idnits 2.17.1 draft-ietf-soc-load-control-event-package-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 13, 2013) is 4055 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2141 (Obsoleted by RFC 8141) ** Obsolete normative reference: RFC 3023 (Obsoleted by RFC 7303) == Outdated reference: A later version (-15) exists of draft-ietf-soc-overload-control-12 -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IETF SOC Working Group C. Shen 3 Internet-Draft H. Schulzrinne 4 Intended status: Standards Track Columbia U. 5 Expires: September 14, 2013 A. Koike 6 NTT 7 March 13, 2013 9 A Session Initiation Protocol (SIP) Load Control Event Package 10 draft-ietf-soc-load-control-event-package-08.txt 12 Abstract 14 We define a load control event package for the Session Initiation 15 Protocol (SIP). It allows SIP entities to distribute load filtering 16 policies to other SIP entities in the network. The load filtering 17 policies contain rules to throttle calls based on their source or 18 destination domain, telephone number prefix or for a specific user. 19 The mechanism helps to prevent signaling overload and complements 20 feedback-based SIP overload control efforts. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on September 14, 2013. 39 Copyright Notice 41 Copyright (c) 2013 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 57 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5 58 3. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 59 4. Design Requirements . . . . . . . . . . . . . . . . . . . . . 6 60 5. SIP Load Filtering Overview . . . . . . . . . . . . . . . . . 6 61 5.1. Load Filtering Policy Format . . . . . . . . . . . . . . 6 62 5.2. Load Filtering Policy Computation . . . . . . . . . . . . 7 63 5.3. Load Filtering Policy Distribution . . . . . . . . . . . 7 64 5.4. Applicability in Different Network Environments . . . . . 10 65 6. Load Control Event Package . . . . . . . . . . . . . . . . . 11 66 6.1. Event Package Name . . . . . . . . . . . . . . . . . . . 11 67 6.2. Event Package Parameters . . . . . . . . . . . . . . . . 11 68 6.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . 11 69 6.4. SUBSCRIBE Duration . . . . . . . . . . . . . . . . . . . 12 70 6.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 12 71 6.6. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 12 72 6.7. Notifier Generation of NOTIFY Requests . . . . . . . . . 12 73 6.8. Subscriber Processing of NOTIFY Requests . . . . . . . . 13 74 6.9. Handling of Forked Requests . . . . . . . . . . . . . . . 14 75 6.10. Rate of Notifications . . . . . . . . . . . . . . . . . . 14 76 6.11. State Delta . . . . . . . . . . . . . . . . . . . . . . . 14 77 7. Load Control Document . . . . . . . . . . . . . . . . . . . . 15 78 7.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . 15 79 7.2. Namespace . . . . . . . . . . . . . . . . . . . . . . . . 15 80 7.3. Conditions . . . . . . . . . . . . . . . . . . . . . . . 16 81 7.3.1. Call Identity . . . . . . . . . . . . . . . . . . . . 16 82 7.3.2. Method . . . . . . . . . . . . . . . . . . . . . . . 19 83 7.3.3. Target SIP Entity . . . . . . . . . . . . . . . . . . 19 84 7.3.4. Validity . . . . . . . . . . . . . . . . . . . . . . 20 85 7.4. Actions . . . . . . . . . . . . . . . . . . . . . . . . . 21 86 7.5. Complete Examples . . . . . . . . . . . . . . . . . . . . 22 87 7.5.1. Load Control Document Examples . . . . . . . . . . . 22 88 7.5.2. Message Flow Examples . . . . . . . . . . . . . . . . 24 89 8. XML Schema Definition for Load Control . . . . . . . . . . . 25 90 9. Related Work . . . . . . . . . . . . . . . . . . . . . . . . 28 91 9.1. Relationship with Load Filtering in PSTN . . . . . . . . 28 92 9.2. Relationship with Other IETF SIP Overload Control Efforts 29 93 10. Discussion of this specification meeting the requirements of 94 RFC5390 . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 95 11. Security Considerations . . . . . . . . . . . . . . . . . . . 34 96 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35 97 12.1. Load Control Event Package Registration . . . . . . . . 35 98 12.2. application/load-control+xml MIME Registration . . . . . 35 99 12.3. Load Control Schema Registration . . . . . . . . . . . . 36 100 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 37 101 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 37 102 14.1. Normative References . . . . . . . . . . . . . . . . . . 37 103 14.2. Informative References . . . . . . . . . . . . . . . . . 38 104 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39 106 1. Introduction 108 Proper functioning of Session Initiation Protocol (SIP) [RFC3261] 109 signaling servers is critical in SIP-based communications networks. 110 The performance of SIP servers can be severely degraded when the 111 server is overloaded with excessive number of signaling requests. 112 Both legitimate and malicious traffic can overload SIP servers, 113 despite appropriate capacity planning. 115 There are three common examples of legitimate short-term increases in 116 call volumes. Viewer-voting TV shows or ticket giveaways may 117 generate millions of calls within a few minutes. Call volume may 118 also spike during special holidays such as New Year's Day and 119 Mother's Day. Finally, callers may want to reach friends and family 120 in natural disaster areas such as those affected by hurricanes. When 121 possible, only calls traversing overloaded servers should be 122 throttled under those conditions. 124 SIP load control mechanisms are needed to prevent congestion collapse 125 in these cases [RFC5390]. There are two types of load control 126 approaches. In the first approach, feedback control, SIP servers 127 provide load limits to upstream servers, to reduce the incoming rate 128 of all SIP requests [I-D.ietf-soc-overload-control]. These upstream 129 servers then drop or delay incoming SIP requests. Feedback control 130 is reactive and affects signaling messages that have already been 131 issued by user agent clients. They work well when SIP proxy servers 132 in the core networks (core proxy servers) or destination-specific SIP 133 proxy servers in the edge networks (edge proxy servers) are 134 overloaded. By their nature, they need to distribute rate, drop or 135 window information to all upstream SIP proxy servers and normally 136 affect all calls equally, regardless of destination. For example, in 137 the ticket giveaway case, almost all calls to the hotline will fail 138 at the core proxy servers; if the edge proxy servers leading to the 139 core proxy servers are also overloaded, calls to other destinations 140 will also be rejected or dropped. 142 Here, we propose an additional, complementary load control mechanism, 143 called load filtering. Network operators create load filtering 144 policies that indicate calls to specific destinations or from 145 specific sources should be rate-limited or randomly dropped. These 146 load filtering policies are then distributed to SIP servers and 147 possibly SIP user agents that are likely to generate calls to the 148 affected destinations or from the affected sources. Load filtering 149 works best if it prevents calls as close to the originating user 150 agent clients as possible. 152 The load filtering approach is most applicable for situations where a 153 traffic surge and its source/destination distribution can be 154 predicted in advance. For instance, it is appropriate for a mass- 155 phone-voting event, Mother's Day, New Year's Day, and even a 156 hurricane. However, it is less likely to be effective for the 157 initial phase of unpredicted/unpredictable mass calling events, such 158 as earthquakes or terrorist attacks. In these latter cases, the 159 local traffic load may peak by more than an order of magnitude in 160 minutes, if not seconds. This does not allow time to either 161 effectively identify the load filtering policies needed, nor 162 distribute them to the appropriate servers soon enough to prevent 163 server congestion. Once other, more immediate, techniques (such as 164 the loss-based or rate-based load feedback control methods) have 165 prevented the initial congestion collapse, the load filtering 166 approach can be used to effectively control the continuing overload. 168 Performing SIP load filtering involves the following components of 169 load filtering policies: format definition, computation, distribution 170 and enforcement. This specification defines the load filtering 171 policy, distribution and enforcement in the SIP load control event 172 package built upon existing SIP event notification framework. 173 However, load filtering policy computation is out of scope of this 174 specification, because it depends heavily on the actual network 175 topology and other service provider policies. 177 It should be noted that although the SIP load filtering mechanism is 178 motivated by the SIP overload control problem, which is why this 179 specification refers extensively to parallel SIP overload control 180 related efforts, the applicability of SIP load filtering extends 181 beyond the overload control purpose. For example, it can also be 182 used to implement quality of service or other service level agreement 183 commitments. Therefore, we use the term "load control event 184 package", instead of a narrower term "overload control event 185 package". 187 The rest of this specification is structured as follows: we begin by 188 listing the design requirements for this work in Section 4. We then 189 give an overview of load filtering operation in Section 5. The load 190 control event package for load filtering policy distribution is 191 detailed in Section 6. The load filtering policy format is defined 192 in the two sections that follow, with Section 7 introducing the XML 193 document for load filtering policies and Section 8 listing the 194 associated schema. Section 9 relates this work to corresponding 195 mechanisms in PSTN and other IETF efforts addressing SIP overload 196 control. Section 10 evaluates whether this specification meets the 197 SIP overload control requirements set forth by RFC5390 [RFC5390]. 