diff options
Diffstat (limited to 'doc/rfc/rfc6795.txt')
-rw-r--r-- | doc/rfc/rfc6795.txt | 1011 |
1 files changed, 1011 insertions, 0 deletions
diff --git a/doc/rfc/rfc6795.txt b/doc/rfc/rfc6795.txt new file mode 100644 index 0000000..67f3c5a --- /dev/null +++ b/doc/rfc/rfc6795.txt @@ -0,0 +1,1011 @@ + + + + + + +Internet Engineering Task Force (IETF) V. Hilt +Request for Comments: 6795 Bell Labs/Alcatel-Lucent +Category: Standards Track G. Camarillo +ISSN: 2070-1721 Ericsson + December 2012 + + + A Session Initiation Protocol (SIP) Event Package for + Session-Specific Policies + +Abstract + + This specification defines a Session Initiation Protocol (SIP) event + package for session-specific policies. This event package enables + user agents (UAs) to subscribe to session policies for a SIP session + and to receive notifications if these policies change. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc6795. + +Copyright Notice + + Copyright (c) 2012 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + + + + +Hilt & Camarillo Standards Track [Page 1] + +RFC 6795 Session Policy Event Package December 2012 + + +Table of Contents + + 1. Introduction ....................................................2 + 2. Terminology .....................................................3 + 3. Event Package Formal Definition .................................3 + 3.1. Event Package Name .........................................4 + 3.2. Event Package Parameters ...................................4 + 3.3. SUBSCRIBE Bodies ...........................................4 + 3.4. Subscription Duration ......................................5 + 3.5. NOTIFY Bodies ..............................................5 + 3.6. Subscriber Generation of SUBSCRIBE Requests ................6 + 3.7. Notifier Processing of SUBSCRIBE Requests ..................8 + 3.8. Notifier Generation of NOTIFY Requests .....................9 + 3.9. Subscriber Processing of NOTIFY Requests ..................10 + 3.10. Handling of Forked Requests ..............................11 + 3.11. Rate of Notifications ....................................11 + 3.12. State Agents .............................................11 + 3.13. Examples .................................................11 + 4. Security Considerations ........................................14 + 5. IANA Considerations ............................................16 + 5.1. Event Package Name ........................................16 + 6. References .....................................................16 + 6.1. Normative References ......................................16 + 6.2. Informative References ....................................17 + Appendix A. Acknowledgements ......................................18 + +1. Introduction + + The Framework for Session Initiation Protocol (SIP) [RFC3261] Session + Policies [RFC6794] defines a protocol framework that enables a proxy + to define and impact policies on sessions such as the codecs or media + types to be used. This framework identifies two types of session + policies: session-specific and session-independent policies. + Session-specific policies are policies that are created for one + particular session, based on the session description of this session. + They enable a network intermediary to inspect the session description + that a UA is proposing and to return a policy specifically generated + for this session description. For example, an intermediary could + open pinholes in a firewall/NAT for each media stream in a session + and return a policy that replaces the internal IP addresses and ports + in the session description with external ones. Since session- + specific policies are tailored to a session, they only apply to the + session for which they are created. A UA requests session-specific + policies on a session-by-session basis at the time a session is + created and the session description is known. Session-independent + policies, on the other hand, are policies that are created + independently of a session and generally apply to all the SIP + sessions set up by a user agent. + + + +Hilt & Camarillo Standards Track [Page 2] + +RFC 6795 Session Policy Event Package December 2012 + + + "A Framework for Session Initiation Protocol (SIP) Session Policies" + [RFC6794] defines a mechanism that enables UAs to discover the URIs + of session-specific policy servers. This specification defines a SIP + event package [RFC6665] that enables UAs to subscribe to session- + specific policies on a policy server. Subscribing to session- + specific policies involves the following steps (see the Session + Policy Framework [RFC6794]): + + 1. A user agent submits the details of the session it is trying to + establish to the policy server and asks whether a session using + these parameters is permissible. For example, a