[Search] [txt|pdfized|bibtex] [Tracker] [Email] [Diff1] [Diff2] [Nits]
Versions: 00 01 02 03 04                                                
IETF SIPPING Working Group                                       C. Shen
Internet-Draft                                            H. Schulzrinne
Intended status: Standards Track                             Columbia U.
Expires: May 7, 2009                                            A. Koike
                                                        November 3, 2008

     A Session Initiation Protocol (SIP) Load Control Event Package

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on May 7, 2009.


   This document defines a load control event package for the Session
   Initiation Protocol (SIP).  It allows SIP servers to distribute user
   load control information to SIP servers.  The load control
   information can throttle outbound calls based on their destination
   domain, telephone number prefix or for a specific user.  The
   mechanism helps to prevent signaling overload and complements
   feedback-based SIP overload control efforts.

Shen, et al.               Expires May 7, 2009                  [Page 1]

Internet-Draft       SIP Load Control Event Package        November 2008

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Requirements Notation  . . . . . . . . . . . . . . . . . . . .  4
   3.  Design Requirements  . . . . . . . . . . . . . . . . . . . . .  4
   4.  Load Filtering Control Distribution  . . . . . . . . . . . . .  5
     4.1.  Operation Overview and Examples  . . . . . . . . . . . . .  5
     4.2.  Filter Contents  . . . . . . . . . . . . . . . . . . . . .  7
     4.3.  Filter Computation . . . . . . . . . . . . . . . . . . . .  8
     4.4.  Applicability in Different Network Environments  . . . . .  8
   5.  Load Control Event Package . . . . . . . . . . . . . . . . . .  8
     5.1.  Event Package Name . . . . . . . . . . . . . . . . . . . .  9
     5.2.  Event Package Parameters . . . . . . . . . . . . . . . . .  9
     5.3.  SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . .  9
     5.4.  SUBSCRIBE Duration . . . . . . . . . . . . . . . . . . . .  9
     5.5.  NOTIFY Bodies  . . . . . . . . . . . . . . . . . . . . . .  9
     5.6.  Notifier Processing of SUBSCRIBE Requests  . . . . . . . .  9
     5.7.  Notifier Generation of NOTIFY Requests . . . . . . . . . . 10
     5.8.  Subscriber Processing of NOTIFY Requests . . . . . . . . . 10
     5.9.  Handling of Forked Requests  . . . . . . . . . . . . . . . 11
     5.10. Rate of Notifications  . . . . . . . . . . . . . . . . . . 11
     5.11. State Agents . . . . . . . . . . . . . . . . . . . . . . . 11
   6.  Load Control Document  . . . . . . . . . . . . . . . . . . . . 11
     6.1.  Format . . . . . . . . . . . . . . . . . . . . . . . . . . 11
     6.2.  Namespace  . . . . . . . . . . . . . . . . . . . . . . . . 12
     6.3.  Conditions . . . . . . . . . . . . . . . . . . . . . . . . 12
       6.3.1.  Call Identity  . . . . . . . . . . . . . . . . . . . . 12
       6.3.2.  Validity . . . . . . . . . . . . . . . . . . . . . . . 14
     6.4.  Actions  . . . . . . . . . . . . . . . . . . . . . . . . . 15
     6.5.  Complete Examples  . . . . . . . . . . . . . . . . . . . . 15
   7.  XML Schema Definition for Load Control . . . . . . . . . . . . 17
   8.  Related Work . . . . . . . . . . . . . . . . . . . . . . . . . 19
     8.1.  Relationship with Load Filtering in PSTN . . . . . . . . . 19
     8.2.  Relationship with Other IETF SIP Load Control Efforts  . . 20
   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 20
   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 21
     10.1. Load Control Event Package Registration  . . . . . . . . . 21
     10.2. application/load-control+xml MIME Registration . . . . . . 22
     10.3. Load Control Schema Registration . . . . . . . . . . . . . 23
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23
     11.1. Normative References . . . . . . . . . . . . . . . . . . . 23
     11.2. Informative References . . . . . . . . . . . . . . . . . . 24
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24
   Intellectual Property and Copyright Statements . . . . . . . . . . 26

Shen, et al.               Expires May 7, 2009                  [Page 2]

Internet-Draft       SIP Load Control Event Package        November 2008

1.  Introduction

   Proper functioning of Session Initiation Protocol (SIP) [RFC3265]
   signaling servers is critical in SIP-based communications networks.
   The performance of SIP severs can be severely degraded when the sever
   is overloaded with excessive number of signaling requests.  Both
   legitimate and malicious traffic can overload SIP servers, despite
   appropriate capacity planning.

   There are three common examples of legitimate short-term increases in
   call volumes.  Viewer-voting TV shows or ticket giveaways may
   generate millions of calls within a few minutes.  Call volume may
   also spike during special holidays such as New Year's Day and
   Mother's Day. Finally, callers may want to reach friends and family
   in natural disaster areas such as those affected by earthquakes.
   When possible, only calls traversing overloaded servers should be
   throttled under those conditions.

   SIP load control mechanisms are needed to prevent congestion collapse
   in these cases [I-D.ietf-sipping-overload-reqs].  There are two types
   of load control approaches.  In the first approach, feedback control,
   SIP servers provide load limits to upstream servers, to reduce the
   incoming rate of all SIP requests [I-D.hilt-sipping-overload].  These
   upstream servers then drop or delay incoming SIP requests.  Feedback
   control is reactive and affects signaling messages that have already
   been issued by user agent clients.  They work well if core or
   destination-specific SIP proxies are overloaded.  By their nature,
   they need to distribute rate, drop or window information to all
   upstream SIP proxies and generally affect all calls equally,
   regardless of destination.  However, feedback control is ineffective
   for edge-server overload.  For example, for the ticket giveaway case,
   almost all such calls will fail in the core SIP server.  If the edge
   server is also overloaded, calls to other destinations will also be
   rejected or dropped.

