1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
|
<pre>Internet Engineering Task Force (IETF) C. Shen
Request for Comments: 7200 H. Schulzrinne
Category: Standards Track Columbia U.
ISSN: 2070-1721 A. Koike
NTT
April 2014
<span class="h1">A Session Initiation Protocol (SIP) Load-Control Event Package</span>
Abstract
This specification defines a load-control event package for the
Session Initiation Protocol (SIP). It allows SIP entities to
distribute load-filtering policies to other SIP entities in the
network. The load-filtering policies contain rules to throttle calls
from a specific user or based on their source or destination domain,
telephone number prefix. The mechanism helps to prevent signaling
overload and complements feedback-based SIP overload control efforts.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc7200">http://www.rfc-editor.org/info/rfc7200</a>.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
<span class="grey">Shen, et al. Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-2">2</a>. Conventions .....................................................<a href="#page-3">3</a>
<a href="#section-3">3</a>. SIP Load-Filtering Overview .....................................<a href="#page-4">4</a>
<a href="#section-3.1">3.1</a>. Load-Filtering Policy Format ...............................<a href="#page-4">4</a>
<a href="#section-3.2">3.2</a>. Load-Filtering Policy Computation ..........................<a href="#page-4">4</a>
<a href="#section-3.3">3.3</a>. Load-Filtering Policy Distribution .........................<a href="#page-4">4</a>
<a href="#section-3.4">3.4</a>. Applicable Network Domains .................................<a href="#page-8">8</a>
<a href="#section-4">4</a>. Load-Control Event Package ......................................<a href="#page-9">9</a>
<a href="#section-4.1">4.1</a>. Event Package Name .........................................<a href="#page-9">9</a>
<a href="#section-4.2">4.2</a>. Event Package Parameters ...................................<a href="#page-9">9</a>
<a href="#section-4.3">4.3</a>. SUBSCRIBE Bodies ...........................................<a href="#page-9">9</a>
<a href="#section-4.4">4.4</a>. SUBSCRIBE Duration .........................................<a href="#page-9">9</a>
<a href="#section-4.5">4.5</a>. NOTIFY Bodies .............................................<a href="#page-10">10</a>
<a href="#section-4.6">4.6</a>. Notifier Processing of SUBSCRIBE Requests .................<a href="#page-10">10</a>
<a href="#section-4.7">4.7</a>. Notifier Generation of NOTIFY Requests ....................<a href="#page-10">10</a>
<a href="#section-4.8">4.8</a>. Subscriber Processing of NOTIFY Requests ..................<a href="#page-10">10</a>
<a href="#section-4.9">4.9</a>. Handling of Forked Requests ...............................<a href="#page-12">12</a>
<a href="#section-4.10">4.10</a>. Rate of Notifications ....................................<a href="#page-12">12</a>
<a href="#section-4.11">4.11</a>. State Delta ..............................................<a href="#page-12">12</a>
<a href="#section-5">5</a>. Load-Control Document ..........................................<a href="#page-13">13</a>
<a href="#section-5.1">5.1</a>. Format ....................................................<a href="#page-13">13</a>
<a href="#section-5.2">5.2</a>. Namespace .................................................<a href="#page-13">13</a>
<a href="#section-5.3">5.3</a>. Conditions ................................................<a href="#page-14">14</a>
<a href="#section-5.3.1">5.3.1</a>. Call Identity ......................................<a href="#page-14">14</a>
<a href="#section-5.3.2">5.3.2</a>. Method .............................................<a href="#page-16">16</a>
<a href="#section-5.3.3">5.3.3</a>. Target SIP Entity ..................................<a href="#page-17">17</a>
<a href="#section-5.3.4">5.3.4</a>. Validity ...........................................<a href="#page-18">18</a>
<a href="#section-5.4">5.4</a>. Actions ...................................................<a href="#page-18">18</a>
<a href="#section-6">6</a>. XML Schema Definition for Load Control .........................<a href="#page-20">20</a>
<a href="#section-7">7</a>. Security Considerations ........................................<a href="#page-23">23</a>
<a href="#section-8">8</a>. IANA Considerations ............................................<a href="#page-24">24</a>
<a href="#section-8.1">8.1</a>. Load-Control Event Package Registration ...................<a href="#page-24">24</a>
<a href="#section-8.2">8.2</a>. application/load-control+xml Media Type Registration ......<a href="#page-24">24</a>
<a href="#section-8.3">8.3</a>. URN Sub-Namespace Registration ............................<a href="#page-25">25</a>
<a href="#section-8.4">8.4</a>. Load-Control Schema Registration ..........................<a href="#page-26">26</a>
<a href="#section-9">9</a>. Acknowledgements ...............................................<a href="#page-27">27</a>
<a href="#section-10">10</a>. References ....................................................<a href="#page-27">27</a>
<a href="#section-10.1">10.1</a>. Normative References .....................................<a href="#page-27">27</a>
<a href="#section-10.2">10.2</a>. Informative References ...................................<a href="#page-28">28</a>
<a href="#appendix-A">Appendix A</a>. Definitions ...........................................<a href="#page-30">30</a>
<a href="#appendix-B">Appendix B</a>. Design Requirements ...................................<a href="#page-30">30</a>
<a href="#appendix-C">Appendix C</a>. Discussion of How This Specification Meets the
Requirements of <a href="./rfc5390">RFC 5390</a> ..............................<a href="#page-31">31</a>
<a href="#appendix-D">Appendix D</a>. Complete Examples .....................................<a href="#page-36">36</a>
<a href="#appendix-D.1">D.1</a>. Load-Control Document Examples ............................<a href="#page-36">36</a>
<a href="#appendix-D.2">D.2</a>. Message Flow Examples .....................................<a href="#page-40">40</a>
<span class="grey">Shen, et al. Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
<a href="#appendix-E">Appendix E</a>. Related Work .........................................<a href="#page-41">41</a>
<a href="#appendix-E.1">E.1</a>. Relationship to Load Filtering in PSTN ....................<a href="#page-41">41</a>
E.2. Relationship with Other IETF SIP Overload Control Efforts .42
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
SIP load-control mechanisms are needed to prevent congestion collapse
[<a href="./rfc6357" title=""Design Considerations for Session Initiation Protocol (SIP) Overload Control"">RFC6357</a>] in cases of SIP server overload [<a href="./rfc5390" title=""Requirements for Management of Overload in the Session Initiation Protocol"">RFC5390</a>]. There are two
types of load-control approaches. In the first approach, feedback
control, SIP servers provide load limits to upstream servers, to
reduce the incoming rate of all SIP requests [<a href="#ref-SIP-OVERLOAD">SIP-OVERLOAD</a>]. These
upstream servers then drop or delay incoming SIP requests. Feedback
control is reactive and affects signaling messages that have already
been issued by user agent clients. This approach works well when SIP
proxy servers in the core networks (core proxy servers) or
destination-specific SIP proxy servers in the edge networks (edge
proxy servers) are overloaded. By their nature, they need to
distribute rate, drop, or window information to all upstream SIP
proxy servers and normally affect all calls equally, regardless of
destination.
This specification proposes an additional, complementary load-control
mechanism, called "load filtering". It is most applicable for
situations where a traffic surge and its source/destination
distribution can be predicted in advance. In those cases, network
operators create load-filtering policies that indicate calls to
specific destinations or from specific sources should be rate-limited
or randomly dropped. These load-filtering policies are then
distributed to SIP servers and possibly SIP user agents that are
likely to generate calls to the affected destinations or from the
affected sources. Load filtering works best if it prevents calls as
close to the originating user agent clients as possible. The
applicability of SIP load filtering can also be extended beyond
overload control, e.g., to implement service level agreement
commitments.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Conventions</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="grey">Shen, et al. Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. SIP Load-Filtering Overview</span>
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Load-Filtering Policy Format</span>
Load-filtering policies are specified by sets of rules. Each rule
contains both load-filtering conditions and actions. The load-
filtering conditions define identities of the targets to be filtered
(<a href="#section-5.3.1">Section 5.3.1</a>). For example, there are two typical resource limits
in a possible overload situation, i.e., human destination limits
(number of call takers) and node capacity limits. The load-filtering
targets in these two cases can be the specific callee numbers or the
destination domain corresponding to the overload. Load-filtering
conditions also indicate the specific message type to be matched
(<a href="#section-5.3.2">Section 5.3.2</a>), with which target SIP entity the filtering policy is
associated (<a href="#section-5.3.3">Section 5.3.3</a>), and the period of time when the filtering
policy should be activated and deactivated (<a href="#section-5.3.4">Section 5.3.4</a>). Load-
filtering actions describe the desired control functions such as
keeping the request rate below a specified level (<a href="#section-5.4">Section 5.4</a>).
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Load-Filtering Policy Computation</span>
When computing the load-filtering policies, one needs to take into
consideration information such as overload time, scope and network
topology, as well as service policies. It is also important to make
sure that there is no resource allocation loop and that server
capacity is allocated in a way that both prevents overload and
maximizes effective throughput (commonly called goodput). In some
cases, in order to better utilize system resources, it may be
preferable to employ an algorithm that dynamically computes the load-
filtering policies based on currently observed server load status,
rather than using a purely static filtering policy assignment. The
computation algorithm for load-filtering policies is beyond the scope
of this specification.
<span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a>. Load-Filtering Policy Distribution</span>
For distributing load-filtering policies, this specification defines
the SIP event package for load control, which is an "instantiation"
of the generic SIP event notification framework [<a href="./rfc6665" title=""SIP-Specific Event Notification"">RFC6665</a>]. This
specification also defines the XML schema of a load-control document
(<a href="#section-5">Section 5</a>), which is used to encode load-filtering policies.
In order for load-filtering policies to be properly distributed, each
capable SIP entity in the network subscribes to the SIP load-control
event package of each SIP entity to which it sends signaling
requests. A SIP entity that accepts subscription requests is called
a "notifier" (<a href="#section-4.6">Section 4.6</a>). Subscription is initiated and maintained
during normal server operation. The subscription of neighboring SIP
<span class="grey">Shen, et al. Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
entities needs to be persistent, as described in Sections <a href="#section-4.1">4.1</a> and <a href="#section-4.2">4.2</a>
of [<a href="./rfc6665" title=""SIP-Specific Event Notification"">RFC6665</a>]. The refresh procedure is described in <a href="#section-4.7">Section 4.7</a>
below. Subscribers may terminate the subscription if they have not
received notifications for an extended time period, and can
resubscribe if they determine that signaling with the notifier
becomes active again.
An example architecture is shown in Figure 1 to illustrate SIP load-
filtering policy distribution. This scenario consists of two
networks belonging to Service Provider A and Service Provider B,
respectively. Each provider's network is made up of two SIP core
proxy servers and four SIP edge proxy servers. The core proxy
servers and edge proxy servers of Service Provider A are denoted as
CPa1 to CPa2 and EPa1 to EPa4; the core proxy servers and edge proxy
servers of Service Provider B are denoted as CPb1 to CPb2 and EPb1 to
EPb4.
