1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
|
Independent Submission M. Munakata
Request for Comments: 5379 S. Schubert
Category: Informational T. Ohba
ISSN: 2070-1721 NTT
February 2010
Guidelines for Using the Privacy Mechanism for SIP
Abstract
This is an informational document that provides guidelines for using
the privacy mechanism for the Session Initiation Protocol (SIP) that
is specified in RFC 3323 and subsequently extended in RFCs 3325 and
4244. It is intended to clarify the handling of the target SIP
headers/parameters and the Session Description Protocol (SDP)
parameters for each of the privacy header values (priv-values).
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any other
RFC stream. The RFC Editor has chosen to publish this document at
its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc5379.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Munakata Informational [Page 1]
^L
RFC 5379 SIP Privacy Guidelines February 2010
Table of Contents
1. Introduction ....................................................3
2. Terminology .....................................................3
3. Semantics of Existing priv-values ...............................4
4. Target for Each priv-value ......................................5
4.1. Target SIP Headers for Each priv-value .....................5
4.2. Target SDP Parameters for Each priv-value ..................6
4.3. Treatment of priv-value Not Supported by the
Privacy Service ............................................7
5. Recommended Treatment of User-Privacy-Sensitive Information .....7
5.1. Target SIP Headers .........................................7
5.1.1. Call-ID .............................................7
5.1.2. Call-Info ...........................................8
5.1.3. Contact .............................................8
5.1.4. From ................................................9
5.1.5. History-Info .......................................10
5.1.6. In-Reply-To ........................................10
5.1.7. Organization .......................................11
5.1.8. P-Asserted-Identity ................................11
5.1.9. Record-Route .......................................12
5.1.10. Referred-By .......................................13
5.1.11. Reply-To ..........................................14
5.1.12. Server ............................................14
5.1.13. Subject ...........................................15
5.1.14. User-Agent ........................................15
5.1.15. Via ...............................................15
5.1.16. Warning ...........................................16
5.2. Target SDP Parameters .....................................16
5.2.1. c/m Lines ..........................................16
5.2.2. o Line .............................................17
5.2.3. i/u/e/p Lines ......................................17
5.3. Considerations for Non-Target SIP Headers/Parameters ......17
5.3.1. Identity/Identity-Info .............................17
5.3.2. Path ...............................................18
5.3.3. Replaces Header/Parameter ..........................18
5.3.4. Route ..............................................21
5.3.5. Service-Route ......................................21
5.3.6. Target-Dialog ......................................21
6. Security Considerations ........................................21
7. Acknowledgements ...............................................22
8. References .....................................................22
8.1. Normative References ......................................22
8.2. Informative References ....................................22
Munakata Informational [Page 2]
^L
RFC 5379 SIP Privacy Guidelines February 2010
1. Introduction
This document clarifies the privacy mechanism for the Session
Initiation Protocol (SIP) [RFC3261] defined in [RFC3323], which was
later extended in [RFC3325] and [RFC4244]. This document describes
the practical manner of operations of the privacy mechanism as a
guideline and does not change the existing privacy mechanism.
In RFC 3323, the semantics of the basic set of priv-values (header,
session, user, none, and critical) is defined, but there are some
ambiguities in regards to the target information to be obscured per
priv-value, which are not explicitly specified. An ambiguity such as
this could result in different interpretations of privacy handling
for each of the priv-values defined, both at an entity setting a
Privacy header and at an entity processing a Privacy header, which
could have an adverse impact on interoperability.
Additional priv-values "id" and "history" are defined in RFCs 3325
and 4244, respectively.
In RFC 4244, the priv-value "history" is defined in order to request
privacy for History-Info headers, and the target to be obscured for
"history" priv-value is specified as only the History-Info headers.
In addition, the RFC clearly describes that History-Info headers are
also the target when "header"- and "session"-level privacy are
requested.
On the other hand, RFC 3325 defines the P-Asserted-Identity header
and a priv-value "id", which is used to request privacy for only the
P-Asserted-Identity header, but it does not specify how other priv-
values may impact the privacy handling of the P-Asserted-Identity
header. Because of this lack of specification, it has been observed
that some implementations are suffering from the inability to achieve
the intended privacy due to discrepancies in interpretations.
This document tries to clarify the SIP headers and SDP parameters to
be obscured for each of the priv-values to alleviate the potential
interoperability issues already seen due to a lack of explicit text.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Munakata Informational [Page 3]
^L
RFC 5379 SIP Privacy Guidelines February 2010
Note: This document is informational; therefore, it does not specify
any new normative behaviors of privacy mechanism. All the RFC
2119 language in this document is derived from the normative
text in the existing RFCs, such as RFC 3323.
priv-value:
Values registered with IANA to be used in the Privacy header.
Registered priv-values are "header", "session", "user", "none",
and "critical" defined in [RFC3323]; "id" defined in [RFC3325];
and "history" defined in [RFC4244].
privacy service:
A network entity that executes privacy functions before
forwarding messages to the next hop. It is sometimes
abbreviated to PS in this document.
user-level privacy:
Privacy for user-inserted information that can be anonymized by
the user agent itself.
