Speermint Working Group H. Kaplan (Ed.) Internet Draft Acme Packet Intended status: Informational R. Penno Expires: September 2009 Juniper Networks D. Malas CableLabs S. Khan Comcast A. Uzelac Global Crossing March 9, 2009 SPEERMINT Routing Architecture Message Flows draft-ietf-speermint-flows-05 Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on September 9, 2009. Copyright and License Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Kaplan, et al Expires September 9, 2009 [Page 1] Internet-Draft draft-ietf-speermint-flows-05 March 2009 Abstract This document describes example message flows associated with the SPEERMINT routing architecture, relative to various peering scenarios. Table of Contents 1. Introduction...................................................3 2. Definitions....................................................3 3. Peering Scenarios..............................................4 4. Legend for Message Flows.......................................6 5. Basic Peering Message Flow.....................................8 5.1. Message Examples for Basic Peering Model..................9 6. On-Demand Peering.............................................11 6.1. Transport Layer Security.................................11 7. Static Peering................................................13 7.1. TLS......................................................13 7.2. IPsec....................................................14 7.3. Co-Location..............................................14 8. Federation Based Peering......................................15 8.1. Central Federation Proxy.................................15 8.2. Central ENUM Federation..................................17 9. Media Relay...................................................19 10. Peering Message Flow Phases..................................19 10.1. Discovery Phase.........................................21 10.2. Security Establishment Phase............................22 10.3. Signaling Exchange Phase................................22 10.4. Media Exchange Phase....................................23 11. Security Considerations......................................23 12. IANA Considerations..........................................24 13. Acknowledgments..............................................24 14. References...................................................24 14.1. Normative References....................................24 14.2. Informative References..................................25 Author's Addresses...............................................25 Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [1]. The Kaplan, et al Expires September 9, 2009 [Page 2] Internet-Draft draft-ietf-speermint-flows-05 March 2009 terminology in this document conforms to RFC 2828, "Internet Security Glossary". 1. Introduction This document shows the message flows associated with the most relevant SPEERMINT routing architecture peering scenarios. Most of the message diagrams were based on previous work described within existing IETF standards documents. The document focuses on the messages exchanged for the purpose of Layer 5 peering [7] between two domains. Messages exchanged for the purpose of setting up SIP sessions within a domain are considered out of scope and are already defined in other IETF documents. 2. Definitions SSP: SIP Service Provider, the administrative entity providing SIP services utilizing SIP. Note that an SSP may be a traditional Service Provider, an Enterprise, or any administrative domain context. LUF: Look-Up Function, the functional step(s) necessary to determine for a given SIP request, which terminating domain it should be sent to. LRF: Location Routing Function, the functional step(s) necessary to determine for a given SIP request's terminating domain, the path to follow to reach the terminating domain. Routing: In the context of this document, it is forwarding of an out- of-dialog SIP request. SED: Session Establishment Data, the LUF and LRF data needed and used to route a SIP request to the next-hop(s) associated with reaching the terminating