draft-ietf-sipcore-invfix-01.txt   rfc6026.txt 
Network Working Group R. Sparks Internet Engineering Task Force (IETF) R. Sparks
Internet-Draft Tekelec Request for Comments: 6026 Tekelec
Updates: 3261 (if approved) T. Zourzouvillys Updates: 3261 T. Zourzouvillys
Intended status: Standards Track Skype Category: Standards Track Skype
Expires: September 9, 2010 Mar 8, 2010 ISSN: 2070-1721 September 2010
Correct transaction handling for 2xx responses to Session Initiation Correct Transaction Handling for 2xx Responses
Protocol (SIP) INVITE requests to Session Initiation Protocol (SIP) INVITE Requests
draft-ietf-sipcore-invfix-01
Abstract Abstract
This document normatively updates RFC 3261, the Session Initiation This document normatively updates RFC 3261, the Session Initiation
Protocol (SIP), to address an error in the specified handling of Protocol (SIP), to address an error in the specified handling of
success (2xx class) responses to INVITE requests. Elements following success (2xx class) responses to INVITE requests. Elements following
RFC 3261 exactly will misidentify retransmissions of the request as a RFC 3261 exactly will misidentify retransmissions of the request as a
new, unassociated, request. The correction involves modifying the new, unassociated request. The correction involves modifying the
INVITE transaction state machines. The correction also changes the INVITE transaction state machines. The correction also changes the
way responses that cannot be matched to an existing transaction are way responses that cannot be matched to an existing transaction are
handled to address a security risk. handled to address a security risk.
Status of this Memo Status of This Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at This is an Internet Standards Track document.
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at This document is a product of the Internet Engineering Task Force
http://www.ietf.org/shadow.html. (IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
This Internet-Draft will expire on September 9, 2010. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6026.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 1. Introduction ....................................................3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions and Definitions .....................................3
3. Reason for Change . . . . . . . . . . . . . . . . . . . . . . 3 3. Reason for Change ...............................................3
4. Summary of Change . . . . . . . . . . . . . . . . . . . . . . 4 4. Summary of Change ...............................................4
5. Consequences if Not Implemented . . . . . . . . . . . . . . . 4 5. Consequences if Not Implemented .................................4
6. The Change . . . . . . . . . . . . . . . . . . . . . . . . . . 4 6. The Change ......................................................4
7. Change Details . . . . . . . . . . . . . . . . . . . . . . . . 5 7. Change Details ..................................................5
7.1. Server Transaction Impacts . . . . . . . . . . . . . . . . 5 7.1. Server Transaction Impacts .................................5
7.2. Client Transaction Impacts . . . . . . . . . . . . . . . . 9 7.2. Client Transaction Impacts .................................9
7.3. Proxy Considerations . . . . . . . . . . . . . . . . . . . 10 7.3. Proxy Considerations ......................................10
8. Exact changes to RFC3261 . . . . . . . . . . . . . . . . . . . 11 8. Exact Changes to RFC 3261 ......................................11
8.1. Page 85 . . . . . . . . . . . . . . . . . . . . . . . . . 11 8.1. Page 85 ...................................................11
8.2. Page 107 . . . . . . . . . . . . . . . . . . . . . . . . . 11 8.2. Page 107 ..................................................11
8.3. Page 114 . . . . . . . . . . . . . . . . . . . . . . . . . 11 8.3. Page 114 ..................................................11
8.4. Pages 126 through 128 . . . . . . . . . . . . . . . . . . 12 8.4. Pages 126 through 128 .....................................12
8.5. Pages 134 to 135 . . . . . . . . . . . . . . . . . . . . . 15 8.5. Pages 134 to 135 ..........................................15
8.6. Page 136 . . . . . . . . . . . . . . . . . . . . . . . . . 15 8.6. Page 136 ..................................................15
8.7. Page 137 . . . . . . . . . . . . . . . . . . . . . . . . . 17 8.7. Page 137 ..................................................17
8.8. Page 141 . . . . . . . . . . . . . . . . . . . . . . . . . 17 8.8. Page 141 ..................................................17
8.9. Page 144 . . . . . . . . . . . . . . . . . . . . . . . . . 17 8.9. Page 144 ..................................................18
8.10. Page 146 . . . . . . . . . . . . . . . . . . . . . . . . . 18 8.10. Page 146 .................................................18
8.11. Page 265 . . . . . . . . . . . . . . . . . . . . . . . . . 18 8.11. Page 265 .................................................18
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 9. IANA Considerations ............................................18
10. Security Considerations . . . . . . . . . . . . . . . . . . . 18 10. Security Considerations .......................................19
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 11. Acknowledgments ...............................................20
12. Normative References . . . . . . . . . . . . . . . . . . . . . 19 12. Normative References ..........................................20
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20
1. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [RFC2119].
2. Introduction 1. Introduction
This document describes an essential correction to the Session This document describes an essential correction to the Session
Initiation Protocol (SIP), defined in [RFC3261]. The change Initiation Protocol (SIP), defined in [RFC3261]. The change
addresses an error in the handling of 2xx class responses to INVITE addresses an error in the handling of 2xx class responses to INVITE
requests that leads to retransmissions of the INVITE being treated as requests that leads to retransmissions of the INVITE being treated as
new requests and forbids forwarding stray INVITE responses. new requests and forbids forwarding stray INVITE responses.
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. Reason for Change 3. Reason for Change
One use of the INVITE method in SIP is to establish new sessions. One use of the INVITE method in SIP is to establish new sessions.
These "initial" INVITEs may fork at intermediaries, and more than one These "initial" INVITEs may fork at intermediaries, and more than one
receiving endpoint may choose to accept the request. SIP is designed receiving endpoint may choose to accept the request. SIP is designed
such that the requester receives all of these success responses. such that the requester receives all of these success responses.
