Tech-invite3GPPspaceIETF RFCsSIP
9190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 7200

A Session Initiation Protocol (SIP) Load-Control Event Package

Pages: 44
Proposed Standard
Part 2 of 2 – Pages 20 to 44
First   Prev   None

Top   ToC   RFC7200 - Page 20   prevText

6. XML Schema Definition for Load Control

This section defines the XML schema for the load-control document. It extends the Common Policy schema in [RFC4745] in two ways. Firstly, it defines two mandatory attributes for the <ruleset> element: "version" and "state". The "version" attribute allows the recipient of the notification to properly order them. Versions start at zero and increase by one for each new document sent to a subscriber within the same subscription. Versions MUST be representable using a non-negative 32-bit integer. The "state" attribute indicates whether the document contains a full load- filtering policy update or only state delta as partial update. Secondly, it defines new members of the <conditions> and <actions> elements. <?xml version="1.0" encoding="UTF-8"?> <xs:schema targetNamespace="urn:ietf:params:xml:ns:load-control" xmlns:lc="urn:ietf:params:xml:ns:load-control" xmlns:cp="urn:ietf:params:xml:ns:common-policy" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" attributedFormDefault="unqualified"> <xs:import namespace="urn:ietf:params:xml:ns:common-policy"/> <!-- RULESET --> <xs:element name="ruleset"> <xs:complexType> <xs:complexContent> <xs:restriction base="xs:anyType"> <xs:sequence> <xs:element name="rule" type="cp:ruleType" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:restriction> </xs:complexContent>
Top   ToC   RFC7200 - Page 21
       <xs:attribute name="version" type="xs:integer" use="required"/>
       <xs:attribute name="state" use="required">
         <xs:simpleType>
           <xs:restriction base="xs:string">
             <xs:enumeration value="full"/>
             <xs:enumeration value="partial"/>
           </xs:restriction>
         </xs:simpleType>
       </xs:attribute>
     </xs:complexType>
   </xs:element>

   <!-- CONDITIONS -->

   <!-- CALL IDENTITY -->
   <xs:element name="call-identity" type="lc:call-identity-type"/>

   <!-- CALL IDENTITY TYPE -->
   <xs:complexType name="call-identity-type">
     <xs:choice>
       <xs:element name="sip" type="lc:sip-id-type"/>
       <any namespace="##other" processContents="lax" minOccurs="0"
       maxOccurs="unbounded"/>
     </xs:choice>
     <anyAtrribute namespace="##other" processContents="lax"/>
   </xs:complexType>

   <!-- SIP ID TYPE -->
   <xs:complexType name="sip-id-type">
     <xs:sequence>
       <element name="from" type="lc:identityType" minOccurs="0"/>
       <element name="to" type="lc:identityType" minOccurs="0"/>
       <element name="request-uri" type="lc:identityType"
       minOccurs="0"/>
       <element name="p-asserted-identity" type="lc:identityType"
       minOccurs="0"/>
       <any namespace="##other" processContents="lax" minOccurs="0"
       maxOccurs="unbounded"/>
     </xs:sequence>
     <anyAtrribute namespace="##other" processContents="lax"/>
   </xs:complexType>

   <!-- IDENTITY TYPE -->
   <xs:complexType name="identityType">
     <xs:complexContent>
       <xs:restriction base="xs:anyType">
         <xs:choice minOccurs="1" maxOccurs="unbounded">
           <xs:element name="one" type="cp:oneType"/>
Top   ToC   RFC7200 - Page 22
           <xs:element name="many" type="lc:manyType"/>
           <xs:element name="many-tel" type="lc:manyTelType"/>
           <xs:any namespace="##other" processContents="lax"/>
         </xs:choice>
       </xs:restriction>
     </xs:complexContent>
   </xs:complexType>

   <!-- MANY-TEL TYPE -->
   <xs:complexType name="manyTelType">
     <xs:complexContent>
       <xs:restriction base="xs:anyType">
         <xs:choice minOccurs="0" maxOccurs="unbounded">
           <xs:element name="except-tel" type="lc:exceptTelType"/>
           <xs:any namespace="##other"
           minOccurs="0" processContents="lax"/>
         </xs:choice>
         <xs:attribute name="prefix"
         use="optional" type="xs:string"/>
       </xs:restriction>
     </xs:complexContent>
   </xs:complexType>

   <!-- EXCEPT-TEL TYPE -->
   <xs:complexType name="exceptTelType">
     <xs:attribute name="prefix" type="xs:string" use="optional"/>
     <xs:attribute name="id" type="xs:anyURI" use="optional"/>
   </xs:complexType>

   <!-- METHOD -->
   <xs:element name="method" type="lc:method-type"/>

   <!-- METHOD TYPE -->
   <xs:simpleType name="method-type">
     <xs:restriction base="xs:string">
       <xs:enumeration value="INVITE"/>
       <xs:enumeration value="MESSAGE"/>
       <xs:enumeration value="REGISTER"/>
       <xs:enumeration value="SUBSCRIBE"/>
       <xs:enumeration value="OPTIONS"/>
       <xs:enumeration value="PUBLISH"/>
     </xs:restriction>
   </xs:simpleType>

