idnits 2.17.1 

draft-ietf-soc-load-control-event-package-11.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (November 24, 2013) is 3803 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 2141 (Obsoleted by RFC 8141)

  ** Obsolete normative reference: RFC 3023 (Obsoleted by RFC 7303)

  == Outdated reference: A later version (-15) exists of
     draft-ietf-soc-overload-control-13


     Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	IETF SOC Working Group                                           C. Shen
3	Internet-Draft                                            H. Schulzrinne
4	Intended status: Standards Track                             Columbia U.
5	Expires: May 28, 2014                                           A. Koike
6	                                                                     NTT
7	                                                       November 24, 2013

9	     A Session Initiation Protocol (SIP) Load Control Event Package
10	            draft-ietf-soc-load-control-event-package-11.txt

12	Abstract

14	   We define a load control event package for the Session Initiation
15	   Protocol (SIP).  It allows SIP entities to distribute load filtering
16	   policies to other SIP entities in the network.  The load filtering
17	   policies contain rules to throttle calls based on their source or
18	   destination domain, telephone number prefix or for a specific user.
19	   The mechanism helps to prevent signaling overload and complements
20	   feedback-based SIP overload control efforts.

22	Status of This Memo

24	   This Internet-Draft is submitted in full conformance with the
25	   provisions of BCP 78 and BCP 79.

27	   Internet-Drafts are working documents of the Internet Engineering
28	   Task Force (IETF).  Note that other groups may also distribute
29	   working documents as Internet-Drafts.  The list of current Internet-
30	   Drafts is at http://datatracker.ietf.org/drafts/current/.

32	   Internet-Drafts are draft documents valid for a maximum of six months
33	   and may be updated, replaced, or obsoleted by other documents at any
34	   time.  It is inappropriate to use Internet-Drafts as reference
35	   material or to cite them other than as "work in progress."

37	   This Internet-Draft will expire on May 28, 2014.

39	Copyright Notice

41	   Copyright (c) 2013 IETF Trust and the persons identified as the
42	   document authors.  All rights reserved.

44	   This document is subject to BCP 78 and the IETF Trust's Legal
45	   Provisions Relating to IETF Documents
46	   (http://trustee.ietf.org/license-info) in effect on the date of
47	   publication of this document.  Please review these documents
48	   carefully, as they describe your rights and restrictions with respect
49	   to this document.  Code Components extracted from this document must
50	   include Simplified BSD License text as described in Section 4.e of
51	   the Trust Legal Provisions and are provided without warranty as
52	   described in the Simplified BSD License.

54	Table of Contents

56	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
57	   2.  Conventions . . . . . . . . . . . . . . . . . . . . . . . . .   5
58	   3.  Definitions . . . . . . . . . . . . . . . . . . . . . . . . .   5
59	   4.  Design Requirements . . . . . . . . . . . . . . . . . . . . .   6
60	   5.  SIP Load Filtering Overview . . . . . . . . . . . . . . . . .   6
61	     5.1.  Load Filtering Policy Format  . . . . . . . . . . . . . .   6
62	     5.2.  Load Filtering Policy Computation . . . . . . . . . . . .   7
63	     5.3.  Load Filtering Policy Distribution  . . . . . . . . . . .   7
64	     5.4.  Applicable Network Domains  . . . . . . . . . . . . . . .  10
65	   6.  Load Control Event Package  . . . . . . . . . . . . . . . . .  11
66	     6.1.  Event Package Name  . . . . . . . . . . . . . . . . . . .  12
67	     6.2.  Event Package Parameters  . . . . . . . . . . . . . . . .  12
68	     6.3.  SUBSCRIBE Bodies  . . . . . . . . . . . . . . . . . . . .  12
69	     6.4.  SUBSCRIBE Duration  . . . . . . . . . . . . . . . . . . .  12
70	     6.5.  NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . .  12
71	     6.6.  Notifier Processing of SUBSCRIBE Requests . . . . . . . .  12
72	     6.7.  Notifier Generation of NOTIFY Requests  . . . . . . . . .  13
73	     6.8.  Subscriber Processing of NOTIFY Requests  . . . . . . . .  13
74	     6.9.  Handling of Forked Requests . . . . . . . . . . . . . . .  14
75	     6.10. Rate of Notifications . . . . . . . . . . . . . . . . . .  15
76	     6.11. State Delta . . . . . . . . . . . . . . . . . . . . . . .  15
77	   7.  Load Control Document . . . . . . . . . . . . . . . . . . . .  15
78	     7.1.  Format  . . . . . . . . . . . . . . . . . . . . . . . . .  15
79	     7.2.  Namespace . . . . . . . . . . . . . . . . . . . . . . . .  16
80	     7.3.  Conditions  . . . . . . . . . . . . . . . . . . . . . . .  16
81	       7.3.1.  Call Identity . . . . . . . . . . . . . . . . . . . .  16
82	       7.3.2.  Method  . . . . . . . . . . . . . . . . . . . . . . .  19
83	       7.3.3.  Target SIP Entity . . . . . . . . . . . . . . . . . .  19
84	       7.3.4.  Validity  . . . . . . . . . . . . . . . . . . . . . .  20
85	     7.4.  Actions . . . . . . . . . . . . . . . . . . . . . . . . .  21
86	     7.5.  Complete Examples . . . . . . . . . . . . . . . . . . . .  22
87	       7.5.1.  Load Control Document Examples  . . . . . . . . . . .  22
88	       7.5.2.  Message Flow Examples . . . . . . . . . . . . . . . .  25
89	   8.  XML Schema Definition for Load Control  . . . . . . . . . . .  27
90	   9.  Related Work  . . . . . . . . . . . . . . . . . . . . . . . .  30
91	     9.1.  Relationship with Load Filtering in PSTN  . . . . . . . .  30
92	     9.2.  Relationship with Other IETF SIP Overload Control Efforts  31
93	   10. Discussion of this specification meeting the requirements of
94	       RFC5390 . . . . . . . . . . . . . . . . . . . . . . . . . . .  32
95	   11. Security Considerations . . . . . . . . . . . . . . . . . . .  37
96	   12. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  38
97	     12.1.  Load Control Event Package Registration  . . . . . . . .  38
98	     12.2.  application/load-control+xml MIME Registration . . . . .  38
99	     12.3.  URN Sub-Namespace Registration . . . . . . . . . . . . .  39
100	     12.4.  Load Control Schema Registration . . . . . . . . . . . .  40
101	   13. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  40
102	   14. References  . . . . . . . . . . . . . . . . . . . . . . . . .  40
103	     14.1.  Normative References . . . . . . . . . . . . . . . . . .  40
104	     14.2.  Informative References . . . . . . . . . . . . . . . . .  41
105	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  42

107	1.  Introduction

109	   Proper functioning of Session Initiation Protocol (SIP) [RFC3261]
110	   signaling servers is critical in SIP-based communications networks.
111	   The performance of SIP servers can be severely degraded when the
112	   server is overloaded with excessive number of signaling requests.
113	   Both legitimate and malicious traffic can overload SIP servers,
114	   despite appropriate capacity planning.  Some of the SIP server
115	   overload situations are predictable, while others are not.

117	   There are four common examples of predictable short-term increases in
118	   call volumes.  Viewer-voting TV shows or ticket giveaways, special
119	   holidays such as New Year's Day and Mother's Day, end-of-season peaks
120	   in phone orders, or after forecastable natural disasters such as
121	   hurricanes.  On the other hand, examples of unpredicted or
122	   unpredictable mass calling may happen after earthquakes, terrorist
123	   attacks, or at call centers that provide troubleshooting services
124	   when a mass service fails.  When possible, only calls traversing
125	   overloaded servers should be throttled under overload conditions.

127	   SIP load control mechanisms are needed to prevent congestion collapse
128	   in these cases [RFC5390].  There are two types of load control
129	   approaches.  In the first approach, feedback control, SIP servers
130	   provide load limits to upstream servers, to reduce the incoming rate
131	   of all SIP requests [I-D.ietf-soc-overload-control].  These upstream
132	   servers then drop or delay incoming SIP requests.  Feedback control
133	   is reactive and affects signaling messages that have already been
134	   issued by user agent clients.  They work well when SIP proxy servers
135	   in the core networks (core proxy servers) or destination-specific SIP
136	   proxy servers in the edge networks (edge proxy servers) are
137	   overloaded.  By their nature, they need to distribute rate, drop or
138	   window information to all upstream SIP proxy servers and normally
139	   affect all calls equally, regardless of destination.  For example, in
140	   the ticket giveaway case, almost all calls to the hotline will fail
141	   at the core proxy servers; if the edge proxy servers leading to the
142	   core proxy servers are also overloaded, calls to other destinations
143	   will also be rejected or dropped.

145	   Here, we propose an additional, complementary load control mechanism,
146	   called load filtering.  Network operators create load filtering
147	   policies that indicate calls to specific destinations or from
148	   specific sources should be rate-limited or randomly dropped.  These
149	   load filtering policies are then distributed to SIP servers and
150	   possibly SIP user agents that are likely to generate calls to the
151	   affected destinations or from the affected sources.  Load filtering
152	   works best if it prevents calls as close to the originating user
153	   agent clients as possible.

155	   The load filtering approach is most applicable for situations where a
156	   traffic surge and its source/destination distribution can be
157	   predicted in advance.  It is less likely to be effective for the
158	   initial phase of unpredicted or unpredictable mass calling events.
159	   In the latter cases, the local traffic load may peak by more than an
160	   order of magnitude in minutes, if not seconds.  This does not allow
161	   time to either effectively identify the load filtering policies
162	   needed, nor distribute them to the appropriate servers soon enough to
163	   prevent server congestion.  Once other, more immediate, techniques
164	   (such as the loss-based or rate-based load feedback control methods)
165	   have prevented the initial congestion collapse, the load filtering
166	   approach can be used to effectively control the continuing overload.

168	   Performing SIP load filtering involves the following components of
169	   load filtering policies: format definition, computation, distribution
170	   and enforcement.  This specification defines the load filtering
171	   policy, distribution and enforcement in the SIP load control event
172	   package built upon existing SIP event notification framework.
173	   However, load filtering policy computation is out of scope of this
174	   specification, because it depends heavily on the actual network
175	   topology and other service provider policies.

177	   It should be noted that although the SIP load filtering mechanism is
178	   motivated by the SIP overload control problem, which is why this
179	   specification refers extensively to parallel SIP overload control
180	   related efforts, the applicability of SIP load filtering extends
181	   beyond the overload control purpose.  For example, it can also be
182	   used to implement quality of service or other service level agreement
183	   commitments.  Therefore, we use the term "load control event
184	   package", instead of a narrower term "overload control event
185	   package".

187	   The rest of this specification is structured as follows: we begin by
188	   listing the design requirements for this work in Section 4.  We then
189	   give an overview of load filtering operation in Section 5.  The load
190	   control event package for load filtering policy distribution is
191	   detailed in Section 6.  The load filtering policy format is defined
192	   in the two sections that follow, with Section 7 introducing the XML
193	   document for load filtering policies and Section 8 listing the
194	   associated schema.  Section 9 relates this work to corresponding
195	   mechanisms in PSTN and other IETF efforts addressing SIP overload
196	   control.  Section 10 evaluates whether this specification meets the
197	   SIP overload control requirements set forth by [RFC5390].  Finally,
198	   Section 11 presents security considerations and Section 12 provides
199	   IANA considerations.

