idnits 2.17.1 

draft-ietf-soc-load-control-event-package-13.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (December 14, 2013) is 3779 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 2141 (Obsoleted by RFC 8141)

  ** Obsolete normative reference: RFC 3023 (Obsoleted by RFC 7303)

  == Outdated reference: A later version (-15) exists of
     draft-ietf-soc-overload-control-13


     Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	IETF SOC Working Group                                           C. Shen
3	Internet-Draft                                            H. Schulzrinne
4	Intended status: Standards Track                             Columbia U.
5	Expires: June 17, 2014                                          A. Koike
6	                                                                     NTT
7	                                                       December 14, 2013

9	     A Session Initiation Protocol (SIP) Load Control Event Package
10	            draft-ietf-soc-load-control-event-package-13.txt

12	Abstract

14	   This specification defines a load control event package for the
15	   Session Initiation Protocol (SIP).  It allows SIP entities to
16	   distribute load filtering policies to other SIP entities in the
17	   network.  The load filtering policies contain rules to throttle calls
18	   based on their source or destination domain, telephone number prefix
19	   or for a specific user.  The mechanism helps to prevent signaling
20	   overload and complements feedback-based SIP overload control efforts.

22	Status of This Memo

24	   This Internet-Draft is submitted in full conformance with the
25	   provisions of BCP 78 and BCP 79.

27	   Internet-Drafts are working documents of the Internet Engineering
28	   Task Force (IETF).  Note that other groups may also distribute
29	   working documents as Internet-Drafts.  The list of current Internet-
30	   Drafts is at http://datatracker.ietf.org/drafts/current/.

32	   Internet-Drafts are draft documents valid for a maximum of six months
33	   and may be updated, replaced, or obsoleted by other documents at any
34	   time.  It is inappropriate to use Internet-Drafts as reference
35	   material or to cite them other than as "work in progress."

37	   This Internet-Draft will expire on June 17, 2014.

39	Copyright Notice

41	   Copyright (c) 2013 IETF Trust and the persons identified as the
42	   document authors.  All rights reserved.

44	   This document is subject to BCP 78 and the IETF Trust's Legal
45	   Provisions Relating to IETF Documents
46	   (http://trustee.ietf.org/license-info) in effect on the date of
47	   publication of this document.  Please review these documents
48	   carefully, as they describe your rights and restrictions with respect
49	   to this document.  Code Components extracted from this document must
50	   include Simplified BSD License text as described in Section 4.e of
51	   the Trust Legal Provisions and are provided without warranty as
52	   described in the Simplified BSD License.

54	Table of Contents

56	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
57	   2.  Conventions . . . . . . . . . . . . . . . . . . . . . . . . .   3
58	   3.  SIP Load Filtering Overview . . . . . . . . . . . . . . . . .   4
59	     3.1.  Load Filtering Policy Format  . . . . . . . . . . . . . .   4
60	     3.2.  Load Filtering Policy Computation . . . . . . . . . . . .   4
61	     3.3.  Load Filtering Policy Distribution  . . . . . . . . . . .   4
62	     3.4.  Applicable Network Domains  . . . . . . . . . . . . . . .   7
63	   4.  Load Control Event Package  . . . . . . . . . . . . . . . . .   9
64	     4.1.  Event Package Name  . . . . . . . . . . . . . . . . . . .   9
65	     4.2.  Event Package Parameters  . . . . . . . . . . . . . . . .   9
66	     4.3.  SUBSCRIBE Bodies  . . . . . . . . . . . . . . . . . . . .   9
67	     4.4.  SUBSCRIBE Duration  . . . . . . . . . . . . . . . . . . .   9
68	     4.5.  NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . .  10
69	     4.6.  Notifier Processing of SUBSCRIBE Requests . . . . . . . .  10
70	     4.7.  Notifier Generation of NOTIFY Requests  . . . . . . . . .  10
71	     4.8.  Subscriber Processing of NOTIFY Requests  . . . . . . . .  10
72	     4.9.  Handling of Forked Requests . . . . . . . . . . . . . . .  12
73	     4.10. Rate of Notifications . . . . . . . . . . . . . . . . . .  12
74	     4.11. State Delta . . . . . . . . . . . . . . . . . . . . . . .  12
75	   5.  Load Control Document . . . . . . . . . . . . . . . . . . . .  13
76	     5.1.  Format  . . . . . . . . . . . . . . . . . . . . . . . . .  13
77	     5.2.  Namespace . . . . . . . . . . . . . . . . . . . . . . . .  13
78	     5.3.  Conditions  . . . . . . . . . . . . . . . . . . . . . . .  13
79	       5.3.1.  Call Identity . . . . . . . . . . . . . . . . . . . .  14
80	       5.3.2.  Method  . . . . . . . . . . . . . . . . . . . . . . .  16
81	       5.3.3.  Target SIP Entity . . . . . . . . . . . . . . . . . .  17
82	       5.3.4.  Validity  . . . . . . . . . . . . . . . . . . . . . .  18
83	     5.4.  Actions . . . . . . . . . . . . . . . . . . . . . . . . .  18
84	   6.  XML Schema Definition for Load Control  . . . . . . . . . . .  20
85	   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  23
86	   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  24
87	     8.1.  Load Control Event Package Registration . . . . . . . . .  24
88	     8.2.  application/load-control+xml Media Type Registration  . .  24
89	     8.3.  URN Sub-Namespace Registration  . . . . . . . . . . . . .  25
90	     8.4.  Load Control Schema Registration  . . . . . . . . . . . .  26
91	   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  26
92	   10. Appendix  . . . . . . . . . . . . . . . . . . . . . . . . . .  27
93	     10.1.  Definitions  . . . . . . . . . . . . . . . . . . . . . .  27
94	     10.2.  Design Requirements  . . . . . . . . . . . . . . . . . .  28
95	     10.3.  Discussion of this specification meeting the
96	            requirements of RFC5390  . . . . . . . . . . . . . . . .  28

98	     10.4.  Complete Examples  . . . . . . . . . . . . . . . . . . .  33
99	       10.4.1.  Load Control Document Examples . . . . . . . . . . .  33
100	       10.4.2.  Message Flow Examples  . . . . . . . . . . . . . . .  37
101	     10.5.  Related Work . . . . . . . . . . . . . . . . . . . . . .  38
102	       10.5.1.  Relationship with Load Filtering in PSTN . . . . . .  38
103	       10.5.2.  Relationship with Other IETF SIP Overload Control
104	                Efforts  . . . . . . . . . . . . . . . . . . . . . .  39
105	   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  40
106	     11.1.  Normative References . . . . . . . . . . . . . . . . . .  40
107	     11.2.  Informative References . . . . . . . . . . . . . . . . .  41
108	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  42

110	1.  Introduction

112	   SIP load control mechanisms are needed to prevent congestion collapse
113	   [RFC6357] in cases of SIP server overload [RFC5390].  There are two
114	   types of load control approaches.  In the first approach, feedback
115	   control, SIP servers provide load limits to upstream servers, to
116	   reduce the incoming rate of all SIP requests
117	   [I-D.ietf-soc-overload-control].  These upstream servers then drop or
118	   delay incoming SIP requests.  Feedback control is reactive and
119	   affects signaling messages that have already been issued by user
120	   agent clients.  They work well when SIP proxy servers in the core
121	   networks (core proxy servers) or destination-specific SIP proxy
122	   servers in the edge networks (edge proxy servers) are overloaded.  By
123	   their nature, they need to distribute rate, drop or window
124	   information to all upstream SIP proxy servers and normally affect all
125	   calls equally, regardless of destination.

127	   This specification proposes an additional, complementary load control
128	   mechanism, called load filtering.  It is most applicable for
129	   situations where a traffic surge and its source/destination
130	   distribution can be predicted in advance.  In those cases, network
131	   operators create load filtering policies that indicate calls to
132	   specific destinations or from specific sources should be rate-limited
133	   or randomly dropped.  These load filtering policies are then
134	   distributed to SIP servers and possibly SIP user agents that are
135	   likely to generate calls to the affected destinations or from the
136	   affected sources.  Load filtering works best if it prevents calls as
137	   close to the originating user agent clients as possible.  The
138	   applicability of SIP load filtering can also be extended beyond
139	   overload control, e.g., to implement service level agreement
140	   commitments.

142	2.  Conventions

144	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
145	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
146	   document are to be interpreted as described in [RFC2119].

148	3.  SIP Load Filtering Overview

150	3.1.  Load Filtering Policy Format

152	   Load filtering policies are specified by sets of rules.  Each rule
153	   contains both load filtering conditions and actions.  The load
154	   filtering conditions define identities of the targets to be
155	   filtered(Section 5.3.1).  For example, there are two typical resource
156	   limits in a possible overload situation, i.e., human destination
157	   limits (N number of call takers) and node capacity limits.  The load
158	   filtering targets in these two cases can be the specific callee
159	   numbers or the destination domain corresponding to the overload.
160	   Load filtering conditions also indicate the specific message type to
161	   be matched (Section 5.3.2), with which target SIP entity the
162	   filtering policy is associated (Section 5.3.3) and the period of time
163	   when the filtering policy should be activated and deactivated
164	   (Section 5.3.4).  Load filtering actions describe the desired control
165	   functions such as limiting the request rate below a certain level
166	   (Section 5.4).

168	3.2.  Load Filtering Policy Computation

170	   Computing the load filtering policies needs to take into
171	   consideration information such as overload time, scope and network
172	   topology, as well as service policies.  It is also important to make
173	   sure that there is no resource allocation loop, and that server
174	   capacity is allocated in a way which both prevents overload and
175	   maximizes effective throughput (aka goodput).  In some cases, in
176	   order to better utilize system resources, it may be preferable to
177	   employ an algorithm which dynamically computes the load filtering
178	   policies based on currently observed server load status, rather than
179	   using a purely static filtering policy assignment.  The computation
180	   algorithm for load filtering policies is out of scope of this
181	   specification.

183	3.3.  Load Filtering Policy Distribution

185	   For load filtering policy distribution, this specification defines
186	   the SIP event package for load control, which is an "instantiation"
187	   of the generic SIP event notification framework [RFC6665].  This
188	   specification also defines XML schema of a load control document
189	   (Section 5), which is used to encode load filtering policies.

191	   In order for load filtering polices to be properly distributed, each
192	   capable SIP entity in the network subscribes to the SIP load control
193	   event package of each SIP entity to which it sends signaling
194	   requests.  A SIP entity that accepts subscription requests is called
195	   a notifier (Section 4.6).  Subscription is initiated and maintained
196	   during normal server operation.  The subscription of neighboring SIP
197	   entities needs to be persistent, as described in Section 4.1 and
198	   Section 4.2 of [RFC6665].  The refresh procedure is describe in
199	   Section 4.7.  The subscribers can terminate the subscription after an
200	   extended period of absence of signaling message exchange, and can
201	   resubscribe if it determines that signaling with the notifier becomes
202	   active again.

