1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
|
<pre>Internet Engineering Task Force (IETF) V. Hilt
Request for Comments: 6794 Bell Labs/Alcatel-Lucent
Category: Standards Track G. Camarillo
ISSN: 2070-1721 Ericsson
J. Rosenberg
jdrosen.net
December 2012
<span class="h1">A Framework for Session Initiation Protocol (SIP) Session Policies</span>
Abstract
Proxy servers play a central role as an intermediary in the Session
Initiation Protocol (SIP) as they define and impact policies on call
routing, rendezvous, and other call features. This document
specifies a framework for SIP session policies that provides a
standard mechanism by which a proxy can define or influence policies
on sessions, such as the codecs or media types to be used. It
defines a model, an overall architecture and new protocol mechanisms
for session policies.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc6794">http://www.rfc-editor.org/info/rfc6794</a>.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
<span class="grey">Hilt, et al. Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-2">2</a>. Terminology .....................................................<a href="#page-5">5</a>
<a href="#section-3">3</a>. Session-Independent Policies ....................................<a href="#page-5">5</a>
<a href="#section-3.1">3.1</a>. Architecture and Overview ..................................<a href="#page-5">5</a>
<a href="#section-3.2">3.2</a>. Policy Subscription ........................................<a href="#page-6">6</a>
<a href="#section-3.2.1">3.2.1</a>. User Agent Client (UAC) Behavior ....................<a href="#page-6">6</a>
<a href="#section-3.2.2">3.2.2</a>. User Agent Server (UAS) Behavior ....................<a href="#page-8">8</a>
<a href="#section-4">4</a>. Session-Specific Policies .......................................<a href="#page-8">8</a>
<a href="#section-4.1">4.1</a>. Architecture ...............................................<a href="#page-8">8</a>
<a href="#section-4.2">4.2</a>. Overview ...................................................<a href="#page-9">9</a>
<a href="#section-4.3">4.3</a>. Examples ..................................................<a href="#page-11">11</a>
<a href="#section-4.3.1">4.3.1</a>. Offer in Request ...................................<a href="#page-11">11</a>
<a href="#section-4.3.2">4.3.2</a>. Offer in Response ..................................<a href="#page-13">13</a>
<a href="#section-4.4">4.4</a>. UA/Policy Server Rendezvous ...............................<a href="#page-15">15</a>
<a href="#section-4.4.1">4.4.1</a>. UAC Behavior .......................................<a href="#page-15">15</a>
<a href="#section-4.4.2">4.4.2</a>. Proxy Behavior .....................................<a href="#page-17">17</a>
<a href="#section-4.4.3">4.4.3</a>. UAS Behavior .......................................<a href="#page-20">20</a>
<a href="#section-4.4.4">4.4.4</a>. Caching the Local Policy Server URI ................<a href="#page-21">21</a>
<a href="#section-4.4.5">4.4.5</a>. Header Field Definition and Syntax .................<a href="#page-22">22</a>
<a href="#section-4.5">4.5</a>. Policy Channel ............................................<a href="#page-23">23</a>
<a href="#section-4.5.1">4.5.1</a>. Creation and Management ............................<a href="#page-24">24</a>
<a href="#section-4.5.2">4.5.2</a>. Contacting the Policy Server .......................<a href="#page-25">25</a>
<a href="#section-4.5.3">4.5.3</a>. Using Session Policies .............................<a href="#page-26">26</a>
<a href="#section-5">5</a>. Security Considerations ........................................<a href="#page-27">27</a>
<a href="#section-6">6</a>. IANA Considerations ............................................<a href="#page-29">29</a>
<a href="#section-6.1">6.1</a>. Registration of the "Policy-ID" Header Field ..............<a href="#page-29">29</a>
<a href="#section-6.2">6.2</a>. Registration of the "Policy-Contact" Header Field .........<a href="#page-29">29</a>
6.3. Registration of the "non-cacheable" Policy-Contact
Header Field Parameter ....................................<a href="#page-29">29</a>
<a href="#section-6.4">6.4</a>. Registration of the "policy" SIP Option Tag ...............<a href="#page-29">29</a>
<a href="#section-7">7</a>. References .....................................................<a href="#page-30">30</a>
<a href="#section-7.1">7.1</a>. Normative References ......................................<a href="#page-30">30</a>
<a href="#section-7.2">7.2</a>. Informative References ....................................<a href="#page-31">31</a>
<a href="#appendix-A">Appendix A</a>. Acknowledgements ......................................<a href="#page-32">32</a>
<a href="#appendix-B">Appendix B</a>. Session-Specific Policies - Call Flows ................<a href="#page-32">32</a>
<a href="#appendix-B.1">B.1</a>. Offer in Invite ...........................................<a href="#page-32">32</a>
<a href="#appendix-B.2">B.2</a>. Offer in Response .........................................<a href="#page-34">34</a>
<a href="#appendix-B.3">B.3</a>. Multiple Policy Servers for the UAS .......................<a href="#page-35">35</a>
<span class="grey">Hilt, et al. Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
The Session Initiation Protocol (SIP) [<a href="./rfc3261" title=""SIP: Session Initiation Protocol"">RFC3261</a>] is a signaling
protocol for creating, modifying and terminating multimedia sessions.
A central element in SIP is the proxy server. Proxy servers are
intermediaries that are responsible for request routing, rendezvous,
authentication and authorization, mobility, and other signaling
services. However, proxies are divorced from the actual sessions --
audio, video, and session-mode messaging -- that SIP establishes.
Details of the sessions are carried in the payload of SIP messages,
and are usually described with the Session Description Protocol (SDP)
[<a href="./rfc4566" title=""SDP: Session Description Protocol"">RFC4566</a>].
Experience has shown that there is a need for SIP intermediaries to
impact aspects of a session. For example, SIP can be used in a
wireless network, which has limited resources for media traffic.
During periods of high activity, the wireless network provider could
want to restrict the amount of bandwidth available to each user.
With session policies, an intermediary in the wireless network can
inform the user agent (UA) about the bandwidth it has available.
This information enables the user agent to make an informed decision
about the number of streams, the media types, and the codecs it can
successfully use in a session. Similarly, a network provider can
have a service level agreement with a user that defines the set of
media types the user can use. With session policies, the network can
convey the current set of policies to user agents, enabling them to
set up sessions without inadvertently violating any of the network
policies.
In another example, a SIP user agent is using a network that is
connected to the public Internet through a firewall or a network
border device. The network provider would like to tell the user
agent that it needs to send its media streams to a specific IP
address and port on the firewall or border device to reach the public
Internet. Knowing this policy enables the user agent to set up
sessions across the firewall or the network border. In contrast to
other methods for inserting a media intermediary, the use of session
policies does not require the inspection or modification of SIP
message bodies.
Domains often have the need to enforce the session policies they have
in place. For example, a domain might have a policy that disallows
the use of video and can have an enforcement mechanism that drops all
packets containing a video encoding. Unfortunately, these
enforcement mechanisms usually do not inform the user about the
policies they are enforcing. Instead, they silently keep the user
from doing anything against them. This can lead to a malfunctioning
of devices that is incomprehensible to the user. With session
<span class="grey">Hilt, et al. Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
policies, the user knows about the current network policies and can
set up policy-compliant sessions or simply connect to a domain with
less stringent policies. Thus, session policies provide an important
combination of consent coupled with enforcement. That is, the user
becomes aware of the policy and needs to act on it, but the provider
still retains the right to enforce the policy.
Two types of session policies exist: session-specific policies and
session-independent policies. Session-specific policies are policies
that are created for one particular session, based on the session
description of that session. They enable a network intermediary to
examine the session description a UA is proposing and to return a
policy specifically for that session description. For example, an
intermediary could open pinholes in a firewall/NAT for each media
stream in the proposed session description. It can then return a
policy for the session description that replaces the IP addresses and
ports of the UA with the ones opened in the firewall/NAT that are
reachable from the exterior. Session-specific policies provide
information about a specific session to a domain, which can be used
to implement policies for opening pinholes on a firewall/NAT. Since
session-specific policies are tailored to a session, they only apply
to the session for which they are created. Session-specific policies
are created on a session-by-session basis at the time the session is
established.
Session-independent policies, on the other hand, are policies that
are created independent of a session and generally apply to all SIP
sessions set up by a user agent. A session-independent policy can,
for example, be used to inform user agents about an existing
bandwidth limit or media type restrictions. Since these policies are
not based on a specific session description, they can be created
independent of an attempt to set up a session and only need to be
conveyed to the user agent when it initializes (e.g., at the time the
device is powered on) and when policies are changed.
This specification defines a framework for SIP session policies. It
specifies a model, the overall architecture and new protocol
mechanisms that are needed for session-independent and session-
specific policies. Since session-specific and session-independent
policies have different requirements, this specification defines two
different mechanisms to deliver them to user agents. These
mechanisms are independent of each other, and, depending on whether
one or both types of session policies are needed, it is possible to
use the session-specific or the session-independent mechanism or both
to deliver policies to user agents.