198 Finally, Section 11 presents security considerations and Section 12 199 provides IANA considerations. 201 2. Conventions 203 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 204 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 205 document are to be interpreted as described in [RFC2119]. 207 3. Definitions 209 This specification reuses the definitions for "Event Package", 210 "Notification", "Notifier", "Subscriber", "Subscription" as in 211 [RFC6665]. The following additional definitions are also used. 213 Load Filtering: A load control mechanism which applies specific 214 actions to selected loads (e.g., SIP requests) matching specific 215 conditions. 217 Load Filtering Policy: A set of zero or more load filtering rules, 218 also known as load filtering rule set. 220 Load Filtering Rule: Conditions and actions to be applied for load 221 filtering. 223 Load Filtering Condition: Elements that describe how to select loads 224 to apply load filtering actions. This specification defines the 225 "call identity", "method", "target SIP identity", and "validity" 226 condition elements (Section 7.3). 228 Load Filtering Action: An operation to be taken by a load filtering 229 server on loads that match the load filtering conditions. This 230 specification allows actions such as accept, reject and redirect 231 of loads (Section 7.4). 233 Load Filtering Server: A server which performs load filtering. In 234 the context of this specification, the load filtering server is 235 the subscriber, which receives load filtering policies from the 236 notifier and enforces those policies during load filtering. 238 Load Control Document: An XML document that describes the load 239 filtering policies (Section 7). It inherits and enhances the 240 common policy document defined in [RFC4745]. 242 4. Design Requirements 244 The SIP load filtering mechanism needs to satisfy the following 245 requirements: 247 o To simplify the solution, we focus on a method for controlling SIP 248 load, rather than a generic application-layer mechanism. 250 o The load filtering policy needs to be distributed efficiently to 251 possibly a large subset of all SIP elements. 253 o The solution should re-use existing SIP protocol mechanisms to 254 reduce implementation and deployment complexity. 256 o For predictable overload situations, such as holidays and mass 257 calling events, the load filtering policy should specify during 258 what time it is to be applied, so that the information can be 259 distributed ahead of time. 261 o For destination-specific overload situations, the load filtering 262 policy should be able to describe the destination domain or the 263 callee. 265 o To address accidental and intentional high-volume call generators, 266 the load filtering policy should be able to specify the caller. 268 o Caller and callee need to be specified as both SIP URIs and 'Tel' 269 URIs [RFC3966] in load filtering policies. 271 o It should be possible to specify particular information in the SIP 272 headers (e.g., prefixes in telephone numbers) which allow load 273 filtering over limited regionally-focused overloads. 275 o The solution should draw upon experiences from related PSTN 276 mechanisms where applicable. 278 o The solution should be extensible to meet future needs. 280 5. SIP Load Filtering Overview 282 5.1. Load Filtering Policy Format 284 Load filtering policies are specified by sets of rules. Each rule 285 contains both load filtering conditions and actions. The load 286 filtering conditions define identities of the targets to be 287 filtered(Section 7.3.1). For example, there are two typical resource 288 limits in a possible overload situation, i.e., human destination 289 limits (N number of call takers) and node capacity limits. The load 290 filtering targets in these two cases can be the specific callee 291 numbers or the destination domain corresponding to the overload. 292 Load filtering conditions also indicate the specific message type to 293 be matched (Section 7.3.2), with which target SIP entity the 294 filtering policy is associated (Section 7.3.3) and the period of time 295 when the filtering policy should be activated and deactivated 296 (Section 7.3.4). Load filtering actions describe the desired control 297 functions such as limiting the request rate below a certain level 298 (Section 7.4). 300 5.2. Load Filtering Policy Computation 302 Computing the load filtering policies needs to take into 303 consideration information such as overload time, scope and network 304 topology, as well as service policies. It is also important to make 305 sure that there is no resource allocation loop, and that server 306 capacity is allocated in a way which both prevents overload and 307 maximizes effective throughput (aka goodput). In some cases, in 308 order to better utilize system resources, it may be preferable to 309 employ an algorithm which dynamically computes the load filtering 310 policies based on currently observed server load status, rather than 311 using a purely static filtering policy assignment. The computation 312 algorithm for load filtering policies is out of scope of this 313 specification. 315 5.3. Load Filtering Policy Distribution 317 For load filtering policy distribution, this specification defines 318 the SIP event package for load control, which is an "instantiation" 319 of the generic SIP event notification framework [RFC6665]. The SIP 320 event notification framework provides an existing method for SIP 321 entities to subscribe to and receive notifications when certain 322 events occur. Such a framework forms a scalable event distribution 323 architecture that suits our needs. This specification also defines 324 XML schema of a load control document (Section 7), which is used to 325 encode load filtering policies. 327 In order for load filtering policies to be properly distributed, each 328 capable SIP entity in the network SHOULD subscribe to the SIP load 329 control event package from all its outgoing signaling neighbors, 330 known as notifiers (Section 6.6). Subscription is initiated and 331 maintained during normal server operation. Signaling neighbors are 332 discovered by sending signaling messages. For instance, if A sends 333 signaling requests to B, B is an outgoing signaling neighbor of A. A 334 needs to subscribe to the load control event package of B in case B 335 wants to curb requests from A. On the other hand, if B also sends 336 signaling requests to A, then B also needs to subscribe to A. The 337 subscription of neighboring SIP entities needs to be persistent so 338 that it is in place independently of any specific events requiring 339 load filtering. Key to this is the fact that following initial 340 subscription, the notifier sends a notification without a body if no 341 load filtering policy is defined (Section 6.7), and that the 342 subscription needs to be refreshed periodically to make it 343 persistent, as described in Section 4.1 and Section 4.2 of [RFC6665]. 344 The notifier will send a notification to its subscribers each time a 345 new subscription or a subscription refresh is accepted (Section 6.7). 346 The notification request includes in its body the current load 347 filtering policies (Section 7.1) from the notifier. If no such load 348 filtering policy exists, the notification request is sent without a 349 body. The subscribers MAY terminate the subscription if it no longer 350 considers the notifiers as its signaling neighbor, e.g., after an 351 extended period of absence of signaling message exchange. However, 352 if after un-subscribing, the subscriber determines that signaling 353 with the notifier becomes active again, it MUST immediately subscribe 354 to that notifier again. 356 We use the example architecture shown in Figure 1 to illustrate load 357 filtering policy distribution based on the SIP load control event 358 package mechanism. This scenario consists of two networks belonging 359 to Service Provider A and Service Provider B, respectively. Each 360 provider's network is made up of two SIP core proxy servers and four 361 SIP edge proxy servers. The core proxy servers and edge proxy 362 servers of Service Provider A are denoted as CPa1 to CPa2 and EPa1 to 363 EPa4; the core proxy servers and edge proxy servers of Service 364 Provider B are denoted as CPb1 to CPb2 and EPb1 to EPb4. 366 +-----------+ +-----------+ +-----------+ +-----------+ 367 | | | | | | | | 368 | EPa1 | | EPa2 | | EPa3 | | EPa4 | 369 | | | | | | | | 370 +-----------+ +-----------+ +-----------+ +-----------+ 371 \ / \ / 372 \ / \ / 373 \ / \ / 374 +-----------+ +-----------+ 375 | | | | 376 | CPa1 |------------------| CPa2 | 377 | | | | 378 +-----------+ +-----------+ 379 | | 380 Service | | 381 Provider A | | 382 | | 383 ================================================================= 384 | | 386 Service | | 387 Provider B | | 388 | | 389 +-----------+ +-----------+ 390 | | | | 391 | CPb1 |------------------| CPb2 | 392 | | | | 393 +-----------+ +-----------+ 394 / \ / \ 395 / \ / \ 396 / \ / \ 397 +-----------+ +-----------+ +-----------+ +-----------+ 398 | | | | | | | | 399 | EPb1 | | EPb2 | | EPb3 | | EPb4 | 400 | | | | | | | | 401 +-----------+ +-----------+ +-----------+ +-----------+ 403 Figure 1: Example Network Scenario Using SIP Load Control Event 404 Package Mechanism 406 At initialization stage, the proxy servers first identify all their 407 outgoing signaling neighbors and subscribe to them. The neighbor 408 identification process can be performed by service providers through 409 direct provisioning, or by the proxy servers themselves via 410 progressive learning from the signaling messages sent and received. 