IETF SIPPING Working Group C. Shen Internet-Draft H. Schulzrinne Intended status: Standards Track Columbia U. Expires: April 28, 2010 A. Koike NTT October 25, 2009 A Session Initiation Protocol (SIP) Load Control Event Package draft-shen-sipping-load-control-event-package-03.txt Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 28, 2010. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Abstract This document defines a load control event package for the Session Shen, et al. Expires April 28, 2010 [Page 1] Internet-Draft SIP Load Control Event Package October 2009 Initiation Protocol (SIP). It allows SIP servers to distribute user load control information to SIP servers. The load control information can throttle outbound calls based on their destination domain, telephone number prefix or for a specific user. The mechanism helps to prevent signaling overload and complements feedback-based SIP overload control efforts. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 5 3. Design Requirements . . . . . . . . . . . . . . . . . . . . . 5 4. Load Filtering Control Distribution . . . . . . . . . . . . . 6 4.1. Operation Overview and Examples . . . . . . . . . . . . . 6 4.2. Filter Contents . . . . . . . . . . . . . . . . . . . . . 8 4.3. Filter Computation . . . . . . . . . . . . . . . . . . . . 9 4.4. Applicability in Different Network Environments . . . . . 9 5. Load Control Event Package . . . . . . . . . . . . . . . . . . 9 5.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 10 5.2. Event Package Parameters . . . . . . . . . . . . . . . . . 10 5.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 10 5.4. SUBSCRIBE Duration . . . . . . . . . . . . . . . . . . . . 10 5.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 10 5.6. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 10 5.7. Notifier Generation of NOTIFY Requests . . . . . . . . . . 11 5.8. Subscriber Processing of NOTIFY Requests . . . . . . . . . 11 5.9. Handling of Forked Requests . . . . . . . . . . . . . . . 12 5.10. Rate of Notifications . . . . . . . . . . . . . . . . . . 12 5.11. State Agents . . . . . . . . . . . . . . . . . . . . . . . 12 6. Load Control Document . . . . . . . . . . . . . . . . . . . . 13 6.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . . 13 6.2. Namespace . . . . . . . . . . . . . . . . . . . . . . . . 13 6.3. Conditions . . . . . . . . . . . . . . . . . . . . . . . . 13 6.3.1. Call Identity . . . . . . . . . . . . . . . . . . . . 13 6.3.2. Validity . . . . . . . . . . . . . . . . . . . . . . . 16 6.3.3. Method . . . . . . . . . . . . . . . . . . . . . . . . 16 6.4. Actions . . . . . . . . . . . . . . . . . . . . . . . . . 16 6.5. Complete Examples . . . . . . . . . . . . . . . . . . . . 17 7. XML Schema Definition for Load Control . . . . . . . . . . . . 19 8. Related Work . . . . . . . . . . . . . . . . . . . . . . . . . 21 8.1. Relationship with Load Filtering in PSTN . . . . . . . . . 21 8.2. Relationship with Other IETF SIP Load Control Efforts . . 22 9. Security Considerations . . . . . . . . . . . . . . . . . . . 22 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 10.1. Load Control Event Package Registration . . . . . . . . . 23 10.2. application/load-control+xml MIME Registration . . . . . . 24 10.3. Load Control Schema Registration . . . . . . . . . . . . . 25 Shen, et al. Expires April 28, 2010 [Page 2] Internet-Draft SIP Load Control Event Package October 2009 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 25 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25 12.1. Normative References . . . . . . . . . . . . . . . . . . . 25 12.2. Informative References . . . . . . . . . . . . . . . . . . 26 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 27 Shen, et al. Expires April 28, 2010 [Page 3] Internet-Draft SIP Load Control Event Package October 2009 1. Introduction Proper functioning of Session Initiation Protocol (SIP) [RFC3265] signaling servers is critical in SIP-based communications networks. The performance of SIP severs can be severely degraded when the sever is overloaded with excessive number of signaling requests. Both legitimate and malicious traffic can overload SIP servers, despite appropriate capacity planning. There are three common examples of legitimate short-term increases in call volumes. Viewer-voting TV shows or ticket giveaways may generate millions of calls within a few minutes. Call volume may also spike during special holidays such as New Year's Day and Mother's Day. Finally, callers may want to reach friends and family in natural disaster areas such as those affected by earthquakes. When possible, only calls traversing overloaded servers should be throttled under those conditions. SIP load control mechanisms are needed to prevent congestion collapse in these cases [I-D.ietf-sipping-overload-reqs]. There are two types of load control approaches. In the first approach, feedback control, SIP servers provide load limits to upstream servers, to reduce the incoming rate of all SIP requests [I-D.hilt-sipping-overload]. These upstream servers then drop or delay incoming SIP requests. Feedback control is reactive and affects signaling messages that have already been issued by user agent clients. They work well if core or destination-specific SIP proxies are overloaded. By their nature, they need to distribute rate, drop or window information to all upstream SIP proxies and generally affect all calls equally, regardless of destination. However, feedback control is ineffective for edge-server overload. For example, for the ticket giveaway case, almost all such calls will fail in the core SIP server. If the edge server is also overloaded, calls to other destinations will also be rejected or dropped. Here, we propose an additional, complementary mechanism, called load filtering. Network operators create filters that indicate that calls to specific