tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Glossaries     Architecture     IMS     UICC    |    search     info

RFC 7200

Proposed STD
Pages: 44
Top     in Index     Prev     Next
in Group Index     Prev in Group     Next in Group     Group: SOC

A Session Initiation Protocol (SIP) Load-Control Event Package

Part 1 of 2, p. 1 to 20
None       Next RFC Part

 


Top       ToC       Page 1 
Internet Engineering Task Force (IETF)                           C. Shen
Request for Comments: 7200                                H. Schulzrinne
Category: Standards Track                                    Columbia U.
ISSN: 2070-1721                                                 A. Koike
                                                                     NTT
                                                              April 2014


     A Session Initiation Protocol (SIP) Load-Control Event Package

Abstract

   This specification defines a load-control event package for the
   Session Initiation Protocol (SIP).  It allows SIP entities to
   distribute load-filtering policies to other SIP entities in the
   network.  The load-filtering policies contain rules to throttle calls
   from a specific user or based on their source or destination domain,
   telephone number prefix.  The mechanism helps to prevent signaling
   overload and complements feedback-based SIP overload control efforts.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7200.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Top       Page 2 
Table of Contents

   1. Introduction ....................................................3
   2. Conventions .....................................................3
   3. SIP Load-Filtering Overview .....................................4
      3.1. Load-Filtering Policy Format ...............................4
      3.2. Load-Filtering Policy Computation ..........................4
      3.3. Load-Filtering Policy Distribution .........................4
      3.4. Applicable Network Domains .................................8
   4. Load-Control Event Package ......................................9
      4.1. Event Package Name .........................................9
      4.2. Event Package Parameters ...................................9
      4.3. SUBSCRIBE Bodies ...........................................9
      4.4. SUBSCRIBE Duration .........................................9
      4.5. NOTIFY Bodies .............................................10
      4.6. Notifier Processing of SUBSCRIBE Requests .................10
      4.7. Notifier Generation of NOTIFY Requests ....................10
      4.8. Subscriber Processing of NOTIFY Requests ..................10
      4.9. Handling of Forked Requests ...............................12
      4.10. Rate of Notifications ....................................12
      4.11. State Delta ..............................................12
   5. Load-Control Document ..........................................13
      5.1. Format ....................................................13
      5.2. Namespace .................................................13
      5.3. Conditions ................................................14
           5.3.1. Call Identity ......................................14
           5.3.2. Method .............................................16
           5.3.3. Target SIP Entity ..................................17
           5.3.4. Validity ...........................................18
      5.4. Actions ...................................................18
   6. XML Schema Definition for Load Control .........................20
   7. Security Considerations ........................................23
   8. IANA Considerations ............................................24
      8.1. Load-Control Event Package Registration ...................24
      8.2. application/load-control+xml Media Type Registration ......24
      8.3. URN Sub-Namespace Registration ............................25
      8.4. Load-Control Schema Registration ..........................26
   9. Acknowledgements ...............................................27
   10. References ....................................................27
      10.1. Normative References .....................................27
      10.2. Informative References ...................................28
   Appendix A. Definitions ...........................................30
   Appendix B. Design Requirements ...................................30
   Appendix C. Discussion of How This Specification Meets the
               Requirements of RFC 5390 ..............................31
   Appendix D. Complete Examples .....................................36
      D.1. Load-Control Document Examples ............................36
      D.2. Message Flow Examples .....................................40

Top      ToC       Page 3 
   Appendix E.  Related Work .........................................41
      E.1. Relationship to Load Filtering in PSTN ....................41
      E.2. Relationship with Other IETF SIP Overload Control Efforts .42

1.  Introduction

   SIP load-control mechanisms are needed to prevent congestion collapse
   [RFC6357] in cases of SIP server overload [RFC5390].  There are two
   types of load-control approaches.  In the first approach, feedback
   control, SIP servers provide load limits to upstream servers, to
   reduce the incoming rate of all SIP requests [SIP-OVERLOAD].  These
   upstream servers then drop or delay incoming SIP requests.  Feedback
   control is reactive and affects signaling messages that have already
   been issued by user agent clients.  This approach works well when SIP
   proxy servers in the core networks (core proxy servers) or
   destination-specific SIP proxy servers in the edge networks (edge
   proxy servers) are overloaded.  By their nature, they need to
   distribute rate, drop, or window information to all upstream SIP
   proxy servers and normally affect all calls equally, regardless of
   destination.