user agent might + propose a session that contains the media types audio and video. + + 2. The policy server generates a policy decision for this session + and returns the decision to the user agent. Possible policy + decisions are (1) to deny the session, (2) to propose changes to + the session parameters with which the session would be + acceptable, or (3) to accept the session as it was proposed. An + example for a policy decision is to disallow the use of video but + agree to all other aspects of the proposed session. + + 3. The policy server can update the policy decision at a later time. + A policy decision update can require additional changes to the + session (e.g., because the available bandwidth has changed) or + deny a previously accepted session (i.e., disallow the + continuation of a session). + + The event package for session-specific policies enables a user agent + to subscribe to the policies for a SIP session following the above + model. The subscriber initiates a subscription by submitting the + details of the session it is trying to establish to the notifier + (i.e., the policy server) in the body of a SUBSCRIBE request. The + notifier uses this information to determine the policy decision for + this session. It conveys the initial policy decision to the + subscriber in a NOTIFY request and all changes to this decision in + subsequent NOTIFY requests. + +2. Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [RFC2119]. + +3. Event Package Formal Definition + + This document provides the details for defining a SIP event package + as required by RFC 6665 [RFC6665]. + + + + +Hilt & Camarillo Standards Track [Page 3] + +RFC 6795 Session Policy Event Package December 2012 + + +3.1. Event Package Name + + The name of the event package defined in this specification is + "session-spec-policy". + +3.2. Event Package Parameters + + This package defines the following two event package parameters: + + local-only: The "local-only" parameter is optional and only defined + for NOTIFY requests. The "local-only" parameter indicates that + the remote session description is not required by the notifier. + It MUST be ignored if received in a SUBSCRIBE request. The usage + of the "local-only" parameter is described in Sections 3.6, 3.8 + and 3.9. + + insufficient-info: The "insufficient-info" parameter is optional and + only defined for NOTIFY requests. It is used by the notifier to + indicate that a policy decision could not be made due to + insufficient information. The "insufficient-info" parameter MUST + be ignored if received in a SUBSCRIBE request. The usage of the + "insufficient-info" parameter is described in Sections 3.7, 3.8 + and 3.9. + +3.3. SUBSCRIBE Bodies + + A SUBSCRIBE for this event package MUST contain a body that describes + a SIP session. The purpose of this body is to enable the notifier to + generate the policies in which the subscriber is interested. In this + event package, the Request-URI, the event package name, and event + parameters are not sufficient to determine the resource a + subscription is for. However, with the session description in the + SUBSCRIBE body, the notifier can generate the requested policy + decision and create policy events for this resource. + + All subscribers and notifiers MUST support the MIME type + "application/media-policy-dataset+xml" as defined in "A User Agent + Profile Data Set for Media Policy" [RFC6796]. The "application/ + media-policy-dataset+xml" format is the default format for SUBSCRIBE + bodies in this event package. Subscribers and notifiers MAY + negotiate the use of other formats capable of representing a session. + + Note: It has been proposed to directly use Session Description + Protocol (SDP) [RFC4566] instead of encoding the session + descriptions in the Media Policy [RFC6796] format. However, using + a separate format such as the Media Policy format has a number of + advantages over the direct use of SDP: i) the Media Policy format + is more flexible and allows the inclusion of information that + + + +Hilt & Camarillo Standards Track [Page 4] + +RFC 6795 Session Policy Event Package December 2012 + + + can't be expressed in SDP (e.g., the target URI), ii) the Media + Policy format enables the encoding of local and remote session + descriptions in a single document (not requiring the use of MIME + multipart and new content disposition types), and iii) the Media + Policy format aligns the formats used for session-specific and + session-independent policies. A drawback is that it requires the + UA to encode SDP and session information in Media Policy + documents. + +3.4. Subscription Duration + + A subscription to the session-specific policy package is usually + established at the beginning of a session and terminated when the + corresponding session ends. A typical duration of