<span class="grey">Shen, et al. Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
+-----------+ +-----------+ +-----------+ +-----------+
| | | | | | | |
| EPa1 | | EPa2 | | EPa3 | | EPa4 |
| | | | | | | |
+-----------+ +-----------+ +-----------+ +-----------+
\ / \ /
\ / \ /
\ / \ /
+-----------+ +-----------+
| | | |
| CPa1 |------------------| CPa2 |
| | | |
+-----------+ +-----------+
| |
Service | |
Provider A | |
| |
=================================================================
| |
Service | |
Provider B | |
| |
+-----------+ +-----------+
| | | |
| CPb1 |------------------| CPb2 |
| | | |
+-----------+ +-----------+
/ \ / \
/ \ / \
/ \ / \
+-----------+ +-----------+ +-----------+ +-----------+
| | | | | | | |
| EPb1 | | EPb2 | | EPb3 | | EPb4 |
| | | | | | | |
+-----------+ +-----------+ +-----------+ +-----------+
Figure 1: Example Network Scenario Using SIP Load-Control Event
Package Mechanism
During the initialization stage, the proxy servers first identify all
their outgoing signaling neighbors and subscribe to them. Service
providers can provision neighbors, or the proxy servers can
incrementally learn who their neighbors are by inspecting signaling
messages that they send and receive. Assuming all signaling
relationships in Figure 1 are bidirectional, after this
initialization stage, each proxy server will be subscribed to all its
neighbors.
<span class="grey">Shen, et al. Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
Case I: EPa1 serves a TV program hotline and decides to limit the
total number of incoming calls to the hotline to prevent an overload.
To do so, EPa1 sends a notification to CPa1 with the specific hotline
number, time of activation, and total acceptable call rate.
Depending on the load-filtering policy computation algorithm, CPa1
may allocate the received total acceptable call rate among its
neighbors, namely, EPa2, CPa2, and CPb1, and notify them about the
resulting allocation along with the hotline number and the activation
time. CPa2 and CPb1 may perform further allocation among their own
neighbors and notify the corresponding proxy servers. This process
continues until all edge proxy servers in the network have been
informed about the event and have proper load-filtering policies
configured.
In the above case, the network entity where load-filtering policy is
first introduced is the SIP server providing access to the resource
that creates the overload situation. In other cases, the network
entry point of introducing load-filtering policy could also be an
entity that hosts this resource. For example, an operator may host
an application server that performs toll-free-number ("800 number")
translation services. The application server itself may be a SIP
proxy server or a SIP Back-to-Back User Agent (B2BUA). If one of the
toll-free numbers hosted at the application server creates the
overload condition, the load-filtering policies can be introduced
from the application server and then propagated to other SIP proxy
servers in the network.
Case II: A hurricane affects the region covered by CPb2, EPb3, and
EPb4. All three of these SIP proxy servers are overloaded. The
rescue team determines that outbound calls are more valuable than
inbound calls in this specific situation. Therefore, EPb3 and EPb4
are configured with load-filtering policies to accept more outbound
calls than inbound calls. CPb2 may be configured the same way or
receive dynamically computed load-filtering policies from EPb3 and
EPb4. Depending on the load-filtering policy computation algorithm,
CPb2 may also send out notifications to its outside neighbors, namely
CPb1 and CPa2, specifying a limit on the acceptable rate of inbound
calls to CPb2's responsible domain. CPb1 and CPa2 may subsequently
notify their neighbors about limiting the calls to CPb2's area. The
same process could continue until all edge proxy servers are notified
and have load-filtering policies configured.
Note that this specification does not define the provisioning
interface between the party who determines the load-filtering policy
and the network entry point where the policy is introduced. One of
the options for the provisioning interface is the Extensible Markup
Language (XML) Configuration Access Protocol (XCAP) [<a href="./rfc4825" title=""The Extensible Markup Language (XML) Configuration Access Protocol (XCAP)"">RFC4825</a>].
<span class="grey">Shen, et al. Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
<span class="h3"><a class="selflink" id="section-3.4" href="#section-3.4">3.4</a>. Applicable Network Domains</span>
This specification MUST be applied inside a "Trust Domain". The
concept of a Trust Domain is similar to that defined in [<a href="./rfc3324" title=""Short Term Requirements for Network Asserted Identity"">RFC3324</a>] and
[<a href="./rfc3325" title=""Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity within Trusted Networks"">RFC3325</a>]. A Trust Domain, for the purpose of SIP load filtering, is
a set of SIP entities such as SIP proxy servers that are trusted to
exchange load-filtering policies defined in this specification. In
the simplest case, a Trust Domain is a network of SIP entities
belonging to a single service provider who deploys it and accurately
knows the behavior of those SIP entities. Such simple Trust Domains
may be joined to form larger Trust Domains by bilateral agreements
between the service providers of the SIP entities.
The key requirement of a Trust Domain for the purpose of SIP load
filtering is that the behavior of all SIP entities within a given
Trust Domain is known to comply to the following set of
specifications.
o SIP entities in the Trust Domain agree on the mechanisms used to
secure the communication among SIP entities within the Trust
Domain.
o SIP entities in the Trust Domain agree on the manner used to
determine which SIP entities are part of the Trust Domain.
o SIP entities in the Trust Domain are compliant to SIP [<a href="./rfc3261" title=""SIP: Session Initiation Protocol"">RFC3261</a>].
o SIP entities in the Trust Domain are compliant to SIP-Specific
Event Notification[RFC6665].
o SIP entities in the Trust Domain are compliant to this
specification.
o SIP entities in the Trust Domain agree on what types of calls can
be affected by this SIP load-filtering mechanism. For example,
<call-identity> condition elements (<a href="#section-5.3.1">Section 5.3.1</a>) <one> and
<many> might be limited to describe within certain prefixes.
o SIP entities in the Trust Domain agree on the destinations to
which calls may be redirected when the "redirect" action
(<a href="#section-5.4">Section 5.4</a>) is used. For example, the URI might have to match a
given set of domains.
SIP load filtering is only effective if all neighbors that are
possible signaling sources participate and enforce the designated
load-filtering policies. Otherwise, a single non-conforming neighbor
could make all filtering efforts useless by pumping in excessive
traffic to overload the server. Therefore, the SIP server that
<span class="grey">Shen, et al. Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
distributes load-filtering policies needs to take countermeasures
towards any non-conforming neighbors. A simple method is to reject
excessive requests with 503 "Service Unavailable" response messages
as if they were obeying the rate. Considering the rejection costs, a
more complicated but fairer method would be to allocate at the
overloaded server the same amount of processing to the combination of
both normal processing and rejection as the overloaded server would
devote to processing requests for a conforming upstream SIP server.
These approaches work as long as the total rejection cost does not
overwhelm the entire server resources. In addition, SIP servers need
to handle message prioritization properly while performing load
filtering, which is described in <a href="#section-4.8">Section 4.8</a>.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Load-Control Event Package</span>
The SIP load-filtering mechanism defines a load-control event package
for SIP based on [<a href="./rfc6665" title=""SIP-Specific Event Notification"">RFC6665</a>].
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Event Package Name</span>
The name of this event package is "load-control". This name is
carried in the Event and Allow-Events header, as specified in
[<a href="./rfc6665" title=""SIP-Specific Event Notification"">RFC6665</a>].
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Event Package Parameters</span>
No package-specific event header field parameters are defined for
this event package.
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>. SUBSCRIBE Bodies</span>
This specification does not define the content of SUBSCRIBE bodies.
Future specifications could define bodies for SUBSCRIBE messages, for
example, to request specific types of load-control event
notifications.
A SUBSCRIBE request sent without a body implies the default
subscription behavior as specified in <a href="#section-4.7">Section 4.7</a>.
<span class="h3"><a class="selflink" id="section-4.4" href="#section-4.4">4.4</a>. SUBSCRIBE Duration</span>
The default expiration time for a subscription to load-filtering
policy is one hour. Since the desired expiration time may vary
significantly for subscriptions among SIP entities with different
signaling relationships, the subscribers and notifiers are
RECOMMENDED to explicitly negotiate appropriate subscription duration
when knowledge about the mutual signaling relationship is available.
<span class="grey">Shen, et al. Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
<span class="h3"><a class="selflink" id="section-4.5" href="#section-4.5">4.5</a>. NOTIFY Bodies</span>
The body of a NOTIFY request in this event package contains load-
filtering policies. The format of the NOTIFY request body MUST be in
one of the formats defined in the Accept header field of the
SUBSCRIBE request or be the default format, as specified in
[<a href="./rfc6665" title=""SIP-Specific Event Notification"">RFC6665</a>]. The default data format for the NOTIFY request body of
this event package is "application/load-control+xml" (defined in
<a href="#section-5">Section 5</a>). This means that when a NOTIFY request body exists but no
Accept header field is specified in a SUBSCRIBE request, the NOTIFY
request body MUST contain content conforming to the "application/
load-control+xml" format.
<span class="h3"><a class="selflink" id="section-4.6" href="#section-4.6">4.6</a>. Notifier Processing of SUBSCRIBE Requests</span>
The notifier accepts a new subscription or updates an existing
subscription upon receiving a valid SUBSCRIBE request.
If the identity of the subscriber sending the SUBSCRIBE request is
not allowed to receive load-filtering policies, the notifier MUST
return a 403 "Forbidden" response.
If none of the media types specified in the Accept header of the
SUBSCRIBE request are supported, the notifier SHOULD return a 406
"Not Acceptable" response.
<span class="h3"><a class="selflink" id="section-4.7" href="#section-4.7">4.7</a>. Notifier Generation of NOTIFY Requests</span>
A notifier MUST send a NOTIFY request with its current load-filtering
policy to the subscriber upon successfully accepting or refreshing a
subscription. If no load-filtering policy needs to be distributed
when the subscription is received, the notifier SHOULD sent a NOTIFY
request without a body to the subscriber. The content-type header
field of this NOTIFY request MUST indicate the correct body format as
if the body were present (e.g., "application/load-control+xml").
Notifiers are likely to send NOTIFY requests without a body when a
subscription is initiated for the first time, e.g., when a SIP entity
is just introduced, because there may be no planned events that
require load filtering at that time. A notifier SHOULD generate
NOTIFY requests each time the load-filtering policy changes, with the
maximum notification rate not exceeding values defined in
<a href="#section-4.10">Section 4.10</a>.
