1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
|
Network Working Group T. Froment
Request for Comments: 5658 Tech-invite
Category: Standards Track C. Lebel
B. Bonnaerens
Alcatel-Lucent
October 2009
Addressing Record-Route Issues in
the Session Initiation Protocol (SIP)
Abstract
A typical function of a Session Initiation Protocol (SIP) Proxy is to
insert a Record-Route header into initial, dialog-creating requests
in order to make subsequent, in-dialog requests pass through it.
This header contains a SIP Uniform Resource Identifier (URI) or SIPS
(secure SIP) URI indicating where and how the subsequent requests
should be sent to reach the proxy. These SIP or SIPS URIs can
contain IPv4 or IPv6 addresses and URI parameters that could
influence the routing such as the transport parameter (for example,
transport=tcp), or a compression indication like "comp=sigcomp".
When a proxy has to change some of those parameters between its
incoming and outgoing interfaces (multi-homed proxies, transport
protocol switching, or IPv4 to IPv6 scenarios, etc.), the question
arises on what should be put in Record-Route header(s). It is not
possible to make one header have the characteristics of both
interfaces at the same time. This document aims to clarify these
scenarios and fix bugs already identified on this topic; it formally
recommends the use of the double Record-Route technique as an
alternative to the current RFC 3261 text, which describes only a
Record-Route rewriting solution.
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Froment, et al. Standards Track [Page 1]
^L
RFC 5658 SIP Record-Route Fix October 2009
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
Table of Contents
1. Introduction ....................................................3
2. Terminology .....................................................3
3. Problem Statement ...............................................4
3.1. Background: Multi-Homed Proxies ............................4
3.2. Identified Problems ........................................5
4. Record-Route Rewriting ..........................................6
5. Double Record-Routing ...........................................6
6. Usage of Transport Protocol Parameter ..........................10
6.1. UA Implementation Problems and Recommendations ............10
6.2. Proxy Implementation Problems and Recommendations .........14
7. Conclusion .....................................................15
8. Security Considerations ........................................16
9. Acknowledgments ................................................16
10. References ....................................................17
10.1. Normative References .....................................17
10.2. Informative References ...................................17
Froment, et al. Standards Track [Page 2]
^L
RFC 5658 SIP Record-Route Fix October 2009
1. Introduction
Over the years, it has been noticed in interoperability events like
SIPit, that many implementations had interoperability problems due to
various Record-Routing issues or misinterpretations of [RFC3261]; in
particular, when a change occurs between the incoming and outgoing
sides of a proxy: transport protocol switching, "multi-homed" proxies
(including IPv4 to IPv6 interface changes), etc. Multiple documents
have addressed the question, each of them generally providing an
adequate recommendation for its specific use case, but none of them
gives a general solution or provides a coherent set of
clarifications:
- [RFC3486], Section 6, describes the double Record-Routing as an
alternative to the Record-Route rewriting in responses. This
document is limited in scope to the "comp=sigcomp" parameter
when doing compression with Signalling Compression (SIGCOMP).
- [RFC3608], Section 6.2, recommends the usage of double Record-
Routing instead of the rewriting solution described in [RFC3261]
for "Dual-homed" proxies. Those are defined as "proxies
connected to two (or more) different networks such that requests
are received on one interface and proxied out through another
network interface".
- Section 3.1.1 of [V6Tran] mandates double Record-Routing for
multi-homed proxies doing IPv4/IPv6 transitions, when the proxy
inserts IP addresses in the Record-Route header URI.
The observed interoperability problems can be explained by the fact
that, despite these multiple documents, the RFC 3261 description has
not been changed, and many implementations don't support extensions
like Service-Route ([RFC3608]) or SIGCOMP ([RFC3486]).
This document also aims to clarify an identified bug referenced in
[BUG664]. In particular, it takes into account the [BUG664]
recommendation, which says that "the language that describes this,
needs to clearly capture that this applies to all types of different
interface on each side issues, including IPv4 on one side and IPv6 on
the other".