a phone call is a + few minutes. + + Since the duration of a subscription to the session-specific policy + package is related to the lifetime of the corresponding session, the + value for the duration of a subscription is largely irrelevant. + However, the duration SHOULD be longer than the typical duration of a + session. The default subscription duration for this event package is + set to two hours. + + A subscription MAY be terminated before a session ends by the + notifier. For example, a notifier may terminate the subscription + after the initial policy notification has been sent to the subscriber + if it knows that these policies will not change during the session. + A subscriber MUST NOT terminate a subscription unless it is + terminating the session this subscription is for or discovers that + the notifier has been removed from the list of policy servers + relevant for this session (see the Session Policy Framework + [RFC6794]). A subscriber MUST refresh a subscription with a + SUBSCRIBE request before the last SUBSCRIBE request expires to avoid + that the subscription times out. + +3.5. NOTIFY Bodies + + In this event package, the body of a notification contains the + session policy requested by the subscriber. All subscribers and + notifiers MUST support the format "application/ + media-policy-dataset+xml" [RFC6796] as a format for NOTIFY bodies. + + The SUBSCRIBE request MAY contain an Accept header field. If no such + header field is present, it has a default value of "application/ + media-policy-dataset+xml". If the header field is present, it MUST + include "application/media-policy-dataset+xml", and it MAY include + any other MIME type capable of representing session-specific + + + + +Hilt & Camarillo Standards Track [Page 5] + +RFC 6795 Session Policy Event Package December 2012 + + + policies. As defined in RFC 6665 [RFC6665], the body of + notifications MUST be in one of the formats defined in the Accept + header of the SUBSCRIBE request or in the default format. + + If the notifier uses the same format in NOTIFY bodies that was used + by the subscriber in the SUBSCRIBE body (e.g., "application/ + media-policy-dataset+xml"), the notifier can expect that the + subscriber supports all format extensions that were used in the + SUBSCRIBE body. The notifier cannot assume that the subscriber + supports other extensions beyond that and SHOULD NOT use such + extensions. + + If the SUBSCRIBE request contained a representation of the local + session description and the subscription was accepted, then the + NOTIFY body MUST contain a policy for the local session description. + If the SUBSCRIBE request of an accepted subscription contained the + local and the remote session description, then the NOTIFY body MUST + contain two policies: one for the local and one for the remote + session description. + +3.6. Subscriber Generation of SUBSCRIBE Requests + + The subscriber follows the general rules for generating SUBSCRIBE + requests defined in RFC 6665 [RFC6665]. The subscriber MUST provide + sufficient information in the SUBSCRIBE body to fully describe the + session for which it seeks to receive session-specific policies. The + subscriber MUST use the most recent session description as a basis + for this information. + + If the "application/media-policy-dataset+xml" format is used in + SUBSCRIBE bodies, the subscriber MUST provide a value for each field + that is defined for session information documents [RFC6796] and for + which the subscriber has information available. In other words, the + subscriber MUST fill in the elements of a session information + document as complete as possible. If the subscriber supports + extensions of the "application/media-policy-dataset+xml" format, the + subscriber MUST also provide a value for each field defined by this + extension for session information documents, if possible. Providing + as much information as possible avoids that a session is rejected due + to a lack of session information and the negotiation of the + information to be disclosed between notifier and subscriber. + + Subscriptions to this event package are typically created in + conjunction with an SDP offer/answer exchange [RFC3264] during the + establishment of a session (see the Session Policy Framework + [RFC6794]). If used with an offer/answer exchange, the subscriber + MUST insert the representation of the local session description in + the SUBSCRIBE body. The local session description is the one that + + + +Hilt & Camarillo Standards Track [Page 6] + +RFC 6795 Session Policy Event Package December 2012 + + + was created by the subscriber (e.g., the offer if the subscriber has + initiated the offer/answer exchange). Under certain circumstances, a + UA may not have a session description when subscribing to session- + specific policies, for