SIPPING Working Group G. Camarillo Internet-Draft Ericsson Expires: January 5, 2005 July 7, 2004 Requirements and Framework for Session Initiation Protocol (SIP) Uniform Resource Identifier (URI)-List Services draft-ietf-sipping-uri-services-00.txt Status of this Memo By submitting this Internet-Draft, I certify that any applicable patent or other IPR claims of which I am aware have been disclosed, and any of which I become aware will be disclosed, in accordance with RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on January 5, 2005. Copyright Notice Copyright (C) The Internet Society (2004). All Rights Reserved. Abstract This document describes the need for SIP URI-List Services and provides requirements for their invocation. Additionaly, it defines a framework which includes all the SIP extensions needed to meet these requirements. Camarillo Expires January 5, 2005 [Page 1] Internet-Draft Reqs and Framework for SIP-URI Services July 2004 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.1 Requirements for Request-Contained URI-List Services . . . 4 3.2 General Requirements for URI-List Services . . . . . . . . 4 4. Framework . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4.1 Carrying URI-Lists in SIP . . . . . . . . . . . . . . . . 5 4.2 Processing of URI-Lists . . . . . . . . . . . . . . . . . 5 4.3 Results . . . . . . . . . . . . . . . . . . . . . . . . . 5 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 5.1 List Integrity and Confidentiality . . . . . . . . . . . . 6 5.2 Amplification Attacks . . . . . . . . . . . . . . . . . . 6 5.3 Unsolicited Requests . . . . . . . . . . . . . . . . . . . 8 5.4 General Issues . . . . . . . . . . . . . . . . . . . . . . 8 6. Acknowledges . . . . . . . . . . . . . . . . . . . . . . . . . 8 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 7.1 Normative References . . . . . . . . . . . . . . . . . . . . 8 7.2 Informational References . . . . . . . . . . . . . . . . . . 8 Author's Address . . . . . . . . . . . . . . . . . . . . . . . 9 Intellectual Property and Copyright Statements . . . . . . . . 10 Camarillo Expires January 5, 2005 [Page 2] Internet-Draft Reqs and Framework for SIP-URI Services July 2004 1. Introduction Some applications require that, at a given moment, a SIP [2] UA (User Agent) performs a similar transaction with a number of remote UAs. For example, an instant messaging application that needs to send a particular message (e.g., "Hello folks") to n receivers needs to send n MESSAGE requests; one to each receiver. When the transacton that needs to be repeated consists of a large request, or the number of recipients is high, or both, the access network of the UA needs to carry a considerable amount of traffic. Completing all the transactions on a low-bandwidth access would require a long time. This is unacceptable for a number of applications. A solution to this problem consists of introducing URI-list services in the network. The task of a SIP URI-list service is to receive a request that contains or references a URI-list and send a number of similar requests to the destinations in this list. Once the requests are sent, the URI-list service typically informs the UA about their status. Effectively, the URI-list service behaves as a B2BUA (Back-To-Back-User-Agent). If the request references an external URI-list (e.g., the Request-URI is a SIP URI which is associated with a URI-list at the server), this URI-list is referred to as an stored URI-list. If the request contains the URI-list, the URI-list is referred to as a request-contained URI-list. Stored URI-lists are typically set up using out-of-band mechanisms (e.g., XCAP [9]). An example of a URI-list service for SUBSCRIBE requests that uses stored URI-lists is described in [4]. The Advanced Instant Messaging Requirements for SIP [5] mentions the need for request-contained URI-list services for MESSAGE transactions "REQ-GROUP-3: It MUST be possible for a user to send to an ad-hoc group, where the identities of the recipients are carried in the message itself." The remainder of this document provides requirements for both stored and request-contained SIP URI-list services. 2. Terminology In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as Camarillo Expires January 5, 2005 [Page 3] Internet-Draft Reqs and Framework for SIP-URI Services July 2004 described in BCP 14, RFC 2119 [1] and indicate requirement levels for compliant implementations. 3. Requirements Section 3.1 discusses requirements that only apply to request-contained URI-list services and Section 3.2 discusses requirements that apply to both stored and request-contained URI-list services. 3.1 Requirements for Request-Contained URI-List Services 1. The URI-list service invocation mechanism MUST allow the invoker to provide a list of destination URIs to the URI-list service. This URI-list MAY consist of one or more URIs. 2. The mechanism to provide the URI-list to the URI-list service MUST NOT be request specific. 3. The invocation mechanism SHOULD NOT require more than one RTT (Round-Trip Time). 3.2 General Requirements for URI-List Services 1. An URI-list service MAY include services beyond sending requests to the URIs in the URI-list. That is, URI-list services can be modelled as application servers. For example, a URI-list service handling INVITE requests may behave as a conference server and perform media mixing for all the participants. 2. The interpretation of the meaning of the URI-list sent by the invoker MUST be at the discretion of the application to which the list is sent. 3. It MUST be possible for the invoker to find out about the result of the operations performed by the URI-list service with the URI-list. An invoker may, for instance, be interested in the status of the transactions initiated by the URI-list service. 