Two sets of requirements in [RFC3261] work together to allow multiple Two sets of requirements in [RFC3261] work together to allow multiple
2xx responses to be processed correctly by the requester. First, all 2xx responses to be processed correctly by the requester. First, all
elements are required to immediately destroy any INVITE client elements are required to immediately destroy any INVITE client
transaction state upon forwarding a matching 2xx class response. transaction state upon forwarding a matching 2xx class response.
This requirement applies to both proxies and user agents (proxies This requirement applies to both UAs (user agents) and proxies
forward the response upstream, the transaction layer at user agents (proxies forward the response upstream, the transaction layer at user
forward the response to its "UA (User-Agent) core"). Second, all agents forwards the response to its "UA core"). Second, all proxies
proxies are required to statelessly forward any 2xx class responses are required to statelessly forward upstream any 2xx class responses
that do not match an existing transaction, also called stray that do not match an existing transaction, also called stray
responses, upstream. The transaction layer at user agents is responses. The transaction layer at user agents is required to
required to forward these responses to its UA core. Logic in the UA forward these responses to its UA core. Logic in the UA core deals
core deals with acknowledging each of these responses. with acknowledging each of these responses.
This technique for specifying the behavior was chosen over adjusting This technique for specifying the behavior was chosen over adjusting
INVITE client transaction state machines as a simpler way to specify INVITE client transaction state machines as a simpler way to specify
the correct behavior. the correct behavior.
Over time, implementation experience demonstrated the existing text Over time, implementation experience demonstrated the existing text
is in error. Once any element with a server transaction (say, a is in error. Once any element with a server transaction (say, a
proxy in the path of the INVITE) deletes that transaction state, any proxy in the path of the INVITE) deletes that transaction state, any
retransmission of the INVITE will be treated as a new request, retransmission of the INVITE will be treated as a new request,
potentially forwarded to different locations than the original. Many potentially forwarded to different locations than the original. Many
implementations in the field have made proprietary adjustments to implementations in the field have made proprietary adjustments to
their transaction logic to avoid this error. their transaction logic to avoid this error.
The requirement to statelessly forward stray responses has also been The requirement to statelessly forward stray responses has also been
identified as a security risk. Through it, elements compliant to identified as a security risk. Through it, elements compliant to
[RFC3261] are compelled to do work (forward packets) that is not [RFC3261] are compelled to do work (forward packets) that is not
protected by the admission policies applied to requests. This can be protected by the admission policies applied to requests. This can be
leveraged to, for instance, use a SIP proxy as an anonymizing leveraged to, for instance, use a SIP proxy as an anonymizing
forwarder of packets in a distributed DOS attack. General internet forwarder of packets in a distributed denial-of-service attack.
endpoints can also collude to tunnel non-SIP content through such General Internet endpoints can also collude to tunnel non-SIP content
proxies by wrapping them in an SIP response envelope. through such proxies by wrapping them in an SIP response envelope.
Additionally, [RFC3261] requires that if an unrecoverable transport Additionally, [RFC3261] requires that if an unrecoverable transport
error is encountered while sending a response in a client error is encountered while sending a response in a client
transaction, that the transaction moves immediately into the transaction, that the transaction moves immediately into the
Terminated state. This will result in any re-transmitted INVITE "Terminated" state. This will result in any retransmitted INVITE
requests received after such an error was encountered be processed as requests received after such an error was encountered to be processed
a new request instead of being absorbed as a re-transmission. as a new request instead of being absorbed as a retransmission.
4. Summary of Change 4. Summary of Change
This correction document updates [RFC3261], adding a state and This correction document updates [RFC3261], adding a state and
changing the transitions in the INVITE client state machine such that changing the transitions in the INVITE client state machine such that
the INVITE client transaction remains in place to receive multiple the INVITE client transaction remains in place to receive multiple
2xx responses. It adds a state to the INVITE server state machine to 2xx responses. It adds a state to the INVITE server state machine to
absorb retransmissions of the INVITE after a 2xx response has been absorb retransmissions of the INVITE after a 2xx response has been
sent. It modifies state transitions in the INVITE server state sent. It modifies state transitions in the INVITE server state
machine to absorb retransmissions of the INVITE request after machine to absorb retransmissions of the INVITE request after
encountering a unrecoverable transport error when sending a response. encountering an unrecoverable transport error when sending a
It also forbids forwarding stray responses to INVITE requests (not response. It also forbids forwarding stray responses to INVITE
just 2xx responses), which RFC3261 requires. requests (not just 2xx responses), which RFC 3261 requires.
5. Consequences if Not Implemented 5. Consequences if Not Implemented
Implementations strictly conformant to [RFC3261] will process Implementations strictly conformant to [RFC3261] will process
retransmitted initial INVITE requests as new requests. Proxies may retransmitted initial INVITE requests as new requests. Proxies may
forward them to different locations than the original. Proxies may forward them to different locations than the original. Proxies may
also be used as anonymizing forwarders of bulk traffic. also be used as anonymizing forwarders of bulk traffic.
Implementations will process any retransmitted INVITE request as new Implementations will process any retransmitted INVITE request as a
request after an attempt to send a response resulted in a new request after an attempt to send a response results in an
unrecoverable error. unrecoverable error.
6. The Change 6. The Change
An element sending or receiving a 2xx to an INVITE transaction MUST An element sending or receiving a 2xx to an INVITE transaction MUST
NOT destroy any matching INVITE transaction state. This state is NOT destroy any matching INVITE transaction state. This state is
necessary to ensure correct processing of retransmissions of the necessary to ensure correct processing of retransmissions of the
request and the retransmission of the 2xx and ACK that follow. request and the retransmission of the 2xx and ACK that follow.
An element encountering an unrecoverable tranport error when trying An element encountering an unrecoverable transport error when trying
to send a response to an INVITE request MUST NOT immediately destroy to send a response to an INVITE request MUST NOT immediately destroy
the associated INVITE server transaction state. This state is the associated INVITE server transaction state. This state is
necessary to ensure correct processing of retransmissions of the necessary to ensure correct processing of retransmissions of the
request. request.