   This specification proposes an additional, complementary load-control
   mechanism, called "load filtering".  It is most applicable for
   situations where a traffic surge and its source/destination
   distribution can be predicted in advance.  In those cases, network
   operators create load-filtering policies that indicate calls to
   specific destinations or from specific sources should be rate-limited
   or randomly dropped.  These load-filtering policies are then
   distributed to SIP servers and possibly SIP user agents that are
   likely to generate calls to the affected destinations or from the
   affected sources.  Load filtering works best if it prevents calls as
   close to the originating user agent clients as possible.  The
   applicability of SIP load filtering can also be extended beyond
   overload control, e.g., to implement service level agreement
   commitments.

2.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

Top      ToC       Page 4 
3.  SIP Load-Filtering Overview

3.1.  Load-Filtering Policy Format

   Load-filtering policies are specified by sets of rules.  Each rule
   contains both load-filtering conditions and actions.  The load-
   filtering conditions define identities of the targets to be filtered
   (Section 5.3.1).  For example, there are two typical resource limits
   in a possible overload situation, i.e., human destination limits
   (number of call takers) and node capacity limits.  The load-filtering
   targets in these two cases can be the specific callee numbers or the
   destination domain corresponding to the overload.  Load-filtering
   conditions also indicate the specific message type to be matched
   (Section 5.3.2), with which target SIP entity the filtering policy is
   associated (Section 5.3.3), and the period of time when the filtering
   policy should be activated and deactivated (Section 5.3.4).  Load-
   filtering actions describe the desired control functions such as
   keeping the request rate below a specified level (Section 5.4).

3.2.  Load-Filtering Policy Computation

   When computing the load-filtering policies, one needs to take into
   consideration information such as overload time, scope and network
   topology, as well as service policies.  It is also important to make
   sure that there is no resource allocation loop and that server
   capacity is allocated in a way that both prevents overload and
   maximizes effective throughput (commonly called goodput).  In some
   cases, in order to better utilize system resources, it may be
   preferable to employ an algorithm that dynamically computes the load-
   filtering policies based on currently observed server load status,
   rather than using a purely static filtering policy assignment.  The
   computation algorithm for load-filtering policies is beyond the scope
   of this specification.

3.3.  Load-Filtering Policy Distribution

   For distributing load-filtering policies, this specification defines
   the SIP event package for load control, which is an "instantiation"
   of the generic SIP event notification framework [RFC6665].  This
   specification also defines the XML schema of a load-control document
   (Section 5), which is used to encode load-filtering policies.

   In order for load-filtering policies to be properly distributed, each
   capable SIP entity in the network subscribes to the SIP load-control
   event package of each SIP entity to which it sends signaling
   requests.  A SIP entity that accepts subscription requests is called
   a "notifier" (Section 4.6).  Subscription is initiated and maintained
   during normal server operation.  The subscription of neighboring SIP

Top      ToC       Page 5 
   entities needs to be persistent, as described in Sections 4.1 and 4.2
   of [RFC6665].  The refresh procedure is described in Section 4.7
   below.  Subscribers may terminate the subscription if they have not
   received notifications for an extended time period, and can
   resubscribe if they determine that signaling with the notifier
   becomes active again.

   An example architecture is shown in Figure 1 to illustrate SIP load-
   filtering policy distribution.  This scenario consists of two
   networks belonging to Service Provider A and Service Provider B,
   respectively.  Each provider's network is made up of two SIP core
   proxy servers and four SIP edge proxy servers.  The core proxy
   servers and edge proxy servers of Service Provider A are denoted as
   CPa1 to CPa2 and EPa1 to EPa4; the core proxy servers and edge proxy
   servers of Service Provider B are denoted as CPb1 to CPb2 and EPb1 to
   EPb4.

Top      ToC       Page 6 
      +-----------+   +-----------+   +-----------+   +-----------+
      |           |   |           |   |           |   |           |
      |   EPa1    |   |   EPa2    |   |   EPa3    |   |   EPa4    |
      |           |   |           |   |           |   |           |
      +-----------+   +-----------+   +-----------+   +-----------+
              \         /                    \          /
               \       /                      \        /
                \     /                        \      /
              +-----------+                  +-----------+
              |           |                  |           |
              |   CPa1    |------------------|   CPa2    |
              |           |                  |           |
              +-----------+                  +-----------+
                    |                              |
      Service       |                              |
      Provider A    |                              |
                    |                              |
     =================================================================
                    |                              |
      Service       |                              |
      Provider B    |                              |
                    |                              |
              +-----------+                  +-----------+
              |           |                  |           |
              |   CPb1    |------------------|   CPb2    |
              |           |                  |           |
              +-----------+                  +-----------+
                /      \                        /     \
               /        \                      /       \
              /          \                    /         \
      +-----------+   +-----------+   +-----------+   +-----------+
      |           |   |           |   |           |   |           |
      |   EPb1    |   |   EPb2    |   |   EPb3    |   |   EPb4    |
      |           |   |           |   |           |   |           |
      +-----------+   +-----------+   +-----------+   +-----------+

      Figure 1: Example Network Scenario Using SIP Load-Control Event
                             Package Mechanism

   During the initialization stage, the proxy servers first identify all
   their outgoing signaling neighbors and subscribe to them.  Service
   providers can provision neighbors, or the proxy servers can
   incrementally learn who their neighbors are by inspecting signaling
   messages that they send and receive.  Assuming all signaling
   relationships in Figure 1 are bidirectional, after this
   initialization stage, each proxy server will be subscribed to all its
   neighbors.

