1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
|
Network Working Group H. Schulzrinne
Request for Comments: 3487 Columbia University
Category: Informational February 2003
Requirements for Resource Priority Mechanisms for the
Session Initiation Protocol (SIP)
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
This document summarizes requirements for prioritizing access to
circuit-switched network, end system and proxy resources for
emergency preparedness communications using the Session Initiation
Protocol (SIP).
Table of Contents
1. Introduction ................................................ 2
2. Terminology ................................................. 3
3. Resources ................................................... 4
4. Network Topologies .......................................... 5
5. Network Models .............................................. 6
6. Relationship to Emergency Call Services ..................... 7
7. SIP Call Routing ............................................ 8
8. Policy and Mechanism ........................................ 8
9. Requirements ................................................ 9
10. Security Requirements ....................................... 12
10.1 Authentication and Authorization ....................... 12
10.2 Confidentiality and Integrity .......................... 13
10.3 Anonymity .............................................. 14
10.4 Denial-of-Service Attacks .............................. 14
11. Security Considerations ..................................... 15
12. Acknowledgements ............................................ 15
13. Normative References ........................................ 15
14. Informative References ...................................... 15
15. Author's Address ............................................ 16
16. Full Copyright Statement .................................... 17
Schulzrinne Informational [Page 1]
^L
RFC 3487 IEPREP SIP Requirements February 2003
1. Introduction
During emergencies, communications resources including telephone
circuits, IP bandwidth and gateways between the circuit-switched and
IP networks may become congested. Congestion can occur due to heavy
usage, loss of resources caused by the natural or man-made disaster
and attacks on the network during man-made emergencies. This
congestion may make it difficult for persons charged with emergency
assistance, recovery or law enforcement to coordinate their efforts.
As IP networks become part of converged or hybrid networks along with
public and private circuit-switched (telephone) networks, it becomes
necessary to ensure that these networks can assist during such
emergencies.
There are many IP-based services that can assist during emergencies.
This memo only covers requirements for real-time communications
applications involving the Session Initiation Protocol (SIP) [1],
including voice-over-IP, multimedia conferencing and instant
messaging/presence.
This document takes no position as to which mode of communication is
preferred during an emergency, as such discussion appears to be of
little practical value. Based on past experience, real-time
communications is likely to be an important component of any overall
suite of applications, particularly for coordination of emergency-
related efforts.
As we will describe in detail below, such Session Initiation Protocol
(SIP) [1] applications involve at least five different resources that
may become scarce and congested during emergencies. In order to
improve emergency response, it may become necessary to prioritize
access to such resources during periods of emergency-induced resource
scarcity. We call this "resource prioritization".
This document describes requirements rather than possible existing or
new protocol features. Although it is scoped to deal with SIP-based
applications, this should not be taken to imply that mechanisms have
to be SIP protocol features such as header fields, methods or URI
parameters.
The document is organized as follows. In Section 2, we explain core
technical terms and acronyms that are used throughout the document.
Section 3 describes the five types of resources that may be subject
to resource prioritization. Section 4 enumerates four network
hybrids that determine which of these resources are relevant. Since
the design choices may be constrained by the assumptions placed on
Schulzrinne Informational [Page 2]
^L
RFC 3487 IEPREP SIP Requirements February 2003
the IP network, Section 5 attempts to classify networks into
categories according to the restrictions placed on modifications and
traffic classes.
Since this is a major source of confusion due to similar names,
Section 6 attempts to distinguish emergency call services placed by
civilians from the topic of this document.
Request routing is a core component of SIP, covered in Section 7.
Providing resource priority entails complex implementation choices,
so that a single priority scheme leads to a set of algorithms that
manage queues, resource consumption and resource usage of existing
calls. Even within a single administrative domain, the combination
of mechanisms is likely to vary. Since it will also depend on the
interaction of different policies, it appears inappropriate to have
SIP applications specify the precise mechanisms. Section 8 discusses
the call-by-value (specification of mechanisms) and call-by-reference
(invoke labeled policy) distinction.
