draft-ietf-sipcore-invfix-00.txt   draft-ietf-sipcore-invfix-01.txt 
Network Working Group R. Sparks Network Working Group R. Sparks
Internet-Draft Tekelec Internet-Draft Tekelec
Updates: 3261 (if approved) T. Zourzouvillys Updates: 3261 (if approved) T. Zourzouvillys
Intended status: Standards Track VoIP.co.uk Intended status: Standards Track Skype
Expires: March 16, 2010 Sept 12, 2009 Expires: September 9, 2010 Mar 8, 2010
Correct transaction handling for 200 responses to Session Initiation Correct transaction handling for 2xx responses to Session Initiation
Protocol INVITE requests Protocol (SIP) INVITE requests
draft-ietf-sipcore-invfix-00 draft-ietf-sipcore-invfix-01
Abstract
This document normatively updates RFC 3261, the Session Initiation
Protocol (SIP), to address an error in the specified handling of
success (2xx class) responses to INVITE requests. Elements following
RFC 3261 exactly will misidentify retransmissions of the request as a
new, unassociated, request. The correction involves modifying the
INVITE transaction state machines. The correction also changes the
way responses that cannot be matched to an existing transaction are
handled to address a security risk.
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 34 skipping to change at page 1, line 45
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 16, 2010. This Internet-Draft will expire on September 9, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents
publication of this document (http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Abstract include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
This document normatively updates RFC 3261, the Session Initiation described in the BSD License.
Protocol (SIP), to address an error in the specified handling of
success (200 class) responses to INVITE requests. Elements following
RFC 3261 exactly will misidentify retransmissions of the request as a
new, unassociated, request. The correction involves modifying the
INVITE transaction state machines. The correction also changes the
way responses that cannot be matched to an existing transaction are
handled to address a security risk.
Table of Contents Table of Contents
1. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 1. Conventions and Definitions . . . . . . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Reason for Change . . . . . . . . . . . . . . . . . . . . . . 3 3. Reason for Change . . . . . . . . . . . . . . . . . . . . . . 3
4. Summary of Change . . . . . . . . . . . . . . . . . . . . . . 4 4. Summary of Change . . . . . . . . . . . . . . . . . . . . . . 4
5. Consequences if Not Approved . . . . . . . . . . . . . . . . . 4 5. Consequences if Not Implemented . . . . . . . . . . . . . . . 4
6. The Change . . . . . . . . . . . . . . . . . . . . . . . . . . 4 6. The Change . . . . . . . . . . . . . . . . . . . . . . . . . . 4
7. Change Details . . . . . . . . . . . . . . . . . . . . . . . . 5 7. Change Details . . . . . . . . . . . . . . . . . . . . . . . . 5
7.1. Server Transaction Impacts . . . . . . . . . . . . . . . . 5 7.1. Server Transaction Impacts . . . . . . . . . . . . . . . . 5
7.2. Client Transaction Impacts . . . . . . . . . . . . . . . . 9 7.2. Client Transaction Impacts . . . . . . . . . . . . . . . . 9
7.3. Proxy Considerations . . . . . . . . . . . . . . . . . . . 10 7.3. Proxy Considerations . . . . . . . . . . . . . . . . . . . 10
8. Exact changes to RFC3261 . . . . . . . . . . . . . . . . . . . 11 8. Exact changes to RFC3261 . . . . . . . . . . . . . . . . . . . 11
8.1. Page 85 . . . . . . . . . . . . . . . . . . . . . . . . . 11 8.1. Page 85 . . . . . . . . . . . . . . . . . . . . . . . . . 11
8.2. Page 107 . . . . . . . . . . . . . . . . . . . . . . . . . 11 8.2. Page 107 . . . . . . . . . . . . . . . . . . . . . . . . . 11
8.3. Page 114 . . . . . . . . . . . . . . . . . . . . . . . . . 11 8.3. Page 114 . . . . . . . . . . . . . . . . . . . . . . . . . 11
8.4. Pages 126 through 128 . . . . . . . . . . . . . . . . . . 12 8.4. Pages 126 through 128 . . . . . . . . . . . . . . . . . . 12
8.5. Pages 134 to 135 . . . . . . . . . . . . . . . . . . . . . 15 8.5. Pages 134 to 135 . . . . . . . . . . . . . . . . . . . . . 15
8.6. Page 136 . . . . . . . . . . . . . . . . . . . . . . . . . 15 8.6. Page 136 . . . . . . . . . . . . . . . . . . . . . . . . . 15
8.7. Page 137 . . . . . . . . . . . . . . . . . . . . . . . . . 17 8.7. Page 137 . . . . . . . . . . . . . . . . . . . . . . . . . 17
8.8. Page 141 . . . . . . . . . . . . . . . . . . . . . . . . . 17 8.8. Page 141 . . . . . . . . . . . . . . . . . . . . . . . . . 17
8.9. Page 144 . . . . . . . . . . . . . . . . . . . . . . . . . 17 8.9. Page 144 . . . . . . . . . . . . . . . . . . . . . . . . . 17
8.10. Page 146 . . . . . . . . . . . . . . . . . . . . . . . . . 18 8.10. Page 146 . . . . . . . . . . . . . . . . . . . . . . . . . 18
8.11. Page 265 . . . . . . . . . . . . . . . . . . . . . . . . . 18 8.11. Page 265 . . . . . . . . . . . . . . . . . . . . . . . . . 18
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
10. Security Considerations . . . . . . . . . . . . . . . . . . . 18 10. Security Considerations . . . . . . . . . . . . . . . . . . . 18
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 12. Normative References . . . . . . . . . . . . . . . . . . . . . 19
12.1. Normative References . . . . . . . . . . . . . . . . . . . 19
12.2. Informative References . . . . . . . . . . . . . . . . . . 20
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20
1. Conventions and Definitions 1. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [RFC2119]. document are to be interpreted as described in RFC-2119 [RFC2119].
