One document matched: draft-ietf-sipping-policy-package-05.xml
<?xml version='1.0' ?>
<!DOCTYPE rfc SYSTEM 'rfc2629.dtd' [
<!ENTITY rfc2119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc3261 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3261.xml'>
<!ENTITY rfc3263 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3263.xml'>
<!ENTITY rfc3265 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3265.xml'>
<!ENTITY rfc3264 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3264.xml'>
<!ENTITY rfc4346 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4346.xml'>
<!ENTITY rfc4566 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4566.xml'>
]>
<rfc ipr='full3978' category='std' docName='draft-ietf-sipping-policy-package-05'>
<?rfc toc='yes'?>
<?rfc compact='yes'?>
<?rfc sortrefs='yes'?>
<front>
<title abbrev='Session Policy Event Package'>A Session Initiation Protocol
(SIP) Event Package for Session-Specific Session Policies.</title>
<author initials='V.H.' surname='Hilt' fullname='Volker Hilt'>
<organization>Bell Labs/Alcatel-Lucent</organization>
<address>
<postal>
<street>791 Holmdel-Keyport Rd</street>
<city>Holmdel</city> <region>NJ</region>
<code>07733</code>
<country>USA</country>
</postal>
<email>volkerh@bell-labs.com</email>
</address>
</author>
<author initials="G." surname="Camarillo" fullname="Gonzalo Camarillo">
<organization>Ericsson</organization>
<address>
<postal>
<street>Hirsalantie 11</street>
<code>02420</code>
<city>Jorvas</city>
<country>Finland</country>
</postal>
<email>Gonzalo.Camarillo@ericsson.com</email>
</address>
</author>
<date month='July' year='2008' />
<area>Transport</area>
<workgroup>SIPPING Working Group</workgroup>
<keyword>SIP</keyword>
<keyword>Event Package</keyword>
<keyword>Session Policy</keyword>
<abstract>
<t>This specification defines a Session Initiation Protocol (SIP)
event package for session-specific policies. This event package
enables user agents to subscribe to session policies for a SIP
session and to receive notifications if these policies change.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>The Framework for Session Initiation Protocol (SIP) <xref
target="RFC3261" /> <xref
target="I-D.ietf-sip-session-policy-framework"> Session
Policies</xref> defines a protocol framework that enables a proxy
to define and impact
policies on sessions such as the codecs or media types to be
used. This framework identifies two types of session policies:
session-specific and session-independent
policies. Session-specific policies are policies that are created
for one particular session, based on the session description of
this session. They enable a network intermediary to inspect the
session description a UA is proposing and to return a policy
specifically generated for this session description. For example,
an intermediary could open pinholes in a firewall/NAT for each
media stream in a session and return a policy that replaces the
internal IP addresses and ports in the session description with
external ones. Since
session-specific policies are tailored to a session, they only
apply to the session they are created for. A user agent requests
session-specific policies on a session-by-session basis at the
time a session is created and the session description is
known. Session-independent policies on the other hand are policies
that are created independent of a session and generally apply to
all the SIP sessions set up by a user agent.</t>
<t>The <xref
target="I-D.ietf-sip-session-policy-framework">Framework for SIP
Session Policies</xref> defines a
mechanism that enables UAs to discover the URIs of
session-specific policy servers. This specification defines a SIP
event package <xref target="RFC3265" /> that enables UAs to
subscribe to session-specific policies on a policy
server. Subscribing to session-specific policies involves the
following steps (see the <xref
target="I-D.ietf-sip-session-policy-framework">Session Policy
Framework</xref>):</t>
<t><list style="numbers">
<t>A user agent submits the details of the session it is
trying to establish to the policy server and asks whether a
session using these parameters is permissible. For example, a
user agent might propose a session that contains the media types
audio and video.</t>
<t>The policy server generates a policy decision for this
session and returns the decision to the user agent. Possible
policy decisions are (1) to deny the session, (2) to propose
changes to the session parameters with which the session would
be acceptable, or (3) to accept the session as it was
proposed. An example for a policy decision is to disallow the
use of video but agree to all other aspects of the proposed