<span class="grey">Hilt, et al. Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
It is RECOMMENDED that UAs and intermediaries use the mechanisms
defined in this specification for signaling session policies to
endpoints. To ensure backwards compatibility with UAs that do not
support this specification, intermediaries may choose to resort to
existing mechanisms such as rejecting sessions that are not policy
compliant with a 488 response as a fallback solution if a UA does not
indicate support for session policies. UAs that do not support
session policies will receive the same user experience as they would
today. As these techniques are known to have many drawbacks, it is
RECOMMENDED that UAs and intermediaries use explicit signaling of
policies using the mechanisms defined in this specification.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Terminology</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Session-Independent Policies</span>
Session-independent policies are policies that are created
independent of a session and generally apply to all sessions a user
agent is setting up. They typically remain stable for a longer
period of time and apply to any session set up while they are valid.
However, it is possible for session-independent policies to change
over time. For example, a policy that defines a bandwidth limit for
a user can change during the day, defining a lower limit during peak
hours and allow more bandwidth off-peak. The policy server informs a
UA when session-independent policies change.
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Architecture and Overview</span>
+-------------+
/------| policy |
+----+ / | server 1 |
| |---/ +-------------+
| UA | ...
| |---\ +-------------+
+----+ \ | policy |
\------| server n |
+-------------+
Figure 1
A SIP UA can receive session-independent policies from one or more
policy servers. In a typical configuration, a UA receives session-
independent policies from a policy server in the local network domain
<span class="grey">Hilt, et al. Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
(i.e., the domain from which the UA receives IP service) and possibly
the SIP service provider domain (i.e., the domain at which the UA
registers). The local network can have policies that support the
access network infrastructure. For example, in a wireless network
where bandwidth is scarce, a provider can restrict the bandwidth
available to an individual user. The SIP service provider can have
policies that are needed to support services or policies that reflect
the service level agreement with the user. Thus, in most cases, a UA
will receive session-independent policies from one or two policy
servers.
Setting up session-independent policies involves the following steps:
1. A user agent discovers session-independent policy servers in the
local network and SIP service provider domain.
2. A user agent requests session-independent policies from the
discovered policy servers. A user agent typically requests these
policies when it starts up or connects to a new network domain.
3. The policy server selects the policies that apply to this user
agent. The policy server can have general policies that apply to
all users or maintain separate policies for each individual user.
The selected policies are returned to the user agent.
4. The policy server can update the policies, for example, when
network conditions change.
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Policy Subscription</span>
<span class="h4"><a class="selflink" id="section-3.2.1" href="#section-3.2.1">3.2.1</a>. User Agent Client (UAC) Behavior</span>
A UA that supports session-independent policies compliant to this
specification MUST attempt to retrieve session-independent policies
from the local network and the SIP service provider domain, unless
the UA knows (e.g., through configuration) that a domain does not
provide session-independent policies (in which case the UA SHOULD NOT
retrieve session-independent policies from this specific domain).
A UA that supports session-independent policies compliant to this
specification MUST support the retrieval of session-independent
policies from the local network and the SIP service provider domain
using the "ua-profile" event package defined in "A Framework for
Session Initiation Protocol User Agent Profile Delivery" [<a href="./rfc6080" title=""A Framework for Session Initiation Protocol User Agent Profile Delivery"">RFC6080</a>].
The UA MAY support other methods of retrieving session-independent
policies from the local network and the SIP service provider domains.
<span class="grey">Hilt, et al. Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
The "ua-profile" event package [<a href="./rfc6080" title=""A Framework for Session Initiation Protocol User Agent Profile Delivery"">RFC6080</a>] provides a mechanism to
subscribe to session-independent policies. A UA subscribes to the
policy server in the local network domain using the procedures
defined for the "local-network" profile-type. The UA uses the
procedures defined for the "user" profile type to subscribe to the
policy server in the SIP service provider domain.
A UA (re-)subscribes to session-independent policies when the
following events occur:
o The UA registers a new address-of-record (AoR) or removes an AoR
from the set of AoRs it has registered. In these cases, the UA
MUST establish subscriptions for each new AoR using the "user" and
the "local-network" profile-types. The UA MUST terminate all
subscriptions for AoRs it has removed.
o The UA changes the domain to which it is connected. The UA MUST
terminate all existing subscriptions for the "local-network"
profile-type. The UA MUST then create a new subscription for each
AoR it maintains using the "local-network" profile-type. This
way, the UA stops receiving policies from the previous local
domain and starts to receive the policies of the new local domain.
The UA does not need to change the subscriptions for "user"
profiles.
If a UA is unable to establish a subscription, the UA SHOULD NOT
attempt to retry this subscription, unless one of the above events
occurs again. This is to limit the number of SUBSCRIBE requests sent
within domains that do not support session-independent policies.
However, a UA SHOULD retry the subscription with a longer time
interval (e.g., once every 24 hours). This enables UAs to detect new
policies that are deployed in a network that previously did not have
policies.
A UA that supports session-independent policies compliant to this
specification MUST support the User Agent Profile Data Set for Media
Policy [<a href="./rfc6796" title=""A User Agent Profile Data Set for Media Policy"">RFC6796</a>]. To indicate that the UA wants to receive session-
independent policies, the UA includes the MIME type "application/
media-policy-dataset+xml" in the Accept header field of a SUBSCRIBE
request.
A UA MUST apply the session-independent policies it has received and
use these policies in the session descriptions it creates. If the UA
decides not to use the received policies, then the UA MUST NOT set up
a session unless it changes the domain that provided these policies.
A UA MAY try to connect to another local network and/or SIP service
provider domain with a different set of policies.
<span class="grey">Hilt, et al. Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
If a UA receives both session-independent and session-specific
policies, the UA MUST apply the session-independent policies to the
session description before the session description is sent to the
session-specific policy server (see <a href="#section-4">Section 4</a>). Thus, session-
independent policies are always applied before session-specific
policies are retrieved.
<span class="h4"><a class="selflink" id="section-3.2.2" href="#section-3.2.2">3.2.2</a>. User Agent Server (UAS) Behavior</span>
A policy server MAY send a notification to the UA every time the
session-independent policies covered by the subscription change. The
definition of what causes a policy to change is at the discretion of
the administrator. A change in the policy can be triggered, for
example, by a change in the network status, by the change in the time
of day or by an update of the service level agreement with the
customer.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Session-Specific Policies</span>
Session-specific policies are policies that are created specifically
for one particular session of a UA. Thus, session-specific policies
will typically be different for different sessions. The session-
specific policies for a session can change during the course of the
session. For example, a user can run out of credit during a session,
which will cause the network to disallow the transmission all media
streams from this point on.
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Architecture</span>
domain 1
+-----------+
/------| proxy |----...
+----+ / +-----------+
| |---/ +-----------+
| | | policy |
| UA |============| server |
| | +-----------+
| |**** +-----------+
+----+ * | policy |
*******|enforcement|****...
+-----------+
--- SIP Signaling
=== Policy Channel
*** Media
Figure 2
<span class="grey">Hilt, et al. Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
The following entities are needed for session-specific policies (see
Figure 2): a user agent (UA), a proxy, a policy server, and possibly
a policy enforcement entity.
The role of the proxy is to provide a rendezvous mechanism for UAs
and policy servers. It ensures that each UA has the URI [<a href="./rfc3986" title=""Uniform Resource Identifier (URI): Generic Syntax"">RFC3986</a>] of
the policy server in its domain and knows from where to retrieve
policies. The proxy conveys the policy server URI to UAs in case
they have not yet received it (e.g., in a previous call or through
configuration). The proxy does not deliver the actual policies to
UAs.
The policy server is a separate logical entity that can be physically
co-located with the proxy. The role of the policy server is to
deliver session policies to UAs. The policy server receives session
information from the UA, uses this information to determine the
policies that apply to the session, and returns these policies to the
UA. The mechanism for generating policies (i.e., making policy
decisions) is outside of the scope of this specification. A policy
server can, for example, query an external entity to get policies or
it can directly incorporate a policy decision point and generate
policies locally.
A UA receives the URI of a policy server from a proxy. It uses this
URI to contact the policy server. It provides information about the
current session to the policy server and receives session policies in
response. The UA can also receive policy updates from the policy
server during the course of a session.
A network can have a policy enforcement infrastructure in place.
However, this specification does not make any assumptions about the
enforcement of session policies and the mechanisms defined here are
orthogonal to a policy enforcement infrastructure.
In principle, each domain that is traversed by SIP signaling messages
can define session-specific policies for a session. Each domain
needs to run a policy server and a proxy that is able to rendezvous a
UA with the policy server (as shown in Figure 2). However, it is
expected that session-specific policies will often only be provided
by the local domain of the user agent.
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Overview</span>
The protocol defined in this specification clearly separates SIP
signaling and the exchange of policies. SIP signaling is only used
to rendezvous the UA with the policy server. From this point on, UA
and policy server communicate directly with each other over a
separate policy channel. This is opposed to a piggyback model, where
<span class="grey">Hilt, et al. Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
the exchange of policy information between endpoint and a policy
server in the network is piggybacked onto the SIP signaling messages
that are exchanged between endpoints.
