From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc3487.txt | 955 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 955 insertions(+) create mode 100644 doc/rfc/rfc3487.txt (limited to 'doc/rfc/rfc3487.txt') diff --git a/doc/rfc/rfc3487.txt b/doc/rfc/rfc3487.txt new file mode 100644 index 0000000..3966de4 --- /dev/null +++ b/doc/rfc/rfc3487.txt @@ -0,0 +1,955 @@ + + + + + + +Network Working Group H. Schulzrinne +Request for Comments: 3487 Columbia University +Category: Informational February 2003 + + + Requirements for Resource Priority Mechanisms for the + Session Initiation Protocol (SIP) + +Status of this Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2003). All Rights Reserved. + +Abstract + + This document summarizes requirements for prioritizing access to + circuit-switched network, end system and proxy resources for + emergency preparedness communications using the Session Initiation + Protocol (SIP). + +Table of Contents + + 1. Introduction ................................................ 2 + 2. Terminology ................................................. 3 + 3. Resources ................................................... 4 + 4. Network Topologies .......................................... 5 + 5. Network Models .............................................. 6 + 6. Relationship to Emergency Call Services ..................... 7 + 7. SIP Call Routing ............................................ 8 + 8. Policy and Mechanism ........................................ 8 + 9. Requirements ................................................ 9 + 10. Security Requirements ....................................... 12 + 10.1 Authentication and Authorization ....................... 12 + 10.2 Confidentiality and Integrity .......................... 13 + 10.3 Anonymity .............................................. 14 + 10.4 Denial-of-Service Attacks .............................. 14 + 11. Security Considerations ..................................... 15 + 12. Acknowledgements ............................................ 15 + 13. Normative References ........................................ 15 + 14. Informative References ...................................... 15 + 15. Author's Address ............................................ 16 + 16. Full Copyright Statement .................................... 17 + + + + +Schulzrinne Informational [Page 1] + +RFC 3487 IEPREP SIP Requirements February 2003 + + +1. Introduction + + During emergencies, communications resources including telephone + circuits, IP bandwidth and gateways between the circuit-switched and + IP networks may become congested. Congestion can occur due to heavy + usage, loss of resources caused by the natural or man-made disaster + and attacks on the network during man-made emergencies. This + congestion may make it difficult for persons charged with emergency + assistance, recovery or law enforcement to coordinate their efforts. + As IP networks become part of converged or hybrid networks along with + public and private circuit-switched (telephone) networks, it becomes + necessary to ensure that these networks can assist during such + emergencies. + + There are many IP-based services that can assist during emergencies. + This memo only covers requirements for real-time communications + applications involving the Session Initiation Protocol (SIP) [1], + including voice-over-IP, multimedia conferencing and instant + messaging/presence. + + This document takes no position as to which mode of communication is + preferred during an emergency, as such discussion appears to be of + little practical value. Based on past experience, real-time + communications is likely to be an important component of any overall + suite of applications, particularly for coordination of emergency- + related efforts. + + As we will describe in detail below, such Session Initiation Protocol + (SIP) [1] applications involve at least five different resources that + may become scarce and congested during emergencies. In order to + improve emergency response, it may become necessary to prioritize + access to such resources during periods of emergency-induced resource + scarcity. We call this "resource prioritization". + + This document describes requirements rather than possible existing or + new protocol features. Although it is scoped to deal with SIP-based + applications, this should not be taken to imply that mechanisms have + to be SIP protocol features such as header fields, methods or URI + parameters. + + The document is organized as follows. In Section 2, we explain core + technical terms and acronyms that are used throughout the document. + Section 3 describes the five types of resources that may be subject + to resource prioritization. Section 4 enumerates four network + hybrids that determine which of these resources are relevant. Since + the design choices may be constrained by the assumptions placed on + + + + + +Schulzrinne Informational [Page 2] + +RFC 3487 IEPREP SIP Requirements February 2003 + + + the IP network, Section 5 attempts to classify networks into + categories according to the restrictions placed on modifications and + traffic classes. + + Since this is a major source of confusion due to similar names, + Section 6 attempts to distinguish emergency call services placed by + civilians from the topic of this document. + + Request routing is a core component of SIP, covered in Section 7. + + Providing resource priority entails complex implementation choices, + so that a single priority scheme leads to a set of algorithms that + manage queues, resource consumption and resource usage of existing + calls. Even within a single administrative domain, the combination + of mechanisms is likely to vary. Since it will also depend on the + interaction of different policies, it appears inappropriate to have + SIP applications specify the precise mechanisms. Section 8 discusses + the call-by-value (specification of mechanisms) and call-by-reference + (invoke labeled policy) distinction. + + Based on these discussions, Section 9 summarizes some general + requirements that try to achieve generality and feature-transparency + across hybrid networks. + + The most challenging component of resource prioritization is likely + to be security (Section 10). Without adequate security mechanisms, + resource priority may cause more harm than good, so that the section + attempts to enumerate some of the specific threats present when + resource prioritization is being employed. + +2. Terminology + + CSN: Circuit-switched network, encompassing both private + (closed) networks and the public switched telephone network + (PSTN). + + ETS: Emergency telecommunications service, identifying a + communications service to be used during large-scale emergencies + that allows authorized individuals to communicate. Such + communication may reach end points either within a closed network + or any endpoint on the CSN or the Internet. The communication + service may use voice, video, text or other multimedia streams. + + Request: In this document, we define "request" as any SIP + request. This includes call setup requests, instant message + requests and event notification requests. + + + + + +Schulzrinne Informational [Page 3] + +RFC 3487 IEPREP SIP Requirements February 2003 + + +3. Resources + + Prioritized access to at least five resource types may be useful: + + Gateway resources: The number of channels (trunks) on a CSN + gateway is finite. Resource prioritization may prioritize access + to these channels, by priority queuing or preemption. + + CSN resources: Resources in the CSN itself, away from the access + gateway, may be congested. This is the domain of traditional + resource prioritization mechanisms such as MLPP and GETS, where + circuits are granted to ETS communications based on queuing + priority or preemption (if allowed by local telecommunication + regulatory policy and local administrative procedures). A gateway + may also use alternate routing (Section 8) to increase the + probability of call completion. + + Specifying CSN behavior is beyond the scope of this document, but + as noted below, a central requirement is to be able to invoke all + such behaviors from an IP endpoint. + + IP network resources: SIP may initiate voice and multimedia + sessions. In many cases, audio and video streams are inelastic + and have tight delay and loss requirements. Under conditions of + IP network overload, emergency services applications may not be + able to obtain sufficient bandwidth in any network. When there + are insufficient network resources for all users and it is not + practical to simply add more resources, quality of service + management is necessary to solve this problem. This is orthogonal + to SIP, out of the scope for SIP, and as such these requirements + will be discussed in another document. + + Bandwidth used for SIP signaling itself may be subject to + prioritization. + + Receiving end system resources: End systems may include + automatic call distribution systems (ACDs) or media servers as + well as traditional telephone-like devices. Gateways are also end + systems, but have been discussed earlier. + + Since the receiving end system can only manage a finite number of + sessions, a prioritized call may need to preempt an existing call + or indicate to the callee that a high-priority call is waiting. + (The precise user agent behavior is beyond the scope of this + document and considered a matter of policy and implementation.) + + + + + + +Schulzrinne Informational [Page 4] + +RFC 3487 IEPREP SIP Requirements February 2003 + + + Such terminating services may be needed to avoid overloading, say, + an emergency coordination center. However, other approaches beyond + prioritization, e.g., random request dropping by geographic + origin, need to be employed if the number of prioritized calls + exceeds the terminating capacity. Such approaches are beyond the + scope of this memo. + + SIP proxy resources: While SIP proxies often have large request + handling capacities, their capacity is likely to be smaller than + their access network bandwidth. (This is true in particular since + different