idnits 2.17.1 draft-ietf-soc-load-control-event-package-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 2, 2012) is 4409 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2141 (Obsoleted by RFC 8141) ** Obsolete normative reference: RFC 3023 (Obsoleted by RFC 7303) ** Obsolete normative reference: RFC 3265 (Obsoleted by RFC 6665) ** Obsolete normative reference: RFC 4288 (Obsoleted by RFC 6838) == Outdated reference: A later version (-15) exists of draft-ietf-soc-overload-control-07 -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) Summary: 4 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IETF SOC Working Group C. Shen 3 Internet-Draft AT&T 4 Intended status: Standards Track H. Schulzrinne 5 Expires: September 3, 2012 Columbia U. 6 A. Koike 7 NTT 8 March 2, 2012 10 A Session Initiation Protocol (SIP) Load Control Event Package 11 draft-ietf-soc-load-control-event-package-03.txt 13 Abstract 15 We define a load control event package for the Session Initiation 16 Protocol (SIP). It allows SIP servers to distribute load filters to 17 other SIP servers in the network. The load filters contain rules to 18 throttle calls based on their source or destination domain, telephone 19 number prefix or for a specific user. The mechanism helps to prevent 20 signaling overload and complements feedback-based SIP overload 21 control efforts. 23 Status of this Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on September 3, 2012. 40 Copyright Notice 42 Copyright (c) 2012 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 58 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 5 59 3. Design Requirements . . . . . . . . . . . . . . . . . . . . . 6 60 4. SIP Load Filtering Overview . . . . . . . . . . . . . . . . . 6 61 4.1. Filter Format . . . . . . . . . . . . . . . . . . . . . . 6 62 4.2. Filter Computation . . . . . . . . . . . . . . . . . . . . 6 63 4.3. Filter Distribution . . . . . . . . . . . . . . . . . . . 7 64 4.4. Applicability in Different Network Environments . . . . . 10 65 5. Load Control Event Package . . . . . . . . . . . . . . . . . . 11 66 5.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 11 67 5.2. Event Package Parameters . . . . . . . . . . . . . . . . . 11 68 5.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 11 69 5.4. SUBSCRIBE Duration . . . . . . . . . . . . . . . . . . . . 11 70 5.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 12 71 5.6. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 12 72 5.7. Notifier Generation of NOTIFY Requests . . . . . . . . . . 12 73 5.8. Subscriber Processing of NOTIFY Requests . . . . . . . . . 12 74 5.9. Handling of Forked Requests . . . . . . . . . . . . . . . 13 75 5.10. Rate of Notifications . . . . . . . . . . . . . . . . . . 13 76 5.11. State Delta . . . . . . . . . . . . . . . . . . . . . . . 13 77 5.12. State Agents . . . . . . . . . . . . . . . . . . . . . . . 14 78 6. Load Control Document . . . . . . . . . . . . . . . . . . . . 14 79 6.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . . 14 80 6.2. Namespace . . . . . . . . . . . . . . . . . . . . . . . . 15 81 6.3. Conditions . . . . . . . . . . . . . . . . . . . . . . . . 15 82 6.3.1. Call Identity . . . . . . . . . . . . . . . . . . . . 15 83 6.3.2. Validity . . . . . . . . . . . . . . . . . . . . . . . 18 84 6.3.3. Method . . . . . . . . . . . . . . . . . . . . . . . . 18 85 6.4. Actions . . . . . . . . . . . . . . . . . . . . . . . . . 18 86 6.5. Complete Examples . . . . . . . . . . . . . . . . . . . . 19 87 7. XML Schema Definition for Load Control . . . . . . . . . . . . 21 88 8. Related Work . . . . . . . . . . . . . . . . . . . . . . . . . 23 89 8.1. Relationship with Load Filtering in PSTN . . . . . . . . . 23 90 8.2. Relationship with Other IETF SIP Load Control Efforts . . 24 91 9. Discussion of this specification meeting the requirements 92 of RFC5390 . . . . . . . . . . . . . . . . . . . . . . . . . . 25 93 10. Security Considerations . . . . . . . . . . . . . . . . . . . 30 94 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 31 95 11.1. Load Control Event Package Registration . . . . . . . . . 31 96 11.2. application/load-control+xml MIME Registration . . . . . . 31 97 11.3. Load Control Schema Registration . . . . . . . . . . . . . 32 98 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 32 99 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 33 100 13.1. Normative References . . . . . . . . . . . . . . . . . . . 33 101 13.2. Informative References . . . . . . . . . . . . . . . . . . 33 102 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 34 104 1. Introduction 106 Proper functioning of Session Initiation Protocol (SIP) [RFC3265] 107 signaling servers is critical in SIP-based communications networks. 108 The performance of SIP servers can be severely degraded when the 109 server is overloaded with excessive number of signaling requests. 110 Both legitimate and malicious traffic can overload SIP servers, 111 despite appropriate capacity planning. 113 There are three common examples of legitimate short-term increases in 114 call volumes. Viewer-voting TV shows or ticket giveaways may 115 generate millions of calls within a few minutes. Call volume may 116 also spike during special holidays such as New Year's Day and 117 Mother's Day. Finally, callers may want to reach friends and family 118 in natural disaster areas such as those affected by earthquakes. 119 When possible, only calls traversing overloaded servers should be 120 throttled under those conditions. 122 SIP load control mechanisms are needed to prevent congestion collapse 123 in these cases [RFC5390]. There are two types of load control 124 approaches. In the first approach, feedback control, SIP servers 125 provide load limits to upstream servers, to reduce the incoming rate 126 of all SIP requests [I-D.ietf-soc-overload-control]. These upstream 127 servers then drop or delay incoming SIP requests. Feedback control 128 is reactive and affects signaling messages that have already been 129 issued by user agent clients. They work well when SIP proxy servers 130 in the core networks (core proxy servers) or destination-specific SIP 131 proxy servers in the edge networks (edge proxy servers) are 132 overloaded. By their nature, they need to distribute rate, drop or 133 window information to all upstream SIP proxy servers and normally 134 affect all calls equally, regardless of destination. However, 135 feedback control is usually ineffective for overload of more general 136 purpose SIP edge proxy servers. For example, in the ticket giveaway 137 case, almost all calls to the hotline will fail at the core proxy 138 servers; if the edge proxy servers leading to the core proxy servers 139 are also overloaded, calls to other destinations will also be 140 rejected or dropped. 142 Here, we propose an additional, complementary mechanism, called load 143 filtering. Network operators create load filters that indicate that 144 calls to specific destinations or from specific sources should be 145 rate-limited or randomly dropped. These load filters are then 146 distributed to SIP servers and possibly user agents likely to 147 generate calls to the affected destinations or from the affected 148 sources. Load filtering works best if it prevents calls as close to 149 the user agent clients as possible. 151 Performing SIP load filtering requires three components: load filter 152 format, load filter computation method, and load filter distribution 153 mechanism. This specification addresses two of these three 154 components. The load filter format is defined in a SIP load control 155 event package, while the load filter distribution mechanism is built 156 upon the existing SIP event framework. The remaining component, load 157 filter computation method, depends heavily on the actual network 158 topology and service provider policies. Therefore it is out of scope 159 of this specification. 161 It is helpful to clarify two aspects regarding some terminology used 162 in this specification. Firstly, although the SIP load filtering 163 mechanism is motivated by the overload control problem, which is why 164 this specification refers extensively to other parallel SIP overload 165 control related efforts, the applicability of filtering extends 166 beyond the overload control purpose. For example, it can also be 167 used to implement quality of service or other service level agreement 168 commitments. Therefore, we use the term SIP "load control event 169 package", instead of a narrower term "overload control event 170 package". Secondly, since we are describing a specific control 171 mechanism based on filtering, the term "load control" in this 172 specification is used inter-changeably with the term "load filtering" 173 unless when associated with other explicit context. This 174 specification, however, does not preclude the load control document 175 defined here (Section 6) to be extended in the future for other forms 176 of control as appropriate. 