INSIPID Working GroupInternet Engineering Task Force (IETF) H. KaplanInternet DraftRequest for Comments: 7329 OracleIntended status:Category: InformationalExpires: September 10, 2014 March 10,August 2014 ISSN: 2070-1721 A Session Identifier for the Session Initiation Protocol (SIP)draft-kaplan-insipid-session-id-04AbstractThis RFC, which contains the text of an individual Internet Draft that was submitted originally to the DISPATCH Working Group, is being published now as an Informational document to provide a reference for later RFCs. The mechanism defined in this document has been widely deployed, and is being followed in a backward- compatible fashion for a new Standards Track RFC in the INSIPID Working Group. The original Abstract follows.There is a need for having a globally unique session identifier for the same SIPsession, whichsession that can be consistently maintained across SIP Proxies, Back-to-Back User Agents (B2BUAs), and other SIPmiddle-boxes,middleboxes, for the purpose ofTroubleshooting.troubleshooting. Thisdraftdocument proposes a new SIP header to carry such a value: Session-ID. The mechanism defined in this document has been widely deployed, and is being followed in a backward-compatible fashion for a new Standards Track document produced by the INSIPID Working Group. Status ofthisThis Memo This document is not an Internet Standards Track specification; it is published forthe historical record.informational purposes. ThisInternet-Draftdocument issubmitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsa product of the Internet Engineering Task Force(IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum(IETF). It represents the consensus ofsix monthsthe IETF community. It has received public review andmay be updated, replaced, or obsoletedhas been approved for publication byotherthe Internet Engineering Steering Group (IESG). Not all documentsatapproved by the IESG are a candidate for anytime. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The listlevel of Internet Standard; see Section 2 of RFC 5741. Information about the currentInternet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The liststatus ofInternet-Draft Shadow Directories canthis document, any errata, and how to provide feedback on it may beaccessedobtained athttp://www.ietf.org/shadow.html. This Internet-Draft will expire on September 10, 2014.http://www.rfc-editor.org/info/rfc7329. Copyrightand LicenseNotice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1.Introduction................................................3Introduction ....................................................3 1.1.Requirements...........................................4Requirements ...............................................4 2.Terminology.................................................4Terminology .....................................................4 3. Overview ofOperation.......................................4Operation ...........................................4 4. Session-IDBehavior.........................................5Behavior .............................................5 4.1. Generating a Session-IDvalue..........................5Value ..............................5 4.2. UACBehavior...........................................5Behavior ...............................................6 4.3. UASBehavior...........................................6Behavior ...............................................6 4.4. ProxyBehavior.........................................6Behavior .............................................6 4.5. B2BUABehavior.........................................7 4.5.1Behavior .............................................7 4.5.1. B2BUA Generation of New Session-ID7 4.5.2..................8 4.5.2. B2BUA Insertion of Saved Session-ID8.................8 5. Handling SIP TransferScenarios.............................8Scenarios .................................8 5.1. Out-of-DialogREFER....................................9REFER ........................................9 5.2. Refer-ToURI...........................................9URI ...............................................9 5.3. Out-of-Dialog INVITE withReplaces.....................9Replaces .........................9 6. Session-ID Migration and FailureScenarios.................10Scenarios .....................10 7. New 'Session-ID'Header....................................10Header ........................................11 