   Here, we propose an additional, complementary mechanism, called load
   filtering.  Network operators create filters that indicate that calls
   to specific destinations or from specific sources should be rate-
   limited or randomly dropped.  These filters are then distributed to
   SIP servers and possibly user agents likely to generate calls to the
   affected destinations or from the affected sources.  Load filters
   work best if they prevent calls as close to the user agent client as

   Performing SIP load filtering control requires three components: the
   filter distribution mechanism, the filter content format definition,
   and the filter content computation methods.  This document addresses
   the first two components.  The filter distribution mechanism is built

Shen, et al.               Expires May 7, 2009                  [Page 3]

Internet-Draft       SIP Load Control Event Package        November 2008

   upon the existing SIP event framework and the filter content format
   definition is defined by the contents of a SIP load control event
   package.  The third component, filter content computation, depends
   heavily on the actual network topology and service provider policies.
   Therefore it is out of scope of this document.

   The rest of this document is structured as follows: we begin by
   listing the design requirements for this work in Section 3.  We then
   describe the SIP event framework based load filtering distribution
   operation in Section 4.  The load control event package is detailed
   in Section 5.  The load filter content definition is discussed in the
   two sections that follow, with Section 6 defining the load control
   XML document and Section 7 defining the corresponding XML schema.
   Section 8 relates this work to corresponding mechanisms in PSTN and
   other IETF efforts addressing SIP load control.  Finally, Section 9
   presents security considerations and Section 10 provides IANA

2.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

3.  Design Requirements

   The SIP load filtering control mechanism needs to satisfy the
   following requirements:

   o  To simplify the solution, we focus on SIP load control, rather
      than a generic application-layer mechanism.
   o  The load filter information needs to be distributed efficiently to
      possibly a large subset of all SIP elements.
   o  It is desirable to re-use existing SIP protocol mechanisms to
      reduce implementation and deployment complexity.
   o  For predictable overload situations, such as holidays and call-in
      events, the mechanism should specify during what time period it is
      to be applied, so that the information can be distributed ahead of
   o  For destination-specific overload situations, the load filter
      needs to be able to describe the callee.
   o  To address accidental and intentional high-volume call generators,
      the filter should allow to specify the caller.
   o  Caller and callee need to be specified as both Tel and SIP URIs.
   o  For telephone numbers, specifying prefixes allows control over
      limited regionally-focused overloads.

Shen, et al.               Expires May 7, 2009                  [Page 4]

Internet-Draft       SIP Load Control Event Package        November 2008

   o  Solutions should draw upon experiences from related PSTN
      mechanisms where applicable.
   o  Solutions need to be extensible to meet future needs.

4.  Load Filtering Control Distribution

4.1.  Operation Overview and Examples

   Although it may be possible to manually configure load filters in the
   corresponding entities, an automated distribution mechanism can have
   many benefits such as efficiency, scalability and human error
   avoidance, provided that the concerned entities satisfy the required
   security and trust relationship of sending and accepting load control

   To meet the requirements enumerated in the previous section, this
   document defines the SIP event package for load control, which is an
   "instantiation" of the generic SIP events framework [RFC3265].  The
   SIP events framework provides an existing method for SIP entities to
   subscribe to and receive notifications when certain events have
   occurred.  Such a framework forms a scalable event distribution
   architecture that suits our needs.  This document also defines the
   XML schema used to encode the load control document.  The choice of
   XML allows us to reuse existing SIP-specific policy related XML
   schemas when applicable, and also fits our goal of flexibility and

   The load filter distribution operation based on the SIP load control
   event package is illustrated with the example architecture shown in
   Figure 1.  This scenario consists of two networks belonging to
   Service Provider A and Service Provider B, respectively.  Each
   provider's network is made up of two SIP Core Proxies (CPs) and four
   SIP Edge Proxies (EPs).  The CPs and EPs of Service Provider A are
   denoted as CPa1 to CPa2 and EPa1 to EPa4; the CPs and EPs of Service
   Provider B are denoted as CPb1 to CPb2 and EPb1 to EPb4.

   With the load filtering control mechanism, each SIP proxy in the
   network is required to subscribe to the load control event package
   from all its outgoing signaling neighbors.  Signaling neighbors are
   defined by sending signaling messages.  For instance, if A sends
   signaling requests to B, B is an outgoing signaling neighbor of A. A
   needs to subscribe to the load control event package of B in case B
   wants to curb requests from A. On the other hand, if B also sends
   signaling requests to A, then B also subscribes to A. In the example
   topology of Figure 1, assuming all signaling relationship is bi-
   directional, each proxy will need to subscribe to all its neighbors.
   That is, EPa1 subscribes to CPa1; CPa1 subscribes to EPa1, EPa2, CPa2

Shen, et al.               Expires May 7, 2009                  [Page 5]

Internet-Draft       SIP Load Control Event Package        November 2008

   and CPb1, so on and so forth.  Notifications are always sent to all
   subscribing entities.

