Tech-invite3GPPspaceIETF RFCsSIP
93929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 7866

Session Recording Protocol

Pages: 45
Proposed Standard
Part 2 of 2 – Pages 20 to 45
First   Prev   None

Top   ToC   RFC7866 - Page 20   prevText

8. RTP Handling

This section provides recommendations and guidelines for RTP and the Real-time Transport Control Protocol (RTCP) in the context of SIPREC [RFC6341]. In order to communicate most effectively, the SRC, the SRS, and any recording-aware UAs should utilize the mechanisms provided by RTP in a well-defined and predictable manner. It is the goal of this document to make the reader aware of these mechanisms and to provide recommendations and guidelines.

8.1. RTP Mechanisms

This section briefly describes important RTP/RTCP constructs and mechanisms that are particularly useful within the context of SIPREC.

8.1.1. RTCP

The RTP data transport is augmented by a control protocol (RTCP) to allow monitoring of the data delivery. RTCP, as defined in [RFC3550], is based on the periodic transmission of control packets to all participants in the RTP session, using the same distribution mechanism as the data packets. Support for RTCP is REQUIRED, per [RFC3550], and it provides, among other things, the following important functionality in relation to SIPREC: 1) Feedback on the quality of the data distribution This feedback from the receivers may be used to diagnose faults in the distribution. As such, RTCP is a well-defined and efficient mechanism for the SRS to inform the SRC, and for the SRC to inform recording-aware UAs, of issues that arise with respect to the reception of media that is to be recorded. 2) Including a persistent transport-level identifier -- the CNAME, or canonical name -- for an RTP source The synchronization source (SSRC) [RFC3550] identifier may change if a conflict is discovered or a program is restarted, in which case receivers can use the CNAME to keep track of each participant. Receivers may also use the CNAME to associate
Top   ToC   RFC7866 - Page 21
      multiple data streams from a given participant in a set of related
      RTP sessions -- for example, to synchronize audio and video.
      Synchronization of media streams is also facilitated by the NTP
      and RTP timestamps included in RTCP packets by data senders.

8.1.2. RTP Profile

The RECOMMENDED RTP profiles for the SRC, SRS, and recording-aware UAs are "Extended Secure RTP Profile for Real-time Transport Control Protocol (RTCP)-Based Feedback (RTP/SAVPF)" [RFC5124] when using encrypted RTP streams, and "Extended RTP Profile for Real-time Transport Control Protocol (RTCP)-Based Feedback (RTP/AVPF)" [RFC4585] when using non-encrypted media streams. However, as these are not requirements, some implementations may use "The Secure Real-time Transport Protocol (SRTP)" [RFC3711] and "RTP Profile for Audio and Video Conferences with Minimal Control" [RFC3551]. Therefore, it is RECOMMENDED that the SRC, SRS, and recording-aware UAs not rely entirely on RTP/SAVPF or RTP/AVPF for core functionality that may be at least partially achievable using RTP/SAVP and RTP/AVP. AVPF and SAVPF provide an improved RTCP timer model that allows more flexible transmission of RTCP packets in response to events, rather than strictly according to bandwidth. AVPF-based codec control messages provide efficient mechanisms for an SRC, an SRS, and recording-aware UAs to handle events such as scene changes, error recovery, and dynamic bandwidth adjustments. These messages are discussed in more detail later in this document. SAVP and SAVPF provide media encryption, integrity protection, replay protection, and a limited form of source authentication. They do not contain or require a specific keying mechanism.

8.1.3. SSRC

The SSRC, as defined in [RFC3550], is carried in the RTP header and in various fields of RTCP packets. It is a random 32-bit number that is required to be globally unique within an RTP session. It is crucial that the number be chosen with care, in order that participants on the same network or starting at the same time are not likely to choose the same number. Guidelines regarding SSRC value selection and conflict resolution are provided in [RFC3550]. The SSRC may also be used to separate different sources of media within a single RTP session. For this reason, as well as for conflict resolution, it is important that the SRC, SRS, and recording-aware UAs handle changes in SSRC values and properly identify the reason for the change. The CNAME values carried in RTCP facilitate this identification.
Top   ToC   RFC7866 - Page 22

8.1.4. CSRC

The contributing source (CSRC), as defined in [RFC3550], identifies the source of a stream of RTP packets that has contributed to the combined stream produced by an RTP mixer. The mixer inserts a list of the SSRC identifiers of the sources that contributed to the generation of a particular packet into the RTP header of that packet. This list is called the CSRC list. It is RECOMMENDED that an SRC or recording-aware UA, when acting as a mixer, set the CSRC list accordingly, and that the SRC and SRS interpret the CSRC list per [RFC3550] when received.

8.1.5. SDES

The Source Description (SDES), as defined in [RFC3550], contains an SSRC/CSRC identifier followed by a list of zero or more items that carry information about the SSRC/CSRC. End systems send one SDES packet containing their own source identifier (the same as the SSRC in the fixed RTP header). A mixer sends one SDES packet containing a chunk for each CSRC from which it is receiving SDES information, or multiple complete SDES packets if there are more than 31 such sources. The ability to identify individual CSRCs is important in the context of SIPREC. Metadata [RFC7865] provides a mechanism to achieve this at the signaling level. SDES provides a mechanism at the RTP level.
8.1.5.1. CNAME
The Canonical End-Point Identifier (CNAME), as defined in [RFC3550], provides the binding from the SSRC identifier to an identifier for the source (sender or receiver) that remains constant. It is important that the SRC and recording-aware UAs generate CNAMEs appropriately and that the SRC and SRS interpret and use them for this purpose. Guidelines for generating CNAME values are provided in "Guidelines for Choosing RTP Control Protocol (RTCP) Canonical Names (CNAMEs)" [RFC7022].