7.1. Augmented BNFDefinitions.............................10Definitions .................................11 8. ExampleExchange...........................................11Exchange ...............................................11 9. SecurityConsiderations....................................11Considerations ........................................11 9.1. SecurityconsiderationsConsiderations foradministrators............11Administrators ................12 9.2. SecurityconsiderationsConsiderations for Session-IDextensions.....11Extensions .........12 10. IANAConsiderations........................................12Considerations ...........................................13 11.Acknowledgments............................................13Acknowledgments ...............................................13 12.References.................................................13References ....................................................13 12.1. NormativeReferences..................................13 Author's Address.................................................13References .....................................13 12.2. Informative References ...................................14 Appendix A.Use-cases notUse Cases Not inscopeScope forSession-ID...............13Session-ID .................15 A.1. Dialog Correlation forSIP............................14SIP ................................15 1. Introduction This RFC, which contains the text of an individualInternet DraftInternet-Draft that was submitted originally to the DISPATCH Working Group, is being published now as an Informational document to provide a reference for later RFCs. The mechanism defined in this document has been widelydeployed,deployed and is being followed in abackward- compatiblebackward-compatible fashion for a new Standards TrackRFC indocument produced by the INSIPID Working Group. The SIP [RFC3261] Call-ID header value is a globally unique identifier, which is mandatory in allrequests/responses, whichrequests/responses and identifies SIP messages belonging to the same dialog or registration. It provides a portion of the SIP message dialog-matchingcriteria,criteria and is used in such things as[Replaces]"Replaces" headers [RFC3891] and[dialog-events] packagedialog- event packages [RFC4235] for matching to dialogs, and in[SIP-Identity]SIP Identity [RFC4474] and[Connected-identity]Connected Identity [RFC4916] as one of the inputs for signing. In practice, the Call-ID is often changed by SIP Back-to-Back User Agents (B2BUAs) and other suchmiddle-boxesmiddleboxes in the logicalend-to- endend-to-end message path. A B2BUA logically represents a SIP User Agent Server (UAS) and User Agent Client (UAC), and as such generates a new Call-ID value for the dialog it creates on its UAC side; infactfact, for some B2BUA scenarios the Call-ID *must* be changed for SIP to function properly. At the same time, there is a need for a unique, common, consistent end-to-end identifier to help troubleshoot SIP sessions andmessage-message flows as they cross SIP nodes. Troubleshooting is more complicated if multiple legs of the session are on different sides of B2BUAs, due to the lack of a common identifier such as a Call-ID to tie the legs together. Proprietary mechanisms are currently used to achieve this goal. Therefore, in order to provide an identifier that will not be modified/replaced by B2BUAs, thisdraftdocument proposes a new SIP Header"Session-ID","Session-ID" and mandatory rules for the value of such a header. The rules are designed to be such that the value in the Session-ID header is not consideredunsafe, private,unsafe or private and does not have any property that would cause B2BUAs to change it. The goal of thisdraftdocument is to enable troubleshooting by providing a unique identifier for a given sessionwhichthat can successfully cross B2BUAs, such as Application Servers,Softswitches,softswitches, Private Branch Exchanges (PBXs), Session Border Controllers (SBCs),Feature Servers,feature servers, etc. 1.1. Requirements The following requirements drive the need for Session-ID: REQ1: It must be possible for an administrator to use the identifier to identify a set of dialogswhichthat have a direct correlation with each other such that they represent the same SIP session, with as high a probability as possible. REQ2: It must be possible to pass the identifier through SIP B2BUAs, with as high a probability as possible. This requirement drives the following requirements: REQ2a: The identifier must not reveal any information related to any SIP device or domain identity, including IPAddress,address, port, hostname, domain name, username,Address-of-Record,Address- of-Record (AoR), MAC address, IP address family, transport type, etc. REQ2b: The identifier must not reveal to the receiver of it that the Call-ID, tags, or any other SIP header or body portion have been changed bymiddle-boxes,middleboxes, with as high a probability as possible. REQ2c: The identifier must not be used for anything at a SIP layer to change the behavior of the SIP protocol. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. This document uses the terms "header field" and "header field value" following the definition of those terms in[RFC3261], which[RFC3261]; they are not interchangeable. The "header field" is the entire SIP header's contents, including any parameters. The "header field value" is only the field-value portion, which does not include header parameters. 3. Overview of Operation The general concept is that the UAC generating an out-of-dialog request generates a new,pseudo-random,pseudorandom, unique value that remains constant for the duration of the transaction, any dialog created from that request, or for a registration. The value is inserted in a new Session-ID header field defined in thisdraft.document. The UAC and UAS then reflect this header field value in all messages for the duration of the dialog. In other words, the Session-ID provides a value similar in nature to Call-ID, except onewhichthat crosses B2BUAs andwhichthat has no sensitive information in it. To aid in migration of deployments, a B2BUA or Proxy MAY also generate and/or insert the value on behalf of a UAC or UAS, if one or the other does not support this document's mechanism. Although the Session-ID concept is similar tothethat of Call-ID, it is not used for message dialog-matching rules in RFC 3261, nor does it change the Call-ID usage, nor does it replace the Call-ID value.InsteadInstead, this new header field provides an identifier for troubleshooting uses only. The format of the Session-ID value is restricted, both to avoid detection of the system typewhichthat generatedit,it and to keep it a hexadecimal representation such that it can be stored as a 128-bit binary value in log records. 4. Session-ID Behavior 4.1. Generating a Session-IDvalueValue Thisdraftdocument proposes the Session-ID header value be generated based on a defined hash mechanism for creating a 128-bitpseudo-random value,pseudorandom value andencode itbe encoded as itslower-caselowercase hex representation. The reason for specifying the mechanism istwo-fold:twofold: to make it impossible to determine the manufacturer of the devicewhichthat generated it by looking at its format or value, and to allow devices to generate the same value if they have the same private key. The Session-ID value is generated by taking the Call-ID headervalue,value and SHA-1 hashing it based on[RFC2104]HMAC (as defined in [RFC2104]) using a locally generatedpseudo-randompseudorandom 128-bit system secretkey,key to create a128- bit128-bit resultant HMAC value. The secret key makes the resultant HMAC value not re-creatable by otherparties, whichparties; this is necessary to prevent detection of Call-IDs being changed, as required byReq-2b.REQ2b. Otherwise,middle-boxesmiddleboxes may have motivation to remove the Session-ID in order to hide the fact that they changed the Call-ID. Per [RFC2104], the algorithm is thus HMAC-SHA-1-128(Call-ID_value, secret_key), and the 128-bit result is encoded using lowercase alphanumeric hex representation, as defined inthe ABNF section of this document.Section 7.1 ("Augmented BNF Definitions"). In order to enabletrouble-shootingtroubleshooting of in-dialog messages, a generator needs to remember or re-create the same Session-ID value for the duration of a given dialog(s). This is described in more detail infollowingthe subsequent sections of this document. 