SIP Extension Header for Service Route Discovery in Private Networks

3GPP established a requirement for discovering home proxies during SIP registration and published this requirement in [3GPPReq]. Unlike many other network environments, the 3GPP network dynamically assigns a home service proxy to each address-of-record. This assignment may occur in conjunction with a REGISTER operation, or out-of-band as needed to support call services when the address-of-record has no registrations. This home service proxy may provide both inbound (UA terminated) and outbound (UA originated) services.. The home proxy network routes inbound messages having a request-URI targeting the address-of-record associated with the UA to the assigned home service proxy by using some sort of look-up-mechanism outside the scope of this document. This mechanism deals with inbound (UA terminated) messages. Outbound (UA originated) messages raise another issue. Specifically, "How does the UA know which service proxy to use and how to get there?" Several mechanisms have been proposed in list discussions, including: Configuration data in the UA. This raises questions of UA configuration management and updating, especially if proxy assignment is very dynamic as in load-balancing scenarios. Use of some other protocol, such as HTTP, to get configuration data from a configuration server in the home network. While functional, this solution requires additional protocol engines, firewall complexity, operations overhead, and a significant additional "over the air" traffic. Use of lookup tables in the home network, as is done for inbound messages. This has a relatively high overhead in terms of database operations. Returning a 302 response indicating the service proxy as a new contact, causing the upstream node processing the 302 (ostensibly the UA) to retransmit the message toward the service proxy. While this shares the database operation of the previous alternative, it does explicitly allow for caching the 302 response thereby potentially reducing the frequency and number of database operations. Performing an operation equivalent to record-routing a REGISTER message between the UA and the associated registrar, then storing that route in the UA and reusing it as a service route on future messages originating from the UA. While efficient, this constrains the service route for proxy operations to be congruent with the route taken by the REGISTER message. Returning service route information as the value of a header in the REGISTER response. While similar to the previous alternative, this approach grants the ability for the registrar to selectively apply knowledge about the topology of the home network in constructing the service route. This document discusses this final alternative: using a header in the REGISTER response to indicate a service route that the UA may wish to use if requesting services from the proxy network associated with the registrar generating the response.

Scenario In this scenario, we have a "home network" containing routing proxy P2, registrar R, home service proxy HSP, and database DBMS used by both R and HSP. P2 represents the "edge" of the home network from a SIP perspective, and might be called an "edge proxy". UA1 is an external UA behind proxy P1. UA1 discovers P1 via DHCP. UA2 is another UA on the Internet, and does not use a default outbound proxy. We do not show DNS elements in this diagram, but will assume their reasonable availability in the discussion. The mission is for UA1 to discover HSP so that outbound messages from UA1 may be routed (at the discretion of UA1) through HSP, thereby receiving outbound services from HSP.

The proposed mechanism uses a private header "P-Service-Route" in the REGISTER response to indicate a service route that the UA may wish to use if requesting services from the proxy network associated with the registrar generating the response. Simply put, the registrar generates a service route for the registering UA and returns it in the response to each successful REGISTER request. This service route has the form of a Route header that the registering UA may use to send messages through the service proxy selected by the registrar. The UA would use this route by inserting it as a preloaded Route header in messages originated by the UA intended for routing through the service proxy. The mechanism by which the registrar constructs the header value is specific to the local implementation and outside the scope of this document.

The P-Service-Route mechanism is applicable when: The UA registers with a REGISTRAR in a given domain. The domain dynamically assigns a service proxy for the UA. The registrar(s) in the domain has/have sufficient knowledge of the network topology, policy, and situation such that a reasonable service route can be constructed. Other mechanisms for proposing a service route to the UA are not available or are inappropriate for use within the administrative domain.

The syntax for the P-Service-Route header is: P-Service-Route = "P-Service-Route" HCOLON 1#( p-sr-value) p-sr-value = name-addr *( SEMI rr-param ) rr-param = generic-param The allowable usage of headers is described in Table 2 of . The following additions to this table are needed for P-Service-Route.

