Internet Engineering Task Force Mike Pierce Internet Draft Artel draft-pierce-tsvwg-assured-service-arch-01.txt Don Choi October 20, 2004 DISA Expires April 20, 2005 Architecture for Assured Service Capabilities in Voice over IP draft-pierce-tsvwg-assured-service-arch-01.txt Status of this memo By submitting this Internet-Draft, each author certifies that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with RFC 3668. This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress". The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt To view the list Internet-Draft Shadow Directories, see http://www.ietf.org/shadow.html. Copyright Copyright (C) Internet Society 2004. All rights reserved. Reproduction or translation of the complete document, but not of extracts, including this notice, is freely permitted. Abstract Assured Service refers to the set of capabilities used to ensure that mission critical communications are setup and remain connected. This memo describes the architecture required to meet the requirements detailed in [Pierce1]. Mike Pierce Expires April 20, 2005 [Page 1] Internet Draft Architecture for Assured Service October 20, 2004 Table of Contents 0. History......................................................2 1. Introduction.................................................2 2. Architectures................................................3 2.1. End-to-end Architecture.................................3 2.2. Service Provider Network Architecture...................4 3. Required Architecture........................................4 4. Required Procedures..........................................6 4.1. Authentication..........................................6 4.2. Function of Proxy.......................................6 4.3. Function of the Edge Router.............................7 4.4. Function of User Agent..................................7 4.5. Session Control.........................................8 5. Security Considerations......................................8 6. References...................................................8 6.1. Normative References....................................8 6.2. Informative References..................................8 0. History (To be removed before publication.) This draft was originally submitted under SIPPING and then IEPREP. This revision is being submitted under TSVWG since IEPREP is essentially inactive. (SIPPING) -00: Original (IEPREP) -00: Added Access Router to architecture required to support Assured Service. -01 Updated references -02 Updated references and minor editorial changes. (TSVWG) -00 Updated references and added references to CAC. -01 Changed "Access Router" to "Edge Router". Added description of "call-stateful" proxy. Added references. 1. Introduction The requirements for Assured Service are given in [Pierce1]. Many other drafts and RFCs have addressed the assumed architecture for the provision of SIP-based services. A lot of consideration has been Mike Pierce Expires April 20, 2005 [Page 2] Internet Draft Architecture for Assured Service October 20, 2004 given to continued reliance on the pure peer-to-peer model on which the Internet (and especially HTTP) has been based vs. migration to centralized control models in which dedicated proxies perform specific functions for the control of telephony services. This would include, possibly, full knowledge of the state of each call. While there is an wide-spread desire expressed in various IETF discussions to maintain (or return to) the pure peer-to-peer architecture, there has been increasing admissions in various drafts that centralized control or intelligent "middleboxes" are required in many cases. Some examples are: 1. RFC 3261 defines the notion of a "Call Stateful proxy", which "retains state for a dialog from the initiating INVITE to the terminating BYE request", i.e., for the duration of a call. However, no use of this state has been included in the current version of SIP [RFC3261]. 2. Draft-ietf-sipping-cc-framework-02 included the concept of a "central control" signaling model. 3. The abstract for draft-ietf-sipping-service-examples-06 recognizes that "some [services] require the assistance of a SIP Proxy", and it states that the flows shown assume "a network of proxies, registrars, PSTN gateways, and other SIP servers". 4. RFC 3325 for identity and privacy is based fully on use of a network of trusted SIP servers. It states that "these mechanisms provide no means by which end users can securely share identity information end-to-end without a trusted service provider." 2. Architectures Various discussions and memos have identified two potential network architectures for the provision of SIP services. They are briefly: 2.1. End-to-end Architecture All service provision is between and under control of the calling and called party, referred to as "User Agent Client (UAC)" and "User Agent Server (UAS)", respectively. This terminology of "client" and "server" are based on the HTTP model from which this model is derived and have no real significance to this model. Either end can initiate a transaction. There is no device in-between which provides service support, only routers for packets. Other required devices (address translation, etc.) which the calling user must access are simply additional UAS's. There is no "Service Provider" for the voice service, only a provider of the packet switched infrastructure. Mike Pierce Expires April 20, 2005 [Page 3] Internet Draft Architecture for Assured Service October 20, 2004 2.2. Service Provider Network Architecture A Service Provider maintains and controls network elements which play an active role in the provision of services to end users. These network elements may be referred to as back-to-back user agents (B2BUA), proxies, servers, middleboxes, or intermediaries but they all have the common characteristic of being provided by a trusted Service Provider and they provide an important logical function between the end users. These elements terminate SIP messages, perform service control, and send new or modified SIP messages to other network elements or to the other user. The result is that no SIP message goes directly from one UA to the other (unless specifically authorized by the control element). The "Service Provider" may be the same company or entity which provides part or all of the packet switched infrastructure. 