8.1.6. Keepalive

It is anticipated that media streams in SIPREC may exist in an inactive state for extended periods of time for any of a number of valid reasons. In order for the bindings and any pinholes in NATs/firewalls to remain active during such intervals, it is RECOMMENDED that the SRC, SRS, and recording-aware UAs follow the keepalive procedure recommended in "Application Mechanism for Keeping Alive the NAT Mappings Associated with RTP / RTP Control Protocol (RTCP) Flows" [RFC6263] for all RTP media streams.
Top   ToC   RFC7866 - Page 23

8.1.7. RTCP Feedback Messages

"Codec Control Messages in the RTP Audio-Visual Profile with Feedback (AVPF)" [RFC5104] specifies extensions to the messages defined in AVPF [RFC4585]. Support for and proper usage of these messages are important to SRC, SRS, and recording-aware UA implementations. Note that these messages are applicable only when using the AVPF or SAVPF RTP profiles.
8.1.7.1. Full Intra Request
A Full Intra Request (FIR) command, when received by the designated media sender, requires that the media sender send a decoder refresh point at the earliest opportunity. Using a decoder refresh point implies refraining from using any picture sent prior to that point as a reference for the encoding process of any subsequent picture sent in the stream. Decoder refresh points, especially Intra or Instantaneous Decoding Refresh (IDR) pictures for H.264 video codecs, are in general several times larger in size than predicted pictures. Thus, in scenarios in which the available bit rate is small, the use of a decoder refresh point implies a delay that is significantly longer than the typical picture duration.
8.1.7.1.1. Deprecated Usage of SIP INFO Instead of FIR
"XML Schema for Media Control" [RFC5168] defines an Extensible Markup Language (XML) Schema for video fast update. Implementations are discouraged from using the method described in [RFC5168], except for purposes of backward compatibility. Implementations SHOULD use FIR messages instead. To make sure that a common mechanism exists between the SRC and SRS, the SRS MUST support both mechanisms (FIR and SIP INFO), using FIR messages when negotiated successfully with the SRC and using SIP INFO otherwise.
8.1.7.2. Picture Loss Indication
Picture Loss Indication (PLI), as defined in [RFC4585], informs the encoder of the loss of an undefined amount of coded video data belonging to one or more pictures. [RFC4585] recommends using PLI instead of FIR messages to recover from errors. FIR is appropriate only in situations where not sending a decoder refresh point would render the video unusable for the users. Examples where sending FIR messages is appropriate include a multipoint conference when a new
Top   ToC   RFC7866 - Page 24
   user joins the conference and no regular decoder refresh point
   interval is established, and a video-switching Multipoint Control
   Unit (MCU) that changes streams.

   Appropriate use of PLI and FIR is important to ensure, with minimum
   overhead, that the recorded video is usable (e.g., the necessary
   reference frames exist for a player to render the recorded video).

8.1.7.3. Temporary Maximum Media Stream Bit Rate Request
A receiver, translator, or mixer uses the Temporary Maximum Media Stream Bit Rate Request (TMMBR) [RFC5104] to request a sender to limit the maximum bit rate for a media stream to the provided value. Appropriate use of TMMBR facilitates rapid adaptation to changes in available bandwidth.
8.1.7.3.1. Renegotiation of SDP Bandwidth Attribute
If it is likely that the new value indicated by TMMBR will be valid for the remainder of the session, the TMMBR sender is expected to perform a renegotiation of the session upper limit using the session signaling protocol. Therefore, for SIPREC, implementations are RECOMMENDED to use TMMBR for temporary changes and renegotiation of bandwidth via SDP offer/answer for more permanent changes.

8.1.8. Symmetric RTP/RTCP for Sending and Receiving

Within an SDP offer/answer exchange, RTP entities choose the RTP and RTCP transport addresses (i.e., IP addresses and port numbers) on which to receive packets. When sending packets, the RTP entities may use the same source port or a different source port than those signaled for receiving packets. When the transport address used to send and receive RTP is the same, it is termed "symmetric RTP" [RFC4961]. Likewise, when the transport address used to send and receive RTCP is the same, it is termed "symmetric RTCP" [RFC4961]. When sending RTP, the use of symmetric RTP is REQUIRED. When sending RTCP, the use of symmetric RTCP is REQUIRED. Although an SRS will not normally send RTP, it will send RTCP as well as receive RTP and RTCP. Likewise, although an SRC will not normally receive RTP from the SRS, it will receive RTCP as well as send RTP and RTCP. Note: Symmetric RTP and symmetric RTCP are different from RTP/RTCP multiplexing [RFC5761].
Top   ToC   RFC7866 - Page 25

8.2. Roles

An SRC has the task of gathering media from the various UAs in one or more CSs and forwarding the information to the SRS within the context of a corresponding RS. There are numerous ways in which an SRC may do this, including, but not limited to, appearing as a UA within a CS, or as a B2BUA between UAs within a CS. (Recording Session) +---------+ +------------SIP------->| | | +------RTP/RTCP----->| SRS | | | +-- Metadata -->| | | | | +---------+ v v | +---------+ | SRC | |---------| (Communication Session) +---------+ | |<----------SIP---------->| | | UA-A | | UA-B | | |<-------RTP/RTCP-------->| | +---------+ +---------+ Figure 8: UA as SRC (Recording Session) +---------+ +------------SIP------->| | | +------RTP/RTCP----->| SRS | | | +-- Metadata -->| | | | | +---------+ v v | +---------+ | SRC | +---------+ |---------| +---------+ | |<----SIP----->| |<----SIP----->| | | UA-A | | B2BUA | | UA-B | | |<--RTP/RTCP-->| |<--RTP/RTCP-->| | +---------+ +---------+ +---------+ |_______________________________________________| (Communication Session) Figure 9: B2BUA as SRC The following subsections define a set of roles an SRC may choose to play, based on its position with respect to a UA within a CS, and an SRS within an RS. A CS and a corresponding RS are independent sessions; therefore, an SRC may play a different role within a CS than it does within the corresponding RS.
Top   ToC   RFC7866 - Page 26

