idnits 2.17.1 draft-ietf-soc-load-control-event-package-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 30, 2012) is 4287 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2141 (Obsoleted by RFC 8141) ** Obsolete normative reference: RFC 3023 (Obsoleted by RFC 7303) ** Obsolete normative reference: RFC 4288 (Obsoleted by RFC 6838) == Outdated reference: A later version (-15) exists of draft-ietf-soc-overload-control-09 -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IETF SOC Working Group C. Shen 3 Internet-Draft H. Schulzrinne 4 Intended status: Standards Track Columbia U. 5 Expires: January 31, 2013 A. Koike 6 NTT 7 July 30, 2012 9 A Session Initiation Protocol (SIP) Load Control Event Package 10 draft-ietf-soc-load-control-event-package-04.txt 12 Abstract 14 We define a load control event package for the Session Initiation 15 Protocol (SIP). It allows SIP servers to distribute load filters to 16 other SIP servers in the network. The load filters contain rules to 17 throttle calls based on their source or destination domain, telephone 18 number prefix or for a specific user. The mechanism helps to prevent 19 signaling overload and complements feedback-based SIP overload 20 control efforts. 22 Status of this Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on January 31, 2013. 39 Copyright Notice 41 Copyright (c) 2012 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 57 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 6 58 3. Design Requirements . . . . . . . . . . . . . . . . . . . . . 6 59 4. SIP Load Filtering Overview . . . . . . . . . . . . . . . . . 6 60 4.1. Filter Format . . . . . . . . . . . . . . . . . . . . . . 6 61 4.2. Filter Computation . . . . . . . . . . . . . . . . . . . . 7 62 4.3. Filter Distribution . . . . . . . . . . . . . . . . . . . 7 63 4.4. Applicability in Different Network Environments . . . . . 10 64 5. Load Control Event Package . . . . . . . . . . . . . . . . . . 11 65 5.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 11 66 5.2. Event Package Parameters . . . . . . . . . . . . . . . . . 11 67 5.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 11 68 5.4. SUBSCRIBE Duration . . . . . . . . . . . . . . . . . . . . 12 69 5.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 12 70 5.6. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 12 71 5.7. Notifier Generation of NOTIFY Requests . . . . . . . . . . 12 72 5.8. Subscriber Processing of NOTIFY Requests . . . . . . . . . 13 73 5.9. Handling of Forked Requests . . . . . . . . . . . . . . . 14 74 5.10. Rate of Notifications . . . . . . . . . . . . . . . . . . 14 75 5.11. State Delta . . . . . . . . . . . . . . . . . . . . . . . 14 76 5.12. State Agents . . . . . . . . . . . . . . . . . . . . . . . 15 77 6. Load Control Document . . . . . . . . . . . . . . . . . . . . 15 78 6.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . . 15 79 6.2. Namespace . . . . . . . . . . . . . . . . . . . . . . . . 15 80 6.3. Conditions . . . . . . . . . . . . . . . . . . . . . . . . 15 81 6.3.1. Call Identity . . . . . . . . . . . . . . . . . . . . 15 82 6.3.2. Validity . . . . . . . . . . . . . . . . . . . . . . . 18 83 6.3.3. Method . . . . . . . . . . . . . . . . . . . . . . . . 19 84 6.4. Actions . . . . . . . . . . . . . . . . . . . . . . . . . 19 85 6.5. Complete Examples . . . . . . . . . . . . . . . . . . . . 20 86 7. XML Schema Definition for Load Control . . . . . . . . . . . . 22 87 8. Related Work . . . . . . . . . . . . . . . . . . . . . . . . . 24 88 8.1. Relationship with Load Filtering in PSTN . . . . . . . . . 24 89 8.2. Relationship with Other IETF SIP Load Control Efforts . . 25 90 9. Discussion of this specification meeting the requirements 91 of RFC5390 . . . . . . . . . . . . . . . . . . . . . . . . . . 26 92 10. Security Considerations . . . . . . . . . . . . . . . . . . . 31 93 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 31 94 11.1. Load Control Event Package Registration . . . . . . . . . 31 95 11.2. application/load-control+xml MIME Registration . . . . . . 32 96 11.3. Load Control Schema Registration . . . . . . . . . . . . . 33 97 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 33 98 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 33 99 13.1. Normative References . . . . . . . . . . . . . . . . . . . 33 100 13.2. Informative References . . . . . . . . . . . . . . . . . . 34 101 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35 103 1. Introduction 105 Proper functioning of Session Initiation Protocol (SIP) [RFC3261] 106 signaling servers is critical in SIP-based communications networks. 107 The performance of SIP servers can be severely degraded when the 108 server is overloaded with excessive number of signaling requests. 109 Both legitimate and malicious traffic can overload SIP servers, 110 despite appropriate capacity planning. 112 There are three common examples of legitimate short-term increases in 113 call volumes. Viewer-voting TV shows or ticket giveaways may 114 generate millions of calls within a few minutes. Call volume may 115 also spike during special holidays such as New Year's Day and 116 Mother's Day. Finally, callers may want to reach friends and family 117 in natural disaster areas such as those affected by hurricanes. When 118 possible, only calls traversing overloaded servers should be 119 throttled under those conditions. 121 SIP load control mechanisms are needed to prevent congestion collapse 122 in these cases [RFC5390]. There are two types of load control 123 approaches. In the first approach, feedback control, SIP servers 124 provide load limits to upstream servers, to reduce the incoming rate 125 of all SIP requests [I-D.ietf-soc-overload-control]. These upstream 126 servers then drop or delay incoming SIP requests. Feedback control 127 is reactive and affects signaling messages that have already been 128 issued by user agent clients. They work well when SIP proxy servers 129 in the core networks (core proxy servers) or destination-specific SIP 130 proxy servers in the edge networks (edge proxy servers) are 131 overloaded. By their nature, they need to distribute rate, drop or 132 window information to all upstream SIP proxy servers and normally 133 affect all calls equally, regardless of destination. However, 134 feedback control is usually ineffective for overload of more general 135 purpose SIP edge proxy servers. For example, in the ticket giveaway 136 case, almost all calls to the hotline will fail at the core proxy 137 servers; if the edge proxy servers leading to the core proxy servers 138 are also overloaded, calls to other destinations will also be 139 rejected or dropped. 141 Here, we propose an additional, complementary mechanism, called load 142 filtering. Network operators create load filters that indicate that 143 calls to specific destinations or from specific sources should be 144 rate-limited or randomly dropped. These load filters are then 145 distributed to SIP servers and possibly user agents likely to 146 generate calls to the affected destinations or from the affected 147 sources. Load filtering works best if it prevents calls as close to 148 the originating user agent clients as possible. 150 The load filtering approach is most applicable for situations where a 151 traffic surge and its source/destination distribution can be 152 predicted in advance. For instance, it is appropriate for a mass- 153 phone-voting event, Mother's Day, New Years, and even a hurricane. 154 However, it is less likely to be effective for the initial phase of 155 unpredicted/unpredictable mass calling events, such as earthquakes or 156 terrorist attacks. In these latter cases, the local traffic load may 157 peak by more than an order of magnitude in minutes, if not seconds. 158 This does not allow time to either effectively identify the filters 159 needed, nor distribute them to the appropriate servers soon enough to 160 prevent server congestion. Once other, more immediate, techniques 161 (such as the loss-based or rate-based feedback control methods) have 162 prevented the initial congestion collapse, the load filtering 163 approach can be used to effectively control the continuing overload. 165 Performing SIP load filtering requires three components: load filter 166 format, load filter computation method, and load filter distribution 167 mechanism. This specification addresses two of these three 168 components. The load filter format is defined in a SIP load control 169 event package, while the load filter distribution mechanism is built 170 upon the existing SIP event framework. The remaining component, load 171 filter computation method, depends heavily on the actual network 172 topology and service provider policies. Therefore it is out of scope 173 of this specification. 