2. Introduction 2. Introduction
This document describes an essential correction to the Session This document describes an essential correction to the Session
Initiation Protocol (SIP), defined in [RFC3261], using the process Initiation Protocol (SIP), defined in [RFC3261]. The change
defined in [I-D.drage-sip-essential-correction]. The change addresses an error in the handling of 2xx class responses to INVITE
addresses an error in the handling of 200 class responses to INVITE
requests that leads to retransmissions of the INVITE being treated as requests that leads to retransmissions of the INVITE being treated as
new requests and forbids forwarding stray INVITE responses. new requests and forbids forwarding stray INVITE responses.
3. Reason for Change 3. Reason for Change
One use of the INVITE method in SIP is to establish new sessions. One use of the INVITE method in SIP is to establish new sessions.
These "initial" INVITEs may fork at intermediaries, and more than one These "initial" INVITEs may fork at intermediaries, and more than one
receiving endpoint may choose to accept the request. SIP is designed receiving endpoint may choose to accept the request. SIP is designed
such that the requester receives all of these success responses. such that the requester receives all of these success responses.
Two sets of requirements in [RFC3261] work together to allow multiple Two sets of requirements in [RFC3261] work together to allow multiple
200s to be processed correctly by the requester. First, all elements 2xx responses to be processed correctly by the requester. First, all
are required to immediately destroy any INVITE client transaction elements are required to immediately destroy any INVITE client
state upon forwarding a matching 200 OK response. This requirement transaction state upon forwarding a matching 2xx class response.
applies to both proxies and user agents (proxies forward the response This requirement applies to both proxies and user agents (proxies
upstream, the transaction layer at user agents forward the response forward the response upstream, the transaction layer at user agents
to its "UA core"). Second, all proxies are required to statelessly forward the response to its "UA (User-Agent) core"). Second, all
forward any 200 OK responses that do not match an existing proxies are required to statelessly forward any 2xx class responses
transaction, also called stray responses, upstream. The transaction that do not match an existing transaction, also called stray
layer at user agents is required to forward these responses to its UA responses, upstream. The transaction layer at user agents is
core. Logic in the UA core deals with acknowledging each of these required to forward these responses to its UA core. Logic in the UA
responses. core deals with acknowledging each of these responses.
This technique for specifying the behavior was chosen over adjusting This technique for specifying the behavior was chosen over adjusting
INVITE client transaction state machines as a simpler way to specify INVITE client transaction state machines as a simpler way to specify
the correct behavior. the correct behavior.
Over time, implementation experience demonstrated the existing text Over time, implementation experience demonstrated the existing text
is in error. Once any element with a server transaction (say, a is in error. Once any element with a server transaction (say, a
proxy in the path of the INVITE) deletes that transaction state, any proxy in the path of the INVITE) deletes that transaction state, any
retransmission of the INVITE will be treated as a new request, retransmission of the INVITE will be treated as a new request,
potentially forwarded to different locations than the original. Many potentially forwarded to different locations than the original. Many
skipping to change at page 4, line 26 skipping to change at page 4, line 26
transaction, that the transaction moves immediately into the transaction, that the transaction moves immediately into the
Terminated state. This will result in any re-transmitted INVITE Terminated state. This will result in any re-transmitted INVITE
requests received after such an error was encountered be processed as requests received after such an error was encountered be processed as
a new request instead of being absorbed as a re-transmission. a new request instead of being absorbed as a re-transmission.
