IETF SIPPING Working Group C. Shen
Internet-Draft H. Schulzrinne
Intended status: Standards Track Columbia U.
Expires: January 8, 2009 A. Koike
NTT
July 7, 2008
A Session Initiation Protocol (SIP) Load Control Event Package
draft-shen-sipping-load-control-event-package-00.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 8, 2009.
Abstract
This document defines a load control event package for the Session
Initiation Protocol (SIP). It allows SIP servers to distribute user
load control information to SIP servers. The load control
information can throttle outbound calls based on their destination
domain, telephone number prefix or for a specific user. The
mechanism helps to prevent signaling overload and complements
feedback-based SIP overload control efforts.
Shen, et al. Expires January 8, 2009 [Page 1]
Internet-Draft SIP Load Control Event Package July 2008
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Requirements Notation . . . . . . . . . . . . . . . . . . . . 6
5. Load Control Event Package . . . . . . . . . . . . . . . . . . 6
5.1. Event Package Name . . . . . . . . . . . . . . . . . . . . 7
5.2. Event Package Parameters . . . . . . . . . . . . . . . . . 7
5.3. SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 7
5.4. SUBSCRIBE Duration . . . . . . . . . . . . . . . . . . . . 7
5.5. NOTIFY Bodies . . . . . . . . . . . . . . . . . . . . . . 7
5.6. Notifier Processing of SUBSCRIBE Requests . . . . . . . . 8
5.7. Notifier Generation of NOTIFY Requests . . . . . . . . . . 8
5.8. Subscriber Processing of NOTIFY Requests . . . . . . . . . 8
5.9. Handling of Forked Requests . . . . . . . . . . . . . . . 9
5.10. Rate of Notifications . . . . . . . . . . . . . . . . . . 9
5.11. State Agents . . . . . . . . . . . . . . . . . . . . . . . 9
6. Load Control Document . . . . . . . . . . . . . . . . . . . . 9
6.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.2. Namespace . . . . . . . . . . . . . . . . . . . . . . . . 10
6.3. Conditions . . . . . . . . . . . . . . . . . . . . . . . . 10
6.3.1. Call Identity . . . . . . . . . . . . . . . . . . . . 10
6.3.2. Validity . . . . . . . . . . . . . . . . . . . . . . . 12
6.4. Actions . . . . . . . . . . . . . . . . . . . . . . . . . 13
6.5. Complete Examples . . . . . . . . . . . . . . . . . . . . 14
7. XML Schema Definition for Load Control . . . . . . . . . . . . 15
8. Security Considerations . . . . . . . . . . . . . . . . . . . 17
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
9.1. Load Control Event Package Registration . . . . . . . . . 17
9.2. application/load-control+xml MIME Registration . . . . . . 18
9.3. Load Control Schema Registration . . . . . . . . . . . . . 18
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
10.1. Normative References . . . . . . . . . . . . . . . . . . . 19
10.2. Informative References . . . . . . . . . . . . . . . . . . 20
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20
Intellectual Property and Copyright Statements . . . . . . . . . . 22
Shen, et al. Expires January 8, 2009 [Page 2]
Internet-Draft SIP Load Control Event Package July 2008
1. Introduction
Proper functioning of Session Initiation Protocol (SIP) [RFC3265]
signaling servers is critical in SIP-based communications networks.
The performance of SIP severs can be severely degraded when the sever
is overloaded with excessive number of signaling requests. Both
legitimate and malicious traffic can overload SIP servers, despite
appropriate capacity planning.
There are three common examples of legitimate short-term increases in
call volumes. Viewer-voting TV shows or ticket giveaways may
generate millions of calls within a few minutes. Call volume may
also spike during special holidays such as New Year's Day and
Mother's Day. Finally, callers may want to reach friends and family
in natural disaster areas such as those affected by earthquakes.
When possible, only calls traversing overloaded servers should be
throttled under those conditions.
SIP load control mechanisms are needed to prevent congestion collapse
in these cases [I-D.ietf-sipping-overload-reqs]. There are two types
of load control approaches. In the first approach, feedback control,
SIP servers provide load limits to upstream servers, to reduce the
incoming rate of all SIP requests [I-D.hilt-sipping-overload]. These
upstream servers then drop or delay incoming SIP requests. Feedback
control is reactive and affects signaling messages that have already
been issued by user agent clients. They work well if core or
destination-specific SIP proxies are overloaded. By their nature,
they need to distribute rate, drop or window information to all
upstream SIP proxies and generally affect all calls equally,
regardless of destination. However, feedback control is ineffective
for edge-server overload. For example, for the ticket giveaway case,
almost all such calls will fail in the core SIP server. If the edge
server is also overloaded, calls to other destinations will also be
rejected or dropped.
