Internet Engineering Task Force                            A. Johnston
Internet Draft                                              D. Rawlins
Document: draft-johnston-sip-osp-token-01.txt             H. Sinnreich
November 2000                                                 WorldCom
Expires: June 2001                                      Stephen Thomas
                                                            TransNexus


                 OSP Authorization Token Header for SIP

   Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026[1].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet- Drafts as reference
   material or to cite them other than as "work in progress."
   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt
   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.



Abstract

   This draft proposes a new SIP (Session Initiation Protocol) header
   OSP-Authorization-Token for carrying an OSP (Open Settlements
   Protocol) authorization token between domains.

1 Introduction

   The problem of interdomain IP telephony calls with QoS is an
   important problem being addressed using AAA protocols.  The new SIP
   [1] header proposed here is part of an approach to solving this
   problem, which is detailed in another draft [2].

2 Design Alternatives

   The OSP Token is an opaque string to SIP which must be carried in the
   INVITE passed between domains. As such, the Token could be carried as
   a MIME attachment.  However, there are three issues with this:

    - Since the Token must be carried with the SDP, the INVITE would
      need to have a multipart MIME message body. If either User Agents
      do not support multipart MIME, the call will fail.



Johnston, et al.                                              [Page 1]
Internet Draft  OSP Authorization Token Header for SIP   November 2000


    - The Token is used by both proxies and User Agents.  As such, the
      proxy would have to decode the multipart MIME message body to
      extract the token.  The general design of SIP is for message
      bodies to contain information of interest to end-points only, with
      information needed by proxies contained in headers.

    - Multipart MIME encoding/decoding adds more delay to an already
      lengthy call setup procedure, as compared to header processing.

   For these reasons, a new SIP header is proposed instead of a new MIME
   type for OSP authorization tokens.

   Note that since OSP tokens are commonly constructed according to
   Cryptographic Message Syntax [3], their size may depend on the size
   of X.509 certificates embedded in the CMS format. In some cases the
   addition of a token may increase the size of a SIP INVITE datagram
   beyond the 576-byte or 1500-byte fragmentation limits. When such
   behavior is not desirable, it is recommended that systems use the
   abbreviated token format described in Annex D of [4].


3 Terminology

   In this document, the key words "MUST", "MUST NOT", "REQUIRED",
   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
   and "OPTIONAL" are to be interpreted as described in RFC 2119 [5] and
   indicate requirement levels for compliant SIP caller preferences
   implementations.

4 Header Field Definition

   Table 1 specifies an extension of Table 5 in RFC 2543 [1] for the new
   header defined here.


                             where enc e-e ACK BYE CAN INV OPT REG
   OSP-Authorization-Token     R    n   h   -   -   -   o   -   -


   Table 1: Summary of header field. The "where" column describes the
   request and response types with which the header filed can be used.
   The "enc" column describes whether this message header field MAY be
   encrypted end to end. "o": optional "-": not applicable, "R':
   request header, "r": response header, "g": general header, "*":
   needed if message body is not empty. A numeric value  in  the "type"
   column indicates the status code the header field is used with.

   OSP-Authorization-Token = "OSP-Authorization-Token"":" Token
   Token = quoted-string

6 Protocol Semantics



Johnston, et al.                                              [Page 2]
Internet Draft  OSP Authorization Token Header for SIP   November 2000



   The OSP Token is always encoded per base64 and only allowed in INVITE
   requests and 200 OK responses to INVITEs.

6.1 User Agents

   The UAC include the header an INVITE requesting QoS using AAA.


   If it is absent in the INVITE, an AAA/QoS UAS determines the token
   and adds the header, otherwise it validates it.

6.2 Proxies

   A proxy participating in the AAA exchange will examine and validate
   the token.

   Otherwise, the header is ignored.

7 Example Message

   INVITE sip:+1-972-555-5555@sip.domain2.com;user=phone SIP/2.0
   Via: SIP/2.0/UDP sip.domain1.com:5060;branch=3a56d3.1
   Via: SIP/2.0/UDP phone1.domain1.com:5060
   From: Henry Sinnreich <sip:henry.sinnreich@phone1.domain1.com>
   To: <sip:+1-972-555-5555@sip.domain2.com;user=phone>
   Call-ID: 123456@domain1.com
   CSeq: 1 INVITE
   Contact: sip:henry.sinnreich@phone1.domain1.com
   Record-Route: <sip:+1-972-555-5555@sip.domain2.com
    ;maddr=sip.domain1.com>
   OSP-Authorization-Token:
   _YT64VqpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756t
   HGTrfvbnjn8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfH
   6ghyHhHUujpfyF47GhIGfHfYT64VQbnj_
   Content-Type: application/sdp
   Content-Length: 184

   v=0
   o=hsinnreich 9735285123 9721273312 IN IP4 122.32.11.6
   s=Discussion of SIP QoS OSP for AAAArch
   c=IN IP4 122.32.11.6
   t=0 0
   m=audio 9876 RTP/AVP 0
   a=qos:mandatory recv confirm


8 Security Considerations






Johnston, et al.                                              [Page 3]
Internet Draft  OSP Authorization Token Header for SIP   November 2000


   Since the AAA scheme [2] assumes authentication between client and
   server as well as IPSec AH between the server and the OSP server, the
   message and its contents (and therefore the token) can be trusted.

   The token can also be encrypted.

   No other security issues are introduced by this new header.


9 References

   [1] M. Handley, H. Schulzrinne, E. Schooler, and J. Rosenberg, "SIP:
      session initiation protocol," Request for Comments (Proposed
      Standard) 2543, Internet Engineering Task Force, March 1999.

   [2] H. Sinnreich, D. Rawlins, A. Johnston, S. Donovan, and S. Thomas,
      _AAA Usage for IP Telephony with QoS_ <draft-sinnreich-aaa-
      interdomain-sip-qos-osp-00.txt> Internet Draft, July 2000.

   [3] R. Housley, "Cryptographic Message Syntax", RFC 2630, June 1999.

   [4] European Telecommunications Standards Institute.
      "Telecommunications and Internet Protocol Harmonization Over
      Networks (TIPHON); Open Settlement Protocol (OSP) for Inter-domain
      pricing, authorization, and usage exchange". Technical
      Specification 101 321. Version 2.1.0.

   [5] S. Bradner, "Key words for use in RFCs to indicate requirement
      levels," Request for Comments (Best Current Practice) 2119,
      Internet Engineering Task Force, March 1997.


Authors' Addresses

   Alan Johnston
   WorldCom
   100 S. 4th Street
   St. Louis, Missouri 63104
   alan.johnston@wcom.com

   Henry Sinnreich
   WorldCom
   400 International Parkway
   Richardson, Texas 75081
   USA
   henry.sinnreich@wcom.com

   Diana Rawlins
   WorldCom
   901 International Parkway
   Richardson, Texas 75081



Johnston, et al.                                              [Page 4]
Internet Draft  OSP Authorization Token Header for SIP   November 2000


   USA
   diana.rawlins@wcom.com


   Stephen Thomas
   TransNexus
   430 Tenth Street NW, Suite N204
   Atlanta, GA 30318
   USA
   stephen.thomas@transnexus.com

Copyright Notice

   "Copyright (C) The Internet Society 2000. All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
















Johnston, et al.                                              [Page 5]