session.</t>
<t>The policy server can update the policy decision at a later
time. A policy decision update can require
additional changes to the session (e.g., because the available
bandwidth has changed) or deny a previously accepted session
(i.e., disallow the continuation of a session).</t>
</list></t>
<t>The event package for session-specific policies enables a user
agent to subscribe to the policies for a SIP session following the
above model. The subscriber initiates a subscription by submitting
the details of the session it is trying to establish to the
notifier (i.e., the policy server) in the body of a SUBSCRIBE
request. The notifier uses this information to determine the
policy decision for this session. It conveys the initial policy
decision to the subscriber in a NOTIFY and all changes to this
decision in subsequent NOTIFYs.</t>
</section>
<section title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
<xref target="RFC2119">RFC 2119</xref>.</t>
</section>
<section title="Event Package Formal Definition" anchor='sec:package'>
<t>This document provides the details for defining a SIP event
package as required by <xref target="RFC3265">RFC 3265</xref>.</t>
<section title="Event Package Name">
<t>The name of the event package defined in this specification
is "session-spec-policy".</t>
</section>
<section title="Event Package Parameters">
<t>This package defines the following two event package
parameters:</t>
<t><list style='hanging'>
<t hangText="local-only:">The "local-only" parameter is
optional and only defined for NOTIFY requests. It MUST be
ignored if received in a SUBSCRIBE request. The usage of the
"local-only" parameter is described in <xref
target="sec:subgen" />, <xref target="sec:notgen" /> and <xref
target="sec:notproc" />.</t>
<t hangText="insufficient-info:">The "insufficient-info"
parameter is optional and only defined for NOTIFY requests. It
MUST be ignored if received in a SUBSCRIBE request. The usage
of the "insufficient-info" parameter is described in <xref
target="sec:subproc" />, <xref target="sec:notgen" /> and
<xref target="sec:notproc" />.</t>
</list></t>
</section>
<section title="SUBSCRIBE Bodies" anchor='sec:subbody'>
<t>A SUBSCRIBE for this event package MUST contain a body that
describes a SIP session. The purpose of this body is to enable
the notifier to generate the policies the subscriber is
interested in. In this event package, the Request-URI, the event
package name and event parameters are not sufficient to
determine the resource a subscription is for. However, with the
session description in the SUBSCRIBE body, the notifier can
generate the requested policy decision and create policy events
for this resource.</t>
<t>All subscribers and notifiers MUST support the MIME type
"application/media-policy-dataset+xml" as defined in the User Agent
Profile Data Set for Media Policy <xref
target="I-D.ietf-sipping-media-policy-dataset" />. The
"application/media-policy-dataset+xml" format is the default format
for SUBSCRIBE bodies in this event package. Subscribers and
notifiers MAY negotiate the use of other formats capable of
representing a session. </t>
<t><list>
<t>Note: It has been proposed to directly use SDP <xref
target="RFC4566" /> instead of encoding the session
descriptions in the Media Policy <xref
target="I-D.ietf-sipping-media-policy-dataset" />
format. However, using a separate format such as the Media
Policy format has a number of advantages over the direct use
of SDP: i) the Media Policy format is more flexible and allows
the inclusion of information that can't be expressed in SDP
(e.g., the target URI), ii) the Media Policy format enables the
encoding of local and remote session descriptions in a single
document (not requiring the use of MIME multipart and new
content disposition types), and iii) it aligns the formats
used for session-specific and session-independent policies. A
drawback is that it requires the UA to encode SDP and session
information in Media Policy documents.</t>
</list></t>
</section>
<section title="Subscription Duration">
<t>A subscription to the session-specific policy package is
usually established at the beginning of a session and terminated
when the corresponding session ends. A typical duration of a
phone call is a few minutes. </t>
<t>Since the duration of a subscription to the session-specific
policy package is related to the lifetime of the corresponding
session, the value for the duration of a subscription is largely
irrelevant. However, the duration SHOULD be longer than the typical
duration of a session. The default subscription duration for
this event package is set to two hours.</t>
<t>A subscription MAY be terminated before a session ends by the