201	2.  Conventions

203	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
204	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
205	   document are to be interpreted as described in [RFC2119].

207	3.  Definitions

209	   This specification reuses the definitions for "Event Package",
210	   "Notification", "Notifier", "Subscriber", "Subscription" as in
211	   [RFC6665].  The following additional definitions are also used.

213	   Load Filtering:  A load control mechanism which applies specific
214	      actions to selected loads (e.g., SIP requests) matching specific
215	      conditions.

217	   Load Filtering Policy:  A set of zero or more load filtering rules,
218	      also known as load filtering rule set.

220	   Load Filtering Rule:  Conditions and actions to be applied for load
221	      filtering.

223	   Load Filtering Condition:  Elements that describe how to select loads
224	      to apply load filtering actions.  This specification defines the
225	      "call identity", "method", "target SIP identity", and "validity"
226	      condition elements (Section 7.3).

228	   Load Filtering Action:  An operation to be taken by a load filtering
229	      server on loads that match the load filtering conditions.  This
230	      specification allows actions such as accept, reject and redirect
231	      of loads (Section 7.4).

233	   Load Filtering Server:  A server which performs load filtering.  In
234	      the context of this specification, the load filtering server is
235	      the subscriber, which receives load filtering policies from the
236	      notifier and enforces those policies during load filtering.

238	   Load Control Document:  An XML document that describes the load
239	      filtering policies (Section 7).  It inherits and enhances the
240	      common policy document defined in [RFC4745].

242	4.  Design Requirements

244	   The SIP load filtering mechanism needs to satisfy the following
245	   requirements:

247	   o  To simplify the solution, we focus on a method for controlling SIP
248	      load, rather than a generic application-layer mechanism.

250	   o  The load filtering policy needs to be distributed efficiently to
251	      possibly a large subset of all SIP elements.

253	   o  The solution should re-use existing SIP protocol mechanisms to
254	      reduce implementation and deployment complexity.

256	   o  For predictable overload situations, such as holidays and mass
257	      calling events, the load filtering policy should specify during
258	      what time it is to be applied, so that the information can be
259	      distributed ahead of time.

261	   o  For destination-specific overload situations, the load filtering
262	      policy should be able to describe the destination domain or the
263	      callee.

265	   o  To address accidental and intentional high-volume call generators,
266	      the load filtering policy should be able to specify the caller.

268	   o  Caller and callee need to be specified as both SIP URIs and 'tel'
269	      URIs [RFC3966] in load filtering policies.

271	   o  It should be possible to specify particular information in the SIP
272	      headers (e.g., prefixes in telephone numbers) which allow load
273	      filtering over limited regionally-focused overloads.

275	   o  The solution should draw upon experiences from related PSTN
276	      mechanisms [Q.1248.2][E.412][E.300SerSup3] where applicable.

278	   o  The solution should be extensible to meet future needs.

280	5.  SIP Load Filtering Overview

282	5.1.  Load Filtering Policy Format

284	   Load filtering policies are specified by sets of rules.  Each rule
285	   contains both load filtering conditions and actions.  The load
286	   filtering conditions define identities of the targets to be
287	   filtered(Section 7.3.1).  For example, there are two typical resource
288	   limits in a possible overload situation, i.e., human destination
289	   limits (N number of call takers) and node capacity limits.  The load
290	   filtering targets in these two cases can be the specific callee
291	   numbers or the destination domain corresponding to the overload.
292	   Load filtering conditions also indicate the specific message type to
293	   be matched (Section 7.3.2), with which target SIP entity the
294	   filtering policy is associated (Section 7.3.3) and the period of time
295	   when the filtering policy should be activated and deactivated
296	   (Section 7.3.4).  Load filtering actions describe the desired control
297	   functions such as limiting the request rate below a certain level
298	   (Section 7.4).

300	5.2.  Load Filtering Policy Computation

302	   Computing the load filtering policies needs to take into
303	   consideration information such as overload time, scope and network
304	   topology, as well as service policies.  It is also important to make
305	   sure that there is no resource allocation loop, and that server
306	   capacity is allocated in a way which both prevents overload and
307	   maximizes effective throughput (aka goodput).  In some cases, in
308	   order to better utilize system resources, it may be preferable to
309	   employ an algorithm which dynamically computes the load filtering
310	   policies based on currently observed server load status, rather than
311	   using a purely static filtering policy assignment.  The computation
312	   algorithm for load filtering policies is out of scope of this
313	   specification.

315	5.3.  Load Filtering Policy Distribution

317	   For load filtering policy distribution, this specification defines
318	   the SIP event package for load control, which is an "instantiation"
319	   of the generic SIP event notification framework [RFC6665].  The SIP
320	   event notification framework provides an existing method for SIP
321	   entities to subscribe to and receive notifications when certain
322	   events occur.  Such a framework forms a scalable event distribution
323	   architecture that suits our needs.  This specification also defines
324	   XML schema of a load control document (Section 7), which is used to
325	   encode load filtering policies.

327	   In order for load filtering policies to be properly distributed, each
328	   capable SIP entity in the network SHOULD subscribe to the SIP load
329	   control event package from all its outgoing signaling neighbors,
330	   known as notifiers (Section 6.6).  Subscription is initiated and
331	   maintained during normal server operation.  Signaling neighbors are
332	   discovered by sending signaling messages.  For instance, if A sends
333	   signaling requests to B, B is an outgoing signaling neighbor of A. A
334	   needs to subscribe to the load control event package of B in case B
335	   wants to curb requests from A. On the other hand, if B also sends
336	   signaling requests to A, then B also needs to subscribe to A. The
337	   subscription of neighboring SIP entities needs to be persistent so
338	   that it is in place independently of any specific events requiring
339	   load filtering.  Key to this is the fact that following initial
340	   subscription, the notifier sends a notification without a body if no
341	   load filtering policy is defined (Section 6.7), and that the
342	   subscription needs to be refreshed periodically to make it
343	   persistent, as described in Section 4.1 and Section 4.2 of [RFC6665].
344	   The notifier will send a notification to its subscribers each time a
345	   new subscription or a subscription refresh is accepted (Section 6.7).
346	   The notification request includes in its body the current load
347	   filtering policies (Section 7.1) from the notifier.  If no such load
348	   filtering policy exists, the notification request is sent without a
349	   body.  The subscribers MAY terminate the subscription if it no longer
350	   considers the notifiers as its signaling neighbor, e.g., after an
351	   extended period of absence of signaling message exchange.  However,
352	   if after un-subscribing, the subscriber determines that signaling
353	   with the notifier becomes active again, it MUST immediately subscribe
354	   to that notifier again.

356	   We use the example architecture shown in Figure 1 to illustrate load
357	   filtering policy distribution based on the SIP load control event
358	   package mechanism.  This scenario consists of two networks belonging
359	   to Service Provider A and Service Provider B, respectively.  Each
360	   provider's network is made up of two SIP core proxy servers and four
361	   SIP edge proxy servers.  The core proxy servers and edge proxy
362	   servers of Service Provider A are denoted as CPa1 to CPa2 and EPa1 to
363	   EPa4; the core proxy servers and edge proxy servers of Service
364	   Provider B are denoted as CPb1 to CPb2 and EPb1 to EPb4.

366	      +-----------+   +-----------+   +-----------+   +-----------+
367	      |           |   |           |   |           |   |           |
368	      |   EPa1    |   |   EPa2    |   |   EPa3    |   |   EPa4    |
369	      |           |   |           |   |           |   |           |
370	      +-----------+   +-----------+   +-----------+   +-----------+
371	              \         /                    \          /
372	               \       /                      \        /
373	                \     /                        \      /
374	              +-----------+                  +-----------+
375	              |           |                  |           |
376	              |   CPa1    |------------------|   CPa2    |
377	              |           |                  |           |
378	              +-----------+                  +-----------+
379	                    |                              |
380	      Service       |                              |
381	      Provider A    |                              |
382	                    |                              |
383	     =================================================================
384	                    |                              |

386	      Service       |                              |
387	      Provider B    |                              |
388	                    |                              |
389	              +-----------+                  +-----------+
390	              |           |                  |           |
391	              |   CPb1    |------------------|   CPb2    |
392	              |           |                  |           |
393	              +-----------+                  +-----------+
394	                /      \                        /     \
395	               /        \                      /       \
396	              /          \                    /         \
397	      +-----------+   +-----------+   +-----------+   +-----------+
398	      |           |   |           |   |           |   |           |
399	      |   EPb1    |   |   EPb2    |   |   EPb3    |   |   EPb4    |
400	      |           |   |           |   |           |   |           |
401	      +-----------+   +-----------+   +-----------+   +-----------+

403	      Figure 1: Example Network Scenario Using SIP Load Control Event
404	                             Package Mechanism

406	   At initialization stage, the proxy servers first identify all their
407	   outgoing signaling neighbors and subscribe to them.  The neighbor
408	   identification process can be performed by service providers through
409	   direct provisioning, or by the proxy servers themselves via
410	   progressive learning from the signaling messages sent and received.
411	   Assuming all signaling relationships in Figure 1 are bi-directional,
412	   after this initialization stage, each proxy server will be subscribed
413	   to all its neighbors.  That is, EPa1 subscribes to CPa1; CPa1
414	   subscribes to EPa1, EPa2, CPa2 and CPb1, so on and so forth.  The
415	   following cases then show two examples of how load filtering policy
416	   distribution in this network works.

418	   Case I: EPa1 serves a TV program hotline and decides to limit the
419	   total number of incoming calls to the hotline to prevent an overload.
420	   To do so, EPa1 sends a notification to CPa1 with the specific hotline
421	   number, time of activation and total acceptable call rate.  Depending
422	   on the load filtering policy computation algorithm, CPa1 may allocate
423	   the received total acceptable call rate among its neighbors, namely,
424	   EPa2, CPa2, and CPb1, and notify them about the resulting allocation
425	   along with the hotline number and the activation time.  CPa2 and CPb1
426	   may perform further allocation among their own neighbors and notify
427	   the corresponding proxy servers.  This process continues until all
428	   edge proxy servers in the network have been informed about the event
429	   and have proper load filtering policy configured.

431	   In the above case, the network entity where load filtering policy is
432	   first introduced is the SIP server providing access to the resource
433	   that creates the overload situation.  In other cases, the network
434	   entry point of introducing load filtering policy could also be an
435	   entity that hosts this resource.  For example, an operator may host
436	   an application server that performs 800 number translation services.
437	   The application server may itself be a SIP proxy server or a SIP
438	   Back-to-Back User Agent (B2BUA).  If one of the 800 numbers hosted at
439	   the application server creates the overload condition, the load
440	   filtering policies can be introduced from the application server and
441	   then propagated to other SIP proxy servers in the network.

443	   Case II: a hurricane affects the region covered by CPb2, EPb3 and
444	   EPb4.  All these three SIP proxy servers are overloaded.  The rescue
445	   team determines that outbound calls are more valuable than inbound
446	   calls in this specific situation.  Therefore, EPb3 and EPb4 are
447	   configured with load filtering policies to accept more outbound calls
448	   than inbound calls.  CPb2 may be configured the same way or receive
449	   dynamically computed load filtering policies from EPb3 and EPb4.
450	   Depending on the load filtering policy computation algorithm, CPb2
451	   may also send out notifications to its outside neighbors, namely CPb1
452	   and CPa2, specifying a limit on the acceptable rate of inbound calls
453	   to CPb2's responsible domain.  CPb1 and CPa2 may subsequently notify
454	   their neighbors about limiting the calls to CPb2's area.  The same
455	   process could continue until all edge proxy servers are notified and
456	   have load filtering policies configured.