Addition of P-Service-Route to SIP Table 2:

The UA performs a register as usual. The register response may contain a "P-Service-Route" header. If so, the UA MAY store the value of the P-Service-Route header in an association with the address-of-record for which the REGISTER message had registered a contact. If the UA supports multiple address of records, it may be able to store multiple service routes, one per address-of-record. The UA MAY choose to exercise a service route for future messages associated with a given address-of-record for which a service route is known. If so, it appends the given service route to any local required Route headers, and uses the result as a preloaded Route header in outgoing messages.

The P-Service-Route header is treated like any other unknown header by intermediate proxies. They simply forward it on towards the destination.

When a registrar receives a successful REGISTER message, it MAY choose to return a P-Service-Route header in the 200 OK response. The determinations of whether to include this header into the 200 OK response and what value to insert are a matter of local policy and outside the scope of this document. Having inserted a P-Service-Route header, the registrar returns the 200 OK response to the UA in accordance with standard procedures.

We present example in the context of the scenario presented in the Background section earlier in this document. The network diagram is replicated below:

Scenario

This example shows the message sequence for UA1 registering to HOMEDOMAIN using registrar R. R returns a P-Service-Route indicating that UA1 may use home service proxy HSP to receive outbound services from HOMEDOMAIN.

Message sequence for REGISTER returning P-Service-Route: P1 REGISTER sip:HOMEDOMAIN SIP/2.0 Via: SIP/2.0/UDP 192.0.2.4:5060;branch=z9hG4bKnashds7 To: UA@HOMEDOMAIN From: UA@HOMEDOMAIN ;tag=456248 Call-ID: 843817637684230@998sdasdh09 CSeq: 1826 REGISTER Contact: . . . F2 Register P1 -> P2 REGISTER sip:HOMEDOMAIN SIP/2.0 Via: SIP/2.0/UDP 192.0.2.4:5060;branch=z9hG4bKnashds7 Via: SIP/2.0/UDP P1:5060;branch=34ghi7ab04 To: UA@HOMEDOMAIN From: UA@REGISTAR ;tag=456248 Call-ID: 843817637684230@998sdasdh09 CSeq: 1826 REGISTER Contact: . . . F3 Register P2 -> R REGISTER sip:HOMEDOMAIN SIP/2.0 Via: SIP/2.0/UDP 192.0.2.4:5060;branch=z9hG4bKnashds7 Via: SIP/2.0/UDP P1:5060;branch=34ghi7ab04 Via: SIP/2.0/UDP P2:5060;branch=iokioukju908 To: UA@HOMEDOMAIN From: UA@HOMEDOMAIN ;tag=456248 Call-ID: 843817637684230@998sdasdh09 CSeq: 1826 REGISTER Contact: . . . F4 R executes Register R Stores: For UA1@P2 Contact = F5 R calculates Service Route Statically configured to reference HSP as a Service Route P-Service-Route= F6 Register Response r -> P2 SIP/2.0 200 OK Via: SIP/2.0/UDP 192.0.2.4:5060;branch=z9hG4bKnashds7 Via: SIP/2.0/UDP P1:5060;branch=34ghi7ab04 Via: SIP/2.0/UDP P2:5060;branch=iokioukju908 To: UA@HOMEDOMAIN From: UA@HOMEDOMAIN ;tag=456248 Call-ID: 843817637684230@998sdasdh09 CSeq: 1826 REGISTER Contact: P-Service-Route= . . . F7 Register Response P2 -> P1 SIP/2.0 200 OK Via: SIP/2.0/UDP 192.0.2.4:5060;branch=z9hG4bKnashds7 Via: SIP/2.0/UDP P1:5060;branch=34ghi7ab04 To: UA@HOMEDOMAIN From: UA@HOMEDOMAIN ;tag=456248 Call-ID: 843817637684230@998sdasdh09 CSeq: 1826 REGISTER Contact: P-Service-Route= . . . F8 Register Response P1 -> UA SIP/2.0 200 OK Via: SIP/2.0/UDP 192.0.2.4:5060;branch=z9hG4bKnashds7 To: UA@HOMEDOMAIN From: UA@HOMEDOMAIN ;tag=456248 Call-ID: 843817637684230@998sdasdh09 CSeq: 1826 REGISTER Contact: P-Service-Route= . . . F9 UA stores service route for HOMEDOMAIN ]]>