4.2. UAC Behavior The rules for when a UAC generates a new Session-ID value are similar as those for Call-ID value: a UAC supporting this document's mechanism MUST generate a new unique Session-ID valuewheneverwhen it generates an out-of-dialogrequest,request orforwhen there is a new Registration. The exception to this rule is for out-of-dialog REFERrequests,requests or for an INVITE with[RFC3891]a Replaces headerfield,field (see [RFC3891]), as described insectionSection 5. The UAC MUSTre-usereuse the same Session-ID value for in-dialog messages as that of the original dialog-creating request, and for any out-of- dialog request that it retransmits or re-generates in response to a3xx, or3xx that itre-formulatesreformulates due to failure responses. This follows the rules in [RFC3261] for Call-ID generation. Session-ID values in Registration "refreshes"--- REGISTER requestswhichthat are used to update the expiry time but not to register a new contact--- MUST use the same Session-ID value as previous REGISTER requests. New Registrations, which add or change the Contact URI for the AoR, but do not simplytodelete them, MUST use a newSession- IDSession-ID value. This follows the behavior of Call-ID per RFC 3261; it isre-iteratedreiterated here because some devices incorrectly change theirCall- IDCall-ID value for every re-Registration, and they MUST NOT do the same to the Session-ID. The UAC MUST include the Session-ID header field in every SIP message it transmits. 4.3. UAS Behavior A UAS compliant with this document MUST copy areceivedSession-ID header field (received in arequest,request) into responses and subsequent upstream requests sent within the dialog. If an out-of-dialog request is received without a Session-ID header field, the UAS SHOULD generate a new one for subsequent use in the transaction and dialog, as defined for a UAC, and use the same value in all responses and upstream in-dialog requests for the same dialog. 4.4. Proxy Behavior A Proxy MUST NOT remove or modify the Session-ID header field it receives, if one is in the message. By definition,ana Proxy that is compliant with RFC 3261compliant Proxywould not modify or remove such a header. If the Proxy forks a request, it MUST copy the same Session-ID header field into all the forked request copies. If the Proxy recurses requests due to 3xx redirection, or regenerates requests due to failures, it MUST use the same Session-ID header field as the original request, just as the UAC does. If the Proxy locally generates any response or request based on a received request, including 100 Trying, it MUST insert any received Session-ID header field from the original request into the response message it locally creates. This is necessary for troubleshooting purposes. A Proxy compliant with thisdraftdocument MAY generate a new Session-ID or insert a previously savedone,one if and only if none existed in a received message, following the rules for doing so as a B2BUA as definedlater.in Section 4.5. 4.5. B2BUA Behavior A B2BUA compliant with this document MUSTcopycopy: - the Session-ID header field it receives in requests as a UAS into the related requests it generates as aUAC;UAC, and - any Session-ID header field it receives in responses as a UAC into the correlated responses it generates as a UAS. If the B2BUA forks or creates multiple requests as a UAC, from a request it received as a UAS, the B2BUA MUST copy the sameSession- IDSession-ID header field it received into all the forks/requests. If the B2BUA recursesrequests due toon 3xxredirection,responses, or regenerates requests due to failures, it MUST use the same Session-ID field, just as the UAC does. If the B2BUA locally generates any response or request based on a received request, including 100 Trying, it MUST insert any received Session-ID field from the original request into the response message it locally creates. A B2BUA MAY remember the received Session-ID value for the duration of the transaction and dialog, for the purpose ofre-insertion,reinsertion, in case thefar-endfar end does not support thisdraft.document. In all cases, if the SIP message received by a B2BUAcontainedcontains a Session-ID header field, a B2BUA compliant with this document MUST NOT remove,modifymodify, or replace it as it "forwards" the message on the other logical UA "side" of itself.4.5.14.5.1. B2BUA Generation of New Session-ID If an out-of-dialog request is received by a B2BUA compliant with this document, and the request does *not* contain a Session-ID header field, the B2BUA MAY generate a new one. The new Session-ID value MUST be calculated based on the received Call-ID of the received request, even if the B2BUA uses a different Call-ID value for requests generated on its other "side(s)". It MUST then insertitthe new Session-ID in any requests or responses it generates, as if it had actually