204	   An example architecture is shown in Figure 1 to illustrate SIP load
205	   filtering policy distribution.  This scenario consists of two
206	   networks belonging to Service Provider A and Service Provider B,
207	   respectively.  Each provider's network is made up of two SIP core
208	   proxy servers and four SIP edge proxy servers.  The core proxy
209	   servers and edge proxy servers of Service Provider A are denoted as
210	   CPa1 to CPa2 and EPa1 to EPa4; the core proxy servers and edge proxy
211	   servers of Service Provider B are denoted as CPb1 to CPb2 and EPb1 to
212	   EPb4.

214	      +-----------+   +-----------+   +-----------+   +-----------+
215	      |           |   |           |   |           |   |           |
216	      |   EPa1    |   |   EPa2    |   |   EPa3    |   |   EPa4    |
217	      |           |   |           |   |           |   |           |
218	      +-----------+   +-----------+   +-----------+   +-----------+
219	              \         /                    \          /
220	               \       /                      \        /
221	                \     /                        \      /
222	              +-----------+                  +-----------+
223	              |           |                  |           |
224	              |   CPa1    |------------------|   CPa2    |
225	              |           |                  |           |
226	              +-----------+                  +-----------+
227	                    |                              |
228	      Service       |                              |
229	      Provider A    |                              |
230	                    |                              |
231	     =================================================================
232	                    |                              |
233	      Service       |                              |
234	      Provider B    |                              |
235	                    |                              |
236	              +-----------+                  +-----------+
237	              |           |                  |           |
238	              |   CPb1    |------------------|   CPb2    |
239	              |           |                  |           |
240	              +-----------+                  +-----------+
241	                /      \                        /     \
242	               /        \                      /       \
243	              /          \                    /         \
244	      +-----------+   +-----------+   +-----------+   +-----------+
245	      |           |   |           |   |           |   |           |
246	      |   EPb1    |   |   EPb2    |   |   EPb3    |   |   EPb4    |
247	      |           |   |           |   |           |   |           |
248	      +-----------+   +-----------+   +-----------+   +-----------+

250	      Figure 1: Example Network Scenario Using SIP Load Control Event
251	                             Package Mechanism

253	   At initialization stage, the proxy servers first identify all their
254	   outgoing signaling neighbors and subscribe to them.  The neighbor
255	   identification process can be performed by service providers through
256	   direct provisioning, or by the proxy servers themselves via
257	   progressive learning from the signaling messages sent and received.
258	   Assuming all signaling relationships in Figure 1 are bi-directional,
259	   after this initialization stage, each proxy server will be subscribed
260	   to all its neighbors.

262	   Case I: EPa1 serves a TV program hotline and decides to limit the
263	   total number of incoming calls to the hotline to prevent an overload.
264	   To do so, EPa1 sends a notification to CPa1 with the specific hotline
265	   number, time of activation and total acceptable call rate.  Depending
266	   on the load filtering policy computation algorithm, CPa1 may allocate
267	   the received total acceptable call rate among its neighbors, namely,
268	   EPa2, CPa2, and CPb1, and notify them about the resulting allocation
269	   along with the hotline number and the activation time.  CPa2 and CPb1
270	   may perform further allocation among their own neighbors and notify
271	   the corresponding proxy servers.  This process continues until all
272	   edge proxy servers in the network have been informed about the event
273	   and have proper load filtering policy configured.

275	   In the above case, the network entity where load filtering policy is
276	   first introduced is the SIP server providing access to the resource
277	   that creates the overload situation.  In other cases, the network
278	   entry point of introducing load filtering policy could also be an
279	   entity that hosts this resource.  For example, an operator may host
280	   an application server that performs 800 number translation services.
281	   The application server may itself be a SIP proxy server or a SIP
282	   Back-to-Back User Agent (B2BUA).  If one of the 800 numbers hosted at
283	   the application server creates the overload condition, the load
284	   filtering policies can be introduced from the application server and
285	   then propagated to other SIP proxy servers in the network.

287	   Case II: a hurricane affects the region covered by CPb2, EPb3 and
288	   EPb4.  All these three SIP proxy servers are overloaded.  The rescue
289	   team determines that outbound calls are more valuable than inbound
290	   calls in this specific situation.  Therefore, EPb3 and EPb4 are
291	   configured with load filtering policies to accept more outbound calls
292	   than inbound calls.  CPb2 may be configured the same way or receive
293	   dynamically computed load filtering policies from EPb3 and EPb4.
294	   Depending on the load filtering policy computation algorithm, CPb2
295	   may also send out notifications to its outside neighbors, namely CPb1
296	   and CPa2, specifying a limit on the acceptable rate of inbound calls
297	   to CPb2's responsible domain.  CPb1 and CPa2 may subsequently notify
298	   their neighbors about limiting the calls to CPb2's area.  The same
299	   process could continue until all edge proxy servers are notified and
300	   have load filtering policies configured.

302	   Note that this specification does not define the provisioning
303	   interface between the party who determines the load filtering policy
304	   and the network entry point where the policy is introduced.  One of
305	   the options for the provisioning interface is the Extensible Markup
306	   Language (XML) Configuration Access Protocol (XCAP) [RFC4825].

308	3.4.  Applicable Network Domains

310	   This specification MUST be applied inside a 'Trust Domain'.  The
311	   concept of a Trust Domain is similar to that defined in [RFC3324] and
312	   [RFC3325].  A Trust Domain for the purpose of SIP load filtering is a
313	   set of SIP entities such as SIP proxy servers that are trusted to
314	   exchange load filtering policies defined in this specification.  In
315	   the simplest case, a Trust Domain is a network of SIP entities
316	   belonging to a single service provider who deploys it and accurately
317	   knows the behaviour of those SIP entities.  Such simple Trust Domains
318	   may be joined to form larger Trust Domains by bi-lateral agreements
319	   between the service providers of the SIP entities.

321	   The key requirement of a Trust Domain for the purpose of SIP load
322	   filtering is that the behavior of all SIP entities within a given
323	   Trust Domain is known to comply to the following set of
324	   specifications.

326	   o  The mechanisms used to secure the communication among SIP entities
327	      within the Trust Domain.

329	   o  The manner used to determine which SIP entities are part of the
330	      Trust Domain.

332	   o  That SIP entities in the Trust Domain are compliant to SIP
333	      [RFC3261]

335	   o  That SIP entities in the Trust Domain are compliant to SIP
336	      [RFC6665]

338	   o  That SIP entities in the Trust Domain are compliant to this
339	      specification.

341	   o  The agreement on what types of calls can be affected by this SIP
342	      load filtering mechanism.  For example, call identity condition
343	      elements (Section 5.3.1) <one> and <many> might be limited to
344	      describe specific domains; <many-tel> and <except-tel> might be
345	      limited to describe within certain prefixes.

347	   o  The agreement on the destinations to which calls may be redirected
348	      when the "redirect" action (Section 5.4) is used.  For example,
349	      the URI might have to match a given set of domains.

351	   It is important to note that effectiveness of SIP load filtering
352	   requires that all neighbors that are possible signaling sources
353	   participate and enforce the designated load filtering policies.
354	   Otherwise, a single non-conforming neighbor could make the whole
355	   filtering efforts useless by pumping in excessive traffic to overload
356	   the server.  Therefore, the SIP server that distributes load
357	   filtering policies needs to take counter-measures towards any non-
358	   conforming neighbors.  A simple method is to reject excessive
359	   requests with 503 (Service Unavailable) response messages as if they
360	   were obeying the rate.  Considering the rejection costs, a more
361	   complicated but fairer method would be to allocate at the overloaded
362	   server the same amount of processing to the combination of both
363	   normal processing and rejection as the overloaded server would devote
364	   to processing requests for a conforming upstream SIP server.  These
365	   approaches work as long as the total rejection cost does not
366	   overwhelm the entire server resources.  In addition, SIP servers need
367	   to handle message prioritization properly while performing load
368	   filtering, which is described in Section 4.8.

370	4.  Load Control Event Package

372	   The SIP load filtering mechanism defines a load control event package
373	   for SIP based on [RFC6665].

375	4.1.  Event Package Name

377	   The name of this event package is "load-control".  This name is
378	   carried in the Event and Allow-Events header, as specified in
379	   [RFC6665].

381	4.2.  Event Package Parameters

383	   No package specific event header field parameters are defined for
384	   this event package.

386	4.3.  SUBSCRIBE Bodies

388	   This specification does not define the content of SUBSCRIBE bodies.
389	   Future specifications could define bodies for SUBSCRIBE messages, for
390	   example to request specific types of load control event
391	   notifications.

393	   A SUBSCRIBE request sent without a body implies the default
394	   subscription behavior as specified in Section 4.7.

396	4.4.  SUBSCRIBE Duration

398	   The default expiration time for a subscription to load filtering
399	   policy is one hour.  Since the desired expiration time may vary
400	   significantly for subscriptions among SIP entities with different
401	   signaling relationships, the subscribers and notifiers are
402	   RECOMMENDED to explicitly negotiate appropriate subscription duration
403	   when knowledge about the mutual signaling relationship is available.

405	4.5.  NOTIFY Bodies

407	   The body of a NOTIFY request in this event package contains load
408	   filtering policies.  The format of the NOTIFY request body MUST be in
409	   one of the formats defined in the Accept header field of the
410	   SUBSCRIBE request or be the default format, as specified in
411	   [RFC6665].  The default data format for the NOTIFY request body of
412	   this event package is "application/load-control+xml" (defined in
413	   Section 5).  This means that when NOTIFY request body exists but no
414	   Accept header field is specified in a SUBSCRIBE request, the NOTIFY
415	   request body MUST contain "application/load-control+xml" format.

417	4.6.  Notifier Processing of SUBSCRIBE Requests

419	   The notifier accepts a new subscription or updates an existing
420	   subscription upon receiving a valid SUBSCRIBE request.

422	   If the identity of the subscriber sending the SUBSCRIBE request is
423	   not allowed to receive load filtering policy, the notifier MUST
424	   return a 403 "Forbidden" response.

426	   If none of media types specified in the Accept header of the
427	   SUBSCRIBE request is supported, the notifier SHOULD return 406 "Not
428	   Acceptable" response.

430	4.7.  Notifier Generation of NOTIFY Requests

432	   A notifier MUST send a NOTIFY request with its current load filtering
433	   policy to the subscriber upon successfully accepting or refreshing a
434	   subscription.  If no load filtering policy needs to be distributed
435	   when the subscription is received, the notifier SHOULD sent a NOTIFY
436	   request without body to the subscriber.  The content-type header
437	   field of this NOTIFY request MUST indicate the correct body format as
438	   if the body were present (e.g., "application/load-control+xml").
439	   Sending this NOTIFY request without body is often the case when a
440	   subscription is initiated for the first time, e.g., when a SIP entity
441	   is just introduced, because there may be no planned events that
442	   require load filtering at that time.  A notifier SHOULD generate
443	   NOTIFY requests each time the load filtering policy changes, with the
444	   maximum notification rate not exceeding values defined in
445	   Section 4.10.