4. URI-list services MUST NOT send requests to multiple destinations without authenticating the invoker. 4. Framework Although Section 3 contains specific requirements for SIP URI-list services, this framework is not restricted to application servers that only provide request fan-out services. Per the general requirement number 1, we also deal with application servers that provide a particular service that includes a request fan-out (e.g., a conference server that INVITEs several participants which are chosen by a user agent). Camarillo Expires January 5, 2005 [Page 4] Internet-Draft Reqs and Framework for SIP-URI Services July 2004 4.1 Carrying URI-Lists in SIP The requirements that relate to request-contained URI-list services identify the need for a request-independent mechanism to provide a SIP URI-list service with a URI-list in a single RTT. The mechanism described in (draft-ietf-sipping-uri-list-00.txt) [3] meets these three requirements. UAs (User Agents) use body parts whose disposition type is uri-list to transport URI-lists. The default URI-list format for SIP entities is the XCAP resource list format defined in [6]. 4.2 Processing of URI-Lists According to the general requirements 1 and 2, URI-list services can behave as application servers. That is, taking a URI-list as an input, they can provide arbitrary services. So, the interpretation of the URI-list by the server depends on the service to be provided. For example, for a conference server, the URIs in the list may identify the initial set of participants. On the other hand, for a server dealing with MESSAGEs, the URIs in the list may identify the recipients of an instant message. At the SIP level, this implies that the behavior of application servers receiving requests with URI-lists SHOULD be specified on a per method basis. Examples of such specifications are [draft-ietf-sipping-uri-list-conferencing-00.txt] for INVITE, [draft-ietf-sipping-multiple-refer-00.txt] for REFER, [draft-ietf-sipping-uri-list-message-00.txt] for MESSAGE, and [draft-ietf-sipping-uri-list-subscribe-00.txt] for SUBSCRIBE. 4.3 Results According to requirement 6, user agents should have a way to obtain information about the operations performed by the application server. Since these operations are service specific, the way user agents are kept informed is also service specific. For example, a user agent establishing an adhoc conference with an INVITE with a URI-list may discover which participants were successfully brought in into the conference by using the conference package [8]. 5. Security Considerations Security plays an important role in the implementation of any URI-list service. By definition, a URI-list service takes one request in and sends a potentially large number of them out. Attackers may attempt to use URI-list services as traffic amplifiers to launch DoS Camarillo Expires January 5, 2005 [Page 5] Internet-Draft Reqs and Framework for SIP-URI Services July 2004 attacks. In addition, malicious users may attempt to use URI-list services to distribute unsolicited messages (i.e., SPAM) or to make unsolicited VoIP calls. This section provides guidelines to avoid these attacks. 5.1 List Integrity and Confidentiality Attackers may attempt to modify URI-lists sent from clients to servers. This would cause a different behavior at the server than expected by the client (e.g., requests being sent to different recipients as the ones specified by the client). To prevent this attack, clients SHOULD integrity protect URI-lists using mechanisms such as S/MIME, which can also provide URI-list confidentiality if needed. 5.2 Amplification Attacks URI-list services take a request in and send a potentially large number of them out. Given that URI-list services are typically implemented on top of powerful servers with high-bandwidth access links, we should be careful to keep attackers from using them as amplification tools to launch DoS (Denial of Service) attacks. Attackers may attempt to send a URI-list containing URIs whose host parts route to the victims of the DoS attack. These victims do not need to be SIP nodes; they can be non-SIP endpoints or even routers. If this attack is successful, the result is that an attacker can flood with traffic a set of nodes, or a single node, without needing to generate a high volume of traffic itself. Note, in any case, that this problem is not specific to SIP URI-list services; it also appears in scenarios which relate to multihoming where a server needs to contact a set of IP addresses provided by a client (e.g., an SCTP [10] endpoint using HEARTBEATs to check the status of the IP addresses provided by its peer at association establishment). There are several measures that need to be taken to prevent this type of attack. The first one is keeping unauthorized users from using URI-list services. So, URI-list services MUST NOT perform any request explosion for an unauthorized user. URI-list services MUST authenticate users and check whether they are authorized to request the service before performing any request fan-out. Note that the risk of this attack also exists when a client uses stored URI-lists. Application servers MUST use authentication and authorization mechanisms with equivalent security properties when dealing with stored and request-contained URI-lists. Camarillo Expires January 5, 2005 [Page 6] Internet-Draft Reqs and Framework for SIP-URI Services July 2004 Even though the previous rule keeps unauthorized users from using URI-list services, authorized users may still launch attacks using a these services. To prevent these attacks, we introduce the concept of opt-in lists. That is, URI-list services should not allow a client to place a user (identified by his or her URI) in