Here, we propose an additional, complementary mechanism, called load
filtering. Network operators create filters that indicate that calls
to specific destinations should be rate-limited or randomly dropped.
These filters are then distributed to SIP servers and possibly user
agents likely to generate calls to the affected destinations. Load
filters work best if they prevent calls as close to the user agent
client as possible.
2. Requirements
The SIP load filtering control mechanism needs to satisfy the
following requirements:
Shen, et al. Expires January 8, 2009 [Page 3]
Internet-Draft SIP Load Control Event Package July 2008
o To simplify the solution, we focus on SIP load control, rather
than a generic application-layer mechanism.
o The load filter information needs to be distributed efficiently to
possibly a large subset of all SIP elements.
o It is desirable to re-use existing SIP protocol mechanisms to
reduce implementation and deployment complexity.
o For predictable overload situations, such as holidays and call-in
events, the mechanism should specify during what time period it is
to be applied, so that the information can be distributed ahead of
time.
o For destination-specific overload situations, the load filter
needs to be able to describe the callee.
o To address accidental and intentional high-volume call generators,
the filter should allow to specify the caller.
o Caller and callee need to be specified as both tel and SIP URIs.
o For telephone numbers, specifying prefixes allows control over
limited regionally-focused overloads.
o Solutions need to be extensible to meet future needs.
3. Overview
To meet the requirements enumerated in the previous section, this
document defines the SIP event package for load control, which is an
"instantiation" of the generic SIP events framework [RFC3265]. The
SIP events framework provides an existing method for SIP entities to
subscribe to and receive notifications when certain events have
occurred. Such a framework forms a scalable event distribution
architecture that suits our needs. This specification also defines
the XML schema used to encode the load control document. The choice
of XML allows us to reuse existing SIP-specific policy related XML
schemas when applicable, and also fits our goal of flexibility and
extensibility.
The usage of the defined SIP load control event package is
illustrated with the example architecture shown in Figure 1. This
scenario consists of two networks belonging to Service Provider A and
Service Provider B, respectively. Each provider's network is made up
of two Core proxies (CPs) and four Edge Proxies (EPs). The CPs and
EPs of Service Provider A are denoted as CPa1 to CPa2 and EPa1 to
EPa4; the CPs and EPs of Service Provider B are denoted as CPb1 to
CPb2 and EPb1 to EPb4.
In the load control mechanism, a policy maker such as a human
operator or an intelligent software module first makes up the
policies (the algorithms for making the policy decisions are out of
the scope of this document) and introduces them into a SIP server
which acts as the network entry point for load control policies.
Shen, et al. Expires January 8, 2009 [Page 4]
Internet-Draft SIP Load Control Event Package July 2008
Each SIP server in the network is required to subscribe to the load
control event package from all its signaling neighbors. For example,
EPa1 needs to subscribe to CPa1, while CPa1 needs to subscribe to
EPa1, EPa2, CPa2 and CPb1, so on and so forth. Notifications are
always sent to all subscribing entities.
+-----------+ +-----------+ +-----------+ +-----------+
| | | | | | | |
| EPa1 | | EPa2 | | EPa3 | | EPa4 |
| | | | | | | |
+-----------+ +-----------+ +-----------+ +-----------+
\ / \ /
\ / \ /
\ / \ /
+-----------+ +-----------+
| | | |
| CPa1 |------------------| CPa2 |
| | | |
+-----------+ +-----------+
| |
Service | |
Provider A | |
| |
=================================================================
| |
Service | |
Provider B | |
| |
+-----------+ +-----------+
| | | |
| CPb1 |------------------| CPb2 |
| | | |
+-----------+ +-----------+
/ \ / \
/ \ / \
/ \ / \
+-----------+ +-----------+ +-----------+ +-----------+
| | | | | | | |
| EPb1 | | EPb2 | | EPb3 | | EPb4 |
| | | | | | | |
+-----------+ +-----------+ +-----------+ +-----------+
Figure 1: Example Network Scenario with SIP Load Control Event
Notification
Shen, et al. Expires January 8, 2009 [Page 5]
Internet-Draft SIP Load Control Event Package July 2008
Case I: EPa1 serves a TV program hotline and decides to limit the
total number of incoming calls to the hotline to prevent an overload.