458	   Note that this specification does not define the provisioning
459	   interface between the party who determines the load filtering policy
460	   and the network entry point where the policy is introduced.  One of
461	   the options for the provisioning interface is the Extensible Markup
462	   Language (XML) Configuration Access Protocol (XCAP) [RFC4825].

464	5.4.  Applicable Network Domains

466	   This specification MUST be applied inside a 'Trust Domain'.  The
467	   concept of a Trust Domain is similar to that defined in [RFC3324].  A
468	   Trust Domain for the purpose of SIP load filtering is a set of SIP
469	   entities such as SIP proxy servers that are trusted to exchange load
470	   filtering policies defined in this specification.  In the simplest
471	   case, a Trust Domain is a network of SIP entities belonging to a
472	   single service provider who deploys it and accurately knows the
473	   behaviour of those SIP entities.  Such simple Trust Domains may be
474	   joined to form larger Trust Domains by bi-lateral agreements between
475	   the service providers of the SIP entities.

477	   The key requirement of a Trust Domain for the purpose of SIP load
478	   filtering is that the behavior of all SIP entities within a given
479	   Trust Domain is known to comply to the following set of
480	   specifications.

482	   o  The mechanisms used to secure the communication among SIP entities
483	      within the Trust Domain.

485	   o  The manner used to determine which SIP entities are part of the
486	      Trust Domain.

488	   o  That SIP entities in the Trust Domain are compliant to SIP
489	      [RFC3261]

491	   o  That SIP entities in the Trust Domain are compliant to SIP
492	      [RFC6665]

494	   o  That SIP entities in the Trust Domain are compliant to this
495	      document.

497	   o  The agreement on what types of calls can be affected by this SIP
498	      load filtering mechanism.  For example, call identity condition
499	      elements (Section 7.3.1) <one> and <many> might be limited to
500	      describe specific domains; <many-tel> and <except-tel> might be
501	      limited to describe within certain prefixes.

503	   o  The agreement on the destinations to which calls may be redirected
504	      when the "redirect" action (Section 7.4) is used.  For example,
505	      the URI might have to match a given set of domains.

507	   It is important to note that effectiveness of SIP load filtering
508	   requires that all neighbors that are possible signaling sources
509	   participate and enforce the designated load filtering policies.
510	   Otherwise, a single non-conforming neighbor could make the whole
511	   filtering efforts useless by pumping in excessive traffic to overload
512	   the server.  Therefore, the SIP server that distributes load
513	   filtering policies needs to take counter-measures towards any non-
514	   conforming neighbors.  A simple method is to reject excessive
515	   requests with 503 (Service Unavailable) response messages as if they
516	   were obeying the rate.  Considering the rejection costs, a more
517	   complicated but fairer method would be to allocate at the overloaded
518	   server the same amount of processing to the combination of both
519	   normal processing and rejection as the overloaded server would devote
520	   to processing requests for a conforming upstream SIP server.  These
521	   approaches work as long as the total rejection cost does not
522	   overwhelm the entire server resources.  In addition, SIP servers need
523	   to handle message prioritization properly while performing load
524	   filtering, which is described in Section 6.8.

526	6.  Load Control Event Package
527	   The SIP load filtering mechanism defines a load control event package
528	   for SIP based on [RFC6665].

530	6.1.  Event Package Name

532	   The name of this event package is "load-control".  This name is
533	   carried in the Event and Allow-Events header, as specified in
534	   [RFC6665].

536	6.2.  Event Package Parameters

538	   No package specific event header field parameters are defined for
539	   this event package.

541	6.3.  SUBSCRIBE Bodies

543	   This document does not define the content of SUBSCRIBE bodies.
544	   Future specifications could define bodies for SUBSCRIBE messages, for
545	   example to request specific types of load control event
546	   notifications.

548	   A SUBSCRIBE request sent without a body implies the default
549	   subscription behavior as specified in Section 6.7.

551	6.4.  SUBSCRIBE Duration

553	   The default expiration time for a subscription to load filtering
554	   policy is one hour.  Since the desired expiration time may vary
555	   significantly for subscriptions among SIP entities with different
556	   signaling relationships, the subscribers and notifiers are
557	   RECOMMENDED to explicitly negotiate appropriate subscription duration
558	   when knowledge about the mutual signaling relationship is available.

560	6.5.  NOTIFY Bodies

562	   The body of a NOTIFY request in this event package contains load
563	   filtering policies.  The format of the NOTIFY request body MUST be in
564	   one of the formats defined in the Accept header field of the
565	   SUBSCRIBE request or be the default format, as specified in
566	   [RFC6665].  The default data format for the NOTIFY request body of
567	   this event package is "application/load-control+xml" (defined in
568	   Section 7).  This means that when NOTIFY request body exists but no
569	   Accept header field is specified in a SUBSCRIBE request, the NOTIFY
570	   request body MUST contain "application/load-control+xml" format.

572	6.6.  Notifier Processing of SUBSCRIBE Requests

574	   The notifier accepts a new subscription or updates an existing
575	   subscription upon receiving a valid SUBSCRIBE request.

577	   If the identity of the subscriber sending the SUBSCRIBE request is
578	   not allowed to receive load filtering policy, the notifier MUST
579	   return a 403 "Forbidden" response.

581	   If none of MIME types specified in the Accept header of the SUBSCRIBE
582	   request is supported, the notifier SHOULD return 406 "Not Acceptable"
583	   response.

585	6.7.  Notifier Generation of NOTIFY Requests

587	   A notifier MUST send a NOTIFY request with its current load filtering
588	   policy to the subscriber upon successfully accepting or refreshing a
589	   subscription.  If no load filtering policy needs to be distributed
590	   when the subscription is received, the notifier SHOULD sent a NOTIFY
591	   request without body to the subscriber.  The content-type header
592	   field of this NOTIFY request MUST indicate the correct body format as
593	   if the body were present (e.g., "application/load-control+xml").
594	   Sending this NOTIFY request without body is often the case when a
595	   subscription is initiated for the first time, e.g., when a SIP entity
596	   is just introduced, because there may be no planned events that
597	   require load filtering at that time.  A notifier SHOULD generate
598	   NOTIFY requests each time the load filtering policy changes, with the
599	   maximum notification rate not exceeding values defined in
600	   Section 6.10.

602	6.8.  Subscriber Processing of NOTIFY Requests

604	   The subscriber is the load filtering server which enforces load
605	   filtering policies received from the notifier.  The way subscribers
606	   process NOTIFY requests depends on the load filtering policies
607	   conveyed in the notifications.  Typically, load filtering policies
608	   consist of rules specifying actions to be applied to requests
609	   matching certain conditions.  A subscriber receiving a notification
610	   first installs these rules and then enforce corresponding actions on
611	   requests matching those conditions, for example, limiting the sending
612	   rate of call requests destined for a specific callee.

614	   In the case when load filtering policies specify a future validity,
615	   it is possible that when the validity time comes, the subscription to
616	   the specific notifier that conveyed the rules has expired.  In this
617	   case, it is RECOMMENDED that the subscriber re-activate its
618	   subscription with the corresponding notifier.  Regardless of whether
619	   this re-activation of subscription is successful or not, when the
620	   validity time is reached, the subscriber SHOULD enforce the
621	   corresponding rules.

623	   Upon receipt of a NOTIFY request with a Subscription-State header
624	   field containing the value "terminated", the subscription status with
625	   the particular notifier will be terminated.  Meanwhile, subscribers
626	   MUST also terminate previously received load filtering policies from
627	   that notifier.

629	   The subscriber SHOULD discard unknown bodies.  If the NOTIFY request
630	   contains several bodies, none of them being supported, it SHOULD
631	   unsubscribe.  A NOTIFY request without a body indicates that no load
632	   filtering policies need to be updated.

634	   When the subscriber enforces load filtering policies, it needs to
635	   prioritize requests and select those requests that need to be
636	   rejected or redirected.  This selection is largely a matter of local
637	   policy.  It is expected that the subscriber will follow local policy
638	   as long as the result in reduction of traffic is consistent with the
639	   overload algorithm in effect at that node.  Accordingly, the
640	   normative behavior in the next three paragraphs should be interpreted
641	   with the understanding that the subscriber will aim to preserve local
642	   policy to the fullest extent possible.

644	   o  The subscriber SHOULD honor the local policy for prioritizing SIP
645	      requests such as policies based on message type, e.g., INVITEs
646	      versus requests associated with existing sessions.

648	   o  The subscriber SHOULD honor the local policy for prioritizing SIP
649	      requests based on the content of the Resource-Priority header
650	      (RPH, [RFC4412]).  Specific (namespace.value) RPH contents may
651	      indicate high priority requests that should be preserved as much
652	      as possible during overload.  The RPH contents can also indicate a
653	      low-priority request that is eligible to be dropped during times
654	      of overload.

656	   o  The subscriber SHOULD honor the local policy for prioritizing SIP
657	      requests relating to emergency calls as identified by the SOS URN
658	      [RFC5031] indicating an emergency request.

660	   A local policy can be expected to combine both the SIP request type
661	   and the prioritization markings, and SHOULD be honored when overload
662	   conditions prevail.

664	6.9.  Handling of Forked Requests

666	   Forking is not applicable when this load control event package
667	   mechanism is used within a single-hop distance between neighboring
668	   SIP entities.  If communication scope of the load control event
669	   package mechanism is among multiple hops, forking is not expected to
670	   happen either because the subscription request is addressed to a
671	   clearly defined SIP entity.  However, in the unlikely case when
672	   forking does happen, the load control event package only allows the
673	   first potential dialog-establishing message to create a dialog, as
674	   specified in Section 5.9 of [RFC6665].

676	6.10.  Rate of Notifications

678	   Rate of notifications is likely not a concern for this local control
679	   event package mechanism when it is used in a non-real-time mode for
680	   relatively static load filtering policies.  Nevertheless, if
681	   situation does arise that a rather frequent load filtering policy
682	   update is needed, it is RECOMMENDED that the notifier do not generate
683	   notifications at a rate higher than once per-second in all cases, in
684	   order to avoid the NOTIFY request itself overloading the system.

686	6.11.  State Delta

688	   It is likely that updates to specific load filtering policies are
689	   made by changing only part of the policy parameters only (e.g.
690	   acceptable request rate or percentage, but not matching identities).
691	   This will typically be because the utilization of a resource subject
692	   to overload depends upon dynamic unknowns such as holding time and
693	   the relative distribution of offered loads over subscribing SIP
694	   entities.  The updates could originate manually or be determined
695	   automatically by an algorithm that dynamically computes the load
696	   filtering policies (Section 5.2).  Another factor that is usually not
697	   known precisely or needs to be computed automatically is the duration
698	   of the event requiring load filtering.  Therefore it would also be
699	   common for the validity to change frequently.