The main advantage of using a separate policy channel is that it
decouples signaling between endpoints from the policy exchange
between an endpoint and a policy server. This decoupling has a
number of desirable properties. It enables the use of separate
encryption mechanisms on the signaling path, to secure the
communication between endpoints, and on the policy channel, to secure
the communication between endpoint and policy server. Policies can
be submitted directly from the policy server to the endpoint. They
do not travel along the signaling path, which can potentially cross
many domains. Endpoints set up a separate policy channel to each
policy server and can disclose the information requested by the
specific policy server (e.g., offer or offer/answer). Finally,
policy servers do not need to rely on a SIP signaling message flowing
by to send policies or policy updates to an endpoint. A policy
server can use the policy channel at any time to update session
policies as needed. A disadvantage of the separate channel model is
that it requires additional messages for the exchange of policy
information.
Following this model, signaling for session-specific policies
involves the following two fundamental tasks:
1. UA/policy server rendezvous: a UA setting up a session needs to
be able to discover the policy servers that are relevant to this
session.
2. Policy channel: once the UA has discovered the relevant policy
servers for a session, it needs to connect to these servers,
disclose session information, and retrieve the policies that
apply to this session.
The communication between UA and policy server on the policy channel
involves the following steps:
1. A user agent submits information about the session it is trying
to establish to the policy server and asks whether a session
using these parameters is permissible.
2. The policy server generates a policy decision for this session
and returns the decision to the user agent. Possible policy
decisions are (1) to deny the session, (2) to propose changes to
the session parameters with which the session would be
acceptable, or (3) to accept the session as it was proposed.
<span class="grey">Hilt, et al. Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
3. The policy server can update the policy decision at a later time.
A policy decision update can, for example, propose additional
changes to the session (e.g., change the available bandwidth) or
deny a previously accepted session (i.e., disallow the
continuation of a session).
In many cases, the mechanism for session-specific policies will be
used to disclose session information and return session policies.
However, some scenarios only involve the disclosure of session
information to a network intermediary. If an intermediary does not
intend to return a policy, it can simply accept the session as it was
proposed. Similarly, some session-specific policies only apply to
the offer (and therefore only require the disclosure of the offer)
whereas others apply to offer and answer. Both types of policies are
supported by session-specific policy mechanism.
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>. Examples</span>
This section provides two examples to illustrate the overall
operation of session-specific policies. The call flows depict the
rendezvous mechanism between UA and policy server and indicate the
points at which the UA exchanges policy information with the policy
server.
The example is based on the following scenario: there are two domains
(domain A and domain B), which both have session-specific policies
for the UAs in their domain. Neither domain provides policies to the
UAs outside of their own domain. The two domains have a proxy (Proxy
A and Proxy B) and a policy server (PS A and PS B). The policies in
both domains involve the session description offer and answer.
<span class="h4"><a class="selflink" id="section-4.3.1" href="#section-4.3.1">4.3.1</a>. Offer in Request</span>
The first call flow shown in Figure 3 depicts an INVITE transaction
with the offer in the request. It is assumed that this is the first
INVITE request the UAC creates in this domain and that it therefore
does not have previous knowledge about the policy server URIs in this
domain.
(1) UA A sends an INVITE request to Proxy A. Proxy A knows that
policies apply to this session and (2) returns a 488 (Not Acceptable
Here) response to UA A. Proxy A includes the URI of PS A in the 488
(Not Acceptable Here) response. This step is needed since the UAC
has no prior knowledge about the URI of PS A. (3) UA A uses the URI
to contact PS A, discloses the session description offer to PS A, and
(4) receives policies for the offer. (5) UA A reformulates the INVITE
request under consideration of the received policies and includes a
Policy-ID header field to indicate that it has already contacted PS
<span class="grey">Hilt, et al. Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
A. Proxy A does not reject the INVITE request this time and removes
the Policy-ID header field when forwarding the INVITE request. Proxy
B adds a Policy-Contact header field containing the URI of PS B. (6)
UA B uses this URI to contact PS B and disclose the offer and the
answer it is about to send. (7) UA B receives policies from PS B and
applies them to the offer and answer, respectively. (8) UA B returns
the updated answer in the 200 (OK) response. (9) UA A contacts PS A
again with the current offer and answer and (10) retrieves the
policies for both from PS A.
UA A Proxy A Proxy B UA B
| | | |
| INVITE offer | | |
|---------------->| | | (1)
| 488 | | |
| + Policy-Contact| | |
|<----------------| | | (2)
| ACK | | |
|---------------->| | |
| | PS A | |
| | | |
| PolicyChannel | | |
| + InfoOffer | | |
|------------------->| | | (3)
| PolicyChannel | | |
| + PolicyOffer | | |
|<-------------------| | | (4)
| | | |
| | | |
| INVITE offer' | INVITE offer' | INVITE offer' |
| + Policy-ID | | + Policy-Contact|
|---------------->|--------------->|---------------->| (5)
| | | |
| | PS B | |
| | | |
| | | PolicyChannel |
| | | + InfoOffer' |
| | | + InfoAnswer |
| | |<-------------------| (6)
| | | PolicyChannel |
| | | + PolicyOffer |
| | | + PolicyAnswer |
| | |------------------->| (7)
| | | |
<span class="grey">Hilt, et al. Standards Track [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
| | | |
| OK answer' | OK answer' | OK answer' |
|<----------------|<---------------|<----------------| (8)
| ACK |
|--------------------------------------------------->|
| | | |
| | | |
| PolicyChannel | | |
| + InfoOffer' | | |
| + InfoAnswer' | | |
|------------------->| | | (9)
| PolicyChannel | | |
| + PolicyOffer | | |
| + PolicyAnswer | | |
|<-------------------| | | (10)
| | | |
Figure 3
<span class="h4"><a class="selflink" id="section-4.3.2" href="#section-4.3.2">4.3.2</a>. Offer in Response</span>
The call flow shown in Figure 4 depicts an INVITE transaction with
the offer in the response.
(1) UA A sends an INVITE request without an offer to Proxy A and (2)
Proxy A returns a 488 (Not Acceptable Here) response containing the
URI of PS A. (3),(4) UA A uses this policy server URI to set up the
policy channel. At this time, UA A does not disclose a session
description since it does not have the offer yet. (5) UA A re-sends
the INVITE request and includes a Policy-ID header field to indicate
that it has contacted PS A. Proxy A does not reject the INVITE
request this time and removes the Policy-ID header field when
forwarding the INVITE request. Proxy B adds a Policy-Contact header
field containing the URI of PS B. (6) UA B uses this URI to discloses
the offer to PS B. (7) UA B receives policies from PS B and applies
them to the offer. (8) UA B returns the updated offer the 200 (OK)
response. (9),(10) UA A contacts PS and discloses the offer and the
answer it is about to send. An important difference to the flow in
the previous example is that UA A performs steps (9) and (10) before
returning the answer in step (11). This enables UA A to return the
final answer in the ACK request, which includes all applicable
policies. However, it requires that PS A immediately returns a
policy to avoid a delay in the transmission of the ACK request.
(12),(13) UA B again sends the current offer and answer to PS B and
applies the policies it receives to both before using them.
<span class="grey">Hilt, et al. Standards Track [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
UA A Proxy A Proxy B UA B
| | | |
| INVITE | | |
|---------------->| | | (1)
| 488 | | |
| + Policy-Contact| | |
|<----------------| | | (2)
| ACK | | |
|---------------->| | |
| | PS A | |
| | | |
| PolicyChannel | | |
|------------------->| | | (3)
| PolicyChannel | | |
|<-------------------| | | (4)
| | | |
| | | |
| INVITE | INVITE | INVITE |
| + Policy-ID | | + Policy-Contact|
|---------------->|--------------->|---------------->| (5)
| | | |
| | PS B | |
| | | |
| | | PolicyChannel |
| | | + InfoOffer |
| | |<-------------------| (6)
| | | PolicyChannel |
| | | + PolicyOffer |
| | |------------------->| (7)
| | | |
| | | |
| OK offer' | OK offer' | OK offer' |
|<----------------|<---------------|<----------------| (8)
| | | |
| | | |
| PolicyChannel | | |
| + InfoOffer' | | |
| + InfoAnswer | | |
|------------------->| | | (9)
| PolicyChannel | | |
| + PolicyOffer | | |
| + PolicyAnswer | | |
|<-------------------| | | (10)
| | | |
| ACK answer' |
|--------------------------------------------------->| (11)
| | | |
| | | |
<span class="grey">Hilt, et al. Standards Track [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
| | | PolicyChannel |
| | | + InfoOffer' |
| | | + InfoAnswer' |
| | |<-------------------| (12)
| | | PolicyChannel |
| | | + PolicyOffer |
| | | + PolicyAnswer |
| | |------------------->| (13)
| | | |
Figure 4
<span class="h3"><a class="selflink" id="section-4.4" href="#section-4.4">4.4</a>. UA/Policy Server Rendezvous</span>
The first step in setting up session-specific policies is to
rendezvous the UAs with the relevant policy servers. This is
achieved by providing the URIs of all policy servers relevant for a
session to the UAs.
