Difference between revisions of "RFC6026"
| Line 10: | Line 10: | ||
'''Abstract''' | '''Abstract''' | ||
| − | This document normatively updates RFC 3261, the Session Initiation | + | This document normatively updates [[RFC3261|RFC 3261]], the Session Initiation |
Protocol (SIP), to address an error in the specified handling of | Protocol (SIP), to address an error in the specified handling of | ||
success (2xx class) responses to INVITE requests. Elements following | success (2xx class) responses to INVITE requests. Elements following | ||
| − | RFC 3261 exactly will misidentify retransmissions of the request as a | + | [[RFC3261|RFC 3261]] exactly will misidentify retransmissions of the request as a |
new, unassociated request. The correction involves modifying the | new, unassociated request. The correction involves modifying the | ||
INVITE transaction state machines. The correction also changes the | INVITE transaction state machines. The correction also changes the | ||
| Line 27: | Line 27: | ||
received public review and has been approved for publication by the | received public review and has been approved for publication by the | ||
Internet Engineering Steering Group (IESG). Further information on | Internet Engineering Steering Group (IESG). Further information on | ||
| − | Internet Standards is available in Section 2 of RFC 5741. | + | Internet Standards is available in Section 2 of [[RFC5741|RFC 5741]]. |
Information about the current status of this document, any errata, | Information about the current status of this document, any errata, | ||
| Line 38: | Line 38: | ||
document authors. All rights reserved. | document authors. All rights reserved. | ||
| − | This document is subject to BCP 78 and the IETF Trust's Legal | + | This document is subject to [[BCP78|BCP 78]] and the IETF Trust's Legal |
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | ||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | ||
| Line 51: | Line 51: | ||
This document describes an essential correction to the Session | This document describes an essential correction to the Session | ||
| − | Initiation Protocol (SIP), defined in | + | Initiation Protocol (SIP), defined in [[RFC3261]]. The change |
addresses an error in the handling of 2xx class responses to INVITE | addresses an error in the handling of 2xx class responses to INVITE | ||
requests that leads to retransmissions of the INVITE being treated as | requests that leads to retransmissions of the INVITE being treated as | ||
| Line 60: | Line 60: | ||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | ||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | ||
| − | document are to be interpreted as described in RFC 2119 | + | document are to be interpreted as described in [[RFC2119|RFC 2119]] [[RFC2119]]. |
== Reason for Change == | == Reason for Change == | ||
| Line 69: | Line 69: | ||
such that the requester receives all of these success responses. | such that the requester receives all of these success responses. | ||
| − | Two sets of requirements in | + | Two sets of requirements in [[RFC3261]] work together to allow multiple |
2xx responses to be processed correctly by the requester. First, all | 2xx responses to be processed correctly by the requester. First, all | ||
elements are required to immediately destroy any INVITE client | elements are required to immediately destroy any INVITE client | ||
| Line 96: | Line 96: | ||
The requirement to statelessly forward stray responses has also been | The requirement to statelessly forward stray responses has also been | ||
identified as a security risk. Through it, elements compliant to | identified as a security risk. Through it, elements compliant to | ||
| − | + | [[RFC3261]] are compelled to do work (forward packets) that is not | |
protected by the admission policies applied to requests. This can be | protected by the admission policies applied to requests. This can be | ||
leveraged to, for instance, use a SIP proxy as an anonymizing | leveraged to, for instance, use a SIP proxy as an anonymizing | ||
| Line 103: | Line 103: | ||
through such proxies by wrapping them in an SIP response envelope. | through such proxies by wrapping them in an SIP response envelope. | ||
| − | Additionally, | + | Additionally, [[RFC3261]] requires that if an unrecoverable transport |
error is encountered while sending a response in a client | error is encountered while sending a response in a client | ||
transaction, that the transaction moves immediately into the | transaction, that the transaction moves immediately into the | ||
| Line 112: | Line 112: | ||
== Summary of Change == | == Summary of Change == | ||
| − | This correction document updates | + | This correction document updates [[RFC3261]], adding a state and |
changing the transitions in the INVITE client state machine such that | changing the transitions in the INVITE client state machine such that | ||
the INVITE client transaction remains in place to receive multiple | the INVITE client transaction remains in place to receive multiple | ||
| Line 121: | Line 121: | ||
encountering an unrecoverable transport error when sending a | encountering an unrecoverable transport error when sending a | ||