701	   This event package allows the use of state delta as in [RFC6665] to
702	   accommodate frequent updates of partial policy parameters.  For each
703	   NOTIFY transaction in a subscription, a version number that increases
704	   by exactly one MUST be included in the NOTIFY request body when the
705	   body is present.  When the subscriber receives a state delta, it
706	   associates the partial updates to the particular policy by matching
707	   the appropriate rule id (Section 7.5).  If the subscriber receives a
708	   NOTIFY request with a version number that is increased by more than
709	   one, it knows that it has missed a state delta and needs to ask for a
710	   full state snapshot.  Therefore, the subscriber ignores that NOTIFY
711	   request containing the state delta, and re-sends a SUBSCRIBE request
712	   to force a NOTIFY request containing a complete state snapshot.

714	7.  Load Control Document

716	7.1.  Format

718	   A load control document is an XML document that describes the load
719	   filtering policies.  It inherits and enhances the common policy
720	   document defined in [RFC4745].  A common policy document contains a
721	   set of rules.  Each rule consists of three parts: conditions, actions
722	   and transformations.  The conditions part is a set of expressions
723	   containing attributes such as identity, domain, and validity time
724	   information.  Each expression evaluates to TRUE or FALSE.  Conditions
725	   are matched on "equality" or "greater than" style comparison.  There
726	   is no regular expression matching.  Conditions are evaluated on
727	   receipt of an initial SIP request for a dialog or standalone
728	   transaction.  If a request matches all conditions in a rule set, the
729	   action part and the transformation part are consulted to determine
730	   the "permission" on how to handle the request.  Each action or
731	   transformation specifies a positive grant to the policy server to
732	   perform the resulting actions.  Well-defined mechanism are available
733	   for combining actions and transformations obtained from more than one
734	   sources.

736	7.2.  Namespace

738	   The namespace URI for elements defined by this specification is a
739	   Uniform Resource Namespace (URN) ([RFC2141]), using the namespace
740	   identifier 'ietf' defined by [RFC2648] and extended by [RFC3688].
741	   The URN is as follows:

743	   urn:ietf:params:xml:ns:load-control

745	7.3.  Conditions

747	   [RFC4745] defines three condition elements: <identity>, <sphere> and
748	   <validity>.  In this specification, we define new condition elements
749	   and reuse the <validity> element.  The <sphere> element is not used.

751	7.3.1.  Call Identity

753	   Since the problem space of this specification is different from that
754	   of [RFC4745], the [RFC4745] <identity> element is not sufficient for
755	   use with load filtering.  First, load filtering may be applied to
756	   different identities contained in a request, including identities of
757	   both the receiving entity and the sending entity.  Second, the
758	   importance of authentication varies when different identities of a
759	   request are concerned.  This specification defines new identity
760	   conditions that can accommodate the granularity of specific SIP
761	   identity header fields.  The requirement for authentication depends
762	   on which field is to be matched.

764	   The identity condition for load filtering is specified by the <call-
765	   identity> element and its sub-element <sip>.  The <sip> element
766	   itself contains sub-elements representing SIP sending and receiving
767	   identity header fields: <from>, <to>, <request-uri> and <p-asserted-
768	   identity>.  All those sub-elements are of an extended form of the
769	   [RFC4745] <identity> element.  In addition to the sub-elements
770	   including <one>, <except>, and <many> in the [RFC4745] <identity>
771	   element, the extended form adds two new sub-elements, namely, <many-
772	   tel> and <except-tel>, which will be explained later in this section.

774	   The [RFC4745] <one> and <except> elements may contain an "id"
775	   attribute, which is the URI of a single entity to be included or
776	   excluded in the condition.  When used in the <from>, <to>, <request-
777	   uri> and <p-asserted-identity> elements, this "id" value is the URI
778	   contained in the corresponding SIP header field, i.e., From, To,
779	   Request-URI, and P-Asserted-Identity.

781	   When the <call-identity> element contains multiple <sip> sub-
782	   elements, the result is combined using logical OR.  When the <from>,
783	   <to>, <request-uri> and <p-asserted-identity> elements contain
784	   multiple <one> or <many> or <many-tel> sub-elements, the result is
785	   also combined using logical OR.  When the <many> sub-element further
786	   contains one or more <except> sub-elements, or when the <many-tel>
787	   sub-element further contains one or more <except-tel> sub-elements,
788	   the result of each <except> or <except-tel> sub-element is combined
789	   using a logical OR, similar to that of the [RFC4745] <identity>
790	   element.  However, when the <sip> element contains multiple of the
791	   <from>, <to>, <request-uri> and <p-asserted-identity> sub-elements,
792	   the result is combined using logical AND.  This allows the call
793	   identity to be specified by multiple fields of a SIP request
794	   simultaneously, e.g., both the From and the To header fields.

796	   The following shows an example of the <call-identity> element, which
797	   matches call requests whose To header field contains the SIP URI
798	   "sip:alice@hotline.example.com", or the 'tel' URI
799	   "tel:+1-212-555-1234".

801	               <call-identity>
802	                   <sip>
803	                       <to>
804	                           <one id="sip:alice@hotline.example.com"/>
805	                           <one id="tel:+1-212-555-1234"/>
806	                       </to>
807	                   </sip>
808	               </call-identity>

810	   Before evaluating call-identity conditions, the subscriber shall
811	   convert URIs received in SIP header fields in canonical form as per
812	   [RFC3261], except that the phone-context parameter shall not be
813	   removed, if present.

815	   The [RFC4745] <many> and <except> elements may take a "domain"
816	   attribute.  The "domain" attribute specifies a domain name to be
817	   matched by the domain part of the candidate identity.  Thus, it
818	   allows matching a large and possibly unknown number of entities
819	   within a domain.  The "domain" attribute works well for SIP URIs.

821	   A URI identifying a SIP user, however, can also be a 'tel' URI.  We
822	   therefore need a similar way to match a group of 'tel' URIs.
823	   According to [RFC3966], there are two forms of 'tel' URIs for global
824	   numbers and local numbers, respectively.  All phone numbers must be
825	   expressed in global form when possible.  The global number 'tel' URIs
826	   start with a "+".  The rest of the numbers are expressed as local
827	   numbers, which must be qualified by a "phone-context" parameter.  The
828	   "phone-context" parameter may be labelled as a global number or any
829	   number of its leading digits, or a domain name.  Both forms of the
830	   'tel' URI make the resulting URI globally unique.

832	   'Tel' URIs of global numbers can be grouped by prefixes consisting of
833	   any number of common leading digits.  For example, a prefix formed by
834	   a country code or both the country and area code identifies telephone
835	   numbers within a country or an area.  Since the length of the country
836	   and area code for different regions are different, the length of the
837	   number prefix also varies.  This allows further flexibility such as
838	   grouping the numbers into sub-areas within the same area code.  'Tel'
839	   URIs of local numbers can be grouped by the value of the "phone-
840	   context" parameter.

842	   The <many> and <except> sub-elements in the [RFC4745] <identity>
843	   element do not allow additional attributes to be added directly.
844	   Redefining behavior of their existing <domain> attribute creates
845	   backward-compatibility issues.  Therefore, this specification defines
846	   the <many-tel> and <except-tel> sub-elements that extend the
847	   [RFC4745] <identity> element.  Both of them have a "prefix" attribute
848	   for grouping 'tel' URIs, similar to the "domain" attribute for
849	   grouping SIP URIs in existing <many> and <except> sub-elements.  For
850	   global numbers, the "prefix" attribute value holds any number of
851	   common leading digits, for example, "+1-212" for U.S. phone numbers
852	   within area code "212" or "+1-212-854" for the organization with U.S.
853	   area code "212" and local prefix "854".  For local numbers, the
854	   "prefix" attribute value contains the "phone-context" parameter
855	   value.  It should be noted that visual separators (such as the "-"
856	   sign) in 'tel' URIs are not used for URI comparison as per [RFC3966].

858	   The following example shows the use of the "prefix" attribute along
859	   with the "domain" attribute.  It matches those requests calling to
860	   the number "+1-202-999-1234" but are not calling from a "+1-212"
861	   prefix or a SIP From URI domain of "manhattan.example.com".

863	            <call-identity>
864	                <sip>
865	                    <from>
866	                        <many>
867	                            <except domain="manhattan.example.com"/>
868	                        </many>
869	                        <many-tel>
870	                            <except-tel prefix="+1-212"/>
871	                        </many-tel>
872	                    </from>
873	                    <to>
874	                        <one id="tel:+1-202-999-1234"/>
875	                    </to>
876	                </sip>
877	            </call-identity>

879	7.3.2.  Method

881	   The load created on a SIP server depends on the type of initial SIP
882	   requests for dialogs or standalone transactions.  The <method>
883	   element specifies the SIP method to which the load filtering action
884	   applies.  When this element is not included, the load filtering
885	   actions are applicable to all applicable initial requests.  These
886	   requests include INVITE, MESSAGE, REGISTER, SUBSCRIBE, OPTIONS, and
887	   PUBLISH.  Non-initial requests, such as ACK, BYE and CANCEL MUST NOT
888	   be subjected to load filtering.  In addition, SUBSCRIBE requests are
889	   not filtered if the event-type header field indicates the event
890	   package defined in this specification.

892	   The following example shows the use of the <method> element in the
893	   case the filtering actions should be applied to INVITE requests.

895	        <method>INVITE</method>

897	7.3.3.  Target SIP Entity

899	   A SIP server that performs load filtering may have multiple paths to
900	   route call requests matching the same set of call identity elements.
901	   In those situations, the SIP load filtering server may desire to take
902	   advantage of alternative paths and only apply load filtering actions
903	   to matching requests for the next hop SIP entity that originated the
904	   corresponding load filtering policy.  To achieve that, the SIP load
905	   filtering server needs to associate every load filtering policy with
906	   its originating SIP entity.  The <target-sip-entity> element is
907	   defined for that purpose and it contains the URI of the entity that
908	   initiated the load filtering policy, which is generally the
909	   corresponding notifier.  A notifier MAY include this element as part
910	   of the condition of its filtering policy being sent to the
911	   subscriber, as below.

913	   <target-sip-entity>sip:biloxi.example.com</target-sip-entity>

915	   When a SIP load filtering server receives a policy with a <target-
916	   sip-entity> element, it SHOULD record it and take it into
917	   consideration when making load filtering decisions.  If the load
918	   filtering server receives a load filtering policy that does not
919	   contain a <target-sip-entity> element, it MAY still record the URI of
920	   the load filtering policy's originator as the <target-sip-entity>
921	   information and consider it when making load filtering decisions.

923	      The following are two examples of using the <target-sip-entity>
924	      element.

926	      Use case I: the network has user A connected to SIP Proxy 1 (SP1),
927	      user B connected to SIP Proxy 3 (SP3), SP1 and SP3 connected via
928	      SIP Proxy 2 (SP2), and SP2 connected to an Application Server
929	      (AS).  Under normal load conditions, a call from A to B is routed
930	      along the following path: A-SP1-SP2-AS-SP3-B. The AS provides a
931	      non-essential service and can be bypassed in case of overload.
932	      Now let's assume that AS is overloaded and sends to SP2 a load
933	      filtering policy requesting that 50% of all INVITE requests be
934	      dropped.  SP2 can maintain AS as the <target-sip-entity> for that
935	      policy so that it knows the 50% drop action is only applicable to
936	      call requests that must go through AS, without affecting those
937	      calls directly routed through SP3 to B.