<span class="h4"><a class="selflink" id="section-4.4.1" href="#section-4.4.1">4.4.1</a>. UAC Behavior</span>
A UAC compliant to this specification MUST include a Supported header
field with the option tag "policy" into all requests that can
initiate an offer/answer exchange [<a href="./rfc3264" title=""An Offer/Answer Model with Session Description Protocol (SDP)"">RFC3264</a>] (e.g., INVITE, UPDATE
[<a href="./rfc3311" title=""The Session Initiation Protocol (SIP) UPDATE Method"">RFC3311</a>], and PRACK [<a href="./rfc3262" title=""Reliability of Provisional Responses in Session Initiation Protocol (SIP)"">RFC3262</a>] requests). The UAC MUST include the
"policy" option tag into these requests even if the particular
request does not contain an offer or answer (e.g., an INVITE request
without an offer). A UAC MAY include the "policy" option tag into
all requests.
A UAC can receive a 488 (Not Acceptable Here) response that contains
a Policy-Contact header field. The Policy-Contact header field is a
new header field defined in this specification. It contains one (or
multiple alternative) URI(s) for a policy server. A 488 (Not
Acceptable Here) response with this header field is generated by a
proxy to convey a URI of the local policy server to the UAC. After
receiving a 488 (Not Acceptable Here) response with a Policy-Contact
header field, a UAC compliant to this specification needs to decide
if it wants to continue with the session now knowing that there is a
policy server. If the UAC decides to continue, the UAC MUST use one
of the policy server URIs to contact the policy server using the
mechanism defined in <a href="#section-4.5">Section 4.5</a>.
The Policy-Contact header can contain multiple URIs each with a
different URI scheme and containing an "alt-uri" parameter with
identical values. These URIs represent alternative policy channel
mechanisms for obtaining the same policy. The UAC chooses one of the
alternative URIs to use to obtain the policy. The UAC MAY take as a
<span class="grey">Hilt, et al. Standards Track [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
hint the order of the alternative URIs as indicating a preference as
to which URI to use. The topmost URI in the list might be more
preferred by the domain of the proxy for use to obtain the policy.
After receiving policies from the policy server, the UAC decides
whether or not it wants to accept these policies. If the UAC accepts
these policies, the UAC MUST apply them to the current request and
re-send the updated request. If no changes are required by policies
or no policies have been received, the request can be re-sent without
any policy-induced changes. If the UAC decides that the list of
policy servers or the received session policies are unacceptable,
then the UAC MUST NOT re-send the request.
To protect the integrity of the policy server URI in a Policy-Contact
header field, the UAC SHOULD use a secured transport protocol such as
Transport Layer Security (TLS) [<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>] between UAC and proxy.
The UAC MUST insert a Policy-ID header field into requests for which
it has contacted a policy server and accepted the policies received.
The Policy-ID header field is a new header field that is defined in
this specification. The UA MUST create a Policy-ID header field
value for each policy server it has contacted during the preparation
of the request. A Policy-ID header field value contains two pieces
of information: the policy server URI and an optional token. The
policy server URI is the URI the UA has used to contact the policy
server. The token is an opaque string the UAC can receive from the
policy server. A token can, for example, be contained in the policy
document [<a href="./rfc6796" title=""A User Agent Profile Data Set for Media Policy"">RFC6796</a>]. If the UAC has received a token from the policy
server, the UAC MUST include the token in the Policy-ID header field.
The format of the Policy-ID header field is defined in <a href="#section-4.4.5">Section 4.4.5</a>.
The main purpose of the Policy-ID header field is to enable a proxy
to determine if the UAC already knows a URI of the local policy
server. If the policy server URI is not yet known to the UAC, the
proxy can convey this URI to the UAC by rejecting the request with a
488 (Not Acceptable Here) response.
In some cases, a request can traverse multiple domains with a
session-policy server. Each of these domains can return a 488 (Not
Acceptable Here) response containing a policy server URI. A UAC
contacts a policy server after receiving a 488 (Not Acceptable Here)
response from a domain and before re-sending the request. This
creates an implicit order between the policy servers in multiple
domains. That is, a UAC contacts the first policy server, re-sends
the modified request, contacts the second policy server, re-sends the
modified request, and so on. This way, session policies are always
<span class="grey">Hilt, et al. Standards Track [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
applied to a request in the order in which the request traverses
through the domains. The UAC MUST NOT change this implicit order
among policy servers.
A UAC frequently needs to contact the policy server in the local
domain before setting up a session. To avoid the retransmission of
the local policy server URI in a 488 (Not Acceptable Here) response
for each new request, a UA SHOULD maintain a cache that contains the
URI of the policy server in the local domain (see <a href="#section-4.4.4">Section 4.4.4</a>).
The UAC SHOULD use the cached policy server URI to contact the local
policy server before sending a request that initiates the offer/
answer exchange for a new session (e.g., an INVITE request). The UAC
SHOULD NOT cache a policy server URI that is in a different domain
than the UAC, even if it is the first policy server URI returned.
The first policy server URI returned can be from another domain if
the local domain does not have a policy server. Note that UACs
perform exact domain comparisons. That is, foo.example.com and
example.com are not considered equivalent.
UAs can renegotiate the session description during a session by
initiating a subsequent offer/answer exchange, e.g., in an INVITE,
UPDATE, or PRACK request. When creating such a mid-dialog request, a
UA SHOULD contact all policy servers to which it has established a
policy channel during the initial offer/answer exchange (see
<a href="#section-4.5">Section 4.5</a>) before sending the request. This avoids the
retransmission of all policy server URIs in 488 (Not Acceptable Here)
responses for mid-dialog requests.
<span class="h4"><a class="selflink" id="section-4.4.2" href="#section-4.4.2">4.4.2</a>. Proxy Behavior</span>
A proxy provides rendezvous functionalities for UAs and policy
server. This is achieved by conveying the URI of a policy server to
the UAC or the UAS (or both) when processing INVITE, UPDATE, or PRACK
requests (or any other request that can initiate an offer/answer
exchange).
If an offer/answer exchange initiating request contains a Supported
header field with the option tag "policy", the proxy MAY reject the
request with a 488 (Not Acceptable Here) response to provide the
local policy server URI to the UAC. Before rejecting a request, the
proxy MUST verify that the request does not contain a Policy-ID
header field with the local policy server URI as a value. If the
request does not contain such a header field or a local policy server
URI is not present in this header field, then the proxy MAY reject
the request with a 488 (Not Acceptable Here) response. The proxy
MUST insert a Policy-Contact header field in the 488 (Not Acceptable
Here) response that contains one (or multiple) URI(s) of its
<span class="grey">Hilt, et al. Standards Track [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
associated policy server. The proxy MAY add the header field
parameter "non-cacheable" to prevent the UAC from caching this policy
server URI (see <a href="#section-4.4.4">Section 4.4.4</a>).
More than one URI for the policy server using different URI schemes
MAY be provided by the proxy as alternative URIs to contact the
policy. If a proxy includes multiple URIs for the same policy, the
proxy MUST include an "alt-uri" parameter for all policy server URIs
that are alternatives for obtaining the same policy. The "alt-uri"
parameter MUST contain either the domain name of the domain for which
all the alternative policy server URIs relate to or a Fully Qualified
Domain Name (FQDN) (e.g., the hostname of a policy server). All URIs
that are alternatives for the same policy MUST have the same value
for the "alt-uri" parameter. The value used for the "alt-uri"
parameter MUST be such that the same value will not be included with
other policy server URIs that a UA needs to contact by any other
proxy within the same domain or another domain. A method to create a
new unique "alt-uri" parameter value is to examine the value of
existing "alt-uri" parameters and to make sure that the new value
differs. A proxy MAY hint to a UA at a preference as to which URI to
use by including the more preferred URI higher in the list than the
other alternative URIs. URIs with the same "alt-uri" parameter MUST
use different URI schemes. A SIP or SIPS URI MUST be included even
if other URI schemes are defined and used in the future.
If a local policy server URI is present in a Policy-ID header field
value of a request, then the proxy MUST NOT reject the request as
described above (it can still reject the request for other reasons).
The proxy SHOULD remove the Policy-ID header field value of its
associated policy server from the Policy-ID header field before
forwarding the request. Not removing the Policy-ID header field
value will not cause harm; however, the value is not relevant to any
other proxy on the path and only increases message size. It also
would disclose the policy server URI to subsequent proxies.
The Policy-ID header field serves two main purposes: first and most
important, it enables the proxy to determine if a UAC already knows
the URI of the local policy server. The second purpose of the
Policy-ID header field is to enable a domain to route all requests
that belong to the same session (i.e., the initial request and
requests a UA retransmits after contacting the policy server) to the
same proxy and policy server. This is important if a domain has
multiple proxy/policy server combinations (e.g., in a proxy/policy
server farm that receives requests through a load balancer), which
create per-session state in the network. An example for such a
scenario is a policy server that is associated with a session border
device. The policy server configures the session border device after
receiving a session description from the UAC via the policy channel.
<span class="grey">Hilt, et al. Standards Track [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
Retransmitted requests for such a session need to be routed to the
same proxy/policy server as the initial request since this proxy/
policy server combination has configured the associated border device
for the session.
Routing all requests that belong to the same session to the same
proxy can be achieved by using the Policy-ID header field token. It
requires that the policy server return a token to the UAC that
uniquely identifies the specific proxy/policy server combination.