<span class="h3"><a class="selflink" id="section-4.8" href="#section-4.8">4.8</a>. Subscriber Processing of NOTIFY Requests</span>
The subscriber is the load-filtering server that enforces load-
filtering policies received from the notifier. The way subscribers
process NOTIFY requests depends on the load-filtering policies
<span class="grey">Shen, et al. Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
conveyed in the notifications. Typically, load-filtering policies
consist of rules specifying actions to be applied to requests
matching certain conditions. A subscriber receiving a notification
first installs these rules and then enforces corresponding actions on
requests matching those conditions, for example, limiting the sending
rate of call requests destined for a specific callee.
In the case when load-filtering policies specify a future validity,
it is possible that when the validity time arrives, the subscription
to the specific notifier that conveyed the rules has expired. In
this case, it is RECOMMENDED that the subscriber re-activate its
subscription with the corresponding notifier. Regardless of whether
or not this re-activation of subscription is successful, when the
validity time is reached, the subscriber SHOULD enforce the
corresponding rules.
Upon receipt of a NOTIFY request with a Subscription-State header
field containing the value "terminated", the subscription status with
the particular notifier will be terminated. Meanwhile, subscribers
MUST also terminate previously received load-filtering policies from
that notifier.
The subscriber MUST discard unknown bodies. If the NOTIFY request
contains several bodies, none of them being supported, it SHOULD
unsubscribe unless it has knowledge that it will possibly receive
NOTIFY requests with supported bodies from that notifier. A NOTIFY
request without a body indicates that no load-filtering policies need
to be updated.
When the subscriber enforces load-filtering policies, it needs to
prioritize requests and select those requests that need to be
rejected or redirected. This selection is largely a matter of local
policy. It is expected that the subscriber will follow local policy
as long as the result in reduction of traffic is consistent with the
overload algorithm in effect at that node. Accordingly, the
normative behavior described in the next three paragraphs should be
interpreted with the understanding that the subscriber will aim to
preserve local policy to the fullest extent possible.
o The subscriber SHOULD honor the local policy for prioritizing SIP
requests such as policies based on message type, e.g., INVITEs
versus requests associated with existing sessions.
o The subscriber SHOULD honor the local policy for prioritizing SIP
requests based on the content of the Resource-Priority header
(RPH, [<a href="./rfc4412" title=""Communications Resource Priority for the Session Initiation Protocol (SIP)"">RFC4412</a>]). Specific (namespace.value) RPH contents may
indicate high-priority requests that should be preserved as much
<span class="grey">Shen, et al. Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
as possible during overload. The RPH contents can also indicate a
low-priority request that is eligible to be dropped during times
of overload.
o The subscriber SHOULD honor the local policy for prioritizing SIP
requests relating to emergency calls as identified by the sos URN
[<a href="./rfc5031" title=""A Uniform Resource Name (URN) for Emergency and Other Well-Known Services"">RFC5031</a>] indicating an emergency request.
A local policy can be expected to combine both the SIP request type
and the prioritization markings and SHOULD be honored when overload
conditions prevail.
<span class="h3"><a class="selflink" id="section-4.9" href="#section-4.9">4.9</a>. Handling of Forked Requests</span>
Forking is not applicable when this load-control event package
mechanism is used within a single-hop distance between neighboring
SIP entities. If communication scope of the load-control event
package mechanism is among multiple hops, forking is also not
expected to happen because the subscription request is addressed to a
clearly defined SIP entity. However, in the unlikely case when
forking does happen, the load-control event package only allows the
first potential dialog-establishing message to create a dialog, as
specified in <a href="./rfc6665#section-5.4.9">Section 5.4.9 of [RFC6665]</a>.
<span class="h3"><a class="selflink" id="section-4.10" href="#section-4.10">4.10</a>. Rate of Notifications</span>
The rate of notifications is unlikely to be of concern for this local
control event package mechanism when it is used in a non-real-time
mode for relatively static load-filtering policies. Nevertheless, if
a situation does arise in which a rather frequently used load
filtering policy update is needed, it is RECOMMENDED that the
notifier not generate notifications at a rate higher than once per
second in all cases, in order to avoid the NOTIFY request itself
overloading the system.
<span class="h3"><a class="selflink" id="section-4.11" href="#section-4.11">4.11</a>. State Delta</span>
It is likely that updates to specific load-filtering policies are
made by changing only part of the policy parameters (e.g., acceptable
request rate or percentage, but not matching identities). This will
typically be because the utilization of a resource subject to
overload depends upon dynamic unknowns such as holding time and the
relative distribution of offered loads over subscribing SIP entities.
The updates could originate manually or be determined automatically
by an algorithm that dynamically computes the load-filtering policies
(<a href="#section-3.2">Section 3.2</a>). Another factor that is usually not known precisely or
<span class="grey">Shen, et al. Standards Track [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
needs to be computed automatically is the duration of the event
requiring load filtering. Therefore, it would also be common for the
validity to change frequently.
This event package allows the use of state delta as in [<a href="./rfc6665" title=""SIP-Specific Event Notification"">RFC6665</a>] to
accommodate frequent updates of partial policy parameters. For each
NOTIFY transaction in a subscription, a version number that increases
by exactly one MUST be included in the NOTIFY request body when the
body is present. When the subscriber receives a state delta, it
associates the partial updates to the particular policy by matching
the appropriate rule id (Appendix D). If the subscriber receives a
NOTIFY request with a version number that is increased by more than
one, it knows that it has missed a state delta and needs to ask for a
full state snapshot. Therefore, the subscriber ignores that NOTIFY
request containing the state delta, and resends a SUBSCRIBE request
to force a NOTIFY request containing a complete state snapshot.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Load-Control Document</span>
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Format</span>
A load-control document is an XML document that describes the load-
filtering policies. It inherits and enhances the common policy
document defined in [<a href="./rfc4745" title=""Common Policy: A Document Format for Expressing Privacy Preferences"">RFC4745</a>]. A common policy document contains a
set of rules. Each rule consists of three parts: conditions,
actions, and transformations. The conditions part is a set of
expressions containing attributes such as identity, domain, and
validity time information. Each expression evaluates to TRUE or
FALSE. Conditions are matched on "equality" or "greater than" style
comparison. There is no regular expression matching. Conditions are
evaluated on receipt of an initial SIP request for a dialog or
standalone transaction. If a request matches all conditions in a
rule set, the action part and the transformation part are consulted
to determine the "permission" on how to handle the request. Each
action or transformation specifies a positive grant to the policy
server to perform the resulting actions. Well-defined mechanism are
available for combining actions and transformations obtained from
more than one sources.
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Namespace</span>
The namespace URI for elements defined by this specification is a
Uniform Resource Namespace (URN) ([<a href="./rfc2141" title=""URN Syntax"">RFC2141</a>]), using the namespace
identifier "ietf" defined by [<a href="./rfc2648" title=""A URN Namespace for IETF Documents"">RFC2648</a>] and extended by [<a href="./rfc3688" title=""The IETF XML Registry"">RFC3688</a>].
The URN is as follows:
urn:ietf:params:xml:ns:load-control
<span class="grey">Shen, et al. Standards Track [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
<span class="h3"><a class="selflink" id="section-5.3" href="#section-5.3">5.3</a>. Conditions</span>
[<a id="ref-RFC4745">RFC4745</a>] defines three condition elements: <identity>, <sphere>, and
<validity>. This specification defines new condition elements and
reuses the <validity> element. The <sphere> element is not used.
<span class="h4"><a class="selflink" id="section-5.3.1" href="#section-5.3.1">5.3.1</a>. Call Identity</span>
Since the problem space of this specification is different from that
of [<a href="./rfc4745" title=""Common Policy: A Document Format for Expressing Privacy Preferences"">RFC4745</a>], the [<a href="./rfc4745" title=""Common Policy: A Document Format for Expressing Privacy Preferences"">RFC4745</a>] <identity> element is not sufficient for
use with load filtering. First, load filtering may be applied to
different identities contained in a request, including identities of
both the receiving entity and the sending entity. Second, the
importance of authentication varies when different identities of a
request are concerned. This specification defines new identity
conditions that can accommodate the granularity of specific SIP
identity header fields. The requirement for authentication depends
on which field is to be matched.
The identity condition for load filtering is specified by the
<call-identity> element and its sub-element <sip>. The <sip> element
itself contains sub-elements representing SIP sending and receiving
identity header fields: <from>, <to>, <request-uri>, and
<p-asserted-identity>. All those sub-elements are of an extended
form of the [<a href="./rfc4745" title=""Common Policy: A Document Format for Expressing Privacy Preferences"">RFC4745</a>] <identity> element. In addition to the sub-
elements including <one>, <except>, and <many> in the <identity>
element from [<a href="./rfc4745" title=""Common Policy: A Document Format for Expressing Privacy Preferences"">RFC4745</a>], the extended form adds two new sub-elements,
namely, <many-tel> and <except-tel>, which will be explained later in
this section.
The [<a href="./rfc4745" title=""Common Policy: A Document Format for Expressing Privacy Preferences"">RFC4745</a>] <one> and <except> elements may contain an "id"
attribute, which is the URI of a single entity to be included or
excluded in the condition. When used in the <from>, <to>,
<request-uri>, and <p-asserted-identity> elements, this "id" value is
the URI contained in the corresponding SIP header field, i.e., From,
To, Request-URI, and P-Asserted-Identity.
When the <call-identity> element contains multiple <sip> sub-
elements, the result is combined using logical OR. When the <from>,
<to>, <request-uri>, and <p-asserted-identity> elements contain
multiple <one>, <many>, or <many-tel> sub-elements, the result is
also combined using logical OR. When the <many> sub-element further
contains one or more <except> sub-elements, or when the <many-tel>
sub-element further contains one or more <except-tel> sub-elements,
the result of each <except> or <except-tel> sub-element is combined
using a logical OR, similar to that of the [<a href="./rfc4745" title=""Common Policy: A Document Format for Expressing Privacy Preferences"">RFC4745</a>] <identity>
element. However, when the <sip> element contains multiple <from>,
<to>, <request-uri>, and <p-asserted-identity> sub-elements, the
<span class="grey">Shen, et al. Standards Track [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
result is combined using logical AND. This allows the call identity
to be specified by multiple fields of a SIP request simultaneously,
e.g., both the From and the To header fields.
The following shows an example of the <call-identity> element, which
matches call requests whose To header field contains the SIP URI
"sip:alice@hotline.example.com" or the 'tel' URI
"tel:+1-212-555-1234".
<call-identity>
<sip>
<to>
<one id="sip:alice@hotline.example.com"/>
<one id="tel:+1-212-555-1234"/>
</to>
</sip>
</call-identity>
Before evaluating <call-identity> conditions, the subscriber shall
convert URIs received in SIP header fields in canonical form as per
[<a href="./rfc3261" title=""SIP: Session Initiation Protocol"">RFC3261</a>], except that the "phone-context" parameter shall not be
removed, if present.