4. Summary of Change 4. Summary of Change
This correction document updates [RFC3261], adding a state and This correction document updates [RFC3261], adding a state and
changing the transitions in the INVITE client state machine such that changing the transitions in the INVITE client state machine such that
the INVITE client transaction remains in place to receive multiple the INVITE client transaction remains in place to receive multiple
200 OK responses. It adds a state to the INVITE server state machine 2xx responses. It adds a state to the INVITE server state machine to
to absorb retransmissions of the INVITE after a 200 OK response has absorb retransmissions of the INVITE after a 2xx response has been
been sent. It modifies state transitions in the INVITE server state sent. It modifies state transitions in the INVITE server state
machine to absorb retransmissions of the INVITE request after machine to absorb retransmissions of the INVITE request after
encountering a unrecoverable transport error when sending a response. encountering a unrecoverable transport error when sending a response.
It also forbids forwarding stray responses to INVITE requests (not It also forbids forwarding stray responses to INVITE requests (not
just 200 OK responses), which RFC3261 requires. just 2xx responses), which RFC3261 requires.
5. Consequences if Not Approved 5. Consequences if Not Implemented
Implementations strictly conformant to [RFC3261] will process Implementations strictly conformant to [RFC3261] will process
retransmitted initial INVITE requests as new requests. Proxies may retransmitted initial INVITE requests as new requests. Proxies may
forward them to different locations than the original. Proxies may forward them to different locations than the original. Proxies may
also be used as anonymizing forwarders of bulk traffic. also be used as anonymizing forwarders of bulk traffic.
Implementations will process any retransmitted INVITE request as new Implementations will process any retransmitted INVITE request as new
request after an attempt to send a response resulted in a request after an attempt to send a response resulted in a
unrecoverable error. unrecoverable error.
6. The Change 6. The Change
An element sending or receiving a 200 OK to an INVITE transaction An element sending or receiving a 2xx to an INVITE transaction MUST
MUST NOT destroy any matching INVITE transaction state. This state NOT destroy any matching INVITE transaction state. This state is
is necessary to ensure correct processing of retransmissions of the necessary to ensure correct processing of retransmissions of the
request and the retransmission of the 200 OK and ACK that follow. request and the retransmission of the 2xx and ACK that follow.
An element encountering an unrecoverable tranport error when trying An element encountering an unrecoverable tranport error when trying
to send a response to an INVITE request MUST NOT immediately destroy to send a response to an INVITE request MUST NOT immediately destroy
the associated INVITE server transaction state. This state is the associated INVITE server transaction state. This state is
necessary to ensure correct processing of retransmissions of the necessary to ensure correct processing of retransmissions of the
request. request.
When receiving any SIP response, a transaction-stateful proxy MUST When receiving any SIP response, a transaction-stateful proxy MUST
compare the transaction identifier in that response against its compare the transaction identifier in that response against its
existing transaction state machines. The proxy MUST NOT forward the existing transaction state machines. The proxy MUST NOT forward the
skipping to change at page 5, line 45 skipping to change at page 5, line 45
To allow a SIP element to recognize retransmissions of an INVITE as To allow a SIP element to recognize retransmissions of an INVITE as
retransmissions instead of new requests, a new state, "Accepted", is retransmissions instead of new requests, a new state, "Accepted", is
added to the INVITE server transaction state machine. A new timer, added to the INVITE server transaction state machine. A new timer,
Timer L, is also added to ultimately allow the state machine to Timer L, is also added to ultimately allow the state machine to
terminate. A server transaction in the "Proceeding" state will terminate. A server transaction in the "Proceeding" state will
transition to the "Accepted" state when it issues a 2xx response, and transition to the "Accepted" state when it issues a 2xx response, and
will remain in that state just long enough to absorb any will remain in that state just long enough to absorb any
retransmissions of the INVITE. retransmissions of the INVITE.
If the SIP elements's TU issues a 2xx response for this transaction If the SIP element's TU (Transaction User) issues a 2xx response for
while the state machine is in the "Proceeding" state, it MUST this transaction while the state machine is in the "Proceeding"
transition to the "Accepted" state and set Timer L to 64*T1. state, it MUST transition to the "Accepted" state and set Timer L to
64*T1.