When receiving any SIP response, a transaction-stateful proxy MUST When receiving any SIP response, a transaction-stateful proxy MUST
compare the transaction identifier in that response against its compare the transaction identifier in that response against its
existing transaction state machines. The proxy MUST NOT forward the existing transaction state machines. The proxy MUST NOT forward the
response if there is no matching transaction state machine. response if there is no matching transaction state machine.
When receiving an ACK that matches an existing INVITE server When receiving an ACK that matches an existing INVITE server
transaction, and the ACK does not contain a branch parameter transaction and that does not contain a branch parameter containing
containing the magic cookie defined in RFC 3261, the matching the magic cookie defined in RFC 3261, the matching transaction MUST
transaction MUST be checked to see if it is in the "Accepted" state. be checked to see if it is in the "Accepted" state. If it is, then
If it is, then the ACK must be passed directly to the transaction the ACK must be passed directly to the transaction user instead of
user instead of absorbing it in the transaction. This is necessary being absorbed by the transaction state machine. This is necessary
as requests from RFC 2543 clients will not include a unique branch as requests from RFC 2543 clients will not include a unique branch
parameter, and the mechanisms for calculating the transaction id from parameter, and the mechanisms for calculating the transaction ID from
such a request will be the same for both INVITE and ACKs. such a request will be the same for both INVITE and ACKs.
7. Change Details 7. Change Details
These changes impact requirements in several sections of RFC3261. These changes impact requirements in several sections of RFC 3261.
The exact effect on that text is detailed in Section 8. This section The exact effect on that text is detailed in Section 8. This section
describes the details of the change, particularly the impact on the describes the details of the change, particularly the impact on the
INVITE state machines, more succinctly to facilitate review and INVITE state machines, more succinctly to facilitate review and
simplify implementation. simplify implementation.
7.1. Server Transaction Impacts 7.1. Server Transaction Impacts
To allow a SIP element to recognize retransmissions of an INVITE as To allow a SIP element to recognize retransmissions of an INVITE as
retransmissions instead of new requests, a new state, "Accepted", is retransmissions instead of new requests, a new state, "Accepted", is
added to the INVITE server transaction state machine. A new timer, added to the INVITE server transaction state machine. A new timer,
Timer L, is also added to ultimately allow the state machine to Timer L, is also added to ultimately allow the state machine to
terminate. A server transaction in the "Proceeding" state will terminate. A server transaction in the "Proceeding" state will
transition to the "Accepted" state when it issues a 2xx response, and transition to the "Accepted" state when it issues a 2xx response and
will remain in that state just long enough to absorb any will remain in that state just long enough to absorb any
retransmissions of the INVITE. retransmissions of the INVITE.
If the SIP element's TU (Transaction User) issues a 2xx response for If the SIP element's TU (Transaction User) issues a 2xx response for
this transaction while the state machine is in the "Proceeding" this transaction while the state machine is in the "Proceeding"
state, it MUST transition to the "Accepted" state and set Timer L to state, the state machine MUST transition to the "Accepted" state and
64*T1. set Timer L to 64*T1, where T1 is the round-trip time estimate
defined in Section 17.1.1.1 of [RFC3261].
While in the "Accepted" state, any retransmissions of the INVITE While in the "Accepted" state, any retransmissions of the INVITE
received will match this transaction state machine and will be received will match this transaction state machine and will be
absorbed by the machine without changing its state. These absorbed by the machine without changing its state. These
retransmissions are not passed onto the TU. RFC3261 requires the TU retransmissions are not passed onto the TU. RFC 3261 requires the TU
to periodically retransmit the 2xx response until it receives an ACK. to periodically retransmit the 2xx response until it receives an ACK.
The server transaction MUST NOT generate 2xx retransmissions on its The server transaction MUST NOT generate 2xx retransmissions on its
own. Any retransmission of the 2xx response passed from the TU to own. Any retransmission of the 2xx response passed from the TU to
the transaction while in the "Accepted" state MUST be passed to the the transaction while in the "Accepted" state MUST be passed to the
transport layer for transmission. Any ACKs received from the network transport layer for transmission. Any ACKs received from the network
while in the "Accepted" state MUST be passed directly to the TU and while in the "Accepted" state MUST be passed directly to the TU and
not absorbed. not absorbed.
When Timer L fires and the state machine is in the "Accepted" state, When Timer L fires and the state machine is in the "Accepted" state,
the machine MUST transition to the "Terminated" state. Once the the machine MUST transition to the "Terminated" state. Once the
transaction is in the "Terminated" state, it MUST be destroyed transaction is in the "Terminated" state, it MUST be destroyed
immediately. Timer L reflects the amount of time the server immediately. Timer L reflects the amount of time the server
transaction could receive 2xx responses for retransmission from the transaction could receive 2xx responses for retransmission from the
TU while it is waiting to receive an ACK. TU while it is waiting to receive an ACK.
A server transaction MUST NOT discard transaction state based only on A server transaction MUST NOT discard transaction state based only on
encountering a non-recoverable transport error when sending a encountering a non-recoverable transport error when sending a
response. Instead the assocated INVITE server transaction state response. Instead, the associated INVITE server transaction state
machine MUST remain in its current state. (Timers will eventually machine MUST remain in its current state. (Timers will eventually
cause it to transition to the Terminated state). This allows cause it to transition to the "Terminated" state). This allows
retransmissions of the INVITE to be absorbed instead of being retransmissions of the INVITE to be absorbed instead of being
processed as a new request. processed as a new request.
Figure 1 and Figure 2 graphically show the parts of the INVITE server Figures 1 and 2 show the parts of the INVITE server state machine
state machine that has changed. The entire new INVITE server state that have changed. The entire new INVITE server state machine is
machine is shown in Figure 5. shown in Figure 5.
