idnits 2.17.1 draft-ietf-soc-load-control-event-package-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 22, 2012) is 4176 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2141 (Obsoleted by RFC 8141) ** Obsolete normative reference: RFC 3023 (Obsoleted by RFC 7303) ** Obsolete normative reference: RFC 4288 (Obsoleted by RFC 6838) == Outdated reference: A later version (-15) exists of draft-ietf-soc-overload-control-09 -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IETF SOC Working Group C. Shen 3 Internet-Draft H. Schulzrinne 4 Intended status: Standards Track Columbia U. 5 Expires: April 25, 2013 A. Koike 6 NTT 7 October 22, 2012 9 A Session Initiation Protocol (SIP) Load Control Event Package 10 draft-ietf-soc-load-control-event-package-05.txt 12 Abstract 14 We define a load control event package for the Session Initiation 15 Protocol (SIP). It allows SIP servers to distribute load filters to 16 other SIP servers in the network. The load filters contain rules to 17 throttle calls based on their source or destination domain, telephone 18 number prefix or for a specific user. The mechanism helps to prevent 19 signaling overload and complements feedback-based SIP overload 20 control efforts. 22 Status of this Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on April 25, 2013. 39 Copyright Notice 41 Copyright (c) 2012 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 57 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 6 58 3. Design Requirements . . . . . . . . . . . . . . . . . . . . . 6 59 4. SIP Load Filtering Overview . . . . . . . . . . . . . . . . . 6 60 4.1. Filter Format . . . . . . . . . . . . . . . . . . . . . . 6 61 4.2. Filter Computation . . . . . . . . . . . . . . . . . . . . 7 62 4.3. Filter Distribution . . . . . . . . . . . . . . . . . . . 7 63 4.4. Applicability in Different Network Environments . . . . . 10 64 5. Load Control Event Package . . . . . . . . . . . . . . . . . . 11 65 5.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 11 66 5.2. Event Package Parameters . . . . . . . . . . . . . . . . . 11 67 5.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 11 68 5.4. SUBSCRIBE Duration . . . . . . . . . . . . . . . . . . . . 12 69 5.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 12 70 5.6. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 12 71 5.7. Notifier Generation of NOTIFY Requests . . . . . . . . . . 12 72 5.8. Subscriber Processing of NOTIFY Requests . . . . . . . . . 13 73 5.9. Handling of Forked Requests . . . . . . . . . . . . . . . 14 74 5.10. Rate of Notifications . . . . . . . . . . . . . . . . . . 14 75 5.11. State Delta . . . . . . . . . . . . . . . . . . . . . . . 14 76 6. Load Control Document . . . . . . . . . . . . . . . . . . . . 15 77 6.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . . 15 78 6.2. Namespace . . . . . . . . . . . . . . . . . . . . . . . . 15 79 6.3. Conditions . . . . . . . . . . . . . . . . . . . . . . . . 15 80 6.3.1. Call Identity . . . . . . . . . . . . . . . . . . . . 15 81 6.3.2. Method . . . . . . . . . . . . . . . . . . . . . . . . 18 82 6.3.3. Target SIP Entity . . . . . . . . . . . . . . . . . . 19 83 6.3.4. Validity . . . . . . . . . . . . . . . . . . . . . . . 20 84 6.4. Actions . . . . . . . . . . . . . . . . . . . . . . . . . 20 85 6.5. Complete Examples . . . . . . . . . . . . . . . . . . . . 21 86 6.5.1. Load Control Document Examples . . . . . . . . . . . . 21 87 6.5.2. Message Flow Examples . . . . . . . . . . . . . . . . 23 88 7. XML Schema Definition for Load Control . . . . . . . . . . . . 25 89 8. Related Work . . . . . . . . . . . . . . . . . . . . . . . . . 27 90 8.1. Relationship with Load Filtering in PSTN . . . . . . . . . 27 91 8.2. Relationship with Other IETF SIP Load Control Efforts . . 28 92 9. Discussion of this specification meeting the requirements 93 of RFC5390 . . . . . . . . . . . . . . . . . . . . . . . . . . 29 94 10. Security Considerations . . . . . . . . . . . . . . . . . . . 34 95 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 96 11.1. Load Control Event Package Registration . . . . . . . . . 34 97 11.2. application/load-control+xml MIME Registration . . . . . . 35 98 11.3. Load Control Schema Registration . . . . . . . . . . . . . 36 99 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 36 100 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 36 101 13.1. Normative References . . . . . . . . . . . . . . . . . . . 36 102 13.2. Informative References . . . . . . . . . . . . . . . . . . 37 103 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 38 105 1. Introduction 107 Proper functioning of Session Initiation Protocol (SIP) [RFC3261] 108 signaling servers is critical in SIP-based communications networks. 109 The performance of SIP servers can be severely degraded when the 110 server is overloaded with excessive number of signaling requests. 111 Both legitimate and malicious traffic can overload SIP servers, 112 despite appropriate capacity planning. 114 There are three common examples of legitimate short-term increases in 115 call volumes. Viewer-voting TV shows or ticket giveaways may 116 generate millions of calls within a few minutes. Call volume may 117 also spike during special holidays such as New Year's Day and 118 Mother's Day. Finally, callers may want to reach friends and family 119 in natural disaster areas such as those affected by hurricanes. When 120 possible, only calls traversing overloaded servers should be 121 throttled under those conditions. 123 SIP load control mechanisms are needed to prevent congestion collapse 124 in these cases [RFC5390]. There are two types of load control 125 approaches. In the first approach, feedback control, SIP servers 126 provide load limits to upstream servers, to reduce the incoming rate 127 of all SIP requests [I-D.ietf-soc-overload-control]. These upstream 128 servers then drop or delay incoming SIP requests. Feedback control 129 is reactive and affects signaling messages that have already been 130 issued by user agent clients. They work well when SIP proxy servers 131 in the core networks (core proxy servers) or destination-specific SIP 132 proxy servers in the edge networks (edge proxy servers) are 133 overloaded. By their nature, they need to distribute rate, drop or 134 window information to all upstream SIP proxy servers and normally 135 affect all calls equally, regardless of destination. However, 136 feedback control is usually ineffective for overload of more general 137 purpose SIP edge proxy servers. For example, in the ticket giveaway 138 case, almost all calls to the hotline will fail at the core proxy 139 servers; if the edge proxy servers leading to the core proxy servers 140 are also overloaded, calls to other destinations will also be 141 rejected or dropped. 143 Here, we propose an additional, complementary mechanism, called load 144 filtering. Network operators create load filters that indicate that 145 calls to specific destinations or from specific sources should be 146 rate-limited or randomly dropped. These load filters are then 147 distributed to SIP servers and possibly user agents likely to 148 generate calls to the affected destinations or from the affected 149 sources. Load filtering works best if it prevents calls as close to 150 the originating user agent clients as possible. 152 The load filtering approach is most applicable for situations where a 153 traffic surge and its source/destination distribution can be 154 predicted in advance. For instance, it is appropriate for a mass- 155 phone-voting event, Mother's Day, New Years, and even a hurricane. 156 However, it is less likely to be effective for the initial phase of 157 unpredicted/unpredictable mass calling events, such as earthquakes or 158 terrorist attacks. In these latter cases, the local traffic load may 159 peak by more than an order of magnitude in minutes, if not seconds. 160 This does not allow time to either effectively identify the filters 161 needed, nor distribute them to the appropriate servers soon enough to 162 prevent server congestion. Once other, more immediate, techniques 163 (such as the loss-based or rate-based feedback control methods) have 164 prevented the initial congestion collapse, the load filtering 165 approach can be used to effectively control the continuing overload. 167 Performing SIP load filtering requires three components: load filter 168 format, load filter computation method, and load filter distribution 169 mechanism. This specification addresses two of these three 170 components. The load filter format is defined in a SIP load control 171 event package, while the load filter distribution mechanism is built 172 upon the existing SIP event framework. The remaining component, load 173 filter computation method, depends heavily on the actual network 174 topology and service provider policies. Therefore it is out of scope 175 of this specification. 177 It is helpful to clarify two aspects regarding some terminology used 178 in this specification. Firstly, although the SIP load filtering 179 mechanism is motivated by the overload control problem, which is why 180 this specification refers extensively to other parallel SIP overload 181 control related efforts, the applicability of filtering extends 182 beyond the overload control purpose. For example, it can also be 183 used to implement quality of service or other service level agreement 184 commitments. Therefore, we use the term SIP "load control event 185 package", instead of a narrower term "overload control event 186 package". Secondly, since we are describing a specific control 187 mechanism based on filtering, the term "load control" in this 188 specification is used inter-changeably with the term "load filtering" 189 unless associated with other explicit context. 