destinations or from specific sources should be rate- limited or randomly dropped. These filters are then distributed to SIP servers and possibly user agents likely to generate calls to the affected destinations or from the affected sources. Load filters work best if they prevent calls as close to the user agent client as possible. Performing SIP load filtering control requires three components: the filter distribution mechanism, the filter content format definition, and the filter content computation methods. This document addresses the first two components. The filter distribution mechanism is built Shen, et al. Expires April 28, 2010 [Page 4] Internet-Draft SIP Load Control Event Package October 2009 upon the existing SIP event framework and the filter content format definition is defined by the contents of a SIP load control event package. The third component, filter content computation, depends heavily on the actual network topology and service provider policies. Therefore it is out of scope of this document. The rest of this document is structured as follows: we begin by listing the design requirements for this work in Section 3. We then describe the SIP event framework based load filtering distribution operation in Section 4. The load control event package is detailed in Section 5. The load filter content definition is discussed in the two sections that follow, with Section 6 defining the load control XML document and Section 7 defining the corresponding XML schema. Section 8 relates this work to corresponding mechanisms in PSTN and other IETF efforts addressing SIP load control. Finally, Section 9 presents security considerations and Section 10 provides IANA considerations. 2. Requirements Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Design Requirements The SIP load filtering control mechanism needs to satisfy the following requirements: o To simplify the solution, we focus on SIP load control, rather than a generic application-layer mechanism. o The load filter information needs to be distributed efficiently to possibly a large subset of all SIP elements. o It is desirable to re-use existing SIP protocol mechanisms to reduce implementation and deployment complexity. o For predictable overload situations, such as holidays and call-in events, the mechanism should specify during what time period it is to be applied, so that the information can be distributed ahead of time. o For destination-specific overload situations, the load filter needs to be able to describe the callee. o To address accidental and intentional high-volume call generators, the filter should allow to specify the caller. o Caller and callee need to be specified as both Tel and SIP URIs. o For telephone numbers, specifying prefixes allows control over limited regionally-focused overloads. Shen, et al. Expires April 28, 2010 [Page 5] Internet-Draft SIP Load Control Event Package October 2009 o Solutions should draw upon experiences from related PSTN mechanisms where applicable. o Solutions need to be extensible to meet future needs. 4. Load Filtering Control Distribution 4.1. Operation Overview and Examples Although it may be possible to manually configure load filters in the corresponding entities, an automated distribution mechanism can have many benefits such as efficiency, scalability and human error avoidance, provided that the concerned entities satisfy the required security and trust relationship of sending and accepting load control information. To meet the requirements enumerated in the previous section, this document defines the SIP event package for load control, which is an "instantiation" of the generic SIP events framework [RFC3265]. The SIP events framework provides an existing method for SIP entities to subscribe to and receive notifications when certain events have occurred. Such a framework forms a scalable event distribution architecture that suits our needs. This document also defines the XML schema used to encode the load control document. The choice of XML allows us to reuse existing SIP-specific policy related XML schemas when applicable, and also fits our goal of flexibility and extensibility. The load filter distribution operation based on the SIP load control event package is illustrated with the example architecture shown in Figure 1. This scenario consists of two networks belonging to Service Provider A and Service Provider B, respectively. Each provider's network is made up of two SIP Core Proxies (CPs) and four SIP Edge Proxies (EPs). The CPs and EPs of Service Provider A are denoted as CPa1 to CPa2 and EPa1 to EPa4; the CPs and EPs of Service Provider B are denoted as CPb1 to CPb2 and EPb1 to EPb4. With the load filtering control mechanism, each SIP proxy in the network is required to subscribe to the load control event package from all its outgoing signaling neighbors. Signaling neighbors are defined by sending signaling messages. For instance, if A sends signaling requests to B, B is an outgoing signaling neighbor of A. A needs to subscribe to the load control event package of B in case B wants to curb requests from A. On the other hand, if B also sends signaling requests to A, then B also subscribes to A. In the example topology of Figure 1, assuming all signaling relationship is bi- directional, each proxy will need to subscribe to all its neighbors. That is, EPa1 subscribes to CPa1; CPa1 subscribes to EPa1, EPa2, CPa2 Shen, et al. Expires April 28, 2010 [Page 6] Internet-Draft SIP Load Control Event Package October 2009 and CPb1, so on and so forth. Notifications are always sent to all subscribing entities. +-----------+ +-----------+ +-----------+ +-----------+ | | | | | | | | | EPa1 | | EPa2 | | EPa3 | | EPa4 | | | | | | | | | +-----------+ +-----------+ +-----------+ +-----------+ \ / \ / \ / \ / \ / \ / +-----------+ +-----------+ | | | | | CPa1 |------------------| CPa2 | | | | | +-----------+ +-----------+ | | Service | | Provider A | | | | ================================================================= | | Service | | Provider B | | | | +-----------+ +-----------+ | | | | | CPb1 |------------------| CPb2 | | | | | +-----------+ +-----------+ / \ / \ / \ / \ / \ / \ +-----------+ +-----------+ +-----------+ +-----------+ | | | | | | | | | EPb1 | | EPb2 | | EPb3 | | EPb4 | | | | | | | | | +-----------+ +-----------+ +-----------+ +-----------+ Figure 1: Example Network Scenario with SIP Load Control Event Notification To begin load filter distribution on a network when the appropriate subscriptions among the entities are ready, the initial filter contents determined through a mechanism out of scope of this document Shen, et al. Expires April 28, 2010 [Page 7] Internet-Draft SIP Load Control Event Package October 2009 is introduced to a SIP server which acts as the network entry point for load filtering control. The filter is then propagated to the rest of the entities throughout the network. We show two examples below. Case I: EPa1 serves a TV program hotline and decides to limit the total number of incoming calls to the hotline to prevent an overload. To do so, EPa1 sends a notification to CPa1 with the specific hotline number, time of activation and total acceptable call rate. CPa1 then allocates the received total acceptable rate among its neighbors, namely, EPa2, CPa2, and CPb1 and notifies them about the resulting allocation along with the hotline number and the activation time. CPa2 and CPb1 then perform further allocation among their own neighbors and notify the corresponding servers. This process continues until all edge proxies in the network has been informed about the event and have proper load filter configured. Case II: an earthquake affected the region covered by CPb2, EPb3 and EPb4. All the three servers are overloaded. The rescue services determine that outbound calls are more valuable than inbound calls in this specific situation. Therefore, CPb2, EPb3 and EPb4 configure themselves to accept more outbound calls than inbound calls. CPb2 also sends out notifications to its outside neighbors, namely CPb1 and CPa2, specifying a limit on the acceptable rate of inbound calls to the CPb2's responsible region. CPb1 and CPa2 subsequently notify their neighbors about limiting the calls to CPb2's area. The same process continues until all edge proxy servers are notified and have filters configured. Note that this version of the document does not define the provisioning interface between the load control policy maker and the policy entry point in the network. One of the potential solutions for the provisioning interface is the Extensible Markup Language (XML) Configuration Access Protocol (XCAP) [RFC4825]. 4.2. Filter Contents The above two examples covered the two typical resource limits in a possible overload condition: human destination limits (N call takers) and proxy capacity limits. The overloaded identities in the two cases can be represented by a callee number specific filter and a wildcard domain based filter, respectively. In addition, source identity based filter can also be helpful in curbing the load. Besides the identity of the load source and destination, the filter content in the above examples also specifies the actions to be taken and during which time period the control should be active. All these aspects are detailed in the filter specification in Section 6. Shen, et al. Expires April 28, 2010 [Page 8] Internet-Draft SIP Load Control Event Package October 2009 4.3. Filter Computation The filter content computation methods are very important in ensuring a correct operation of the load filtering control mechanism. Whatever computation algorithm is used, it needs to take into consideration the network topology and related policies; it needs to ensure there is no load filter allocation loop and loads are allocated in a way that both prevents overload and minimizes the possibility of an under-utilization of the network. 4.4. Applicability in Different Network Environments The load filtering control is more effective when the filter can be pushed to the proximity of the signaling sources. But even if only part of the signaling path towards the signaling source could be covered, use of this mechanism can still be beneficial. In fact, due to possibly sophisticated call routing and security concerns, trying to apply automated load filter distribution in the entire inter- domain network path could get extremely complicated and be unrealistic. The scenarios where this mechanism could be most useful are environments consisting of servers with secure and trust relationship and with relatively straightforward routing configuration known to the filter computation decision maker. These scenarios may include intra-domain environments such as inside a service provider or enterprise domain; inter-domain environments such as enterprise connecting to a few service providers or between service providers with manageable routing configurations. Another important aspect that affects the applicability of the load filtering control is that all possible signaling source neighbors must participate and enforce the designated filter. Otherwise, a single non-conforming neighbor could easily make the whole control efforts useless by pumping in excessive traffic. Therefore, the entity that initiates the filter needs to take counter-measures towards any non-conforming neighbors. A simple model is to just drop excessive requests with a 500 response as if they were obeying the rate. This works as long as the dropping cost is sufficiently low that the entity doing the dropping is not overloaded. Note that this issue is a generic problem that applies to any overload control mechanisms. 