STRAWInternet Engineering Task Force (IETF) R. RavindranathInternet-DraftRequest for Comments: 7879 T. ReddyIntended status:Category: Standards Track G. SalgueiroExpires: October 6, 2016ISSN: 2070-1721 Cisco V. Pascual OracleParthasarathi.P. Ravindran Nokia NetworksApril 4,May 2016 DTLS-SRTP Handling inSession Initiation Protocol (SIP)SIP Back-to-Back User Agents(B2BUAs) draft-ietf-straw-b2bua-dtls-srtp-12Abstract Session Initiation Protocol (SIP) Back-to-Back User Agents(B2BUA)(B2BUAs) exist on the signaling and media paths between the endpoints. This document describes the behavior of B2BUAs when Secure Real-time Transport (SRTP) security context is set up with the Datagram Transport Layer Security (DTLS) protocol. Status of This Memo ThisInternet-Draftissubmitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsan Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF).Note that other groups may also distribute working documents as Internet-Drafts. The listIt represents the consensus ofcurrent Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents validthe IETF community. It has received public review and has been approved fora maximumpublication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 ofsix monthsRFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on October 6, 2016.http://www.rfc-editor.org/info/rfc7879. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2. Goals and Scope of this Document . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. B2BUAs Procedures to Allow End-to-End DTLS-SRTP . . . . . . . 4 4.Signaling PlaneSignaling-Plane B2BUA Handling of DTLS-SRTP . . . . . . . . . 5 4.1. Proxy-B2BUAs . . . . . . . . . . . . . . . . . . . . . . 5 4.2.Signaling-onlySignaling-Only andSDP-modifying Signaling-onlySDP-Modifying Signaling-Only B2BUAs . 5 5.Media PlaneMedia-Plane B2BUA Handling of DTLS-SRTP . . . . . . . . . . .65 5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 6 5.1.1. Media Relay . . . . . . . . . . . . . . . . . . . . . 6 5.1.2.RTP/RTCP-AwareRTP- and RTCP-Aware Media-Aware B2BUA . . . . . . . .. .8 6. Forking Considerations . . . . . . . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 8.IANA Considerations .References . . . . . . . . . . . . . . . . . . . .10 9. Acknowledgments. . . . . 10 8.1. Normative References . . . . . . . . . . . . . . . . . . 1010. Contributors . . . . . . . . . . . . . . .8.2. Informative References . . . . . . . . .10 11. References .. . . . . . . . 11 Acknowledgments . . . . . . . . . . . . . . . .10 11.1. Normative References. . . . . . . . . 12 Contributors . . . . . . . . .11 11.2. Informative References. . . . . . . . . . . . . . . . .1112 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 1. Introduction 1.1. Overview [RFC5763] describes how the Session Initiation Protocol (SIP) [RFC3261] can be used to establish a Secure Real-time Transport Protocol (SRTP) [RFC3711] security context with the Datagram Transport Layer Security (DTLS)[RFC6347] protocol.protocol [RFC6347]. It describes a mechanism for transporting a certificate fingerprint using the Session Description Protocol (SDP) [RFC4566]. The fingerprint identifies the certificate that will be presented during the DTLS handshake. DTLS-SRTP is currently defined for point-to-point media sessions, in which there are exactly two participants. EachDTLS-SRTPDTLS- SRTP session (described in Section 3 of [RFC5764]) contains a single DTLS connection (if RTP andRTCPRTP Control Protocol (RTCP) are multiplexed) or two DTLS connections (if RTP and RTCP are not multiplexed), and either two SRTP contexts (if media traffic is flowing in both directions on the same 5-tuple) or one SRTP context (if media traffic is only flowing in one direction). In many SIP deployments, SIP Back-to-Back User Agents (B2BUA) entities exist on