8.2.1. SRC Acting as an RTP Translator

The SRC may act as a translator, as defined in [RFC3550]. A defining characteristic of a translator is that it forwards RTP packets with their SSRC identifier intact. There are two types of translators: one that simply forwards, and another that performs transcoding (e.g., from one codec to another) in addition to forwarding.
8.2.1.1. Forwarding Translator
When acting as a forwarding translator, RTP received as separate streams from different sources (e.g., from different UAs with different SSRCs) cannot be mixed by the SRC and MUST be sent separately to the SRS. All RTCP reports MUST be passed by the SRC between the UAs and the SRS, such that the UAs and SRS are able to detect any SSRC collisions. RTCP Sender Reports generated by a UA sending a stream MUST be forwarded to the SRS. RTCP Receiver Reports generated by the SRS MUST be forwarded to the relevant UA. UAs may receive multiple sets of RTCP Receiver Reports -- one or more from other UAs participating in the CS, and one from the SRS participating in the RS. A UA SHOULD process the RTCP Receiver Reports from the SRS if it is recording aware. If SRTP is used on both the CS and the RS, decryption and/or re-encryption may occur. For example, if different keys are used, it will occur. If the same keys are used, it need not occur. Section 12 provides additional information on SRTP and keying mechanisms. If packet loss occurs, either from the UA to the SRC or from the SRC to the SRS, the SRS SHOULD detect and attempt to recover from the loss. The SRC does not play a role in this, other than forwarding the associated RTP and RTCP packets.
8.2.1.2. Transcoding Translator
When acting as a transcoding translator, an SRC MAY perform transcoding (e.g., from one codec to another), and this may result in a different rate of packets between what the SRC receives on the CS and what the SRC sends on the RS. As when acting as a forwarding translator, RTP received as separate streams from different sources (e.g., from different UAs with different SSRCs) cannot be mixed by the SRC and MUST be sent separately to the SRS. All RTCP reports MUST be passed by the SRC between the UAs and the SRS, such that the UAs and SRS are able to detect any SSRC collisions.
Top   ToC   RFC7866 - Page 27
   RTCP Sender Reports generated by a UA sending a stream MUST be
   forwarded to the SRS.  RTCP Receiver Reports generated by the SRS
   MUST be forwarded to the relevant UA.  The SRC may need to manipulate
   the RTCP Receiver Reports to take into account any transcoding that
   has taken place.

   UAs may receive multiple sets of RTCP Receiver Reports -- one or more
   from other UAs participating in the CS, and one from the SRS
   participating in the RS.  A recording-aware UA SHOULD be prepared to
   process the RTCP Receiver Reports from the SRS, whereas a recording-
   unaware UA may discard such RTCP packets as irrelevant.

   If SRTP is used on both the CS and the RS, decryption and/or
   re-encryption may occur.  For example, if different keys are used, it
   will occur.  If the same keys are used, it need not occur.
   Section 12 provides additional information on SRTP and keying
   mechanisms.

   If packet loss occurs, either from the UA to the SRC or from the SRC
   to the SRS, the SRS SHOULD detect and attempt to recover from the
   loss.  The SRC does not play a role in this, other than forwarding
   the associated RTP and RTCP packets.

8.2.2. SRC Acting as an RTP Mixer

In the case of the SRC acting as an RTP mixer, as defined in [RFC3550], the SRC combines RTP streams from different UAs and sends them towards the SRS using its own SSRC. The SSRCs from the contributing UA SHOULD be conveyed as CSRC identifiers within this stream. The SRC may make timing adjustments among the received streams and generate its own timing on the stream sent to the SRS. Optionally, an SRC acting as a mixer can perform transcoding and can even cope with different codings received from different UAs. RTCP Sender Reports and Receiver Reports are not forwarded by an SRC acting as a mixer, but there are requirements for forwarding RTCP Source Description (SDES) packets. The SRC generates its own RTCP Sender Reports and Receiver Reports toward the associated UAs and SRS. The use of SRTP between the SRC and the SRS for the RS is independent of the use of SRTP between the UAs and the SRC for the CS. Section 12 provides additional information on SRTP and keying mechanisms. If packet loss occurs from the UA to the SRC, the SRC SHOULD detect and attempt to recover from the loss. If packet loss occurs from the SRC to the SRS, the SRS SHOULD detect and attempt to recover from the loss.
Top   ToC   RFC7866 - Page 28

8.2.3. SRC Acting as an RTP Endpoint

The case of the SRC acting as an RTP endpoint, as defined in [RFC3550], is similar to the mixer case, except that the RTP session between the SRC and the SRS is considered completely independent from the RTP session that is part of the CS. The SRC can, but need not, mix RTP streams from different participants prior to sending to the SRS. RTCP between the SRC and the SRS is completely independent of RTCP on the CS. The use of SRTP between the SRC and the SRS for the RS is independent of the use of SRTP between the UAs and SRC for the CS. Section 12 provides additional information on SRTP and keying mechanisms. If packet loss occurs from the UA to the SRC, the SRC SHOULD detect and attempt to recover from the loss. If packet loss occurs from the SRC to the SRS, the SRS SHOULD detect and attempt to recover from the loss.

8.3. RTP Session Usage by SRC

There are multiple ways that an SRC may choose to deliver recorded media to an SRS. In some cases, it may use a single RTP session for all media within the RS, whereas in others it may use multiple RTP sessions. The following subsections provide examples of basic RTP session usage by the SRC, including a discussion of how the RTP constructs and mechanisms covered previously are used. An SRC may choose to use one or more of the RTP session usages within a single RS. For the purpose of base interoperability between SRC and SRS, an SRC MUST support separate m-lines in SDP, one per CS media direction. The set of RTP session usages described is not meant to be exhaustive.