5. Load Control Event Package This section defines the details of the SIP event package for load control according to [RFC3265]. Shen, et al. Expires April 28, 2010 [Page 9] Internet-Draft SIP Load Control Event Package October 2009 5.1. Event Package Name The name of this event package is "load-control". This name is carried in the Event and Allow-Events header, as specified in [RFC3265]. 5.2. Event Package Parameters No package specific event header field parameters are defined for this event package. 5.3. SUBSCRIBE Bodies A SUBSCRIBE request for load control policy MAY contain a body to filter the requested load control notification. For example, a subscriber may be interested in some specific types of load control information only. The details of the subscription filter specification are not yet defined. A SUBSCRIBE request sent without a body implies the default subscription behavior as specified in Section 5.7. 5.4. SUBSCRIBE Duration The default expiration time for a subscription to load control policy is one hour. Since the desired expiration time may vary significantly for subscriptions among SIP entities with different signaling relationships, the subscribers and notifiers are RECOMMENDED to explicitly negotiate appropriate subscription durations when knowledge about the mutual signaling relationship is available. 5.5. NOTIFY Bodies The body of a NOTIFY message in this event package contains policy information regarding load control. As specified in [RFC3265], the format of the NOTIFY body MUST be in one of the formats defined in the Accept header field of the SUBSCRIBE request or be the default format. The default data format for the NOTIFY body of this event package is "application/load-control+xml" (defined in Section 6). This means that if no Accept header field is specified to a SUBSCRIBE request, the NOTIFY will contain a body in the "application/ load-control+xml" format. If the Accept header field is present, it MUST include "application/load-control+xml" and MAY include any other types. 5.6. Notifier Processing of SUBSCRIBE Requests Shen, et al. Expires April 28, 2010 [Page 10] Internet-Draft SIP Load Control Event Package October 2009 The effectiveness of load filtering control relies on the scope of distribution and installation of the control policies in the network. Since wide distribution of the policy information is desirable, SIP entity subscribers should try to subscribe to all those SIP entity notifiers with which they have regular signaling exchanges. Not all such SIP notifiers may permit such a subscription. If the identity of the entity sending the SUBSCRIBE message is not allowed to receive overload control information, the notifier MUST return a 403 "Forbidden" response. If none of MIME types specified in the Accept header of the SUBSCRIBE is supported, the Notifier SHOULD return 406 "Not Acceptable" response. 5.7. Notifier Generation of NOTIFY Requests Following the [RFC3265] specification, a notifier MUST send a NOTIFY with its current load control policy to the subscriber upon successfully accepting or refreshing a subscription. The NOTIFY request MAY include a body. If no applicable restriction is active when the subscription request is received, an empty document is attached to the NOTIFY request. A notifier SHOULD generate NOTIFY requests each time the load control policy changes, with the maximum notification rate not exceeding values defined in Section 5.10. A SIP entity subscriber which itself is also a notifier may need to forward a NOTIFY message to its own subscribers after receiving a load control update from its own notifier. In such cases, the forwarding SIP entity MUST make proper modifications to the contents of the NOTIFY message as needed before sending it out. For example, if a SIP entity receives a rate limit of 100 requests per second for a particular downstream SIP entity and it needs to forward the policy to its three upstream neighbors which all subscribe to it, then the total rate limit for the specific downstream SIP entity in the three NOTIFY messages sent to those three upstream neighbors must not exceed 100 requests per second, unless this SIP entity is itself under more stringent overload conditions. This event package does not support notifications that contain deltas to previous information or partial information. 5.8. Subscriber Processing of NOTIFY Requests The way subscribers process NOTIFY requests depends on the contents of the notifications. Typically, a load control notification consists of rules that should be applied to requests matching certain identities. A SIP entity subscriber receiving the notification first Shen, et al. Expires April 28, 2010 [Page 11] Internet-Draft SIP Load Control Event Package October 2009 installs these rules and then filter incoming call requests to enforce actions on appropriate requests, for example, limiting the sending rate of call requests destined for a specific SIP entity. In the case when load control rules specify a future validity time, it is possible that when the validity time comes, the subscription to the specific notifier that conveyed the rules has expired. In this case, it is RECOMMENDED that the subscriber re-activate its subscription with the corresponding notifier. Regardless of whether this re-activation of subscription is successful or not, when the validity time is reached, the subscriber SHOULD enforce the corresponding rules. Upon receipt of a NOTIFY request with a Subscription-State header field containing the value "terminated", the subscriber MUST remove all previoulsy received load control information and process all calls without applying any restriction. The subscriber SHALL discard unknown bodies. If the NOTIFY request contains several bodies, none of them being supported, it SHOULD unsubscribe. A NOTIFY request that does not contain a body MUST be ignored. 