3. Semantics of Existing priv-values
This section provides the semantics of each priv-value defined in
RFCs 3323, 3325, and 4244. The descriptions are taken from the IANA
registration.
Privacy Type Description Reference
------------- ---------------------------------- ----------
user Request that privacy services [RFC3323]
provide a user-level privacy function
header Request that privacy services modify [RFC3323]
headers that cannot be set arbitrarily
by the user (Contact/Via).
session Request that privacy services provide [RFC3323]
privacy for session media
none Privacy services must not perform any [RFC3323]
privacy function
critical Privacy service must perform the [RFC3323]
specified services or fail the request
id Privacy requested for Third-Party [RFC3325]
Asserted Identity
Munakata Informational [Page 4]
^L
RFC 5379 SIP Privacy Guidelines February 2010
history Privacy requested for [RFC4244]
History-Info header(s)
4. Target for Each priv-value
Tables in this section show the recommended treatment of SIP headers
and SDP parameters per priv-value. SIP headers and SDP parameters
not shown in the tables are regarded as non-targets of these priv-
values. Some non-target SIP headers/SDP parameters may carry
privacy-sensitive information that may need privacy treatment
regardless of the privacy level requested. This is further described
in 5.3.
The way in which SIP headers and SDP parameters listed here are
obscured may depend on the implementation and network policy. This
document does not prevent different variations that may exist based
on local policy but tries to provide recommendations for how a
privacy service treats SIP headers and SDP parameters.
Note: The scope of these tables is SIP headers and related parameters
specified in RFCs.
4.1. Target SIP Headers for Each priv-value
Table 1 below shows a recommended treatment of each SIP header for
each priv-value. Detailed descriptions of the recommended treatment
per SIP header are covered in Section 5.
The "where" column describes the request and response types in which
the header needs the treatment to maintain privacy. Values in this
column are:
R: The header needs the treatment when it appears in a request.
r: The header needs the treatment when it appears in a response.
The next five columns show the recommended treatment for each priv-
value:
delete: The header is recommended to be deleted at a privacy
service.
not add: The header is recommended not to be added at a privacy
service.
anonymize: The header is recommended to be anonymized at a privacy
service. How to anonymize the header depends on the header.
Details are given in Section 5.
Munakata Informational [Page 5]
^L
RFC 5379 SIP Privacy Guidelines February 2010
anonymize*: An asterisk indicates that the involvement of a
privacy service and treatment of the relevant header depend on
the circumstance. Details are given in Section 5.
Target headers where user header session id history
--------------------------------------------------------------------
Call-ID (Note) R anonymize - - - -
Call-Info Rr delete not add - - -
Contact R - anonymize - - -
From R anonymize - - - -
History-Info Rr - delete delete - delete
In-Reply-To R delete - - - -
Organization Rr delete not add - - -
P-Asserted-Identity Rr - delete - delete -
Record-Route Rr - anonymize - - -
Referred-By R anonymize* - - - -
Reply-To Rr delete - - - -
Server r delete not add - - -
Subject R delete - - - -
User-Agent R delete - - - -
Via R - anonymize - - -
Warning r anonymize - - - -
Table 1: Recommended PS behavior for each SIP header
Note: Any time a privacy service modifies a Call-ID, it MUST retain
the former and modified values as indicated in Section 5.3 in
RFC 3323. It MUST then restore the former value in a Call-ID
header and other corresponding headers and parameters (such as
In-Reply-To, Replaces, and Target-Dialog) in any messages that
are sent using the modified Call-ID to the originating user
agent. It should also modify a Call-ID header and other
corresponding headers/parameters (such as Target-Dialog and
"replaces" parameter) in any further relevant messages that are
sent by the originating user agent. Refer to Section 5.1.1
(Call-ID) for the detailed behavior.
Identity/Identity-Info, Path, Replaces, Route, Service-Route, and
Target-Dialog headers are not targets of these priv-values (and
should not be anonymized or modified by a privacy service based on a
priv-value in a Privacy header). Refer to Section 5.3 for details.
4.2. Target SDP Parameters for Each priv-value
The recommended PS behaviors for each SDP parameters are simple. The
c, m, o, i, u, e, and p lines in SIP request/response are recommended
to be anonymized when user privacy is requested with Privacy:session.
Munakata Informational [Page 6]
^L
RFC 5379 SIP Privacy Guidelines February 2010
4.3. Treatment of priv-value Not Supported by the Privacy Service
As specified in RFC 3323, if the priv-value of "critical" is present
in the Privacy header of a request, and if the privacy service is
incapable of performing all of the levels of privacy specified in the
Privacy header, it MUST fail the request with a 500 (Server Error)
response code as indicated in Section 5 in RFC 3323.
Since the protection of privacy is important, even if the priv-value
"critical" is not present in the Privacy header, the privacy service
should fail the request with a 500 response code when it is incapable
of performing all of the levels of privacy specified in the Privacy
header.
5. Recommended Treatment of User-Privacy-Sensitive Information
The following SIP headers and related parameters may concern privacy.