3. Required Architecture In order to provide the security and feature control required for Assured Service as defined in [Pierce1], it is necessary to utilize the Service Provider Network Architecture in which proxies are used to support call origination and termination for each user involved in the service. The architecture is the "trapezoid" described in SIP [RFC3261] as follows (figure actually copied from RFC 3263): ........................... ............................. . . . . . +-------+ . . +-------+ . . | | . . | | . . | Proxy |---------- | Proxy | . . | 1 | . . | 2 | . . | | . . | | . . / +-------+ . . +-------+ \ . . / . . \ . . / . . \ . . / . . \ . . / . . \ . . / . . \ . . / . . \ . . / . . \ . . +-------+ . . +-------+ . . | | . . | | . . | | . . | | . . | UA 1 | . . | UA 2 | . . | | . . | | . . +-------+ . . +-------+ . . Domain A . . Domain B . ........................... ............................. Interfaces: (1) Originating UA 1 to Proxy 1: Authentication and all SIP messages Mike Pierce Expires April 20, 2005 [Page 4] Internet Draft Architecture for Assured Service October 20, 2004 to/from UA 1 (2) Proxy 1 to Proxy 2 (and to other devices such as policy servers): SIP messages and policy actions (3) Proxy 2 to terminating UA 2: Authentication and all SIP messages to/from U 2 (4) Originating UA 1 to terminating UA 2: Voice packets, no signaling messages However, the above architecture requires the addition of another component to provide control of the user's data packets (voice) in the Assured Service case. This is important since the packets themselves need to be marked for preferential treatment, including the ability to get preferential treatment" over the packet transfer of another user. There must be an edge router, as described in [RFC 2998] and RFC [3313], generally at the boundary between the local network and the core network. This may be between the Ethernet LAN and the IP "cloud" or it may be between the locally controlled IP network and the global IP network. In any case, its function is to regulate the transport of priority marked packets into the core. The following figure depicts this architecture: ............................ ............................ . . . . . +-------+ . . +-------+ . . | | . (2) . | | . . | Proxy |---------------------- | Proxy | . . | 1 | . . | 2 | . . | | . . | | . . +-------+ . . +-------+ . . / \ . . / \ . . (1) / \ (1a) . . (3a) / \ (3) . . / \ . . / \ . . / \ . . / \ . . +-------+ +----+ . . +----+ +-------+ . . | | (4a) | ER | . (4b) . | ER | (4c) | | . . | UA 1 |------>| 1 |-------------->| 2 |------>| UA 2 | . . | | | | . . | | | | . . +-------+ +----+ . . +----+ +-------+ . . Domain A . . Domain B . ............................ ............................ Interfaces: (1) Originating UA 1 to Proxy 1: Authentication and all SIP messages to/from UA 1 (1a and 3a) Proxy to ER: instructions to allow voice packet transport (2) Proxy 1 to Proxy 2 (and to other devices such as policy servers): SIP messages and policy actions (3) Proxy 2 to terminating UA 2: Authentication and all SIP Mike Pierce Expires April 20, 2005 [Page 5] Internet Draft Architecture for Assured Service October 20, 2004 messages to/from U 2 (4a) Originating UA 1 to ER 1: attempted voice packets (4b) ER 1 to ER 2: authorized voice packets (4c) ER 2 to UA 2: authorized voice packets 4. Required Procedures 4.1. Authentication Each UA which might use the Assured Service capability must authenticate with a designated proxy before any service activation is attempted. Normally, this would be at the time the device is powered on, connected to the network, or is initialized, or it might be done at pre-determined time intervals. Whether or not this authentication requires a user interaction (human entry of a password, retina scan, etc.) is not important and depends on the application. Such an authentication may be very time consuming, with password verification and policy data-base look-ups. After this authentication, this proxy must handle all session establishments, both to and from this UA. This authentication function may be performed when the user attempts the first session setup, for example, when an individual is allowed to use a common device by first "logging on" with their identity and password. In fact, this is still an "authentication" function performed before the session setup is attempted. However, in this case, it must be understood that there may be an additional delay due to the authentication process before a call can be placed. This authentication process is not unique to the provision of the Assured Service capability. It is also required for many other services which are to be provided by the service provider's proxy based on pre-established authorizations. 