domain. SBE: Signaling-path Border Element, the logical SIP node that represents the logical boundaries between SSP domains (a.k.a., the signaling portion of an SBC, I-BCF, etc.). SF: Signaling Function, the logical functional role for processing SIP requests for peering/routing; i.e., the SBE's role. Kaplan, et al Expires September 9, 2009 [Page 3] Internet-Draft draft-ietf-speermint-flows-05 March 2009 DBE: Data-path Border Element, the logical node that relays media between the logical boundaries of SSP domains (a.k.a., the media portion of an SBC, I-BGF, etc.). MF: Media Function, the logical functional role for processing media for peering purposes, including relaying media; i.e., the DBE's role. 3. Peering Scenarios This draft separates the Layer 5 peering scenarios into two major peering scenarios: o On-demand: In this scenario the SIP proxies in domains A and B establish a peering relationship driven by the necessity to deliver a SIP message to another domain, without a pre-existing relationship. This is sometimes referred as the "email" model. o Static: In this scenario the peering relationship between proxies A and B is statically pre-provisioned independent of the establishment of any SIP session between users in different domains. Media for a given SIP session may follow a different path from signaling, only following the IP routed transport path when crossing peering domains. Alternatively, media for a given session can be directed to traverse the same SIP device used for Layer 5 peering, i.e., the same device that handles signaling when crossing domains. This produces three different models: o Media-direct: In this model SIP proxies perform Layer 5 peering Signaling Function (SF), while media is sent directly between the User Agent's (UA's) involved in the session, as shown in Figure 1. Therefore signaling and media follow different paths. o Integrated: In this model, the device that performs Layer 5 SIP peering SF/SBE also processes the associated media when crossing domains, as an MF/DBE, as shown in Figure 2. This function is usually referred to as media relay and is usually performed by a B2BUA or SBC (Session Border Controller). See [6] for a complete discussion of such SBC functions. We will refer to this picture throughout this document. Kaplan, et al Expires September 9, 2009 [Page 4] Internet-Draft draft-ietf-speermint-flows-05 March 2009 o Decomposed: In this model, media is relayed by a DBE/MF which is physically separated from the SBE/SF. A control protocol, typically H.248 or MGCP, is used by the SBE to control the DBE. From the UA and peering domain's perspective, the decomposed SBE and DBE do not function any differently than an integrated SBC. For the purposes of this document, one can consider this model as just a specific variant of the integrated model, and is not discussed separately. ............................ .............................. . . . . . +-------+ . . +-------+ . . | | . . | | . . | DNS | . . | DNS | . . | 1 | . . | 2 | . . | | . . | | . . +-------+ . . +-------+ . . | . . | . . | . . | . . +-------+ . . +-------+ . . | SF | . . | SF | . . | Proxy |--------------| Proxy | . . | 1 | . . | 2 | . . | | . . | | . . / +-------+ . . +-------+ \ . . / . . \ . . / . . \ . . / . . \ . . / . . \ . . / . . \ . . / . . \ . . / . . \ . . +-------+ . . +-------+ . . | | . . | | . . | | . Media . | | . . | UA 1 |<========================================>| UA 2 | . . | | . . | | . . +-------+ . . +-------+ . . Domain A . . Domain B . ............................ .............................. Figure 1: Basic Peering Picture (media-direct) Kaplan, et al Expires September 9, 2009 [Page 5] Internet-Draft draft-ietf-speermint-flows-05 March 2009 The integrated model is shown below: ............................ .............................. . . . . . +-------+ . . +-------+ . . | | . . | | . . | DNS | . . | DNS | . . | 1 | . . | 2 | . . | | . . | | . . +-------+ . . +-------+ . . | . . | . . | . . | . . +-------+ . . +-------+ . . | SBE/SF| . . | SBE/SF| . . | & |--------------| & | . . | DBE/MF|**************| DBE/MF|\ . . /| | . . | | \ . . / +-------+ . . +-------+* \ signaling . . / * . . * \ . . / * . . * \ . . / * . . * \ . . / * media . . * \ . . / * . . * \ . . / * . . * \ . . / * . . * \ . . +-------+ . . +-------+ . . | | . . | | . . | | . . | | . . | UA 1 | . . | UA 2 | . . | | . . | | . . +-------+ . . +-------+ . . Domain A . . Domain B . ............................ .............................. Figure 2: Integrated Peering Picture In a decomposed model, the Signaling Function (SF) of an SBE, and the Media Function (MF) of a DBE, are implemented in separate physical entities. A B2BUA is generally on the SIP path performing the SF. A vertical control protocol between the SF and MF is out of the scope of this document. 4. Legend for Message Flows Kaplan, et al Expires September 9, 2009 [Page 6] Internet-Draft draft-ietf-speermint-flows-05 March 2009 Dashed lines (---) represent signaling messages that are mandatory to the call scenario. These messages can be SIP or DNS protocols. The arrow indicates the direction of message flow. The Actors: Element URI IP Address ------- --- ---------- User Agent +12125551212@sp1.example.com 192.0.10.10 User Agent +17815551212@sp2.example.net 192.0.20.20 SBE/Peer-Proxy/SF-1 sbe1.sp1.example.com 192.0.10.111 SBE/Peer-Proxy/SF-2 sbe2.sp2.example.net 192.0.20.222 Kaplan, et al Expires September 9, 2009 [Page 7] Internet-Draft draft-ietf-speermint-flows-05 March 2009 5. Basic Peering Message Flow This section depicts the "basic" Peering message flow. This does not imply this is the most common peering scenario - just a baseline. The various scenarios differ mostly of how and when peering is implemented. As stated earlier, peering can be establish dynamically following the arrival of a message at a border proxy, or statically based on an agreement between both domains. Alice SF-1 DNS SF-2 Bob | | | | | | INVITE | | | | |------->| | | | | 100 | | | | |<-------| | | | | | NAPTR | | | | | Query | | | | |--------->| | | | | NAPTR | | | | | Reply | | | | |"SIP+D2U" | | | | |<---------| | | | | SRV | | | | | Query | | | | |--------->| | | | | SRV | | | | | Reply | | | | |<---------| | | | | | | | | Peering | | | | Phase | | | | [On-Demand] | | | |<------------------>| | | | INVITE | | | |------------------->| INVITE | | | 100 |---------->| | |<-------------------| | | | | 180 | | | 180 |<----------| | 180 |<-------------------| | |<-------| | 200 | | | 200 |<----------| | 200 |<-------------------| | |<-------| | | | ACK | | | |------->| ACK | | | |------------------->| ACK | Kaplan, et al Expires September 9, 2009 [Page 8] Internet-Draft draft-ietf-speermint-flows-05 March 2009 | | |---------->| | Both Way RTP Media | |<=======================================>| | | | BYE | | | BYE |<----------| | BYE |<-------------------| | |<-------| | | | 200 | | | |------->| 200 | | | |------------------->| 200 | | | |---------->| | | | | In the integrated model, media would follow the path shown below. All other signaling call flows remain the same. In the decomposed model, the media would also go to a MF/DBE functional entity, but it would just be physically separate from the SF/SBE. Alice SF/MF-1 DNS SF/MF-2 Bob | | | | | | | | | | | Both Way RTP Media | |<======>|<==================>|<=========>| | | | | 5.1. Message Examples for Basic Peering Model Message Details F1 INVITE Alice -> SF-1 INVITE sip:+17815551213@sp2.example.net SIP/2.0 Via: SIP/2.0/UDP 192.0.10.10:5060;branch=z9hG4bK74b43 Route: Max-Forwards: 70 To: From: +12125551212 ;tag=9fxced76sl Call-ID: 3848276298220188511 CSeq: 1 INVITE Contact: Content-Type: application/sdp Content-Length: [sum of MIME body length] Kaplan, et al Expires September 9, 2009 [Page 9] Internet-Draft draft-ietf-speermint-flows-05 March 2009 v=0 o=- 2890844526 2890844526 IN IP4 192.0.10.10 s=- c=IN IP4 192.0.10.10 t=0 0 m=audio 49172 RTP/AVP 0 a=rtpmap:0 PCMU/8000 F2 DNS NAPTR Reply DNS -> SF-1 IN NAPTR 50 50 "s" "SIP+D2U" "" _sip._udp.sp1.example.com. F3 DNS SRV Reply DNS -> SF-1 IN SRV 0 1 5060 sbe2.sp2.example.net F4 INVITE SF-1 -> SF-2 INVITE sip:+17815551213@sp2.example.net SIP/2.0 Via: SIP/2.0/UDP 