447	4.8.  Subscriber Processing of NOTIFY Requests

449	   The subscriber is the load filtering server which enforces load
450	   filtering policies received from the notifier.  The way subscribers
451	   process NOTIFY requests depends on the load filtering policies
452	   conveyed in the notifications.  Typically, load filtering policies
453	   consist of rules specifying actions to be applied to requests
454	   matching certain conditions.  A subscriber receiving a notification
455	   first installs these rules and then enforce corresponding actions on
456	   requests matching those conditions, for example, limiting the sending
457	   rate of call requests destined for a specific callee.

459	   In the case when load filtering policies specify a future validity,
460	   it is possible that when the validity time comes, the subscription to
461	   the specific notifier that conveyed the rules has expired.  In this
462	   case, it is RECOMMENDED that the subscriber re-activate its
463	   subscription with the corresponding notifier.  Regardless of whether
464	   this re-activation of subscription is successful or not, when the
465	   validity time is reached, the subscriber SHOULD enforce the
466	   corresponding rules.

468	   Upon receipt of a NOTIFY request with a Subscription-State header
469	   field containing the value "terminated", the subscription status with
470	   the particular notifier will be terminated.  Meanwhile, subscribers
471	   MUST also terminate previously received load filtering policies from
472	   that notifier.

474	   The subscriber MUST discard unknown bodies.  If the NOTIFY request
475	   contains several bodies, none of them being supported, it SHOULD
476	   unsubscribe unless it has knowledge that it will possibly receive
477	   NOTIFY requests with supported bodies from that notifier.  A NOTIFY
478	   request without a body indicates that no load filtering policies need
479	   to be updated.

481	   When the subscriber enforces load filtering policies, it needs to
482	   prioritize requests and select those requests that need to be
483	   rejected or redirected.  This selection is largely a matter of local
484	   policy.  It is expected that the subscriber will follow local policy
485	   as long as the result in reduction of traffic is consistent with the
486	   overload algorithm in effect at that node.  Accordingly, the
487	   normative behavior in the next three paragraphs should be interpreted
488	   with the understanding that the subscriber will aim to preserve local
489	   policy to the fullest extent possible.

491	   o  The subscriber SHOULD honor the local policy for prioritizing SIP
492	      requests such as policies based on message type, e.g., INVITEs
493	      versus requests associated with existing sessions.

495	   o  The subscriber SHOULD honor the local policy for prioritizing SIP
496	      requests based on the content of the Resource-Priority header
497	      (RPH, [RFC4412]).  Specific (namespace.value) RPH contents may
498	      indicate high priority requests that should be preserved as much
499	      as possible during overload.  The RPH contents can also indicate a
500	      low-priority request that is eligible to be dropped during times
501	      of overload.

503	   o  The subscriber SHOULD honor the local policy for prioritizing SIP
504	      requests relating to emergency calls as identified by the SOS URN
505	      [RFC5031] indicating an emergency request.

507	   A local policy can be expected to combine both the SIP request type
508	   and the prioritization markings, and SHOULD be honored when overload
509	   conditions prevail.

511	4.9.  Handling of Forked Requests

513	   Forking is not applicable when this load control event package
514	   mechanism is used within a single-hop distance between neighboring
515	   SIP entities.  If communication scope of the load control event
516	   package mechanism is among multiple hops, forking is not expected to
517	   happen either because the subscription request is addressed to a
518	   clearly defined SIP entity.  However, in the unlikely case when
519	   forking does happen, the load control event package only allows the
520	   first potential dialog-establishing message to create a dialog, as
521	   specified in Section 5.9 of [RFC6665].

523	4.10.  Rate of Notifications

525	   Rate of notifications is likely not a concern for this local control
526	   event package mechanism when it is used in a non-real-time mode for
527	   relatively static load filtering policies.  Nevertheless, if
528	   situation does arise that a rather frequent load filtering policy
529	   update is needed, it is RECOMMENDED that the notifier do not generate
530	   notifications at a rate higher than once per-second in all cases, in
531	   order to avoid the NOTIFY request itself overloading the system.

533	4.11.  State Delta

535	   It is likely that updates to specific load filtering policies are
536	   made by changing only part of the policy parameters only (e.g.
537	   acceptable request rate or percentage, but not matching identities).
538	   This will typically be because the utilization of a resource subject
539	   to overload depends upon dynamic unknowns such as holding time and
540	   the relative distribution of offered loads over subscribing SIP
541	   entities.  The updates could originate manually or be determined
542	   automatically by an algorithm that dynamically computes the load
543	   filtering policies (Section 3.2).  Another factor that is usually not
544	   known precisely or needs to be computed automatically is the duration
545	   of the event requiring load filtering.  Therefore it would also be
546	   common for the validity to change frequently.

548	   This event package allows the use of state delta as in [RFC6665] to
549	   accommodate frequent updates of partial policy parameters.  For each
550	   NOTIFY transaction in a subscription, a version number that increases
551	   by exactly one MUST be included in the NOTIFY request body when the
552	   body is present.  When the subscriber receives a state delta, it
553	   associates the partial updates to the particular policy by matching
554	   the appropriate rule id (Section 10.4).  If the subscriber receives a
555	   NOTIFY request with a version number that is increased by more than
556	   one, it knows that it has missed a state delta and needs to ask for a
557	   full state snapshot.  Therefore, the subscriber ignores that NOTIFY
558	   request containing the state delta, and re-sends a SUBSCRIBE request
559	   to force a NOTIFY request containing a complete state snapshot.

561	5.  Load Control Document

563	5.1.  Format

565	   A load control document is an XML document that describes the load
566	   filtering policies.  It inherits and enhances the common policy
567	   document defined in [RFC4745].  A common policy document contains a
568	   set of rules.  Each rule consists of three parts: conditions, actions
569	   and transformations.  The conditions part is a set of expressions
570	   containing attributes such as identity, domain, and validity time
571	   information.  Each expression evaluates to TRUE or FALSE.  Conditions
572	   are matched on "equality" or "greater than" style comparison.  There
573	   is no regular expression matching.  Conditions are evaluated on
574	   receipt of an initial SIP request for a dialog or standalone
575	   transaction.  If a request matches all conditions in a rule set, the
576	   action part and the transformation part are consulted to determine
577	   the "permission" on how to handle the request.  Each action or
578	   transformation specifies a positive grant to the policy server to
579	   perform the resulting actions.  Well-defined mechanism are available
580	   for combining actions and transformations obtained from more than one
581	   sources.

583	5.2.  Namespace

585	   The namespace URI for elements defined by this specification is a
586	   Uniform Resource Namespace (URN) ([RFC2141]), using the namespace
587	   identifier 'ietf' defined by [RFC2648] and extended by [RFC3688].
588	   The URN is as follows:

590	   urn:ietf:params:xml:ns:load-control

592	5.3.  Conditions

594	   [RFC4745] defines three condition elements: <identity>, <sphere> and
595	   <validity>.  In this specification defines new condition elements and
596	   reuses the <validity> element.  The <sphere> element is not used.

598	5.3.1.  Call Identity

600	   Since the problem space of this specification is different from that
601	   of [RFC4745], the [RFC4745] <identity> element is not sufficient for
602	   use with load filtering.  First, load filtering may be applied to
603	   different identities contained in a request, including identities of
604	   both the receiving entity and the sending entity.  Second, the
605	   importance of authentication varies when different identities of a
606	   request are concerned.  This specification defines new identity
607	   conditions that can accommodate the granularity of specific SIP
608	   identity header fields.  The requirement for authentication depends
609	   on which field is to be matched.

611	   The identity condition for load filtering is specified by the <call-
612	   identity> element and its sub-element <sip>.  The <sip> element
613	   itself contains sub-elements representing SIP sending and receiving
614	   identity header fields: <from>, <to>, <request-uri> and <p-asserted-
615	   identity>.  All those sub-elements are of an extended form of the
616	   [RFC4745] <identity> element.  In addition to the sub-elements
617	   including <one>, <except>, and <many> in the [RFC4745] <identity>
618	   element, the extended form adds two new sub-elements, namely, <many-
619	   tel> and <except-tel>, which will be explained later in this section.

621	   The [RFC4745] <one> and <except> elements may contain an "id"
622	   attribute, which is the URI of a single entity to be included or
623	   excluded in the condition.  When used in the <from>, <to>, <request-
624	   uri> and <p-asserted-identity> elements, this "id" value is the URI
625	   contained in the corresponding SIP header field, i.e., From, To,
626	   Request-URI, and P-Asserted-Identity.

628	   When the <call-identity> element contains multiple <sip> sub-
629	   elements, the result is combined using logical OR.  When the <from>,
630	   <to>, <request-uri> and <p-asserted-identity> elements contain
631	   multiple <one> or <many> or <many-tel> sub-elements, the result is
632	   also combined using logical OR.  When the <many> sub-element further
633	   contains one or more <except> sub-elements, or when the <many-tel>
634	   sub-element further contains one or more <except-tel> sub-elements,
635	   the result of each <except> or <except-tel> sub-element is combined
636	   using a logical OR, similar to that of the [RFC4745] <identity>
637	   element.  However, when the <sip> element contains multiple of the
638	   <from>, <to>, <request-uri> and <p-asserted-identity> sub-elements,
639	   the result is combined using logical AND.  This allows the call
640	   identity to be specified by multiple fields of a SIP request
641	   simultaneously, e.g., both the From and the To header fields.

643	   The following shows an example of the <call-identity> element, which
644	   matches call requests whose To header field contains the SIP URI
645	   "sip:alice@hotline.example.com", or the 'tel' URI
646	   "tel:+1-212-555-1234".

648	               <call-identity>
649	                   <sip>
650	                       <to>
651	                           <one id="sip:alice@hotline.example.com"/>
652	                           <one id="tel:+1-212-555-1234"/>
653	                       </to>
654	                   </sip>
655	               </call-identity>

657	   Before evaluating call-identity conditions, the subscriber shall
658	   convert URIs received in SIP header fields in canonical form as per
659	   [RFC3261], except that the phone-context parameter shall not be
660	   removed, if present.

662	   The [RFC4745] <many> and <except> elements may take a "domain"
663	   attribute.  The "domain" attribute specifies a domain name to be
664	   matched by the domain part of the candidate identity.  Thus, it
665	   allows matching a large and possibly unknown number of entities
666	   within a domain.  The "domain" attribute works well for SIP URIs.

668	   A URI identifying a SIP user, however, can also be a 'tel' URI.
669	   Therefore a similar way to match a group of 'tel' URIs is needed.
670	   There are two forms of 'tel' URIs for global numbers and local
671	   numbers, respectively.  According to [RFC3966], "All phone numbers
672	   MUST use the global form unless they cannot be represented as such."
673	   "Local numbers MUST be tagged with a 'phone-context'".  The global
674	   number 'tel' URIs start with a "+".  The "phone-context" parameter of
675	   local numbers may be labelled as a global number or any number of its
676	   leading digits, or a domain name.  Both forms of the 'tel' URI make
677	   the resulting URI globally unique.

