SIP                                                         J. Rosenberg
Internet-Draft                                             Cisco Systems
Expires: January 12, 2006                                  July 11, 2005

    Clarifying Construction of the Route Header Field in the Session
                       Initiation Protocol (SIP)

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on January 12, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).


   The Route header field in the Session Initiation Protocol (SIP)
   protocol is used to cause a request to visit a set of hops on its way
   towards the final destination.  The SIP specification defines
   construction of the Route header field at user agents.  However,
   numerous other mechanisms have been described, such as Service-Route
   and the 305 response, which cause the client to set its Route header
   field for a request.  As such, the specific behavior for a UA in
   construction of its Route header field is unclear.  This document

Rosenberg               Expires January 12, 2006                [Page 1]

Internet-Draft               Route Construct                   July 2005

   attempts to define a consistent set of logic.

Table of Contents

   1.   Introduction . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.   Existing Sources . . . . . . . . . . . . . . . . . . . . . .   3
     2.1  Default Outbound Proxies . . . . . . . . . . . . . . . . .   3
     2.2  Service Route  . . . . . . . . . . . . . . . . . . . . . .   4
     2.3  Record-Routes  . . . . . . . . . . . . . . . . . . . . . .   4
     2.4  305 Use Proxy  . . . . . . . . . . . . . . . . . . . . . .   4
   3.   Problems with Current Specifications . . . . . . . . . . . .   5
   4.   Overview of Operation  . . . . . . . . . . . . . . . . . . .   6
   5.   Detailed Processing Rules  . . . . . . . . . . . . . . . . .   6
     5.1  Registrar Behavior . . . . . . . . . . . . . . . . . . . .   6
     5.2  UAC Behavior . . . . . . . . . . . . . . . . . . . . . . .   7
     5.3  Client Behavior  . . . . . . . . . . . . . . . . . . . . .   7
     5.4  Server Behavior  . . . . . . . . . . . . . . . . . . . . .   8
   6.   Backwards Compatibility  . . . . . . . . . . . . . . . . . .   9
   7.   Security Considerations  . . . . . . . . . . . . . . . . . .  10
   8.   IANA Considerations  . . . . . . . . . . . . . . . . . . . .  10
   9.   Acknowledgements . . . . . . . . . . . . . . . . . . . . . .  10
   10.  References . . . . . . . . . . . . . . . . . . . . . . . . .  11
     10.1   Normative References . . . . . . . . . . . . . . . . . .  11
     10.2   Informative References . . . . . . . . . . . . . . . . .  11
        Author's Address . . . . . . . . . . . . . . . . . . . . . .  11
        Intellectual Property and Copyright Statements . . . . . . .  12

Rosenberg               Expires January 12, 2006                [Page 2]

Internet-Draft               Route Construct                   July 2005

1.  Introduction

   The Route header field in the Session Initiation Protocol (SIP)
   protocol is used to cause a request to visit a set of hops on its way
   towards the final destination.  RFC 3261 [2] discusses how a client
   constructs the Route header field for requests.  However, this logic
   is restricted to mid-dialog requests, where the route set was learned
   as a result of record-routing.

   However, additional sources of routes can exist for a UA.  These
   include default outbound proxies, a service route learned from the
   Service-Route header field [3], and a redirection coming from a 305
   response.  In total, there are four sources of potential route
   headers.  The way in which these various sources are reconciled is
   unclear.  Furthermore, the various specifications are unclear about
   which requests these Route headers are applicable to.  Do they apply
   to REGISTER?  Do they apply to mid-dialog requests?

   Section 2 reviews the existing sources of route sources.  Section 3
   discusses problems with the existing specifications.  Section 4
   overviews the proposed changes in behavior.  Section 5 provides a
   detailed description of element behavior, and Section 6 discusses
   backwards compatibility issues.

2.  Existing Sources

   This section examines the current set of route header field sources.