      +-----------+   +-----------+   +-----------+   +-----------+
      |           |   |           |   |           |   |           |
      |   EPa1    |   |   EPa2    |   |   EPa3    |   |   EPa4    |
      |           |   |           |   |           |   |           |
      +-----------+   +-----------+   +-----------+   +-----------+
              \         /                    \          /
               \       /                      \        /
                \     /                        \      /
              +-----------+                  +-----------+
              |           |                  |           |
              |   CPa1    |------------------|   CPa2    |
              |           |                  |           |
              +-----------+                  +-----------+
                    |                              |
      Service       |                              |
      Provider A    |                              |
                    |                              |
                    |                              |
      Service       |                              |
      Provider B    |                              |
                    |                              |
              +-----------+                  +-----------+
              |           |                  |           |
              |   CPb1    |------------------|   CPb2    |
              |           |                  |           |
              +-----------+                  +-----------+
                /      \                        /     \
               /        \                      /       \
              /          \                    /         \
      +-----------+   +-----------+   +-----------+   +-----------+
      |           |   |           |   |           |   |           |
      |   EPb1    |   |   EPb2    |   |   EPb3    |   |   EPb4    |
      |           |   |           |   |           |   |           |
      +-----------+   +-----------+   +-----------+   +-----------+

      Figure 1: Example Network Scenario with SIP Load Control Event

   To begin load filter distribution on a network when the appropriate
   subscriptions among the entities are ready, the initial filter
   contents determined through a mechanism out of scope of this document

Shen, et al.               Expires May 7, 2009                  [Page 6]

Internet-Draft       SIP Load Control Event Package        November 2008

   is introduced to a SIP server which acts as the network entry point
   for load filtering control.  The filter is then propagated to the
   rest of the entities throughout the network.  We show two examples

   Case I: EPa1 serves a TV program hotline and decides to limit the
   total number of incoming calls to the hotline to prevent an overload.
   To do so, EPa1 sends a notification to CPa1 with the specific hotline
   number, time of activation and total acceptable call rate.  CPa1 then
   allocates the received total acceptable rate among its neighbors,
   namely, EPa2, CPa2, and CPb1 and notifies them about the resulting
   allocation along with the hotline number and the activation time.
   CPa2 and CPb1 then perform further allocation among their own
   neighbors and notify the corresponding servers.  This process
   continues until all edge proxies in the network has been informed
   about the event and have proper load filter configured.

   Case II: an earthquake affected the region covered by CPb2, EPb3 and
   EPb4.  All the three servers are overloaded.  The rescue services
   determine that outbound calls are more valuable than inbound calls in
   this specific situation.  Therefore, CPb2, EPb3 and EPb4 configure
   themselves to accept more outbound calls than inbound calls.  CPb2
   also sends out notifications to its outside neighbors, namely CPb1
   and CPa2, specifying a limit on the acceptable rate of inbound calls
   to the CPb2's responsible region.  CPb1 and CPa2 subsequently notify
   their neighbors about limiting the calls to CPb2's area.  The same
   process continues until all edge proxy servers are notified and have
   filters configured.

   Note that this version of the document does not define the
   provisioning interface between the load control policy maker and the
   policy entry point in the network.  One of the potential solutions
   for the provisioning interface is the Extensible Markup Language
   (XML) Configuration Access Protocol (XCAP) [RFC4825].

4.2.  Filter Contents

   The above two examples covered the two typical resource limits in a
   possible overload condition: human destination limits (N call takers)
   and proxy capacity limits.  The overloaded identities in the two
   cases can be represented by a callee number specific filter and a
   wildcard domain based filter, respectively.  In addition, source
   identity based filter can also be helpful in curbing the load.

   Besides the identity of the load source and destination, the filter
   content in the above examples also specifies the actions to be taken
   and during which time period the control should be active.  All these
   aspects are detailed in the filter specification in Section 6.

Shen, et al.               Expires May 7, 2009                  [Page 7]

Internet-Draft       SIP Load Control Event Package        November 2008

4.3.  Filter Computation

   The filter content computation methods are very important in ensuring
   a correct operation of the load filtering control mechanism.
   Whatever computation algorithm is used, it needs to take into
   consideration the network topology and related policies; it needs to
   ensure there is no load filter allocation loop and loads are
   allocated in a way that both prevents overload and minimizes the
   possibility of an under-utilization of the network.

4.4.  Applicability in Different Network Environments

   The load filtering control is more effective when the filter can be
   pushed to the proximity of the signaling sources.  But even if only
   part of the signaling path towards the signaling source could be
   covered, use of this mechanism can still be beneficial.  In fact, due
   to possibly sophisticated call routing and security concerns, trying
   to apply automated load filter distribution in the entire inter-
   domain network path could get extremely complicated and be

   The scenarios where this mechanism could be most useful are
   environments consisting of servers with secure and trust relationship
   and with relatively straightforward routing configuration known to
   the filter computation decision maker.  These scenarios may include
   intra-domain environments such as inside a service provider or
   enterprise domain; inter-domain environments such as enterprise
   connecting to a few service providers or between service providers
   with manageable routing configurations.

   Another important aspect that affects the applicability of the load
   filtering control is that all possible signaling source neighbors
   must participate and enforce the designated filter.  Otherwise, a
   single non-conforming neighbor could easily make the whole control
   efforts useless by pumping in excessive traffic.  Therefore, the
   entity that initiates the filter needs to take counter-measures
   towards any non-conforming neighbors.  A simple model is to just drop
   excessive requests with a 500 response as if they were obeying the
   rate.  This works as long as the dropping cost is sufficiently low
   that the entity doing the dropping is not overloaded.  Note that this
   issue is a generic problem that applies to any overload control

5.  Load Control Event Package

   This section defines the details of the SIP event package for load
   control according to [RFC3265].

Shen, et al.               Expires May 7, 2009                  [Page 8]

Internet-Draft       SIP Load Control Event Package        November 2008

5.1.  Event Package Name

   The name of this event package is "load-control".  This name is
   carried in the Event and Allow-Events header, as specified in

5.2.  Event Package Parameters

   No package specific event header field parameters are defined for
   this event package.