8.3.1. SRC Using Multiple m-lines

When using multiple m-lines, an SRC includes each m-line in an SDP offer to the SRS. The SDP answer from the SRS MUST include all m-lines, with any rejected m-lines indicated with a zero port, per [RFC3264]. Having received the answer, the SRC starts sending media to the SRS as indicated in the answer. Alternatively, if the SRC deems the level of support indicated in the answer to be unacceptable, it may initiate another SDP offer/answer exchange in which an alternative RTP session usage is negotiated.
Top   ToC   RFC7866 - Page 29
   In order to preserve the mapping of media to participant within the
   CSs in the RS, the SRC SHOULD map each unique CNAME within the CSs to
   a unique CNAME within the RS.  Additionally, the SRC SHOULD map each
   unique combination of CNAME/SSRC within the CSs to a unique
   CNAME/SSRC within the RS.  In doing so, the SRC may act as an
   RTP translator or as an RTP endpoint.

   Figure 10 illustrates a case in which each UA represents a
   participant contributing two RTP sessions (e.g., one for audio and
   one for video), each with a single SSRC.  The SRC acts as an RTP
   translator and delivers the media to the SRS using four RTP sessions,
   each with a single SSRC.  The CNAME and SSRC values used by the UAs
   within their media streams are preserved in the media streams from
   the SRC to the SRS.

                                                        +---------+
                                +------------SSRC Aa--->|         |
                                |  + --------SSRC Av--->|         |
                                |  |  +------SSRC Ba--->|   SRS   |
                                |  |  |  +---SSRC Bv--->|         |
                                |  |  |  |              +---------+
                                |  |  |  |
                                |  |  |  |
       +---------+             +----------+             +---------+
       |         |---SSRC Aa-->|   SRC    |<--SSRC Ba---|         |
       |  UA-A   |             |(CNAME-A, |             |  UA-B   |
       |(CNAME-A)|---SSRC Av-->| CNAME-B) |<--SSRC Bv---|(CNAME-B)|
       +---------+             +----------+             +---------+

                   Figure 10: SRC Using Multiple m-lines

8.3.2. SRC Using Mixing

When using mixing, the SRC combines RTP streams from different participants and sends them towards the SRS using its own SSRC. The SSRCs from the contributing participants SHOULD be conveyed as CSRC identifiers. The SRC includes one m-line for each RTP session in an SDP offer to the SRS. The SDP answer from the SRS MUST include all m-lines, with any rejected m-lines indicated with a zero port, per [RFC3264]. Having received the answer, the SRC starts sending media to the SRS as indicated in the answer. In order to preserve the mapping of media to participant within the CSs in the RS, the SRC SHOULD map each unique CNAME within the CSs to a unique CNAME within the RS. Additionally, the SRC SHOULD map each unique combination of CNAME/SSRC within the CSs to a unique
Top   ToC   RFC7866 - Page 30
   CNAME/SSRC within the RS.  The SRC MUST avoid SSRC collisions,
   rewriting SSRCs if necessary when used as CSRCs in the RS.  In
   doing so, the SRC acts as an RTP mixer.

   In the event that the SRS does not support this usage of CSRC values,
   it relies entirely on the SIPREC metadata to determine the
   participants included within each mixed stream.

   Figure 11 illustrates a case in which each UA represents a
   participant contributing two RTP sessions (e.g., one for audio and
   one for video), each with a single SSRC.  The SRC acts as an RTP
   mixer and delivers the media to the SRS using two RTP sessions,
   mixing media from each participant into a single RTP session
   containing a single SSRC and two CSRCs.

                                          SSRC Sa       +---------+
                                  +-------CSRC Aa,Ba--->|         |
                                  |                     |         |
                                  |       SSRC Sv       |   SRS   |
                                  |   +---CSRC Av,Bv--->|         |
                                  |   |                 +---------+
                                  |   |
                               +----------+
       +---------+             |   SRC    |             +---------+
       |         |---SSRC Aa-->|(CNAME-S, |<--SSRC Ba---|         |
       |  UA-A   |             | CNAME-A, |             |  UA-B   |
       |(CNAME-A)|---SSRC Av-->| CNAME-B) |<--SSRC Bv---|(CNAME-B)|
       +---------+             +----------+             +---------+

                        Figure 11: SRC Using Mixing

8.4. RTP Session Usage by SRS

An SRS that supports recording an audio CS MUST support SRC usage of separate audio m-lines in SDP, one per CS media direction. An SRS that supports recording a video CS MUST support SRC usage of separate video m-lines in SDP, one per CS media direction. Therefore, for an SRS supporting a typical audio call, the SRS has to support receiving at least two audio m-lines. For an SRS supporting a typical audio and video call, the SRS has to support receiving at least four total m-lines in the SDP -- two audio m-lines and two video m-lines. These requirements allow an SRS to be implemented that supports video only, without requiring support for audio recording. They also allow an SRS to be implemented that supports recording only one direction of one stream in a CS -- for example, an SRS designed to record security monitoring cameras that only send (not receive) video without any audio. These requirements were not written to prevent
Top   ToC   RFC7866 - Page 31
   other modes from being implemented and used, such as using a single
   m-line and mixing the separate audio streams together.  Rather, the
   requirements were written to provide a common base mode to implement
   for the sake of interoperability.  It is important to note that an
   SRS implementation supporting the common base mode may not record all
   media streams in a CS if a participant supports more than one m-line
   in a video call, such as one for camera and one for presentation.
   SRS implementations may support other modes as well, but they have to
   at least support the modes discussed above, such that they
   interoperate in the common base mode for basic interoperability.

9. Metadata

Some metadata attributes are contained in SDP, and others are contained in a new content type called "application/rs-metadata". The format of the metadata is described as part of the mechanism in [RFC7865]. A new "disposition-type" of Content-Disposition is defined for the purpose of carrying metadata. The value is "recording-session", which indicates that the "application/rs-metadata" content contains metadata to be handled by the SRS.