   <!-- TARGET SIP ENTITY -->
   <xs:element name="target-sip-entity" type="xs:anyURI" minOccurs="0"/>

   <!-- ACTIONS -->
Top   ToC   RFC7200 - Page 23
   <xs:element name="accept">
     <xs:choice>
       <element name="rate" type="xs:decimal" minOccurs="0"/>
       <element name="win" type="xs:integer" minOccurs="0"/>
       <element name="percent" type="xs:decimal" minOccurs="0"/>
       <any namespace="##other" processContents="lax" minOccurs="0"
       maxOccurs="unbounded"/>
     </xs:choice>
     <xs:attribute name="alt-action" type="xs:string" default="reject"/>
     <xs:attribute name="alt-target" type="lc:alt-target-type"
     use="optional"/>
     <anyAtrribute namespace="##other" processContents="lax"/>
   </xs:element>

   <!-- ALT TARGET TYPE -->
   <xs:simpleType name="alt-target-type">
     <xs:list itemType="xs:anyURI"/>
   </xs:simpleType>

   </xs:schema>

7. Security Considerations

Two primary security considerations arise from this specification. One is the distribution mechanism for the load filtering policy that is based on the SIP event notification framework, and the other is the enforcement mechanism for the load-filtering policy. Security considerations for SIP event package mechanisms are covered in Section 6 of [RFC6665]. A particularly relevant security concern for this event package is that if the notifiers can be spoofed, attackers can send fake notifications asking subscribers to throttle all traffic, leading to denial-of-service (DoS) attacks. Therefore, this SIP load-filtering mechanism MUST be used in a Trust Domain (Section 3.4). But if a legitimate notifier in the Trust Domain is itself compromised, additional mechanisms will be needed to detect the attack. Security considerations for load-filtering policy enforcement depends very much on the contents of the policy. This specification defines a possible match of the following SIP header fields in a load- filtering policy: <from>, <to>, <request-uri>, and <p-asserted-identity>. The exact requirement to authenticate and authorize these fields is up to the service provider. In general, if the identity field represents the source of the request, it SHOULD be authenticated and authorized; if the identity field represents the destination of the request, the authentication and authorization is optional.
Top   ToC   RFC7200 - Page 24
   In addition, the "redirect" action (Section 5.4) could facilitate a
   reflection denial-of-service attack.  If a number of SIP proxy
   servers in a Trust Domain are using UDP and configured to get their
   policies from a central server.  An attacker spoofs the central
   server's address to send a number of NOTIFY bodies telling the proxy
   servers to redirect all calls to victim@outside-of-trust-domain.com.
   The proxy servers then redirect all calls to the victim, who then
   becomes a victim of Denial of Service attack and becomes
   inaccessiable from the Internet.  To address this type of threat,
   this specification requires that a Trust Domain agrees on what types
   of calls can be affected as well as on the destinations to which
   calls may be redirected, as in Section 3.4.

8. IANA Considerations

This specification registers a SIP event package, a new media type, a new XML namespace, and a new XML schema.

8.1. Load-Control Event Package Registration

This section registers an event package based on the registration procedures defined in [RFC6665]. Package name: load-control Type: package Published specification: This specification Person to contact: Charles Shen, charles@cs.columbia.edu

8.2. application/load-control+xml Media Type Registration

This section registers a new media type based on the procedures defined in [RFC6838] and guidelines in [RFC3023]. Type name: application Subtype name: load-control+xml Required parameters: none Optional parameters: Same as charset parameter of application/xml as specified in [RFC3023]. Encoding considerations: Same as encoding considerations of application/xml as specified in [RFC3023].
Top   ToC   RFC7200 - Page 25
   Security considerations: See Section 10 of [RFC3023] and Section 7 of
   this specification.

   Interoperability considerations: none

   Published specification: This specification

   Applications that use this media type: Applications that perform load
   control of SIP entities.

   Fragment identifier considerations: Same as fragment identifier
   considerations of application/xml as specified in [RFC3023].

   Additional Information:

      Deprecated alias names for this type: none

      Magic Number(s): none

      File Extension(s): .xml

      Macintosh file type code(s): "TEXT"

   Person and email address for further information: Charles Shen,
   charles@cs.columbia.edu

   Intended usage: COMMON

   Restrictions on usage: none

   Author: Charles Shen, Henning Schulzrinne, Arata Koike

   Change controller: IESG

   Provisional registration? (standards tree only): no

8.3. URN Sub-Namespace Registration

This section registers a new XML namespace, as per the guidelines in [RFC3688] URI: The URI for this namespace is urn:ietf:params:xml:ns:load-control Registrant Contact: IETF SOC Working Group <sip-overload@ietf.org>, as designated by the IESG <iesg@ietf.org>
Top   ToC   RFC7200 - Page 26
   XML:

   BEGIN
   <?xml version="1.0"?>
   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
                "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml">
   <head>
     <meta http-equiv="content-type"
       content="text/html;charset=iso-8859-1"/>
     <title>SIP Load-Control Namespace</title>
   </head>
   <body>
     <h1>Namespace for SIP Load Control</h1>
     <h2>urn:ietf:params:xml:ns:load-control</h2>
     <p>See <a href="http://www.rfc-editor.org/rfc/rfc7200.txt">
         RFC 7200</a>.</p>
   </body>
   </html>
   END

8.4. Load-Control Schema Registration

URI: urn:ietf:params:xml:schema:load-control Registrant Contact: IETF SOC working group, Charles Shen (charles@cs.columbia.edu). XML: the XML schema contained in Section 6 has been registered. Its first line is <?xml version="1.0" encoding="UTF-8"?> and its last line is </xs:schema>
Top   ToC   RFC7200 - Page 27

9. Acknowledgements

The authors would like to thank Jari Arkko, Richard Barnes, Stewart Bryant, Gonzalo Camarillo, Bruno Chatras, Benoit Claise, Spencer Dawkins, Martin Dolly, Keith Drage, Ashutosh Dutta, Donald Eastlake, Adrian Farrel, Stephen Farrell, Janet Gunn, Vijay Gurbani, Brian Haberman, Volker Hilt, Geoff Hunt, Carolyn Johnson, Hadriel Kaplan, Paul Kyzivat, Barry Leiba, Pearl Liang, Salvatore Loreto, Timothy Moran, Eric Noel, Parthasarathi R, Pete Resnick, Adam Roach, Dan Romascanu, Shida Schubert, Robert Sparks, Martin Stiemerling, Sean Turner, Phil Williams, and other members of the SOC and SIPPING working groups for many helpful comments. In particular, Bruno Chatras proposed the <method> and <target-sip-entity> condition elements along with many other text improvements. Janet Gunn provided detailed text suggestions including Appendix C. Eric Noel suggested clarification on load-filtering policy distribution initialization process. Shida Schubert made many suggestions such as terminology usage. Phil Williams suggested adding support for delta updates. Ashutosh Dutta gave pointers to Public Switched Telephone Network (PSTN) references. Adam Roach suggested improvements related to RFC 6665 and offered other helpful clarifications. Richard Barnes made many suggestions such as referencing the Trust Domain concept of RFCs 3324 and 3325, the use of a separate element for 'tel' URI grouping, and addressing the "redirect" action security threat.

10. References

10.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997. [RFC3023] Murata, M., St. Laurent, S., and D. Kohn, "XML Media Types", RFC 3023, January 2001. [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, January 2004. [RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", RFC 3966, December 2004.
Top   ToC   RFC7200 - Page 28
   [RFC4745]  Schulzrinne, H., Tschofenig, H., Morris, J., Cuellar, J.,
              Polk, J., and J. Rosenberg, "Common Policy: A Document
              Format for Expressing Privacy Preferences", RFC 4745,
              February 2007.

   [RFC6665]  Roach, A., "SIP-Specific Event Notification", RFC 6665,
              July 2012.

   [RFC6838]  Freed, N., Klensin, J., and T. Hansen, "Media Type
              Specifications and Registration Procedures", BCP 13, RFC
              6838, January 2013.

10.2. Informative References

[E.300SerSup3] ITU-T, "North American Precise Audible Tone Plan", Recommendation E.300 Series Supplement 3, November 1988. [E.412] ITU-T, "Network Management Controls", Recommendation E.412-2003, January 2003. [Q.1248.2] ITU-T, "Interface Recommendation for Intelligent Network Capability Set4:SCF-SSF interface", Recommendation Q.1248.2, July 2001. [RFC2648] Moats, R., "A URN Namespace for IETF Documents", RFC 2648, August 1999. [RFC3324] Watson, M., "Short Term Requirements for Network Asserted Identity", RFC 3324, November 2002. [RFC3325] Jennings, C., Peterson, J., and M. Watson, "Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity within Trusted Networks", RFC 3325, November 2002. [RFC4412] Schulzrinne, H. and J. Polk, "Communications Resource Priority for the Session Initiation Protocol (SIP)", RFC 4412, February 2006. [RFC4825] Rosenberg, J., "The Extensible Markup Language (XML) Configuration Access Protocol (XCAP)", RFC 4825, May 2007. [RFC5031] Schulzrinne, H., "A Uniform Resource Name (URN) for Emergency and Other Well-Known Services", RFC 5031, January 2008.
Top   ToC   RFC7200 - Page 29
   [RFC5390]  Rosenberg, J., "Requirements for Management of Overload in
              the Session Initiation Protocol", RFC 5390, December 2008.

   [RFC6357]  Hilt, V., Noel, E., Shen, C., and A. Abdelal, "Design
              Considerations for Session Initiation Protocol (SIP)
              Overload Control", RFC 6357, August 2011.