received the new Session-ID from the UAC, following the rules previously defined for a B2BUA. This allows for a B2BUA to provide a migration to Session-ID deployment, on behalf of upstream nodes that do not yet support it. As defined previously, if any received message already had a Session-ID, a B2BUA compliant with this document would not replace it.4.5.24.5.2. B2BUA Insertion of Saved Session-ID If a Session-ID was received in an out-of-dialog request, or the B2BUA locally generated one because none existed, the B2BUA SHOULD insert the same Session-ID field into all responses and upstream in- dialog requests if and only if a Session-ID is not already in them. This allows for a B2BUA to provide a migration to Session-IDdeployment,deployment on behalf of downstream nodes that do not yet support it. 5. Handling SIP Transfer Scenarios The transfer or movement of SIP sessions represents a complication for aSession-ID type mechanism.mechanism like Session-ID. On the one hand, the replacement SIP session represents a newone,one and could reasonably be expected to use a new Session-ID value; on the other hand, from a troubleshooting andhuman userhuman-user perspective, it is clearly related to, if not just a continuation of, the previous session. Since the purpose of this document's mechanism is to aid monitoring and troubleshooting, and it's not used for actual SIP protocol mechanics, the behavior defined in this section is tore-usereuse the same Session-ID value for the replacement SIP session. In order to do so, the Session-ID of the "original" session is transferred as well, in the Refer-To URI of a[RFC3515]REFERrequest.request as described in [RFC3515]. Furthermore, out-of-dialog REFER and INVITE with[RFC3891]Replaces requests as described in [RFC3891] use the appropriate Session-ID values. This assumes, of course, that the UAs involved support the Session-ID mechanism. If they do not, then it is possible for the Session-ID to not be "carried forward" to the new SIP dialog. Unfortunately, this means troubleshooting such dialogs is notimproved/aidedimproved or aided by this document's mechanism;butbut, it would not "break" anything at a SIP layer. It should also be noted that using the same Session-ID for the transferred-to dialog means the same Session-ID now exists in two independent dialogs, because the original one may well continue due to the implicit Subscription usage created by aREFER - thatREFER. That implicitSubscription basedSubscription-based usage will continue to use the same Session-ID as the new dialog created to the transferred-to party.ForIn the followingsub-sections,subsections, the term "UA" is used for User Agent. The language applies to the SIP devicewhichthat creates the request, whether it be a UA or B2BUA. 5.1. Out-of-Dialog REFER A UA compliant with this document MUST use the same Session-ID header field value for an out-of-dialog REFER request it generates, as the original dialog the REFER is targeted to (i.e., as if the REFER had been in-dialog). For example, if UA Bob has a SIP dialog X to Alice, and Bob sends an out-of-dialog REFER to Alice to refer her to Charlie, the Session-ID header field value of the REFER request would be the same as that used in dialog X. 5.2. Refer-To URI A UA compliant with this document MUST add the Session-ID header field as an embedded header in the Refer-To header field URI of any REFER request it generates, using the value of the session it is referring to. For example, if UA Bob has a SIP dialog X to Alice and dialog Y to Charlie, and Bob sends a REFER request to Alice to refer her to Charlie, the Session-ID header field value embedded in the Refer-To URI of the REFER request would be the same as that used in dialog Y. 5.3. Out-of-Dialog INVITE with Replaces When generating an out-of-dialog INVITE with[RFC3891]a Replaces headerfield,field as described in [RFC3891], a UA compliant with this document MUST use the same Session-ID header field value for the INVITE request as that used for the dialog it is replacing, if it knows the value.Typically itTypically, the UA would know the value by having received it in the Refer-To header field of a REFER, as described previously. For example, if UA Bob has a SIP dialog X to Alice and dialog Y to Charlie, and Bob sends a REFER request to Alice to refer her to Charlie, the Session-ID header field value embedded in the Refer-To URI of the REFER request would be the one used in dialog Y, which Alice would use as the Session-ID header field value for her INVITE to Charlie. If the UA does not know the Session-ID of the dialog it is replacing, forexampleexample, because it is not embedded in the Refer-To URI of a received REFER, then it MUST use a new Session-ID value, calculated using the mechanism as defined insectionSection 4.1 with the Call-ID of the INVITE. 