notifier. For example, a notifier may terminate the subscription
after the initial policy notification has been sent to the
subscriber if it knows that these policies will not change
during the session. A subscriber MUST NOT terminate a
subscription unless it is terminating the session this
subscription is for or discovers that the notifier has been
removed from the list of policy servers relevant for this session (see
the <xref target="I-D.ietf-sip-session-policy-framework">Session
Policy Framework</xref>).</t>
</section>
<section title="NOTIFY Bodies">
<t>In this event package, the body of a notification contains
the session policy requested by the subscriber. All subscribers
and notifiers MUST support the format
"application/media-policy-dataset+xml" <xref
target="I-D.ietf-sipping-media-policy-dataset" /> as a format
for NOTIFY bodies.</t>
<t>The SUBSCRIBE request MAY contain an Accept header field. If
no such header field is present, it has a default value of
"application/media-policy-dataset+xml". If the header field is
present, it MUST include "application/media-policy-dataset+xml", and
MAY include any other MIME type capable of representing
session-specific policies. As defined in <xref target="RFC3265">RFC
3265</xref>, the body of notifications MUST be in one of the
formats defined in the Accept header of the SUBSCRIBE request or
in the default format.</t>
<t>If the notifier uses the same format in NOTIFY bodies that was
used by the subscriber in the SUBSCRIBE body
(e.g., "application/media-policy-dataset+xml"), the notifier can expect
that the subscriber supports all format extensions that were
used in the SUBSCRIBE body. The notifier cannot assume that the
subscriber supports other extensions beyond that and SHOULD NOT
use such extensions.</t>
<t>If the SUBSCRIBE request contained a representation of the local
session description and the subscription was accepted, then the
NOTIFY body MUST contain a policy for the local session
description. If the SUBSCRIBE request of an accepted subscription
contained the local and the remote session description, then the
NOTIFY body MUST contain two policies, one for the local and one
for the remote session description.</t>
</section>
<section title="Subscriber generation of SUBSCRIBE requests"
anchor='sec:subgen'>
<t>The subscriber follows the general rules for generating
SUBSCRIBE requests defined in <xref target="RFC3265">RFC
3265</xref>. The subscriber MUST provide sufficient information
in the SUBSCRIBE body to fully describe the session for which it
seeks to receive session-specific policies. The subscriber MUST
use the most recent session description as a basis for this
information.</t>
<t>If the "application/media-policy-dataset+xml" format is used in
SUBSCRIBE bodies, the subscriber MUST provide a value for each
field that is defined for session information documents <xref
target="I-D.ietf-sipping-media-policy-dataset" /> and for which
the subscriber has information available. In other words, the
subscriber MUST fill in the elements of a session information
document as complete as possible. If the subscriber supports
extensions of the "application/media-policy-dataset+xml" format,
the subscriber MUST also provide a value for each field defined
by this extension for session information documents, if
possible. Providing as much information as possible avoids that
a session is rejected due to a lack of session information and
the negotiation of the information to be disclosed between
notifier and subscriber. </t>
<t>Subscriptions to this event package are typically created in
conjunction with an SDP offer/answer exchange <xref
target="RFC3264" /> during the establishment of a session (see
the <xref target="I-D.ietf-sip-session-policy-framework">Session
Policy Framework</xref>). If used with an offer/answer exchange,
the subscriber MUST insert
the representation of the local session description in the
SUBSCRIBE body. The local session description is the one that
was created by the subscriber (e.g., the offer if the subscriber
has initiated the offer/answer exchange). Under certain
circumstances, a UA may not have a session description when
subscribing to session-specific policies, for example, when it
is composing an empty INVITE request (i.e., an INVITE request
that does not contain an offer). In these cases, a UA SHOULD
establish a subscription without including a representation of
the local session description. The UA MUST refresh the
subscription with a SUBSCRIBE request that contains this session
description as soon as the session description becomes
available, for example, when the UA receives a 200 OK to an