This section describes what kind of user-privacy-sensitive
information may be included in each SIP header/parameter, and how to
maintain privacy for such information at a user agent or a privacy
service when the information is indeed privacy-sensitive.
5.1. Target SIP Headers
This section describes privacy considerations and recommended
treatment for each SIP header that may reveal user-privacy-sensitive
information. This section goes into details about how each header
affects privacy, the desired treatment of the value by the user agent
and privacy service, and other instructions/additional notes
necessary to provide privacy.
5.1.1. Call-ID
This field frequently contains an IP address or hostname of a UAC
(User Agent Client) appended to the Call-ID value.
A user agent executing a user-level privacy function on its own
SHOULD substitute for the IP address or hostname that is frequently
appended to the Call-ID value a suitably long random value (the value
used as the 'tag' for the From header of the request might even be
reused) as indicated in Section 4.1 in RFC 3323.
A privacy service MAY anonymize the Call-ID header when the request
contains Privacy:user by substituting for the IP address or hostname
in the Call-ID a suitably long random value (such as a From tag
value) so that it is sufficiently unique as indicated in Section 5.3
in RFC 3323.
Munakata Informational [Page 7]
^L
RFC 5379 SIP Privacy Guidelines February 2010
Call-ID is essential to dialog matching, so any time a privacy
service modifies this field, it MUST retain the former value and
restore it in a Call-ID header in any messages that are sent to/by
the originating user agent inside the dialog as indicated in Section
5.3 in RFC 3323. A privacy service should be prepared to receive a
request outside the dialog containing the value of the Call-ID set by
the PS in other SIP headers (e.g., In-Reply-To/Replaces/
Target-Dialog), at least while the dialog state is active for the
dialog whose Call-ID was modified by that PS. When such a request is
received, the Call-ID value contained in the relevant headers
indicated above should be replaced by the retained value.
Note: This is possible only if the privacy service maintains the
state and retains all the information it modified to provide
privacy. Some PSs are known to encrypt information prior to
obfuscation in the Via header, etc. In this case, the PS
cannot correlate the modified Call-ID value with the original
Call-ID. Further challenges are imposed when the PS needs to
stay on a signaling path to ensure that it receives all the
messages targeted towards the caller for which a PS provides
privacy, especially when the request is out-of-dialog.
Refer to the corresponding sections, 5.1.6 (In-Reply-To), 5.3.3
(Replaces Header/Parameter), and 5.3.6 (Target-Dialog), for detailed
discussion.
5.1.2. Call-Info
This field contains additional information about the user.
A user agent executing a user-level privacy function on its own
SHOULD NOT add a Call-Info header as indicated in Section 4.1 in RFC
3323.
A privacy service MUST delete a Call-Info header if one exists when
user privacy is requested with Privacy:user as indicated in Section
5.3 in RFC 3323. A privacy service SHOULD NOT add a Call-Info header
when user privacy is requested with Privacy:header as indicated in
Section 5.1 in RFC 3323.
5.1.3. Contact
This field contains a URI used to reach the user agent for mid-dialog
requests and possibly out-of-dialog requests, such as REFER
[RFC3315]. Since the Contact header is essential for routing further
requests to the user agent, it must include a functional URI even
when it is anonymized.
Munakata Informational [Page 8]
^L
RFC 5379 SIP Privacy Guidelines February 2010
A user agent MUST NOT anonymize a Contact header, unless it can
obtain an IP address or contact address that is functional yet has a
characteristic of anonymity as indicated in Section 4.1.1.3 in RFC
3323.
Since RFC 3323 was published, there have been proposals that allow
UAs to obtain an IP address or contact address with a characteristic
of anonymity.
The mechanisms that are discussed at the time of this writing are
Globally Routable User Agent URIs (GRUU) [SIPGRUU], which provides a
functional Contact address with a short life span, making it ideal
for privacy sensitive calls, and Traversal Using Relays around NAT
(TURN) [TURN], through which an IP address of a relay can be obtained
for use in a Contact header.
A privacy service SHOULD anonymize a Contact header by replacing the
existing Contact header field value with the URI that dereferences to
the privacy service when user privacy is requested with
Privacy:header, as indicated in Section 5.1 in RFC 3323. This is
generally done by replacing the IP address or hostname with that of
the privacy service.
5.1.4. From
This field contains the identity of the user, such as display-name
and URI.
A user agent executing a user-level privacy function on its own
SHOULD anonymize a From header using an anonymous display-name and an
anonymous URI as indicated in Section 4.1 in RFC 3323.
A privacy service should anonymize a From header when user privacy is
requested with Privacy:user.
Note: This does not prevent a privacy service from anonymizing the
From header based on local policy.
The anonymous display-name and anonymous URI mentioned in this
section use display-name "Anonymous", a URI with "anonymous" in the
user portion of the From header, and the hostname value
"anonymous.invalid" as indicated in Section 4.1.1.3 in RFC 3323.
The recommended form of the From header for anonymity is:
From: "Anonymous" <sip:anonymous@anonymous.invalid>;tag=1928301774
Munakata Informational [Page 9]
^L
RFC 5379 SIP Privacy Guidelines February 2010
The tag value varies from dialog to dialog, but the rest of this
header form is recommended as shown.
