idnits 2.17.1 

draft-ietf-soc-overload-design-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (June 27, 2010) is 5049 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

     No issues found here.

     Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------


2	SOC Working Group                                                V. Hilt
3	Internet-Draft                                  Bell Labs/Alcatel-Lucent
4	Intended status: Informational                                   E. Noel
5	Expires: December 29, 2010                                     AT&T Labs
6	                                                                 C. Shen
7	                                                     Columbia University
8	                                                              A. Abdelal
9	                                                          Sonus Networks
10	                                                           June 27, 2010

12	  Design Considerations for Session Initiation Protocol (SIP) Overload
13	                                Control
14	                   draft-ietf-soc-overload-design-00

16	Abstract

18	   Overload occurs in Session Initiation Protocol (SIP) networks when
19	   SIP servers have insufficient resources to handle all SIP messages
20	   they receive.  Even though the SIP protocol provides a limited
21	   overload control mechanism through its 503 (Service Unavailable)
22	   response code, SIP servers are still vulnerable to overload.  This
23	   document discusses models and design considerations for a SIP
24	   overload control mechanism.

26	Status of this Memo

28	   This Internet-Draft is submitted in full conformance with the
29	   provisions of BCP 78 and BCP 79.

31	   Internet-Drafts are working documents of the Internet Engineering
32	   Task Force (IETF).  Note that other groups may also distribute
33	   working documents as Internet-Drafts.  The list of current Internet-
34	   Drafts is at http://datatracker.ietf.org/drafts/current/.

36	   Internet-Drafts are draft documents valid for a maximum of six months
37	   and may be updated, replaced, or obsoleted by other documents at any
38	   time.  It is inappropriate to use Internet-Drafts as reference
39	   material or to cite them other than as "work in progress."

41	   This Internet-Draft will expire on December 29, 2010.

43	Copyright Notice

45	   Copyright (c) 2010 IETF Trust and the persons identified as the
46	   document authors.  All rights reserved.

48	   This document is subject to BCP 78 and the IETF Trust's Legal
49	   Provisions Relating to IETF Documents
50	   (http://trustee.ietf.org/license-info) in effect on the date of
51	   publication of this document.  Please review these documents
52	   carefully, as they describe your rights and restrictions with respect
53	   to this document.  Code Components extracted from this document must
54	   include Simplified BSD License text as described in Section 4.e of
55	   the Trust Legal Provisions and are provided without warranty as
56	   described in the Simplified BSD License.

58	Table of Contents

60	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
61	   2.  SIP Overload Problem . . . . . . . . . . . . . . . . . . . . .  4
62	   3.  Explicit vs. Implicit Overload Control . . . . . . . . . . . .  5
63	   4.  System Model . . . . . . . . . . . . . . . . . . . . . . . . .  5
64	   5.  Degree of Cooperation  . . . . . . . . . . . . . . . . . . . .  7
65	     5.1.  Hop-by-Hop . . . . . . . . . . . . . . . . . . . . . . . .  8
66	     5.2.  End-to-End . . . . . . . . . . . . . . . . . . . . . . . .  9
67	     5.3.  Local Overload Control . . . . . . . . . . . . . . . . . . 10
68	   6.  Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . 10
69	   7.  Fairness . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
70	   8.  Performance Metrics  . . . . . . . . . . . . . . . . . . . . . 13
71	   9.  Explicit Overload Control Feedback . . . . . . . . . . . . . . 14
72	     9.1.  Rate-based Overload Control  . . . . . . . . . . . . . . . 14
73	     9.2.  Loss-based Overload Control  . . . . . . . . . . . . . . . 15
74	     9.3.  Window-based Overload Control  . . . . . . . . . . . . . . 16
75	     9.4.  Overload Signal-based Overload Control . . . . . . . . . . 17
76	     9.5.  On-/Off Overload Control . . . . . . . . . . . . . . . . . 18
77	   10. Implicit Overload Control  . . . . . . . . . . . . . . . . . . 18
78	   11. Overload Control Algorithms  . . . . . . . . . . . . . . . . . 18
79	   12. Message Prioritization . . . . . . . . . . . . . . . . . . . . 19
80	   13. Security Considerations  . . . . . . . . . . . . . . . . . . . 19
81	   14. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 19
82	   15. Informative References . . . . . . . . . . . . . . . . . . . . 19
83	   Appendix A.  Contributors  . . . . . . . . . . . . . . . . . . . . 20
84	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20

86	1.  Introduction

88	   As with any network element, a Session Initiation Protocol (SIP)
89	   [RFC3261] server can suffer from overload when the number of SIP
90	   messages it receives exceeds the number of messages it can process.
91	   Overload occurs if a SIP server does not have sufficient resources to
92	   process all incoming SIP messages.  These resources may include CPU,
93	   memory, input/output, or disk resources.

95	   Overload can pose a serious problem for a network of SIP servers.
96	   During periods of overload, the throughput of a network of SIP
97	   servers can be significantly degraded.  In fact, overload may lead to
98	   a situation in which the throughput drops down to a small fraction of
99	   the original processing capacity.  This is often called congestion
100	   collapse.

