idnits 2.17.1 draft-ietf-speermint-requirements-11.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 11, 2011) is 4795 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-19) exists of draft-ietf-speermint-voip-consolidated-usecases-18 == Outdated reference: A later version (-09) exists of draft-ietf-speermint-voipthreats-07 -- Obsolete informational reference (is this intentional?): RFC 3455 (Obsoleted by RFC 7315) -- Obsolete informational reference (is this intentional?): RFC 3466 (Obsoleted by RFC 7336) -- Obsolete informational reference (is this intentional?): RFC 3570 (Obsoleted by RFC 6770) -- Obsolete informational reference (is this intentional?): RFC 3920 (Obsoleted by RFC 6120) -- Obsolete informational reference (is this intentional?): RFC 4347 (Obsoleted by RFC 6347) -- Obsolete informational reference (is this intentional?): RFC 4474 (Obsoleted by RFC 8224) -- Obsolete informational reference (is this intentional?): RFC 4566 (Obsoleted by RFC 8866) -- Obsolete informational reference (is this intentional?): RFC 4572 (Obsoleted by RFC 8122) Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 10 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 SPEERMINT Working Group J-F. Mule 3 Internet-Draft CableLabs 4 Intended status: Informational March 11, 2011 5 Expires: September 12, 2011 7 Requirements for SIP-based Session Peering 8 draft-ietf-speermint-requirements-11.txt 10 Abstract 12 This memo captures protocol requirements to enable session peering of 13 voice, presence, instant messaging and other types of multimedia 14 traffic. This informational document is intended to link the various 15 use cases described for session peering to protocol solutions. 17 Status of this Memo 19 This Internet-Draft is submitted in full conformance with the 20 provisions of BCP 78 and BCP 79. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF). Note that other groups may also distribute 24 working documents as Internet-Drafts. The list of current Internet- 25 Drafts is at http://datatracker.ietf.org/drafts/current/. 27 Internet-Drafts are draft documents valid for a maximum of six months 28 and may be updated, replaced, or obsoleted by other documents at any 29 time. It is inappropriate to use Internet-Drafts as reference 30 material or to cite them other than as "work in progress." 32 This Internet-Draft will expire on September 12, 2011. 34 Copyright Notice 36 Copyright (c) 2011 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents 41 (http://trustee.ietf.org/license-info) in effect on the date of 42 publication of this document. Please review these documents 43 carefully, as they describe your rights and restrictions with respect 44 to this document. Code Components extracted from this document must 45 include Simplified BSD License text as described in Section 4.e of 46 the Trust Legal Provisions and are provided without warranty as 47 described in the Simplified BSD License. 49 Table of Contents 51 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 52 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 53 3. General Requirements . . . . . . . . . . . . . . . . . . . . . 5 54 3.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 5 55 3.2. Border Elements . . . . . . . . . . . . . . . . . . . . . 5 56 3.3. Session Establishment Data . . . . . . . . . . . . . . . . 9 57 3.3.1. User Identities and SIP URIs . . . . . . . . . . . . . 9 58 3.3.2. URI Reachability . . . . . . . . . . . . . . . . . . . 10 59 4. Requirements for Session Peering of Presence and Instant 60 Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . 11 61 5. Security Considerations . . . . . . . . . . . . . . . . . . . 13 62 5.1. Security Properties for the Acquisition of Session 63 Establishment Data . . . . . . . . . . . . . . . . . . . . 13 64 5.2. Security Properties for the SIP signaling exchanges . . . 14 65 5.3. End-to-End Media Security . . . . . . . . . . . . . . . . 15 66 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 67 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 68 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 69 8.1. Normative References . . . . . . . . . . . . . . . . . . . 18 70 8.2. Informative References . . . . . . . . . . . . . . . . . . 18 71 Appendix A. Policy Parameters for Session Peering . . . . . . . . 22 72 A.1. Categories of Parameters for VoIP Session Peering and 73 Justifications . . . . . . . . . . . . . . . . . . . . . . 22 74 A.2. Summary of Parameters for Consideration in Session 75 Peering Policies . . . . . . . . . . . . . . . . . . . . . 25 76 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 27 78 1. Introduction 80 Peering at the session level represents an agreement between parties 81 to exchange multimedia traffic. In this document, we assume that the 82 Session Initiation Protocol (SIP) is used to establish sessions 83 between SIP Service Providers (SSPs). SIP Service Providers are 84 referred to as peers and they are typically represented by users, 85 user groups, enterprises, real-time collaboration service 86 communities, or other service providers offering voice or multimedia 87 services using SIP. 89 A number of documents have been developed to provide background 90 information about SIP session peering. It is expected that the 91 reader is familiar with the reference architecture described in 92 [I-D.ietf-speermint-architecture], use cases for voice 93 ([I-D.ietf-speermint-voip-consolidated-usecases]) and instant 94 messaging and presence ([RFC5344]). 96 Peering at the session layer can be achieved on a bilateral basis 97 (direct peering established directly between two SSPs), or on an 98 indirect basis via a session intermediary (indirect peering via a 99 third-party SSP that has a trust relationship with the SSPs) - see 100 the terminology document [RFC5486] for more details. 102 This document first describes general requirements. The use cases 103 are then analyzed in the spirit of extracting relevant protocol 104 requirements that must be met to accomplish the use cases. These 105 requirements are intended to be independent of the type of media 106 exchanged such as Voice over IP (VoIP), video telephony, and instant 107 messaging. Requirements specific to presence and instant messaging 108 are defined in Section 4. 