The UAC includes this token in the Policy-ID header field, and it can
be used (together with the policy server URI) by the proxies in this
domain to route the request along the desired path. The format of
this token does not require standardization. The only requirement is
that the token provide sufficient information for proxies to route
the message inside a domain to the desired proxy/policy server. The
token can, for example, be a numeric identifier or an IP address.
Note: it has been proposed to use the Policy-ID header field to
provide a hint for a proxy that the UAC has actually contacted the
policy server. This usage also requires the policy server to
return a token to the UA. In addition, the policy server needs to
share valid tokens with the proxy. After receiving a request with
a Policy-ID header field, the proxy can determine if the token in
the Policy-ID header field is valid. If it is valid, the proxy
knows that the UA has contacted the policy server for this
session. However, this token does not provide any proof that the
UA has actually used the policies it has received from the policy
server. A malicious UA can simply contact the policy server,
discard all policies it receives, and still use the token in the
Policy-ID header field.
The proxy MAY insert a Policy-Contact header field into INVITE,
UPDATE, or PRACK requests (or any other request that can initiate an
offer/answer exchange) in order to convey the policy server URI to
the UAS. If the request already contains a Policy-Contact header
field, the proxy MUST insert the URI after all existing values at the
end of the list. A proxy MUST NOT change the order of existing
Policy-Contact header field values.
A proxy MUST use the Record-Route mechanism [<a href="./rfc3261" title=""SIP: Session Initiation Protocol"">RFC3261</a>] if its
associated policy server has session policies that apply to mid-
dialog requests. The Record-Route header field enables a proxy to
stay in the signaling path and resubmit the policy server URIs to UAs
during mid-dialog requests that initiate an offer/answer exchange.
Resubmitting the policy server URI to UAs ensures that UAs keep
contacting the policy server for mid-dialog requests.
<span class="grey">Hilt, et al. Standards Track [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
A proxy can find out if the UAS supports this extension by examining
the Supported header field of responses. The proxy knows that the
UAS supports this extension if the Supported header field of a
response contains the option tag "policy". A proxy can use this
information to determine if the UAS has understood the Policy-Contact
header field it has inserted into the request.
To protect the integrity of the policy server URI in a Policy-Contact
header field, the proxy SHOULD use a secured transport protocol such
as TLS [<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>] between proxy and UAs.
<span class="h4"><a class="selflink" id="section-4.4.3" href="#section-4.4.3">4.4.3</a>. UAS Behavior</span>
A UAS can receive an INVITE, UPDATE, or PRACK request (or another
request that can initiate offer/answer exchanges) that contains a
Policy-Contact header field with a list of policy server URIs. A UAS
that receives such a request needs to decide if it wants to accept
the session knowing that there are policy servers involved. If the
Policy-Contact header contains multiple URIs, each with a different
URI scheme and containing an "alt-uri" parameter with identical
values, these URI schemes represent alternative policy channel
mechanisms for obtaining the same policy. If the UAS accepts the
session, the UAS MUST contact one URI out of each group of URIs with
identical "alt-uri" parameter values to obtain the policy. The UAS
MAY take as a hint the order of the alternative URIs as indicating a
preference as to which URI to use. The topmost URI in the list might
be more preferred by the domain of the proxy for use to obtain the
policy. The UAS MUST contact all policy server URIs in a Policy-
Contact header field that are not part of a group of alternative URIs
and MUST contact one URI in each group of alternative URIs. The UAS
MUST contact these policy server URIs in the order in which they were
contained in the Policy-Contact header field, starting with the
topmost value (i.e., the value that was inserted first).
If a UAS decides that it does not want to accept a session because
there are policy servers involved or because one of the session
policies received from a policy server is not acceptable, the UAS
MUST reject the request with a 488 (Not Acceptable Here) response.
The UAS MAY accept a request and continue with setting up a session
if it cannot set up a policy channel to the policy server, for
example, because the policy server is unreachable or returns an error
condition that cannot be resolved by the UAS (i.e., error conditions
other than, for example, a 401 (Unauthorized) response). This is to
avoid that the failure of a policy server prevents a UA from
communicating. Since this session might not be policy compliant
without the policy subscription, it can be blocked by policy
enforcement mechanisms if they are in place.
<span class="grey">Hilt, et al. Standards Track [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
A UAS can receive a token from a policy server via the policy
channel. Since the UAS does not create a Policy-ID header field, it
can simply ignore this token.
A UAS compliant to this specification MUST include a Supported header
field with the option tag "policy" into responses to requests that
can initiate an offer/answer exchange. The UAS MAY include this
option tag in all responses. This way, a proxy that has inserted the
Policy-Contact header field can know that the header field was
understood by the UAS.
<span class="h4"><a class="selflink" id="section-4.4.4" href="#section-4.4.4">4.4.4</a>. Caching the Local Policy Server URI</span>
A UAC frequently needs to contact the policy server in the local
domain before setting up a session. To avoid the retransmission of
the local policy server URI for each session, a UA SHOULD maintain a
cache that contains the URI of the local policy server.
A UA can receive this URI in a Policy-Contact header field of a
request or a 488 (Not Acceptable Here) response. The UA can also
receive the local policy server URI through configuration, for
example, via the configuration framework [<a href="./rfc6080" title=""A Framework for Session Initiation Protocol User Agent Profile Delivery"">RFC6080</a>]. If a UA has
received a local policy server URI through configuration and receives
another local policy server URI in a Policy-Contact header field, the
UA SHOULD overwrite the configured URI with the most recent one
received in a Policy-Contact header field. A policy server URI
received in a Policy-Contact header field expires if it has not been
refreshed before it reaches the maximum cached URI validity. The
default maximum cached URI validity is 24 hours.
Domains can prevent a UA from caching the local policy server URI.
This is useful, for example, if the policy server does not need to be
involved in all sessions or the policy server URI changes from
session to session. A proxy can mark the URI of such a policy server
as "non-cacheable". A UA MUST NOT cache a non-cacheable policy
server URI. The UA SHOULD remove the current URI from the cache when
receiving a local policy server URI that is marked as "non-
cacheable". This is to avoid the use of policy server URIs that are
outdated.
The UA SHOULD NOT cache policy server URIs it has received from
proxies outside of the local domain. These policy servers need not
be relevant for subsequent sessions, which can go to a different
destination, traversing different domains.
The UA MUST NOT cache tokens it has received from a policy server. A
token is only valid for one request.
<span class="grey">Hilt, et al. Standards Track [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
<span class="h4"><a class="selflink" id="section-4.4.5" href="#section-4.4.5">4.4.5</a>. Header Field Definition and Syntax</span>
<span class="h5"><a class="selflink" id="section-4.4.5.1" href="#section-4.4.5.1">4.4.5.1</a>. Policy-ID Header Field</span>
The Policy-ID header field is inserted by the UAC into INVITE,
UPDATE, or PRACK requests (or any other request that can be used to
initiate an offer/answer exchange). The Policy-ID header field
identifies all policy servers the UAC has contacted for this request.
The value of a Policy-ID header field consists of a policy server URI
and an optional token parameter. The token parameter contains a
token the UA might have received from the policy server.
The syntax of the Policy-ID header field is described below in ABNF,
according to [<a href="./rfc5234" title=""Augmented BNF for Syntax Specifications: ABNF"">RFC5234</a>], as an extension to the ABNF for SIP in
[<a href="./rfc3261" title=""SIP: Session Initiation Protocol"">RFC3261</a>]:
Policy-ID = "Policy-ID" HCOLON policyURI
*(COMMA policyURI)
policyURI = ( SIP-URI / SIPS-URI / absoluteURI )
[ SEMI token-param ] *( SEMI generic-param )
token-param = "token=" token
<span class="h5"><a class="selflink" id="section-4.4.5.2" href="#section-4.4.5.2">4.4.5.2</a>. Policy-Contact Header Field</span>
The Policy-Contact header field can be inserted by a proxy into a 488
(Not Acceptable Here) response to INVITE, UPDATE, or PRACK requests
(or other requests that initiate an offer/answer exchange). The
value of a Policy-Contact header field consists of a policy server
URI and an optional "non-cacheable" header field parameter. The
policy server URI identifies the policy server that needs to be
contacted by a UAC. The "non-cacheable" header field parameter
indicates that the policy server URI is not intended to be cached by
the UAC.
The Policy-Contact header field can also be inserted by a proxy into
INVITE, UPDATE, and PRACK requests (or other requests that can be
used to initiate an offer/answer exchange). It contains an ordered
list of policy server URIs that need to be contacted by the UAS. The
topmost value of this list identifies the policy server that is
contacted first. New header field values are inserted at the end.
With this, the Policy-Contact header field effectively forms a fist-
in-first-out queue.