175 It is helpful to clarify two aspects regarding some terminology used 176 in this specification. Firstly, although the SIP load filtering 177 mechanism is motivated by the overload control problem, which is why 178 this specification refers extensively to other parallel SIP overload 179 control related efforts, the applicability of filtering extends 180 beyond the overload control purpose. For example, it can also be 181 used to implement quality of service or other service level agreement 182 commitments. Therefore, we use the term SIP "load control event 183 package", instead of a narrower term "overload control event 184 package". Secondly, since we are describing a specific control 185 mechanism based on filtering, the term "load control" in this 186 specification is used inter-changeably with the term "load filtering" 187 unless associated with other explicit context. 189 The rest of this specification is structured as follows: we begin by 190 listing the design requirements for this work in Section 3. We then 191 give an overview of load filtering operation in Section 4. The load 192 control event package for filter distribution is detailed in 193 Section 5. The load filter format is defined in the two sections 194 that follow, with Section 6 introducing the XML document for load 195 control and Section 7 listing the associated schema. Section 8 196 relates this work to corresponding mechanisms in PSTN and other IETF 197 efforts addressing SIP load control. Section 9 evaluates whether 198 this specification meets the SIP overload control requirements set 199 forth by RFC5390 [RFC5390]. Finally, Section 10 presents security 200 considerations and Section 11 provides IANA considerations. 202 2. Requirements Notation 204 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 205 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 206 document are to be interpreted as described in [RFC2119]. 208 3. Design Requirements 210 The SIP load filtering mechanism needs to satisfy the following 211 requirements: 213 o To simplify the solution, we focus on a method for controlling SIP 214 load, rather than a generic application-layer mechanism. 215 o The load filter needs to be distributed efficiently to possibly a 216 large subset of all SIP elements. 217 o The solution should re-use existing SIP protocol mechanisms to 218 reduce implementation and deployment complexity. 219 o For predictable overload situations, such as holidays and call-in 220 events, the load filter should specify during what time period it 221 is to be applied, so that the information can be distributed ahead 222 of time. 223 o For destination-specific overload situations, the load filter 224 should be able to describe the callee. 225 o To address accidental and intentional high-volume call generators, 226 the load filter should be able to specify the caller. 227 o Caller and callee need to be specified as both SIP URIs and 'Tel' 228 URIs[RFC3966]. 229 o It should be possible to specify particular information in the SIP 230 headers (e.g., prefixes in telephone numbers) which allow control 231 over limited regionally-focused overloads. 232 o The solution should draw upon experiences from related PSTN 233 mechanisms where applicable. 234 o The solution should be extensible to meet future needs. 236 4. SIP Load Filtering Overview 238 4.1. Filter Format 240 A load filter contains both conditions and actions. Filter 241 conditions include the identities of the targets to be controlled. 242 For example, there are two typical resource limits in a possible 243 overload situation, i.e., human destination limits (N number of call 244 takers) and node capacity limits. The control targets in these two 245 cases can be the specific callee numbers or the destination domains 246 corresponding to the overload. Filter conditions also indicate the 247 period of time during which the control should be activated, and the 248 specific message type to be controlled, e.g., the INVITE message of a 249 SIP session. Filter actions describe the desired control functions 250 such as limiting the request rate below a certain level. Detailed 251 formats of filter conditions and actions are defined in Section 6. 253 4.2. Filter Computation 255 Load filter computation needs to take into consideration information 256 such as the overload time, scope and network topology, as well as 257 service policies. It is also important to make sure that there is no 258 resource allocation loop, and that loads are allocated in a way which 259 both prevents overload and maximizes effective throughput(aka 260 goodput). In some cases, in order to better utilize system 261 resources, it may be preferable to employ a dynamic load computation 262 algorithm which adapts to current network status, rather than using a 263 purely static mechanism. The load filter computation algorithm is 264 out of scope of this specification. 266 4.3. Filter Distribution 268 For load filter distribution, this specification defines the SIP 269 event package for load control, which is an "instantiation" of the 270 generic SIP events framework [RFC6665]. The SIP events framework 271 provides an existing method for SIP entities to subscribe to and 272 receive notifications when certain events have occurred. Such a 273 framework forms a scalable event distribution architecture that suits 274 our needs. This specification also defines the XML schema of a load 275 control document (Section 6), which is used to encode load filtering 276 rules. 278 In order for load filters to be properly distributed, each SIP node 279 in the network SHOULD subscribe to the load control event package 280 from all its outgoing signaling neighbors, known as notifiers 281 (Section 5.6). Subscription is initiated and maintained during 282 normal server operation. Signaling neighbors are defined by sending 283 signaling messages. For instance, if A sends signaling requests to 284 B, B is an outgoing signaling neighbor of A. A needs to subscribe to 285 the load control event package of B in case B wants to curb requests 286 from A. On the other hand, if B also sends signaling requests to A, 287 then B also subscribes to A. Subscription of neighboring SIP entities 288 needs to be persistent so that they are in place independently of any 289 specific load filtering events. Key to this is the fact that 290 notification following initial subscription includes an empty message 291 body if no events are configured (Section 5.7), and that the 292 subscription needs to be refreshed periodically to make it 293 persistent, as described in Section 4.1 and Section 4.2 of [RFC6665]. 294 The notifier will send a notification with its current control policy 295 to its subscribers each time a new subscription or a subscription 296 refreshing is accepted (Section 5.7). The same subscription dialog 297 can also be used to convey policies for multiple different load 298 filtering events in a set of rules (Section 6.1). 300 We use the example architecture shown in Figure 1 to illustrate load 301 filter distribution based on the SIP load control event package. 302 This scenario consists of two networks belonging to Service Provider 303 A and Service Provider B, respectively. Each provider's network is 304 made up of two SIP core proxy servers and four SIP edge proxy 305 servers. The core proxy servers and edge proxy servers of Service 306 Provider A are denoted as CPa1 to CPa2 and EPa1 to EPa4; the core 307 proxy servers and edge proxy servers of Service Provider B are 308 denoted as CPb1 to CPb2 and EPb1 to EPb4. 310 +-----------+ +-----------+ +-----------+ +-----------+ 311 | | | | | | | | 312 | EPa1 | | EPa2 | | EPa3 | | EPa4 | 313 | | | | | | | | 314 +-----------+ +-----------+ +-----------+ +-----------+ 315 \ / \ / 316 \ / \ / 317 \ / \ / 318 +-----------+ +-----------+ 319 | | | | 320 | CPa1 |------------------| CPa2 | 321 | | | | 322 +-----------+ +-----------+ 323 | | 324 Service | | 325 Provider A | | 326 | | 327 ================================================================= 328 | | 329 Service | | 330 Provider B | | 331 | | 332 +-----------+ +-----------+ 333 | | | | 334 | CPb1 |------------------| CPb2 | 335 | | | | 336 +-----------+ +-----------+ 337 / \ / \ 338 / \ / \ 340 / \ / \ 341 +-----------+ +-----------+ +-----------+ +-----------+ 342 | | | | | | | | 343 | EPb1 | | EPb2 | | EPb3 | | EPb4 | 344 | | | | | | | | 345 +-----------+ +-----------+ +-----------+ +-----------+ 347 Figure 1: Example Network Scenario Using SIP Load Control Event 348 Package Mechanism 350 At the initialization stage, the proxy servers first identify all 351 their outgoing signaling neighbors and subscribe to them. The 352 neighbor identification process can be performed by service providers 353 through direct provisioning, or by the proxy servers themselves via 354 progressively learning from the signaling messages sent and received. 