191 The rest of this specification is structured as follows: we begin by 192 listing the design requirements for this work in Section 3. We then 193 give an overview of load filtering operation in Section 4. The load 194 control event package for filter distribution is detailed in 195 Section 5. The load filter format is defined in the two sections 196 that follow, with Section 6 introducing the XML document for load 197 control and Section 7 listing the associated schema. Section 8 198 relates this work to corresponding mechanisms in PSTN and other IETF 199 efforts addressing SIP load control. Section 9 evaluates whether 200 this specification meets the SIP overload control requirements set 201 forth by RFC5390 [RFC5390]. Finally, Section 10 presents security 202 considerations and Section 11 provides IANA considerations. 204 2. Requirements Notation 206 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 207 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 208 document are to be interpreted as described in [RFC2119]. 210 3. Design Requirements 212 The SIP load filtering mechanism needs to satisfy the following 213 requirements: 215 o To simplify the solution, we focus on a method for controlling SIP 216 load, rather than a generic application-layer mechanism. 217 o The load filter needs to be distributed efficiently to possibly a 218 large subset of all SIP elements. 219 o The solution should re-use existing SIP protocol mechanisms to 220 reduce implementation and deployment complexity. 221 o For predictable overload situations, such as holidays and call-in 222 events, the load filter should specify during what time period it 223 is to be applied, so that the information can be distributed ahead 224 of time. 225 o For destination-specific overload situations, the load filter 226 should be able to describe the callee. 227 o To address accidental and intentional high-volume call generators, 228 the load filter should be able to specify the caller. 229 o Caller and callee need to be specified as both SIP URIs and 'Tel' 230 URIs[RFC3966]. 231 o It should be possible to specify particular information in the SIP 232 headers (e.g., prefixes in telephone numbers) which allow control 233 over limited regionally-focused overloads. 234 o The solution should draw upon experiences from related PSTN 235 mechanisms where applicable. 236 o The solution should be extensible to meet future needs. 238 4. SIP Load Filtering Overview 240 4.1. Filter Format 242 A load filter contains both conditions and actions. Filter 243 conditions include the identities of the targets to be controlled 244 (Section 6.3.1). For example, there are two typical resource limits 245 in a possible overload situation, i.e., human destination limits (N 246 number of call takers) and node capacity limits. The control targets 247 in these two cases can be the specific callee numbers or the 248 destination domains corresponding to the overload. Filter conditions 249 also indicate the specific message type to be controlled 250 (Section 6.3.2), with which target SIP entity the filter is 251 associated (Section 6.3.3) and the period of time when the filtering 252 should be activated (Section 6.3.4). Filter actions describe the 253 desired control functions such as limiting the request rate below a 254 certain level (Section 6.4). 256 4.2. Filter Computation 258 Load filter computation needs to take into consideration information 259 such as the overload time, scope and network topology, as well as 260 service policies. It is also important to make sure that there is no 261 resource allocation loop, and that loads are allocated in a way which 262 both prevents overload and maximizes effective throughput (aka 263 goodput). In some cases, in order to better utilize system 264 resources, it may be preferable to employ a dynamic load computation 265 algorithm which adapts to current network status, rather than using a 266 purely static mechanism. The load filter computation algorithm is 267 out of scope of this specification. 269 4.3. Filter Distribution 271 For load filter distribution, this specification defines the SIP 272 event package for load control, which is an "instantiation" of the 273 generic SIP events framework [RFC6665]. The SIP events framework 274 provides an existing method for SIP entities to subscribe to and 275 receive notifications when certain events have occurred. Such a 276 framework forms a scalable event distribution architecture that suits 277 our needs. This specification also defines the XML schema of a load 278 control document (Section 6), which is used to encode load filtering 279 rules. 281 In order for load filters to be properly distributed, each SIP node 282 in the network SHOULD subscribe to the load control event package 283 from all its outgoing signaling neighbors, known as notifiers 284 (Section 5.6). Subscription is initiated and maintained during 285 normal server operation. Signaling neighbors are defined by sending 286 signaling messages. For instance, if A sends signaling requests to 287 B, B is an outgoing signaling neighbor of A. A needs to subscribe to 288 the load control event package of B in case B wants to curb requests 289 from A. On the other hand, if B also sends signaling requests to A, 290 then B also subscribes to A. Subscription of neighboring SIP entities 291 needs to be persistent so that they are in place independently of any 292 specific load filtering events. Key to this is the fact that 293 notification following initial subscription includes an empty message 294 body if no events are configured (Section 5.7), and that the 295 subscription needs to be refreshed periodically to make it 296 persistent, as described in Section 4.1 and Section 4.2 of [RFC6665]. 297 The notifier will send a notification with its current control policy 298 to its subscribers each time a new subscription or a subscription 299 refreshing is accepted (Section 5.7). The same subscription dialog 300 can also be used to convey policies in a set of rules for multiple 301 load filtering events. (Section 6.1). The subscribers MAY terminate 302 the subscription if it no longer considers the notifiers as its 303 signaling neighbor, e.g., after an extended period of absence of 304 signaling message exchange. However, if after un-subscription, the 305 subscriber determines that the signaling with the notifier is active 306 again, it MUST immediately subscribe to that notifier again. 308 We use the example architecture shown in Figure 1 to illustrate load 309 filter distribution based on the SIP load control event package. 310 This scenario consists of two networks belonging to Service Provider 311 A and Service Provider B, respectively. Each provider's network is 312 made up of two SIP core proxy servers and four SIP edge proxy 313 servers. The core proxy servers and edge proxy servers of Service 314 Provider A are denoted as CPa1 to CPa2 and EPa1 to EPa4; the core 315 proxy servers and edge proxy servers of Service Provider B are 316 denoted as CPb1 to CPb2 and EPb1 to EPb4. 318 +-----------+ +-----------+ +-----------+ +-----------+ 319 | | | | | | | | 320 | EPa1 | | EPa2 | | EPa3 | | EPa4 | 321 | | | | | | | | 322 +-----------+ +-----------+ +-----------+ +-----------+ 323 \ / \ / 324 \ / \ / 325 \ / \ / 326 +-----------+ +-----------+ 327 | | | | 328 | CPa1 |------------------| CPa2 | 329 | | | | 330 +-----------+ +-----------+ 331 | | 332 Service | | 333 Provider A | | 334 | | 335 ================================================================= 336 | | 337 Service | | 338 Provider B | | 339 | | 340 +-----------+ +-----------+ 341 | | | | 342 | CPb1 |------------------| CPb2 | 343 | | | | 344 +-----------+ +-----------+ 345 / \ / \ 346 / \ / \ 347 / \ / \ 348 +-----------+ +-----------+ +-----------+ +-----------+ 349 | | | | | | | | 350 | EPb1 | | EPb2 | | EPb3 | | EPb4 | 351 | | | | | | | | 352 +-----------+ +-----------+ +-----------+ +-----------+ 354 Figure 1: Example Network Scenario Using SIP Load Control Event 355 Package Mechanism 357 At the initialization stage, the proxy servers first identify all 358 their outgoing signaling neighbors and subscribe to them. The 359 neighbor identification process can be performed by service providers 360 through direct provisioning, or by the proxy servers themselves via 361 progressively learning from the signaling messages sent and received. 362 Assuming all signaling relationships in Figure 1 are bi-directional, 363 after this initialization stage, each proxy server will be subscribed 364 to all its neighbors. That is, EPa1 subscribes to CPa1; CPa1 365 subscribes to EPa1, EPa2, CPa2 and CPb1, so on and so forth. The 366 following cases then show two examples of how load filter 367 distribution in this network works. 369 Case I: EPa1 serves a TV program hotline and decides to limit the 370 total number of incoming calls to the hotline to prevent an overload. 