empty INVITE request. A policy server can choose to admit a
session only after the UA has disclosed the session
descriptions.</t>
<t>The subscriber SHOULD also include a representation of the
remote session description in the SUBSCRIBE body. The remote
session description is the one the subscriber has received
(i.e., the answer if the subscriber has initiated the
offer/answer exchange). In some scenarios, the remote session
description is not available to the subscriber at the time the
subscription to session-specific policies is established. In
this case, the initial SUBSCRIBE message SHOULD only contain a
representation of the local session description. When the remote
description becomes available, the subscriber SHOULD refresh the
subscription by sending another SUBSCRIBE request, which then
contains the local and the remote session description, unless
the subscriber has received a NOTIFY with the "local-only"
parameter. This parameter indicates that the notifier does not
need to see the remote session description.</t>
<t>A user agent can change the session description of an ongoing
session. A change in the session description will typically
affect the policy decisions for this session. A subscriber MUST
refresh the subscription to session-specific policies every time
the session description of a session changes. It does this by
sending a SUBSCRIBE request, which contains the details of the
updated session descriptions.</t>
<t>A subscriber may receive an error that indicates a server
failure in response to a SUBSCRIBE request. In this case, the
subscriber SHOULD try to locate an alternative server, for
example, using the procedures described in <xref
target="RFC3263" />. If no alternative server can be located,
the subscriber MAY continue with the session for which it wanted
to receive session-specific policies without subscribing to
session-specific policies. This is to avoid that a failed policy
server prevents a UA from setting up or continuing with a
session. Since the sessions created by the UA may not be policy
compliant without this subscription, they may be blocked by
policy enforcement mechanisms if they are in place.</t>
<t>Session policies can contain sensitive information. Moreover,
policy decisions can significantly impact the behavior of a user
agent. A user agent should therefore verify the identity of a
policy server and make sure that policies have not been altered
in transit. All implementations of this package MUST support TLS
<xref target="RFC4346" /> and the SIPS URI scheme. A subscriber
SHOULD use SIPS URIs when subscribing to session-specific
policies so that policies are transmitted over TLS. See <xref
target="sec:security" />.</t>
</section>
<section title="Notifier processing of SUBSCRIBE requests"
anchor='sec:subproc'>
<t>All subscriptions to session-specific policies SHOULD be
authenticated and authorized before approval. However, a policy
server may frequently encounter UAs it cannot authenticate. In
these cases, the policy server MAY provide a generic policy that
does not reveal sensitive information to these UAs. For details
see <xref target="sec:security" />.</t>
<t>The authorization policy is at the discretion of the
administrator. In general, all users SHOULD be allowed to
subscribe to the session-specific policies of their sessions. A
subscription to this event package will typically be established
by a device that needs to know about the policies for its
sessions. However, subscriptions may also be established by
applications (e.g., a conference server). In those cases, an
authorization policy will typically be provided for these
applications.</t>
<t>Responding in a timely manner to a SUBSCRIBE request is
crucial for this event package. A notifier must minimize the
time needed for processing SUBSCRIBE requests and generating the
initial NOTIFY. This includes minimizing the time needed to
generate an initial policy decision. A short response time is in
particular important for this event package since it minimizes
the delay for fetching policies during an INVITE transaction and
therefore reduces call setup time. In addition, subscriptions to
session-specific policies can be established while the
subscriber is in an INVITE transaction at a point where it has
received the 200 OK but before sending the ACK. Delaying the
creation of the initial NOTIFY would delay the transmission of
the ACK. A more detailed discussion of this scenario can be
found in the <xref
target="I-D.ietf-sip-session-policy-framework">Session Policy
Framework</xref>.</t>
<t>A subscriber may not have disclosed enough information in the
SUBSCRIBE request to enable the notifier to generate a policy