BEFORE AFTER BEFORE AFTER
+-----------+ +-----------+ +-----------+ +-----------+
| | | | | | | |
| Proceeding| | Proceeding| | Proceeding| | Proceeding|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
skipping to change at page 7, line 47 skipping to change at page 7, line 47
| | Timer L fires | | Timer L fires
| | - | | -
| | | |
| V | V
+-----------+ | +------------+ +-----------+ | +------------+
| | | | | | | | | |
| Terminated|<-----------+ | Terminated | | Terminated|<-----------+ | Terminated |
| | | | | | | |
+-----------+ +------------+ +-----------+ +------------+
Figure 1: Changes to the INVITE server transaction state machine when Figure 1: Changes to the INVITE server transaction state machine
sending 2xx when sending 2xx
BEFORE AFTER BEFORE AFTER
+-----------+ +------------+ +-----------+ +------------+
| | | | | | | |
| Proceeding| | Proceeding | Transport Err. | Proceeding| | Proceeding | Transport Err.
| | | | Inform TU | | | | Inform TU
| | Transport Err. | |----------+ | | Transport Err. | |----------+
| | Inform TU | | | | | Inform TU | | |
| |--------------->+ | |<---------+ | |--------------->+ | |<---------+
+-----------+ | +------------+ +-----------+ | +------------+
| |
| |
| |
| |
| Transport Err. | Transport Err.
+-----------+ | +-----------+ Inform TU +-----------+ | +-----------+ Inform TU
| | | | |---------+ | | | | |---------+
| Completed | | | Completed | | | Completed | | | Completed | |
| | | | |<--------+ | | | | |<--------+
+-----------+ | +-----------+ +-----------+ | +-----------+
| | | |
| | | |
+------------------>+ +------------------>+
Transport Err.| Transport Err.|
Inform TU | Inform TU |
| |
| |
| |
| |
| |
| |
| |
| |
| |
+-----------+ | +-----------+ |
| | | | | |
| Terminated|<---------------+ | Terminated|<---------------+
| | | |
+-----------+ +-----------+
Figure 2: Changes to the INVITE server transaction state machine on Figure 2: Changes to the INVITE server transaction state machine on
encountering transport error encountering transport error
7.2. Client Transaction Impacts 7.2. Client Transaction Impacts
In order to correctly distinguish retransmissions of 2xx responses In order to correctly distinguish retransmissions of 2xx responses
from stray 2xx responses, the INVITE client state machine is modified from stray 2xx responses, the INVITE client state machine is modified
to not transition immediately to "Terminated" on receipt of a 2xx to not transition immediately to "Terminated" on receipt of a 2xx
response. Instead, the machine will transition to a new "Accepted" response. Instead, the machine will transition to a new "Accepted"
state, and remain there just long enough, determined by a new timer state, and remain there just long enough, determined by a new timer
M, to receive and pass to the TU any retransmissions of the 2xx M, to receive and pass to the TU any retransmissions of the 2xx
skipping to change at page 9, line 28 skipping to change at page 9, line 28
received while in the "Accepted" state MUST be passed to the TU and received while in the "Accepted" state MUST be passed to the TU and
the machine remains in the "Accepted" state. The client transaction the machine remains in the "Accepted" state. The client transaction
MUST NOT generate an ACK to any 2xx response on its own. The TU MUST NOT generate an ACK to any 2xx response on its own. The TU
responsible for the transaction will generate the ACK. responsible for the transaction will generate the ACK.
When Timer M fires and the state machine is in the "Accepted" state, When Timer M fires and the state machine is in the "Accepted" state,
the machine MUST transition to the "Terminated" state. Once the the machine MUST transition to the "Terminated" state. Once the
transaction is in the "Terminated" state, it MUST be destroyed transaction is in the "Terminated" state, it MUST be destroyed
immediately. immediately.
Any response received which does not match an existing client Any response received that does not match an existing client
transaction state machine is simply dropped. (Implementations are, transaction state machine is simply dropped. (Implementations are,
of course, free to log or do other implementation specific things of course, free to log or do other implementation-specific things
with such responses, but the implementer should be sure to consider with such responses, but the implementer should be sure to consider
the impact of large numbers of malicious stray responses). the impact of large numbers of malicious stray responses.)
Note that it is not necessary to preserve client transaction state Note that it is not necessary to preserve client transaction state
upon the detection of unrecoverable transport errors. Existing upon the detection of unrecoverable transport errors. Existing
requirements ensure the TU has been notified, and the new requirements ensure the TU has been notified, and the new
requirements in this document ensure that any received retransmitted requirements in this document ensure that any received retransmitted
response will be dropped since there will no longer be any matching response will be dropped since there will no longer be any matching
transaction state. transaction state.
Figure 3 graphically shows the part of the INVITE client state Figure 3 shows the part of the INVITE client state machine that has
machine that has changed. The entire new INVITE client state machine changed. The entire new INVITE client state machine is shown in
is shown in Figure 4. Figure 5.