939	      Use case II: An 800 translation service is installed on two
940	      Application Servers, AS1 and AS2.  User A is connected to SP1 and
941	      calls 800-1234-4529, which is translated by AS1 and AS2 into a
942	      regular E.164 number depending on, e.g., the caller's location.
943	      SP1 forwards INVITE requests with Request-URI = "800 number" to
944	      AS1 or AS2 based on a load balancing strategy.  As calls to
945	      800-1234-4529 creates a pre-overload condition in AS1, AS1 sends
946	      to SP1 a load filtering policy requesting that 50% of calls
947	      towards 800-1234-4529 be rejected.  In this case, SP1 can maintain
948	      AS1 as the <target-sip-entity> for the rule, and only apply the
949	      load filtering policy on incoming requests that are intended to be
950	      sent to AS1.  Those requests that are sent to AS2, although
951	      matching the <call-identity> of the filter, will not be affected.

953	7.3.4.  Validity

955	   A filtering policy is usually associated with a validity period
956	   condition.  This specification reuses the <validity> element of

958	   [RFC4745], which specifies a period of validity time by pairs of
959	   <from> and <until> sub-elements.  When multiple time periods are
960	   defined, the validity condition is evaluated to TRUE if the current
961	   time falls into any of the specified time periods. i.e., it
962	   represents a logical OR operation across all validity time periods.

964	   The following example shows a <validity> element specifying a valid
965	   period from 12:00 to 15:00 US Eastern Standard Time on 2008-05-31.

967	            <validity>
968	                <from>2008-05-31T12:00:00-05:00</from>
969	                <until>2008-05-31T15:00:00-05:00</until>
970	            </validity>

972	7.4.  Actions

974	   The actions a load filtering server takes on loads matching the load
975	   filtering conditions are defined by the <accept> element in the load
976	   filtering policy, which includes any one of the three sub-elements
977	   <rate>, <percent>, and <win>.  The <rate> element denotes an absolute
978	   value of the maximum acceptable request rate in requests per second;
979	   the <percent> element specifies the relative percentage of incoming
980	   requests that should be accepted; the <win> element describes the
981	   acceptable window size supplied by the receiver, which is applicable
982	   in window-based load filtering.  In static load filtering policy
983	   configuration scenarios, using the <rate> sub-element is RECOMMENDED
984	   because it is hard to enforce the percentage rate or window-based
985	   load filtering when incoming load from upstream or reactions from
986	   downstream are uncertain.  (See [I-D.ietf-soc-overload-control]
987	   [RFC6357] for more details on rate-based, loss-based and window-based
988	   load control.)

990	   In addition, the <accept> element takes an optional "alt-action"
991	   attribute which can be used to explicitly specify the desired action
992	   in case a request cannot be processed.  The "alt-action" can take one
993	   of the following three values: "reject", "redirect" and "drop".

995	   o  The "reject" action is the default value for "alt-action".  It
996	      means that the load filtering server will reject the request with
997	      a 503 (Service Unavailable) response message.

999	   o  The "redirect" action means redirecting the request to another
1000	      target.  When it is used, an "alt-target" attribute MUST be
1001	      defined.  The "alt-target" specifies one URI or a list of URIs
1002	      where the request should be redirected.  The server sends out the
1003	      redirect URIs in a 300-class response message.

1005	   o  The "drop" action means simply ignoring the request without doing
1006	      anything, which can in certain cases help save processing
1007	      capability during overload.  For example, when SIP is running over
1008	      a reliable transport such as TCP, the "drop" action does not send
1009	      out the rejection response, neither does it close the transport
1010	      connection.  The "drop" action is generally also good at dealing
1011	      with telephony DOS attacks.  However, when running SIP over an
1012	      unreliable transport such as UDP, using the "drop" action will
1013	      create message retransmissions that further worsen the possible
1014	      overload situation.  Therefore, any "drop" action applied to an
1015	      unreliable transport MUST be treated as if it were "reject".

1017	   In the following <actions> element example, the server accepts
1018	   maximum of 100 call requests per second.  The remaining calls are
1019	   redirected to an answering machine.

1021	        <actions>
1022	            <accept alt-action="redirect" alt-target=
1023	                    "sip:answer-machine@example.com">
1024	                <rate>100</rate>
1025	            </accept>
1026	        </actions>

1028	7.5.  Complete Examples

1030	7.5.1.  Load Control Document Examples

1032	   This section presents two complete examples of load control documents
1033	   valid with respect to the XML schema defined in Section 8.

1035	   The first example assumes that a set of hotlines are set up at
1036	   "sip:alice@hotline.example.com" and "tel:+1-212-555-1234".  The
1037	   hotlines are activated from 12:00 to 15:00 US Eastern Standard Time
1038	   on 2008-05-31.  The goal is to limit the incoming calls to the
1039	   hotlines to 100 requests per second.  Calls that exceed the rate
1040	   limit are explicitly rejected.

1042	   <?xml version="1.0" encoding="UTF-8"?>
1043	   <ruleset xmlns="urn:ietf:params:xml:ns:common-policy"
1044	               xmlns:lc="urn:ietf:params:xml:ns:load-control"
1045	               version="0" state="full">

1047	       <rule id="f3g44k1">
1048	           <conditions>
1049	               <lc:call-identity>
1050	                   <lc:sip>
1051	                       <lc:to>
1052	                           <one id="sip:alice@hotline.example.com"/>
1053	                           <one id="tel:+1-212-555-1234"/>

1055	                       </lc:to>
1056	                   </lc:sip>
1057	               </lc:call-identity>
1058	               <method>INVITE</method>
1059	               <validity>
1060	                   <from>2008-05-31T12:00:00-05:00</from>
1061	                   <until>2008-05-31T15:00:00-05:00</until>
1062	               </validity>
1063	           </conditions>
1064	           <actions>
1065	               <lc:accept alt-action="reject">
1066	                   <lc:rate>100</lc:rate>
1067	               </lc:accept>
1068	           </actions>

1070	       </rule>
1071	   </ruleset>

1073	   The second example considers optimizing server resource usage of a
1074	   three-day period during the aftermath of a hurricane.  Incoming calls
1075	   to the domain "sandy.example.com" or to call destinations with prefix
1076	   "+1-212" will be limited to a rate of 100 requests per second, except
1077	   for those calls originating from a particular rescue team domain
1078	   "rescue.example.com".  Outgoing calls from the hurricane domain or
1079	   calls within the local domain are never limited.  All calls that are
1080	   throttled due to the rate limit will be forwarded to an answering
1081	   machine with updated hurricane rescue information.

1083	   <?xml version="1.0" encoding="UTF-8"?>
1084	   <ruleset xmlns="urn:ietf:params:xml:ns:common-policy"
1085	       xmlns:lc="urn:ietf:params:xml:ns:load-control"
1086	       version="1" state="full">

1088	       <rule id="f3g44k2">
1089	           <conditions>
1090	               <lc:call-identity>
1091	                   <lc:sip>
1092	                       <lc:to>
1093	                           <many domain="sandy.example.com"/>
1094	                           <many-tel prefix="+1-212"/>
1095	                       </lc:to>
1096	                       <lc:from>
1097	                           <many>
1098	                               <except domain="sandy.example.com"/>
1099	                               <except domain="rescue.example.com"/>
1100	                           </many>
1101	                       </lc:from>

1103	                   </lc:sip>
1104	               </lc:call-identity>
1105	               <method>INVITE</method>
1106	               <validity>
1107	                   <from>2012-10-25T09:00:00+01:00</from>
1108	                   <until>2012-10-28T09:00:00+01:00</until>
1109	               </validity>
1110	           </conditions>
1111	           <actions>
1112	               <lc:accept alt-action="redirect" alt-target=
1113	                       "sip:sandy@update.example.com">
1114	                   <lc:rate>100</lc:rate>
1115	               </lc:accept>
1116	           </actions>

1118	       </rule>
1119	   </ruleset>

1121	   Sometimes it may occur that multiple rules in a ruleset define
1122	   actions that match the same methods, call identity and validity.  In
1123	   those cases, the "first-match-wins" principle is used.  For example,
1124	   in the following ruleset, the first rule requires all calls from the
1125	   "example.com" domain to be rejected.  Even though the rule following
1126	   that one specifies that calls from "sip:alice@example.com" be
1127	   redirected to a specific target "sip:eve@example.com", the calls from
1128	   "sip:alice@example.com" will still be rejected because they have
1129	   already been matched by the earlier rule.

1131	   <?xml version="1.0" encoding="UTF-8"?>
1132	   <ruleset xmlns="urn:ietf:params:xml:ns:common-policy"
1133	       xmlns:lc="urn:ietf:params:xml:ns:load-control"
1134	       version="1" state="full">

1136	       <rule id="f3g44k3">
1137	           <conditions>
1138	               <lc:call-identity>
1139	                   <lc:sip>
1140	                       <lc:from>
1141	                           <many domain="example.com"/>
1142	                       </lc:from>
1143	                   </lc:sip>
1144	               </lc:call-identity>
1145	               <method>INVITE</method>
1146	               <validity>
1147	                   <from>2013-7-2T09:00:00+01:00</from>
1148	                   <until>2013-7-3T09:00:00+01:00</until>
1149	               </validity>

1151	           </conditions>
1152	           <actions>
1153	               <lc:accept alt-action="reject">
1154	                   <lc:rate>0</lc:rate>
1155	               </lc:accept>
1156	           </actions>
1157	       </rule>

1159	       <rule id="f3g44k4">
1160	           <conditions>
1161	               <lc:call-identity>
1162	                   <lc:sip>
1163	                       <lc:from>
1164	                           <one id="sip:alice@example.com"/>
1165	                       </lc:from>
1166	                   </lc:sip>
1167	               </lc:call-identity>
1168	               <method>INVITE</method>
1169	               <validity>
1170	                   <from>2013-7-2T09:00:00+01:00</from>
1171	                   <until>2013-7-3T09:00:00+01:00</until>
1172	               </validity>
1173	           </conditions>
1174	           <actions>
1175	               <lc:accept alt-action="redirect" alt-target=
1176	                       "sip:eve@example.com">
1177	                   <lc:rate>0</lc:rate>
1178	               </lc:accept>
1179	           </actions>
1180	       </rule>

1182	   </ruleset>

1184	7.5.2.  Message Flow Examples

1186	   This section presents an example message flow of using the load
1187	   control event package mechanism defined in this specification.

1189	      atlanta             biloxi
1190	         | F1 SUBSCRIBE      |
1191	         |------------------>|
1192	         | F2 200 OK         |
1193	         |<------------------|
1194	         | F3 NOTIFY         |
1195	         |<------------------|
1196	         | F4 200 OK         |
1197	         |------------------>|

1199	      F1 SUBSCRIBE atlanta.example.com -> biloxi.example.com

1201	         SUBSCRIBE sip:biloxi.example.com SIP/2.0
1202	         Via: SIP/2.0/TCP atlanta.example.com;branch=z9hG4bKy7cjbu3
1203	         From: sip:atlanta.example.com;tag=162ab5
1204	         To: sip:biloxi.example.com
1205	         Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com
1206	         CSeq: 2012 SUBSCRIBE
1207	         Contact: sip:atlanta.example.com
1208	         Event: load-control
1209	         Max-Forwards: 70
1210	         Accept: application/load-control+xml
1211	         Expires: 3600
1212	         Content-Length: 0

1214	      F2 200 OK   biloxi.example.com -> atlanta.example.com

1216	         SIP/2.0 200 OK
1217	         Via: SIP/2.0/TCP biloxi.example.com;branch=z9hG4bKy7cjbu3
1218	           ;received=192.0.2.1
1219	         To: <sip:biloxi.example.com>;tag=331dc8
1220	         From: <sip:atlanta.example.com>;tag=162ab5
1221	         Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com
1222	         CSeq: 2012 SUBSCRIBE
1223	         Expires: 3600
1224	         Contact: sip:biloxi.example.com
1225	         Content-Length: 0

1227	      F3 NOTIFY  biloxi.example.com -> atlanta.example.com

1229	         NOTIFY sip:atlanta.example.com SIP/2.0
1230	         Via: SIP/2.0/TCP biloxi.example.com;branch=z9hG4bKy71g2ks
1231	         From: <sip:biloxi.example.com>;tag=331dc8
1232	         To: <sip:atlanta.example.com>;tag=162ab5
1233	         Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com
1234	         Event: load-control
1235	         Subscription-State: active;expires=3599
1236	         Max-Forwards: 70
1237	         CSeq: 1775 NOTIFY
1238	         Contact: sip:biloxi.example.com
1239	         Content-Type: application/load-control+xml
1240	         Content-Length: ...