The [<a href="./rfc4745" title=""Common Policy: A Document Format for Expressing Privacy Preferences"">RFC4745</a>] <many> and <except> elements may take a "domain"
attribute. The "domain" attribute specifies a domain name to be
matched by the domain part of the candidate identity. Thus, it
allows matching a large and possibly unknown number of entities
within a domain. The "domain" attribute works well for SIP URIs.
A URI identifying a SIP user, however, can also be a 'tel' URI.
Therefore, a similar way to match a group of 'tel' URIs is needed.
There are two forms of 'tel' URIs: for global numbers and local
numbers. According to [<a href="./rfc3966" title=""The tel URI for Telephone Numbers"">RFC3966</a>], "All phone numbers MUST use the
global form unless they cannot be represented as such...Local numbers
MUST be tagged with a 'phone-context'". The global number 'tel' URIs
start with a "+". The "phone-context" parameter of local numbers may
be labeled as a global number or any number of its leading digits or
a domain name. Both forms of the 'tel' URI make the resulting URI
globally unique.
'tel' URIs of global numbers can be grouped by prefixes consisting of
any number of common leading digits. For example, a prefix formed by
a country code or both the country and area code identifies telephone
numbers within a country or an area. Since the length of the country
and area code for different regions are different, the length of the
number prefix also varies. This allows further flexibility such as
<span class="grey">Shen, et al. Standards Track [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
grouping the numbers into sub-areas within the same area code. 'tel'
URIs of local numbers can be grouped by the value of the
"phone-context" parameter.
The <many> and <except> sub-elements in the <identity> element of
[<a href="./rfc4745" title=""Common Policy: A Document Format for Expressing Privacy Preferences"">RFC4745</a>] do not allow additional attributes to be added directly.
Redefining behavior of their existing "domain" attribute creates
backward-compatibility issues. Therefore, this specification defines
the <many-tel> and <except-tel> sub-elements that extend the
[<a href="./rfc4745" title=""Common Policy: A Document Format for Expressing Privacy Preferences"">RFC4745</a>] <identity> element. Both of them have a "prefix" attribute
for grouping 'tel' URIs, similar to the "domain" attribute for
grouping SIP URIs in existing <many> and <except> sub-elements. For
global numbers, the "prefix" attribute value holds any number of
common leading digits, for example, "+1-212" for US phone numbers
within area code "212" or "+1-212-854" for the organization with US
area code "212" and local prefix "854". For local numbers, the
"prefix" attribute value contains the "phone-context" parameter
value. It should be noted that visual separators (such as the "-"
sign) in 'tel' URIs are not used for URI comparison as per [<a href="./rfc3966" title=""The tel URI for Telephone Numbers"">RFC3966</a>].
The following example shows the use of the "prefix" attribute along
with the "domain" attribute. It matches those requests calling to
the number "+1-202-999-1234" but are not calling from a "+1-212"
prefix or a SIP From URI domain of "manhattan.example.com".
<call-identity>
<sip>
<from>
<many>
<except domain="manhattan.example.com"/>
</many>
<many-tel>
<except-tel prefix="+1-212"/>
</many-tel>
</from>
<to>
<one id="tel:+1-202-999-1234"/>
</to>
</sip>
</call-identity>
<span class="h4"><a class="selflink" id="section-5.3.2" href="#section-5.3.2">5.3.2</a>. Method</span>
The load created on a SIP server depends on the type of initial SIP
requests for dialogs or standalone transactions. The <method>
element specifies the SIP method to which the load-filtering action
applies. When this element is not included, the load-filtering
actions are applicable to all applicable initial requests. These
<span class="grey">Shen, et al. Standards Track [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
requests include INVITE, MESSAGE, REGISTER, SUBSCRIBE, OPTIONS, and
PUBLISH. Non-initial requests, such as ACK, BYE, and CANCEL MUST NOT
be subjected to load filtering. In addition, SUBSCRIBE requests are
not filtered if the event-type header field indicates the event
package defined in this specification.
The following example shows the use of the <method> element in the
case the filtering actions should be applied to INVITE requests.
<method>INVITE</method>
<span class="h4"><a class="selflink" id="section-5.3.3" href="#section-5.3.3">5.3.3</a>. Target SIP Entity</span>
A SIP server that performs load-filtering may have multiple paths to
route call requests matching the same set of call identity elements.
In those situations, the SIP load-filtering server may desire to take
advantage of alternative paths and only apply load-filtering actions
to matching requests for the next-hop SIP entity that originated the
corresponding load-filtering policy. To achieve that, the SIP load-
filtering server needs to associate every load-filtering policy with
its originating SIP entity. The <target-sip-entity> element is
defined for that purpose, and it contains the URI of the entity that
initiated the load-filtering policy, which is generally the
corresponding notifier. A notifier MAY include this element as part
of the condition of its filtering policy being sent to the
subscriber, as below.
<target-sip-entity>sip:biloxi.example.com</target-sip-entity>
When a SIP load-filtering server receives a policy with a
<target-sip-entity> element, it SHOULD record it and take it into
consideration when making load-filtering decisions. If the load-
filtering server receives a load-filtering policy that does not
contain a <target-sip-entity> element, it MAY still record the URI of
the load-filtering policy's originator as the <target-sip-entity>
information and consider it when making load-filtering decisions.
The following are two examples of using the <target-sip-entity>
element.
Use case I: The network has user A connected to SIP Proxy 1 (SP1),
user B connected to SIP Proxy 3 (SP3), SP1 and SP3 connected via
SIP Proxy 2 (SP2), and SP2 connected to an Application Server
(AS). Under normal load conditions, a call from A to B is routed
along the following path: A-SP1-SP2-AS-SP3-B. The AS provides a
nonessential service and can be bypassed in case of overload. Now
let's assume that AS is overloaded and sends to SP2 a load-
filtering policy requesting that 50% of all INVITE requests be
<span class="grey">Shen, et al. Standards Track [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
dropped. SP2 can maintain AS as the <target-sip-entity> for that
policy so that it knows the 50% drop action is only applicable to
call requests that must go through AS, without affecting those
calls directly routed through SP3 to B.
Use case II: A translation service for toll-free numbers is
installed on two Application Servers, AS1 and AS2. User A is
connected to SP1 and calls 800-1234-4529, which is translated by
AS1 and AS2 into a regular E.164 number depending on, e.g., the
caller's location. SP1 forwards INVITE requests with Request-URI
= "800 number" to AS1 or AS2 based on a load-balancing strategy.
As calls to 800-1234-4529 create a pre-overload condition in AS1,
AS1 sends to SP1 a load-filtering policy requesting that 50% of
calls towards 800-1234-4529 be rejected. In this case, SP1 can
maintain AS1 as the <target-sip-entity> for the rule, and only
apply the load-filtering policy on incoming requests that are
intended to be sent to AS1. Those requests that are sent to AS2,
although matching the <call-identity> of the filter, will not be
affected.
<span class="h4"><a class="selflink" id="section-5.3.4" href="#section-5.3.4">5.3.4</a>. Validity</span>
A filtering policy is usually associated with a validity period
condition. This specification reuses the <validity> element of
[<a href="./rfc4745" title=""Common Policy: A Document Format for Expressing Privacy Preferences"">RFC4745</a>], which specifies a period of validity time by pairs of
<from> and <until> sub-elements. When multiple time periods are
defined, the validity condition is evaluated to TRUE if the current
time falls into any of the specified time periods. That is, it
represents a logical OR operation across all validity time periods.
The following example shows a <validity> element specifying a valid
period from 12:00 to 15:00 US Eastern Standard Time on 2008-05-31.
<validity>
<from>2008-05-31T12:00:00-05:00</from>
<until>2008-05-31T15:00:00-05:00</until>
</validity>
<span class="h3"><a class="selflink" id="section-5.4" href="#section-5.4">5.4</a>. Actions</span>
The actions a load-filtering server takes on loads matching the load-
filtering conditions are defined by the <accept> element in the load-
filtering policy, which includes any one of the three sub-elements
<rate>, <percent>, and <win>. The <rate> element denotes an absolute
value of the maximum acceptable request rate in requests per second;
the <percent> element specifies the relative percentage of incoming
requests that should be accepted; the <win> element describes the
acceptable window size supplied by the receiver, which is applicable
<span class="grey">Shen, et al. Standards Track [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
in window-based load-filtering. In static load-filtering policy
configuration scenarios, using the <rate> sub-element is RECOMMENDED
because it is hard to enforce the percentage rate or window-based
load filtering when incoming load from upstream or reactions from
downstream are uncertain. (See [<a href="#ref-SIP-OVERLOAD">SIP-OVERLOAD</a>] and [<a href="./rfc6357" title=""Design Considerations for Session Initiation Protocol (SIP) Overload Control"">RFC6357</a>] for more
details on rate-based, loss-based, and window-based load control.)
In addition, the <accept> element takes an optional "alt-action"
attribute that can be used to explicitly specify the desired action
in case a request cannot be processed. The "alt-action" can take one
of the following three values: "reject", "redirect", or "drop".
o The "reject" action is the default value for "alt-action". It
means that the load-filtering server will reject the request with
a 503 "Service Unavailable" response message.
o The "redirect" action means redirecting the request to another
target. When it is used, an "alt-target" attribute MUST be
defined. The "alt-target" specifies one URI or a list of URIs
where the request should be redirected. The server sends out the
redirect URIs in a 300-class response message.
o The "drop" action means simply ignoring the request without doing
anything, which can, in certain cases, help save processing
capability during overload. For example, when SIP is running over
a reliable transport such as TCP, the "drop" action does not send
out the rejection response, neither does it close the transport
connection. However, when running SIP over an unreliable
transport such as UDP, using the "drop" action will create message
retransmissions that further worsen the possible overload
situation. Therefore, any "drop" action applied to an unreliable
transport MUST be treated as if it were "reject".
The above "alt-action" processing can also be illustrated through the
following pseudocode.
SWITCH "alt-action"
"redirect": "redirect"
"drop":
IF unreliable-transport
THEN treat as "reject"
ELSE
"drop"
"reject": "reject"
default: "reject"
END
<span class="grey">Shen, et al. Standards Track [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
In the following <actions> element example, the server accepts
maximum of 100 call requests per second. The remaining calls are
redirected to an answering machine.
<actions>
<accept alt-action="redirect" alt-target=
"sip:answer-machine@example.com">
<rate>100</rate>
</accept>
</actions>
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. XML Schema Definition for Load Control</span>
This section defines the XML schema for the load-control document.
It extends the Common Policy schema in [<a href="./rfc4745" title=""Common Policy: A Document Format for Expressing Privacy Preferences"">RFC4745</a>] in two ways.
Firstly, it defines two mandatory attributes for the <ruleset>
element: "version" and "state". The "version" attribute allows the
recipient of the notification to properly order them. Versions start
at zero and increase by one for each new document sent to a
subscriber within the same subscription. Versions MUST be
representable using a non-negative 32-bit integer. The "state"
attribute indicates whether the document contains a full load-
filtering policy update or only state delta as partial update.
