: +1 212 854 3109 1450 Email: charles@cs.columbia.edu 1452 Henning Schulzrinne 1453 Columbia University 1454 Department of Computer Science 1455 1214 Amsterdam Avenue, MC 0401 1456 New York, NY 10027 1457 USA 1459 Phone: +1 212 939 7004 1460 Email: schulzrinne@cs.columbia.edu 1462 Arata Koike 1463 NTT Service Integration Labs & 1464 NTT Washington DC Representative Office 1465 1100 13th St., NW, Suite 900 1466 Washington DC, 20005 1467 USA 1469 Phone: +1 202 312 1451 1470 Email: koike.arata@lab.ntt.co.jp