| DISPATCH Working Group | J.F.J. van Elburg |
| Internet-Draft | Detecon International Gmbh |
| Intended status: Informational | K. Drage |
| Expires: January 13, 2014 | Alcatel-Lucent |
| M. Ohsugi | |
| S. Schubert | |
| K. Arai | |
| NTT | |
| July 12, 2013 |
The Session Initiation Protocol (SIP) P-Private-Network-Indication Private-Header (P-Header)
draft-vanelburg-dispatch-private-network-ind-02
This document specifies the SIP P-Private-Network-Indication P-header used by the 3rd-Generation Partnership Project (3GPP). The use of this private network indication extension is only applicable inside an administrative domain with previously agreed-upon policies for generation, transport and usage of such information. A private network indication allows nodes in such a domain to treat private network traffic according to a different set of rules than the set applicable to public network traffic. The indication also distinguishes traffic from one private network from another private network.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 13, 2014.
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
ETSI TISPAN defined Next Generation Networks (NGN) which uses the 3rd-Generqation Partnership Project (3GPP) IMS (IP Multimedia Subsystem) which in turn uses SIP (RFC3261 [RFC3261]) as its main signaling protocol. (For more information on the IMS, a detailed description can be found in 3GPP TS 23.228 [3GPP.23.228] and 3GPP TS 24.229 [3GPP.24.229].) 3GPP and ETSI TISPAN have identified a set of requirements that can be met by defining a new optional SIP header, according to the procedures in RFC 5727 [RFC5727].
According to RFC 3427 [RFC3427], P-headers have a limited applicability. Specifications of P-headers such as this RFC need to clearly document the useful scope of the proposal, and explain its limitations and why it is not suitable for the general use of SIP on the Internet.
The P-Private-Network-Indication header field is intended to be used in controlled closed networks like 3GPP IMS and ETSI TISPAN NGN networks. The P-Private-Network-Indication header is not intended for the general internet environment and is probably not suitable for such an environment.
The P-Private-Network-Indication header field has been referred by 3GPP IMS specifications and has already been used in some networks as an indicator for a specific capability. The header field has been already implemented in some vendors' equipment in some countries. RFC 5727 [RFC5727] prohibits the new proposal of P-header "unless existing deployments or standards use the prefix already." The P-Private-Network-Indication header field is already used by existing deployments and 3GPP standards, therefore, this is exactly the case where the P-header is allowed as an exception.
ETSI TISPAN has identified a framework [ETSI.181.019] for the support of business communication capabilities by the NGN. As well as the direct attachment of Next Generation Corporate Network (NGCN) equipment, this includes the capability to "host" functionality relating to an enterprise within the NGN itself.
These hosting arrangements are:
ETSI TISPAN has requirements that can be met by the introduction of an explicit indication for private network traffic.
The traffic generated or received by a public NGN on behalf of a private network can be either:
A private network indication as proposed by this document is an indication to network element (supporting this specification) traversed that this is a private network traffic as opposed to a public network traffic. This indication does not identify an end user on a private network and is not for delivery to an end user on the private network. It is an indication that special service arrangements apply (if such service is configured based on private network traffic) for an enterprise, and therefore it is an indication of service on behalf to an enterprise, not an indication of service to a private network's end user.
In order to allow NGN IMS nodes to perform different processing, ETSI TISPAN formulated the following requirements on NGN:
To summarize a few example reasons for a public NGN to make the distinction between the two types of traffic:
There are several reasons why there is a need for an explicit indication in the signaling:
Given the above background this document will formulate requirements for SIP to support an explicit private network indication.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [RFC2119].
In the context of this document the term traffic is understood as all communication pertaining to and/or controlled by a SIP transaction or dialog.
Traffic sent to or received from a public telecommunication network for processing according to the rules for ordinary subscribers of a public telecommunication network.
Traffic sent to or received from a public telecommunication network for processing according to an agreed set of rules specific to an enterprise or a community of closely related enterprises.
The term Trust Domain in this document is taken from RFC3324 [RFC3324]. A trust domain applies to the private network indication. The rules for specifying such a trust domain are specified in RFC3324 [RFC3324] which require the filling out a Spec (T).
The Spec (T) need not specify the same contents and trust domain boundaries that are used for other header fields like for example the P-Asserted-Identity.
Figure 1 shows the interconnection of sites belonging to two private networks using the public network. Traffic in the public network relating to the interconnection of the two sites of enterprise 1 are tagged as private network traffic relating to enterprise 1. In certain cases an enterprise can also choose to send traffic from one enterprise site to another enterprise site as public network traffic when this is beneficial to the enterprise. Traffic in the public network relating to the interconnection of the two sites of enterprise 2 are tagged as private network traffic relating to enterprise 2. Enterprise 1 also generates traffic to public phones and this is public network traffic (untagged in the public network). There may be circumstances where traffic between two different enterprises are tagged as private network traffic relating to the common domain that is pre-agreed between the two enterprises.