   [SIP-OVERLOAD]
              Gurbani, V., Ed., Hilt, V., and H. Schulzrinne, "Session
              Initiation Protocol (SIP) Overload Control", Work in
              Progress, March 2014.
Top   ToC   RFC7200 - Page 30

Appendix A. Definitions

This specification reuses the definitions for "Event Package", "Notification", "Notifier", "Subscriber", and "Subscription" as in [RFC6665]. The following additional definitions are also used. Load Filtering: A load-control mechanism that applies specific actions to selected loads (e.g., SIP requests) matching specific conditions. Load-Filtering Policy: A set of zero or more load-filtering rules, also known as load-filtering rule set. Load-Filtering Rule: Conditions and actions to be applied for load filtering. Load-Filtering Condition: Elements that describe how to select loads to apply load-filtering actions. This specification defines the <call-identity>, <method>, <target-sip-identity>, and <validity> condition elements (Section 5.3). Load-Filtering Action: An operation to be taken by a load-filtering server on loads that match the load-filtering conditions. This specification allows actions such as accept, reject, and redirect of loads (Section 5.4). Load-Filtering Server: A server that performs load filtering. In the context of this specification, the load-filtering server is the subscriber, which receives load-filtering policies from the notifier and enforces those policies during load filtering. Load-Control Document: An XML document that describes the load- filtering policies (Section 5). It inherits and enhances the common policy document defined in [RFC4745].

Appendix B. Design Requirements

The SIP load-filtering mechanism needs to satisfy the following requirements: o For simplicity, the solution should focus on a method for controlling SIP load, rather than a generic application-layer mechanism. o The load-filtering policy needs to be distributed efficiently to possibly a large subset of all SIP elements.
Top   ToC   RFC7200 - Page 31
   o  The solution should reuse existing SIP protocol mechanisms to
      reduce implementation and deployment complexity.

   o  For predictable overload situations, such as holidays and mass
      calling events, the load-filtering policy should specify during
      what time it is to be applied, so that the information can be
      distributed ahead of time.

   o  For destination-specific overload situations, the load-filtering
      policy should be able to describe the destination domain or the
      callee.

   o  To address accidental and intentional high-volume call generators,
      the load-filtering policy should be able to specify the caller.

   o  Caller and callee need to be specified as both SIP URIs and 'tel'
      URIs [RFC3966] in load-filtering policies.

   o  It should be possible to specify particular information in the SIP
      headers (e.g., prefixes in telephone numbers) that allow load
      filtering over limited regionally focused overloads.

   o  The solution should draw upon experiences from related PSTN
      mechanisms [Q.1248.2] [E.412] [E.300SerSup3] where applicable.

   o  The solution should be extensible to meet future needs.

Appendix C. Discussion of How This Specification Meets the Requirements of RFC 5390

This section evaluates whether the load-control event package mechanism defined in this specification satisfies various SIP overload control requirements set forth by [RFC5390]. As mentioned in Section 1, this specification complements other efforts in the overall SIP load-control solution space. Therefore, not all RFC 5390 requirements are found applicable to this specification. This specification categorizes the assessment results into Yes (the requirement is met), P/A (Partially Applicable), No (must be used in conjunction with another mechanism to meet the requirement), and N/A (Not Applicable). REQ 1: The overload mechanism shall strive to maintain the overall useful throughput (taking into consideration the quality-of- service needs of the using applications) of a SIP server at reasonable levels, even when the incoming load on the network is far in excess of its capacity. The overall throughput under load is the ultimate measure of the value of an overload control mechanism.
Top   ToC   RFC7200 - Page 32
   P/A.  The goal of load filtering is to prevent overload or maintain
   overall goodput during the time of overload, but it is dependent on
   the predictions of the load and the computations as well as
   distribution of the filtering policies.  If the load predictions or
   filtering policy computations are incorrect, or the filtering policy
   is not properly distributed, the mechanism will be less effective.
   On the other hand, if the load can be accurately predicted and
   filtering policies be computed and distributed appropriately, this
   requirement can be met.

      REQ 2: When a single network element fails, goes into overload, or
      suffers from reduced processing capacity, the mechanism should
      strive to limit the impact of this on other elements in the
      network.  This helps to prevent a small-scale failure from
      becoming a widespread outage.

   N/A if load-filtering policies are installed in advance and do not
   change during the potential overload period, P/A if load-filtering
   policies are dynamically adjusted.  The algorithm to dynamically
   compute load-filtering policies is outside the scope of this
   specification, while the distribution of the updated filtering
   policies uses the event package mechanism of this specification.

      REQ 3: The mechanism should seek to minimize the amount of
      configuration required in order to work.  For example, it is
      better to avoid needing to configure a server with its SIP message
      throughput, as these kinds of quantities are hard to determine.

   No.  This mechanism is entirely dependent on advance configuration,
   based on advance knowledge.  In order to satisfy REQ 3, it should be
   used in conjunction with other mechanisms that are not based on
   advance configuration.