371 To do so, EPa1 sends a notification to CPa1 with the specific hotline 372 number, time of activation and total acceptable call rate. Depending 373 on the filter computation algorithm, CPa1 may allocate the received 374 total acceptable rate among its neighbors, namely, EPa2, CPa2, and 375 CPb1, and notify them about the resulting allocation along with the 376 hotline number and the activation time. CPa2 and CPb1 may perform 377 further allocation among their own neighbors and notify the 378 corresponding proxy servers. This process continues until all edge 379 proxy servers in the network have been informed about the event and 380 have proper load filter configured. 382 In the above case, the network entity where load filtering policy is 383 first introduced is the SIP server providing access to the resource 384 that creates the overload condition. In other cases, the network 385 entry point of load filtering policy could also be an entity that 386 hosts this resource. For example, an operator may host an 387 application server that performs 800 number translation services. 388 The application server may itself be a SIP proxy or a SIP Back-to- 389 Back User Agent (B2BUA). If one of the 800 numbers hosted at the 390 application server creates the overload condition, the load filtering 391 policies can be introduced from the application server and then 392 propagated to other SIP proxy servers in the network. 394 Case II: a hurricane affects the region covered by CPb2, EPb3 and 395 EPb4. All the three proxy servers are overloaded. The rescue team 396 determines that outbound calls are more valuable than inbound calls 397 in this specific situation. Therefore, EPb3 and EPb4 are configured 398 with filters to accept more outbound calls than inbound calls. CPb2 399 may be configured the same way or receive dynamically computed 400 filters from EPb3 and EPb4. Depending on the filter computation 401 algorithm, CPb2 may also send out notifications to its outside 402 neighbors, namely CPb1 and CPa2, specifying a limit on the acceptable 403 rate of inbound calls to CPb2's responsible domain. CPb1 and CPa2 404 may subsequently notify their neighbors about limiting the calls to 405 CPb2's area. The same process could continue until all edge proxy 406 servers are notified and have filters configured. 408 Note that this specification does not define the provisioning 409 interface between the party who determines the load control policy 410 and the network entry point where the policy is introduced. One of 411 the options for the provisioning interface is the Extensible Markup 412 Language (XML) Configuration Access Protocol (XCAP) [RFC4825]. 414 4.4. Applicability in Different Network Environments 416 SIP load filtering is more effective when the filters can be pushed 417 to the proximity of signaling sources. But even if only part of the 418 signaling path towards the signaling source could be covered, use of 419 this mechanism can still be beneficial. In fact, due to possibly 420 sophisticated call routing and security concerns, trying to apply 421 automated load filter distribution in the entire inter-domain network 422 path could get extremely complicated and be unrealistic. 424 The scenarios where this mechanism could be most useful are 425 environments consisting of servers with secure and trust relationship 426 and with relatively straightforward routing configuration known to 427 the filter computation algorithm. These scenarios may include intra- 428 domain environments such as those inside a service provider or 429 enterprise domain; inter-domain environments such as where enterprise 430 connecting to a few service providers or between service providers 431 with manageable routing configurations. 433 Another important aspect that affects the applicability of SIP load 434 filtering is that all possible signaling source neighbors need to 435 participate and enforce the designated filter. Otherwise, a single 436 non-conforming neighbor could make the whole control efforts useless 437 by pumping in excessive traffic to overload the server. Therefore, 438 the SIP server that initiates the filter needs to take counter- 439 measures towards any non-conforming neighbors. A simple policy is to 440 reject excessive requests with 500 responses as if they were obeying 441 the rate. Considering the rejection costs, a more complicated but 442 fairer policy would be to allocate at the overloaded server the same 443 amount of processing to the combination of both normal processing and 444 rejection as the overloaded server would devote to processing 445 requests for a conforming upstream SIP server. These approaches work 446 as long as the total rejection cost does not overwhelm the entire 447 server resources. In addition, whatever the actual policy is, SIP 448 servers SHOULD honor the local policy for prioritizing SIP requests 449 such as policies based on the contents of the Resource-Priority 450 Header (RPH) [RFC4412]. The RPH contents may indicate high priority 451 requests that should be preserved as much as possible, or low 452 priority requests that could be dropped during overload. Other 453 indicators, such as the SOS Uniform Resource Name (URN) [RFC5031] 454 indicating an emergency request, may also be used for prioritization. 455 SIP request rejection and message prioritization at an overloaded 456 server are also discussed in Section 5.10 of 457 [I-D.ietf-soc-overload-control] and Section 12 of [RFC6357]. 459 5. Load Control Event Package 461 The SIP load filtering mechanism uses the SIP event package for load 462 control. This section defines details of the SIP event package for 463 load control according to [RFC6665]. 465 5.1. Event Package Name 467 The name of this event package is "load-control". This name is 468 carried in the Event and Allow-Events header, as specified in 469 [RFC6665]. 471 5.2. Event Package Parameters 473 No package specific event header field parameters are defined for 474 this event package. 476 5.3. SUBSCRIBE Bodies 478 The effectiveness of SIP load filtering relies on the scope of 479 distribution and installation of the control policies in the network. 480 Since wide distribution of control policies is desirable, subscribers 481 SHOULD try to subscribe to all those notifiers with which they have 482 regular signaling exchanges, although not all such notifiers may 483 permit such a subscription. 485 A SUBSCRIBE request for the SIP load control event package MAY 486 contain a body to filter the requested load control event 487 notification. The details of the subscription filter specification 488 are not yet defined. 490 A SUBSCRIBE request sent without a body implies the default 491 subscription behavior as specified in Section 5.7. 493 5.4. SUBSCRIBE Duration 495 The default expiration time for a subscription to load control policy 496 is one hour. Since the desired expiration time may vary 497 significantly for subscriptions among SIP entities with different 498 signaling relationships, the subscribers and notifiers are 499 RECOMMENDED to explicitly negotiate appropriate subscription duration 500 when knowledge about the mutual signaling relationship is available. 502 5.5. NOTIFY Bodies 504 The body of a NOTIFY request in this event package contains load 505 control policy. As specified in [RFC6665], the format of the NOTIFY 506 body MUST be in one of the formats defined in the Accept header field 507 of the SUBSCRIBE request or be the default format. The default data 508 format for the NOTIFY body of this event package is "application/ 509 load-control+xml" (defined in Section 6). This means that if no 510 Accept header field is specified to a SUBSCRIBE request, the NOTIFY 511 request will contain a body in the "application/load-control+xml" 512 format. If the Accept header field is present, it MUST include 513 "application/load-control+xml" and MAY include any other types. 515 5.6. Notifier Processing of SUBSCRIBE Requests 517 Notifier accepts a new subscription or updates an existing 518 subscription upon receiving a valid SUBSCRIBE request. 520 If the identity of the subscriber sending the SUBSCRIBE request is 521 not allowed to receive load control policy, the notifier MUST return 522 a 403 "Forbidden" response. 524 If none of MIME types specified in the Accept header of the SUBSCRIBE 525 request is supported, the Notifier SHOULD return 406 "Not Acceptable" 526 response. 528 5.7. Notifier Generation of NOTIFY Requests 529 Following [RFC6665] specification, a notifier MUST send a NOTIFY with 530 its current load control policy to the subscriber upon successfully 531 accepting or refreshing a subscription. If no applicable restriction 532 is active when the subscription request is received, an empty message 533 body is attached to the NOTIFY request. This is often the case when 534 a subscription is initiated for the first time, e.g., when a SIP 535 entity is just introduced, because there may be no planned events 536 configured at that time. A notifier SHOULD generate NOTIFY requests 537 each time the load control policy changes, with the maximum 538 notification rate not exceeding values defined in Section 5.10. 540 5.8. Subscriber Processing of NOTIFY Requests 542 The way subscribers process NOTIFY requests depends on the contents 543 of the notifications. Typically, a load control notification 544 consists of rules that should be applied to requests matching certain 545 identities. A subscriber receiving the notification first installs 546 these rules and then filter incoming requests to enforce actions on 547 appropriate requests, for example, limiting the sending rate of call 548 requests destined for a specific SIP entity. 