theSIP signalingSIP-signaling path between the endpoints. As described in [RFC7092], these B2BUAs can modify SIP and SDP information. For example, as described in Section 3.1.3 of [RFC7092], SDP-modifying signaling-only B2BUAs can potentially modify the SDP. B2BUAs can also be present on the media path, in which case they modify parts of the SDP information (like IP address, port) and subsequently modify the RTP headers as well. Such B2BUAs are referred to asmedia plane B2BUAs."media-plane B2BUAs". [RFC7092] describes two different categories ofmedia planemedia-plane B2BUAs, according to the level of activities performed on the media plane. When B2BUAs are present in a call between two SIP User Agents(UAs)(UAs), they often make end-to-end DTLS-SRTP sessions impossible.End-to-endAn "end- to-end DTLS-SRTPsessionsession" means thatman-in-middleman-in-the-middle devices cannot break the DTLS-SRTP session between the endpoints. In other words, theman-in- middleman-in-the-middle device cannot create a separate DTLS-SRTP session between the client and the middledevice,device on one side, and the middle device and the remote peer on the other side. B2BUAs may be deployed for address hiding or media latching [RFC7362], althoughTURN (and ICE) isTraversal Using Relays around NAT (TURN) and Interactive Connectivity Establishment (ICE) are expected to be used more often for this purpose as it provides better security properties. Such B2BUAs are able to perform their functions without requiring termination of DTLS-SRTPsessions i.e.sessions, i.e., these B2BUAs need not act as DTLS proxy and decrypt the RTP payload. 1.2. Goals and Scope of this Document A B2BUA could be deployed for address hiding or medialatching,latching as described in [RFC7362]. Such B2BUAs only terminate the media plane at the IP and transport (UDP/TCP) layers and may inspect the RTP headers or RTP Control Protocol (RTCP) packets. The goal of this specification is to provide guidance on how such B2BUAs function without breaking the end-to-end DTLS-SRTP session. A B2BUA could also terminate themediamedia, or modify the RTP headers or RTP Control Protocol (RTCP) packets. Such B2BUAs will not allow end-to-end DTLS- SRTP. The recommendations made in this document are not expected to be applied by B2BUAs terminating DTLS-SRTP sessions given deployment reality. This specification assumes that a B2BUA is not providing identity assurance and is not authorized to terminate the DTLS-SRTP session. A B2BUA that provides identity assurance on behalf of endpoints behind it can modify any portion of SIP and SDP before it generates the identity signature. As the B2BUA is generating the identitysignaturesignature, it is not possible to detect if a B2BUA has terminated the DTLS-SRTP session. B2BUAs providing identity assurance and terminating DTLS-SRTPsessionsessions are out of scope of this document. The following sections describe the behavior B2BUAs can follow to avoid breaking end-to-end DTLS-SRTP sessions. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Transport Address: The combination of an IP address and port number. The following generalized terms are defined in [RFC3261], Section 6. B2BUA:aA SIP Back-to-Back User Agent, which is the logical combination of a User Agent Server (UAS) and a User Agent Client (UAC). UAS:aA SIP User Agent Server. UAC:aA SIP User Agent Client. All of the pertinent B2BUA terminology and taxonomy used in this documentisare based on [RFC7092]. It is assumed the reader is already familiar with the fundamental concepts of the RTP protocol [RFC3550] and its taxonomy [RFC7656], as well as those of SRTP[RFC3711],[RFC3711] and DTLS [RFC6347]. 3. B2BUAs Procedures to Allow End-to-End DTLS-SRTP A B2BUA MUST follow the rules mentioned below to allow end-to-end DTLS-SRTPsession.sessions. 