      REQ 4: The mechanism must be capable of dealing with elements that
      do not support it, so that a network can consist of a mix of
      elements that do and don't support it.  In other words, the
      mechanism should not work only in environments where all elements
      support it.  It is reasonable to assume that it works better in
      such environments, of course.  Ideally, there should be
      incremental improvements in overall network throughput as
      increasing numbers of elements in the network support the
      mechanism.

   No.  This mechanism is entirely dependent on the participation of all
   possible neighbors.  In order to satisfy REQ 4, it should be used in
   conjunction with other mechanisms, some of which are described in
   Section 3.4.
Top   ToC   RFC7200 - Page 33
      REQ 5: The mechanism should not assume that it will only be
      deployed in environments with completely trusted elements.  It
      should seek to operate as effectively as possible in environments
      where other elements are malicious; this includes preventing
      malicious elements from obtaining more than a fair share of
      service.

   No.  This mechanism is entirely dependent on the non-malicious
   participation of all possible neighbors.  In order to satisfy REQ 5,
   it should be used in conjunction with other mechanisms, some of which
   are described in Section 3.4.

      REQ 6: When overload is signaled by means of a specific message,
      the message must clearly indicate that it is being sent because of
      overload, as opposed to other, non overload-based failure
      conditions.  This requirement is meant to avoid some of the
      problems that have arisen from the reuse of the 503 response code
      for multiple purposes.  Of course, overload is also signaled by
      lack of response to requests.  This requirement applies only to
      explicit overload signals.

   N/A.  This mechanism signals anticipated overload, not actual
   overload.  However, the signals in this mechanism are not used for
   any other purpose.

      REQ 7: The mechanism shall provide a way for an element to
      throttle the amount of traffic it receives from an upstream
      element.  This throttling shall be graded so that it is not all-
      or-nothing as with the current 503 mechanism.  This recognizes the
      fact that "overload" is not a binary state and that there are
      degrees of overload.

   Yes.  This event package allows rate-/loss-/window-based overload
   control options as discussed in Section 5.4.

      REQ 8: The mechanism shall ensure that, when a request was not
      processed successfully due to overload (or failure) of a
      downstream element, the request will not be retried on another
      element that is also overloaded or whose status is unknown.  This
      requirement derives from REQ 1.

   N/A to the load-control event package mechanism itself.

      REQ 9: That a request has been rejected from an overloaded element
      shall not unduly restrict the ability of that request to be
      submitted to and processed by an element that is not overloaded.
      This requirement derives from REQ 1.
Top   ToC   RFC7200 - Page 34
   Yes.  For example, load-filtering policy (Section 3.1) can include
   alternative forwarding destinations for rejected requests.

      REQ 10: The mechanism should support servers that receive requests
      from a large number of different upstream elements, where the set
      of upstream elements is not enumerable.

   No.  Because this mechanism requires advance configuration of
   specifically identified neighbors, it does not support environments
   where the number and identity of the upstream neighbors are not known
   in advance.  In order to satisfy REQ 10, it should be used in
   conjunction with other mechanisms.

      REQ 11: The mechanism should support servers that receive requests
      from a finite set of upstream elements, where the set of upstream
      elements is enumerable.

   Yes.  See also answer to REQ 10.

      REQ 12: The mechanism should work between servers in different
      domains.

   Yes.  The load-control event package mechanism is not limited by
   domain boundaries.  However, it is likely more applicable in intra-
   domain scenarios than in inter-domain scenarios due to security and
   other concerns (see also Section 3.4).

      REQ 13: The mechanism must not dictate a specific algorithm for
      prioritizing the processing of work within a proxy during times of
      overload.  It must permit a proxy to prioritize requests based on
      any local policy, so that certain ones (such as a call for
      emergency services or a call with a specific value of the
      Resource-Priority header field [RFC4412]) are given preferential
      treatment, such as not being dropped, being given additional
      retransmission, or being processed ahead of others.

   P/A.  This mechanism does not specifically address the prioritizing
   of work during times of overload.  But it does not preclude any
   particular local policy.

      REQ 14: The mechanism should provide unambiguous directions to
      clients on when they should retry a request and when they should
      not.  This especially applies to TCP connection establishment and
      SIP registrations, in order to mitigate against avalanche restart.

   N/A to the load-control event package mechanism itself.
Top   ToC   RFC7200 - Page 35
      REQ 15: In cases where a network element fails, is so overloaded
      that it cannot process messages, or cannot communicate due to a
      network failure or network partition, it will not be able to
      provide explicit indications of the nature of the failure or its
      levels of congestion.  The mechanism must properly function in
      these cases.

   P/A.  Because the load-filtering policies are provisioned in advance,
   they are not affected by the overload or failure of other network
   elements.  On the other hand, they may not, in those cases, be able
   to protect the overloaded network elements (see REQ 1).

