idnits 2.17.1 draft-ietf-speermint-requirements-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? (You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Feb 2009 rather than one of the newer Notices. See https://trustee.ietf.org/license-info/.) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (October 26, 2009) is 5295 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-07) exists of draft-ietf-pmol-sip-perf-metrics-04 == Outdated reference: A later version (-19) exists of draft-ietf-speermint-architecture-08 == Outdated reference: A later version (-19) exists of draft-ietf-speermint-voip-consolidated-usecases-14 -- Obsolete informational reference (is this intentional?): RFC 3455 (Obsoleted by RFC 7315) -- Obsolete informational reference (is this intentional?): RFC 3466 (Obsoleted by RFC 7336) -- Obsolete informational reference (is this intentional?): RFC 3570 (Obsoleted by RFC 6770) -- Obsolete informational reference (is this intentional?): RFC 3920 (Obsoleted by RFC 6120) -- Obsolete informational reference (is this intentional?): RFC 4347 (Obsoleted by RFC 6347) -- Obsolete informational reference (is this intentional?): RFC 4474 (Obsoleted by RFC 8224) -- Obsolete informational reference (is this intentional?): RFC 4566 (Obsoleted by RFC 8866) -- Obsolete informational reference (is this intentional?): RFC 4572 (Obsoleted by RFC 8122) Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 10 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 SPEERMINT Working Group J-F. Mule 3 Internet-Draft CableLabs 4 Intended status: Informational October 26, 2009 5 Expires: April 29, 2010 7 SPEERMINT Requirements for SIP-based Session Peering 8 draft-ietf-speermint-requirements-09.txt 10 Status of this Memo 12 This Internet-Draft is submitted to IETF in full conformance with the 13 provisions of BCP 78 and BCP 79. 15 Internet-Drafts are working documents of the Internet Engineering 16 Task Force (IETF), its areas, and its working groups. Note that 17 other groups may also distribute working documents as Internet- 18 Drafts. 20 Internet-Drafts are draft documents valid for a maximum of six months 21 and may be updated, replaced, or obsoleted by other documents at any 22 time. It is inappropriate to use Internet-Drafts as reference 23 material or to cite them other than as "work in progress." 25 The list of current Internet-Drafts can be accessed at 26 http://www.ietf.org/ietf/1id-abstracts.txt. 28 The list of Internet-Draft Shadow Directories can be accessed at 29 http://www.ietf.org/shadow.html. 31 This Internet-Draft will expire on April 29, 2010. 33 Copyright Notice 35 Copyright (c) 2009 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents in effect on the date of 40 publication of this document (http://trustee.ietf.org/license-info). 41 Please review these documents carefully, as they describe your rights 42 and restrictions with respect to this document. 44 Abstract 46 This memo captures protocol requirements to enable session peering of 47 voice, presence, instant messaging and other types of multimedia 48 traffic. It is based on the use cases that have been described in 49 the SPEERMINT working group. This informational document is intended 50 to link the session peering use cases to protocol solutions. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 56 3. General Requirements . . . . . . . . . . . . . . . . . . . . . 5 57 3.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 5 58 3.2. Border Elements . . . . . . . . . . . . . . . . . . . . . 5 59 3.3. Session Establishment Data . . . . . . . . . . . . . . . . 9 60 3.3.1. User Identities and SIP URIs . . . . . . . . . . . . . 9 61 3.3.2. URI Reachability . . . . . . . . . . . . . . . . . . . 10 62 4. Requirements for Session Peering of Presence and Instant 63 Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . 11 64 5. Security Considerations . . . . . . . . . . . . . . . . . . . 13 65 5.1. Security Properties for the Acquisition of Session 66 Establishment Data . . . . . . . . . . . . . . . . . . . . 13 67 5.2. Security Properties for the SIP signaling exchanges . . . 14 68 5.3. End-to-End Media Security . . . . . . . . . . . . . . . . 15 69 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 70 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 71 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 72 8.1. Normative References . . . . . . . . . . . . . . . . . . . 18 73 8.2. Informative References . . . . . . . . . . . . . . . . . . 18 74 Appendix A. Policy Parameters for Session Peering . . . . . . . . 22 75 A.1. Categories of Parameters for VoIP Session Peering and 76 Justifications . . . . . . . . . . . . . . . . . . . . . . 22 77 A.2. Summary of Parameters for Consideration in Session 78 Peering Policies . . . . . . . . . . . . . . . . . . . . . 25 79 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 27 81 1. Introduction 83 Peering at the session level represents an agreement between parties 84 to exchange multimedia traffic. In this document, we assume that the 85 Session Initiation Protocol (SIP) is used to establish sessions 86 between SIP Service Providers (SSPs). SIP Service Providers are 87 referred to as peers and they are typically represented by users, 88 user groups, enterprises, real-time collaboration service 89 communities, or other service providers offering voice or multimedia 90 services using SIP. 92 A number of documents have been developed to provide background 93 information about SIP session peering. It is expected that the 94 reader is familiar with the reference architecture described in 95 [I-D.ietf-speermint-architecture], use cases for voice 96 ([I-D.ietf-speermint-voip-consolidated-usecases]) and instant 97 messaging and presence ([RFC5344]). 99 Peering at the session layer can be achieved on a bilateral basis 100 (direct peering established directly between two SSPs), or on an 101 indirect basis via a session intermediary (indirect peering via a 102 third-party SSP that has a trust relationship with the SSPs) - see 103 the terminology document for more details. 