decision. For example, a UA may have subscribed to
session-specific policies without including the representation
of a session description. The policy server SHOULD accept such a
subscription. The policy server SHOULD generate a NOTIFY request
that includes the "insufficient-info" event package parameter. A
NOTIFY request with this parameter indicates that a policy
decision could not be made due to insufficient information. The
body of such a NOTIFY request can either be empty or
contain a policy decision document that provides hints about
which information was missing.</t>
</section>
<section title="Notifier generation of NOTIFY requests"
anchor='sec:notgen'>
<t>A notifier sends a notification in response to SUBSCRIBE
requests as defined in <xref target="RFC3265">RFC
3265</xref>. In addition, a notifier MAY send a notification at
any time during the subscription. Typically, it will send one
every time the policy decision this subscription is for has
changed. When and why a policy decision changes is entirely at
the discretion of the administrator. A policy decision can
change for many reasons. For example, a network may become
congested due to an increase in traffic and reduce the
bandwidth available to an individual user. Another example is a
session that has been started during "business hours" and
continues into "evening hours" where more bandwidth or video
sessions are available to the user according to the service
level agreement.</t>
<t>Policy decisions are expressed in the format negotiated for
the NOTIFY body (e.g., "application/media-policy-dataset+xml"). The
policy document in a NOTIFY body MUST represent a complete
policy decision. Notifications that contain the deltas to
previous policy decisions or partial policy decisions are not
supported in this event package.</t>
<t>The notifier SHOULD terminate the subscription if the policy
decision is to reject a session and if it can be expected that
this decision will not change in the foreseeable future. The
notifier SHOULD keep the subscription alive, if it rejects a
session but expects that the session can be admitted soon. For
example, if the session was rejected due to a temporary shortage
of resources and the notifier expects that these resources will
become available again shortly it should keep the subscription
alive. The decision to reject a session is expressed in the
policy decision document. A session is admitted by returning a
policy decision document that requires some or no changes to the
session.</t>
<t>If the notifier has not received enough information to make a
policy decision from the subscriber (e.g., because it did not
receive a session description), the notifier SHOULD NOT
terminate the subscription since it can be expected that the UA
refreshes the subscription with a SUBSCRIBE request that
contains more information. The notifier SHOULD generate a NOTIFY
request with the "insufficient-info" event package parameter to
indicate that a policy decision could not be made due to
insufficient information. This NOTIFY request can contain an
empty body or a body that contains a policy decision document
indicating which information was missing.</t>
<t>Some session-specific policies do not require the disclosure
of the remote session description to the notifier. If a notifier
determines that this is the case after receiving a SUBSCRIBE
request, the notifier SHOULD include the "local-only" event
parameter in NOTIFY requests.</t>
</section>
<section title="Subscriber processing of NOTIFY requests"
anchor='sec:notproc'>
<t>A subscriber MUST apply the policy decision received in a
NOTIFY to the session associated with this subscription. If the
UA decides not to apply the received policy decision, the UA MUST
NOT set up the session and MUST terminate the session if the
session is already in progress. If the UA has a pending INVITE
transaction for this session, the UA MUST cancel or reject the
INVITE request.</t>
<t>If the subscriber receives a NOTIFY indicating that the
session has been rejected, the subscriber MUST NOT attempt to
establish this session. If the notifier has terminated the
subscription after rejecting the session, the subscriber SHOULD
NOT try to re-send the same SUBSCRIBE request again. The
termination of the subscription by the notifier indicates that
the policy decision for this session is final and will not
change in the foreseeable future. The subscriber MAY try to
re-subscribe for this session if at least one aspect of the
session (e.g., a parameter in the session description or the
target URI) has changed or if there is other reason to believe
that re-trying the subscription will be successful (e.g.,
because time has progressed significantly since the last