550 In the case when load control rules specify a future validity time, 551 it is possible that when the validity time comes, the subscription to 552 the specific notifier that conveyed the rules has expired. In this 553 case, it is RECOMMENDED that the subscriber re-activate its 554 subscription with the corresponding notifier. Regardless of whether 555 this re-activation of subscription is successful or not, when the 556 validity time is reached, the subscriber SHOULD enforce the 557 corresponding rules. 559 When enforcing actions on requests matching the filters, subscribers 560 SHOULD honor the local policy for prioritizing SIP requests such as 561 policies based on the content of RPH [RFC4412]). Specific 562 (namespace.value) RPH contents may indicate high priority requests 563 that should be preserved as much as possible during overload. The 564 RPH contents can also indicate a low-priority request that is 565 eligible to be dropped during times of overload. Other indicators, 566 such as the SOS URN [RFC5031] indicating an emergency request, may 567 also be used for prioritization. 569 Upon receipt of a NOTIFY request with a Subscription-State header 570 field containing the value "terminated", the subscription status with 571 the particular notifier will be terminated. Meanwhile, Subscribers 572 MUST also terminate previously received load control policies from 573 that notifier. 575 The subscriber SHALL discard unknown bodies. If the NOTIFY request 576 contains several bodies, none of them being supported, it SHOULD 577 unsubscribe. A NOTIFY request that does not contain a body or 578 contains an empty body indicates no filtering rules need to be 579 updated. 581 5.9. Handling of Forked Requests 583 Forking is not applicable when the load control event package is used 584 within a single-hop distance between neighboring SIP entities. If 585 the communication scope of the load control event package is among 586 multiple hops, forking is not expected to happen either because the 587 subscription request is addressed to a clearly defined SIP entity. 588 However, in the unlikely case when forking does happen, the load 589 control event package only allows the first potential dialog- 590 establishing message to create a dialog, as specified in Section 5.9 591 of [RFC6665]. 593 5.10. Rate of Notifications 595 Rate of notifications is likely not a concern for this event package 596 when it is used in a non-real-time mode for relatively static load 597 control policies. Nevertheless, if situation does arise that a 598 rather frequent load control policy update is needed, it is 599 RECOMMENDED that the notifier does not generate notifications at a 600 rate higher than once per-second in all cases, in order to avoid the 601 NOTIFY request itself overloading the system. 603 5.11. State Delta 605 It is likely that updates to specific load control events are made by 606 changing the control restriction parameter information only (e.g. 607 rate, percent), but not other rule elements, such as call-identity. 608 This will typically be because the utilization of a resource subject 609 to overload depends upon dynamic unknowns such as holding time and 610 the relative distribution of offered loads over subscribing SIP 611 entities. The updates could originate manually or be determined 612 automatically by a dynamic filter computation algorithm 613 (Section 4.2). Another factor that is usually not known precisely or 614 needs to be computed automatically is the validity duration of the 615 load control event. Therefore it would also be common for the 616 validity to change frequently. 618 This event package allows the use of state delta to accommodate 619 frequent updates of partial rule parameters. As in [RFC6665], a 620 version number that increases by exactly one is included in the 621 NOTIFY body for each NOTIFY transaction in a subscription. When the 622 subscriber receives a state delta, it associates the partial updates 623 to the particular rules by matching the appropriate rule id 624 (Section 6.5). If the subscriber receives a NOTIFY that has a 625 version number that is increased by more than one, it knows that it 626 has missed a state delta. The subscriber then keeps the version 627 number, ignores the NOTIFY request containing the state delta, and 628 re-sends a SUBSCRIBE to force a NOTIFY containing a complete state 629 snapshot. 631 6. Load Control Document 633 6.1. Format 635 A load control document is an XML document that inherits and enhances 636 the common policy document defined in [RFC4745]. A common policy 637 document contains a set of rules. Each rule consists of three parts: 638 conditions, actions and transformations. The conditions part is a 639 set of expressions containing attributes such as identity, domain, 640 and validity time information. Each expression evaluates to TRUE or 641 FALSE. Conditions are matched on "equality" or "greater than" style 642 comparison. There is no regular expression matching. Conditions are 643 evaluated on receipt of an initial SIP request for a dialog or 644 standalone transaction. If a request matches all conditions in a 645 ruleset, the action part and the transformation part are consulted to 646 determine the "permission" on how to handle the request. Each action 647 or transformation specifies a positive grant to the policy server to 648 perform the resulting actions. Well-defined mechanism are available 649 for combining actions and transformations obtained from more than one 650 sources. 652 6.2. Namespace 654 The namespace URI for elements defined by this specification is a 655 Uniform Resource Namespace (URN) ([RFC2141]), using the namespace 656 identifier 'ietf' defined by [RFC2648] and extended by [RFC3688]. 657 The URN is as follows: 659 urn:ietf:params:xml:ns:load-control 661 6.3. Conditions 663 [RFC4745] defines three condition elements: , and 664 . In this specification, we re-define an element for 665 identity, define a new element for method and reuse the 666 element. The element is not used. 668 6.3.1. Call Identity 670 Since the problem space of this specification is different from that 671 of [RFC4745], the [RFC4745] element is not sufficient for 672 use with load control. First, load control may be applied to 673 different identities contained in a request, including identities of 674 both the receiving entity and the sending entity. Second, the 675 importance of authentication varies when different identities of a 676 request are concerned. This specification defines new identity 677 conditions that can accommodate the granularity of specific SIP 678 identity header fields. The requirement for authentication depends 679 on which field is to be matched. 681 The identity condition for load control is specified by the element and its sub-element . The element 683 itself contains sub-elements representing SIP sending and receiving 684 identity header fields: , , and , each is of the same type as the element in 686 [RFC4745]. Therefore, they also inherit the sub-elements of the 687 element, including , , and . 689 The [RFC4745] and elements may contain an "id" 690 attribute, which is the URI of a single entity to be included or 691 excluded in the condition. When used in the , , and elements, this "id" value is the URI 693 contained in the corresponding SIP header field, i.e., From, To, 694 Request-URI, and P-Asserted-Identity. 696 When the element contains multiple sub- 697 elements, the result is combined using logical OR. When the , 698 , and elements contain 699 multiple or sub-elements, the result is also combined 700 using logical OR. When the sub-element further contains one 701 or more sub-elements, the result of each sub- 702 element is combined using a logical OR, similar to that of the 703 element in [RFC4745]. However, when the element 704 contains multiple of the , , and sub-elements, the result is combined using logical AND. 706 This allows the call identity to be specified by multiple fields of a 707 SIP request simultaneously, e.g., both the From and the To header 708 fields. 710 The following shows an example of the element. 712 713 714 715 716 717 718 720 722 This example matches call requests whose To header field contains the 723 SIP URI "sip:alice@hotline.example.com", or the 'tel' URI 724 "tel:+1-212-555-1234". 726 Before evaluating call-identity conditions, the subscriber shall 727 convert URIs received in SIP header fields in canonical form as per 728 [RFC3261], except that the phone-context parameter shall not be 729 removed, if present. 731 The [RFC4745] and elements may take a "domain" 732 attribute. The "domain" attribute specifies a domain name to be 733 matched by the domain part of the candidate identity. Thus, it 734 allows matching a large and possibly unknown number of entities 735 within a domain. The "domain" attribute works well for SIP URIs. 737 A URI identifying a SIP user, however, can also be a 'tel' URI. We 738 therefore need a similar way to match a group of 'tel' URIs. 739 According to [RFC3966], there are two forms of 'tel' URIs for global 740 numbers and local numbers, respectively. All phone numbers must be 741 expressed in global form when possible. The global number 'tel' URIs 742 start with a "+". The rest of the numbers are expressed as local 743 numbers, which must be qualified by a "phone-context" parameter. The 744 "phone-context" parameter may be labelled as a global number or any 745 number of its leading digits, or a domain name. Both forms of the 746 'tel' URI make the resulting URI globally unique. 