110 It is not the goal of this document to mandate any particular use of 111 IETF protocols other than SIP by SIP Service Providers in order to 112 establish session peering. Instead, the document highlights what 113 requirements should be met and what protocols might be used to define 114 the solution space. 116 Finally, we conclude with a list of parameters for the definition of 117 a session peering policy, provided in an informative appendix. It 118 should be considered as an example of the information SIP Service 119 Providers may have to discuss or agree on to exchange SIP traffic. 121 2. Terminology 123 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 124 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 125 document are to be interpreted as described in [RFC2119]. 127 This document also reuses the terminology defined in [RFC5486]. 129 It is assumed that the reader is familiar with the Session 130 Description Protocol (SDP) [RFC4566] and the Session Initiation 131 Protocol (SIP) [RFC3261]. Finally, when used with capital letters, 132 the terms 'Authentication Service' are to be understood as defined by 133 SIP Identity [RFC4474]. 135 3. General Requirements 137 The following sub-sections contain general requirements applicable to 138 multiple use cases for multimedia session peering. 140 3.1. Scope 142 The primary focus of this document is on the requirements applicable 143 to the boundaries of Layer 5 SIP networks: SIP entities, Signaling 144 path Border Elements (SBEs), and the associated protocol requirements 145 for the look-up and location routing of the session establishment 146 data. The requirements applicable to SIP User Agents or related to 147 the provisioning of the session data are considered out of scope. 149 SIP Service Providers have to reach an agreement on numerous points 150 when establishing session peering relationships . 151 This document highlights only certain aspects of a session peering 152 agreement. It describes the requirements relevant to protocols in 153 four areas: the declaration, advertisement and management of ingress 154 and egress border elements for session signaling and media (section 155 Section 3.2), the information exchange related to the Session 156 Establishment Data (SED, section Section 3.3), specific requirements 157 for presence and instant message (section Section 4) and the security 158 properties that may be desirable to secure session exchanges (section 159 Section 5). 160 Numerous other considerations of session peering arrangements are 161 critical to reach a successful agreement but they are considered out 162 of scope of this document. They include information about SIP 163 protocol support (e.g. SIP extensions and field conventions), media 164 (e.g. type of media traffic to be exchanged, compatible media codecs 165 and transport protocols, mechanisms to ensure differentiated quality 166 of service for media), layer-3 IP connectivity between the Signaling 167 and Data path Border Elements, accounting and traffic capacity 168 control (e.g. the maximum number of SIP sessions at each ingress 169 point, or the maximum number of concurrent IM or VoIP sessions). 171 The informative Appendix A lists parameters that may be considered 172 when discussing the technical parameters of SIP session peering. The 173 purpose of this list is to capture the parameters that are considered 174 outside the scope of the protocol requirements. 176 3.2. Border Elements 178 For border elements to be operationally manageable, maximum 179 flexibility should be given for how they are declared or dynamically 180 advertised. Indeed, in any session peering environment, there is a 181 need for a SIP Service Provider to declare or dynamically advertise 182 the SIP entities that will face the peer's network. The data path 183 border elements are typically signaled dynamically in the session 184 description. 186 The use cases defined in 187 [I-D.ietf-speermint-voip-consolidated-usecases] catalog the various 188 border elements between SIP Service Providers; they include Signaling 189 path Border Elements (SBEs) and SIP proxies (or any SIP entity at the 190 boundary of the Layer 5 network). 192 o Requirement #1: 193 Protocol mechanisms MUST be provided to enable a SIP Service 194 Provider to communicate the ingress Signaling Path Border Elements 195 of its service domain. 197 Notes on solution space: 198 The SBEs may be advertised to session peers using static 199 mechanisms or they may be dynamically advertised. There is 200 general agreement that [RFC3263] provides a solution for 201 dynamically advertising ingress SBEs in most cases of Direct or 202 Indirect peering. We discuss the DNS-based solution space further 203 in Requirement #4 below, especially in cases where the DNS 204 response varies based on who sends the query (peer-dependent 205 SBEs). 207 o Requirement #2: 208 Protocol mechanisms MUST be provided to enable a SIP Service 209 Provider to communicate the egress SBEs of its service domain. 211 Notes on motivations for this requirement: 212 For the purposes of capacity planning, traffic engineering and 213 call admission control, a SIP Service Provider may be asked where 214 it will generate SIP calls from. The SSP accepting calls from a 215 peer may wish to know where SIP calls will originate from (this 216 information is typically used by the terminating SSP). 217 While provisioning requirements are out-of-scope, some SSPs may 218 find use for a mechanism to dynamically advertise or discover the 219 egress SBEs of a peer. 221 If the SSP also provides media streams to its users as shown in the 222 use cases for "Originating" and "Terminating" SSPs, a mechanism must 223 exist to allow SSPs to advertise their egress and ingress data path 224 border elements (DBEs), if applicable. While some SSPs may have open 225 policies and accept media traffic from anywhere outside their network 226 to anywhere inside their network, some SSPs may want to optimize 227 media delivery and identify media paths between peers prior to 228 traffic being sent (layer 5 to layer 3 QoS mapping). 