Secondly, it defines new members of the <conditions> and <actions>
elements.
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="urn:ietf:params:xml:ns:load-control"
xmlns:lc="urn:ietf:params:xml:ns:load-control"
xmlns:cp="urn:ietf:params:xml:ns:common-policy"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified"
attributedFormDefault="unqualified">
<xs:import namespace="urn:ietf:params:xml:ns:common-policy"/>
<!-- RULESET -->
<xs:element name="ruleset">
<xs:complexType>
<xs:complexContent>
<xs:restriction base="xs:anyType">
<xs:sequence>
<xs:element name="rule" type="cp:ruleType"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:restriction>
</xs:complexContent>
<span class="grey">Shen, et al. Standards Track [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
<xs:attribute name="version" type="xs:integer" use="required"/>
<xs:attribute name="state" use="required">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="full"/>
<xs:enumeration value="partial"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<!-- CONDITIONS -->
<!-- CALL IDENTITY -->
<xs:element name="call-identity" type="lc:call-identity-type"/>
<!-- CALL IDENTITY TYPE -->
<xs:complexType name="call-identity-type">
<xs:choice>
<xs:element name="sip" type="lc:sip-id-type"/>
<any namespace="##other" processContents="lax" minOccurs="0"
maxOccurs="unbounded"/>
</xs:choice>
<anyAtrribute namespace="##other" processContents="lax"/>
</xs:complexType>
<!-- SIP ID TYPE -->
<xs:complexType name="sip-id-type">
<xs:sequence>
<element name="from" type="lc:identityType" minOccurs="0"/>
<element name="to" type="lc:identityType" minOccurs="0"/>
<element name="request-uri" type="lc:identityType"
minOccurs="0"/>
<element name="p-asserted-identity" type="lc:identityType"
minOccurs="0"/>
<any namespace="##other" processContents="lax" minOccurs="0"
maxOccurs="unbounded"/>
</xs:sequence>
<anyAtrribute namespace="##other" processContents="lax"/>
</xs:complexType>
<!-- IDENTITY TYPE -->
<xs:complexType name="identityType">
<xs:complexContent>
<xs:restriction base="xs:anyType">
<xs:choice minOccurs="1" maxOccurs="unbounded">
<xs:element name="one" type="cp:oneType"/>
<span class="grey">Shen, et al. Standards Track [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
<xs:element name="many" type="lc:manyType"/>
<xs:element name="many-tel" type="lc:manyTelType"/>
<xs:any namespace="##other" processContents="lax"/>
</xs:choice>
</xs:restriction>
</xs:complexContent>
</xs:complexType>
<!-- MANY-TEL TYPE -->
<xs:complexType name="manyTelType">
<xs:complexContent>
<xs:restriction base="xs:anyType">
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element name="except-tel" type="lc:exceptTelType"/>
<xs:any namespace="##other"
minOccurs="0" processContents="lax"/>
</xs:choice>
<xs:attribute name="prefix"
use="optional" type="xs:string"/>
</xs:restriction>
</xs:complexContent>
</xs:complexType>
<!-- EXCEPT-TEL TYPE -->
<xs:complexType name="exceptTelType">
<xs:attribute name="prefix" type="xs:string" use="optional"/>
<xs:attribute name="id" type="xs:anyURI" use="optional"/>
</xs:complexType>
<!-- METHOD -->
<xs:element name="method" type="lc:method-type"/>
<!-- METHOD TYPE -->
<xs:simpleType name="method-type">
<xs:restriction base="xs:string">
<xs:enumeration value="INVITE"/>
<xs:enumeration value="MESSAGE"/>
<xs:enumeration value="REGISTER"/>
<xs:enumeration value="SUBSCRIBE"/>
<xs:enumeration value="OPTIONS"/>
<xs:enumeration value="PUBLISH"/>
</xs:restriction>
</xs:simpleType>
<!-- TARGET SIP ENTITY -->
<xs:element name="target-sip-entity" type="xs:anyURI" minOccurs="0"/>
<!-- ACTIONS -->
<span class="grey">Shen, et al. Standards Track [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
<xs:element name="accept">
<xs:choice>
<element name="rate" type="xs:decimal" minOccurs="0"/>
<element name="win" type="xs:integer" minOccurs="0"/>
<element name="percent" type="xs:decimal" minOccurs="0"/>
<any namespace="##other" processContents="lax" minOccurs="0"
maxOccurs="unbounded"/>
</xs:choice>
<xs:attribute name="alt-action" type="xs:string" default="reject"/>
<xs:attribute name="alt-target" type="lc:alt-target-type"
use="optional"/>
<anyAtrribute namespace="##other" processContents="lax"/>
</xs:element>
<!-- ALT TARGET TYPE -->
<xs:simpleType name="alt-target-type">
<xs:list itemType="xs:anyURI"/>
</xs:simpleType>
</xs:schema>
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Security Considerations</span>
Two primary security considerations arise from this specification.
One is the distribution mechanism for the load filtering policy that
is based on the SIP event notification framework, and the other is
the enforcement mechanism for the load-filtering policy.
Security considerations for SIP event package mechanisms are covered
in <a href="./rfc6665#section-6">Section 6 of [RFC6665]</a>. A particularly relevant security concern
for this event package is that if the notifiers can be spoofed,
attackers can send fake notifications asking subscribers to throttle
all traffic, leading to denial-of-service (DoS) attacks. Therefore,
this SIP load-filtering mechanism MUST be used in a Trust Domain
(<a href="#section-3.4">Section 3.4</a>). But if a legitimate notifier in the Trust Domain is
itself compromised, additional mechanisms will be needed to detect
the attack.
Security considerations for load-filtering policy enforcement depends
very much on the contents of the policy. This specification defines
a possible match of the following SIP header fields in a load-
filtering policy: <from>, <to>, <request-uri>, and
<p-asserted-identity>. The exact requirement to authenticate and
authorize these fields is up to the service provider. In general, if
the identity field represents the source of the request, it SHOULD be
authenticated and authorized; if the identity field represents the
destination of the request, the authentication and authorization is
optional.
<span class="grey">Shen, et al. Standards Track [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
In addition, the "redirect" action (<a href="#section-5.4">Section 5.4</a>) could facilitate a
reflection denial-of-service attack. If a number of SIP proxy
servers in a Trust Domain are using UDP and configured to get their
policies from a central server. An attacker spoofs the central
server's address to send a number of NOTIFY bodies telling the proxy
servers to redirect all calls to victim@outside-of-trust-domain.com.
The proxy servers then redirect all calls to the victim, who then
becomes a victim of Denial of Service attack and becomes
inaccessiable from the Internet. To address this type of threat,
this specification requires that a Trust Domain agrees on what types
of calls can be affected as well as on the destinations to which
calls may be redirected, as in <a href="#section-3.4">Section 3.4</a>.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. IANA Considerations</span>
This specification registers a SIP event package, a new media type, a
new XML namespace, and a new XML schema.
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Load-Control Event Package Registration</span>
This section registers an event package based on the registration
procedures defined in [<a href="./rfc6665" title=""SIP-Specific Event Notification"">RFC6665</a>].
Package name: load-control
Type: package
Published specification: This specification
Person to contact: Charles Shen, charles@cs.columbia.edu
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. application/load-control+xml Media Type Registration</span>
This section registers a new media type based on the procedures
defined in [<a href="./rfc6838" title=""Media Type Specifications and Registration Procedures"">RFC6838</a>] and guidelines in [<a href="./rfc3023" title=""XML Media Types"">RFC3023</a>].
Type name: application
Subtype name: load-control+xml
Required parameters: none
Optional parameters: Same as charset parameter of application/xml as
specified in [<a href="./rfc3023" title=""XML Media Types"">RFC3023</a>].
Encoding considerations: Same as encoding considerations of
application/xml as specified in [<a href="./rfc3023" title=""XML Media Types"">RFC3023</a>].
<span class="grey">Shen, et al. Standards Track [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
Security considerations: See <a href="./rfc3023#section-10">Section 10 of [RFC3023]</a> and <a href="#section-7">Section 7</a> of
this specification.
Interoperability considerations: none
Published specification: This specification
Applications that use this media type: Applications that perform load
control of SIP entities.
Fragment identifier considerations: Same as fragment identifier
considerations of application/xml as specified in [<a href="./rfc3023" title=""XML Media Types"">RFC3023</a>].
Additional Information:
Deprecated alias names for this type: none
Magic Number(s): none
File Extension(s): .xml
Macintosh file type code(s): "TEXT"
Person and email address for further information: Charles Shen,
charles@cs.columbia.edu
Intended usage: COMMON
Restrictions on usage: none
Author: Charles Shen, Henning Schulzrinne, Arata Koike
Change controller: IESG
Provisional registration? (standards tree only): no
<span class="h3"><a class="selflink" id="section-8.3" href="#section-8.3">8.3</a>. URN Sub-Namespace Registration</span>
This section registers a new XML namespace, as per the guidelines in
[<a href="./rfc3688" title=""The IETF XML Registry"">RFC3688</a>]
URI: The URI for this namespace is
urn:ietf:params:xml:ns:load-control
Registrant Contact: IETF SOC Working Group <sip-overload@ietf.org>,
as designated by the IESG <iesg@ietf.org>
<span class="grey">Shen, et al. Standards Track [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
XML:
BEGIN
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
"<a href="http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd</a>">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type"
content="text/html;charset=iso-8859-1"/>
<title>SIP Load-Control Namespace</title>
</head>
<body>
<h1>Namespace for SIP Load Control</h1>
<h2>urn:ietf:params:xml:ns:load-control</h2>
<p>See <a href="http://www.rfc-editor.org/rfc/rfc7200.txt">
<a href="./rfc7200">RFC 7200</a></a>.</p>
</body>
</html>
END
<span class="h3"><a class="selflink" id="section-8.4" href="#section-8.4">8.4</a>. Load-Control Schema Registration</span>
URI: urn:ietf:params:xml:schema:load-control
Registrant Contact: IETF SOC working group, Charles Shen
(charles@cs.columbia.edu).
XML: the XML schema contained in <a href="#section-6">Section 6</a> has been registered.