5.3.  SUBSCRIBE Bodies

   A SUBSCRIBE request for load control policy MAY contain a body to
   filter the requested load control notification.  For example, a
   subscriber may be interested in some specific types of load control
   information only.  The details of the subscription filter
   specification are not yet defined.

   A SUBSCRIBE request sent without a body implies the default
   subscription behavior as specified in Section 5.7.

5.4.  SUBSCRIBE Duration

   The default expiration time for a subscription to load control policy
   is one hour.  Since the desired expiration time may vary
   significantly for subscriptions among SIP entities with different
   signaling relationships, the subscribers and notifiers are
   RECOMMENDED to explicitly negotiate appropriate subscription
   durations when knowledge about the mutual signaling relationship is

5.5.  NOTIFY Bodies

   The body of a NOTIFY message in this event package contains policy
   information regarding load control.  As specified in [RFC3265], the
   format of the NOTIFY body MUST be in one of the formats defined in
   the Accept header field of the SUBSCRIBE request or be the default
   format.  The default data format for the NOTIFY body of this event
   package is "application/load-control+xml" (defined in Section 6).
   This means that if no Accept header field is specified to a SUBSCRIBE
   request, the NOTIFY will contain a body in the "application/
   load-control+xml" format.  If the Accept header field is present, it
   MUST include "application/load-control+xml" and MAY include any other

5.6.  Notifier Processing of SUBSCRIBE Requests

Shen, et al.               Expires May 7, 2009                  [Page 9]

Internet-Draft       SIP Load Control Event Package        November 2008

   The effectiveness of load filtering control relies on the
   distribution and installation of the control policies as widely as
   possible in the network.  Therefore, a SIP entity notifier MUST
   accept subscriptions from all neighboring SIP entities with whom they
   have a direct signaling relationship.

5.7.  Notifier Generation of NOTIFY Requests

   Following the [RFC3265] specification, a notifier MUST send a NOTIFY
   with its current load control policy to the subscriber upon
   successfully accepting or refreshing a subscription.  A notifier
   SHOULD generate NOTIFY requests each time the load control policy
   changes, with the maximum notification rate not exceeding values
   defined in Section 5.10.

   A SIP entity subscriber which itself is also a notifier may need to
   forward a NOTIFY message to its own subscribers after receiving a
   load control update from its own notifier.  In such cases, the
   forwarding SIP entity MUST make proper modifications to the contents
   of the NOTIFY message as needed before sending it out.  For example,
   if a SIP entity receives a rate limit of 100 requests per second for
   a particular downstream SIP entity and it needs to forward the policy
   to its three upstream neighbors which all subscribe to it, then the
   total rate limit for the specific downstream SIP entity in the three
   NOTIFY messages sent to those three upstream neighbors must not
   exceed 100 requests per second.

   This event package does not support notifications that contain deltas
   to previous information or partial information.

5.8.  Subscriber Processing of NOTIFY Requests

   The way subscribers process NOTIFY requests depends on the contents
   of the notifications.  Typically, a load control notification
   consists of rules that should be applied to requests matching certain
   identities.  A SIP entity subscriber receiving the notification first
   installs these rules and then filter incoming call requests to
   enforce actions on appropriate requests, for example, limiting the
   sending rate of call requests destined for a specific SIP entity.

   In the case when load control rules specify a future validity time,
   it is possible that when the validity time comes, the subscription to
   the specific notifier that conveyed the rules has expired.  In this
   case, it is RECOMMENDED that the subscriber re-activate its
   subscription with the corresponding notifier.  Regardless of whether
   this re-activation of subscription is successful or not, when the
   validity time is reached, the subscriber SHOULD enforce the
   corresponding rules.

Shen, et al.               Expires May 7, 2009                 [Page 10]

Internet-Draft       SIP Load Control Event Package        November 2008

5.9.  Handling of Forked Requests

   Forking is not applicable when the load control event package is used
   within a single-hop distance between neighboring SIP entities.  If
   the communication scope of the load-control event package is among
   multiple hops, forking is not expected to happen either because the
   subscription request is addressed to a clearly defined SIP entity.
   However, in the unlikely case when forking does happen, the load-
   control event package only allows the first potential dialog-
   establishing message to create a dialog, as specified in Section
   4.4.9 of [RFC3265].

5.10.  Rate of Notifications

   Rate of notifications is likely not a concern for this event package
   because it is expected to be used in a non-real-time mode for
   relatively static load control policies.  Nevertheless, if situation
   does arise that a rather frequent load control policy update is
   needed, it is RECOMMENDED that the notifier does not generate
   notifications at a rate higher than once per-second in all cases, in
   order to avoid the NOTIFY message itself overloading the system.

5.11.  State Agents

   The load control policy information can be directly generated by
   concerned SIP entities distributed in the network.  Alternatively,
   qualified state agents external to the SIP entities MAY be defined to
   take charge of load control policy making.

6.  Load Control Document

6.1.  Format

   A load control document is an XML document that inherits and enhances
   the common policy document defined in [RFC4745].  A common policy
   document contains a set of rules.  Each rule consists of three parts:
   conditions, actions and transformations.  The conditions part is a
   set of expressions containing attributes such as identity, domain,
   and validity time information.  Each expression evaluates to TRUE or
   FALSE.  Conditions are matched on "equality" or "greater than" style
   comparison.  There is no regular expression matching.  If a request
   matches all conditions in a rule set, the action part and the
   transformation part are consulted to determine the "permission" on
   how to handle the request.  Each action or transformation specifies a
   positive grant to the policy server to perform the resulting actions.
   Well-defined mechanism are available for combining actions and
   transformations obtained from more than one sources.