SIP requests consume vastly different amounts of proxy + computational resources, depending on whether they invoke external + services, sip-cgi [2] and CPL [3] scripts, etc. Thus, avoiding + proxy overload by restricting access bandwidth is likely to lead + to inefficient utilization of the proxy.) Therefore, some types + of proxies may need to silently drop selected SIP requests under + overload, reject requests, with overload indication or provide + multiple queues with different drop and scheduling priorities for + different types of SIP requests. However, this is strictly an + implementation issue and does not appear to influence the protocol + requirements nor the on-the-wire protocol. Thus, it is out of + scope for the protocol requirements discussion pursued here. + + Responses should naturally receive the same treatment as the + corresponding request. Responses already have to be securely + mapped to requests, so this requirement does not pose a + significant burden. Since proxies often do not maintain call + state, it is not generally feasible to assign elevated priority to + requests originating from a lower-privileged callee back to the + higher-privileged caller. + + There is no requirement that a single mechanism be used for all five + resources. + +4. Network Topologies + + We consider four types of combinations of IP and circuit-switched + networks. + + IP end-to-end: Both request originator and destination are on an + IP network, without intervening CSN-IP gateways. Here, any SIP + request could be subject to prioritization. + + IP-to-CSN (IP at the start): The request originator is in the IP + network, while the callee is in the CSN. Clearly, this model only + applies to SIP-originated phone calls, not generic SIP requests + such as those supporting instant messaging services. + + + + +Schulzrinne Informational [Page 5] + +RFC 3487 IEPREP SIP Requirements February 2003 + + + CSN-to-IP (IP at the end): A call originates in the CSN and + terminates, via an Internet telephony gateway, in the IP network. + + CSN-IP-CSN (IP bridging): This is a concatenation of the two + previous ones. It is worth calling out specifically to note that + the two CSN sides may use different signaling protocols. Also, + the originating CSN endpoint and the gateway to the IP network may + not know the nature of the terminating CSN. Thus, encapsulation + of originating CSN information is insufficient. + + The bridging model (IP-CSN-IP) can be treated as the concatenation of + the IP-to-CSN and CSN-to-IP cases. + + It is worth emphasizing that CSN-to-IP gateways are unlikely to know + whether the final destination is in the IP network, the CSN or, via + SIP forking, in both. + + These models differ in the type of controllable resources, identified + as gateway, CSN, IP network resources, proxy and receiver. Items + marked as (x) are beyond the scope of this document. + + Topology Gateway CSN IP proxy receiver + _________________________________________________ + IP-end-to-end (x) (x) x + IP-to-CSN x x (x) (x) (x) + CSN-to-IP x x (x) (x) x + CSN-IP-CSN x x (x) (x) (x) + +5. Network Models + + There are at least four IP network models that influence the + requirements for resource priority. Each model inherits the + restrictions of the model above it. + + Pre-configured for ETS: In a pre-configured network, an ETS + application can use any protocol carried in IP packets and modify + the behavior of existing protocols. As an example, if an ETS + agency owns the IP network, it can add traffic shaping, scheduling + or support for a resource reservation protocol to routers. + + Transparent: In a transparent network, an ETS application can + rely on the network to forward all valid IP packets, however, the + ETS application cannot modify network elements. Commercial ISP + offer transparent networks as long as they do not filter certain + types of packets. Networks employing firewalls, NATs and + "transparent" proxies are not transparent. Sometimes, these types + of networks are also called common-carrier networks since they + carry IP packets without concern as to their content. + + + +Schulzrinne Informational [Page 6] + +RFC 3487 IEPREP SIP Requirements February 2003 + + + SIP/RTP transparent: Networks that are SIP/RTP transparent allow + users to place and receive SIP calls. The network allows ingress + and egress for all valid SIP messages, possibly subject to + authentication. Similarly, it allows RTP media streams in both + directions. However, it may block, in either inbound or outbound + direction, other protocols such as RSVP or it may disallow non- + zero DSCPs. There are many degrees of SIP/RTP transparency, e.g., + depending on whether firewalls require inspection of SDP content, + thus precluding end-to-end encryption of certain SIP message + bodies, or whether only outbound calls are allowed. Many + firewalled corporate networks and semi-public access networks such + as in hotels are likely to fall into this category. + + Restricted SIP networks: In restricted SIP networks, users may + be restricted to particular