+-----------+ +-----------+ +-----------+ +-----------+
| | | | | | | |
| Calling | | Calling | | Calling | | Calling |
| |----------->+ | |-----------+ | |----------->+ | |-----------+
+-----------+ 2xx | +-----------+ 2xx | +-----------+ 2xx | +-----------+ 2xx |
2xx to TU | 2xx to TU | 2xx to TU | 2xx to TU |
| | | |
| | | |
| | | |
| | | |
+-----------+ | +-----------+ | +-----------+ | +-----------+ |
| | | | | | | | | | | |
|Proceeding |----------->| |Proceeding |---------->| |Proceeding |----------->| |Proceeding |---------->|
| | 2xx | | | 2xx | | | 2xx | | | 2xx |
+-----------+ 2xx to TU | +-----------+ 2xx to TU | +-----------+ 2xx to TU | +-----------+ 2xx to TU |
| | | |
| | | |
| | | |
| V | V
| +-----------+ | +-----------+
| | | | | |
| | Accepted | | | Accepted |
| +---| | | +---| |
| 2xx | +-----------+ | 2xx | +-----------+
| 2xx to TU | ^ | | 2xx to TU | ^ |
| | | | | | | |
| +-----+ | | +-----+ |
| | | |
| +-----------------+ | +-----------------+
| | Timer M fires | | Timer M fires
| | - | | -
| V | V
+-----------+ | +-----------+ +-----------+ | +-----------+
| | | | | | | | | |
| Terminated|<-----------+ | Terminated| | Terminated|<-----------+ | Terminated|
| | | | | | | |
+-----------+ +-----------+ +-----------+ +-----------+
Figure 3: Changes to the INVITE client transaction state machine Figure 3: Changes to the INVITE client transaction state machine
7.3. Proxy Considerations 7.3. Proxy Considerations
This document changes the behaviour of transaction-stateful proxies This document changes the behavior of transaction-stateful proxies to
to not forward stray INVITE responses. When receiving any SIP not forward stray INVITE responses. When receiving any SIP response,
response, a transaction-stateful proxy MUST compare the transaction a transaction-stateful proxy MUST compare the transaction identifier
identifier in that response against its existing transaction state in that response against its existing transaction state machines.
machines. The proxy MUST NOT forward the response if there is no The proxy MUST NOT forward the response if there is no matching
matching transaction state machine. transaction state machine.
8. Exact changes to RFC3261 8. Exact Changes to RFC 3261
This section describes exactly the same changes as above, but shows This section describes exactly the same changes as above, but shows
exactly which text in RFC3261 is affected. exactly which text in RFC 3261 is affected. This document
intentionally does not contain a Figure 4 or Figure 6 so that the
labels for Figures 5 and 7 are identical to the labels of the figures
they are replacing in RFC 3261.
Section 13.3.1.4 paragraph 4 is replaced entirely by Section 13.3.1.4, paragraph 4, is replaced entirely by:
Once the response has been constructed, it is passed to the INVITE Once the response has been constructed, it is passed to the INVITE
server transaction. In order to ensure reliable end-to-end server transaction. In order to ensure reliable end-to-end
transport of the response, it is necessary to periodically pass transport of the response, it is necessary to periodically pass
the response directly to the transport until the ACK arrives. The the response directly to the transport until the ACK arrives. The
2xx response is passed to the transport with an interval that 2xx response is passed to the transport with an interval that
starts at T1 seconds and doubles for each retransmission until it starts at T1 seconds and doubles for each retransmission until it
reaches T2 seconds (T1 and T2 are defined in Section 17). reaches T2 seconds (T1 and T2 are defined in Section 17).
Response retransmissions cease when an ACK request for the Response retransmissions cease when an ACK request for the
response is received. This is independent of whatever transport response is received. This is independent of whatever transport
protocols are used to send the response. protocols are used to send the response.
Section 16.7 paragraphs 1 and 2 are replaced entirely by Section 16.7, paragraphs 1 and 2, are replaced entirely by:
When a response is received by an element, it first tries to When a response is received by an element, it first tries to
locate a client transaction (Section 17.1.3) matching the locate a client transaction (Section 17.1.3) matching the
response. If a transaction is found, the response is handed to response. If a transaction is found, the response is handed to
the client transaction. If none is found, the element MUST NOT the client transaction. If none is found, the element MUST NOT
forward the response. forward the response.
Section 16.7, part 9, first paragraph. Replace this sentence Section 16.7, part 9, first paragraph. Replace this sentence:
If the server transaction is no longer available to handle the If the server transaction is no longer available to handle the
transmission, the element MUST forward the response statelessly by transmission, the element MUST forward the response statelessly by
sending it to the server transport. sending it to the server transport.
with with
If the server transaction is no longer available to handle the If the server transaction is no longer available to handle the
transmission, the response is simply discarded. transmission, the response is simply discarded.
8.4. Pages 126 through 128 8.4. Pages 126 through 128
Section 17.1.1.2. Replace paragraph 7 (starting "When in either") Section 17.1.1.2. Replace paragraph 7 (starting "When in either")
through the end of the section with through the end of the section with:
When in either the "Calling" or "Proceeding" states, reception of When in either the "Calling" or "Proceeding" states, reception of
a response with status code from 300-699 MUST cause the client a response with status code from 300-699 MUST cause the client
transaction to transition to "Completed". The client transaction transaction to transition to "Completed". The client transaction
MUST pass the received response up to the TU, and the client MUST pass the received response up to the TU, and the client
transaction MUST generate an ACK request, even if the transport is transaction MUST generate an ACK request, even if the transport is
reliable (guidelines for constructing the ACK from the response reliable (guidelines for constructing the ACK from the response
are given in Section 17.1.1.3) and then pass the ACK to the are given in Section 17.1.1.3), and then pass the ACK to the
transport layer for transmission. The ACK MUST be sent to the transport layer for transmission. The ACK MUST be sent to the
same address, port, and transport to which the original request same address, port, and transport to which the original request
was sent. was sent.
The client transaction MUST start timer D when it enters the The client transaction MUST start Timer D when it enters the
"Completed" state for any reason, with a value of at least 32 "Completed" state for any reason, with a value of at least 32
seconds for unreliable transports, and a value of zero seconds for seconds for unreliable transports, and a value of zero seconds for
reliable transports. Timer D reflects the amount of time that the reliable transports. Timer D reflects the amount of time that the
server transaction can remain in the "Completed" state when server transaction can remain in the "Completed" state when
unreliable transports are used. This is equal to Timer H in the unreliable transports are used. This is equal to Timer H in the
INVITE server transaction, whose default is 64*T1, and is also INVITE server transaction, whose default is 64*T1, and is also
equal to the time a UAS core will wait for an ACK once it sends a equal to the time a UAS core will wait for an ACK once it sends a
2xx response. However, the client transaction does not know the 2xx response. However, the client transaction does not know the
value of T1 in use by the server transaction or any downstream UAS value of T1 in use by the server transaction or any downstream UAS
cores, so an absolute minimum of 32s is used instead of basing cores, so an absolute minimum of 32 s is used instead of basing
Timer D on T1. Timer D on T1.