178 The rest of this specification is structured as follows: we begin by 179 listing the design requirements for this work in Section 3. We then 180 give an overview of load filtering operation in Section 4. The load 181 control event package for filter distribution is detailed in 182 Section 5. The load filter format is defined in the two sections 183 that follow, with Section 6 introducing the XML document for load 184 control and Section 7 listing the associated schema. Section 8 185 relates this work to corresponding mechanisms in PSTN and other IETF 186 efforts addressing SIP load control. Section 9 evaluates whether 187 this specification meets the SIP overload control requirements set 188 forth by RFC5390 [RFC5390]. Finally, Section 10 presents security 189 considerations and Section 11 provides IANA considerations. 191 2. Requirements Notation 193 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 194 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 195 document are to be interpreted as described in [RFC2119]. 197 3. Design Requirements 198 The SIP load filtering mechanism needs to satisfy the following 199 requirements: 201 o To simplify the solution, we focus on a method for controlling SIP 202 load, rather than a generic application-layer mechanism. 203 o The load filter needs to be distributed efficiently to possibly a 204 large subset of all SIP elements. 205 o The solution should re-use existing SIP protocol mechanisms to 206 reduce implementation and deployment complexity. 207 o For predictable overload situations, such as holidays and call-in 208 events, the load filter should specify during what time period it 209 is to be applied, so that the information can be distributed ahead 210 of time. 211 o For destination-specific overload situations, the load filter 212 needs to be able to describe the callee. 213 o To address accidental and intentional high-volume call generators, 214 the load filter should allow to specify the caller. 215 o Caller and callee need to be specified as both SIP URIs and 'Tel' 216 URIs[RFC3966]. 217 o For telephone numbers, it should be possible to specify prefixes 218 which allow control over limited regionally-focused overloads. 219 o The solution should draw upon experiences from related PSTN 220 mechanisms where applicable. 221 o The solution should be extensible to meet future needs. 223 4. SIP Load Filtering Overview 225 4.1. Filter Format 227 A load filter contains both conditions and actions. Filter 228 conditions include the identities of the targets to be controlled. 229 For example, there are two typical resource limits in a possible 230 overload situation, i.e., human destination limits (N number of call 231 takers) and proxy capacity limits. The control targets in these two 232 cases can be the specific callee numbers or the destination domains 233 corresponding to the overload. Filter conditions also indicate the 234 period of time during which the control should be activated, and the 235 specific message type to be controlled, e.g., the INVITE message of a 236 SIP session. Filter actions describe the desired control functions 237 such as limiting the request rate below a certain level. Detailed 238 formats of filter conditions and actions are defined in Section 6. 240 4.2. Filter Computation 242 Load filter computation needs to take into consideration information 243 such as the overload time, scope and network topology, as well as 244 service policies. It is also important to make sure that there is no 245 resource allocation loop, and that loads are allocated in a way which 246 both prevents overload and minimizes the likelihood of network 247 resource under-utilization. In some cases, in order to better 248 utilize system resources, it may be preferable to employ a dynamic 249 load computation algorithm which adapts to current network status, 250 rather than using a purely static mechanism. The load filter 251 computation algorithm is out of scope of this specification. 253 4.3. Filter Distribution 255 For load filter distribution, this specification defines the SIP 256 event package for load control, which is an "instantiation" of the 257 generic SIP events framework [RFC3265]. The SIP events framework 258 provides an existing method for SIP entities to subscribe to and 259 receive notifications when certain events have occurred. Such a 260 framework forms a scalable event distribution architecture that suits 261 our needs. This specification also defines the XML schema of a load 262 control document (Section 6), which is used to encode load filtering 263 rules. 265 In order for load filters to be properly distributed, each SIP proxy 266 server in the network is required to subscribe to the load control 267 event package from all its outgoing signaling neighbors, known as 268 notifiers (Section 5.6). Subscription is initiated and maintained 269 during normal server operation. Signaling neighbors are defined by 270 sending signaling messages. For instance, if A sends signaling 271 requests to B, B is an outgoing signaling neighbor of A. A needs to 272 subscribe to the load control event package of B in case B wants to 273 curb requests from A. On the other hand, if B also sends signaling 274 requests to A, then B also subscribes to A. Subscription of 275 neighboring SIP entities needs to be persistent so that they are in 276 place independently of any specific load filtering events. Key to 277 this is the fact that notification following initial subscription 278 includes an empty message body if no events are configured 279 (Section 5.7), and that the subscription needs to be refreshed 280 periodically to make it persistent, as described in Section 3.1.6 and 281 Section 3.1.4.2 of [RFC3265]. The notifier will send a notification 282 with its current control policy to its subscribers each time a new 283 subscription or a subscription refreshing is accepted (Section 5.7). 284 The same subscription dialog can also be used to convey policies for 285 multiple different load filtering events in a set of rules 286 (Section 6.1). 288 We use the example architecture shown in Figure 1 to illustrate load 289 filter distribution based on the SIP load control event package. 290 This scenario consists of two networks belonging to Service Provider 291 A and Service Provider B, respectively. Each provider's network is 292 made up of two SIP core proxy servers and four SIP edge proxy 293 servers. The core proxy servers and edge proxy servers of Service 294 Provider A are denoted as CPa1 to CPa2 and EPa1 to EPa4; the core 295 proxy servers and edge proxy servers of Service Provider B are 296 denoted as CPb1 to CPb2 and EPb1 to EPb4. 298 +-----------+ +-----------+ +-----------+ +-----------+ 299 | | | | | | | | 300 | EPa1 | | EPa2 | | EPa3 | | EPa4 | 301 | | | | | | | | 302 +-----------+ +-----------+ +-----------+ +-----------+ 303 \ / \ / 304 \ / \ / 305 \ / \ / 306 +-----------+ +-----------+ 307 | | | | 308 | CPa1 |------------------| CPa2 | 309 | | | | 310 +-----------+ +-----------+ 311 | | 312 Service | | 313 Provider A | | 314 | | 315 ================================================================= 316 | | 317 Service | | 318 Provider B | | 319 | | 320 +-----------+ +-----------+ 321 | | | | 322 | CPb1 |------------------| CPb2 | 323 | | | | 324 +-----------+ +-----------+ 325 / \ / \ 326 / \ / \ 327 / \ / \ 328 +-----------+ +-----------+ +-----------+ +-----------+ 329 | | | | | | | | 330 | EPb1 | | EPb2 | | EPb3 | | EPb4 | 331 | | | | | | | | 332 +-----------+ +-----------+ +-----------+ +-----------+ 334 Figure 1: Example Network Scenario Using SIP Load Control Event 335 Package Mechanism 337 At the initialization stage, the proxy servers first identify all 338 their outgoing signaling neighbors and subscribe to them. The 339 neighbor identification process can be performed by service providers 340 through direct provisioning, or by the proxy servers themselves via 341 progressively learning from the singling messages sent and received. 