idnits 2.17.1 draft-ietf-speermint-requirements-10.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (October 25, 2010) is 4933 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-19) exists of draft-ietf-speermint-architecture-12 == Outdated reference: A later version (-19) exists of draft-ietf-speermint-voip-consolidated-usecases-18 == Outdated reference: A later version (-09) exists of draft-ietf-speermint-voipthreats-05 -- Obsolete informational reference (is this intentional?): RFC 3455 (Obsoleted by RFC 7315) -- Obsolete informational reference (is this intentional?): RFC 3466 (Obsoleted by RFC 7336) -- Obsolete informational reference (is this intentional?): RFC 3570 (Obsoleted by RFC 6770) -- Obsolete informational reference (is this intentional?): RFC 3920 (Obsoleted by RFC 6120) -- Obsolete informational reference (is this intentional?): RFC 4347 (Obsoleted by RFC 6347) -- Obsolete informational reference (is this intentional?): RFC 4474 (Obsoleted by RFC 8224) -- Obsolete informational reference (is this intentional?): RFC 4566 (Obsoleted by RFC 8866) -- Obsolete informational reference (is this intentional?): RFC 4572 (Obsoleted by RFC 8122) Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 10 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 SPEERMINT Working Group J-F. Mule 3 Internet-Draft CableLabs 4 Intended status: Informational October 25, 2010 5 Expires: April 28, 2011 7 Requirements for SIP-based Session Peering 8 draft-ietf-speermint-requirements-10.txt 10 Abstract 12 This memo captures protocol requirements to enable session peering of 13 voice, presence, instant messaging and other types of multimedia 14 traffic. This informational document is intended to link the various 15 use cases described for session peering to protocol solutions. 17 Status of this Memo 19 This Internet-Draft is submitted in full conformance with the 20 provisions of BCP 78 and BCP 79. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF). Note that other groups may also distribute 24 working documents as Internet-Drafts. The list of current Internet- 25 Drafts is at http://datatracker.ietf.org/drafts/current/. 27 Internet-Drafts are draft documents valid for a maximum of six months 28 and may be updated, replaced, or obsoleted by other documents at any 29 time. It is inappropriate to use Internet-Drafts as reference 30 material or to cite them other than as "work in progress." 32 This Internet-Draft will expire on April 28, 2011. 34 Copyright Notice 36 Copyright (c) 2010 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents 41 (http://trustee.ietf.org/license-info) in effect on the date of 42 publication of this document. Please review these documents 43 carefully, as they describe your rights and restrictions with respect 44 to this document. Code Components extracted from this document must 45 include Simplified BSD License text as described in Section 4.e of 46 the Trust Legal Provisions and are provided without warranty as 47 described in the Simplified BSD License. 49 Table of Contents 51 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 52 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 53 3. General Requirements . . . . . . . . . . . . . . . . . . . . . 5 54 3.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 5 55 3.2. Border Elements . . . . . . . . . . . . . . . . . . . . . 5 56 3.3. Session Establishment Data . . . . . . . . . . . . . . . . 9 57 3.3.1. User Identities and SIP URIs . . . . . . . . . . . . . 9 58 3.3.2. URI Reachability . . . . . . . . . . . . . . . . . . . 10 59 4. Requirements for Session Peering of Presence and Instant 60 Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . 11 61 5. Security Considerations . . . . . . . . . . . . . . . . . . . 13 62 5.1. Security Properties for the Acquisition of Session 63 Establishment Data . . . . . . . . . . . . . . . . . . . . 13 64 5.2. Security Properties for the SIP signaling exchanges . . . 14 65 5.3. End-to-End Media Security . . . . . . . . . . . . . . . . 15 66 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 67 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 68 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 69 8.1. Normative References . . . . . . . . . . . . . . . . . . . 18 70 8.2. Informative References . . . . . . . . . . . . . . . . . . 18 71 Appendix A. Policy Parameters for Session Peering . . . . . . . . 22 72 A.1. Categories of Parameters for VoIP Session Peering and 73 Justifications . . . . . . . . . . . . . . . . . . . . . . 22 74 A.2. Summary of Parameters for Consideration in Session 75 Peering Policies . . . . . . . . . . . . . . . . . . . . . 25 76 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 27 78 1. Introduction 80 Peering at the session level represents an agreement between parties 81 to exchange multimedia traffic. In this document, we assume that the 82 Session Initiation Protocol (SIP) is used to establish sessions 83 between SIP Service Providers (SSPs). SIP Service Providers are 84 referred to as peers and they are typically represented by users, 85 user groups, enterprises, real-time collaboration service 86 communities, or other service providers offering voice or multimedia 87 services using SIP. 89 A number of documents have been developed to provide background 90 information about SIP session peering. It is expected that the 91 reader is familiar with the reference architecture described in 92 [I-D.ietf-speermint-architecture], use cases for voice 93 ([I-D.ietf-speermint-voip-consolidated-usecases]) and instant 94 messaging and presence ([RFC5344]). 96 Peering at the session layer can be achieved on a bilateral basis 97 (direct peering established directly between two SSPs), or on an 98 indirect basis via a session intermediary (indirect peering via a 99 third-party SSP that has a trust relationship with the SSPs) - see 100 the terminology document for more details. 102 This document first describes general requirements. The use cases 103 are then analyzed in the spirit of extracting relevant protocol 104 requirements that must be met to accomplish the use cases. These 105 requirements are intended to be independent of the type of media 106 exchanged such as Voice over IP (VoIP), video telephony, and instant 107 messaging. Requirements specific to presence and instant messaging 108 are defined in Section 4. 