Any retransmissions of a response with status code 300-699 that Any retransmissions of a response with status code 300-699 that
are received while in the "Completed" state MUST cause the ACK to are received while in the "Completed" state MUST cause the ACK to
be re-passed to the transport layer for retransmission, but the be re-passed to the transport layer for retransmission, but the
newly received response MUST NOT be passed up to the TU. newly received response MUST NOT be passed up to the TU.
A retransmission of the response is defined as any response which A retransmission of the response is defined as any response that
would match the same client transaction based on the rules of would match the same client transaction based on the rules of
Section 17.1.3. Section 17.1.3.
If timer D fires while the client transaction is in the If Timer D fires while the client transaction is in the
"Completed" state, the client transaction MUST move to the "Completed" state, the client transaction MUST move to the
"Terminated" state. "Terminated" state.
When a 2xx response is received while in either the "Calling" or When a 2xx response is received while in either the "Calling" or
"Proceeding" states, the client transaction MUST transition to the "Proceeding" states, the client transaction MUST transition to the
"Accepted" state, and Timer M MUST be started with a value of "Accepted" state, and Timer M MUST be started with a value of
64*T1. The 2xx response MUST be passed up to the TU. The client 64*T1. The 2xx response MUST be passed up to the TU. The client
transaction MUST NOT generate an ACK to the 2xx response - its transaction MUST NOT generate an ACK to the 2xx response -- its
handling is delegated to the TU. A UAC core will send an ACK to handling is delegated to the TU. A UAC core will send an ACK to
the 2xx response using a new transaction. A proxy core will the 2xx response using a new transaction. A proxy core will
always forward the 2xx response upstream. always forward the 2xx response upstream.
The purpose of the "Accepted" state is to allow the client The purpose of the "Accepted" state is to allow the client
transaction to continue to exist to receive, and pass to the TU, transaction to continue to exist to receive, and pass to the TU,
any retransmissions of the 2xx response and any additional 2xx any retransmissions of the 2xx response and any additional 2xx
responses from other branches of the INVITE if it forked responses from other branches of the INVITE if it forked
downstream. Timer M reflects the amount of time that transaction downstream. Timer M reflects the amount of time that the
user will wait for such messages. transaction user will wait for such messages.
Any 2xx responses matching this client transaction that are Any 2xx responses that match this client transaction and that are
received while in the "Accepted" state MUST be passed up to the received while in the "Accepted" state MUST be passed up to the
TU. The client transaction MUST NOT generate an ACK to the 2xx TU. The client transaction MUST NOT generate an ACK to the 2xx
response. The client transaction takes no further action. response. The client transaction takes no further action.
If timer M fires while the client transaction is in the "Accepted" If Timer M fires while the client transaction is in the "Accepted"
state, the client transaction MUST move to the "Terminated" state. state, the client transaction MUST move to the "Terminated" state.
The client transaction MUST be destroyed the instant it enters the The client transaction MUST be destroyed the instant it enters the
"Terminated" state. "Terminated" state.
Replace Figure 5 with Replace Figure 5 with:
|INVITE from TU
Timer A fires |INVITE sent Timer B fires
Reset A, V or Transport Err.
INVITE sent +-----------+ inform TU
+---------| |--------------------------+
| | Calling | |
+-------->| |-----------+ |
300-699 +-----------+ 2xx | |
ACK sent | | 2xx to TU | |
resp. to TU | |1xx | |
+-----------------------------+ |1xx to TU | |
| | | |
| 1xx V | |
| 1xx to TU +-----------+ | |
| +---------| | | |
| | |Proceeding | | |
| +-------->| | | |
| +-----------+ 2xx | |
| 300-699 | | 2xx to TU | |
| ACK sent, +--------+ +---------------+ |
| resp. to TU| | |
| | | |
| V V |
| +-----------+ +----------+ |
+------------->| |Transport Err. | | |
| Completed |Inform TU | Accepted | |
+--| |-------+ | |-+ |
300-699 | +-----------+ | +----------+ | |
ACK sent| ^ | | | ^ | |
| | | | | | | |
+----+ | | | +-----+ |
|Timer D fires | Timer M fires| 2xx |
|- | - | 2xx to TU |
+--------+ | +-----------+ |
NOTE: V V V |
transitions +------------+ |
labeled with | | |
the event | Terminated |<-----------------------+
over the action | |
to take +------------+
Figure 4: INVITE client transaction |INVITE from TU
Timer A fires |INVITE sent Timer B fires
Reset A, V or Transport Err.
INVITE sent +-----------+ inform TU
+---------| |--------------------------+
| | Calling | |
+-------->| |-----------+ |
300-699 +-----------+ 2xx | |
ACK sent | | 2xx to TU | |
resp. to TU | |1xx | |
+-----------------------------+ |1xx to TU | |
| | | |
| 1xx V | |
| 1xx to TU +-----------+ | |
| +---------| | | |
| | |Proceeding | | |
| +-------->| | | |
| +-----------+ 2xx | |
| 300-699 | | 2xx to TU | |
| ACK sent, +--------+ +---------------+ |
| resp. to TU| | |
| | | |
| V V |
| +-----------+ +----------+ |
+------------->| |Transport Err. | | |
| Completed |Inform TU | Accepted | |
+--| |-------+ | |-+ |
300-699 | +-----------+ | +----------+ | |
ACK sent| ^ | | | ^ | |
| | | | | | | |
+----+ | | | +-----+ |
|Timer D fires | Timer M fires| 2xx |
|- | - | 2xx to TU |
+--------+ | +-----------+ |
NOTE: V V V |
Transitions +------------+ |
are labeled | | |
with the event | Terminated |<-----------------------+
over the action | |
to take. +------------+
Figure 5: INVITE client transaction
8.5. Pages 134 to 135 8.5. Pages 134 to 135
Section 17.2.1 paragraph 4 is replaced with Section 17.2.1, paragraph 4, is replaced with:
If, while in the "Proceeding" state, the TU passes a 2xx response If, while in the "Proceeding" state, the TU passes a 2xx response
to the server transaction, the server transaction MUST pass this to the server transaction, the server transaction MUST pass this
response to the transport layer for transmission. It is not response to the transport layer for transmission. It is not
retransmitted by the server transaction; retransmissions of 2xx retransmitted by the server transaction; retransmissions of 2xx
responses are handled by the TU. The server transaction MUST then responses are handled by the TU. The server transaction MUST then
transition to the "Accepted" state. transition to the "Accepted" state.