192.0.10.111:5060;branch=z9hG4bK87298 Via: SIP/2.0/UDP 192.0.10.10:5060;branch=z9hG4bK74b43 Route: Max-Forwards: 69 To: From: 12125551212 ;tag=9fxced76sl Call-ID: 3848276298220188511 CSeq: 1 INVITE Contact: Content-Type: application/sdp Content-Length: [sum of MIME body length] v=0 o=- 2890844526 2890844526 IN IP4 192.0.10.10 s=- c=IN IP4 192.0.10.10 t=0 0 m=audio 49172 RTP/AVP 0 a=rtpmap:0 PCMU/8000 Kaplan, et al Expires September 9, 2009 [Page 10] Internet-Draft draft-ietf-speermint-flows-05 March 2009 6. On-Demand Peering In the on-demand peering scenario, the relationship between proxies in domains A and B is driven by the arrival of a SIP message at proxy A directed to a user in domain B (or vice-versa). 6.1. Transport Layer Security In case this is in fact the first SIP request between two SSPs in an on-demand peering relationship, then the SIP request will trigger the establishment of the TLS connection. Otherwise it is assumed the TLS connection has been established by some other means and may be reused. Kaplan, et al Expires September 9, 2009 [Page 11] Internet-Draft draft-ietf-speermint-flows-05 March 2009 Alice Proxy 1 DNS Proxy 2 Bob | | | | | | | | | | | INVITE | | | | |------->| | | | | 100 | | | | |<-------| | | | | | NAPTR | | | | | Query | | | | |--------->| | | | | NAPTR | | | | | Reply | | | | |"SIPS+D2T"| | | | |<---------| | | | | SRV | | | | | Query | | | | |--------->| | | | | SRV | | | | | Reply | | | | |<---------| | | | | | | | | | Peering | | | | [TLS Connection] | | | |<------------------>| | | | | | | | INVITE | | | |------------------->| INVITE | | | 100 |---------->| | |<-------------------| | | | | 180 | | | 180 |<----------| | 180 |<-------------------| | |<-------| | 200 | | | 200 |<----------| | 200 |<-------------------| | |<-------| | | | ACK | | | |------->| ACK | | | |------------------->| ACK | | | |---------->| | Both Way RTP Media | |<=======================================>| | | | BYE | | | BYE |<----------| | BYE |<-------------------| | |<-------| | | | 200 | | | Kaplan, et al Expires September 9, 2009 [Page 12] Internet-Draft draft-ietf-speermint-flows-05 March 2009 |------->| 200 | | | |------------------->| 200 | | | |---------->| | | | | [TBD: add TLS connection for upstream requests?] F1 INVITE request is the same as for previous direct peering flow. F2 DNS NAPTR Reply DNS -> SF-1 IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.sp1.example.com. F3 DNS SRV Reply DNS -> SF-1 IN SRV 0 1 5061 sbe2.sp2.example.net F4 INVITE SF-1 -> SF-2 INVITE sip:+17815551213@sp2.example.net SIP/2.0 Via: SIP/2.0/TLS 192.0.10.111:12345;branch=z9hG4bK98479 Via: SIP/2.0/UDP 192.0.10.10:5060;branch=z9hG4bK74b43 Route: Max-Forwards: 69 To: From: 12125551212 ;tag=9fxced76sl Call-ID: 3848276298220188511 CSeq: 1 INVITE Contact: Content-Type: application/sdp Content-Length: ... [SDP omitted from example] 7. Static Peering In the static peering scenario the relationship between proxies A and B is not driven by a SIP request, but before-hand through manual provisioning. 7.1. TLS In this model a TLS connection between proxies A and B is provisioned following an agreement between the two domains. Creation of the TLS connection may be established through previous SIP message exchanges, Kaplan, et al Expires September 9, 2009 [Page 13] Internet-Draft draft-ietf-speermint-flows-05 March 2009 or by continuous message exchange such as OPTIONS requests/responses. If Mutual-TLS is used, reverse-path requests may use the same connection as defined in [13], or separate TLS connections may be used for each request direction. 7.2. IPsec In this model an IPSec connection between proxies A and B is provisioned following an agreement between the two domains. Typically either transport-mode ESP is used for SIP signaling only, or tunnel-mode is used for either just signaling, or both signaling and media. If tunneling is used, media-relay must be performed as described later. No diagram is shown for the IPsec case, since the changes are only at the network layer. 