SIP applications and cannot add SIP + protocol elements such as header fields or use SIP methods beyond + a prescribed set. It appears likely that 3GPP/3GPP2 networks will + fall into this category, at least initially. + + A separate and distinct problem are SIP networks that + administratively prohibit or fail to configure access to special + access numbers, e.g., the 710 area code used by GETS. Such + operational failures are beyond the reach of a protocol + specification. + + It appears desirable that ETS users can employ the broadest possible + set of networks during an emergency. Thus, it appears preferable + that protocol enhancements work at least in SIP/RTP transparent + networks and are added explicitly to restricted SIP networks. + + The existing GETS system relies on a transparent network, allowing + use from most unmodified telephones, while MLPP systems are typically + pre-configured. + +6. Relationship to Emergency Call Services + + The resource priority mechanisms are used to have selected + individuals place calls with elevated priority during times when the + network is suffering from a shortage of resources. Generally, calls + for emergency help placed by non-officials (e.g., "911" and "112" + calls) do not need resource priority under normal circumstances. If + such emergency calls are placed during emergency-induced network + resource shortages, the call identifier itself is sufficient to + identify the emergency nature of the call. Adding an indication of + resource priority may be less appropriate, as this would require that + all such calls carry this indicator. Also, it opens another attack + + + + + +Schulzrinne Informational [Page 7] + +RFC 3487 IEPREP SIP Requirements February 2003 + + + mechanism, where non-emergency calls are marked as emergency calls. + (If network elements can recognize the request URI as an emergency + call, they would not need the resource priority mechanism.) + +7. SIP Call Routing + + The routing of a SIP request, i.e., the proxies it visits and the UAs + it ends up at, may depend on the fact that the SIP request is an ETS + request. The set of destinations may be larger or smaller, depending + on the SIP request routing policies implemented by proxies. For + example, certain gateways may be reserved for ETS use and thus only + be reached by labeled SIP requests. + +8. Policy and Mechanism + + Most priority mechanisms can be roughly categorized by whether they: + + o use a priority queue for resource attempts, + + o make additional resources available (e.g., via alternate routing + (ACR)), or + + o preempt existing resource users (e.g., calls.) + + For example, in GETS, alternate routing attempts to use alternate + GETS-enabled interexchange carriers (IXC) if it cannot be completed + through the first-choice carrier. + + Priority mechanisms may also exempt certain calls from network + management traffic controls. + + The choice between these mechanisms depends on the operational needs + and characteristics of the network, e.g., on the number of active + requests in the system and the fraction of prioritized calls. + Generally, if the number of prioritized calls is small compared to + the system capacity and the system capacity is large, it is likely + that another call will naturally terminate in short order when a + higher-priority call arrives. Thus, it is conceivable that the + priority indication can cause preemption in some network entities, + while elsewhere it just influences whether requests are queued + instead of discarded and what queueing policy is being applied. + + Some namespaces may inherently imply a preemption policy, while + others may be silent on whether preemption is to be used or not, + leaving this to local entity policy. + + + + + + +Schulzrinne Informational [Page 8] + +RFC 3487 IEPREP SIP Requirements February 2003 + + + Similarly, the precise relationships between labels, e.g., what + fraction of capacity is set aside for each priority level, is also a + matter of local policy. This is similar to how differentiated + services labels are handled. + +9. Requirements + + In the PSTN and certain private circuit-switched networks, such as + those run by military organizations, calls are marked in various ways + to indicate priorities. We call this a "priority scheme". + + Below are some requirements for providing a similar feature in a SIP + environment; security requirements are discussed in Section 10. We + will refer to the feature as a "SIP indication" and to requests + carrying such an indication as "labelled requests". + + Note: Not all the following requirements are possible to meet at + once. They may represent in some case tradeoffs that must be + considered by the designer. + + REQ-1: Not specific to one scheme or country: The SIP indication + should support existing and future priority schemes. For example, + there are currently at least four priority schemes in widespread + use: Q.735, also implemented by the U.S. defense telephone + network ("DSN" or "Autovon") and NATO, has five levels, the United + States GETS (Government