Shen, et al.               Expires May 7, 2009                 [Page 11]

Internet-Draft       SIP Load Control Event Package        November 2008

6.2.  Namespace

   The namespace URI for elements defined by this specification is a
   Uniform Resource Namespace (URN) ([RFC2141]), using the namespace
   identifier 'ietf' defined by [RFC2648] and extended by [RFC3688].
   The URN is as follows:


6.3.  Conditions

   [RFC4745] defined three condition elements: <identity>, <sphere> and
   <validity>.  In this document, we re-define an element for identity
   and reuse the <validity> element.  The <sphere> element is not used.

6.3.1.  Call Identity

   Since the problem space of this document is different from that of
   [RFC4745], the [RFC4745] <identity> element is not sufficient for use
   with load control.  First, load control may be applied to different
   identity information contained in a request, including identities of
   both the receiving entity and the sending entity.  Second, the
   importance of authentication varies when different identities of a
   request are concerned.  This document defines new identity conditions
   that can accommodate the granularity of specific SIP identity header
   fields.  Requirement for authentication depends on which field is to
   be matched.

   The identity condition for load control is specified by the <call-
   identity> element and its sub-element <sip>.  The <sip> element
   itself contains sub-elements representing SIP sending and receiving
   identity header fields: <from>, <to>, <request-uri> and <p-asserted-
   identity>, each is of the same type as the <identity> element in
   [RFC4745].  Therefore, they also inherit the sub-elements of the
   <identity> element, including <one>, <except>, and <many>.  When the
   <call-identity> element or its sub-elements contain multiple sub-
   elements, the result is combined using logical OR.

   The [RFC4745] <one> and <except> elements may contain an "id"
   attribute, which is the URI of a single entity to be included or
   excluded in the condition.  When used in the <from>, <to>, <request-
   uri> and <p-asserted-identity> elements, this "id" value is the URI
   contained in the corresponding SIP header field, i.e., From, To,
   Request-URI, and P-Asserted-Identity.

   The following shows an example of the <call-identity> element:

Shen, et al.               Expires May 7, 2009                 [Page 12]

Internet-Draft       SIP Load Control Event Package        November 2008

                           <one id="sip:alice@hotline.example.com"/>
                           <one id="tel:+1-212-555-1234"/>

   This example matches call requests whose To header field contains the
   SIP URI "sip:alice@hotline.example.com", or 'tel' URI

   The [RFC4745] <many> and <except> elements may take a "domain"
   attribute.  The "domain" attribute specifies a domain name to be
   matched by the domain part of the candidate identity.  Thus, it
   allows matching a large and possibly unknown number of entities
   within a domain.  The "domain" attribute works well for SIP URIs.

   A URI identifying a SIP user, however, can also be a 'tel' URI
   [RFC3966].  We therefore need a similar way to match a group of 'tel'
   URIs.  There are two formats of 'tel' URIs: global format and local
   format.  All phone numbers must be expressed in the global format
   when possible.  The global format 'tel' URIs start with a "+".  The
   rest of the phone numbers are expressed in a local format, which must
   be qualified by a "phone-context" parameter.  The "phone-context"
   parameter may be labelled as a global number or any number of its
   leading digits, or a domain name.  Both formats of the 'tel' URI make
   the resulting URI globally unique.

   'Tel' URIs of global format can be grouped by prefixes consisting of
   any number of common leading digits.  For example, a prefix formed by
   a country code or both the country and area code identifies telephone
   numbers within a country or an area.  Since the length of the country
   and area code for different regions are different, the length of the
   number prefix is also variable.  This allows further flexibility such
   as grouping the numbers into sub-areas within the same area code.
   'Tel' URIs of local-number format can be grouped by the value of the
   "phone-context" parameter.

   To include the two formats of 'tel' URI grouping in the <many> and
   <except> elements, one approach is to add a new attribute similar to
   the "domain" attribute.  In this document, we decided on a simpler
   approach.  There are basically two forms of grouping attribute values
   for both SIP URIs and 'tel' URIs: domain name or number prefix
   starting with "+".  Both of them can be expressed as strings.
   Therefore, we re-interpret the existing "domain" attribute of the

Shen, et al.               Expires May 7, 2009                 [Page 13]

Internet-Draft       SIP Load Control Event Package        November 2008

   <many> and <except> elements to allow it to contain both forms of
   grouping attribute values.  In particular, when the "domain"
   attribute value starts with "+", it denotes a number prefix,
   otherwise, the value denotes a domain name.  Note that the tradeoff
   of this simpler approach is the overlapping in matching different
   types of URIs.  Specifically, a domain name in the "domain" attribute
   could be matched by both a SIP URI with that domain name and a local
   format 'tel' URI containing the same domain name in the "phone-
   context".  On the other hand, a number prefix in the "domain"
   attribute could be matched by both global 'tel' URIs starting with
   those leading digits, and local 'tel' URIs having the same prefix in
   the "phone-context" parameter.  These overlapping situations would
   not be a big problem because of two reasons.  First, when the "phone-
   context" coincides with the SIP domain name or the global number
   prefix, it is usually the case that the related phone numbers indeed
   belong to the same domain or the same area, which means the
   overlapping is not inappropriate.  Second, the use of the local
   format 'tel' URI in practice is expected to be rare.  As a result,
   the chance of such overlapping happening is very small.

   The following example shows the use of the re-interpreted "domain"

                               <except domain="+1-212"/>
                               <except domain="manhattan.example.com"/>

   This example matches those call requests whose domain field in the
   From SIP URI is different from "manhattan.example.com", or those call
   requests whose 'Tel' URI indicates a caller number starting from a
   prefix other than "+1-212".