679	   'Tel' URIs of global numbers can be grouped by prefixes consisting of
680	   any number of common leading digits.  For example, a prefix formed by
681	   a country code or both the country and area code identifies telephone
682	   numbers within a country or an area.  Since the length of the country
683	   and area code for different regions are different, the length of the
684	   number prefix also varies.  This allows further flexibility such as
685	   grouping the numbers into sub-areas within the same area code.  'Tel'
686	   URIs of local numbers can be grouped by the value of the "phone-
687	   context" parameter.

689	   The <many> and <except> sub-elements in the [RFC4745] <identity>
690	   element do not allow additional attributes to be added directly.
691	   Redefining behavior of their existing <domain> attribute creates
692	   backward-compatibility issues.  Therefore, this specification defines
693	   the <many-tel> and <except-tel> sub-elements that extend the
694	   [RFC4745] <identity> element.  Both of them have a "prefix" attribute
695	   for grouping 'tel' URIs, similar to the "domain" attribute for
696	   grouping SIP URIs in existing <many> and <except> sub-elements.  For
697	   global numbers, the "prefix" attribute value holds any number of
698	   common leading digits, for example, "+1-212" for U.S. phone numbers
699	   within area code "212" or "+1-212-854" for the organization with U.S.
700	   area code "212" and local prefix "854".  For local numbers, the
701	   "prefix" attribute value contains the "phone-context" parameter
702	   value.  It should be noted that visual separators (such as the "-"
703	   sign) in 'tel' URIs are not used for URI comparison as per [RFC3966].

705	   The following example shows the use of the "prefix" attribute along
706	   with the "domain" attribute.  It matches those requests calling to
707	   the number "+1-202-999-1234" but are not calling from a "+1-212"
708	   prefix or a SIP From URI domain of "manhattan.example.com".

710	               <call-identity>
711	                   <sip>
712	                       <from>
713	                           <many>
714	                               <except domain="manhattan.example.com"/>
715	                           </many>
716	                           <many-tel>
717	                               <except-tel prefix="+1-212"/>
718	                           </many-tel>
719	                       </from>
720	                       <to>
721	                           <one id="tel:+1-202-999-1234"/>
722	                       </to>
723	                   </sip>
724	               </call-identity>

726	5.3.2.  Method

728	   The load created on a SIP server depends on the type of initial SIP
729	   requests for dialogs or standalone transactions.  The <method>
730	   element specifies the SIP method to which the load filtering action
731	   applies.  When this element is not included, the load filtering
732	   actions are applicable to all applicable initial requests.  These
733	   requests include INVITE, MESSAGE, REGISTER, SUBSCRIBE, OPTIONS, and
734	   PUBLISH.  Non-initial requests, such as ACK, BYE and CANCEL MUST NOT
735	   be subjected to load filtering.  In addition, SUBSCRIBE requests are
736	   not filtered if the event-type header field indicates the event
737	   package defined in this specification.

739	   The following example shows the use of the <method> element in the
740	   case the filtering actions should be applied to INVITE requests.

742	           <method>INVITE</method>

744	5.3.3.  Target SIP Entity

746	   A SIP server that performs load filtering may have multiple paths to
747	   route call requests matching the same set of call identity elements.
748	   In those situations, the SIP load filtering server may desire to take
749	   advantage of alternative paths and only apply load filtering actions
750	   to matching requests for the next hop SIP entity that originated the
751	   corresponding load filtering policy.  To achieve that, the SIP load
752	   filtering server needs to associate every load filtering policy with
753	   its originating SIP entity.  The <target-sip-entity> element is
754	   defined for that purpose and it contains the URI of the entity that
755	   initiated the load filtering policy, which is generally the
756	   corresponding notifier.  A notifier MAY include this element as part
757	   of the condition of its filtering policy being sent to the
758	   subscriber, as below.

760	   <target-sip-entity>sip:biloxi.example.com</target-sip-entity>

762	   When a SIP load filtering server receives a policy with a <target-
763	   sip-entity> element, it SHOULD record it and take it into
764	   consideration when making load filtering decisions.  If the load
765	   filtering server receives a load filtering policy that does not
766	   contain a <target-sip-entity> element, it MAY still record the URI of
767	   the load filtering policy's originator as the <target-sip-entity>
768	   information and consider it when making load filtering decisions.

770	      The following are two examples of using the <target-sip-entity>
771	      element.

773	      Use case I: the network has user A connected to SIP Proxy 1 (SP1),
774	      user B connected to SIP Proxy 3 (SP3), SP1 and SP3 connected via
775	      SIP Proxy 2 (SP2), and SP2 connected to an Application Server
776	      (AS).  Under normal load conditions, a call from A to B is routed
777	      along the following path: A-SP1-SP2-AS-SP3-B. The AS provides a
778	      non-essential service and can be bypassed in case of overload.
779	      Now let's assume that AS is overloaded and sends to SP2 a load
780	      filtering policy requesting that 50% of all INVITE requests be
781	      dropped.  SP2 can maintain AS as the <target-sip-entity> for that
782	      policy so that it knows the 50% drop action is only applicable to
783	      call requests that must go through AS, without affecting those
784	      calls directly routed through SP3 to B.

786	      Use case II: An 800 translation service is installed on two
787	      Application Servers, AS1 and AS2.  User A is connected to SP1 and
788	      calls 800-1234-4529, which is translated by AS1 and AS2 into a
789	      regular E.164 number depending on, e.g., the caller's location.
790	      SP1 forwards INVITE requests with Request-URI = "800 number" to
791	      AS1 or AS2 based on a load balancing strategy.  As calls to
792	      800-1234-4529 creates a pre-overload condition in AS1, AS1 sends
793	      to SP1 a load filtering policy requesting that 50% of calls
794	      towards 800-1234-4529 be rejected.  In this case, SP1 can maintain
795	      AS1 as the <target-sip-entity> for the rule, and only apply the
796	      load filtering policy on incoming requests that are intended to be
797	      sent to AS1.  Those requests that are sent to AS2, although
798	      matching the <call-identity> of the filter, will not be affected.

800	5.3.4.  Validity

802	   A filtering policy is usually associated with a validity period
803	   condition.  This specification reuses the <validity> element of
804	   [RFC4745], which specifies a period of validity time by pairs of
805	   <from> and <until> sub-elements.  When multiple time periods are
806	   defined, the validity condition is evaluated to TRUE if the current
807	   time falls into any of the specified time periods. i.e., it
808	   represents a logical OR operation across all validity time periods.

810	   The following example shows a <validity> element specifying a valid
811	   period from 12:00 to 15:00 US Eastern Standard Time on 2008-05-31.

813	               <validity>
814	                   <from>2008-05-31T12:00:00-05:00</from>
815	                   <until>2008-05-31T15:00:00-05:00</until>
816	               </validity>

818	5.4.  Actions

820	   The actions a load filtering server takes on loads matching the load
821	   filtering conditions are defined by the <accept> element in the load
822	   filtering policy, which includes any one of the three sub-elements
823	   <rate>, <percent>, and <win>.  The <rate> element denotes an absolute
824	   value of the maximum acceptable request rate in requests per second;
825	   the <percent> element specifies the relative percentage of incoming
826	   requests that should be accepted; the <win> element describes the
827	   acceptable window size supplied by the receiver, which is applicable
828	   in window-based load filtering.  In static load filtering policy
829	   configuration scenarios, using the <rate> sub-element is RECOMMENDED
830	   because it is hard to enforce the percentage rate or window-based
831	   load filtering when incoming load from upstream or reactions from
832	   downstream are uncertain.  (See [I-D.ietf-soc-overload-control]
833	   [RFC6357] for more details on rate-based, loss-based and window-based
834	   load control.)
835	   In addition, the <accept> element takes an optional "alt-action"
836	   attribute which can be used to explicitly specify the desired action
837	   in case a request cannot be processed.  The "alt-action" can take one
838	   of the following three values: "reject", "redirect" and "drop".

840	   o  The "reject" action is the default value for "alt-action".  It
841	      means that the load filtering server will reject the request with
842	      a 503 (Service Unavailable) response message.

844	   o  The "redirect" action means redirecting the request to another
845	      target.  When it is used, an "alt-target" attribute MUST be
846	      defined.  The "alt-target" specifies one URI or a list of URIs
847	      where the request should be redirected.  The server sends out the
848	      redirect URIs in a 300-class response message.

850	   o  The "drop" action means simply ignoring the request without doing
851	      anything, which can in certain cases help save processing
852	      capability during overload.  For example, when SIP is running over
853	      a reliable transport such as TCP, the "drop" action does not send
854	      out the rejection response, neither does it close the transport
855	      connection.  However, when running SIP over an unreliable
856	      transport such as UDP, using the "drop" action will create message
857	      retransmissions that further worsen the possible overload
858	      situation.  Therefore, any "drop" action applied to an unreliable
859	      transport MUST be treated as if it were "reject".

861	   The above "alt-action" processing can also be illustrated through the
862	   following pseudocode.

864	           SWITCH "alt-action"
865	             "redirect": "redirect"
866	             "drop":
867	               IF unreliable-transport
868	                 THEN treat as "reject"
869	               ELSE
870	                 "drop"
871	             "reject": "reject"
872	             default: "reject"
873	           END

875	   In the following <actions> element example, the server accepts
876	   maximum of 100 call requests per second.  The remaining calls are
877	   redirected to an answering machine.

879	           <actions>
880	               <accept alt-action="redirect" alt-target=
881	                       "sip:answer-machine@example.com">
882	                   <rate>100</rate>
883	               </accept>
884	           </actions>

886	6.  XML Schema Definition for Load Control

888	   This section defines the XML schema for the load control document.
889	   It extends the Common Policy schema in [RFC4745] in two ways.
890	   Firstly, it defines two mandatory attributes for the <ruleset>
891	   element: version and state.  The version attribute allows the
892	   recipient of the notification to properly order them.  Versions start
893	   at 0, and increase by one for each new document sent to a subscriber
894	   within the same subscription.  Versions MUST be representable using a
895	   non-negative 32 bit integer.  The state attribute indicates whether
896	   the document contains a full load filtering policy update, or whether
897	   it contains only state delta as partial update.  Secondly, it defines
898	   new members of the <conditions> and <actions> elements.