Based on these discussions, Section 9 summarizes some general
requirements that try to achieve generality and feature-transparency
across hybrid networks.
The most challenging component of resource prioritization is likely
to be security (Section 10). Without adequate security mechanisms,
resource priority may cause more harm than good, so that the section
attempts to enumerate some of the specific threats present when
resource prioritization is being employed.
2. Terminology
CSN: Circuit-switched network, encompassing both private
(closed) networks and the public switched telephone network
(PSTN).
ETS: Emergency telecommunications service, identifying a
communications service to be used during large-scale emergencies
that allows authorized individuals to communicate. Such
communication may reach end points either within a closed network
or any endpoint on the CSN or the Internet. The communication
service may use voice, video, text or other multimedia streams.
Request: In this document, we define "request" as any SIP
request. This includes call setup requests, instant message
requests and event notification requests.
Schulzrinne Informational [Page 3]
^L
RFC 3487 IEPREP SIP Requirements February 2003
3. Resources
Prioritized access to at least five resource types may be useful:
Gateway resources: The number of channels (trunks) on a CSN
gateway is finite. Resource prioritization may prioritize access
to these channels, by priority queuing or preemption.
CSN resources: Resources in the CSN itself, away from the access
gateway, may be congested. This is the domain of traditional
resource prioritization mechanisms such as MLPP and GETS, where
circuits are granted to ETS communications based on queuing
priority or preemption (if allowed by local telecommunication
regulatory policy and local administrative procedures). A gateway
may also use alternate routing (Section 8) to increase the
probability of call completion.
Specifying CSN behavior is beyond the scope of this document, but
as noted below, a central requirement is to be able to invoke all
such behaviors from an IP endpoint.
IP network resources: SIP may initiate voice and multimedia
sessions. In many cases, audio and video streams are inelastic
and have tight delay and loss requirements. Under conditions of
IP network overload, emergency services applications may not be
able to obtain sufficient bandwidth in any network. When there
are insufficient network resources for all users and it is not
practical to simply add more resources, quality of service
management is necessary to solve this problem. This is orthogonal
to SIP, out of the scope for SIP, and as such these requirements
will be discussed in another document.
Bandwidth used for SIP signaling itself may be subject to
prioritization.
Receiving end system resources: End systems may include
automatic call distribution systems (ACDs) or media servers as
well as traditional telephone-like devices. Gateways are also end
systems, but have been discussed earlier.
Since the receiving end system can only manage a finite number of
sessions, a prioritized call may need to preempt an existing call
or indicate to the callee that a high-priority call is waiting.
(The precise user agent behavior is beyond the scope of this
document and considered a matter of policy and implementation.)
Schulzrinne Informational [Page 4]
^L
RFC 3487 IEPREP SIP Requirements February 2003
Such terminating services may be needed to avoid overloading, say,
an emergency coordination center. However, other approaches beyond
prioritization, e.g., random request dropping by geographic
origin, need to be employed if the number of prioritized calls
exceeds the terminating capacity. Such approaches are beyond the
scope of this memo.
SIP proxy resources: While SIP proxies often have large request
handling capacities, their capacity is likely to be smaller than
their access network bandwidth. (This is true in particular since
different SIP requests consume vastly different amounts of proxy
computational resources, depending on whether they invoke external
services, sip-cgi [2] and CPL [3] scripts, etc. Thus, avoiding
proxy overload by restricting access bandwidth is likely to lead
to inefficient utilization of the proxy.) Therefore, some types
of proxies may need to silently drop selected SIP requests under
overload, reject requests, with overload indication or provide
multiple queues with different drop and scheduling priorities for
different types of SIP requests. However, this is strictly an
implementation issue and does not appear to influence the protocol
requirements nor the on-the-wire protocol. Thus, it is out of
scope for the protocol requirements discussion pursued here.
Responses should naturally receive the same treatment as the
corresponding request. Responses already have to be securely
mapped to requests, so this requirement does not pose a
significant burden. Since proxies often do not maintain call
state, it is not generally feasible to assign elevated priority to
requests originating from a lower-privileged callee back to the
higher-privileged caller.