5.9. Handling of Forked Requests Forking is not applicable when the load control event package is used within a single-hop distance between neighboring SIP entities. If the communication scope of the load-control event package is among multiple hops, forking is not expected to happen either because the subscription request is addressed to a clearly defined SIP entity. However, in the unlikely case when forking does happen, the load- control event package only allows the first potential dialog- establishing message to create a dialog, as specified in Section 4.4.9 of [RFC3265]. 5.10. Rate of Notifications Rate of notifications is likely not a concern for this event package because it is expected to be used in a non-real-time mode for relatively static load control policies. Nevertheless, if situation does arise that a rather frequent load control policy update is needed, it is RECOMMENDED that the notifier does not generate notifications at a rate higher than once per-second in all cases, in order to avoid the NOTIFY message itself overloading the system. 5.11. State Agents The load control policy information can be directly generated by Shen, et al. Expires April 28, 2010 [Page 12] Internet-Draft SIP Load Control Event Package October 2009 concerned SIP entities distributed in the network. Alternatively, qualified state agents external to the SIP entities MAY be defined to take charge of load control policy making. 6. Load Control Document 6.1. Format A load control document is an XML document that inherits and enhances the common policy document defined in [RFC4745]. A common policy document contains a set of rules. Each rule consists of three parts: conditions, actions and transformations. The conditions part is a set of expressions containing attributes such as identity, domain, and validity time information. Each expression evaluates to TRUE or FALSE. Conditions are matched on "equality" or "greater than" style comparison. There is no regular expression matching. Conditions are evaluated on receipt of an initial SIP request for a dialog or standalone transaction. If a request matches all conditions in a rule set, the action part and the transformation part are consulted to determine the "permission" on how to handle the request. Each action or transformation specifies a positive grant to the policy server to perform the resulting actions. Well-defined mechanism are available for combining actions and transformations obtained from more than one sources. 6.2. Namespace The namespace URI for elements defined by this specification is a Uniform Resource Namespace (URN) ([RFC2141]), using the namespace identifier 'ietf' defined by [RFC2648] and extended by [RFC3688]. The URN is as follows: urn:ietf:params:xml:ns:load-control 6.3. Conditions [RFC4745] defined three condition elements: , and . In this document, we re-define an element for identity and reuse the element. The element is not used. 6.3.1. Call Identity Since the problem space of this document is different from that of [RFC4745], the [RFC4745] element is not sufficient for use with load control. First, load control may be applied to different identity information contained in a request, including identities of both the receiving entity and the sending entity. Second, the Shen, et al. Expires April 28, 2010 [Page 13] Internet-Draft SIP Load Control Event Package October 2009 importance of authentication varies when different identities of a request are concerned. This document defines new identity conditions that can accommodate the granularity of specific SIP identity header fields. Requirement for authentication depends on which field is to be matched. The identity condition for load control is specified by the element and its sub-element . The element itself contains sub-elements representing SIP sending and receiving identity header fields: , , and , each is of the same type as the element in [RFC4745]. Therefore, they also inherit the sub-elements of the element, including , , and . When the element or its sub-elements contain multiple sub- elements, the result is combined using logical OR. The [RFC4745] and elements may contain an "id" attribute, which is the URI of a single entity to be included or excluded in the condition. When used in the , , and elements, this "id" value is the URI contained in the corresponding SIP header field, i.e., From, To, Request-URI, and P-Asserted-Identity. The following shows an example of the element: This example matches call requests whose To header field contains the SIP URI "sip:alice@hotline.example.com", or 'tel' URI "tel:+1-212-555-1234". The [RFC4745] and elements may take a "domain" attribute. The "domain" attribute specifies a domain name to be matched by the domain part of the candidate identity. Thus, it allows matching a large and possibly unknown number of entities within a domain. The "domain" attribute works well for SIP URIs. A URI identifying a SIP user, however, can also be a 'tel' URI [RFC3966]. We therefore need a similar way to match a group of 'tel' Shen, et al. Expires April 28, 2010 [Page 14] Internet-Draft SIP Load Control Event Package October 2009 URIs. There are two formats of 'tel' URIs: global format and local format. All phone numbers must be expressed in the global format when possible. The global format 'tel' URIs start with a "+". The rest of the phone numbers are expressed in a local format, which must be qualified by a "phone-context" parameter. The "phone-context" parameter may be labelled as a global number or any number of its leading digits, or a domain name. Both formats of the 'tel' URI make the resulting URI globally unique. 'Tel' URIs of global format can be grouped by prefixes consisting of any number of common leading digits. For example, a prefix formed by a country code or both the country and area code identifies telephone numbers within a country or an area. Since the length of the country and area code for different regions are different, the length of the number prefix is also variable. This allows further flexibility such as grouping the numbers into sub-areas within the same area code. 