1242	         [Load Control Document]

1244	      F4 200 OK atlanta.example.com -> biloxi.example.com
1245	         SIP/2.0 200 OK
1246	         Via: SIP/2.0/TCP atlanta.example.com;branch=z9hG4bKy71g2ks
1247	           ;received=192.0.2.2
1248	         From: <sip:biloxi.example.com>;tag=331dc8
1249	         To: <sip:atlanta.example.com>;tag=162ab5
1250	         Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com
1251	         CSeq: 1775 NOTIFY
1252	         Content-Length: 0

1254	8.  XML Schema Definition for Load Control

1256	   This section defines the XML schema for the load control document.
1257	   It extends the Common Policy schema in [RFC4745] in two ways.
1258	   Firstly, it defines two mandatory attributes for the <ruleset>
1259	   element: version and state.  The version attribute allows the
1260	   recipient of the notification to properly order them.  Versions start
1261	   at 0, and increase by one for each new document sent to a subscriber
1262	   within the same subscription.  Versions MUST be representable using a
1263	   non-negative 32 bit integer.  The state attribute indicates whether
1264	   the document contains a full load filtering policy update, or whether
1265	   it contains only state delta as partial update.  Secondly, it defines
1266	   new members of the <conditions> and <actions> elements.

1268	   <?xml version="1.0" encoding="UTF-8"?>
1269	   <xs:schema targetNamespace="urn:ietf:params:xml:ns:load-control"
1270	       xmlns:lc="urn:ietf:params:xml:ns:load-control"
1271	       xmlns:cp="urn:ietf:params:xml:ns:common-policy"
1272	       xmlns:xs="http://www.w3.org/2001/XMLSchema"
1273	       elementFormDefault="qualified"
1274	       attributedFormDefault="unqualified">

1276	   <xs:import namespace="urn:ietf:params:xml:ns:common-policy"/>

1278	   <!-- RULESET -->

1280	   <xs:element name="ruleset">
1281	     <xs:complexType>
1282	       <xs:complexContent>
1283	         <xs:restriction base="xs:anyType">
1284	           <xs:sequence>
1285	             <xs:element name="rule" type="cp:ruleType"
1286	             minOccurs="0" maxOccurs="unbounded"/>
1287	           </xs:sequence>
1288	         </xs:restriction>
1289	       </xs:complexContent>
1290	       <xs:attribute name="version" type="xs:integer" use="required"/>
1291	       <xs:attribute name="state" use="required">
1292	         <xs:simpleType>
1293	           <xs:restriction base="xs:string">
1294	             <xs:enumeration value="full"/>
1295	             <xs:enumeration value="partial"/>
1296	           </xs:restriction>
1297	         </xs:simpleType>
1298	       </xs:attribute>
1299	     </xs:complexType>
1300	   </xs:element>

1302	   <!-- CONDITIONS -->

1304	   <!-- CALL IDENTITY -->
1305	   <xs:element name="call-identity" type="lc:call-identity-type"/>

1307	   <!-- CALL IDENTITY TYPE -->
1308	   <xs:complexType name="call-identity-type">
1309	     <xs:choice>
1310	       <xs:element name="sip" type="lc:sip-id-type"/>
1311	       <any namespace="##other" processContents="lax" minOccurs="0"
1312	       maxOccurs="unbounded"/>
1313	     </xs:choice>
1314	     <anyAtrribute namespace="##other" processContents="lax"/>
1315	   </xs:complexType>

1317	   <!-- SIP ID TYPE -->
1318	   <xs:complexType name="sip-id-type">
1319	     <xs:sequence>
1320	       <element name="from" type="lc:identityType" minOccurs="0"/>
1321	       <element name="to" type="lc:identityType" minOccurs="0"/>
1322	       <element name="request-uri" type="lc:identityType"
1323	       minOccurs="0"/>
1324	       <element name="p-asserted-identity" type="lc:identityType"
1325	       minOccurs="0"/>
1326	       <any namespace="##other" processContents="lax" minOccurs="0"
1327	       maxOccurs="unbounded"/>
1328	     </xs:sequence>
1329	     <anyAtrribute namespace="##other" processContents="lax"/>
1330	   </xs:complexType>

1332	   <!-- IDENTITY TYPE -->
1333	   <xs:complexType name="identityType">
1334	     <xs:complexContent>
1335	       <xs:restriction base="xs:anyType">
1336	         <xs:choice minOccurs="1" maxOccurs="unbounded">
1337	           <xs:element name="one" type="cp:oneType"/>
1338	           <xs:element name="many" type="lc:manyType"/>
1339	           <xs:element name="many-tel" type="lc:manyTelType"/>
1340	           <xs:any namespace="##other" processContents="lax"/>
1341	         </xs:choice>
1342	       </xs:restriction>
1343	     </xs:complexContent>
1344	   </xs:complexType>

1346	   <!-- MANY-TEL TYPE -->
1347	   <xs:complexType name="manyTelType">
1348	     <xs:complexContent>
1349	       <xs:restriction base="xs:anyType">
1350	         <xs:choice minOccurs="0" maxOccurs="unbounded">
1351	           <xs:element name="except-tel" type="lc:exceptTelType"/>
1352	           <xs:any namespace="##other"
1353	           minOccurs="0" processContents="lax"/>
1354	         </xs:choice>
1355	         <xs:attribute name="prefix"
1356	         use="optional" type="xs:string"/>
1357	       </xs:restriction>
1358	     </xs:complexContent>
1359	   </xs:complexType>

1361	   <!-- EXCEPT-TEL TYPE -->
1362	   <xs:complexType name="exceptTelType">
1363	     <xs:attribute name="prefix" type="xs:string" use="optional"/>
1364	     <xs:attribute name="id" type="xs:anyURI" use="optional"/>
1365	   </xs:complexType>

1367	   <!-- METHOD -->
1368	   <xs:element name="method" type="lc:method-type"/>

1370	   <!-- METHOD TYPE -->
1371	   <xs:simpleType name="method-type">
1372	     <xs:restriction base="xs:string">
1373	       <xs:enumeration value="INVITE"/>
1374	       <xs:enumeration value="MESSAGE"/>
1375	       <xs:enumeration value="REGISTER"/>
1376	       <xs:enumeration value="SUBSCRIBE"/>
1377	       <xs:enumeration value="OPTIONS"/>
1378	       <xs:enumeration value="PUBLISH"/>
1379	     </xs:restriction>
1380	   </xs:simpleType>

1382	   <!-- TARGET SIP ENTITY -->
1383	   <xs:element name="target-sip-entity" type="xs:anyURI" minOccurs="0"/>

1385	   <!-- ACTIONS -->
1386	   <xs:element name="accept">
1387	     <xs:choice>
1388	       <element name="rate" type="xs:decimal" minOccurs="0"/>
1389	       <element name="win" type="xs:integer" minOccurs="0"/>
1390	       <element name="percent" type="xs:decimal" minOccurs="0"/>
1391	       <any namespace="##other" processContents="lax" minOccurs="0"
1392	       maxOccurs="unbounded"/>
1393	     </xs:choice>
1394	     <xs:attribute name="alt-action" type="xs:string" default="reject"/>
1395	     <xs:attribute name="alt-target" type="lc:alt-target-type"
1396	     use="optional"/>
1397	     <anyAtrribute namespace="##other" processContents="lax"/>
1398	   </xs:element>

1400	   <!-- ALT TARGET TYPE -->
1401	   <xs:simpleType name="alt-target-type">
1402	     <xs:list itemType="xs:anyURI"/>
1403	   </xs:simpleType>

1405	   </xs:schema>

1407	9.  Related Work

1409	9.1.  Relationship with Load Filtering in PSTN

1411	   It is known that existing PSTN network also uses a load filtering
1412	   mechanism to prevent overload and the filtering policy configuration
1413	   is done manually except in specific cases when the Intelligent
1414	   Network architecture is used [Q.1248.2][E.412].  This specification
1415	   defines a load filtering mechanism based on the SIP event
1416	   notification framework that allows automated filtering policy
1417	   distribution in suitable environments.

1419	   There are control messages associated with PSTN overload control
1420	   which would specify an outgoing control list, call gap duration and
1421	   control duration [Q.1248.2][E.412].  These items could be roughly
1422	   correlated to the identity, action and time fields of the SIP load
1423	   filtering policy defined in this specification.  However, the load
1424	   filtering policy defined in this specification is much more generic
1425	   and flexible as opposed to its PSTN counterpart.

1427	   Firstly, PSTN load filtering only applies to telephone numbers.  The
1428	   identity element of SIP load filtering policy allows both SIP URI and
1429	   telephone numbers (through 'tel' URI) to be specified.  These
1430	   identities can be arbitrarily grouped by SIP domains or any number of
1431	   leading prefix of the telephone numbers.

1433	   Secondly, the PSTN load filtering action is usually limited to call
1434	   gapping.  The action field in SIP load filtering policy allows more
1435	   flexible possibilities such as rate throttle and others.

1437	   Thirdly, the duration field in PSTN load filtering specifies a value
1438	   in seconds for the load filtering duration only, and the allowed
1439	   values are mapped into a value set.  The time field in SIP load
1440	   filtering policy may specify not only a duration, but also a future
1441	   activation time which could be especially useful for automating load
1442	   filtering for predictable overloads.

1444	   PSTN load filtering can be performed in both edge switches and
1445	   transit switches; SIP load filtering can also be applied in both edge
1446	   proxy servers and core proxy servers, and even in capable user
1447	   agents.

1449	   PSTN load filtering also has special accommodation for High
1450	   Probability of Completion (HPC) calls, which would be similar to
1451	   calls designated by the SIP Resource Priority Headers [RFC4412].  SIP
1452	   load filtering mechanism also allows prioritizing the treatment of
1453	   these calls by specifying favorable actions for them.

1455	   PSTN load filtering also provides administrative option for routing
1456	   failed call attempts to either a reorder tone [E.300SerSup3]
1457	   indicating overload conditions, or a special recorded announcement.
1458	   Similar capability can be provided in SIP load filtering mechanism by
1459	   specifying appropriate "alt-action" attribute in the SIP load
1460	   filtering action field.