2.1  Default Outbound Proxies

   RFC 3261 discusses default outbound proxies.  In Section, it
   makes reference to its interaction with Route header fields:

      In some special circumstances, the presence of a pre-existing
      route set can affect the Request-URI of the message.  A pre-
      existing route set is an ordered set of URIs that identify a chain
      of servers, to which a UAC will send outgoing requests that are
      outside of a dialog.  Commonly, they are configured on the UA by a
      user or service provider manually, or through some other non-SIP
      mechanism.  When a provider wishes to configure a UA with an
      outbound proxy, it is RECOMMENDED that this be done by providing
      it with a pre-existing route set with a single URI, that of the
      outbound proxy.

      When a pre-existing route set is present, the procedures for
      populating the Request-URI and Route header field detailed in
      Section MUST be followed (even though there is no
      dialog), using the desired Request-URI as the remote target URI.

Rosenberg               Expires January 12, 2006                [Page 3]

Internet-Draft               Route Construct                   July 2005

   The default outbound proxy can be learned either through DHCP [4],
   through configuration (such as the SIP configuration framework [6]),
   or through other means.  In the IMS, the default outbound proxy is
   the P-CSCF and is learned through GPRS specific techniques.

   RFC 3261 does not explicitly say the set of messages to which this
   route set applies.  However, the text above implies that it is for
   all requests outside of a dialog.

2.2  Service Route

   RFC 3608 specifies the Service-Route header field.  This header field
   is provided to the UA in a 2xx response to a REGISTER request.  The
   client uses this to populate its Route header fields for outgoing
   requests.  However, RFC 3608 explicitly says that the decision a UA
   makes about how it combines the service route with other outbound
   routes is a matter of local policy.  Furthermore, RFC 3608 does not
   clearly define to which requests the service route applies, and in
   particular, whether or not it applies to a REGISTER request or a mid-
   dialog request.

2.3  Record-Routes

   RFC 3261 provides a detailed description of the record-routing
   mechanism, and how the user agents in a dialog construct route sets
   from the Record-Route header field values.  RFC 3261 is also clear
   that the resulting route set applies to mid-dialog requests.  It
   implies (though does not explicitly say) that the resulting route set
   overrides any default outbound proxies (which represent a pre-loaded
   route set).

2.4  305 Use Proxy

   RFC 3261 defines the 305 "Use Proxy" response code, but says
   extremely little about exactly how it is used.  It has this to say:

      The requested resource MUST be accessed through the proxy given by
      the Contact field.  The Contact field gives the URI of the proxy.
      The recipient is expected to repeat this single request via the
      proxy. 305 (Use Proxy) responses MUST only be generated by UASs.

   It is unclear how the Contact in the redirect is used.  Does it
   populate the request URI of the resulting request?  Or, does it get
   used to populate the Route header field?  The restriction to UASs is
   also not explained.

   Historically, the reason for the restriction to UAs was to avoid
   routing loops.  Consider an outbound proxy that generates a 305,

Rosenberg               Expires January 12, 2006                [Page 4]

Internet-Draft               Route Construct                   July 2005

   instead of proxying the request.  The concern was that the client
   would then recurse on the response, populate the Contact into a new
   request URI, and send the request to its default outbound proxy,
   which redirects once more.  To avoid this, the RFC says that only a
   UAS can redirect with a 305, not a proxy.

   However, this design decision on 305 handling was made prior to the
   conception of loose routing, although both ended up in RFC 3261.  The
   design of the 305 mechanism, unfortunately, was not revisited after
   loose routing was specified.  As such, the draft is not clear about
   whether or not the contact gets utilized as a Route header field
   value or whether it replaces the Request URI.

3.  Problems with Current Specifications

   Because the interactions between these various sources of routes are
   unspecified, certain features have proven impossible to provide,
   and/or interoperability problems have resulted.

   One problem is that, depending on the way a client constructs its
   route set, it may be impossible to change a users outbound proxy
   without updating its configuration.  Such changes are extremely
   useful for many operational reasons.  One example is movement of
   subscribers between geographically distributed sites in cases where a
   site must be gracefully taken out of service, and the subscribers
   using it need to be moved.  If the client uses the service route to
   augment the route from corresponding to its default outbound proxy, a
   network provider cannot move a subscriber.