6. Session-ID Migration and Failure Scenarios SIP is already widely deployed on the Internet, and it is impractical to expect all UAs to be upgraded to support this document's mechanism in the near future. A solution for gradual migration isnecessary, whichnecessary and is provided by this documentprovidesby allowing B2BUAs or Proxies to perform the Session-ID generator and inserter role. Even within those device types, it is impractical to expect all B2BUAs to support this mechanism all atonce,once or any time in the near future. Therefore, it is expected that some B2BUAs and/or UAs will support generating and inserting Session-ID, while others will not support Session-ID at all. Due to the varying types ofB2BUAs, suchB2BUAs (such as PBXs, SBCs, Application Servers,Feature Servers,feature servers, andSoftswitchessoftswitches of variousflavors,flavors) and the numerous SIP deployment models in use, there are going to be cases in which Session-ID will fail to be a consistent value for all relateddialogs,dialogs or fail to successfully match. The goal of thisdraftdocument is to improve troubleshooting of current deployments as much as possible- and-- and, in this author'sopinionopinion, that is the best that can be done given the constraints. One example is for forked requests: if a UACwhichthat does not support this mechanism sends a request to a Proxy or B2BUAwhichthat also does not support this mechanism, each fork could reach B2BUAs or UASswhichthat *do* support this mechanism. In such a case, each of those forked-to B2BUA/UAS will generate unique Session-IDs and put them in their responses, temporarily leading to multiple, differentSession- IDSession-ID values for the same related early dialogs. Typically, the UAC would eventually only accept one of the dialogs, and only one Session-ID would remain. 7. New 'Session-ID' Header Thisdraftdocument adds the "Session-ID" token to the definition of the element "message-header" in the SIP message grammar. The Session-ID header is a single-instance header. 7.1. Augmented BNF Definitions Session-ID = "Session-ID" HCOLON sess-id *( SEMI generic-param ) sess-id = 32(DIGIT / %x61-66);32; 32 chars of [0-9a-f] NOTE: The sess-id value is technically case-INSENSITIVE, butnote thatonlylower-caselowercase characters are allowed. See the Security Considerations section for discussion about using header parameters in Session-ID header fields. 8. Example Exchange In the following example, Alice initiates a call to Bob. Alice generates a Session-ID header in the out-of-dialog INVITE. Alice generates thefollowing: (note:following. (Note: much has been left out forsimplicity)simplicity.) INVITE sip:bob@example.com SIP/2.0 Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bKnashds10 From: Alice <sip:alice@example.net>;tag=1234567 To: Bob <sip:bob@example.com> Call-Id: 123456mcmxcix@1.2.3.4 Session-ID: f81d4fae7dec11d0a76500a0c91e6bf6 CSeq: 1 INVITE Contact: <sip:alice@192.168.1.1> 9. Security Considerations There are several security considerations surrounding this document's mechanism. The Session-ID generation algorithm should provide a reasonably random 32-character Session-IDvalue,value to avoidcollisions,collisions andwouldshould not let one re-create the original Call-ID. There is no known security issue with viewing or modifying the Session-ID, other than to hamper troubleshooting efforts. 9.1. SecurityconsiderationsConsiderations foradministratorsAdministrators The requirement for the Session-ID is to be an identifier which cannot be used by a recipient to identify if the Call-ID has been changed bymiddle-boxes.middleboxes. As such, a UAS/UAC cannot detect the original Call-ID, nor whether it has beenchanged, and thuschanged; thus, administrators should notcause administrators concern tobe concerned if the Session-ID header field is "passed through". 