411 Assuming all signaling relationships in Figure 1 are bi-directional, 412 after this initialization stage, each proxy server will be subscribed 413 to all its neighbors. That is, EPa1 subscribes to CPa1; CPa1 414 subscribes to EPa1, EPa2, CPa2 and CPb1, so on and so forth. The 415 following cases then show two examples of how load filtering policy 416 distribution in this network works. 418 Case I: EPa1 serves a TV program hotline and decides to limit the 419 total number of incoming calls to the hotline to prevent an overload. 420 To do so, EPa1 sends a notification to CPa1 with the specific hotline 421 number, time of activation and total acceptable call rate. Depending 422 on the load filtering policy computation algorithm, CPa1 may allocate 423 the received total acceptable call rate among its neighbors, namely, 424 EPa2, CPa2, and CPb1, and notify them about the resulting allocation 425 along with the hotline number and the activation time. CPa2 and CPb1 426 may perform further allocation among their own neighbors and notify 427 the corresponding proxy servers. This process continues until all 428 edge proxy servers in the network have been informed about the event 429 and have proper load filtering policy configured. 431 In the above case, the network entity where load filtering policy is 432 first introduced is the SIP server providing access to the resource 433 that creates the overload situation. In other cases, the network 434 entry point of introducing load filtering policy could also be an 435 entity that hosts this resource. For example, an operator may host 436 an application server that performs 800 number translation services. 437 The application server may itself be a SIP proxy server or a SIP 438 Back-to-Back User Agent (B2BUA). If one of the 800 numbers hosted at 439 the application server creates the overload condition, the load 440 filtering policies can be introduced from the application server and 441 then propagated to other SIP proxy servers in the network. 443 Case II: a hurricane affects the region covered by CPb2, EPb3 and 444 EPb4. All these three SIP proxy servers are overloaded. The rescue 445 team determines that outbound calls are more valuable than inbound 446 calls in this specific situation. Therefore, EPb3 and EPb4 are 447 configured with load filtering policies to accept more outbound calls 448 than inbound calls. CPb2 may be configured the same way or receive 449 dynamically computed load filtering policies from EPb3 and EPb4. 450 Depending on the load filtering policy computation algorithm, CPb2 451 may also send out notifications to its outside neighbors, namely CPb1 452 and CPa2, specifying a limit on the acceptable rate of inbound calls 453 to CPb2's responsible domain. CPb1 and CPa2 may subsequently notify 454 their neighbors about limiting the calls to CPb2's area. The same 455 process could continue until all edge proxy servers are notified and 456 have load filtering policies configured. 458 Note that this specification does not define the provisioning 459 interface between the party who determines the load filtering policy 460 and the network entry point where the policy is introduced. One of 461 the options for the provisioning interface is the Extensible Markup 462 Language (XML) Configuration Access Protocol (XCAP) [RFC4825]. 464 5.4. Applicability in Different Network Environments 466 SIP load filtering is more effective when the filtering policies can 467 be pushed to the proximity of signaling sources. But even if only 468 part of the signaling path towards the signaling source could be 469 covered, use of this mechanism can still be beneficial. In fact, due 470 to possibly sophisticated call routing and security concerns, trying 471 to apply automated load filtering policy distribution in the entire 472 inter-domain network path could get extremely complicated and be 473 unrealistic. 475 The scenarios where this mechanism could be most useful are 476 environments consisting of servers with secure and trust relationship 477 and with relatively straightforward routing configuration known to 478 the load filtering policy computation algorithm. These scenarios may 479 include intra-domain environments such as those inside a service 480 provider or enterprise domain; inter-domain environments such as 481 enterprise connecting to a few service providers or between service 482 providers with manageable routing configurations. 484 Another important aspect that affects the applicability of SIP load 485 filtering is that all neighbors that are possible signaling sources 486 need to participate and enforce the designated load filtering 487 policies. Otherwise, a single non-conforming neighbor could make the 488 whole filtering efforts useless by pumping in excessive traffic to 489 overload the server. Therefore, the SIP server that distributes load 490 filtering policies needs to take counter-measures towards any non- 491 conforming neighbors. A simple method is to reject excessive 492 requests with 503 (Service Unavailable) response messages as if they 493 were obeying the rate. Considering the rejection costs, a more 494 complicated but fairer method would be to allocate at the overloaded 495 server the same amount of processing to the combination of both 496 normal processing and rejection as the overloaded server would devote 497 to processing requests for a conforming upstream SIP server. These 498 approaches work as long as the total rejection cost does not 499 overwhelm the entire server resources. In addition, SIP servers need 500 to handle message prioritization properly while performing load 501 filtering, which is described in Section 6.8. 503 6. Load Control Event Package 505 The SIP load filtering mechanism defines a load control event package 506 for SIP based on [RFC6665]. 508 6.1. Event Package Name 510 The name of this event package is "load-control". This name is 511 carried in the Event and Allow-Events header, as specified in 512 [RFC6665]. 514 6.2. Event Package Parameters 516 No package specific event header field parameters are defined for 517 this event package. 519 6.3. SUBSCRIBE Bodies 521 The effectiveness of SIP load filtering relies on the scope of 522 distribution and installation of the filtering policies in the 523 network. Since wide distribution of load filtering policies is 524 desirable, subscribers SHOULD try to subscribe to all those notifiers 525 with which they have regular signaling exchanges, although not all 526 such notifiers may permit such subscription. 528 A SUBSCRIBE request sent without a body implies the default 529 subscription behavior as specified in Section 6.7. 531 6.4. SUBSCRIBE Duration 533 The default expiration time for a subscription to load filtering 534 policy is one hour. Since the desired expiration time may vary 535 significantly for subscriptions among SIP entities with different 536 signaling relationships, the subscribers and notifiers are 537 RECOMMENDED to explicitly negotiate appropriate subscription duration 538 when knowledge about the mutual signaling relationship is available. 540 6.5. NOTIFY Bodies 542 The body of a NOTIFY request in this event package contains load 543 filtering policies. The format of the NOTIFY request body MUST be in 544 one of the formats defined in the Accept header field of the 545 SUBSCRIBE request or be the default format, as specified in 546 [RFC6665]. The default data format for the NOTIFY request body of 547 this event package is "application/load-control+xml" (defined in 548 Section 7). This means that when NOTIFY request body exists but no 549 Accept header field is specified in a SUBSCRIBE request, the NOTIFY 550 request body will contain "application/load-control+xml" format. If 551 NOTIFY request body exists and the Accept header field is present in 552 a SUBSCRIBE request, the NOTIFY request body MUST include 553 "application/load-control+xml" format and MAY include any other 554 formats. 556 6.6. Notifier Processing of SUBSCRIBE Requests 558 The notifier accepts a new subscription or updates an existing 559 subscription upon receiving a valid SUBSCRIBE request. 561 If the identity of the subscriber sending the SUBSCRIBE request is 562 not allowed to receive load filtering policy, the notifier MUST 563 return a 403 "Forbidden" response. 565 If none of MIME types specified in the Accept header of the SUBSCRIBE 566 request is supported, the notifier SHOULD return 406 "Not Acceptable" 567 response. 569 6.7. Notifier Generation of NOTIFY Requests 571 A notifier MUST send a NOTIFY request with its current load filtering 572 policy to the subscriber upon successfully accepting or refreshing a 573 subscription. If no load filtering policy needs to be distributed 574 when the subscription is received, the notifier SHOULD sent a NOTIFY 575 request without body to the subscriber. The content-type header 576 field of this NOTIFY request MUST indicate the correct body format as 577 if the body were present (e.g., "application/load-control+xml"). 578 Sending this NOTIFY request without body is often the case when a 579 subscription is initiated for the first time, e.g., when a SIP entity 580 is just introduced, because there may be no planned events that 581 require load filtering at that time. A notifier SHOULD generate 582 NOTIFY requests each time the load filtering policy changes, with the 583 maximum notification rate not exceeding values defined in 584 Section 6.10. 586 6.8. Subscriber Processing of NOTIFY Requests 588 The subscriber is the load filtering server which enforces load 589 filtering policies received from the notifier. The way subscribers 590 process NOTIFY requests depends on the load filtering policies 591 conveyed in the notifications. Typically, load filtering policies 592 consist of rules specifying actions to be applied to requests 593 matching certain conditions. A subscriber receiving a notification 594 first installs these rules and then enforce corresponding actions on 595 requests matching those conditions, for example, limiting the sending 596 rate of call requests destined for a specific callee. 