   Another problem is the client bootstrapping problem.  Consider the
   same SIP network that utilizes geographically distributed sites.
   Each site contains a subset of the user database - the subset for the
   users in that site.  When a SIP UA first boots up, it needs to obtain
   its configuration.  As such, it has a hard-coded default proxy it
   uses for an initial SUBSCRIBE to enroll in its configuration [6].
   This proxy, however, may not be the one in site to which the user of
   that SIP UA is associated.  Ideally, the initial SUBSCRIBE could be
   routed to a server that redirects the client to the right proxy in
   the user's actual site.  This redirection needs to override the
   default outbound proxy for the phone.  However, there is not
   currently a way to do that.

   An interoperability problem that has arisen is keeping an outbound
   proxy on the path for outbound requests.  Consider a proxy in a hotel
   which a client discovers via DHCP and uses as its outbound proxy.
   This proxy wishes to be used for incoming and outgoing requests, both
   in and out of a dialog.  So, it includes itself on the Path header
   field of the REGISTER.  However, it has no idea if the registrar will

Rosenberg               Expires January 12, 2006                [Page 5]

Internet-Draft               Route Construct                   July 2005

   reflect the Path header field into the Service-Route, and cannot
   determine whether putting itself on the Path is effective for getting
   on the service route.  Per RFC 3608 it cannot modify the Service-
   Route in the response to REGISTER.  As such, if the registrar does
   not include the proxy in the Service-Route, and the endpoint
   overrides its outbound proxy setting with the Service-Route, the
   local proxy falls off the outbound path despite its best efforts.

4.  Overview of Operation

   Firstly, new behavior for generation and processing of the 305 Use
   Proxy is specified.  Any element in the network, proxy or UAS, can
   generate a 305, not just a UAS as specified in RFC3261.  This
   redirect can be recursed by any upstream element, but it is ideally
   recursed by the element directly upstream from the one that genreated
   the redirect.  To recurse on the redirect, the proxy or UAC takes the
   Contact header field value from the 305, and uses it to replace the
   top value of the Route header field used previously.  If no Route
   header field was used previously, one is added.  However, in neither
   case is the Request-URI modified.

   When a UAC goes to send a request, whether it is a mid-dialog request
   or a new request with any method (except CANCEL or ACK to a non-2xx
   response), the client first uses any route set learned from a record-
   route (which covers mid-dialog requests).  If the request is not a
   mid-dialog reuqest, the client sees if it has any service routes
   learned through RFC 3608.  If there are none, the client next uses
   any configured default outbound proxies.  These three sources -
   record-routes, service routes and default outbound proxies - are
   never mixed, and one and only one of them applies to each request.
   After it is applied however, if the request results in a 305 Use
   Proxy response, the topmost Route header field is updated as
   described above.

   A registrar, upon receipt of a REGISTER, uses the Path header field
   values to construct the Service-Route in the response.  The values
   from the Path are copied into the Service-Route, and the registrar
   can then add some additional ones if they are within the domain of
   the provider.

5.  Detailed Processing Rules

5.1  Registrar Behavior

   The registrar MUST construct the Service-Route in the registration
   response by taking each URI from the Path header field in the
   REGISTER request, and inverting the order.  After inversion, the
   registrar MAY add additional URIs at the end of the list (that is,

Rosenberg               Expires January 12, 2006                [Page 6]

Internet-Draft               Route Construct                   July 2005

   the right hand side of the list, corresponding to proxy elements that
   will be the farthest away from the UA).

   Furthermore, the registrar MAY replace or remove any URIs that are
   within a domain under the control of the registrar.  When replacing a
   URI, one or more new ones can take its place.  If the registrar is in, this would include any URIs whose domain part is  It would also include any URIs whose domain is a
   subdomain of, as long as that subdomain is under the
   control of  It could also include URIs whose domain part
   is unrelated to, as long as those are within the control
   of  It is difficult to provide a concise definition of
   "under the control", but generally it means that the administrative
   policies for the subservient domain are completely defined by the
   controlling domain.

   This behavior ensures that proxies outside of the domain of the
   registrar have a way to appear on the service route, but provides a
   way, within a domain, to provide service routes that are not coupled
   to the Path.

5.2  UAC Behavior

   A UAC compliant to this specification MUST include the "lr305" option
   tag in the Supported header field of requests that it generates.