342 Assuming all signaling relationship in Figure 1 is bi-directional, 343 after this initialization stage, each proxy server will be subscribed 344 to all its neighbors. That is, EPa1 subscribes to CPa1; CPa1 345 subscribes to EPa1, EPa2, CPa2 and CPb1, so on and so forth. The 346 following cases then show two examples of how load filter 347 distribution in this network works. 349 Case I: EPa1 serves a TV program hotline and decides to limit the 350 total number of incoming calls to the hotline to prevent an overload. 351 To do so, EPa1 sends a notification to CPa1 with the specific hotline 352 number, time of activation and total acceptable call rate. Depending 353 on the filter computation algorithm, CPa1 may allocate the received 354 total acceptable rate among its neighbors, namely, EPa2, CPa2, and 355 CPb1, and notify them about the resulting allocation along with the 356 hotline number and the activation time. CPa2 and CPb1 may perform 357 further allocation among their own neighbors and notify the 358 corresponding proxy servers. This process continues until all edge 359 proxy servers in the network have been informed about the event and 360 have proper load filter configured. 362 Case II: an earthquake affects the region covered by CPb2, EPb3 and 363 EPb4. All the three proxy servers are overloaded. The rescue team 364 determines that outbound calls are more valuable than inbound calls 365 in this specific situation. Therefore, EPb3 and EPb4 are configured 366 with filters to accept more outbound calls than inbound calls. CPb2 367 may be configured the same way or receive dynamically computed 368 filters from EPb3 and EPb4. Depending on the filter computation 369 algorithm, CPb2 may also send out notifications to its outside 370 neighbors, namely CPb1 and CPa2, specifying a limit on the acceptable 371 rate of inbound calls to CPb2's responsible domain. CPb1 and CPa2 372 may subsequently notify their neighbors about limiting the calls to 373 CPb2's area. The same process could continue until all edge proxy 374 servers are notified and have filters configured. 376 In the above two cases, the network entity where load filtering 377 policy is first introduced is the SIP server to be protected. In 378 other cases, the network entry point of load filtering policy could 379 also be an entity that the protected SIP server is connected to. For 380 example, an operator may host an application server that performs 800 381 number translation services. The application server may itself be a 382 SIP proxy or a SIP Back-to-Back User Agent (B2BUA). If one of the 383 800 numbers hosted at the application server creates the overload 384 condition, the load filtering policies can be introduced from the 385 application server and then propogated to other SIP proxy servers in 386 the network. 388 Note that this specification does not define the provisioning 389 interface between the party who determines the load control policy 390 and the network entry point where the policy is introduced. One of 391 the options for the provisioning interface is the Extensible Markup 392 Language (XML) Configuration Access Protocol (XCAP) [RFC4825]. 394 4.4. Applicability in Different Network Environments 396 SIP load filtering is more effective when the filters can be pushed 397 to the proximity of signaling sources. But even if only part of the 398 signaling path towards the signaling source could be covered, use of 399 this mechanism can still be beneficial. In fact, due to possibly 400 sophisticated call routing and security concerns, trying to apply 401 automated load filter distribution in the entire inter-domain network 402 path could get extremely complicated and be unrealistic. 404 The scenarios where this mechanism could be most useful are 405 environments consisting of servers with secure and trust relationship 406 and with relatively straightforward routing configuration known to 407 the filter computation algorithm. These scenarios may include intra- 408 domain environments such as those inside a service provider or 409 enterprise domain; inter-domain environments such as where enterprise 410 connecting to a few service providers or between service providers 411 with manageable routing configurations. 413 Another important aspect that affects the applicability of SIP load 414 filtering is that all possible signaling source neighbors need to 415 participate and enforce the designated filter. Otherwise, a single 416 non-conforming neighbor could make the whole control efforts useless 417 by pumping in excessive traffic to overload the server. Therefore, 418 the SIP server that initiates the filter needs to take counter- 419 measures towards any non-conforming neighbors. A simple policy is to 420 reject excessive requests with 500 responses as if they were obeying 421 the rate. Considering the rejection costs, a more complicated but 422 fairer policy would be to allocate at the overloaded server the same 423 amount of processing to the combination of both normal processing and 424 rejection as the overloaded server would devote to processing 425 requests for a conforming upstream SIP server. These approaches work 426 as long as the total rejection cost does not overwhelm the entire 427 server resources. In addition, whatever the actual policy is, SIP 428 servers SHOULD honor the Resource-Priority Header (RPH) [RFC4412] 429 when processing messages. The RPH contents may indicate high 430 priority requests that should be preserved as much as possible, or 431 low priority requests that could be dropped during overload. SIP 432 request rejection and message prioritization at an overloaded server 433 are also discussed in Section 5.1 of [I-D.ietf-soc-overload-control] 434 and Section 12 of [RFC6357]. 436 5. Load Control Event Package 438 The SIP load filtering mechanism uses the SIP event package for load 439 control. This section defines details of the SIP event package for 440 load control according to [RFC3265]. 442 5.1. Event Package Name 444 The name of this event package is "load-control". This name is 445 carried in the Event and Allow-Events header, as specified in 446 [RFC3265]. 448 5.2. Event Package Parameters 450 No package specific event header field parameters are defined for 451 this event package. 453 5.3. SUBSCRIBE Bodies 455 The effectiveness of SIP load filtering relies on the scope of 456 distribution and installation of the control policies in the network. 457 Since wide distribution of control policies is desirable, subscribers 458 SHOULD try to subscribe to all those notifiers with which they have 459 regular signaling exchanges, although not all such notifiers may 460 permit such a subscription. 462 A SUBSCRIBE request for the SIP load control event package MAY 463 contain a body to filter the requested load control event 464 notification. For example, a subscriber may be interested in some 465 specific types of load control policy only. The details of the 466 subscription filter specification are not yet defined. 468 A SUBSCRIBE request sent without a body implies the default 469 subscription behavior as specified in Section 5.7. 471 5.4. SUBSCRIBE Duration 473 The default expiration time for a subscription to load control policy 474 is one hour. Since the desired expiration time may vary 475 significantly for subscriptions among SIP entities with different 476 signaling relationships, the subscribers and notifiers are 477 RECOMMENDED to explicitly negotiate appropriate subscription 478 durations when knowledge about the mutual signaling relationship is 479 available. 481 5.5. NOTIFY Bodies 483 The body of a NOTIFY request in this event package contains load 484 control policy. As specified in [RFC3265], the format of the NOTIFY 485 body MUST be in one of the formats defined in the Accept header field 486 of the SUBSCRIBE request or be the default format. The default data 487 format for the NOTIFY body of this event package is "application/ 488 load-control+xml" (defined in Section 6). This means that if no 489 Accept header field is specified to a SUBSCRIBE request, the NOTIFY 490 request will contain a body in the "application/load-control+xml" 491 format. If the Accept header field is present, it MUST include 492 "application/load-control+xml" and MAY include any other types. 494 5.6. Notifier Processing of SUBSCRIBE Requests 496 Notifier accepts a new subscription or updates an existing 497 subscription upon receiving a valid SUBSCRIBE request. 