110 It is not the goal of this document to mandate any particular use of 111 IETF protocols other than SIP by SIP Service Providers in order to 112 establish session peering. Instead, the document highlights what 113 requirements should be met and what protocols might be used to define 114 the solution space. 116 Finally, we conclude with a list of parameters for the definition of 117 a session peering policy, provided in an informative appendix. It 118 should be considered as an example of the information SIP Service 119 Providers may have to discuss or agree on to exchange SIP traffic. 121 2. Terminology 123 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 124 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 125 document are to be interpreted as described in [RFC2119]. 127 This document also reuses the terminology defined in [RFC5486]. It 128 is assumed that the reader is familiar with the Session Description 129 Protocol (SDP) [RFC4566] and the Session Initiation Protocol (SIP) 130 [RFC3261]. Finally, when used with capital letters, the terms 131 'Authentication Service' are to be understood as defined by SIP 132 Identity [RFC4474]. 134 3. General Requirements 136 The following sub-sections contain general requirements applicable to 137 multiple use cases for multimedia session peering. 139 3.1. Scope 141 The primary focus of this document is on the requirements applicable 142 to the boundaries of Layer 5 SIP networks: SIP entities, Signaling 143 path Border Elements (SBEs), and the associated protocol requirements 144 for the look-up and location routing of the session establishment 145 data. The requirements applicable to SIP User Agents or related to 146 the provisioning of the session data are considered out of scope. 148 SIP Service Providers have to reach an agreement on numerous points 149 when establishing session peering relationships . 150 This document highlights only certain aspects of a session peering 151 agreement, mostly the requirements relevant to protocols: the 152 declaration, advertisement and management of ingress and egress 153 border elements for session signaling and media, information related 154 to the Session Establishment Data (SED), and the security properties 155 that may be desirable for secure session exchanges. 156 Numerous other considerations of session peering arrangements are 157 critical to reach a successful agreement but they are considered out 158 of scope of this document. They include information about SIP 159 protocol support (e.g. SIP extensions and field conventions), media 160 (e.g., type of media traffic to be exchanged, compatible media codecs 161 and transport protocols, mechanisms to ensure differentiated quality 162 of service for media), layer-3 IP connectivity between the Signaling 163 and Data path Border Elements, accounting and traffic capacity 164 control (e.g. the maximum number of SIP sessions at each ingress 165 point, or the maximum number of concurrent IM or VoIP sessions). 167 The informative Appendix A lists parameters that may be considered 168 when discussing the technical parameters of SIP session peering. The 169 purpose of this list is to capture the parameters that are considered 170 outside the scope of the protocol requirements. 172 3.2. Border Elements 174 For border elements to be operationally manageable, maximum 175 flexibility should be given for how they are declared or dynamically 176 advertised. Indeed, in any session peering environment, there is a 177 need for a SIP Service Provider to declare or dynamically advertise 178 the SIP entities that will face the peer's network. The data path 179 border elements are typically signaled dynamically in the session 180 description. 182 The use cases defined in 183 [I-D.ietf-speermint-voip-consolidated-usecases] catalog the various 184 border elements between SIP Service Providers; they include Signaling 185 path Border Elements (SBEs) and SIP proxies (or any SIP entity at the 186 boundary of the Layer 5 network). 188 o Requirement #1: 189 Protocol mechanisms MUST be provided to enable a SIP Service 190 Provider to communicate the ingress Signaling Path Border Elements 191 of its service domain. 193 Notes on solution space: 194 The SBEs may be advertised to session peers using static 195 mechanisms or they may be dynamically advertised. There is 196 general agreement that [RFC3263] provides a solution for 197 dynamically advertising ingress SBEs in most cases of Direct or 198 Indirect peering. We discussed the DNS-based solution space 199 further in Requirement #4 below, especially in cases where the DNS 200 response varies based on who sends the query (peer-dependent 201 SBEs). 203 o Requirement #2: 204 Protocol mechanisms MUST be provided to enable a SIP Service 205 Provider to communicate the egress SBEs of its service domain. 207 Notes on motivations for this requirement: 208 For the purposes of capacity planning, traffic engineering and 209 call admission control, a SIP Service Provider may be asked where 210 it will generate SIP calls from. The SSP accepting calls from a 211 peer may wish to know where SIP calls will originate from (this 212 information is typically used by the terminating SSP). 213 While provisioning requirements are out-of-scope, some SSPs may 214 find use for a mechanism to dynamically advertise or discover the 215 egress SBEs of a peer. 217 If the SSP also provides media streams to its users as shown in the 218 use cases for "Originating" and "Terminating" SSPs, a mechanism must 219 exist to allow SSPs to advertise their egress and ingress data path 220 border elements (DBEs), if applicable. While some SSPs may have open 221 policies and accept media traffic from anywhere outside their network 222 to anywhere inside their network, some SSPs may want to optimize 223 media delivery and identify media paths between peers prior to 224 traffic being sent (layer 5 to layer 3 QoS mapping). 226 o Requirement #3: 227 Protocol mechanisms MUST be provided to allow a SIP Service 228 Provider to communicate its DBEs to its peers. 