   For a request sent by a UAC that is not the result of recursion on a
   305, the following logic MUST be used to compute the route set used
   to populate the Route header field of the request.  If the request is
   a mid-dialog request, the route set is computed per the procedures in
   Section of RFC 3261.  This route set overrides routes
   learned from configuration, DHCP, Service-Route or any other
   mechanism.  If the request is not a mid-dialog request, the client
   checks to see if it has learned a service route as a result of
   registering the AOR it has populated in the From header field of the
   request.  If it has learned a service route, the URIs from the
   Service-Route header field is used as the route set for the request.
   This route set overrides routes learned from configuration, DHCP, or
   any other mechanism.  This route set is used in all requests outside
   of a dialog, including REGISTER.  If the UA has not learned a service
   route, it uses the route set learned through configuration.  [[OPEN
   ISSUE: Do we need to specify how to reconcile route sources learned
   across disparate configuration sources?  For example DHCP and a
   config file?]]

5.3  Client Behavior

   The following logic defined here applies to all clients, both UAC and

Rosenberg               Expires January 12, 2006                [Page 7]

Internet-Draft               Route Construct                   July 2005

   proxies, and applies to the processing of a 305 response.

   It is RECOMMENDED that a client in receipt of a 305 recurse on that
   redirection, rather than forwarding it upstream.  To compute the
   request that is sent as a result of the recursion, the client MUST
   take the route set used for the request that generated the 305
   response.  If that request had a Route header field, the first value
   MUST be replaced with the value of the Contact header field in the
   305 with the highest q-value.  If there are multiple such Contacts
   with the same q-value, one is chosen at random.  The result is used
   as the route set for the new request.  If the original request did
   not have a Route header field, the new request MUST contain a single
   Route header field value, equal to the URI provided in the Contact
   header field of the 305 with the highest q-value.  This processing
   applies to requests both inside and outside of a dialog, and applies
   to all request methods, including REGISTER, with the exception of ACK
   and CANCEL.

   If a 305 response had multiple Contact header field values, and the
   recursed request generated a 503 response, and the client had
   exhausted all alternative servers learned from DNS [5] for the
   previous Contact header field value, the client SHOULD choose the
   Contact from the 305 with the next highest q-value, and construct
   another recursed request using the procedures defined above.  In the
   event the 305 had multiple Contact header field values with
   equivalent q-values, the next highest one might have a q-value equal
   to the one that was just tried.

   If the policy of the client is such that it a request must visit a
   particular set of hops subsequent to being processed, and the route
   set constructed as a result of the recursion does not meet those
   policy constraints, the client MAY push additional route header field
   values in order for the request to meet those policy requirements.
   Proxies that do this SHOULD verify that the URI placed into the
   topmost Route header field value is an acceptable next hop, and not
   just blindly push route header field values.

5.4  Server Behavior

   Any server, either a UAS or a proxy, MAY generate a 305 in response
   to a request.  Such a response can be generated either for initial or
   mid-dialog requests.  The 305 SHOULD NOT be generated unless one of
   the following conditions is met:

   o  The server generating the 305 has an administrative relationship
      with the previous hop element, and knows that it is capable of
      supporting this specification and will recurse on a 305 that it

Rosenberg               Expires January 12, 2006                [Page 8]

Internet-Draft               Route Construct                   July 2005

   o  The server generating the 305 believes that its previous hop is a
      UAC, and the request being redirected included a Supported header
      field with the option tag "lr305".

   These requirements provide a limited form of backwards compatibility.
   See Section 6 for a thorough discussion.

6.  Backwards Compatibility

   This specification defines a different behavior for the processing of
   305 than is implied in RFC 3261 (although the behavior is not
   entirely clear).  Because of this, there are two backwards
   compatibility scenarios that need to be considered:

   1.  The element that recurses on the redirection does not support
       this specification.  As a result, it replaces its Request-URI in
       the recursed request with the value from the Contact header field
       of the 305.

   2.  The element that recurses supports this specification, and
       correctly populates the Contact header field value into the Route
       header field of the recursed request.  However, the element that
       performed the recursion was not the element immediately upstream
       from the one that generated the 305.  As a result, an
       intermediate element is bypassed even though the desire was for
       it to remain on the route set.