102	   An overload control mechanism enables a SIP server to perform close
103	   to its capacity limit during times of overload.  Overload control is
104	   used by a SIP server if it is unable to process all SIP requests due
105	   to resource constraints.  There are other failure cases in which a
106	   SIP server can successfully process incoming requests but has to
107	   reject them for other reasons.  For example, a PSTN gateway that runs
108	   out of trunk lines but still has plenty of capacity to process SIP
109	   messages should reject incoming INVITEs using a 488 (Not Acceptable
110	   Here) response [RFC4412].  Similarly, a SIP registrar that has lost
111	   connectivity to its registration database but is still capable of
112	   processing SIP messages should reject REGISTER requests with a 500
113	   (Server Error) response [RFC3261].  Overload control mechanisms do
114	   not apply in these cases and SIP provides appropriate response codes
115	   for them.

117	   The SIP protocol provides a limited mechanism for overload control
118	   through its 503 (Service Unavailable) response code and the Retry-
119	   After header.  However, this mechanism cannot prevent overload of a
120	   SIP server and it cannot prevent congestion collapse.  In fact, it
121	   may cause traffic to oscillate and to shift between SIP servers and
122	   thereby worsen an overload condition.  A detailed discussion of the
123	   SIP overload problem, the problems with the 503 (Service Unavailable)
124	   response code and the Retry-After header and the requirements for a
125	   SIP overload control mechanism can be found in [RFC5390].

127	   This document discusses the models, assumptions and design
128	   considerations for a SIP overload control mechanism.  The document is
129	   a product of the SIP overload control design team.

131	2.  SIP Overload Problem

133	   A key contributor to the SIP congestion collapse [RFC5390] is the
134	   regenerative behavior of overload in the SIP protocol.  When SIP is
135	   running over the UDP protocol, it will retransmit messages that were
136	   dropped by a SIP server due to overload and thereby increase the
137	   offered load for the already overloaded server.  This increase in
138	   load worsens the severity of the overload condition and, in turn,
139	   causes more messages to be dropped.  A congestion collapse can occur
140	   [Noel et al.], [Shen et al.] and [Hilt et al.].

142	   Regenerative behavior under overload should ideally be avoided by any
143	   protocol as this would lead to stable operation under overload.
144	   However, this is often difficult to achieve in practice.  For
145	   example, changing the SIP retransmission timer mechanisms can reduce
146	   the degree of regeneration during overload but will impact the
147	   ability of SIP to recover from message losses.  Without any
148	   retransmission each message that is dropped due to SIP server
149	   overload will eventually lead to a failed call.

151	   For a SIP INVITE transaction to be successful a minimum of three
152	   messages need to be forwarded by a SIP server.  Often an INVITE
153	   transaction consists of five or more SIP messages.  If a SIP server
154	   under overload randomly discards messages without evaluating them,
155	   the chances that all messages belonging to a transaction are
156	   successfully forwarded will decrease as the load increases.  Thus,
157	   the number of transactions that complete successfully will decrease
158	   even if the message throughput of a server remains up and assuming
159	   the overload behavior is fully non-regenerative.  A SIP server might
160	   (partially) parse incoming messages to determine if it is a new
161	   request or a message belonging to an existing transaction.  However,
162	   after having spend resources on parsing a SIP message, discarding
163	   this message is expensive as the resources already spend are lost.
164	   The number of successful transactions will therefore decline with an
165	   increase in load as less and less resources can be spent on
166	   forwarding messages and more and more resources are consumed by
167	   inspecting messages that will eventually be dropped.  The slope of
168	   the decline depends on the amount of resources spent to inspect each
169	   message.

171	   Another challenge for SIP overload control is that the rate of the
172	   true traffic source usually cannot be controlled.  Overload is often
173	   caused by a large number of UAs each of which creates only a single
174	   message.  These UAs cannot be rate controlled as they only send one
175	   message.  However, the sum of their traffic can overload a SIP
176	   server.

178	3.  Explicit vs. Implicit Overload Control

180	   The main differences between explicit and implicit overload control
181	   is the way overload is signaled from a SIP server that is reaching
182	   overload condition to its upstream neighbors.

184	   In an explicit overload control mechanism, a SIP server uses an
185	   explicit overload signal to indicate that it is reaching its capacity
186	   limit.  Upstream neighbors receiving this signal can adjust their
187	   transmission rate as indicated by the overload signal to a level that
188	   is acceptable to the downstream server.  The overload signal enables
189	   a SIP server to steer the load it is receiving to a rate at which it
190	   can perform at maximum capacity.

192	   Implicit overload control uses the absence of responses and packet
193	   loss as an indication of overload.  A SIP server that is sensing such
194	   a condition reduces the load it is forwarding a downstream neighbor.
195	   Since there is no explicit overload signal, this mechanism is robust
196	   as it does not depend on actions taken by the SIP server running into
197	   overload.

199	   The ideas of explicit and implicit overload control are in fact
200	   complementary.  By considering implicit overload indications a server
201	   can avoid overloading an unresponsive downstream neighbor.  An
202	   explicit overload signal enables a SIP server to actively steer the
203	   incoming load to a desired level.

205	4.  System Model

207	   The model shown in Figure 1 identifies fundamental components of an
208	   explicit SIP overload control mechanism:

210	   SIP Processor:  The SIP Processor processes SIP messages and is the
211	      component that is protected by overload control.
212	   Monitor:  The Monitor measures the current load of the SIP processor
213	      on the receiving entity.  It implements the mechanisms needed to
214	      determine the current usage of resources relevant for the SIP
215	      processor and reports load samples (S) to the Control Function.
216	   Control Function:  The Control Function implements the overload
217	      control algorithm.  The control function uses the load samples (S)
218	      and determines if overload has occurred and a throttle (T) needs
219	      to be set to adjust the load sent to the SIP processor on the
220	      receiving entity.  The control function on the receiving entity
221	      sends load feedback (F) to the sending entity.