attempt).</t>
<t>The notifier may keep up the subscription after rejecting a
session to indicate that it may send an updated policy decision
for this session to the subscriber at a later time. This is
useful, for example, if the session was rejected due to a
temporary shortage of resources and the notifier expects that
this problem to be resolved shortly. In another example, the
session was rejected because it was attempted in a restricted
period during the day but this period is going to end soon. In
this case, the subscriber SHOULD not terminate the subscription
to session-specific policies.</t>
<t>The subscriber may receive a NOTIFY which contains an
"insufficient-info" event package parameter to indicate that the
SUBSCRIBE request did not contain enough information. The
subscriber SHOULD refresh the subscription with more complete
information as soon as the missing information (e.g., the
session description) is available.</t>
<t>A subscriber may receive an update to a policy decision for a
session that is already established. The subscriber MUST apply
the new policy decision to this session. If a UA decides that it
does not want to apply the new policy decision, the UA MUST
terminate the session. An updated policy decision may require
the UA to generate a re-INVITE or UPDATE request in this session
if the session description has changed or it may need to
terminate this session. A policy update that requires a UA to
terminate a session can, for example, be triggered by the users
account running out of credit or the detection of an emergency
that requires the termination of non-emergency calls.</t>
<t>If the subscriber receives a NOTIFY that contains the
"local-only" event parameter, the subscriber SHOULD NOT include
the remote session description in subsequent SUBSCRIBE requests
within this subscription.</t>
</section>
<section title="Handling of forked requests">
<t>This event package allows the creation of only one dialog as
a result of an initial SUBSCRIBE request. The techniques to
achieve this behavior are described in <xref
target="RFC3265"/>.</t>
</section>
<section title="Rate of notifications">
<t>It is anticipated that the rate of policy changes will be
very low. In any case, notifications SHOULD NOT be generated at
a rate of more than once every five seconds.</t>
</section>
<section title="State Agents">
<t>State agents play no role in this package.</t>
</section>
<section title="Examples">
<t>The following message flow illustrates how a user agent
(Alice's phone) can subscribe to session-specific policies when
establishing a call (here to Bob's phone). The flow assumes that
the user agent has already received the policy server URI
(e.g., through configuration or as described in the <xref
target="I-D.ietf-sip-session-policy-framework">Session Policy
Framework</xref>) and it does not show messages for
authentication on a transport or SIP level.</t>
<t>These call flow examples are informative and not
normative. Implementers should consult the main text of this
document for exact protocol details.</t>
<figure>
<artwork><![CDATA[
Policy Server Alice Bob
| | |
|(1) SUBSCRIBE | |
|<------------------| |
|(2) 200 OK | |
|------------------>| |
|(3) NOTIFY | |
|------------------>| |
|(4) 200 OK | |
|<------------------| |
| |(5) INVITE |
| |------------------>|
| | |
| |(6) 200 OK |
| |<------------------|
| |(7) ACK |
| |------------------>|
|(8) SUBSCRIBE | |
|<------------------| |
|(9) 200 OK | |
|------------------>| |
|(10) NOTIFY | |
|------------------>| |
|(11) 200 OK | |
|<------------------| |
| | |
Message Details
(1) SUBSCRIBE Alice -> Policy Server
SUBSCRIBE sips:policy@biloxi.example.com SIP/2.0
Via: SIP/2.0/TLS pc.biloxi.example.com:5061
;branch=z9hG4bK74bf
Max-Forwards: 70
From: Alice <sips:alice@biloxi.example.com>;tag=8675309
To: PS <sips:policy@biloxi.example.com>
Call-ID: rt4353gs2egg@pc.biloxi.example.com
CSeq: 1 SUBSCRIBE
Contact: <sips:alice@pc.biloxi.example.com>
Expires: 7200
Event: session-spec-policy
Accept: application/media-policy-dataset+xml
Content-Type: application/media-policy-dataset+xml
Content-Length: ...
[Local session description (offer)]
(2) 200 OK Policy Server -> Alice
(3) NOTIFY Policy Server -> Alice
NOTIFY sips:alice@pc.biloxi.example.com SIP/2.0
Via: SIP/2.0/TLS srvr.biloxi.example.com:5061
;branch=z9hG4bK74br
Max-Forwards: 70
From: PS <sips:policy@biloxi.example.com>;tag=31451098
To: Alice <sips:alice@biloxi.example.com>;tag=8675309
Call-ID: rt4353gs2egg@pc.biloxi.example.com
CSeq: 1 NOTIFY
Event: session-spec-policy
Subscription-State: active;expires=7200
Content-Type: application/media-policy-dataset+xml
Content-Length: ...