There is no requirement that a single mechanism be used for all five
resources.
4. Network Topologies
We consider four types of combinations of IP and circuit-switched
networks.
IP end-to-end: Both request originator and destination are on an
IP network, without intervening CSN-IP gateways. Here, any SIP
request could be subject to prioritization.
IP-to-CSN (IP at the start): The request originator is in the IP
network, while the callee is in the CSN. Clearly, this model only
applies to SIP-originated phone calls, not generic SIP requests
such as those supporting instant messaging services.
Schulzrinne Informational [Page 5]
^L
RFC 3487 IEPREP SIP Requirements February 2003
CSN-to-IP (IP at the end): A call originates in the CSN and
terminates, via an Internet telephony gateway, in the IP network.
CSN-IP-CSN (IP bridging): This is a concatenation of the two
previous ones. It is worth calling out specifically to note that
the two CSN sides may use different signaling protocols. Also,
the originating CSN endpoint and the gateway to the IP network may
not know the nature of the terminating CSN. Thus, encapsulation
of originating CSN information is insufficient.
The bridging model (IP-CSN-IP) can be treated as the concatenation of
the IP-to-CSN and CSN-to-IP cases.
It is worth emphasizing that CSN-to-IP gateways are unlikely to know
whether the final destination is in the IP network, the CSN or, via
SIP forking, in both.
These models differ in the type of controllable resources, identified
as gateway, CSN, IP network resources, proxy and receiver. Items
marked as (x) are beyond the scope of this document.
Topology Gateway CSN IP proxy receiver
_________________________________________________
IP-end-to-end (x) (x) x
IP-to-CSN x x (x) (x) (x)
CSN-to-IP x x (x) (x) x
CSN-IP-CSN x x (x) (x) (x)
5. Network Models
There are at least four IP network models that influence the
requirements for resource priority. Each model inherits the
restrictions of the model above it.
Pre-configured for ETS: In a pre-configured network, an ETS
application can use any protocol carried in IP packets and modify
the behavior of existing protocols. As an example, if an ETS
agency owns the IP network, it can add traffic shaping, scheduling
or support for a resource reservation protocol to routers.
Transparent: In a transparent network, an ETS application can
rely on the network to forward all valid IP packets, however, the
ETS application cannot modify network elements. Commercial ISP
offer transparent networks as long as they do not filter certain
types of packets. Networks employing firewalls, NATs and
"transparent" proxies are not transparent. Sometimes, these types
of networks are also called common-carrier networks since they
carry IP packets without concern as to their content.
Schulzrinne Informational [Page 6]
^L
RFC 3487 IEPREP SIP Requirements February 2003
SIP/RTP transparent: Networks that are SIP/RTP transparent allow
users to place and receive SIP calls. The network allows ingress
and egress for all valid SIP messages, possibly subject to
authentication. Similarly, it allows RTP media streams in both
directions. However, it may block, in either inbound or outbound
direction, other protocols such as RSVP or it may disallow non-
zero DSCPs. There are many degrees of SIP/RTP transparency, e.g.,
depending on whether firewalls require inspection of SDP content,
thus precluding end-to-end encryption of certain SIP message
bodies, or whether only outbound calls are allowed. Many
firewalled corporate networks and semi-public access networks such
as in hotels are likely to fall into this category.
Restricted SIP networks: In restricted SIP networks, users may
be restricted to particular SIP applications and cannot add SIP
protocol elements such as header fields or use SIP methods beyond
a prescribed set. It appears likely that 3GPP/3GPP2 networks will
fall into this category, at least initially.
A separate and distinct problem are SIP networks that
administratively prohibit or fail to configure access to special
access numbers, e.g., the 710 area code used by GETS. Such
operational failures are beyond the reach of a protocol
specification.