1. B2BUAs MUST forward the certificate fingerprint and SDP setup attribute it receives from one endpoint unmodified towards the other endpoint andvice-versa.vice versa. 2. The enhancements described in [RFC4474]providesprovide a means for signing portions of SIP requests in order to provide identity assurance and certificate pinning by providing an identity signature over the SDP that carries the fingerprint of keying for DTLS-SRTP [RFC5763]. B2BUAs can identify that the enhancements in [RFC4474]isare used for identity assurance if the SIP request contains both Identity and Identity-Info headers. In cases where endpoints use [RFC4474], B2BUAs MUST ensure that it does not modify any of the information used to construct the identity signature. This includes the entire SDP body and portions of the SIP header as described in [RFC4474]. In this case, a B2BUA cannot act as amedia relaymedia-relay B2BUA. 3.[I-D.ietf-stir-rfc4474bis][SIP-ID] is introduced to overcome the limitations of [RFC4474] (discussed in Section 1 of[I-D.ietf-stir-rfc4474bis]).[SIP-ID]). Unlike [RFC4474],[I-D.ietf-stir-rfc4474bis][SIP-ID] does not generate an identity signature over material that intermediaries in the field commonly alter. In this case, a B2BUA can act as amedia relaymedia-relay B2BUA. B2BUAs can identify that[I-D.ietf-stir-rfc4474bis][SIP-ID] is used for identity assurance if the SIP request contains an Identity header but does not include an Identity-Info header. The Identity-Info header is deprecated in[I-D.ietf-stir-rfc4474bis].[SIP-ID]. A B2BUA MUST ensure that it does not modify any of the headers used to construct the identity signature. 4. Both media relays and media-aware relays MUST NOT modify the authenticated portion of RTP and RTCP packets, and MUST NOT modify the authentication tag in the RTP and RTCP packets. 4.Signaling PlaneSignaling-Plane B2BUA Handling of DTLS-SRTP Section 3.1 of [RFC7092] describes different categories ofsignalingsignaling- plane B2BUAs. This section explains how these B2BUAs are expected to comply with the recommendations in Section 3. 4.1. Proxy-B2BUAs Proxy-B2BUAs, as defined in Section 3.1.1 of [RFC7092], modify only the Via and Record-Route SIP headers. These B2BUAs can continue to perform their function and still allow end-to-end DTLS-SRTP sessions sinceit does not modify anynone of the headers used to construct the identitysignature.signature are modified. 4.2.Signaling-onlySignaling-Only andSDP-modifying Signaling-onlySDP-Modifying Signaling-Only B2BUAs These categories of B2BUAs are likely to modify headers that are used to construct the identity signature. For example, a signaling-only B2BUA can modify the Contact URI. Such B2BUAs are likely to violate rule 2 or rule 3 in Section 3. Depending upon the application requirements, such a B2BUA may be able to limit modification of header fields to those allowed to be modified by [RFC4474] or[I-D.ietf-stir-rfc4474bis].[SIP-ID]. 5.Media PlaneMedia-Plane B2BUA Handling of DTLS-SRTP 5.1. General This section describes how the different types ofmedia planemedia-plane B2BUAs defined in [RFC7092] are expected to comply with the recommendations in Section 3. 5.1.1. Media RelayAFrom an application-layer point of view, a mediarelay, asrelay (as defined in Section 3.2.1 of[RFC7092], from an application layer point-of-view,[RFC7092]) forwards all packets it receives on a negotiated connection, without inspecting or modifying the packet contents. A media relay only modifies the transport layer (UDP/TCP) and IP headers. Amedia relaymedia-relay B2BUA followstherule 1 mentioned in Section 3 and forwards the certificate fingerprint and SDP setup attribute it receives from one endpoint unmodified towards the other endpoint andvice-versa.vice versa. The example below shows a SIP call