223	   Actuator:  The Actuator implements the algorithms needed to act on
224	      the throttles (T) and ensures that the amount of traffic forwarded
225	      to the receiving entity meets the criteria of the throttle.  For
226	      example, a throttle may instruct the Actuator to not forward more
227	      than 100 INVITE messages per second.  The Actuator implements the
228	      algorithms to achieve this objective, e.g., using message gapping.
229	      It also implements algorithms to select the messages that will be
230	      affected and determine whether they are rejected or redirected.

232	   The type of feedback (F) conveyed from the receiving to the sending
233	   entity depends on the overload control method used (i.e., loss-based,
234	   rate-based, window-based or signal-based overload control; see
235	   Section 9), the overload control algorithm (see Section 11) as well
236	   as other design parameters.  The feedback (F) enables the sending
237	   entity to adjust the amount of traffic forwarded to the receiving
238	   entity to a level that is acceptable to the receiving entity without
239	   causing overload.

241	   Figure 1 depicts a general system model for overload control.  In
242	   this diagram, one instance of the control function is on the sending
243	   entity (i.e., associated with the actuator) and one is on the
244	   receiving entity (i.e., associated with the monitor).  However, a
245	   specific mechanism may not require both elements.  In this case, one
246	   of two control function elements can be empty and simply passes along
247	   feedback.  E.g., if (F) is defined as a loss-rate (e.g., reduce
248	   traffic by 10%) there is no need for a control function on the
249	   sending entity as the content of (F) can be copied directly into (T).

251	   The model in Figure 1 shows a scenario with one sending and one
252	   receiving entity.  In a more realistic scenario a receiving entity
253	   will receive traffic from multiple sending entities and vice versa
254	   (see Section 6).  The feedback generated by a Monitor will therefore
255	   often be distributed across multiple Actuators.  A Monitor needs to
256	   be able to split the load it can process across multiple sending
257	   entities and generate feedback that correctly adjusts the load each
258	   sending entity is allowed to send.  Similarly, an Actuator needs to
259	   be prepared to receive different levels of feedback from different
260	   receiving entities and throttle traffic to these entities
261	   accordingly.

263	          Sending                Receiving
264	           Entity                  Entity
265	     +----------------+      +----------------+
266	     |    Server A    |      |    Server B    |
267	     |  +----------+  |      |  +----------+  |    -+
268	     |  | Control  |  |  F   |  | Control  |  |     |
269	     |  | Function |<-+------+--| Function |  |     |
270	     |  +----------+  |      |  +----------+  |     |
271	     |     T |        |      |       ^        |     | Overload
272	     |       v        |      |       | S      |     | Control
273	     |  +----------+  |      |  +----------+  |     |
274	     |  | Actuator |  |      |  | Monitor  |  |     |
275	     |  +----------+  |      |  +----------+  |     |
276	     |       |        |      |       ^        |    -+
277	     |       v        |      |       |        |    -+
278	     |  +----------+  |      |  +----------+  |     |
279	   <-+--|   SIP    |  |      |  |   SIP    |  |     |  SIP
280	   --+->|Processor |--+------+->|Processor |--+->   | System
281	     |  +----------+  |      |  +----------+  |     |
282	     +----------------+      +----------------+    -+

284	           Figure 1: System Model for Explicit Overload Control

286	5.  Degree of Cooperation

288	   A SIP request is usually processed by more than one SIP server on its
289	   path to the destination.  Thus, a design choice for an explicit
290	   overload control mechanism is where to place the components of
291	   overload control along the path of a request and, in particular,
292	   where to place the Monitor and Actuator.  This design choice
293	   determines the degree of cooperation between the SIP servers on the
294	   path.  Overload control can be implemented hop-by-hop with the
295	   Monitor on one server and the Actuator on its direct upstream
296	   neighbor.  Overload control can be implemented end-to-end with
297	   Monitors on all SIP servers along the path of a request and an
298	   Actuator on the sender.  In this case, the Control Functions
299	   associated with each Monitor have to cooperate to jointly determine
300	   the overall feedback for this path.  Finally, overload control can be
301	   implemented locally on a SIP server if Monitor and Actuator reside on
302	   the same server.  In this case, the sending entity and receiving
303	   entity are the same SIP server and Actuator and Monitor operate on
304	   the same SIP processor (although, the Actuator typically operates on
305	   a pre-processing stage in local overload control).  Local overload
306	   control is an internal overload control mechanism as the control loop
307	   is implemented internally on one server.  Hop-by-hop and end-to-end
308	   are external overload control mechanisms.  All three configurations
309	   are shown in Figure 2.