      REQ 16: The mechanism should attempt to minimize the overhead of
      the overload control messaging.

   Yes.  The standardized SIP event package mechanism [RFC6665] is used.

      REQ 17: The overload mechanism must not provide an avenue for
      malicious attack, including DoS and DDoS attacks.

   P/A.  This mechanism does provide a potential avenue for malicious
   attacks.  Therefore, the security mechanisms for SIP event packages,
   in general, [RFC6665] and Section 7 of this specification should be
   used.

      REQ 18: The overload mechanism should be unambiguous about whether
      a load indication applies to a specific IP address, host, or URI,
      so that an upstream element can determine the load of the entity
      to which a request is to be sent.

   Yes.  The identity of load indication is covered in the load-
   filtering policy format definition in Section 3.1.

      REQ 19: The specification for the overload mechanism should give
      guidance on which message types might be desirable to process over
      others during times of overload, based on SIP-specific
      considerations.  For example, it may be more beneficial to process
      a SUBSCRIBE refresh with Expires of zero than a SUBSCRIBE refresh
      with a non-zero expiration (since the former reduces the overall
      amount of load on the element), or to process re-INVITEs over new
      INVITEs.

   N/A to the load-control event package mechanism itself.

      REQ 20: In a mixed environment of elements that do and do not
      implement the overload mechanism, no disproportionate benefit
      shall accrue to the users or operators of the elements that do not
      implement the mechanism.
Top   ToC   RFC7200 - Page 36
   No.  This mechanism is entirely dependent on the participation of all
   possible neighbors.  In order to satisfy REQ 20, it should be used in
   conjunction with other mechanisms, some of which are described in
   Section 3.4.

      REQ 21: The overload mechanism should ensure that the system
      remains stable.  When the offered load drops from above the
      overall capacity of the network to below the overall capacity, the
      throughput should stabilize and become equal to the offered load.

   N/A to the load-control event package mechanism itself.

      REQ 22: It must be possible to disable the reporting of load
      information towards upstream targets based on the identity of
      those targets.  This allows a domain administrator who considers
      the load of their elements to be sensitive information, to
      restrict access to that information.  Of course, in such cases,
      there is no expectation that the overload mechanism itself will
      help prevent overload from that upstream target.

   N/A to the load-control event package mechanism itself.

      REQ 23: It must be possible for the overload mechanism to work in
      cases where there is a load balancer in front of a farm of
      proxies.

   Yes.  The load-control event package mechanism does not preclude its
   use in a scenario with server farms.

Appendix D. Complete Examples

D.1. Load-Control Document Examples

This section presents two complete examples of load-control documents valid with respect to the XML schema defined in Section 6. The first example assumes that a set of hotlines are set up at "sip:alice@hotline.example.com" and "tel:+1-212-555-1234". The hotlines are activated from 12:00 to 15:00 US Eastern Standard Time on 2008-05-31. The goal is to limit the incoming calls to the hotlines to 100 requests per second. Calls that exceed the rate limit are explicitly rejected.
Top   ToC   RFC7200 - Page 37
   <?xml version="1.0" encoding="UTF-8"?>
   <ruleset xmlns="urn:ietf:params:xml:ns:common-policy"
               xmlns:lc="urn:ietf:params:xml:ns:load-control"
               version="0" state="full">

       <rule id="f3g44k1">
           <conditions>
               <lc:call-identity>
                   <lc:sip>
                       <lc:to>
                           <one id="sip:alice@hotline.example.com"/>
                           <one id="tel:+1-212-555-1234"/>
                       </lc:to>
                   </lc:sip>
               </lc:call-identity>
               <method>INVITE</method>
               <validity>
                   <from>2008-05-31T12:00:00-05:00</from>
                   <until>2008-05-31T15:00:00-05:00</until>
               </validity>
           </conditions>
           <actions>
               <lc:accept alt-action="reject">
                   <lc:rate>100</lc:rate>
               </lc:accept>
           </actions>

       </rule>
   </ruleset>

   The second example optimizes the usage of server resources during the
   three-day period following a hurricane.  Incoming calls to the domain
   "sandy.example.com" or to call destinations with prefix "+1-212" will
   be limited to a rate of 100 requests per second, except for those
   calls originating from a particular rescue team domain
   "rescue.example.com".  Outgoing calls from the hurricane domain or
   calls within the local domain are never limited.  All calls that are
   throttled due to the rate limit will be forwarded to an answering
   machine with updated hurricane rescue information.
Top   ToC   RFC7200 - Page 38
   <?xml version="1.0" encoding="UTF-8"?>
   <ruleset xmlns="urn:ietf:params:xml:ns:common-policy"
       xmlns:lc="urn:ietf:params:xml:ns:load-control"
       version="1" state="full">