9.1. Procedures at the SRC

The SRC MUST send metadata to the SRS in an RS. The SRC SHOULD send metadata as soon as it becomes available and whenever it changes. Cases in which an SRC may be justified in waiting temporarily before sending metadata include: o waiting for a previous metadata exchange to complete (i.e., the SRC cannot send another SDP offer until the previous offer/answer completes and may also prefer not to send an UPDATE during this time). o constraining the signaling rate on the RS. o sending metadata when key events occur, rather than for every event that has any impact on metadata. The SRC may also be configured to suppress certain metadata out of concern for privacy or perceived lack of need for it to be included in the recording. Metadata sent by the SRC is categorized as either a full metadata snapshot or a partial update. A full metadata snapshot describes all metadata associated with the RS. The SRC MAY send a full metadata snapshot at any time. The SRC MAY send a partial update only if a full metadata snapshot has been sent previously.
Top   ToC   RFC7866 - Page 32
   The SRC MAY send metadata (either a full metadata snapshot or a
   partial update) in an INVITE request, an UPDATE request [RFC3311], or
   a 200 response to an offerless INVITE from the SRS.  If the metadata
   contains a reference to any SDP labels, the request containing the
   metadata MUST also contain an SDP offer that defines those labels.

   When a SIP message contains both an SDP offer and metadata, the
   request body MUST have content type "multipart/mixed", with one
   subordinate body part containing the SDP offer and another containing
   the metadata.  When a SIP message contains only an SDP offer or
   metadata, the "multipart/mixed" container is optional.

   The SRC SHOULD include a full metadata snapshot in the initial INVITE
   request establishing the RS.  If metadata is not yet available (e.g.,
   an RS established in the absence of a CS), the SRC SHOULD send a full
   metadata snapshot as soon as metadata becomes available.

   If the SRC receives a snapshot request from the SRS, it MUST
   immediately send a full metadata snapshot.
Top   ToC   RFC7866 - Page 33
   Figure 12 illustrates an example of a full metadata snapshot sent by
   the SRC in the initial INVITE request:

       INVITE sip:recorder@example.com SIP/2.0
       Via: SIP/2.0/TCP src.example.com;branch=z9hG4bKdf6b622b648d9
       From: <sip:2000@example.com>;tag=35e195d2-947d-4585-946f-09839247
       To: <sip:recorder@example.com>
       Call-ID: d253c800-b0d1ea39-4a7dd-3f0e20a
       CSeq: 101 INVITE
       Max-Forwards: 70
       Require: siprec
       Accept: application/sdp, application/rs-metadata
       Contact: <sip:2000@src.example.com>;+sip.src
       Content-Type: multipart/mixed;boundary=foobar
       Content-Length: [length]

       --foobar
       Content-Type: application/sdp

       v=0
       o=SRS 2890844526 2890844526 IN IP4 198.51.100.1
       s=-
       c=IN IP4 198.51.100.1
       t=0 0
       m=audio 12240 RTP/AVP 0 4 8
       a=sendonly
       a=label:1

       --foobar
       Content-Type: application/rs-metadata
       Content-Disposition: recording-session

       [metadata content]

        Figure 12: Sample INVITE Request for the Recording Session

9.2. Procedures at the SRS

The SRS receives metadata updates from the SRC in INVITE and UPDATE requests. Since the SRC can send partial updates based on the previous update, the SRS needs to keep track of the sequence of updates from the SRC. In the case of an internal failure at the SRS, the SRS may fail to recognize a partial update from the SRC. The SRS may be able to recover from the internal failure by requesting a full metadata snapshot from the SRC. Certain errors, such as syntax errors or semantic errors in the metadata information, are likely caused by an
Top   ToC   RFC7866 - Page 34
   error on the SRC side, and it is likely that the same error will
   occur again even when a full metadata snapshot is requested.  In
   order to avoid repeating the same error, the SRS can simply terminate
   the RS when a syntax error or semantic error is detected in the
   metadata.

   The SRS MAY explicitly request a full metadata snapshot by sending an
   UPDATE request.  This request MUST contain a body with
   Content-Disposition type "recording-session" and MUST NOT contain an
   SDP body.  The SRS MUST NOT request a full metadata snapshot in an
   UPDATE response or in any other SIP transaction.  The format of the
   content is "application/rs-metadata", and the body is an XML
   document, the format of which is defined in [RFC7865].  Figure 13
   shows an example:

     UPDATE sip:2000@src.example.com SIP/2.0
     Via: SIP/2.0/UDP srs.example.com;branch=z9hG4bKdf6b622b648d9
     To: <sip:2000@example.com>;tag=35e195d2-947d-4585-946f-098392474
     From: <sip:recorder@example.com>;tag=1234567890
     Call-ID: d253c800-b0d1ea39-4a7dd-3f0e20a
     CSeq: 1 UPDATE
     Max-Forwards: 70
     Require: siprec
     Contact: <sip:recorder@srs.example.com>;+sip.srs
     Accept: application/sdp, application/rs-metadata
     Content-Disposition: recording-session
     Content-Type: application/rs-metadata
     Content-Length: [length]

     <?xml version="1.0" encoding="UTF-8"?>
       <requestsnapshot xmlns='urn:ietf:params:xml:ns:recording:1'>
         <requestreason xml:lang="it">SRS internal error</requestreason>
       </requestsnapshot>

                        Figure 13: Metadata Request

   Note that UPDATE was chosen for the SRS to request a metadata
   snapshot, because it can be sent regardless of the state of the
   dialog.  This was seen as better than requiring support for both
   UPDATE and re-INVITE messages for this operation.

   When the SRC receives a request for a metadata snapshot, it MUST
   immediately provide a full metadata snapshot in a separate INVITE or
   UPDATE transaction.  Any subsequent partial updates will not be
   dependent on any metadata sent prior to this full metadata snapshot.
Top   ToC   RFC7866 - Page 35
   The metadata received by the SRS can contain ID elements used to
   cross-reference one element to another.  An element containing the
   definition of an ID and an element containing a reference to that ID
   will often be received from the same SRC.  It is also valid for those
   elements to be received from different SRCs -- for example, when each
   endpoint in the same CS acts as an SRC to record the call and a
   common ID refers to the same CS.  The SRS MUST NOT consider this an
   error.