230 Notes: Some SSPs engaged in SIP interconnects do exchange this 231 type of DBE information in a static manner. Some SSPs do not. 233 In some SIP networks, SSPs may expose the same border elements to all 234 peers. In other environments, it is common for SSPs to advertise 235 specific SBEs and DBEs to certain peers. This is done by SSPs to 236 meet specific objectives for a given peer: routing optimization of 237 the signaling and media exchanges, optimization of the latency or 238 throughput based on the 'best' SBE and DBE combination, and other 239 service provider policy parameters. These are some of the reasons 240 why advertisement of SBEs and DBEs may be peer-dependent. 242 o Requirement #4: 243 The mechanisms recommended for the declaration or advertisement of 244 SBE and DBE entities MUST allow for peer variability. 246 Notes on solution space: 247 A simple solution is to advertise SBE entities using DNS and 248 [RFC3263] by providing different DNS names to different peers. 249 This approach has some practical limitations because the SIP URIs 250 containing the DNS names used to resolve the SBEs may be 251 propagated by users, for example in the form of sip:user@domain. 252 It is impractical to ask users to use different target URIs based 253 upon their SIP service provider's desire to receive incoming 254 session signaling at different ingress SBEs based upon the 255 originator. The solution described in [RFC3263] and based on DNS 256 to advertise SBEs is therefore under-specified for this 257 requirement. 258 Other DNS mechanisms have been used extensively in other areas of 259 the Internet, in particular in Content Distribution 260 Internetworking to make the DNS responses vary based on the 261 originator of the DNS query (see [RFC3466], [RFC3568] and 262 [RFC3570]). The applicability of such solutions needs for session 263 peering needs further analysis. 264 Finally, other techniques such as Anycast services ([RFC4786]) may 265 be employed at lower layers than Layer 5 to provide a solution to 266 this requirement. For example, anycast nodes could be defined by 267 SIP service providers to expose a common address for SBEs into 268 DNS, allowing the resolution of the anycast node address to the 269 appropriate peer-dependent service address based on the routing 270 topology or other criteria gathered from the combined use of 271 anycast and DNS techniques. 273 Notes on variability of the SBE advertisements based on the media 274 capabilities: 275 Some SSPs may have some restrictions on the type of media traffic 276 their SBEs can accept. For SIP sessions however, it is not 277 possible to communicate those restrictions in advance of the 278 session initiation: a SIP target may support voice-only media, 279 voice and video, or voice and instant messaging communications. 280 While the inability to find out whether a particular type of SIP 281 session can be terminated by a certain SBE can cause failed 282 session establishment attempts, there is consensus to not add a 283 new requirement in this document. These aspects are essentially 284 covered by SSPs when discussing traffic exchange policies and are 285 deemed out of scope of this document. 287 In the use cases provided as part of direct and indirect peering 288 scenarios, an SSP deals with multiple SIP entities and multiple SBEs 289 in its own domain. There is often a many-to-many relationship 290 between the SIP Proxies considered inside the trusted network 291 boundary of the SSP and its Signaling path Border Elements at the 292 network boundaries. 293 It should be possible for an SSP to define which egress SBE a SIP 294 entity must use based on a given peer destination. 295 For example, in the case of an indirect peering scenario (section 5. 296 of [I-D.ietf-speermint-voip-consolidated-usecases]), it should be 297 possible for the SIP proxy in the originating network (O-Proxy) to 298 select the appropriate egress SBE (O-SBE) to reach the SIP target 299 based on the information the proxy receives from the Lookup Function 300 (O-LUF) and/or Location Routing Function (O-LRF) - message response 301 labeled (2). Note that this example also applies to the case of 302 Direct Peering when a service provider has multiple service areas and 303 each service area involves multiple SIP Proxies and a few SBEs. 305 o Requirement #5: 306 The mechanisms recommended for the Look-Up Function (LUF) and the 307 Location Routing Functions (LRF) MUST be capable of returning both 308 a target URI destination and a value providing the next SIP 309 hop(s). 311 Notes: solutions may exist depending on the choice of the protocol 312 used between the Proxy and its LUF/LRF. The idea is for the 313 O-Proxy to be provided with the next SIP hop and the equivalent of 314 one or more SIP Route header values. If ENUM is used as a 315 protocol for the LUF, the solution space is undefined. 317 It is desirable for an SSP to be able to communicate how 318 authentication of a peer's SBEs will occur (see the security 319 requirements for more details). 321 o Requirement #6: 322 The mechanisms recommended for locating a peer's SBE MUST be able 323 to convey how a peer should initiate secure session establishment. 325 Notes: some mechanisms exist. For example, the required protocol 326 use of SIP over TLS may be discovered via [RFC3263] and guidelines 327 concerning the use of the SIPS URI scheme in SIP have been 328 documented in [RFC5630]. 330 3.3. Session Establishment Data 332 The Session Establishment Data (SED) is defined in [RFC5486] as the 333 data used to route a call to the next hop associated with the called 334 domain's ingress point. The following paragraphs capture some 335 general requirements on the SED data. 337 3.3.1. User Identities and SIP URIs 339 User identities used between peers can be represented in many 340 different formats. Session Establishment Data should rely on URIs 341 (Uniform Resource Identifiers, [RFC3986]) and SIP URIs should be 342 preferred over tel URIs ([RFC3966]) for session peering of VoIP 343 traffic. 