7.3. Co-Location In this scenario the two proxies are co-located in a physically secure location and/or are members of a segregated network, such as a VPN. In this case messages between Proxy 1 and Proxy 2 would be sent as clear text. Alice Proxy 1 DNS Proxy 2 Bob | | | | | | | | | | | [Peering] | | | | Co-Location | | | |<------------------>| | | | | | | \ / \ / \ / \ / \ / | | | | | | INVITE | | | | |------->| | | | | 100 | | | | |<-------| | | | \ / \ / \ / \ / \ / | | BYE |<----------| | BYE |<-------------------| | |<-------| | | | 200 | | | Kaplan, et al Expires September 9, 2009 [Page 14] Internet-Draft draft-ietf-speermint-flows-05 March 2009 8. Federation Based Peering Multiple SSP's may be members of the same Federation, such that their policies and relationships are defined to be the same for a given federation. Federations are one way for a source and destination network to find a common set of procedures for peering. 8.1. Central Federation Proxy Federation rules can dictate that calls are to be routed via a federation-maintained central SIP proxy. In that case no further NAPTR/SRV/A lookups need be made. Instead, the INVITE will be sent directly via a preconfigured connection to that proxy. This proxy acts as a redirect proxy, returning SIP 3xx responses with the Contact URI(s) identifying the next target(s), which may need subsequent DNS resolution per RFC 3263 to resolve. The SIP Redirect proxy essentially performs the role of the LUF and potentially the LRF, using SIP as the query protocol. The following message flow provides an example describing this process: Peer Proxy 1 Federation Proxy Peer Proxy 2 Bob | | | | | INVITE | | | |--------------->| | | | 302 | | | |<---------------| | | | ACK | | | |--------------->| | | | INVITE | | |-------------------------------->| INVITE | | 100 |--------------->| |<--------------------------------| 180 | | 180 |<---------------| |<--------------------------------| | | | 200 | | 200 |<---------------| |<--------------------------------| | | ACK | | |-------------------------------->| ACK | | |--------------->| | Both Way RTP Media | |<================================================>| | | BYE | | BYE |<---------------| Kaplan, et al Expires September 9, 2009 [Page 15] Internet-Draft draft-ietf-speermint-flows-05 March 2009 |<--------------------------------| | | 200 | | |-------------------------------->| 200 | | |--------------->| F1 INVITE Peer Proxy 1 -> Federation Redirect Server INVITE sip:+17815551213@fed.example.org SIP/2.0 Via: SIP/2.0/UDP 192.0.10.111:5060;branch=z9hG4bK98479 Via: SIP/2.0/UDP 192.0.10.10:5060;branch=z9hG4bK74b43 Max-Forwards: 69 To: From: 12125551212 ;tag=9fxced76sl Call-ID: 3848276298220188511 CSeq: 1 INVITE Contact: Content-Type: application/sdp Content-Length: ... [SDP omitted from example] F2 Redirect response Federation Proxy -> Peer Proxy 1 SIP/2.0 302 Moved Temporarily Via: SIP/2.0/UDP 192.0.10.111:5060;branch=z9hG4bK98479 Via: SIP/2.0/UDP 192.0.10.10:5060;branch=z9hG4bK74b43 Contact: To: From: 12125551212 ;tag=9fxced76sl Call-ID: 3848276298220188511 CSeq: 1 INVITE Content-Length: 0 F3 INVITE Peer Proxy 1 -> Peer Proxy 2 INVITE sip:+17815551213@sbe2.sp2.example.net SIP/2.0 Via: SIP/2.0/UDP 192.0.10.111:5060;branch=z9hG4bK141344 Via: SIP/2.0/UDP 192.0.10.10:5060;branch=z9hG4bK74b43 Max-Forwards: 69 To: From: 12125551212 ;tag=9fxced76sl Call-ID: 3848276298220188511 CSeq: 1 INVITE Contact: Content-Type: application/sdp Kaplan, et al Expires September 9, 2009 [Page 16] Internet-Draft draft-ietf-speermint-flows-05 March 2009 Content-Length: ... [SDP omitted from example] 8.2. Central ENUM Federation Another form of centralized Federation is to use an ENUM infrastructure instead of SIP Redirect Proxy, and thus DNS as the query protocol for the LUF, and possibly LRF. The originating SSP performs a NAPTR query to a pre-arranged ENUM server (a private DNS server deployed for this role), for the destination calling party E.164 number, with a private domain root for the Federation. If the ENUM server provides just an LUF function, it will provide SED data identifying the terminating SSP domain, and any number portability data required, in its