5.1.5. History-Info
History-Info [RFC4244] header URIs to which the request was forwarded
or retargeted can reveal general routing information.
A user agent executing a user-level privacy function on its own
SHOULD NOT add a History-Info header as indicated in Section 3.3 in
RFC 4244.
A privacy service SHOULD delete the History-Info headers when user
privacy is requested with Privacy:header, Privacy:session, or
Privacy:history as indicated in Section 3.3 in RFC 4244.
The privacy could be also expressed for a specific History-Info entry
by inserting "privacy=history" in the History-Info header. In such a
case, a privacy service SHOULD delete the History-Info entry as
indicated in Section 4.3.3.1.1 in RFC 4244.
Refer to [RFC4244] for detailed behavior for dealing with History-
Info headers.
5.1.6. In-Reply-To
The In-Reply-To header contains a Call-ID of the referenced dialog.
The replying user may be identified by the Call-ID in an In-Reply-To
header.
Alice > INV(Call-ID:C1) > Bob
Bob > INV(In-Reply-To:C1) > Alice
In this case, unless the In-Reply-To header is deleted, Alice might
notice that the replying user is Bob because Alice's UA knows that
the Call-ID relates to Bob.
A user agent executing a user-level privacy function on its own
should not add an In-Reply-To header as implied in Section 4.1 in RFC
3323.
A privacy service MUST delete the In-Reply-To header when user
privacy is requested with Privacy:user as indicated in Section 5.3 in
RFC 3323.
In addition, since an In-Reply-To header contains the Call-ID of the
dialog to which it is replying, special attention is required, as
described in Section 5.1.1 (Call-ID), regardless of the priv-value or
Munakata Informational [Page 10]
^L
RFC 5379 SIP Privacy Guidelines February 2010
presence of a Privacy header. Once a privacy service modifies a
Call-ID in the request, a privacy service should restore the former
value in an In-Reply-To header, if present in the INVITE request
replying to the original request, as long as the privacy service
maintains the dialog state.
Example:
Alice > INV(Call-ID:C1, Privacy:user) > PS > INV(Call-ID:C2) > Bob
Bob > INV(In-Reply-To:C2, Privacy:none) > PS >
INV(In-Reply-To:C1) > Alice
Note: This is possible only if the privacy service maintains the
state and retains all the information that it modified to
provide privacy even after the dialog has been terminated,
which is unlikely. Call-back is difficult to achieve when a
privacy service is involved in forming the dialog to be
referenced.
5.1.7. Organization
This field contains additional information about the user.
A user agent executing a user-level privacy function on its own
should not add an Organization header as implied in Section 4.1 in
RFC 3323.
A privacy service MUST delete the Organization header if one exists
when user privacy is requested with Privacy:user as indicated in
Section 5.3 in RFC 3323. A privacy service SHOULD NOT add an
Organization header when user privacy is requested with Privacy:
header as indicated in Section 5.1 in RFC 3323.
5.1.8. P-Asserted-Identity
This header contains a network-verified and network-asserted identity
of the user sending a SIP message.
A privacy service MUST delete the P-Asserted-Identity headers when
user privacy is requested with Privacy:id as indicated in Section 7
in RFC 3325 and should delete the P-Asserted-Identity headers when
user privacy is requested with Privacy:header before it forwards the
message to an entity that is not trusted.
It is recommended for a privacy service to remove the P-Asserted-
Identity header if user privacy is requested with Privacy:id or
Privacy:header even when forwarding to a trusted entity, unless it
can be confident that the message will not be routed to an untrusted
entity without going through another privacy service.
Munakata Informational [Page 11]
^L
RFC 5379 SIP Privacy Guidelines February 2010
5.1.9. Record-Route
This field may reveal information about the administrative domain of
the user.
In order to hide Record-Route headers while keeping routability to
the sender, privacy services can execute a practice referred to as
"stripping". Stripping means removing all the Record-Route headers
that have been added to the request prior to its arrival at the
privacy service and then adding a single Record-Route header
representing itself. In this case, the privacy service needs to
retain the removed headers and restore them in a response.
Alternatively, privacy services can remove the Record-Route headers
and encrypt them into a single Record-Route header field. In this
case, the privacy service needs to decrypt the header and restore the
former values in a response.
A privacy service SHOULD strip or encrypt any Record-Route headers
that have been added to a message before it reaches the privacy
service when user privacy is requested with Privacy:header as
indicated in Section 5.1 in RFC 3323.
As in the case of a Call-ID, if a privacy service modifies the
Record-Route headers, it MUST be able to restore Route headers with
retained values as indicated in Section 5.1 in RFC 3323. Some
examples where the restoration of the Route headers is necessary and
unnecessary are given below.
When a UAC (Alice) requires privacy for a request, a privacy service
does not have to restore the Route headers in the subsequent request
(see Example 1).
On the other hand, when a UAS (User Agent Server) (Bob) requires
privacy for a response, a privacy service has to restore the Route
headers in the subsequent request (see Example 2).