   The first of these two cases causes the Request URI to be clobbered.
   The request will arrive at the server that was the target of the
   redirection, but it probably won't be able to process the request
   because the actual request URI is no longer present.  Unfortunately,
   avoiding this failure case entirely is quite difficult.  It requires
   the redirecting server to have an assurance that the element
   immediately upstream, whether it is a proxy or UAC, supports this
   specification.  There is no mechanism in the suite of RFC 3261
   compatibility tools that can provide such a function.  The only way
   to do this is to include another cookie in the Via branch ID, used as
   a signal that this extension is supported.  However, this results in
   substantial pollution of the Via header field, and increases each
   message substantially.

   It is believed that a 305 redirection is in fairly limited usage at
   the time of writing, and so this specification provides a weaker form
   of backwards compatibility.  The Supported header field is used to
   verify that clients support the mechanism.  Rather than explicit
   signaling, it is assumed that proxies can know whether the previous
   hop supports this mechanism based on an administrative relationship
   with that proxy.  This precludes 305 from being used inter-provider

Rosenberg               Expires January 12, 2006                [Page 9]

Internet-Draft               Route Construct                   July 2005

   until it is ubiquitously deployed.  However, this does not seem like
   a major limitation, since most of the use cases are intra-provider.
   The backwards compatibility mechanism also assumes that a proxy can
   determine that its previous hop is a UAC as opposed to a proxy; this
   is hard to know for certain.

   The second backwards compatibility issue is interesting.  What
   happens if the 305 is properly handled, but is recursed by an element
   that lies multiple hops upstream from the redirecting server?  The
   recursing element will replace its top Route header field with the
   value from the Contact in the 305, and presumably send the request
   there directly.  That may or may not be a problem, it depends on
   whether the previously-intervening proxies really need to be on the
   request path or not.  To deal with this case, the specification
   allows a recursing element to push additional route headers in order
   to make sure requests traverse paths that meet their policy

7.  Security Considerations

   An attacker that injects a fake route set, whether it is in a 305
   response, a Service-Route, a Record-Route or a configuration, can
   launch a multitude of attacks, including denial-of-service and fraud.
   For this reason, an element SHOULD NOT make use of a route set unless
   it has obtained it through a signaling channel that has been secured
   using the SIPS mechanism in RFC 3261 [2]

8.  IANA Considerations

   This specification registers a new option tag for SIP, according to
   Section 27.1 of RFC 3261.

   Name: lr305

   Description: This option tag is for support of the loose routing
      behavior for the 305 Use Proxy response.  It is used in the
      Supported header field of requests, and indicates that the UAC
      will properly recurse when it receives a 305.

9.  Acknowledgements

   The author would like to thank Paul Kyzivat and Anders Kristensen for
   their comments.

10.  References

Rosenberg               Expires January 12, 2006               [Page 10]

Internet-Draft               Route Construct                   July 2005

10.1  Normative References

   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [2]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
        Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
        Session Initiation Protocol", RFC 3261, June 2002.

   [3]  Willis, D. and B. Hoeneisen, "Session Initiation Protocol (SIP)
        Extension Header Field for Service Route Discovery During
        Registration", RFC 3608, October 2003.

10.2  Informative References

   [4]  Schulzrinne, H., "Dynamic Host Configuration Protocol (DHCP-for-
        IPv4) Option for Session Initiation Protocol (SIP) Servers",
        RFC 3361, August 2002.

   [5]  Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol
        (SIP): Locating SIP Servers", RFC 3263, June 2002.

   [6]  Petrie, D., "A Framework for Session Initiation Protocol User
        Agent Profile Delivery", draft-ietf-sipping-config-framework-06
        (work in progress), February 2005.

Author's Address

   Jonathan Rosenberg
   Cisco Systems
   600 Lanidex Plaza
   Parsippany, NJ  07054

   Phone: +1 973 952-5000

Rosenberg               Expires January 12, 2006               [Page 11]

Internet-Draft               Route Construct                   July 2005

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at

Disclaimer of Validity

   This document and the information contained herein are provided on an

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


   Funding for the RFC Editor function is currently provided by the
   Internet Society.

Rosenberg               Expires January 12, 2006               [Page 12]