The syntax of the Policy-Contact header field is described below in
ABNF, according to [<a href="./rfc5234" title=""Augmented BNF for Syntax Specifications: ABNF"">RFC5234</a>], as an extension to the ABNF for SIP in
[<a href="./rfc3261" title=""SIP: Session Initiation Protocol"">RFC3261</a>]:
<span class="grey">Hilt, et al. Standards Track [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
Policy-Contact = "Policy-Contact" HCOLON policyContact-info
*(COMMA policyContact-info)
policyContact-info = LAQUOT policyContact-uri RAQUOT
*( SEMI policyContact-param )
policyContact-uri = ( SIP-URI / SIPS-URI / absoluteURI )
policyContact-param = ( "non-cacheable" / policyContact-alt-uri
/ generic-param )
policyContact-alt-uri = "alt-uri" EQUAL hostname
Tables 1 and 2 are extensions of Tables 2 and 3 in [<a href="./rfc3261" title=""SIP: Session Initiation Protocol"">RFC3261</a>]. The
column "INF" is for the INFO method [<a href="./rfc6086" title=""Session Initiation Protocol (SIP) INFO Method and Package Framework"">RFC6086</a>], "PRA" is for the PRACK
method [<a href="./rfc3262" title=""Reliability of Provisional Responses in Session Initiation Protocol (SIP)"">RFC3262</a>], "UPD" is for the UPDATE method [<a href="./rfc3311" title=""The Session Initiation Protocol (SIP) UPDATE Method"">RFC3311</a>], "SUB" is
for the SUBSCRIBE method [<a href="./rfc6665" title=""SIP-Specific Event Notification"">RFC6665</a>], "NOT" is for the NOTIFY method
[<a href="./rfc6665" title=""SIP-Specific Event Notification"">RFC6665</a>], "MSG" is for the MESSAGE method [<a href="./rfc3428" title=""Session Initiation Protocol (SIP) Extension for Instant Messaging"">RFC3428</a>], "REF" is for
the REFER method [<a href="./rfc3515" title=""The Session Initiation Protocol (SIP) Refer Method"">RFC3515</a>], and "PUB" is for the PUBLISH method
[<a href="./rfc3903" title=""Session Initiation Protocol (SIP) Extension for Event State Publication"">RFC3903</a>].
Header field where proxy ACK BYE CAN INV OPT REG UPD
_______________________________________________________________
Policy-ID R rd - - - c - - c
Policy-Contact R a - - - c - - c
Policy-Contact 488 a - - - c - - c
Table 1: Policy-ID and Policy-Contact Header Fields
Header field where proxy PRA PUB SUB NOT INF MSG REF
_______________________________________________________________
Policy-ID R rd c - - - - - -
Policy-Contact R a c - - - - - -
Policy-Contact 488 a c - - - - - -
Table 2: Policy-ID and Policy-Contact Header Fields
<span class="h3"><a class="selflink" id="section-4.5" href="#section-4.5">4.5</a>. Policy Channel</span>
The main task of the policy channel is to enable a UA to submit
information about the session it is trying to establish (i.e., the
offer and the answer) to a policy server and to receive the resulting
session-specific policies and possible updates to these policies in
response.
The Event Package for Session-Specific Policies [<a href="./rfc6795" title=""A Session Initiation Protocol (SIP) Event Package for Session-Specific Policies"">RFC6795</a>] defines a
SUBSCRIBE/NOTIFY-based [<a href="./rfc6665" title=""SIP-Specific Event Notification"">RFC6665</a>] policy channel mechanism. A UA
compliant to this specification MUST support the Event Package for
Session-Specific Policies [<a href="./rfc6795" title=""A Session Initiation Protocol (SIP) Event Package for Session-Specific Policies"">RFC6795</a>]. The UA MUST use this event
<span class="grey">Hilt, et al. Standards Track [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
package to contact a policy server if the policy server URI is a
SIP-URI or SIPS-URI. A UA MAY support other policy channel
mechanisms.
<span class="h4"><a class="selflink" id="section-4.5.1" href="#section-4.5.1">4.5.1</a>. Creation and Management</span>
A UA discovers the list of policy servers relevant for a session
during the initial offer/answer exchange (see <a href="#section-4.4">Section 4.4</a>). A UA
compliant to this specification MUST set up a policy channel to each
of the discovered policy servers. If the UA does not want to set up
a policy channel to one of the policy servers provided, the UA MUST
cancel or reject a pending INVITE transaction for the session or
terminate the session if it is already in progress.
A UA MUST maintain the policy channel to each discovered policy
server during the lifetime of a session, unless the policy channel is
closed by the policy server or the UA discovers that the policy
server is no longer relevant for the session as described below.
A UAC can receive a 488 (Not Acceptable Here) response with a Policy-
Contact header field containing a new policy server URI in response
to a mid-dialog request. This indicates that the set of policy
servers relevant for the current session has changed. If this
occurs, the UAC MUST retry sending the request as if it were the
first request in a dialog (i.e., without applying any policies except
the policies from the local policy server). This way, the UAC will
rediscover the list of policy servers for the current session. This
is necessary since the UAC has no other way of knowing when to
contact the newly discovered policy server relative to the existing
policy servers and if any of the existing policy servers do not need
to be contacted any more. The UAC MUST set up a policy channel to
each new policy server. The UAC SHOULD close policy channels to
policy server that are not listed any more. If the policy channel to
these servers is not closed, the UAC can receive policies that do not
apply to the session any more. The UAC MUST contact policy servers
in the order in which they were discovered in the most recent
request.
If a UAS receives a mid-dialog request with a Policy-Contact header
field containing a list of policy server URIs that is different from
the list of policy servers to which the UAS has currently established
a policy channel, then the UAS MUST set up a policy channel to all
new policy servers and contact them. The UAS SHOULD close policy
channels to servers that are not listed any more. If the policy
channel to these servers is not closed, the UAS can receive policies
that do not apply to the session any more. The UAS MUST use policy
servers in the order in which they were contained in the most recent
Policy-Contact header field.
<span class="grey">Hilt, et al. Standards Track [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
A UA MUST inform the policy server when a session is terminated
(e.g., when the UA has either sent or received a BYE) via the policy
channel, unless a policy server indicates via the policy channel that
it does not need to be contacted at the end of the session. This
enables a policy server to free all resources it has allocated for
this session.
<span class="h4"><a class="selflink" id="section-4.5.2" href="#section-4.5.2">4.5.2</a>. Contacting the Policy Server</span>
A UA MUST contact all policy servers to which it has established a
policy channel before sending or after receiving a mid-dialog
request. The UA MUST contact the policy servers in the order in
which they were discovered most recently.
A UA that receives a SIP message containing an offer or answer SHOULD
completely process the message (e.g., according to [<a href="./rfc3261" title=""SIP: Session Initiation Protocol"">RFC3261</a>]) before
contacting the policy server. The SIP processing of the message
includes, for example, updating dialog state and timers as well as
creating ACK or PRACK requests as necessary. This ensures that
contacting a policy server does not interfere with SIP message
processing and timing (e.g., by inadvertently causing timers to
expire). This implies, for example, that a UAC that has received a
response to an INVITE request would normally finish the processing of
the response including transmitting the ACK request before it
contacts the policy server. An important exception to this rule is
discussed in the next paragraph.
In some cases, a UA needs to use the offer/answer it has received in
a SIP message to create an ACK or PRACK request for this message;
i.e., it needs to use the offer/answer before finishing the SIP
machinery for this message. For example, a UAC that has received an
offer in the response to an INVITE request needs to apply policies to
the offer and the answer before it can send the answer in an ACK
request. In these cases, a UA SHOULD contact the policy server even
if this is during the processing of a SIP message. This implies that
a UA, which has received an offer in the response of an INVITE
request, would normally contact the policy server and apply session
policies before sending the answer in the ACK request.
Note: this assumes that the policy server can always respond
immediately to a policy request and does not require manual
intervention to create a policy. This will be the case for most
policy servers. If, however, a policy server cannot respond with
a policy right away, it can return a policy that temporarily
denies the session and update this policy as the actual policy
decision becomes available. A delay in the response from the
<span class="grey">Hilt, et al. Standards Track [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
policy server to the UA would delay the transmission of the ACK
request and could trigger retransmissions of the INVITE response
(also see the recommendations for Flow I in [<a href="./rfc3725" title=""Best Current Practices for Third Party Call Control (3pcc) in the Session Initiation Protocol (SIP)"">RFC3725</a>]).
The case of multiple policy servers providing policies to the same UA
requires additional considerations. A policy returned by one policy
server can contain information that needs to be shared with the other
policy servers. For example, two policy servers can have the policy
to insert a media intermediary by modifying the IP addresses and
ports of media streams. In order for media streams to pass through
both intermediaries, each intermediary needs to know the IP address
and port on which the other media intermediary is expecting the
stream to arrive. If media streams are flowing in both directions,
this means that each intermediary needs to know IP addresses and
ports of the other intermediary.
UACs usually contact a policy server twice during an offer/answer
exchange (unless a policy server indicates that it only needs to be
contacted once). Therefore, the case of multiple policy servers
providing policies to a single UAC does not require additional steps
in most cases. However, a UAS usually contacts each policy server
only once (see Figure 4). If a session policy returned by one of the
policy servers requires that information be shared between multiple
servers and the UAS receives policies from more than one policy
server, then the UAS MUST contact all policy servers a second time
after contacting all servers the first time. Whether or not a second
round is required is determined by the type of information returned
by the policy server. A data format for session policies (e.g.,
[<a href="./rfc6796" title=""A User Agent Profile Data Set for Media Policy"">RFC6796</a>]) needs to explicitly state if a second round is needed for
a particular data element. If a UA receives such an element, it
knows that is expected to contact policy servers a second time. If
such a data element is modified during a mid-call offer/answer
exchange and multiple policy servers are providing policies to a UA,
then all UAs MUST contact policy servers in a first and second round.