311	               +---------+             +------(+)---------+
312	      +------+ |         |             |       ^          |
313	      |      | |        +---+          |       |         +---+
314	      v      | v    //=>| C |          v       |     //=>| C |
315	   +---+    +---+ //    +---+       +---+    +---+ //    +---+
316	   | A |===>| B |                   | A |===>| B |
317	   +---+    +---+ \\    +---+       +---+    +---+ \\    +---+
318	               ^    \\=>| D |          ^       |     \\=>| D |
319	               |        +---+          |       |         +---+
320	               |         |             |       v          |
321	               +---------+             +------(+)---------+

323	         (a) hop-by-hop                   (b) end-to-end

325	                         +-+
326	                         v |
327	    +-+      +-+        +---+
328	    v |      v |    //=>| C |
329	   +---+    +---+ //    +---+
330	   | A |===>| B |
331	   +---+    +---+ \\    +---+
332	                    \\=>| D |
333	                        +---+
334	                         ^ |
335	                         +-+

337	           (c) local

339	    ==> SIP request flow
340	    <-- Overload feedback loop

342	              Figure 2: Degree of Cooperation between Servers

344	5.1.  Hop-by-Hop

346	   The idea of hop-by-hop overload control is to instantiate a separate
347	   control loop between all neighboring SIP servers that directly
348	   exchange traffic.  I.e., the Actuator is located on the SIP server
349	   that is the direct upstream neighbor of the SIP server that has the
350	   corresponding Monitor.  Each control loop between two servers is
351	   completely independent of the control loop between other servers
352	   further up- or downstream.  In the example in Figure 2(a), three
353	   independent overload control loops are instantiated: A - B, B - C and
354	   B - D. Each loop only controls a single hop.  Overload feedback
355	   received from a downstream neighbor is not forwarded further
356	   upstream.  Instead, a SIP server acts on this feedback, for example,
357	   by rejecting SIP messages if needed.  If the upstream neighbor of a
358	   server also becomes overloaded, it will report this problem to its
359	   upstream neighbors, which again take action based on the reported
360	   feedback.  Thus, in hop-by-hop overload control, overload is always
361	   resolved by the direct upstream neighbors of the overloaded server
362	   without the need to involve entities that are located multiple SIP
363	   hops away.

365	   Hop-by-hop overload control reduces the impact of overload on a SIP
366	   network and can avoid congestion collapse.  It is simple and scales
367	   well to networks with many SIP entities.  An advantage is that it
368	   does not require feedback to be transmitted across multiple-hops,
369	   possibly crossing multiple trust domains.  Feedback is sent to the
370	   next hop only.  Furthermore, it does not require a SIP entity to
371	   aggregate a large number of overload status values or keep track of
372	   the overload status of SIP servers it is not communicating with.

374	5.2.  End-to-End

376	   End-to-end overload control implements an overload control loop along
377	   the entire path of a SIP request, from UAC to UAS.  An end-to-end
378	   overload control mechanism consolidates overload information from all
379	   SIP servers on the way (including all proxies and the UAS) and uses
380	   this information to throttle traffic as far upstream as possible.  An
381	   end-to-end overload control mechanism has to be able to frequently
382	   collect the overload status of all servers on the potential path(s)
383	   to a destination and combine this data into meaningful overload
384	   feedback.

386	   A UA or SIP server only throttles requests if it knows that these
387	   requests will eventually be forwarded to an overloaded server.  For
388	   example, if D is overloaded in Figure 2(b), A should only throttle
389	   requests it forwards to B when it knows that they will be forwarded
390	   to D. It should not throttle requests that will eventually be
391	   forwarded to C, since server C is not overloaded.  In many cases, it
392	   is difficult for A to determine which requests will be routed to C
393	   and D since this depends on the local routing decision made by B.
394	   These routing decisions can be highly variable and, for example,
395	   depend on call routing policies configured by the user, services
396	   invoked on a call, load balancing policies, etc.  The fact that a
397	   previous message to a target has been routed through an overloaded
398	   server does not necessarily mean the next message to this target will
399	   also be routed through the same server.

401	   The main problem of end-to-end overload control is its inherent
402	   complexity since UAC or SIP servers need to monitor all potential
403	   paths to a destination in order to determine which requests should be
404	   throttled and which requests may be sent.  Even if this information
405	   is available, it is not clear which path a specific request will
406	   take.

408	   A variant of end-to-end overload control is to implement a control
409	   loop between a set of well-known SIP servers along the path of a SIP
410	   request.  For example, an overload control loop can be instantiated
411	   between a server that only has one downstream neighbor or a set of
412	   closely coupled SIP servers.  A control loop spanning multiple hops
413	   can be used if the sending entity has full knowledge about the SIP
414	   servers on the path of a SIP message.

416	   A key difference to transport protocols using end-to-end congestion
417	   control such as TCP is that the traffic exchanged between SIP servers
418	   consists of many individual SIP messages.  Each of these SIP messages
419	   has its own source and destination.  Even SIP messages containing
420	   identical SIP URIs (e.g., a SUBSCRIBE and a INVITE message to the
421	   same SIP URI) can be routed to different destinations.  This is
422	   different from TCP which controls a stream of packets between a
423	   single source and a single destination.

425	5.3.  Local Overload Control

427	   The idea of local overload control (see Figure 2(c)) is to run the
428	   Monitor and Actuator on the same server.  This enables the server to
429	   monitor the current resource usage and to reject messages that can't
430	   be processed without overusing the local resources.  The fundamental
431	   assumption behind local overload control is that it is less resource
432	   consuming for a server to reject messages than to process them.  A
433	   server can therefore reject the excess messages it cannot process to
434	   stop all retransmissions of these messages.

436	   Local overload control can be used in conjunction with an other
437	   overload control mechanisms and provides an additional layer of
438	   protection against overload.  It is fully implemented within a SIP
439	   server and does not require cooperation between servers.  In general,
440	   SIP servers should apply other overload control techniques to control
441	   load before a local overload control mechanism is activated as a
442	   mechanism of last resort.

444	6.  Topologies

446	   The following topologies describe four generic SIP server
447	   configurations.  These topologies illustrate specific challenges for
448	   an overload control mechanism.  An actual SIP server topology is
449	   likely to consist of combinations of these generic scenarios.