Emergency Telecommunications Systems) + scheme with implied higher priority and the British Government + Telephone Preference Scheme (GTPS) system, which provides three + priority levels for receipt of dial tone. + + The SIP indication may support these existing CSN priority schemes + through the use of different namespaces. + + Private-use namespaces may also be useful for certain + applications. + + REQ-2: Independent of particular network architecture: The SIP + indication should work in the widest variety of SIP-based systems. + It should not be restricted to particular operators or types of + networks, such as wireless networks or protocol profiles and + dialects in certain types of networks. The originator of a SIP + request cannot be expected to know what kind of circuit-switched + technology is used by the destination gateway. + + REQ-3: Invisible to network (IP) layer: The SIP indication must + be usable in IP networks that are unaware of the enhancement and + in SIP/RTP-transparent networks. + + + + +Schulzrinne Informational [Page 9] + +RFC 3487 IEPREP SIP Requirements February 2003 + + + This requirement can be translated to mean that the request has to + be a valid SIP request and that out-of-band signaling is not + acceptable. + + REQ-4: Mapping of existing schemes: Existing CSN schemes must be + translatable to SIP-based systems. + + REQ-5: No loss of information: For the CSN-IP-CSN case, there + should be no loss of signaling information caused by translation + from CSN signaling SIP and back from SIP to CSN signaling if both + circuit-switched networks use the same priority scheme. Loss of + information may be unavoidable if the destination CSN uses a + different priority scheme from the origin. + + One cannot assume that both CSNs are using the same signaling + protocol or protocol version, such as ISUP, so that transporting + ISUP objects in MIME [4,5] is unlikely to be sufficient. + + REQ-6: Extensibility: Any naming scheme specified as part of the + SIP indication should allow for future expansion. Expanded naming + schemes may be needed as resource priority is applied in + additional private networks, or if VoIP-specific priority schemes + are defined. + + REQ-7: Separation of policy and mechanism: The SIP indication + should not describe a particular detailed treatment, as it is + likely that this depends on the nature of the resource and local + policy. Instead, it should invoke a particular named policy. As + an example, instead of specifying that a certain SIP request + should be granted queueing priority, not cause preemption, but be + restricted to three-minute sessions, the request invokes a certain + named policy that may well have those properties in a particular + implementation. An IP-to-CSN gateway may need to be aware of the + specific actions required for the policy, but the protocol + indication itself should not. + + Even in the CSN, the same MLPP indication may result in different + behavior for different networks. + + REQ-8: Method-neutral: The SIP indication chosen should work for + any SIP method, not just, say, INVITE. + + REQ-9: Default behavior: Network terminals configured to use a + priority scheme may occasionally end up making calls in a network + that does not support such a scheme. In those cases, the protocol + must support a sensible default behavior that treats the call no + worse than a call that did not invoke the priority scheme. Some + networks may choose to disallow calls unless they have a suitable + + + +Schulzrinne Informational [Page 10] + +RFC 3487 IEPREP SIP Requirements February 2003 + + + priority marking and appropriate authentication. This is a matter + of local policy. + + REQ-10: Address-neutral: Any address or URI scheme may be a + valid destination and must be usable with the priority scheme. + The SIP indication cannot rely on identifying a set of destination + addresses or URI schemes for special treatment. This requirement + is motivated by existing ETS systems. For example, in GETS and + similar systems, the caller can reach any PSTN destination with + increased probability of call completion, not just a limited set. + (This does not preclude local policy that allows or disallows, + say, calls to international numbers for certain users.) + + Some schemes may have an open set of destinations, such as any + valid E.164 number or any valid domestic telephone number, while + others may only reach a limited set of destinations. + + REQ-11: Identity-independent: The user identity, such as the + From header field in SIP, is insufficient to identify the priority + level of the request. The same identity can issue non-prioritized + requests as well as prioritized ones, with the range of priorities + determined by the job function of the caller. The choice of the + priority is made based on human judgement, following a set of + general rules that are likely to be applied by analogy rather than + precise mapping of each condition. For example, a particular + circumstance may be considered similarly grave compared to one + which is listed explicitly. + + REQ-12: Independent of network location: While some existing CSN + schemes restrict the set of priorities based on the line identity, + it is recognized that future IP-based schemes should be flexible + enough to avoid such reliance. Instead, a combination of + authenticated user identity, user choice and policy determines the + request treatment. + + REQ-13: Multiple simultaneous schemes: Some user agents will + need to support multiple different priority schemes, as several + will remain in use in networks run by different agencies and + operators. (Not all user agents will have the means of + authorizing callers using different schemes, and thus may be + configured at run-time to only recognize certain namespaces.) + + REQ-14: Discovery: A terminal should be able to discover which, + if any, priority namespaces are supported by a network element. + Discovery may be explicit, where a user agent requests a list of + the supported namespaces or it may be implicit, where it attempts + to use a particular namespace and is then told that this namespace + is not supported. This does not imply that every element has to + + + +Schulzrinne Informational [Page 11] + +RFC 3487 IEPREP SIP Requirements February 2003 + + + support the priority scheme. However, entities should be able + discover whether a network element supports it or not. + + REQ-15: Testing: It must be possible to test the system outside + of emergency conditions, to increase the chances that all elements + work during an actual emergency. In particular, critical elements + such as indication, authentication, authorization and call routing + must be testable. Testing under load is desirable. Thus, it is + desirable that the SIP indication is available continuously, not + just during emergencies. + + REQ-16: 3PCC: The system has to work with SIP third-party call + control. + + REQ-17: Proxy-visible: Proxies may want to use the indication to + influence request routing (see Section 7) or impose additional + authentication requirements. + +10. Security Requirements + + Any resource priority mechanism can be abused to obtain resources and + thus deny service to other users. While the indication itself does + not have to provide separate authentication, any SIP request carrying + such information has more rigorous authentication requirements than + regular requests. Below, we describe authentication and + authorization aspects, confidentiality and privacy requirements, + protection against denial of service attacks and anonymity + requirements. Additional discussion can be found in [6]. + +10.1 Authentication and Authorization + + SEC-1: More rigorous: Prioritized access to network and end + system resources enumerated in Section 3 imposes particularly + stringent requirements on authentication and authorization + mechanisms since access to prioritized resources may impact + overall system stability and performance, not just result in theft + of, say, a single phone call. + + The authentication and authorization requirements for ETS calls + are, in particular, much stronger than for emergency calls (112, + 911), where wide access is the design objective, sacrificing + caller identification if necessary. + + SEC-2: Attack protection: Under certain emergency conditions, + the network infrastructure, including its authentication and + authorization mechanism, may be under attack. Thus, + authentication and authorization must be able to survive such + attacks and defend the resources against these attacks. + + + +Schulzrinne Informational [Page 12] + +RFC 3487 IEPREP SIP Requirements February 2003 + + + Mechanisms to delegate authentication and to authenticate as early + as possible are required. In particular, the number of packets + and the amount of other resources such as computation or storage + that an unauthorized user can consume needs to be minimized. + + Unauthorized users must not be able to block CSN resources, as + they are likely to be more scarce than packet resources. This + implies that authentication and authorization must take place on + the IP network side rather than using, say, a CSN circuit to + authenticate the caller via a DTMF sequence. + + Given the urgency during emergency events, normal statistical + fraud detection may be less effective, thus placing a premium on + reliable authentication. + + SIP nodes should be able to independently verify the authorization + of requests to receive prioritized service and not rely on + transitive trust within the network. + + SEC-3: Independent of mechanism: Any indication of the resource + priority must be independent of the authentication mechanism, + since end systems will impose different constraints on the + applicable authentication mechanisms. For example, some end + systems may only allow user input via a 12-digit keypad, while + others may have the ability to acquire biometrics or read + smartcards. + + SEC-4: Non-trusted end systems: Since ETS users may use devices + that are not their own, systems should support authentication + mechanisms that do not require the user to reveal her