499 If the identity of the subscriber sending the SUBSCRIBE request is 500 not allowed to receive load control policy, the notifier MUST return 501 a 403 "Forbidden" response. 503 If none of MIME types specified in the Accept header of the SUBSCRIBE 504 is supported, the Notifier SHOULD return 406 "Not Acceptable" 505 response. 507 5.7. Notifier Generation of NOTIFY Requests 509 Following [RFC3265] specification, a notifier MUST send a NOTIFY with 510 its current load control policy to the subscriber upon successfully 511 accepting or refreshing a subscription. If no applicable restriction 512 is active when the subscription request is received, an empty message 513 body is attached to the NOTIFY request. This is often the case when 514 a subscription is initiated for the first time, e.g., when a SIP 515 entity is just introduced, because there may be no planned events 516 configured at that time. A notifier SHOULD generate NOTIFY requests 517 each time the load control policy changes, with the maximum 518 notification rate not exceeding values defined in Section 5.10. 520 5.8. Subscriber Processing of NOTIFY Requests 522 The way subscribers process NOTIFY requests depends on the contents 523 of the notifications. Typically, a load control notification 524 consists of rules that should be applied to requests matching certain 525 identities. A subscriber receiving the notification first installs 526 these rules and then filter incoming requests to enforce actions on 527 appropriate requests, for example, limiting the sending rate of call 528 requests destined for a specific SIP entity. 530 In the case when load control rules specify a future validity time, 531 it is possible that when the validity time comes, the subscription to 532 the specific notifier that conveyed the rules has expired. In this 533 case, it is RECOMMENDED that the subscriber re-activate its 534 subscription with the corresponding notifier. Regardless of whether 535 this re-activation of subscription is successful or not, when the 536 validity time is reached, the subscriber SHOULD enforce the 537 corresponding rules. 539 Upon receipt of a NOTIFY request with a Subscription-State header 540 field containing the value "terminated", the subscription status with 541 the particular notifier will be terminated. However, subscribers 542 SHOULD NOT change previously received load control policies from that 543 notifier because of this change in subscription status, unless it has 544 other specific reasons to do so. Modifications of existing load 545 control policies at the subscriber is performed after directly 546 receiving notifications containing updated load control policies. 548 The subscriber SHALL discard unknown bodies. If the NOTIFY request 549 contains several bodies, none of them being supported, it SHOULD 550 unsubscribe. A NOTIFY request that does not contain a body MUST be 551 ignored. 553 5.9. Handling of Forked Requests 555 Forking is not applicable when the load control event package is used 556 within a single-hop distance between neighboring SIP entities. If 557 the communication scope of the load control event package is among 558 multiple hops, forking is not expected to happen either because the 559 subscription request is addressed to a clearly defined SIP entity. 560 However, in the unlikely case when forking does happen, the load 561 control event package only allows the first potential dialog- 562 establishing message to create a dialog, as specified in Section 563 4.4.9 of [RFC3265]. 565 5.10. Rate of Notifications 567 Rate of notifications is likely not a concern for this event package 568 when it is used in a non-real-time mode for relatively static load 569 control policies. Nevertheless, if situation does arise that a 570 rather frequent load control policy update is needed, it is 571 RECOMMENDED that the notifier does not generate notifications at a 572 rate higher than once per-second in all cases, in order to avoid the 573 NOTIFY request itself overloading the system. 575 5.11. State Delta 577 It is likely that updates to specific load control events are made by 578 changing the control restriction parameter information only (e.g. 579 rate, percent), but not other rule elements, such as call-identity. 580 This will typically be because the utilisation of a resource subject 581 to overload depends upon dynamic unknowns such as holding time and 582 the relative distribution of offered loads over subscribing SIP 583 entities. The updates could originate manually or be determined 584 automatically by a dynamic filter computation algorithm 585 (Section 4.2). Another factor usually not known precisely or is 586 computed automatically is the validity duration of the load control 587 event. Therefore it would also be common for the validity to change 588 frequently. 590 This event package allows the use of state delta to accommodate 591 frequent updates of partial rule parameters. As in [RFC3265], a 592 version number that increases by exactly one is included in the 593 NOTIFY body for each NOTIFY transaction in a subscription. When the 594 subscriber receives a state delta, it associates the partial updates 595 to the particular rules by matching the appropriate rule id 596 (Section 6.5). If the subscriber receives a NOTIFY that has a 597 version number that is increased by more than one, it knows that it 598 has missed a state delta. The subscriber then keeps the version 599 number, ignores the NOTIFY request containing the state delta, and 600 re-sends a SUBSCRIBE to force a NOTIFY containing a complete state 601 snapshot. 603 5.12. State Agents 605 The load control policy can be directly generated by concerned SIP 606 entities distributed in the network. Alternatively, qualified state 607 agents external to the SIP entities MAY be defined to take charge of 608 determining load control policies. 610 6. Load Control Document 612 6.1. Format 614 A load control document is an XML document that inherits and enhances 615 the common policy document defined in [RFC4745]. A common policy 616 document contains a set of rules. Each rule consists of three parts: 617 conditions, actions and transformations. The conditions part is a 618 set of expressions containing attributes such as identity, domain, 619 and validity time information. Each expression evaluates to TRUE or 620 FALSE. Conditions are matched on "equality" or "greater than" style 621 comparison. There is no regular expression matching. Conditions are 622 evaluated on receipt of an initial SIP request for a dialog or 623 standalone transaction. If a request matches all conditions in a 624 rule set, the action part and the transformation part are consulted 625 to determine the "permission" on how to handle the request. Each 626 action or transformation specifies a positive grant to the policy 627 server to perform the resulting actions. Well-defined mechanism are 628 available for combining actions and transformations obtained from 629 more than one sources. 631 6.2. Namespace 633 The namespace URI for elements defined by this specification is a 634 Uniform Resource Namespace (URN) ([RFC2141]), using the namespace 635 identifier 'ietf' defined by [RFC2648] and extended by [RFC3688]. 636 The URN is as follows: 638 urn:ietf:params:xml:ns:load-control 640 6.3. Conditions 642 [RFC4745] defines three condition elements: , and 643 . In this specification, we re-define an element for 644 identity and reuse the element. The element is 645 not used. 647 6.3.1. Call Identity 649 Since the problem space of this specification is different from that 650 of [RFC4745], the [RFC4745] element is not sufficient for 651 use with load control. First, load control may be applied to 652 different identities contained in a request, including identities of 653 both the receiving entity and the sending entity. Second, the 654 importance of authentication varies when different identities of a 655 request are concerned. This specification defines new identity 656 conditions that can accommodate the granularity of specific SIP 657 identity header fields. The requirement for authentication depends 658 on which field is to be matched. 660 The identity condition for load control is specified by the element and its sub-element . The element 662 itself contains sub-elements representing SIP sending and receiving 663 identity header fields: , , and , each is of the same type as the element in 665 [RFC4745]. Therefore, they also inherit the sub-elements of the 666 element, including , , and . 