900	   <?xml version="1.0" encoding="UTF-8"?>
901	   <xs:schema targetNamespace="urn:ietf:params:xml:ns:load-control"
902	       xmlns:lc="urn:ietf:params:xml:ns:load-control"
903	       xmlns:cp="urn:ietf:params:xml:ns:common-policy"
904	       xmlns:xs="http://www.w3.org/2001/XMLSchema"
905	       elementFormDefault="qualified"
906	       attributedFormDefault="unqualified">

908	   <xs:import namespace="urn:ietf:params:xml:ns:common-policy"/>

910	   <!-- RULESET -->

912	   <xs:element name="ruleset">
913	     <xs:complexType>
914	       <xs:complexContent>
915	         <xs:restriction base="xs:anyType">
916	           <xs:sequence>
917	             <xs:element name="rule" type="cp:ruleType"
918	             minOccurs="0" maxOccurs="unbounded"/>
919	           </xs:sequence>
920	         </xs:restriction>
921	       </xs:complexContent>
922	       <xs:attribute name="version" type="xs:integer" use="required"/>
923	       <xs:attribute name="state" use="required">
924	         <xs:simpleType>
925	           <xs:restriction base="xs:string">
926	             <xs:enumeration value="full"/>
927	             <xs:enumeration value="partial"/>
928	           </xs:restriction>
929	         </xs:simpleType>
930	       </xs:attribute>
931	     </xs:complexType>
932	   </xs:element>

934	   <!-- CONDITIONS -->

936	   <!-- CALL IDENTITY -->
937	   <xs:element name="call-identity" type="lc:call-identity-type"/>

939	   <!-- CALL IDENTITY TYPE -->
940	   <xs:complexType name="call-identity-type">
941	     <xs:choice>
942	       <xs:element name="sip" type="lc:sip-id-type"/>
943	       <any namespace="##other" processContents="lax" minOccurs="0"
944	       maxOccurs="unbounded"/>
945	     </xs:choice>
946	     <anyAtrribute namespace="##other" processContents="lax"/>
947	   </xs:complexType>

949	   <!-- SIP ID TYPE -->
950	   <xs:complexType name="sip-id-type">
951	     <xs:sequence>
952	       <element name="from" type="lc:identityType" minOccurs="0"/>
953	       <element name="to" type="lc:identityType" minOccurs="0"/>
954	       <element name="request-uri" type="lc:identityType"
955	       minOccurs="0"/>
956	       <element name="p-asserted-identity" type="lc:identityType"
957	       minOccurs="0"/>
958	       <any namespace="##other" processContents="lax" minOccurs="0"
959	       maxOccurs="unbounded"/>
960	     </xs:sequence>
961	     <anyAtrribute namespace="##other" processContents="lax"/>
962	   </xs:complexType>

964	   <!-- IDENTITY TYPE -->
965	   <xs:complexType name="identityType">
966	     <xs:complexContent>
967	       <xs:restriction base="xs:anyType">
968	         <xs:choice minOccurs="1" maxOccurs="unbounded">
969	           <xs:element name="one" type="cp:oneType"/>
970	           <xs:element name="many" type="lc:manyType"/>
971	           <xs:element name="many-tel" type="lc:manyTelType"/>
972	           <xs:any namespace="##other" processContents="lax"/>
973	         </xs:choice>

975	       </xs:restriction>
976	     </xs:complexContent>
977	   </xs:complexType>

979	   <!-- MANY-TEL TYPE -->
980	   <xs:complexType name="manyTelType">
981	     <xs:complexContent>
982	       <xs:restriction base="xs:anyType">
983	         <xs:choice minOccurs="0" maxOccurs="unbounded">
984	           <xs:element name="except-tel" type="lc:exceptTelType"/>
985	           <xs:any namespace="##other"
986	           minOccurs="0" processContents="lax"/>
987	         </xs:choice>
988	         <xs:attribute name="prefix"
989	         use="optional" type="xs:string"/>
990	       </xs:restriction>
991	     </xs:complexContent>
992	   </xs:complexType>

994	   <!-- EXCEPT-TEL TYPE -->
995	   <xs:complexType name="exceptTelType">
996	     <xs:attribute name="prefix" type="xs:string" use="optional"/>
997	     <xs:attribute name="id" type="xs:anyURI" use="optional"/>
998	   </xs:complexType>

1000	   <!-- METHOD -->
1001	   <xs:element name="method" type="lc:method-type"/>

1003	   <!-- METHOD TYPE -->
1004	   <xs:simpleType name="method-type">
1005	     <xs:restriction base="xs:string">
1006	       <xs:enumeration value="INVITE"/>
1007	       <xs:enumeration value="MESSAGE"/>
1008	       <xs:enumeration value="REGISTER"/>
1009	       <xs:enumeration value="SUBSCRIBE"/>
1010	       <xs:enumeration value="OPTIONS"/>
1011	       <xs:enumeration value="PUBLISH"/>
1012	     </xs:restriction>
1013	   </xs:simpleType>

1015	   <!-- TARGET SIP ENTITY -->
1016	   <xs:element name="target-sip-entity" type="xs:anyURI" minOccurs="0"/>

1018	   <!-- ACTIONS -->
1019	   <xs:element name="accept">
1020	     <xs:choice>
1021	       <element name="rate" type="xs:decimal" minOccurs="0"/>
1022	       <element name="win" type="xs:integer" minOccurs="0"/>
1023	       <element name="percent" type="xs:decimal" minOccurs="0"/>
1024	       <any namespace="##other" processContents="lax" minOccurs="0"
1025	       maxOccurs="unbounded"/>
1026	     </xs:choice>
1027	     <xs:attribute name="alt-action" type="xs:string" default="reject"/>
1028	     <xs:attribute name="alt-target" type="lc:alt-target-type"
1029	     use="optional"/>
1030	     <anyAtrribute namespace="##other" processContents="lax"/>
1031	   </xs:element>

1033	   <!-- ALT TARGET TYPE -->
1034	   <xs:simpleType name="alt-target-type">
1035	     <xs:list itemType="xs:anyURI"/>
1036	   </xs:simpleType>

1038	   </xs:schema>

1040	7.  Security Considerations

1042	   Two aspects of security considerations arise from this specification.
1043	   One is the SIP event notification framework-based load filtering
1044	   policy distribution mechanism, the other is the load filtering policy
1045	   enforcement mechanism.

1047	   Security considerations for SIP event package mechanisms are covered
1048	   in Section 6 of [RFC6665].  A particularly relevant security concern
1049	   for this event package is that if the notifiers can be spoofed,
1050	   attackers can send fake notifications asking subscribers to throttle
1051	   all traffic, leading to Denial-of-Service attacks.  Therefore, this
1052	   SIP load filtering mechanism MUST be used in a Trust Domain
1053	   (Section 3.4).  But if a legitimate notifier in the Trust Domain is
1054	   itself compromised, additional mechanisms will be needed to detect
1055	   the attack.

1057	   Security considerations for load filtering policy enforcement depends
1058	   very much on the contents of the policy.  This specification defines
1059	   possible match of the following SIP header fields in a load filtering
1060	   policy: <from>, <to>, <request-uri> and <p-asserted-identity>.  The
1061	   exact requirement to authenticate and authorize these fields is up to
1062	   the service provider.  In general, if the identity field represents
1063	   the source of the request, it SHOULD be authenticated and authorized;
1064	   if the identity field represents the destination of the request, the
1065	   authentication and authorization is optional.

1067	   In addition, there could be one specific type of attack around the
1068	   use the "redirect" action (Section 5.4).  Assuming a number of SIP
1069	   proxy servers in a Trust Domain are using UDP, and configured to get
1070	   their policies from a central server.  An attacker spoofs the central
1071	   server's address to send a number of NOTIFY bodies telling the proxy
1072	   servers to redirect all calls to victim@outside-of-trust-domain.com.
1073	   The proxy servers then redirect all calls to victim, who is then
1074	   DoSed off of the Internet.  To address this type of threat, this
1075	   specification requires that a Trust Domain agrees on what types of
1076	   calls can be affected as well as on the destinations to which calls
1077	   may be redirected, as in Section 3.4.

1079	8.  IANA Considerations

1081	   This specification registers a SIP event package, a new media type, a
1082	   new XML namespace, and a new XML schema.

1084	8.1.  Load Control Event Package Registration

1086	   This section registers an event package based on the registration
1087	   procedures defined in [RFC6665].

1089	   Package name: load-control

1091	   Type: package

1093	   Published specification: This specification

1095	   Person to contact: Charles Shen, charles@cs.columbia.edu

1097	8.2.  application/load-control+xml Media Type Registration

1099	   This section registers a new media type based on the procedures
1100	   defined in [RFC6838] and guidelines in [RFC3023].

1102	   Type name: application

1104	   Subtype name: load-control+xml

1106	   Required parameters: none

1108	   Optional parameters: Same as charset parameter of application/xml as
1109	   specified in [RFC3023].

1111	   Encoding considerations: Same as encoding considerations of
1112	   application/xml as specified in [RFC3023].

1114	   Security considerations: See Section 10 of [RFC3023] and Section 7 of
1115	   this specification.

1117	   Interoperability considerations: none
1118	   Published specification: This specification

1120	   Applications that use this media type: Applications that perform load
1121	   control of SIP entities.

1123	   Fragment identifier considerations: Same as fragment identifier
1124	   considerations of application/xml as specified in [RFC3023].

1126	   Additional Information:

1128	      Deprecated alias names for this type: none

1130	      Magic Number(s): none

1132	      File Extension(s): .xml

1134	      Macintosh file type code(s): "TEXT"

1136	   Person and email address for further information: Charles Shen,
1137	   charles@cs.columbia.edu

1139	   Intended usage: COMMON

1141	   Restrictions on usage: none

1143	   Author: Charles Shen, Henning Schulzrinne, Arata Koike

1145	   Change controller: IESG

1147	   Provisional registration? (standards tree only): no

1149	8.3.  URN Sub-Namespace Registration

1151	   This section registers a new XML namespace, as per the guidelines in
1152	   [RFC3688]

1154	   URI: The URI for this namespace is

1156	      urn:ietf:params:xml:ns:load-control

1158	   Registrant Contact: IETF SOC Working Group <sip-overload@ietf.org>,
1159	   as designated by the IESG <iesg@ietf.org>

1161	   XML:

1163	   BEGIN
1164	   <?xml version="1.0"?>
1165	   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
1166	                "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
1167	   <html xmlns="http://www.w3.org/1999/xhtml">
1168	   <head>
1169	     <meta http-equiv="content-type"
1170	       content="text/html;charset=iso-8859-1"/>
1171	     <title>SIP Load Control Namespace</title>
1172	   </head>
1173	   <body>
1174	     <h1>Namespace for SIP Load Control</h1>
1175	     <h2>urn:ietf:params:xml:ns:load-control</h2>
1176	     <p>See <a href="http://www.rfc-editor.org/rfc/rfc[?].txt">
1177	         RFC[?]</a>.</p>
1178	   </body>
1179	   </html>
1180	   END

1182	8.4.  Load Control Schema Registration

1184	   URI: urn:ietf:params:xml:schema:load-control

1186	   Registrant Contact: IETF SOC working group, Charles Shen
1187	   (charles@cs.columbia.edu).

1189	   XML: the XML schema to be registered is contained in Section 6.

1191	   Its first line is

1193	   <?xml version="1.0" encoding="UTF-8"?>

1195	   and its last line is

1197	   </xs:schema>

1199	9.  Acknowledgements

1201	   The authors would like to thank Jari Arkko, Richard Barnes, Stewart
1202	   Bryant, Gonzalo Camarillo, Bruno Chatras, Benoit Claise, Spencer
1203	   Dawkins, Martin Dolly, Keith Drage, Ashutosh Dutta, Donald Eastlake,
1204	   Adrian Farrel, Stephen Farrell, Janet Gunn, Vijay Gurbani, Brian
1205	   Haberman, Volker Hilt, Geoff Hunt, Carolyn Johnson, Hadriel Kaplan,
1206	   Paul Kyzivat, Barry Leiba, Pearl Liang, Salvatore Loreto, Timothy
1207	   Moran, Eric Noel, Parthasarathi R, Pete Resnick, Adam Roach, Dan
1208	   Romascanu, Shida Schubert, Robert Sparks, Martin Stiemerling, Sean
1209	   Turner, Phil Williams and other members of the SOC and SIPPING
1210	   working group for many helpful comments.  In particular, Bruno
1211	   Chatras proposed the <method> and <target-sip-entity> condition
1212	   elements along with many other text improvements.  Janet Gunn
1213	   provided detailed text suggestions including Section 10.3.  Eric Noel
1214	   suggested clarification on load filtering policy distribution
1215	   initialization process.  Shida Schubert made many suggestions such as
1216	   terminology usage.  Phil Williams suggested adding support for delta
1217	   updates.  Ashutosh Dutta gave pointers to PSTN references.  Adam
1218	   Roach suggested RFC6665-related and other helpful clarifications.
1219	   Richard Barnes made many suggestions such as referencing the Trust
1220	   Domain concept of RFC3324 and RFC3325, the use of a separate element
1221	   for 'tel' URI grouping and addressing the "redirect" action security
1222	   threat.