establishment flow, with both SIP endpoints (user agents) using DTLS-SRTP, and amediamedia- relay B2BUA. +-------++------------------++-------------------+ +-----+ | Alice | |MediaRelayMedia-Relay B2BUA | | Bob | +-------++------------------++-------------------+ +-----+ |(1) INVITE |(3)INVITE(3) INVITE | | a=setup:actpass | a=setup:actpass | | a=fingerprint1 | a=fingerprint1 | |(alice's(Alice's IP/port) | (B2BUAs IP/port) | |------------------------>|-------------------------->| | | | | (2) 100 trying | | |<------------------------| | | | (4) 100 trying | | |<--------------------------| | | | | |(5)200(5) 200 OK | | | a=setup:active | | | a=fingerprint2 | | | (Bob's IP/port) | |<------------------------|<--------------------------| | (6) 200 OK | | | a=setup:active | | | a=fingerprint2 | | | B2BUAs IP/port | | | (7,8)ClientHello8) ClientHello + use_srtp | |<----------------------------------------------------| |(B2BUA changes transport(UDP/TCP) and IP header) | | | | | | | |(9,10)ServerHello(9,10) ServerHello + use_srtp | |---------------------------------------------------->| |(B2BUA changes transport(UDP/TCP) and IP header) | | | | | | | | (11) | | | [Certificate exchange between Alice and Bob over | | DTLS ] | | | | | | (12) | | |<---------SRTP/SRTCP-----------SRTP/SRTCP----------->| | [B2BUA changes transport(UDP/TCP) and IP headers] | Figure 1: INVITE with SDPcall-flowCall Flow forMedia RelayMedia-Relay B2BUANOTE:Note: Forbrevitybrevity, the entire value of the SDP fingerprint attribute is not shown. The example here shows only one DTLS connection for the sake of simplicity. Inrealityreality, depending on whether the RTP and RTCP flows are multiplexed ordemultiplexeddemultiplexed, there will be one or two DTLS connections. If RTP and RTCP traffic is multiplexedas described in [RFC5761]on a single port as described in [RFC5761], then only a single DTLS connection is required between the peers. If RTP and RTCP are not multiplexed, then the peers would have to establish two DTLS connections. In this case,Bob,afterhe receivesreceiving an INVITE request, Bob triggers the establishment of a DTLS connection. Note that the DTLS handshake and the sending of the INVITE response can happen in parallel; thus, the B2BUA has to be prepared to receive DTLS,STUNSession Traversal Utilities for NAT (STUN), and media on the ports it advertised to Bob in the SDP offer before it receivesaan SDP answer from Bob. Since amedia relaymedia-relay B2BUA does not differentiate between a DTLS message,RTPRTP, or any packet it receives, it only changes the transport layer (UDP/TCP) and IP headers and forwards the packet towards the other endpoint. The B2BUA cannot decrypt the RTPpayloadpayload, as the payload is encrypted using the SRTP keys derived from the DTLS connection setup between Alice and Bob. If the endpoints use [RFC4474], a B2BUA cannot function as a media- relay without violating rule 2 in Section 3. If[4474bis][SIP-ID] is used, a B2BUA can modify the IP address in the c= line and the port in the m=line, as shownline inFigure 1,the SDP as long as it does not otherwise violate rule 3 in Section 3. 5.1.2.RTP/RTCP-AwareRTP- and RTCP-Aware Media-Aware B2BUA Unlike the media relay discussed in Section 5.1.1, a media-aware relay as defined in Section 3.2.2 of[RFC7092],[RFC7092] is aware of the type of media traffic it is receiving. There are two types of media-aware relays, those that merely inspect the RTP headers and unencrypted portions of RTCP packets, and those that inspect and modify the RTP headers and unencrypted portions of RTCP packets. 5.1.2.1. RTP Header and RTCP Packets InspectionA RTP/RTCP awareAn RTP-/RTCP-aware media relay does not modify the RTP headers and RTCP packets but only inspects the packets. Such B2BUAs follow rule 4 in Section 3 and can continue to do their function while allowingend- to-endend-to-end DTLS-SRTP. Inspection by the B2BUA will not reveal theclear- textclear-text for encrypted parts of the SRTP/SRTCP packets. 