668 The [RFC4745] and elements may contain an "id" 669 attribute, which is the URI of a single entity to be included or 670 excluded in the condition. When used in the , , and elements, this "id" value is the URI 672 contained in the corresponding SIP header field, i.e., From, To, 673 Request-URI, and P-Asserted-Identity. 675 When the element contains multiple sub- 676 elements, the result is combined using logical OR. When the , 677 , and elements contain 678 multiple , , or sub-elements, the result is also 679 combined using logical OR, similar to that of the element 680 in [RFC4745]. However, when the element contains multiple of 681 the , , and sub- 682 elements, the result is combined using logical AND. This allows the 683 call identity to be specified by multiple fields of a SIP request 684 simultaneously, e.g., both the From and the To header fields. 686 The following shows an example of the element. 688 689 690 691 692 693 694 695 697 This example matches call requests whose To header field contains the 698 SIP URI "sip:alice@hotline.example.com", or the 'tel' URI 699 "tel:+1-212-555-1234". 701 The [RFC4745] and elements may take a "domain" 702 attribute. The "domain" attribute specifies a domain name to be 703 matched by the domain part of the candidate identity. Thus, it 704 allows matching a large and possibly unknown number of entities 705 within a domain. The "domain" attribute works well for SIP URIs. 707 A URI identifying a SIP user, however, can also be a 'tel' URI. We 708 therefore need a similar way to match a group of 'tel' URIs. 709 According to [RFC3966], there are two forms of 'tel' URIs for global 710 numbers and local numbers, respectively. All phone numbers must be 711 expressed in global form when possible. The global number 'tel' URIs 712 start with a "+". The rest of the numbers are expressed as local 713 numbers, which must be qualified by a "phone-context" parameter. The 714 "phone-context" parameter may be labelled as a global number or any 715 number of its leading digits, or a domain name. Both forms of the 716 'tel' URI make the resulting URI globally unique. 718 'Tel' URIs of global numbers can be grouped by prefixes consisting of 719 any number of common leading digits. For example, a prefix formed by 720 a country code or both the country and area code identifies telephone 721 numbers within a country or an area. Since the length of the country 722 and area code for different regions are different, the length of the 723 number prefix is also variable. This allows further flexibility such 724 as grouping the numbers into sub-areas within the same area code. 725 'Tel' URIs of local numbers can be grouped by the value of the 726 "phone-context" parameter. 728 To include the two forms of 'tel' URI grouping in the and 729 elements, one approach is to add a new attribute similar to 730 the "domain" attribute. In this specification, we decided on a 731 simpler approach. There are basically two types of grouping 732 attribute values for both SIP URIs and 'tel' URIs: domain name and 733 number prefix starting with "+". Both of them can be expressed as 734 strings. Therefore, we re-interpret the existing "domain" attribute 735 of the and elements to allow it to contain both types 736 of grouping attribute values. In particular, when the "domain" 737 attribute value starts with "+", it denotes a number prefix, 738 otherwise, the value denotes a domain name. Note that the tradeoff 739 of this simpler approach is the overlap in matching different types 740 of URIs. Specifically, a domain name in the "domain" attribute could 741 be matched by both a SIP URI with that domain name and a local number 742 'tel' URI containing the same domain name in the "phone-context". On 743 the other hand, a number prefix in the "domain" attribute could be 744 matched by both global number 'tel' URIs starting with those leading 745 digits, and local number 'tel' URIs having the same prefix in the 746 "phone-context" parameter. These overlap situations would not be a 747 big problem because of two reasons. First, when the "phone-context" 748 coincides with the SIP domain name or the global number prefix, it is 749 usually the case that the related phone numbers indeed belong to the 750 same domain or the same area, which means the overlap is not 751 inappropriate. Second, use of the local number 'tel' URI in practice 752 is expected to be rare. As a result, the chance of such overlap 753 happening is very small. 755 The following example shows the use of the re-interpreted "domain" 756 attribute. 758 759 760 761 762 763 764 765 766 767 768 769 770 772 This example matches those requests calling to the number "+1-202- 773 999-1234" but are not calling from a "+1-212" prefix or a SIP From 774 URI domain of "manhattan.example.com". 776 6.3.2. Validity 778 A rule is usually associated with a validity period condition. This 779 specification reuses the element of [RFC4745], which 780 specifies a period of validity time by pairs of and 781 sub-elements. When multiple time periods are defined, the validity 782 condition is evaluated to TRUE if the current time falls into any of 783 the specified time periods. i.e., it represents a logical OR 784 operation across all validity time periods. 786 The following example shows a element specifying a valid 787 period from 12:00 to 15:00 US Eastern Standard Time on 2008-05-31. 789 790 2008-05-31T12:00:00-05:00 791 2008-05-31T15:00:00-05:00 792 794 6.3.3. Method 796 The load created on a SIP server depends on the type of an initial 797 SIP request for a dialog or standalone transaction. The 798 element specifies the SIP method to which a particular action 799 applies. When this element is not included, the rule actions are 800 applicable to all initial methods. 802 The following example shows the use of the element. 804 INVITE 806 6.4. Actions 808 As [RFC4745] specified, conditions form the 'if'-part of rules, while 809 actions and transformations form the 'then'-part. Transformations 810 are not used in the load control document. The actions for load 811 control are defined by the element, which takes any one of 812 the three sub-elements , , and . The 813 element denotes an absolute value of the maximum acceptable request 814 rate in requests per second; the element specifies the 815 relative percentage of incoming requests that should be accepted; the 816 element describes the acceptable window size supplied by the 817 receiver, which is applicable in window-based load control. In 818 static load filter configuration scenarios, using the sub- 819 element is RECOMMENDED because it is hard to enforce the percentage 820 rate or window-based control when the incoming load from upstream or 821 the reactions from downstream are uncertain. (See 822 [I-D.ietf-soc-overload-control] [RFC6357] for more details on rate- 823 based, loss-based and window-based load control) 825 In addition, the element takes an optional "alt-action" 826 attribute which can be used to explicitly specify the desired action 827 in case a request cannot be accepted. The possible "alt-action" 828 values are "drop" for simple drop, "reject" for explicit rejection 829 (e.g., sending a "500 Server Internal Error" response message to an 830 INVITE request), and "forward". The default value is "reject" in 831 order to avoid possible SIP retransmissions when an unreliable 832 transport is used. If the "alt-action" value is "forward", an "alt- 833 target" attribute MUST be defined. The "alt-target" specifies a URI 834 where the request should be forwarded (e.g., an answering machine 835 with explanation of why the request cannot be accepted). 837 In the following element example, the server accepts 838 maximum of 100 call requests per second. The remaining calls are 839 forwarded to an answering machine. 841 842 844 100 845 846 848 6.5. Complete Examples 850 This section presents two complete examples of load control documents 851 vliad with respect to the XML schema defined in Section 7. 853 The first example assumes that a set of hotlines are set up at 854 "sip:alice@hotline.example.com" and "tel:+1-212-555-1234". The 855 hotlines are activated from 12:00 to 15:00 US Eastern Standard Time 856 on 2008-05-31. The goal is to limit the incoming calls to the 857 hotlines to 100 requests per second. Calls that exceed the rate 858 limit are explicitly rejected. 