230 o Requirement #3: 231 Protocol mechanisms MUST be provided to allow a SIP Service 232 Provider to communicate its DBEs to its peers. 234 Notes: Some SSPs engaged in SIP interconnects do exchange this 235 type of DBE information in a static manner. Some SSPs do not. 237 In some SIP networks, SSPs may expose the same border elements to all 238 peers. In other environments, it is common for SSPs to advertise 239 specific SBEs and DBEs to certain peers. This is done by SSPs to 240 meet specific objectives for a given peer: routing optimization of 241 the signaling and media exchanges, optimization of the latency or 242 throughput based on the 'best' SBE and DBE combination, and other 243 service provider policy parameters. These are some of the reasons 244 why advertisement of SBEs and DBEs may be peer-dependent. 246 o Requirement #4: 247 The mechanisms recommended for the declaration or advertisement of 248 SBE and DBE entities MUST allow for peer variability. 250 Notes on solution space: 251 A simple solution is to advertise SBE entities using DNS and 252 [RFC3263] by providing different DNS names to different peers. 253 This approach has some practical limitations because the SIP URIs 254 containing the DNS names used to resolve the SBEs may be 255 propagated by users, for example in the form of sip:user@domain. 256 It is impractical to ask users to use different target URIs based 257 upon their SIP service provider's desire to receive incoming 258 session signaling at different ingress SBEs based upon the 259 originator. The solution described in [RFC3263] and based on DNS 260 to advertise SBEs is therefore under-specified for this 261 requirement. 262 Other DNS mechanisms have been used extensively in other areas of 263 the Internet, in particular in Content Distribution 264 Internetworking to make the DNS responses vary based on the 265 originator of the DNS query (see [RFC3466], [RFC3568] and 266 [RFC3570]). The applicability of such solutions for session 267 peering needs further analysis. 268 Finally, other techniques such as Anycast services ([RFC4786]) may 269 be employed at lower layers than Layer 5 to provide a solution to 270 this requirement. For example, anycast nodes could be defined by 271 SIP service providers to expose a common address for SBEs into 272 DNS, allowing the resolution of the anycast node address to the 273 appropriate peer-dependent service address based on the routing 274 topology or other criteria gathered from the combined use of 275 anycast and DNS techniques. 277 Notes on variability of the SBE advertisements based on the media 278 capabilities: 279 Some SSPs may have some restrictions on the type of media traffic 280 their SBEs can accept. For SIP sessions however, it is not 281 possible to communicate those restrictions in advance of the 282 session initiation: a SIP target may support voice-only media, 283 voice and video, or voice and instant messaging communications. 284 While the inability to find out whether a particular type of SIP 285 session can be terminated by a certain SBE can cause session 286 attempts to fail, there is consensus to not add a new requirement 287 in this document. These aspects are essentially covered by SSPs 288 when discussing traffic exchange policies and are deemed out of 289 scope of this document. 291 In the use cases provided as part of direct and indirect peering 292 scenarios, an SSP deals with multiple SIP entities and multiple SBEs 293 in its own domain. There is often a many-to-many relationship 294 between the SIP Proxies considered inside the trusted network 295 boundary of the SSP and its Signaling path Border Elements at the 296 network boundaries. 297 It should be possible for an SSP to define which egress SBE a SIP 298 entity must use based on a given peer destination. 299 For example, in the case of a static direct peering scenario (Figure 300 2 in section 5.2. of 301 [I-D.ietf-speermint-voip-consolidated-usecases]), it should be 302 possible for the SIP proxy in the originating network (O-Proxy) to 303 select the appropriate egress SBE (O-SBE) to reach the SIP target 304 based on the information the proxy receives from the Lookup Function 305 (O-LUF) and/or Location Routing Function (O-LRF) - message response 306 labeled (2). Note that this example also applies to the case of 307 indirect peering when a service provider has multiple service areas 308 and each service area involves multiple SIP Proxies and a few SBEs. 310 o Requirement #5: 311 The mechanisms recommended for the Look-Up Function (LUF) and the 312 Location Routing Functions (LRF) MUST be capable of returning both 313 a target URI destination and a value providing the next SIP 314 hop(s). 316 Notes: solutions may exist depending on the choice of the protocol 317 used between the Proxy and its LUF/LRF. The idea is for the 318 O-Proxy to be provided with the next SIP hop and the equivalent of 319 one or more SIP Route header values. If ENUM is used as a 320 protocol for the LUF, the solution space is undefined. 322 It is desirable for an SSP to be able to communicate how 323 authentication of a peer's SBEs will occur (see the security 324 requirements for more details). 326 o Requirement #6: 327 The mechanisms recommended for locating a peer's SBE MUST be able 328 to convey how a peer should initiate secure session establishment. 330 Notes: some mechanisms exist. For example, the required use of 331 SIP over TLS may be discovered via [RFC3263] and guidelines 332 concerning the use of the SIPS URI scheme in SIP have been 333 documented in [RFC5630]. 335 3.3. Session Establishment Data 337 The Session Establishment Data (SED) is defined in [RFC5486] as the 338 data used to route a call to the next hop associated with the called 339 domain's ingress point. The following paragraphs capture some 340 general requirements on the SED data. 342 3.3.1. User Identities and SIP URIs 344 User identities used between peers can be represented in many 345 different formats. Session Establishment Data should rely on URIs 346 (Uniform Resource Identifiers, [RFC3986]) and SIP URIs should be 347 preferred over tel URIs ([RFC3966]) for session peering of VoIP 348 traffic. 