It appears desirable that ETS users can employ the broadest possible
set of networks during an emergency. Thus, it appears preferable
that protocol enhancements work at least in SIP/RTP transparent
networks and are added explicitly to restricted SIP networks.
The existing GETS system relies on a transparent network, allowing
use from most unmodified telephones, while MLPP systems are typically
pre-configured.
6. Relationship to Emergency Call Services
The resource priority mechanisms are used to have selected
individuals place calls with elevated priority during times when the
network is suffering from a shortage of resources. Generally, calls
for emergency help placed by non-officials (e.g., "911" and "112"
calls) do not need resource priority under normal circumstances. If
such emergency calls are placed during emergency-induced network
resource shortages, the call identifier itself is sufficient to
identify the emergency nature of the call. Adding an indication of
resource priority may be less appropriate, as this would require that
all such calls carry this indicator. Also, it opens another attack
Schulzrinne Informational [Page 7]
^L
RFC 3487 IEPREP SIP Requirements February 2003
mechanism, where non-emergency calls are marked as emergency calls.
(If network elements can recognize the request URI as an emergency
call, they would not need the resource priority mechanism.)
7. SIP Call Routing
The routing of a SIP request, i.e., the proxies it visits and the UAs
it ends up at, may depend on the fact that the SIP request is an ETS
request. The set of destinations may be larger or smaller, depending
on the SIP request routing policies implemented by proxies. For
example, certain gateways may be reserved for ETS use and thus only
be reached by labeled SIP requests.
8. Policy and Mechanism
Most priority mechanisms can be roughly categorized by whether they:
o use a priority queue for resource attempts,
o make additional resources available (e.g., via alternate routing
(ACR)), or
o preempt existing resource users (e.g., calls.)
For example, in GETS, alternate routing attempts to use alternate
GETS-enabled interexchange carriers (IXC) if it cannot be completed
through the first-choice carrier.
Priority mechanisms may also exempt certain calls from network
management traffic controls.
The choice between these mechanisms depends on the operational needs
and characteristics of the network, e.g., on the number of active
requests in the system and the fraction of prioritized calls.
Generally, if the number of prioritized calls is small compared to
the system capacity and the system capacity is large, it is likely
that another call will naturally terminate in short order when a
higher-priority call arrives. Thus, it is conceivable that the
priority indication can cause preemption in some network entities,
while elsewhere it just influences whether requests are queued
instead of discarded and what queueing policy is being applied.
Some namespaces may inherently imply a preemption policy, while
others may be silent on whether preemption is to be used or not,
leaving this to local entity policy.
Schulzrinne Informational [Page 8]
^L
RFC 3487 IEPREP SIP Requirements February 2003
Similarly, the precise relationships between labels, e.g., what
fraction of capacity is set aside for each priority level, is also a
matter of local policy. This is similar to how differentiated
services labels are handled.
9. Requirements
In the PSTN and certain private circuit-switched networks, such as
those run by military organizations, calls are marked in various ways
to indicate priorities. We call this a "priority scheme".
Below are some requirements for providing a similar feature in a SIP
environment; security requirements are discussed in Section 10. We
will refer to the feature as a "SIP indication" and to requests
carrying such an indication as "labelled requests".
Note: Not all the following requirements are possible to meet at
once. They may represent in some case tradeoffs that must be
considered by the designer.
REQ-1: Not specific to one scheme or country: The SIP indication
should support existing and future priority schemes. For example,
there are currently at least four priority schemes in widespread
use: Q.735, also implemented by the U.S. defense telephone
network ("DSN" or "Autovon") and NATO, has five levels, the United
States GETS (Government Emergency Telecommunications Systems)
scheme with implied higher priority and the British Government
Telephone Preference Scheme (GTPS) system, which provides three
priority levels for receipt of dial tone.
The SIP indication may support these existing CSN priority schemes
through the use of different namespaces.
Private-use namespaces may also be useful for certain
applications.
REQ-2: Independent of particular network architecture: The SIP
indication should work in the widest variety of SIP-based systems.