9.2. SecurityconsiderationsConsiderations for Session-IDextensionsExtensions The Session-ID's value is created from the Call-ID using a hashing mechanism based on [RFC2104], using SHA-1 and a secret key known only to the system generating the Session-ID. Because the algorithm is defined in this document, it should be fairly secure from detecting the generator of the Session-ID, in terms of manufacturer or code base. The Session-ID generation algorithm should provide a reasonably random 128-bit Session-ID value, to avoid collisions, andwouldshould not let one re-create the original Call-ID. The secret key MUST only be used for the Session-ID mechanism, in case a weakness is foundwhichthat reveals the key. One such weakness may be that a UAC generates one or more Call-IDswhichthat have a property that makes determining the key more likely. In general, B2BUA behavior cannot be dictated by standards. They do whatever their owners/operators wish them to do, or whatever is necessary to make their applications work. This document attempts to normatively specify some B2BUA behavior, by creating a SIP header value for which the properties are such that B2BUAs should have no legitimate reason to interfere. This effectively creates a "promise" that future uses of this Session-ID header field, including its value *and* any future defined parameters, maintain this benign property. Any future extensions to the Session-ID mechanism and header field MUST maintain this property, or else B2BUAs will begin to modify it again or remove it, and its value will be lost. Manufacturers of SIP devices should note thatthere is no guarantee thata B2BUAwill notmay inspect the Session-ID headerfield,field and may remove it if it does not comply with this document's value restrictions. Any Session-ID header parameters MUST be registered with IANA and documented in RFCs from the IETFRFCs,stream, pursuant to the requirements of [RFC3968]. 10. IANA ConsiderationsThis document asksIANAto registerhas registered a new SIP header field named 'Session-ID', pursuant to the registration policies for such in [RFC5727]. This is a single-instance headerfield,field and is appropriate for any SIP message, of any Method type, in any request or response. The ABNF rules [RFC5234] for this new header allow for headerparameters, howeverparameters; however, they must be registered following the rules of [RFC3968], as required by [RFC5727]. This registration is intended to be temporary. The author expects that astandards-trackStandards Track definition of Session-ID will be published at a future date. Assuming such a document is published, it will replace this registration with a reference to itself, at which point this document will no longer be referenced by IANA. 11. Acknowledgments Thanks to Raphael Coeffic, Bob Penfield, Dale Worley, Paul Kyzivat, Ian Elz, Marco Stura, Martin Dolly, Martin Huelsemann, LauraLiessLiess, and Adam Roach for their input. 12. References 12.1. Normative References [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti,R.,"HMAC: Keyed- Hashing for Message Authentication", RFC 2104, February 1997. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. [RFC3515] Sparks, R., "The Session Initiation Protocol (SIP) Refer Method", RFC 3515, April 2003. [RFC3891] Mahy, R., Biggs, B., and R. Dean,R.,"The Session Initiation Protocol (SIP) "Replaces" Header", RFC 3891, September 2004. [RFC3968] Camarillo, G., "The Internet Assigned Number Authority (IANA) Header Field Parameter Registry for the Session Initiation Protocol (SIP)", BCP 98, RFC 3968, December 2004. [RFC5234] Crocker, D., Ed., and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008. [RFC5727] Peterson, J., Jennings, C., and R. Sparks,R.,"Change Process for the Session Initiation Protocol (SIP) and theReal-timeReal- time Applications and Infrastructure Area", BCP 67, RFC 5727, March 2010.Author's Address Hadriel Kaplan Oracle Email: hadriel.kaplan@oracle.com12.2. Informative References [RFC4235] Rosenberg, J., Schulzrinne, H., and R. Mahy, Ed., "An INVITE-Initiated Dialog Event Package for the Session Initiation Protocol (SIP)", RFC 4235, November 2005. [RFC4474] Peterson, J. and C. Jennings, "Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)", RFC 4474, August 2006. [RFC4916] Elwell, J., "Connected Identity in the Session Initiation Protocol (SIP)", RFC 4916, June 2007. Appendix A.Use-cases notUse Cases Not inscopeScope for Session-ID It is very tempting to use a header field value such as that provided by Session-ID, for other purposes than troubleshooting. In a previousdraftdocument for this same Session-ID concept, the proposal included other