105 This document first describes general requirements. The use cases 106 are then analyzed in the spirit of extracting relevant protocol 107 requirements that must be met to accomplish the use cases. These 108 requirements are intended to be independent of the type of media 109 exchanged such as Voice over IP (VoIP), video telephony, and instant 110 messaging. Requirements specific to presence and instant messaging 111 are defined in Section 4. 113 It is not the goal of this document to mandate any particular use of 114 IETF protocols by SIP Service Providers in order to establish session 115 peering. Instead, the document highlights what requirements should 116 be met and what protocols may be used to define the solution space. 118 Finally, we conclude with a list of parameters for the definition of 119 a session peering policy, provided in an informative appendix. It 120 should be considered as an example of the information SIP Service 121 Providers may have to discuss or agree on to exchange SIP traffic. 123 2. Terminology 125 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 126 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 127 document are to be interpreted as described in [RFC2119]. 129 This document also reuses the terminology defined in [RFC5486]. It 130 is assumed that the reader is familiar with the Session Description 131 Protocol (SDP) [RFC4566] and the Session Initiation Protocol (SIP) 132 [RFC3261]. Finally, when used with capital letters, the terms 133 'Authentication Service' are to be understood as defined by SIP 134 Identity [RFC4474]. 136 3. General Requirements 138 The following sub-sections contain general requirements applicable to 139 multiple use cases for multimedia session peering. 141 3.1. Scope 143 The primary focus of this document is on the requirements applicable 144 to the boundaries of Layer 5 SIP networks: SIP entities, Signaling 145 path Border Elements (SBEs), and the associated protocol requirements 146 for the look-up and location routing of the session establishment 147 data. The requirements applicable to SIP User Agents or related to 148 the provisioning of the session data are considered out of scope. 150 SIP Service Providers have to reach an agreement on numerous points 151 when establishing session peering relationships . 152 This document highlights only certain aspects of a session peering 153 agreement, mostly the requirements relevant to protocols: the 154 declaration, advertisement and management of ingress and egress 155 border elements for session signaling and media, information related 156 to the Session Establishment Data (SED), and the security properties 157 that may be desirable for secure session exchanges. 158 Numerous other considerations of session peering arrangements are 159 critical to reach a successful agreement but they are considered out 160 of scope of this document. They include information about SIP 161 protocol support (e.g. SIP extensions and field conventions), media 162 (e.g., type of media traffic to be exchanged, compatible media codecs 163 and transport protocols, mechanisms to ensure differentiated quality 164 of service for media), layer-3 IP connectivity between the Signaling 165 and Data path Border Elements, accounting and traffic capacity 166 control (e.g. the maximum number of SIP sessions at each ingress 167 point, or the maximum number of concurrent IM or VoIP sessions). 169 The informative Appendix A lists parameters that may be considered 170 when discussing the technical parameters of SIP session peering. The 171 purpose of this list is to capture the parameters that are considered 172 outside the scope of the protocol requirements. 174 3.2. Border Elements 176 For border elements to be operationally manageable, maximum 177 flexibility should be given for how they are declared or dynamically 178 advertised. Indeed, in any session peering environment, there is a 179 need for a SIP Service Provider to declare or dynamically advertise 180 the SIP entities that will face the peer's network. The data path 181 border elements are typically signaled dynamically in the session 182 description. 184 The use cases defined in 185 [I-D.ietf-speermint-voip-consolidated-usecases] catalog the various 186 border elements between SIP Service Providers; they include Signaling 187 path Border Elements (SBEs) and SIP proxies (or any SIP entity at the 188 boundary of the Layer 5 network). 190 o Requirement #1: 191 Protocol mechanisms MUST be provided to enable a SIP Service 192 Provider to communicate the ingress Signaling Path Border Elements 193 of its service domain. 195 Notes on solution space: 196 The SBEs may be advertised to session peers using static 197 mechanisms or they may be dynamically advertised. There is 198 general agreement that [RFC3263] provides a solution for 199 dynamically advertising ingress SBEs in most cases of Direct or 200 Indirect peering. We discussed the DNS-based solution space 201 further in Requirement #4 below, especially in cases where the DNS 202 response varies based on who sends the query (peer-dependent 203 SBEs). 205 o Requirement #2: 206 Protocol mechanisms MUST be provided to enable a SIP Service 207 Provider to communicate the egress SBEs of its service domain. 209 Notes on motivations for this requirement: 210 For the purposes of capacity planning, traffic engineering and 211 call admission control, a SIP Service Provider may be asked where 212 it will generate SIP calls from. The SSP accepting calls from a 213 peer may wish to know where SIP calls will originate from (this 214 information is typically used by the terminating SSP). 215 While provisioning requirements are out-of-scope, some SSPs may 216 find use for a mechanism to dynamically advertise or discover the 217 egress SBEs of a peer. 219 If the SSP also provides media streams to its users as shown in the 220 use cases for "Originating" and "Terminating" SSPs, a mechanism must 221 exist to allow SSPs to advertise their egress and ingress data path 222 border elements (DBEs), if applicable. While some SSPs may have open 223 policies and accept media traffic from anywhere outside their network 224 to anywhere inside their network, some SSPs may want to optimize 225 media delivery and identify media paths between peers prior to 226 traffic being sent (layer 5 to layer 3 QoS mapping). 