4.2. Function of Proxy Besides the processing of the authentication, each proxy is responsible for a number of functions important to the provision of Assured Service (as well as other services) and the handling of interactions, where required, between different services. This includes: - maintaining state of all existing sessions which exist on all UAs under its control (both originating and terminating proxies). The proxy is fully "call-stateful" where "state" in this case includes the identity of the endpoints in the session, the priority of the session, and the addresses required to send further messages up- and down-stream in the session, that is, any information which might be needed for further processing of the session. - maintaining knowledge of other services being used by the UA which might need to be taken into consideration when applying the Assured Service capabilities (both originating and terminating Mike Pierce Expires April 20, 2005 [Page 6] Internet Draft Architecture for Assured Service October 20, 2004 proxies). - verifying that the originating UA is allowed to establish the session at the precedence level requested (originating proxy). - performing a Call Admission Control function of deciding whether or not a new call (and the resulting packet flow) can be setup based on knowledge of the current load and the allowable load (originating proxy). - establish permission at the edge router for it to handle the precedence marked packets from the UA (both originating and terminating proxies). - performing the timing function to control the diversion service (terminating proxy). - deciding when to preempt the end user and sending the appropriate preempt messages to the other party (both originating and terminating proxies). - maintaining records of the use of the service, whether for accounting or auditing purposes (both originating and terminating proxies). 4.3. Function of the Edge Router The edge router serves the functions of ingress router and egress router referred to in various RFCs. "Edge Router" is described in RFCs [2998], [3313], and [3521]. The edge router, under control of the proxy, decides which packets are to be transported between networks or domains. If authorization has not been granted for the transport of a specific packet flow at the precedence level indicated in the packets, the edge router must discard the packets. Additionally, there may be cases in which a currently transported packet stream must be stopped, for example, to support preemption. Since the Assured Service may not be able to rely on the UA to stop the flow, it may be necessary for the edge router, again under control of the proxy, to stop transporting a particular flow. An edge router may also be capable of recognizing traffic overload and notifying other network entities of this situation. It may also contain procedures to provide short-term relief from such overload conditions, such as providing preferential treatment of some packets based on their markings (for example, as defined in DiffServ). 4.4. Function of User Agent The User Agent may be either the end user's telephone device or a gateway to a non-IP network. It is responsible for initiating or terminating a call setup request with the responsible proxy. In Mike Pierce Expires April 20, 2005 [Page 7] Internet Draft Architecture for Assured Service October 20, 2004 addition, it is responsible for sending voice packets to and receiving them from the appropriate edge router. 4.5. Session Control Session establishment and release should follow the same message sequence as defined in SIP and its extensions for non-Assured Service calls. There should not be any additional messages to setup an Assured Service call. The only additional requirements are the inclusion of: - the priority level as defined in [Resource] in the INVITE - security related information in every message which might consist of an authentication header (AH) using cryptographic techniques to allow the receiving end (user or proxy) to validate the authenticity of the message before acting on it. (This requirement is not unique to Assured Service, but is also required to provide security for other capabilities.) If preemption of sessions (calls) is supported, there may be unique messages to control this function. 5. Security Considerations This memo mostly deals with the architecture required to support the necessary security. While it does not attempt to define the actual security mechanisms used for authentication and authorization, it establishes the service architecture required as a basis for security. 6. References 6.1. Normative References None 6.2. Informative References [RFC2998] RFC 2998, "A Framework for Integrated Services Operation over Diffserv Networks", Y. Bernet, et al, November 2000. [RFC3261] RFC 3261, "SIP: Session Initiation Protocol", J. Rosenberg, et al, June 2002. [RFC3263] RFC 3263, "Session Initiation Protocol (SIP): Locating SIP Servers", J. Rosenberg, et al, June 2002. [RFC3313] RFC 3313, "Private SIP Extensions for Media Authorization", W. Marshall, May 2002. [RFC3323] RFC 3323 "A Privacy Mechanism for the Session Initiation Protocol (SIP)", J. Peterson, November 2002. Mike Pierce Expires April 20, 2005 [Page 8] Internet Draft Architecture for Assured Service October 20, 2004 [RFC3325] RFC 3325, "SIP extensions for Network-asserted Caller Identity and Privacy within Trusted Networks", C. Jennings, et al, February 2002. [RFC3521] RFC 3521, "Framework for Session Set-up with Media Authorization", L-N. Hamer, et al, April 2003. [Pierce1] draft-pierce-tsvwg-assured-service-req-01, "Requirements for Assured Service Capabilities in Voice over IP", Mike Pierce, et al, October 2004. [Resource] draft-ietf-sip-resource-priority-04, "SIP Communications Resource Priority Header", Henning Schulzrinne and James Polk, August 2004. Authors' Addresses Michael Pierce Artel 1893 Preston White Drive Reston, VA 20191 Phone: +1 410.817.4795 Email: pierce1m@ncr.disa.mil Don Choi DISA 5600 Columbia Pike Falls Church, VA 22041-2717 Phone: +1 703.681.2312 Email: choid@ncr.disa.mil Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and the contributor, the organization he/she represents or is sponsored by (if any), the Internet Society, and the Internet Engineering Task Force disclaim all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC Mike Pierce Expires April 20, 2005 [Page 9] Internet Draft Architecture for Assured Service October 20, 2004 documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Full Copyright Statement Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and, except as set forth therein, the authors retain all their rights. Mike Pierce Expires April 20, 2005 [Page 10]