Example 1:
Restoration of Route header is UNNECESSARY when UAC requires privacy
Alice > INV(Privacy:header) > P1 >
INV(Record-Route:P1, Privacy:header) > PS >
INV(Record-Route:PS) > P2 >
INV(Record-Route:P2,PS) > Bob
Bob > 200(Record-Route:P2,PS) > P2 > PS >
200(Record-Route:P2,PS,P1) > P1 > Alice
Alice > re-INV(Route:P2,PS,P1, Privacy:header) > P1 >
re-INV(Route:P2,PS, Privacy:header) > PS >
re-INV(Route:P2) > P2 > re-INV > Bob
Munakata Informational [Page 12]
^L
RFC 5379 SIP Privacy Guidelines February 2010
Alice P1 PS P2 Bob
| | | | |
| INV Priv |INV Priv RR:P1 | INV RR:PS | INV RR:P2,PS |
|---------------->|---------------->|---------------->|-------------->|
| | | | |
| 200 RR:P2,PS,P1 | 200 RR:P2,PS,P1 | 200 RR:P2,PS | 200 RR:P2,PS |
|<----------------|<----------------|<----------------|<--------------|
| | | | |
| INV R:P2,PS,P1 | INV R:P2,PS | INV R:P2 | INV |
|---------------->|---------------->|---------------->|-------------->|
| | | | |
Figure 1: Example when restoration of Route header is UNNECESSARY
Example 2:
Restoration of Route header is NECESSARY when UAS requires privacy
Alice > INV > P1 > INV(Record-Route:P1) > P2 >
INV(Record-Route:P2,P1) > Bob
Bob > 200(Record-Route:P2,P1, Privacy:header) > P2 > PS' >
200(Record-Route:PS',P1) > P1 > Alice
Alice > re-INV(Route:PS',P1) > P1 > re-INV(Route:PS') > PS' >
re-INV(Route:P2) > P2 > Bob
Alice P1 PS' P2 Bob
| | | | |
| INV |INV RR:P1 | | INV RR:P2,P1 |
|-------------->|---------------------------------->|---------------->|
| | | | |
| 200 RR:PS',P1 | 200 RR:PS',P1 |200 Priv RR:P2,P1|200 Priv RR:P2,P1|
|<--------------|<----------------|<----------------|<----------------|
| | | | |
| INV R:PS',P1 | INV R:PS' | INV R:P2 | INV |
|-------------->|---------------->|---------------->|---------------->|
| | | (Restored) | |
Figure 2: Example when restoration of Route header is NECESSARY
Note: In Figures 1 and 2, Priv means Privacy:header, RR means Record-
Route header, and R means Route header.
5.1.10. Referred-By
The Referred-By [RFC3892] header carries a SIP URI representing the
identity of the referrer.
The Referred-By header is an anonymization target when the REFER
request with the Referred-By header is sent by the user (referrer)
whose privacy is requested to be processed in the privacy service.
Munakata Informational [Page 13]
^L
RFC 5379 SIP Privacy Guidelines February 2010
A user agent that constructs REFER requests executing a user-level
privacy function on its own should anonymize a Referred-By header by
using an anonymous URI.
A privacy service should anonymize a Referred-By header in a REFER
request by using an anonymous URI when user privacy is requested with
Privacy:user.
On the other hand, the Referred-By header is not an anonymization
target when it appears in a request other than REFER (e.g., INVITE)
because the URI in the Referred-By header does not represent the
sender of the request.
Example 1:
Referrer requests no privacy and referee requests privacy
Alice > REF(Referred-By:Alice) > Bob
Bob > INV(Referred-By:Alice, Privacy:user) > PS >
INV(Referred-By:Alice) > Carol
Example 2:
Referrer requests privacy and referee requests privacy
Alice > REF(Referred-By:Alice, Privacy:user) > PS >
REF(Referred-By:X) > Bob
Bob > INV(Referred-By:X, Privacy:user) > PS >
INV(Referred-By:X) > Carol
5.1.11. Reply-To
This field contains a URI that can be used to reach the user on
subsequent call-backs.
A user agent executing a user-level privacy function on its own
should not add a Reply-To header in the message as implied in Section
4.1 in RFC 3323.
A privacy service MUST delete a Reply-To header when user privacy is
requested with Privacy:user as indicated in Section 5.3 in RFC 3323.
5.1.12. Server
This field contains information about the software used by the UAS to
handle the request.
A user agent executing a user-level privacy function on its own
should not add a Server header in the response as implied in Section
4.1 in RFC 3323.
Munakata Informational [Page 14]
^L
RFC 5379 SIP Privacy Guidelines February 2010
A privacy service must delete a Server header in a response when user
privacy is requested with Privacy:user. A privacy service SHOULD NOT
add a Server header in a response when user privacy is requested with
Privacy:header as indicated in Section 5.1 in RFC 3323.
5.1.13. Subject
This field contains free-form text about the subject of the call. It
may include text describing something about the user.
A user agent executing a user-level privacy function on its own
should not include any information identifying the caller in a
Subject header.