5.1.2.2. RTP Header and RTCP Packet Modification A B2BUA cannot modify RTP headers or RTCP packets, as to do so it would need to act as a DTLS endpoint, terminate the DTLS-SRTPsessionsession, and decrypt/re-encrypt RTP packets. If a B2BUA modifies unencrypted or encrypted portions of the RTP or RTCPpacketspackets, then the integrity check will fail and the packet will be dropped by the endpoint. The unencrypted and encrypted portions of the RTP or RTCP packets are integrity protected using the HMAC algorithm negotiated during the DTLS handshake (discussed in Section 4.1.2 of [RFC5764]). B2BUAs have to follow the rules in Section 3 to avoid breaking the integrity ofSRTP/ SRTCPSRTP/SRTCP streams. 6. Forking Considerations Due to forking [RFC3261], a SIP request carrying an SDP offer sent by an endpoint (offerer) can reach multiple remote endpoints. As a result, multiple DTLS-SRTP sessions can be established, one between the endpoint that sent the SIP request and each of the remote endpoints that received the request. B2BUAs have to follow rule 1 in Section 3 while handling offer/answer and forward the certificate fingerprints and SDP setup attributes it received in the SDP answer from each endpoint (answerer) unmodified towards the offerer. Since each DTLS connection issetupset up on a unique 5-tuple, B2BUA replaces the answerer's transport addresses in each answer with its unique transport addresses so that the offerer can establish a DTLS connection with each answerer. TheB2BUAB2BUA, acting as a media relayherehere, follows rule 4 mentioned in Section 3. Bob (192.0.2.1:6666) / / / DTLS-SRTP=XXX / / DTLS-SRTP=XXX v <-----------> (192.0.2.3:7777) Alice (192.0.2.0:5555) B2BUA <-----------> (192.0.2.3:8888) DTLS-SRTP=YYY ^ \ \ DTLS-SRTP=YYY \ \ \ Charlie (192.0.2.2:6666) Figure 2: B2BUAhandling multiple answersHandling Multiple Answers For instance, as shown in Figure22, Alice sends a request with anoffer,offer and the request is forked. Alice receives answers from both Bob and Charlie. The B2BUA advertises different B2BUA transportaddressaddresses in each answer, as shown inFigure2,Figure 2, where XXX and YYY represent different DTLS-SRTP sessions. The B2BUA replaces Bob's transport address (192.0.2.1:6666) in the answer with its transport address (192.0.2.3:7777) and Charlie's transport address (192.0.2.2:6666) in the answer with its transport address (192.0.2.3:8888). The B2BUA tracks the remote sources (Bob and Charlie) and associates them to the local sources that are used to send packets to Alice. 7. Security Considerations This document describes the behavior B2BUAs must follow to avoid breaking end-to-end DTLS-SRTP. Media relays that modify RTP or RTCP, or modify SIP header fields or SDP fields that are protected by the identity signature, are incompatible with end-to-end DTLS-SRTP. Such relays are out of scope for this document. Security considerations discussed in [RFC5763] are also applicable to this document. In addition, the B2BUA behaviors outlined in this document do not impact the security and integrity of a DTLS-SRTP session or the data exchanged over it. A malicious B2BUA can try to break into the DTLS connection, but such an attack can be prevented using the identity validation mechanism discussed in [RFC4474] or[I-D.ietf-stir-rfc4474bis].[SIP-ID]. Either the endpoints or the authentication service proxies involved in the call can use the identity validation mechanisms discussed in [RFC4474] or[I-D.ietf-stir-rfc4474bis][SIP-ID] to validate the identity of peers and detect maliciousB2BUA'sB2BUAs that can attempt to terminate the DTLS connection to decrypt the RTP payload. 