349 The use of DNS domain names and hostnames is recommended in SIP URIs 350 and they should be resolvable on the public Internet. As for the 351 user part of the SIP URIs, the mechanisms for session peering should 352 not require an SSP to be aware of which individual user identities 353 are valid within its peer's domain. 355 o Requirement #7: 356 The protocols used for session peering MUST accommodate the use of 357 different types of URIs. URIs with the same domain-part SHOULD 358 share the same set of peering policies, thus the domain of the SIP 359 URI may be used as the primary key to any information regarding 360 the reachability of that SIP URI. The host part of SIP URIs 361 SHOULD contain a fully-qualified domain name instead of a numeric 362 IPv4 or IPv6 address. 364 o Requirement #8: 365 The mechanisms for session peering should not require an SSP to be 366 aware of which individual user identities are valid within its 367 peer's domain. 369 o Notes on the solution space for #7 and #8: 370 This is generally well supported by IETF protocols. When 371 telephone numbers are in tel URIs, SIP requests cannot be routed 372 in accordance with the traditional DNS resolution procedures 373 standardized for SIP as indicated in [RFC3824]. This means that 374 the solutions built for session peering must not solely use PSTN 375 identifiers such as Service Provider IDs (SPIDs) or Trunk Group 376 IDs (they should not be precluded but solutions should not be 377 limited to these). 378 Motivations: 379 Although SED data may be based on E.164-based SIP URIs for voice 380 interconnects, a generic peering methodology should not rely on 381 such E.164 numbers. 383 3.3.2. URI Reachability 385 Based on a well-known URI type (for e.g. sip:, pres:, or im: URIs), 386 it must be possible to determine whether the SSP domain servicing the 387 URI allows for session peering, and if it does, it should be possible 388 to locate and retrieve the domain's policy and SBE entities. 389 For example, an originating service provider must be able to 390 determine whether a SIP URI is open for direct interconnection 391 without requiring an SBE to initiate a SIP request. Furthermore, 392 since each call setup implies the execution of any proposed 393 algorithm, the establishment of a SIP session via peering should 394 incur minimal overhead and delay, and employ caching wherever 395 possible to avoid extra protocol round trips. 397 o Requirement #9: 398 The mechanisms for session peering MUST allow an SBE to locate its 399 peer SBE given a URI type and the target SSP domain name. 401 4. Requirements for Session Peering of Presence and Instant Messaging 403 This section describes requirements for presence and instant 404 messaging session peering. 406 Two SSPs create a peering relationship to enable their IM and 407 presence users to collaborate with users on the other SSP network. 408 We focus the requirements on inter-domain subscriptions to presence 409 information, the exchange of messages and privacy settings and the 410 use of standard presence document formats across domains. 411 Several use cases for presence and instant messaging peering are 412 described in [RFC5344], a document authored by A. Houri, E. Aoki and 413 S. Parameswar. Credits for the original content captured from these 414 use cases into requirements in this section must go to them. 416 o Requirement #10: 417 The mechanisms recommended for the exchange of presence 418 information between SSPs SHOULD allow a user of one presence 419 community to send a presence subscription request to presentities 420 served by another SSP via its local community, including 421 subscriptions to a single presentity, a personal, public or ad-hoc 422 group list of presentities. 424 Notes: see sections 2.1 and 2.2 of [RFC5344]. 426 o Requirement #11: 427 The mechanisms recommended for Instant Messaging exchanges between 428 SSPs SHOULD allow a user of one SSP's community to communicate 429 with users of the other SSP community via their local community 430 using the various methods. Note that some SSPs may exercise some 431 control over which methods are allowed based on service policies. 432 Such methods include sending a one-time IM message, initiating a 433 SIP session for transporting sessions of messages, participating 434 in n-way chats using chat rooms with users from the peer SSPs, 435 etc. 437 Notes: see sections 2.4, 2.5 and 2.6 of [RFC5344]. 439 o Requirement #12: Privacy Sharing 440 In some presence communities, users can define the list of 441 watchers that receive presence notifications for a given 442 presentity. Such privacy settings for watcher notifications per 443 presentity are typically not shared across SSPs causing multiple 444 notifications to be sent for one presentity change between SSPs. 445 The sharing of those privacy settings per presentity between SSPs 446 would allow fewer notifications: a single notification would be 447 sent per presentity and the terminating SSP would send 448 notifications to the appropriate watchers according to the 449 presentity's privacy information. 450 The mechanisms recommended for Presence information exchanges 451 between SSPs SHOULD allow the sharing of some user privacy 452 settings in order for users to convey the list of watchers that 453 can receive notification of presence information changes on a per 454 presentity basis. 455 The privacy sharing mechanism must be done with the express 456 consent of the user whose privacy settings will be shared with the 457 other community. Because of the privacy-sensitive information 458 exchanged between SSPs, the protocols used for the exchange of 459 presence information must follow the security recommendations 460 defined in section 6 of [RFC3863]. 462 Notes: see section 2.3 of [RFC5344]. 464 o Requirement #13: Multiple Watchers 465 It should be possible for an SPP to associate a presence document 466 with a list of watchers in the peer SSP community so that the peer 467 watchers can receive the presence document notifications. This 468 will enable sending less presence document notifications between 469 the communities while avoiding the need to share privacy 470 information of presentities from one community to the other. 