example, when it is composing an empty INVITE + request (i.e., an INVITE request that does not contain an offer). In + these cases, a UA SHOULD establish a subscription without including a + representation of the local session description. The UA MUST refresh + the subscription with a SUBSCRIBE request that contains this session + description as soon as the session description becomes available, for + example, when the UA receives a 200 OK to an empty INVITE request. A + policy server can choose to admit a session only after the UA has + disclosed the session descriptions. + + The subscriber SHOULD also include a representation of the remote + session description in the SUBSCRIBE body. The remote session + description is the one the subscriber has received (i.e., the answer + if the subscriber has initiated the offer/answer exchange). In some + scenarios, the remote session description is not available to the + subscriber at the time the subscription to session-specific policies + is established. In this case, the initial SUBSCRIBE message SHOULD + only contain a representation of the local session description. When + the remote description becomes available, the subscriber SHOULD + refresh the subscription by sending another SUBSCRIBE request, which + then contains the local and the remote session description, unless + the subscriber has received a NOTIFY request with the "local-only" + parameter. This parameter indicates that the notifier does not need + to see the remote session description. + + A user agent can change the session description of an ongoing + session. A change in the session description will typically affect + the policy decisions for this session. A subscriber MUST refresh the + subscription to session-specific policies every time the session + description of a session changes. It does this by sending a + SUBSCRIBE request, which contains the details of the updated session + descriptions. + + A subscriber may receive an error that indicates a server failure in + response to a SUBSCRIBE request. In this case, the subscriber SHOULD + try to locate an alternative server, for example, using the + procedures described in [RFC3263]. If no alternative server can be + located, the subscriber MAY continue with the session for which it + wanted to receive session-specific policies without subscribing to + session-specific policies. This is to avoid that a failed policy + server prevents a UA from setting up or continuing with a session. + Since the sessions created by the UA may not be policy compliant + without this subscription, they may be blocked by policy enforcement + mechanisms if they are in place. + + + + +Hilt & Camarillo Standards Track [Page 7] + +RFC 6795 Session Policy Event Package December 2012 + + + Session policies can contain sensitive information. Moreover, policy + decisions can significantly impact the behavior of a user agent. A + user agent should therefore verify the identity of a policy server + and make sure that policies have not been altered in transit. All + implementations of this package MUST support Transport Layer Security + (TLS) [RFC5246] and the Session Initiation Protocol Secure (SIPS) URI + scheme. A subscriber SHOULD use SIPS URIs when subscribing to + session-specific policies so that policies are transmitted over TLS. + See Section 4. + +3.7. Notifier Processing of SUBSCRIBE Requests + + All subscriptions to session-specific policies SHOULD be + authenticated and authorized before approval. However, a policy + server may frequently encounter UAs it cannot authenticate. In these + cases, the policy server MAY provide a generic policy that does not + reveal sensitive information to these UAs. For details, see + Section 4. + + The authorization policy is at the discretion of the administrator. + In general, all users SHOULD be allowed to subscribe to the session- + specific policies of their sessions. A subscription to this event + package will typically be established by a device that needs to know + about the policies for its sessions. However, subscriptions may also + be established by applications (e.g., a conference server). In those + cases, an authorization policy will typically be provided for these + applications. + + Responding in a timely manner to a SUBSCRIBE request is crucial for + this event package. A notifier must minimize the time needed for + processing SUBSCRIBE requests and generating the initial NOTIFY + request. This includes minimizing the time needed to generate an + initial policy decision. In particular, a short response time is + important for this event package since it minimizes the delay for + fetching policies during an INVITE transaction and therefore reduces + call setup time. In addition, subscriptions to session-specific + policies can be established while the subscriber is in