Its first line is
<?xml version="1.0" encoding="UTF-8"?>
and its last line is
</xs:schema>
<span class="grey">Shen, et al. Standards Track [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Acknowledgements</span>
The authors would like to thank Jari Arkko, Richard Barnes, Stewart
Bryant, Gonzalo Camarillo, Bruno Chatras, Benoit Claise, Spencer
Dawkins, Martin Dolly, Keith Drage, Ashutosh Dutta, Donald Eastlake,
Adrian Farrel, Stephen Farrell, Janet Gunn, Vijay Gurbani, Brian
Haberman, Volker Hilt, Geoff Hunt, Carolyn Johnson, Hadriel Kaplan,
Paul Kyzivat, Barry Leiba, Pearl Liang, Salvatore Loreto, Timothy
Moran, Eric Noel, Parthasarathi R, Pete Resnick, Adam Roach, Dan
Romascanu, Shida Schubert, Robert Sparks, Martin Stiemerling, Sean
Turner, Phil Williams, and other members of the SOC and SIPPING
working groups for many helpful comments. In particular, Bruno
Chatras proposed the <method> and <target-sip-entity> condition
elements along with many other text improvements. Janet Gunn
provided detailed text suggestions including <a href="#appendix-C">Appendix C</a>. Eric Noel
suggested clarification on load-filtering policy distribution
initialization process. Shida Schubert made many suggestions such as
terminology usage. Phil Williams suggested adding support for delta
updates. Ashutosh Dutta gave pointers to Public Switched Telephone
Network (PSTN) references. Adam Roach suggested improvements related
to <a href="./rfc6665">RFC 6665</a> and offered other helpful clarifications. Richard Barnes
made many suggestions such as referencing the Trust Domain concept of
RFCs 3324 and 3325, the use of a separate element for 'tel' URI
grouping, and addressing the "redirect" action security threat.
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. References</span>
<span class="h3"><a class="selflink" id="section-10.1" href="#section-10.1">10.1</a>. Normative References</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC2141">RFC2141</a>] Moats, R., "URN Syntax", <a href="./rfc2141">RFC 2141</a>, May 1997.
[<a id="ref-RFC3023">RFC3023</a>] Murata, M., St. Laurent, S., and D. Kohn, "XML Media
Types", <a href="./rfc3023">RFC 3023</a>, January 2001.
[<a id="ref-RFC3261">RFC3261</a>] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", <a href="./rfc3261">RFC 3261</a>,
June 2002.
[<a id="ref-RFC3688">RFC3688</a>] Mealling, M., "The IETF XML Registry", <a href="https://www.rfc-editor.org/bcp/bcp81">BCP 81</a>, <a href="./rfc3688">RFC 3688</a>,
January 2004.
[<a id="ref-RFC3966">RFC3966</a>] Schulzrinne, H., "The tel URI for Telephone Numbers", <a href="./rfc3966">RFC</a>
<a href="./rfc3966">3966</a>, December 2004.
<span class="grey">Shen, et al. Standards Track [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
[<a id="ref-RFC4745">RFC4745</a>] Schulzrinne, H., Tschofenig, H., Morris, J., Cuellar, J.,
Polk, J., and J. Rosenberg, "Common Policy: A Document
Format for Expressing Privacy Preferences", <a href="./rfc4745">RFC 4745</a>,
February 2007.
[<a id="ref-RFC6665">RFC6665</a>] Roach, A., "SIP-Specific Event Notification", <a href="./rfc6665">RFC 6665</a>,
July 2012.
[<a id="ref-RFC6838">RFC6838</a>] Freed, N., Klensin, J., and T. Hansen, "Media Type
Specifications and Registration Procedures", <a href="https://www.rfc-editor.org/bcp/bcp13">BCP 13</a>, <a href="./rfc6838">RFC</a>
<a href="./rfc6838">6838</a>, January 2013.
<span class="h3"><a class="selflink" id="section-10.2" href="#section-10.2">10.2</a>. Informative References</span>
[<a id="ref-E.300SerSup3">E.300SerSup3</a>]
ITU-T, "North American Precise Audible Tone Plan",
Recommendation E.300 Series Supplement 3, November 1988.
[<a id="ref-E.412">E.412</a>] ITU-T, "Network Management Controls", Recommendation
E.412-2003, January 2003.
[<a id="ref-Q.1248.2">Q.1248.2</a>] ITU-T, "Interface Recommendation for Intelligent Network
Capability Set4:SCF-SSF interface", Recommendation
Q.1248.2, July 2001.
[<a id="ref-RFC2648">RFC2648</a>] Moats, R., "A URN Namespace for IETF Documents", <a href="./rfc2648">RFC 2648</a>,
August 1999.
[<a id="ref-RFC3324">RFC3324</a>] Watson, M., "Short Term Requirements for Network Asserted
Identity", <a href="./rfc3324">RFC 3324</a>, November 2002.
[<a id="ref-RFC3325">RFC3325</a>] Jennings, C., Peterson, J., and M. Watson, "Private
Extensions to the Session Initiation Protocol (SIP) for
Asserted Identity within Trusted Networks", <a href="./rfc3325">RFC 3325</a>,
November 2002.
[<a id="ref-RFC4412">RFC4412</a>] Schulzrinne, H. and J. Polk, "Communications Resource
Priority for the Session Initiation Protocol (SIP)", <a href="./rfc4412">RFC</a>
<a href="./rfc4412">4412</a>, February 2006.
[<a id="ref-RFC4825">RFC4825</a>] Rosenberg, J., "The Extensible Markup Language (XML)
Configuration Access Protocol (XCAP)", <a href="./rfc4825">RFC 4825</a>, May 2007.
[<a id="ref-RFC5031">RFC5031</a>] Schulzrinne, H., "A Uniform Resource Name (URN) for
Emergency and Other Well-Known Services", <a href="./rfc5031">RFC 5031</a>,
January 2008.
<span class="grey">Shen, et al. Standards Track [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
[<a id="ref-RFC5390">RFC5390</a>] Rosenberg, J., "Requirements for Management of Overload in
the Session Initiation Protocol", <a href="./rfc5390">RFC 5390</a>, December 2008.
[<a id="ref-RFC6357">RFC6357</a>] Hilt, V., Noel, E., Shen, C., and A. Abdelal, "Design
Considerations for Session Initiation Protocol (SIP)
Overload Control", <a href="./rfc6357">RFC 6357</a>, August 2011.
[<a id="ref-SIP-OVERLOAD">SIP-OVERLOAD</a>]
Gurbani, V., Ed., Hilt, V., and H. Schulzrinne, "Session
Initiation Protocol (SIP) Overload Control", Work in
Progress, March 2014.
<span class="grey">Shen, et al. Standards Track [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. Definitions</span>
This specification reuses the definitions for "Event Package",
"Notification", "Notifier", "Subscriber", and "Subscription" as in
[<a href="./rfc6665" title=""SIP-Specific Event Notification"">RFC6665</a>]. The following additional definitions are also used.
Load Filtering: A load-control mechanism that applies specific
actions to selected loads (e.g., SIP requests) matching specific
conditions.
Load-Filtering Policy: A set of zero or more load-filtering rules,
also known as load-filtering rule set.
Load-Filtering Rule: Conditions and actions to be applied for load
filtering.
Load-Filtering Condition: Elements that describe how to select loads
to apply load-filtering actions. This specification defines the
<call-identity>, <method>, <target-sip-identity>, and <validity>
condition elements (<a href="#section-5.3">Section 5.3</a>).
Load-Filtering Action: An operation to be taken by a load-filtering
server on loads that match the load-filtering conditions. This
specification allows actions such as accept, reject, and redirect
of loads (<a href="#section-5.4">Section 5.4</a>).
Load-Filtering Server: A server that performs load filtering. In
the context of this specification, the load-filtering server is
the subscriber, which receives load-filtering policies from the
notifier and enforces those policies during load filtering.
Load-Control Document: An XML document that describes the load-
filtering policies (<a href="#section-5">Section 5</a>). It inherits and enhances the
common policy document defined in [<a href="./rfc4745" title=""Common Policy: A Document Format for Expressing Privacy Preferences"">RFC4745</a>].
<span class="h2"><a class="selflink" id="appendix-B" href="#appendix-B">Appendix B</a>. Design Requirements</span>
The SIP load-filtering mechanism needs to satisfy the following
requirements:
o For simplicity, the solution should focus on a method for
controlling SIP load, rather than a generic application-layer
mechanism.
o The load-filtering policy needs to be distributed efficiently to
possibly a large subset of all SIP elements.
<span class="grey">Shen, et al. Standards Track [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
o The solution should reuse existing SIP protocol mechanisms to
reduce implementation and deployment complexity.
o For predictable overload situations, such as holidays and mass
calling events, the load-filtering policy should specify during
what time it is to be applied, so that the information can be
distributed ahead of time.
o For destination-specific overload situations, the load-filtering
policy should be able to describe the destination domain or the
callee.
o To address accidental and intentional high-volume call generators,
the load-filtering policy should be able to specify the caller.
o Caller and callee need to be specified as both SIP URIs and 'tel'
URIs [<a href="./rfc3966" title=""The tel URI for Telephone Numbers"">RFC3966</a>] in load-filtering policies.
o It should be possible to specify particular information in the SIP
headers (e.g., prefixes in telephone numbers) that allow load
filtering over limited regionally focused overloads.
o The solution should draw upon experiences from related PSTN
mechanisms [<a href="#ref-Q.1248.2" title=""Interface Recommendation for Intelligent Network Capability Set4:SCF-SSF interface"">Q.1248.2</a>] [<a href="#ref-E.412" title=""Network Management Controls"">E.412</a>] [<a href="#ref-E.300SerSup3">E.300SerSup3</a>] where applicable.
o The solution should be extensible to meet future needs.
<span class="h2"><a class="selflink" id="appendix-C" href="#appendix-C">Appendix C</a>. Discussion of How This Specification Meets the Requirements</span>
of <a href="./rfc5390">RFC 5390</a>
This section evaluates whether the load-control event package
mechanism defined in this specification satisfies various SIP
overload control requirements set forth by [<a href="./rfc5390" title=""Requirements for Management of Overload in the Session Initiation Protocol"">RFC5390</a>]. As mentioned
in <a href="#section-1">Section 1</a>, this specification complements other efforts in the
overall SIP load-control solution space. Therefore, not all <a href="./rfc5390">RFC 5390</a>
requirements are found applicable to this specification. This
specification categorizes the assessment results into Yes (the
requirement is met), P/A (Partially Applicable), No (must be used in
conjunction with another mechanism to meet the requirement), and N/A
(Not Applicable).
REQ 1: The overload mechanism shall strive to maintain the overall
useful throughput (taking into consideration the quality-of-
service needs of the using applications) of a SIP server at
reasonable levels, even when the incoming load on the network is
far in excess of its capacity. The overall throughput under load
is the ultimate measure of the value of an overload control
mechanism.
<span class="grey">Shen, et al. Standards Track [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
P/A. The goal of load filtering is to prevent overload or maintain
overall goodput during the time of overload, but it is dependent on
the predictions of the load and the computations as well as
distribution of the filtering policies. If the load predictions or
filtering policy computations are incorrect, or the filtering policy
is not properly distributed, the mechanism will be less effective.
On the other hand, if the load can be accurately predicted and
filtering policies be computed and distributed appropriately, this
requirement can be met.