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Froment, et al. Standards Track [Page 3]
^L
RFC 5658 SIP Record-Route Fix October 2009
3. Problem Statement
3.1. Background: Multi-Homed Proxies
A multi-homed proxy is a proxy connected, like a router, to two or
more different networks, with an interface into each network, such
that traffic comes "in" one network and goes "out" a different one.
A simple example is shown here:
+-----+
| UA1 |
+--+--+
| .66
192.0.2.64/26 |
----------------+---+-...
|
| .65
+-+-+
| P |
+-+-+
| .129
| 192.0.2.128/26
...---+------+------------------
|
| .130
+--+--+
| UA2 |
+--+--+
Figure 1: Multi-Homed Proxy Illustration
UA1 has one interface with IP address 192.0.2.66.
The Proxy P has two interfaces and two addresses:
--192.0.2.65
--192.0.2.129
UA2 has one interface with address, 192.0.2.130. There is
potentially no IP-level route between UA1 and UA2 (pinging or
traceroute does not work between these two hosts). They live in
entirely different subnetworks. But they can still exchange SIP
messages, because P is a SIP Proxy. This works in SIP because P can
apply Record-Routing.
Froment, et al. Standards Track [Page 4]
^L
RFC 5658 SIP Record-Route Fix October 2009
In most cases, there is still some IP connectivity between UA1 and
UA2, but SIP proxy has to manage the SIP traffic between the two
different "sides", e.g., with two different IP addresses, or one side
using SIGCOMP and the other side not, etc.
3.2. Identified Problems
Handling of the Record-Route header in SIP Proxies is specified by
following sections of [RFC3261]:
On the request processing side, [RFC3261], item 4 of Section 16.6
states that:
The URI placed in the Record-Route header field value MUST be a
SIP or SIPS URI. [...] The URI SHOULD NOT contain the transport
parameter unless the proxy has knowledge (such as in a private
network) that the next downstream element that will be in the path
of subsequent requests supports that transport.
Following this statement, it is not clear how to decide when the
proxy should insert the transport protocol parameter in the Record-
Route URI.
On the response processing side, [RFC3261] recommends in step 8 of
Section 16.7 that:
If the selected response contains a Record-Route header field
value originally provided by this proxy, the proxy MAY choose to
rewrite the value before forwarding the response. This allows the
proxy to provide different URIs for itself to the next upstream
and downstream elements. A proxy may choose to use this mechanism
for any reason. For instance, it is useful for multi-homed hosts.
If the proxy received the request over Transport Layer Security
(TLS), and sent it out over a non-TLS connection, the proxy MUST
rewrite the URI in the Record-Route header field to be a SIPS URI.
Note that [RFC5630] has weakened the SIP/SIPS URI rewriting
requirement in the Record-Route header by removing this second
paragraph.
Indeed, [RFC3261] suggests rewriting the Record-Route header in
responses.
This list highlights the utility of rewriting and double Record-
Routing techniques that apply for any multi-homed proxy use case:
whenever the proxy changes its IP address, the transport protocol, or
the URI scheme between incoming and outgoing interfaces. Rewriting
Froment, et al. Standards Track [Page 5]
^L
RFC 5658 SIP Record-Route Fix October 2009
and double Record-Routing are described, compared, and discussed in
Sections 4 and 5; the specific question of whether or not to insert
the transport parameter in the Record-Route URI is then discussed in
Section 6.
4. Record-Route Rewriting
As frequently outlined in IETF mailing list discussions, Record-Route
rewriting in responses is not the optimal way of handling multi-
homed and transport protocol switching situations. Additionally, the
consequence of doing rewriting is that the route set seen by the
caller is different from the route set seen by the callee, and this
has at least two negative implications:
1) The callee cannot sign the route set, because it gets edited by
the proxy in the response. Consequently, end-to-end protection of
the route set cannot be supported by the protocol. This means the
Internet's principles of openness and end-to-end connectivity are
broken.