response. It also forbids forwarding stray responses to INVITE | response. It also forbids forwarding stray responses to INVITE | ||
| − | requests (not just 2xx responses), which RFC 3261 requires. | + | requests (not just 2xx responses), which [[RFC3261|RFC 3261]] requires. |
== Consequences if Not Implemented == | == Consequences if Not Implemented == | ||
| − | Implementations strictly conformant to | + | Implementations strictly conformant to [[RFC3261]] will process |
retransmitted initial INVITE requests as new requests. Proxies may | retransmitted initial INVITE requests as new requests. Proxies may | ||
forward them to different locations than the original. Proxies may | forward them to different locations than the original. Proxies may | ||
| Line 153: | Line 153: | ||
When receiving an ACK that matches an existing INVITE server | When receiving an ACK that matches an existing INVITE server | ||
transaction and that does not contain a branch parameter containing | transaction and that does not contain a branch parameter containing | ||
| − | the magic cookie defined in RFC 3261, the matching transaction MUST | + | the magic cookie defined in [[RFC3261|RFC 3261]], the matching transaction MUST |
be checked to see if it is in the "Accepted" state. If it is, then | be checked to see if it is in the "Accepted" state. If it is, then | ||
the ACK must be passed directly to the transaction user instead of | the ACK must be passed directly to the transaction user instead of | ||
being absorbed by the transaction state machine. This is necessary | being absorbed by the transaction state machine. This is necessary | ||
| − | as requests from RFC 2543 clients will not include a unique branch | + | as requests from [[RFC2543|RFC 2543]] clients will not include a unique branch |
parameter, and the mechanisms for calculating the transaction ID from | parameter, and the mechanisms for calculating the transaction ID from | ||
such a request will be the same for both INVITE and ACKs. | such a request will be the same for both INVITE and ACKs. | ||
| Line 163: | Line 163: | ||
== Change Details == | == Change Details == | ||
| − | These changes impact requirements in several sections of RFC 3261. | + | These changes impact requirements in several sections of [[RFC3261|RFC 3261]]. |
The exact effect on that text is detailed in Section 8. This section | The exact effect on that text is detailed in Section 8. This section | ||
describes the details of the change, particularly the impact on the | describes the details of the change, particularly the impact on the | ||
| Line 184: | Line 184: | ||
state, the state machine MUST transition to the "Accepted" state and | state, the state machine MUST transition to the "Accepted" state and | ||
set Timer L to 64*T1, where T1 is the round-trip time estimate | set Timer L to 64*T1, where T1 is the round-trip time estimate | ||
| − | defined in Section 17.1.1.1 of | + | defined in Section 17.1.1.1 of [[RFC3261]]. |
While in the "Accepted" state, any retransmissions of the INVITE | While in the "Accepted" state, any retransmissions of the INVITE | ||
received will match this transaction state machine and will be | received will match this transaction state machine and will be | ||
absorbed by the machine without changing its state. These | absorbed by the machine without changing its state. These | ||
| − | retransmissions are not passed onto the TU. RFC 3261 requires the TU | + | retransmissions are not passed onto the TU. [[RFC3261|RFC 3261]] requires the TU |
to periodically retransmit the 2xx response until it receives an ACK. | to periodically retransmit the 2xx response until it receives an ACK. | ||
The server transaction MUST NOT generate 2xx retransmissions on its | The server transaction MUST NOT generate 2xx retransmissions on its | ||
| Line 394: | Line 394: | ||
transaction state machine. | transaction state machine. | ||
| − | == Exact Changes to RFC 3261 == | + | == Exact Changes to [[RFC3261|RFC 3261]] == |
This section describes exactly the same changes as above, but shows | This section describes exactly the same changes as above, but shows | ||
| − | exactly which text in RFC 3261 is affected. This document | + | exactly which text in [[RFC3261|RFC 3261]] is affected. This document |
intentionally does not contain a Figure 4 or Figure 6 so that the | intentionally does not contain a Figure 4 or Figure 6 so that the | ||
labels for Figures 5 and 7 are identical to the labels of the figures | labels for Figures 5 and 7 are identical to the labels of the figures | ||
| − | they are replacing in RFC 3261. | + | they are replacing in [[RFC3261|RFC 3261]]. |
=== Page 85 === | === Page 85 === | ||
| Line 702: | Line 702: | ||
Methods Reference | Methods Reference | ||
------- --------- | ------- --------- | ||
| − | INVITE | + | INVITE [[RFC3261]] |
NEW: | NEW: | ||
| Line 708: | Line 708: | ||
Methods Reference | Methods Reference | ||
------- --------- | ------- --------- | ||
| − | INVITE | + | INVITE [[RFC3261]][[RFC6026]] |
10. Security Considerations | 10. Security Considerations | ||
| Line 720: | Line 720: | ||