598 In the case when load filtering policies specify a future validity, 599 it is possible that when the validity time comes, the subscription to 600 the specific notifier that conveyed the rules has expired. In this 601 case, it is RECOMMENDED that the subscriber re-activate its 602 subscription with the corresponding notifier. Regardless of whether 603 this re-activation of subscription is successful or not, when the 604 validity time is reached, the subscriber SHOULD enforce the 605 corresponding rules. 607 Upon receipt of a NOTIFY request with a Subscription-State header 608 field containing the value "terminated", the subscription status with 609 the particular notifier will be terminated. Meanwhile, subscribers 610 MUST also terminate previously received load filtering policies from 611 that notifier. 613 The subscriber SHOULD discard unknown bodies. If the NOTIFY request 614 contains several bodies, none of them being supported, it SHOULD 615 unsubscribe. A NOTIFY request without a body indicates that no load 616 filtering policies need to be updated. 618 When the subscriber enforces load filtering policies, it needs to 619 prioritize requests and select those requests that need to be 620 rejected or redirected. This selection is largely a matter of local 621 policy. It is expected that the subscriber will follow local policy 622 as long as the result in reduction of traffic is consistent with the 623 overload algorithm in effect at that node. Accordingly, the 624 normative behavior in the next three paragraphs should be interpreted 625 with the understanding that the subscriber will aim to preserve local 626 policy to the fullest extent possible. 628 o The subscriber SHOULD honor the local policy for prioritizing SIP 629 requests such as policies based on message type, e.g., INVITEs 630 versus requests associated with existing sessions. 632 o The subscriber SHOULD honor the local policy for prioritizing SIP 633 requests based on the content of the Resource-Priority header 634 (RPH, [RFC4412]). Specific (namespace.value) RPH contents may 635 indicate high priority requests that should be preserved as much 636 as possible during overload. The RPH contents can also indicate a 637 low-priority request that is eligible to be dropped during times 638 of overload. 640 o The subscriber SHOULD honor the local policy for prioritizing SIP 641 requests relating to emergency calls as identified by the SOS URN 642 [RFC5031] indicating an emergency request. 644 A local policy can be expected to combine both the SIP request type 645 and the prioritization markings, and SHOULD be honored when overload 646 conditions prevail. 648 6.9. Handling of Forked Requests 650 Forking is not applicable when this load control event package 651 mechanism is used within a single-hop distance between neighboring 652 SIP entities. If communication scope of the load control event 653 package mechanism is among multiple hops, forking is not expected to 654 happen either because the subscription request is addressed to a 655 clearly defined SIP entity. However, in the unlikely case when 656 forking does happen, the load control event package only allows the 657 first potential dialog-establishing message to create a dialog, as 658 specified in Section 5.9 of [RFC6665]. 660 6.10. Rate of Notifications 662 Rate of notifications is likely not a concern for this local control 663 event package mechanism when it is used in a non-real-time mode for 664 relatively static load filtering policies. Nevertheless, if 665 situation does arise that a rather frequent load filtering policy 666 update is needed, it is RECOMMENDED that the notifier do not generate 667 notifications at a rate higher than once per-second in all cases, in 668 order to avoid the NOTIFY request itself overloading the system. 670 6.11. State Delta 671 It is likely that updates to specific load filtering policies are 672 made by changing only part of the policy parameters only (e.g. 673 acceptable request rate or percentage, but not matching identities). 674 This will typically be because the utilization of a resource subject 675 to overload depends upon dynamic unknowns such as holding time and 676 the relative distribution of offered loads over subscribing SIP 677 entities. The updates could originate manually or be determined 678 automatically by an algorithm that dynamically computes the load 679 filtering policies (Section 5.2). Another factor that is usually not 680 known precisely or needs to be computed automatically is the duration 681 of the event requiring load filtering. Therefore it would also be 682 common for the validity to change frequently. 684 This event package allows the use of state delta as in [RFC6665] to 685 accommodate frequent updates of partial policy parameters. For each 686 NOTIFY transaction in a subscription, a version number that increases 687 by exactly one MUST be included in the NOTIFY request body when the 688 body is present. When the subscriber receives a state delta, it 689 associates the partial updates to the particular policy by matching 690 the appropriate rule id (Section 7.5). If the subscriber receives a 691 NOTIFY request with a version number that is increased by more than 692 one, it knows that it has missed a state delta and needs to ask for a 693 full state snapshot. Therefore, the subscriber ignores that NOTIFY 694 request containing the state delta, and re-sends a SUBSCRIBE request 695 to force a NOTIFY request containing a complete state snapshot. 697 7. Load Control Document 699 7.1. Format 701 A load control document is an XML document that describes the load 702 filtering policies. It inherits and enhances the common policy 703 document defined in [RFC4745]. A common policy document contains a 704 set of rules. Each rule consists of three parts: conditions, actions 705 and transformations. The conditions part is a set of expressions 706 containing attributes such as identity, domain, and validity time 707 information. Each expression evaluates to TRUE or FALSE. Conditions 708 are matched on "equality" or "greater than" style comparison. There 709 is no regular expression matching. Conditions are evaluated on 710 receipt of an initial SIP request for a dialog or standalone 711 transaction. If a request matches all conditions in a rule set, the 712 action part and the transformation part are consulted to determine 713 the "permission" on how to handle the request. Each action or 714 transformation specifies a positive grant to the policy server to 715 perform the resulting actions. Well-defined mechanism are available 716 for combining actions and transformations obtained from more than one 717 sources. 719 7.2. Namespace 721 The namespace URI for elements defined by this specification is a 722 Uniform Resource Namespace (URN) ([RFC2141]), using the namespace 723 identifier 'ietf' defined by [RFC2648] and extended by [RFC3688]. 724 The URN is as follows: 726 urn:ietf:params:xml:ns:load-control 728 7.3. Conditions 730 [RFC4745] defines three condition elements: , and 731 . In this specification, we re-define an element for 732 identity, define a new element for method and reuse the 733 element. The element is not used. 735 7.3.1. Call Identity 737 Since the problem space of this specification is different from that 738 of [RFC4745], the [RFC4745] element is not sufficient for 739 use with load filtering. First, load filtering may be applied to 740 different identities contained in a request, including identities of 741 both the receiving entity and the sending entity. Second, the 742 importance of authentication varies when different identities of a 743 request are concerned. This specification defines new identity 744 conditions that can accommodate the granularity of specific SIP 745 identity header fields. The requirement for authentication depends 746 on which field is to be matched. 748 The identity condition for load filtering is specified by the element and its sub-element . The element 750 itself contains sub-elements representing SIP sending and receiving 751 identity header fields: , , and , each is of the same type as the element in 753 [RFC4745]. Therefore, they also inherit the sub-elements of the 754 element, including , , and . 756 The [RFC4745] and elements may contain an "id" 757 attribute, which is the URI of a single entity to be included or 758 excluded in the condition. When used in the , , and elements, this "id" value is the URI 760 contained in the corresponding SIP header field, i.e., From, To, 761 Request-URI, and P-Asserted-Identity. 763 When the element contains multiple sub- 764 elements, the result is combined using logical OR. When the , 765 , and elements contain 766 multiple or sub-elements, the result is also combined 767 using logical OR. When the sub-element further contains one 768 or more sub-elements, the result of each sub- 769 element is combined using a logical OR, similar to that of the 770 element in [RFC4745]. However, when the element 771 contains multiple of the , , and sub-elements, the result is combined using logical AND. 773 This allows the call identity to be specified by multiple fields of a 774 SIP request simultaneously, e.g., both the From and the To header 775 fields. 777 The following shows an example of the element, which 778 matches call requests whose To header field contains the SIP URI 779 "sip:alice@hotline.example.com", or the 'tel' URI 780 "tel:+1-212-555-1234". 782 783 784 785 786 787 788 789 791 Before evaluating call-identity conditions, the subscriber shall 792 convert URIs received in SIP header fields in canonical form as per 793 [RFC3261], except that the phone-context parameter shall not be 794 removed, if present. 