6.3.2.  Validity

   A rule is usually associated with a validity period condition.  This
   document reuses the <validity> element of [RFC4745], which specifies
   a period of validity time by pairs of <from> and <until> sub-
   elements.  When multiple time periods are defined, the validity
   condition is evaluated to TRUE if the current time falls into any of
   the specified time periods. i.e., it represents a logical OR
   operation across all validity time periods.

Shen, et al.               Expires May 7, 2009                 [Page 14]

Internet-Draft       SIP Load Control Event Package        November 2008

   The following example shows a <validity> element specifying a valid
   period from 12:00 to 15:00 US Eastern Standard Time on 2008-05-31.


6.4.  Actions

   As [RFC4745] specified, conditions form the 'if'-part of rules, while
   actions and transformations form the 'then'-part.  Transformations
   are not used in the load control document.  The actions for load
   control are defined by the <accept> element, which takes any one of
   the three sub-elements <rate>, <percent>, and <win>.  The <rate>
   element denotes an absolute value of the maximum acceptable request
   rate in requests per second; the <percent> element specifies the
   relative percentage of incoming requests that should be accepted; the
   <win> element describes the acceptable window size supplied by the
   receiver, which is applicable in window-based load control (See
   [I-D.hilt-sipping-overload] for more details on rate-based and
   window-based load control).

   In addition, the <accept> element takes an optional "alt-action"
   attribute which can be used to explicitly specify the desired action
   in case a request is not accepted.  The possible "alt-action" values
   are "Drop" for simple drop, "Reject" for explicit rejection (e.g.,
   sending a "503 Service Unavailable" response message to an INVITE
   request), and "Forward".  The default value is "Drop".  If the "alt-
   action" value is "Forward", an "alt-target" attribute MUST be
   defined.  The "alt-target" specifies a URI where the request should
   be forwarded (e.g., an answering machine with explanation of why the
   request cannot be accepted).

   In the following <actions> element example, the server accepts
   maximum of 100 call requests per second.  The remaining calls are
   forwarded to an answering machine.

               <accept alt-action="Forward" alt-target=

6.5.  Complete Examples

   This section presents two complete examples of rule sets.

Shen, et al.               Expires May 7, 2009                 [Page 15]

Internet-Draft       SIP Load Control Event Package        November 2008

   The example below assumes a hotline reachable through
   "sip:alice@hotline.example.com" or "tel:+1-212-555-1234".  The
   hotline is activated from 12:00 to 15:00 US Eastern Standard Time on
   2008-05-31.  The goal is to limit the incoming calls to 100 requests
   per second.  Calls that exceed the rate limit are explicitly

   <?xml version="1.0" encoding="UTF-8"?>
   <ruleset xmlns="urn:ietf:params:xml:ns:common-policy"

       <rule id="f3g44k1">
                           <one id="sip:alice@hotline.example.com"/>
                           <one id="tel:+1-212-555-1234"/>
               <lc:accept alt-action="reject">


   The following example assumes a three-day period during the aftermath
   of an earthquake.  To optimize resource usage, 50 percent of the
   inbound calls to the region will be throttled but no throttle is
   placed on outbound calls.  In addition, calls originating from the
   local domain and the rescue team domain are never throttled.  All
   throttled inbound calls will be forwarded to an answering machine
   with updated earthquake information.

   <?xml version="1.0" encoding="UTF-8"?>
   <ruleset xmlns="urn:ietf:params:xml:ns:common-policy"

Shen, et al.               Expires May 7, 2009                 [Page 16]

Internet-Draft       SIP Load Control Event Package        November 2008

       <rule id="f3g44k2">
                           <many domain="pompeii.example.com"/>
                               <except domain="pompeii.example.com"/>
                               <except domain="rescue.example.com"/>
               <lc:accept alt-action="Forward" alt-target=


7.  XML Schema Definition for Load Control

   This section defines the XML schema for the load-control document.
   It extends the Common Policy schema in [RFC4745] by defining new
   members of the <condition> and <action> elements.

   <?xml version="1.0" encoding="UTF-8"?>
   <xs:schema targetNamespace="urn:ietf:params:xml:ns:load-control"

Shen, et al.               Expires May 7, 2009                 [Page 17]

Internet-Draft       SIP Load Control Event Package        November 2008


       <xs:import namespace="urn:ietf:params:xml:ns:common-policy"/>

   <!-- CONDITIONS -->

   <!-- CALL IDENTITY -->
   <xs:element name="call-identity" type="lc:call-type"/>

   <!-- CALL TYPE -->
   <xs:complexType name="call-type">
     <xs:element name="sip" type="lc:sip-id-type"/>
     <any namespace="##other" processContents="lax" minOccurs="0"
     <anyAtrribute namespace="##other" processContents="lax"/>

   <!-- SIP ID TYPE -->
   <xs:complexType name="sip-id-type">
     <element name="from" type="cp:identityType" minOccurs="0"/>
     <element name="to" type="cp:identityType" minOccurs="0"/>
     <element name="request-uri" type="cp:identityType" minOccurs="0"/>
     <element name="p-asserted-identity" type="cp:identityType"
     <any namespace="##other" processContents="lax" minOccurs="0"
     <anyAtrribute namespace="##other" processContents="lax"/>

   <!-- Action -->

   <xs:element name="accept">
     <element name="rate" type="xs:decimal" minOccurs="0"/>
     <element name="win" type="xs:integer" minOccurs="0"/>
     <element name="percent" type="xs:decimal" minOccurs="0"/>
     <any namespace="##other" processContents="lax" minOccurs="0"
     <xs:attribute name="alt-action" type="xs:string" default="drop"/>
     <xs:attribute name="alt-target" type="xs:anyURI"/>
     <anyAtrribute namespace="##other" processContents="lax"/>

Shen, et al.               Expires May 7, 2009                 [Page 18]

Internet-Draft       SIP Load Control Event Package        November 2008


8.  Related Work

8.1.  Relationship with Load Filtering in PSTN

   It is known that the existing PSTN network also uses a load filtering
   mechanism to prevent overload and the filter configuration is done
   manually.  This document defines the SIP event framework based
   distribution mechanism which allows automated filter distribution in
   suitable environments.