2) A proxy must implement special "multi-homed" logic. During the
request forwarding phase, it performs an output interface
calculation and writes information resolving to the output
interface into the URI of the Record-Route header. When handling
responses, the proxy must inspect the Record-Route header(s), look
for an input interface, and selectively edit them to reference the
correct output interface. Since this lookup has to be done for
all responses forwarded by the proxy, this technique implies a CPU
drag.
Therefore, this document recommends using the double Record-Route
approach to avoid rewriting the Record-Route. This recommendation
applies to all uses of Record-Route rewriting by proxies, including
transport protocol switching and multi-homed proxies.
5. Double Record-Routing
The serious drawbacks of the rewriting technique explain why the
double Record-Routing solution has consequently been recommended in
SIP extensions like [RFC3486] or [RFC3608].
This technique consists of inserting before any existing Record-Route
header, a Record-Route header with the URI reflecting to the input
interface, including schemes and/or URI parameters, and secondly, a
Record-Route header with the URI reflecting to the output interface.
When processing the response, no modification of the recorded route
is required. This is completely backward compatible with [RFC3261].
Generally speaking, the time complexity will be less in double
Froment, et al. Standards Track [Page 6]
^L
RFC 5658 SIP Record-Route Fix October 2009
Record-Routing since, on processing the response, the proxy does not
have to do any rewrites (and thus, no searching). Moreover, the
handling of in-dialog requests and responses requires no special
handling anymore.
When double Record-Routing, the proxy will have to handle the
subsequent in-dialog request(s) as a spiral, and consequently devote
resources to maintain transactions required to handle the spiral.
What is considered to be a spiraling request is explained in Section
6 of [RFC3261]. In order to avoid a spiral, the proxy can be smart
and scan an extra Route header ahead to determine whether the request
will spiral through it. If it does, it can optimize the second
spiral through itself. Even though this is an implementation
decision, it is much more efficient to avoid spiraling. So, this
means, in Section 16.4, "Route Information Preprocessing" [RFC3261],
implementors can choose that a proxy MAY remove two Route headers
instead of one when using the double Record-Routing.
The following example is an extension of the example given in
[V6Tran]. It illustrates a basic call flow using double Record-
Routing in a multi-homed IPv4 to IPv6 proxy, and annotates the dialog
state on each User Agent (UA). In this example, proxy P1,
responsible for the domain biloxy.example.com, receives a request
from an IPv4-only upstream client. It proxies this request to an
IPv6-only downstream server. Proxy P1 is running on a dual-stack
host; on the IPv4 interface, it has an address of 192.0.2.254. On
the IPv6 interface, it is configured with an address of 2001:db8::1.
Some mandatory SIP headers have been omitted to ease readability.