471 The systems used to exchange presence documents between SSPs 472 SHOULD allow a presence document to be delivered to one or more 473 watchers. 474 Note: The presence document and the list of authorized watchers in 475 the peer SSP may be sent separately. Also, the privacy sharing 476 mechanisms defined in Requirement #12 also apply to this 477 requirement. 479 o Requirement #14: Standard PIDF Documents and Mappings 480 Early deployments of SIP-based presence and Instant Messaging 481 gateways have been done in front of legacy proprietary systems 482 that use different naming schemes or name values for the elements 483 and properties defined in a Presence Information Data Format 484 (PIDF) document ([RFC3863]). For example the value "Do Not 485 Disturb" in one presence service may be mapped to "Busy" in 486 another system for the status element. Beyond this example of 487 status values, it is important to ensure that the meaning of the 488 presence information is preserved between SSPs. 489 The systems used to exchange presence documents between SSPs 490 SHOULD use standard PIDF documents and translate any non-standard 491 value of a PIDF element to a standard one. 493 5. Security Considerations 495 This section describes the security properties that are desirable for 496 the protocol exchanges in scope of session peering. Three types of 497 information flows are described in the architecture and use case 498 documents: the acquisition of the Session Establishment Data (SED) 499 based on a destination target via the Lookup and Location Routing 500 Functions (LUF and LRF), the SIP signaling between SIP Service 501 Providers, and the associated media exchanges. 503 This section is focused on three security services, authentication, 504 data confidentiality and data integrity as summarized in [RFC3365]. 505 However, this text does not specify the mandatory-to-implement 506 security mechanisms as required by [RFC3365]; this is left for future 507 protocol solutions that meet the requirements. 509 A security threat analysis provides additional guidance for session 510 peering ([I-D.ietf-speermint-voipthreats]). 512 5.1. Security Properties for the Acquisition of Session Establishment 513 Data 515 The Look-Up Function (LUF) and Location Routing Function (LRF) are 516 defined in [RFC5486]. They provide mechanisms for determining the 517 SIP target address and domain the request should be sent to, and the 518 associated SED to route the request to that domain. 520 o Requirement #15: 521 The protocols used to query the Lookup and Location Routing 522 Functions SHOULD support mutual authentication. 524 Motivations: 525 A mutual authentication service should be provided for the LUF and 526 LRF protocol exchanges. The content of the response returned by 527 the LUF and LRF may depend on the identity of the requestor: the 528 authentication of the LUF & LRF requests is therefore a desirable 529 property. Mutual authentication is also desirable: the requestor 530 may verify the identity of the systems that provided the LUF & LRF 531 responses given the nature of the data returned in those 532 responses. Authentication also provides some protection for the 533 availability of the LUF and LRF against attackers that would 534 attempt to launch DoS attacks by sending bogus requests causing 535 the LUF to perform a lookup and consume resources. 537 o Requirement #16: 538 The protocols used to query the Lookup and Location Routing 539 Functions SHOULD provide support for data confidentiality and 540 integrity. 542 Motivations: 543 Given the sensitive nature of the session establishment data 544 exchanged with the LUF and LRF functions, the protocol mechanisms 545 chosen for the lookup and location routing should offer data 546 confidentiality and integrity protection (SED data may contain 547 user addresses, SIP URI, location of SIP entities at the 548 boundaries of SIP Service Provider domains, etc.). 550 o Notes on the solution space for Requirements #15 and #16: ENUM, 551 SIP and proprietary protocols are typically used today for 552 accessing these functions. Even though SSPs may use lower layer 553 security mechanisms to guarantee some of those security 554 properties, candidate protocols for the LUF and LRF should meet 555 the above requirements. 557 5.2. Security Properties for the SIP signaling exchanges 559 The SIP signaling exchanges are out of scope of this document. This 560 section describes some of the security properties that are desirable 561 in the context of SIP interconnects between SSPs without formulating 562 any normative requirements. 564 In general, the security properties desirable for the SIP exchanges 565 in an inter-domain context apply to session peering. These include: 567 o securing the transport of SIP messages between the peers' SBEs. 568 Authentication of SIP communications is desirable, especially in 569 the context of session peering involving SIP intermediaries. Data 570 confidentiality and integrity of the SIP message body may be 571 desirable as well given some of the levels of session peering 572 indirection (indirect/assisted peering), but they could be harmful 573 as they may prevent intermediary SSPs from "inserting" SBEs/DBEs 574 along the signaling and data paths. 576 o providing an Authentication Service to authenticate the identity 577 of connected users based on the SIP Service Provider domains (for 578 both the SIP requests and the responses). 580 The fundamental mechanisms for securing SIP between proxy servers 581 intra- and inter-domain are applicable to session peering; refer to 582 Section 26.2 of [RFC3261] for transport-layer security of SIP 583 messages using TLS, [RFC5923] for establishing TLS connections 584 between proxies, [RFC4474] for the protocol mechanisms to verify the 585 identity of the senders of SIP requests in an inter-domain context, 586 and [RFC4916] for verifying the identity of the sender of SIP 587 responses). 589 5.3. End-to-End Media Security 591 Media security is critical to guarantee end-to-end confidentiality of 592 the communication between the end-users' devices, independently of 593 how many direct or indirect peers are present along the signaling 594 path. A number of desirable security properties emerge from this 595 goal. 597 The establishment of media security may be achieved along the media 598 path and not over the signaling path given the indirect peering use 599 cases. 