secret, such + as a PIN or password, to the device. + + SEC-5: Replay: The authentication mechanisms must be resistant + to replay attacks. + + SEC-6: Cut-and-paste: The authentication mechanisms must be + resistant to cut-and-paste attacks. + + SEC-7: Bid-down: The authentication mechanisms must be resistant + to bid down attacks. + +10.2 Confidentiality and Integrity + + SEC-8: Confidentiality: All aspects of ETS are likely to be + sensitive and should be protected from unlawful intercept and + alteration. In particular, requirements for protecting the + confidentiality of communications relationships may be higher than + for normal commercial service. For SIP, the To, From, + + + +Schulzrinne Informational [Page 13] + +RFC 3487 IEPREP SIP Requirements February 2003 + + + Organization, Subject, Priority and Via header fields are examples + of particularly sensitive information. Callers may be willing to + sacrifice confidentiality if the only alternative is abandoning + the call attempt. + + Unauthorized users must not be able to discern that a particular + request is using a resource priority mechanism, as that may reveal + sensitive information about the nature of the request to the + attacker. Information not required for request routing should be + protected end-to-end from intermediate SIP nodes. + + The act of authentication, e.g., by contacting a particular + server, itself may reveal that a user is requesting prioritized + service. + + SIP allows protection of header fields not used for request + routing via S/MIME, while hop-by-hop channel confidentiality can + be provided by TLS or IPsec. + +10.3 Anonymity + + SEC-9: Anonymity: Some users may wish to remain anonymous to the + request destination. For the reasons noted earlier, users have to + authenticate themselves towards the network carrying the request. + The authentication may be based on capabilities and noms, not + necessarily their civil name. + + Clearly, they may remain anonymous towards the request + destination, using the network-asserted identity and general + privacy mechanisms [7,8]. + +10.4 Denial-of-Service Attacks + + SEC-10: Denial-of-service: ETS systems are likely to be subject + to deliberate denial-of-service attacks during certain + types of emergencies. DOS attacks may be launched on the + network itself as well as its authentication and + authorization mechanism. + + SEC-11: Minimize resource use by unauthorized users: Systems + should minimize the amount of state, computation and + network resources that an unauthorized user can command. + + SEC-12: Avoid amplification: The system must not amplify attacks + by causing the transmission of more than one packet or SIP + request to a network address whose reachability has not + been verified. + + + + +Schulzrinne Informational [Page 14] + +RFC 3487 IEPREP SIP Requirements February 2003 + + +11. Security Considerations + + Section 10 discusses the security issues related to priority + indication for SIP in detail and derives requirements for the SIP + indicator. As discussed in Section 6, identification of priority + service should avoid multiple concurrent mechanisms, to avoid + allowing attackers to exploit inconsistent labeling. + +12. Acknowledgements + + Ran Atkinson, Fred Baker, Scott Bradner, Ian Brown, Ken Carlberg, + Janet Gunn, Kimberly King, Rohan Mahy and James Polk provided helpful + comments. + +13. Normative References + + [1] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., + Peterson, J., Sparks, R., Handley, M. and E. Schooler, "SIP: + Session Initiation Protocol", RFC 3261, June 2002. + +14. Informative References + + [2] Lennox, J., Schulzrinne, H. and J. Rosenberg, "Common Gateway + Interface for SIP", RFC 3050, January 2001. + + [3] Lennox J. and H. Schulzrinne, "CPL: A language for user control + of internet telephony services", Work in Progress. + + [4] Zimmerer, E., Peterson, J., Vemuri, A., Ong, L., Audet, F., + Watson, M. and M. Zonoun, "MIME media types for ISUP and QSIG + objects", RFC 3204, December 2001. + + [5] Vemuri, A. and J. Peterson, "Session Initiation Protocol for + Telephones (SIP-T): (SIP-T)", BCP 63, RFC 3372, September 2002. + + [6] Brown, I., "A security framework for emergency communications", + Work in Progress. + + [7] Peterson, J., "A Privacy Mechanism for the Session Initiation + Protocol (SIP)", RFC 3323, November 2002. + + [8] Watson, M., "Short Term Requirements for Network Asserted + Identity", RFC 3324, November 2002. + + + + + + + + +Schulzrinne Informational [Page 15] + +RFC 3487 IEPREP SIP Requirements February 2003 + + +15. Author's Address + + Henning Schulzrinne + Dept. of Computer Science + Columbia University + 1214 Amsterdam Avenue + New York, NY 10027 + USA + + EMail: schulzrinne@cs.columbia.edu + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Schulzrinne Informational [Page 16] + +RFC 3487 IEPREP SIP Requirements February 2003 + + +16. Full Copyright Statement + + Copyright (C) The Internet Society (2003). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Schulzrinne Informational [Page 17] + -- cgit v1.2.3