860 861 865 866 867 868 869 870 871 872 873 874 875 876 2008-05-31T12:00:00-05:00 877 2008-05-31T15:00:00-05:00 878 879 880 881 882 100 883 884 886 887 889 The second example considers optimizing server resource usage of a 890 three-day period during the aftermath of an earthquake. Incoming 891 calls to the earthquake domain "pompeii.example.com" will be limited 892 to a rate of 100 requests per second, except for those calls 893 originating from a particular rescue team domain 894 "rescue.example.com". Outgoing calls from the earthquake domain or 895 calls within the local domain are never limited. All calls that are 896 throttled due to the rate limit will be forwarded to an answering 897 machine with updated earthquake rescue information. 899 900 904 905 906 907 908 909 911 912 913 914 915 916 917 918 919 920 921 79-08-24T09:00:00+01:00 922 79-08-27T09:00:00+01:00 923 924 925 926 928 100 929 930 932 933 935 7. XML Schema Definition for Load Control 937 This section defines the XML schema for the load control document. 938 It extends the Common Policy schema in [RFC4745] in two ways. 939 Firstly, it defines two mandatory attributes for the ruleset element: 940 version and state. The version attribute allows the recipient of the 941 notification to properly order them. Versions start at 0, and 942 increase by one for each new document sent to a subscriber within the 943 same subscription. Versions MUST be representable using a non- 944 negative 32 bit integer. The state attribute indicates whether the 945 document contains a full control policy update, or whether it 946 contains only state delta as partial update. Secondly, it defines 947 new members of the and elements. 949 950 957 959 961 962 963 964 965 966 968 969 970 971 972 973 974 975 976 977 978 979 980 981 983 985 986 987 989 990 991 992 993 995 996 997 999 1000 1001 1002 1003 1004 1005 1007 1009 1010 1011 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1025 1027 1028 1029 1030 1031 1032 1034 1035 1036 1037 1038 1040 1042 8. Related Work 1044 8.1. Relationship with Load Filtering in PSTN 1046 It is known that the existing PSTN network also uses a load filtering 1047 mechanism to prevent overload and the filter configuration is done 1048 manually. This specification defines a SIP events framework based 1049 distribution mechanism which allows automated filter distribution in 1050 suitable environments. 1052 There are control messages associated with PSTN overload control 1053 which would specify an outgoing control list, call gap duration and 1054 control duration [AINGR]. These items could be roughly correlated to 1055 the identity, action and time fields of the SIP load filter defined 1056 in this specification. However, the filter defined in this 1057 specification is much more generic and flexible as opposed to its 1058 PSTN counterpart. 1060 Firstly, PSTN load filtering only applies to telephone numbers, and 1061 the number of prefix to be matched for a group of telephone numbers 1062 is usually a fixed set. The SIP filter identity allows both SIP URI 1063 and telephone numbers (through Tel URI) to be specified. The 1064 identities can be arbitrarily grouped by SIP domains or any number of 1065 leading prefix of the telephone numbers. 1067 Secondly, the PSTN filtering action is usually limited to call 1068 gapping with a fixed set of allowed gapping intervals. The action 1069 field in the SIP load filter allows more flexible rate throttle and 1070 other possibilities. 1072 Thirdly, the duration field in PSTN filtering specifies a value in 1073 seconds for the control duration only, and the allowed values are 1074 mapped into a value set. The time field in the SIP load filter may 1075 specify not only a duration, but also a future activation time which 1076 could be especially useful for automating load control for 1077 predictable overloads. 1079 PSTN filtering can be performed in both edge switches and transit 1080 switches; SIP filtering can also be applied in both edge proxy 1081 servers and core proxy servers, and even in capable user agents. 1083 PSTN overload control also has special accommodation for High 1084 Probability of Completion (HPC) calls, which would be similar to the 1085 calls designated by the SIP Resource Priority Headers [RFC4412]. SIP 1086 filtering mechanism can also prioritize the treatment of these calls 1087 by specifying favorable actions for these calls. 1089 PSTN filtering also provides administrative option for routing failed 1090 call attempts to either Recorder Tone or a special announcement. 1091 Similar capability can be provided in the SIP filtering mechanism by 1092 specifying the appropriate "alt-action" attribute in the SIP 1093 filtering action field. 1095 8.2. Relationship with Other IETF SIP Load Control Efforts 1097 The load filtering rules in this specification consists of identity, 1098 action and time. The identity can range from a single specific user 1099 to an arbitrary user aggregate, domains or areas. The user can be 1100 identified by either the source or the destination. When the user is 1101 identified by the source and a favorable action is specified, the 1102 result is to some extent similar to identifying a priority user based 1103 on authorized Resource Priority Headers [RFC4412] in the requests. 1104 Specifying a source user identity with an unfavorable action would 1105 cause an effect to some extent similar to an inverse SIP resource 1106 priority mechanism. 1108 The load filter defined in this specification is generic and expected 1109 to be applicable not only to the load filtering mechanism but also to 1110 the feedback overload control mechanism in 1111 [I-D.ietf-soc-overload-control]. In particular, both mechanisms 1112 could use specific or wildcard filter identities for load control and 1113 could share well-known load control actions. The time duration field 1114 in the load filter could also be used in both mechanisms. As 1115 mentioned in Section 1, the load filter distribution mechanism and 1116 the feedback overload control mechanism address complementary areas 1117 in the load control problem space. Load filtering is more proactive 1118 and focuses on distributing the filter towards the source of the 1119 traffic; the hop-by-hop feedback based approach is reactive and 1120 targets more at traffic already accepted in the network. Therefore, 1121 they could also make different use of the generic filter components. 1122 For example, the load filtering mechanism may use the time field in 1123 the filter to specify not only a control duration but also a future 1124 activation time to accommodate a predicable overload such as the one 1125 caused by Mother's Day greetings or a viewer-voting program; the 1126 feedback-based control might not need to use the time field or might 1127 use the time field to specify an immediate control duration. 1129 9. Discussion of this specification meeting the requirements of RFC5390 1131 This section evaluates whether the load control event package defined 1132 in this specification satisfies the various SIP overload control 1133 requirements set forth by RFC5390 [RFC5390]. Not all RFC5390 1134 requirements are found applicable due to the scope of this document. 1135 Therefore, we categorize the assessment results into Yes (meet the 1136 requirement), P/A (partially applicable), No (must be used in 1137 conjunction with another mechanism to meet the requirement), and N/A 1138 (not applicable). 1140 REQ 1: The overload mechanism shall strive to maintain the overall 1141 useful throughput (taking into consideration the quality-of- 1142 service needs of the using applications) of a SIP server at 1143 reasonable levels, even when the incoming load on the network is 1144 far in excess of its capacity. The overall throughput under load 1145 is the ultimate measure of the value of an overload control 1146 mechanism. 1148 P/A. The goal of the load filtering is to prevent overload or 1149 maintain overall goodput during the time of overload, but it is 1150 dependent on the advance predictions of the load. If the predictions 1151 are incorrect, in either direction, the effectiveness of the 1152 mechanism will be affected. 1154 REQ 2: When a single network element fails, goes into overload, or 1155 suffers from reduced processing capacity, the mechanism should 1156 strive to limit the impact of this on other elements in the 1157 network. This helps to prevent a small-scale failure from 1158 becoming a widespread outage. 