Figure 2 shows the interconnection of sites belonging to a private network using the public network, and supported in the public network by a server providing a business trunking application. The business trunking application provides routing capabilities for the enterprise traffic, and supports the identification of calls to and from public network users, break-in and break out of that traffic. (Note that the business trunking application may consist of a concatenation of application logic provided to the originating enterprise site and application logic that is provided to the terminating enterprise site.) Traffic in the public network relating to the interconnection of the two sites of enterprise 1 are tagged as private network traffic relating to enterprise 1. The business trunking application also routes traffic to public phones and this is public network traffic (untagged in the public network).
Figure 3 shows the interconnection of sites belonging to a private network on a server providing a hosted enterprise service application (also known as Centrex). The hosted enterprise service application supports phones belonging to the enterprise and is also able to route traffic to and from public network phones using break-in or break-out functionality. Traffic in the public network relating to the interconnection of the site of enterprise 1 and the hosted enterprise service belonging to enterprise 1 are tagged as private network traffic relating to enterprise 1. The hosted enterprise service application also routes traffic to public phones and this is public network traffic (untagged in the public network). Traffic from the enterprise phones would not normally be tagged (such tag is added at the server providing the hosted enterprise services application. (Note that the hosted enterprise service logic may precede or succeed a business trunking application that offers services on behalf of an enterprise site.)
This section lists the requirements on SIP derived from the considerations in Section 1:
The mechanism proposed in this document relies on a new header field called 'P-Private-Network-Indication' that contains a private network identifier expressed as a domain name, for example:
A proxy server which handles a message can insert such a P-Private-Network-Indication header field into the message based on authentication of the source of a message, configuration or local policy, and forward it to other proxies in the same administrative domain or proxies in trusted domain to be handled as private network traffic. A proxy that forwards a message to a proxy server or UA that it does not trust MUST remove the P-Private-Network-Indication header field before forwarding the message.
The private network identifier expressed as a domain name allows it to be globally unique identifier, associated with the originating enterprise. Domain name is used, as it allows reuse of a company owned internet domain name, without requiring an additional private network identifier registry. When the enterprise needs more than one identifier it can freely add subdomains under its own control.
The formal syntax for the P-Private-Network-Indication header is presented in Section 8.
Proxies that are responsible for determining certain traffic to be treated as private network traffic or contain a breaking function that converts incoming public network traffic to private network traffic MUST insert a P-Private-Network-Indication header field into incoming or outgoing requests for a dialog or for a standalone transaction. The value MUST be set to the private network identifier corresponding to the enterprise to which the traffic belongs.
Proxies that are responsible for applying different processing behaviors to specific private network traffic MUST support this extension. The P-Private-Network-Indication header field MUST NOT be used by a proxy in case it is received on a request from an entity that it does not trust, in such case it MUST be removed before the request is forwarded.
Proxies that are at the edge of the trust domain or contain a breakout function that converts incoming private network traffic to public network traffic MUST remove the P-Private-Network-Indication header field before forwarding a request that contains such a header field with a value.
This document defines the SIP P-Private-Network-Indication header field. This header field can be added by a proxy to initial requests for a dialog or standalone requests. The presence of the P-Private-Network-Indication header field signifies to proxies that understand this header field that the request is to be treated as private network traffic. The P-Private-Network-Indication header field contains a domain name value, that allows the private network traffic to be associated with an enterprise, to which it belongs and that allows proxies that understand this header field to process the request according to the local policy configured for a specific enterprise.
The augmented Backus-Naur Form (BNF) (RFC5234 [RFC5234]) syntax of the P-Private-Network-Indication header field is the following:
EQUAL, HCOLON, SEMI, hostname and generic-param are defined in RFC3261 [RFC3261].
The following is an example of a P-Private-Network-Indication header field:
The private network indication defined in this document is to be used in an environment where elements are trusted and where attackers are not supposed to have access to the protocol messages between those elements. Traffic protection between network elements is sometimes achieved by using IPsec and sometimes by physically protection of the network. In any case, the environment where the private network indication will be used ensures the integrity and the confidentiality of the contents of this header field.
A private network indication received from an untrusted node MUST NOT be used and the information MUST be removed from a request or response before it is forwarded to entities in the trust domain.
There is a security risk if a private network indication is allowed to propagate out of the trust domain where it was generated. In that case sensitive information would be revealed by such a breach. To prevent such a breach from happening, proxies MUST NOT insert the information when forwarding requests to a next hop located outside the trust domain. When forwarding the request to a trusted node, proxies MUST NOT insert the header field unless they have sufficient knowledge that the route set includes another proxy in the trust domain that understands the header field, such as the own proxy. There is no automatic mechanism to learn the support for this specification. Proxies MUST remove the information when forwarding requests to untrusted nodes or when the proxy does not have knowledge of any other proxy in the route set that is able to understand the header field.
This document defines a new SIP header field: P-Private-Network-Indication. This header field needs to be registered by the IANA in the SIP Parameters registry under the Header Fields subregistry.
The authors thank Bruno Chatras, John Elwell and Salvatore Loreto for providing comments on an early version of this draft. Further we thank John Elwell for performing the expert review.
| [RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
| [RFC3261] | Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M. and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. |
| [RFC3324] | Watson, M., "Short Term Requirements for Network Asserted Identity", RFC 3324, November 2002. |
| [RFC5234] | Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008. |