uses;buthowever, these were removed because anyuse-caseuse case other than troubleshooting can easily lead to a B2BUA needing to change the value, in certain cases. That would defeat the troubleshooting value of Session-ID. This section discusses suchuse-casesuse cases and explains why they are potentially harmful. A.1. Dialog Correlation for SIP Although Session-ID does provide a means to correlate separate SIP dialogs, messages, and transactions, it does so at a higher layer than SIP. It does not replace the mechanics of SIP using theCall- IDCall-ID and To/From tags of SIP messages to correlate SIP dialogs, nor in other uses such as Replaces headers or dialog-event packages. It is tempting, however, to use it for exactly that purpose in certain cases. For example, suppose a call transfer case where Alice calls Bob through B2BUA-1. Bob then callsCharlie,Charlie and sends Charlie a REFER with embeddedReplaces,Replaces to make Charlie send an INVITE with a Replaces header to Alice, to replace the Alice-Bob session. If Charlie uses a different B2BUA-2 to reach Alice, the INVITE with Replaces willfail,fail because the Call-ID/tags won't match anything B2BUA-2 or Alice knows about. +-----+ +-------+ +-------+ +-----+ +-------+ |Alice| |B2BUA-1| |B2BUA-2| | Bob | |Charlie| +-----+ +-------+ +-------+ +-----+ +-------+ | | | | | |INVITE | | | | |callid:1a |callid:1b | | | |----------->|----------------------->|INVITE | |sessid:1 |sessid:1 | |callid:2a | | | | |----------->| | | | |sessid:2 | | | | | | | | | |REFER | | | | |referto:1b | | | | |----------->| | | | | | | | | | INVITE| | | | | replaces:1b| | | X<-----------------------| | | INVITE| | sessid:1| | | replaces:1b| | | X<------------------------| | | | | sessid:1| | |Example-1: call transfer caseExample 1: Call Transfer Case If, on the other hand, Alice were to use the Session-ID value for correlation, she would see it matches her dialog with Bob (assuming the Session-ID were passed along in the Refer-To and Replaces info). There are problems with this approach, however. The first problem is, by not sending the INVITE with Replaces to B2BUA-1, B2BUA-1 is in an incorrect state; the dialog is getting replaced, and the B2BUA doesn't know it. A second issue is the Session-ID doesn't identify enough information to replace a dialog. Imagine there were a third B2BUA, such as aSoftSwitch,softswitch, between Alice and B2BUA-1 and B2BUA-2, and the INVITE with Replaces reached theSoftSwitchsoftswitch before Alice. TheSoftSwitchsoftswitch won't know which "side" the INVITE is replacing. The To/From tags no longer match anything theSoftSwitchsoftswitch knows about, so it can't figure out if the INVITE with Replaces is replacing the dialog fromSoftSwitchsoftswitch to Alice, or the one to Bob. If we try to fix this by creating a tag-type value pair for Session-ID, we're back to devices changing those tag values and defeating the matching property. Another example is based on 3GPP 24.605annexAnnex A.2.2. Alice has a call with Bob through multipleB2BUA'sB2BUAs and an Application Server. The dialogs of that call all have the samesession-id,Session-ID, but uniquecall-id/tags.Call-ID/tags. Alice wants to invoke a3rd partythird-party conference facility in theAS,AS and to reference the call she has with Bob for that. In this particular3gpp3GPP scenario, to do that Alice sends a new INVITE to the AS with a resource-list body (a la RFC 5366) containing the call information for the original call. This is the "RL<sessid:1>" piece in the diagram. It has thecalli-d/tagsCall-ID/tags as well, but they'll be wrong when received at the AS. The AS processes that list, can't match thecallid/tagsCall-ID/tags in the resource-lit but does match thesession-id,Session-ID, and sends a re-INVITE to party B within the original call's dialog. +-----+ +-------+ +----+ +-------+ +-----+ |Alice| |B2BUA-1| | AS | |B2BUA-2| | Bob | +-----+ +-------+ +----+ +-------+ +-----+ | | | | | |INVITE | | | | |callid:1a |callid:1b |callid:1c |callid:1d | |----------->|----------->|---------->|----------->| |sessid:1 |sessid:1 |sessid:1 |sessid:1 | | | | | | |INVITE | | | | |callid:2a |callid:2b | | | |----------->|----------->| | | |sessid:2 |sessid:2 |re-INVITE | | |RL<sessid:1>|RL<sessid:1>|callid:1c |callid:1d | | | |---------->|----------->| | | |sessid:1 |sessid:1 | | | | | |Example-2:Example 2: Resource List Author's Address Hadriel Kaplan Oracle EMail: hadrielk@yahoo.com