1160 N/A if filter values are installed in advance and do not change 1161 during the potential overload period. P/A if filter values are 1162 dynamically adjusted due to the specific filter computation 1163 algorithm. The dynamic filter computation algorithm is outside the 1164 scope of this specification, while the distribution of the updated 1165 filters uses the event package mechanism of this specification. 1167 REQ 3: The mechanism should seek to minimize the amount of 1168 configuration required in order to work. For example, it is 1169 better to avoid needing to configure a server with its SIP message 1170 throughput, as these kinds of quantities are hard to determine. 1172 No. This mechanism is entirely dependent on advance configuration, 1173 based on advance knowledge. In order to satisfy Req 3, it should be 1174 used in conjunction with other mechanisms which are not based on 1175 advance configuration. 1177 REQ 4: The mechanism must be capable of dealing with elements that 1178 do not support it, so that a network can consist of a mix of 1179 elements that do and don't support it. In other words, the 1180 mechanism should not work only in environments where all elements 1181 support it. It is reasonable to assume that it works better in 1182 such environments, of course. Ideally, there should be 1183 incremental improvements in overall network throughput as 1184 increasing numbers of elements in the network support the 1185 mechanism. 1187 No. This mechanism is entirely dependent on the participation of all 1188 possible neighbors. In order to satisfy Req 4, it should be used in 1189 conjunction with other mechanisms, some of which are described in 1190 Section 4.4. 1192 REQ 5: The mechanism should not assume that it will only be 1193 deployed in environments with completely trusted elements. It 1194 should seek to operate as effectively as possible in environments 1195 where other elements are malicious; this includes preventing 1196 malicious elements from obtaining more than a fair share of 1197 service. 1199 No. This mechanism is entirely dependent on the non-malicious 1200 participation of all possible neighbors. In order to satisfy Req 5, 1201 it should be used in conjunction with other mechanisms, some of which 1202 are described in Section 4.4. 1204 REQ 6: When overload is signaled by means of a specific message, 1205 the message must clearly indicate that it is being sent because of 1206 overload, as opposed to other, non overload-based failure 1207 conditions. This requirement is meant to avoid some of the 1208 problems that have arisen from the reuse of the 503 response code 1209 for multiple purposes. Of course, overload is also signaled by 1210 lack of response to requests. This requirement applies only to 1211 explicit overload signals. 1213 N/A. This mechanism signals anticipated overload, not actual 1214 overload. However the signals in this mechanism are not used for any 1215 other purpose. 1217 REQ 7: The mechanism shall provide a way for an element to 1218 throttle the amount of traffic it receives from an upstream 1219 element. This throttling shall be graded so that it is not all- 1220 or-nothing as with the current 503 mechanism. This recognizes the 1221 fact that "overload" is not a binary state and that there are 1222 degrees of overload. 1224 Yes. This event package allows rate/loss/windows-based overload 1225 control options as discussed in Section 6.4. 1227 REQ 8: The mechanism shall ensure that, when a request was not 1228 processed successfully due to overload (or failure) of a 1229 downstream element, the request will not be retried on another 1230 element that is also overloaded or whose status is unknown. This 1231 requirement derives from REQ 1. 1233 N/A to the load control event package itself. 1235 REQ 9: That a request has been rejected from an overloaded element 1236 shall not unduly restrict the ability of that request to be 1237 submitted to and processed by an element that is not overloaded. 1238 This requirement derives from REQ 1. 1240 Yes. For example, the load filter [Section 4.1] allows the inclusion 1241 of alternative forwarding destinations for rejected requests. 1243 REQ 10: The mechanism should support servers that receive requests 1244 from a large number of different upstream elements, where the set 1245 of upstream elements is not enumerable. 1247 No. Because this mechanism requires advance configuration of 1248 specifically identified neighbors, it does not support environments 1249 where the number and identity of the upstream neighbors are not known 1250 in advance. In order to satisfy Req 10, it should be used in 1251 conjunction with other mechanisms. 1253 REQ 11: The mechanism should support servers that receive requests 1254 from a finite set of upstream elements, where the set of upstream 1255 elements is enumerable. 1257 Yes. See also answer to REQ 10. 1259 REQ 12: The mechanism should work between servers in different 1260 domains. 1262 Yes. The load control event package is not limited by domain 1263 boundaries. However, it is likely more applicable in intra-domain 1264 scenarios than in inter-domain scenarios due to security and other 1265 concerns (See also Section 4.4). 1267 REQ 13: The mechanism must not dictate a specific algorithm for 1268 prioritizing the processing of work within a proxy during times of 1269 overload. It must permit a proxy to prioritize requests based on 1270 any local policy, so that certain ones (such as a call for 1271 emergency services or a call with a specific value of the 1272 Resource-Priority header field [RFC4412]) are given preferential 1273 treatment, such as not being dropped, being given additional 1274 retransmission, or being processed ahead of others. 1276 P/A. This mechanism does not specifically address the prioritizing of 1277 work during times of overload. But it does not preclude any 1278 particular local policy. 1280 REQ 14: The mechanism should provide unambiguous directions to 1281 clients on when they should retry a request and when they should 1282 not. This especially applies to TCP connection establishment and 1283 SIP registrations, in order to mitigate against avalanche restart. 1285 N/A to the load control event package itself. 1287 REQ 15: In cases where a network element fails, is so overloaded 1288 that it cannot process messages, or cannot communicate due to a 1289 network failure or network partition, it will not be able to 1290 provide explicit indications of the nature of the failure or its 1291 levels of congestion. The mechanism must properly function in 1292 these cases. 1294 P/A. Because the filters are provisioned in advance, they are not 1295 affected by the overload or failure of other nodes. But, on the 1296 other hand, they may not, in those cases, be able to protect the 1297 overloaded node (see Req 1). 1299 REQ 16: The mechanism should attempt to minimize the overhead of 1300 the overload control messaging. 1302 Yes. The standardized SIP event package mechanism RFC3265 [RFC3265] 1303 is used. 1305 REQ 17: The overload mechanism must not provide an avenue for 1306 malicious attack, including DoS and DDoS attacks. 1308 P/A. This mechanism does provide a potential avenue for malicious 1309 attacks. Therefore the security mechanisms for SIP event packages in 1310 general [RFC3265] and of section 10 of this specification should be 1311 used. 1313 REQ 18: The overload mechanism should be unambiguous about whether 1314 a load indication applies to a specific IP address, host, or URI, 1315 so that an upstream element can determine the load of the entity 1316 to which a request is to be sent. 1318 Yes. The identity of load indication is covered in the filter format 1319 definition in Section 4.1. 1321 REQ 19: The specification for the overload mechanism should give 1322 guidance on which message types might be desirable to process over 1323 others during times of overload, based on SIP-specific 1324 considerations. For example, it may be more beneficial to process 1325 a SUBSCRIBE refresh with Expires of zero than a SUBSCRIBE refresh 1326 with a non-zero expiration (since the former reduces the overall 1327 amount of load on the element), or to process re-INVITEs over new 1328 INVITEs. 1330 N/A to the load control event package itself. 1332 REQ 20: In a mixed environment of elements that do and do not 1333 implement the overload mechanism, no disproportionate benefit 1334 shall accrue to the users or operators of the elements that do not 1335 implement the mechanism. 