   There are control messages associated with PSTN overload control
   which would specify an outgoing control list, call gap duration and
   control duration [AINGR].  These items could be roughly correlated to
   the identity, action and the time fields in the SIP load filter
   content definition in this document.  However, the filter defined in
   this document is much more generic and flexible as opposed to its
   PSTN counterpart.

   Firstly, PSTN filtering only applies to telephone numbers, and the
   number of prefix to be matched for a group of telephone numbers is
   usually a fixed set.  The SIP filter identity allows both SIP URI and
   telephone numbers (through Tel URI) to be specified.  The identities
   can be arbitrary grouped by SIP domains or any number of leading
   prefix of the telephone number.

   Secondly, the PSTN filtering action is usually limited to call
   gapping, and there is also a fixed set of allowed gapping intervals.
   The action field in the SIP load filter allows more possibilities
   such as rate throttle, window-based throttle and others.

   Thirdly, the duration field in PSTN filtering specifies a value in
   seconds for the control duration only and the allowed values are
   mapped into a value sets.  The time field in the SIP load filter can
   not only specify a duration, but also a future activation time which
   could be especially useful for automating overload control for
   predictable overloads.

   PSTN filtering can be performed in both edge switches and transit
   switches; SIP filtering can also be applied in both edge proxies and
   core proxies, and even in capable user agents.

   PSTN overload control also has special accommodation for High
   Probability of Completion (HPC) calls, which would be similar to the
   calls designated by the SIP Resource Priority Headers [RFC4412].  SIP

Shen, et al.               Expires May 7, 2009                 [Page 19]

Internet-Draft       SIP Load Control Event Package        November 2008

   filtering mechanism can also prioritize the treatment of these calls
   by specifying favorable actions for these calls.

   PSTN filtering also provides administrative option for routing failed
   call attempts to either Reorder Tone or a special announcement.
   Similar capability can be provided in the SIP filtering mechanism by
   specifying the appropriate "alt-action" attribute in the SIP
   filtering action field.

8.2.  Relationship with Other IETF SIP Load Control Efforts

   The filter content definition in this document is based on identity,
   action and time.  The identity can range from a single specific user
   to an arbitrary user aggregate, domains or areas.  The user can be
   identified by either the source or the destination.  When the user is
   identified by the source and a favorable action is specified, the
   result may be comparable to identifying a priority user based on
   authorized Resource Priority Headers [RFC4412] in the requests.
   Specifying a source user identity with an unfavorable action would
   cause an effect comparable to an inverse SIP resource priority

   The filter content defined in this document is generic and is
   expected to be applicable not only to the load filtering control
   mechanism but also to the feedback overload control mechanism in
   [I-D.hilt-sipping-overload].  In particular, both of them could use
   specific or wildcard filter identities for load control and could
   share well-known load control actions.  The time duration field in
   the filter content could also be used in both mechanisms.  As
   mentioned in Section 1, the load filter distribution mechanism and
   the feedback overload control mechanism address complementary areas
   in the load control problem space.  Load filtering is more proactive
   and focuses on distributing the filter towards the source of the
   traffic; the hop-by-hop feedback based approach is reactive and
   targets more at traffic already accepted in the network.  Therefore,
   they could also make different use of the generic filter components.
   For example, the load filtering mechanism may use the time field in
   the filter to specify not only a control duration but also a future
   activation time to accommodate a predicable overload such as caused
   by Mother's Day or a viewer-voting program; the feedback-based
   control might not need to use the time field or might use the time
   field to specify an immediate control duration.

9.  Security Considerations

   Two aspects of security considerations arise from this document: one
   is the SIP event framework based filter distribution mechanism, the

Shen, et al.               Expires May 7, 2009                 [Page 20]

Internet-Draft       SIP Load Control Event Package        November 2008

   other is the filter enforcement mechanism.

   Security considerations for the SIP event framework based mechanism
   is covered in Section 5 of [RFC3265].  In addition, we would like to
   emphasize the following two points specific to this document.

   o  Subscription control: the effectiveness of load filtering requires
      that all incoming signaling neighbors be under control.
      Therefore, the notifier MUST open the load control subscription to
      all its legitimate neighbors from which it is expected to accept
      signaling requests from.  It is important to note that, accepting
      load control subscription from a neighbor does not mean the
      specific neighbor will correctly enforce the contents of load
      control notification as expected.  When there are neighbors that
      are non-conforming, additional measures need to be taken as
      discussed in Section 4.4.

   o  Notification control: in order to prevent the load control
      notification being used to launch denial of service attacks, all
      load control notification MUST be authenticated and authorized
      before being accepted.  Standard authentication and authorization
      mechanisms recommended in [RFC3261] such as HTTP authentication
      [RFC2617], TLS [RFC2246] and IPSec [RFC2401] can serve this

   Security considerations for filter enforcements vary depending on the
   filter contents.  This document defines possible filter match of the
   following SIP header fields: <from>, <to>, <request-uri> and
   <p-asserted-identity>.  The exact requirement to authenticate and
   authorize these fields is up to the service provider.  In general, if
   the identity field represents the source of the request, it SHOULD be
   authenticated and authorized; if the identity field represents the
   destination of the request the authentication and authorization is

10.  IANA Considerations

   This specification registers a SIP event package, a new MIME type, a
   new XML namespace, and a new XML schema.