REQ 2: When a single network element fails, goes into overload, or
suffers from reduced processing capacity, the mechanism should
strive to limit the impact of this on other elements in the
network. This helps to prevent a small-scale failure from
becoming a widespread outage.
N/A if load-filtering policies are installed in advance and do not
change during the potential overload period, P/A if load-filtering
policies are dynamically adjusted. The algorithm to dynamically
compute load-filtering policies is outside the scope of this
specification, while the distribution of the updated filtering
policies uses the event package mechanism of this specification.
REQ 3: The mechanism should seek to minimize the amount of
configuration required in order to work. For example, it is
better to avoid needing to configure a server with its SIP message
throughput, as these kinds of quantities are hard to determine.
No. This mechanism is entirely dependent on advance configuration,
based on advance knowledge. In order to satisfy REQ 3, it should be
used in conjunction with other mechanisms that are not based on
advance configuration.
REQ 4: The mechanism must be capable of dealing with elements that
do not support it, so that a network can consist of a mix of
elements that do and don't support it. In other words, the
mechanism should not work only in environments where all elements
support it. It is reasonable to assume that it works better in
such environments, of course. Ideally, there should be
incremental improvements in overall network throughput as
increasing numbers of elements in the network support the
mechanism.
No. This mechanism is entirely dependent on the participation of all
possible neighbors. In order to satisfy REQ 4, it should be used in
conjunction with other mechanisms, some of which are described in
<a href="#section-3.4">Section 3.4</a>.
<span class="grey">Shen, et al. Standards Track [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
REQ 5: The mechanism should not assume that it will only be
deployed in environments with completely trusted elements. It
should seek to operate as effectively as possible in environments
where other elements are malicious; this includes preventing
malicious elements from obtaining more than a fair share of
service.
No. This mechanism is entirely dependent on the non-malicious
participation of all possible neighbors. In order to satisfy REQ 5,
it should be used in conjunction with other mechanisms, some of which
are described in <a href="#section-3.4">Section 3.4</a>.
REQ 6: When overload is signaled by means of a specific message,
the message must clearly indicate that it is being sent because of
overload, as opposed to other, non overload-based failure
conditions. This requirement is meant to avoid some of the
problems that have arisen from the reuse of the 503 response code
for multiple purposes. Of course, overload is also signaled by
lack of response to requests. This requirement applies only to
explicit overload signals.
N/A. This mechanism signals anticipated overload, not actual
overload. However, the signals in this mechanism are not used for
any other purpose.
REQ 7: The mechanism shall provide a way for an element to
throttle the amount of traffic it receives from an upstream
element. This throttling shall be graded so that it is not all-
or-nothing as with the current 503 mechanism. This recognizes the
fact that "overload" is not a binary state and that there are
degrees of overload.
Yes. This event package allows rate-/loss-/window-based overload
control options as discussed in <a href="#section-5.4">Section 5.4</a>.
REQ 8: The mechanism shall ensure that, when a request was not
processed successfully due to overload (or failure) of a
downstream element, the request will not be retried on another
element that is also overloaded or whose status is unknown. This
requirement derives from REQ 1.
N/A to the load-control event package mechanism itself.
REQ 9: That a request has been rejected from an overloaded element
shall not unduly restrict the ability of that request to be
submitted to and processed by an element that is not overloaded.
This requirement derives from REQ 1.
<span class="grey">Shen, et al. Standards Track [Page 33]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-34" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
Yes. For example, load-filtering policy (<a href="#section-3.1">Section 3.1</a>) can include
alternative forwarding destinations for rejected requests.
REQ 10: The mechanism should support servers that receive requests
from a large number of different upstream elements, where the set
of upstream elements is not enumerable.
No. Because this mechanism requires advance configuration of
specifically identified neighbors, it does not support environments
where the number and identity of the upstream neighbors are not known
in advance. In order to satisfy REQ 10, it should be used in
conjunction with other mechanisms.
REQ 11: The mechanism should support servers that receive requests
from a finite set of upstream elements, where the set of upstream
elements is enumerable.
Yes. See also answer to REQ 10.
REQ 12: The mechanism should work between servers in different
domains.
Yes. The load-control event package mechanism is not limited by
domain boundaries. However, it is likely more applicable in intra-
domain scenarios than in inter-domain scenarios due to security and
other concerns (see also <a href="#section-3.4">Section 3.4</a>).
REQ 13: The mechanism must not dictate a specific algorithm for
prioritizing the processing of work within a proxy during times of
overload. It must permit a proxy to prioritize requests based on
any local policy, so that certain ones (such as a call for
emergency services or a call with a specific value of the
Resource-Priority header field [<a href="./rfc4412" title=""Communications Resource Priority for the Session Initiation Protocol (SIP)"">RFC4412</a>]) are given preferential
treatment, such as not being dropped, being given additional
retransmission, or being processed ahead of others.
P/A. This mechanism does not specifically address the prioritizing
of work during times of overload. But it does not preclude any
particular local policy.
REQ 14: The mechanism should provide unambiguous directions to
clients on when they should retry a request and when they should
not. This especially applies to TCP connection establishment and
SIP registrations, in order to mitigate against avalanche restart.
N/A to the load-control event package mechanism itself.
<span class="grey">Shen, et al. Standards Track [Page 34]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-35" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
REQ 15: In cases where a network element fails, is so overloaded
that it cannot process messages, or cannot communicate due to a
network failure or network partition, it will not be able to
provide explicit indications of the nature of the failure or its
levels of congestion. The mechanism must properly function in
these cases.
P/A. Because the load-filtering policies are provisioned in advance,
they are not affected by the overload or failure of other network
elements. On the other hand, they may not, in those cases, be able
to protect the overloaded network elements (see REQ 1).
REQ 16: The mechanism should attempt to minimize the overhead of
the overload control messaging.
Yes. The standardized SIP event package mechanism [<a href="./rfc6665" title=""SIP-Specific Event Notification"">RFC6665</a>] is used.
REQ 17: The overload mechanism must not provide an avenue for
malicious attack, including DoS and DDoS attacks.
P/A. This mechanism does provide a potential avenue for malicious
attacks. Therefore, the security mechanisms for SIP event packages,
in general, [<a href="./rfc6665" title=""SIP-Specific Event Notification"">RFC6665</a>] and <a href="#section-7">Section 7</a> of this specification should be
used.
REQ 18: The overload mechanism should be unambiguous about whether
a load indication applies to a specific IP address, host, or URI,
so that an upstream element can determine the load of the entity
to which a request is to be sent.
Yes. The identity of load indication is covered in the load-
filtering policy format definition in <a href="#section-3.1">Section 3.1</a>.
REQ 19: The specification for the overload mechanism should give
guidance on which message types might be desirable to process over
others during times of overload, based on SIP-specific
considerations. For example, it may be more beneficial to process
a SUBSCRIBE refresh with Expires of zero than a SUBSCRIBE refresh
with a non-zero expiration (since the former reduces the overall
amount of load on the element), or to process re-INVITEs over new
INVITEs.
N/A to the load-control event package mechanism itself.
REQ 20: In a mixed environment of elements that do and do not
implement the overload mechanism, no disproportionate benefit
shall accrue to the users or operators of the elements that do not
implement the mechanism.
<span class="grey">Shen, et al. Standards Track [Page 35]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-36" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
No. This mechanism is entirely dependent on the participation of all
possible neighbors. In order to satisfy REQ 20, it should be used in
conjunction with other mechanisms, some of which are described in
<a href="#section-3.4">Section 3.4</a>.
REQ 21: The overload mechanism should ensure that the system
remains stable. When the offered load drops from above the
overall capacity of the network to below the overall capacity, the
throughput should stabilize and become equal to the offered load.
N/A to the load-control event package mechanism itself.
REQ 22: It must be possible to disable the reporting of load
information towards upstream targets based on the identity of
those targets. This allows a domain administrator who considers
the load of their elements to be sensitive information, to
restrict access to that information. Of course, in such cases,
there is no expectation that the overload mechanism itself will
help prevent overload from that upstream target.
N/A to the load-control event package mechanism itself.
REQ 23: It must be possible for the overload mechanism to work in
cases where there is a load balancer in front of a farm of
proxies.
Yes. The load-control event package mechanism does not preclude its
use in a scenario with server farms.
<span class="h2"><a class="selflink" id="appendix-D" href="#appendix-D">Appendix D</a>. Complete Examples</span>
<span class="h3"><a class="selflink" id="appendix-D.1" href="#appendix-D.1">D.1</a>. Load-Control Document Examples</span>
This section presents two complete examples of load-control documents
valid with respect to the XML schema defined in <a href="#section-6">Section 6</a>.
The first example assumes that a set of hotlines are set up at
"sip:alice@hotline.example.com" and "tel:+1-212-555-1234". The
hotlines are activated from 12:00 to 15:00 US Eastern Standard Time
on 2008-05-31. The goal is to limit the incoming calls to the
hotlines to 100 requests per second. Calls that exceed the rate
limit are explicitly rejected.
<span class="grey">Shen, et al. Standards Track [Page 36]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-37" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
<?xml version="1.0" encoding="UTF-8"?>
<ruleset xmlns="urn:ietf:params:xml:ns:common-policy"
xmlns:lc="urn:ietf:params:xml:ns:load-control"
version="0" state="full">
<rule id="f3g44k1">
<conditions>
<lc:call-identity>
<lc:sip>
<lc:to>
<one id="sip:alice@hotline.example.com"/>
<one id="tel:+1-212-555-1234"/>
</lc:to>
</lc:sip>
</lc:call-identity>
<method>INVITE</method>
<validity>
<from>2008-05-31T12:00:00-05:00</from>
<until>2008-05-31T15:00:00-05:00</until>
</validity>
</conditions>
<actions>
<lc:accept alt-action="reject">
<lc:rate>100</lc:rate>
</lc:accept>
</actions>
</rule>
</ruleset>
The second example optimizes the usage of server resources during the
three-day period following a hurricane. Incoming calls to the domain
"sandy.example.com" or to call destinations with prefix "+1-212" will
be limited to a rate of 100 requests per second, except for those
calls originating from a particular rescue team domain
"rescue.example.com". Outgoing calls from the hurricane domain or
calls within the local domain are never limited. All calls that are
throttled due to the rate limit will be forwarded to an answering
machine with updated hurricane rescue information.