344 The use of DNS domain names and hostnames is recommended in SIP URIs 345 and they should be resolvable on the public Internet. As for the 346 user part of the SIP URIs, the mechanisms for session peering should 347 not require an SSP to be aware of which individual user identities 348 are valid within its peer's domain. 350 o Requirement #7: 351 The protocols used for session peering MUST accommodate the use of 352 different types of URIs. URIs with the same domain-part SHOULD 353 share the same set of peering policies, thus the domain of the SIP 354 URI may be used as the primary key to any information regarding 355 the reachability of that SIP URI. The host part of SIP URIs 356 SHOULD contain a fully-qualified domain name instead of a numeric 357 IPv4 or IPv6 address. 359 o Requirement #8: 360 The mechanisms for session peering should not require an SSP to be 361 aware of which individual user identities are valid within its 362 peer's domain. 364 o Notes on the solution space for #7 and #8: 365 This is generally well supported by IETF protocols. When 366 telephone numbers are in tel URIs, SIP requests cannot be routed 367 in accordance with the traditional DNS resolution procedures 368 standardized for SIP as indicated in [RFC3824]. This means that 369 the solutions built for session peering must not solely use PSTN 370 identifiers such as Service Provider IDs (SPIDs) or Trunk Group 371 IDs (they should not be precluded but solutions should not be 372 limited to these). 373 Motivations: 375 Although SED data may be based on E.164-based SIP URIs for voice 376 interconnects, a generic peering methodology should not rely on 377 such E.164 numbers. 379 3.3.2. URI Reachability 381 Based on a well-known URI type (for e.g. sip:, pres:, or im: URIs), 382 it must be possible to determine whether the SSP domain servicing the 383 URI allows for session peering, and if it does, it should be possible 384 to locate and retrieve the domain's policy and SBE entities. 385 For example, an originating service provider must be able to 386 determine whether a SIP URI is open for direct interconnection 387 without requiring an SBE to initiate a SIP request. Furthermore, 388 since each call setup implies the execution of any proposed 389 algorithm, the establishment of a SIP session via peering should 390 incur minimal overhead and delay, and employ caching wherever 391 possible to avoid extra protocol round trips. 393 o Requirement #9: 394 The mechanisms for session peering MUST allow an SBE to locate its 395 peer SBE given a URI type and the target SSP domain name. 397 4. Requirements for Session Peering of Presence and Instant Messaging 399 This section describes requirements for presence and instant 400 messaging session peering. 402 Two SSPs create a peering relationship to enable their IM and 403 presence users to collaborate with users on the other SSP network. 404 We focus the requirements on inter-domain subscriptions to presence 405 information, the exchange of messages and privacy settings and the 406 use of standard presence document formats across domains. 407 Several use cases for presence and instant messaging peering are 408 described in [RFC5344], a document authored by A. Houri, E. Aoki and 409 S. Parameswar. Credits for the original content captured from these 410 use cases into requirements in this section must go to them. 412 o Requirement #10: 413 The mechanisms recommended for the exchange of presence 414 information between SSPs SHOULD allow a user of one presence 415 community to send a presence subscription request to presentities 416 served by another SSP via its local community, including 417 subscriptions to a single presentity, a personal, public or ad-hoc 418 group list of presentities. 420 Notes: see sections 2.1 and 2.2 of [RFC5344]. 422 o Requirement #11: 423 The mechanisms recommended for Instant Messaging exchanges between 424 SSPs SHOULD allow a user of one SSP's community to communicate 425 with users of the other SSP community via their local community 426 using the various methods. Note that some SSPs may exercise some 427 control over which methods are allowed based on service policies. 428 Such methods include sending a one-time IM message, initiating a 429 SIP session for transporting sessions of messages, participating 430 in n-way chats using chat rooms with users from the peer SSPs, 431 etc. 433 Notes: see sections 2.4, 2.5 and 2.6 of [RFC5344]. 435 o Requirement #12: Privacy Sharing 436 In some presence communities, users can define the list of 437 watchers that receive presence notifications for a given 438 presentity. Such privacy settings for watcher notifications per 439 presentity are typically not shared across SSPs causing multiple 440 notifications to be sent for one presentity change between SSPs. 441 The sharing of those privacy settings per presentity between SSPs 442 would allow fewer notifications: a single notification would be 443 sent per presentity and the terminating SSP would send 444 notifications to the appropriate watchers according to the 445 presentity's privacy information. 446 The mechanisms recommended for Presence information exchanges 447 between SSPs SHOULD allow the sharing of some user privacy 448 settings in order for users to convey the list of watchers that 449 can receive notification of presence information changes on a per 450 presentity basis. 451 The privacy sharing mechanism must be done with the express 452 consent of the user whose privacy settings will be shared with the 453 other community. Because of the privacy-sensitive information 454 exchanged between SSPs, the protocols used for the exchange of 455 presence information must follow the security recommendations 456 defined in section 6 of [RFC3863]. 458 Notes: see section 2.3 of [RFC5344]. 460 o Requirement #13: Multiple Watchers 461 It should be possible to send a presence document with a list of 462 watchers on the other community that should receive the presence 463 document notification. This will enable sending less presence 464 document notifications between the communities while avoiding the 465 need to share privacy information of presentities from one 466 community to the other. 