The changes to the state machines cause elements to hold onto each | The changes to the state machines cause elements to hold onto each | ||
accepted INVITE transaction state 32 seconds longer than what was | accepted INVITE transaction state 32 seconds longer than what was | ||
| − | specified in RFC 3261. This will have a direct impact on the amount | + | specified in [[RFC3261|RFC 3261]]. This will have a direct impact on the amount |
of work an attacker that is leveraging state exhaustion will have to | of work an attacker that is leveraging state exhaustion will have to | ||
exert against the system. However, this additional state is | exert against the system. However, this additional state is | ||
| Line 727: | Line 727: | ||
3261, Section 26.3.2.4. | 3261, Section 26.3.2.4. | ||
| − | RFC 3261 required SIP proxies to forward any stray 2xx class | + | [[RFC3261|RFC 3261]] required SIP proxies to forward any stray 2xx class |
responses to an INVITE request upstream statelessly. As a result, | responses to an INVITE request upstream statelessly. As a result, | ||
conformant proxies can be forced to forward packets (that look | conformant proxies can be forced to forward packets (that look | ||
| Line 736: | Line 736: | ||
stray responses. | stray responses. | ||
| − | RFC 3261 defines a "stateless proxy", which forwards requests and | + | [[RFC3261|RFC 3261]] defines a "stateless proxy", which forwards requests and |
responses without creating or maintaining any transaction state. The | responses without creating or maintaining any transaction state. The | ||
requirements introduced in this document do not change the behavior | requirements introduced in this document do not change the behavior | ||
| Line 749: | Line 749: | ||
changes. Except for the considerations mentioned earlier in this | changes. Except for the considerations mentioned earlier in this | ||
section, introducing elements implementing these changes into | section, introducing elements implementing these changes into | ||
| − | deployments with RFC 3261 implementations adds no additional security | + | deployments with [[RFC3261|RFC 3261]] implementations adds no additional security |
concerns. | concerns. | ||
| Line 763: | Line 763: | ||
12. Normative References | 12. Normative References | ||
| − | + | [[RFC2119]] Bradner, S., "Key words for use in RFCs to Indicate | |
| − | Requirement Levels", BCP 14, RFC 2119, March 1997. | + | Requirement Levels", [[BCP14|BCP 14]], [[RFC2119|RFC 2119]], March 1997. |
| − | + | [[RFC3261]] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, | |
A., Peterson, J., Sparks, R., Handley, M., and E. | A., Peterson, J., Sparks, R., Handley, M., and E. | ||
| − | Schooler, "SIP: Session Initiation Protocol", RFC 3261, | + | Schooler, "SIP: Session Initiation Protocol", [[RFC3261|RFC 3261]], |
June 2002. | June 2002. | ||
Latest revision as of 01:55, 22 October 2020
Internet Engineering Task Force (IETF) R. Sparks Request for Comments: 6026 Tekelec Updates: 3261 T. Zourzouvillys Category: Standards Track Skype ISSN: 2070-1721 September 2010
Correct Transaction Handling for 2xx Responses
to Session Initiation Protocol (SIP) INVITE Requests
Abstract
This document normatively updates RFC 3261, the Session Initiation Protocol (SIP), to address an error in the specified handling of success (2xx class) responses to INVITE requests. Elements following RFC 3261 exactly will misidentify retransmissions of the request as a new, unassociated request. The correction involves modifying the INVITE transaction state machines. The correction also changes the way responses that cannot be matched to an existing transaction are handled to address a security risk.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6026.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Contents
Introduction
This document describes an essential correction to the Session Initiation Protocol (SIP), defined in RFC3261. The change addresses an error in the handling of 2xx class responses to INVITE requests that leads to retransmissions of the INVITE being treated as new requests and forbids forwarding stray INVITE responses.
Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 RFC2119.
Reason for Change
One use of the INVITE method in SIP is to establish new sessions. These "initial" INVITEs may fork at intermediaries, and more than one receiving endpoint may choose to accept the request. SIP is designed such that the requester receives all of these success responses.
Two sets of requirements in RFC3261 work together to allow multiple 2xx responses to be processed correctly by the requester. First, all elements are required to immediately destroy any INVITE client transaction state upon forwarding a matching 2xx class response. This requirement applies to both UAs (user agents) and proxies (proxies forward the response upstream, the transaction layer at user agents forwards the response to its "UA core"). Second, all proxies are required to statelessly forward upstream any 2xx class responses that do not match an existing transaction, also called stray responses. The transaction layer at user agents is required to forward these responses to its UA core. Logic in the UA core deals with acknowledging each of these responses.