Froment, et al. Standards Track [Page 7]
^L
RFC 5658 SIP Record-Route Fix October 2009
UA1 Proxy "P1" UA2
(IPv4) (IPv4/IPv6) (IPv6)
| | |
| F1 INVITE | |
|------------------->| F2 INVITE |
| |------------------->|
| 100 Trying | |
|<-------------------| |
| | F3 200 OK |
| F4 200 OK |<-------------------|
|<-------------------| |
| | |
| F5 ACK | |
|------------------->| F6 ACK |
| |------------------->|
| | |
| | F7 BYE |
| F8 BYE |<-------------------|
|<-------------------| |
Figure 2: IPv4 to IPv6 Multi-Homed Proxy Illustration
F1 INVITE UA1 -> P1 (192.0.2.254:5060)
INVITE sip:bob@biloxi.example.com SIP/2.0
Route: <sip:192.0.2.254:5060;lr>
From: Alice <sip:alice@atlanta.example.com>;tag=1234
To: Bob <sip:bob@biloxi.example.com>
Contact: <sip:alice@192.0.2.1>
F2 INVITE P1 (2001:db8::1) -> UA2
INVITE sip:bob@biloxi.example.com SIP/2.0
Record-Route: <sip:[2001:db8::1];lr>
Record-Route: <sip:192.0.2.254:5060;lr>
From: Alice <sip:alice@atlanta.example.com>;tag=1234
To: Bob <sip:bob@biloxi.example.com>
Contact: <sip:alice@192.0.2.1>
Dialog State at UA2:
Local URI = sip:bob@biloxi.example.com
Remote URI = sip:alice@atlanta.example.com
Remote target = sip:alice@192.0.2.1
Route Set = sip:[2001:db8::1];lr
sip:192.0.2.254:5060:lr
Froment, et al. Standards Track [Page 8]
^L
RFC 5658 SIP Record-Route Fix October 2009
F3 200 OK UA2 -> P1 (2001:db8::1)
SIP/2.0 200 OK
Record-Route: <sip:[2001:db8::1];lr>
Record-Route: <sip:192.0.2.254:5060;lr>
From: Alice <sip:alice@atlanta.example.com>;tag=1234
To: Bob <sip:bob@biloxi.example.com>;tag=4567
Contact: <sip:bob@[2001:db8::33]>
F4 200 OK P1 -> UA1
SIP/2.0 200 OK
Record-Route: <sip:[2001:db8::1];lr>
Record-Route: <sip:192.0.2.254:5060;lr>
From: Alice <sip:alice@atlanta.example.com>;tag=1234
To: Bob <sip:bob@biloxi.example.com>;tag=4567
Contact: <sip:bob@[2001:db8::33]>
Dialog State at UA1:
Local URI = sip:alice@atlanta.example.com
Remote URI = sip:bob@biloxi.example.com
Remote target = sip:bob@[2001:db8::33]
Route Set = sip:192.0.2.254:5060:lr
sip:[2001:db8::1];lr
F5 ACK UA1 -> P1 (192.0.2.254:5060)
ACK sip:bob@[2001:db8::33] SIP/2.0
Route: <sip:192.0.2.254:5060:lr>
Route: <sip:[2001:db8::1];lr>
From: Alice <sip:alice@atlanta.example.com>;tag=1234
To: Bob <sip:bob@biloxi.example.com>;tag=4567
F6 ACK P1 (2001:db8::1) -> UA2
ACK sip:bob@[2001:db8::33] SIP/2.0
From: Alice <sip:alice@atlanta.example.com>;tag=1234
To: Bob <sip:bob@biloxi.example.com>;tag=4567
(both Route headers have been removed by the proxy)
F7 BYE UA2 -> P1 (2001:db8::1)
BYE sip:alice@192.0.2.1 SIP/2.0
Route: <sip:[2001:db8::1];lr>
Route: <sip:192.0.2.254:5060:lr>
From: Bob <sip:bob@biloxi.example.com>;tag=4567
To: Alice <sip:alice@atlanta.example.com>;tag=1234
Froment, et al. Standards Track [Page 9]
^L
RFC 5658 SIP Record-Route Fix October 2009
F8 BYE P1 (192.0.2.254:5060) -> UA1
BYE sip:alice@192.0.2.1 SIP/2.0
From: Bob <sip:bob@biloxi.example.com>;tag=4567
To: Alice <sip:alice@atlanta.example.com>;tag=1234
Figure 3: Multi-Homed IPv4 to IPv6 Double Record-Routing Illustration
6. Usage of Transport Protocol Parameter
This section describes a set of problems that is related to the usage
of transport protocol URI parameters in the Record-Route header. In
some circumstances, interoperability problems occur because it is not
clear whether or not to include the transport parameter on the URI of
the Record-Route header. This was identified as a frequent problem
in past SIPit events.
[RFC3261], step 8 of Section 16.7 says:
The URI SHOULD NOT contain the transport parameter unless the
proxy has knowledge (such as in a private network) that the next
downstream element that will be in the path of subsequent requests
supports that transport.