796 The [RFC4745] and elements may take a "domain" 797 attribute. The "domain" attribute specifies a domain name to be 798 matched by the domain part of the candidate identity. Thus, it 799 allows matching a large and possibly unknown number of entities 800 within a domain. The "domain" attribute works well for SIP URIs. 802 A URI identifying a SIP user, however, can also be a 'tel' URI. We 803 therefore need a similar way to match a group of 'tel' URIs. 804 According to [RFC3966], there are two forms of 'tel' URIs for global 805 numbers and local numbers, respectively. All phone numbers must be 806 expressed in global form when possible. The global number 'tel' URIs 807 start with a "+". The rest of the numbers are expressed as local 808 numbers, which must be qualified by a "phone-context" parameter. The 809 "phone-context" parameter may be labelled as a global number or any 810 number of its leading digits, or a domain name. Both forms of the 811 'tel' URI make the resulting URI globally unique. 813 'Tel' URIs of global numbers can be grouped by prefixes consisting of 814 any number of common leading digits. For example, a prefix formed by 815 a country code or both the country and area code identifies telephone 816 numbers within a country or an area. Since the length of the country 817 and area code for different regions are different, the length of the 818 number prefix also varies. This allows further flexibility such as 819 grouping the numbers into sub-areas within the same area code. 'Tel' 820 URIs of local numbers can be grouped by the value of the "phone- 821 context" parameter. 823 To include the two forms of 'tel' URI grouping in the and 824 elements, one approach is to add a new attribute similar to 825 the "domain" attribute. In this specification, we decide on a 826 simpler approach. There are basically two types of grouping 827 attribute values for both SIP URIs and 'tel' URIs: domain name and 828 number prefix starting with "+". Both of them can be expressed as 829 strings. Therefore, we re-interpret the existing "domain" attribute 830 of the and elements to allow it to contain both types 831 of grouping attribute values. In particular, when the "domain" 832 attribute value starts with "+", it denotes a number prefix, 833 otherwise, the value denotes a domain name. Note that the tradeoff 834 of this simpler approach is the overlap in matching different types 835 of URIs. Specifically, a domain name in the "domain" attribute could 836 be matched by both a SIP URI with that domain name and a local number 837 'tel' URI containing the same domain name in the "phone-context". On 838 the other hand, a number prefix in the "domain" attribute could be 839 matched by both global number 'tel' URIs starting with those leading 840 digits, and local number 'tel' URIs having the same prefix in the 841 "phone-context" parameter. However, when the "phone-context" 842 coincides with the SIP domain name or the global number prefix, in 843 many cases the related phone numbers indeed belong to the same domain 844 or the same area, which means the overlap is not inappropriate. It 845 should be noted that the method of grouping local numbers as defined 846 in this specification does not support all cases. For example, if 847 the phone-context for short service numbers in a country is the 848 country code, this solution does not permit the definition of a load 849 filtering policy that excludes all E.164 numbers in that country but 850 retains all short service numbers. A complete solution for local 851 number grouping requires a separate method outside the scope of this 852 document. 854 The following example shows the use of the re-interpreted "domain" 855 attribute. It matches those requests calling to the number 856 "+1-202-999-1234" but are not calling from a "+1-212" prefix or a SIP 857 From URI domain of "manhattan.example.com". 859 860 861 862 863 864 865 866 867 868 869 870 871 873 7.3.2. Method 875 The load created on a SIP server depends on the type of initial SIP 876 requests for dialogs or standalone transactions. The 877 element specifies the SIP method to which the load filtering action 878 applies. When this element is not included, the load filtering 879 actions are applicable to all applicable initial requests. These 880 requests include INVITE, MESSAGE, REGISTER, SUBSCRIBE, OPTIONS, and 881 PUBLISH. Non-initial requests, such as ACK, BYE and CANCEL are not 882 subjected to load filtering. In addition, SUBSCRIBE requests are not 883 filtered if the event-type header field indicates the event package 884 defined in this specification. 886 The following example shows the use of the element in the 887 case the filtering actions should be applied to INVITE requests. 889 INVITE 891 7.3.3. Target SIP Entity 893 A SIP server that performs load filtering may have multiple paths to 894 route call requests matching the same set of call identity elements. 895 In those situations, the SIP load filtering server may desire to take 896 advantage of alternative paths and only apply load filtering actions 897 to matching requests for the next hop SIP entity that originated the 898 corresponding load filtering policy. To achieve that, the SIP load 899 filtering server needs to associate every load filtering policy with 900 its originating SIP entity. The element is 901 defined for that purpose and it contains the URI of the entity that 902 initiated the load filtering policy, which is generally the 903 corresponding notifier. A notifier MAY include this element as part 904 of the condition of its filtering policy being sent to the 905 subscriber, as below. 907 sip:biloxi.example.com 909 When a SIP load filtering server receives a policy with a element, it SHOULD record it and take it into 911 consideration when making load filtering decisions. If the load 912 filtering server receives a load filtering policy that does not 913 contain a element, it MAY still record the URI of 914 the load filtering policy's originator as the 915 information and consider it when making load filtering decisions. 917 The following are two examples of using the 918 element. Usecase I: the network has user A connected to SIP Proxy 919 1 (SP1), user B connected to SIP Proxy 3 (SP3), SP1 and SP3 920 connected via SIP Proxy 2 (SP2), and SP2 connected to an 921 Application Server (AS). Under normal load conditions, a call 922 from A to B is routed along the following path: A-SP1-SP2-AS- 923 SP3-B. The AS provides a non-essential service and can be 924 bypassed in case of overload. Now let's assume that AS is 925 overloaded and sends to SP2 a load filtering policy requesting 926 that 50% of all INVITE requests be dropped. SP2 can maintain AS 927 as the for that policy so that it knows the 928 50% drop action is only applicable to call requests that must go 929 through AS, without affecting those calls directly routed through 930 SP3 to B. Usecase II: An 800 translation service is installed on 931 two Application Servers, AS1 and AS2. User A is connected to SP1 932 and calls 800-1234-4529, which is translated by AS1 and AS2 into a 933 regular E.164 number depending on, e.g., the caller's location. 934 SP1 forwards INVITE requests with Request-URI = "800 number" to 935 AS1 or AS2 based on a load balancing strategy. As calls to 936 800-1234-4529 creates a pre-overload condition in AS1, AS1 sends 937 to SP1 a load filtering policy requesting that 50% of calls 938 towards 800-1234-4529 be rejected. In this case, SP1 can maintain 939 AS1 as the for the rule, and only apply the 940 load filtering policy on incoming requests that are intended to be 941 sent to AS1. Those requests that are sent to AS2, although 942 matching the of the filter, will not be affected. 944 7.3.4. Validity 946 A filtering policy is usually associated with a validity period 947 condition. This specification reuses the element of 948 [RFC4745], which specifies a period of validity time by pairs of 949 and sub-elements. When multiple time periods are 950 defined, the validity condition is evaluated to TRUE if the current 951 time falls into any of the specified time periods. i.e., it 952 represents a logical OR operation across all validity time periods. 954 The following example shows a element specifying a valid 955 period from 12:00 to 15:00 US Eastern Standard Time on 2008-05-31. 957 958 2008-05-31T12:00:00-05:00 959 2008-05-31T15:00:00-05:00 960 962 7.4. Actions 964 The actions a load filtering server takes on loads matching the load 965 filtering conditions are defined by the element in the load 966 filtering policy, which includes any one of the three sub-elements 967 , , and . The element denotes an absolute 968 value of the maximum acceptable request rate in requests per second; 969 the element specifies the relative percentage of incoming 970 requests that should be accepted; the element describes the 971 acceptable window size supplied by the receiver, which is applicable 972 in window-based load filtering. In static load filtering policy 973 configuration scenarios, using the sub-element is RECOMMENDED 974 because it is hard to enforce the percentage rate or window-based 975 load filtering when incoming load from upstream or reactions from 976 downstream are uncertain. (See [I-D.ietf-soc-overload-control] 977 [RFC6357] for more details on rate-based, loss-based and window-based 978 load control.) 980 In addition, the element takes an optional "alt-action" 981 attribute which can be used to explicitly specify the desired action 982 in case a request cannot be processed. The default "alt-action" 983 value is "reject" where the load filtering server will reject the 984 request with a 503 (Service Unavailable) response message. Other 985 possible "alt-action" values include "drop" for simple drop, and 986 "redirect" for redirecting the request to another target. It should 987 be noted that when running SIP over an unreliable transport such as 988 UDP, using the "drop" action will create message retransmissions that 989 further worsen the possible overload situation. Therefore, any 990 "drop" action applied to an unreliable transport MUST be treated as 991 if it were "reject". When the "alt-action" value is "redirect", an 992 "alt-target" attribute MUST be defined. The "alt-target" specifies 993 one URI or a list of URIs where the request should be redirected. 