It should not be restricted to particular operators or types of
networks, such as wireless networks or protocol profiles and
dialects in certain types of networks. The originator of a SIP
request cannot be expected to know what kind of circuit-switched
technology is used by the destination gateway.
REQ-3: Invisible to network (IP) layer: The SIP indication must
be usable in IP networks that are unaware of the enhancement and
in SIP/RTP-transparent networks.
Schulzrinne Informational [Page 9]
^L
RFC 3487 IEPREP SIP Requirements February 2003
This requirement can be translated to mean that the request has to
be a valid SIP request and that out-of-band signaling is not
acceptable.
REQ-4: Mapping of existing schemes: Existing CSN schemes must be
translatable to SIP-based systems.
REQ-5: No loss of information: For the CSN-IP-CSN case, there
should be no loss of signaling information caused by translation
from CSN signaling SIP and back from SIP to CSN signaling if both
circuit-switched networks use the same priority scheme. Loss of
information may be unavoidable if the destination CSN uses a
different priority scheme from the origin.
One cannot assume that both CSNs are using the same signaling
protocol or protocol version, such as ISUP, so that transporting
ISUP objects in MIME [4,5] is unlikely to be sufficient.
REQ-6: Extensibility: Any naming scheme specified as part of the
SIP indication should allow for future expansion. Expanded naming
schemes may be needed as resource priority is applied in
additional private networks, or if VoIP-specific priority schemes
are defined.
REQ-7: Separation of policy and mechanism: The SIP indication
should not describe a particular detailed treatment, as it is
likely that this depends on the nature of the resource and local
policy. Instead, it should invoke a particular named policy. As
an example, instead of specifying that a certain SIP request
should be granted queueing priority, not cause preemption, but be
restricted to three-minute sessions, the request invokes a certain
named policy that may well have those properties in a particular
implementation. An IP-to-CSN gateway may need to be aware of the
specific actions required for the policy, but the protocol
indication itself should not.
Even in the CSN, the same MLPP indication may result in different
behavior for different networks.
REQ-8: Method-neutral: The SIP indication chosen should work for
any SIP method, not just, say, INVITE.
REQ-9: Default behavior: Network terminals configured to use a
priority scheme may occasionally end up making calls in a network
that does not support such a scheme. In those cases, the protocol
must support a sensible default behavior that treats the call no
worse than a call that did not invoke the priority scheme. Some
networks may choose to disallow calls unless they have a suitable
Schulzrinne Informational [Page 10]
^L
RFC 3487 IEPREP SIP Requirements February 2003
priority marking and appropriate authentication. This is a matter
of local policy.
REQ-10: Address-neutral: Any address or URI scheme may be a
valid destination and must be usable with the priority scheme.
The SIP indication cannot rely on identifying a set of destination
addresses or URI schemes for special treatment. This requirement
is motivated by existing ETS systems. For example, in GETS and
similar systems, the caller can reach any PSTN destination with
increased probability of call completion, not just a limited set.
(This does not preclude local policy that allows or disallows,
say, calls to international numbers for certain users.)
Some schemes may have an open set of destinations, such as any
valid E.164 number or any valid domestic telephone number, while
others may only reach a limited set of destinations.
REQ-11: Identity-independent: The user identity, such as the
From header field in SIP, is insufficient to identify the priority
level of the request. The same identity can issue non-prioritized
requests as well as prioritized ones, with the range of priorities
determined by the job function of the caller. The choice of the
priority is made based on human judgement, following a set of
general rules that are likely to be applied by analogy rather than
precise mapping of each condition. For example, a particular
circumstance may be considered similarly grave compared to one
which is listed explicitly.
REQ-12: Independent of network location: While some existing CSN
schemes restrict the set of priorities based on the line identity,
it is recognized that future IP-based schemes should be flexible
enough to avoid such reliance. Instead, a combination of
authenticated user identity, user choice and policy determines the
request treatment.
REQ-13: Multiple simultaneous schemes: Some user agents will
need to support multiple different priority schemes, as several
will remain in use in networks run by different agencies and
operators. (Not all user agents will have the means of
authorizing callers using different schemes, and thus may be
configured at run-time to only recognize certain namespaces.)