748 'Tel' URIs of global numbers can be grouped by prefixes consisting of 749 any number of common leading digits. For example, a prefix formed by 750 a country code or both the country and area code identifies telephone 751 numbers within a country or an area. Since the length of the country 752 and area code for different regions are different, the length of the 753 number prefix is also variable. This allows further flexibility such 754 as grouping the numbers into sub-areas within the same area code. 755 'Tel' URIs of local numbers can be grouped by the value of the 756 "phone-context" parameter. 758 To include the two forms of 'tel' URI grouping in the and 759 elements, one approach is to add a new attribute similar to 760 the "domain" attribute. In this specification, we decided on a 761 simpler approach. There are basically two types of grouping 762 attribute values for both SIP URIs and 'tel' URIs: domain name and 763 number prefix starting with "+". Both of them can be expressed as 764 strings. Therefore, we re-interpret the existing "domain" attribute 765 of the and elements to allow it to contain both types 766 of grouping attribute values. In particular, when the "domain" 767 attribute value starts with "+", it denotes a number prefix, 768 otherwise, the value denotes a domain name. Note that the tradeoff 769 of this simpler approach is the overlap in matching different types 770 of URIs. Specifically, a domain name in the "domain" attribute could 771 be matched by both a SIP URI with that domain name and a local number 772 'tel' URI containing the same domain name in the "phone-context". On 773 the other hand, a number prefix in the "domain" attribute could be 774 matched by both global number 'tel' URIs starting with those leading 775 digits, and local number 'tel' URIs having the same prefix in the 776 "phone-context" parameter. However, when the "phone-context" 777 coincides with the SIP domain name or the global number prefix, in 778 many cases the related phone numbers indeed belong to the same domain 779 or the same area, which means the overlap is not inappropriate. It 780 should be noted that the method of grouping local numbers as defined 781 in this document does not support all cases. For example, if the 782 phone-context for short service numbers in a country is the country 783 code, this solution does not permit to define a filter that excludes 784 all E.164 numbers in that country but retain all short service 785 numbers. A complete solution for local number grouping requires a 786 separate method outside the scope of this document. 788 The following example shows the use of the re-interpreted "domain" 789 attribute. 791 792 793 794 795 796 797 798 799 800 801 802 803 805 This example matches those requests calling to the number "+1-202- 806 999-1234" but are not calling from a "+1-212" prefix or a SIP From 807 URI domain of "manhattan.example.com". 809 6.3.2. Method 811 The load created on a SIP server depends on the type of an initial 812 SIP request for a dialog or standalone transaction. The 813 element specifies the SIP method to which a particular action 814 applies. When this element is not included, the rule actions are 815 applicable to all initial methods. The applicable initial methods 816 include INVITE, MESSAGE, REGISTER, SUBSCRIBE, OPTIONS, PUBLISH 817 requests. Non-initial requests, such as ACK, BYE and CANCEL requests 818 are not subjected to load filtering. In addition, SUBSCRIBE requests 819 are not filtered if the event-type header field indicates the event 820 package defined in this document. 822 The following example shows the use of the element. 824 INVITE 826 6.3.3. Target SIP Entity 828 A SIP load filtering server may have multiple paths to route call 829 requests matching the same set of call identity elements. In those 830 situations, the filtering server may desire to take advantage of 831 alternative paths and only apply filter actions to matching outgoing 832 requests for the next hop SIP entity that originated the filter. To 833 achieve that, the filtering server needs to associate every filter 834 rule with its originating SIP entity. The 835 element is defined for that purpose and it contains the URI of the 836 entity that initiates the filter which is generally the notifier 837 itself. A notifier MAY include this element as part of the condition 838 of the filter rules being sent to the subscriber, as below. 840 sip:biloxi.example.com 842 When a filtering server receives a rule with a 843 element, it SHOULD record it and take it into consideration when 844 making filtering decisions for outgoing requests. If the filtering 845 server receives a filter that does not contain a 846 element, it MAY still record the URI of the filter's originator as 847 the information and consider it in the filtering 848 decisions. 850 The following are two examples of using the 851 element. Usecase I: the network has user A connected to SIP Proxy 852 1 (SP1), user B connected to SP3, SP1 and SP3 connected via SP2, 853 and SP2 connected to an Application Server (AS). Under normal 854 load conditions, a call from A to B is routed along the following 855 path: A-SP1-SP2-AS-SP3-B. The AS provides a non-essential service 856 and can be bypassed in case of overload. Now let's assume that AS 857 is overloaded and sends to SP2 a filter requesting that 50% of all 858 INVITE requests be dropped. SP2 can maintain AS as the for the rule so that it knows the 50% drop action is 860 only applicable to call requests that must go through AS, without 861 affecting those calls directly routed through SP3 to B. Usecase 862 II: An 800 translation service is installed on two Application 863 Servers, AS1 and AS2. User A is connected to SP1 and calls 800- 864 1234-4529, which is translated by AS1 and AS2 into a regular E164 865 number, depending on, e.g., the caller's location. SP1 forwards 866 INVITE requests with Request-URI = "800 number" to AS1 or AS2 867 based on a load balancing strategy. As calls to 800-1234-4529 868 creates a pre-overload condition in AS1, AS1 sends to SP1 a filter 869 requesting that 50% of calls towards 800-1234-4529 be rejected. 870 In this case, SP1 can maintain AS1 as the for 871 the rule, and only apply the filter on incoming requests that are 872 intended to be sent to AS1. Those requests that are sent to AS2, 873 although matching the of the filter, will not be 874 affected. 876 6.3.4. Validity 878 A rule is usually associated with a validity period condition. This 879 specification reuses the element of [RFC4745], which 880 specifies a period of validity time by pairs of and 881 sub-elements. When multiple time periods are defined, the validity 882 condition is evaluated to TRUE if the current time falls into any of 883 the specified time periods. i.e., it represents a logical OR 884 operation across all validity time periods. 886 The following example shows a element specifying a valid 887 period from 12:00 to 15:00 US Eastern Standard Time on 2008-05-31. 889 890 2008-05-31T12:00:00-05:00 891 2008-05-31T15:00:00-05:00 892 894 6.4. Actions 896 As [RFC4745] specified, conditions form the 'if'-part of rules, while 897 actions and transformations form the 'then'-part. Transformations 898 are not used in the load control document. The actions for load 899 control are defined by the element, which takes any one of 900 the three sub-elements , , and . The 901 element denotes an absolute value of the maximum acceptable request 902 rate in requests per second; the element specifies the 903 relative percentage of incoming requests that should be accepted; the 904 element describes the acceptable window size supplied by the 905 receiver, which is applicable in window-based load control. In 906 static load filter configuration scenarios, using the sub- 907 element is RECOMMENDED because it is hard to enforce the percentage 908 rate or window-based control when the incoming load from upstream or 909 the reactions from downstream are uncertain. (See 910 [I-D.ietf-soc-overload-control] [RFC6357] for more details on rate- 911 based, loss-based and window-based load control) 913 In addition, the element takes an optional "alt-action" 914 attribute which can be used to explicitly specify the desired action 915 in case a request cannot be processed. The default "alt-action" is 916 value is "reject" where the server will reject the request with a 503 917 (Service Unavailable) response message. Other possible "alt-action" 918 values include "drop" for simple drop, and "redirect" for redirecting 919 the request to another target. It should be noted that when running 920 SIP over an unreliable transport such as UDP, using the "drop" action 921 will create message retransmissions that further worsen the overload 922 situation. Therefore, any "drop" action applied to an unreliable 923 transport MUST be treated as if it were "reject". When the "alt- 924 action" value is "redirect", an "alt-target" attribute MUST be 925 defined. The "alt-target" specifies one or a list of URIs where the 926 request should be redirected. The server sends out the redirection 927 URIs in a 300-class response message. 929 In the following element example, the server accepts 930 maximum of 100 call requests per second. The remaining calls are 931 redirected to an answering machine. 933 934 936 100 937 938 940 6.5. Complete Examples 942 6.5.1. Load Control Document Examples 944 This section presents two complete examples of load control documents 945 valid with respect to the XML schema defined in Section 7. 