228 o Requirement #3: 229 Protocol mechanisms MUST be provided to allow a SIP Service 230 Provider to communicate its DBEs to its peers. 232 Notes: Some SSPs engaged in SIP interconnects do exchange this 233 type of DBE information in a static manner. Some SSPs do not. 235 In some SIP networks, SSPs may expose the same border elements to all 236 peers. In other environments, it is common for SSPs to advertise 237 specific SBEs and DBEs to certain peers. This is done by SSPs to 238 meet specific objectives for a given peer: routing optimization of 239 the signaling and media exchanges, optimization of the latency or 240 throughput based on the 'best' SBE and DBE combination, and other 241 service provider policy parameters. These are some of the reasons 242 why advertisement of SBEs and DBEs may be peer-dependent. 244 o Requirement #4: 245 The mechanisms recommended for the declaration or advertisement of 246 SBE and DBE entities MUST allow for peer variability. 248 Notes on solution space: 249 A simple solution is to advertise SBE entities using DNS and 250 [RFC3263] by providing different DNS names to different peers. 251 This approach has some practical limitations because the SIP URIs 252 containing the DNS names used to resolve the SBEs may be 253 propagated by users, for example in the form of sip:user@domain. 254 It is impractical to ask users to use different target URIs based 255 upon their SIP service provider's desire to receive incoming 256 session signaling at different ingress SBEs based upon the 257 originator. The solution described in [RFC3263] and based on DNS 258 to advertise SBEs is therefore under-specified for this 259 requirement. 260 Other DNS mechanisms have been used extensively in other areas of 261 the Internet, in particular in Content Distribution 262 Internetworking to make the DNS responses vary based on the 263 originator of the DNS query (see [RFC3466], [RFC3568] and 264 [RFC3570]). The applicability of such solutions needs for session 265 peering needs further analysis. 266 Finally, other techniques such as Anycast services ([RFC4786]) may 267 be employed at lower layers than Layer 5 to provide a solution to 268 this requirement. For example, anycast nodes could be defined by 269 SIP service providers to expose a common address for SBEs into 270 DNS, allowing the resolution of the anycast node address to the 271 appropriate peer-dependent service address based on the routing 272 topology or other criteria gathered from the combined use of 273 anycast and DNS techniques. 275 Notes on variability of the SBE advertisements based on the media 276 capabilities: 277 Some SSPs may have some restrictions on the type of media traffic 278 their SBEs can accept. For SIP sessions however, it is not 279 possible to communicate those restrictions in advance of the 280 session initiation: a SIP target may support voice-only media, 281 voice and video, or voice and instant messaging communications. 282 While the inability to find out whether a particular type of SIP 283 session can be terminated by a certain SBE can cause failed 284 session establishment attempts, there is consensus to not add a 285 new requirement in this document. These aspects are essentially 286 covered by SSPs when discussing traffic exchange policies and are 287 deemed out of scope of this document. 289 In the use cases provided as part of direct and indirect peering 290 scenarios, an SSP deals with multiple SIP entities and multiple SBEs 291 in its own domain. There is often a many-to-many relationship 292 between the SIP Proxies considered inside the trusted network 293 boundary of the SSP and its Signaling path Border Elements at the 294 network boundaries. 295 It should be possible for an SSP to define which egress SBE a SIP 296 entity must use based on a given peer destination. 297 For example, in the case of an indirect peering scenario (section 5. 298 of [I-D.ietf-speermint-voip-consolidated-usecases]), it should be 299 possible for the SIP proxy in the originating network (O-Proxy) to 300 select the appropriate egress SBE (O-SBE) to reach the SIP target 301 based on the information the proxy receives from the Lookup Function 302 (O-LUF) and/or Location Routing Function (O-LRF) - message response 303 labeled (2). Note that this example also applies to the case of 304 Direct Peering when a service provider has multiple service areas and 305 each service area involves multiple SIP Proxies and a few SBEs. 307 o Requirement #5: 308 The mechanisms recommended for the Look-Up Function (LUF) and the 309 Location Routing Functions (LRF) MUST be capable of returning both 310 a target URI destination and a value providing the next SIP 311 hop(s). 313 Notes: solutions may exist depending on the choice of the protocol 314 used between the Proxy and its LUF/LRF. The idea is for the 315 O-Proxy to be provided with the next SIP hop and the equivalent of 316 one or more SIP Route header values. If ENUM is used as a 317 protocol for the LUF, the solution space is undefined. 319 It is desirable for an SSP to be able to communicate how 320 authentication of a peer's SBEs will occur (see the security 321 requirements for more details). 323 o Requirement #6: 324 The mechanisms recommended for locating a peer's SBE MUST be able 325 to convey how a peer should initiate secure session establishment. 327 Notes: some mechanisms exist. For example, the required protocol 328 use of SIP over TLS may be discovered via [RFC3263] and guidelines 329 concerning the use of the SIPS URI scheme in SIP have been 330 documented in [RFC5630]. 332 3.3. Session Establishment Data 334 The Session Establishment Data (SED) is defined in [RFC5486] as the 335 data used to route a call to the next hop associated with the called 336 domain's ingress point. The following paragraphs capture some 337 general requirements on the SED data. 339 3.3.1. User Identities and SIP URIs 341 User identities used between peers can be represented in many 342 different formats. Session Establishment Data should rely on URIs 343 (Uniform Resource Identifiers, [RFC3986]) and SIP URIs should be 344 preferred over tel URIs ([RFC3966]) for session peering of VoIP 345 traffic. 