600 For example, media carried over the Real-Time Protocol (RTP) can be 601 secured using secure RTP (SRTP [RFC3711]). A framework for 602 establishing SRTP security using Datagram TLS [RFC4347] is described 603 in [RFC5763]: it allows for end-to-end media security establishment 604 using extensions to DTLS ([RFC5764]). 605 It should also be noted that media can be carried in numerous 606 protocols other than RTP such as SIP (SIP MESSAGE method), MSRP (the 607 Message Session Relay Protocol, [RFC4975], XMPP (the Extensible 608 Messaging and Presence Protocol, [RFC3920]) and many others. Media 609 may also be carried over TCP ([RFC4571]), and it can be encrypted 610 over secure connection-oriented transport sessions over TLS 611 ([RFC4572]). 613 A desirable security property for session peering is for SIP entities 614 to be transparent to the end-to-end media security negotiations: SIP 615 entities should not intervene in the Session Description Protocol 616 (SDP) exchanges for end-to-end media security. 618 o Requirement #17: 619 The protocols used to enable session peering MUST NOT interfere 620 with the exchanges of media security attributes in SDP. Media 621 attribute lines that are not understood by SBEs MUST be ignored 622 and passed along the signaling path untouched. 624 6. Acknowledgments 626 This document is based on the input and contributions made by a large 627 number of people including: Bernard Aboba, Edwin Aoki, Scott Brim, 628 John Elwell, Mike Hammer, Avshalom Houri, Richard Shocky, Henry 629 Sinnreich, Richard Stastny, Patrik Faltstrom, Otmar Lendl, Daryl 630 Malas, Dave Meyer, Sriram Parameswar, Jon Peterson, Jason Livingood, 631 Bob Natale, Benny Rodrig, Brian Rosen, Eric Rosenfeld, Peter Saint- 632 Andre, David Schwartz and Adam Uzelac. 634 Specials thanks go to Rohan Mahy, Brian Rosen, John Elwell for their 635 initial drafts describing guidelines or best current practices in 636 various environments, to Avshalom Houri, Edwin Aoki and Sriram 637 Parameswar for authoring the presence and instant messaging 638 requirements and to Dan Wing for providing detailed feedback on the 639 security consideration sections. 641 7. IANA Considerations 643 This document does not register any values in IANA registries. 645 8. References 647 8.1. Normative References 649 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 650 Requirement Levels", BCP 14, RFC 2119, March 1997. 652 8.2. Informative References 654 [I-D.ietf-speermint-architecture] 655 Malas, D. and J. Livingood, "Session PEERing for 656 Multimedia INTerconnect Architecture", 657 draft-ietf-speermint-architecture-19 (work in progress), 658 February 2011. 660 [I-D.ietf-speermint-voip-consolidated-usecases] 661 Uzelac, A. and Y. Lee, "VoIP SIP Peering Use Cases", 662 draft-ietf-speermint-voip-consolidated-usecases-18 (work 663 in progress), April 2010. 665 [I-D.ietf-speermint-voipthreats] 666 Seedorf, J., Niccolini, S., Chen, E., and H. Scholz, 667 "Session Peering for Multimedia Interconnect (SPEERMINT) 668 Security Threats and Suggested Countermeasures", 669 draft-ietf-speermint-voipthreats-07 (work in progress), 670 January 2011. 672 [RFC2198] Perkins, C., Kouvelas, I., Hodson, O., Hardman, V., 673 Handley, M., Bolot, J., Vega-Garcia, A., and S. Fosse- 674 Parisis, "RTP Payload for Redundant Audio Data", RFC 2198, 675 September 1997. 677 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 678 A., Peterson, J., Sparks, R., Handley, M., and E. 679 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 680 June 2002. 682 [RFC3263] Rosenberg, J. and H. Schulzrinne, "Session Initiation 683 Protocol (SIP): Locating SIP Servers", RFC 3263, 684 June 2002. 686 [RFC3365] Schiller, J., "Strong Security Requirements for Internet 687 Engineering Task Force Standard Protocols", BCP 61, 688 RFC 3365, August 2002. 690 [RFC3455] Garcia-Martin, M., Henrikson, E., and D. Mills, "Private 691 Header (P-Header) Extensions to the Session Initiation 692 Protocol (SIP) for the 3rd-Generation Partnership Project 693 (3GPP)", RFC 3455, January 2003. 695 [RFC3466] Day, M., Cain, B., Tomlinson, G., and P. Rzewski, "A Model 696 for Content Internetworking (CDI)", RFC 3466, 697 February 2003. 699 [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. 700 Jacobson, "RTP: A Transport Protocol for Real-Time 701 Applications", STD 64, RFC 3550, July 2003. 703 [RFC3568] Barbir, A., Cain, B., Nair, R., and O. Spatscheck, "Known 704 Content Network (CN) Request-Routing Mechanisms", 705 RFC 3568, July 2003. 707 [RFC3570] Rzewski, P., Day, M., and D. Gilletti, "Content 708 Internetworking (CDI) Scenarios", RFC 3570, July 2003. 710 [RFC3611] Friedman, T., Caceres, R., and A. Clark, "RTP Control 711 Protocol Extended Reports (RTCP XR)", RFC 3611, 712 November 2003. 714 [RFC3702] Loughney, J. and G. Camarillo, "Authentication, 715 Authorization, and Accounting Requirements for the Session 716 Initiation Protocol (SIP)", RFC 3702, February 2004. 718 [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. 719 Norrman, "The Secure Real-time Transport Protocol (SRTP)", 720 RFC 3711, March 2004. 722 [RFC3824] Peterson, J., Liu, H., Yu, J., and B. Campbell, "Using 723 E.164 numbers with the Session Initiation Protocol (SIP)", 724 RFC 3824, June 2004. 726 [RFC3863] Sugano, H., Fujimoto, S., Klyne, G., Bateman, A., Carr, 727 W., and J. Peterson, "Presence Information Data Format 728 (PIDF)", RFC 3863, August 2004. 730 [RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence 731 Protocol (XMPP): Core", RFC 3920, October 2004. 733 [RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", 734 RFC 3966, December 2004. 736 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 737 Resource Identifier (URI): Generic Syntax", STD 66, 738 RFC 3986, January 2005. 740 [RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 741 Security", RFC 4347, April 2006. 743 [RFC4474] Peterson, J. and C. Jennings, "Enhancements for 744 Authenticated Identity Management in the Session 745 Initiation Protocol (SIP)", RFC 4474, August 2006. 