Top      ToC       Page 7 
   Case I: EPa1 serves a TV program hotline and decides to limit the
   total number of incoming calls to the hotline to prevent an overload.
   To do so, EPa1 sends a notification to CPa1 with the specific hotline
   number, time of activation, and total acceptable call rate.
   Depending on the load-filtering policy computation algorithm, CPa1
   may allocate the received total acceptable call rate among its
   neighbors, namely, EPa2, CPa2, and CPb1, and notify them about the
   resulting allocation along with the hotline number and the activation
   time.  CPa2 and CPb1 may perform further allocation among their own
   neighbors and notify the corresponding proxy servers.  This process
   continues until all edge proxy servers in the network have been
   informed about the event and have proper load-filtering policies
   configured.

   In the above case, the network entity where load-filtering policy is
   first introduced is the SIP server providing access to the resource
   that creates the overload situation.  In other cases, the network
   entry point of introducing load-filtering policy could also be an
   entity that hosts this resource.  For example, an operator may host
   an application server that performs toll-free-number ("800 number")
   translation services.  The application server itself may be a SIP
   proxy server or a SIP Back-to-Back User Agent (B2BUA).  If one of the
   toll-free numbers hosted at the application server creates the
   overload condition, the load-filtering policies can be introduced
   from the application server and then propagated to other SIP proxy
   servers in the network.

   Case II: A hurricane affects the region covered by CPb2, EPb3, and
   EPb4.  All three of these SIP proxy servers are overloaded.  The
   rescue team determines that outbound calls are more valuable than
   inbound calls in this specific situation.  Therefore, EPb3 and EPb4
   are configured with load-filtering policies to accept more outbound
   calls than inbound calls.  CPb2 may be configured the same way or
   receive dynamically computed load-filtering policies from EPb3 and
   EPb4.  Depending on the load-filtering policy computation algorithm,
   CPb2 may also send out notifications to its outside neighbors, namely
   CPb1 and CPa2, specifying a limit on the acceptable rate of inbound
   calls to CPb2's responsible domain.  CPb1 and CPa2 may subsequently
   notify their neighbors about limiting the calls to CPb2's area.  The
   same process could continue until all edge proxy servers are notified
   and have load-filtering policies configured.

   Note that this specification does not define the provisioning
   interface between the party who determines the load-filtering policy
   and the network entry point where the policy is introduced.  One of
   the options for the provisioning interface is the Extensible Markup
   Language (XML) Configuration Access Protocol (XCAP) [RFC4825].

Top      ToC       Page 8 
3.4.  Applicable Network Domains

   This specification MUST be applied inside a "Trust Domain".  The
   concept of a Trust Domain is similar to that defined in [RFC3324] and
   [RFC3325].  A Trust Domain, for the purpose of SIP load filtering, is
   a set of SIP entities such as SIP proxy servers that are trusted to
   exchange load-filtering policies defined in this specification.  In
   the simplest case, a Trust Domain is a network of SIP entities
   belonging to a single service provider who deploys it and accurately
   knows the behavior of those SIP entities.  Such simple Trust Domains
   may be joined to form larger Trust Domains by bilateral agreements
   between the service providers of the SIP entities.

   The key requirement of a Trust Domain for the purpose of SIP load
   filtering is that the behavior of all SIP entities within a given
   Trust Domain is known to comply to the following set of
   specifications.

   o  SIP entities in the Trust Domain agree on the mechanisms used to
      secure the communication among SIP entities within the Trust
      Domain.

   o  SIP entities in the Trust Domain agree on the manner used to
      determine which SIP entities are part of the Trust Domain.

   o  SIP entities in the Trust Domain are compliant to SIP [RFC3261].

   o  SIP entities in the Trust Domain are compliant to SIP-Specific
      Event Notification[RFC6665].

   o  SIP entities in the Trust Domain are compliant to this
      specification.

   o  SIP entities in the Trust Domain agree on what types of calls can
      be affected by this SIP load-filtering mechanism.  For example,
      <call-identity> condition elements (Section 5.3.1) <one> and
      <many> might be limited to describe within certain prefixes.

   o  SIP entities in the Trust Domain agree on the destinations to
      which calls may be redirected when the "redirect" action
      (Section 5.4) is used.  For example, the URI might have to match a
      given set of domains.