467 The systems used to exchange presence documents between SSPs 468 SHOULD allow a presence document to be delivered to one or more 469 watchers. 470 Note: The privacy sharing mechanisms defined in Requirement #12 471 also apply to this requirement. 473 o Requirement #14: Standard PIDF Documents and Mappings 474 Early deployments of SIP-based presence and Instant Messaging 475 gateways have been done in front of legacy proprietary systems 476 that use different naming schemes or name values for the elements 477 and properties defined in a Presence Information Data Format 478 (PIDF) document ([RFC3863]). For example the value "Do Not 479 Disturb" in one presence service may be mapped to "Busy" in 480 another system for the status element. Beyond this example of 481 status values, it is important to ensure that the meaning of the 482 presence information is preserved between SSPs. 483 The systems used to exchange presence documents between SSPs 484 SHOULD use standard PIDF documents and translate any non-standard 485 value of a PIDF element to a standard one. 487 5. Security Considerations 489 This section describes the security properties that are desirable for 490 the protocol exchanges in scope of session peering. Three types of 491 information flows are described in the architecture and use case 492 documents: the acquisition of the Session Establishment Data (SED) 493 based on a destination target via the Lookup and Location Routing 494 Functions (LUF and LRF), the SIP signaling between SIP Service 495 Providers, and the associated media exchanges. 497 This section is focused on three security services, authentication, 498 data confidentiality and data integrity as summarized in [RFC3365]. 499 However, this text does not specify the mandatory-to-implement 500 security mechanisms as required by [RFC3365]; this is left for future 501 protocol solutions that meet the requirements. 503 A security threat analysis provides additional guidance for session 504 peering ([I-D.ietf-speermint-voipthreats]). 506 5.1. Security Properties for the Acquisition of Session Establishment 507 Data 509 The Look-Up Function (LUF) and Location Routing Function (LRF) are 510 defined in [RFC5486]. They provide mechanisms for determining the 511 SIP target address and domain the request should be sent to, and the 512 associated SED to route the request to that domain. 514 o Requirement #15: 515 The protocols used to query the Lookup and Location Routing 516 Functions SHOULD support mutual authentication. 518 Motivations: 519 A mutual authentication service should be provided for the LUF and 520 LRF protocol exchanges. The content of the response returned by 521 the LUF and LRF may depend on the identity of the requestor: the 522 authentication of the LUF & LRF requests is therefore a desirable 523 property. Mutual authentication is also desirable: the requestor 524 may verify the identity of the systems that provided the LUF & LRF 525 responses given the nature of the data returned in those 526 responses. Authentication also provides some protection for the 527 availability of the LUF and LRF against attackers that would 528 attempt to launch DoS attacks by sending bogus requests causing 529 the LUF to perform a lookup and consume resources. 531 o Requirement #16: 532 The protocols used to query the Lookup and Location Routing 533 Functions SHOULD provide support for data confidentiality and 534 integrity. 536 Motivations: 537 Given the sensitive nature of the session establishment data 538 exchanged with the LUF and LRF functions, the protocol mechanisms 539 chosen for the lookup and location routing should offer data 540 confidentiality and integrity protection (SED data may contain 541 user addresses, SIP URI, location of SIP entities at the 542 boundaries of SIP Service Provider domains, etc.). 544 o Notes on the solution space for Requirements #15 and #16: ENUM, 545 SIP and proprietary protocols are typically used today for 546 accessing these functions. Even though SSPs may use lower layer 547 security mechanisms to guarantee some of those security 548 properties, candidate protocols for the LUF and LRF should meet 549 the above requirements. 551 5.2. Security Properties for the SIP signaling exchanges 553 The SIP signaling exchanges are out of scope of this document. This 554 section describes some of the security properties that are desirable 555 in the context of SIP interconnects between SSPs without formulating 556 any normative requirements. 558 In general, the security properties desirable for the SIP exchanges 559 in an inter-domain context apply to session peering. These include: 561 o securing the transport of SIP messages between the peers' SBEs. 562 Authentication of SIP communications is desirable, especially in 563 the context of session peering involving SIP intermediaries. Data 564 confidentiality and integrity of the SIP message body may be 565 desirable as well given some of the levels of session peering 566 indirection (indirect/assisted peering), but they could be harmful 567 as they may prevent intermediary SSPs from "inserting" SBEs/DBEs 568 along the signaling and data paths. 570 o providing an Authentication Service to authenticate the identity 571 of connected users based on the SIP Service Provider domains (for 572 both the SIP requests and the responses). 574 The fundamental mechanisms for securing SIP between proxy servers 575 intra- and inter-domain are applicable to session peering; refer to 576 Section 26.2 of [RFC3261] for transport-layer security of SIP 577 messages using TLS, [RFC5923] for establishing TLS connections 578 between proxies, [RFC4474] for the protocol mechanisms to verify the 579 identity of the senders of SIP requests in an inter-domain context, 580 and [RFC4916] for verifying the identity of the sender of SIP 581 responses). 583 5.3. End-to-End Media Security 585 Media security is critical to guarantee end-to-end confidentiality of 586 the communication between the end-users' devices, independently of 587 how many direct or indirect peers are present along the signaling 588 path. A number of desirable security properties emerge from this 589 goal. 591 The establishment of media security may be achieved along the media 592 path and not over the signaling path given the indirect peering use 593 cases. 