10. Persistent Recording

Persistent recording is a specific use case addressing REQ-005 in [RFC6341], where an RS can be established in the absence of a CS. The SRC continuously records media in an RS to the SRS even in the absence of a CS for all UAs that are part of persistent recording. By allocating recorded streams and continuously sending recorded media to the SRS, the SRC does not have to prepare new recorded streams with a new SDP offer when a new CS is created and also does not impact the timing of the CS. The SRC only needs to update the metadata when new CSs are created. When there is no CS running on the devices with persistent recording, there is no recorded media to stream from the SRC to the SRS. In certain environments where a Network Address Translator (NAT) is used, a minimum amount of flow activity is typically required to maintain the NAT binding for each port opened. Agents that support Interactive Connectivity Establishment (ICE) solve this problem. For non-ICE agents, in order not to lose the NAT bindings for the RTP/RTCP ports opened for the recorded streams, the SRC and SRS SHOULD follow the recommendations provided in [RFC6263] to maintain the NAT bindings.
Top   ToC   RFC7866 - Page 36

11. IANA Considerations

11.1. Registration of Option Tags

This specification registers two option tags. The required information for this registration, as specified in [RFC3261], is as follows.

11.1.1. "siprec" Option Tag

Name: siprec Description: This option tag is for identifying that the SIP session is for the purpose of an RS. This is typically not used in a Supported header. When present in a Require header in a request, it indicates that the UA is either an SRC or SRS capable of handling an RS.

11.1.2. "record-aware" Option Tag

Name: record-aware Description: This option tag is to indicate the ability of the UA to receive recording indicators in media-level or session-level SDP. When present in a Supported header, it indicates that the UA can receive recording indicators in media-level or session-level SDP.

11.2. Registration of Media Feature Tags

This document registers two new media feature tags in the SIP tree per the process defined in [RFC2506] and [RFC3840].

11.2.1. Feature Tag for the SRC

Media feature tag name: sip.src ASN.1 Identifier: 1.3.6.1.8.4.27 Summary of the media feature indicated by this tag: This feature tag indicates that the UA is a Session Recording Client for the purpose of an RS. Values appropriate for use with this feature tag: boolean The feature tag is intended primarily for use in the following applications, protocols, services, or negotiation mechanisms: This feature tag is only useful for an RS.
Top   ToC   RFC7866 - Page 37
   Examples of typical use:  Routing the request to a Session Recording
      Server.

   Security Considerations:  Security considerations for this media
      feature tag are discussed in Section 11.1 of RFC 3840.

11.2.2. Feature Tag for the SRS

Media feature tag name: sip.srs ASN.1 Identifier: 1.3.6.1.8.4.28 Summary of the media feature indicated by this tag: This feature tag indicates that the UA is a Session Recording Server for the purpose of an RS. Values appropriate for use with this feature tag: boolean The feature tag is intended primarily for use in the following applications, protocols, services, or negotiation mechanisms: This feature tag is only useful for an RS. Examples of typical use: Routing the request to a Session Recording Client. Security Considerations: Security considerations for this media feature tag are discussed in Section 11.1 of RFC 3840.

11.3. New Content-Disposition Parameter Registrations

This document registers a new "disposition-type" value in the Content-Disposition header: recording-session. recording-session: The body describes either * metadata about the RS or * the reason for the metadata snapshot request as determined by the MIME value indicated in the Content-Type.
Top   ToC   RFC7866 - Page 38

11.4. SDP Attributes

This document registers the following new SDP attributes.

11.4.1. "record" SDP Attribute

Contact names: Leon Portman, leon.portman@nice.com; Henry Lum, henry.lum@genesyslab.com Attribute name: record Long-form attribute name: Recording Indication Type of attribute: session level or media level Subject to charset: no This attribute provides the recording indication for the session or media stream. Allowed attribute values: on, off, paused

11.4.2. "recordpref" SDP Attribute

Contact names: Leon Portman, leon.portman@nice.com; Henry Lum, henry.lum@genesyslab.com Attribute name: recordpref Long-form attribute name: Recording Preference Type of attribute: session level or media level Subject to charset: no This attribute provides the recording preference for the session or media stream. Allowed attribute values: on, off, pause, nopreference
Top   ToC   RFC7866 - Page 39

12. Security Considerations

The RS is fundamentally a standard SIP dialog [RFC3261]; therefore, the RS can reuse any of the existing SIP security mechanisms available for securing the session signaling, the recorded media, and the metadata. The use cases and requirements document [RFC6341] outlines the general security considerations, and this document describes specific security recommendations. The SRC and SRS MUST support SIP with Transport Layer Security (TLS) version 1.2, SHOULD follow the best practices when using TLS as per [RFC7525], and MAY use Session Initiation Protocol Secure (SIPS) with TLS as per [RFC5630]. The RS MUST be at least as secure as the CS; this means using at least the same strength of cipher suite as the CS if the CS is secured. For example, if the CS uses SIPS for signaling and RTP/SAVP for media, then the RS may not use SIP or plain RTP unless other equivalent security measures are in effect, since doing so would mean an effective security downgrade. Examples of other potentially equivalent security mechanisms include mutually authenticated TLS for the RS signaling channel or an appropriately protected network path for the RS media component.

12.1. Authentication and Authorization

At the transport level, the RS uses TLS authentication to validate the authenticity of the SRC and SRS. The SRC and SRS MUST implement TLS mutual authentication for establishing the RS. Whether the SRC/SRS chooses to use TLS mutual authentication is a deployment decision. In deployments where a UA acts as its own SRC, this requires that the UA have its own certificate as needed for TLS mutual authentication. In deployments where the SRC and the SRS are in the same administrative domain and have some other means of assuring authenticity, the SRC and SRS may choose not to authenticate each other or to have the SRC authenticate the SRS only. In deployments where the SRS can be hosted on a different administrative domain, it is important to perform mutual authentication to ensure the authenticity of both the SRC and the SRS before transmitting any recorded media. The risk of not authenticating the SRS is that the recording may be sent to an entity other than the intended SRS, allowing a sensitive call recording to be received by an attacker. On the other hand, the risk of not authenticating the SRC is that an SRS will accept calls from an unknown SRC and allow potential forgery of call recordings. There may be scenarios in which the signaling between the SRC and SRS is not direct, e.g., a SIP proxy exists between the SRC and the SRS. In such scenarios, each hop is subject to the TLS mutual authentication constraint, and transitive trust at each hop is
Top   ToC   RFC7866 - Page 40
   utilized.  Additionally, an SRC or SRS may use other existing SIP
   mechanisms available, including, but not limited to, Digest
   authentication [RFC3261], asserted identity [RFC3325], and connected
   identity [RFC4916].