An example call flow is shown in <a href="#appendix-B.3">Appendix B.3</a>.
A UA that supports session-specific policies compliant to this
specification MUST support the User Agent Profile Data Set for Media
Policy [<a href="./rfc6796" title=""A User Agent Profile Data Set for Media Policy"">RFC6796</a>] as data format for session policies.
<span class="h4"><a class="selflink" id="section-4.5.3" href="#section-4.5.3">4.5.3</a>. Using Session Policies</span>
A UA MUST disclose the session description(s) for the current session
to policy servers through the policy channel. The UA MUST apply
session policies it receives to the offer and, if one is received, to
the answer before using the offer/answer. If these policies are
unacceptable, the UA MUST NOT continue with the session. This means
that the UA MUST cancel or reject a pending INVITE transaction for
<span class="grey">Hilt, et al. Standards Track [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
the session or terminate the session if it is already in progress.
If the UA receives an unacceptable policy in an INVITE response, the
UA MUST complete the INVITE transaction and then terminate the
session.
When a UA receives a notification about a change in the current
policies, the UA MUST apply the updated policies to the current
session or the UA MUST terminate the session. If the policy update
causes a change in the session description of a session, then the UA
needs to renegotiate the modified session description with its peer
UA, for example, using a re-INVITE or UPDATE request. For example,
if a policy update disallows the use of video and video is part of
the current session description, then the UA will need to create an
new session description offer without video. After receiving this
offer, the peer UA knows that video can't be used any more and
responds with the corresponding answer.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Security Considerations</span>
Policy enforcement mechanisms can prevent a UA from communicating
with another UA if the UAs are not aware of the policies that are
enforced. Policy enforcement mechanisms without policy signaling can
therefore create a denial-of-service condition for UAs. This
specification provides a mechanism for intermediaries to signal the
policies that are enforced to UAs. It enables UAs to establish
sessions that are conform and pass through policy enforcement.
Session policies can significantly change the behavior of a UA and
can be used by an attacker to compromise a UA. For example, session
policies can be used to prevent a UA from successfully establishing a
session (e.g., by setting the available bandwidth to zero). Such a
policy can be submitted to the UA during a session, which causes the
UA to terminate the session.
A UA transmits session information to a policy server for session-
specific policies. This session information can contain sensitive
data the user does not want an eavesdropper or an unauthorized policy
server to see. Vice versa, session policies can contain sensitive
information about the network or service level agreements the service
provider does not want to disclose to an eavesdropper or an
unauthorized UA.
It is important to secure the communication between the proxy and the
UA (for session-specific policies) as well as the UA and the policy
server. The following four discrete attributes need to be protected:
1. integrity of the policy server URI (for session-specific
policies),
<span class="grey">Hilt, et al. Standards Track [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
2. authentication of the policy server and, if needed, the user
agent,
3. confidentiality of the messages exchanged between the user agent
and the policy server and
4. ensuring that private information is not exchanged between the
two parties, even over a confidentiality-assured and
authenticated session.
To protect the integrity of the policy server URI, a UA SHOULD use a
secured transport protocol such as TLS [<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>] between proxies and
the UA. Protecting the integrity of the policy server URI is
important since an attacker could intercept SIP messages between the
UA and the proxy and remove the policy header fields needed for
session-specific policies. This would impede the rendezvous between
UA and policy server and, since the UA would not contact the policy
server, can prevent a UA from setting up a session.
Instead of removing a policy server URI, an attacker can also modify
the policy server URI and point the UA to a compromised policy
server. It is RECOMMENDED that a UA authenticate policy servers to
prevent such an attack from being effective.
It is RECOMMENDED that the UA only accept session-independent
policies from trustworthy policy servers as these policies affect all
sessions of a UA. A list of trustworthy session-independent policy
servers can be provided to the UA through configuration. As SIP
messages can be affected by any proxy on a path and session-specific
policies only apply to a single session, a UA MAY choose to accept
session-specific policies from other policy servers as well.
Policy servers SHOULD authenticate UAs to protect the information
that is contained in a session policy. However, a policy server can
also frequently encounter UAs it cannot authenticate. In these
cases, the policy server MAY provide a generic policy that does not
reveal sensitive information to these UAs.
It is RECOMMENDED that administrators use SIPS URIs as policy server
URIs so that subscriptions to session policies are transmitted over
TLS.
The above security attributes are important to protect the
communication between the UA and policy server. This document does
not define the protocol used for the communication between UA and
policy server and merely refers to other specifications for this
purpose. The security considerations of these specifications need to
address the above security aspects.
<span class="grey">Hilt, et al. Standards Track [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. IANA Considerations</span>
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Registration of the "Policy-ID" Header Field</span>
Name of Header Field: Policy-ID
Short form: none
Normative description: <a href="#section-4.4.5">Section 4.4.5</a> of this document
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Registration of the "Policy-Contact" Header Field</span>
Name of Header Field: Policy-Contact
Short form: none
Normative description: <a href="#section-4.4.5">Section 4.4.5</a> of this document
<span class="h3"><a class="selflink" id="section-6.3" href="#section-6.3">6.3</a>. Registration of the "non-cacheable" Policy-Contact Header Field</span>
<span class="h3"> Parameter</span>
Registry Name: Header Field Parameters and Parameter Values
Reference: [<a href="./rfc3968" title=""The Internet Assigned Number Authority (IANA) Header Field Parameter Registry for the Session Initiation Protocol (SIP)"">RFC3968</a>]
Registry:
Header Field Parameter Name Predefined Reference
Values
_____________________________________________________________________
Policy-Contact non-cacheable Yes this document
<span class="h3"><a class="selflink" id="section-6.4" href="#section-6.4">6.4</a>. Registration of the "policy" SIP Option Tag</span>
This specification registers a new SIP option tag, as per the
guidelines in <a href="./rfc3261#section-27.1">Section 27.1 of [RFC3261]</a>.
This document defines the SIP option tag "policy".
The following row has been added to the "Option Tags" section of the
SIP Parameter Registry:
<span class="grey">Hilt, et al. Standards Track [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
+------------+------------------------------------------+-----------+
| Name | Description | Reference |
+------------+------------------------------------------+-----------+
| policy | This option tag is used to indicate that | this |
| | a UA can process policy server URIs for | document |
| | and subscribe to session-specific | |
| | policies. | |
+------------+------------------------------------------+-----------+
Name of option: policy
Description: Support for the Policy-Contact and Policy-ID header
fields.
SIP header fields defined: Policy-Contact, Policy-ID
Normative description: This document
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. References</span>
<span class="h3"><a class="selflink" id="section-7.1" href="#section-7.1">7.1</a>. Normative References</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC3261">RFC3261</a>] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", <a href="./rfc3261">RFC 3261</a>,
June 2002.
[<a id="ref-RFC3262">RFC3262</a>] Rosenberg, J. and H. Schulzrinne, "Reliability of
Provisional Responses in Session Initiation Protocol
(SIP)", <a href="./rfc3262">RFC 3262</a>, June 2002.
[<a id="ref-RFC3264">RFC3264</a>] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model
with Session Description Protocol (SDP)", <a href="./rfc3264">RFC 3264</a>,
June 2002.
[<a id="ref-RFC3311">RFC3311</a>] Rosenberg, J., "The Session Initiation Protocol (SIP)
UPDATE Method", <a href="./rfc3311">RFC 3311</a>, October 2002.
[<a id="ref-RFC3968">RFC3968</a>] Camarillo, G., "The Internet Assigned Number Authority
(IANA) Header Field Parameter Registry for the Session
Initiation Protocol (SIP)", <a href="https://www.rfc-editor.org/bcp/bcp98">BCP 98</a>, <a href="./rfc3968">RFC 3968</a>,
December 2004.
[<a id="ref-RFC5234">RFC5234</a>] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, <a href="./rfc5234">RFC 5234</a>, January 2008.
<span class="grey">Hilt, et al. Standards Track [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
[<a id="ref-RFC6080">RFC6080</a>] Petrie, D. and S. Channabasappa, "A Framework for Session
Initiation Protocol User Agent Profile Delivery",
<a href="./rfc6080">RFC 6080</a>, March 2011.
[<a id="ref-RFC6665">RFC6665</a>] Roach, A., "SIP-Specific Event Notification", <a href="./rfc6665">RFC 6665</a>,
July 2012.
[<a id="ref-RFC6795">RFC6795</a>] Hilt, V. and G. Camarillo, "A Session Initiation Protocol
(SIP) Event Package for Session-Specific Policies",
<a href="./rfc6795">RFC 6795</a>, December 2012.
[<a id="ref-RFC6796">RFC6796</a>] Hilt, V., Camarillo, G., Rosenberg, J., and D. Worley, "A
User Agent Profile Data Set for Media Policy", <a href="./rfc6796">RFC 6796</a>,
December 2012.
<span class="h3"><a class="selflink" id="section-7.2" href="#section-7.2">7.2</a>. Informative References</span>
[<a id="ref-RFC3428">RFC3428</a>] Campbell, B., Rosenberg, J., Schulzrinne, H., Huitema, C.,
and D. Gurle, "Session Initiation Protocol (SIP) Extension
for Instant Messaging", <a href="./rfc3428">RFC 3428</a>, December 2002.