   SIP load filtering is only effective if all neighbors that are
   possible signaling sources participate and enforce the designated
   load-filtering policies.  Otherwise, a single non-conforming neighbor
   could make all filtering efforts useless by pumping in excessive
   traffic to overload the server.  Therefore, the SIP server that

Top      ToC       Page 9 
   distributes load-filtering policies needs to take countermeasures
   towards any non-conforming neighbors.  A simple method is to reject
   excessive requests with 503 "Service Unavailable" response messages
   as if they were obeying the rate.  Considering the rejection costs, a
   more complicated but fairer method would be to allocate at the
   overloaded server the same amount of processing to the combination of
   both normal processing and rejection as the overloaded server would
   devote to processing requests for a conforming upstream SIP server.
   These approaches work as long as the total rejection cost does not
   overwhelm the entire server resources.  In addition, SIP servers need
   to handle message prioritization properly while performing load
   filtering, which is described in Section 4.8.

4.  Load-Control Event Package

   The SIP load-filtering mechanism defines a load-control event package
   for SIP based on [RFC6665].

4.1.  Event Package Name

   The name of this event package is "load-control".  This name is
   carried in the Event and Allow-Events header, as specified in
   [RFC6665].

4.2.  Event Package Parameters

   No package-specific event header field parameters are defined for
   this event package.

4.3.  SUBSCRIBE Bodies

   This specification does not define the content of SUBSCRIBE bodies.
   Future specifications could define bodies for SUBSCRIBE messages, for
   example, to request specific types of load-control event
   notifications.

   A SUBSCRIBE request sent without a body implies the default
   subscription behavior as specified in Section 4.7.

4.4.  SUBSCRIBE Duration

   The default expiration time for a subscription to load-filtering
   policy is one hour.  Since the desired expiration time may vary
   significantly for subscriptions among SIP entities with different
   signaling relationships, the subscribers and notifiers are
   RECOMMENDED to explicitly negotiate appropriate subscription duration
   when knowledge about the mutual signaling relationship is available.

Top      ToC       Page 10 
4.5.  NOTIFY Bodies

   The body of a NOTIFY request in this event package contains load-
   filtering policies.  The format of the NOTIFY request body MUST be in
   one of the formats defined in the Accept header field of the
   SUBSCRIBE request or be the default format, as specified in
   [RFC6665].  The default data format for the NOTIFY request body of
   this event package is "application/load-control+xml" (defined in
   Section 5).  This means that when a NOTIFY request body exists but no
   Accept header field is specified in a SUBSCRIBE request, the NOTIFY
   request body MUST contain content conforming to the "application/
   load-control+xml" format.

4.6.  Notifier Processing of SUBSCRIBE Requests

   The notifier accepts a new subscription or updates an existing
   subscription upon receiving a valid SUBSCRIBE request.

   If the identity of the subscriber sending the SUBSCRIBE request is
   not allowed to receive load-filtering policies, the notifier MUST
   return a 403 "Forbidden" response.

   If none of the media types specified in the Accept header of the
   SUBSCRIBE request are supported, the notifier SHOULD return a 406
   "Not Acceptable" response.

4.7.  Notifier Generation of NOTIFY Requests

   A notifier MUST send a NOTIFY request with its current load-filtering
   policy to the subscriber upon successfully accepting or refreshing a
   subscription.  If no load-filtering policy needs to be distributed
   when the subscription is received, the notifier SHOULD sent a NOTIFY
   request without a body to the subscriber.  The content-type header
   field of this NOTIFY request MUST indicate the correct body format as
   if the body were present (e.g., "application/load-control+xml").
   Notifiers are likely to send NOTIFY requests without a body when a
   subscription is initiated for the first time, e.g., when a SIP entity
   is just introduced, because there may be no planned events that
   require load filtering at that time.  A notifier SHOULD generate
   NOTIFY requests each time the load-filtering policy changes, with the
   maximum notification rate not exceeding values defined in
   Section 4.10.

4.8.  Subscriber Processing of NOTIFY Requests

   The subscriber is the load-filtering server that enforces load-
   filtering policies received from the notifier.  The way subscribers
   process NOTIFY requests depends on the load-filtering policies

Top      ToC       Page 11 
   conveyed in the notifications.  Typically, load-filtering policies
   consist of rules specifying actions to be applied to requests
   matching certain conditions.  A subscriber receiving a notification
   first installs these rules and then enforces corresponding actions on
   requests matching those conditions, for example, limiting the sending
   rate of call requests destined for a specific callee.