346 The use of DNS domain names and hostnames is recommended in SIP URIs 347 and they should be resolvable on the public Internet. As for the 348 user part of the SIP URIs, the mechanisms for session peering should 349 not require an SSP to be aware of which individual user identities 350 are valid within its peer's domain. 352 o Requirement #7: 353 The protocols used for session peering MUST accommodate the use of 354 different types of URIs. URIs with the same domain-part SHOULD 355 share the same set of peering policies, thus the domain of the SIP 356 URI may be used as the primary key to any information regarding 357 the reachability of that SIP URI. The host part of SIP URIs 358 SHOULD contain a fully-qualified domain name instead of a numeric 359 IPv4 or IPv6 address. 361 o Requirement #8: 362 The mechanisms for session peering should not require an SSP to be 363 aware of which individual user identities are valid within its 364 peer's domain. 366 o Notes on the solution space for #7 and #8: 367 This is generally well supported by IETF protocols. When 368 telephone numbers are in tel URIs, SIP requests cannot be routed 369 in accordance with the traditional DNS resolution procedures 370 standardized for SIP as indicated in [RFC3824]. This means that 371 the solutions built for session peering must not solely use PSTN 372 identifiers such as Service Provider IDs (SPIDs) or Trunk Group 373 IDs (they should not be precluded but solutions should not be 374 limited to these). 375 Motivations: 377 Although SED data may be based on E.164-based SIP URIs for voice 378 interconnects, a generic peering methodology should not rely on 379 such E.164 numbers. 381 3.3.2. URI Reachability 383 Based on a well-known URI type (for e.g. sip:, pres:, or im: URIs), 384 it must be possible to determine whether the SSP domain servicing the 385 URI allows for session peering, and if it does, it should be possible 386 to locate and retrieve the domain's policy and SBE entities. 387 For example, an originating service provider must be able to 388 determine whether a SIP URI is open for direct interconnection 389 without requiring an SBE to initiate a SIP request. Furthermore, 390 since each call setup implies the execution of any proposed 391 algorithm, the establishment of a SIP session via peering should 392 incur minimal overhead and delay, and employ caching wherever 393 possible to avoid extra protocol round trips. 395 o Requirement #9: 396 The mechanisms for session peering MUST allow an SBE to locate its 397 peer SBE given a URI type and the target SSP domain name. 399 4. Requirements for Session Peering of Presence and Instant Messaging 401 This section describes requirements for presence and instant 402 messaging session peering. Several use cases for presence and 403 instant messaging peering are described in [RFC5344], a document 404 authored by A. Houri, E. Aoki and S. Parameswar. Credits for the 405 original content captured in this section must go to them. 407 o Requirement #10: 408 The mechanisms recommended for the exchange of presence 409 information between SSPs SHOULD allow a user of one presence 410 community to send a presence subscription request to presentities 411 served by another SSP via its local community, including 412 subscriptions to a single presentity, a personal, public or ad-hoc 413 group list of presentities. 415 Notes: see section 2.2 of [RFC5344]. 417 o Requirement #11: 418 The mechanisms recommended for Instant Messaging exchanges between 419 SSPs SHOULD allow a user of one SSP's community to communicate 420 with users of the other SSP community via their local community 421 using the various methods. Note that some SSPs may exercise some 422 control over which methods are allowed based on service policies. 423 Such methods include sending a one-time IM message, initiating a 424 SIP session for transporting sessions of messages, participating 425 in n-way chats using chat rooms with users from the peer SSPs, 426 etc. 428 Notes: see section 2.6 of [RFC5344]. 430 o Requirement #12: Privacy Sharing 431 In some presence communities, users can define the list of 432 watchers that receive presence notifications for a given 433 presentity. Such privacy settings for watcher notifications per 434 presentity are typically not shared across SSPs causing multiple 435 notifications to be sent for one presentity change between SSPs. 436 The sharing of those privacy settings per presentity between SSPs 437 would allow fewer notifications: a single notification would be 438 sent per presentity and the terminating SSP would send 439 notifications to the appropriate watchers according to the 440 presentity's privacy information. 441 The mechanisms recommended for Presence information exchanges 442 between SSPs SHOULD allow the sharing of some user privacy 443 settings in order for users to convey the list of watchers that 444 can receive notification of presence information changes on a per 445 presentity basis. 446 The privacy sharing mechanism must be done with the express 447 consent of the user whose privacy settings will be shared with to 448 the other community. Because of the privacy-sensitive information 449 exchanged between SSPs, the protocols used for the exchange of 450 presence information must follow the security recommendations 451 defined in section 6 of [RFC3863]. 453 Notes: see section 2.3 of [RFC5344]. 455 o Requirement #13: Multiple Watchers 456 It should be possible to send a presence document with a list of 457 watchers on the other community that should receive the presence 458 document notification. This will enable sending less presence 459 document notifications between the communities while avoiding the 460 need to share privacy information of presentities from one 461 community to the other. 462 The systems used to exchange presence documents between SSPs 463 SHOULD allow more than one watchers to be passed with a presence 464 document. 