1224	10.  Appendix

1226	10.1.  Definitions

1228	   This specification reuses the definitions for "Event Package",
1229	   "Notification", "Notifier", "Subscriber", "Subscription" as in
1230	   [RFC6665].  The following additional definitions are also used.

1232	   Load Filtering:  A load control mechanism which applies specific
1233	      actions to selected loads (e.g., SIP requests) matching specific
1234	      conditions.

1236	   Load Filtering Policy:  A set of zero or more load filtering rules,
1237	      also known as load filtering rule set.

1239	   Load Filtering Rule:  Conditions and actions to be applied for load
1240	      filtering.

1242	   Load Filtering Condition:  Elements that describe how to select loads
1243	      to apply load filtering actions.  This specification defines the
1244	      "call identity", "method", "target SIP identity", and "validity"
1245	      condition elements (Section 5.3).

1247	   Load Filtering Action:  An operation to be taken by a load filtering
1248	      server on loads that match the load filtering conditions.  This
1249	      specification allows actions such as accept, reject and redirect
1250	      of loads (Section 5.4).

1252	   Load Filtering Server:  A server which performs load filtering.  In
1253	      the context of this specification, the load filtering server is
1254	      the subscriber, which receives load filtering policies from the
1255	      notifier and enforces those policies during load filtering.

1257	   Load Control Document:  An XML document that describes the load
1258	      filtering policies (Section 5).  It inherits and enhances the
1259	      common policy document defined in [RFC4745].

1261	10.2.  Design Requirements

1263	   The SIP load filtering mechanism needs to satisfy the following
1264	   requirements:

1266	   o  For simplicity, the solution should focus on a method for
1267	      controlling SIP load, rather than a generic application-layer
1268	      mechanism.

1270	   o  The load filtering policy needs to be distributed efficiently to
1271	      possibly a large subset of all SIP elements.

1273	   o  The solution should re-use existing SIP protocol mechanisms to
1274	      reduce implementation and deployment complexity.

1276	   o  For predictable overload situations, such as holidays and mass
1277	      calling events, the load filtering policy should specify during
1278	      what time it is to be applied, so that the information can be
1279	      distributed ahead of time.

1281	   o  For destination-specific overload situations, the load filtering
1282	      policy should be able to describe the destination domain or the
1283	      callee.

1285	   o  To address accidental and intentional high-volume call generators,
1286	      the load filtering policy should be able to specify the caller.

1288	   o  Caller and callee need to be specified as both SIP URIs and 'tel'
1289	      URIs [RFC3966] in load filtering policies.

1291	   o  It should be possible to specify particular information in the SIP
1292	      headers (e.g., prefixes in telephone numbers) which allow load
1293	      filtering over limited regionally-focused overloads.

1295	   o  The solution should draw upon experiences from related PSTN
1296	      mechanisms [Q.1248.2][E.412][E.300SerSup3] where applicable.

1298	   o  The solution should be extensible to meet future needs.

1300	10.3.  Discussion of this specification meeting the requirements of
1301	       RFC5390

1303	   This section evaluates whether the load control event package
1304	   mechanism defined in this specification satisfies various SIP
1305	   overload control requirements set forth by RFC5390 [RFC5390].  As
1306	   mentioned in Section 1, this specification has its particular scope
1307	   that complements other efforts in the overall SIP load control
1308	   solution space.  Therefore, not all RFC5390 requirements are found
1309	   applicable to this specification.  This specification categorize the
1310	   assessment results into Yes (meet the requirement), P/A (Partially
1311	   Applicable), No (must be used in conjunction with another mechanism
1312	   to meet the requirement), and N/A (Not Applicable).

1314	      REQ 1: The overload mechanism shall strive to maintain the overall
1315	      useful throughput (taking into consideration the quality-of-
1316	      service needs of the using applications) of a SIP server at
1317	      reasonable levels, even when the incoming load on the network is
1318	      far in excess of its capacity.  The overall throughput under load
1319	      is the ultimate measure of the value of an overload control
1320	      mechanism.

1322	   P/A. The goal of the load filtering is to prevent overload or
1323	   maintain overall goodput during the time of overload, but it is
1324	   dependent on the advance predictions of the load and the computations
1325	   as well as distribution of the filtering policies.  If the load
1326	   predictions or filtering policy computations are incorrect, or the
1327	   filtering policy distribution is not properly done, the effectiveness
1328	   of the mechanism will be affected.  On the other hand, if the load
1329	   can be accurately predicted and filtering policies be computed and
1330	   distributed appropriately, this requirement can be met.

1332	      REQ 2: When a single network element fails, goes into overload, or
1333	      suffers from reduced processing capacity, the mechanism should
1334	      strive to limit the impact of this on other elements in the
1335	      network.  This helps to prevent a small-scale failure from
1336	      becoming a widespread outage.

1338	   N/A if load filtering policies are installed in advance and do not
1339	   change during the potential overload period.  P/A if load filtering
1340	   policies are dynamically adjusted.  The algorithm to dynamically
1341	   compute load filtering policies is outside the scope of this
1342	   specification, while the distribution of the updated filtering
1343	   policies uses the event package mechanism of this specification.

1345	      REQ 3: The mechanism should seek to minimize the amount of
1346	      configuration required in order to work.  For example, it is
1347	      better to avoid needing to configure a server with its SIP message
1348	      throughput, as these kinds of quantities are hard to determine.

1350	   No.  This mechanism is entirely dependent on advance configuration,
1351	   based on advance knowledge.  In order to satisfy Req 3, it should be
1352	   used in conjunction with other mechanisms which are not based on
1353	   advance configuration.

1355	      REQ 4: The mechanism must be capable of dealing with elements that
1356	      do not support it, so that a network can consist of a mix of
1357	      elements that do and don't support it.  In other words, the
1358	      mechanism should not work only in environments where all elements
1359	      support it.  It is reasonable to assume that it works better in
1360	      such environments, of course.  Ideally, there should be
1361	      incremental improvements in overall network throughput as
1362	      increasing numbers of elements in the network support the
1363	      mechanism.

1365	   No.  This mechanism is entirely dependent on the participation of all
1366	   possible neighbors.  In order to satisfy Req 4, it should be used in
1367	   conjunction with other mechanisms, some of which are described in
1368	   Section 3.4.

1370	      REQ 5: The mechanism should not assume that it will only be
1371	      deployed in environments with completely trusted elements.  It
1372	      should seek to operate as effectively as possible in environments
1373	      where other elements are malicious; this includes preventing
1374	      malicious elements from obtaining more than a fair share of
1375	      service.

1377	   No.  This mechanism is entirely dependent on the non-malicious
1378	   participation of all possible neighbors.  In order to satisfy Req 5,
1379	   it should be used in conjunction with other mechanisms, some of which
1380	   are described in Section 3.4.

1382	      REQ 6: When overload is signaled by means of a specific message,
1383	      the message must clearly indicate that it is being sent because of
1384	      overload, as opposed to other, non overload-based failure
1385	      conditions.  This requirement is meant to avoid some of the
1386	      problems that have arisen from the reuse of the 503 response code
1387	      for multiple purposes.  Of course, overload is also signaled by
1388	      lack of response to requests.  This requirement applies only to
1389	      explicit overload signals.

1391	   N/A. This mechanism signals anticipated overload, not actual
1392	   overload.  However the signals in this mechanism are not used for any
1393	   other purpose.

1395	      REQ 7: The mechanism shall provide a way for an element to
1396	      throttle the amount of traffic it receives from an upstream
1397	      element.  This throttling shall be graded so that it is not all-
1398	      or-nothing as with the current 503 mechanism.  This recognizes the
1399	      fact that "overload" is not a binary state and that there are
1400	      degrees of overload.

1402	   Yes. This event package allows rate/loss/window-based overload
1403	   control options as discussed in Section 5.4.

1405	      REQ 8: The mechanism shall ensure that, when a request was not
1406	      processed successfully due to overload (or failure) of a
1407	      downstream element, the request will not be retried on another
1408	      element that is also overloaded or whose status is unknown.  This
1409	      requirement derives from REQ 1.

1411	   N/A to the load control event package mechanism itself.

1413	      REQ 9: That a request has been rejected from an overloaded element
1414	      shall not unduly restrict the ability of that request to be
1415	      submitted to and processed by an element that is not overloaded.
1416	      This requirement derives from REQ 1.

1418	   Yes. For example, load filtering policy [Section 3.1] allows the
1419	   inclusion of alternative forwarding destinations for rejected
1420	   requests.

1422	      REQ 10: The mechanism should support servers that receive requests
1423	      from a large number of different upstream elements, where the set
1424	      of upstream elements is not enumerable.

1426	   No.  Because this mechanism requires advance configuration of
1427	   specifically identified neighbors, it does not support environments
1428	   where the number and identity of the upstream neighbors are not known
1429	   in advance.  In order to satisfy Req 10, it should be used in
1430	   conjunction with other mechanisms.

1432	      REQ 11: The mechanism should support servers that receive requests
1433	      from a finite set of upstream elements, where the set of upstream
1434	      elements is enumerable.

1436	   Yes. See also answer to REQ 10.

1438	      REQ 12: The mechanism should work between servers in different
1439	      domains.

1441	   Yes. The load control event package mechanism is not limited by
1442	   domain boundaries.  However, it is likely more applicable in intra-
1443	   domain scenarios than in inter-domain scenarios due to security and
1444	   other concerns (See also Section 3.4).