To do so, EPa1 sends a notification to CPa1 with the specific hotline
number, time of activation and total acceptable call rate. CPa1 then
allocates the received total acceptable rate among its neighbors,
namely, EPa2, CPa2, and CPb1 and notifies them about the resulting
allocation along with the hotline number and the time. CPa2 and CPb1
then perform further allocation among their own neighbors and notify
the corresponding servers. This process continues until all edge
proxies in the network has been informed about the event and have
proper load filter configured.
Case II: an earthquake affected the region covered by CPb2, EPb3 and
EPb4. All the three servers are overloaded. The rescue services
determine that outbound calls are more valuable than inbound calls in
this specific situation. Therefore, CPb2, EPb3 and EPb4 configure
themselves to accept more outbound calls than inbound calls. CPb2
also sends out notifications to its outside neighbors, namely CPb1
and CPa2, specifying a limit on the acceptable rate of inbound calls
to the CPb2's responsible region. CPb1 and CPa2 subsequently notify
their neighbors about limiting the calls to CPb2's area. The same
process continues until all edge proxy servers are notified and have
filters configured.
Note that this version of the document does not define the
provisioning interface between the load control policy maker and the
policy entry point in the network. One of the potential solutions
for the provisioning interface is the Extensible Markup Language
(XML) Configuration Access Protocol (XCAP) [RFC4825].
The rest of this document is structured as follows. After defining
terminology in Section 4, we define the load control event package
details in Section 5 and then describe the load control XML document
in Section 6. The XML schema definition for load control is
presented in Section 7. Section 8 discusses security issues and
finally Section 9 registers the parameters related to this document
with IANA.
4. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
5. Load Control Event Package
Shen, et al. Expires January 8, 2009 [Page 6]
Internet-Draft SIP Load Control Event Package July 2008
This section defines the details of the SIP event package for load
control according to [RFC3265].
5.1. Event Package Name
The name of this event package is "load-control". This name is
carried in the Event and Allow-Events header, as specified in
[RFC3265].
5.2. Event Package Parameters
No package specific event header field parameters are defined for
this event package.
5.3. SUBSCRIBE Bodies
A SUBSCRIBE request for load control policy MAY contain a body to
filter the requested load control notification. For example, a
subscriber may be interested in some specific types of load control
information only. The details of the subscription filter
specification are not yet defined.
A SUBSCRIBE request sent without a body implies the default
subscription behavior as specified in Section 5.7.
5.4. SUBSCRIBE Duration
The default expiration time for a subscription to load control policy
is one hour. Since the desired expiration time may vary
significantly for subscriptions among SIP entities with different
signaling relationships, the subscribers and notifiers are
RECOMMENDED to explicitly negotiate appropriate subscription
durations when knowledge about the mutual signaling relationship is
available.
5.5. NOTIFY Bodies
The body of a NOTIFY message in this event package contains policy
information regarding load control. As specified in [RFC3265], the
format of the NOTIFY body MUST be in one of the formats defined in
the Accept header field of the SUBSCRIBE request or be the default
format. The default data format for the NOTIFY body of this event
package is "application/load-control+xml" (defined in Section 6).
This means that if no Accept header field is specified to a SUBSCRIBE
request, the NOTIFY will contain a body in the "application/
load-control+xml" format. If the Accept header field is present, it
MUST include "application/load-control+xml" and MAY include any other
types.
Shen, et al. Expires January 8, 2009 [Page 7]
Internet-Draft SIP Load Control Event Package July 2008
5.6. Notifier Processing of SUBSCRIBE Requests
The effectiveness of load filtering control relies on the
distribution and installation of the control policies as widely as
possible in the network. Therefore, a SIP entity notifier MUST
accept subscriptions from all neighboring SIP entities with whom they
have a direct signaling relationship.
5.7. Notifier Generation of NOTIFY Requests
Following the [RFC3265] specification, a notifier MUST send a NOTIFY
with its current load control policy to the subscriber upon
successfully accepting or refreshing a subscription. A notifier
SHOULD generate NOTIFY requests each time the load control policy
changes, with the maximum notification rate not exceeding values
defined in Section 5.10.