The preceding seems to confuse implementors, resulting in proxies
that insert a single Record-Route without a transport URI parameter,
resulting in the problems described in this section.
6.1. UA Implementation Problems and Recommendations
Consider the following scenario: a SIP proxy, doing TCP to UDP
transport protocol switching.
In this example, proxy P1, responsible for the domain
biloxy.example.com, receives a request from Alice UA1, which uses
TCP. It proxies this request to Bob UA2, which registered with a
Contact specifying UDP as transport protocol. Thus, P1 receives an
initial request from Alice over TCP and forwards it to Bob over UDP.
For subsequent requests, it is expected that TCP could continue to be
used between Alice and P1, and UDP between P1 and Bob, but this can
not happen if a numeric IP address is used and no transport parameter
is set on Record-Route URI. This happens because of procedures
described in [RFC3263]. Some mandatory SIP headers have been omitted
to ease readability.
Froment, et al. Standards Track [Page 10]
^L
RFC 5658 SIP Record-Route Fix October 2009
Alice UA1 ===== TCP ===== Proxy P1 ===== UDP ===== Bob UA2
| | |
| F1 INVITE | |
|----------------------->| F2 INVITE |
| |------------------------>|
| 100 Trying | |
|<-----------------------| |
| | F3 200 OK |
| F4 200 OK |<------------------------|
|<-----------------------| |
| | |
| F5 ACK | |
|---(sent over UDP) X--->| ACK |
| |------------------------>|
| | |
| | F6 BYE |
| BYE |<------------------------|
|<-----------------------| |
Figure 4: TCP to UDP Transport Protocol
Switching Issue Illustration
F1 INVITE UA1 -> P1 (192.0.2.1/tcp)
INVITE sip:bob@biloxi.example.com SIP/2.0
Route: <sip:192.0.2.1;lr;transport=tcp>
From: Alice <sip:alice@atlanta.example.com>;tag=1234
To: Bob <sip:bob@biloxi.example.com>
Contact: <sip:alice@ua1.atlanta.example.com;transport=tcp>
F2 INVITE P1 -> UA2 (ua2.biloxi.example.com/udp)
INVITE sip:bob@ua2.biloxi.example.com;transport=udp SIP/2.0
Record-Route: <sip:192.0.2.1;lr> (NO transport param)
From: Alice <sip:alice@atlanta.example.com>;tag=1234
To: Bob <sip:bob@biloxi.example.com>
Contact: <sip:alice@ua1.atlanta.example.com;transport=tcp>
Dialog State at UA2:
Local URI = sip:bob@biloxi.example.com
Remote URI = sip:alice@atlanta.example.com
Remote target = sip:alice@ua1.atlanta.example.com;transport=tcp
Route Set = sip:192.0.2.1;lr
Froment, et al. Standards Track [Page 11]
^L
RFC 5658 SIP Record-Route Fix October 2009
F3 200 OK UA2 -> P1 (192.0.2.1/udp)
SIP/2.0 200 OK
Record-Route: <sip:192.0.2.1;lr>
From: Alice <sip:alice@atlanta.example.com>;tag=1234
To: Bob <sip:bob@biloxi.example.com>;tag=4567
Contact: <sip:bob@ua2.biloxi.example.com>
F4 200 OK P1 -> UA1 (ua1.atlanta.example.com/tcp)
SIP/2.0 200 OK
Record-Route: <sip:192.0.2.1;lr>
From: Alice <sip:alice@atlanta.example.com>;tag=1234
To: Bob <sip:bob@biloxi.example.com>;tag=4567
Contact: <sip:bob@ua2.biloxi.example.com>
Dialog State at UA1:
Local URI = sip:alice@atlanta.example.com
Remote URI = sip:bob@biloxi.example.com
Remote target = sip:bob@ua2.biloxi.example.com
Route Set = sip:192.0.2.1;lr
F5 ACK UA1 -> P1 (192.0.2.1/udp)
ACK sip:bob@ua2.biloxi.example.com SIP/2.0
Route: <sip:192.0.2.1;lr>
From: Alice <sip:alice@atlanta.example.com>;tag=1234
To: Bob <sip:bob@biloxi.example.com>;tag=4567
F6 BYE UA2 -> P1 (192.0.2.1/udp)
BYE sip:alice@ua1.atlanta.example.com;transport=tcp SIP/2.0
Route: <sip:192.0.2.1;lr>
From: Bob <sip:bob@biloxi.example.com>;tag=4567
To: Alice <sip:alice@atlanta.example.com>;tag=1234
Figure 5: TCP to UDP Transport Protocol
Switching Issue Description
Since the proxy P1 does not insert any transport parameter in the
Record-Route URI, subsequent in-dialog requests of UA1, like the ACK
sent in F5, will be sent according to the behavior specified in
Section 12.2 (requests within a Dialog) of [RFC3261]. That means
that the routeset is used, and then, applying [RFC3263], the Route
"sip:192.0.2.1" will resolve to a UDP transport by default (since no
transport parameter is present here), and no Naming Authority Pointer
(NAPTR) request will be performed since this is a numeric IP address.