While in the "Accepted" state, any retransmissions of the INVITE While in the "Accepted" state, any retransmissions of the INVITE
received will match this transaction state machine and will be received will match this transaction state machine and will be
absorbed by the machine without changing its state. These absorbed by the machine without changing its state. These
retransmissions are not passed onto the TU. RFC3261 requires the TU retransmissions are not passed onto the TU. RFC3261 requires the TU
to periodically retransmit the 2xx response until it receives an ACK. to periodically retransmit the 2xx response until it receives an ACK.
The server transaction MUST NOT generate 2xx retransmissions on its The server transaction MUST NOT generate 2xx retransmissions on its
own. Any retransmission of the 2xx response passed from the TU to own. Any retransmission of the 2xx response passed from the TU to
the transaction while in the "Accepted" state MUST be passed to the the transaction while in the "Accepted" state MUST be passed to the
transport layer for transmission. Any ACKs received from the network transport layer for transmission. Any ACKs received from the network
skipping to change at page 19, line 10 skipping to change at page 19, line 10
changes the way "stray" responses (those that don't match any changes the way "stray" responses (those that don't match any
existing transaction) are handled at transaction stateful elements. existing transaction) are handled at transaction stateful elements.
The changes to the state machines cause elements to hold onto each The changes to the state machines cause elements to hold onto each
accepted INVITE transaction state longer (32 seconds) than what was accepted INVITE transaction state longer (32 seconds) than what was
specified in RFC 3261. This will have a direct impact on the amount specified in RFC 3261. This will have a direct impact on the amount
of work an attacker leveraging state exhaustion will have to exert of work an attacker leveraging state exhaustion will have to exert
against the system. However, this additional state is necessary to against the system. However, this additional state is necessary to
achieve correct operation. achieve correct operation.
RFC 3261 required SIP proxies to forward any stray 200 class RFC 3261 required SIP proxies to forward any stray 2xx class
responses to an INVITE request upstream statelessly. As a result, responses to an INVITE request upstream statelessly. As a result,
conformant proxies can be forced to forward packets (that look conformant proxies can be forced to forward packets (that look
sufficiently like SIP responses) to destinations of the sender's sufficiently like SIP responses) to destinations of the sender's
choosing. Section 3 discusses some of the malicious behavior this choosing. Section 3 discusses some of the malicious behavior this
enables. This document reverses the stateless forwarding enables. This document reverses the stateless forwarding
requirement, making it a violation of the specification to forward requirement, making it a violation of the specification to forward
stray responses. stray responses.
RFC 3261 defines a "stateless proxy" which forwards requests and RFC 3261 defines a "stateless proxy" which forwards requests and
responses without creating or maintaining any transaction state. The responses without creating or maintaining any transaction state. The
skipping to change at page 19, line 41 skipping to change at page 19, line 41
section, introducing elements implementing these changes into section, introducing elements implementing these changes into
deployments with RFC 3261 implementations adds no additional security deployments with RFC 3261 implementations adds no additional security
concerns. concerns.
11. Acknowledgments 11. Acknowledgments
Pekka Pessi reported the improper handling of INVITE retransmissions. Pekka Pessi reported the improper handling of INVITE retransmissions.
Brett Tate performed a careful review uncovering the need for the Brett Tate performed a careful review uncovering the need for the
Accepted state and Timer M in the client transaction state machine. Accepted state and Timer M in the client transaction state machine.
Jan Kolomaznik noticed that a server transaction should let a TU know Jan Kolomaznik noticed that a server transaction should let a TU know
about transport errors when it attempts to send a 200-class response. about transport errors when it attempts to send a 2xx-class response.
Michael Procter corrected several nits. Michael Procter corrected several nits.
12. References 12. Normative References
12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E. A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261, Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002. June 2002.
12.2. Informative References
[I-D.drage-sip-essential-correction]
Drage, K., "A Process for Handling Essential Corrections
to the Session Initiation Protocol (SIP)",
draft-drage-sip-essential-correction-03 (work in
progress), July 2008.
Authors' Addresses Authors' Addresses
Robert Sparks Robert Sparks
Tekelec Tekelec
17210 Campbell Road 17210 Campbell Road
Suite 250 Suite 250
Dallas, Texas 75252 Dallas, Texas 75252
USA USA
Email: RjS@nostrum.com Email: RjS@nostrum.com
Theo Zourzouvillys Theo Zourzouvillys
VoIP.co.uk Skype
Commerce House 3rd Floor
Telford Rd 8000 Marina Blvd
Bicester, Oxfordshire OX26 6BU Brisbane, California 84005
UK US
Email: theo@crazygreek.co.uk Email: theo@crazygreek.co.uk
 End of changes. 19 change blocks. 
70 lines changed or deleted 62 lines changed or added

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/