A SIP entity subscriber which itself is also a notifier may need to
forward a NOTIFY message to its own subscribers after receiving a
load control update from its own notifier. In such cases, the
forwarding SIP entity MUST make proper modifications to the contents
of the NOTIFY message as needed before sending it out. For example,
if a SIP entity receives a rate limit of 100 requests per second for
a particular downstream SIP entity and it needs to forward the policy
to its three upstream neighbors which all subscribe to it, then the
total rate limit for the specific downstream SIP entity in the three
NOTIFY messages sent to those three upstream neighbors must not
exceed 100 requests per second.
This event package does not support notifications that contain deltas
to previous information or partial information.
5.8. Subscriber Processing of NOTIFY Requests
The way subscribers process NOTIFY requests depends on the contents
of the notifications. Typically, a load control notification
consists of rules that should be applied to requests matching certain
identities. A SIP entity subscriber receiving the notification first
installs these rules and then filter incoming call requests to
enforce actions on appropriate requests, for example, limiting the
sending rate of call requests destined for a specific SIP entity.
In the case when load control rules specify a future validity time,
it is possible that when the validity time comes, the subscription to
the specific notifier that conveyed the rules has expired. In this
case, it is RECOMMENDED that the subscriber re-activate its
subscription with the corresponding notifier. Regardless of whether
this re-activation of subscription is successful or not, when the
Shen, et al. Expires January 8, 2009 [Page 8]
Internet-Draft SIP Load Control Event Package July 2008
validity time is reached, the subscriber SHOULD enforce the
corresponding rules.
5.9. Handling of Forked Requests
Forking is not applicable when the load control event package is used
within a single-hop distance between neighboring SIP entities. If
the communication scope of the load-control event package is among
multiple hops, forking is not expected to happen either because the
subscription request is addressed to a clearly defined SIP entity.
However, in the unlikely case when forking does happen, the load-
control event package only allows the first potential dialog-
establishing message to create a dialog, as specified in Section
4.4.9 of [RFC3265].
5.10. Rate of Notifications
Rate of notifications is likely not a concern for this event package
because it is expected to be used in a non-real-time mode for
relatively static load control policies. Nevertheless, if situation
does arise that a rather frequent load control policy update is
needed, it is RECOMMENDED that the notifier does not generate
notifications at a rate higher than once per-second in all cases, in
order to avoid the NOTIFY message itself overloading the system.
5.11. State Agents
The load control policy information can be directly generated by
concerned SIP entities distributed in the network. Alternatively,
qualified state agents external to the SIP entities MAY be defined to
take charge of load control policy making.
6. Load Control Document
6.1. Format
A load control document is an XML document that inherits and enhances
the common policy document defined in [RFC4745]. A common policy
document contains a set of rules. Each rule consists of three parts:
conditions, actions and transformations. The conditions part is a
set of expressions containing attributes such as identity, domain,
and validity time information. Each expression evaluates to TRUE or
FALSE. Conditions are matched on "equality" or "greater than" style
comparison. There is no regular expression matching. If a request
matches all conditions in a rule set, the action part and the
transformation part are consulted to determine the "permission" on
how to handle the request. Each action or transformation specifies a
Shen, et al. Expires January 8, 2009 [Page 9]
Internet-Draft SIP Load Control Event Package July 2008
positive grant to the policy server to perform the resulting actions.
Well-defined mechanism are available for combining actions and
transformations obtained from more than one sources.
6.2. Namespace
The namespace URI for elements defined by this specification is a
Uniform Resource Namespace (URN) ([RFC2141]), using the namespace
identifier 'ietf' defined by [RFC2648] and extended by [RFC3688].
The URN is as follows:
urn:ietf:params:xml:ns:load-control
6.3. Conditions
[RFC4745] defined three condition elements: <identity>, <sphere> and
<validity>. In this document, we re-define an element for identity
and reuse the <validity> element. The <sphere> element is not used.
6.3.1. Call Identity
Since the problem space of this document is different from that of
[RFC4745], the [RFC4745] <identity> element is not sufficient for use
with load control. First, load control may be applied to different
identity information contained in a request, including identities of
both the receiving entity and the sending entity. Second, the
importance of authentication varies when different identities of a
request are concerned. This document defines new identity conditions
that can accommodate the granularity of specific SIP identity header
fields. Requirement for authentication depends on which field is to
be matched.