1446	      REQ 13: The mechanism must not dictate a specific algorithm for
1447	      prioritizing the processing of work within a proxy during times of
1448	      overload.  It must permit a proxy to prioritize requests based on
1449	      any local policy, so that certain ones (such as a call for
1450	      emergency services or a call with a specific value of the
1451	      Resource-Priority header field [RFC4412]) are given preferential
1452	      treatment, such as not being dropped, being given additional
1453	      retransmission, or being processed ahead of others.

1455	   P/A. This mechanism does not specifically address the prioritizing of
1456	   work during times of overload.  But it does not preclude any
1457	   particular local policy.

1459	      REQ 14: The mechanism should provide unambiguous directions to
1460	      clients on when they should retry a request and when they should
1461	      not.  This especially applies to TCP connection establishment and
1462	      SIP registrations, in order to mitigate against avalanche restart.

1464	   N/A to the load control event package mechanism itself.

1466	      REQ 15: In cases where a network element fails, is so overloaded
1467	      that it cannot process messages, or cannot communicate due to a
1468	      network failure or network partition, it will not be able to
1469	      provide explicit indications of the nature of the failure or its
1470	      levels of congestion.  The mechanism must properly function in
1471	      these cases.

1473	   P/A. Because the load filtering policies are provisioned in advance,
1474	   they are not affected by the overload or failure of other network
1475	   elements.  But, on the other hand, they may not, in those cases, be
1476	   able to protect the overloaded network elements (see Req 1).

1478	      REQ 16: The mechanism should attempt to minimize the overhead of
1479	      the overload control messaging.

1481	   Yes. The standardized SIP event package mechanism [RFC6665] is used.

1483	      REQ 17: The overload mechanism must not provide an avenue for
1484	      malicious attack, including DoS and DDoS attacks.

1486	   P/A. This mechanism does provide a potential avenue for malicious
1487	   attacks.  Therefore the security mechanisms for SIP event packages in
1488	   general [RFC6665] and of Section 7 of this specification should be
1489	   used.

1491	      REQ 18: The overload mechanism should be unambiguous about whether
1492	      a load indication applies to a specific IP address, host, or URI,
1493	      so that an upstream element can determine the load of the entity
1494	      to which a request is to be sent.

1496	   Yes. The identity of load indication is covered in the load filtering
1497	   policy format definition in Section 3.1.

1499	      REQ 19: The specification for the overload mechanism should give
1500	      guidance on which message types might be desirable to process over
1501	      others during times of overload, based on SIP-specific
1502	      considerations.  For example, it may be more beneficial to process
1503	      a SUBSCRIBE refresh with Expires of zero than a SUBSCRIBE refresh
1504	      with a non-zero expiration (since the former reduces the overall
1505	      amount of load on the element), or to process re-INVITEs over new
1506	      INVITEs.

1508	   N/A to the load control event package mechanism itself.

1510	      REQ 20: In a mixed environment of elements that do and do not
1511	      implement the overload mechanism, no disproportionate benefit
1512	      shall accrue to the users or operators of the elements that do not
1513	      implement the mechanism.

1515	   No.  This mechanism is entirely dependent on the participation of all
1516	   possible neighbors.  In order to satisfy Req 20, it should be used in
1517	   conjunction with other mechanisms, some of which are described in
1518	   Section 3.4.

1520	      REQ 21: The overload mechanism should ensure that the system
1521	      remains stable.  When the offered load drops from above the
1522	      overall capacity of the network to below the overall capacity, the
1523	      throughput should stabilize and become equal to the offered load.

1525	   N/A to the load control event package mechanism itself.

1527	      REQ 22: It must be possible to disable the reporting of load
1528	      information towards upstream targets based on the identity of
1529	      those targets.  This allows a domain administrator who considers
1530	      the load of their elements to be sensitive information, to
1531	      restrict access to that information.  Of course, in such cases,
1532	      there is no expectation that the overload mechanism itself will
1533	      help prevent overload from that upstream target.

1535	   N/A to the load control event package mechanism itself.

1537	      REQ 23: It must be possible for the overload mechanism to work in
1538	      cases where there is a load balancer in front of a farm of
1539	      proxies.

1541	   Yes. The load control event package mechanism does not preclude its
1542	   use in a scenario with server farms.

1544	10.4.  Complete Examples

1546	10.4.1.  Load Control Document Examples
1547	   This section presents two complete examples of load control documents
1548	   valid with respect to the XML schema defined in Section 6.

1550	   The first example assumes that a set of hotlines are set up at
1551	   "sip:alice@hotline.example.com" and "tel:+1-212-555-1234".  The
1552	   hotlines are activated from 12:00 to 15:00 US Eastern Standard Time
1553	   on 2008-05-31.  The goal is to limit the incoming calls to the
1554	   hotlines to 100 requests per second.  Calls that exceed the rate
1555	   limit are explicitly rejected.

1557	   <?xml version="1.0" encoding="UTF-8"?>
1558	   <ruleset xmlns="urn:ietf:params:xml:ns:common-policy"
1559	               xmlns:lc="urn:ietf:params:xml:ns:load-control"
1560	               version="0" state="full">

1562	       <rule id="f3g44k1">
1563	           <conditions>
1564	               <lc:call-identity>
1565	                   <lc:sip>
1566	                       <lc:to>
1567	                           <one id="sip:alice@hotline.example.com"/>
1568	                           <one id="tel:+1-212-555-1234"/>
1569	                       </lc:to>
1570	                   </lc:sip>
1571	               </lc:call-identity>
1572	               <method>INVITE</method>
1573	               <validity>
1574	                   <from>2008-05-31T12:00:00-05:00</from>
1575	                   <until>2008-05-31T15:00:00-05:00</until>
1576	               </validity>
1577	           </conditions>
1578	           <actions>
1579	               <lc:accept alt-action="reject">
1580	                   <lc:rate>100</lc:rate>
1581	               </lc:accept>
1582	           </actions>

1584	       </rule>
1585	   </ruleset>

1587	   The second example considers optimizing server resource usage of a
1588	   three-day period during the aftermath of a hurricane.  Incoming calls
1589	   to the domain "sandy.example.com" or to call destinations with prefix
1590	   "+1-212" will be limited to a rate of 100 requests per second, except
1591	   for those calls originating from a particular rescue team domain
1592	   "rescue.example.com".  Outgoing calls from the hurricane domain or
1593	   calls within the local domain are never limited.  All calls that are
1594	   throttled due to the rate limit will be forwarded to an answering
1595	   machine with updated hurricane rescue information.

1597	   <?xml version="1.0" encoding="UTF-8"?>
1598	   <ruleset xmlns="urn:ietf:params:xml:ns:common-policy"
1599	       xmlns:lc="urn:ietf:params:xml:ns:load-control"
1600	       version="1" state="full">

1602	       <rule id="f3g44k2">
1603	           <conditions>
1604	               <lc:call-identity>
1605	                   <lc:sip>
1606	                       <lc:to>
1607	                           <many domain="sandy.example.com"/>
1608	                           <many-tel prefix="+1-212"/>
1609	                       </lc:to>
1610	                       <lc:from>
1611	                           <many>
1612	                               <except domain="sandy.example.com"/>
1613	                               <except domain="rescue.example.com"/>
1614	                           </many>
1615	                       </lc:from>
1616	                   </lc:sip>
1617	               </lc:call-identity>
1618	               <method>INVITE</method>
1619	               <validity>
1620	                   <from>2012-10-25T09:00:00+01:00</from>
1621	                   <until>2012-10-28T09:00:00+01:00</until>
1622	               </validity>
1623	           </conditions>
1624	           <actions>
1625	               <lc:accept alt-action="redirect" alt-target=
1626	                       "sip:sandy@update.example.com">
1627	                   <lc:rate>100</lc:rate>
1628	               </lc:accept>
1629	           </actions>

1631	       </rule>
1632	   </ruleset>

1634	   Sometimes it may occur that multiple rules in a ruleset define
1635	   actions that match the same methods, call identity and validity.  In
1636	   those cases, the "first-match-wins" principle is used.  For example,
1637	   in the following ruleset, the first rule requires all calls from the
1638	   "example.com" domain to be rejected.  Even though the rule following
1639	   that one specifies that calls from "sip:alice@example.com" be
1640	   redirected to a specific target "sip:eve@example.com", the calls from
1641	   "sip:alice@example.com" will still be rejected because they have
1642	   already been matched by the earlier rule.

1644	   <?xml version="1.0" encoding="UTF-8"?>
1645	   <ruleset xmlns="urn:ietf:params:xml:ns:common-policy"
1646	       xmlns:lc="urn:ietf:params:xml:ns:load-control"
1647	       version="1" state="full">

1649	       <rule id="f3g44k3">
1650	           <conditions>
1651	               <lc:call-identity>
1652	                   <lc:sip>
1653	                       <lc:from>
1654	                           <many domain="example.com"/>
1655	                       </lc:from>
1656	                   </lc:sip>
1657	               </lc:call-identity>
1658	               <method>INVITE</method>
1659	               <validity>
1660	                   <from>2013-7-2T09:00:00+01:00</from>
1661	                   <until>2013-7-3T09:00:00+01:00</until>
1662	               </validity>
1663	           </conditions>
1664	           <actions>
1665	               <lc:accept alt-action="reject">
1666	                   <lc:rate>0</lc:rate>
1667	               </lc:accept>
1668	           </actions>
1669	       </rule>

1671	       <rule id="f3g44k4">
1672	           <conditions>
1673	               <lc:call-identity>
1674	                   <lc:sip>
1675	                       <lc:from>
1676	                           <one id="sip:alice@example.com"/>
1677	                       </lc:from>
1678	                   </lc:sip>
1679	               </lc:call-identity>
1680	               <method>INVITE</method>
1681	               <validity>
1682	                   <from>2013-7-2T09:00:00+01:00</from>
1683	                   <until>2013-7-3T09:00:00+01:00</until>
1684	               </validity>
1685	           </conditions>
1686	           <actions>
1687	               <lc:accept alt-action="redirect" alt-target=
1688	                       "sip:eve@example.com">

1690	                   <lc:rate>0</lc:rate>
1691	               </lc:accept>
1692	           </actions>
1693	       </rule>

1695	   </ruleset>

1697	10.4.2.  Message Flow Examples

1699	   This section presents an example message flow of using the load
1700	   control event package mechanism defined in this specification.