451	   In the "load balancer" configuration shown in Figure 3(a) a set of
452	   SIP servers (D, E and F) receives traffic from a single source A. A
453	   load balancer is a typical example for such a configuration.  In this
454	   configuration, overload control needs to prevent server A (i.e., the
455	   load balancer) from sending too much traffic to any of its downstream
456	   neighbors D, E and F. If one of the downstream neighbors becomes
457	   overloaded, A can direct traffic to the servers that still have
458	   capacity.  If one of the servers serves as a backup, it can be
459	   activated once one of the primary servers reaches overload.

461	   If A can reliably determine that D, E and F are its only downstream
462	   neighbors and all of them are in overload, it may choose to report
463	   overload upstream on behalf of D, E and F. However, if the set of
464	   downstream neighbors is not fixed or only some of them are in
465	   overload then A should not activate an overload control since A can
466	   still forward the requests destined to non-overloaded downstream
467	   neighbors.  These requests would be throttled as well if A would use
468	   overload control towards its upstream neighbors.

470	   In the "multiple sources" configuration shown in Figure 3(b), a SIP
471	   server D receives traffic from multiple upstream sources A, B and C.
472	   Each of these sources can contribute a different amount of traffic,
473	   which can vary over time.  The set of active upstream neighbors of D
474	   can change as servers may become inactive and previously inactive
475	   servers may start contributing traffic to D.

477	   If D becomes overloaded, it needs to generate feedback to reduce the
478	   amount of traffic it receives from its upstream neighbors.  D needs
479	   to decide by how much each upstream neighbor should reduce traffic.
480	   This decision can require the consideration of the amount of traffic
481	   sent by each upstream neighbor and it may need to be re-adjusted as
482	   the traffic contributed by each upstream neighbor varies over time.
483	   Server D can use a local fairness policy to determine much traffic it
484	   accepts from each upstream neighbor.

486	   In many configurations, SIP servers form a "mesh" as shown in
487	   Figure 3(c).  Here, multiple upstream servers A, B and C forward
488	   traffic to multiple alternative servers D and E. This configuration
489	   is a combination of the "load balancer" and "multiple sources"
490	   scenario.

492	                   +---+              +---+
493	                /->| D |              | A |-\
494	               /   +---+              +---+  \
495	              /                               \   +---+
496	       +---+-/     +---+              +---+    \->|   |
497	       | A |------>| E |              | B |------>| D |
498	       +---+-\     +---+              +---+    /->|   |
499	              \                               /   +---+
500	               \   +---+              +---+  /
501	                \->| F |              | C |-/
502	                   +---+              +---+

504	       (a) load balancer             (b) multiple sources

506	       +---+
507	       | A |---\                        a--\
508	       +---+-\  \---->+---+                 \
509	              \/----->| D |             b--\ \--->+---+
510	       +---+--/\  /-->+---+                 \---->|   |
511	       | B |    \/                      c-------->| D |
512	       +---+---\/\--->+---+                       |   |
513	               /\---->| E |            ...   /--->+---+
514	       +---+--/   /-->+---+                 /
515	       | C |-----/                      z--/
516	       +---+

518	             (c) mesh                   (d) edge proxy

520	                           Figure 3: Topologies

522	   Overload control that is based on reducing the number of messages a
523	   sender is allowed to send is not suited for servers that receive
524	   requests from a very large population of senders, each of which only
525	   infrequently sends a request.  This scenario is shown in Figure 3(d).
526	   An edge proxy that is connected to many UAs is a typical example for
527	   such a configuration.

529	   Since each UA typically only contributes a few requests, which are
530	   often related to the same call, it can't decrease its message rate to
531	   resolve the overload.  In such a configuration, a SIP server can
532	   resort to local overload control by rejecting a percentage of the
533	   requests it receives with 503 (Service Unavailable) responses.  Since
534	   there are many upstream neighbors that contribute to the overall
535	   load, sending 503 (Service Unavailable) to a fraction of them can
536	   gradually reduce load without entirely stopping all incoming traffic.
537	   The Retry-After header can be used in 503 (Service Unavailable)
538	   responses to ask UAs to wait a given number of seconds before trying
539	   the call again.  Using 503 (Service Unavailable) towards individual
540	   sources can, however, not prevent overload if a large number of users
541	   places calls at the same time.

543	      Note: The requirements of the "edge proxy" topology are different
544	      than the ones of the other topologies, which may require a
545	      different method for overload control.

547	7.  Fairness

549	   There are many different ways to define fairness between multiple
550	   upstream neighbors of a SIP server.  In the context of SIP server
551	   overload, it is helpful to describe two categories of fairness: basic
552	   fairness and customized fairness.  With basic fairness a SIP server
553	   treats all end users equally and ensures that each end user has the
554	   same chance of reaching the destination server.  With customized
555	   fairness, the server allocates resources according to different
556	   priorities.  An example application of the basic fairness criteria is
557	   the "Third caller receives free tickets" scenario, where each end
558	   user should have an equal success probability in making calls through
559	   an overloaded SIP server, regardless of which service provider he/she
560	   is subscribed to.  An example of customized fairness would be a
561	   server which assigns different resource allocations to its upstream
562	   neighbors (e.g., service providers) as defined in a service level
563	   agreement (SLA).