'Tel' URIs of local-number format can be grouped by the value of the "phone-context" parameter. To include the two formats of 'tel' URI grouping in the and elements, one approach is to add a new attribute similar to the "domain" attribute. In this document, we decided on a simpler approach. There are basically two forms of grouping attribute values for both SIP URIs and 'tel' URIs: domain name or number prefix starting with "+". Both of them can be expressed as strings. Therefore, we re-interpret the existing "domain" attribute of the and elements to allow it to contain both forms of grouping attribute values. In particular, when the "domain" attribute value starts with "+", it denotes a number prefix, otherwise, the value denotes a domain name. Note that the tradeoff of this simpler approach is the overlapping in matching different types of URIs. Specifically, a domain name in the "domain" attribute could be matched by both a SIP URI with that domain name and a local format 'tel' URI containing the same domain name in the "phone- context". On the other hand, a number prefix in the "domain" attribute could be matched by both global 'tel' URIs starting with those leading digits, and local 'tel' URIs having the same prefix in the "phone-context" parameter. These overlapping situations would not be a big problem because of two reasons. First, when the "phone- context" coincides with the SIP domain name or the global number prefix, it is usually the case that the related phone numbers indeed belong to the same domain or the same area, which means the overlapping is not inappropriate. Second, the use of the local format 'tel' URI in practice is expected to be rare. As a result, the chance of such overlapping happening is very small. The following example shows the use of the re-interpreted "domain" attribute. Shen, et al. Expires April 28, 2010 [Page 15] Internet-Draft SIP Load Control Event Package October 2009 This example matches those call requests whose domain field in the From SIP URI is different from "manhattan.example.com", or those call requests whose 'Tel' URI indicates a caller number starting from a prefix other than "+1-212". 6.3.2. Validity A rule is usually associated with a validity period condition. This document reuses the element of [RFC4745], which specifies a period of validity time by pairs of and sub- elements. When multiple time periods are defined, the validity condition is evaluated to TRUE if the current time falls into any of the specified time periods. i.e., it represents a logical OR operation across all validity time periods. The following example shows a element specifying a valid period from 12:00 to 15:00 US Eastern Standard Time on 2008-05-31. 2008-05-31T12:00:00-05:00 2008-05-31T15:00:00-05:00 6.3.3. Method The load created on a SIP server depend on the type of of an initial SIP request for a dialog or standalone transaction. The element specifies the SIP method to which a particular action applies. When this element is not included, the rule actions are applicable to all initial methods. The following example shows the use of the element. INVITE 6.4. Actions Shen, et al. Expires April 28, 2010 [Page 16] Internet-Draft SIP Load Control Event Package October 2009 As [RFC4745] specified, conditions form the 'if'-part of rules, while actions and transformations form the 'then'-part. Transformations are not used in the load control document. The actions for load control are defined by the element, which takes any one of the three sub-elements , , and . The element denotes an absolute value of the maximum acceptable request rate in requests per second; the element specifies the relative percentage of incoming requests that should be accepted; the element describes the acceptable window size supplied by the receiver, which is applicable in window-based load control (See [I-D.hilt-sipping-overload] for more details on rate-based and window-based load control). In addition, the element takes an optional "alt-action" attribute which can be used to explicitly specify the desired action in case a request is not accepted. The possible "alt-action" values are "Drop" for simple drop, "Reject" for explicit rejection (e.g., sending a "503 Service Unavailable" response message to an INVITE request), and "Forward". The default value is "Drop". If the "alt- action" value is "Forward", an "alt-target" attribute MUST be defined. The "alt-target" specifies a URI where the request should be forwarded (e.g., an answering machine with explanation of why the request cannot be accepted). In the following element example, the server accepts maximum of 100 call requests per second. The remaining calls are forwarded to an answering machine. 100 6.5. Complete Examples This section presents two complete examples of rule sets. The example below assumes a hotline reachable through "sip:alice@hotline.example.com" or "tel:+1-212-555-1234". The hotline is activated from 12:00 to 15:00 US Eastern Standard Time on 2008-05-31. The goal is to limit the incoming calls to 100 requests per second. Calls that exceed the rate limit are explicitly rejected. 