A privacy service MUST delete a Subject header when user privacy is
requested with Privacy:user as indicated in Section 5.3 in RFC 3323.
5.1.14. User-Agent
This field contains the UAC's information.
A user agent executing a user-level privacy function on its own
should not add a User-Agent header as implied in Section 4.1 in RFC
3323.
A privacy service MUST delete a User-Agent header when user privacy
is requested with Privacy:user as indicated in Section 5.3 in RFC
3323.
5.1.15. Via
The bottommost Via header added by a user agent contains the IP
address and port or hostname that are used to reach the user agent
for responses. Via headers added by proxies may reveal information
about the administrative domain of the user.
A user agent MUST NOT anonymize a Via header as indicated in Section
4.1.1.3 in RFC 3323, unless it can obtain an IP address that is
functional yet has a characteristic of anonymity. This may be
possible by obtaining an IP address specifically for this purpose
either from the service provider or through features such as TURN.
A privacy service SHOULD strip or encrypt any Via headers that have
been added prior to reaching the privacy service when user privacy is
requested with Privacy:header as indicated in Section 5.1 in RFC
3323. Refer to Section 5.1.9 (Record-Route) for details of stripping
and encryption.
Munakata Informational [Page 15]
^L
RFC 5379 SIP Privacy Guidelines February 2010
A privacy service MUST restore the original values of Via headers
when handling a response in order to route the response to the
originator as indicated in Section 5.1 in RFC 3323.
No Via stripping is required when handling responses.
5.1.16. Warning
This field may contain the hostname of the UAS.
A user agent executing a user-level privacy function on its own
should not include the hostname representing its identity in a
Warning header.
A privacy service should anonymize a Warning header by deleting the
hostname portion (if it represents a UAS's identity) from the header
when user privacy is requested with Privacy:user.
5.2. Target SDP Parameters
This section describes privacy considerations for each SDP [RFC4566]
parameter that may reveal information about the user.
When privacy functions for user-inserted information are requested to
be executed at a privacy service, user agents MUST NOT encrypt SDP
bodies in messages as indicated in Section 4.2 in RFC 3323.
5.2.1. c/m Lines
The c and m lines in the SDP body convey the IP address and port for
receiving media.
A user agent must not anonymize the IP address and port in the c and
m lines, unless it can obtain an IP address that is functional yet
has a characteristic of anonymity as implied in Section 4.1.1.3 in
RFC 3323. This may be possible by obtaining an IP address
specifically for this purpose either from the service provider or
through features such as TURN.
A privacy service must anonymize the IP address and port in c and m
lines using a functional anonymous IP address and port when user
privacy is requested with Privacy:session. This is generally done by
replacing the IP address and port present in the SDP with that of a
relay server.
Munakata Informational [Page 16]
^L
RFC 5379 SIP Privacy Guidelines February 2010
5.2.2. o Line
The username and IP address in this parameter may reveal information
about the user.
A user agent may anonymize the username in an o line by setting
username to "-" and anonymize the IP address in the o line by
replacing it with a value so that it is sufficiently unique.
A privacy service must anonymize the username and IP address in the o
line by setting the username to "-" and replacing the IP address with
a value so that it is sufficiently unique when user privacy is
requested with Privacy:session.
5.2.3. i/u/e/p Lines
These lines may contain information about the user.
A user agent executing a session-level privacy function on its own
should not include user's information in the i, u, e, and p lines.
A privacy service should modify the i, u, e, and p lines to delete
the user's identity information when user privacy is requested with
Privacy:session.
5.3. Considerations for Non-Target SIP Headers/Parameters
5.3.1. Identity/Identity-Info
The Identity [RFC4474] header field contains a signature used for
validating the identity. The Identity-Info header field contains a
reference to the certificate of the signer of Identity headers. An
Identity-Info header may reveal information about the administrative
domain of the user.
The signature in an Identity header provides integrity protection
over the From, To, Call-ID, Cseq, Date, and Contact headers and over
the message body. The integrity protection is violated if a privacy
service modifies these headers and/or the message body for the
purpose of user privacy protection.
Once those integrity-protected headers (such as From and Call-ID) are
modified, the Identity/Identity-Info header fields are not valid any
more. Thus, a privacy service acting on a request for Privacy:user,
Privacy:header, or Privacy:session can invalidate integrity
protection provided by an upstream authentication service that has
inserted Identity/Identity-Info header fields. The use of such a
privacy service should be avoided if integrity protect needs to be
Munakata Informational [Page 17]
^L
RFC 5379 SIP Privacy Guidelines February 2010
retained. Otherwise, if the privacy service invalidates the
integrity protection, it should remove the Identity/Identity-Info
header fields.
An authentication service downstream of the privacy service may add
Identity/Identity-Info header fields if the domain name of the From
header field URI has not been anonymized (e.g.,
'sip:anonymous@example.com'), which makes it possible for the service
to authenticate the UAC. This authenticated yet anonymous From
header means "this is a known user in my domain that I have
authenticated, but I am keeping its identity private" as indicated in
Section 12 in RFC 4474.