1462	9.2.  Relationship with Other IETF SIP Overload Control Efforts

1464	   The load filtering policies in this specification consist of
1465	   identity, action and time.  The identity can range from a single
1466	   specific user to an arbitrary user aggregate, domains or areas.  The
1467	   user can be identified by either the source or the destination.  When
1468	   the user is identified by the source and a favorable action is
1469	   specified, the result is to some extent similar to identifying a
1470	   priority user based on authorized Resource Priority Headers [RFC4412]
1471	   in the requests.  Specifying a source user identity with an
1472	   unfavorable action would cause an effect to some extent similar to an
1473	   inverse SIP resource priority mechanism.

1475	   The load filtering policy defined in this specification is generic
1476	   and expected to be applicable not only to the load filtering
1477	   mechanism but also to the feedback overload control mechanism in
1478	   [I-D.ietf-soc-overload-control].  In particular, both mechanisms
1479	   could use specific or wildcard identities for load control and could
1480	   share well-known load control actions.  The time duration field in
1481	   the load filtering policy could also be used in both mechanisms.  As
1482	   mentioned in Section 1, the load filtering policy distribution
1483	   mechanism and the feedback overload control mechanism address
1484	   complementary areas in the overload control problem space.  Load
1485	   filtering is more proactive and focuses on distributing filtering
1486	   policies towards the source of the traffic; the hop-by-hop feedback-
1487	   based approach is reactive and targets more at traffic already
1488	   accepted in the network.  Therefore, they could also make different
1489	   use of the generic load filtering policy components.  For example,
1490	   the load filtering mechanism may use the time field in the filtering
1491	   policy to specify not only a control duration but also a future
1492	   activation time to accommodate a predicable overload such as the one
1493	   caused by Mother's Day greetings or a viewer-voting program; the
1494	   feedback-based control might not need to use the time field or might
1495	   use the time field to specify an immediate load control duration.

1497	10.  Discussion of this specification meeting the requirements of
1498	     RFC5390

1500	   This section evaluates whether the load control event package
1501	   mechanism defined in this specification satisfies various SIP
1502	   overload control requirements set forth by RFC5390 [RFC5390].  Not
1503	   all RFC5390 requirements are found applicable due to the scope of
1504	   this specification.  Therefore, we categorize the assessment results
1505	   into Yes (meet the requirement), P/A (Partially Applicable), No (must
1506	   be used in conjunction with another mechanism to meet the
1507	   requirement), and N/A (Not Applicable).

1509	      REQ 1: The overload mechanism shall strive to maintain the overall
1510	      useful throughput (taking into consideration the quality-of-
1511	      service needs of the using applications) of a SIP server at
1512	      reasonable levels, even when the incoming load on the network is
1513	      far in excess of its capacity.  The overall throughput under load
1514	      is the ultimate measure of the value of an overload control
1515	      mechanism.

1517	   P/A. The goal of the load filtering is to prevent overload or
1518	   maintain overall goodput during the time of overload, but it is
1519	   dependent on the advance predictions of the load.  If the predictions
1520	   are incorrect, in either direction, the effectiveness of the
1521	   mechanism will be affected.

1523	      REQ 2: When a single network element fails, goes into overload, or
1524	      suffers from reduced processing capacity, the mechanism should
1525	      strive to limit the impact of this on other elements in the
1526	      network.  This helps to prevent a small-scale failure from
1527	      becoming a widespread outage.

1529	   N/A if load filtering policies are installed in advance and do not
1530	   change during the potential overload period.  P/A if load filtering
1531	   policies are dynamically adjusted.  The algorithm to dynamically
1532	   compute load filtering policies is outside the scope of this
1533	   specification, while the distribution of the updated filtering
1534	   policies uses the event package mechanism of this specification.

1536	      REQ 3: The mechanism should seek to minimize the amount of
1537	      configuration required in order to work.  For example, it is
1538	      better to avoid needing to configure a server with its SIP message
1539	      throughput, as these kinds of quantities are hard to determine.

1541	   No.  This mechanism is entirely dependent on advance configuration,
1542	   based on advance knowledge.  In order to satisfy Req 3, it should be
1543	   used in conjunction with other mechanisms which are not based on
1544	   advance configuration.

1546	      REQ 4: The mechanism must be capable of dealing with elements that
1547	      do not support it, so that a network can consist of a mix of
1548	      elements that do and don't support it.  In other words, the
1549	      mechanism should not work only in environments where all elements
1550	      support it.  It is reasonable to assume that it works better in
1551	      such environments, of course.  Ideally, there should be
1552	      incremental improvements in overall network throughput as
1553	      increasing numbers of elements in the network support the
1554	      mechanism.

1556	   No.  This mechanism is entirely dependent on the participation of all
1557	   possible neighbors.  In order to satisfy Req 4, it should be used in
1558	   conjunction with other mechanisms, some of which are described in
1559	   Section 5.4.

1561	      REQ 5: The mechanism should not assume that it will only be
1562	      deployed in environments with completely trusted elements.  It
1563	      should seek to operate as effectively as possible in environments
1564	      where other elements are malicious; this includes preventing
1565	      malicious elements from obtaining more than a fair share of
1566	      service.

1568	   No.  This mechanism is entirely dependent on the non-malicious
1569	   participation of all possible neighbors.  In order to satisfy Req 5,
1570	   it should be used in conjunction with other mechanisms, some of which
1571	   are described in Section 5.4.

1573	      REQ 6: When overload is signaled by means of a specific message,
1574	      the message must clearly indicate that it is being sent because of
1575	      overload, as opposed to other, non overload-based failure
1576	      conditions.  This requirement is meant to avoid some of the
1577	      problems that have arisen from the reuse of the 503 response code
1578	      for multiple purposes.  Of course, overload is also signaled by
1579	      lack of response to requests.  This requirement applies only to
1580	      explicit overload signals.

1582	   N/A. This mechanism signals anticipated overload, not actual
1583	   overload.  However the signals in this mechanism are not used for any
1584	   other purpose.

1586	      REQ 7: The mechanism shall provide a way for an element to
1587	      throttle the amount of traffic it receives from an upstream
1588	      element.  This throttling shall be graded so that it is not all-
1589	      or-nothing as with the current 503 mechanism.  This recognizes the
1590	      fact that "overload" is not a binary state and that there are
1591	      degrees of overload.

1593	   Yes. This event package allows rate/loss/window-based overload
1594	   control options as discussed in Section 7.4.

1596	      REQ 8: The mechanism shall ensure that, when a request was not
1597	      processed successfully due to overload (or failure) of a
1598	      downstream element, the request will not be retried on another
1599	      element that is also overloaded or whose status is unknown.  This
1600	      requirement derives from REQ 1.

1602	   N/A to the load control event package mechanism itself.

1604	      REQ 9: That a request has been rejected from an overloaded element
1605	      shall not unduly restrict the ability of that request to be
1606	      submitted to and processed by an element that is not overloaded.
1607	      This requirement derives from REQ 1.

1609	   Yes. For example, load filtering policy [Section 5.1] allows the
1610	   inclusion of alternative forwarding destinations for rejected
1611	   requests.

1613	      REQ 10: The mechanism should support servers that receive requests
1614	      from a large number of different upstream elements, where the set
1615	      of upstream elements is not enumerable.

1617	   No.  Because this mechanism requires advance configuration of
1618	   specifically identified neighbors, it does not support environments
1619	   where the number and identity of the upstream neighbors are not known
1620	   in advance.  In order to satisfy Req 10, it should be used in
1621	   conjunction with other mechanisms.

1623	      REQ 11: The mechanism should support servers that receive requests
1624	      from a finite set of upstream elements, where the set of upstream
1625	      elements is enumerable.

1627	   Yes. See also answer to REQ 10.

1629	      REQ 12: The mechanism should work between servers in different
1630	      domains.

1632	   Yes. The load control event package mechanism is not limited by
1633	   domain boundaries.  However, it is likely more applicable in intra-
1634	   domain scenarios than in inter-domain scenarios due to security and
1635	   other concerns (See also Section 5.4).

1637	      REQ 13: The mechanism must not dictate a specific algorithm for
1638	      prioritizing the processing of work within a proxy during times of
1639	      overload.  It must permit a proxy to prioritize requests based on
1640	      any local policy, so that certain ones (such as a call for
1641	      emergency services or a call with a specific value of the
1642	      Resource-Priority header field [RFC4412]) are given preferential
1643	      treatment, such as not being dropped, being given additional
1644	      retransmission, or being processed ahead of others.

1646	   P/A. This mechanism does not specifically address the prioritizing of
1647	   work during times of overload.  But it does not preclude any
1648	   particular local policy.

1650	      REQ 14: The mechanism should provide unambiguous directions to
1651	      clients on when they should retry a request and when they should
1652	      not.  This especially applies to TCP connection establishment and
1653	      SIP registrations, in order to mitigate against avalanche restart.

1655	   N/A to the load control event package mechanism itself.

1657	      REQ 15: In cases where a network element fails, is so overloaded
1658	      that it cannot process messages, or cannot communicate due to a
1659	      network failure or network partition, it will not be able to
1660	      provide explicit indications of the nature of the failure or its
1661	      levels of congestion.  The mechanism must properly function in
1662	      these cases.

1664	   P/A. Because the load filtering policies are provisioned in advance,
1665	   they are not affected by the overload or failure of other network
1666	   elements.  But, on the other hand, they may not, in those cases, be
1667	   able to protect the overloaded network elements (see Req 1).

1669	      REQ 16: The mechanism should attempt to minimize the overhead of
1670	      the overload control messaging.

1672	   Yes. The standardized SIP event package mechanism [RFC6665] is used.

1674	      REQ 17: The overload mechanism must not provide an avenue for
1675	      malicious attack, including DoS and DDoS attacks.

1677	   P/A. This mechanism does provide a potential avenue for malicious
1678	   attacks.  Therefore the security mechanisms for SIP event packages in
1679	   general [RFC6665] and of section 10 of this specification should be
1680	   used.

1682	      REQ 18: The overload mechanism should be unambiguous about whether
1683	      a load indication applies to a specific IP address, host, or URI,
1684	      so that an upstream element can determine the load of the entity
1685	      to which a request is to be sent.

1687	   Yes. The identity of load indication is covered in the load filtering
1688	   policy format definition in Section 5.1.

1690	      REQ 19: The specification for the overload mechanism should give
1691	      guidance on which message types might be desirable to process over
1692	      others during times of overload, based on SIP-specific
1693	      considerations.  For example, it may be more beneficial to process
1694	      a SUBSCRIBE refresh with Expires of zero than a SUBSCRIBE refresh
1695	      with a non-zero expiration (since the former reduces the overall
1696	      amount of load on the element), or to process re-INVITEs over new
1697	      INVITEs.

1699	   N/A to the load control event package mechanism itself.

1701	      REQ 20: In a mixed environment of elements that do and do not
1702	      implement the overload mechanism, no disproportionate benefit
1703	      shall accrue to the users or operators of the elements that do not
1704	      implement the mechanism.

1706	   No.  This mechanism is entirely dependent on the participation of all
1707	   possible neighbors.  In order to satisfy Req 20, it should be used in
1708	   conjunction with other mechanisms, some of which are described in
1709	   Section 5.4.

1711	      REQ 21: The overload mechanism should ensure that the system
1712	      remains stable.  When the offered load drops from above the
1713	      overall capacity of the network to below the overall capacity, the
1714	      throughput should stabilize and become equal to the offered load.