2008-05-31T12:00:00-05:00 2008-05-31T15:00:00-05:00 100 The following example assumes a three-day period during the aftermath of an earthquake. To optimize resource usage, 50 percent of the inbound calls to the region will be throttled but no throttle is placed on outbound calls. In addition, calls originating from the local domain and the rescue team domain are never throttled. All throttled inbound calls will be forwarded to an answering machine with updated earthquake information. Shen, et al. Expires April 28, 2010 [Page 18] Internet-Draft SIP Load Control Event Package October 2009 79-08-24T09:00:00+01:00 79-08-27T09:00:00+01:00 50 7. XML Schema Definition for Load Control This section defines the XML schema for the load-control document. It extends the Common Policy schema in [RFC4745] by defining new members of the and elements. Shen, et al. Expires April 28, 2010 [Page 19] Internet-Draft SIP Load Control Event Package October 2009 Shen, et al. Expires April 28, 2010 [Page 20] Internet-Draft SIP Load Control Event Package October 2009 8. Related Work 8.1. Relationship with Load Filtering in PSTN It is known that the existing PSTN network also uses a load filtering mechanism to prevent overload and the filter configuration is done manually. This document defines the SIP event framework based distribution mechanism which allows automated filter distribution in suitable environments. There are control messages associated with PSTN overload control which would specify an outgoing control list, call gap duration and control duration [AINGR]. These items could be roughly correlated to the identity, action and the time fields in the SIP load filter content definition in this document. However, the filter defined in this document is much more generic and flexible as opposed to its PSTN counterpart. Firstly, PSTN filtering only applies to telephone numbers, and the number of prefix to be matched for a group of telephone numbers is usually a fixed set. The SIP filter identity allows both SIP URI and telephone numbers (through Tel URI) to be specified. The identities can be arbitrary grouped by SIP domains or any number of leading prefix of the telephone number. Secondly, the PSTN filtering action is usually limited to call gapping, and there is also a fixed set of allowed gapping intervals. The action field in the SIP load filter allows more possibilities such as rate throttle, window-based throttle and others. Thirdly, the duration field in PSTN filtering specifies a value in seconds for the control duration only and the allowed values are mapped into a value sets. The time field in the SIP load filter can not only specify a duration, but also a future activation time which could be especially useful for automating overload control for predictable overloads. PSTN filtering can be performed in both edge switches and transit switches; SIP filtering can also be applied in both edge proxies and core proxies, and even in capable user agents. PSTN overload control also has special accommodation for High Probability of Completion (HPC) calls, which would be similar to the calls designated by the SIP Resource Priority Headers [RFC4412]. SIP Shen, et al. Expires April 28, 2010 [Page 21] Internet-Draft SIP Load Control Event Package October 2009 filtering mechanism can also prioritize the treatment of these calls by specifying favorable actions for these calls. PSTN filtering also provides administrative option for routing failed call attempts to either Reorder Tone or a special announcement. Similar capability can be provided in the SIP filtering mechanism by specifying the appropriate "alt-action" attribute in the SIP filtering action field. 8.2. Relationship with Other IETF SIP Load Control Efforts The filter content definition in this document is based on identity, action and time. The identity can range from a single specific user to an arbitrary user aggregate, domains or areas. The user can be identified by either the source or the destination. When the user is identified by the source and a favorable action is specified, the result may be comparable to identifying a priority user based on authorized Resource Priority Headers [RFC4412] in the requests. Specifying a source user identity with an unfavorable action would cause an effect comparable to an inverse SIP resource priority mechanism. The filter content defined in this document is generic and is expected to be applicable not only to the load filtering control mechanism but also to the feedback overload control mechanism in [I-D.hilt-sipping-overload]. In particular, both of them could use specific or wildcard filter identities for load control and could share well-known load control actions. The time duration field in the filter content could also be used in both mechanisms. As mentioned in Section 1, the load filter distribution mechanism and the feedback overload control mechanism address complementary areas in the load control problem space. Load filtering is more proactive and focuses on distributing the filter towards the source of the traffic; the hop-by-hop feedback based approach is reactive and targets more at traffic already accepted in the network. Therefore, they could also make different use of the generic filter components. For example, the load filtering mechanism may use the time field in the filter to specify not only a control duration but also a future activation time to accommodate a predicable overload such as caused by Mother's Day or a viewer-voting program; the feedback-based control might not need to use the time field or might use the time field to specify an immediate control duration. 