       <rule id="f3g44k2">
           <conditions>
               <lc:call-identity>
                   <lc:sip>
                       <lc:to>
                           <many domain="sandy.example.com"/>
                           <many-tel prefix="+1-212"/>
                       </lc:to>
                       <lc:from>
                           <many>
                               <except domain="sandy.example.com"/>
                               <except domain="rescue.example.com"/>
                           </many>
                       </lc:from>
                   </lc:sip>
               </lc:call-identity>
               <method>INVITE</method>
               <validity>
                   <from>2012-10-25T09:00:00+01:00</from>
                   <until>2012-10-28T09:00:00+01:00</until>
               </validity>
           </conditions>
           <actions>
               <lc:accept alt-action="redirect" alt-target=
                       "sip:sandy@update.example.com">
                   <lc:rate>100</lc:rate>
               </lc:accept>
           </actions>

       </rule>
   </ruleset>

   Sometimes it may occur that multiple rules in a ruleset define
   actions that match the same methods, call identity and validity.  In
   those cases, the "first-match-wins" principle is used.  For example,
   in the following ruleset, the first rule requires all calls from the
   "example.com" domain to be rejected.  Even though the rule following
   that one specifies that calls from "sip:alice@example.com" be
   redirected to a specific target "sip:eve@example.com", the calls from
   "sip:alice@example.com" will still be rejected because they have
   already been matched by the earlier rule.
Top   ToC   RFC7200 - Page 39
   <?xml version="1.0" encoding="UTF-8"?>
   <ruleset xmlns="urn:ietf:params:xml:ns:common-policy"
       xmlns:lc="urn:ietf:params:xml:ns:load-control"
       version="1" state="full">

       <rule id="f3g44k3">
           <conditions>
               <lc:call-identity>
                   <lc:sip>
                       <lc:from>
                           <many domain="example.com"/>
                       </lc:from>
                   </lc:sip>
               </lc:call-identity>
               <method>INVITE</method>
               <validity>
                   <from>2013-7-2T09:00:00+01:00</from>
                   <until>2013-7-3T09:00:00+01:00</until>
               </validity>
           </conditions>
           <actions>
               <lc:accept alt-action="reject">
                   <lc:rate>0</lc:rate>
               </lc:accept>
           </actions>
       </rule>

       <rule id="f3g44k4">
           <conditions>
               <lc:call-identity>
                   <lc:sip>
                       <lc:from>
                           <one id="sip:alice@example.com"/>
                       </lc:from>
                   </lc:sip>
               </lc:call-identity>
               <method>INVITE</method>
               <validity>
                   <from>2013-7-2T09:00:00+01:00</from>
                   <until>2013-7-3T09:00:00+01:00</until>
               </validity>
           </conditions>
           <actions>
               <lc:accept alt-action="redirect" alt-target=
                       "sip:eve@example.com">
                   <lc:rate>0</lc:rate>
               </lc:accept>
           </actions>
Top   ToC   RFC7200 - Page 40
       </rule>
   </ruleset>

D.2. Message Flow Examples

This section presents an example message flow of using the load- control event package mechanism defined in this specification. atlanta biloxi | F1 SUBSCRIBE | |------------------>| | F2 200 OK | |<------------------| | F3 NOTIFY | |<------------------| | F4 200 OK | |------------------>| F1 SUBSCRIBE atlanta.example.com -> biloxi.example.com SUBSCRIBE sip:biloxi.example.com SIP/2.0 Via: SIP/2.0/TCP atlanta.example.com;branch=z9hG4bKy7cjbu3 From: sip:atlanta.example.com;tag=162ab5 To: sip:biloxi.example.com Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com CSeq: 2012 SUBSCRIBE Contact: sip:atlanta.example.com Event: load-control Max-Forwards: 70 Accept: application/load-control+xml Expires: 3600 Content-Length: 0 F2 200 OK biloxi.example.com -> atlanta.example.com SIP/2.0 200 OK Via: SIP/2.0/TCP biloxi.example.com;branch=z9hG4bKy7cjbu3 ;received=192.0.2.1 To: <sip:biloxi.example.com>;tag=331dc8 From: <sip:atlanta.example.com>;tag=162ab5 Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com CSeq: 2012 SUBSCRIBE Expires: 3600 Contact: sip:biloxi.example.com Content-Length: 0
Top   ToC   RFC7200 - Page 41
      F3 NOTIFY  biloxi.example.com -> atlanta.example.com

         NOTIFY sip:atlanta.example.com SIP/2.0
         Via: SIP/2.0/TCP biloxi.example.com;branch=z9hG4bKy71g2ks
         From: <sip:biloxi.example.com>;tag=331dc8
         To: <sip:atlanta.example.com>;tag=162ab5
         Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com
         Event: load-control
         Subscription-State: active;expires=3599
         Max-Forwards: 70
         CSeq: 1775 NOTIFY
         Contact: sip:biloxi.example.com
         Content-Type: application/load-control+xml
         Content-Length: ...