REQ-14: Discovery: A terminal should be able to discover which,
if any, priority namespaces are supported by a network element.
Discovery may be explicit, where a user agent requests a list of
the supported namespaces or it may be implicit, where it attempts
to use a particular namespace and is then told that this namespace
is not supported. This does not imply that every element has to
Schulzrinne Informational [Page 11]
^L
RFC 3487 IEPREP SIP Requirements February 2003
support the priority scheme. However, entities should be able
discover whether a network element supports it or not.
REQ-15: Testing: It must be possible to test the system outside
of emergency conditions, to increase the chances that all elements
work during an actual emergency. In particular, critical elements
such as indication, authentication, authorization and call routing
must be testable. Testing under load is desirable. Thus, it is
desirable that the SIP indication is available continuously, not
just during emergencies.
REQ-16: 3PCC: The system has to work with SIP third-party call
control.
REQ-17: Proxy-visible: Proxies may want to use the indication to
influence request routing (see Section 7) or impose additional
authentication requirements.
10. Security Requirements
Any resource priority mechanism can be abused to obtain resources and
thus deny service to other users. While the indication itself does
not have to provide separate authentication, any SIP request carrying
such information has more rigorous authentication requirements than
regular requests. Below, we describe authentication and
authorization aspects, confidentiality and privacy requirements,
protection against denial of service attacks and anonymity
requirements. Additional discussion can be found in [6].
10.1 Authentication and Authorization
SEC-1: More rigorous: Prioritized access to network and end
system resources enumerated in Section 3 imposes particularly
stringent requirements on authentication and authorization
mechanisms since access to prioritized resources may impact
overall system stability and performance, not just result in theft
of, say, a single phone call.
The authentication and authorization requirements for ETS calls
are, in particular, much stronger than for emergency calls (112,
911), where wide access is the design objective, sacrificing
caller identification if necessary.
SEC-2: Attack protection: Under certain emergency conditions,
the network infrastructure, including its authentication and
authorization mechanism, may be under attack. Thus,
authentication and authorization must be able to survive such
attacks and defend the resources against these attacks.
Schulzrinne Informational [Page 12]
^L
RFC 3487 IEPREP SIP Requirements February 2003
Mechanisms to delegate authentication and to authenticate as early
as possible are required. In particular, the number of packets
and the amount of other resources such as computation or storage
that an unauthorized user can consume needs to be minimized.
Unauthorized users must not be able to block CSN resources, as
they are likely to be more scarce than packet resources. This
implies that authentication and authorization must take place on
the IP network side rather than using, say, a CSN circuit to
authenticate the caller via a DTMF sequence.
Given the urgency during emergency events, normal statistical
fraud detection may be less effective, thus placing a premium on
reliable authentication.
SIP nodes should be able to independently verify the authorization
of requests to receive prioritized service and not rely on
transitive trust within the network.
SEC-3: Independent of mechanism: Any indication of the resource
priority must be independent of the authentication mechanism,
since end systems will impose different constraints on the
applicable authentication mechanisms. For example, some end
systems may only allow user input via a 12-digit keypad, while
others may have the ability to acquire biometrics or read
smartcards.
SEC-4: Non-trusted end systems: Since ETS users may use devices
that are not their own, systems should support authentication
mechanisms that do not require the user to reveal her secret, such
as a PIN or password, to the device.
SEC-5: Replay: The authentication mechanisms must be resistant
to replay attacks.
SEC-6: Cut-and-paste: The authentication mechanisms must be
resistant to cut-and-paste attacks.
SEC-7: Bid-down: The authentication mechanisms must be resistant
to bid down attacks.