747 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 748 Description Protocol", RFC 4566, July 2006. 750 [RFC4571] Lazzaro, J., "Framing Real-time Transport Protocol (RTP) 751 and RTP Control Protocol (RTCP) Packets over Connection- 752 Oriented Transport", RFC 4571, July 2006. 754 [RFC4572] Lennox, J., "Connection-Oriented Media Transport over the 755 Transport Layer Security (TLS) Protocol in the Session 756 Description Protocol (SDP)", RFC 4572, July 2006. 758 [RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast 759 Services", BCP 126, RFC 4786, December 2006. 761 [RFC4916] Elwell, J., "Connected Identity in the Session Initiation 762 Protocol (SIP)", RFC 4916, June 2007. 764 [RFC4975] Campbell, B., Mahy, R., and C. Jennings, "The Message 765 Session Relay Protocol (MSRP)", RFC 4975, September 2007. 767 [RFC5344] Houri, A., Aoki, E., and S. Parameswar, "Presence and 768 Instant Messaging Peering Use Cases", RFC 5344, 769 October 2008. 771 [RFC5411] Rosenberg, J., "A Hitchhiker's Guide to the Session 772 Initiation Protocol (SIP)", RFC 5411, February 2009. 774 [RFC5486] Malas, D. and D. Meyer, "Session Peering for Multimedia 775 Interconnect (SPEERMINT) Terminology", RFC 5486, 776 March 2009. 778 [RFC5503] Andreasen, F., McKibben, B., and B. Marshall, "Private 779 Session Initiation Protocol (SIP) Proxy-to-Proxy 780 Extensions for Supporting the PacketCable Distributed Call 781 Signaling Architecture", RFC 5503, March 2009. 783 [RFC5630] Audet, F., "The Use of the SIPS URI Scheme in the Session 784 Initiation Protocol (SIP)", RFC 5630, October 2009. 786 [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework 787 for Establishing a Secure Real-time Transport Protocol 788 (SRTP) Security Context Using Datagram Transport Layer 789 Security (DTLS)", RFC 5763, May 2010. 791 [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer 792 Security (DTLS) Extension to Establish Keys for the Secure 793 Real-time Transport Protocol (SRTP)", RFC 5764, May 2010. 795 [RFC5923] Gurbani, V., Mahy, R., and B. Tate, "Connection Reuse in 796 the Session Initiation Protocol (SIP)", RFC 5923, 797 June 2010. 799 [RFC6076] Malas, D. and A. Morton, "Basic Telephony SIP End-to-End 800 Performance Metrics", RFC 6076, January 2011. 802 Appendix A. Policy Parameters for Session Peering 804 This informative section lists various types of parameters that 805 should be considered by implementers when deciding what configuration 806 variables to expose to system administrators or management stations, 807 as well as SSPs or federations of SSPs when discussing the technical 808 part of a session peering policy. 810 In the context of session peering, a policy can be defined as the set 811 of parameters and other information needed by an SSP to exchange 812 traffic with another peer. Some of the session policy parameters may 813 be statically exchanged and set throughout the lifetime of the 814 peering relationship. Others parameters may be discovered and 815 updated dynamically using by some explicit protocol mechanisms. 816 These dynamic parameters may be session-dependent, or the may apply 817 over multiple sessions or peers. 819 Various types of policy information may need to be discovered or 820 exchanged in order to establish session peering. At a minimum, a 821 policy should specify information related to session establishment 822 data in order to avoid session establishment failures. A policy may 823 also include information related to QoS, billing and accounting, 824 layer-3 related interconnect requirements which are out of the scope 825 of this document. 827 Some aspects of session peering policies must be agreed to and 828 manually implemented; they are static and are typically documented as 829 part of a business contract, technical document or agreement between 830 parties. For some parameters linked to protocol support and 831 capabilities, standard ways of expressing those policy parameters may 832 be defined among SSP and exchanged dynamically. For e.g., templates 833 could be created in various document formats so that it could be 834 possible to dynamically discover some of the domain policy. Such 835 templates could be initiated by implementers (for each software/ 836 hardware release, a list of supported RFCs, RFC parameters is 837 provided in a standard format) and then adapted by each SSP based on 838 its service description, server or device configurations and variable 839 based on peer relationships. 841 A.1. Categories of Parameters for VoIP Session Peering and 842 Justifications 844 The following list should be considered as an initial list of 845 "discussion topics" to be addressed by peers when initiating a VoIP 846 peering relationship. 848 o IP Network Connectivity: 849 Session peers should define the IP network connectivity between 850 their respective SBEs and DBEs. While this is out of scope of 851 session peering, SSPs must agree on a common mechanism for IP 852 transport of session signaling and media. This may be accomplish 853 via private (e.g. IPVPN, IPsec, etc.) or public IP networks. 855 o Media-related Parameters: 857 * Media Codecs: list of supported media codecs for audio, real- 858 time fax (version of T.38, if applicable), real-time text (RFC 859 4103), DTMF transport, voice band data communications (as 860 applicable) along with the supported or recommended codec 861 packetization rates, level of RTP payload redundancy, audio 862 volume levels, etc. 864 * Media Transport: level of support for RTP-RTCP [RFC3550], RTP 865 Redundancy (RTP Payload for Redundant Audio Data - [RFC2198]) , 866 T.38 transport over RTP, etc. 868 * Media variability at the Signaling path Border Elements: list 869 of media types supported by the various ingress points of a 870 peer's network. 872 * Other: support of the VoIP metric block as defined in RTP 873 Control Protocol Extended Reports [RFC3611] , etc. 875 o SIP: 877 * A session peering policy should include the list of supported 878 and required SIP RFCs, supported and required SIP methods 879 (including private p headers if applicable), error response 880 codes, supported or recommended format of some header field 881 values , etc. 883 * It should also be possible to describe the list of supported 884 SIP RFCs by various functional groupings. A group of SIP RFCs 885 may represent how a call feature is implemented (call hold, 886 transfer, conferencing, etc.), or it may indicate a functional 887 grouping as in [RFC5411]. 