594 For example, media carried over the Real-Time Protocol (RTP) can be 595 secured using secure RTP (SRTP [RFC3711]). A framework for 596 establishing SRTP security using Datagram TLS [RFC4347] is described 597 in [RFC5763]: it allows for end-to-end media security establishment 598 using extensions to DTLS ([RFC5764]). 599 It should also be noted that media can be carried in numerous 600 protocols other than RTP such as SIP (SIP MESSAGE method), MSRP (the 601 Message Session Relay Protocol, [RFC4975], XMPP (the Extensible 602 Messaging and Presence Protocol, [RFC3920]) and many others. Media 603 may also be carried over TCP ([RFC4571]), and it can be encrypted 604 over secure connection-oriented transport sessions over TLS 605 ([RFC4572]). 607 A desirable security property for session peering is for SIP entities 608 to be transparent to the end-to-end media security negotiations: SIP 609 entities should not intervene in the Session Description Protocol 610 (SDP) exchanges for end-to-end media security. 612 o Requirement #17: 613 The protocols used to enable session peering MUST NOT interfere 614 with the exchanges of media security attributes in SDP. Media 615 attribute lines that are not understood by SBEs MUST be ignored 616 and passed along the signaling path untouched. 618 6. Acknowledgments 620 This document is based on the input and contributions made by a large 621 number of people including: Bernard Aboba, Edwin Aoki, Scott Brim, 622 John Elwell, Mike Hammer, Avshalom Houri, Richard Shocky, Henry 623 Sinnreich, Richard Stastny, Patrik Faltstrom, Otmar Lendl, Daryl 624 Malas, Dave Meyer, Sriram Parameswar, Jon Peterson, Jason Livingood, 625 Bob Natale, Benny Rodrig, Brian Rosen, Eric Rosenfeld, Peter Saint- 626 Andre, David Schwartz and Adam Uzelac. 628 Specials thanks go to Rohan Mahy, Brian Rosen, John Elwell for their 629 initial drafts describing guidelines or best current practices in 630 various environments, to Avshalom Houri, Edwin Aoki and Sriram 631 Parameswar for authoring the presence and instant messaging 632 requirements and to Dan Wing for providing detailed feedback on the 633 security consideration sections. 635 7. IANA Considerations 637 This document does not register any values in IANA registries. 639 8. References 641 8.1. Normative References 643 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 644 Requirement Levels", BCP 14, RFC 2119, March 1997. 646 8.2. Informative References 648 [I-D.ietf-pmol-sip-perf-metrics] 649 Malas, D. and A. Morton, "Basic Telephony SIP End-to-End 650 Performance Metrics", draft-ietf-pmol-sip-perf-metrics-07 651 (work in progress), September 2010. 653 [I-D.ietf-speermint-architecture] 654 Malas, D. and J. Livingood, "SPEERMINT Peering 655 Architecture", draft-ietf-speermint-architecture-12 (work 656 in progress), October 2010. 658 [I-D.ietf-speermint-voip-consolidated-usecases] 659 Uzelac, A. and Y. Lee, "VoIP SIP Peering Use Cases", 660 draft-ietf-speermint-voip-consolidated-usecases-18 (work 661 in progress), April 2010. 663 [I-D.ietf-speermint-voipthreats] 664 Seedorf, J., Niccolini, S., Chen, E., and H. Scholz, 665 "SPEERMINT Security Threats and Suggested 666 Countermeasures", draft-ietf-speermint-voipthreats-05 667 (work in progress), September 2010. 669 [RFC2198] Perkins, C., Kouvelas, I., Hodson, O., Hardman, V., 670 Handley, M., Bolot, J., Vega-Garcia, A., and S. Fosse- 671 Parisis, "RTP Payload for Redundant Audio Data", RFC 2198, 672 September 1997. 674 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 675 A., Peterson, J., Sparks, R., Handley, M., and E. 676 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 677 June 2002. 679 [RFC3263] Rosenberg, J. and H. Schulzrinne, "Session Initiation 680 Protocol (SIP): Locating SIP Servers", RFC 3263, 681 June 2002. 683 [RFC3365] Schiller, J., "Strong Security Requirements for Internet 684 Engineering Task Force Standard Protocols", BCP 61, 685 RFC 3365, August 2002. 687 [RFC3455] Garcia-Martin, M., Henrikson, E., and D. Mills, "Private 688 Header (P-Header) Extensions to the Session Initiation 689 Protocol (SIP) for the 3rd-Generation Partnership Project 690 (3GPP)", RFC 3455, January 2003. 692 [RFC3466] Day, M., Cain, B., Tomlinson, G., and P. Rzewski, "A Model 693 for Content Internetworking (CDI)", RFC 3466, 694 February 2003. 696 [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. 697 Jacobson, "RTP: A Transport Protocol for Real-Time 698 Applications", STD 64, RFC 3550, July 2003. 700 [RFC3568] Barbir, A., Cain, B., Nair, R., and O. Spatscheck, "Known 701 Content Network (CN) Request-Routing Mechanisms", 702 RFC 3568, July 2003. 704 [RFC3570] Rzewski, P., Day, M., and D. Gilletti, "Content 705 Internetworking (CDI) Scenarios", RFC 3570, July 2003. 707 [RFC3611] Friedman, T., Caceres, R., and A. Clark, "RTP Control 708 Protocol Extended Reports (RTCP XR)", RFC 3611, 709 November 2003. 711 [RFC3702] Loughney, J. and G. Camarillo, "Authentication, 712 Authorization, and Accounting Requirements for the Session 713 Initiation Protocol (SIP)", RFC 3702, February 2004. 715 [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. 716 Norrman, "The Secure Real-time Transport Protocol (SRTP)", 717 RFC 3711, March 2004. 719 [RFC3824] Peterson, J., Liu, H., Yu, J., and B. Campbell, "Using 720 E.164 numbers with the Session Initiation Protocol (SIP)", 721 RFC 3824, June 2004. 723 [RFC3863] Sugano, H., Fujimoto, S., Klyne, G., Bateman, A., Carr, 724 W., and J. Peterson, "Presence Information Data Format 725 (PIDF)", RFC 3863, August 2004. 727 [RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence 728 Protocol (XMPP): Core", RFC 3920, October 2004. 730 [RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", 731 RFC 3966, December 2004. 733 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 734 Resource Identifier (URI): Generic Syntax", STD 66, 735 RFC 3986, January 2005. 737 [RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 738 Security", RFC 4347, April 2006. 740 [RFC4474] Peterson, J. and C. Jennings, "Enhancements for 741 Authenticated Identity Management in the Session 742 Initiation Protocol (SIP)", RFC 4474, August 2006. 