565	8.  Performance Metrics

567	   The performance of an overload control mechanism can be measured
568	   using different metrics.

570	   A key performance indicator is the goodput of a SIP server under
571	   overload.  Ideally, a SIP server will be enabled to perform at its
572	   capacity limit during periods of overload.  E.g., if a SIP server has
573	   a processing capacity of 140 INVITE transactions per second then an
574	   overload control mechanism should enable it to process 140 INVITEs
575	   per second even if the offered load is much higher.  The delay
576	   introduced by a SIP server is another important indicator.  An
577	   overload control mechanism should ensure that the delay encountered
578	   by a SIP message is not increased significantly during periods of
579	   overload.

581	   Reactiveness and stability are other important performance
582	   indicators.  An overload control mechanism should quickly react to an
583	   overload occurrence and ensure that a SIP server does not become
584	   overloaded even during sudden peaks of load.  Similarly, an overload
585	   control mechanism should quickly remove all throttles if the overload
586	   disappears.  Stability is another important criteria.  An overload
587	   control mechanism should not cause significant oscillations of load
588	   on a SIP server.  The performance of SIP overload control mechanisms
589	   is discussed in [Noel et al.], [Shen et al.] and [Hilt et al.].

591	   In addition to the above metrics, there are other indicators that are
592	   relevant for the evaluation of an overload control mechanism:

594	   Fairness:  Which types of fairness does the overload control
595	      mechanism implement?
596	   Self-limiting:  Is the overload control self-limiting if a SIP server
597	      becomes unresponsive?
598	   Changes in neighbor set:  How does the mechanism adapt to a changing
599	      set of sending entities?
600	   Data points to monitor:  Which and how many data points does an
601	      overload control mechanism need to monitor?

603	9.  Explicit Overload Control Feedback

605	   Explicit overload control feedback enables a receiver to indicate how
606	   much traffic it wants to receive.  Explicit overload control
607	   mechanisms can be differentiated based on the type of information
608	   conveyed in the overload control feedback and whether the control
609	   function is in the receiving or sending entity (receiver- vs. sender-
610	   based overload control).

612	9.1.  Rate-based Overload Control

614	   The key idea of rate-based overload control is to limit the request
615	   rate at which an upstream element is allowed to forward traffic to
616	   the downstream neighbor.  If overload occurs, a SIP server instructs
617	   each upstream neighbor to send at most X requests per second.  Each
618	   upstream neighbor can be assigned a different rate cap.

620	   An example algorithm for an Actuator in the sending entity is request
621	   gapping.  After transmitting a request to a downstream neighbor, a
622	   server waits for 1/X seconds before it transmits the next request to
623	   the same neighbor.  Requests that arrive during the waiting period
624	   are not forwarded and are either redirected, rejected or buffered.

626	   The rate cap ensures that the number of requests received by a SIP
627	   server never increases beyond the sum of all rate caps granted to
628	   upstream neighbors.  Rate-based overload control protects a SIP
629	   server against overload even during load spikes assuming there are no
630	   new upstream neighbors that start sending traffic.  New upstream
631	   neighbors need to be considered in all rate caps assigned to upstream
632	   neighbors.  The overall rate cap of a SIP server is determined by an
633	   overload control algorithm, e.g., based on system load.

635	   Rate-based overload control requires a SIP server to assign a rate
636	   cap to each of its upstream neighbors while it is activated.
637	   Effectively, a server needs to assign a share of its overall capacity
638	   to each upstream neighbor.  A server needs to ensure that the sum of
639	   all rate caps assigned to upstream neighbors is not higher than its
640	   actual processing capacity.  This requires a SIP server to keep track
641	   of the set of upstream neighbors and to adjust the rate cap if a new
642	   upstream neighbor appears or an existing neighbor stops transmitting.
643	   For example, if the capacity of the server is X and this server is
644	   receiving traffic from two upstream neighbors, it can assign a rate
645	   of X/2 to each of them.  If a third sender appears, the rate for each
646	   sender is lowered to X/3.  If the overall rate cap is too high, a
647	   server may experience overload.  If the cap is too low, the upstream
648	   neighbors will reject requests even though they could be processed by
649	   the server.

651	   An approach for estimating a rate cap for each upstream neighbor is
652	   using a fixed proportion of a control variable, X, where X is
653	   initially equal to the capacity of the SIP server.  The server then
654	   increases or decreases X until the workload arrival rate matches the
655	   actual server capacity.  Usually, this will mean that the sum of the
656	   rate caps sent out by the server (=X) exceeds its actual capacity,
657	   but enables upstream neighbors who are not generating more than their
658	   fair share of the work to be effectively unrestricted.  In this
659	   approach, the server only has to measure the aggregate arrival rate.
660	   However, since the overall rate cap is usually higher than the actual
661	   capacity, brief periods of overload may occur.

663	9.2.  Loss-based Overload Control

665	   A loss percentage enables a SIP server to ask an upstream neighbor to
666	   reduce the number of requests it would normally forward to this
667	   server by a percentage X. For example, a SIP server can ask an
668	   upstream neighbor to reduce the number of requests this neighbor
669	   would normally send by 10%.  The upstream neighbor then redirects or
670	   rejects X percent of the traffic that is destined for this server.

672	   An algorithm for the sending entity to implement a loss percentage is
673	   to draw a random number between 1 and 100 for each request to be
674	   forwarded.  The request is not forwarded to the server if the random
675	   number is less than or equal to X.