466 o Requirement #14: Standard PIDF Documents and Mappings 467 Early deployments of SIP-based presence and Instant Messaging 468 gateways have been done in front of legacy proprietary systems 469 that use different naming schemes or name values for the elements 470 and properties defined in a Presence Information Data Format 471 (PIDF) document ([RFC3863]). For example the value "Do Not 472 Disturb" in one presence service may be mapped to "Busy" in 473 another system for the status element. Beyond this example of 474 status values, it is important to ensure that the meaning of the 475 presence information is preserved between SSPs. 476 The systems used to exchange presence documents between SSPs 477 SHOULD use standard PIDF documents and translate any non-standard 478 value of a PIDF element to a standard one. 480 5. Security Considerations 482 This section describes the security properties that are desirable for 483 the protocol exchanges in scope of session peering. Three types of 484 information flows are described in the architecture and use case 485 documents: the acquisition of the Session Establishment Data (SED) 486 based on a destination target via the Lookup and Location Routing 487 Functions (LUF and LRF), the SIP signaling between SIP Service 488 Providers, and the associated media exchanges. 490 This section is focused on three security services, authentication, 491 data confidentiality and data integrity as summarized in [RFC3365]. 492 However, this text does not specify the mandatory-to-implement 493 security mechanisms as required by [RFC3365]; this is left for future 494 protocol solutions that meet the requirements. 496 A security threat analysis provides additional guidance for session 497 peering ([I-D.niccolini-speermint-voipthreats]). 499 5.1. Security Properties for the Acquisition of Session Establishment 500 Data 502 The Look-Up Function (LUF) and Location Routing Function (LRF) are 503 defined in [RFC5486]. They provide mechanisms for determining the 504 SIP target address and domain the request should be sent to, and the 505 associated SED to route the request to that domain. 507 o Requirement #15: 508 The protocols used to query the Lookup and Location Routing 509 Functions SHOULD support mutual authentication. 511 Motivations: 512 A mutual authentication service should be provided for the LUF and 513 LRF protocol exchanges. The content of the response returned by 514 the LUF and LRF may depend on the identity of the requestor: the 515 authentication of the LUF & LRF requests is therefore a desirable 516 property. Mutual authentication is also desirable: the requestor 517 may verify the identity of the systems that provided the LUF & LRF 518 responses given the nature of the data returned in those 519 responses. Authentication also provides some protection for the 520 availability of the LUF and LRF against attackers that would 521 attempt to launch DoS attacks by sending bogus requests causing 522 the LUF to perform a lookup and consume resources. 524 o Requirement #16: 525 The protocols used to query the Lookup and Location Routing 526 Functions SHOULD provide support for data confidentiality and 527 integrity. 529 Motivations: 530 Given the sensitive nature of the session establishment data 531 exchanged with the LUF and LRF functions, the protocol mechanisms 532 chosen for the lookup and location routing should offer data 533 confidentiality and integrity protection (SED data may contain 534 user addresses, SIP URI, location of SIP entities at the 535 boundaries of SIP Service Provider domains, etc.). 537 o Notes on the solution space for Requirements #15 and #16: ENUM, 538 SIP and proprietary protocols are typically used today for 539 accessing these functions. Even though SSPs may use lower layer 540 security mechanisms to guarantee some of those security 541 properties, candidate protocols for the LUF and LRF should meet 542 the above requirements. 544 5.2. Security Properties for the SIP signaling exchanges 546 The SIP signaling exchanges are out of scope of this document. This 547 section describes some of the security properties that are desirable 548 in the context of SIP interconnects between SSPs without formulating 549 any normative requirements. 551 In general, the security properties desirable for the SIP exchanges 552 in an inter-domain context apply to session peering. These include: 554 o securing the transport of SIP messages between the peers' SBEs. 555 Authentication of SIP communications is desirable, especially in 556 the context of session peering involving SIP intermediaries. Data 557 confidentiality and integrity of the SIP message body may be 558 desirable as well given some of the levels of session peering 559 indirection (indirect/assisted peering), but they could be harmful 560 as they may prevent intermediary SSPs from "inserting" SBEs/DBEs 561 along the signaling and data paths. 563 o providing an Authentication Service to authenticate the identity 564 of connected users based on the SIP Service Provider domains (for 565 both the SIP requests and the responses). 567 The fundamental mechanisms for securing SIP between proxy servers 568 intra- and inter-domain are applicable to session peering; refer to 569 Section 26.2 of [RFC3261] for transport-layer security of SIP 570 messages using TLS, [I-D.ietf-sip-connect-reuse] for establishing TLS 571 connections between proxies, [RFC4474] for the protocol mechanisms to 572 verify the identity of the senders of SIP requests in an inter-domain 573 context, and [RFC4916] for verifying the identity of the sender of 574 SIP responses). 576 5.3. End-to-End Media Security 578 Media security is critical to guarantee end-to-end confidentiality of 579 the communication between the end-users' devices, independently of 580 how many direct or indirect peers are present along the signaling 581 path. A number of desirable security properties emerge from this 582 goal. 584 The establishment of media security may be achieved along the media 585 path and not over the signaling path given the indirect peering use 586 cases. 