355 Assuming all signaling relationships in Figure 1 are bi-directional, 356 after this initialization stage, each proxy server will be subscribed 357 to all its neighbors. That is, EPa1 subscribes to CPa1; CPa1 358 subscribes to EPa1, EPa2, CPa2 and CPb1, so on and so forth. The 359 following cases then show two examples of how load filter 360 distribution in this network works. 362 Case I: EPa1 serves a TV program hotline and decides to limit the 363 total number of incoming calls to the hotline to prevent an overload. 364 To do so, EPa1 sends a notification to CPa1 with the specific hotline 365 number, time of activation and total acceptable call rate. Depending 366 on the filter computation algorithm, CPa1 may allocate the received 367 total acceptable rate among its neighbors, namely, EPa2, CPa2, and 368 CPb1, and notify them about the resulting allocation along with the 369 hotline number and the activation time. CPa2 and CPb1 may perform 370 further allocation among their own neighbors and notify the 371 corresponding proxy servers. This process continues until all edge 372 proxy servers in the network have been informed about the event and 373 have proper load filter configured. 375 In the above case, the network entity where load filtering policy is 376 first introduced is the SIP server providing access to the resource 377 that creates the overload condition. In other cases, the network 378 entry point of load filtering policy could also be an entity that 379 hosts this resource. For example, an operator may host an 380 application server that performs 800 number translation services. 381 The application server may itself be a SIP proxy or a SIP Back-to- 382 Back User Agent (B2BUA). If one of the 800 numbers hosted at the 383 application server creates the overload condition, the load filtering 384 policies can be introduced from the application server and then 385 propogated to other SIP proxy servers in the network. 387 Case II: a hurricane affects the region covered by CPb2, EPb3 and 388 EPb4. All the three proxy servers are overloaded. The rescue team 389 determines that outbound calls are more valuable than inbound calls 390 in this specific situation. Therefore, EPb3 and EPb4 are configured 391 with filters to accept more outbound calls than inbound calls. CPb2 392 may be configured the same way or receive dynamically computed 393 filters from EPb3 and EPb4. Depending on the filter computation 394 algorithm, CPb2 may also send out notifications to its outside 395 neighbors, namely CPb1 and CPa2, specifying a limit on the acceptable 396 rate of inbound calls to CPb2's responsible domain. CPb1 and CPa2 397 may subsequently notify their neighbors about limiting the calls to 398 CPb2's area. The same process could continue until all edge proxy 399 servers are notified and have filters configured. 401 Note that this specification does not define the provisioning 402 interface between the party who determines the load control policy 403 and the network entry point where the policy is introduced. One of 404 the options for the provisioning interface is the Extensible Markup 405 Language (XML) Configuration Access Protocol (XCAP) [RFC4825]. 407 4.4. Applicability in Different Network Environments 409 SIP load filtering is more effective when the filters can be pushed 410 to the proximity of signaling sources. But even if only part of the 411 signaling path towards the signaling source could be covered, use of 412 this mechanism can still be beneficial. In fact, due to possibly 413 sophisticated call routing and security concerns, trying to apply 414 automated load filter distribution in the entire inter-domain network 415 path could get extremely complicated and be unrealistic. 417 The scenarios where this mechanism could be most useful are 418 environments consisting of servers with secure and trust relationship 419 and with relatively straightforward routing configuration known to 420 the filter computation algorithm. These scenarios may include intra- 421 domain environments such as those inside a service provider or 422 enterprise domain; inter-domain environments such as where enterprise 423 connecting to a few service providers or between service providers 424 with manageable routing configurations. 426 Another important aspect that affects the applicability of SIP load 427 filtering is that all possible signaling source neighbors need to 428 participate and enforce the designated filter. Otherwise, a single 429 non-conforming neighbor could make the whole control efforts useless 430 by pumping in excessive traffic to overload the server. Therefore, 431 the SIP server that initiates the filter needs to take counter- 432 measures towards any non-conforming neighbors. A simple policy is to 433 reject excessive requests with 500 responses as if they were obeying 434 the rate. Considering the rejection costs, a more complicated but 435 fairer policy would be to allocate at the overloaded server the same 436 amount of processing to the combination of both normal processing and 437 rejection as the overloaded server would devote to processing 438 requests for a conforming upstream SIP server. These approaches work 439 as long as the total rejection cost does not overwhelm the entire 440 server resources. In addition, whatever the actual policy is, SIP 441 servers SHOULD honor the local policy for prioritizing SIP requests 442 such as policies based on the contents of the Resource-Priority 443 Header (RPH) [RFC4412]. The RPH contents may indicate high priority 444 requests that should be preserved as much as possible, or low 445 priority requests that could be dropped during overload. Other 446 indicators, such as the SOS Uniform Resource Name (URN) [RFC5031] 447 indicating an emergency request, may also be used for prioritization. 448 SIP request rejection and message prioritization at an overloaded 449 server are also discussed in Section 5.10 of 450 [I-D.ietf-soc-overload-control] and Section 12 of [RFC6357]. 452 5. Load Control Event Package 454 The SIP load filtering mechanism uses the SIP event package for load 455 control. This section defines details of the SIP event package for 456 load control according to [RFC6665]. 458 5.1. Event Package Name 460 The name of this event package is "load-control". This name is 461 carried in the Event and Allow-Events header, as specified in 462 [RFC6665]. 464 5.2. Event Package Parameters 466 No package specific event header field parameters are defined for 467 this event package. 469 5.3. SUBSCRIBE Bodies 471 The effectiveness of SIP load filtering relies on the scope of 472 distribution and installation of the control policies in the network. 473 Since wide distribution of control policies is desirable, subscribers 474 SHOULD try to subscribe to all those notifiers with which they have 475 regular signaling exchanges, although not all such notifiers may 476 permit such a subscription. 478 A SUBSCRIBE request for the SIP load control event package MAY 479 contain a body to filter the requested load control event 480 notification. The details of the subscription filter specification 481 are not yet defined. 483 A SUBSCRIBE request sent without a body implies the default 484 subscription behavior as specified in Section 5.7. 486 5.4. SUBSCRIBE Duration 488 The default expiration time for a subscription to load control policy 489 is one hour. Since the desired expiration time may vary 490 significantly for subscriptions among SIP entities with different 491 signaling relationships, the subscribers and notifiers are 492 RECOMMENDED to explicitly negotiate appropriate subscription 493 durations when knowledge about the mutual signaling relationship is 494 available. 496 5.5. NOTIFY Bodies 498 The body of a NOTIFY request in this event package contains load 499 control policy. As specified in [RFC6665], the format of the NOTIFY 500 body MUST be in one of the formats defined in the Accept header field 501 of the SUBSCRIBE request or be the default format. The default data 502 format for the NOTIFY body of this event package is "application/ 503 load-control+xml" (defined in Section 6). This means that if no 504 Accept header field is specified to a SUBSCRIBE request, the NOTIFY 505 request will contain a body in the "application/load-control+xml" 506 format. If the Accept header field is present, it MUST include 507 "application/load-control+xml" and MAY include any other types. 509 5.6. Notifier Processing of SUBSCRIBE Requests 511 Notifier accepts a new subscription or updates an existing 512 subscription upon receiving a valid SUBSCRIBE request. 