an INVITE + transaction at a point where it has received the 200 OK but before + sending the ACK. Delaying the creation of the initial NOTIFY request + would delay the transmission of the ACK. A more detailed discussion + of this scenario can be found in the Session Policy Framework + [RFC6794]. + + A subscriber may not have disclosed enough information in the + SUBSCRIBE request to enable the notifier to generate a policy + decision. For example, a UA may have subscribed to session-specific + policies without including the representation of a session + description. The policy server SHOULD accept such a subscription. + + + +Hilt & Camarillo Standards Track [Page 8] + +RFC 6795 Session Policy Event Package December 2012 + + + The policy server SHOULD generate a NOTIFY request that includes the + "insufficient-info" event package parameter. A NOTIFY request with + this parameter indicates that a policy decision could not be made due + to insufficient information. The body of such a NOTIFY request can + either be empty or contain a policy decision document that provides + hints about which information was missing. + +3.8. Notifier Generation of NOTIFY Requests + + A notifier sends a notification in response to SUBSCRIBE requests as + defined in RFC 6665 [RFC6665]. In addition, a notifier MAY send a + notification at any time during the subscription. Typically, it will + send one every time the policy decision this subscription is for has + changed. When and why a policy decision changes is entirely at the + discretion of the administrator. A policy decision can change for + many reasons. For example, a network may become congested due to an + increase in traffic and reduce the bandwidth available to an + individual user. Another example is a session that has been started + during "business hours" and continues into "evening hours" where more + bandwidth or video sessions are available to the user according to + the service level agreement. + + Policy decisions are expressed in the format negotiated for the + NOTIFY body (e.g., "application/media-policy-dataset+xml"). The + policy document in a NOTIFY body MUST represent a complete policy + decision. Notifications that contain the deltas to previous policy + decisions or partial policy decisions are not supported in this event + package. + + The notifier SHOULD terminate the subscription if the policy decision + is to reject a session and if it can be expected that this decision + will not change in the foreseeable future. The notifier SHOULD keep + the subscription alive, if it rejects a session but expects that the + session can be admitted soon. For example, if the session was + rejected due to a temporary shortage of resources and the notifier + expects that these resources will become available again shortly it + should keep the subscription alive. The decision to reject a session + is expressed in the policy decision document. A session is admitted + by returning a policy decision document that requires some or no + changes to the session. + + If the notifier has not received enough information to make a policy + decision from the subscriber (e.g., because it did not receive a + session description), the notifier SHOULD NOT terminate the + subscription since it can be expected that the UA refreshes the + subscription with a SUBSCRIBE request that contains more information. + The notifier SHOULD generate a NOTIFY request with the "insufficient- + info" event package parameter to indicate that a policy decision + + + +Hilt & Camarillo Standards Track [Page 9] + +RFC 6795 Session Policy Event Package December 2012 + + + could not be made due to insufficient information. This NOTIFY + request can contain an empty body or a body that contains a policy + decision document indicating which information was missing. + + Some session-specific policies do not require the disclosure of the + remote session description to the notifier. If a notifier determines + that this is the case after receiving a SUBSCRIBE request, the + notifier SHOULD include the "local-only" event parameter in NOTIFY + requests. + +3.9. Subscriber Processing of NOTIFY Requests + + A subscriber MUST apply the policy decision received in a NOTIFY + request to the session associated with this subscription. If the UA + decides not to apply the received policy decision, the UA MUST NOT + set up the session and MUST terminate the session if the session is + already in progress. If the UA has a pending INVITE transaction for + this session, the UA MUST cancel or reject the INVITE request. + + If the subscriber receives a NOTIFY request indicating that the + session has been rejected, the subscriber MUST NOT attempt to + establish this session. If the notifier has terminated the + subscription after rejecting the session, the subscriber SHOULD NOT + try to re-send the same SUBSCRIBE request again. The termination of + the subscription by the notifier indicates that the policy decision + for this session is final and will not change in the foreseeable + future. The subscriber MAY try to re-subscribe for this session if + at least one aspect of the session (e.g., a parameter in the session + description or the target URI) has changed or if there is other + reason to believe that re-trying the subscription will be successful + (e.g., because time has progressed significantly since the last + attempt). + + The notifier may keep up the subscription after rejecting a session + to indicate that it may send an updated policy decision for this + session to the subscriber at a later time. This is useful, for + example, if the session was rejected due to a temporary shortage of + resources and the notifier expects that this problem to be resolved + shortly. In another example, the session was rejected because it was + attempted in a restricted period during the day but this period is + going to end soon. In this case, the subscriber SHOULD not terminate + the subscription to session-specific policies. + + The subscriber may receive a NOTIFY request that contains an + "insufficient-info" event package parameter to indicate that the + SUBSCRIBE request did not contain enough information. The subscriber + + + + + +Hilt & Camarillo Standards Track [Page 10] + +RFC 6795 Session Policy Event Package December 2012 + + + SHOULD refresh the subscription with more complete information as + soon as the missing information (e.g., the session description) is + available. + + A subscriber may receive an update to a policy decision for a session + that is already established. The subscriber MUST apply the new + policy decision to this session. If a UA decides that it does not + want to apply the new policy decision, the UA MUST terminate the + session. An updated policy decision may require the UA to generate a + re-INVITE or UPDATE request in this session if the session + description has changed or it may need to terminate this session. A + policy update that requires a UA to terminate a session can, for + example, be triggered by the user's account running out of credit or + the detection of an emergency that requires the termination of non- + emergency calls. + + If the subscriber receives a NOTIFY request that contains the "local- + only" event parameter, the subscriber SHOULD NOT include the remote + session description in subsequent SUBSCRIBE requests within this + subscription. + +3.10. Handling of Forked Requests + + This event package allows the creation of only one dialog as a result + of an initial SUBSCRIBE request. The techniques to achieve this + behavior are described in [RFC6665]. + +3.11. Rate of Notifications + + It is anticipated that the rate of policy changes will be very low. + In any case, notifications SHOULD NOT be generated at a rate of more + than once every five seconds. + +3.12. State Agents + + State agents play no role in this package. + +3.13. Examples + + The following message flow illustrates how a user agent (Alice's + phone) can subscribe to session-specific policies when establishing a + call (here to Bob's phone). The flow assumes that the user agent has + already received the policy server URI (e.g., through configuration + or as described in the Session Policy Framework [RFC6794]), and it + does not show messages for authentication on a transport or SIP + level. + + These call flow examples are informative and not normative. + + + +Hilt & Camarillo Standards Track [Page 11] + +RFC 6795 Session Policy Event Package December 2012 + + + Implementers should consult the main text of this document for exact + protocol details. + + + Policy Server Alice Bob + | | | + |(1) SUBSCRIBE | | + |<------------------| | + |(2) 200 OK | | + |------------------>| | + |(3) NOTIFY | | + |------------------>| | + |(4) 200 OK | | + |<------------------| | + | |(5) INVITE | + | |------------------>| + | | | + | |(6) 200 OK | + | |<------------------| + | |(7) ACK | + | |------------------>| + |(8) SUBSCRIBE | | + |<------------------| | + |(9) 200 OK | | + |------------------>| | + |(10) NOTIFY | | + |------------------>| | + |(11) 200 OK | | + |<------------------| | + | | | + + Message Details + + (1) SUBSCRIBE Alice -> Policy Server + + SUBSCRIBE sips:policy@biloxi.example.com SIP/2.0 + Via: SIP/2.0/TLS pc.biloxi.example.com:5061 + ;branch=z9hG4bK74bf + Max-Forwards: 70 + From: Alice <sips:alice@biloxi.example.com>;tag=8675309 + To: PS <sips:policy@biloxi.example.com> + Call-ID: rt4353gs2egg@pc.biloxi.example.com + CSeq: 1 SUBSCRIBE + Contact: <sips:alice@pc.biloxi.example.com> + Expires: 7200 + Event: session-spec-policy + Accept: application/media-policy-dataset+xml + Content-Type: application/media-policy-dataset+xml + + + +Hilt & Camarillo Standards Track [Page 12] + +RFC 6795 Session Policy Event Package December 2012 + + + Content-Length: ... + + [Local session description (offer)] + + + (2) 200 OK Policy Server -> Alice + + (3) NOTIFY Policy Server -> Alice + + NOTIFY sips:alice@pc.biloxi.example.com SIP/2.0 + Via: SIP/2.0/TLS srvr.biloxi.example.com:5061 + ;branch=z9hG4bK74br + Max-Forwards: 70 + From: PS <sips:policy@biloxi.example.com>;tag=31451098 + To: Alice <sips:alice@biloxi.example.com>;tag=8675309 + Call-ID: rt4353gs2egg@pc.biloxi.example.com + CSeq: 1 NOTIFY + Event: session-spec-policy + Subscription-State: active;expires=7200 + Content-Type: application/media-policy-dataset+xml + Content-Length: ... + + [Policy for local session description (offer)] + + (4) 200 OK Alice -> Policy Server + + (5) INVITE Alice -> Bob + + (6) 200 OK Bob -> Alice + + (7) ACK Alice -> Bob + + (8) SUBSCRIBE Alice -> Policy Server + + SUBSCRIBE sips:policy@biloxi.example.com SIP/2.0 + Via: SIP/2.0/TLS pc.biloxi.example.com:5061 + ;branch=z9hG4bKna998sl + Max-Forwards: 70 + From: Alice <sips:alice@biloxi.example.com>;tag=8675309 + To: PS <sips:policy@biloxi.example.com>;tag=31451098 + Call-ID: rt4353gs2egg@pc.biloxi.example.com + CSeq: 2 SUBSCRIBE + Expires: 7200 + Event: session-spec-policy + Accept: application/media-policy-dataset+xml + Content-Type: application/media-policy-dataset+xml + Content-Length: ... + + + + +Hilt & Camarillo Standards Track [Page 13] + +RFC 6795 Session Policy Event Package December 2012 + + + [Local session description (offer)] + [Remote session description (answer)] + + + (9) 200 OK Policy Server -> Alice + + (10) NOTIFY Policy Server -> Alice + + NOTIFY sips:alice@pc.biloxi.example.com SIP/2.0 + Via: SIP/2.0/TLS srvr.biloxi.example.com:5061 + ;branch=z9hG4bKna998sk + Max-Forwards: 70 + From: PS <sips:policy@biloxi.example.com>;tag=31451098 + To: Alice <sips:alice@biloxi.example.com>;tag=8675309 + Call-ID: rt4353gs2egg@pc.biloxi.example.com + CSeq: 2 NOTIFY + Event: session-spec-policy + Subscription-State: active;expires=7200 + Content-Type: application/media-policy-dataset+xml + Content-Length: ... + + [Policy for local session description (offer)] + [Policy for remote session description (answer)] + + F6 200 OK Alice -> Policy Server + + +4. Security Considerations + + Session policies can significantly change the behavior of a user + agent and can therefore be used by an attacker to compromise a user + agent. For example, session policies can be used to prevent a user + agent from successfully establishing a session (e.g., by setting the + available bandwidth to zero). Such a policy can be submitted to the + user agent during a session, which may cause the UA to terminate the + session. + + A user agent transmits session information to a policy server. This + information may contain sensitive data the user may not want an + eavesdropper or an unauthorized policy server to see. For example, + the session information may contain the encryption keys for media + streams. Vice versa, session policies may also contain sensitive + information about the network or service level agreements the service + provider may not want to disclose to an eavesdropper or an + unauthorized user agent. + + + + + + +Hilt & Camarillo Standards Track [Page 14] + +RFC 6795 Session Policy Event Package December 2012 + + + It is therefore important to secure the communication between the + user agent and the policy server. The following three discrete + attributes need to be protected: + + 1. authentication of the policy server and, if needed, the user + agent, + + 2. confidentiality of the messages exchanged between the user agent + and the policy server, and + + 3. ensuring that private information is not exchanged between the + two parties, even over a confidentiality-assured and + authenticated session. + + Authentication of the peers and protecting the confidentiality of the + policies in transit is achieved by existing SIP security mechanisms + (the use of TLS and SIPS URI scheme [RFC3261], [RFC5630]). + + Accordingly, policy servers SHOULD be addressable only through a SIPS + URI. Policy server and user agent MUST support TLS. The + confidentiality of the communication between the policy server and + the user agent will be assured as long as the policy server supports + TLS and is reached through a SIPS URI. + + Authenticating the two parties can be performed using X.509 + certificates exchanged through TLS and other techniques such as HTTP + Digest. When the user agent establishes a TLS session with the + policy server, the policy server will present it with an X.509 + certificate. The user agent SHOULD ensure that the identity of the + policy server encoded in the certificate matches the URI of the + policy server the user agent has received either