1702	      atlanta             biloxi
1703	         | F1 SUBSCRIBE      |
1704	         |------------------>|
1705	         | F2 200 OK         |
1706	         |<------------------|
1707	         | F3 NOTIFY         |
1708	         |<------------------|
1709	         | F4 200 OK         |
1710	         |------------------>|

1712	      F1 SUBSCRIBE atlanta.example.com -> biloxi.example.com

1714	         SUBSCRIBE sip:biloxi.example.com SIP/2.0
1715	         Via: SIP/2.0/TCP atlanta.example.com;branch=z9hG4bKy7cjbu3
1716	         From: sip:atlanta.example.com;tag=162ab5
1717	         To: sip:biloxi.example.com
1718	         Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com
1719	         CSeq: 2012 SUBSCRIBE
1720	         Contact: sip:atlanta.example.com
1721	         Event: load-control
1722	         Max-Forwards: 70
1723	         Accept: application/load-control+xml
1724	         Expires: 3600
1725	         Content-Length: 0

1727	      F2 200 OK   biloxi.example.com -> atlanta.example.com

1729	         SIP/2.0 200 OK
1730	         Via: SIP/2.0/TCP biloxi.example.com;branch=z9hG4bKy7cjbu3
1731	           ;received=192.0.2.1
1732	         To: <sip:biloxi.example.com>;tag=331dc8
1733	         From: <sip:atlanta.example.com>;tag=162ab5
1734	         Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com
1735	         CSeq: 2012 SUBSCRIBE
1736	         Expires: 3600
1737	         Contact: sip:biloxi.example.com
1738	         Content-Length: 0

1740	      F3 NOTIFY  biloxi.example.com -> atlanta.example.com

1742	         NOTIFY sip:atlanta.example.com SIP/2.0
1743	         Via: SIP/2.0/TCP biloxi.example.com;branch=z9hG4bKy71g2ks
1744	         From: <sip:biloxi.example.com>;tag=331dc8
1745	         To: <sip:atlanta.example.com>;tag=162ab5
1746	         Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com
1747	         Event: load-control
1748	         Subscription-State: active;expires=3599
1749	         Max-Forwards: 70
1750	         CSeq: 1775 NOTIFY
1751	         Contact: sip:biloxi.example.com
1752	         Content-Type: application/load-control+xml
1753	         Content-Length: ...

1755	         [Load Control Document]

1757	      F4 200 OK atlanta.example.com -> biloxi.example.com

1759	         SIP/2.0 200 OK
1760	         Via: SIP/2.0/TCP atlanta.example.com;branch=z9hG4bKy71g2ks
1761	           ;received=192.0.2.2
1762	         From: <sip:biloxi.example.com>;tag=331dc8
1763	         To: <sip:atlanta.example.com>;tag=162ab5
1764	         Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com
1765	         CSeq: 1775 NOTIFY
1766	         Content-Length: 0

1768	10.5.  Related Work

1770	10.5.1.  Relationship with Load Filtering in PSTN

1772	   It is known that existing PSTN network also uses a load filtering
1773	   mechanism to prevent overload and the filtering policy configuration
1774	   is done manually except in specific cases when the Intelligent
1775	   Network architecture is used [Q.1248.2][E.412].  This specification
1776	   defines a load filtering mechanism based on the SIP event
1777	   notification framework that allows automated filtering policy
1778	   distribution in suitable environments.

1780	   There are control messages associated with PSTN overload control
1781	   which would specify an outgoing control list, call gap duration and
1782	   control duration [Q.1248.2][E.412].  These items could be roughly
1783	   correlated to the identity, action and time fields of the SIP load
1784	   filtering policy defined in this specification.  However, the load
1785	   filtering policy defined in this specification is much more generic
1786	   and flexible as opposed to its PSTN counterpart.

1788	   Firstly, PSTN load filtering only applies to telephone numbers.  The
1789	   identity element of SIP load filtering policy allows both SIP URI and
1790	   telephone numbers (through 'tel' URI) to be specified.  These
1791	   identities can be arbitrarily grouped by SIP domains or any number of
1792	   leading prefix of the telephone numbers.

1794	   Secondly, the PSTN load filtering action is usually limited to call
1795	   gapping.  The action field in SIP load filtering policy allows more
1796	   flexible possibilities such as rate throttle and others.

1798	   Thirdly, the duration field in PSTN load filtering specifies a value
1799	   in seconds for the load filtering duration only, and the allowed
1800	   values are mapped into a value set.  The time field in SIP load
1801	   filtering policy may specify not only a duration, but also a future
1802	   activation time which could be especially useful for automating load
1803	   filtering for predictable overloads.

1805	   PSTN load filtering can be performed in both edge switches and
1806	   transit switches; SIP load filtering can also be applied in both edge
1807	   proxy servers and core proxy servers, and even in capable user
1808	   agents.

1810	   PSTN load filtering also has special accommodation for High
1811	   Probability of Completion (HPC) calls, which would be similar to
1812	   calls designated by the SIP Resource Priority Headers [RFC4412].  SIP
1813	   load filtering mechanism also allows prioritizing the treatment of
1814	   these calls by specifying favorable actions for them.

1816	   PSTN load filtering also provides administrative option for routing
1817	   failed call attempts to either a reorder tone [E.300SerSup3]
1818	   indicating overload conditions, or a special recorded announcement.
1819	   Similar capability can be provided in SIP load filtering mechanism by
1820	   specifying appropriate "alt-action" attribute in the SIP load
1821	   filtering action field.

1823	10.5.2.  Relationship with Other IETF SIP Overload Control Efforts

1825	   The load filtering policies in this specification consist of
1826	   identity, action and time.  The identity can range from a single
1827	   specific user to an arbitrary user aggregate, domains or areas.  The
1828	   user can be identified by either the source or the destination.  When
1829	   the user is identified by the source and a favorable action is
1830	   specified, the result is to some extent similar to identifying a
1831	   priority user based on authorized Resource Priority Headers [RFC4412]
1832	   in the requests.  Specifying a source user identity with an
1833	   unfavorable action would cause an effect to some extent similar to an
1834	   inverse SIP resource priority mechanism.

1836	   The load filtering policy defined in this specification is generic
1837	   and expected to be applicable not only to the load filtering
1838	   mechanism but also to the feedback overload control mechanism in
1839	   [I-D.ietf-soc-overload-control].  In particular, both mechanisms
1840	   could use specific or wildcard identities for load control and could
1841	   share well-known load control actions.  The time duration field in
1842	   the load filtering policy could also be used in both mechanisms.  As
1843	   mentioned in Section 1, the load filtering policy distribution
1844	   mechanism and the feedback overload control mechanism address
1845	   complementary areas in the overload control problem space.  Load
1846	   filtering is more proactive and focuses on distributing filtering
1847	   policies towards the source of the traffic; the hop-by-hop feedback-
1848	   based approach is reactive and targets more at traffic already
1849	   accepted in the network.  Therefore, they could also make different
1850	   use of the generic load filtering policy components.  For example,
1851	   the load filtering mechanism may use the time field in the filtering
1852	   policy to specify not only a control duration but also a future
1853	   activation time to accommodate a predicable overload such as the one
1854	   caused by Mother's Day greetings or a viewer-voting program; the
1855	   feedback-based control might not need to use the time field or might
1856	   use the time field to specify an immediate load control duration.

1858	11.  References

1860	11.1.  Normative References

1862	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1863	              Requirement Levels", BCP 14, RFC 2119, March 1997.

1865	   [RFC2141]  Moats, R., "URN Syntax", RFC 2141, May 1997.

1867	   [RFC3023]  Murata, M., St. Laurent, S., and D. Kohn, "XML Media
1868	              Types", RFC 3023, January 2001.

1870	   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
1871	              A., Peterson, J., Sparks, R., Handley, M., and E.
1872	              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
1873	              June 2002.

1875	   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
1876	              January 2004.

1878	   [RFC3966]  Schulzrinne, H., "The tel URI for Telephone Numbers", RFC
1879	              3966, December 2004.

1881	   [RFC4745]  Schulzrinne, H., Tschofenig, H., Morris, J., Cuellar, J.,
1882	              Polk, J., and J. Rosenberg, "Common Policy: A Document
1883	              Format for Expressing Privacy Preferences", RFC 4745,
1884	              February 2007.

1886	   [RFC6665]  Roach, A., "SIP-Specific Event Notification", RFC 6665,
1887	              July 2012.

1889	   [RFC6838]  Freed, N., Klensin, J., and T. Hansen, "Media Type
1890	              Specifications and Registration Procedures", BCP 13, RFC
1891	              6838, January 2013.

1893	11.2.  Informative References

1895	   [E.300SerSup3]
1896	              ITU-T, , "North American Precise Audible Tone Plan", E.300
1897	              Series Supplement 3 , November 1988.

1899	   [E.412]    ITU-T, , "Network Management Controls", E.412-2003 ,
1900	              January 2003.

1902	   [I-D.ietf-soc-overload-control]
1903	              Gurbani, V., Hilt, V., and H. Schulzrinne, "Session
1904	              Initiation Protocol (SIP) Overload Control", draft-ietf-
1905	              soc-overload-control-13 (work in progress), May 2013.

1907	   [Q.1248.2]
1908	              ITU-T, , "Interface Recommendation for Intelligent Network
1909	              Capability Set4:SCF-SSF interface", Q.1248.2 , July 2001.

1911	   [RFC2648]  Moats, R., "A URN Namespace for IETF Documents", RFC 2648,
1912	              August 1999.

1914	   [RFC3324]  Watson, M., "Short Term Requirements for Network Asserted
1915	              Identity", RFC 3324, November 2002.

1917	   [RFC3325]  Jennings, C., Peterson, J., and M. Watson, "Private
1918	              Extensions to the Session Initiation Protocol (SIP) for
1919	              Asserted Identity within Trusted Networks", RFC 3325,
1920	              November 2002.

1922	   [RFC4412]  Schulzrinne, H. and J. Polk, "Communications Resource
1923	              Priority for the Session Initiation Protocol (SIP)", RFC
1924	              4412, February 2006.

1926	   [RFC4825]  Rosenberg, J., "The Extensible Markup Language (XML)
1927	              Configuration Access Protocol (XCAP)", RFC 4825, May 2007.

1929	   [RFC5031]  Schulzrinne, H., "A Uniform Resource Name (URN) for
1930	              Emergency and Other Well-Known Services", RFC 5031,
1931	              January 2008.

1933	   [RFC5390]  Rosenberg, J., "Requirements for Management of Overload in
1934	              the Session Initiation Protocol", RFC 5390, December 2008.

1936	   [RFC6357]  Hilt, V., Noel, E., Shen, C., and A. Abdelal, "Design
1937	              Considerations for Session Initiation Protocol (SIP)
1938	              Overload Control", RFC 6357, August 2011.

1940	Authors' Addresses

1942	   Charles Shen
1943	   Columbia University
1944	   Department of Computer Science
1945	   1214 Amsterdam Avenue, MC 0401
1946	   New York, NY   10027
1947	   USA

1949	   Phone: +1 212 854 3109
1950	   Email: charles@cs.columbia.edu

1952	   Henning Schulzrinne
1953	   Columbia University
1954	   Department of Computer Science
1955	   1214 Amsterdam Avenue, MC 0401
1956	   New York, NY   10027
1957	   USA

1959	   Phone: +1 212 939 7004
1960	   Email: schulzrinne@cs.columbia.edu

1962	   Arata Koike
1963	   NTT Service Integration Labs
1964	   3-9-11 Midori-cho Musashino-shi
1965	   Tokyo  184-0013
1966	   Japan

1968	   Phone: +81 422 59 6099
1969	   Email: koike.arata@lab.ntt.co.jp