   In the case when load-filtering policies specify a future validity,
   it is possible that when the validity time arrives, the subscription
   to the specific notifier that conveyed the rules has expired.  In
   this case, it is RECOMMENDED that the subscriber re-activate its
   subscription with the corresponding notifier.  Regardless of whether
   or not this re-activation of subscription is successful, when the
   validity time is reached, the subscriber SHOULD enforce the
   corresponding rules.

   Upon receipt of a NOTIFY request with a Subscription-State header
   field containing the value "terminated", the subscription status with
   the particular notifier will be terminated.  Meanwhile, subscribers
   MUST also terminate previously received load-filtering policies from
   that notifier.

   The subscriber MUST discard unknown bodies.  If the NOTIFY request
   contains several bodies, none of them being supported, it SHOULD
   unsubscribe unless it has knowledge that it will possibly receive
   NOTIFY requests with supported bodies from that notifier.  A NOTIFY
   request without a body indicates that no load-filtering policies need
   to be updated.

   When the subscriber enforces load-filtering policies, it needs to
   prioritize requests and select those requests that need to be
   rejected or redirected.  This selection is largely a matter of local
   policy.  It is expected that the subscriber will follow local policy
   as long as the result in reduction of traffic is consistent with the
   overload algorithm in effect at that node.  Accordingly, the
   normative behavior described in the next three paragraphs should be
   interpreted with the understanding that the subscriber will aim to
   preserve local policy to the fullest extent possible.

   o  The subscriber SHOULD honor the local policy for prioritizing SIP
      requests such as policies based on message type, e.g., INVITEs
      versus requests associated with existing sessions.

   o  The subscriber SHOULD honor the local policy for prioritizing SIP
      requests based on the content of the Resource-Priority header
      (RPH, [RFC4412]).  Specific (namespace.value) RPH contents may
      indicate high-priority requests that should be preserved as much

Top      ToC       Page 12 
      as possible during overload.  The RPH contents can also indicate a
      low-priority request that is eligible to be dropped during times
      of overload.

   o  The subscriber SHOULD honor the local policy for prioritizing SIP
      requests relating to emergency calls as identified by the sos URN
      [RFC5031] indicating an emergency request.

   A local policy can be expected to combine both the SIP request type
   and the prioritization markings and SHOULD be honored when overload
   conditions prevail.

4.9.  Handling of Forked Requests

   Forking is not applicable when this load-control event package
   mechanism is used within a single-hop distance between neighboring
   SIP entities.  If communication scope of the load-control event
   package mechanism is among multiple hops, forking is also not
   expected to happen because the subscription request is addressed to a
   clearly defined SIP entity.  However, in the unlikely case when
   forking does happen, the load-control event package only allows the
   first potential dialog-establishing message to create a dialog, as
   specified in Section 5.4.9 of [RFC6665].

4.10.  Rate of Notifications

   The rate of notifications is unlikely to be of concern for this local
   control event package mechanism when it is used in a non-real-time
   mode for relatively static load-filtering policies.  Nevertheless, if
   a situation does arise in which a rather frequently used load
   filtering policy update is needed, it is RECOMMENDED that the
   notifier not generate notifications at a rate higher than once per
   second in all cases, in order to avoid the NOTIFY request itself
   overloading the system.

4.11.  State Delta

   It is likely that updates to specific load-filtering policies are
   made by changing only part of the policy parameters (e.g., acceptable
   request rate or percentage, but not matching identities).  This will
   typically be because the utilization of a resource subject to
   overload depends upon dynamic unknowns such as holding time and the
   relative distribution of offered loads over subscribing SIP entities.
   The updates could originate manually or be determined automatically
   by an algorithm that dynamically computes the load-filtering policies
   (Section 3.2).  Another factor that is usually not known precisely or

Top      ToC       Page 13 
   needs to be computed automatically is the duration of the event
   requiring load filtering.  Therefore, it would also be common for the
   validity to change frequently.

   This event package allows the use of state delta as in [RFC6665] to
   accommodate frequent updates of partial policy parameters.  For each
   NOTIFY transaction in a subscription, a version number that increases
   by exactly one MUST be included in the NOTIFY request body when the
   body is present.  When the subscriber receives a state delta, it
   associates the partial updates to the particular policy by matching
   the appropriate rule id (Appendix D).  If the subscriber receives a
   NOTIFY request with a version number that is increased by more than
   one, it knows that it has missed a state delta and needs to ask for a
   full state snapshot.  Therefore, the subscriber ignores that NOTIFY
   request containing the state delta, and resends a SUBSCRIBE request
   to force a NOTIFY request containing a complete state snapshot.