744 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 745 Description Protocol", RFC 4566, July 2006. 747 [RFC4571] Lazzaro, J., "Framing Real-time Transport Protocol (RTP) 748 and RTP Control Protocol (RTCP) Packets over Connection- 749 Oriented Transport", RFC 4571, July 2006. 751 [RFC4572] Lennox, J., "Connection-Oriented Media Transport over the 752 Transport Layer Security (TLS) Protocol in the Session 753 Description Protocol (SDP)", RFC 4572, July 2006. 755 [RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast 756 Services", BCP 126, RFC 4786, December 2006. 758 [RFC4916] Elwell, J., "Connected Identity in the Session Initiation 759 Protocol (SIP)", RFC 4916, June 2007. 761 [RFC4975] Campbell, B., Mahy, R., and C. Jennings, "The Message 762 Session Relay Protocol (MSRP)", RFC 4975, September 2007. 764 [RFC5344] Houri, A., Aoki, E., and S. Parameswar, "Presence and 765 Instant Messaging Peering Use Cases", RFC 5344, 766 October 2008. 768 [RFC5411] Rosenberg, J., "A Hitchhiker's Guide to the Session 769 Initiation Protocol (SIP)", RFC 5411, February 2009. 771 [RFC5486] Malas, D. and D. Meyer, "Session Peering for Multimedia 772 Interconnect (SPEERMINT) Terminology", RFC 5486, 773 March 2009. 775 [RFC5503] Andreasen, F., McKibben, B., and B. Marshall, "Private 776 Session Initiation Protocol (SIP) Proxy-to-Proxy 777 Extensions for Supporting the PacketCable Distributed Call 778 Signaling Architecture", RFC 5503, March 2009. 780 [RFC5630] Audet, F., "The Use of the SIPS URI Scheme in the Session 781 Initiation Protocol (SIP)", RFC 5630, October 2009. 783 [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework 784 for Establishing a Secure Real-time Transport Protocol 785 (SRTP) Security Context Using Datagram Transport Layer 786 Security (DTLS)", RFC 5763, May 2010. 788 [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer 789 Security (DTLS) Extension to Establish Keys for the Secure 790 Real-time Transport Protocol (SRTP)", RFC 5764, May 2010. 792 [RFC5923] Gurbani, V., Mahy, R., and B. Tate, "Connection Reuse in 793 the Session Initiation Protocol (SIP)", RFC 5923, 794 June 2010. 796 Appendix A. Policy Parameters for Session Peering 798 This informative section lists various types of parameters that 799 should be considered by implementers when deciding what configuration 800 variables to expose to system administrators or management stations, 801 as well as SSPs or federations of SSPs when discussing the technical 802 part of a session peering policy. 804 In the context of session peering, a policy can be defined as the set 805 of parameters and other information needed by an SSP to exchange 806 traffic with another peer. Some of the session policy parameters may 807 be statically exchanged and set throughout the lifetime of the 808 peering relationship. Others parameters may be discovered and 809 updated dynamically using by some explicit protocol mechanisms. 810 These dynamic parameters may be session-dependent, or the may apply 811 over multiple sessions or peers. 813 Various types of policy information may need to be discovered or 814 exchanged in order to establish session peering. At a minimum, a 815 policy should specify information related to session establishment 816 data in order to avoid session establishment failures. A policy may 817 also include information related to QoS, billing and accounting, 818 layer-3 related interconnect requirements which are out of the scope 819 of this document. 821 Some aspects of session peering policies must be agreed to and 822 manually implemented; they are static and are typically documented as 823 part of a business contract, technical document or agreement between 824 parties. For some parameters linked to protocol support and 825 capabilities, standard ways of expressing those policy parameters may 826 be defined among SSP and exchanged dynamically. For e.g., templates 827 could be created in various document formats so that it could be 828 possible to dynamically discover some of the domain policy. Such 829 templates could be initiated by implementers (for each software/ 830 hardware release, a list of supported RFCs, RFC parameters is 831 provided in a standard format) and then adapted by each SSP based on 832 its service description, server or device configurations and variable 833 based on peer relationships. 835 A.1. Categories of Parameters for VoIP Session Peering and 836 Justifications 838 The following list should be considered as an initial list of 839 "discussion topics" to be addressed by peers when initiating a VoIP 840 peering relationship. 842 o IP Network Connectivity: 843 Session peers should define the IP network connectivity between 844 their respective SBEs and DBEs. While this is out of scope of 845 session peering, SSPs must agree on a common mechanism for IP 846 transport of session signaling and media. This may be accomplish 847 via private (e.g. IPVPN, IPsec, etc.) or public IP networks. 849 o Media-related Parameters: 851 * Media Codecs: list of supported media codecs for audio, real- 852 time fax (version of T.38, if applicable), real-time text (RFC 853 4103), DTMF transport, voice band data communications (as 854 applicable) along with the supported or recommended codec 855 packetization rates, level of RTP payload redundancy, audio 856 volume levels, etc. 858 * Media Transport: level of support for RTP-RTCP [RFC3550], RTP 859 Redundancy (RTP Payload for Redundant Audio Data - [RFC2198]) , 860 T.38 transport over RTP, etc. 862 * Media variability at the Signaling path Border Elements: list 863 of media types supported by the various ingress points of a 864 peer's network. 866 * Other: support of the VoIP metric block as defined in RTP 867 Control Protocol Extended Reports [RFC3611] , etc. 869 o SIP: 871 * A session peering policy should include the list of supported 872 and required SIP RFCs, supported and required SIP methods 873 (including private p headers if applicable), error response 874 codes, supported or recommended format of some header field 875 values , etc. 877 * It should also be possible to describe the list of supported 878 SIP RFCs by various functional groupings. A group of SIP RFCs 879 may represent how a call feature is implemented (call hold, 880 transfer, conferencing, etc.), or it may indicate a functional 881 grouping as in [RFC5411]. 