1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
|
Network Working Group O. Levin
Request for Comments: 4488 Microsoft Corporation
Category: Standards Track May 2006
Suppression of Session Initiation Protocol (SIP)
REFER Method Implicit Subscription
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
The Session Initiation Protocol (SIP) REFER extension as defined in
RFC 3515 automatically establishes a typically short-lived event
subscription used to notify the party sending a REFER request about
the receiver's status in executing the transaction requested by the
REFER. These notifications are not needed in all cases. This
specification provides a way to prevent the automatic establishment
of an event subscription and subsequent notifications using a new SIP
extension header field that may be included in a REFER request.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 2
4. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 3
5. Preventing Forking of REFER Requests . . . . . . . . . . . . . 4
6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
8. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
10.1. Normative References . . . . . . . . . . . . . . . . . . 7
10.2. Informative References . . . . . . . . . . . . . . . . . 7
Levin Standards Track [Page 1]
^L
RFC 4488 SIP REFER without Subscription May 2006
1. Introduction
The REFER specification [3] specifies that every REFER creates an
implicit subscription between the REFER-Issuer and the REFER-
Recipient.
This document defines a new SIP header field: "Refer-Sub" meaningful
within a REFER transaction only. This header field, when set to
"false", specifies that a REFER-Issuer requests that the REFER-
Recipient doesn't establish an implicit subscription and the
resultant dialog.
This document defines a new option tag: "norefersub". This tag, when
included in the Supported header field, indicates that a User Agent
(UA) is capable of accepting a REFER request without creating an
implicit subscription when acting as a REFER-Recipient.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1].
To simplify discussions of the REFER method and its extensions, the
three terms below are being used throughout the document:
o REFER-Issuer: the UA issuing the REFER request
o REFER-Recipient: the UA receiving the REFER request
o REFER-Target: the UA designated in the Refer-To Uniform Resource
Identifier (URI)
3. Motivation
The REFER specification mandates that every REFER creates an implicit
subscription between the REFER-Issuer and the REFER-Recipient. This
subscription results in at least one NOTIFY being sent from the
REFER-Recipient to the REFER-Issuer. The REFER-Recipient may choose
to cancel the implicit subscription with this NOTIFY. The REFER-
Issuer may choose to cancel this implicit subscription with an
explicit SUBSCRIBE (Expires: 0) after receipt of the initial NOTIFY.
One purpose of requiring the implicit subscription and initial NOTIFY
is to allow for the situation where the REFER request gets forked and
the REFER-Issuer needs a way to see the multiple dialogs that may be
established as a result of the forked REFER. This is the same
approach used to handle forking of SUBSCRIBE [4] requests. Where the
Levin Standards Track [Page 2]
^L
RFC 4488 SIP REFER without Subscription May 2006
REFER-Issuer explicitly specifies that forking not occur, the
requirement that an implicit subscription be established is
unnecessary.
Another purpose of the NOTIFY is to inform the REFER-Issuer of the
progress of the SIP transaction that results from the REFER at the
REFER-Recipient. In the case where the REFER-Issuer is already aware
of the progress of the requested operation, such as when the REFER-
Issuer has an explicit subscription to the dialog event package at
the REFER-Recipient, the implicit subscription and resultant NOTIFY
traffic related to the REFER can create an unnecessary network
overhead.
4. Definitions
This document defines a new SIP header field: "Refer-Sub". This
header field is meaningful and MAY be used with a REFER request and
the corresponding 2XX response only. This header field set to
"false" specifies that a REFER-Issuer requests that the REFER-
Recipient doesn't establish an implicit subscription and the
resultant dialog. Note that when using this extension, the REFER
remains a target refresh request (as in the default case -- when the
extension is not used).
This document adds the following entry to Table 2 of [2]. The
additions to this table are also provided for extension methods at
the time of publication of this document. This is provided as a
courtesy to the reader and is not normative in any way:
Header field where proxy ACK BYE CAN INV OPT REG MSG
Refer-Sub R, 2xx - - - - - - -
Header field where SUB NOT REF INF UPD PRA PUB
Refer-Sub R, 2xx - - o - - - -
The Refer-Sub header field MAY be encrypted as part of end-to-end
encryption.
The syntax of the header field follows the BNF defined below:
Refer-Sub = "Refer-Sub" HCOLON refer-sub-value *(SEMI exten)
refer-sub-value = "true" / "false"
exten = generic-param
where the syntax of generic-param is defined in [2].
Levin Standards Track [Page 3]
^L
RFC 4488 SIP REFER without Subscription May 2006
The "Refer-Sub" header field set to "false" MAY be used by the REFER-
Issuer only when the REFER-Issuer can be certain that the REFER
request will not be forked.
If the REFER-Recipient supports the extension and is willing to
process the REFER transaction without establishing an implicit
subscription, it MUST insert the "Refer-Sub" header field set to
"false" in the 2xx response to the REFER-Issuer. In this case, no
implicit subscription is created. Consequently, no new dialog is
created if this REFER was issued outside any existing dialog.
If the REFER-Issuer inserts the "Refer-Sub" header field set to
"false", but the REFER-Recipient doesn't grant the suggestion (i.e.,
either does not include the "Refer-Sub" header field or includes the
"Refer-Sub" header field set to "true" in the 2xx response), an
implicit subscription is created as in the default case.
This document also defines a new option tag, "norefersub". This tag,
when included in the Supported header field, specifies that a User
Agent (UA) is capable of accepting a REFER request without creating
an implicit subscription when acting as a REFER-Recipient.
The REFER-Issuer can know the capabilities of the REFER-Recipient
from the presence of the option tags in the Supported header field of
the dialog initiating request or response. Another way of learning
the capabilities would be by using presence, such as defined in [6].