5.  Load-Control Document

5.1.  Format

   A load-control document is an XML document that describes the load-
   filtering policies.  It inherits and enhances the common policy
   document defined in [RFC4745].  A common policy document contains a
   set of rules.  Each rule consists of three parts: conditions,
   actions, and transformations.  The conditions part is a set of
   expressions containing attributes such as identity, domain, and
   validity time information.  Each expression evaluates to TRUE or
   FALSE.  Conditions are matched on "equality" or "greater than" style
   comparison.  There is no regular expression matching.  Conditions are
   evaluated on receipt of an initial SIP request for a dialog or
   standalone transaction.  If a request matches all conditions in a
   rule set, the action part and the transformation part are consulted
   to determine the "permission" on how to handle the request.  Each
   action or transformation specifies a positive grant to the policy
   server to perform the resulting actions.  Well-defined mechanism are
   available for combining actions and transformations obtained from
   more than one sources.

5.2.  Namespace

   The namespace URI for elements defined by this specification is a
   Uniform Resource Namespace (URN) ([RFC2141]), using the namespace
   identifier "ietf" defined by [RFC2648] and extended by [RFC3688].
   The URN is as follows:

   urn:ietf:params:xml:ns:load-control

Top      ToC       Page 14 
5.3.  Conditions

   [RFC4745] defines three condition elements: <identity>, <sphere>, and
   <validity>.  This specification defines new condition elements and
   reuses the <validity> element.  The <sphere> element is not used.

5.3.1.  Call Identity

   Since the problem space of this specification is different from that
   of [RFC4745], the [RFC4745] <identity> element is not sufficient for
   use with load filtering.  First, load filtering may be applied to
   different identities contained in a request, including identities of
   both the receiving entity and the sending entity.  Second, the
   importance of authentication varies when different identities of a
   request are concerned.  This specification defines new identity
   conditions that can accommodate the granularity of specific SIP
   identity header fields.  The requirement for authentication depends
   on which field is to be matched.

   The identity condition for load filtering is specified by the
   <call-identity> element and its sub-element <sip>.  The <sip> element
   itself contains sub-elements representing SIP sending and receiving
   identity header fields: <from>, <to>, <request-uri>, and
   <p-asserted-identity>.  All those sub-elements are of an extended
   form of the [RFC4745] <identity> element.  In addition to the sub-
   elements including <one>, <except>, and <many> in the <identity>
   element from [RFC4745], the extended form adds two new sub-elements,
   namely, <many-tel> and <except-tel>, which will be explained later in
   this section.

   The [RFC4745] <one> and <except> elements may contain an "id"
   attribute, which is the URI of a single entity to be included or
   excluded in the condition.  When used in the <from>, <to>,
   <request-uri>, and <p-asserted-identity> elements, this "id" value is
   the URI contained in the corresponding SIP header field, i.e., From,
   To, Request-URI, and P-Asserted-Identity.

   When the <call-identity> element contains multiple <sip> sub-
   elements, the result is combined using logical OR.  When the <from>,
   <to>, <request-uri>, and <p-asserted-identity> elements contain
   multiple <one>, <many>, or <many-tel> sub-elements, the result is
   also combined using logical OR.  When the <many> sub-element further
   contains one or more <except> sub-elements, or when the <many-tel>
   sub-element further contains one or more <except-tel> sub-elements,
   the result of each <except> or <except-tel> sub-element is combined
   using a logical OR, similar to that of the [RFC4745] <identity>
   element.  However, when the <sip> element contains multiple <from>,
   <to>, <request-uri>, and <p-asserted-identity> sub-elements, the

Top      ToC       Page 15 
   result is combined using logical AND.  This allows the call identity
   to be specified by multiple fields of a SIP request simultaneously,
   e.g., both the From and the To header fields.

   The following shows an example of the <call-identity> element, which
   matches call requests whose To header field contains the SIP URI
   "sip:alice@hotline.example.com" or the 'tel' URI
   "tel:+1-212-555-1234".

               <call-identity>
                   <sip>
                       <to>
                           <one id="sip:alice@hotline.example.com"/>
                           <one id="tel:+1-212-555-1234"/>
                       </to>
                   </sip>
               </call-identity>

   Before evaluating <call-identity> conditions, the subscriber shall
   convert URIs received in SIP header fields in canonical form as per
   [RFC3261], except that the "phone-context" parameter shall not be
   removed, if present.

   The [RFC4745] <many> and <except> elements may take a "domain"
   attribute.  The "domain" attribute specifies a domain name to be
   matched by the domain part of the candidate identity.  Thus, it
   allows matching a large and possibly unknown number of entities
   within a domain.  The "domain" attribute works well for SIP URIs.