677	   An advantage of loss-based overload control is that, the receiving
678	   entity does not need to track the set of upstream neighbors or the
679	   request rate it receives from each upstream neighbor.  It is
680	   sufficient to monitor the overall system utilization.  To reduce
681	   load, a server can ask its upstream neighbors to lower the traffic
682	   forwarded by a certain percentage.  The server calculates this
683	   percentage by combining the loss percentage that is currently in use
684	   (i.e., the loss percentage the upstream neighbors are currently using
685	   when forwarding traffic), the current system utilization and the
686	   desired system utilization.  For example, if the server load
687	   approaches 90% and the current loss percentage is set to a 50%
688	   traffic reduction, then the server can decide to increase the loss
689	   percentage to 55% in order to get to a system utilization of 80%.
690	   Similarly, the server can lower the loss percentage if permitted by
691	   the system utilization.

693	   Loss-based overload control requires that the throttle percentage is
694	   adjusted to the current overall number of requests received by the
695	   server.  This is particularly important if the number of requests
696	   received fluctuates quickly.  For example, if a SIP server sets a
697	   throttle value of 10% at time t1 and the number of requests increases
698	   by 20% between time t1 and t2 (t1<t2), then the server will see an
699	   increase in traffic by 10% between time t1 and t2.  This is even
700	   though all upstream neighbors have reduced traffic by 10% as told.
701	   Thus, percentage throttling requires an adjustment of the throttling
702	   percentage in response to the traffic received and may not always be
703	   able to prevent a server from encountering brief periods of overload
704	   in extreme cases.

706	9.3.  Window-based Overload Control

708	   The key idea of window-based overload control is to allow an entity
709	   to transmit a certain number of messages before it needs to receive a
710	   confirmation for the messages in transit.  Each sender maintains an
711	   overload window that limits the number of messages that can be in
712	   transit without being confirmed.

714	   Each sender maintains an unconfirmed message counter for each
715	   downstream neighbor it is communicating with.  For each message sent
716	   to the downstream neighbor, the counter is increased.  For each
717	   confirmation received, the counter is decreased.  The sender stops
718	   transmitting messages to the downstream neighbor when the unconfirmed
719	   message counter has reached the current window size.

721	   A crucial parameter for the performance of window-based overload
722	   control is the window size.  Each sender has an initial window size
723	   it uses when first sending a request.  This window size can be
724	   changed based on the feedback it receives from the receiver.

726	   The sender adjusts its window size as soon as it receives the
727	   corresponding feedback from the receiver.  If the new window size is
728	   smaller than the current unconfirmed message counter, the sender
729	   stops transmitting messages until more messages are confirmed and the
730	   current unconfirmed message counter is less than the window size.

732	   Note that the reception of a 100 Trying response does not provide a
733	   confirmation for the reception of a message. 100 Trying responses are
734	   often created by a SIP server very early in processing and do not
735	   indicate that a message has been successfully processed and cleared
736	   from the input buffer.  If the downstream neighbor is a stateless
737	   proxy, it will not create 100 Trying responses at all and instead
738	   pass through 100 Trying responses created by the next stateful
739	   server.  Also, 100 Trying responses are typically only created for
740	   INVITE requests.  Explicit message confirmations do not have these
741	   problems.

743	   Window-based overload control is similar to rate-based overload
744	   control in that the total available receiver buffer space needs to be
745	   divided among all upstream neighbors.  However, unlike rate-based
746	   overload control, window-based overload control is self-limiting and
747	   can ensure that the receiver buffer does not overflow under normal
748	   conditions.  The transmission of messages by senders is clocked by
749	   message confirmations received from the receiver.  A buffer overflow
750	   can occur if a large number of new upstream neighbors arrives at the
751	   same time.  However, senders will eventually stop transmitting new
752	   requests once their initial sending window is closed.

754	   In window-based overload control, the number of messages a sender is
755	   allowed to send can frequently be set to zero.  In this state, the
756	   sender needs to be informed when it is allowed to send again and the
757	   receiver window has opened up.  However, since the sender is not
758	   allowed to transmit messages, the receiver cannot convey the new
759	   window size by piggybacking it in a response to another message.
760	   Instead, it needs to inform the sender through another mechanism,
761	   e.g., by sending a message that contains the new window size.

763	9.4.  Overload Signal-based Overload Control

765	   The key idea of overload signal-based overload control is to use the
766	   transmission of a 503 (Service Unavailable) response as a signal for
767	   overload in the downstream neighbor.  After receiving a 503 (Service
768	   Unavailable) response, the sender reduces the load forwarded to the
769	   downstream neighbor to avoid triggering more 503 (Service
770	   Unavailable) responses.  The sender keeps reducing the load if more
771	   503 (Service Unavailable) responses are received.  Note that this
772	   scheme is based on the use of 503 (Service Unavailable) responses
773	   without Retry-After header as the Retry-After header would require a
774	   sender to entirely stop forwarding requests.

776	   A sender which has not received 503 (Service Unavailable) responses
777	   for a while but is still throttling traffic can start to increase the
778	   offered load.  By slowly increasing the traffic forwarded a sender
779	   can detect that overload in the downstream neighbor has been resolved
780	   and more load can be forwarded.  The load is increased until the
781	   sender again receives another 503 (Service Unavailable) response or
782	   is forwarding all requests it has.  A possible algorithm for
783	   adjusting traffic is additive increase/multiplicative decrease
784	   (AIMD).