<span class="grey">Shen, et al. Standards Track [Page 37]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-38" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
<?xml version="1.0" encoding="UTF-8"?>
<ruleset xmlns="urn:ietf:params:xml:ns:common-policy"
xmlns:lc="urn:ietf:params:xml:ns:load-control"
version="1" state="full">
<rule id="f3g44k2">
<conditions>
<lc:call-identity>
<lc:sip>
<lc:to>
<many domain="sandy.example.com"/>
<many-tel prefix="+1-212"/>
</lc:to>
<lc:from>
<many>
<except domain="sandy.example.com"/>
<except domain="rescue.example.com"/>
</many>
</lc:from>
</lc:sip>
</lc:call-identity>
<method>INVITE</method>
<validity>
<from>2012-10-25T09:00:00+01:00</from>
<until>2012-10-28T09:00:00+01:00</until>
</validity>
</conditions>
<actions>
<lc:accept alt-action="redirect" alt-target=
"sip:sandy@update.example.com">
<lc:rate>100</lc:rate>
</lc:accept>
</actions>
</rule>
</ruleset>
Sometimes it may occur that multiple rules in a ruleset define
actions that match the same methods, call identity and validity. In
those cases, the "first-match-wins" principle is used. For example,
in the following ruleset, the first rule requires all calls from the
"example.com" domain to be rejected. Even though the rule following
that one specifies that calls from "sip:alice@example.com" be
redirected to a specific target "sip:eve@example.com", the calls from
"sip:alice@example.com" will still be rejected because they have
already been matched by the earlier rule.
<span class="grey">Shen, et al. Standards Track [Page 38]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-39" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
<?xml version="1.0" encoding="UTF-8"?>
<ruleset xmlns="urn:ietf:params:xml:ns:common-policy"
xmlns:lc="urn:ietf:params:xml:ns:load-control"
version="1" state="full">
<rule id="f3g44k3">
<conditions>
<lc:call-identity>
<lc:sip>
<lc:from>
<many domain="example.com"/>
</lc:from>
</lc:sip>
</lc:call-identity>
<method>INVITE</method>
<validity>
<from>2013-7-2T09:00:00+01:00</from>
<until>2013-7-3T09:00:00+01:00</until>
</validity>
</conditions>
<actions>
<lc:accept alt-action="reject">
<lc:rate>0</lc:rate>
</lc:accept>
</actions>
</rule>
<rule id="f3g44k4">
<conditions>
<lc:call-identity>
<lc:sip>
<lc:from>
<one id="sip:alice@example.com"/>
</lc:from>
</lc:sip>
</lc:call-identity>
<method>INVITE</method>
<validity>
<from>2013-7-2T09:00:00+01:00</from>
<until>2013-7-3T09:00:00+01:00</until>
</validity>
</conditions>
<actions>
<lc:accept alt-action="redirect" alt-target=
"sip:eve@example.com">
<lc:rate>0</lc:rate>
</lc:accept>
</actions>
<span class="grey">Shen, et al. Standards Track [Page 39]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-40" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
</rule>
</ruleset>
<span class="h3"><a class="selflink" id="appendix-D.2" href="#appendix-D.2">D.2</a>. Message Flow Examples</span>
This section presents an example message flow of using the load-
control event package mechanism defined in this specification.
atlanta biloxi
| F1 SUBSCRIBE |
|------------------>|
| F2 200 OK |
|<------------------|
| F3 NOTIFY |
|<------------------|
| F4 200 OK |
|------------------>|
F1 SUBSCRIBE atlanta.example.com -> biloxi.example.com
SUBSCRIBE sip:biloxi.example.com SIP/2.0
Via: SIP/2.0/TCP atlanta.example.com;branch=z9hG4bKy7cjbu3
From: sip:atlanta.example.com;tag=162ab5
To: sip:biloxi.example.com
Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com
CSeq: 2012 SUBSCRIBE
Contact: sip:atlanta.example.com
Event: load-control
Max-Forwards: 70
Accept: application/load-control+xml
Expires: 3600
Content-Length: 0
F2 200 OK biloxi.example.com -> atlanta.example.com
SIP/2.0 200 OK
Via: SIP/2.0/TCP biloxi.example.com;branch=z9hG4bKy7cjbu3
;received=192.0.2.1
To: <sip:biloxi.example.com>;tag=331dc8
From: <sip:atlanta.example.com>;tag=162ab5
Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com
CSeq: 2012 SUBSCRIBE
Expires: 3600
Contact: sip:biloxi.example.com
Content-Length: 0
<span class="grey">Shen, et al. Standards Track [Page 40]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-41" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
F3 NOTIFY biloxi.example.com -> atlanta.example.com
NOTIFY sip:atlanta.example.com SIP/2.0
Via: SIP/2.0/TCP biloxi.example.com;branch=z9hG4bKy71g2ks
From: <sip:biloxi.example.com>;tag=331dc8
To: <sip:atlanta.example.com>;tag=162ab5
Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com
Event: load-control
Subscription-State: active;expires=3599
Max-Forwards: 70
CSeq: 1775 NOTIFY
Contact: sip:biloxi.example.com
Content-Type: application/load-control+xml
Content-Length: ...
[Load-Control Document]
F4 200 OK atlanta.example.com -> biloxi.example.com
SIP/2.0 200 OK
Via: SIP/2.0/TCP atlanta.example.com;branch=z9hG4bKy71g2ks
;received=192.0.2.2
From: <sip:biloxi.example.com>;tag=331dc8
To: <sip:atlanta.example.com>;tag=162ab5
Call-ID: 2xTb9vxSit55XU7p8@atlanta.example.com
CSeq: 1775 NOTIFY
Content-Length: 0
<span class="h2"><a class="selflink" id="appendix-E" href="#appendix-E">Appendix E</a>. Related Work</span>
<span class="h3"><a class="selflink" id="appendix-E.1" href="#appendix-E.1">E.1</a>. Relationship to Load Filtering in PSTN</span>
It is known that an existing PSTN network also uses a load-filtering
mechanism to prevent overload and the filtering policy configuration
is done manually except in specific cases when the Intelligent
Network architecture is used [<a href="#ref-Q.1248.2" title=""Interface Recommendation for Intelligent Network Capability Set4:SCF-SSF interface"">Q.1248.2</a>][E.412]. This specification
defines a load-filtering mechanism based on the SIP event
notification framework that allows automated filtering policy
distribution in suitable environments.
PSTN overload control uses messages that specify an outgoing control
list, call gap duration, and control duration [<a href="#ref-Q.1248.2" title=""Interface Recommendation for Intelligent Network Capability Set4:SCF-SSF interface"">Q.1248.2</a>][E.412].
These items correspond roughly to the identity, action, and time
fields of the SIP load-filtering policy defined in this
specification. However, the load-filtering policy defined in this
specification is much more generic and flexible as opposed to its
PSTN counterpart.
<span class="grey">Shen, et al. Standards Track [Page 41]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-42" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
Firstly, PSTN load filtering only applies to telephone numbers. The
identity element of SIP load-filtering policy allows both SIP URI and
telephone numbers (through 'tel' URI) to be specified. These
identities can be arbitrarily grouped by SIP domains or any number of
leading prefixes of the telephone numbers.
Secondly, the PSTN load-filtering action is usually limited to call
gapping. The action field in SIP load-filtering policy allows more
flexible possibilities such as rate throttle and others.
Thirdly, the duration field in PSTN load filtering specifies a value
in seconds for the load-filtering duration only, and the allowed
values are mapped into a value set. The time field in SIP load-
filtering policy may specify not only a duration, but also a future
activation time that could be especially useful for automating load
filtering for predictable overloads.
PSTN load filtering can be performed in both edge switches and
transit switches; the SIP load filtering can also be applied in both
edge proxy servers and core proxy servers, and even in capable user
agents.
PSTN load filtering also has special accommodation for High
Probability of Completion (HPC) calls, which would be similar to
calls designated by the SIP Resource Priority Headers [<a href="./rfc4412" title=""Communications Resource Priority for the Session Initiation Protocol (SIP)"">RFC4412</a>]. The
SIP load-filtering mechanism also allows prioritizing the treatment
of these calls by specifying favorable actions for them.
PSTN load filtering also provides an administrative option for
routing failed call attempts to either a reorder tone [<a href="#ref-E.300SerSup3">E.300SerSup3</a>]
indicating overload conditions or a special recorded announcement. A
similar capability can be provided in the SIP load-filtering
mechanism by specifying appropriate "alt-action" attribute in the SIP
load-filtering action field.
<span class="h3"><a class="selflink" id="appendix-E.2" href="#appendix-E.2">E.2</a>. Relationship with Other IETF SIP Overload Control Efforts</span>
The load-filtering policies in this specification consist of
identity, action, and time. The identity can range from a single
specific user to an arbitrary user aggregate, domains, or areas. The
user can be identified by either the source or the destination. When
the user is identified by the source and a favorable action is
specified, the result is, to some extent, similar to identifying a
priority user based on authorized Resource Priority Headers [<a href="./rfc4412" title=""Communications Resource Priority for the Session Initiation Protocol (SIP)"">RFC4412</a>]
in the requests. Specifying a source user identity with an
unfavorable action would cause an effect to some extent similar to an
inverse SIP resource priority mechanism.
<span class="grey">Shen, et al. Standards Track [Page 42]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-43" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
The load-filtering policy defined in this specification is generic
and expected to be applicable not only to the load-filtering
mechanism but also to the feedback overload control mechanism in
[<a href="#ref-SIP-OVERLOAD">SIP-OVERLOAD</a>]. In particular, both mechanisms could use specific or
wildcard identities for load control and could share well-known load-
control actions. The time duration field in the load-filtering
policy could also be used in both mechanisms. As mentioned in
<a href="#section-1">Section 1</a>, the load-filtering policy distribution mechanism and the
feedback overload control mechanism address complementary areas in
the overload control problem space. Load filtering is more proactive
and focuses on distributing filtering policies towards the source of
the traffic; the hop-by-hop feedback-based approach is reactive and
reduces traffic already accepted by the network. Therefore, they
could also make different use of the generic load-filtering policy
components. For example, the load-filtering mechanism may use the
time field in the filtering policy to specify not only a control
duration but also a future activation time to accommodate a
predicable overload such as the one caused by Mother's Day greetings
or a viewer-voting program; the feedback-based control might not need
to use the time field or might use the time field to specify an
immediate load-control duration.
<span class="grey">Shen, et al. Standards Track [Page 43]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-44" ></span>
<span class="grey"><a href="./rfc7200">RFC 7200</a> SIP Load-Control Event Package April 2014</span>
Authors' Addresses
Charles Shen
Columbia University
Department of Computer Science
1214 Amsterdam Avenue, MC 0401
New York, NY 10027
USA
Phone: +1 212 854 3109
EMail: charles@cs.columbia.edu
Henning Schulzrinne
Columbia University
Department of Computer Science
1214 Amsterdam Avenue, MC 0401
New York, NY 10027
USA
Phone: +1 212 939 7004
EMail: schulzrinne@cs.columbia.edu
Arata Koike
NTT Network Technology Labs
3-9-11 Midori-cho Musashino-shi
Tokyo 180-8585
Japan
Phone: +81 422 59 6099
EMail: koike.arata@lab.ntt.co.jp
Shen, et al. Standards Track [Page 44]
</pre>
|