947 The first example assumes that a set of hotlines are set up at 948 "sip:alice@hotline.example.com" and "tel:+1-212-555-1234". The 949 hotlines are activated from 12:00 to 15:00 US Eastern Standard Time 950 on 2008-05-31. The goal is to limit the incoming calls to the 951 hotlines to 100 requests per second. Calls that exceed the rate 952 limit are explicitly rejected. 954 955 959 960 961 962 963 964 965 966 967 968 969 INVITE 970 971 2008-05-31T12:00:00-05:00 972 2008-05-31T15:00:00-05:00 973 974 975 976 977 100 978 979 981 982 984 The second example considers optimizing server resource usage of a 985 three-day period during the aftermath of a hurricane. Incoming calls 986 to the hurricane domain "neworleans.example.com" will be limited to a 987 rate of 100 requests per second, except for those calls originating 988 from a particular rescue team domain "rescue.example.com". Outgoing 989 calls from the hurricane domain or calls within the local domain are 990 never limited. All calls that are throttled due to the rate limit 991 will be forwarded to an answering machine with updated hurricane 992 rescue information. 994 995 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 INVITE 1015 1016 2005-08-28T09:00:00+01:00 1017 2005-08-31T09:00:00+01:00 1018 1019 1020 1021 1023 100 1024 1025 1027 1028 1030 6.5.2. Message Flow Examples 1032 This section presents an example message flow of using the load 1033 control event package mechanism defined in this document. 1035 atlanta biloxi 1036 | F1 SUBSCRIBE | 1037 |------------------>| 1038 | F2 200 OK | 1039 |<------------------| 1040 | F3 NOTIFY | 1041 |<------------------| 1042 | F4 200 OK | 1043 |------------------>| 1045 F1 SUBSCRIBE atlanta.example.com -> biloxi.example.com 1047 SUBSCRIBE sip:biloxi.example.com SIP/2.0 1048 Via: SIP/2.0/TCP atlanta.example.com;branch=z9hG4bKy7cjbu3 1049 From: sip:atlanta.example.com;tag=162ab5 1050 To: sip:biloxi.example.com 1051 Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com 1052 CSeq: 2012 SUBSCRIBE 1053 Contact: sip:atlanta.example.com 1054 Event: load-control 1055 Max-Forwards: 70 1056 Accept: application/load-control+xml 1057 Expires: 3600 1058 Content-Length: 0 1060 F2 200 OK biloxi.example.com -> atlanta.example.com 1062 SIP/2.0 200 OK 1063 Via: SIP/2.0/TCP biloxi.example.com;branch=z9hG4bKy7cjbu3 1064 ;received=192.0.2.1 1065 To: ;tag=331dc8 1066 From: ;tag=162ab5 1067 Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com 1068 CSeq: 2012 SUBSCRIBE 1069 Expires: 3600 1070 Contact: sip:biloxi.example.com 1071 Content-Length: 0 1073 F3 NOTIFY biloxi.example.com -> atlanta.example.com 1075 NOTIFY sip:atlanta.example.com SIP/2.0 1076 Via: SIP/2.0/TCP biloxi.example.com;branch=z9hG4bKy71g2ks 1077 From: ;tag=331dc8 1078 To: ;tag=162ab5 1079 Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com 1080 Event: load-control 1081 Subscription-State: active;expires=3599 1082 Max-Forwards: 70 1083 CSeq: 1775 NOTIFY 1084 Contact: sip:biloxi.example.com 1085 Content-Type: application/load-control+xml 1086 Content-Length: ... 1088 [Load Control Document] 1090 F4 200 OK atlanta.example.com -> biloxi.example.com 1092 SIP/2.0 200 OK 1093 Via: SIP/2.0/TCP atlanta.example.com;branch=z9hG4bKy71g2ks 1094 ;received=192.0.2.2 1095 From: ;tag=331dc8 1096 To: ;tag=162ab5 1097 Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com 1098 CSeq: 1775 NOTIFY 1099 Content-Length: 0 1101 7. XML Schema Definition for Load Control 1103 This section defines the XML schema for the load control document. 1104 It extends the Common Policy schema in [RFC4745] in two ways. 1105 Firstly, it defines two mandatory attributes for the ruleset element: 1106 version and state. The version attribute allows the recipient of the 1107 notification to properly order them. Versions start at 0, and 1108 increase by one for each new document sent to a subscriber within the 1109 same subscription. Versions MUST be representable using a non- 1110 negative 32 bit integer. The state attribute indicates whether the 1111 document contains a full control policy update, or whether it 1112 contains only state delta as partial update. Secondly, it defines 1113 new members of the and elements. 1115 1116 1123 1125 1127 1128 1129 1130 1131 1132 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1150 1151 1153 1154 1155 1156 1157 1159 1160 1161 1163 1164 1165 1166 1167 1168 1169 1171 1173 1174 1175 1177 1178 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1192 1193 1195 1196 1197 1198 1199 1200 1201 1203 1204 1205 1207 1208 1210 1211 1212 1213 1215 1217 8. Related Work 1219 8.1. Relationship with Load Filtering in PSTN 1221 It is known that the existing PSTN network also uses a load filtering 1222 mechanism to prevent overload and the filter configuration is done 1223 manually except in specific cases when the Intelligent Network 1224 architecture is used [Q.1248.2][E.412]. This specification defines a 1225 SIP events framework based distribution mechanism which allows 1226 automated filter distribution in suitable environments. 1228 There are control messages associated with PSTN overload control 1229 which would specify an outgoing control list, call gap duration and 1230 control duration [Q.1248.2][E.412]. These items could be roughly 1231 correlated to the identity, action and time fields of the SIP load 1232 filter defined in this specification. However, the filter defined in 1233 this specification is much more generic and flexible as opposed to 1234 its PSTN counterpart. 1236 Firstly, PSTN load filtering only applies to telephone numbers. The 1237 SIP filter identity allows both SIP URI and telephone numbers 1238 (through Tel URI) to be specified. The identities can be arbitrarily 1239 grouped by SIP domains or any number of leading prefix of the 1240 telephone numbers. 1242 Secondly, the PSTN filtering action is usually limited to call 1243 gapping. The action field in the SIP load filter allows more 1244 flexible rate throttle and other possibilities. 1246 Thirdly, the duration field in PSTN filtering specifies a value in 1247 seconds for the control duration only, and the allowed values are 1248 mapped into a value set. The time field in the SIP load filter may 1249 specify not only a duration, but also a future activation time which 1250 could be especially useful for automating load control for 1251 predictable overloads. 1253 PSTN filtering can be performed in both edge switches and transit 1254 switches; SIP filtering can also be applied in both edge proxy 1255 servers and core proxy servers, and even in capable user agents. 1257 PSTN overload control also has special accommodation for High 1258 Probability of Completion (HPC) calls, which would be similar to the 1259 calls designated by the SIP Resource Priority Headers [RFC4412]. SIP 1260 filtering mechanism can also prioritize the treatment of these calls 1261 by specifying favorable actions for these calls. 1263 PSTN filtering also provides administrative option for routing failed 1264 call attempts to either a reorder tone [E.300SerSup3] indicating 1265 overload conditions, or a special recorded announcement. Similar 1266 capability can be provided in the SIP filtering mechanism by 1267 specifying the appropriate "alt-action" attribute in the SIP 1268 filtering action field. 1270 8.2. Relationship with Other IETF SIP Load Control Efforts 1272 The load filtering rules in this specification consists of identity, 1273 action and time. The identity can range from a single specific user 1274 to an arbitrary user aggregate, domains or areas. The user can be 1275 identified by either the source or the destination. When the user is 1276 identified by the source and a favorable action is specified, the 1277 result is to some extent similar to identifying a priority user based 1278 on authorized Resource Priority Headers [RFC4412] in the requests. 1279 Specifying a source user identity with an unfavorable action would 1280 cause an effect to some extent similar to an inverse SIP resource 1281 priority mechanism. 1283 The load filter defined in this specification is generic and expected 1284 to be applicable not only to the load filtering mechanism but also to 1285 the feedback overload control mechanism in 1286 [I-D.ietf-soc-overload-control]. In particular, both mechanisms 1287 could use specific or wildcard filter identities for load control and 1288 could share well-known load control actions. The time duration field 1289 in the load filter could also be used in both mechanisms. As 1290 mentioned in Section 1, the load filter distribution mechanism and 1291 the feedback overload control mechanism address complementary areas 1292 in the load control problem space. Load filtering is more proactive 1293 and focuses on distributing the filter towards the source of the 1294 traffic; the hop-by-hop feedback based approach is reactive and 1295 targets more at traffic already accepted in the network. Therefore, 1296 they could also make different use of the generic filter components. 1297 For example, the load filtering mechanism may use the time field in 1298 the filter to specify not only a control duration but also a future 1299 activation time to accommodate a predicable overload such as the one 1300 caused by Mother's Day greetings or a viewer-voting program; the 1301 feedback-based control might not need to use the time field or might 1302 use the time field to specify an immediate control duration. 1304 9. Discussion of this specification meeting the requirements of RFC5390 1306 This section evaluates whether the load control event package defined 1307 in this specification satisfies the various SIP overload control 1308 requirements set forth by RFC5390 [RFC5390]. Not all RFC5390 1309 requirements are found applicable due to the scope of this document. 