786	   Overload Signal-based Overload Control is a sender-based overload
787	   control mechanism.

789	9.5.  On-/Off Overload Control

791	   On-/off overload control feedback enables a SIP server to turn the
792	   traffic it is receiving either on or off.  The 503 (Service
793	   Unavailable) response with Retry-After header implements on-/off
794	   overload control.  On-/off overload control is less effective in
795	   controlling load than the fine grained control methods above.  In
796	   fact, all above methods can realize on/-off overload control, e.g.,
797	   by setting the allowed rate to either zero or unlimited.

799	10.  Implicit Overload Control

801	   Implicit overload control ensures that the transmission of a SIP
802	   server is self-limiting.  It slows down the transmission rate of a
803	   sender when there is an indication that the receiving entity is
804	   experiencing overload.  Such an indication can be that the receiving
805	   entity is not responding within the expected timeframe or is not
806	   responding at all.  The idea of implicit overload control is that
807	   senders should try to sense overload of a downstream neighbor even if
808	   there is no explicit overload control feedback.  It avoids that an
809	   overloaded server, which has become unable to generate overload
810	   control feedback, will be overwhelmed with requests.

812	   Window-based overload control is inherently self-limiting since a
813	   sender cannot continue without receiving confirmations.  All other
814	   explicit overload control schemes described above do not have this
815	   property and require additional implicit controls to limit
816	   transmissions in case an overloaded downstream neighbor does not
817	   generate explicit feedback.

819	11.  Overload Control Algorithms

821	   An important aspect of the design of an overload control mechanism is
822	   the overload control algorithm.  The control algorithm determines
823	   when the amount of traffic to a SIP server needs to be decreased and
824	   when it can be increased.  In terms of the model described in
825	   Section 4 the control algorithm takes (S) as an input value and
826	   generates (T) as a result.

828	   Overload control algorithms have been studied to a large extent and
829	   many different overload control algorithms exist.  With many
830	   different overload control algorithms available, it seems reasonable
831	   to suggest a baseline algorithm in a specification for a SIP overload
832	   control mechanism and allow the use of other algorithms if they
833	   provide the same protocol semantics.  This will also allow the
834	   development of future algorithms, which may lead to a better
835	   performance.

837	12.  Message Prioritization

839	   Overload control can require a SIP server to prioritize messages and
840	   select messages that need to be rejected or redirected.  The
841	   selection is largely a matter of local policy of the SIP server.  As
842	   a general rule, a SIP server should preserve high-priority requests
843	   such as emergency service requests as much as possible during times
844	   of overload.  The Resource-Priority header field [RFC4412] enables a
845	   proxy to identify such requests and preserve them during overload.
846	   In additiona, a SIP server should prioritize messages for ongoing
847	   sessions over messages that set up a new session.

849	13.  Security Considerations

851	   Overload control mechanisms, in general, have security implications.
852	   If not designed carefully they can, for example, be used to launch a
853	   denial of service attack.  The specific security risks and their
854	   remedies depend on the actual protocol mechanisms chosen for overload
855	   control.  They need to be addressed in a document that specifies such
856	   a mechanism.

858	14.  IANA Considerations

860	   This document does not require any IANA considerations.

862	15.  Informative References

864	   [Hilt et al.]
865	              Hilt, V. and I. Widjaja, "Controlling Overload in Networks
866	              of SIP Servers", IEEE International Conference on Network
867	              Protocols (ICNP'08), Orlando, Florida, October 2008.

869	   [Noel et al.]
870	              Noel, E. and C. Johnson, "Initial Simulation Results That
871	              Analyze SIP Based VoIP Networks Under Overload",
872	              International Teletraffic Congress (ITC'07), Ottawa,
873	              Canada, June 2007.

875	   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
876	              A., Peterson, J., Sparks, R., Handley, M., and E.
877	              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
878	              June 2002.

880	   [RFC4412]  Schulzrinne, H. and J. Polk, "Communications Resource
881	              Priority for the Session Initiation Protocol (SIP)",
882	              RFC 4412, February 2006.

884	   [RFC5390]  Rosenberg, J., "Requirements for Management of Overload in
885	              the Session Initiation Protocol", RFC 5390, December 2008.

887	   [Shen et al.]
888	              Shen, C., Schulzrinne, H., and E. Nahum, "Session
889	              Initiation Protocol (SIP) Server Overload Control: Design
890	              and Evaluation, Principles", Systems and Applications of
891	              IP Telecommunications (IPTComm'08), Heidelberg, Germany,
892	              July 2008.

894	Appendix A.  Contributors

896	   Contributors to this document are: Mary Barnes (Nortel), Carolyn
897	   Johnson (AT&T Labs), Daryl Malas (CableLabs), Tom Phelan (Sonus
898	   Networks), Jonathan Rosenberg (Cisco), Henning Schulzrinne (Columbia
899	   University), Nick Stewart (British Telecommunications plc), Rich
900	   Terpstra (Level 3), Fangzhe Chang (Bell Labs/Alcatel-Lucent).  Many
901	   thanks!

903	Authors' Addresses

905	   Volker Hilt
906	   Bell Labs/Alcatel-Lucent
907	   791 Holmdel-Keyport Rd
908	   Holmdel, NJ  07733
909	   USA

911	   Email: volker.hilt@alcatel-lucent.com

913	   Eric Noel
914	   AT&T Labs

916	   Email: eric.noel@att.com

918	   Charles Shen
919	   Columbia University

921	   Email: charles@cs.columbia.edu

923	   Ahmed Abdelal
924	   Sonus Networks

926	   Email: aabdelal@sonusnet.com