514 If the identity of the subscriber sending the SUBSCRIBE request is 515 not allowed to receive load control policy, the notifier MUST return 516 a 403 "Forbidden" response. 518 If none of MIME types specified in the Accept header of the SUBSCRIBE 519 request is supported, the Notifier SHOULD return 406 "Not Acceptable" 520 response. 522 5.7. Notifier Generation of NOTIFY Requests 524 Following [RFC6665] specification, a notifier MUST send a NOTIFY with 525 its current load control policy to the subscriber upon successfully 526 accepting or refreshing a subscription. If no applicable restriction 527 is active when the subscription request is received, an empty message 528 body is attached to the NOTIFY request. This is often the case when 529 a subscription is initiated for the first time, e.g., when a SIP 530 entity is just introduced, because there may be no planned events 531 configured at that time. A notifier SHOULD generate NOTIFY requests 532 each time the load control policy changes, with the maximum 533 notification rate not exceeding values defined in Section 5.10. 535 5.8. Subscriber Processing of NOTIFY Requests 537 The way subscribers process NOTIFY requests depends on the contents 538 of the notifications. Typically, a load control notification 539 consists of rules that should be applied to requests matching certain 540 identities. A subscriber receiving the notification first installs 541 these rules and then filter incoming requests to enforce actions on 542 appropriate requests, for example, limiting the sending rate of call 543 requests destined for a specific SIP entity. 545 In the case when load control rules specify a future validity time, 546 it is possible that when the validity time comes, the subscription to 547 the specific notifier that conveyed the rules has expired. In this 548 case, it is RECOMMENDED that the subscriber re-activate its 549 subscription with the corresponding notifier. Regardless of whether 550 this re-activation of subscription is successful or not, when the 551 validity time is reached, the subscriber SHOULD enforce the 552 corresponding rules. 554 When enforcing actions on requests matching the filters, subscribers 555 SHOULD honor the local policy for prioritizing SIP requests such as 556 policies based on the content of the Resource-Priority header (RPH, 557 [RFC4412]). Specific (namespace.value) RPH contents may indicate 558 high priority requests that should be preserved as much as possible 559 during overload. The RPH contents can also indicate a low-priority 560 request that is eligible to be dropped during times of overload. 561 Other indicators, such as the SOS URN [RFC5031] indicating an 562 emergency request, may also be used for prioritization. 564 Upon receipt of a NOTIFY request with a Subscription-State header 565 field containing the value "terminated", the subscription status with 566 the particular notifier will be terminated. However, subscribers 567 SHOULD NOT change previously received load control policies from that 568 notifier because of this change in subscription status, unless it has 569 other specific reasons to do so. Modifications of existing load 570 control policies at the subscriber are performed after directly 571 receiving notifications containing updated load control policies. 573 The subscriber SHALL discard unknown bodies. If the NOTIFY request 574 contains several bodies, none of them being supported, it SHOULD 575 unsubscribe. A NOTIFY request that does not contain a body MUST be 576 ignored. 578 5.9. Handling of Forked Requests 579 Forking is not applicable when the load control event package is used 580 within a single-hop distance between neighboring SIP entities. If 581 the communication scope of the load control event package is among 582 multiple hops, forking is not expected to happen either because the 583 subscription request is addressed to a clearly defined SIP entity. 584 However, in the unlikely case when forking does happen, the load 585 control event package only allows the first potential dialog- 586 establishing message to create a dialog, as specified in Section 5.9 587 of [RFC6665]. 589 5.10. Rate of Notifications 591 Rate of notifications is likely not a concern for this event package 592 when it is used in a non-real-time mode for relatively static load 593 control policies. Nevertheless, if situation does arise that a 594 rather frequent load control policy update is needed, it is 595 RECOMMENDED that the notifier does not generate notifications at a 596 rate higher than once per-second in all cases, in order to avoid the 597 NOTIFY request itself overloading the system. 599 5.11. State Delta 601 It is likely that updates to specific load control events are made by 602 changing the control restriction parameter information only (e.g. 603 rate, percent), but not other rule elements, such as call-identity. 604 This will typically be because the utilisation of a resource subject 605 to overload depends upon dynamic unknowns such as holding time and 606 the relative distribution of offered loads over subscribing SIP 607 entities. The updates could originate manually or be determined 608 automatically by a dynamic filter computation algorithm 609 (Section 4.2). Another factor that is usually not known precisely or 610 needs to be computed automatically is the validity duration of the 611 load control event. Therefore it would also be common for the 612 validity to change frequently. 614 This event package allows the use of state delta to accommodate 615 frequent updates of partial rule parameters. As in [RFC6665], a 616 version number that increases by exactly one is included in the 617 NOTIFY body for each NOTIFY transaction in a subscription. When the 618 subscriber receives a state delta, it associates the partial updates 619 to the particular rules by matching the appropriate rule id 620 (Section 6.5). If the subscriber receives a NOTIFY that has a 621 version number that is increased by more than one, it knows that it 622 has missed a state delta. The subscriber then keeps the version 623 number, ignores the NOTIFY request containing the state delta, and 624 re-sends a SUBSCRIBE to force a NOTIFY containing a complete state 625 snapshot. 627 5.12. State Agents 629 The load control policy can be directly generated by concerned SIP 630 entities distributed in the network. Alternatively, qualified state 631 agents external to the SIP entities MAY be defined to take charge of 632 determining load control policies. 634 6. Load Control Document 636 6.1. Format 638 A load control document is an XML document that inherits and enhances 639 the common policy document defined in [RFC4745]. A common policy 640 document contains a set of rules. Each rule consists of three parts: 641 conditions, actions and transformations. The conditions part is a 642 set of expressions containing attributes such as identity, domain, 643 and validity time information. Each expression evaluates to TRUE or 644 FALSE. Conditions are matched on "equality" or "greater than" style 645 comparison. There is no regular expression matching. Conditions are 646 evaluated on receipt of an initial SIP request for a dialog or 647 standalone transaction. If a request matches all conditions in a 648 rule set, the action part and the transformation part are consulted 649 to determine the "permission" on how to handle the request. Each 650 action or transformation specifies a positive grant to the policy 651 server to perform the resulting actions. Well-defined mechanism are 652 available for combining actions and transformations obtained from 653 more than one sources. 655 6.2. Namespace 657 The namespace URI for elements defined by this specification is a 658 Uniform Resource Namespace (URN) ([RFC2141]), using the namespace 659 identifier 'ietf' defined by [RFC2648] and extended by [RFC3688]. 660 The URN is as follows: 662 urn:ietf:params:xml:ns:load-control 664 6.3. Conditions 666 [RFC4745] defines three condition elements: , and 667 . In this specification, we re-define an element for 668 identity and reuse the element. The element is 669 not used. 671 6.3.1. Call Identity 673 Since the problem space of this specification is different from that 674 of [RFC4745], the [RFC4745] element is not sufficient for 675 use with load control. First, load control may be applied to 676 different identities contained in a request, including identities of 677 both the receiving entity and the sending entity. Second, the 678 importance of authentication varies when different identities of a 679 request are concerned. This specification defines new identity 680 conditions that can accommodate the granularity of specific SIP 681 identity header fields. The requirement for authentication depends 682 on which field is to be matched. 