NAPTR response; but then relies on the originating SSP to either know how to reach the terminating domain or to perform some means of performing the LRF. If the ENUM serve provides both, it will resolve not only the number portability information, if any, but also return the next-hop URI target(s) for the originating SSP to send the SIP request to. The following diagram shows a scenario whereby the originating SSP performs an LUF query using ENUM-DNS to a central Federation ENUM server, which responds with the resolved peer SSP's domain. In this particular case the originating SSP can reach the terminating SSP directly, and happens to perform just a DNS request to resolve the connection information for the Peer, to reach the Peer's SF-2 SBE. This is only one particular scenario - many others are possible. Kaplan, et al Expires September 9, 2009 [Page 17] Internet-Draft draft-ietf-speermint-flows-05 March 2009 Alice SF-1 ENUM DNS SF-2 Bob | | LUF| | | | | INVITE | | | | | |------->| | | | | | 100 | | | | | |<-------| | | | | | | NAPTR | | | | | | Query | | | | | |-------->| | | | | | NAPTR | | | | | | Reply | | | | | |"E2U+sip"| | | | | |<--------| | | | | | SRV | | | | | Query | | | | |------------->| | | | | SRV | | | | | Reply | | | | |<-------------| | | | | | | | | Peering | | | | Phase | | | | [On-Demand] | | | |<------------------>| | | | INVITE | | | |------------------->| INVITE | | | 100 |---------->| | |<-------------------| | | | | 180 | | | 180 |<----------| | 180 |<-------------------| | |<-------| | 200 | | | 200 |<----------| | 200 |<-------------------| | |<-------| | | | ACK | | | |------->| ACK | | | |------------------->| ACK | | | |---------->| | Both Way RTP Media | |<=======================================>| Kaplan, et al Expires September 9, 2009 [Page 18] Internet-Draft draft-ietf-speermint-flows-05 March 2009 F1 INVITE Alice -> SF-1 INVITE sip:+17815551213@sp2.example.net SIP/2.0 Via: SIP/2.0/UDP 192.0.10.10:5060;branch=z9hG4bK74b43 Route: Max-Forwards: 70 To: From: +12125551212 ;tag=9fxced76sl Call-ID: 3848276298220188511 CSeq: 1 INVITE Contact: Content-Type: application/sdp Content-Length: ... [SDP omitted from example] F2 DNS ENUM (LUF) query for +17815551213 NAPTR query for "3.1.2.1.5.5.5.1.8.7.1.e164.sp1.example.com" F3 NAPTR Reply IN NAPTR 10 100 "u" "E2U+sip" "!^.*$!sip:\1@sbe2.sp2.example.net" _. [The rest of the examples follow the previous sections] 9. Media Relay In the event that a source and/or destination SSP are part of a private network, or peer through a private network, the SSP peers must enable the SIP signaling and media to route between the peers. This process is implemented by an SBE and DBE, either in an integrated or decomposed model. The core of the process is media relaying, whereby the SBE forces the relay of media through its DBE by modifying the SDP. 10. Peering Message Flow Phases The message flow phases are Discovery, Security Establishment, Signaling Exchange, and Media Exchange. The following flow provides an overview of the phases. Each of the phases is described individually in the following subsections. For the following diagram, the signaling and media exchange phase descriptions have been omitted for clarity purposes, because their functionality has Kaplan, et al Expires September 9, 2009 [Page 19] Internet-Draft draft-ietf-speermint-flows-05 March 2009 not changed for the purposes of peering. However, they have been explained further in the following subsections. Alice Peer Proxy DNS Peer Policy/Proxy Bob | | | | | |INVITE | | | | |----------->| | | | | 100| | | | |<-----------| | | | |NAPTR Query | | | +---->|--------------->| | | | | NAPTR Reply| | | Discovery Phase | |<---------------| | | ----------------| |SRV Query | | | | |--------------->| | | | | SRV Reply| | | +---->|<---------------| | | | | | | Security Exch. | [TLS Connection] | | --------------------->|<--------------------------->| | Phase | INVITE | | |---------------------------->|INVITE | | | 100 Trying |------------->| | |<----------------------------| 180 Ringing| | | 180 Ringing |<-------------| | 180 