         [Load-Control Document]

      F4 200 OK atlanta.example.com -> biloxi.example.com

         SIP/2.0 200 OK
         Via: SIP/2.0/TCP atlanta.example.com;branch=z9hG4bKy71g2ks
           ;received=192.0.2.2
         From: <sip:biloxi.example.com>;tag=331dc8
         To: <sip:atlanta.example.com>;tag=162ab5
         Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com
         CSeq: 1775 NOTIFY
         Content-Length: 0

Appendix E. Related Work

E.1. Relationship to Load Filtering in PSTN

It is known that an existing PSTN network also uses a load-filtering mechanism to prevent overload and the filtering policy configuration is done manually except in specific cases when the Intelligent Network architecture is used [Q.1248.2][E.412]. This specification defines a load-filtering mechanism based on the SIP event notification framework that allows automated filtering policy distribution in suitable environments. PSTN overload control uses messages that specify an outgoing control list, call gap duration, and control duration [Q.1248.2][E.412]. These items correspond roughly to the identity, action, and time fields of the SIP load-filtering policy defined in this specification. However, the load-filtering policy defined in this specification is much more generic and flexible as opposed to its PSTN counterpart.
Top   ToC   RFC7200 - Page 42
   Firstly, PSTN load filtering only applies to telephone numbers.  The
   identity element of SIP load-filtering policy allows both SIP URI and
   telephone numbers (through 'tel' URI) to be specified.  These
   identities can be arbitrarily grouped by SIP domains or any number of
   leading prefixes of the telephone numbers.

   Secondly, the PSTN load-filtering action is usually limited to call
   gapping.  The action field in SIP load-filtering policy allows more
   flexible possibilities such as rate throttle and others.

   Thirdly, the duration field in PSTN load filtering specifies a value
   in seconds for the load-filtering duration only, and the allowed
   values are mapped into a value set.  The time field in SIP load-
   filtering policy may specify not only a duration, but also a future
   activation time that could be especially useful for automating load
   filtering for predictable overloads.

   PSTN load filtering can be performed in both edge switches and
   transit switches; the SIP load filtering can also be applied in both
   edge proxy servers and core proxy servers, and even in capable user
   agents.

   PSTN load filtering also has special accommodation for High
   Probability of Completion (HPC) calls, which would be similar to
   calls designated by the SIP Resource Priority Headers [RFC4412].  The
   SIP load-filtering mechanism also allows prioritizing the treatment
   of these calls by specifying favorable actions for them.

   PSTN load filtering also provides an administrative option for
   routing failed call attempts to either a reorder tone [E.300SerSup3]
   indicating overload conditions or a special recorded announcement.  A
   similar capability can be provided in the SIP load-filtering
   mechanism by specifying appropriate "alt-action" attribute in the SIP
   load-filtering action field.

E.2. Relationship with Other IETF SIP Overload Control Efforts

The load-filtering policies in this specification consist of identity, action, and time. The identity can range from a single specific user to an arbitrary user aggregate, domains, or areas. The user can be identified by either the source or the destination. When the user is identified by the source and a favorable action is specified, the result is, to some extent, similar to identifying a priority user based on authorized Resource Priority Headers [RFC4412] in the requests. Specifying a source user identity with an unfavorable action would cause an effect to some extent similar to an inverse SIP resource priority mechanism.
Top   ToC   RFC7200 - Page 43
   The load-filtering policy defined in this specification is generic
   and expected to be applicable not only to the load-filtering
   mechanism but also to the feedback overload control mechanism in
   [SIP-OVERLOAD].  In particular, both mechanisms could use specific or
   wildcard identities for load control and could share well-known load-
   control actions.  The time duration field in the load-filtering
   policy could also be used in both mechanisms.  As mentioned in
   Section 1, the load-filtering policy distribution mechanism and the
   feedback overload control mechanism address complementary areas in
   the overload control problem space.  Load filtering is more proactive
   and focuses on distributing filtering policies towards the source of
   the traffic; the hop-by-hop feedback-based approach is reactive and
   reduces traffic already accepted by the network.  Therefore, they
   could also make different use of the generic load-filtering policy
   components.  For example, the load-filtering mechanism may use the
   time field in the filtering policy to specify not only a control
   duration but also a future activation time to accommodate a
   predicable overload such as the one caused by Mother's Day greetings
   or a viewer-voting program; the feedback-based control might not need
   to use the time field or might use the time field to specify an
   immediate load-control duration.
Top   ToC   RFC7200 - Page 44

Authors' Addresses

Charles Shen Columbia University Department of Computer Science 1214 Amsterdam Avenue, MC 0401 New York, NY 10027 USA Phone: +1 212 854 3109 EMail: charles@cs.columbia.edu Henning Schulzrinne Columbia University Department of Computer Science 1214 Amsterdam Avenue, MC 0401 New York, NY 10027 USA Phone: +1 212 939 7004 EMail: schulzrinne@cs.columbia.edu Arata Koike NTT Network Technology Labs 3-9-11 Midori-cho Musashino-shi Tokyo 180-8585 Japan Phone: +81 422 59 6099 EMail: koike.arata@lab.ntt.co.jp