587 For example, media carried over the Real-Time Protocol (RTP) can be 588 secured using secure RTP (SRTP [RFC3711]). A framework for 589 establishing SRTP security using Datagram TLS [RFC4347] is described 590 in [I-D.ietf-sip-dtls-srtp-framework]: it allows for end-to-end media 591 security establishment using extensions to DTLS 592 ([I-D.ietf-avt-dtls-srtp]). 593 It should also be noted that media can be carried in numerous 594 protocols other than RTP such as SIP (SIP MESSAGE method), MSRP (the 595 Message Session Relay Protocol, [RFC4975], XMPP (the Extensible 596 Messaging and Presence Protocol, [RFC3920]) and many others. Media 597 may also be carried over TCP ([RFC4571]), and it can be encrypted 598 over secure connection-oriented transport sessions over TLS 599 ([RFC4572]). 601 A desirable security property for session peering is for SIP entities 602 to be transparent to the end-to-end media security negotiations: SIP 603 entities should not intervene in the Session Description Protocol 604 (SDP) exchanges for end-to-end media security. 606 o Requirement #17: 607 The protocols used to enable session peering MUST NOT interfere 608 with the exchanges of media security attributes in SDP. Media 609 attribute lines that are not understood by SBEs MUST be ignored 610 and passed along the signaling path untouched. 612 6. Acknowledgments 614 This document is based on the input and contributions made by a large 615 number of people including: Bernard Aboba, Edwin Aoki, Scott Brim, 616 John Elwell, Mike Hammer, Avshalom Houri, Richard Shocky, Henry 617 Sinnreich, Richard Stastny, Patrik Faltstrom, Otmar Lendl, Daryl 618 Malas, Dave Meyer, Sriram Parameswar, Jon Peterson, Jason Livingood, 619 Bob Natale, Benny Rodrig, Brian Rosen, Eric Rosenfeld, Peter Saint- 620 Andre, David Schwartz and Adam Uzelac. 622 Specials thanks go to Rohan Mahy, Brian Rosen, John Elwell for their 623 initial drafts describing guidelines or best current practices in 624 various environments, to Avshalom Houri, Edwin Aoki and Sriram 625 Parameswar for authoring the presence and instant messaging 626 requirements and to Dan Wing for providing detailed feedback on the 627 security consideration sections. 629 7. IANA Considerations 631 This document does not register any values in IANA registries. 633 8. References 635 8.1. Normative References 637 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 638 Requirement Levels", BCP 14, RFC 2119, March 1997. 640 8.2. Informative References 642 [I-D.ietf-avt-dtls-srtp] 643 McGrew, D. and E. Rescorla, "Datagram Transport Layer 644 Security (DTLS) Extension to Establish Keys for Secure 645 Real-time Transport Protocol (SRTP)", 646 draft-ietf-avt-dtls-srtp-07 (work in progress), 647 February 2009. 649 [I-D.ietf-pmol-sip-perf-metrics] 650 Malas, D. and A. Morton, "SIP End-to-End Performance 651 Metrics", draft-ietf-pmol-sip-perf-metrics-04 (work in 652 progress), September 2009. 654 [I-D.ietf-sip-connect-reuse] 655 Gurbani, V., Mahy, R., and B. Tate, "Connection Reuse in 656 the Session Initiation Protocol (SIP)", 657 draft-ietf-sip-connect-reuse-14 (work in progress), 658 August 2009. 660 [I-D.ietf-sip-dtls-srtp-framework] 661 Fischl, J., Tschofenig, H., and E. Rescorla, "Framework 662 for Establishing an SRTP Security Context using DTLS", 663 draft-ietf-sip-dtls-srtp-framework-07 (work in progress), 664 March 2009. 666 [I-D.ietf-speermint-architecture] 667 Penno, R. and S. Khan, "SPEERMINT Peering Architecture", 668 draft-ietf-speermint-architecture-08 (work in progress), 669 March 2009. 671 [I-D.ietf-speermint-voip-consolidated-usecases] 672 Uzelac, A. and Y. Lee, "VoIP SIP Peering Use Cases", 673 draft-ietf-speermint-voip-consolidated-usecases-14 (work 674 in progress), August 2009. 676 [I-D.niccolini-speermint-voipthreats] 677 Niccolini, S., Chen, E., Seedorf, J., and H. Scholz, 678 "SPEERMINT Security Threats and Suggested 679 Countermeasures", draft-niccolini-speermint-voipthreats-05 680 (work in progress), October 2008. 682 [RFC2198] Perkins, C., Kouvelas, I., Hodson, O., Hardman, V., 683 Handley, M., Bolot, J., Vega-Garcia, A., and S. Fosse- 684 Parisis, "RTP Payload for Redundant Audio Data", RFC 2198, 685 September 1997. 687 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 688 A., Peterson, J., Sparks, R., Handley, M., and E. 689 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 690 June 2002. 692 [RFC3263] Rosenberg, J. and H. Schulzrinne, "Session Initiation 693 Protocol (SIP): Locating SIP Servers", RFC 3263, 694 June 2002. 696 [RFC3365] Schiller, J., "Strong Security Requirements for Internet 697 Engineering Task Force Standard Protocols", BCP 61, 698 RFC 3365, August 2002. 700 [RFC3455] Garcia-Martin, M., Henrikson, E., and D. Mills, "Private 701 Header (P-Header) Extensions to the Session Initiation 702 Protocol (SIP) for the 3rd-Generation Partnership Project 703 (3GPP)", RFC 3455, January 2003. 705 [RFC3466] Day, M., Cain, B., Tomlinson, G., and P. Rzewski, "A Model 706 for Content Internetworking (CDI)", RFC 3466, 707 February 2003. 709 [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. 710 Jacobson, "RTP: A Transport Protocol for Real-Time 711 Applications", STD 64, RFC 3550, July 2003. 713 [RFC3568] Barbir, A., Cain, B., Nair, R., and O. Spatscheck, "Known 714 Content Network (CN) Request-Routing Mechanisms", 715 RFC 3568, July 2003. 717 [RFC3570] Rzewski, P., Day, M., and D. Gilletti, "Content 718 Internetworking (CDI) Scenarios", RFC 3570, July 2003. 720 [RFC3611] Friedman, T., Caceres, R., and A. Clark, "RTP Control 721 Protocol Extended Reports (RTCP XR)", RFC 3611, 722 November 2003. 724 [RFC3702] Loughney, J. and G. Camarillo, "Authentication, 725 Authorization, and Accounting Requirements for the Session 726 Initiation Protocol (SIP)", RFC 3702, February 2004. 728 [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. 729 Norrman, "The Secure Real-time Transport Protocol (SRTP)", 730 RFC 3711, March 2004. 732 [RFC3824] Peterson, J., Liu, H., Yu, J., and B. Campbell, "Using 733 E.164 numbers with the Session Initiation Protocol (SIP)", 734 RFC 3824, June 2004. 736 [RFC3863] Sugano, H., Fujimoto, S., Klyne, G., Bateman, A., Carr, 737 W., and J. Peterson, "Presence Information Data Format 738 (PIDF)", RFC 3863, August 2004. 740 [RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence 741 Protocol (XMPP): Core", RFC 3920, October 2004. 