9. Security Considerations Two aspects of security considerations arise from this document: one is the SIP event framework based filter distribution mechanism, the Shen, et al. Expires April 28, 2010 [Page 22] Internet-Draft SIP Load Control Event Package October 2009 other is the filter enforcement mechanism. Security considerations for the SIP event framework based mechanism is covered in Section 5 of [RFC3265]. In addition, we would like to emphasize the following two points specific to this document. o Subscription control: the effectiveness of load filtering requires that all incoming signaling neighbors be under control. Therefore, the notifier MUST open the load control subscription to all its legitimate neighbors from which it is expected to accept signaling requests from. It is important to note that, accepting load control subscription from a neighbor does not mean the specific neighbor will correctly enforce the contents of load control notification as expected. When there are neighbors that are non-conforming, additional measures need to be taken as discussed in Section 4.4. o Notification control: in order to prevent the load control notification being used to launch denial of service attacks, all load control notification MUST be authenticated and authorized before being accepted. Standard authentication and authorization mechanisms recommended in [RFC3261] such as HTTP authentication [RFC2617], TLS [RFC2246] and IPSec [RFC2401] can serve this purpose. Security considerations for filter enforcements vary depending on the filter contents. This document defines possible filter match of the following SIP header fields: , , and . The exact requirement to authenticate and authorize these fields is up to the service provider. In general, if the identity field represents the source of the request, it SHOULD be authenticated and authorized; if the identity field represents the destination of the request the authentication and authorization is optional. 10. IANA Considerations This specification registers a SIP event package, a new MIME type, a new XML namespace, and a new XML schema. 10.1. Load Control Event Package Registration This section registers an event package based on the registration procedures defined in [RFC3265]. Package name: load-control Shen, et al. Expires April 28, 2010 [Page 23] Internet-Draft SIP Load Control Event Package October 2009 Type: package Published specification: This document Person to contact: Charles Shen, charles@cs.columbia.edu 10.2. application/load-control+xml MIME Registration This section registers a new MIME type based on the procedures defined in [RFC4288] and guidelines in [RFC3023]. MIME media type name: application MIME subtype name: load-control+xml Mandatory parameters: none Optional parameters: Same as charset parameter application/xml in [RFC3023] Encoding considerations: Same as encoding considerations of application/xml in [RFC3023] Security considerations: See Section 10 of [RFC3023] and Section 9 of this specification Interpretability considerations: None Published Specification: This document Applications which use this media type: load control of SIP entities Additional information: Magic number: None File extension: .xml Macintosh file type code: 'TEXT' Personal and email address for further information: Charles Shen, charles@cs.columbia.edu Intended usage: COMMON Author/Change Controller: IETF SIPPING Working Group , as designated by the IESG Shen, et al. Expires April 28, 2010 [Page 24] Internet-Draft SIP Load Control Event Package October 2009 10.3. Load Control Schema Registration URI: urn:ietf:params:xml:schema:load-control Registrant Contact: IETF SIPPING working group, Charles Shen (charles@cs.columbia.edu). XML: the XML schema to be registered is contained in Section 7. Its first line is and its last line is 11. Acknowledgements The authors would like to thank Bruno Chatras for helpful suggestions and comments, including adding the condition element. 12. References 12.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997. [RFC2648] Moats, R., "A URN Namespace for IETF Documents", RFC 2648, August 1999. [RFC3023] Murata, M., St. Laurent, S., and D. Kohn, "XML Media Types", RFC 3023, January 2001. [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. [RFC3265] Roach, A., "Session Initiation Protocol (SIP)-Specific Event Notification", RFC 3265, June 2002. [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, Shen, et al. Expires April 28, 2010 [Page 25] Internet-Draft SIP Load Control Event Package October 2009 January 2004. [RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", RFC 3966, December 2004. [RFC4288] Freed, N. and J. Klensin, "Media Type Specifications and Registration Procedures", BCP 13, RFC 4288, December 2005. [RFC4745] Schulzrinne, H., Tschofenig, H., Morris, J., Cuellar, J., Polk, J., and J. Rosenberg, "Common Policy: A Document Format for Expressing Privacy Preferences", RFC 4745, February 2007. 12.2. Informative References [AINGR] Bell Communications Research, "AINGR: Service Control Point (SCP) Network Traffic Management", GR-2938-CORE , December 1996. [I-D.hilt-sipping-overload] Hilt, V., Widjaja, I., and H. Schulzrinne, "Session Initiation Protocol (SIP) Overload Control", draft-hilt-sipping-overload-06 (work in progress), March 2009. [I-D.ietf-sipping-overload-reqs] Rosenberg, J., "Requirements for Management of Overload in the Session Initiation Protocol", draft-ietf-sipping-overload-reqs-05 (work in progress), July 2008. [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999. [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998. [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., and L. Stewart, "HTTP Authentication: Basic and Digest Access Authentication", RFC 2617, June 1999. [RFC4412] Schulzrinne, H. and J. Polk, "Communications Resource Priority for the Session Initiation Protocol (SIP)", RFC 4412, February 2006. [RFC4825] Rosenberg, J., "The Extensible Markup Language (XML) Configuration Access Protocol (XCAP)", RFC 4825, May 2007. Shen, et al. Expires April 28, 2010 [Page 26] Internet-Draft SIP Load Control Event Package October 2009 Authors' Addresses Charles Shen Columbia University Department of Computer Science 1214 Amsterdam Avenue, MC 0401 New York, NY 10027 USA Phone: +1 212 854 3109 Email: charles@cs.columbia.edu Henning Schulzrinne Columbia University Department of Computer Science 1214 Amsterdam Avenue, MC 0401 New York, NY 10027 USA Phone: +1 212 939 7004 Email: schulzrinne@cs.columbia.edu Arata Koike NTT Service Integration Labs & NTT Washington DC Representative Office 1100 13th St., NW, Suite 900 Washington DC, 20005 USA Phone: +1 202 312 1451 Email: koike.arata@lab.ntt.co.jp Shen, et al. Expires April 28, 2010 [Page 27]