684 The identity condition for load control is specified by the element and its sub-element . The element 686 itself contains sub-elements representing SIP sending and receiving 687 identity header fields: , , and , each is of the same type as the element in 689 [RFC4745]. Therefore, they also inherit the sub-elements of the 690 element, including , , and . 692 The [RFC4745] and elements may contain an "id" 693 attribute, which is the URI of a single entity to be included or 694 excluded in the condition. When used in the , , and elements, this "id" value is the URI 696 contained in the corresponding SIP header field, i.e., From, To, 697 Request-URI, and P-Asserted-Identity. 699 When the element contains multiple sub- 700 elements, the result is combined using logical OR. When the , 701 , and elements contain 702 multiple , , or sub-elements, the result is also 703 combined using logical OR, similar to that of the element 704 in [RFC4745]. However, when the element contains multiple of 705 the , , and sub- 706 elements, the result is combined using logical AND. This allows the 707 call identity to be specified by multiple fields of a SIP request 708 simultaneously, e.g., both the From and the To header fields. 710 The following shows an example of the element. 712 713 714 715 716 717 718 719 721 This example matches call requests whose To header field contains the 722 SIP URI "sip:alice@hotline.example.com", or the 'tel' URI 723 "tel:+1-212-555-1234". 725 Before evaluating call-identity conditions, the subscriber shall 726 convert URIs received in SIP header fields in canonical form as per 727 [RFC3261], except that the phone-context parameter shall not be 728 removed, if present. 730 The [RFC4745] and elements may take a "domain" 731 attribute. The "domain" attribute specifies a domain name to be 732 matched by the domain part of the candidate identity. Thus, it 733 allows matching a large and possibly unknown number of entities 734 within a domain. The "domain" attribute works well for SIP URIs. 736 A URI identifying a SIP user, however, can also be a 'tel' URI. We 737 therefore need a similar way to match a group of 'tel' URIs. 738 According to [RFC3966], there are two forms of 'tel' URIs for global 739 numbers and local numbers, respectively. All phone numbers must be 740 expressed in global form when possible. The global number 'tel' URIs 741 start with a "+". The rest of the numbers are expressed as local 742 numbers, which must be qualified by a "phone-context" parameter. The 743 "phone-context" parameter may be labelled as a global number or any 744 number of its leading digits, or a domain name. Both forms of the 745 'tel' URI make the resulting URI globally unique. 747 'Tel' URIs of global numbers can be grouped by prefixes consisting of 748 any number of common leading digits. For example, a prefix formed by 749 a country code or both the country and area code identifies telephone 750 numbers within a country or an area. Since the length of the country 751 and area code for different regions are different, the length of the 752 number prefix is also variable. This allows further flexibility such 753 as grouping the numbers into sub-areas within the same area code. 754 'Tel' URIs of local numbers can be grouped by the value of the 755 "phone-context" parameter. 757 To include the two forms of 'tel' URI grouping in the and 758 elements, one approach is to add a new attribute similar to 759 the "domain" attribute. In this specification, we decided on a 760 simpler approach. There are basically two types of grouping 761 attribute values for both SIP URIs and 'tel' URIs: domain name and 762 number prefix starting with "+". Both of them can be expressed as 763 strings. Therefore, we re-interpret the existing "domain" attribute 764 of the and elements to allow it to contain both types 765 of grouping attribute values. In particular, when the "domain" 766 attribute value starts with "+", it denotes a number prefix, 767 otherwise, the value denotes a domain name. Note that the tradeoff 768 of this simpler approach is the overlap in matching different types 769 of URIs. Specifically, a domain name in the "domain" attribute could 770 be matched by both a SIP URI with that domain name and a local number 771 'tel' URI containing the same domain name in the "phone-context". On 772 the other hand, a number prefix in the "domain" attribute could be 773 matched by both global number 'tel' URIs starting with those leading 774 digits, and local number 'tel' URIs having the same prefix in the 775 "phone-context" parameter. However, when the "phone-context" 776 coincides with the SIP domain name or the global number prefix, in 777 many cases the related phone numbers indeed belong to the same domain 778 or the same area, which means the overlap is not inappropriate. It 779 should be noted that the method of grouping local numbers as defined 780 in this document does not support all cases. For example, if the 781 phone-context for short service numbers in a country is the country 782 code, this solution does not permit to define a filter that excludes 783 all E.164 numbers in that country but retain all short service 784 numbers. A complete solution for local number grouping requires a 785 separate method outside the scope of this document. 787 The following example shows the use of the re-interpreted "domain" 788 attribute. 790 791 792 793 794 795 796 797 798 799 800 801 802 804 This example matches those requests calling to the number "+1-202- 805 999-1234" but are not calling from a "+1-212" prefix or a SIP From 806 URI domain of "manhattan.example.com". 808 6.3.2. Validity 810 A rule is usually associated with a validity period condition. This 811 specification reuses the element of [RFC4745], which 812 specifies a period of validity time by pairs of and 813 sub-elements. When multiple time periods are defined, the validity 814 condition is evaluated to TRUE if the current time falls into any of 815 the specified time periods. i.e., it represents a logical OR 816 operation across all validity time periods. 818 The following example shows a element specifying a valid 819 period from 12:00 to 15:00 US Eastern Standard Time on 2008-05-31. 821 822 2008-05-31T12:00:00-05:00 823 2008-05-31T15:00:00-05:00 824 826 6.3.3. Method 828 The load created on a SIP server depends on the type of an initial 829 SIP request for a dialog or standalone transaction. The 830 element specifies the SIP method to which a particular action 831 applies. When this element is not included, the rule actions are 832 applicable to all initial methods. But SUBSCRIBE requests are not 833 filtered if the event-type header field indicates the event package 834 defined in this document. 836 The following example shows the use of the element. 838 INVITE 840 6.4. Actions 842 As [RFC4745] specified, conditions form the 'if'-part of rules, while 843 actions and transformations form the 'then'-part. Transformations 844 are not used in the load control document. The actions for load 845 control are defined by the element, which takes any one of 846 the three sub-elements , , and . The 847 element denotes an absolute value of the maximum acceptable request 848 rate in requests per second; the element specifies the 849 relative percentage of incoming requests that should be accepted; the 850 element describes the acceptable window size supplied by the 851 receiver, which is applicable in window-based load control. In 852 static load filter configuration scenarios, using the sub- 853 element is RECOMMENDED because it is hard to enforce the percentage 854 rate or window-based control when the incoming load from upstream or 855 the reactions from downstream are uncertain. (See 856 [I-D.ietf-soc-overload-control] [RFC6357] for more details on rate- 857 based, loss-based and window-based load control) 859 In addition, the element takes an optional "alt-action" 860 attribute which can be used to explicitly specify the desired action 861 in case a request cannot be accepted. The possible "alt-action" 862 values are "drop" for simple drop, "reject" for explicit rejection 863 (e.g., sending a "500 Server Internal Error" response message to an 864 INVITE request), and "forward". The default value is "reject" in 865 order to avoid possible SIP retransmissions when an unreliable 866 transport is used. If the "alt-action" value is "forward", an "alt- 867 target" attribute MUST be defined. The "alt-target" specifies a URI 868 where the request should be forwarded (e.g., an answering machine 869 with explanation of why the request cannot be accepted). 871 In the following element example, the server accepts 872 maximum of 100 call requests per second. The remaining calls are 873 forwarded to an answering machine. 