Froment, et al. Standards Track [Page 12]
^L
RFC 5658 SIP Record-Route Fix October 2009
In general, the interoperability problems arise when UA1 is trying to
send the ACK: it is not ready to change its transport protocol for a
mid-dialog request and just fails to do so, requiring the proxy
implementor to insert the transport protocol in the Record-Route URI.
What happens if the proxy had Record-Routed its logical name
(biloxi.example.com)? Since Bob is to be contacted over UDP,
protocol switching will be avoided only if the resulting transport
protocol of [RFC3263] procedures is UDP. For any other resulting
transport protocol, the transport protocol switching issue described
above will occur. Also, if one of the UAs sends an initial request
using a different transport than the one retrieved from DNS, this
scenario would be problematic.
In practice, there are multiple situations where UA implementations
don't use logical names and NAPTR records when sending an initial
request to a proxy. This happens, for instance, when:
1) UAs offer the ability to "choose" the transport to be used for
initial requests, even if they support [RFC3263]. This is a
frequent UA functionality that is justified by the following use
cases:
- when it is not possible to change the DNS server configuration
and the implementation doesn't support all the transport
protocols that could be configured by default in DNS (e.g.,
TLS).
- when the end-user wants to choose his transport protocol for
whatever reason, e.g., needing to force TCP, avoiding
UDP/congestion, retransmitting, or fragmenting, etc.
This ability to force the transport protocol in UAs for initial
requests SHOULD be avoided: selecting the transport protocol in the
configuration of an outbound proxy means that [RFC3263] procedure is
bypassed for initial requests. As a consequence, if the proxy
Record-Routed with no transport parameter as is recommended in
[RFC3261], the UA will be forced to use the [RFC3263]-preferred
transport for subsequent requests anyway, which leads to the
problematic scenario described in Figure 4.
2) UAs decide to always keep the same transport for a given dialog.
This choice is erratic, since if the proxy is not Record-Routing,
the callee MAY receive the subsequent request through a transport
that is not the one put in its Contact. If a UA really wants to
avoid transport protocol switching between the initial and
subsequent request, it SHOULD rely on DNS records for that; thus,
Froment, et al. Standards Track [Page 13]
^L
RFC 5658 SIP Record-Route Fix October 2009
it SHOULD avoid configuring statically the outbound proxy with a
numeric IP address. A logical name, with no transport parameter,
SHOULD be used instead.
3) UAs don't support [RFC3263] at all, or don't have any DNS server
available. In that case, as illustrated previously, forcing UA1
to switch from TCP to UDP between initial request and subsequent
request(s) is clearly not the desired default behavior, and it
typically leads to interoperability problems. UA implementations
SHOULD then be ready to change the transport protocol between
initial and subsequent requests. In theory, any UA or proxy using
UDP must also be prepared to use TCP for requests that exceed the
size limit of path MTU, as described in Section 18.1.1 of
[RFC3261].