This example shows the message sequence for an INVITE transaction originating from UA1 eventually arriving at UA2 using outbound services from HOMEDOMAIN, where UA1 has previously registered with HOMEDOMAIN and been informed of a service route through HSP. The service being provided by HOMEDOMAIN is a "speed dial" service, where the user's private speed dial code "Joe" is expanded to "sip:Joe@UA2" by the action of HSP.

Message sequence for INVITE using P-Service-Route: P1 INVITE sip:joe SIP/2.0 Via: SIP/2.0/UDP 192.0.2.4:5060;branch=z9hG4bKnashds7 To: Joe From: UA@HOMEDOMAIN ;tag=456248 Call-ID: 843817637684230@998sdasdh09 CSeq: 18 INVITE Contact: Route: . . . (note: P1 is selected using the "outbound proxy" rule in UA1) F2 INVITE P1 -> P2 INVITE sip:joe SIP/2.0 Via: SIP/2.0/UDP 192.0.2.4:5060;branch=z9hG4bKnashds7 Via: SIP/2.0/UDP P1:5060;branch=34ghi7ab04 To: Joe From: UA@HOMEDOMAIN ;tag=456248 Call-ID: 843817637684230@998sdasdh09 CSeq: 18 INVITE Contact: Record-Route Route: . . . (note: P2 is selected using a DNS lookup on the domain of HSP) F3 INVITE P2 -> HSP INVITE sip:joe SIP/2.0 Via: SIP/2.0/UDP 192.0.2.4:5060;branch=z9hG4bKnashds7 Via: SIP/2.0/UDP P1:5060;branch=34ghi7ab04 Via: SIP/2.0/UDP P2:5060;branch=iokioukju908 To: Joe From: UA@HOMEDOMAIN ;tag=456248 Call-ID: 843817637684230@998sdasdh09 CSeq: 18 INVITE Contact: Record-Route Record-Route Route: . . . (note: HSP is selected using a DNS lookup for HSP within HOMEDOMAIN) F4 HSP executes service looks up name "sip:joe" in UA1's profile, returns "sip:joe@UA2" This will be request-URI of next-hop INVITE F5 INVITE HSP->P2 INVITE sip:joe@UA2 Via: SIP/2.0/UDP 192.0.2.4:5060;branch=z9hG4bKnashds7 Via: SIP/2.0/UDP P1:5060;branch=34ghi7ab04 Via: SIP/2.0/UDP P2:5060;branch=iokioukju908 Via: SIP/2.0/USP HSP:5060;branch=HSP10120323 To: Joe From: UA@HOMEDOMAIN ;tag=456248 Call-ID: 843817637684230@998sdasdh09 CSeq: 18 INVITE Contact: Record-Route Record-Route Record-Route . . . (note: P2 selected by outbound proxy rule on HSP) INVITE propagates toward UA2 as usual. ]]>

It is possible for proxies between the UA and the registrar during the REGISTER transaction to modify the value of P-Service-Route returned by the registrar, or to insert a P-Service-Route even when one was not returned by the registrar. It is also possible for proxies on the INVITE path to execute many different attacks. It is therefore desirable to apply transitive mutual authentication using sips: or other available mechanisms in order to prevent such attacks.

This document defines the SIP extension header "P-Service-Route" which should be included in the registry of SIP headers defined in SIP. As required by the SIP change process draft-tsvarea-sipchange the SIP extension header name "Service-Route" should also be registered in association with this extension.