875 876 878 100 879 880 882 6.5. Complete Examples 884 This section presents two complete examples of load control documents 885 valid with respect to the XML schema defined in Section 7. 887 The first example assumes that a set of hotlines are set up at 888 "sip:alice@hotline.example.com" and "tel:+1-212-555-1234". The 889 hotlines are activated from 12:00 to 15:00 US Eastern Standard Time 890 on 2008-05-31. The goal is to limit the incoming calls to the 891 hotlines to 100 requests per second. Calls that exceed the rate 892 limit are explicitly rejected. 894 895 899 900 901 902 903 904 905 906 907 908 909 910 2008-05-31T12:00:00-05:00 911 2008-05-31T15:00:00-05:00 912 913 914 915 916 100 917 918 920 921 923 The second example considers optimizing server resource usage of a 924 three-day period during the aftermath of a hurricane. Incoming calls 925 to the hurricane domain "pompeii.example.com" will be limited to a 926 rate of 100 requests per second, except for those calls originating 927 from a particular rescue team domain "rescue.example.com". Outgoing 928 calls from the hurricane domain or calls within the local domain are 929 never limited. All calls that are throttled due to the rate limit 930 will be forwarded to an answering machine with updated hurricane 931 rescue information. 933 934 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 79-08-24T09:00:00+01:00 955 79-08-27T09:00:00+01:00 956 957 958 959 962 100 963 964 966 967 969 7. XML Schema Definition for Load Control 971 This section defines the XML schema for the load control document. 972 It extends the Common Policy schema in [RFC4745] in two ways. 973 Firstly, it defines two mandatory attributes for the ruleset element: 974 version and state. The version attribute allows the recipient of the 975 notification to properly order them. Versions start at 0, and 976 increase by one for each new document sent to a subscriber within the 977 same subscription. Versions MUST be representable using a non- 978 negative 32 bit integer. The state attribute indicates whether the 979 document contains a full control policy update, or whether it 980 contains only state delta as partial update. Secondly, it defines 981 new members of the and elements. 983 984 991 993 995 996 997 998 999 1000 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1017 1019 1020 1021 1023 1024 1025 1026 1027 1029 1030 1031 1033 1034 1035 1036 1037 1038 1039 1041 1043 1044 1045 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1059 1061 1062 1063 1064 1065 1066 1068 1069 1070 1071 1072 1074 1076 8. Related Work 1078 8.1. Relationship with Load Filtering in PSTN 1080 It is known that the existing PSTN network also uses a load filtering 1081 mechanism to prevent overload and the filter configuration is done 1082 manually except in specific cases when the Intelligent Network 1083 architecture is used [AINGR]. This specification defines a SIP 1084 events framework based distribution mechanism which allows automated 1085 filter distribution in suitable environments. 1087 There are control messages associated with PSTN overload control 1088 which would specify an outgoing control list, call gap duration and 1089 control duration [AINGR]. These items could be roughly correlated to 1090 the identity, action and time fields of the SIP load filter defined 1091 in this specification. However, the filter defined in this 1092 specification is much more generic and flexible as opposed to its 1093 PSTN counterpart. 1095 Firstly, PSTN load filtering only applies to telephone numbers. The 1096 SIP filter identity allows both SIP URI and telephone numbers 1097 (through Tel URI) to be specified. The identities can be arbitrarily 1098 grouped by SIP domains or any number of leading prefix of the 1099 telephone numbers. 1101 Secondly, the PSTN filtering action is usually limited to call 1102 gapping. The action field in the SIP load filter allows more 1103 flexible rate throttle and other possibilities. 1105 Thirdly, the duration field in PSTN filtering specifies a value in 1106 seconds for the control duration only, and the allowed values are 1107 mapped into a value set. The time field in the SIP load filter may 1108 specify not only a duration, but also a future activation time which 1109 could be especially useful for automating load control for 1110 predictable overloads. 1112 PSTN filtering can be performed in both edge switches and transit 1113 switches; SIP filtering can also be applied in both edge proxy 1114 servers and core proxy servers, and even in capable user agents. 1116 PSTN overload control also has special accommodation for High 1117 Probability of Completion (HPC) calls, which would be similar to the 1118 calls designated by the SIP Resource Priority Headers [RFC4412]. SIP 1119 filtering mechanism can also prioritize the treatment of these calls 1120 by specifying favorable actions for these calls. 1122 PSTN filtering also provides administrative option for routing failed 1123 call attempts to either Recorder Tone or a special announcement. 1124 Similar capability can be provided in the SIP filtering mechanism by 1125 specifying the appropriate "alt-action" attribute in the SIP 1126 filtering action field. 1128 8.2. Relationship with Other IETF SIP Load Control Efforts 1130 The load filtering rules in this specification consists of identity, 1131 action and time. The identity can range from a single specific user 1132 to an arbitrary user aggregate, domains or areas. The user can be 1133 identified by either the source or the destination. When the user is 1134 identified by the source and a favorable action is specified, the 1135 result is to some extent similar to identifying a priority user based 1136 on authorized Resource Priority Headers [RFC4412] in the requests. 1137 Specifying a source user identity with an unfavorable action would 1138 cause an effect to some extent similar to an inverse SIP resource 1139 priority mechanism. 1141 The load filter defined in this specification is generic and expected 1142 to be applicable not only to the load filtering mechanism but also to 1143 the feedback overload control mechanism in 1144 [I-D.ietf-soc-overload-control]. In particular, both mechanisms 1145 could use specific or wildcard filter identities for load control and 1146 could share well-known load control actions. The time duration field 1147 in the load filter could also be used in both mechanisms. As 1148 mentioned in Section 1, the load filter distribution mechanism and 1149 the feedback overload control mechanism address complementary areas 1150 in the load control problem space. Load filtering is more proactive 1151 and focuses on distributing the filter towards the source of the 1152 traffic; the hop-by-hop feedback based approach is reactive and 1153 targets more at traffic already accepted in the network. Therefore, 1154 they could also make different use of the generic filter components. 1155 For example, the load filtering mechanism may use the time field in 1156 the filter to specify not only a control duration but also a future 1157 activation time to accommodate a predicable overload such as the one 1158 caused by Mother's Day greetings or a viewer-voting program; the 1159 feedback-based control might not need to use the time field or might 1160 use the time field to specify an immediate control duration. 1162 9. Discussion of this specification meeting the requirements of RFC5390 1164 This section evaluates whether the load control event package defined 1165 in this specification satisfies the various SIP overload control 1166 requirements set forth by RFC5390 [RFC5390]. Not all RFC5390 1167 requirements are found applicable due to the scope of this document. 1168 Therefore, we categorize the assessment results into Yes (meet the 1169 requirement), P/A (partially applicable), No (must be used in 1170 conjunction with another mechanism to meet the requirement), and N/A 1171 (not applicable). 1173 REQ 1: The overload mechanism shall strive to maintain the overall 1174 useful throughput (taking into consideration the quality-of- 1175 service needs of the using applications) of a SIP server at 1176 reasonable levels, even when the incoming load on the network is 1177 far in excess of its capacity. The overall throughput under load 1178 is the ultimate measure of the value of an overload control 1179 mechanism. 1181 P/A. The goal of the load filtering is to prevent overload or 1182 maintain overall goodput during the time of overload, but it is 1183 dependent on the advance predictions of the load. If the predictions 1184 are incorrect, in either direction, the effectiveness of the 1185 mechanism will be affected. 