889 o Accounting: 890 Methods used for call or session accounting should be specified. 891 An SSP may require a peer to track session usage. It is critical 892 for peers to determine whether the support of any SIP extensions 893 for accounting is a pre-requisite for SIP interoperability. In 894 some cases, call accounting may feed data for billing purposes but 895 not always: some operators may decide to use accounting as a 'bill 896 and keep' model to track session usage and monitor usage against 897 service level agreements. 898 [RFC3702] defines the terminology and basic requirements for 899 accounting of SIP sessions. A few private SIP extensions have 900 also been defined and used over the years to enable call 901 accounting between SSP domains such as the P-Charging* headers in 902 [RFC3455], the P-DCS-Billing-Info header in [RFC5503], etc. 904 o Performance Metrics: 905 Layer-5 performance metrics should be defined and shared between 906 peers. The performance metrics apply directly to signaling or 907 media; they may be used pro-actively to help avoid congestion, 908 call quality issues or call signaling failures, and as part of 909 monitoring techniques, they can be used to evaluate the 910 performance of peering exchanges. 911 Examples of SIP performance metrics include the maximum number of 912 SIP transactions per second on per domain basis, Session 913 Completion Rate (SCR), Session Establishment Rate (SER), etc. 914 Some SIP end-to-end performance metrics are defined in [RFC6076]; 915 a subset of these may be applicable to session peering and 916 interconnects. 917 Some media-related metrics for monitoring VoIP calls have been 918 defined in the VoIP Metrics Report Block, in Section 4.7 of 919 [RFC3611]. 921 o Security: 922 An SSP should describe the security requirements that other peers 923 must meet in order to terminate calls to its network. While such 924 a list of security-related policy parameters often depends on the 925 security models pre-agreed to by peers, it is expected that these 926 parameters will be discoverable or signaled in the future to allow 927 session peering outside SSP clubs. The list of security 928 parameters may be long and composed of high-level requirements 929 (e.g. authentication, privacy, secure transport) and low level 930 protocol configuration elements like TLS parameters. 931 The following list is not intended to be complete, it provides a 932 preliminary list in the form of examples: 934 * Call admission requirements: for some providers, sessions can 935 only be admitted if certain criteria are met. For example, for 936 some providers' networks, only incoming SIP sessions signaled 937 over established IPsec tunnels or presented to the well-known 938 TLS ports are admitted. Other call admission requirements may 939 be related to some performance metrics as described above. 940 Finally, it is possible that some requirements be imposed on 941 lower layers, but these are considered out of scope of session 942 peering. 944 * Call authorization requirements and validation: the presence of 945 a caller or user identity may be required by an SSP. Indeed, 946 some SSPs may further authorize an incoming session request by 947 validating the caller's identity against white/black lists 948 maintained by the service provider or users (traditional caller 949 ID screening applications or IM white list). 951 * Privacy requirements: an SSP may demand that its SIP messages 952 be securely transported by its peers for privacy reasons so 953 that the calling/called party information be protected. Media 954 sessions may also require privacy and some SSP policies may 955 include requirements on the use of secure media transport 956 protocols such as SRTP, along with some constraints on the 957 minimum authentication/encryption options for use in SRTP. 959 * Network-layer security parameters: this covers how IPsec 960 security associated may be established, the IPsec key exchange 961 mechanisms to be used and any keying materials, the lifetime of 962 timed Security Associated if applicable, etc. 964 * Transport-layer security parameters: this covers how TLS 965 connections should be established as described in section 966 Section 5. 968 A.2. Summary of Parameters for Consideration in Session Peering 969 Policies 971 The following is a summary of the parameters mentioned in the 972 previous section. They may be part of a session peering policy and 973 appear with a level of requirement (mandatory, recommended, 974 supported, ...). 976 o IP Network Connectivity (assumed, requirements out of scope of 977 this document) 979 o Media session parameters: 981 * Codecs for audio, video, real time text, instant messaging 982 media sessions 984 * Modes of communications for audio (voice, fax, DTMF), IM (page 985 mode, MSRP) 987 * Media transport and means to establish secure media sessions 989 * List of ingress and egress DBEs where applicable, including 990 STUN Relay servers if present 992 o SIP 994 * SIP RFCs, methods and error responses 996 * headers and header values 998 * possibly, list of SIP RFCs supported by groups (e.g. by call 999 feature) 1001 o Accounting 1003 o Capacity Control and Performance Management: any limits on, or, 1004 means to measure and limit the maximum number of active calls to a 1005 peer or federation, maximum number of sessions and messages per 1006 specified unit time, maximum number of active users or subscribers 1007 per specified unit time, the aggregate media bandwidth per peer or 1008 for the federation, specified SIP signaling performance metrics to 1009 measure and report; media-level VoIP metrics if applicable. 1011 o Security: Call admission control, call authorization, network and 1012 transport layer security parameters, media security parameters 1014 Author's Address 1016 Jean-Francois Mule 1017 CableLabs 1018 858 Coal Creek Circle 1019 Louisville, CO 80027 1020 USA 1022 Email: jf.mule@cablelabs.com