1310 Therefore, we categorize the assessment results into Yes (meet the 1311 requirement), P/A (partially applicable), No (must be used in 1312 conjunction with another mechanism to meet the requirement), and N/A 1313 (not applicable). 1315 REQ 1: The overload mechanism shall strive to maintain the overall 1316 useful throughput (taking into consideration the quality-of- 1317 service needs of the using applications) of a SIP server at 1318 reasonable levels, even when the incoming load on the network is 1319 far in excess of its capacity. The overall throughput under load 1320 is the ultimate measure of the value of an overload control 1321 mechanism. 1323 P/A. The goal of the load filtering is to prevent overload or 1324 maintain overall goodput during the time of overload, but it is 1325 dependent on the advance predictions of the load. If the predictions 1326 are incorrect, in either direction, the effectiveness of the 1327 mechanism will be affected. 1329 REQ 2: When a single network element fails, goes into overload, or 1330 suffers from reduced processing capacity, the mechanism should 1331 strive to limit the impact of this on other elements in the 1332 network. This helps to prevent a small-scale failure from 1333 becoming a widespread outage. 1335 N/A if filter values are installed in advance and do not change 1336 during the potential overload period. P/A if filter values are 1337 dynamically adjusted due to the specific filter computation 1338 algorithm. The dynamic filter computation algorithm is outside the 1339 scope of this specification, while the distribution of the updated 1340 filters uses the event package mechanism of this specification. 1342 REQ 3: The mechanism should seek to minimize the amount of 1343 configuration required in order to work. For example, it is 1344 better to avoid needing to configure a server with its SIP message 1345 throughput, as these kinds of quantities are hard to determine. 1347 No. This mechanism is entirely dependent on advance configuration, 1348 based on advance knowledge. In order to satisfy Req 3, it should be 1349 used in conjunction with other mechanisms which are not based on 1350 advance configuration. 1352 REQ 4: The mechanism must be capable of dealing with elements that 1353 do not support it, so that a network can consist of a mix of 1354 elements that do and don't support it. In other words, the 1355 mechanism should not work only in environments where all elements 1356 support it. It is reasonable to assume that it works better in 1357 such environments, of course. Ideally, there should be 1358 incremental improvements in overall network throughput as 1359 increasing numbers of elements in the network support the 1360 mechanism. 1362 No. This mechanism is entirely dependent on the participation of all 1363 possible neighbors. In order to satisfy Req 4, it should be used in 1364 conjunction with other mechanisms, some of which are described in 1365 Section 4.4. 1367 REQ 5: The mechanism should not assume that it will only be 1368 deployed in environments with completely trusted elements. It 1369 should seek to operate as effectively as possible in environments 1370 where other elements are malicious; this includes preventing 1371 malicious elements from obtaining more than a fair share of 1372 service. 1374 No. This mechanism is entirely dependent on the non-malicious 1375 participation of all possible neighbors. In order to satisfy Req 5, 1376 it should be used in conjunction with other mechanisms, some of which 1377 are described in Section 4.4. 1379 REQ 6: When overload is signaled by means of a specific message, 1380 the message must clearly indicate that it is being sent because of 1381 overload, as opposed to other, non overload-based failure 1382 conditions. This requirement is meant to avoid some of the 1383 problems that have arisen from the reuse of the 503 response code 1384 for multiple purposes. Of course, overload is also signaled by 1385 lack of response to requests. This requirement applies only to 1386 explicit overload signals. 1388 N/A. This mechanism signals anticipated overload, not actual 1389 overload. However the signals in this mechanism are not used for any 1390 other purpose. 1392 REQ 7: The mechanism shall provide a way for an element to 1393 throttle the amount of traffic it receives from an upstream 1394 element. This throttling shall be graded so that it is not all- 1395 or-nothing as with the current 503 mechanism. This recognizes the 1396 fact that "overload" is not a binary state and that there are 1397 degrees of overload. 1399 Yes. This event package allows rate/loss/windows-based overload 1400 control options as discussed in Section 6.4. 1402 REQ 8: The mechanism shall ensure that, when a request was not 1403 processed successfully due to overload (or failure) of a 1404 downstream element, the request will not be retried on another 1405 element that is also overloaded or whose status is unknown. This 1406 requirement derives from REQ 1. 1408 N/A to the load control event package itself. 1410 REQ 9: That a request has been rejected from an overloaded element 1411 shall not unduly restrict the ability of that request to be 1412 submitted to and processed by an element that is not overloaded. 1413 This requirement derives from REQ 1. 1415 Yes. For example, the load filter [Section 4.1] allows the inclusion 1416 of alternative forwarding destinations for rejected requests. 1418 REQ 10: The mechanism should support servers that receive requests 1419 from a large number of different upstream elements, where the set 1420 of upstream elements is not enumerable. 1422 No. Because this mechanism requires advance configuration of 1423 specifically identified neighbors, it does not support environments 1424 where the number and identity of the upstream neighbors are not known 1425 in advance. In order to satisfy Req 10, it should be used in 1426 conjunction with other mechanisms. 1428 REQ 11: The mechanism should support servers that receive requests 1429 from a finite set of upstream elements, where the set of upstream 1430 elements is enumerable. 1432 Yes. See also answer to REQ 10. 1434 REQ 12: The mechanism should work between servers in different 1435 domains. 1437 Yes. The load control event package is not limited by domain 1438 boundaries. However, it is likely more applicable in intra-domain 1439 scenarios than in inter-domain scenarios due to security and other 1440 concerns (See also Section 4.4). 1442 REQ 13: The mechanism must not dictate a specific algorithm for 1443 prioritizing the processing of work within a proxy during times of 1444 overload. It must permit a proxy to prioritize requests based on 1445 any local policy, so that certain ones (such as a call for 1446 emergency services or a call with a specific value of the 1447 Resource-Priority header field [RFC4412]) are given preferential 1448 treatment, such as not being dropped, being given additional 1449 retransmission, or being processed ahead of others. 1451 P/A. This mechanism does not specifically address the prioritizing of 1452 work during times of overload. But it does not preclude any 1453 particular local policy. 1455 REQ 14: The mechanism should provide unambiguous directions to 1456 clients on when they should retry a request and when they should 1457 not. This especially applies to TCP connection establishment and 1458 SIP registrations, in order to mitigate against avalanche restart. 1460 N/A to the load control event package itself. 1462 REQ 15: In cases where a network element fails, is so overloaded 1463 that it cannot process messages, or cannot communicate due to a 1464 network failure or network partition, it will not be able to 1465 provide explicit indications of the nature of the failure or its 1466 levels of congestion. The mechanism must properly function in 1467 these cases. 1469 P/A. Because the filters are provisioned in advance, they are not 1470 affected by the overload or failure of other nodes. But, on the 1471 other hand, they may not, in those cases, be able to protect the 1472 overloaded node (see Req 1). 1474 REQ 16: The mechanism should attempt to minimize the overhead of 1475 the overload control messaging. 1477 Yes. The standardized SIP event package mechanism [RFC6665] is used. 1479 REQ 17: The overload mechanism must not provide an avenue for 1480 malicious attack, including DoS and DDoS attacks. 1482 P/A. This mechanism does provide a potential avenue for malicious 1483 attacks. Therefore the security mechanisms for SIP event packages in 1484 general [RFC6665] and of section 10 of this specification should be 1485 used. 1487 REQ 18: The overload mechanism should be unambiguous about whether 1488 a load indication applies to a specific IP address, host, or URI, 1489 so that an upstream element can determine the load of the entity 1490 to which a request is to be sent. 1492 Yes. The identity of load indication is covered in the filter format 1493 definition in Section 4.1. 1495 REQ 19: The specification for the overload mechanism should give 1496 guidance on which message types might be desirable to process over 1497 others during times of overload, based on SIP-specific 1498 considerations. For example, it may be more beneficial to process 1499 a SUBSCRIBE refresh with Expires of zero than a SUBSCRIBE refresh 1500 with a non-zero expiration (since the former reduces the overall 1501 amount of load on the element), or to process re-INVITEs over new 1502 INVITEs. 