The desired deployment will have a privacy service located before or
co-located with the identity service; thus, integrity and privacy can
both be provided seamlessly.
5.3.2. Path
This field may contain information about the administrative domain
and/or the visited domain of the user agent. However, the Path
header is not the target of any priv-values.
Given that the Path header [RFC3327] only appears in REGISTER
requests/responses and is essential for a call to reach the
registered UA in the visited domain, it serves no purpose to withhold
or hide the information contained in the Path header; rather, it is
harmful.
The only reason privacy may be considered desirable is if the visited
domain wants to withhold its topology from the home domain of the
user. In doing so, the domain withholding the topology needs to
ensure that it provides sufficient information so that the home
domain can route the call to the visited domain, thus reaching the
UA.
However, anonymization of network-privacy-sensitive information is
out of scope.
5.3.3. Replaces Header/Parameter
The Replaces [RFC3891] header and the "replaces" parameter contain
identifiers of a dialog to be replaced, which are composed of Call-
ID, local tag, and remote tag.
Munakata Informational [Page 18]
^L
RFC 5379 SIP Privacy Guidelines February 2010
The sender of the INVITE with a Replaces header is usually not the
originating user agent or terminating user agent of the target dialog
to be replaced. Therefore, the Call-ID within the Replaces header is
unlikely to be generated by the sender, and thus this header is
outside the anonymization target per priv-value.
The "replaces" parameter, which appears in a Refer-To header in a
REFER request, is not the target of any particular priv-values
either. As described in Section 5.1.1 (Call-ID), regardless of the
priv-value or the presence of a Privacy header, once a privacy
service modifies a Call-ID in the request, it should monitor headers
that may contain Call-ID and restore the portion of the value
representing the modified Call-ID to the original Call-ID value in a
Replaces header received.
The main challenge for this to function properly is that a privacy
service has to be on a signaling path to the originator for every
dialog. This is generally not possible and results in REFER requests
not functioning at all times. This is a trade-off that is
anticipated when privacy is imposed.
The privacy requirements mentioned in Section 5.1.1 will cause the
Replaces header and "replaces" parameter to contain values that will
fail the resulting dialog establishment in some situations. This
loss of functionality is allowed and/or intended as illustrated above
(i.e., it is not the responsibility of a privacy service to ensure
that these features always work).
The functionality of the Replaces header/parameter when anonymized
depends on the circumstances in which it is used. REFER may work or
may not work depending on the following three criteria.
1. Who generated the Call-ID.
2. Where the privacy service is on the signaling path.
3. Who initiates the REFER with the "replaces" parameter.
A few examples that explore when the Replaces header/parameter works
or fails are given below.
Example 1:
Transfer initiated by the originator, PS added for first INV and REF
Alice > INV(Call-ID:C1, Privacy:user) > PS > INV(Call-ID:C2) > Bob
Alice > REF(Refer-To:Bob?Replaces=C1, Privacy:user) > PS >
REF(Refer-To:Bob?Replaces=C2) > Carol
Carol > INV(Replaces:C2) > Bob (SUCCEED)
Munakata Informational [Page 19]
^L
RFC 5379 SIP Privacy Guidelines February 2010
Example 2:
Transfer initiated by the originator, PS added only for first INV
Alice > INV(Call-ID:C1, Privacy:user) > PS > INV(Call-ID:C2) > Bob
Alice > REF(Refer-To:Bob?Replaces=C1) > Carol
Carol > INV(Replaces:C1) > Bob (FAIL)
Note: Example 2 would succeed if the same PS (that modifies the Call-
ID in the INVITE from Alice) is also added for REFER and
modifies the value in the "replaces" parameter from C1 to C2
even if there is no Privacy header in the REFER.
Example 3:
Transfer initiated by the originator, PS added only for REF
Alice > INV(Call-ID:C1) > INV(Call-ID:C1) > Bob
Alice > REF(Refer-To:Bob?Replaces=C1, Privacy:user) > PS >
REF(Refer-To:Bob?Replaces=C1) > Carol
Carol > INV(Replaces:C1, Privacy:user) > PS' >
INV(Replaces:C1) > Bob (SUCCEED)
Example 4:
Transfer initiated by the terminating party, PS added for both INV
Alice > INV(Call-ID:C1, Privacy:user) > PS > INV(Call-ID:C2) > Bob
Bob > REF(Refer-To:Alice?Replaces=C2) > Carol
Carol > INV(Replaces:C2) > PS > INV(Replaces:C1) > Alice (SUCCEED)
Note: Example 4 succeeds because the same PS (that modifies the Call-
ID in the INVITE from Alice) checks the incoming requests and
modifies the value in a Replaces header in the INVITE from
Carol to the former value of Call-ID (C1).
Example 5:
Hold, PS added only for first INV
Alice > INV(Call-ID:C1, Privacy:user) > PS > INV(Call-ID:C2) > Bob
Alice > REF(Refer-To:Bob?Replaces=C1) > Music-Server
Music-Server > INV(Replaces:C1) > Bob (FAIL)
Note: Example 5 would succeed if the same PS (that modifies the Call-
ID in the INVITE from Alice) is added for the INVITE from the
Music-Server and modifies the value in a Replaces header from
C1 to C2.