[Policy for local session description (offer)]
(4) 200 OK Alice -> Policy Server
(5) INVITE Alice -> Bob
(6) 200 OK Bob -> Alice
(7) ACK Alice -> Bob
(8) SUBSCRIBE Alice -> Policy Server
SUBSCRIBE sips:policy@biloxi.example.com SIP/2.0
Via: SIP/2.0/TLS pc.biloxi.example.com:5061
;branch=z9hG4bKna998sl
Max-Forwards: 70
From: Alice <sips:alice@biloxi.example.com>;tag=8675309
To: PS <sips:policy@biloxi.example.com>;tag=31451098
Call-ID: rt4353gs2egg@pc.biloxi.example.com
CSeq: 2 SUBSCRIBE
Expires: 7200
Event: session-spec-policy
Accept: application/media-policy-dataset+xml
Content-Type: application/media-policy-dataset+xml
Content-Length: ...
[Local session description (offer)]
[Remote session description (answer)]
(9) 200 OK Policy Server -> Alice
(10) NOTIFY Policy Server -> Alice
NOTIFY sips:alice@pc.biloxi.example.com SIP/2.0
Via: SIP/2.0/TLS srvr.biloxi.example.com:5061
;branch=z9hG4bKna998sk
Max-Forwards: 70
From: PS <sips:policy@biloxi.example.com>;tag=31451098
To: Alice <sips:alice@biloxi.example.com>;tag=8675309
Call-ID: rt4353gs2egg@pc.biloxi.example.com
CSeq: 2 NOTIFY
Event: session-spec-policy
Subscription-State: active;expires=7200
Content-Type: application/media-policy-dataset+xml
Content-Length: ...
[Policy for local session description (offer)]
[Policy for remote session description (answer)]
F6 200 OK Alice -> Policy Server
]]></artwork>
</figure>
</section>
</section>
<section anchor="sec:security" title="Security Considerations">
<t>Session policies can significantly change the behavior of a
user agent and can therefore be used by an attacker to compromise
a user agent. For example, session policies can be used to prevent
a user agent from successfully establishing a session (e.g., by
setting the available bandwidth to zero). Such a policy can be
submitted to the user agent during a session, which may cause the
UA to terminate the session.</t>
<t>A user agent transmits session information to a policy server.
This information may contain sensitive data the user may not want
an eavesdropper or an unauthorized policy server to see. For
example, the session information may contain the encryption keys
for media streams. Vice versa, session policies may also contain
sensitive information about the network or service level
agreements the service provider may not want to disclose to an
eavesdropper or an unauthorized user agent.</t>
<t>It is therefore important to secure the communication between
the user agent and the policy server. The following three discrete
attributes need to be protected:</t>
<t><list style="numbers">
<t>authentication of the policy server and, if needed, the user
agent,</t>
<t>confidentiality of the messages exchanged between the user
agent and the policy server and</t>
<t>ensuring that private information is not exchanged between
the two parties, even over a confidentiality-assured and
authenticated session.</t>
</list></t>
<t>The confidentiality of the messages exchanged between the two
parties can be protected by encrypting the data stream through a
TLS session using the cipher suites specified in <xref
target="RFC3261" />.</t>
<t>Accordingly, policy servers SHOULD be addressable only through
a SIPS URI. Policy server and user agent MUST support TLS. The
confidentiality of the communication between the policy server and
the user agent will be assured as long as the policy server
supports TLS and is reached through a SIPS URI.</t>
<t>Authenticating the two parties can be performed using X.509
certificates exchanged through TLS and other techniques such as
HTTP Digest. When the user agent establishes a TLS session with
the policy server, the policy server will present it a X.509
certificate. The user agent SHOULD ensure that the identity of
the policy server encoded in the certificate matches the URI of
the policy server the user agent has received either using the
<xref target="I-D.ietf-sip-session-policy-framework">Session
Policy Framework</xref> or other means such as configuration.</t>
<t>When a policy server receives a new subscription (as opposed to
a refresh subscription), the policy server SHOULD try to
authenticate the user agent using any means at its disposal. If
the user agent has a TLS certificate, the identity of the user
agent SHOULD be contained in the certificate, or if the user agent
does not possess a certificate, the policy server SHOULD challenge
the user agent using HTTP Digest. A policy server may frequently
encounter UAs it cannot authenticate. In these cases, the policy
server MAY provide a generic policy that does not reveal sensitive
information to these UAs.</t>
<t>And finally, the fact that the user agent and the policy server
have successfully authenticated each other and have established a
secure TLS session does not absolve either one from ensuring that
they do not communicate sensitive information. For example, a
session description may contain sensitive information -- session
keys, for example -- that the user agent may not want to share
with the policy server; and indeed, the policy server does not
need such information to effectively formulate a policy. Thus,
the user agent should not insert such sensitive information in a
session information document that it sends to the policy server.