8.IANA Considerations This document makes no request of IANA. 11.References11.1.8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, July 2003, <http://www.rfc-editor.org/info/rfc3550>. [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 3711, DOI 10.17487/RFC3711, March 2004, <http://www.rfc-editor.org/info/rfc3711>. [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May 2010, <http://www.rfc-editor.org/info/rfc5763>. [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)", RFC 5764, DOI 10.17487/RFC5764, May 2010, <http://www.rfc-editor.org/info/rfc5764>. [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, January 2012, <http://www.rfc-editor.org/info/rfc6347>.11.2.8.2. Informative References[I-D.ietf-stir-rfc4474bis] Peterson, J., Jennings, C., Rescorla, E., and C. Wendt, "Authenticated Identity Management in the Session Initiation Protocol (SIP)", draft-ietf-stir-rfc4474bis-08 (work in progress), March 2016.[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, DOI 10.17487/RFC3261, June 2002, <http://www.rfc-editor.org/info/rfc3261>. [RFC4474] Peterson, J. and C. Jennings, "Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)", RFC 4474, DOI 10.17487/RFC4474, August 2006, <http://www.rfc-editor.org/info/rfc4474>. [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session Description Protocol", RFC 4566, DOI 10.17487/RFC4566, July 2006, <http://www.rfc-editor.org/info/rfc4566>. [RFC5761] Perkins, C. and M. Westerlund, "Multiplexing RTP Data and Control Packets on a Single Port", RFC 5761, DOI 10.17487/RFC5761, April 2010, <http://www.rfc-editor.org/info/rfc5761>. [RFC7092] Kaplan, H. and V. Pascual, "A Taxonomy of Session Initiation Protocol (SIP) Back-to-Back User Agents", RFC 7092, DOI 10.17487/RFC7092, December 2013, <http://www.rfc-editor.org/info/rfc7092>. [RFC7362] Ivov, E., Kaplan, H., and D. Wing, "Latching: Hosted NAT Traversal (HNT) for Media in Real-Time Communication", RFC 7362, DOI 10.17487/RFC7362, September 2014, <http://www.rfc-editor.org/info/rfc7362>. [RFC7656] Lennox, J., Gross, K., Nandakumar, S., Salgueiro, G., and B. Burman, Ed., "A Taxonomy of Semantics and Mechanisms for Real-Time Transport Protocol (RTP) Sources", RFC 7656, DOI 10.17487/RFC7656, November 2015, <http://www.rfc-editor.org/info/rfc7656>.9.[SIP-ID] Peterson, J., Jennings, C., Rescorla, E., and C. Wendt, "Authenticated Identity Management in the Session Initiation Protocol (SIP)", Work in Progress, draft-ietf- stir-rfc4474bis-08, March 2016. Acknowledgments Special thanks to Lorenzo Miniero, Ranjit Avarsala, Hadriel Kaplan, Muthu Arul Mozhi, Paul Kyzivat, Peter Dawes, Brett Tate, Dan Wing, Charles Eckel, Simon Perreault, Albrecht Schwarz, Jens Guballa, Christer Holmberg, Colin Perkins, BenCampbellCampbell, and Alissa Cooper for their constructive comments, suggestions, and early reviews that were critical to the formulation and refinement of this document. The authors would also like to thank Dan Romascanu, Vijay K. Gurbani, Francis Dupont, PaulWoutersWouters, and Stephen Farrell for their review and feedback of this document.10.Contributors Rajeev Seth provided substantial contributions to this document. Authors' Addresses Ram Mohan Ravindranath Cisco Cessna Business Park Sarjapur-Marathahalli Outer Ring Road Bangalore, Karnataka 560103 India Email: rmohanr@cisco.com Tirumaleswar Reddy Cisco Cessna Business Park Sarjapur Marathalli Outer Ring Road Bangalore, Karnataka 560103 India Email: tireddy@cisco.com Gonzalo Salgueiro Cisco Systems, Inc. 7200-12 Kit Creek Road Research Triangle Park, NC 27709USUnited States Email: gsalguei@cisco.com Victor Pascual Oracle Barcelona, Spain Email: victor.pascual.avila@oracle.com Parthasarathi Ravindran Nokia Networks Bangalore, Karnataka India Email: partha@parthasarathi.co.in