10.2 Confidentiality and Integrity
SEC-8: Confidentiality: All aspects of ETS are likely to be
sensitive and should be protected from unlawful intercept and
alteration. In particular, requirements for protecting the
confidentiality of communications relationships may be higher than
for normal commercial service. For SIP, the To, From,
Schulzrinne Informational [Page 13]
^L
RFC 3487 IEPREP SIP Requirements February 2003
Organization, Subject, Priority and Via header fields are examples
of particularly sensitive information. Callers may be willing to
sacrifice confidentiality if the only alternative is abandoning
the call attempt.
Unauthorized users must not be able to discern that a particular
request is using a resource priority mechanism, as that may reveal
sensitive information about the nature of the request to the
attacker. Information not required for request routing should be
protected end-to-end from intermediate SIP nodes.
The act of authentication, e.g., by contacting a particular
server, itself may reveal that a user is requesting prioritized
service.
SIP allows protection of header fields not used for request
routing via S/MIME, while hop-by-hop channel confidentiality can
be provided by TLS or IPsec.
10.3 Anonymity
SEC-9: Anonymity: Some users may wish to remain anonymous to the
request destination. For the reasons noted earlier, users have to
authenticate themselves towards the network carrying the request.
The authentication may be based on capabilities and noms, not
necessarily their civil name.
Clearly, they may remain anonymous towards the request
destination, using the network-asserted identity and general
privacy mechanisms [7,8].
10.4 Denial-of-Service Attacks
SEC-10: Denial-of-service: ETS systems are likely to be subject
to deliberate denial-of-service attacks during certain
types of emergencies. DOS attacks may be launched on the
network itself as well as its authentication and
authorization mechanism.
SEC-11: Minimize resource use by unauthorized users: Systems
should minimize the amount of state, computation and
network resources that an unauthorized user can command.
SEC-12: Avoid amplification: The system must not amplify attacks
by causing the transmission of more than one packet or SIP
request to a network address whose reachability has not
been verified.
Schulzrinne Informational [Page 14]
^L
RFC 3487 IEPREP SIP Requirements February 2003
11. Security Considerations
Section 10 discusses the security issues related to priority
indication for SIP in detail and derives requirements for the SIP
indicator. As discussed in Section 6, identification of priority
service should avoid multiple concurrent mechanisms, to avoid
allowing attackers to exploit inconsistent labeling.
12. Acknowledgements
Ran Atkinson, Fred Baker, Scott Bradner, Ian Brown, Ken Carlberg,
Janet Gunn, Kimberly King, Rohan Mahy and James Polk provided helpful
comments.
13. Normative References
[1] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
Peterson, J., Sparks, R., Handley, M. and E. Schooler, "SIP:
Session Initiation Protocol", RFC 3261, June 2002.
14. Informative References
[2] Lennox, J., Schulzrinne, H. and J. Rosenberg, "Common Gateway
Interface for SIP", RFC 3050, January 2001.
[3] Lennox J. and H. Schulzrinne, "CPL: A language for user control
of internet telephony services", Work in Progress.
[4] Zimmerer, E., Peterson, J., Vemuri, A., Ong, L., Audet, F.,
Watson, M. and M. Zonoun, "MIME media types for ISUP and QSIG
objects", RFC 3204, December 2001.
[5] Vemuri, A. and J. Peterson, "Session Initiation Protocol for
Telephones (SIP-T): (SIP-T)", BCP 63, RFC 3372, September 2002.
[6] Brown, I., "A security framework for emergency communications",
Work in Progress.
[7] Peterson, J., "A Privacy Mechanism for the Session Initiation
Protocol (SIP)", RFC 3323, November 2002.
[8] Watson, M., "Short Term Requirements for Network Asserted
Identity", RFC 3324, November 2002.
Schulzrinne Informational [Page 15]
^L
RFC 3487 IEPREP SIP Requirements February 2003
15. Author's Address
Henning Schulzrinne
Dept. of Computer Science
Columbia University
1214 Amsterdam Avenue
New York, NY 10027
USA
EMail: schulzrinne@cs.columbia.edu
Schulzrinne Informational [Page 16]
^L
RFC 3487 IEPREP SIP Requirements February 2003
16. Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Schulzrinne Informational [Page 17]
^L
|