994 The server sends out the redirect URIs in a 300-class response 995 message. 997 In the following element example, the server accepts 998 maximum of 100 call requests per second. The remaining calls are 999 redirected to an answering machine. 1001 1002 1004 100 1005 1006 1008 7.5. Complete Examples 1010 7.5.1. Load Control Document Examples 1012 This section presents two complete examples of load control documents 1013 valid with respect to the XML schema defined in Section 8. 1015 The first example assumes that a set of hotlines are set up at 1016 "sip:alice@hotline.example.com" and "tel:+1-212-555-1234". The 1017 hotlines are activated from 12:00 to 15:00 US Eastern Standard Time 1018 on 2008-05-31. The goal is to limit the incoming calls to the 1019 hotlines to 100 requests per second. Calls that exceed the rate 1020 limit are explicitly rejected. 1022 1023 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 INVITE 1038 1039 2008-05-31T12:00:00-05:00 1040 2008-05-31T15:00:00-05:00 1041 1042 1043 1044 1045 100 1046 1047 1049 1050 1052 The second example considers optimizing server resource usage of a 1053 three-day period during the aftermath of a hurricane. Incoming calls 1054 to the hurricane domain "newyork.example.com" will be limited to a 1055 rate of 100 requests per second, except for those calls originating 1056 from a particular rescue team domain "rescue.example.com". Outgoing 1057 calls from the hurricane domain or calls within the local domain are 1058 never limited. All calls that are throttled due to the rate limit 1059 will be forwarded to an answering machine with updated hurricane 1060 rescue information. 1062 1063 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 INVITE 1083 1084 2012-10-25T09:00:00+01:00 1085 2012-10-28T09:00:00+01:00 1086 1087 1088 1089 1091 100 1092 1093 1095 1096 1098 7.5.2. Message Flow Examples 1100 This section presents an example message flow of using the load 1101 control event package mechanism defined in this specification. 1103 atlanta biloxi 1104 | F1 SUBSCRIBE | 1105 |------------------>| 1106 | F2 200 OK | 1107 |<------------------| 1108 | F3 NOTIFY | 1109 |<------------------| 1110 | F4 200 OK | 1111 |------------------>| 1113 F1 SUBSCRIBE atlanta.example.com -> biloxi.example.com 1115 SUBSCRIBE sip:biloxi.example.com SIP/2.0 1116 Via: SIP/2.0/TCP atlanta.example.com;branch=z9hG4bKy7cjbu3 1117 From: sip:atlanta.example.com;tag=162ab5 1118 To: sip:biloxi.example.com 1119 Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com 1120 CSeq: 2012 SUBSCRIBE 1121 Contact: sip:atlanta.example.com 1122 Event: load-control 1123 Max-Forwards: 70 1124 Accept: application/load-control+xml 1125 Expires: 3600 1126 Content-Length: 0 1128 F2 200 OK biloxi.example.com -> atlanta.example.com 1130 SIP/2.0 200 OK 1131 Via: SIP/2.0/TCP biloxi.example.com;branch=z9hG4bKy7cjbu3 1132 ;received=192.0.2.1 1133 To: ;tag=331dc8 1134 From: ;tag=162ab5 1135 Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com 1136 CSeq: 2012 SUBSCRIBE 1137 Expires: 3600 1138 Contact: sip:biloxi.example.com 1139 Content-Length: 0 1141 F3 NOTIFY biloxi.example.com -> atlanta.example.com 1143 NOTIFY sip:atlanta.example.com SIP/2.0 1144 Via: SIP/2.0/TCP biloxi.example.com;branch=z9hG4bKy71g2ks 1145 From: ;tag=331dc8 1146 To: ;tag=162ab5 1147 Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com 1148 Event: load-control 1149 Subscription-State: active;expires=3599 1150 Max-Forwards: 70 1151 CSeq: 1775 NOTIFY 1152 Contact: sip:biloxi.example.com 1153 Content-Type: application/load-control+xml 1154 Content-Length: ... 1156 [Load Control Document] 1158 F4 200 OK atlanta.example.com -> biloxi.example.com 1160 SIP/2.0 200 OK 1161 Via: SIP/2.0/TCP atlanta.example.com;branch=z9hG4bKy71g2ks 1162 ;received=192.0.2.2 1163 From: ;tag=331dc8 1164 To: ;tag=162ab5 1165 Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com 1166 CSeq: 1775 NOTIFY 1167 Content-Length: 0 1169 8. XML Schema Definition for Load Control 1171 This section defines the XML schema for the load control document. 1172 It extends the Common Policy schema in [RFC4745] in two ways. 1173 Firstly, it defines two mandatory attributes for the 1174 element: version and state. The version attribute allows the 1175 recipient of the notification to properly order them. Versions start 1176 at 0, and increase by one for each new document sent to a subscriber 1177 within the same subscription. Versions MUST be representable using a 1178 non-negative 32 bit integer. The state attribute indicates whether 1179 the document contains a full load filtering policy update, or whether 1180 it contains only state delta as partial update. Secondly, it defines 1181 new members of the and elements. 1183 1184 1191 1193 1195 1196 1197 1198 1199 1200 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1217 1219 1220 1222 1223 1224 1225 1226 1228 1229 1230 1232 1233 1234 1235 1236 1237 1238 1240 1242 1243 1244 1246 1247 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1261 1262 1264 1265 1266 1267 1268 1269 1270 1272 1273 1274 1276 1277 1279 1280 1281 1282 1284 1286 9. Related Work 1288 9.1. Relationship with Load Filtering in PSTN 1290 It is known that existing PSTN network also uses a load filtering 1291 mechanism to prevent overload and the filtering policy configuration 1292 is done manually except in specific cases when the Intelligent 1293 Network architecture is used [Q.1248.2][E.412]. This specification 1294 defines a load filtering mechanism based on the SIP event 1295 notification framework that allows automated filtering policy 1296 distribution in suitable environments. 1298 There are control messages associated with PSTN overload control 1299 which would specify an outgoing control list, call gap duration and 1300 control duration [Q.1248.2][E.412]. These items could be roughly 1301 correlated to the identity, action and time fields of the SIP load 1302 filtering policy defined in this specification. However, the load 1303 filtering policy defined in this specification is much more generic 1304 and flexible as opposed to its PSTN counterpart. 1306 Firstly, PSTN load filtering only applies to telephone numbers. The 1307 identity element of SIP load filtering policy allows both SIP URI and 1308 telephone numbers (through Tel URI) to be specified. These 1309 identities can be arbitrarily grouped by SIP domains or any number of 1310 leading prefix of the telephone numbers. 1312 Secondly, the PSTN load filtering action is usually limited to call 1313 gapping. The action field in SIP load filtering policy allows more 1314 flexible possibilities such as rate throttle and others. 1316 Thirdly, the duration field in PSTN load filtering specifies a value 1317 in seconds for the load filtering duration only, and the allowed 1318 values are mapped into a value set. The time field in SIP load 1319 filtering policy may specify not only a duration, but also a future 1320 activation time which could be especially useful for automating load 1321 filtering for predictable overloads. 1323 PSTN load filtering can be performed in both edge switches and 1324 transit switches; SIP load filtering can also be applied in both edge 1325 proxy servers and core proxy servers, and even in capable user 1326 agents. 1328 PSTN load filtering also has special accommodation for High 1329 Probability of Completion (HPC) calls, which would be similar to 1330 calls designated by the SIP Resource Priority Headers [RFC4412]. SIP 1331 load filtering mechanism also allows prioritizing the treatment of 1332 these calls by specifying favorable actions for them. 1334 PSTN load filtering also provides administrative option for routing 1335 failed call attempts to either a reorder tone [E.300SerSup3] 1336 indicating overload conditions, or a special recorded announcement. 1337 Similar capability can be provided in SIP load filtering mechanism by 1338 specifying appropriate "alt-action" attribute in the SIP load 1339 filtering action field. 1341 9.2. Relationship with Other IETF SIP Overload Control Efforts 1343 The load filtering policies in this specification consist of 1344 identity, action and time. The identity can range from a single 1345 specific user to an arbitrary user aggregate, domains or areas. The 1346 user can be identified by either the source or the destination. When 1347 the user is identified by the source and a favorable action is 1348 specified, the result is to some extent similar to identifying a 1349 priority user based on authorized Resource Priority Headers [RFC4412] 1350 in the requests. Specifying a source user identity with an 1351 unfavorable action would cause an effect to some extent similar to an 1352 inverse SIP resource priority mechanism. 1354 The load filtering policy defined in this specification is generic 1355 and expected to be applicable not only to the load filtering 1356 mechanism but also to the feedback overload control mechanism in 1357 [I-D.ietf-soc-overload-control]. In particular, both mechanisms 1358 could use specific or wildcard identities for load control and could 1359 share well-known load control actions. The time duration field in 1360 the load filtering policy could also be used in both mechanisms. As 1361 mentioned in Section 1, the load filtering policy distribution 1362 mechanism and the feedback overload control mechanism address 1363 complementary areas in the overload control problem space. Load 1364 filtering is more proactive and focuses on distributing filtering 1365 policies towards the source of the traffic; the hop-by-hop feedback- 1366 based approach is reactive and targets more at traffic already 1367 accepted in the network. Therefore, they could also make different 1368 use of the generic load filtering policy components. For example, 1369 the load filtering mechanism may use the time field in the filtering 1370 policy to specify not only a control duration but also a future 1371 activation time to accommodate a predicable overload such as the one 1372 caused by Mother's Day greetings or a viewer-voting program; the 1373 feedback-based control might not need to use the time field or might 1374 use the time field to specify an immediate load control duration. 