Likewise, the policy server may have information that is sensitive
and of no use to the user agent -- network service level
agreements, or network statistics, for example. Thus, the policy
server should refrain from transmitting such information to the
user agent.</t>
</section>
<section anchor="sec:iana" title="IANA Considerations">
<section title="Event Package Name">
<t>This specification registers an event package, based on the
registration procedures defined in <xref target="RFC3265">RFC
3265</xref>. The following is the information required for such a
registration:</t>
<t>Package Name: session-spec-policy</t>
<t>Package or Template-Package: This is a package.</t>
<t>Published Document: RFC XXXX (Note to RFC Editor: Please fill
in XXXX with the RFC number of this specification).</t>
<t>Person to Contact: Volker Hilt, volkerh@bell-labs.com.</t>
</section>
</section>
</middle>
<back>
<references title='Normative References'>
&rfc2119;
&rfc4346;
<reference anchor='I-D.ietf-sipping-media-policy-dataset'>
<front>
<title abbrev='Media Policy Dataset'>A User Agent Profile Data Set
for Media Policy</title>
<author initials='V.H.' surname='Hilt' fullname='Volker Hilt'>
<organization>Bell Labs/Alcatel-Lucent</organization>
</author>
<author initials="G." surname="Camarillo" fullname="Gonzalo Camarillo">
<organization>Ericsson</organization>
</author>
<author initials='J.R.' surname='Rosenberg' fullname='Jonathan Rosenberg'>
<organization>Cisco Systems</organization>
</author>
<date month='July' year='2008' />
</front>
<seriesInfo name='Internet-Draft' value='draft-ietf-sipping-media-policy-dataset-07' />
<format type='TXT'
target='http://www.ietf.org/internet-drafts/draft-ietf-sipping-media-policy-dataset-07.txt' />
</reference>
&rfc3265;
&rfc3261;
&rfc3263;
<reference anchor='I-D.ietf-sip-session-policy-framework'>
<front>
<title abbrev='Session Policy Framework'>A Framework for Session
Initiation Protocol (SIP) Session Policies</title>
<author initials='V.H.' surname='Hilt' fullname='Volker Hilt'>
<organization>Bell Labs/Alcatel-Lucent</organization>
</author>
<author initials="G." surname="Camarillo" fullname="Gonzalo Camarillo">
<organization>Ericsson</organization>
</author>
<author initials='J.R.' surname='Rosenberg' fullname='Jonathan Rosenberg'>
<organization>Cisco Systems</organization>
</author>
<date month='April' year='2008' />
</front>
<seriesInfo name='Internet-Draft' value='draft-ietf-sip-session-policy-framework-03' />
<format type='TXT'
target='http://www.ietf.org/internet-drafts/draft-ietf-sip-session-policy-framework-03.txt' />
</reference>
</references>
<references title='Informative References'>
&rfc3264;
&rfc4566;
</references>
<section title="Acknowledgements">
<t>Many thanks to Jonathan Rosenberg for the discussions and
suggestions for this draft. Many thanks to Roni Even, Bob
Penfield, Mary Barnes, Shida Schubert and Jon Peterson for reviewing
the draft and to Vijay Gurbani for the contributions to the security
considerations section.</t>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 10:56:36 |