Ringing|<----------------------------| 200OK | |<------------| 200OK |<-------------| | 200OK |<----------------------------| | |<------------| | | | ACK | | | |------------>| ACK | | | |---------------------------->|ACK | | | |------------->| | | Both Way RTP Media | | |<========================================================>| | | | BYE | | | BYE |<-------------| | BYE |<----------------------------| | |<------------| | | | 200OK | | | |------------>| 200OK | | | |---------------------------->|200OK | | | |------------->| Kaplan, et al Expires September 9, 2009 [Page 20] Internet-Draft draft-ietf-speermint-flows-05 March 2009 10.1. Discovery Phase The first phase of static or dynamic peering requests is discovery. The discovery process can be summarized by querying the Location Routing Function (LRF) to determine the next phase in the message flow. The discovery phase can take place via a local or external federation location function. Examples of the function may be comprised of an ENUM/DNS or redirect server. After the discovery phase has completed, the peering process will progress to a subsequent phase, usually the policy or authentication phase. The following message flows provide examples of the discovery phase. Discovery phase utilizing an ENUM/DNS server as a location function: Alice Peer Proxy DNS Peer Proxy | | | | |INVITE | | | |----------->| | | | 100| | | |<-----------| | | |NAPTR Query | | +---->|--------------->| | | | NAPTR Reply| | Discovery Phase | |<---------------| | -----------------| |SRV Query | | | |--------------->| | | | SRV Reply| | +---->|<---------------| | |INVITE | |------------------------------->| Discovery phase utilizing a REDIRECT server as a location function: Peer Proxy Federation Proxy Peer Proxy | | | | INVITE | | +---->|--------------->| | Discovery Phase | | 302 | | -----------------| |<---------------| | | | ACK | | +---->|--------------->| | | INVITE | |------------------------------->| Kaplan, et al Expires September 9, 2009 [Page 21] Internet-Draft draft-ietf-speermint-flows-05 March 2009 10.2. Security Establishment Phase The security establishment phase follows the described methods in previous sections of this document. This phase follows standard methods described in [2], so the following flow provides an example of this phase, but does not incorporate all possibilities. This phase assumes the previous phases were successfully completed or purposefully omitted per peering implementation. Peer Proxy Peer Proxy | | | INVITE | +---->|------------------------------->| | | [TLS Connection] | Security Exch. | |<------------------------------>| ----------------| | 401 Unauthorized | Phase | |<-------------------------------| | | INVITE | +---->|------------------------------->| | 100 Trying | |<-------------------------------| | 180 Ringing | |<-------------------------------| 10.3. Signaling Exchange Phase The signaling exchange phase is a necessary step to progress towards establishing peering. This phase may incorporate the security exchange phase, but it is not required. This phase follows standard methods described in [2], so the following flow provides an example of this phase, but does not incorporate all possibilities. Peer Proxy Peer Proxy | | | [TLS Connection] | +---->|<------------------------------>| | | INVITE | | |------------------------------->| Signaling Exch. | | 100 Trying | -----------------| |<-------------------------------| Phase | | 180 Ringing | | |<-------------------------------| | | 200 OK | | |<-------------------------------| | | ACK | | |------------------------------->| | | BYE | Kaplan, et al Expires September 9, 2009 [Page 22] Internet-Draft draft-ietf-speermint-flows-05 March 2009 | |<-------------------------------| | | 200 OK | +---->|------------------------------->| | | 10.4. Media Exchange Phase The media exchange phase is negotiated and established during the signaling exchange phase. This phase follows standard methods described in [2], so the following flow provides an example of this phase, but does not incorporate all possibilities. Alice Peer Proxy Peer Proxy Bob +---->|INVITE | | | | |----------->| INVITE | | | | 100 |------------------>| INVITE | | |<-----------| 100 Trying |----------->| Media Exch. | | |<------------------| 100 | ---------------| | | |<-----------| Phase | | | | 180 | | | | 180 Ringing |<-----------| | | 180 |<------------------| 200 | | |<-----------| 200 OK |<-----------| | | 200 |<------------------| | | |<-----------| | | | |ACK | | | +---->|----------->|ACK | | | |------------------>|ACK | | | |----------->| | Both Way RTP Media | | |<===========================================>| | | | | | | | BYE | | | BYE |<-----------| | BYE|<------------------| | |<-----------| | | |200 | | | |----------->|200 | | | |------------------>|200 | | | |----------->| 11. Security Considerations The level of security required during the establishment and maintenance of a SIP peering relationship between two proxies can Kaplan, et al Expires September 9, 2009 [Page 23] Internet-Draft draft-ietf-speermint-flows-05 March 2009 vary greatly. In general all security considerations related to the SIP protocol are also applicable in a peering relationship. If the two proxies communicate over an insecure network, and consequently are subject to attacks/eavesdropping/etc., the use of TLS or IPSec would be advisable. If there is physical security and the proxies are co-located, or the proxies are situated in a segregated network (such as a VPN), one could argue that weaker measures are sufficient. 12. IANA Considerations N/A 13. Acknowledgments Thanks to Reinaldo Penno for his work as the original author of this document, and to Otmar Lendl for his contributions. 14. References 14.1. Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [2] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,Peterson, J., Sparks, R., Handley, M. and E. Schooler, "SIP:Session Initiation Protocol", RFC 3261, June 2002. [3] Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol (SIP): Locating SIP Servers", RFC 3263, June 2002. [4] Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, January 2001. [5] Johnston, A., Donovan, S., Sparks, R., Cunningham, C., and K. Summers, "Session Initiation Protocol (SIP) Basic Call Flow Examples", BCP 75, RFC 3665, December 2003. [6] ETSI TS 102 333: " Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Gate control protocol". [7] Roach, A., "Session Initiation Protocol (SIP)-Specific Event Notification", RFC 3265, June 2002. Kaplan, et al Expires September 9, 2009 [Page 24] Internet-Draft draft-ietf-speermint-flows-05 March 2009 [8] Crocker, D. and Overell, P.(Editors), "Augmented BNF for Syntax Specifications: ABNF", RFC 4234, October 2005. [9] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., and E. Lear, "Address Allocation for Private Internets", RFC 1918, February 1996. 14.2. Informative References [10] Meyer, D., Malas, D., "SPEERMINT Terminology", Internet Draft, draft-ietf-speermint-terminology-16, February 2008. [11] Boulton, C., Rosenberg, J., Camarillo, G., "Best Current Practices for NAT Traversal for SIP", Internet Draft, draft- ietf-sipping-nat-scenarios-08, April 2008. [12] Camarillo, G., Penfield, R., Hawrylyshen, A., "Requirements from SIP (Session Initiation Protocol) Session Border Controller Deployments", Internet Draft, draft-camarillo- sipping-sbc-funcs-06, June 2008. [13] Gurbani, V., Mahy, R., Tate, B., " Connection Reuse in the Session Initiation Protocol (SIP)", draft-ietf-sip-connect- reuse-11, July 2008. Author's Addresses Hadriel Kaplan Acme Packet 71 Third Ave. Burlington, MA 01803, USA Email: hkaplan@acmepacket.com Daryl Malas CableLabs 858 Coal Creek Circle Louisville, CO, 80027, USA EMail: d.malas@cablelabs.com Sohel Khan, Ph.D. Comcast Cable Communications USA Email: sohel_khan@cable.comcast.com Kaplan, et al Expires September 9, 2009 [Page 25] Internet-Draft draft-ietf-speermint-flows-05 March 2009 Reinaldo Penno Juniper Networks 1194 N Mathilda Avenue Sunnyvale, CA, USA Email: rpenno@juniper.net Adam Uzelac Global Crossing 1120 Pittsford Victor Road PITTSFORD, NY 14534, USA Email: adam.uzelac@globalcrossing.com Kaplan, et al Expires September 9, 2009 [Page 26]