10.1.  Load Control Event Package Registration

   This section registers an event package based on the registration
   procedures defined in [RFC3265].

   Package name: load-control

Shen, et al.               Expires May 7, 2009                 [Page 21]

Internet-Draft       SIP Load Control Event Package        November 2008

   Type: package

   Published specification: This document

   Person to contact: Charles Shen, charles@cs.columbia.edu

10.2.  application/load-control+xml MIME Registration

   This section registers a new MIME type based on the procedures
   defined in [RFC4288] and guidelines in [RFC3023].

      MIME media type name: application

      MIME subtype name: load-control+xml

      Mandatory parameters: none

   Optional parameters: Same as charset parameter application/xml in

   Encoding considerations: Same as encoding considerations of
   application/xml in [RFC3023]

   Security considerations: See Section 10 of [RFC3023] and Section 9 of
   this specification

   Interpretability considerations: None

   Published Specification: This document

   Applications which use this media type: load control of SIP entities

   Additional information:

   Magic number: None

   File extension: .xml

   Macintosh file type code: 'TEXT'

   Personal and email address for further information:

   Charles Shen, charles@cs.columbia.edu

   Intended usage: COMMON

   Author/Change Controller: IETF SIPPING Working Group
   <sippping@ietf.org>, as designated by the IESG <iesg@ietf.org>

Shen, et al.               Expires May 7, 2009                 [Page 22]

Internet-Draft       SIP Load Control Event Package        November 2008

10.3.  Load Control Schema Registration

   URI: urn:ietf:params:xml:schema:load-control

   Registrant Contact: IETF SIPPING working group, Charles Shen

   XML: the XML schema to be registered is contained in Section 7.

   Its first line is

   <?xml version="1.0" encoding="UTF-8"?>

   and its last line is


11.  References

11.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2141]  Moats, R., "URN Syntax", RFC 2141, May 1997.

   [RFC2648]  Moats, R., "A URN Namespace for IETF Documents", RFC 2648,
              August 1999.

   [RFC3023]  Murata, M., St. Laurent, S., and D. Kohn, "XML Media
              Types", RFC 3023, January 2001.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              June 2002.

   [RFC3265]  Roach, A., "Session Initiation Protocol (SIP)-Specific
              Event Notification", RFC 3265, June 2002.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC3966]  Schulzrinne, H., "The tel URI for Telephone Numbers",
              RFC 3966, December 2004.

   [RFC4288]  Freed, N. and J. Klensin, "Media Type Specifications and

Shen, et al.               Expires May 7, 2009                 [Page 23]

Internet-Draft       SIP Load Control Event Package        November 2008

              Registration Procedures", BCP 13, RFC 4288, December 2005.

   [RFC4745]  Schulzrinne, H., Tschofenig, H., Morris, J., Cuellar, J.,
              Polk, J., and J. Rosenberg, "Common Policy: A Document
              Format for Expressing Privacy Preferences", RFC 4745,
              February 2007.

11.2.  Informative References

   [AINGR]    Bell Communications Research, "AINGR: Service Control
              Point (SCP) Network Traffic Management", GR-2938-CORE ,
              December 1996.

              Hilt, V., Widjaja, I., and H. Schulzrinne, "Session
              Initiation Protocol (SIP) Overload Control",
              draft-hilt-sipping-overload-05 (work in progress),
              July 2008.

              Rosenberg, J., "Requirements for Management of Overload in
              the Session Initiation Protocol",
              draft-ietf-sipping-overload-reqs-05 (work in progress),
              July 2008.

   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
              RFC 2246, January 1999.

   [RFC2401]  Kent, S. and R. Atkinson, "Security Architecture for the
              Internet Protocol", RFC 2401, November 1998.

   [RFC2617]  Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
              Leach, P., Luotonen, A., and L. Stewart, "HTTP
              Authentication: Basic and Digest Access Authentication",
              RFC 2617, June 1999.

   [RFC4412]  Schulzrinne, H. and J. Polk, "Communications Resource
              Priority for the Session Initiation Protocol (SIP)",
              RFC 4412, February 2006.

   [RFC4825]  Rosenberg, J., "The Extensible Markup Language (XML)
              Configuration Access Protocol (XCAP)", RFC 4825, May 2007.

Authors' Addresses

   Charles Shen
   Columbia University

Shen, et al.               Expires May 7, 2009                 [Page 24]

Internet-Draft       SIP Load Control Event Package        November 2008

   Department of Computer Science
   1214 Amsterdam Avenue, MC 0401
   New York, NY  10027

   Phone: +1 212 854 3109
   Email: charles@cs.columbia.edu

   Henning Schulzrinne
   Columbia University
   Department of Computer Science
   1214 Amsterdam Avenue, MC 0401
   New York, NY  10027

   Phone: +1 212 939 7004
   Email: schulzrinne@cs.columbia.edu

   Arata Koike
   NTT Service Integration Labs &
   NTT Washington DC Representative Office
   1100 13th St., NW, Suite 900
   Washington DC,   20005

   Phone: +1 202 312 1451
   Email: koike.arata@lab.ntt.co.jp

Shen, et al.               Expires May 7, 2009                 [Page 25]

Internet-Draft       SIP Load Control Event Package        November 2008

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at

Shen, et al.               Expires May 7, 2009                 [Page 26]