1337 No. This mechanism is entirely dependent on the participation of all 1338 possible neighbors. In order to satisfy Req 20, it should be used in 1339 conjunction with other mechanisms, some of which are described in 1340 Section 4.4. 1342 REQ 21: The overload mechanism should ensure that the system 1343 remains stable. When the offered load drops from above the 1344 overall capacity of the network to below the overall capacity, the 1345 throughput should stabilize and become equal to the offered load. 1347 N/A to the load control event package itself. 1349 REQ 22: It must be possible to disable the reporting of load 1350 information towards upstream targets based on the identity of 1351 those targets. This allows a domain administrator who considers 1352 the load of their elements to be sensitive information, to 1353 restrict access to that information. Of course, in such cases, 1354 there is no expectation that the overload mechanism itself will 1355 help prevent overload from that upstream target. 1357 N/A to the load control event package itself. 1359 REQ 23: It must be possible for the overload mechanism to work in 1360 cases where there is a load balancer in front of a farm of 1361 proxies. 1363 Yes. The load control event package does not preclude its use in a 1364 scenario with server farms. 1366 10. Security Considerations 1368 Two aspects of security considerations arise from this specification. 1369 One is the SIP event framework based filter distribution mechanism, 1370 the other is the filter enforcement mechanism. 1372 Security considerations for SIP event framework based mechanisms are 1373 covered in Section 5 of [RFC3265]. A particularly relevant security 1374 concern for this event package is that if the notifiers can be 1375 spoofed, attackers can send fake notifications asking subscribers to 1376 throttle all traffic, leading to Denial-of-Service attacks. 1377 Therefore, all load control notification MUST be authenticated and 1378 authorized before being accepted. Standard authentication and 1379 authorization mechanisms recommended in [RFC3261] such as TLS 1380 [RFC5246] and IPSec [RFC4301] may serve this purpose. On the other 1381 hand, if a legitimate notifier is itself compromised, additional 1382 mechanisms will be needed to detect the attack. 1384 Security considerations for filter enforcements vary depending on the 1385 filter itself. This specification defines possible filter match of 1386 the following SIP header fields: , , and 1387 . The exact requirement to authenticate and 1388 authorize these fields is up to the service provider. In general, if 1389 the identity field represents the source of the request, it SHOULD be 1390 authenticated and authorized; if the identity field represents the 1391 destination of the request, the authentication and authorization is 1392 optional. 1394 11. IANA Considerations 1396 This specification registers a SIP event package, a new MIME type, a 1397 new XML namespace, and a new XML schema. 1399 11.1. Load Control Event Package Registration 1401 This section registers an event package based on the registration 1402 procedures defined in [RFC3265]. 1404 Package name: load-control 1406 Type: package 1408 Published specification: This specification 1410 Person to contact: Charles Shen, charles@cs.columbia.edu 1412 11.2. application/load-control+xml MIME Registration 1414 This section registers a new MIME type based on the procedures 1415 defined in [RFC4288] and guidelines in [RFC3023]. 1417 MIME media type name: application 1419 MIME subtype name: load-control+xml 1421 Mandatory parameters: none 1423 Optional parameters: Same as charset parameter application/xml in 1424 [RFC3023] 1426 Encoding considerations: Same as encoding considerations of 1427 application/xml in [RFC3023] 1429 Security considerations: See Section 10 of [RFC3023] and Section 10 1430 of this specification 1432 Interpretability considerations: None 1433 Published Specification: This specification 1435 Applications which use this media type: load control of SIP entities 1437 Additional information: 1439 Magic number: None 1441 File extension: .xml 1443 Macintosh file type code: 'TEXT' 1445 Personal and email address for further information: 1447 Charles Shen, charles@cs.columbia.edu 1449 Intended usage: COMMON 1451 Author/Change Controller: IETF SOC Working Group 1452 , as designated by the IESG 1454 11.3. Load Control Schema Registration 1456 URI: urn:ietf:params:xml:schema:load-control 1458 Registrant Contact: IETF SOC working group, Charles Shen 1459 (charles@cs.columbia.edu). 1461 XML: the XML schema to be registered is contained in Section 7. 1463 Its first line is 1465 1467 and its last line is 1469 1471 12. Acknowledgements 1473 The authors would like to thank Bruno Chatras, Martin Dolly, Keith 1474 Drage, Ashutosh Dutta, Janet Gunn, Vijay Gurbani, Volker Hilt, Geoff 1475 Hunt, Hadriel Kaplan, Paul Kyzivat, Salvatore Loreto, Timothy Moran, 1476 Eric Noel, Parthasarathi R, Shida Schubert, Robert Sparks, Phil 1477 Williams and other members of the SOC and SIPPING working group for 1478 many helpful comments. In addition, Bruno Chatras proposed the 1479 condition element. Janet Gunn provided detailed text 1480 suggestions for Section 9. Shida made many suggestions about 1481 terminology usage. Phil Williams suggested adding support for delta 1482 updates. Ashutosh Dutta gave pointers to PSTN references. 1484 13. References 1486 13.1. Normative References 1488 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1489 Requirement Levels", BCP 14, RFC 2119, March 1997. 1491 [RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997. 1493 [RFC3023] Murata, M., St. Laurent, S., and D. Kohn, "XML Media 1494 Types", RFC 3023, January 2001. 1496 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 1497 A., Peterson, J., Sparks, R., Handley, M., and E. 1498 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 1499 June 2002. 1501 [RFC3265] Roach, A., "Session Initiation Protocol (SIP)-Specific 1502 Event Notification", RFC 3265, June 2002. 1504 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 1505 January 2004. 1507 [RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", 1508 RFC 3966, December 2004. 1510 [RFC4288] Freed, N. and J. Klensin, "Media Type Specifications and 1511 Registration Procedures", BCP 13, RFC 4288, December 2005. 1513 [RFC4745] Schulzrinne, H., Tschofenig, H., Morris, J., Cuellar, J., 1514 Polk, J., and J. Rosenberg, "Common Policy: A Document 1515 Format for Expressing Privacy Preferences", RFC 4745, 1516 February 2007. 1518 13.2. Informative References 1520 [AINGR] Bell Communications Research, "AINGR: Service Control 1521 Point (SCP) Network Traffic Management", GR-2938-CORE , 1522 December 1996. 1524 [I-D.ietf-soc-overload-control] 1525 Gurbani, V., Hilt, V., and H. Schulzrinne, "Session 1526 Initiation Protocol (SIP) Overload Control", 1527 draft-ietf-soc-overload-control-07 (work in progress), 1528 January 2012. 1530 [RFC2648] Moats, R., "A URN Namespace for IETF Documents", RFC 2648, 1531 August 1999. 1533 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 1534 Internet Protocol", RFC 4301, December 2005. 1536 [RFC4412] Schulzrinne, H. and J. Polk, "Communications Resource 1537 Priority for the Session Initiation Protocol (SIP)", 1538 RFC 4412, February 2006. 1540 [RFC4825] Rosenberg, J., "The Extensible Markup Language (XML) 1541 Configuration Access Protocol (XCAP)", RFC 4825, May 2007. 1543 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 1544 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 1546 [RFC5390] Rosenberg, J., "Requirements for Management of Overload in 1547 the Session Initiation Protocol", RFC 5390, December 2008. 1549 [RFC6357] Hilt, V., Noel, E., Shen, C., and A. Abdelal, "Design 1550 Considerations for Session Initiation Protocol (SIP) 1551 Overload Control", RFC 6357, August 2011. 1553 Authors' Addresses 1555 Charles Shen 1556 AT&T Security Research Center 1557 33 Thomas Street 1558 New York, NY 10007 1559 USA 1561 Phone: +1 212 513 2081 1562 Email: shen@att.com 1564 Henning Schulzrinne 1565 Columbia University 1566 Department of Computer Science 1567 1214 Amsterdam Avenue, MC 0401 1568 New York, NY 10027 1569 USA 1571 Phone: +1 212 939 7004 1572 Email: schulzrinne@cs.columbia.edu 1573 Arata Koike 1574 NTT Service Integration Labs & 1575 3-9-11 Midori-cho Musashino-shi 1576 Tokyo, 184-0013 1577 Japan 1579 Phone: +81 422 59 6099 1580 Email: koike.arata@lab.ntt.co.jp