   A URI identifying a SIP user, however, can also be a 'tel' URI.
   Therefore, a similar way to match a group of 'tel' URIs is needed.
   There are two forms of 'tel' URIs: for global numbers and local
   numbers.  According to [RFC3966], "All phone numbers MUST use the
   global form unless they cannot be represented as such...Local numbers
   MUST be tagged with a 'phone-context'".  The global number 'tel' URIs
   start with a "+".  The "phone-context" parameter of local numbers may
   be labeled as a global number or any number of its leading digits or
   a domain name.  Both forms of the 'tel' URI make the resulting URI
   globally unique.

   'tel' URIs of global numbers can be grouped by prefixes consisting of
   any number of common leading digits.  For example, a prefix formed by
   a country code or both the country and area code identifies telephone
   numbers within a country or an area.  Since the length of the country
   and area code for different regions are different, the length of the
   number prefix also varies.  This allows further flexibility such as

Top      ToC       Page 16 
   grouping the numbers into sub-areas within the same area code. 'tel'
   URIs of local numbers can be grouped by the value of the
   "phone-context" parameter.

   The <many> and <except> sub-elements in the <identity> element of
   [RFC4745] do not allow additional attributes to be added directly.
   Redefining behavior of their existing "domain" attribute creates
   backward-compatibility issues.  Therefore, this specification defines
   the <many-tel> and <except-tel> sub-elements that extend the
   [RFC4745] <identity> element.  Both of them have a "prefix" attribute
   for grouping 'tel' URIs, similar to the "domain" attribute for
   grouping SIP URIs in existing <many> and <except> sub-elements.  For
   global numbers, the "prefix" attribute value holds any number of
   common leading digits, for example, "+1-212" for US phone numbers
   within area code "212" or "+1-212-854" for the organization with US
   area code "212" and local prefix "854".  For local numbers, the
   "prefix" attribute value contains the "phone-context" parameter
   value.  It should be noted that visual separators (such as the "-"
   sign) in 'tel' URIs are not used for URI comparison as per [RFC3966].

   The following example shows the use of the "prefix" attribute along
   with the "domain" attribute.  It matches those requests calling to
   the number "+1-202-999-1234" but are not calling from a "+1-212"
   prefix or a SIP From URI domain of "manhattan.example.com".

               <call-identity>
                   <sip>
                       <from>
                           <many>
                               <except domain="manhattan.example.com"/>
                           </many>
                           <many-tel>
                               <except-tel prefix="+1-212"/>
                           </many-tel>
                       </from>
                       <to>
                           <one id="tel:+1-202-999-1234"/>
                       </to>
                   </sip>
               </call-identity>

5.3.2.  Method

   The load created on a SIP server depends on the type of initial SIP
   requests for dialogs or standalone transactions.  The <method>
   element specifies the SIP method to which the load-filtering action
   applies.  When this element is not included, the load-filtering
   actions are applicable to all applicable initial requests.  These

Top      ToC       Page 17 
   requests include INVITE, MESSAGE, REGISTER, SUBSCRIBE, OPTIONS, and
   PUBLISH.  Non-initial requests, such as ACK, BYE, and CANCEL MUST NOT
   be subjected to load filtering.  In addition, SUBSCRIBE requests are
   not filtered if the event-type header field indicates the event
   package defined in this specification.

   The following example shows the use of the <method> element in the
   case the filtering actions should be applied to INVITE requests.

           <method>INVITE</method>

5.3.3.  Target SIP Entity

   A SIP server that performs load-filtering may have multiple paths to
   route call requests matching the same set of call identity elements.
   In those situations, the SIP load-filtering server may desire to take
   advantage of alternative paths and only apply load-filtering actions
   to matching requests for the next-hop SIP entity that originated the
   corresponding load-filtering policy.  To achieve that, the SIP load-
   filtering server needs to associate every load-filtering policy with
   its originating SIP entity.  The <target-sip-entity> element is
   defined for that purpose, and it contains the URI of the entity that
   initiated the load-filtering policy, which is generally the
   corresponding notifier.  A notifier MAY include this element as part
   of the condition of its filtering policy being sent to the
   subscriber, as below.

   <target-sip-entity>sip:biloxi.example.com</target-sip-entity>

   When a SIP load-filtering server receives a policy with a
   <target-sip-entity> element, it SHOULD record it and take it into
   consideration when making load-filtering decisions.  If the load-
   filtering server receives a load-filtering policy that does not
   contain a <target-sip-entity> element, it MAY still record the URI of
   the load-filtering policy's originator as the <target-sip-entity>
   information and consider it when making load-filtering decisions.

      The following are two examples of using the <target-sip-entity>
      element.