1376 10. Discussion of this specification meeting the requirements of 1377 RFC5390 1379 This section evaluates whether the load control event package 1380 mechanism defined in this specification satisfies various SIP 1381 overload control requirements set forth by RFC5390 [RFC5390]. Not 1382 all RFC5390 requirements are found applicable due to the scope of 1383 this specification. Therefore, we categorize the assessment results 1384 into Yes (meet the requirement), P/A (Partially Applicable), No (must 1385 be used in conjunction with another mechanism to meet the 1386 requirement), and N/A (Not Applicable). 1388 REQ 1: The overload mechanism shall strive to maintain the overall 1389 useful throughput (taking into consideration the quality-of- 1390 service needs of the using applications) of a SIP server at 1391 reasonable levels, even when the incoming load on the network is 1392 far in excess of its capacity. The overall throughput under load 1393 is the ultimate measure of the value of an overload control 1394 mechanism. 1396 P/A. The goal of the load filtering is to prevent overload or 1397 maintain overall goodput during the time of overload, but it is 1398 dependent on the advance predictions of the load. If the predictions 1399 are incorrect, in either direction, the effectiveness of the 1400 mechanism will be affected. 1402 REQ 2: When a single network element fails, goes into overload, or 1403 suffers from reduced processing capacity, the mechanism should 1404 strive to limit the impact of this on other elements in the 1405 network. This helps to prevent a small-scale failure from 1406 becoming a widespread outage. 1408 N/A if load filtering policies are installed in advance and do not 1409 change during the potential overload period. P/A if load filtering 1410 policies are dynamically adjusted. The algorithm to dynamically 1411 compute load filtering policies is outside the scope of this 1412 specification, while the distribution of the updated filtering 1413 policies uses the event package mechanism of this specification. 1415 REQ 3: The mechanism should seek to minimize the amount of 1416 configuration required in order to work. For example, it is 1417 better to avoid needing to configure a server with its SIP message 1418 throughput, as these kinds of quantities are hard to determine. 1420 No. This mechanism is entirely dependent on advance configuration, 1421 based on advance knowledge. In order to satisfy Req 3, it should be 1422 used in conjunction with other mechanisms which are not based on 1423 advance configuration. 1425 REQ 4: The mechanism must be capable of dealing with elements that 1426 do not support it, so that a network can consist of a mix of 1427 elements that do and don't support it. In other words, the 1428 mechanism should not work only in environments where all elements 1429 support it. It is reasonable to assume that it works better in 1430 such environments, of course. Ideally, there should be 1431 incremental improvements in overall network throughput as 1432 increasing numbers of elements in the network support the 1433 mechanism. 1435 No. This mechanism is entirely dependent on the participation of all 1436 possible neighbors. In order to satisfy Req 4, it should be used in 1437 conjunction with other mechanisms, some of which are described in 1438 Section 5.4. 1440 REQ 5: The mechanism should not assume that it will only be 1441 deployed in environments with completely trusted elements. It 1442 should seek to operate as effectively as possible in environments 1443 where other elements are malicious; this includes preventing 1444 malicious elements from obtaining more than a fair share of 1445 service. 1447 No. This mechanism is entirely dependent on the non-malicious 1448 participation of all possible neighbors. In order to satisfy Req 5, 1449 it should be used in conjunction with other mechanisms, some of which 1450 are described in Section 5.4. 1452 REQ 6: When overload is signaled by means of a specific message, 1453 the message must clearly indicate that it is being sent because of 1454 overload, as opposed to other, non overload-based failure 1455 conditions. This requirement is meant to avoid some of the 1456 problems that have arisen from the reuse of the 503 response code 1457 for multiple purposes. Of course, overload is also signaled by 1458 lack of response to requests. This requirement applies only to 1459 explicit overload signals. 1461 N/A. This mechanism signals anticipated overload, not actual 1462 overload. However the signals in this mechanism are not used for any 1463 other purpose. 1465 REQ 7: The mechanism shall provide a way for an element to 1466 throttle the amount of traffic it receives from an upstream 1467 element. This throttling shall be graded so that it is not all- 1468 or-nothing as with the current 503 mechanism. This recognizes the 1469 fact that "overload" is not a binary state and that there are 1470 degrees of overload. 1472 Yes. This event package allows rate/loss/window-based overload 1473 control options as discussed in Section 7.4. 1475 REQ 8: The mechanism shall ensure that, when a request was not 1476 processed successfully due to overload (or failure) of a 1477 downstream element, the request will not be retried on another 1478 element that is also overloaded or whose status is unknown. This 1479 requirement derives from REQ 1. 1481 N/A to the load control event package mechanism itself. 1483 REQ 9: That a request has been rejected from an overloaded element 1484 shall not unduly restrict the ability of that request to be 1485 submitted to and processed by an element that is not overloaded. 1486 This requirement derives from REQ 1. 1488 Yes. For example, load filtering policy [Section 5.1] allows the 1489 inclusion of alternative forwarding destinations for rejected 1490 requests. 1492 REQ 10: The mechanism should support servers that receive requests 1493 from a large number of different upstream elements, where the set 1494 of upstream elements is not enumerable. 1496 No. Because this mechanism requires advance configuration of 1497 specifically identified neighbors, it does not support environments 1498 where the number and identity of the upstream neighbors are not known 1499 in advance. In order to satisfy Req 10, it should be used in 1500 conjunction with other mechanisms. 1502 REQ 11: The mechanism should support servers that receive requests 1503 from a finite set of upstream elements, where the set of upstream 1504 elements is enumerable. 1506 Yes. See also answer to REQ 10. 1508 REQ 12: The mechanism should work between servers in different 1509 domains. 1511 Yes. The load control event package mechanism is not limited by 1512 domain boundaries. However, it is likely more applicable in intra- 1513 domain scenarios than in inter-domain scenarios due to security and 1514 other concerns (See also Section 5.4). 1516 REQ 13: The mechanism must not dictate a specific algorithm for 1517 prioritizing the processing of work within a proxy during times of 1518 overload. It must permit a proxy to prioritize requests based on 1519 any local policy, so that certain ones (such as a call for 1520 emergency services or a call with a specific value of the 1521 Resource-Priority header field [RFC4412]) are given preferential 1522 treatment, such as not being dropped, being given additional 1523 retransmission, or being processed ahead of others. 1525 P/A. This mechanism does not specifically address the prioritizing 1526 of work during times of overload. But it does not preclude any 1527 particular local policy. 1529 REQ 14: The mechanism should provide unambiguous directions to 1530 clients on when they should retry a request and when they should 1531 not. This especially applies to TCP connection establishment and 1532 SIP registrations, in order to mitigate against avalanche restart. 1534 N/A to the load control event package mechanism itself. 1536 REQ 15: In cases where a network element fails, is so overloaded 1537 that it cannot process messages, or cannot communicate due to a 1538 network failure or network partition, it will not be able to 1539 provide explicit indications of the nature of the failure or its 1540 levels of congestion. The mechanism must properly function in 1541 these cases. 1543 P/A. Because the load filtering policies are provisioned in advance, 1544 they are not affected by the overload or failure of other network 1545 elements. But, on the other hand, they may not, in those cases, be 1546 able to protect the overloaded network elements (see Req 1). 1548 REQ 16: The mechanism should attempt to minimize the overhead of 1549 the overload control messaging. 1551 Yes. The standardized SIP event package mechanism [RFC6665] is used. 1553 REQ 17: The overload mechanism must not provide an avenue for 1554 malicious attack, including DoS and DDoS attacks. 1556 P/A. This mechanism does provide a potential avenue for malicious 1557 attacks. Therefore the security mechanisms for SIP event packages in 1558 general [RFC6665] and of section 10 of this specification should be 1559 used. 1561 REQ 18: The overload mechanism should be unambiguous about whether 1562 a load indication applies to a specific IP address, host, or URI, 1563 so that an upstream element can determine the load of the entity 1564 to which a request is to be sent. 1566 Yes. The identity of load indication is covered in the load 1567 filtering policy format definition in Section 5.1. 