743 [RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", 744 RFC 3966, December 2004. 746 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 747 Resource Identifier (URI): Generic Syntax", STD 66, 748 RFC 3986, January 2005. 750 [RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 751 Security", RFC 4347, April 2006. 753 [RFC4474] Peterson, J. and C. Jennings, "Enhancements for 754 Authenticated Identity Management in the Session 755 Initiation Protocol (SIP)", RFC 4474, August 2006. 757 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 758 Description Protocol", RFC 4566, July 2006. 760 [RFC4571] Lazzaro, J., "Framing Real-time Transport Protocol (RTP) 761 and RTP Control Protocol (RTCP) Packets over Connection- 762 Oriented Transport", RFC 4571, July 2006. 764 [RFC4572] Lennox, J., "Connection-Oriented Media Transport over the 765 Transport Layer Security (TLS) Protocol in the Session 766 Description Protocol (SDP)", RFC 4572, July 2006. 768 [RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast 769 Services", BCP 126, RFC 4786, December 2006. 771 [RFC4916] Elwell, J., "Connected Identity in the Session Initiation 772 Protocol (SIP)", RFC 4916, June 2007. 774 [RFC4975] Campbell, B., Mahy, R., and C. Jennings, "The Message 775 Session Relay Protocol (MSRP)", RFC 4975, September 2007. 777 [RFC5344] Houri, A., Aoki, E., and S. Parameswar, "Presence and 778 Instant Messaging Peering Use Cases", RFC 5344, 779 October 2008. 781 [RFC5411] Rosenberg, J., "A Hitchhiker's Guide to the Session 782 Initiation Protocol (SIP)", RFC 5411, February 2009. 784 [RFC5486] Malas, D. and D. Meyer, "Session Peering for Multimedia 785 Interconnect (SPEERMINT) Terminology", RFC 5486, 786 March 2009. 788 [RFC5503] Andreasen, F., McKibben, B., and B. Marshall, "Private 789 Session Initiation Protocol (SIP) Proxy-to-Proxy 790 Extensions for Supporting the PacketCable Distributed Call 791 Signaling Architecture", RFC 5503, March 2009. 793 [RFC5630] Audet, F., "The Use of the SIPS URI Scheme in the Session 794 Initiation Protocol (SIP)", RFC 5630, October 2009. 796 Appendix A. Policy Parameters for Session Peering 798 This informative section lists various types of parameters that 799 should be considered by implementers when deciding what configuration 800 variables to expose to system administrators or management stations, 801 as well as SSPs or federations of SSPs when discussing the technical 802 part of a session peering policy. 804 In the context of session peering, a policy can be defined as the set 805 of parameters and other information needed by an SSP to exchange 806 traffic with another peer. Some of the session policy parameters may 807 be statically exchanged and set throughout the lifetime of the 808 peering relationship. Others parameters may be discovered and 809 updated dynamically using by some explicit protocol mechanisms. 810 These dynamic parameters may be session-dependent, or the may apply 811 over multiple sessions or peers. 813 Various types of policy information may need to be discovered or 814 exchanged in order to establish session peering. At a minimum, a 815 policy should specify information related to session establishment 816 data in order to avoid session establishment failures. A policy may 817 also include information related to QoS, billing and accounting, 818 layer-3 related interconnect requirements which are out of the scope 819 of this document. 821 Some aspects of session peering policies must be agreed to and 822 manually implemented; they are static and are typically documented as 823 part of a business contract, technical document or agreement between 824 parties. For some parameters linked to protocol support and 825 capabilities, standard ways of expressing those policy parameters may 826 be defined among SSP and exchanged dynamically. For e.g., templates 827 could be created in various document formats so that it could be 828 possible to dynamically discover some of the domain policy. Such 829 templates could be initiated by implementers (for each software/ 830 hardware release, a list of supported RFCs, RFC parameters is 831 provided in a standard format) and then adapted by each SSP based on 832 its service description, server or device configurations and variable 833 based on peer relationships. 835 A.1. Categories of Parameters for VoIP Session Peering and 836 Justifications 838 The following list should be considered as an initial list of 839 "discussion topics" to be addressed by peers when initiating a VoIP 840 peering relationship. 842 o IP Network Connectivity: 843 Session peers should define how the IP network connectivity 844 between their respective SBEs and DBEs. While this is out of 845 scope of session peering, SSPs must agree on a common mechanism 846 for IP transport of session signaling and media. This may be 847 accomplish via private (e.g. IPVPN, IPsec, etc.) or public IP 848 networks. 850 o Media-related Parameters: 852 * Media Codecs: list of supported media codecs for audio, real- 853 time fax (version of T.38, if applicable), real-time text (RFC 854 4103), DTMF transport, voice band data communications (as 855 applicable) along with the supported or recommended codec 856 packetization rates, level of RTP payload redundancy, audio 857 volume levels, etc. 859 * Media Transport: level of support for RTP-RTCP [RFC3550], RTP 860 Redundancy (RTP Payload for Redundant Audio Data - [RFC2198]) , 861 T.38 transport over RTP, etc. 863 * Media variability at the Signaling path Border Elements: list 864 of media types supported by the various ingress points of a 865 peer's network. 867 * Other: support of the VoIP metric block as defined in RTP 868 Control Protocol Extended Reports [RFC3611] , etc. 870 o SIP: 872 * A session peering policy should include the list of supported 873 and required SIP RFCs, supported and required SIP methods 874 (including private p headers if applicable), error response 875 codes, supported or recommended format of some header field 876 values , etc. 878 * It should also be possible to describe the list of supported 879 SIP RFCs by various functional groupings. A group of SIP RFCs 880 may represent how a call feature is implemented (call hold, 881 transfer, conferencing, etc.), or it may indicate a functional 882 grouping as in [RFC5411]. 