The identity condition for load control is specified by the <call-
identity> element and its sub-element <sip>. The <sip> element
itself contains sub-elements representing SIP sending and receiving
identity header fields: <from>, <to>, <request-uri> and <p-asserted-
identity>, each is of the same type as the <identity> element in
[RFC4745]. Therefore, they also inherit the sub-elements of the
<identity> element, including <one>, <except>, and <many>. When the
<call-identity> element or its sub-elements contain multiple sub-
elements, the result is combined using logical OR.
The [RFC4745] <one> and <except> elements may contain an "id"
attribute, which is the URI of a single entity to be included or
excluded in the condition. When used in the <from>, <to>, <request-
uri> and <p-asserted-identity> elements, this "id" value is the URI
contained in the corresponding SIP header field, i.e., From, To,
Request-URI, and P-Asserted-Identity.
Shen, et al. Expires January 8, 2009 [Page 10]
Internet-Draft SIP Load Control Event Package July 2008
The following shows an example of the <call-identity> element:
<call-identity>
<sip>
<to>
<one id="sip:alice@hotline.example.com"/>
<one id="tel:+1-212-555-1234"/>
</to>
</sip>
</call-identity>
This example matches call requests whose To header field contains the
SIP URI "sip:alice@hotline.example.com", or 'tel' URI
"tel:+1-212-555-1234".
The [RFC4745] <many> and <except> elements may take a "domain"
attribute. The "domain" attribute specifies a domain name to be
matched by the domain part of the candidate identity. Thus, it
allows matching a large and possibly unknown number of entities
within a domain. The "domain" attribute works well for SIP URIs.
A URI identifying a SIP user, however, can also be a 'tel' URI
[RFC3966]. We therefore need a similar way to match a group of 'tel'
URIs. There are two formats of 'tel' URIs: global format and local
format. All phone numbers must be expressed in the global format
when possible. The global format 'tel' URIs start with a "+". The
rest of the phone numbers are expressed in a local format, which must
be qualified by a "phone-context" parameter. The "phone-context"
parameter may be labelled as a global number or any number of its
leading digits, or a domain name. Both formats of the 'tel' URI make
the resulting URI globally unique.
'Tel' URIs of global format can be grouped by prefixes consisting of
any number of common leading digits. For example, a prefix formed by
a country code or both the country and area code identifies telephone
numbers within a country or an area. Since the length of the country
and area code for different regions are different, the length of the
number prefix is also variable. This allows further flexibility such
as grouping the numbers into sub-areas within the same area code.
'Tel' URIs of local-number format can be grouped by the value of the
"phone-context" parameter.
To include the two formats of 'tel' URI grouping in the <many> and
<except> elements, one approach is to add a new attribute similar to
the "domain" attribute. In this document, we decided on a simpler
approach. There are basically two forms of grouping attribute values
Shen, et al. Expires January 8, 2009 [Page 11]
Internet-Draft SIP Load Control Event Package July 2008
for both SIP URIs and 'tel' URIs: domain name or number prefix
starting with "+". Both of them can be expressed as strings.
Therefore, we re-interpret the existing "domain" attribute of the
<many> and <except> elements to allow it to contain both forms of
grouping attribute values. In particular, when the "domain"
attribute value starts with "+", it denotes a number prefix,
otherwise, the value denotes a domain name. Note that the tradeoff
of this simpler approach is the overlapping in matching different
types of URIs. Specifically, a domain name in the "domain" attribute
could be matched by both a SIP URI with that domain name and a local
format 'tel' URI containing the same domain name in the "phone-
context". On the other hand, a number prefix in the "domain"
attribute could be matched by both global 'tel' URIs starting with
those leading digits, and local 'tel' URIs having the same prefix in
the "phone-context" parameter. These overlapping situations would
not be a big problem because of two reasons. First, when the "phone-
context" coincides with the SIP domain name or the global number
prefix, it is usually the case that the related phone numbers indeed
belong to the same domain or the same area, which means the
overlapping is not inappropriate. Second, the use of the local
format 'tel' URI in practice is expected to be rare. As a result,
the chance of such overlapping happening is very small.
The following example shows the use of the re-interpreted "domain"
attribute.
<call-identity>
<sip>
<from>
<many>
<except domain="+1-212"/>
<except domain="manhattan.example.com"/>
</many>
</from>
</sip>
</call-identity>
This example matches those call requests whose domain field in the
From SIP URI is different from "manhattan.example.com", or those call
requests whose 'Tel' URI indicates a caller number starting from a
prefix other than "+1-212".