1187 REQ 2: When a single network element fails, goes into overload, or 1188 suffers from reduced processing capacity, the mechanism should 1189 strive to limit the impact of this on other elements in the 1190 network. This helps to prevent a small-scale failure from 1191 becoming a widespread outage. 1193 N/A if filter values are installed in advance and do not change 1194 during the potential overload period. P/A if filter values are 1195 dynamically adjusted due to the specific filter computation 1196 algorithm. The dynamic filter computation algorithm is outside the 1197 scope of this specification, while the distribution of the updated 1198 filters uses the event package mechanism of this specification. 1200 REQ 3: The mechanism should seek to minimize the amount of 1201 configuration required in order to work. For example, it is 1202 better to avoid needing to configure a server with its SIP message 1203 throughput, as these kinds of quantities are hard to determine. 1205 No. This mechanism is entirely dependent on advance configuration, 1206 based on advance knowledge. In order to satisfy Req 3, it should be 1207 used in conjunction with other mechanisms which are not based on 1208 advance configuration. 1210 REQ 4: The mechanism must be capable of dealing with elements that 1211 do not support it, so that a network can consist of a mix of 1212 elements that do and don't support it. In other words, the 1213 mechanism should not work only in environments where all elements 1214 support it. It is reasonable to assume that it works better in 1215 such environments, of course. Ideally, there should be 1216 incremental improvements in overall network throughput as 1217 increasing numbers of elements in the network support the 1218 mechanism. 1220 No. This mechanism is entirely dependent on the participation of all 1221 possible neighbors. In order to satisfy Req 4, it should be used in 1222 conjunction with other mechanisms, some of which are described in 1223 Section 4.4. 1225 REQ 5: The mechanism should not assume that it will only be 1226 deployed in environments with completely trusted elements. It 1227 should seek to operate as effectively as possible in environments 1228 where other elements are malicious; this includes preventing 1229 malicious elements from obtaining more than a fair share of 1230 service. 1232 No. This mechanism is entirely dependent on the non-malicious 1233 participation of all possible neighbors. In order to satisfy Req 5, 1234 it should be used in conjunction with other mechanisms, some of which 1235 are described in Section 4.4. 1237 REQ 6: When overload is signaled by means of a specific message, 1238 the message must clearly indicate that it is being sent because of 1239 overload, as opposed to other, non overload-based failure 1240 conditions. This requirement is meant to avoid some of the 1241 problems that have arisen from the reuse of the 503 response code 1242 for multiple purposes. Of course, overload is also signaled by 1243 lack of response to requests. This requirement applies only to 1244 explicit overload signals. 1246 N/A. This mechanism signals anticipated overload, not actual 1247 overload. However the signals in this mechanism are not used for any 1248 other purpose. 1250 REQ 7: The mechanism shall provide a way for an element to 1251 throttle the amount of traffic it receives from an upstream 1252 element. This throttling shall be graded so that it is not all- 1253 or-nothing as with the current 503 mechanism. This recognizes the 1254 fact that "overload" is not a binary state and that there are 1255 degrees of overload. 1257 Yes. This event package allows rate/loss/windows-based overload 1258 control options as discussed in Section 6.4. 1260 REQ 8: The mechanism shall ensure that, when a request was not 1261 processed successfully due to overload (or failure) of a 1262 downstream element, the request will not be retried on another 1263 element that is also overloaded or whose status is unknown. This 1264 requirement derives from REQ 1. 1266 N/A to the load control event package itself. 1268 REQ 9: That a request has been rejected from an overloaded element 1269 shall not unduly restrict the ability of that request to be 1270 submitted to and processed by an element that is not overloaded. 1271 This requirement derives from REQ 1. 1273 Yes. For example, the load filter [Section 4.1] allows the inclusion 1274 of alternative forwarding destinations for rejected requests. 1276 REQ 10: The mechanism should support servers that receive requests 1277 from a large number of different upstream elements, where the set 1278 of upstream elements is not enumerable. 1280 No. Because this mechanism requires advance configuration of 1281 specifically identified neighbors, it does not support environments 1282 where the number and identity of the upstream neighbors are not known 1283 in advance. In order to satisfy Req 10, it should be used in 1284 conjunction with other mechanisms. 1286 REQ 11: The mechanism should support servers that receive requests 1287 from a finite set of upstream elements, where the set of upstream 1288 elements is enumerable. 1290 Yes. See also answer to REQ 10. 1292 REQ 12: The mechanism should work between servers in different 1293 domains. 1295 Yes. The load control event package is not limited by domain 1296 boundaries. However, it is likely more applicable in intra-domain 1297 scenarios than in inter-domain scenarios due to security and other 1298 concerns (See also Section 4.4). 1300 REQ 13: The mechanism must not dictate a specific algorithm for 1301 prioritizing the processing of work within a proxy during times of 1302 overload. It must permit a proxy to prioritize requests based on 1303 any local policy, so that certain ones (such as a call for 1304 emergency services or a call with a specific value of the 1305 Resource-Priority header field [RFC4412]) are given preferential 1306 treatment, such as not being dropped, being given additional 1307 retransmission, or being processed ahead of others. 1309 P/A. This mechanism does not specifically address the prioritizing of 1310 work during times of overload. But it does not preclude any 1311 particular local policy. 1313 REQ 14: The mechanism should provide unambiguous directions to 1314 clients on when they should retry a request and when they should 1315 not. This especially applies to TCP connection establishment and 1316 SIP registrations, in order to mitigate against avalanche restart. 1318 N/A to the load control event package itself. 1320 REQ 15: In cases where a network element fails, is so overloaded 1321 that it cannot process messages, or cannot communicate due to a 1322 network failure or network partition, it will not be able to 1323 provide explicit indications of the nature of the failure or its 1324 levels of congestion. The mechanism must properly function in 1325 these cases. 1327 P/A. Because the filters are provisioned in advance, they are not 1328 affected by the overload or failure of other nodes. But, on the 1329 other hand, they may not, in those cases, be able to protect the 1330 overloaded node (see Req 1). 1332 REQ 16: The mechanism should attempt to minimize the overhead of 1333 the overload control messaging. 1335 Yes. The standardized SIP event package mechanism [RFC6665] is used. 1337 REQ 17: The overload mechanism must not provide an avenue for 1338 malicious attack, including DoS and DDoS attacks. 1340 P/A. This mechanism does provide a potential avenue for malicious 1341 attacks. Therefore the security mechanisms for SIP event packages in 1342 general [RFC6665] and of section 10 of this specification should be 1343 used. 1345 REQ 18: The overload mechanism should be unambiguous about whether 1346 a load indication applies to a specific IP address, host, or URI, 1347 so that an upstream element can determine the load of the entity 1348 to which a request is to be sent. 1350 Yes. The identity of load indication is covered in the filter format 1351 definition in Section 4.1. 1353 REQ 19: The specification for the overload mechanism should give 1354 guidance on which message types might be desirable to process over 1355 others during times of overload, based on SIP-specific 1356 considerations. For example, it may be more beneficial to process 1357 a SUBSCRIBE refresh with Expires of zero than a SUBSCRIBE refresh 1358 with a non-zero expiration (since the former reduces the overall 1359 amount of load on the element), or to process re-INVITEs over new 1360 INVITEs. 1362 N/A to the load control event package itself. 1364 REQ 20: In a mixed environment of elements that do and do not 1365 implement the overload mechanism, no disproportionate benefit 1366 shall accrue to the users or operators of the elements that do not 1367 implement the mechanism. 