Replace Figure 7 with Replace Figure 7 with:
|INVITE |INVITE
|pass INV to TU |pass INV to TU
INVITE V send 100 if TU won't in 200ms INVITE V send 100 if TU won't in 200 ms
send response+------------+ send response+------------+
+--------| |--------+ 101-199 from TU +--------| |--------+ 101-199 from TU
| | | | send response | | | | send response
+------->| |<-------+ +------->| |<-------+
| Proceeding | | Proceeding |
| |--------+ Transport Err. | |--------+ Transport Err.
| | | Inform TU | | | Inform TU
| |<-------+ | |<-------+
+------------+ +------------+
300-699 from TU | |2xx from TU 300-699 from TU | |2xx from TU
skipping to change at page 16, line 48 skipping to change at page 16, line 49
- | | | - | | |
| | Timer I fires | | | Timer I fires |
| | - | Timer L fires | | - | Timer L fires
| V | - | V | -
| +------------+ | | +------------+ |
| | |<----+ | | |<----+
+------->| Terminated | +------->| Terminated |
| | | |
+------------+ +------------+
Figure 5: INVITE server transaction Figure 7: INVITE server transaction
Section 17.2.1 - Replace the last paragraph (starting "Once the In Section 17.2.1, replace the last paragraph (starting "Once the
transaction") with transaction") with:
The purpose of the "Accepted" state is to absorb retransmissions The purpose of the "Accepted" state is to absorb retransmissions
of an accepted INVITE request. Any such retransmissions are of an accepted INVITE request. Any such retransmissions are
absorbed entirely within the server transaction. They are not absorbed entirely within the server transaction. They are not
passed up to the TU since any downstream UAS cores that accepted passed up to the TU since any downstream UAS cores that accepted
the request have taken responsibility for reliability and will the request have taken responsibility for reliability and will
already retransmit their 2xx responses if neccessary. already retransmit their 2xx responses if necessary.
While in the "Accepted" state, if the TU passes a 2xx response, While in the "Accepted" state, if the TU passes a 2xx response,
the server transaction MUST pass the response to the transport the server transaction MUST pass the response to the transport
layer for transmission. layer for transmission.
When the INVITE server transaction enters the "Accepted" state, When the INVITE server transaction enters the "Accepted" state,
Timer L MUST be set to fire in 64*T1 for all transports. This Timer L MUST be set to fire in 64*T1 for all transports. This
value matches both Timer B in the next upstream client state value matches both Timer B in the next upstream client state
machine (the amount of time the previous hop will wait for a machine (the amount of time the previous hop will wait for a
response when no provisionals have been sent) and the amount of response when no provisionals have been sent) and the amount of
time this (or any downstream) UAS core might be retransmitting the time this (or any downstream) UAS core might be retransmitting the
2xx while waiting for an ACK. If an ACK is received while the 2xx while waiting for an ACK. If an ACK is received while the
INVITE server transaction is in the "Accepted" state, then the ACK INVITE server transaction is in the "Accepted" state, then the ACK
must be passed up to the TU. If Timer L fires while the INVITE must be passed up to the TU. If Timer L fires while the INVITE
server transaction is in the "Accepted" state, the transaction server transaction is in the "Accepted" state, the transaction
MUST transition to the "Terminated" state. MUST transition to the "Terminated" state.
Once the transaction is in the "Terminated" state, it MUST be Once the transaction is in the "Terminated" state, it MUST be
destroyed immediately. destroyed immediately.
Section 17.2.4 - Replace the second paragraph with In Section 17.2.4, replace the second paragraph with:
First, the procedures in [4] are followed, which attempt to First, the procedures in [4] are followed, which attempt to
deliver the response to a backup. If those should all fail, based deliver the response to a backup. If those should all fail, based
on the definition of failure in [4], the server transaction SHOULD on the definition of failure in [4], the server transaction SHOULD
inform the TU that a failure has occurred, and MUST remain in the inform the TU that a failure has occurred, and MUST remain in the
current state. current state.
Section 18.1.2 - Replace the second paragraph with In Section 18.1.2, replace the second paragraph with:
The client transport uses the matching procedures of Section The client transport uses the matching procedures of Section
17.1.3 to attempt to match the response to an existing 17.1.3 to attempt to match the response to an existing
transaction. If there is a match, the response MUST be passed to transaction. If there is a match, the response MUST be passed to
that transaction. Otherwise, any element other than a stateless that transaction. Otherwise, any element other than a stateless
proxy MUST silently discard the response. proxy MUST silently discard the response.
Section 18.2.1 - Replace the last paragraph with In Section 18.2.1, replace the last paragraph with:
Next, the server transport attempts to match the request to a Next, the server transport attempts to match the request to a
server transaction. It does so using the matching rules described server transaction. It does so using the matching rules described
in Section 17.2.3. If a matching server transaction is found, the in Section 17.2.3. If a matching server transaction is found, the
request is passed to that transaction for processing. If no match request is passed to that transaction for processing. If no match
is found, the request is passed to the core, which may decide to is found, the request is passed to the core, which may decide to
construct a new server transaction for that request. construct a new server transaction for that request.