   The SRS may have its own set of recording policies to authorize
   recording requests from the SRC.  The use of recording policies is
   outside the scope of the Session Recording Protocol.

12.2. RTP Handling

In many scenarios, it will be critical for the media transported between the SRC and the SRS to be protected. Media encryption is an important element in the overall SIPREC solution; therefore, the SRC and the SRS MUST support RTP/SAVP [RFC3711] and RTP/SAVPF [RFC5124]. RTP/SAVP and RTP/SAVPF provide media encryption, integrity protection, replay protection, and a limited form of source authentication. They do not contain or require a specific keying mechanism. At a minimum, the SRC and SRS MUST support the SDP security descriptions key negotiation mechanism [RFC4568]. For cases in which Datagram Transport Layer Security for Secure RTP (DTLS-SRTP) is used to encrypt a CS media stream, an SRC may use SRTP Encrypted Key Transport (EKT) [EKT-SRTP] in order to use SRTP-SDES in the RS without needing to re-encrypt the media. Note: When using EKT in this manner, it is possible for participants in the CS to send traffic that appears to be from other participants and have this forwarded by the SRC to the SRS within the RS. If this is a concern (e.g., the RS is intended for audit or compliance purposes), EKT is not an appropriate choice. When RTP/SAVP or RTP/SAVPF is used, an SRC can choose to use the same keys or different keys in the RS than those used in the CS. Some SRCs are designed to simply replicate RTP packets from a CS media stream to the SRS, in which case the SRC will use the same key in the RS as the key used in the CS. In this case, the SRC MUST secure the SDP containing the keying material in the RS with at least the same level of security as in the CS. The risk of lowering the level of security in the RS is that it will effectively become a downgrade attack on the CS, since the same key is used for both the CS and the RS. SRCs that decrypt an encrypted CS media stream and re-encrypt it when sending it to the SRS MUST use a different key than what is used for the CS media stream, to ensure that it is not possible for someone who has the key for the CS media stream to access recorded data they
Top   ToC   RFC7866 - Page 41
   are not authorized to access.  In order to maintain a comparable
   level of security, the key used in the RS SHOULD be of equivalent
   strength to, or greater strength than, that used in the CS.

12.3. Metadata

Metadata contains sensitive information, such as the address of record of the participants and other extension data placed by the SRC. It is essential to protect the content of the metadata in the RS. Since metadata is a content type transmitted in SIP signaling, metadata SHOULD be protected at the transport level by SIPS/TLS.

12.4. Storage and Playback

While storage and playback of the call recording are beyond the scope of this document, it is worthwhile to mention here that it is also important for the recording storage and playback to provide a level of security that is comparable to the CS. It would defeat the purpose of securing both the CS and the RS mentioned in the previous sections if the recording can be easily played back with a simple, unsecured HTTP interface without any form of authentication or authorization.

13. References

13.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC2506] Holtman, K., Mutz, A., and T. Hardie, "Media Feature Tag Registration Procedure", BCP 31, RFC 2506, DOI 10.17487/RFC2506, March 1999, <http://www.rfc-editor.org/info/rfc2506>. [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, DOI 10.17487/RFC3261, June 2002, <http://www.rfc-editor.org/info/rfc3261>. [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model with Session Description Protocol (SDP)", RFC 3264, DOI 10.17487/RFC3264, June 2002, <http://www.rfc-editor.org/info/rfc3264>.
Top   ToC   RFC7866 - Page 42
   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
              Jacobson, "RTP: A Transport Protocol for Real-Time
              Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550,
              July 2003, <http://www.rfc-editor.org/info/rfc3550>.

   [RFC3840]  Rosenberg, J., Schulzrinne, H., and P. Kyzivat,
              "Indicating User Agent Capabilities in the Session
              Initiation Protocol (SIP)", RFC 3840,
              DOI 10.17487/RFC3840, August 2004,
              <http://www.rfc-editor.org/info/rfc3840>.

   [RFC4574]  Levin, O. and G. Camarillo, "The Session Description
              Protocol (SDP) Label Attribute", RFC 4574,
              DOI 10.17487/RFC4574, August 2006,
              <http://www.rfc-editor.org/info/rfc4574>.

   [RFC5234]  Crocker, D., Ed., and P. Overell, "Augmented BNF for
              Syntax Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008,
              <http://www.rfc-editor.org/info/rfc5234>.

   [RFC7245]  Hutton, A., Ed., Portman, L., Ed., Jain, R., and K. Rehor,
              "An Architecture for Media Recording Using the Session
              Initiation Protocol", RFC 7245, DOI 10.17487/RFC7245,
              May 2014, <http://www.rfc-editor.org/info/rfc7245>.

   [RFC7865]  Ravindranath, R., Ravindran, P., and P. Kyzivat, "Session
              Initiation Protocol (SIP) Recording Metadata", RFC 7865,
              DOI 10.17487/RFC7865, May 2016,
              <http://www.rfc-editor.org/info/rfc7865>.

13.2. Informative References

[EKT-SRTP] Mattsson, J., Ed., McGrew, D., Wing, D., and F. Andreasen, "Encrypted Key Transport for Secure RTP", Work in Progress, draft-ietf-avtcore-srtp-ekt-03, October 2014. [RFC2804] IAB and IESG, "IETF Policy on Wiretapping", RFC 2804, DOI 10.17487/RFC2804, May 2000, <http://www.rfc-editor.org/info/rfc2804>. [RFC3311] Rosenberg, J., "The Session Initiation Protocol (SIP) UPDATE Method", RFC 3311, DOI 10.17487/RFC3311, October 2002, <http://www.rfc-editor.org/info/rfc3311>.
Top   ToC   RFC7866 - Page 43
   [RFC3325]  Jennings, C., Peterson, J., and M. Watson, "Private
              Extensions to the Session Initiation Protocol (SIP) for
              Asserted Identity within Trusted Networks", RFC 3325,
              DOI 10.17487/RFC3325, November 2002,
              <http://www.rfc-editor.org/info/rfc3325>.