1369 No. This mechanism is entirely dependent on the participation of all 1370 possible neighbors. In order to satisfy Req 20, it should be used in 1371 conjunction with other mechanisms, some of which are described in 1372 Section 4.4. 1374 REQ 21: The overload mechanism should ensure that the system 1375 remains stable. When the offered load drops from above the 1376 overall capacity of the network to below the overall capacity, the 1377 throughput should stabilize and become equal to the offered load. 1379 N/A to the load control event package itself. 1381 REQ 22: It must be possible to disable the reporting of load 1382 information towards upstream targets based on the identity of 1383 those targets. This allows a domain administrator who considers 1384 the load of their elements to be sensitive information, to 1385 restrict access to that information. Of course, in such cases, 1386 there is no expectation that the overload mechanism itself will 1387 help prevent overload from that upstream target. 1389 N/A to the load control event package itself. 1391 REQ 23: It must be possible for the overload mechanism to work in 1392 cases where there is a load balancer in front of a farm of 1393 proxies. 1395 Yes. The load control event package does not preclude its use in a 1396 scenario with server farms. 1398 10. Security Considerations 1400 Two aspects of security considerations arise from this specification. 1401 One is the SIP event framework based filter distribution mechanism, 1402 the other is the filter enforcement mechanism. 1404 Security considerations for SIP event framework based mechanisms are 1405 covered in Section 6 of [RFC6665]. A particularly relevant security 1406 concern for this event package is that if the notifiers can be 1407 spoofed, attackers can send fake notifications asking subscribers to 1408 throttle all traffic, leading to Denial-of-Service attacks. 1409 Therefore, all load control notification MUST be authenticated and 1410 authorized before being accepted. Standard authentication and 1411 authorization mechanisms recommended in [RFC3261] such as TLS 1412 [RFC5246] and IPSec [RFC4301] may serve this purpose. On the other 1413 hand, if a legitimate notifier is itself compromised, additional 1414 mechanisms will be needed to detect the attack. 1416 Security considerations for filter enforcements vary depending on the 1417 filter itself. This specification defines possible filter match of 1418 the following SIP header fields: , , and 1419 . The exact requirement to authenticate and 1420 authorize these fields is up to the service provider. In general, if 1421 the identity field represents the source of the request, it SHOULD be 1422 authenticated and authorized; if the identity field represents the 1423 destination of the request, the authentication and authorization is 1424 optional. 1426 11. IANA Considerations 1428 This specification registers a SIP event package, a new MIME type, a 1429 new XML namespace, and a new XML schema. 1431 11.1. Load Control Event Package Registration 1433 This section registers an event package based on the registration 1434 procedures defined in [RFC6665]. 1436 Package name: load-control 1438 Type: package 1440 Published specification: This specification 1442 Person to contact: Charles Shen, charles@cs.columbia.edu 1444 11.2. application/load-control+xml MIME Registration 1446 This section registers a new MIME type based on the procedures 1447 defined in [RFC4288] and guidelines in [RFC3023]. 1449 MIME media type name: application 1451 MIME subtype name: load-control+xml 1453 Mandatory parameters: none 1455 Optional parameters: Same as charset parameter application/xml in 1456 [RFC3023] 1458 Encoding considerations: Same as encoding considerations of 1459 application/xml in [RFC3023] 1461 Security considerations: See Section 10 of [RFC3023] and Section 10 1462 of this specification 1464 Interpretability considerations: None 1466 Published Specification: This specification 1468 Applications which use this media type: load control of SIP entities 1470 Additional information: 1472 Magic number: None 1474 File extension: .xml 1476 Macintosh file type code: 'TEXT' 1478 Personal and email address for further information: 1480 Charles Shen, charles@cs.columbia.edu 1482 Intended usage: COMMON 1483 Author/Change Controller: IETF SOC Working Group 1484 , as designated by the IESG 1486 11.3. Load Control Schema Registration 1488 URI: urn:ietf:params:xml:schema:load-control 1490 Registrant Contact: IETF SOC working group, Charles Shen 1491 (charles@cs.columbia.edu). 1493 XML: the XML schema to be registered is contained in Section 7. 1495 Its first line is 1497 1499 and its last line is 1501 1503 12. Acknowledgements 1505 The authors would like to thank Bruno Chatras, Martin Dolly, Keith 1506 Drage, Ashutosh Dutta, Janet Gunn, Vijay Gurbani, Volker Hilt, Geoff 1507 Hunt, Carolyn Johnson, Hadriel Kaplan, Paul Kyzivat, Salvatore 1508 Loreto, Timothy Moran, Eric Noel, Parthasarathi R, Shida Schubert, 1509 Robert Sparks, Phil Williams and other members of the SOC and SIPPING 1510 working group for many helpful comments. In particular, Bruno 1511 Chatras proposed the condition element along with many other 1512 text improvements. Janet Gunn provided detailed text suggestions for 1513 Section 9. Eric Noel suggested clarification on filter distribution 1514 initialization process. Shida Schubert made many suggestions about 1515 terminology usage. Phil Williams suggested adding support for delta 1516 updates. Ashutosh Dutta gave pointers to PSTN references. 1518 13. References 1520 13.1. Normative References 1522 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1523 Requirement Levels", BCP 14, RFC 2119, March 1997. 1525 [RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997. 1527 [RFC3023] Murata, M., St. Laurent, S., and D. Kohn, "XML Media 1528 Types", RFC 3023, January 2001. 1530 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 1531 A., Peterson, J., Sparks, R., Handley, M., and E. 1532 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 1533 June 2002. 1535 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 1536 January 2004. 1538 [RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", 1539 RFC 3966, December 2004. 1541 [RFC4288] Freed, N. and J. Klensin, "Media Type Specifications and 1542 Registration Procedures", BCP 13, RFC 4288, December 2005. 1544 [RFC4745] Schulzrinne, H., Tschofenig, H., Morris, J., Cuellar, J., 1545 Polk, J., and J. Rosenberg, "Common Policy: A Document 1546 Format for Expressing Privacy Preferences", RFC 4745, 1547 February 2007. 1549 [RFC6665] Roach, A., "SIP-Specific Event Notification", RFC 6665, 1550 July 2012. 1552 13.2. Informative References 1554 [AINGR] Bell Communications Research, "AINGR: Service Control 1555 Point (SCP) Network Traffic Management", GR-2938-CORE , 1556 December 1996. 1558 [I-D.ietf-soc-overload-control] 1559 Gurbani, V., Hilt, V., and H. Schulzrinne, "Session 1560 Initiation Protocol (SIP) Overload Control", 1561 draft-ietf-soc-overload-control-09 (work in progress), 1562 July 2012. 1564 [RFC2648] Moats, R., "A URN Namespace for IETF Documents", RFC 2648, 1565 August 1999. 1567 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 1568 Internet Protocol", RFC 4301, December 2005. 1570 [RFC4412] Schulzrinne, H. and J. Polk, "Communications Resource 1571 Priority for the Session Initiation Protocol (SIP)", 1572 RFC 4412, February 2006. 1574 [RFC4825] Rosenberg, J., "The Extensible Markup Language (XML) 1575 Configuration Access Protocol (XCAP)", RFC 4825, May 2007. 1577 [RFC5031] Schulzrinne, H., "A Uniform Resource Name (URN) for 1578 Emergency and Other Well-Known Services", RFC 5031, 1579 January 2008. 1581 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 1582 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 1584 [RFC5390] Rosenberg, J., "Requirements for Management of Overload in 1585 the Session Initiation Protocol", RFC 5390, December 2008. 1587 [RFC6357] Hilt, V., Noel, E., Shen, C., and A. Abdelal, "Design 1588 Considerations for Session Initiation Protocol (SIP) 1589 Overload Control", RFC 6357, August 2011. 1591 Authors' Addresses 1593 Charles Shen 1594 Columbia University 1595 Department of Computer Science 1596 1214 Amsterdam Avenue, MC 0401 1597 New York, NY 10027 1598 USA 1600 Phone: +1 212 854 3109 1601 Email: charles@cs.columbia.edu 1603 Henning Schulzrinne 1604 Columbia University 1605 Department of Computer Science 1606 1214 Amsterdam Avenue, MC 0401 1607 New York, NY 10027 1608 USA 1610 Phone: +1 212 939 7004 1611 Email: schulzrinne@cs.columbia.edu 1613 Arata Koike 1614 NTT Service Integration Labs 1615 3-9-11 Midori-cho Musashino-shi 1616 Tokyo, 184-0013 1617 Japan 1619 Phone: +81 422 59 6099 1620 Email: koike.arata@lab.ntt.co.jp