[<a id="ref-RFC3515">RFC3515</a>] Sparks, R., "The Session Initiation Protocol (SIP) Refer
Method", <a href="./rfc3515">RFC 3515</a>, April 2003.
[<a id="ref-RFC3725">RFC3725</a>] Rosenberg, J., Peterson, J., Schulzrinne, H., and G.
Camarillo, "Best Current Practices for Third Party Call
Control (3pcc) in the Session Initiation Protocol (SIP)",
<a href="https://www.rfc-editor.org/bcp/bcp85">BCP 85</a>, <a href="./rfc3725">RFC 3725</a>, April 2004.
[<a id="ref-RFC3903">RFC3903</a>] Niemi, A., "Session Initiation Protocol (SIP) Extension
for Event State Publication", <a href="./rfc3903">RFC 3903</a>, October 2004.
[<a id="ref-RFC3986">RFC3986</a>] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
<a href="./rfc3986">RFC 3986</a>, January 2005.
[<a id="ref-RFC4566">RFC4566</a>] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", <a href="./rfc4566">RFC 4566</a>, July 2006.
[<a id="ref-RFC5246">RFC5246</a>] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", <a href="./rfc5246">RFC 5246</a>, August 2008.
[<a id="ref-RFC6086">RFC6086</a>] Holmberg, C., Burger, E., and H. Kaplan, "Session
Initiation Protocol (SIP) INFO Method and Package
Framework", <a href="./rfc6086">RFC 6086</a>, January 2011.
<span class="grey">Hilt, et al. Standards Track [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. Acknowledgements</span>
Many thanks to Allison Mankin, Andrew Allen, Cullen Jennings and
Vijay Gurbani for their contributions to this document. Many thanks
to Roni Even, Bob Penfield, Mary Barnes, Shida Schubert, Keith Drage,
Lisa Dusseault, Tim Polk and Pasi Eronen for their reviews and
suggestions.
<span class="h2"><a class="selflink" id="appendix-B" href="#appendix-B">Appendix B</a>. Session-Specific Policies - Call Flows</span>
The following call flows illustrate the overall operation of session-
specific policies including the policy channel protocol as defined in
"A Session Initiation Protocol (SIP) Event Package for Session-
Specific Policies" [<a href="./rfc6795" title=""A Session Initiation Protocol (SIP) Event Package for Session-Specific Policies"">RFC6795</a>].
The following abbreviations are used:
o: offer
o': offer modified by a policy
po: offer policy
a: answer
a': answer modified by a policy
pa: answer policy
ps uri: policy server URI (in Policy-Contact header field)
ps id: policy server id (in Policy-ID header field)
<span class="h3"><a class="selflink" id="appendix-B.1" href="#appendix-B.1">B.1</a>. Offer in Invite</span>
<span class="grey">Hilt, et al. Standards Track [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
UA A P A PS A PS B P B UA B
| | | | | |
|(1) INV <o> | | | |
|-------->| | | | |
|(2) 488 <ps uri> | | | |
|<--------| | | | |
|(3) ACK | | | | |
|-------->| | | | |
|(4) SUBSCRIBE <o> | | | |
|------------------>| | | |
|(5) 200 OK | | | |
|<------------------| | | |
|(6) NOTIFY <po> | | | |
|<------------------| | | |
|(7) 200 OK | | | |
|------------------>| | | |
|(8) INV <ps id, o'>| | | |
|-------->| | | | |
| |(9) INV <o'> | | |
| |---------------------------->| |
| | | | |(10) INV <o', ps uri>
| | | | |-------->|
| | | |(11) SUBSCRIBE <o', a>
| | | |<------------------|
| | | |(12) 200 OK |
| | | |------------------>|
| | | |(13) NOTIFY <po, pa>
| | | |------------------>|
| | | |(14) 200 OK |
| | | |<------------------|
| | | | |(15) 200 OK <a'>
| | | | |<--------|
| |(16) 200 OK <a'> | | |
| |<----------------------------| |
|(17) 200 OK <a'> | | | |
|<--------| | | | |
|(18) ACK | | | | |
|------------------------------------------------>|
|(19) SUBSCRIBE <o', a'> | | |
|------------------>| | | |
|(20) 200 OK | | | |
|<------------------| | | |
|(21) NOTIFY <po, pa> | | |
|<------------------| | | |
|(22) 200 OK | | | |
|------------------>| | | |
| | | | | |
| | | | | |
<span class="grey">Hilt, et al. Standards Track [Page 33]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-34" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
<span class="h3"><a class="selflink" id="appendix-B.2" href="#appendix-B.2">B.2</a>. Offer in Response</span>
UA A P A PS A PS B P B UA B
| | | | | |
|(1) INV | | | | |
|-------->| | | | |
|(2) 488 <ps uri> | | | |
|<--------| | | | |
|(3) ACK | | | | |
|-------->| | | | |
|(4) SUBSCRIBE | | | |
|------------------>| | | |
|(5) 200 OK | | | |
|<------------------| | | |
|(6) NOTIFY | | | |
|<------------------| | | |
|(7) 200 OK | | | |
|------------------>| | | |
|(8) INV <ps id> | | | |
|-------->| | | | |
| |(9) INV | | | |
| |---------------------------->| |
| | | | |(10) INV <ps uri>
| | | | |-------->|
| | | |(11) SUBSCRIBE <o> |
| | | |<------------------|
| | | |(12) 200 OK |
| | | |------------------>|
| | | |(13) NOTIFY <po> |
| | | |------------------>|
| | | |(14) 200 OK |
| | | |<------------------|
| | | | |(15) 200 OK <o'>
| | | | |<--------|
| |(16) 200 OK <o'> | | |
| |<----------------------------| |
|(17) 200 OK <o'> | | | |
|<--------| | | | |
|(18) SUBSCRIBE <o', a> | | |
|------------------>| | | |
|(19) 200 OK | | | |
|<------------------| | | |
|(20) NOTIFY <po, pa> | | |
|<------------------| | | |
|(21) 200 OK | | | |
|------------------>| | | |
|(22) ACK <a'> | | | |
|------------------------------------------------>|
<span class="grey">Hilt, et al. Standards Track [Page 34]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-35" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
| | | |(23) SUBSCRIBE <o', a'>
| | | |<------------------|
| | | |(24) 200 OK |
| | | |------------------>|
| | | |(25) NOTIFY <po, pa>
| | | |------------------>|
| | | |(26) 200 OK |
| | | |<------------------|
| | | | | |
| | | | | |
<span class="h3"><a class="selflink" id="appendix-B.3" href="#appendix-B.3">B.3</a>. Multiple Policy Servers for the UAS</span>
UA A P A PS A PS B P B UA B
| | | | | |
| | | | | |
| | | | | |
|(1) INV <o> | | | |
|-------->| | | | |
| |(2) INV <o, uri PSA> | |
| |---------------------------->| |
| | | | |(3) INV <o, uri PSA, uri PSB>
| | | | |-------->|
| | |(4) SUBSCRIBE <o, a> |
| | |<----------------------------|
| | |(5) 200 OK | |
| | |---------------------------->|
| | |(6) NOTIFY <po, pa>| |
| | |---------------------------->|
| | |(7) 200 OK | |
| | |<----------------------------|
| | | |(8) SUBSCRIBE <o', a'>
| | | |<------------------|
| | | |(9) 200 OK |
| | | |------------------>|
| | | |(10) NOTIFY <po, pa>
| | | |------------------>|
| | | |(11) 200 OK |
| | | |<------------------|
| | |(12) SUBSCRIBE <o", a"> |
| | |<----------------------------|
| | |(13) 200 OK | |
| | |---------------------------->|
| | |(14) NOTIFY <po, pa> |
| | |---------------------------->|
| | |(15) 200 OK | |
| | |<----------------------------|
| | | |(16) SUBSCRIBE <o", a">
<span class="grey">Hilt, et al. Standards Track [Page 35]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-36" ></span>
<span class="grey"><a href="./rfc6794">RFC 6794</a> Session Policy Framework December 2012</span>
| | | |<------------------|
| | | |(17) 200 OK |
| | | |------------------>|
| | | |(18) NOTIFY <po, pa>
| | | |------------------>|
| | | |(19) 200 OK |
| | | |<------------------|
| | | | |(20) 200 OK <a">
| | | | |<--------|
| |(21) 200 OK <a"> | | |
| |<----------------------------| |
|(22) 200 OK <a"> | | | |
|<--------| | | | |
|(23) ACK | | | | |
|------------------------------------------------>|
| | | | | |
| | | | | |
Authors' Addresses
Volker Hilt
Bell Labs/Alcatel-Lucent
Lorenzstrasse 10
70435 Stuttgart
Germany
EMail: volker.hilt@bell-labs.com
Gonzalo Camarillo
Ericsson
Hirsalantie 11
Jorvas 02420
Finland
EMail: Gonzalo.Camarillo@ericsson.com
Jonathan Rosenberg
jdrosen.net
Monmouth, NJ
USA
EMail: jdrosen@jdrosen.net
Hilt, et al. Standards Track [Page 36]
</pre>
|