However, if the capabilities of the REFER-Recipient are not known,
using the "norefersub" tag with the Require header field is NOT
RECOMMENDED. This is due to the fact that in the event the REFER-
Recipient doesn't support the extension, in order to fall back to the
normal REFER, the REFER-Issuer will need to issue a new REFER
transaction thus resulting in additional round-trips.
As described in Section 8.2.2.3 in [2], a REFER-Recipient will reject
a REFER request containing a Require: norefersub header field with a
420 (Bad Extension) response unless it supports this extension. Note
that Require: norefersub can be present with a Refer-Sub: false
header field.
5. Preventing Forking of REFER Requests
The REFER specification allows for the possibility of forking a REFER
request that is sent outside of an existing dialog. In addition, a
proxy may fork an unknown method type. Should forking occur, the
sender of the REFER with "Refer-Sub" will not be aware as only a
single 2xx response will be forwarded by the forking proxy. As a
result, the responsibility is on the issuer of the REFER with "Refer-
Sub" to ensure that no forking will result.
Levin Standards Track [Page 4]
^L
RFC 4488 SIP REFER without Subscription May 2006
If a REFER request to a given Request-URI might fork, the REFER-
Issuer SHOULD NOT include the "Refer-Sub" header field. The REFER-
Issuer SHOULD use standardized mechanisms for ensuring the REFER
request does not fork. In absence of any other mechanism, the
Request-URI of the REFER request SHOULD have Globally Routable User
Agent URI (GRUU) properties according to the definitions of [5] as
those properties ensure the request will not fork.
6. Example
An example of REFER that suppresses the implicit subscription is
shown below. Note that the conventions used in the SIP Torture Test
Messages [7] document are reused, specifically the <allOneLine> tag.
REFER sip:pc-b@example.com SIP/2.0
Via: SIP/2.0/TCP issuer.example.com;branch=z9hG4bK-a-1
From: <sip:a@example.com>;tag=1a
<allOneLine>
To: sip:b@example.com;opaque=urn:uuid:f8
1d4fae-7dec-11d0-a765-00a0c91e6bf6;grid=99a
</allOneLine>
Call-ID: 1@issuer.example.com
CSeq: 234234 REFER
Max-Forwards: 70
Refer-To: <sip:c@example.com;method=INVITE>
Refer-Sub: false
Supported: norefersub
Contact: sip:a@issuer.example.com
Content-Length: 0
7. IANA Considerations
This document registers a new SIP header field "Refer-Sub". This
header field is only meaningful for the REFER request defined in RFC
3515 [3] and the corresponding response. The following information
has been added to the SIP Header field sub-registry in the SIP
Parameters Registry:
o Header Name: Refer-Sub
o Compact Form: None
o Reference: RFC 4488
This document also registers a new SIP option tag, "norefersub",
adding it to the SIP Option Tags sub-registry in the SIP Parameters
Registry. The required information for this registration, as
specified in RFC 3261 [2], is:
Levin Standards Track [Page 5]
^L
RFC 4488 SIP REFER without Subscription May 2006
o Name: norefersub
o Description: This option tag specifies a User Agent ability of
accepting a REFER request without establishing an implicit
subscription (compared to the default case defined in RFC 3515
[3]).
8. Security Considerations
The purpose of this SIP extension is to modify the expected behavior
of the REFER-Recipient. The change in behavior is for the REFER-
Recipient not to establish a dialog and not to send NOTIFY messages
back to the REFER-Issuer. As such, a malicious inclusion of a
"Refer-Sub" header field set to "false" reduces the processing and
state requirements on the recipient. As a result, its use in a
denial-of-service attack seems limited.
On the other hand, by inserting a "Refer-Sub" header field set to
"false", a man-in-the-middle (MitM) can potentially exploit the
mechanism for easier (than an interception) suppression of the
notifications from the REFER-Receiver without the REFER-Issuer
noticing it. Also, by removing a "Refer-Sub" header field set to
"false", a MitM can cause the REFER-Receiver to generate
notifications over the implicit dialog that otherwise had been
suppressed by the REFER-Issuer.
To protect against these kinds of MitM attacks, integrity protection
should be used. For example, the REFER-Issuer could use S/MIME as
discussed in RFC 3261 [2] to protect against these kinds of attacks.
9. Acknowledgements
The SIP community would like to thank Sriram Parameswar for his
ideas, originally presented in "Suppressing Refer Implicit
Subscription" (October 2002), which served as the basis for this
specification.
Levin Standards Track [Page 6]
^L
RFC 4488 SIP REFER without Subscription May 2006
10. References
10.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
Session Initiation Protocol", RFC 3261, June 2002.
[3] Sparks, R., "The Session Initiation Protocol (SIP) Refer
Method", RFC 3515, April 2003.
[4] Roach, A.B., "Session Initiation Protocol (SIP)-Specific Event
Notification", RFC 3265, June 2002.
10.2. Informative References
[5] Rosenberg, J., "Obtaining and Using Globally Routable User Agent
(UA) URIs (GRUU) in the Session Initiation Protocol (SIP)",
Work in Progress, October 2005.
[6] Lonnfors, M. and K. Kiss, "Session Initiation Protocol (SIP)
User Agent Capability Extension to Presence Information Data
Format (PIDF)", Work in Progress, January 2006.
[7] Sparks, R., Ed., Hawrylyshen, A., Johnston, A., Rosenberg, J.,
and H. Schulzrinne, "Session Initiation Protocol (SIP) Torture
Test Messages", RFC 4475, May 2006.
Author's Address
Orit Levin
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
USA
Phone: 425-722-2225
EMail: oritl@microsoft.com
Levin Standards Track [Page 7]
^L
RFC 4488 SIP REFER without Subscription May 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Levin Standards Track [Page 8]
^L
|