6.3.2. Validity
A rule is usually associated with a validity period condition. This
document reuses the <validity> element of [RFC4745], which specifies
a period of validity time by pairs of <from> and <until> sub-
elements. When multiple time periods are defined, the validity
Shen, et al. Expires January 8, 2009 [Page 12]
Internet-Draft SIP Load Control Event Package July 2008
condition is evaluated to TRUE if the current time falls into any of
the specified time periods. i.e., it represents a logical OR
operation across all validity time periods.
The following example shows a <validity> element specifying a valid
period from 12:00 to 15:00 US Eastern Standard Time on 2008-05-31.
<validity>
<from>2008-05-31T12:00:00-05:00</from>
<until>2008-05-31T15:00:00-05:00</until>
</validity>
6.4. Actions
As [RFC4745] specified, conditions form the 'if'-part of rules, while
actions and transformations form the 'then'-part. Transformations
are not used in the load control document. The actions for load
control are defined by the <accept> element, which takes any one of
the three sub-elements <rate>, <percent>, and <win>. The <rate>
element denotes an absolute value of the maximum acceptable request
rate in requests per second; the <percent> element specifies the
relative percentage of incoming requests that should be accepted; the
<win> element describes the acceptable window size supplied by the
receiver, which is applicable in window-based load control (See
[I-D.hilt-sipping-overload] for more details on rate-based and
window-based load control).
In addition, the <accept> element takes an optional "alt-action"
attribute which can be used to explicitly specify the desired action
in case a request is not accepted. The possible "alt-action" values
are "Drop" for simple drop, "Reject" for explicit rejection (e.g.,
sending a "503 Service Unavailable" response message to an INVITE
request), and "Forward". The default value is "Drop". If the "alt-
action" value is "Forward", an "alt-target" attribute MUST be
defined. The "alt-target" specifies a URI where the request should
be forwarded (e.g., an answering machine with explanation of why the
request cannot be accepted).
In the following <actions> element example, the server accepts
maximum of 100 call requests per second. The remaining calls are
forwarded to an answering machine.
<actions>
<accept alt-action="Forward" alt-target=
"sip:answer-machine@example.com">
<rate>100</rate>
</accept>
</actions>
Shen, et al. Expires January 8, 2009 [Page 13]
Internet-Draft SIP Load Control Event Package July 2008
6.5. Complete Examples
This section presents two complete examples of rule sets.
The example below assumes a hotline reachable through
"sip:alice@hotline.example.com" or "tel:+1-212-555-1234". The
hotline is activated from 12:00 to 15:00 US Eastern Standard Time on
2008-05-31. The goal is to limit the incoming calls to 100 requests
per second. Calls that exceed the rate limit are explicitly
rejected.
<?xml version="1.0" encoding="UTF-8"?>
<ruleset xmlns="urn:ietf:params:xml:ns:common-policy"
xmlns:lc="urn:ietf:params:xml:ns:load-control">
<rule id="f3g44k1">
<condition>
<lc:call-identity>
<lc:sip>
<lc:to>
<one id="sip:alice@hotline.example.com"/>
<one id="tel:+1-212-555-1234"/>
</lc:to>
</lc:sip>
</lc:call-identity>
<validity>
<from>2008-05-31T12:00:00-05:00</from>
<until>2008-05-31T15:00:00-05:00</until>
</validity>
</condition>
<actions>
<lc:accept alt-action="reject">
<lc:rate>100</lc:rate>
</lc:accept>
</actions>
</rule>
</ruleset>
The following example assumes a three-day period during the aftermath
of an earthquake. To optimize resource usage, 50 percent of the
inbound calls to the region will be throttled but no throttle is
placed on outbound calls. In addition, calls originating from the
local domain and the rescue team domain are never throttled. All
throttled inbound calls will be forwarded to an answering machine
with updated earthquake information.