883 o Accounting: 884 Methods used for call or session accounting should be specified. 885 An SSP may require a peer to track session usage. It is critical 886 for peers to determine whether the support of any SIP extensions 887 for accounting is a pre-requisite for SIP interoperability. In 888 some cases, call accounting may feed data for billing purposes but 889 not always: some operators may decide to use accounting as a 'bill 890 and keep' model to track session usage and monitor usage against 891 service level agreements. 892 [RFC3702] defines the terminology and basic requirements for 893 accounting of SIP sessions. A few private SIP extensions have 894 also been defined and used over the years to enable call 895 accounting between SSP domains such as the P-Charging* headers in 896 [RFC3455], the P-DCS-Billing-Info header in [RFC5503], etc. 898 o Performance Metrics: 899 Layer-5 performance metrics should be defined and shared between 900 peers. The performance metrics apply directly to signaling or 901 media; they may be used pro-actively to help avoid congestion, 902 call quality issues or call signaling failures, and as part of 903 monitoring techniques, they can be used to evaluate the 904 performance of peering exchanges. 905 Examples of SIP performance metrics include the maximum number of 906 SIP transactions per second on per domain basis, Session 907 Completion Rate (SCR), Session Establishment Rate (SER), etc. 908 Some SIP end-to-end performance metrics are defined in 909 [I-D.ietf-pmol-sip-perf-metrics]; a subset of these may be 910 applicable to session peering and interconnects. 911 Some media-related metrics for monitoring VoIP calls have been 912 defined in the VoIP Metrics Report Block, in Section 4.7 of 913 [RFC3611]. 915 o Security: 916 An SSP should describe the security requirements that other peers 917 must meet in order to terminate calls to its network. While such 918 a list of security-related policy parameters often depends on the 919 security models pre-agreed to by peers, it is expected that these 920 parameters will be discoverable or signaled in the future to allow 921 session peering outside SSP clubs. The list of security 922 parameters may be long and composed of high-level requirements 923 (e.g. authentication, privacy, secure transport) and low level 924 protocol configuration elements like TLS parameters. 925 The following list is not intended to be complete, it provides a 926 preliminary list in the form of examples: 928 * Call admission requirements: for some providers, sessions can 929 only be admitted if certain criteria are met. For example, for 930 some providers' networks, only incoming SIP sessions signaled 931 over established IPsec tunnels or presented to the well-known 932 TLS ports are admitted. Other call admission requirements may 933 be related to some performance metrics as described above. 934 Finally, it is possible that some requirements be imposed on 935 lower layers, but these are considered out of scope of session 936 peering. 938 * Call authorization requirements and validation: the presence of 939 a caller or user identity may be required by an SSP. Indeed, 940 some SSPs may further authorize an incoming session request by 941 validating the caller's identity against white/black lists 942 maintained by the service provider or users (traditional caller 943 ID screening applications or IM white list). 945 * Privacy requirements: an SSP may demand that its SIP messages 946 be securely transported by its peers for privacy reasons so 947 that the calling/called party information be protected. Media 948 sessions may also require privacy and some SSP policies may 949 include requirements on the use of secure media transport 950 protocols such as SRTP, along with some constraints on the 951 minimum authentication/encryption options for use in SRTP. 953 * Network-layer security parameters: this covers how IPsec 954 security associated may be established, the IPsec key exchange 955 mechanisms to be used and any keying materials, the lifetime of 956 timed Security Associated if applicable, etc. 958 * Transport-layer security parameters: this covers how TLS 959 connections should be established as described in Section 960 Section 5. 962 A.2. Summary of Parameters for Consideration in Session Peering 963 Policies 965 The following is a summary of the parameters mentioned in the 966 previous section. They may be part of a session peering policy and 967 appear with a level of requirement (mandatory, recommended, 968 supported, ...). 970 o IP Network Connectivity (assumed, requirements out of scope of 971 this document) 973 o Media session parameters: 975 * Codecs for audio, video, real time text, instant messaging 976 media sessions 978 * Modes of communications for audio (voice, fax, DTMF), IM (page 979 mode, MSRP) 981 * Media transport and means to establish secure media sessions 983 * List of ingress and egress DBEs where applicable, including 984 STUN Relay servers if present 986 o SIP 988 * SIP RFCs, methods and error responses 990 * headers and header values 992 * possibly, list of SIP RFCs supported by groups (e.g. by call 993 feature) 995 o Accounting 997 o Capacity Control and Performance Management: any limits on, or, 998 means to measure and limit the maximum number of active calls to a 999 peer or federation, maximum number of sessions and messages per 1000 specified unit time, maximum number of active users or subscribers 1001 per specified unit time, the aggregate media bandwidth per peer or 1002 for the federation, specified SIP signaling performance metrics to 1003 measure and report; media-level VoIP metrics if applicable. 1005 o Security: Call admission control, call authorization, network and 1006 transport layer security parameters, media security parameters 1008 Author's Address 1010 Jean-Francois Mule 1011 CableLabs 1012 858 Coal Creek Circle 1013 Louisville, CO 80027 1014 USA 1016 Email: jf.mule@cablelabs.com