      Use case I: The network has user A connected to SIP Proxy 1 (SP1),
      user B connected to SIP Proxy 3 (SP3), SP1 and SP3 connected via
      SIP Proxy 2 (SP2), and SP2 connected to an Application Server
      (AS).  Under normal load conditions, a call from A to B is routed
      along the following path: A-SP1-SP2-AS-SP3-B.  The AS provides a
      nonessential service and can be bypassed in case of overload.  Now
      let's assume that AS is overloaded and sends to SP2 a load-
      filtering policy requesting that 50% of all INVITE requests be

Top      ToC       Page 18 
      dropped.  SP2 can maintain AS as the <target-sip-entity> for that
      policy so that it knows the 50% drop action is only applicable to
      call requests that must go through AS, without affecting those
      calls directly routed through SP3 to B.

      Use case II: A translation service for toll-free numbers is
      installed on two Application Servers, AS1 and AS2.  User A is
      connected to SP1 and calls 800-1234-4529, which is translated by
      AS1 and AS2 into a regular E.164 number depending on, e.g., the
      caller's location.  SP1 forwards INVITE requests with Request-URI
      = "800 number" to AS1 or AS2 based on a load-balancing strategy.
      As calls to 800-1234-4529 create a pre-overload condition in AS1,
      AS1 sends to SP1 a load-filtering policy requesting that 50% of
      calls towards 800-1234-4529 be rejected.  In this case, SP1 can
      maintain AS1 as the <target-sip-entity> for the rule, and only
      apply the load-filtering policy on incoming requests that are
      intended to be sent to AS1.  Those requests that are sent to AS2,
      although matching the <call-identity> of the filter, will not be
      affected.

5.3.4.  Validity

   A filtering policy is usually associated with a validity period
   condition.  This specification reuses the <validity> element of
   [RFC4745], which specifies a period of validity time by pairs of
   <from> and <until> sub-elements.  When multiple time periods are
   defined, the validity condition is evaluated to TRUE if the current
   time falls into any of the specified time periods.  That is, it
   represents a logical OR operation across all validity time periods.

   The following example shows a <validity> element specifying a valid
   period from 12:00 to 15:00 US Eastern Standard Time on 2008-05-31.

               <validity>
                   <from>2008-05-31T12:00:00-05:00</from>
                   <until>2008-05-31T15:00:00-05:00</until>
               </validity>

5.4.  Actions

   The actions a load-filtering server takes on loads matching the load-
   filtering conditions are defined by the <accept> element in the load-
   filtering policy, which includes any one of the three sub-elements
   <rate>, <percent>, and <win>.  The <rate> element denotes an absolute
   value of the maximum acceptable request rate in requests per second;
   the <percent> element specifies the relative percentage of incoming
   requests that should be accepted; the <win> element describes the
   acceptable window size supplied by the receiver, which is applicable

Top      ToC       Page 19 
   in window-based load-filtering.  In static load-filtering policy
   configuration scenarios, using the <rate> sub-element is RECOMMENDED
   because it is hard to enforce the percentage rate or window-based
   load filtering when incoming load from upstream or reactions from
   downstream are uncertain.  (See [SIP-OVERLOAD] and [RFC6357] for more
   details on rate-based, loss-based, and window-based load control.)

   In addition, the <accept> element takes an optional "alt-action"
   attribute that can be used to explicitly specify the desired action
   in case a request cannot be processed.  The "alt-action" can take one
   of the following three values: "reject", "redirect", or "drop".

   o  The "reject" action is the default value for "alt-action".  It
      means that the load-filtering server will reject the request with
      a 503 "Service Unavailable" response message.

   o  The "redirect" action means redirecting the request to another
      target.  When it is used, an "alt-target" attribute MUST be
      defined.  The "alt-target" specifies one URI or a list of URIs
      where the request should be redirected.  The server sends out the
      redirect URIs in a 300-class response message.

   o  The "drop" action means simply ignoring the request without doing
      anything, which can, in certain cases, help save processing
      capability during overload.  For example, when SIP is running over
      a reliable transport such as TCP, the "drop" action does not send
      out the rejection response, neither does it close the transport
      connection.  However, when running SIP over an unreliable
      transport such as UDP, using the "drop" action will create message
      retransmissions that further worsen the possible overload
      situation.  Therefore, any "drop" action applied to an unreliable
      transport MUST be treated as if it were "reject".

   The above "alt-action" processing can also be illustrated through the
   following pseudocode.

           SWITCH "alt-action"
             "redirect": "redirect"
             "drop":
               IF unreliable-transport
                 THEN treat as "reject"
               ELSE
                 "drop"
             "reject": "reject"
             default: "reject"
           END

Top      ToC       Page 20 
   In the following <actions> element example, the server accepts
   maximum of 100 call requests per second.  The remaining calls are
   redirected to an answering machine.

           <actions>
               <accept alt-action="redirect" alt-target=
                       "sip:answer-machine@example.com">
                   <rate>100</rate>
               </accept>
           </actions>



(page 20 continued on part 2)

Next RFC Part