Shen, et al. Expires January 8, 2009 [Page 14]
Internet-Draft SIP Load Control Event Package July 2008
<?xml version="1.0" encoding="UTF-8"?>
<ruleset xmlns="urn:ietf:params:xml:ns:common-policy"
xmlns:lc="urn:ietf:params:xml:ns:load-control">
<rule id="f3g44k2">
<condition>
<lc:call-identity>
<lc:sip>
<lc:to>
<many domain="pompeii.example.com"/>
</lc:to>
</lc:sip>
</lc:call-identity>
<lc:call-identity>
<lc:sip>
<lc:from>
<many>
<except domain="pompeii.example.com"/>
<except domain="rescue.example.com"/>
</many>
</lc:from>
</lc:sip>
</lc:call-identity>
<validity>
<from>79-08-24T09:00:00+01:00</from>
<until>79-08-27T09:00:00+01:00</until>
</validity>
</condition>
<actions>
<lc:accept alt-action="Forward" alt-target=
"sip:earthquake@update.example.com">
<lc:percent>50</lc:percent>
</lc:accept>
</actions>
</rule>
<ruleset>
7. XML Schema Definition for Load Control
This section defines the XML schema for the load-control document.
It extends the Common Policy schema in [RFC4745] by defining new
members of the <condition> and <action> elements.
<?xml version="1.0" encoding="UTF-8"?>
Shen, et al. Expires January 8, 2009 [Page 15]
Internet-Draft SIP Load Control Event Package July 2008
<xs:schema targetNamespace="urn:ietf:params:xml:ns:load-control"
xmlns:lc="urn:ietf:params:xml:ns:load-control"
xmlns:cp="urn:ietf:params:xml:ns:common-policy"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified"
attributedFormDefault="unqualified">
<xs:import namespace="urn:ietf:params:xml:ns:common-policy"/>
<!-- CONDITIONS -->
<!-- CALL IDENTITY -->
<xs:element name="call-identity" type="lc:call-type"/>
<!-- CALL TYPE -->
<xs:complexType name="call-type">
<xs:choice>
<xs:element name="sip" type="lc:sip-id-type"/>
<any namespace="##other" processContents="lax" minOccurs="0"
maxOccurs="unbounded"/>
</xs:choice>
<anyAtrribute namespace="##other" processContents="lax"/>
</xs:complexType>
<!-- SIP ID TYPE -->
<xs:complexType name="sip-id-type">
<xs:sequence>
<element name="from" type="cp:identityType" minOccurs="0"/>
<element name="to" type="cp:identityType" minOccurs="0"/>
<element name="request-uri" type="cp:identityType" minOccurs="0"/>
<element name="p-asserted-identity" type="cp:identityType"
minOccurs="0"/>
<any namespace="##other" processContents="lax" minOccurs="0"
maxOccurs="unbounded"/>
</xs:sequence>
<anyAtrribute namespace="##other" processContents="lax"/>
</xs:complexType>
<!-- Action -->
<xs:element name="accept">
<xs:choice>
<element name="rate" type="xs:decimal" minOccurs="0"/>
<element name="win" type="xs:integer" minOccurs="0"/>
<element name="percent" type="xs:decimal" minOccurs="0"/>
<any namespace="##other" processContents="lax" minOccurs="0"
maxOccurs="unbounded"/>
</xs:choice>
Shen, et al. Expires January 8, 2009 [Page 16]
Internet-Draft SIP Load Control Event Package July 2008
<xs:attribute name="alt-action" type="xs:string" default="drop"/>
<xs:attribute name="alt-target" type="xs:anyURI"/>
<anyAtrribute namespace="##other" processContents="lax"/>
</xs:element>
</xs:schema>
8. Security Considerations
To make load filtering control effective, SIP entity notifiers MUST
open load control subscription to all neighboring SIP entities to
whom they establish direct signaling exchange. In this sense, the
authentication and authorization requirements for load control
subscription is the same as those for establishing a direct signaling
relationship between the SIP entities.
In order to prevent denial of service attacks, a subscriber MUST
authenticate a notifier before accepting its load control
notifications. Standard security mechanisms recommended in [RFC3261]
such as HTTP authentication [RFC2617], TLS [RFC2246] and IPSec
[RFC2401] may serve this purpose.
Different call identity matching for load control imposes different
authentication requirements. The source identity of the request MUST
be authenticated if the condition matching is for a source (sender)
identity. The source identity authentication of the request is
optional if the condition matching is for a destination (receiver)
identity.
9. IANA Considerations
This specification registers a SIP event package, a new MIME type, a
new XML namespace, and a new XML schema.
9.1. Load Control Event Package Registration
This section registers an event package based on the registration
procedures defined in [RFC3265].