6.2. Proxy Implementation Problems and Recommendations
In order to prevent UA implementation problems, and to maintain a
reasonable level of interoperability, the situation can be improved
on the proxy side. Thus, if the transport protocol changed between
its incoming and outgoing sides, the proxy SHOULD use the double
Record-Route technique and SHOULD add a transport parameter to each
of the Record-Route URIs it inserts. When TLS is used on the
transport on either side of the proxy, the URI placed in the Record-
Route header field MUST encode a next-hop that will be reached using
TLS. There are two ways for this to work. The first way is for the
URI placed in the Record-Route to be a SIPS URI. The second is for
the URI placed in the Record-Route to be constructed such that
application of [RFC3263] resolution procedures to that URI results in
TLS being selected. Proxies compliant with this specification MUST
NOT use a "transport=tls" parameter on the URI placed in the Record-
Route because the "transport=tls" usage was deprecated by [RFC3261].
Record-Route rewriting MAY also be used. However, the recommendation
to put a transport protocol parameter on Record-Route URI does not
apply when the proxy has changed the transport protocol due to the
size of UDP requests as per Section 18.1.1 of [RFC3261]. As an
illustration of the previous example, it means one of the following
processing will be performed:
- Double Record-Routing: the proxy inserts two Record-Route headers
into the SIP request. The first one is set, in this example, to
Record-Route: <sip:192.0.2.1;lr;transport=tcp>, the second one is
set to Record-Route: <sip:192.0.2.1;lr> with no transport, or with
transport=udp, which basically means the same thing.
- Record-Route rewriting on responses: in the INVITE request sent in
F2, the proxy puts the outgoing transport protocol in the transport
parameter of Record-Route URI. Doing so, UA2 will correctly send
Froment, et al. Standards Track [Page 14]
^L
RFC 5658 SIP Record-Route Fix October 2009
its BYE request in F6 using the same transport protocol as previous
messages of the same dialog. The proxy rewrites the Record-Route
when processing the 200 OK response, changing the transport
parameter "on the fly" to "transport=tcp", so that the Route set
will appear to be <sip:192.0.2.1;lr;transport=tcp> for UA1 and
<sip:192.0.2.1;lr;transport=udp> for UA2.
It is a common practice in proxy implementations to support double
Record-Route AND to insert the transport parameter in the Record-
Route URI. This practice is acceptable as long as all SIP elements
that may be in the path of subsequent requests support that
transport. This restriction needs an explanation. Let's imagine you
have two proxies, P1 at "p1.biloxi.example.com" and P2 on the path of
an initial request. P1 is Record-Routing and changes the transport
from UDP to Stream Control Transmission Protocol (SCTP) because the
P2 URI resolves to SCTP applying [RFC3263]. Consequently, the proxy
P1 inserts two Record-Route headers:
Record-Route: <sip:p1.biloxi.example.com;transport=udp> and
Record-Route: <sip:p1.biloxi.example.com;transport=sctp>.
The problem arises if P2 is not Record-Routing, because the SIP
element downstream of P2 will be asked to reach P1 using SCTP for any
subsequent, in-dialog request from the callee, and this downstream
SIP element may not support that transport.
In order to handle this situation, this document recommends that a
proxy SHOULD apply the double Record-Routing technique as soon as it
changes the transport protocol between its incoming and outgoing
sides. If proxy P2 in the example above would follow this
recommendation, it would perform double Record-Routing and the
downstream element would not be forced to send requests over a
transport it does not support.
By extension, a proxy SHOULD also insert a Record-Route header for
any multi-homed situation (as the ones described in this document:
scheme changes, sigcomp, IPv4/IPv6, transport changes, etc.) that may
impact the processing of proxies being on the path of subsequent
requests.
7. Conclusion
As a conclusion of this document, it is to notice that:
- Record-Route rewriting is presented as a technique that MAY be
used, with the drawbacks outlined in Section 4.