Add to Table 4: Add to Table 4:
Timer L 64*T1 Section 17.2.1 Wait time for Timer L 64*T1 Section 17.2.1 Wait time for
accepted INVITE accepted INVITE
request retransmits request retransmits
Timer M 64*T1 Section 17.1.1 Wait time for Timer M 64*T1 Section 17.1.1 Wait time for
retransmission of retransmission of
2xx to INVITE or 2xx to INVITE or
additional 2xx from additional 2xx from
other branches of other branches of
a forked INVITE a forked INVITE
9. IANA Considerations 9. IANA Considerations
None. IANA has updated the SIP Parameters: Method and Response Codes
registry as follows:
OLD:
Methods Reference
------- ---------
INVITE [RFC3261]
NEW:
Methods Reference
------- ---------
INVITE [RFC3261][RFC6026]
10. Security Considerations 10. Security Considerations
This document makes two changes to the Session Initiation Protocol to This document makes two changes to the Session Initiation Protocol to
address the error discussed in Section 3. It changes the behavior of address the error discussed in Section 3. It changes the behavior of
both the client and server INVITE transaction state machines, and it both the client and server INVITE transaction state machines, and it
changes the way "stray" responses (those that don't match any changes the way "stray" responses (those that don't match any
existing transaction) are handled at transaction stateful elements. existing transaction) are handled at transaction-stateful elements.
The changes to the state machines cause elements to hold onto each The changes to the state machines cause elements to hold onto each
accepted INVITE transaction state longer (32 seconds) than what was accepted INVITE transaction state 32 seconds longer than what was
specified in RFC 3261. This will have a direct impact on the amount specified in RFC 3261. This will have a direct impact on the amount
of work an attacker leveraging state exhaustion will have to exert of work an attacker that is leveraging state exhaustion will have to
against the system. However, this additional state is necessary to exert against the system. However, this additional state is
achieve correct operation. necessary to achieve correct operation. There is some discussion of
avoiding state exhaustion and other denial-of-service attacks in RFC
3261, Section 26.3.2.4.
RFC 3261 required SIP proxies to forward any stray 2xx class RFC 3261 required SIP proxies to forward any stray 2xx class
responses to an INVITE request upstream statelessly. As a result, responses to an INVITE request upstream statelessly. As a result,
conformant proxies can be forced to forward packets (that look conformant proxies can be forced to forward packets (that look
sufficiently like SIP responses) to destinations of the sender's sufficiently like SIP responses) to destinations of the sender's
choosing. Section 3 discusses some of the malicious behavior this choosing. Section 3 discusses some of the malicious behavior this
enables. This document reverses the stateless forwarding enables. This document reverses the stateless forwarding
requirement, making it a violation of the specification to forward requirement, making it a violation of the specification to forward
stray responses. stray responses.
RFC 3261 defines a "stateless proxy" which forwards requests and RFC 3261 defines a "stateless proxy", which forwards requests and
responses without creating or maintaining any transaction state. The responses without creating or maintaining any transaction state. The
requirements introduced in this document do not change the behavior requirements introduced in this document do not change the behavior
of these elements in any way. Stateless proxies are inherently of these elements in any way. Stateless proxies are inherently
vulnerable to the abuses discussed in Section 3. One way operators vulnerable to the abuses discussed in Section 3. One way operators
might mitigate this vulnerability is to carefully control which peer might mitigate this vulnerability is to carefully control which peer
elements can present traffic to a given stateless proxy. elements can present traffic to a given stateless proxy.
The changes introduced by this document are backward-compatible. The changes introduced by this document are backward-compatible.
Transaction behavior will be no less correct, and possible more Transaction behavior will be no less correct, and possibly more
correct, when only one peer in a transaction implements these correct, when only one peer in a transaction implements these
changes. Except for the considerations mentioned earlier in this changes. Except for the considerations mentioned earlier in this
section, introducing elements implementing these changes into section, introducing elements implementing these changes into
deployments with RFC 3261 implementations adds no additional security deployments with RFC 3261 implementations adds no additional security
concerns. concerns.
11. Acknowledgments 11. Acknowledgments
Pekka Pessi reported the improper handling of INVITE retransmissions. Pekka Pessi reported the improper handling of INVITE retransmissions.
Brett Tate performed a careful review uncovering the need for the Brett Tate performed a careful review uncovering the need for the
Accepted state and Timer M in the client transaction state machine. "Accepted" state and Timer M in the client transaction state machine.
Jan Kolomaznik noticed that a server transaction should let a TU know Jan Kolomaznik noticed that a server transaction should let a TU know
about transport errors when it attempts to send a 2xx-class response. about transport errors when it attempts to send a 2xx class response.
Michael Procter corrected several nits. Michael Procter corrected several nits.
12. Normative References 12. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E. A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261, Schooler, "SIP: Session Initiation Protocol", RFC 3261,
skipping to change at page 20, line 17 skipping to change at page 20, line 33
Authors' Addresses Authors' Addresses
Robert Sparks Robert Sparks
Tekelec Tekelec
17210 Campbell Road 17210 Campbell Road
Suite 250 Suite 250
Dallas, Texas 75252 Dallas, Texas 75252
USA USA
Email: RjS@nostrum.com EMail: RjS@nostrum.com
Theo Zourzouvillys Theo Zourzouvillys
Skype Skype
3rd Floor 3rd Floor
8000 Marina Blvd 8000 Marina Blvd
Brisbane, California 84005 Brisbane, California 84005
US US
Email: theo@crazygreek.co.uk EMail: theo@crazygreek.co.uk
 End of changes. 76 change blocks. 
270 lines changed or deleted 280 lines changed or added

This html diff was produced by rfcdiff 1.39. The latest version is available from http://tools.ietf.org/tools/rfcdiff/