884 o Accounting: 885 Methods used for call or session accounting should be specified. 886 An SSP may require a peer to track session usage. It is critical 887 for peers to determine whether the support of any SIP extensions 888 for accounting is a pre-requisite for SIP interoperability. In 889 some cases, call accounting may feed data for billing purposes but 890 not always: some operators may decide to use accounting as a 'bill 891 and keep' model to track session usage and monitor usage against 892 service level agreements. 893 [RFC3702] defines the terminology and basic requirements for 894 accounting of SIP sessions. A few private SIP extensions have 895 also been defined and used over the years to enable call 896 accounting between SSP domains such as the P-Charging* headers in 897 [RFC3455], the P-DCS-Billing-Info header in [RFC5503], etc. 899 o Performance Metrics: 900 Layer-5 performance metrics should be defined and shared between 901 peers. The performance metrics apply directly to signaling or 902 media; they may be used pro-actively to help avoid congestion, 903 call quality issues or call signaling failures, and as part of 904 monitoring techniques, they can be used to evaluate the 905 performance of peering exchanges. 906 Examples of SIP performance metrics include the maximum number of 907 SIP transactions per second on per domain basis, Session 908 Completion Rate (SCR), Session Establishment Rate (SER), etc. 909 Some SIP end-to-end performance metrics are defined in 910 [I-D.ietf-pmol-sip-perf-metrics]; a subset of these may be 911 applicable to session peering and interconnects. 912 Some media-related metrics for monitoring VoIP calls have been 913 defined in the VoIP Metrics Report Block, in Section 4.7 of 914 [RFC3611]. 916 o Security: 917 An SSP should describe the security requirements that other peers 918 must meet in order to terminate calls to its network. While such 919 a list of security-related policy parameters often depends on the 920 security models pre-agreed to by peers, it is expected that these 921 parameters will be discoverable or signaled in the future to allow 922 session peering outside SSP clubs. The list of security 923 parameters may be long and composed of high-level requirements 924 (e.g. authentication, privacy, secure transport) and low level 925 protocol configuration elements like TLS parameters. 926 The following list is not intended to be complete, it provides a 927 preliminary list in the form of examples: 929 * Call admission requirements: for some providers, sessions can 930 only be admitted if certain criteria are met. For example, for 931 some providers' networks, only incoming SIP sessions signaled 932 over established IPsec tunnels or presented to the well-known 933 TLS ports are admitted. Other call admission requirements may 934 be related to some performance metrics as described above. 935 Finally, it is possible that some requirements be imposed on 936 lower layers, but these are considered out of scope of session 937 peering. 939 * Call authorization requirements and validation: the presence of 940 a caller or user identity may be required by an SSP. Indeed, 941 some SSPs may further authorize an incoming session request by 942 validating the caller's identity against white/black lists 943 maintained by the service provider or users (traditional caller 944 ID screening applications or IM white list). 946 * Privacy requirements: an SSP may demand that its SIP messages 947 be securely transported by its peers for privacy reasons so 948 that the calling/called party information be protected. Media 949 sessions may also require privacy and some SSP policies may 950 include requirements on the use of secure media transport 951 protocols such as SRTP, along with some constraints on the 952 minimum authentication/encryption options for use in SRTP. 954 * Network-layer security parameters: this covers how IPsec 955 security associated may be established, the IPsec key exchange 956 mechanisms to be used and any keying materials, the lifetime of 957 timed Security Associated if applicable, etc. 959 * Transport-layer security parameters: this covers how TLS 960 connections should be established as described in Section 961 Section 5. 963 A.2. Summary of Parameters for Consideration in Session Peering 964 Policies 966 The following is a summary of the parameters mentioned in the 967 previous section. They may be part of a session peering policy and 968 appear with a level of requirement (mandatory, recommended, 969 supported, ...). 971 o IP Network Connectivity (assumed, requirements out of scope of 972 this document) 974 o Media session parameters: 976 * Codecs for audio, video, real time text, instant messaging 977 media sessions 979 * Modes of communications for audio (voice, fax, DTMF), IM (page 980 mode, MSRP) 982 * Media transport and means to establish secure media sessions 984 * List of ingress and egress DBEs where applicable, including 985 STUN Relay servers if present 987 o SIP 989 * SIP RFCs, methods and error responses 991 * headers and header values 993 * possibly, list of SIP RFCs supported by groups (e.g. by call 994 feature) 996 o Accounting 998 o Capacity Control and Performance Management: any limits on, or, 999 means to measure and limit the maximum number of active calls to a 1000 peer or federation, maximum number of sessions and messages per 1001 specified unit time, maximum number of active users or subscribers 1002 per specified unit time, the aggregate media bandwidth per peer or 1003 for the federation, specified SIP signaling performance metrics to 1004 measure and report; media-level VoIP metrics if applicable. 1006 o Security: Call admission control, call authorization, network and 1007 transport layer security parameters, media security parameters 1009 Author's Address 1011 Jean-Francois Mule 1012 CableLabs 1013 858 Coal Creek Circle 1014 Louisville, CO 80027 1015 USA 1017 Email: jf.mule@cablelabs.com