This technique for specifying the behavior was chosen over adjusting INVITE client transaction state machines as a simpler way to specify the correct behavior.
Over time, implementation experience demonstrated the existing text is in error. Once any element with a server transaction (say, a proxy in the path of the INVITE) deletes that transaction state, any retransmission of the INVITE will be treated as a new request, potentially forwarded to different locations than the original. Many implementations in the field have made proprietary adjustments to their transaction logic to avoid this error.
The requirement to statelessly forward stray responses has also been identified as a security risk. Through it, elements compliant to RFC3261 are compelled to do work (forward packets) that is not protected by the admission policies applied to requests. This can be leveraged to, for instance, use a SIP proxy as an anonymizing forwarder of packets in a distributed denial-of-service attack. General Internet endpoints can also collude to tunnel non-SIP content through such proxies by wrapping them in an SIP response envelope.
Additionally, RFC3261 requires that if an unrecoverable transport error is encountered while sending a response in a client transaction, that the transaction moves immediately into the "Terminated" state. This will result in any retransmitted INVITE requests received after such an error was encountered to be processed as a new request instead of being absorbed as a retransmission.
Summary of Change
This correction document updates RFC3261, adding a state and changing the transitions in the INVITE client state machine such that the INVITE client transaction remains in place to receive multiple 2xx responses. It adds a state to the INVITE server state machine to absorb retransmissions of the INVITE after a 2xx response has been sent. It modifies state transitions in the INVITE server state machine to absorb retransmissions of the INVITE request after encountering an unrecoverable transport error when sending a response. It also forbids forwarding stray responses to INVITE requests (not just 2xx responses), which RFC 3261 requires.
Consequences if Not Implemented
Implementations strictly conformant to RFC3261 will process retransmitted initial INVITE requests as new requests. Proxies may forward them to different locations than the original. Proxies may also be used as anonymizing forwarders of bulk traffic. Implementations will process any retransmitted INVITE request as a new request after an attempt to send a response results in an unrecoverable error.
The Change
An element sending or receiving a 2xx to an INVITE transaction MUST NOT destroy any matching INVITE transaction state. This state is necessary to ensure correct processing of retransmissions of the request and the retransmission of the 2xx and ACK that follow.
An element encountering an unrecoverable transport error when trying to send a response to an INVITE request MUST NOT immediately destroy the associated INVITE server transaction state. This state is necessary to ensure correct processing of retransmissions of the request.
When receiving any SIP response, a transaction-stateful proxy MUST compare the transaction identifier in that response against its existing transaction state machines. The proxy MUST NOT forward the response if there is no matching transaction state machine.
When receiving an ACK that matches an existing INVITE server transaction and that does not contain a branch parameter containing the magic cookie defined in RFC 3261, the matching transaction MUST be checked to see if it is in the "Accepted" state. If it is, then the ACK must be passed directly to the transaction user instead of being absorbed by the transaction state machine. This is necessary as requests from RFC 2543 clients will not include a unique branch parameter, and the mechanisms for calculating the transaction ID from such a request will be the same for both INVITE and ACKs.
Change Details
These changes impact requirements in several sections of RFC 3261. The exact effect on that text is detailed in Section 8. This section describes the details of the change, particularly the impact on the INVITE state machines, more succinctly to facilitate review and simplify implementation.
Server Transaction Impacts
To allow a SIP element to recognize retransmissions of an INVITE as retransmissions instead of new requests, a new state, "Accepted", is added to the INVITE server transaction state machine. A new timer, Timer L, is also added to ultimately allow the state machine to terminate. A server transaction in the "Proceeding" state will transition to the "Accepted" state when it issues a 2xx response and will remain in that state just long enough to absorb any retransmissions of the INVITE.
If the SIP element's TU (Transaction User) issues a 2xx response for this transaction while the state machine is in the "Proceeding" state, the state machine MUST transition to the "Accepted" state and set Timer L to 64*T1, where T1 is the round-trip time estimate defined in Section 17.1.1.1 of RFC3261.
While in the "Accepted" state, any retransmissions of the INVITE received will match this transaction state machine and will be absorbed by the machine without changing its state. These retransmissions are not passed onto the TU. RFC 3261 requires the TU to periodically retransmit the 2xx response until it receives an ACK. The server transaction MUST NOT generate 2xx retransmissions on its own. Any retransmission of the 2xx response passed from the TU to the transaction while in the "Accepted" state MUST be passed to the transport layer for transmission. Any ACKs received from the network while in the "Accepted" state MUST be passed directly to the TU and not absorbed.
