2 SOC Working Group V. Hilt 3 Internet-Draft Bell Labs/Alcatel-Lucent 4 Intended status: Informational E. Noel 5 Expires: January 10, 2012 AT&T Labs 6 C. Shen 7 Columbia University 8 A. Abdelal 9 Sonus Networks 10 July 9, 2011 12 Design Considerations for Session Initiation Protocol (SIP) Overload 13 Control 14 draft-ietf-soc-overload-design-07 16 Abstract 18 Overload occurs in Session Initiation Protocol (SIP) networks when 19 SIP servers have insufficient resources to handle all SIP messages 20 they receive. 
Even though the SIP protocol provides a limited 21 overload control mechanism through its 503 (Service Unavailable) 22 response code, SIP servers are still vulnerable to overload. This 23 document discusses models and design considerations for a SIP 24 overload control mechanism. 26 Status of this Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at http://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on January 10, 2012. 43 Copyright Notice 45 Copyright (c) 2011 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (http://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 61 2. SIP Overload Problem . . . . . . . . . . . . . . . . . . . . . 4 62 3. Explicit vs. Implicit Overload Control . . . . . . . . . . . . 5 63 4. System Model . . . . . . . . . . . . . . . . . . . . . . . . . 6 64 5. 
Degree of Cooperation . . . . . . . . . . . . . . . . . . . . 7 65 5.1. Hop-by-Hop . . . . . . . . . . . . . . . . . . . . . . . . 9 66 5.2. End-to-End . . . . . . . . . . . . . . . . . . . . . . . . 10 67 5.3. Local Overload Control . . . . . . . . . . . . . . . . . . 11 68 6. Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . 12 69 7. Fairness . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 70 8. Performance Metrics . . . . . . . . . . . . . . . . . . . . . 14 71 9. Explicit Overload Control Feedback . . . . . . . . . . . . . . 15 72 9.1. Rate-based Overload Control . . . . . . . . . . . . . . . 16 73 9.2. Loss-based Overload Control . . . . . . . . . . . . . . . 17 74 9.3. Window-based Overload Control . . . . . . . . . . . . . . 18 75 9.4. Overload Signal-based Overload Control . . . . . . . . . . 19 76 9.5. On-/Off Overload Control . . . . . . . . . . . . . . . . . 20 77 10. Implicit Overload Control . . . . . . . . . . . . . . . . . . 20 78 11. Overload Control Algorithms . . . . . . . . . . . . . . . . . 20 79 12. Message Prioritization . . . . . . . . . . . . . . . . . . . . 21 80 13. Security Considerations . . . . . . . . . . . . . . . . . . . 21 81 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 82 15. Informative References . . . . . . . . . . . . . . . . . . . . 23 83 Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 24 84 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24 86 1. Introduction 88 As with any network element, a Session Initiation Protocol (SIP) 89 [RFC3261] server can suffer from overload when the number of SIP 90 messages it receives exceeds the number of messages it can process. 91 Overload occurs if a SIP server does not have sufficient resources to 92 process all incoming SIP messages. These resources may include CPU, 93 memory, input/output, or disk resources. 95 Overload can pose a serious problem for a network of SIP servers. 
96 During periods of overload, the throughput of SIP messages in a 97 network of SIP servers can be significantly degraded. In fact, 98 overload in a SIP server may lead to a situation in which the 99 overload is amplified by retransmissions of SIP messages, causing the 100 throughput to drop to a very small fraction of the original 101 processing capacity. This is often called congestion collapse. 103 An overload control mechanism enables a SIP server to process SIP 104 messages close to its capacity limit during times of overload. 105 Overload control is used by a SIP server if it is unable to process 106 all SIP requests due to resource constraints. There are other 107 failure cases in which a SIP server can successfully process incoming 108 requests but has to reject them for other reasons. For example, a 109 PSTN gateway that runs out of trunk lines but still has plenty of 110 capacity to process SIP messages should reject incoming INVITEs using 111 a response such as 488 (Not Acceptable Here), as described in 112 [RFC4412]. Similarly, a SIP registrar that has lost connectivity to 113 its registration database but is still capable of processing SIP 114 messages should reject REGISTER requests with a 500 (Server Internal Error) 115 response [RFC3261]. Overload control mechanisms do not apply in 116 these cases and SIP provides appropriate response codes for them. 118 There are cases in which a SIP server runs other services that do not 119 involve the processing of SIP messages (e.g., processing of RTP 120 packets, database queries, software updates and event handling). 121 These services may, or may not, be correlated with the SIP message 122 volume. These services can use up a substantial share of resources 123 available on the server (e.g., CPU cycles) and leave the server in a 124 condition where it is unable to process all incoming SIP requests. 
125 In these cases, the SIP server applies SIP overload control 126 mechanisms to avoid congestion collapse on the SIP signaling plane. 127 However, controlling the number of SIP requests may not significantly 128 reduce the load on the server if the resource shortage was created by 129 another service. In these cases, the 130 server is expected to use appropriate methods to control the resource usage of 131 other services. The specifics of controlling the resource usage of 132 other services and their coordination are out of scope for this 133 document. 135 The SIP protocol provides a limited mechanism for overload control 136 through its 503 (Service Unavailable) response code and the Retry- 137 After header. However, this mechanism cannot prevent overload of a 138 SIP server and it cannot prevent congestion collapse. In fact, it 139 may cause traffic to oscillate and to shift between SIP servers and 140 thereby worsen an overload condition. A detailed discussion of the 141 SIP overload problem, the problems with the 503 (Service Unavailable) 142 response code and the Retry-After header, and the requirements for a 143 SIP overload control mechanism can be found in [RFC5390]. In 144 addition, 503 is used for other situations, not just SIP server 145 overload. A SIP overload control process based on 503 would have to 146 specify exactly which cause values trigger overload control. 148 This document discusses the models, assumptions and design 149 considerations for a SIP overload control mechanism. The document 150 originated in the SIP overload control design team and has been 151 further developed by the SIP Overload Control (SOC) working group. 153 2. SIP Overload Problem 155 A key contributor to SIP congestion collapse [RFC5390] is the 156 regenerative behavior of overload in the SIP protocol. 
When SIP is 157 running over the UDP protocol, it will retransmit messages that were 158 dropped or excessively delayed by a SIP server due to overload and 159 thereby increase the offered load for the already overloaded server. 160 This increase in load worsens the severity of the overload condition 161 and, in turn, causes more messages to be dropped. A congestion 162 collapse can occur [Hilt et al.], [Noel et al.], [Shen et al.] and 163 [Abdelal et al.]. 165 Regenerative behavior under overload should ideally be avoided by any 166 protocol, as it leads to unstable operation under overload. 167 However, this is often difficult to achieve in practice. For 168 example, changing the SIP retransmission timer mechanisms can reduce 169 the degree of regeneration during overload but will impact the 170 ability of SIP to recover from message losses. Without any 171 retransmission, each message that is dropped due to SIP server 172 overload will eventually lead to a failed transaction. 174 For a SIP INVITE transaction to be successful, a minimum of three 175 messages need to be forwarded by a SIP server. Often an INVITE 176 transaction consists of five or more SIP messages. If a SIP server 177 under overload randomly discards messages without evaluating them, 178 the chances that all messages belonging to a transaction are 179 successfully forwarded will decrease as the load increases. Thus, 180 the number of transactions that complete successfully will decrease 181 even if the message throughput of a server remains up and assuming 182 the overload behavior is fully non-regenerative. A SIP server might 183 (partially) parse incoming messages to determine whether each is a new 184 request or a message belonging to an existing transaction. 185 Discarding a SIP message after spending the resources to parse it is 186 expensive. 
The number of successful transactions will therefore 187 decline with an increase in load as fewer resources can be spent on 188 forwarding messages and more resources are consumed by inspecting 189 messages that will eventually be dropped. The rate of the decline 190 depends on the amount of resources spent to inspect each message. 192 Another challenge for SIP overload control is controlling the rate of 193 the true traffic source. Overload is often caused by a large number 194 of user agents (UAs), each of which creates only a single message. 195 However, the sum of their traffic can overload a SIP server. The 196 overload mechanisms suitable for controlling a SIP server (e.g., rate 197 control) may not be effective for individual UAs. In some cases, 198 there are other non-SIP mechanisms for limiting the load from the 199 UAs. These may operate independently from, or in conjunction with, 200 the SIP overload mechanisms described here. In either case, they are 201 out of scope for this document. 203 3. Explicit vs. Implicit Overload Control 205 The main difference between explicit and implicit overload control 206 is the way overload is signaled from a SIP server that is reaching an 207 overload condition to its upstream neighbors. 209 In an explicit overload control mechanism, a SIP server uses an 210 explicit overload signal to indicate that it is reaching its capacity 211 limit. Upstream neighbors receiving this signal can adjust their 212 transmission rate according to the overload signal to a level that is 213 acceptable to the downstream server. The overload signal enables a 214 SIP server to steer the load it is receiving to a rate at which it 215 can perform at maximum capacity. 217 Implicit overload control uses the absence of responses and packet 218 loss as an indication of overload. A SIP server that is sensing such 219 a condition reduces the load it is forwarding to a downstream neighbor. 
220 Since there is no explicit overload signal, this mechanism is robust 221 as it does not depend on actions taken by the SIP server running into 222 overload. 224 The ideas of explicit and implicit overload control are in fact 225 complementary. By considering implicit overload indications a server 226 can avoid overloading an unresponsive downstream neighbor. An 227 explicit overload signal enables a SIP server to actively steer the 228 incoming load to a desired level. 230 4. System Model 232 The model shown in Figure 1 identifies fundamental components of an 233 explicit SIP overload control mechanism: 235 SIP Processor: The SIP Processor processes SIP messages and is the 236 component that is protected by overload control. 237 Monitor: The Monitor measures the current load of the SIP processor 238 on the receiving entity. It implements the mechanisms needed to 239 determine the current usage of resources relevant for the SIP 240 processor and reports load samples (S) to the Control Function. 241 Control Function: The Control Function implements the overload 242 control algorithm. The control function uses the load samples (S) 243 and determines if overload has occurred and a throttle (T) needs 244 to be set to adjust the load sent to the SIP processor on the 245 receiving entity. The control function on the receiving entity 246 sends load feedback (F) to the sending entity. 247 Actuator: The Actuator implements the algorithms needed to act on 248 the throttles (T) and ensures that the amount of traffic forwarded 249 to the receiving entity meets the criteria of the throttle. For 250 example, a throttle may instruct the Actuator to not forward more 251 than 100 INVITE messages per second. The Actuator implements the 252 algorithms to achieve this objective, e.g., using message gapping. 253 It also implements algorithms to select the messages that will be 254 affected and determine whether they are rejected or redirected. 
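The interaction of these components can be illustrated with a minimal sketch. The Python below is illustrative only: the class names, the loss-rate form of the feedback, and the 90% utilization target are assumptions made for this example, not part of any specified mechanism.

```python
class Monitor:
    """Reports load samples (S), e.g., utilization of the SIP processor."""
    def __init__(self):
        self.utilization = 0.0          # current load, 0.0 .. 1.0

    def sample(self):
        return self.utilization

class ControlFunction:
    """Turns load samples (S) into feedback (F); here F is a loss rate."""
    def __init__(self, target=0.9):
        self.target = target            # desired utilization of the SIP processor

    def feedback(self, sample):
        # Ask senders to drop the fraction of traffic exceeding the target.
        if sample <= self.target:
            return 0.0
        return (sample - self.target) / sample

class Actuator:
    """Applies the throttle (T); here by probabilistically dropping requests."""
    def __init__(self):
        self.loss_rate = 0.0

    def set_throttle(self, feedback):
        # With a loss-rate feedback, F can be copied directly into T.
        self.loss_rate = feedback

    def admit(self, rand):
        # rand is a uniform random number in [0, 1); True means "forward".
        return rand >= self.loss_rate
```

A real mechanism would also define how (F) is encoded and conveyed between the entities, which this sketch leaves out.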
256 The type of feedback (F) conveyed from the receiving to the sending 257 entity depends on the overload control method used (i.e., loss-based, 258 rate-based, window-based or signal-based overload control; see 259 Section 9), the overload control algorithm (see Section 11) as well 260 as other design parameters. The feedback (F) enables the sending 261 entity to adjust the amount of traffic forwarded to the receiving 262 entity to a level that is acceptable to the receiving entity without 263 causing overload. 265 Figure 1 depicts a general system model for overload control. In 266 this diagram, one instance of the control function is on the sending 267 entity (i.e., associated with the actuator) and one is on the 268 receiving entity (i.e., associated with the monitor). However, a 269 specific mechanism may not require both elements. In this case, one 270 of the two control function elements can be empty and simply pass along 271 feedback. E.g., if (F) is defined as a loss-rate (e.g., reduce 272 traffic by 10%), there is no need for a control function on the 273 sending entity as the content of (F) can be copied directly into (T). 275 The model in Figure 1 shows a scenario with one sending and one 276 receiving entity. In a more realistic scenario a receiving entity 277 will receive traffic from multiple sending entities and vice versa 278 (see Section 6). The feedback generated by a Monitor will therefore 279 often be distributed across multiple Actuators. A Monitor needs to 280 be able to split the load it can process across multiple sending 281 entities and generate feedback that correctly adjusts the load each 282 sending entity is allowed to send. Similarly, an Actuator needs to 283 be prepared to receive different levels of feedback from different 284 receiving entities and throttle traffic to these entities 285 accordingly. 
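One conceivable way for a receiving entity to split the load it can process across multiple sending entities is to cap each sender in proportion to its recently offered load. The sketch below is illustrative: the function name, the use of request rates as the unit, and the proportional policy are assumptions for this example; Section 7 discusses other fairness policies that could be substituted.

```python
def split_capacity(capacity, offered):
    """Divide an acceptable total rate (requests/s) among sending entities
    in proportion to the load each has recently offered.

    capacity: total rate the receiving entity can process
    offered:  dict mapping sender id -> recently offered rate
    Returns a dict mapping sender id -> allowed rate (the feedback F).
    """
    total = sum(offered.values())
    if total <= capacity:
        # No overload: every sender may keep its current rate.
        return dict(offered)
    return {sender: capacity * rate / total
            for sender, rate in offered.items()}
```

Because the offered load of each sender varies over time, the allocation would have to be recomputed periodically.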
287 In a realistic deployment, SIP messages will flow in both directions, 288 from server B to server A as well as server A to server B. The 289 overload control mechanisms in each direction can be considered 290 independently. For messages flowing from server A to server B, the 291 sending entity is server A and the receiving entity is server B and 292 vice versa. The control loops in both directions operate 293 independently. 295 Sending Receiving 296 Entity Entity 297 +----------------+ +----------------+ 298 | Server A | | Server B | 299 | +----------+ | | +----------+ | -+ 300 | | Control | | F | | Control | | | 301 | | Function |<-+------+--| Function | | | 302 | +----------+ | | +----------+ | | 303 | T | | | ^ | | Overload 304 | v | | | S | | Control 305 | +----------+ | | +----------+ | | 306 | | Actuator | | | | Monitor | | | 307 | +----------+ | | +----------+ | | 308 | | | | ^ | -+ 309 | v | | | | -+ 310 | +----------+ | | +----------+ | | 311 <-+--| SIP | | | | SIP | | | SIP 312 --+->|Processor |--+------+->|Processor |--+-> | System 313 | +----------+ | | +----------+ | | 314 +----------------+ +----------------+ -+ 316 Figure 1: System Model for Explicit Overload Control 318 5. Degree of Cooperation 320 A SIP request is usually processed by more than one SIP server on its 321 path to the destination. Thus, a design choice for an explicit 322 overload control mechanism is where to place the components of 323 overload control along the path of a request and, in particular, 324 where to place the Monitor and Actuator. This design choice 325 determines the degree of cooperation between the SIP servers on the 326 path. Overload control can be implemented hop-by-hop with the 327 Monitor on one server and the Actuator on its direct upstream 328 neighbor. Overload control can be implemented end-to-end with 329 Monitors on all SIP servers along the path of a request and an 330 Actuator on the sender. 
In this case, the Control Functions 331 associated with each Monitor have to cooperate to jointly determine 332 the overall feedback for this path. Finally, overload control can be 333 implemented locally on a SIP server if Monitor and Actuator reside on 334 the same server. In this case, the sending entity and receiving 335 entity are the same SIP server and Actuator and Monitor operate on 336 the same SIP processor (although, the Actuator typically operates on 337 a pre-processing stage in local overload control). Local overload 338 control is an internal overload control mechanism as the control loop 339 is implemented internally on one server. Hop-by-hop and end-to-end 340 are external overload control mechanisms. All three configurations 341 are shown in Figure 2. 343 +---------+ +------(+)---------+ 344 +------+ | | | ^ | 345 | | | +---+ | | +---+ 346 v | v //=>| C | v | //=>| C | 347 +---+ +---+ // +---+ +---+ +---+ // +---+ 348 | A |===>| B | | A |===>| B | 349 +---+ +---+ \\ +---+ +---+ +---+ \\ +---+ 350 ^ \\=>| D | ^ | \\=>| D | 351 | +---+ | | +---+ 352 | | | v | 353 +---------+ +------(+)---------+ 355 (a) hop-by-hop (b) end-to-end 357 +-+ 358 v | 359 +-+ +-+ +---+ 360 v | v | //=>| C | 361 +---+ +---+ // +---+ 362 | A |===>| B | 363 +---+ +---+ \\ +---+ 364 \\=>| D | 365 +---+ 366 ^ | 367 +-+ 369 (c) local 371 ==> SIP request flow 372 <-- Overload feedback loop 374 Figure 2: Degree of Cooperation between Servers 376 5.1. Hop-by-Hop 378 The idea of hop-by-hop overload control is to instantiate a separate 379 control loop between all neighboring SIP servers that directly 380 exchange traffic. I.e., the Actuator is located on the SIP server 381 that is the direct upstream neighbor of the SIP server that has the 382 corresponding Monitor. Each control loop between two servers is 383 completely independent of the control loop between other servers 384 further up- or downstream. 
In the example in Figure 2(a), three 385 independent overload control loops are instantiated: A - B, B - C and 386 B - D. Each loop only controls a single hop. Overload feedback 387 received from a downstream neighbor is not forwarded further 388 upstream. Instead, a SIP server acts on this feedback, for example, 389 by rejecting SIP messages if needed. If the upstream neighbor of a 390 server also becomes overloaded, it will report this problem to its 391 upstream neighbors, which again take action based on the reported 392 feedback. Thus, in hop-by-hop overload control, overload is always 393 resolved by the direct upstream neighbors of the overloaded server 394 without the need to involve entities that are located multiple SIP 395 hops away. 397 Hop-by-hop overload control reduces the impact of overload on a SIP 398 network and can avoid congestion collapse. It is simple and scales 399 well to networks with many SIP entities. An advantage is that it 400 does not require feedback to be transmitted across multiple hops, 401 possibly crossing multiple trust domains. Feedback is sent to the 402 next hop only. Furthermore, it does not require a SIP entity to 403 aggregate a large number of overload status values or keep track of 404 the overload status of SIP servers it is not communicating with. 406 5.2. End-to-End 408 End-to-end overload control implements an overload control loop along 409 the entire path of a SIP request, from user agent client (UAC) to 410 user agent server (UAS). An end-to-end overload control mechanism 411 consolidates overload information from all SIP servers on the way 412 (including all proxies and the UAS) and uses this information to 413 throttle traffic as far upstream as possible. An end-to-end overload 414 control mechanism has to be able to frequently collect the overload 415 status of all servers on the potential path(s) to a destination and 416 combine this data into meaningful overload feedback. 
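If the per-hop overload status is expressed as a loss rate, one conceivable way to combine the collected data is multiplicative: a request reaches the destination only if every server on the path admits it, so the end-to-end acceptance fraction is the product of the per-hop acceptance fractions. The sketch below illustrates this idea only; it is not a specified mechanism, and collecting the per-hop values is left open.

```python
def path_loss_rate(hop_loss_rates):
    """Combine per-hop loss rates into one end-to-end loss rate.

    hop_loss_rates: iterable of per-hop loss rates in [0.0, 1.0].
    A request survives the path only if every hop admits it, so the
    end-to-end acceptance fraction is the product of per-hop ones.
    """
    accept = 1.0
    for loss in hop_loss_rates:
        accept *= (1.0 - loss)
    return 1.0 - accept
```

Note that this combination is only meaningful for a known path; as discussed above, the path a specific request will take is often not predictable.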
418 A UA or SIP server only throttles requests if it knows that these 419 requests will eventually be forwarded to an overloaded server. For 420 example, if D is overloaded in Figure 2(b), A should only throttle 421 requests it forwards to B when it knows that they will be forwarded 422 to D. It should not throttle requests that will eventually be 423 forwarded to C, since server C is not overloaded. In many cases, it 424 is difficult for A to determine which requests will be routed to C 425 and D since this depends on the local routing decision made by B. 426 These routing decisions can be highly variable and, for example, 427 depend on call routing policies configured by the user, services 428 invoked on a call, load balancing policies, etc. The fact that a 429 previous message to a target has been routed through an overloaded 430 server does not necessarily mean the next message to this target will 431 also be routed through the same server. 433 The main problem of end-to-end overload control is its inherent 434 complexity, since UACs or SIP servers need to monitor all potential 435 paths to a destination in order to determine which requests should be 436 throttled and which requests may be sent. Even if this information 437 is available, it is not clear which path a specific request will 438 take. 440 A variant of end-to-end overload control is to implement a control 441 loop between a set of well-known SIP servers along the path of a SIP 442 request. For example, an overload control loop can be instantiated 443 between a server that only has one downstream neighbor or a set of 444 closely coupled SIP servers. A control loop spanning multiple hops 445 can be used if the sending entity has full knowledge about the SIP 446 servers on the path of a SIP message. 448 Overload control for SIP servers is different from end-to-end 449 congestion control used by transport protocols such as TCP. 
The 450 traffic exchanged between SIP servers consists of many individual SIP 451 messages. Each SIP message is created by a SIP UA to achieve a 452 specific goal (e.g., to start setting up a call). All messages have 453 their own source and destination addresses. Even SIP messages 454 containing identical SIP URIs (e.g., a SUBSCRIBE and an INVITE message 455 to the same SIP URI) can be routed to different destinations. This 456 is different from TCP where the traffic exchanged between routers 457 consists of packets belonging to a usually longer flow of messages 458 exchanged between a source and a destination (e.g., to transmit a 459 file). If congestion occurs, the sources can detect this condition 460 and adjust the rate at which subsequent packets are transmitted. 462 5.3. Local Overload Control 464 The idea of local overload control (see Figure 2(c)) is to run the 465 Monitor and Actuator on the same server. This enables the server to 466 monitor the current resource usage and to reject messages that can't 467 be processed without overusing the local resources. The fundamental 468 assumption behind local overload control is that it is less resource 469 consuming for a server to reject messages than to process them. A 470 server can therefore reject the excess messages it cannot process to 471 stop all retransmissions of these messages. Since rejecting messages 472 does consume resources on a SIP server, local overload control alone 473 cannot prevent a congestion collapse. 475 Local overload control can be used in conjunction with other 476 overload control mechanisms and provides an additional layer of 477 protection against overload. It is fully implemented within a SIP 478 server and does not require cooperation between servers. In general, 479 SIP servers should apply other overload control techniques to control 480 load before a local overload control mechanism is activated as a 481 mechanism of last resort. 483 6. 
Topologies 485 The following topologies describe four generic SIP server 486 configurations. These topologies illustrate specific challenges for 487 an overload control mechanism. An actual SIP server topology is 488 likely to consist of combinations of these generic scenarios. 490 In the "load balancer" configuration shown in Figure 3(a) a set of 491 SIP servers (D, E and F) receives traffic from a single source A. A 492 load balancer is a typical example of such a configuration. In this 493 configuration, overload control needs to prevent server A (i.e., the 494 load balancer) from sending too much traffic to any of its downstream 495 neighbors D, E and F. If one of the downstream neighbors becomes 496 overloaded, A can direct traffic to the servers that still have 497 capacity. If one of the servers serves as a backup, it can be 498 activated once one of the primary servers reaches overload. 500 If A can reliably determine that D, E and F are its only downstream 501 neighbors and all of them are in overload, it may choose to report 502 overload upstream on behalf of D, E and F. However, if the set of 503 downstream neighbors is not fixed or only some of them are in 504 overload then A should not activate overload control since A can 505 still forward the requests destined to non-overloaded downstream 506 neighbors. These requests would be throttled as well if A used 507 overload control towards its upstream neighbors. 509 In some cases, the servers D, E, and F are in a server farm and 510 configured to appear as a single server to their upstream neighbors. 511 In this case, server A can report overload on behalf of the server 512 farm. If the load balancer is not a SIP entity, servers D, E, and F 513 can report the overall load of the server farm (i.e., the load of the 514 virtual server) in their messages. As an alternative, one of the 515 servers (e.g., server E) can report overload on behalf of the server 516 farm. 
In this case, not all messages contain overload control 517 information and it needs to be ensured that all upstream neighbors 518 are periodically served by server E to receive updated information. 520 In the "multiple sources" configuration shown in Figure 3(b), a SIP 521 server D receives traffic from multiple upstream sources A, B and C. 522 Each of these sources can contribute a different amount of traffic, 523 which can vary over time. The set of active upstream neighbors of D 524 can change as servers may become inactive and previously inactive 525 servers may start contributing traffic to D. 527 If D becomes overloaded, it needs to generate feedback to reduce the 528 amount of traffic it receives from its upstream neighbors. D needs 529 to decide by how much each upstream neighbor should reduce traffic. 530 This decision can require the consideration of the amount of traffic 531 sent by each upstream neighbor and it may need to be re-adjusted as 532 the traffic contributed by each upstream neighbor varies over time. 533 Server D can use a local fairness policy to determine how much 534 traffic it accepts from each upstream neighbor. 536 In many configurations, SIP servers form a "mesh" as shown in 537 Figure 3(c). Here, multiple upstream servers A, B and C forward 538 traffic to multiple alternative servers D and E. This configuration 539 is a combination of the "load balancer" and "multiple sources" 540 scenario. 542 +---+ +---+ 543 /->| D | | A |-\ 544 / +---+ +---+ \ 545 / \ +---+ 546 +---+-/ +---+ +---+ \->| | 547 | A |------>| E | | B |------>| D | 548 +---+-\ +---+ +---+ /->| | 549 \ / +---+ 550 \ +---+ +---+ / 551 \->| F | | C |-/ 552 +---+ +---+ 554 (a) load balancer (b) multiple sources 556 +---+ 557 | A |---\ a--\ 558 +---+-\ \---->+---+ \ 559 \/----->| D | b--\ \--->+---+ 560 +---+--/\ /-->+---+ \---->| | 561 | B | \/ c-------->| D | 562 +---+---\/\--->+---+ | | 563 /\---->| E | ... 
/--->+---+ 564 +---+--/ /-->+---+ / 565 | C |-----/ z--/ 566 +---+ 568 (c) mesh (d) edge proxy 570 Figure 3: Topologies 572 Overload control that is based on reducing the number of messages a 573 sender is allowed to send is not suited for servers that receive 574 requests from a very large population of senders, each of which only 575 sends a very small number of requests. This scenario is shown in 576 Figure 3(d). An edge proxy that is connected to many UAs is a 577 typical example of such a configuration. Since each UA typically 578 only infrequently sends requests, which are often related to the same 579 session, it can't decrease its message rate to resolve the overload. 581 A SIP server that receives traffic from many sources, which each 582 contribute only a small number of requests, can resort to local 583 overload control by rejecting a percentage of the requests it 584 receives with 503 (Service Unavailable) responses. Since it has many 585 upstream neighbors, it can send 503 (Service Unavailable) to a 586 fraction of them to gradually reduce load without entirely stopping 587 all incoming traffic. The Retry-After header can be used in 503 588 (Service Unavailable) responses to ask upstream neighbors to wait a 589 given number of seconds before trying the request again. Using 503 590 (Service Unavailable) cannot, however, prevent overload if a large 591 number of sources create requests (e.g., to place calls) at the same 592 time. 594 Note: The requirements of the "edge proxy" topology are different 595 from those of the other topologies, which may require a 596 different method for overload control. 598 7. Fairness 600 There are many different ways to define fairness between multiple 601 upstream neighbors of a SIP server. In the context of SIP server 602 overload, it is helpful to describe two categories of fairness: basic 603 fairness and customized fairness. 
With basic fairness, a SIP server 604 treats all requests equally and ensures that each request has the 605 same chance of succeeding. With customized fairness, the server 606 allocates resources according to different priorities. An example 607 application of the basic fairness criterion is the "Third caller 608 receives free tickets" scenario, where each call attempt should have 609 an equal success probability in making calls through an overloaded 610 SIP server, irrespective of the service provider where it was 611 initiated. An example of customized fairness would be a server that 612 assigns different resource allocations to its upstream neighbors 613 (e.g., service providers) as defined in a service level agreement 614 (SLA). 616 8. Performance Metrics 618 The performance of an overload control mechanism can be measured 619 using different metrics. 621 A key performance indicator is the goodput of a SIP server under 622 overload. Ideally, a SIP server should be able to perform at its 623 capacity limit during periods of overload. For example, if a SIP server has 624 a processing capacity of 140 INVITE transactions per second, then an 625 overload control mechanism should enable it to process 140 INVITEs 626 per second even if the offered load is much higher. The delay 627 introduced by a SIP server is another important indicator. An 628 overload control mechanism should ensure that the delay encountered 629 by a SIP message is not increased significantly during periods of 630 overload. Significantly increased delay can lead to time-outs and 631 retransmissions of SIP messages, making the overload worse. 633 Responsiveness and stability are other important performance 634 indicators. An overload control mechanism should quickly react to an 635 overload occurrence and ensure that a SIP server does not become 636 overloaded even during sudden peaks of load. 
Similarly, an overload 637 control mechanism should quickly stop rejecting requests if the 638 overload disappears. Stability is another important criterion. An 639 overload control mechanism should not cause significant oscillations 640 of load on a SIP server. The performance of SIP overload control 641 mechanisms is discussed in [Noel et al.], [Shen et al.], [Hilt et 642 al.] and [Abdelal et al.]. 644 In addition to the above metrics, there are other indicators that are 645 relevant for the evaluation of an overload control mechanism: 647 Fairness: Which types of fairness does the overload control 648 mechanism implement? 649 Self-limiting: Is the overload control self-limiting if a SIP server 650 becomes unresponsive? 651 Changes in neighbor set: How does the mechanism adapt to a changing 652 set of sending entities? 653 Data points to monitor: Which and how many data points does an 654 overload control mechanism need to monitor? 655 Computational load: What is the (CPU) load created by the overload 656 "monitor" and "actuator"? 658 9. Explicit Overload Control Feedback 660 Explicit overload control feedback enables a receiver to indicate how 661 much traffic it wants to receive. Explicit overload control 662 mechanisms can be differentiated based on the type of information 663 conveyed in the overload control feedback and whether the control 664 function is in the receiving or sending entity (receiver- vs. sender- 665 based overload control), or both. 667 9.1. Rate-based Overload Control 669 The key idea of rate-based overload control is to limit the request 670 rate at which an upstream element is allowed to forward traffic to 671 the downstream neighbor. If overload occurs, a SIP server instructs 672 each upstream neighbor to send at most X requests per second. Each 673 upstream neighbor can be assigned a different rate cap. 675 An example algorithm for an Actuator in the sending entity is request 676 gapping. 
After transmitting a request to a downstream neighbor, a 677 server waits for 1/X seconds before it transmits the next request to 678 the same neighbor. Requests that arrive during the waiting period 679 are not forwarded and are either redirected, rejected or buffered. 680 Request gapping only affects requests that are targeted by overload 681 control (e.g., requests that initiate a transaction and not 682 retransmissions in an ongoing transaction). 684 The rate cap ensures that the number of requests received by a SIP 685 server never increases beyond the sum of all rate caps granted to 686 upstream neighbors. Rate-based overload control protects a SIP 687 server against overload even during load spikes, assuming there are no 688 new upstream neighbors that start sending traffic. New upstream 689 neighbors need to be considered in the rate caps assigned to all 690 upstream neighbors. The rate assigned to upstream neighbors needs to 691 be adjusted when new neighbors join. During periods when new 692 neighbors are joining, overload can occur in extreme cases until the 693 rate caps of all servers are adjusted to again match the overall rate 694 cap of the server. The overall rate cap of a SIP server is 695 determined by an overload control algorithm, e.g., based on system 696 load. 698 Rate-based overload control requires a SIP server to assign a rate 699 cap to each of its upstream neighbors while it is activated. 700 Effectively, a server needs to assign a share of its overall capacity 701 to each upstream neighbor. A server needs to ensure that the sum of 702 all rate caps assigned to upstream neighbors does not substantially 703 oversubscribe its actual processing capacity. This requires a SIP 704 server to keep track of the set of upstream neighbors and to adjust 705 the rate cap if a new upstream neighbor appears or an existing 706 neighbor stops transmitting. 
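The request-gapping actuator described above can be sketched in a few lines of code. The following is an illustrative sketch only, not part of this specification; the class and method names (RequestGapper, try_forward) are hypothetical, and a real sender would additionally redirect, reject, or buffer requests that fall inside the gap.

```python
import time

class RequestGapper:
    """Sketch of a request-gapping actuator for one downstream neighbor.

    After forwarding a request, the sender waits 1/X seconds before
    forwarding the next request to the same neighbor, so at most X
    requests per second are forwarded on average.
    """

    def __init__(self, rate_cap_x):
        self.gap = 1.0 / rate_cap_x   # minimum spacing between forwarded requests
        self.next_allowed = 0.0       # earliest time the next request may be sent

    def try_forward(self, now=None):
        """Return True if a request may be forwarded now, False if it
        arrives inside the gap (and must be redirected/rejected/buffered)."""
        now = time.monotonic() if now is None else now
        if now >= self.next_allowed:
            self.next_allowed = now + self.gap
            return True
        return False
```

For a rate cap of X = 10 requests per second the gap is 100 ms: a request at t = 0.0 s is forwarded, one arriving at t = 0.05 s is throttled, and one at t = 0.1 s is forwarded again.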
For example, if the capacity of the 707 server is X and this server is receiving traffic from two upstream 708 neighbors, it can assign a rate of X/2 to each of them. If a third 709 sender appears, the rate for each sender is lowered to X/3. If the 710 overall rate cap is too high, a server may experience overload. If 711 the cap is too low, the upstream neighbors will reject requests even 712 though they could be processed by the server. 714 An approach for estimating a rate cap for each upstream neighbor is 715 to use a fixed proportion of a control variable, X, where X is 716 initially equal to the capacity of the SIP server. The server then 717 increases or decreases X until the workload arrival rate matches the 718 actual server capacity. Usually, this will mean that the sum of the 719 rate caps sent out by the server (=X) exceeds its actual capacity, 720 but enables upstream neighbors that are not generating more than their 721 fair share of the work to be effectively unrestricted. In this 722 approach, the server only has to measure the aggregate arrival rate. 723 However, since the overall rate cap is usually higher than the actual 724 capacity, brief periods of overload may occur. 726 9.2. Loss-based Overload Control 728 A loss percentage enables a SIP server to ask an upstream neighbor to 729 reduce the number of requests it would normally forward to this 730 server by X%. For example, a SIP server can ask an upstream neighbor 731 to reduce the number of requests this neighbor would normally send by 732 10%. The upstream neighbor then redirects or rejects 10% of the 733 traffic that is destined for this server. 735 An algorithm for the sending entity to implement a loss percentage is 736 to draw a random number between 1 and 100 for each request to be 737 forwarded. The request is not forwarded to the server if the random 738 number is less than or equal to X. 
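The random-drop algorithm just described can be sketched as follows. This is an illustrative sketch only, not part of this specification; the function name (should_forward) is hypothetical.

```python
import random

def should_forward(loss_percent_x, rng=random):
    """Loss-based throttle sketch for the sending entity.

    For each request, draw a random number between 1 and 100.  The
    request is NOT forwarded (it is redirected or rejected instead)
    if the number is less than or equal to X, so on average X% of
    requests destined for the overloaded server are dropped.
    """
    return rng.randint(1, 100) > loss_percent_x
```

With a loss percentage of X = 10, roughly 90% of requests are forwarded; the boundary cases behave as expected, since X = 0 forwards every request and X = 100 forwards none.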
740 An advantage of loss-based overload control is that the receiving 741 entity does not need to track the set of upstream neighbors or the 742 request rate it receives from each upstream neighbor. It is 743 sufficient to monitor the overall system utilization. To reduce 744 load, a server can ask its upstream neighbors to lower the traffic 745 forwarded by a certain percentage. The server calculates this 746 percentage by combining the loss percentage that is currently in use 747 (i.e., the loss percentage the upstream neighbors are currently using 748 when forwarding traffic), the current system utilization and the 749 desired system utilization. For example, if the server load 750 approaches 90% and the current loss percentage is set to a 50% 751 traffic reduction, then the server can decide to increase the loss 752 percentage to 55% in order to get to a system utilization of 80%. 753 Similarly, the server can lower the loss percentage if permitted by 754 the system utilization. 756 Loss-based overload control requires that the throttle percentage be 757 adjusted to the current overall number of requests received by the 758 server. This is particularly important if the number of requests 759 received fluctuates quickly. For example, if a SIP server sets a 760 throttle value of 10% at time t1 and the number of requests increases 761 by 20% between time t1 and t2 (t1