Package name: load-control
Type: package
Published specification: This document
Shen, et al. Expires January 8, 2009 [Page 17]
Internet-Draft SIP Load Control Event Package July 2008
Person to contact: Charles Shen, charles@cs.columbia.edu
9.2. application/load-control+xml MIME Registration
This section registers a new MIME type based on the procedures
defined in [RFC4288] and guidelines in [RFC3023].
MIME media type name: application
MIME subtype name: load-control+xml
Mandatory parameters: none
Optional parameters: Same as charset parameter application/xml in
[RFC3023]
Encoding considerations: Same as encoding considerations of
application/xml in [RFC3023]
Security considerations: See Section 10 of [RFC3023] and Section 8 of
this specification
Interpretability considerations: None
Published Specification: This document
Applications which use this media type: load control of SIP entities
Additional information:
Magic number: None
File extension: .xml
Macintosh file type code: 'TEXT'
Personal and email address for further information:
Charles Shen, charles@cs.columbia.edu
Intended usage: COMMON
Author/Change Controller: IETF SIPPING Working Group
<sippping@ietf.org>, as designated by the IESG <iesg@ietf.org>
9.3. Load Control Schema Registration
URI: urn:ietf:params:xml:schema:load-control
Shen, et al. Expires January 8, 2009 [Page 18]
Internet-Draft SIP Load Control Event Package July 2008
Registrant Contact: IETF SIPPING working group, Charles Shen
(charles@cs.columbia.edu).
XML: the XML schema to be registered is contained in Section 7.
Its first line is
<?xml version="1.0" encoding="UTF-8"?>
and its last line is
</xs:schema>
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997.
[RFC2648] Moats, R., "A URN Namespace for IETF Documents", RFC 2648,
August 1999.
[RFC3023] Murata, M., St. Laurent, S., and D. Kohn, "XML Media
Types", RFC 3023, January 2001.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002.
[RFC3265] Roach, A., "Session Initiation Protocol (SIP)-Specific
Event Notification", RFC 3265, June 2002.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
January 2004.
[RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers",
RFC 3966, December 2004.
[RFC4288] Freed, N. and J. Klensin, "Media Type Specifications and
Registration Procedures", BCP 13, RFC 4288, December 2005.
[RFC4745] Schulzrinne, H., Tschofenig, H., Morris, J., Cuellar, J.,
Polk, J., and J. Rosenberg, "Common Policy: A Document
Shen, et al. Expires January 8, 2009 [Page 19]
Internet-Draft SIP Load Control Event Package July 2008
Format for Expressing Privacy Preferences", RFC 4745,
February 2007.
10.2. Informative References
[I-D.hilt-sipping-overload]
Hilt, V., Widjaja, I., Malas, D., and H. Schulzrinne,
"Session Initiation Protocol (SIP) Overload Control",
draft-hilt-sipping-overload-04 (work in progress),
February 2008.
[I-D.ietf-sipping-overload-reqs]
Rosenberg, J., "Requirements for Management of Overload in
the Session Initiation Protocol",
draft-ietf-sipping-overload-reqs-04 (work in progress),
May 2008.
[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
RFC 2246, January 1999.
[RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
Leach, P., Luotonen, A., and L. Stewart, "HTTP
Authentication: Basic and Digest Access Authentication",
RFC 2617, June 1999.
[RFC4825] Rosenberg, J., "The Extensible Markup Language (XML)
Configuration Access Protocol (XCAP)", RFC 4825, May 2007.
Authors' Addresses
Charles Shen
Columbia University
Department of Computer Science
1214 Amsterdam Avenue, MC 0401
New York, NY 10027
USA
Phone: +1 212 854 3109
Email: charles@cs.columbia.edu
Henning Schulzrinne
Columbia University
Department of Computer Science
Shen, et al. Expires January 8, 2009 [Page 20]
Internet-Draft SIP Load Control Event Package July 2008
1214 Amsterdam Avenue, MC 0401
New York, NY 10027
USA
Phone: +1 212 939 7004
Email: schulzrinne@cs.columbia.edu
Arata Koike
NTT Service Integration Labs &
NTT Washington DC Representative Office
1100 13th St., NW, Suite 900
Washington DC, 20005
USA
Phone: +1 202 312 1451
Email: koike.arata@lab.ntt.co.jp
Shen, et al. Expires January 8, 2009 [Page 21]
Internet-Draft SIP Load Control Event Package July 2008
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Shen, et al. Expires January 8, 2009 [Page 22]