   [RFC3551]  Schulzrinne, H. and S. Casner, "RTP Profile for Audio and
              Video Conferences with Minimal Control", STD 65, RFC 3551,
              DOI 10.17487/RFC3551, July 2003,
              <http://www.rfc-editor.org/info/rfc3551>.

   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
              Norrman, "The Secure Real-time Transport Protocol (SRTP)",
              RFC 3711, DOI 10.17487/RFC3711, March 2004,
              <http://www.rfc-editor.org/info/rfc3711>.

   [RFC4568]  Andreasen, F., Baugher, M., and D. Wing, "Session
              Description Protocol (SDP) Security Descriptions for Media
              Streams", RFC 4568, DOI 10.17487/RFC4568, July 2006,
              <http://www.rfc-editor.org/info/rfc4568>.

   [RFC4585]  Ott, J., Wenger, S., Sato, N., Burmeister, C., and J. Rey,
              "Extended RTP Profile for Real-time Transport Control
              Protocol (RTCP)-Based Feedback (RTP/AVPF)", RFC 4585,
              DOI 10.17487/RFC4585, July 2006,
              <http://www.rfc-editor.org/info/rfc4585>.

   [RFC4916]  Elwell, J., "Connected Identity in the Session Initiation
              Protocol (SIP)", RFC 4916, DOI 10.17487/RFC4916,
              June 2007, <http://www.rfc-editor.org/info/rfc4916>.

   [RFC4961]  Wing, D., "Symmetric RTP / RTP Control Protocol (RTCP)",
              BCP 131, RFC 4961, DOI 10.17487/RFC4961, July 2007,
              <http://www.rfc-editor.org/info/rfc4961>.

   [RFC5104]  Wenger, S., Chandra, U., Westerlund, M., and B. Burman,
              "Codec Control Messages in the RTP Audio-Visual Profile
              with Feedback (AVPF)", RFC 5104, DOI 10.17487/RFC5104,
              February 2008, <http://www.rfc-editor.org/info/rfc5104>.

   [RFC5124]  Ott, J. and E. Carrara, "Extended Secure RTP Profile for
              Real-time Transport Control Protocol (RTCP)-Based Feedback
              (RTP/SAVPF)", RFC 5124, DOI 10.17487/RFC5124,
              February 2008, <http://www.rfc-editor.org/info/rfc5124>.

   [RFC5168]  Levin, O., Even, R., and P. Hagendorf, "XML Schema for
              Media Control", RFC 5168, DOI 10.17487/RFC5168,
              March 2008, <http://www.rfc-editor.org/info/rfc5168>.
Top   ToC   RFC7866 - Page 44
   [RFC5630]  Audet, F., "The Use of the SIPS URI Scheme in the Session
              Initiation Protocol (SIP)", RFC 5630,
              DOI 10.17487/RFC5630, October 2009,
              <http://www.rfc-editor.org/info/rfc5630>.

   [RFC5761]  Perkins, C. and M. Westerlund, "Multiplexing RTP Data and
              Control Packets on a Single Port", RFC 5761,
              DOI 10.17487/RFC5761, April 2010,
              <http://www.rfc-editor.org/info/rfc5761>.

   [RFC6263]  Marjou, X. and A. Sollaud, "Application Mechanism for
              Keeping Alive the NAT Mappings Associated with RTP / RTP
              Control Protocol (RTCP) Flows", RFC 6263,
              DOI 10.17487/RFC6263, June 2011,
              <http://www.rfc-editor.org/info/rfc6263>.

   [RFC6341]  Rehor, K., Ed., Portman, L., Ed., Hutton, A., and R. Jain,
              "Use Cases and Requirements for SIP-Based Media Recording
              (SIPREC)", RFC 6341, DOI 10.17487/RFC6341, August 2011,
              <http://www.rfc-editor.org/info/rfc6341>.

   [RFC7022]  Begen, A., Perkins, C., Wing, D., and E. Rescorla,
              "Guidelines for Choosing RTP Control Protocol (RTCP)
              Canonical Names (CNAMEs)", RFC 7022, DOI 10.17487/RFC7022,
              September 2013, <http://www.rfc-editor.org/info/rfc7022>.

   [RFC7525]  Sheffer, Y., Holz, R., and P. Saint-Andre,
              "Recommendations for Secure Use of Transport Layer
              Security (TLS) and Datagram Transport Layer Security
              (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525,
              May 2015, <http://www.rfc-editor.org/info/rfc7525>.

Acknowledgements

We want to thank John Elwell, Paul Kyzivat, Partharsarathi R, Ram Mohan R, Hadriel Kaplan, Adam Roach, Miguel Garcia, Thomas Stach, Muthu Perumal, Dan Wing, and Magnus Westerlund for their valuable comments and inputs to this document.
Top   ToC   RFC7866 - Page 45

Authors' Addresses

Leon Portman NICE Systems 22 Zarhin Street P.O. Box 690 Ra'anana 4310602 Israel Email: leon.portman@gmail.com Henry Lum (editor) Genesys 1380 Rodick Road, Suite 201 Markham, Ontario L3R4G5 Canada Email: henry.lum@genesyslab.com Charles Eckel Cisco 170 West Tasman Drive San Jose, CA 95134 United States Email: eckelcu@cisco.com Alan Johnston Illinois Institute of Technology Bellevue, WA United States Email: alan.b.johnston@gmail.com Andrew Hutton Unify Brickhill Street Milton Keynes MK15 0DJ United Kingdom Email: andrew.hutton@unify.com