1569 REQ 19: The specification for the overload mechanism should give 1570 guidance on which message types might be desirable to process over 1571 others during times of overload, based on SIP-specific 1572 considerations. For example, it may be more beneficial to process 1573 a SUBSCRIBE refresh with Expires of zero than a SUBSCRIBE refresh 1574 with a non-zero expiration (since the former reduces the overall 1575 amount of load on the element), or to process re-INVITEs over new 1576 INVITEs. 1578 N/A to the load control event package mechanism itself. 1580 REQ 20: In a mixed environment of elements that do and do not 1581 implement the overload mechanism, no disproportionate benefit 1582 shall accrue to the users or operators of the elements that do not 1583 implement the mechanism. 1585 No. This mechanism is entirely dependent on the participation of all 1586 possible neighbors. In order to satisfy Req 20, it should be used in 1587 conjunction with other mechanisms, some of which are described in 1588 Section 5.4. 1590 REQ 21: The overload mechanism should ensure that the system 1591 remains stable. When the offered load drops from above the 1592 overall capacity of the network to below the overall capacity, the 1593 throughput should stabilize and become equal to the offered load. 1595 N/A to the load control event package mechanism itself. 1597 REQ 22: It must be possible to disable the reporting of load 1598 information towards upstream targets based on the identity of 1599 those targets. This allows a domain administrator who considers 1600 the load of their elements to be sensitive information, to 1601 restrict access to that information. Of course, in such cases, 1602 there is no expectation that the overload mechanism itself will 1603 help prevent overload from that upstream target. 1605 N/A to the load control event package mechanism itself. 1607 REQ 23: It must be possible for the overload mechanism to work in 1608 cases where there is a load balancer in front of a farm of 1609 proxies. 1611 Yes. The load control event package mechanism does not preclude its 1612 use in a scenario with server farms. 1614 11. Security Considerations 1616 Two aspects of security considerations arise from this specification. 1618 One is the SIP event notification framework-based load filtering 1619 policy distribution mechanism, the other is the load filtering policy 1620 enforcement mechanism. 1622 Security considerations for SIP event package mechanisms are covered 1623 in Section 6 of [RFC6665]. A particularly relevant security concern 1624 for this event package is that if the notifiers can be spoofed, 1625 attackers can send fake notifications asking subscribers to throttle 1626 all traffic, leading to Denial-of-Service attacks. Therefore, all 1627 load filtering policy notifications MUST be authenticated and 1628 authorized before being accepted. Standard authentication and 1629 authorization mechanisms recommended in [RFC3261] such as TLS 1630 [RFC5246] and IPSec [RFC4301] may serve this purpose. On the other 1631 hand, if a legitimate notifier is itself compromised, additional 1632 mechanisms will be needed to detect the attack. 1634 Security considerations for load filtering policy enforcement depends 1635 very much on the contents of the policy. This specification defines 1636 possible match of the following SIP header fields in a load filtering 1637 policy: , , and . The 1638 exact requirement to authenticate and authorize these fields is up to 1639 the service provider. In general, if the identity field represents 1640 the source of the request, it SHOULD be authenticated and authorized; 1641 if the identity field represents the destination of the request, the 1642 authentication and authorization is optional. 1644 12. IANA Considerations 1646 This specification registers a SIP event package, a new MIME type, a 1647 new XML namespace, and a new XML schema. 1649 12.1. Load Control Event Package Registration 1651 This section registers an event package based on the registration 1652 procedures defined in [RFC6665]. 1654 Package name: load-control 1656 Type: package 1658 Published specification: This specification 1660 Person to contact: Charles Shen, charles@cs.columbia.edu 1662 12.2. application/load-control+xml MIME Registration 1664 This section registers a new MIME type based on the procedures 1665 defined in [RFC6838] and guidelines in [RFC3023]. 1667 MIME media type name: application 1669 MIME subtype name: load-control+xml 1671 Mandatory parameters: none 1673 Optional parameters: Same as charset parameter application/xml in 1674 [RFC3023] 1676 Encoding considerations: Same as encoding considerations of 1677 application/xml in [RFC3023] 1679 Security considerations: See Section 10 of [RFC3023] and Section 11 1680 of this specification 1682 Interoperability considerations: None 1684 Published Specification: This specification 1686 Applications which use this media type: load control of SIP entities 1688 Additional information: 1690 Magic number: None 1692 File extension: .xml 1694 Macintosh file type code: 'TEXT' 1696 Personal and email address for further information: 1698 Charles Shen, charles@cs.columbia.edu 1700 Intended usage: COMMON 1702 Author/Change Controller: IETF SOC Working Group , as designated by the IESG 1705 12.3. Load Control Schema Registration 1707 URI: urn:ietf:params:xml:schema:load-control 1709 Registrant Contact: IETF SOC working group, Charles Shen 1710 (charles@cs.columbia.edu). 1712 XML: the XML schema to be registered is contained in Section 8. 1714 Its first line is 1716 1718 and its last line is 1720 1722 13. Acknowledgements 1724 The authors would like to thank Bruno Chatras, Martin Dolly, Keith 1725 Drage, Ashutosh Dutta, Janet Gunn, Vijay Gurbani, Volker Hilt, Geoff 1726 Hunt, Carolyn Johnson, Hadriel Kaplan, Paul Kyzivat, Salvatore 1727 Loreto, Timothy Moran, Eric Noel, Parthasarathi R, Adam Roach, Shida 1728 Schubert, Robert Sparks, Phil Williams and other members of the SOC 1729 and SIPPING working group for many helpful comments. In particular, 1730 Bruno Chatras proposed the and condition 1731 elements along with many other text improvements. Janet Gunn 1732 provided detailed text suggestions including Section 10. Eric Noel 1733 suggested clarification on load filtering policy distribution 1734 initialization process. Shida Schubert made many suggestions about 1735 terminology usage. Phil Williams suggested adding support for delta 1736 updates. Ashutosh Dutta gave pointers to PSTN references. Adam 1737 Roach suggested RFC6665-related and other helpful clarifications. 1739 14. References 1741 14.1. Normative References 1743 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1744 Requirement Levels", BCP 14, RFC 2119, March 1997. 1746 [RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997. 1748 [RFC3023] Murata, M., St. Laurent, S., and D. Kohn, "XML Media 1749 Types", RFC 3023, January 2001. 1751 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 1752 A., Peterson, J., Sparks, R., Handley, M., and E. 1753 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 1754 June 2002. 1756 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 1757 January 2004. 1759 [RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", RFC 1760 3966, December 2004. 1762 [RFC4745] Schulzrinne, H., Tschofenig, H., Morris, J., Cuellar, J., 1763 Polk, J., and J. Rosenberg, "Common Policy: A Document 1764 Format for Expressing Privacy Preferences", RFC 4745, 1765 February 2007. 1767 [RFC6665] Roach, A.B., "SIP-Specific Event Notification", RFC 6665, 1768 July 2012. 1770 [RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type 1771 Specifications and Registration Procedures", BCP 13, RFC 1772 6838, January 2013. 1774 14.2. Informative References 1776 [E.300SerSup3] 1777 ITU-T, , "North American Precise Audible Tone Plan", E.300 1778 Series Supplement 3 , November 1988. 1780 [E.412] ITU-T, , "Network Management Controls", E.412-2003 , 1781 January 2003. 1783 [I-D.ietf-soc-overload-control] 1784 Gurbani, V., Hilt, V., and H. Schulzrinne, "Session 1785 Initiation Protocol (SIP) Overload Control", draft-ietf- 1786 soc-overload-control-12 (work in progress), February 2013. 1788 [Q.1248.2] 1789 ITU-T, , "Interface Recommendation for Intelligent Network 1790 Capability Set4:SCF-SSF interface", Q.1248.2 , July 2001. 1792 [RFC2648] Moats, R., "A URN Namespace for IETF Documents", RFC 2648, 1793 August 1999. 1795 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 1796 Internet Protocol", RFC 4301, December 2005. 1798 [RFC4412] Schulzrinne, H. and J. Polk, "Communications Resource 1799 Priority for the Session Initiation Protocol (SIP)", RFC 1800 4412, February 2006. 1802 [RFC4825] Rosenberg, J., "The Extensible Markup Language (XML) 1803 Configuration Access Protocol (XCAP)", RFC 4825, May 2007. 1805 [RFC5031] Schulzrinne, H., "A Uniform Resource Name (URN) for 1806 Emergency and Other Well-Known Services", RFC 5031, 1807 January 2008. 1809 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 1810 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 1812 [RFC5390] Rosenberg, J., "Requirements for Management of Overload in 1813 the Session Initiation Protocol", RFC 5390, December 2008. 1815 [RFC6357] Hilt, V., Noel, E., Shen, C., and A. Abdelal, "Design 1816 Considerations for Session Initiation Protocol (SIP) 1817 Overload Control", RFC 6357, August 2011. 1819 Authors' Addresses 1821 Charles Shen 1822 Columbia University 1823 Department of Computer Science 1824 1214 Amsterdam Avenue, MC 0401 1825 New York, NY 10027 1826 USA 1828 Phone: +1 212 854 3109 1829 Email: charles@cs.columbia.edu 1831 Henning Schulzrinne 1832 Columbia University 1833 Department of Computer Science 1834 1214 Amsterdam Avenue, MC 0401 1835 New York, NY 10027 1836 USA 1838 Phone: +1 212 939 7004 1839 Email: schulzrinne@cs.columbia.edu 1841 Arata Koike 1842 NTT Service Integration Labs 1843 3-9-11 Midori-cho Musashino-shi 1844 Tokyo 184-0013 1845 Japan 1847 Phone: +81 422 59 6099 1848 Email: koike.arata@lab.ntt.co.jp