As the above examples show, in some scenarios, information carried in
the Replaces header/parameter would result in failure of the REFER.
This will not happen if the Call-ID is not modified at a privacy
service.
Munakata Informational [Page 20]
^L
RFC 5379 SIP Privacy Guidelines February 2010
5.3.4. Route
This field may contain information about the administrative domain of
the user agent, but the Route header is not the target of any priv-
values.
Route headers appear only in SIP requests to force routing through
the listed set of proxies. If a privacy service anonymizes the Route
header, the routing does not function. Furthermore, there is no risk
in revealing the information in the Route headers to further network
entities, including the terminating user agent, because a proxy
removes the value from the Route header when it replaces the value in
the Request-URI as defined in RFC 3261.
A privacy service that modifies Record-Route headers may need to
restore the values in Route headers as necessary. As indicated in
Section 5.1 in RFC 3323, if a privacy service modifies the Record-
Route headers, it MUST be able to restore Route headers with retained
values. Please refer to Section 5.1.9 (Record-Route) for further
detail and examples.
5.3.5. Service-Route
Service-Route headers [RFC3608] appear only in 200 OK responses to
REGISTER requests and contain information about the registrar. The
purpose of the privacy mechanism defined in RFC 3323 is to secure the
user's privacy, so the case where a registrar sets a Privacy header
is not considered here. Therefore, the Service-Route header is not
the target of any priv-values.
5.3.6. Target-Dialog
The Target-Dialog [RFC4538] header faces exactly the same issues as
seen for the Replaces header. Please refer to Section 5.3.3
(Replaces Header/Parameter) for why this is not a target for any
particular priv-values and how a privacy service still needs to
evaluate and modify the value contained, even if no privacy is
requested.
6. Security Considerations
This guideline document adds no new security considerations to those
discussed in [RFC3323], [RFC3325], and [RFC4244].
Munakata Informational [Page 21]
^L
RFC 5379 SIP Privacy Guidelines February 2010
7. Acknowledgements
The authors would like to thank John Elwell, Jon Peterson, Jonathan
Rosenberg, Mary Barnes, Paul Kyzivat, and Roland Jesske for their
reviews and comments.
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002.
[RFC3323] Peterson, J., "A Privacy Mechanism for the Session
Initiation Protocol (SIP)", RFC 3323, November 2002.
[RFC3325] Jennings, C., Peterson, J., and M. Watson, "Private
Extensions to the Session Initiation Protocol (SIP) for
Asserted Identity within Trusted Networks", RFC 3325,
November 2002.
[RFC4244] Barnes, M., Ed., "An Extension to the Session Initiation
Protocol (SIP) for Request History Information", RFC 4244,
November 2005.
8.2. Informative References
[TURN] Rosenberg, J., Mahy, R., and P. Matthews, "Traversal Using
Relays around NAT (TURN): Relay Extensions to Session
Traversal Utilities for NAT (STUN)", Work in Progress,
July 2008.
[SIPGRUU] Rosenberg, J., "Obtaining and Using Globally Routable User
Agent URIs (GRUUs) in the Session Initiation Protocol
(SIP)", RFC 5627, October 2009.
[RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
C., and M. Carney, "Dynamic Host Configuration Protocol
for IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3327] Willis, D. and B. Hoeneisen, "Session Initiation Protocol
(SIP) Extension Header Field for Registering Non-Adjacent
Contacts", RFC 3327, December 2002.
Munakata Informational [Page 22]
^L
RFC 5379 SIP Privacy Guidelines February 2010
[RFC3608] Willis, D. and B. Hoeneisen, "Session Initiation Protocol
(SIP) Extension Header Field for Service Route Discovery
During Registration", RFC 3608, October 2003.
[RFC3891] Mahy, R., Biggs, B., and R. Dean, "The Session Initiation
Protocol (SIP) "Replaces" Header", RFC 3891, September
2004.
[RFC3892] Sparks, R., "The Session Initiation Protocol (SIP)
Referred-By Mechanism", RFC 3892, September 2004.
[RFC4474] Peterson, J. and C. Jennings, "Enhancements for
Authenticated Identity Management in the Session
Initiation Protocol (SIP)", RFC 4474, August 2006.
[RFC4538] Rosenberg, J., "Request Authorization through Dialog
Identification in the Session Initiation Protocol (SIP)",
RFC 4538, June 2006.
[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", RFC 4566, July 2006.
Authors' Addresses
Mayumi Munakata
NTT Corporation
Phone: +81 422 36 7502
EMail: munakata.mayumi@lab.ntt.co.jp
Shida Schubert
NTT Corporation
EMail: shida@ntt-at.com
Takumi Ohba
NTT Corporation
9-11, Midori-cho 3-Chome
Musashino-shi, Tokyo 180-8585
Japan
Phone: +81 422 59 7748
EMail: ohba.takumi@lab.ntt.co.jp
Munakata Informational [Page 23]
^L
|