1716	   N/A to the load control event package mechanism itself.

1718	      REQ 22: It must be possible to disable the reporting of load
1719	      information towards upstream targets based on the identity of
1720	      those targets.  This allows a domain administrator who considers
1721	      the load of their elements to be sensitive information, to
1722	      restrict access to that information.  Of course, in such cases,
1723	      there is no expectation that the overload mechanism itself will
1724	      help prevent overload from that upstream target.

1726	   N/A to the load control event package mechanism itself.

1728	      REQ 23: It must be possible for the overload mechanism to work in
1729	      cases where there is a load balancer in front of a farm of
1730	      proxies.

1732	   Yes. The load control event package mechanism does not preclude its
1733	   use in a scenario with server farms.

1735	11.  Security Considerations

1737	   Two aspects of security considerations arise from this specification.
1738	   One is the SIP event notification framework-based load filtering
1739	   policy distribution mechanism, the other is the load filtering policy
1740	   enforcement mechanism.

1742	   Security considerations for SIP event package mechanisms are covered
1743	   in Section 6 of [RFC6665].  A particularly relevant security concern
1744	   for this event package is that if the notifiers can be spoofed,
1745	   attackers can send fake notifications asking subscribers to throttle
1746	   all traffic, leading to Denial-of-Service attacks.  Therefore, this
1747	   SIP load filtering mechanism MUST be used in a Trust Domain
1748	   (Section 5.4).  But if a legitimate notifier in the Trust Domain is
1749	   itself compromised, additional mechanisms will be needed to detect
1750	   the attack.

1752	   Security considerations for load filtering policy enforcement depends
1753	   very much on the contents of the policy.  This specification defines
1754	   possible match of the following SIP header fields in a load filtering
1755	   policy: <from>, <to>, <request-uri> and <p-asserted-identity>.  The
1756	   exact requirement to authenticate and authorize these fields is up to
1757	   the service provider.  In general, if the identity field represents
1758	   the source of the request, it SHOULD be authenticated and authorized;
1759	   if the identity field represents the destination of the request, the
1760	   authentication and authorization is optional.

1762	   In addition, there could be one specific type of attack around the
1763	   use the "redirect" action (Section 7.4).  Assuming a number of SIP
1764	   proxy servers in a Trust Domain are using UDP, and configured to get
1765	   their policies from a central server.  An attacker spoofs the central
1766	   server's address to send a number of NOTIFY bodies telling the proxy
1767	   servers to redirect all calls to victim@outside-of-trust-domain.com.
1768	   The proxy servers then redirect all calls to victim, who is then
1769	   DoSed off of the Internet.  To address this type of threat, this
1770	   document requires that a Trust Domain agrees on what types of calls
1771	   can be affected as well as on the destinations to which calls may be
1772	   redirected, as in Section 5.4.

1774	12.  IANA Considerations

1776	   This specification registers a SIP event package, a new MIME type, a
1777	   new XML namespace, and a new XML schema.

1779	12.1.  Load Control Event Package Registration

1781	   This section registers an event package based on the registration
1782	   procedures defined in [RFC6665].

1784	   Package name: load-control

1786	   Type: package

1788	   Published specification: This specification

1790	   Person to contact: Charles Shen, charles@cs.columbia.edu

1792	12.2.  application/load-control+xml MIME Registration

1794	   This section registers a new MIME type based on the procedures
1795	   defined in [RFC6838] and guidelines in [RFC3023].

1797	      MIME media type name: application

1799	      MIME subtype name: load-control+xml

1801	      Mandatory parameters: none

1803	   Optional parameters: Same as charset parameter application/xml in
1804	   [RFC3023]

1806	   Encoding considerations: Same as encoding considerations of
1807	   application/xml in [RFC3023]

1809	   Security considerations: See Section 10 of [RFC3023] and Section 11
1810	   of this specification

1812	   Interoperability considerations: None

1814	   Published Specification: This specification
1815	   Applications which use this media type: load control of SIP entities

1817	   Additional information:

1819	   Magic number: None

1821	   File extension: .xml

1823	   Macintosh file type code: 'TEXT'

1825	   Personal and email address for further information:

1827	   Charles Shen, charles@cs.columbia.edu

1829	   Intended usage: COMMON

1831	   Author/Change Controller: IETF SOC Working Group <sip-
1832	   overload@ietf.org>, as designated by the IESG <iesg@ietf.org>

1834	12.3.  URN Sub-Namespace Registration

1836	   This section registers a new XML namespace, as per the guidelines in
1837	   [RFC3688]

1839	   URI: The URI for this namespace is

1841	      urn:ietf:params:xml:ns:load-control

1843	   Registrant Contact: IETF SOC Working Group <sip-overload@ietf.org>,
1844	   as designated by the IESG <iesg@ietf.org>

1846	   XML:

1848	   BEGIN
1849	   <?xml version="1.0"?>
1850	   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
1851	                "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
1852	   <html xmlns="http://www.w3.org/1999/xhtml">
1853	   <head>
1854	     <meta http-equiv="content-type"
1855	       content="text/html;charset=iso-8859-1"/>
1856	     <title>SIP Load Control Namespace</title>
1857	   </head>
1858	   <body>
1859	     <h1>Namespace for SIP Load Control</h1>
1860	     <h2>urn:ietf:params:xml:ns:load-control</h2>
1861	     <p>See <a href="http://www.rfc-editor.org/rfc/rfc[?].txt">
1862	         RFC[?]</a>.</p>
1863	   </body>
1864	   </html>
1865	   END

1867	12.4.  Load Control Schema Registration

1869	   URI: urn:ietf:params:xml:schema:load-control

1871	   Registrant Contact: IETF SOC working group, Charles Shen
1872	   (charles@cs.columbia.edu).

1874	   XML: the XML schema to be registered is contained in Section 8.

1876	   Its first line is

1878	   <?xml version="1.0" encoding="UTF-8"?>

1880	   and its last line is

1882	   </xs:schema>

1884	13.  Acknowledgements

1886	   The authors would like to thank Richard Barnes, Bruno Chatras, Martin
1887	   Dolly, Keith Drage, Ashutosh Dutta, Janet Gunn, Vijay Gurbani, Volker
1888	   Hilt, Geoff Hunt, Carolyn Johnson, Hadriel Kaplan, Paul Kyzivat,
1889	   Pearl Liang, Salvatore Loreto, Timothy Moran, Eric Noel,
1890	   Parthasarathi R, Adam Roach, Dan Romascanu, Shida Schubert, Robert
1891	   Sparks, Phil Williams and other members of the SOC and SIPPING
1892	   working group for many helpful comments.  In particular, Bruno
1893	   Chatras proposed the <method> and <target-sip-entity> condition
1894	   elements along with many other text improvements.  Janet Gunn
1895	   provided detailed text suggestions including Section 10.  Eric Noel
1896	   suggested clarification on load filtering policy distribution
1897	   initialization process.  Shida Schubert made many suggestions such as
1898	   terminology usage.  Phil Williams suggested adding support for delta
1899	   updates.  Ashutosh Dutta gave pointers to PSTN references.  Adam
1900	   Roach suggested RFC6665-related and other helpful clarifications.
1901	   Richard Barnes made many suggestions such as referencing the Trust
1902	   Domain concept of RFC3324, the use of a separate element for 'tel'
1903	   URI grouping and addressing the "redirect" action security threat.

1905	14.  References

1907	14.1.  Normative References

1909	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1910	              Requirement Levels", BCP 14, RFC 2119, March 1997.

1912	   [RFC2141]  Moats, R., "URN Syntax", RFC 2141, May 1997.

1914	   [RFC3023]  Murata, M., St. Laurent, S., and D. Kohn, "XML Media
1915	              Types", RFC 3023, January 2001.

1917	   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
1918	              A., Peterson, J., Sparks, R., Handley, M., and E.
1919	              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
1920	              June 2002.

1922	   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
1923	              January 2004.

1925	   [RFC3966]  Schulzrinne, H., "The tel URI for Telephone Numbers", RFC
1926	              3966, December 2004.

1928	   [RFC4745]  Schulzrinne, H., Tschofenig, H., Morris, J., Cuellar, J.,
1929	              Polk, J., and J. Rosenberg, "Common Policy: A Document
1930	              Format for Expressing Privacy Preferences", RFC 4745,
1931	              February 2007.

1933	   [RFC6665]  Roach, A., "SIP-Specific Event Notification", RFC 6665,
1934	              July 2012.

1936	   [RFC6838]  Freed, N., Klensin, J., and T. Hansen, "Media Type
1937	              Specifications and Registration Procedures", BCP 13, RFC
1938	              6838, January 2013.

1940	14.2.  Informative References

1942	   [E.300SerSup3]
1943	              ITU-T, , "North American Precise Audible Tone Plan", E.300
1944	              Series Supplement 3 , November 1988.

1946	   [E.412]    ITU-T, , "Network Management Controls", E.412-2003 ,
1947	              January 2003.

1949	   [I-D.ietf-soc-overload-control]
1950	              Gurbani, V., Hilt, V., and H. Schulzrinne, "Session
1951	              Initiation Protocol (SIP) Overload Control", draft-ietf-
1952	              soc-overload-control-13 (work in progress), May 2013.

1954	   [Q.1248.2]
1955	              ITU-T, , "Interface Recommendation for Intelligent Network
1956	              Capability Set4:SCF-SSF interface", Q.1248.2 , July 2001.

1958	   [RFC2648]  Moats, R., "A URN Namespace for IETF Documents", RFC 2648,
1959	              August 1999.

1961	   [RFC3324]  Watson, M., "Short Term Requirements for Network Asserted
1962	              Identity", RFC 3324, November 2002.

1964	   [RFC4412]  Schulzrinne, H. and J. Polk, "Communications Resource
1965	              Priority for the Session Initiation Protocol (SIP)", RFC
1966	              4412, February 2006.

1968	   [RFC4825]  Rosenberg, J., "The Extensible Markup Language (XML)
1969	              Configuration Access Protocol (XCAP)", RFC 4825, May 2007.

1971	   [RFC5031]  Schulzrinne, H., "A Uniform Resource Name (URN) for
1972	              Emergency and Other Well-Known Services", RFC 5031,
1973	              January 2008.

1975	   [RFC5390]  Rosenberg, J., "Requirements for Management of Overload in
1976	              the Session Initiation Protocol", RFC 5390, December 2008.

1978	   [RFC6357]  Hilt, V., Noel, E., Shen, C., and A. Abdelal, "Design
1979	              Considerations for Session Initiation Protocol (SIP)
1980	              Overload Control", RFC 6357, August 2011.

1982	Authors' Addresses

1984	   Charles Shen
1985	   Columbia University
1986	   Department of Computer Science
1987	   1214 Amsterdam Avenue, MC 0401
1988	   New York, NY   10027
1989	   USA

1991	   Phone: +1 212 854 3109
1992	   Email: charles@cs.columbia.edu

1994	   Henning Schulzrinne
1995	   Columbia University
1996	   Department of Computer Science
1997	   1214 Amsterdam Avenue, MC 0401
1998	   New York, NY   10027
1999	   USA

2001	   Phone: +1 212 939 7004
2002	   Email: schulzrinne@cs.columbia.edu
2003	   Arata Koike
2004	   NTT Service Integration Labs
2005	   3-9-11 Midori-cho Musashino-shi
2006	   Tokyo  184-0013
2007	   Japan

2009	   Phone: +81 422 59 6099
2010	   Email: koike.arata@lab.ntt.co.jp