Froment, et al. Standards Track [Page 15]
^L
RFC 5658 SIP Record-Route Fix October 2009
- Double Record-Routing is presented as the technique that SHOULD be
used, and is documented in Section 5.
- Record-Route header interoperability problems on transport protocol
switching scenarios have been outlined and described in Section 6.
This last section gives some recommendations to UA and proxy
implementations to improve the situation. Proxies SHOULD use
double Record-Routing for any multi-homed situation that MAY impact
the further processing, and they SHOULD put transport protocol
parameters on Record-Route URIs in some circumstances. UAs SHOULD
NOT offer options to overwrite the transport for initial requests.
Further, UAs SHOULD rely on DNS to express their desired transport
and SHOULD avoid IP addresses with transport parameters in this
case. Finally, UAs SHOULD be ready to switch transports between
the initial request and further in-dialog messages.
8. Security Considerations
The recommendations in this document describe a way to use the
existing protocol specified in RFC 3261 rather than introducing any
new protocol mechanism. As such, they do not introduce any new
security concerns, but additional consideration of already existing
concerns is warranted. In particular, when a message is transiting
two interfaces, the double Record-Route technique will carry
information about both interfaces to each of the involved endpoints
(and any intermediaries between this proxy and those endpoints),
where the rewriting technique would only expose information about the
interface closest to each given endpoint. If issues such as topology
hiding or privacy (as described in [RFC3323]) are a concern, the URI
values placed in the Record-Route for each interface should be
carefully constructed to avoid exposing more information than was
intended.
9. Acknowledgments
Thank you to Dean Willis, Vijay K. Gurbani, Joel Repiquet, Robert
Sparks, Jonathan Rosenberg, Cullen Jennings, Juha Heinanen, Paul
Kyzivat, Nils Ohlmeier, Tim Polk, Francois Audet, Adrian Farrel,
Ralph Droms, Tom Batsele, Yannick Bourget, Keith Drage, and John
Elwell for their reviews and comments.
Froment, et al. Standards Track [Page 16]
^L
RFC 5658 SIP Record-Route Fix October 2009
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002.
[RFC3263] Rosenberg, J. and H. Schulzrinne, "Session Initiation
Protocol (SIP): Locating SIP Servers", RFC 3263, June
2002.
[RFC3323] Peterson, J., "A Privacy Mechanism for the Session
Initiation Protocol (SIP)", RFC 3323, November 2002.
[RFC5630] Audet, F., "The Use of the SIPS URI Scheme in the Session
Initiation Protocol (SIP)", RFC 5630, October 2009.
10.2. Informative References
[BUG664] Sparks, RS., "Bug 664: Double record routing,
http://bugs.sipit.net/show_bug.cgi?id=664", October 2002.
[RFC3486] Camarillo, G., "Compressing the Session Initiation
Protocol (SIP)", RFC 3486, February 2003.
[RFC3608] Willis, D. and B. Hoeneisen, "Session Initiation Protocol
(SIP) Extension Header Field for Service Route Discovery
During Registration", RFC 3608, October 2003.
[V6Tran] Camarillo, G., El Malki, K., and V. Gurbani, "IPv6
Transition in the Session Initiation Protocol (SIP)", Work
in Progress, August 2009.
Froment, et al. Standards Track [Page 17]
^L
RFC 5658 SIP Record-Route Fix October 2009
Authors' Addresses
Thomas Froment
Tech-invite
EMail: thomas.froment@tech-invite.com
Christophe Lebel
Alcatel-Lucent
Lieu dit Le Mail
Orvault 44708
France
EMail: christophe.lebel@alcatel-lucent.com
Ben Bonnaerens
Alcatel-Lucent
Copernicuslaan 50
Antwerpen 2018
Belgium
EMail: ben.bonnaerens@alcatel-lucent.com
Froment, et al. Standards Track [Page 18]
^L
|