RFC 4497

Interworking between the Session Initiation Protocol (SIP) and QSIG

Part 3 of 4, p. 32 to 44

9.  Number Mapping

   In QSIG, users are identified by numbers, as defined in [1].  Numbers
   are conveyed within the Called party number, Calling party number,
   and Connected number information elements.  The Calling party number
   and Connected number information elements also contain a presentation
   indicator, which can indicate that privacy is required (presentation
   restricted), and a screening indicator, which indicates the source
   and authentication status of the number.

   In SIP, users are identified by Universal Resource Identifiers (URIs)
   conveyed within the Request-URI and various headers, including the
   From and To headers specified in [10] and optionally the P-Asserted-
   Identity header specified in [14].  In addition, privacy is indicated
   by the Privacy header specified in [13].

   This clause specifies the mapping between QSIG Called party number,
   Calling party number, and Connected number information elements and
   corresponding elements in SIP.

   A gateway MAY implement the P-Asserted-Identity header in accordance
   with [14].  If a gateway implements the P-Asserted-Identity header,
   it SHALL also implement the Privacy header in accordance with [13].
   If a gateway does not implement the P-Asserted-Identity header, it
   MAY implement the Privacy header.

9.1.  Mapping from QSIG to SIP

   The method used to convert a number to a URI is outside the scope of
   this specification.  However, the gateway SHOULD take account of the
   Numbering Plan (NPI) and Type Of Number (TON) fields in the QSIG
   information element concerned when interpreting a number.

   Some aspects of mapping depend on whether the gateway is in the same
   trust domain (as defined in [14]) as the next hop SIP node (i.e., the
   proxy or UA to which the INVITE request is sent or from which INVITE
   request is received) to honour requests for identity privacy in the
   Privacy header.  This will be network-dependent, and it is
   RECOMMENDED that gateways supporting the P-Asserted-Identity header
   hold a configurable list of next hop nodes that are to be trusted in
   this respect.

9.1.1.  Using Information from the QSIG Called Party Number Information
        Element

   When mapping a QSIG SETUP message to a SIP INVITE request, the
   gateway SHALL convert the number in the QSIG Called party number
   information to a URI and include that URI in the SIP Request-URI and
   in the To header.

9.1.2.  Using Information from the QSIG Calling Party Number Information
        Element

   When mapping a QSIG SETUP message to a SIP INVITE request, the
   gateway SHALL use the Calling party number information element, if
   present, as follows.

   If the information element contains a number, the gateway SHALL
   attempt to derive a URI from that number.  Further behaviour depends
   on whether a URI has been derived and the value of the presentation
   indication.

9.1.2.1.  No URI derived, and presentation indicator does not have value
          "presentation restricted"

   In this case (including the case where the Calling party number
   information element is absent), the gateway SHALL include a URI
   identifying the gateway in the From header.  Also, if the gateway
   supports the mechanism defined in [14], the gateway SHALL NOT
   generate a P-Asserted-Identity header.

9.1.2.2.  No URI derived, and presentation indicator has value
          "presentation restricted"

   In this case, the gateway SHALL generate an anonymous From header.
   Also, if the gateway supports the mechanism defined in [14], the
   gateway SHALL generate a Privacy header field with parameter
   priv-value = "id" and SHALL NOT generate a P-Asserted-Identity
   header.  The inclusion of additional values of the priv-value
   parameter in the Privacy header is outside the scope of this
   specification.

9.1.2.3.  URI derived, and presentation indicator has value
          "presentation restricted"

   If the gateway supports the P-Asserted-Identity header and trusts the
   next hop proxy to honour the Privacy header, the gateway SHALL
   generate a P-Asserted-Identity header containing the derived URI,
   SHALL generate a Privacy header with parameter priv-value = "id", and
   SHALL generate an anonymous From header.  The inclusion of additional
   values of the priv-value parameter in the Privacy header is outside
   the scope of this specification.

   If the gateway does not support the P-Asserted-Identity header or
   does not trust the proxy to honour the Privacy header, the gateway
   SHALL behave as in Section 9.1.2.2.

9.1.2.4.  URI derived, and presentation indicator does not have value
          "presentation restricted"

   In this case, the gateway SHALL generate a P-Asserted-Identity header
   containing the derived URI if the gateway supports this header, SHALL
   NOT generate a Privacy header, and SHALL include the derived URI in
   the From header.  In addition, the gateway MAY use S/MIME, as
   described in Section 23 of [10], to sign a copy of the From header
   included in a message/sipfrag body of the INVITE request as described
   in [20].

9.1.3.  Using Information from the QSIG Connected Number Information
        Element

   When mapping a QSIG CONNECT message to a SIP 200 (OK) response to an
   INVITE request, the gateway SHALL use the Connected number
   information element, if present, as follows.

   If the information element contains a number, the gateway SHALL
   attempt to derive a URI from that number.  Further behaviour depends
   on whether a URI has been derived and the value of the presentation
   indication.

9.1.3.1.  No URI derived, and presentation indicator does not have value
          "presentation restricted"

   In this case (including the case where the Connected number
   information element is absent), the gateway SHALL NOT generate a
   P-Asserted-Identity header and SHALL NOT generate a Privacy header.

9.1.3.2.  No URI derived, and presentation indicator has value
          "presentation restricted"

   In this case, if the gateway supports the mechanism defined in [14],
   the gateway SHALL generate a Privacy header field with parameter
   priv-value = "id" and SHALL NOT generate a P-Asserted-Identity
   header.  The inclusion of additional values of the priv-value
   parameter in the Privacy header is outside the scope of this
   specification.

9.1.3.3.  URI derived, and presentation indicator has value
          "presentation restricted"

   If the gateway supports the P-Asserted-Identity header and trusts the
   next hop proxy to honour the Privacy header, the gateway SHALL
   generate a P-Asserted-Identity header containing the derived URI and
   SHALL generate a Privacy header with parameter priv-value = "id".
   The inclusion of additional values of the priv-value parameter in the
   Privacy header is outside the scope of this specification.

   If the gateway does not support the P-Asserted-Identity header or
   does not trust the proxy to honour the Privacy header, the gateway
   SHALL behave as in Section 9.1.3.2.

9.1.3.4.  URI derived, and presentation indicator does not have value
          "presentation restricted"

   In this case, the gateway SHALL generate a P-Asserted-Identity header
   containing the derived URI if the gateway supports this header and
   SHALL NOT generate a Privacy header.  In addition, the gateway MAY
   use S/MIME, as described in Section 23 of [10], to sign a To header
   containing the derived URI, the To header being included in a
   message/sipfrag body of the INVITE response as described in [20].

   NOTE: The To header in the message/sipfrag body may differ from the
   To header in the response's headers.
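
   The four cases of Sections 9.1.2 and 9.1.3 reduce to one decision
   function.  The code below is an added example, not part of RFC 4497;
   the names GatewayConfig, identity_headers and leaks_number, the sample
   URIs, and the anonymous From value (the form recommended in [13]) are
   assumptions, and the derived URI is an input because number-to-URI
   conversion is outside the scope of the specification.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: anonymous From in the form recommended by RFC 3323 [13];
# RFC 4497 itself only says "an anonymous From header".
ANONYMOUS_FROM = '"Anonymous" <sip:anonymous@anonymous.invalid>'


@dataclass(frozen=True)
class GatewayConfig:
    gateway_uri: str                     # URI identifying the gateway (9.1.2.1)
    supports_pai: bool                   # implements P-Asserted-Identity [14]
    privacy_trusted_hops: frozenset = frozenset()  # configurable list from 9.1


def identity_headers(cfg: GatewayConfig, next_hop: str,
                     derived_uri: Optional[str], restricted: bool,
                     element: str = "calling") -> Dict[str, str]:
    """Headers generated for a Calling party number (SETUP -> INVITE, 9.1.2)
    or a Connected number (CONNECT -> 200 OK, 9.1.3).

    derived_uri is None when no URI was derived or the element is absent.
    A header missing from the result is a header that is not generated.
    """
    if element not in ("calling", "connected"):
        raise ValueError("element must be 'calling' or 'connected'")
    headers: Dict[str, str] = {}
    trusted = next_hop in cfg.privacy_trusted_hops

    # Cases .3 and .4: assert the identity only if the header is supported
    # and, for a restricted number, the next hop is trusted to honour Privacy.
    if derived_uri and cfg.supports_pai and (trusted or not restricted):
        headers["P-Asserted-Identity"] = f"<{derived_uri}>"

    # Cases .2 and .3: Privacy: id whenever presentation is restricted and
    # the gateway supports the mechanism of [14].
    if restricted and cfg.supports_pai:
        headers["Privacy"] = "id"

    # From is generated only for the INVITE (9.1.2); 9.1.3 does not set it.
    if element == "calling":
        if restricted:
            headers["From"] = ANONYMOUS_FROM            # 9.1.2.2, 9.1.2.3
        elif derived_uri:
            headers["From"] = f"<{derived_uri}>"         # 9.1.2.4
        else:
            headers["From"] = f"<{cfg.gateway_uri}>"     # 9.1.2.1
    return headers


def leaks_number(headers: Dict[str, str], derived_uri: str) -> bool:
    """True if the derived URI appears in any generated header value."""
    return any(derived_uri in value for value in headers.values())


if __name__ == "__main__":
    # Constructed sample values, not taken from the RFC.
    cfg = GatewayConfig("sip:gw.example.com", True,
                        frozenset({"proxy.example.com"}))
    caller = "sip:4001@pisn.example.com"
    for hop in ("proxy.example.com", "edge.example.net"):
        result = identity_headers(cfg, hop, caller, restricted=True)
        print(hop, result, "leaks:", leaks_number(result, caller))
```

   With an untrusted next hop the restricted number appears in no
   generated header, which is the fail-closed behaviour of Section
   9.1.2.3.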

9.2.  Mapping from SIP to QSIG

   The method used to convert a URI to a number is outside the scope of
   this specification.  However, NPI and TON fields in the QSIG
   information element concerned SHALL be set to appropriate values in
   accordance with [1].

   Some aspects of mapping depend on whether the gateway trusts the next
   hop SIP node (i.e., the proxy or UA to which the INVITE request is
   sent or from which INVITE request is received) to provide accurate
   information in the P-Asserted-Identity header.  This will be
   network-dependent, and it is RECOMMENDED that gateways hold a
   configurable list of next hop nodes that are to be trusted in this
   respect.

   Some aspects of mapping depend on whether the gateway is prepared to
   use a URI in the From header to derive a number for the Calling party
   number information element.  The default behaviour SHOULD be not to
   use an unsigned or unvalidated From header for this purpose, since in
   principle the information comes from an untrusted source (the remote
   UA).  However, it is recognised that some network administrations may
   believe that the benefits to be derived from supplying a calling
   party number outweigh any risks of supplying false information.
   Therefore, a gateway MAY be configurable to use an unsigned or
   unvalidated From header for this purpose.

9.2.1.  Generating the QSIG Called Party Number Information Element

   When mapping a SIP INVITE request to a QSIG SETUP message, the
   gateway SHALL convert the URI in the SIP Request-URI to a number and
   include that number in the QSIG Called party number information
   element.

   NOTE: The To header should not be used for this purpose.  This is
   because re-targeting of the request in the SIP network can change the
   Request-URI but leave the To header unchanged.  It is important that
   routing in the QSIG network be based on the final target from the SIP
   network.

9.2.2.  Generating the QSIG Calling Party Number Information Element

   When mapping a SIP INVITE request to a QSIG SETUP message, the
   gateway SHALL generate a Calling party number information element as
   follows.

   If the SIP INVITE request contains an S/MIME signed message/sipfrag
   body [20] containing a From header, and if the gateway supports this
   capability and can verify the authenticity and trustworthiness of
   this information, the gateway SHALL attempt to derive a number from
   the URI in that header.  If no number is derived from a
   message/sipfrag body, if the SIP INVITE request contains a P-
   Asserted-Identity header, and if the gateway supports that header and
   trusts the information therein, the gateway SHALL attempt to derive a
   number from the URI in that header.  If a number is derived from one
   of these headers, the gateway SHALL include it in the Calling party
   number information element and include value "network provided" in
   the screening indicator.

   If no number is derivable as described above and if the gateway is
   prepared to use the unsigned or unvalidated From header, the gateway
   SHALL attempt to derive a number from the URI in the From header.  If
   a number is derived from the From header, the gateway SHALL include
   it in the Calling party number information element and include value
   "user provided, not screened" in the screening indicator.

   If no number is derivable, the gateway SHALL NOT include a number in
   the Calling party number information element.

   If the SIP INVITE request contains a Privacy header with value "id"
   in parameter priv-value and the gateway supports this header, or if
   the value in the From header indicates anonymous, the gateway SHALL
   include value "presentation restricted" in the presentation
   indicator.  Based on local policy, the gateway MAY use the presence
   of other priv-values to set the presentation indicator to
   "presentation restricted".  Otherwise the gateway SHALL include value
   "presentation allowed" if a number is present or "not available due
   to interworking" if no number is present.

   If the resulting Calling party number information element contains no
   number and contains value "not available due to interworking" in the
   presentation indicator, the gateway MAY omit the information element
   from the QSIG SETUP message.

9.2.3.  Generating the QSIG Connected Number Information Element

   When mapping a SIP 2xx response to an INVITE request to a QSIG
   CONNECT message, the gateway SHALL generate a Connected number
   information element as follows.

   If the SIP 2xx response contains an S/MIME signed message/sipfrag
   [20] body containing a To header and the gateway supports this
   capability and can verify the authenticity and trustworthiness of
   this information, the gateway SHALL attempt to derive a number from
   the URI in that header.  If no number is derived from a
   message/sipfrag body, if the SIP 2xx response contains a
   P-Asserted-Identity header, and if the gateway supports that header
   and trusts the information therein, the gateway SHALL attempt to
   derive a number from the URI in that header.  If a number is derived
   from one of these headers, the gateway SHALL include it in the
   Connected number information element and include value "network
   provided" in the screening indicator.

   If no number is derivable as described above, the gateway SHOULD NOT
   include a number in the Connected number information element.

   If the SIP 2xx response contains a Privacy header with value "id" in
   parameter priv-value and the gateway supports this header, the
   gateway SHALL include value "presentation restricted" in the
   presentation indicator.  Based on local policy, the gateway MAY use
   the presence of other priv-values to set the presentation indicator
   to "presentation restricted".  Otherwise, the gateway SHALL include
   value "presentation allowed" if a number is present or "not available
   due to interworking" if no number is present.

   If the resulting Connected number information element contains no
   number and value "not available due to interworking" in the
   presentation indicator, the gateway MAY omit the information element
   from the QSIG CONNECT message.
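
   The source precedence and indicator rules of Sections 9.2.2 and 9.2.3
   can be expressed as a single function.  The code below is an added
   example, not part of RFC 4497; Policy, NumberIE, build_number_ie and
   the converter uri_to_number are hypothetical names, the test for an
   anonymous From (user part "anonymous") is an assumption, and
   verified_sipfrag_uri is assumed to come from a message/sipfrag body
   whose S/MIME signature the caller has already verified.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Policy:
    supports_pai: bool = True
    supports_privacy: bool = True
    pai_trusted_hops: frozenset = frozenset()  # configurable list from 9.2
    allow_unvalidated_from: bool = False       # 9.2: default is not to use it


@dataclass(frozen=True)
class NumberIE:
    number: Optional[str]
    screening: Optional[str]    # None when the element carries no number
    presentation: str


def uri_to_number(uri: Optional[str]) -> Optional[str]:
    """Hypothetical converter (URI-to-number mapping is out of scope in the
    RFC): accepts tel: URIs and sip:/sips: URIs with an all-digit user part."""
    m = re.match(r"(?:tel:|sips?:)(\+?\d+)(?:[@;]|$)", uri or "", re.I)
    return m.group(1) if m else None


def build_number_ie(policy: Policy, sender: str, *, element: str = "calling",
                    verified_sipfrag_uri: Optional[str] = None,
                    pai_uri: Optional[str] = None,
                    from_uri: Optional[str] = None,
                    privacy: Sequence[str] = ()) -> Optional[NumberIE]:
    """Calling party number (INVITE -> SETUP) or Connected number
    (2xx -> CONNECT).  Returns None when the element is omitted."""
    # 1. Signed and verified message/sipfrag header comes first.
    number = uri_to_number(verified_sipfrag_uri)
    # 2. P-Asserted-Identity, only from a next hop on the trust list.
    if (number is None and pai_uri and policy.supports_pai
            and sender in policy.pai_trusted_hops):
        number = uri_to_number(pai_uri)
    screening = "network provided" if number else None
    # 3. Unsigned From: calling number only, and only if explicitly enabled.
    if number is None and element == "calling" and policy.allow_unvalidated_from:
        number = uri_to_number(from_uri)
        screening = "user provided, not screened" if number else None

    # Assumption: a From URI whose user part is "anonymous" indicates anonymity.
    anonymous_from = element == "calling" and (from_uri or "").lower().startswith(
        ("sip:anonymous@", "sips:anonymous@"))
    if (policy.supports_privacy and "id" in privacy) or anonymous_from:
        presentation = "presentation restricted"
    elif number:
        presentation = "presentation allowed"
    else:
        presentation = "not available due to interworking"

    # The gateway MAY omit an element with no number and this indicator.
    if number is None and presentation == "not available due to interworking":
        return None
    return NumberIE(number, screening, presentation)


if __name__ == "__main__":
    # Constructed sample values, not taken from the RFC.
    policy = Policy(pai_trusted_hops=frozenset({"proxy.example.com"}))
    print(build_number_ie(policy, "198.51.100.7",
                          pai_uri="sip:+15550100@unknown.example",
                          from_uri="sip:+15550100@unknown.example"))
    print(build_number_ie(policy, "proxy.example.com",
                          pai_uri="sip:4001@pbx.example.com", privacy=("id",)))
```

   Under the default policy, a number asserted only by an untrusted
   sender never reaches the QSIG side, and a number taken from an
   unsigned From header is always marked "user provided, not screened".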

10.  Requirements for Support of Basic Services

   This document specifies signalling interworking for basic services
   that provide a bi-directional transfer capability for speech,
   facsimile, and modem media between the two networks.

10.1.  Derivation of QSIG Bearer Capability Information Element

   The gateway SHALL generate the Bearer Capability Information Element
   in the QSIG SETUP message based on SDP offer information received
   along with the SIP INVITE request.  If the SIP INVITE request does
   not contain SDP offer information or the media type in the SDP offer
   information is only 'audio', then the Bearer capability information
   element SHALL be generated according to Table 3.  Coding of the
   Bearer capability information element for other media types is
   outside the scope of this specification.

   In addition, the gateway MAY include a Low layer compatibility
   information element and/or High layer compatibility information in
   the QSIG SETUP message if the gateway is able to derive relevant
   information from the SDP offer information.  Specific mappings are
   outside the scope of this specification.

      Table 3: Bearer capability encoding for 'audio' transfer

   Field                          Value
   -----------------------------------------------------------------
   Coding Standard                "CCITT standardized coding" (00)
   Information transfer           "3,1 kHz audio" (10000)
   capability
   Transfer mode                  "circuit mode" (00)
   Information transfer rate      "64 Kbits/s" (10000)
   Multiplier                     Octet omitted
   User information layer 1       Generated by gateway based on
   protocol                       Information of the PISN.  Supported
                                  values are
                                  "CCITT recommendation G.711 mu-law"
                                  (00010)
                                  "CCITT recommendation G.711 A-law"
                                  (00011)

10.2.  Derivation of Media Type in SDP

   The gateway SHALL generate SDP offer information to include in the
   SIP INVITE request based on information in the QSIG SETUP message.
   The gateway MAY take account of QSIG Low layer compatibility and/or
   High layer compatibility information elements, if present in the QSIG
   SETUP message, when deriving SDP offer information, in which case
   specific mappings are outside the scope of this specification.
   Otherwise, the gateway shall generate SDP offer information based
   only on the Bearer capability information element in the QSIG SETUP
   message, in which case the media type SHALL be derived according to
   Table 4.

      Table 4: Media type setting in SDP based on Bearer capability
      information element

   Information transfer capability in          Media type in SDP
   Bearer capability information element
   ---------------------------------------------------------------
   "speech" (00000)                            audio
   "3,1 kHz audio" (10000)                     audio

11.  Security Considerations

11.1.  General

   Normal considerations apply for UA use of SIP security measures,
   including digest authentication, TLS, and S/MIME as described in
   [10].

   The translation of QSIG information elements into SIP headers can
   introduce some privacy and security concerns.  For example, care
   needs to be taken to provide adequate privacy for a user requesting
   presentation restriction if the Calling party number information
   element is openly mapped to the From header.  Procedures for dealing
   with this particular situation are specified in Section 9.1.2.
   However, since the mapping specified in this document is mainly
   concerned with translating information elements into the headers and
   fields used to route SIP requests, gateways consequently reveal
   (through this translation process) the minimum possible amount of
   information.

   There are some concerns, however, that arise from the other direction
   of mapping, the mapping of SIP headers to QSIG information elements,
   which are enumerated in the following paragraphs.

11.2.  Calls from QSIG to Invalid or Restricted Numbers

   When end users dial numbers in a PISN, their selections populate the
   Called party number information element in the QSIG SETUP message.
   Similarly, the SIP URI or tel URL and its optional parameters in the
   Request-URI of a SIP INVITE request, which can be created directly by
   end users of a SIP device, map to that information element at a
   gateway.  However, in a PISN, policy can prevent the user from
   dialing certain (invalid or restricted) numbers.  Thus, gateway
   implementers may wish to provide a means for gateway administrators
   to apply policies restricting the use of certain SIP URIs or tel
   URLs, or SIP URI or tel URL parameters, when authorizing a call from
   SIP to QSIG.

11.3.  Abuse of SIP Response Code

   Some additional risks may result from the mapping of SIP response
   codes to QSIG cause values.  SIP user agents could conceivably
   respond to an INVITE request from a gateway with any arbitrary SIP
   response code, and thus they can dictate (within the boundaries of
   the mappings supported by the gateway) the Q.850 cause code that will
   be sent by the gateway in the resulting QSIG call clearing message.
   Generally speaking, the manner in which a call is rejected is
   unlikely to provide any avenue for fraud or denial of service (e.g.,
   by signalling that a call should not be billed, or that the network
   should take critical resources off-line).  However, gateway
   implementers may wish to make provision for gateway administrators to
   modify the response code to cause value mappings to avoid any
   undesirable network-specific behaviour resulting from the mappings
   recommended in Section 8.4.4.

11.4.  Use of the To Header URI

   This specification requires the gateway to map the Request-URI rather
   than the To header in a SIP INVITE request to the Called party number
   information element in a QSIG SETUP message.  Although a SIP UA is
   expected to put the same URI in the To header and in the Request-URI,
   this is not policed by other SIP entities.  Therefore, a To header
   URI that differs from the Request-URI received at the gateway cannot
   be used as a reliable indication that the call has been re-targeted
   in the SIP network or as a reliable indication of the original
   target. Gateway implementers making use of the To header for mapping
   to QSIG elements (e.g., as part of QSIG call diversion signalling)
   may wish to make provision for disabling this mapping when deployed
   in situations where the reliability of the QSIG elements concerned is
   important.

11.5.  Use of the From Header URI

   The arbitrary population of the From header of requests by SIP user
   agents has some well-understood security implications for devices
   that rely on the From header as an accurate representation of the
   identity of the originator.  Any gateway that intends to use an
   unsigned or unverified From header to populate the Calling party
   number information element of a QSIG SETUP message should
   authenticate the originator of the request and make sure that it is
   authorized to assert that calling number (or make use of some more
   secure method to ascertain the identity of the caller).  Note that
   gateways, like all other SIP user agents, MUST support Digest
   authentication as described in [10].  Similar considerations apply to
   the use of the SIP P-Asserted-Identity header for mapping to the QSIG
   Calling party number or Connected number information element, i.e.,
   the source of this information should be authenticated.  Use of a
   signed message/sipfrag body to derive a QSIG Calling party number or
   Connected number information element is another secure alternative.

11.6.  Abuse of Early Media

   There is another class of potential risk that is related to the cut-
   through of the backwards media path before the call is answered.
   Several practices described in this document involve the connection
   of media streams to user information channels on inter-PINX links and
   the sending of progress description number 1 or 8 in a backward QSIG
   message.  This can result in media being cut through end-to-end, and
   it is possible for the called user agent then to play arbitrary audio
   to the caller for an indefinite period of time before transmitting a
   final response (in the form of a 2xx or higher response code) to an
   INVITE request.  This is useful since it also permits network
   entities (particularly legacy networks that are incapable of
   transmitting Q.850 cause values) to play tones and announcements to
   indicate call failure or call progress, without triggering charging
   by transmitting a 2xx response.  Also, early cut-through can help
   prevent clipping of the initial media when the call is answered.
   There are conceivable respects in which this capability could be used
   fraudulently by the called user agent for transmitting arbitrary
   information without answering the call or before answering the call.
   However, in corporate networks, charging is often not an issue, and
   for calls arriving at a corporate network from a carrier network, the
   carrier network normally takes steps to prevent fraud.

   The usefulness of this capability appears to outweigh any risks
   involved, which may in practice be no greater than in existing
   PISN/ISDN environments.  However, gateway implementers may wish to
   make provision for gateway administrators to turn off cut-through or
   minimise its impact (e.g., by imposing a time limit) when deployed in
   situations where problems can arise.

11.7.  Protection from Denial-of-Service Attacks

   Unlike a traditional PISN phone, a SIP user agent can launch multiple
   simultaneous requests in order to reach a particular resource.  It
   would be trivial for a SIP user agent to launch 100 SIP INVITE
   requests at a 100 port gateway, thereby tying up all of its ports.  A
   malicious user could choose to launch requests to telephone numbers
   that are known never to answer, or, where overlap signalling is used,
   to incomplete addresses.  This could saturate resources at the
   gateway indefinitely, potentially without incurring any charges.
   Gateway implementers may therefore wish to provide means of
   restricting according to policy the number of simultaneous requests
   originating from the same authenticated source, or similar mechanisms
   to address this possible denial-of-service attack.
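
   One way to restrict simultaneous requests per authenticated source,
   as suggested above.  The code below is an added example, not part of
   RFC 4497; CallAdmission and simulate_flood are hypothetical names, the
   port and limit figures are constructed, and refusing requests with no
   authenticated source is an assumed local policy.

```python
import threading
from collections import Counter
from typing import Dict, Optional


class CallAdmission:
    """Admission control for SIP -> QSIG call attempts.

    Every admitted INVITE holds one gateway port from admission until the
    call is cleared; one authenticated source may hold at most
    per_source_limit ports at a time.
    """

    def __init__(self, ports: int, per_source_limit: int):
        if not 0 < per_source_limit <= ports:
            raise ValueError("need 0 < per_source_limit <= ports")
        self.ports = ports
        self.per_source_limit = per_source_limit
        self._owner: Dict[str, str] = {}   # Call-ID -> authenticated source
        self._held: Counter = Counter()    # source -> ports currently held
        self._lock = threading.Lock()

    def admit(self, source: Optional[str], call_id: str) -> bool:
        """Decide whether a new INVITE may seize a port."""
        if source is None:
            return False    # assumed policy: unauthenticated requests get no port
        with self._lock:
            if call_id in self._owner:
                # Retransmission of an admitted INVITE; a different source
                # reusing the Call-ID is refused.
                return self._owner[call_id] == source
            if len(self._owner) >= self.ports:
                return False
            if self._held[source] >= self.per_source_limit:
                return False
            self._owner[call_id] = source
            self._held[source] += 1
            return True

    def release(self, call_id: str) -> None:
        """Free the port when the call is cleared or the attempt fails."""
        with self._lock:
            source = self._owner.pop(call_id, None)
            if source is not None:
                self._held[source] -= 1
                if self._held[source] == 0:
                    del self._held[source]

    def in_use(self) -> int:
        with self._lock:
            return len(self._owner)


def simulate_flood(admission: CallAdmission, source: str, attempts: int) -> int:
    """Send `attempts` simultaneous INVITEs from one source; return how many
    were admitted.  Call-IDs are constructed as '<source>-<n>'."""
    return sum(admission.admit(source, f"{source}-{n}") for n in range(attempts))


if __name__ == "__main__":
    # The scenario from the text: 100 INVITEs aimed at a 100-port gateway.
    capped = CallAdmission(ports=100, per_source_limit=10)
    print("admitted:", simulate_flood(capped, "sip:flooder@example.net", 100))
    print("other caller admitted:", capped.admit("sip:alice@example.com", "a-1"))
```

   The per-source count is released only when the call is cleared, so an
   attempt to a number that never answers keeps counting against its
   originator for as long as it holds the port.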

12.  Acknowledgements

   This document is a product of the authors' activities in Ecma
   (www.ecma-international.org) on interoperability of QSIG with IP
   networks.  An earlier version is published as Standard ECMA-339.
   Ecma has made this work available to the IETF as the basis for
   publishing an RFC.

   The authors wish to acknowledge the assistance of Francois Audet,
   Adam Roach, Jean-Francois Rey, Thomas Stach, and members of Ecma
   TC32-TG17 in preparing and commenting on this document.

13.  Normative References

   [1]  International Standard ISO/IEC 11571 "Private Integrated
        Services Networks (PISN) - Addressing" (also published by Ecma
        as Standard ECMA-155).

   [2]  International Standard ISO/IEC 11572 "Private Integrated
        Services Network - Circuit-mode Bearer Services - Inter-Exchange
        Signalling Procedures and Protocol" (also published by Ecma as
        Standard ECMA-143).

   [3]  International Standard ISO/IEC 11582 "Private Integrated
        Services Network - Generic Functional Protocol for the Support
        of Supplementary Services - Inter-Exchange Signalling Procedures
        and Protocol" (also published by Ecma as Standard ECMA-165).

   [4]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [5]  Postel, J., "Transmission Control Protocol", STD 7, RFC 793,
        September 1981.

   [6]  Postel, J., "User Datagram Protocol", STD 6, RFC 768, August
        1980.

   [7]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC
        2246, January 1999.

   [8]  Handley, M. and V. Jacobson, "SDP: Session Description
        Protocol", RFC 2327, April 1998.

   [9]  Stewart, R., Xie, Q., Morneault, K., Sharp, C., Schwarzbauer,
        H., Taylor, T., Rytina, I., Kalla, M., Zhang, L., and V. Paxson,
        "Stream Control Transmission Protocol", RFC 2960, October 2000.

   [10] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
        Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
        Session Initiation Protocol", RFC 3261, June 2002.

   [11] Rosenberg, J. and H. Schulzrinne, "Reliability of Provisional
        Responses in Session Initiation Protocol (SIP)", RFC 3262, June
        2002.

   [12] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model with
        Session Description Protocol (SDP)", RFC 3264, June 2002.

   [13] Peterson, J., "A Privacy Mechanism for the Session Initiation
        Protocol (SIP)", RFC 3323, November 2002.

   [14] Jennings, C., Peterson, J., and M. Watson, "Private Extensions
        to the Session Initiation Protocol (SIP) for Asserted Identity
        within Trusted Networks", RFC 3325, November 2002.

   [15] Postel, J., "Internet Protocol", STD 5, RFC 791, September 1981.

   [16] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
        Specification", RFC 2460, December 1998.

   [17] ITU-T Recommendation E.164, "The International Public
        Telecommunication Numbering Plan", (1997-05).

   [18] Camarillo, G., Roach, A., Peterson, J., and L. Ong, "Mapping of
        Integrated Services Digital Network (ISDN) User Part (ISUP)
        Overlap Signalling to the Session Initiation Protocol (SIP)",
        RFC 3578, August 2003.

   [19] Rosenberg, J., "The Session Initiation Protocol (SIP) UPDATE
        Method", RFC 3311, October 2002.

   [20] Sparks, R., "Internet Media Type message/sipfrag", RFC 3420,
        November 2002.