using the Session + Policy Framework [RFC6794] or other means such as configuration. + + When a policy server receives a new subscription (as opposed to a + refresh subscription), the policy server SHOULD try to authenticate + the user agent using any means at its disposal. If the user agent + has an X.509 certificate suitable for use with TLS, the identity of + the user agent SHOULD be contained in the certificate, or, if the + user agent does not possess a certificate, the policy server SHOULD + challenge the user agent using HTTP Digest. A policy server may + frequently encounter UAs it cannot authenticate. In these cases, the + policy server MAY provide a generic policy that does not reveal + sensitive information to these UAs. + + If the subscriber and notifier desire to protect the integrity of the + policy exchange in an end-to-end manner, they MAY use S/MIME to + protect the session policies. However, RFC3261 cautions that + "[i]mplementers should note, however, that there may be rare network + + + +Hilt & Camarillo Standards Track [Page 15] + +RFC 6795 Session Policy Event Package December 2012 + + + intermediaries (not typical proxy servers) that rely on viewing or + modifying the bodies of SIP messages (especially SDP), and that + secure MIME may prevent these sorts of intermediaries from + functioning" [RFC3261]. + + And finally, the fact that the user agent and the policy server have + successfully authenticated each other and have established a secure + TLS session does not absolve either one from ensuring that they do + not communicate sensitive information. For example, a session + description may contain sensitive information -- session keys, for + example -- that the user agent may not want to share with the policy + server; and indeed, the policy server does not need such information + to effectively formulate a policy. Thus, the user agent should not + insert such sensitive information in a session information document + that it sends to the policy server. Likewise, the policy server may + have information that is sensitive and of no use to the user agent -- + network service level agreements, or network statistics, for example. + Thus, the policy server should refrain from transmitting such + information to the user agent. + +5. IANA Considerations + +5.1. Event Package Name + + This specification registers an event package as follows, based on + the registration procedures defined in RFC 6665 [RFC6665]. + + Package Name: session-spec-policy + + Package or Template-Package: This is a package. + + Published Document: RFC 6795. + + Person to Contact: Volker Hilt, volker.hilt@bell-labs.com. + +6. References + +6.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, + A., Peterson, J., Sparks, R., Handley, M., and E. + Schooler, "SIP: Session Initiation Protocol", RFC 3261, + June 2002. + + + + + +Hilt & Camarillo Standards Track [Page 16] + +RFC 6795 Session Policy Event Package December 2012 + + + [RFC3263] Rosenberg, J. and H. Schulzrinne, "Session Initiation + Protocol (SIP): Locating SIP Servers", RFC 3263, + June 2002. + + [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security + (TLS) Protocol Version 1.2", RFC 5246, August 2008. + + [RFC6665] Roach, A., "SIP-Specific Event Notification", RFC 6665, + July 2012. + + [RFC6794] Hilt, V., Camarillo, G., and J. Rosenberg, "A Framework + for Session Initiation Protocol (SIP) Session Policies", + RFC 6794, December 2012. + + [RFC6796] Hilt, V., Camarillo, G., Rosenberg, J., and D. Worley, "A + User Agent Profile Data Set for Media Policy", RFC 6796, + December 2012. + +6.2. Informative References + + [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model + with Session Description Protocol (SDP)", RFC 3264, + June 2002. + + [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session + Description Protocol", RFC 4566, July 2006. + + [RFC5630] Audet, F., "The Use of the SIPS URI Scheme in the Session + Initiation Protocol (SIP)", RFC 5630, October 2009. + + + + + + + + + + + + + + + + + + + + + + +Hilt & Camarillo Standards Track [Page 17] + +RFC 6795 Session Policy Event Package December 2012 + + +Appendix A. Acknowledgements + + Many thanks to Jonathan Rosenberg for the discussions and suggestions + for this document. Many thanks to Roni Even, Bob Penfield, Mary + Barnes, Shida Schubert and Jon Peterson for reviewing the document + and to Vijay Gurbani for the contributions to the Security + Considerations section. + +Authors' Addresses + + Volker Hilt + Bell Labs/Alcatel-Lucent + Lorenzstrasse 10 + 70435 Stuttgart + Germany + + EMail: volker.hilt@bell-labs.com + + + Gonzalo Camarillo + Ericsson + Hirsalantie 11 + Jorvas 02420 + Finland + + EMail: Gonzalo.Camarillo@ericsson.com + + + + + + + + + + + + + + + + + + + + + + + + + +Hilt & Camarillo Standards Track [Page 18] + |