a URI-list unless the user has previously agreed to be placed in such a URI-list. So, URI-list services MUST NOT send a request to a destination which has not agreed to receive requests from the URI-list service beforehand. Users can agree to receive requests from a URI-list service in several ways, such as filling a web page, sending an email, or signing a contract. Additionally, users MUST be able to further describe the requests they are willing to receive. For example, a user may only want to receive requests from a particular URI-list service on behalf of a particular user. Effectively, these rules make URI-lists used by URI-list services opt-in lists. When a URI-list service receives a request with a URI-list from a client, the URI-list service checks whether all the destinations have agreed beforehand to receive requests from the service on behalf of this client. If the URI-list has permission to send requests to all of the targets in the request, it does so. If not, the URI-list service rejects the request, indicating in the rejection the set of targets for which it did not have permission. This allows the client to request permission for those targets. DoS amplification would still happen if the URI-list service automatically contacted the full set of targets for which it did not have permission in order to request permission. The URI-list service would be receiving one SIP request and sending out a number of authorization request messages. In order to avoid this amplification, the URI-list service must ensure that the client generates roughly the same amount of traffic towards the URI-list service as the service generates towards the destinations. Consequently, the URI-list service MUST require that clients send and individual authorization request for each destination. These individual authorization requests sent by the client may or may not be routed through the URI-list service. In any case, the URI-list service MUST be informed about the destinations' responses to these authorization requests in order to authorize requests towards them. One possible mechanism for clients to send authorization requests to the destinations is specified in [draft-rosenberg-sipping-consent-framework-00.txt], which discusses consent-based communications in SIP. The requirements for consent-based communications in SIP are discussed in [draft-rosenberg-sipping-consent-reqs-00.txt] Camarillo Expires January 5, 2005 [Page 7] Internet-Draft Reqs and Framework for SIP-URI Services July 2004 5.3 Unsolicited Requests Opt-in lists should help fighting SPAMMERS. Still, if a URI-list service is used to send unsolicited requests to one or several destinations, it should be possible to track down the sender of such requests. To do that, URI-list services MAY provide information about the identity of the original sender of the request in their outgoing requests. URI-list services can use Authenticated Identity Bodies (AIB) [7] to provide this information. 5.4 General Issues URI-list services MAY have policies that limit the number of URIs in the lists they accept, as a very long list could be used in a denial of service attack to place a large burden on the URI-list service to send a large number of SIP requests. The general requirement number 4, which states that URI-list services need to authenticate their clients, and the previous rules apply to URI-list services in general. In addition, specifications dealing with individual methods MUST describe the security issues that relate to each particular method. 6. Acknowledges Duncan Mills and Miguel A. Garcia-Martin supported the idea of 1 to n MESSAGEs. Jon Peterson and Dean Willis provided useful comments. 7. References 7.1 Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [2] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M. and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. 7.2 Informational References [3] Camarillo, G., "Providing a Session Initiation Protocol (SIP) Application Server with a List of URIs", draft-camarillo-sipping-uri-list-01 (work in progress), February 2004. [4] Roach, A., Rosenberg, J. and B. Campbell, "A Session Initiation Protocol (SIP) Event Notification Extension for Resource Camarillo Expires January 5, 2005 [Page 8] Internet-Draft Reqs and Framework for SIP-URI Services July 2004 Lists", draft-ietf-simple-event-list-04 (work in progress), June 2003. [5] Rosenberg, J., "Advanced Instant Messaging Requirements for the Session Initiation Protocol (SIP)", draft-rosenberg-simple-messaging-requirements-01 (work in progress), February 2004. [6] Rosenberg, J., "An Extensible Markup Language (XML) Configuration Access Protocol (XCAP) Usage for Presence Lists", draft-ietf-simple-xcap-list-usage-02 (work in progress), February 2004. [7] Peterson, J., "SIP Authenticated Identity Body (AIB) Format", draft-ietf-sip-authid-body-02 (work in progress), July 2003. [8] Rosenberg, J. and H. Schulzrinne, "A Session Initiation Protocol (SIP) Event Package for Conference State", draft-ietf-sipping-conference-package-03 (work in progress), February 2004. [9] Rosenberg, J., "The Extensible Markup Language (XML) Configuration Access Protocol (XCAP)", draft-ietf-simple-xcap-02 (work in progress), February 2004. [10] Bradner, S., "A Proposal for an MOU-Based ICANN Protocol Support Organization", RFC 2690, September 1999. Author's Address Gonzalo Camarillo Ericsson Hirsalantie 11 Jorvas 02420 Finland EMail: Gonzalo.Camarillo@ericsson.com Camarillo Expires January 5, 2005 [Page 9] Internet-Draft Reqs and Framework for SIP-URI Services July 2004 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the IETF's procedures with respect to rights in IETF Documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Camarillo Expires January 5, 2005 [Page 10]