1504 N/A to the load control event package itself. 1506 REQ 20: In a mixed environment of elements that do and do not 1507 implement the overload mechanism, no disproportionate benefit 1508 shall accrue to the users or operators of the elements that do not 1509 implement the mechanism. 1511 No. This mechanism is entirely dependent on the participation of all 1512 possible neighbors. In order to satisfy Req 20, it should be used in 1513 conjunction with other mechanisms, some of which are described in 1514 Section 4.4. 1516 REQ 21: The overload mechanism should ensure that the system 1517 remains stable. When the offered load drops from above the 1518 overall capacity of the network to below the overall capacity, the 1519 throughput should stabilize and become equal to the offered load. 1521 N/A to the load control event package itself. 1523 REQ 22: It must be possible to disable the reporting of load 1524 information towards upstream targets based on the identity of 1525 those targets. This allows a domain administrator who considers 1526 the load of their elements to be sensitive information, to 1527 restrict access to that information. Of course, in such cases, 1528 there is no expectation that the overload mechanism itself will 1529 help prevent overload from that upstream target. 1531 N/A to the load control event package itself. 1533 REQ 23: It must be possible for the overload mechanism to work in 1534 cases where there is a load balancer in front of a farm of 1535 proxies. 1537 Yes. The load control event package does not preclude its use in a 1538 scenario with server farms. 1540 10. Security Considerations 1542 Two aspects of security considerations arise from this specification. 1543 One is the SIP event framework based filter distribution mechanism, 1544 the other is the filter enforcement mechanism. 1546 Security considerations for SIP event framework based mechanisms are 1547 covered in Section 6 of [RFC6665]. A particularly relevant security 1548 concern for this event package is that if the notifiers can be 1549 spoofed, attackers can send fake notifications asking subscribers to 1550 throttle all traffic, leading to Denial-of-Service attacks. 1551 Therefore, all load control notification MUST be authenticated and 1552 authorized before being accepted. Standard authentication and 1553 authorization mechanisms recommended in [RFC3261] such as TLS 1554 [RFC5246] and IPSec [RFC4301] may serve this purpose. On the other 1555 hand, if a legitimate notifier is itself compromised, additional 1556 mechanisms will be needed to detect the attack. 1558 Security considerations for filter enforcement vary depending on the 1559 filter itself. This specification defines possible filter match of 1560 the following SIP header fields: , , and 1561 . The exact requirement to authenticate and 1562 authorize these fields is up to the service provider. In general, if 1563 the identity field represents the source of the request, it SHOULD be 1564 authenticated and authorized; if the identity field represents the 1565 destination of the request, the authentication and authorization is 1566 optional. 1568 11. IANA Considerations 1570 This specification registers a SIP event package, a new MIME type, a 1571 new XML namespace, and a new XML schema. 1573 11.1. Load Control Event Package Registration 1575 This section registers an event package based on the registration 1576 procedures defined in [RFC6665]. 1578 Package name: load-control 1580 Type: package 1582 Published specification: This specification 1584 Person to contact: Charles Shen, charles@cs.columbia.edu 1586 11.2. application/load-control+xml MIME Registration 1588 This section registers a new MIME type based on the procedures 1589 defined in [RFC4288] and guidelines in [RFC3023]. 1591 MIME media type name: application 1593 MIME subtype name: load-control+xml 1595 Mandatory parameters: none 1597 Optional parameters: Same as charset parameter application/xml in 1598 [RFC3023] 1600 Encoding considerations: Same as encoding considerations of 1601 application/xml in [RFC3023] 1603 Security considerations: See Section 10 of [RFC3023] and Section 10 1604 of this specification 1606 Interoperability considerations: None 1608 Published Specification: This specification 1610 Applications which use this media type: load control of SIP entities 1612 Additional information: 1614 Magic number: None 1616 File extension: .xml 1618 Macintosh file type code: 'TEXT' 1620 Personal and email address for further information: 1622 Charles Shen, charles@cs.columbia.edu 1624 Intended usage: COMMON 1625 Author/Change Controller: IETF SOC Working Group 1626 , as designated by the IESG 1628 11.3. Load Control Schema Registration 1630 URI: urn:ietf:params:xml:schema:load-control 1632 Registrant Contact: IETF SOC working group, Charles Shen 1633 (charles@cs.columbia.edu). 1635 XML: the XML schema to be registered is contained in Section 7. 1637 Its first line is 1639 1641 and its last line is 1643 1645 12. Acknowledgements 1647 The authors would like to thank Bruno Chatras, Martin Dolly, Keith 1648 Drage, Ashutosh Dutta, Janet Gunn, Vijay Gurbani, Volker Hilt, Geoff 1649 Hunt, Carolyn Johnson, Hadriel Kaplan, Paul Kyzivat, Salvatore 1650 Loreto, Timothy Moran, Eric Noel, Parthasarathi R, Adam Roach, Shida 1651 Schubert, Robert Sparks, Phil Williams and other members of the SOC 1652 and SIPPING working group for many helpful comments. In particular, 1653 Bruno Chatras proposed the and condition 1654 elements along with many other text improvements. Janet Gunn 1655 provided detailed text suggestions for Section 9. Eric Noel 1656 suggested clarification on filter distribution initialization 1657 process. Shida Schubert made many suggestions about terminology 1658 usage. Phil Williams suggested adding support for delta updates. 1659 Ashutosh Dutta gave pointers to PSTN references. Adam Roach 1660 suggested RFC6665-related and other helpful clarifications. 1662 13. References 1664 13.1. Normative References 1666 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1667 Requirement Levels", BCP 14, RFC 2119, March 1997. 1669 [RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997. 1671 [RFC3023] Murata, M., St. Laurent, S., and D. Kohn, "XML Media 1672 Types", RFC 3023, January 2001. 1674 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 1675 A., Peterson, J., Sparks, R., Handley, M., and E. 1676 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 1677 June 2002. 1679 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 1680 January 2004. 1682 [RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", 1683 RFC 3966, December 2004. 1685 [RFC4288] Freed, N. and J. Klensin, "Media Type Specifications and 1686 Registration Procedures", BCP 13, RFC 4288, December 2005. 1688 [RFC4745] Schulzrinne, H., Tschofenig, H., Morris, J., Cuellar, J., 1689 Polk, J., and J. Rosenberg, "Common Policy: A Document 1690 Format for Expressing Privacy Preferences", RFC 4745, 1691 February 2007. 1693 [RFC6665] Roach, A., "SIP-Specific Event Notification", RFC 6665, 1694 July 2012. 1696 13.2. Informative References 1698 [E.300SerSup3] 1699 ITU-T, "North American Precise Audible Tone Plan", E.300 1700 Series Supplement 3 , November 1988. 1702 [E.412] ITU-T, "Network Management Controls", E.412-2003 , 1703 January 2003. 1705 [I-D.ietf-soc-overload-control] 1706 Gurbani, V., Hilt, V., and H. Schulzrinne, "Session 1707 Initiation Protocol (SIP) Overload Control", 1708 draft-ietf-soc-overload-control-09 (work in progress), 1709 July 2012. 1711 [Q.1248.2] 1712 ITU-T, "Interface Recommendation for Intelligent Network 1713 Capability Set4:SCF-SSF interface", Q.1248.2 , July 2001. 1715 [RFC2648] Moats, R., "A URN Namespace for IETF Documents", RFC 2648, 1716 August 1999. 1718 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 1719 Internet Protocol", RFC 4301, December 2005. 1721 [RFC4412] Schulzrinne, H. and J. Polk, "Communications Resource 1722 Priority for the Session Initiation Protocol (SIP)", 1723 RFC 4412, February 2006. 1725 [RFC4825] Rosenberg, J., "The Extensible Markup Language (XML) 1726 Configuration Access Protocol (XCAP)", RFC 4825, May 2007. 1728 [RFC5031] Schulzrinne, H., "A Uniform Resource Name (URN) for 1729 Emergency and Other Well-Known Services", RFC 5031, 1730 January 2008. 1732 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 1733 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 1735 [RFC5390] Rosenberg, J., "Requirements for Management of Overload in 1736 the Session Initiation Protocol", RFC 5390, December 2008. 1738 [RFC6357] Hilt, V., Noel, E., Shen, C., and A. Abdelal, "Design 1739 Considerations for Session Initiation Protocol (SIP) 1740 Overload Control", RFC 6357, August 2011. 1742 Authors' Addresses 1744 Charles Shen 1745 Columbia University 1746 Department of Computer Science 1747 1214 Amsterdam Avenue, MC 0401 1748 New York, NY 10027 1749 USA 1751 Phone: +1 212 854 3109 1752 Email: charles@cs.columbia.edu 1754 Henning Schulzrinne 1755 Columbia University 1756 Department of Computer Science 1757 1214 Amsterdam Avenue, MC 0401 1758 New York, NY 10027 1759 USA 1761 Phone: +1 212 939 7004 1762 Email: schulzrinne@cs.columbia.edu 1763 Arata Koike 1764 NTT Service Integration Labs 1765 3-9-11 Midori-cho Musashino-shi 1766 Tokyo, 184-0013 1767 Japan 1769 Phone: +81 422 59 6099 1770 Email: koike.arata@lab.ntt.co.jp