When Timer L fires and the state machine is in the "Accepted" state, the machine MUST transition to the "Terminated" state. Once the transaction is in the "Terminated" state, it MUST be destroyed immediately. Timer L reflects the amount of time the server transaction could receive 2xx responses for retransmission from the TU while it is waiting to receive an ACK.
A server transaction MUST NOT discard transaction state based only on encountering a non-recoverable transport error when sending a response. Instead, the associated INVITE server transaction state machine MUST remain in its current state. (Timers will eventually cause it to transition to the "Terminated" state). This allows retransmissions of the INVITE to be absorbed instead of being processed as a new request.
Figures 1 and 2 show the parts of the INVITE server state machine that have changed. The entire new INVITE server state machine is shown in Figure 5.
BEFORE AFTER
+-----------+ +-----------+
| | | |
| Proceeding| | Proceeding|
| | | |
| | | |
| | | |
| | | |
+-----------+ +-----------+
|2xx from TU |2xx from TU
|send response |send response
+-------------->+ +------->+
| |
| |
| |
| | Transport
| INVITE | Error
| - | Inform TU
| +-----+ | +--+
| | | V | v
| | +------------+
| | | |<--+
| +->| Accepted | | ACK
| | |---+ to TU
| +------------+
| | ^ |
| +--+ | |
| | +-----+
| | 2xx from TU
| | send response
| |
| | Timer L fires
| | -
| |
| V
+-----------+ | +------------+
| | | | |
| Terminated|<-----------+ | Terminated |
| | | |
+-----------+ +------------+
Figure 1: Changes to the INVITE server transaction state machine
when sending 2xx
BEFORE AFTER
+-----------+ +------------+
| | | |
| Proceeding| | Proceeding | Transport Err.
| | | | Inform TU
| | Transport Err. | |----------+
| | Inform TU | | |
| |--------------->+ | |<---------+
+-----------+ | +------------+
|
|
|
|
| Transport Err.
+-----------+ | +-----------+ Inform TU
| | | | |---------+
| Completed | | | Completed | |
| | | | |<--------+
+-----------+ | +-----------+
| |
| |
+------------------>+
Transport Err.|
Inform TU |
|
|
|
|
|
|
|
|
|
+-----------+ |
| | |
| Terminated|<---------------+
| |
+-----------+
Figure 2: Changes to the INVITE server transaction state machine on
encountering transport error
Client Transaction Impacts
In order to correctly distinguish retransmissions of 2xx responses from stray 2xx responses, the INVITE client state machine is modified to not transition immediately to "Terminated" on receipt of a 2xx response. Instead, the machine will transition to a new "Accepted" state, and remain there just long enough, determined by a new timer M, to receive and pass to the TU any retransmissions of the 2xx response or any additional 2xx responses from other branches of a downstream fork of the matching request. If a 2xx response is received while the client INVITE state machine is in the "Calling" or "Proceeding" states, it MUST transition to the "Accepted" state, pass the 2xx response to the TU, and set Timer M to 64*T1. A 2xx response received while in the "Accepted" state MUST be passed to the TU and the machine remains in the "Accepted" state. The client transaction MUST NOT generate an ACK to any 2xx response on its own. The TU responsible for the transaction will generate the ACK.
When Timer M fires and the state machine is in the "Accepted" state, the machine MUST transition to the "Terminated" state. Once the transaction is in the "Terminated" state, it MUST be destroyed immediately.
Any response received that does not match an existing client transaction state machine is simply dropped. (Implementations are, of course, free to log or do other implementation-specific things with such responses, but the implementer should be sure to consider the impact of large numbers of malicious stray responses.)
Note that it is not necessary to preserve client transaction state upon the detection of unrecoverable transport errors. Existing requirements ensure the TU has been notified, and the new requirements in this document ensure that any received retransmitted response will be dropped since there will no longer be any matching transaction state.
Figure 3 shows the part of the INVITE client state machine that has changed. The entire new INVITE client state machine is shown in Figure 5.
+-----------+ +-----------+ | | | | | Calling | | Calling | | |----------->+ | |-----------+ +-----------+ 2xx | +-----------+ 2xx |
2xx to TU | 2xx to TU |
| |
| |
| |
| |
+-----------+ | +-----------+ | | | | | | | |Proceeding |----------->| |Proceeding |---------->| | | 2xx | | | 2xx | +-----------+ 2xx to TU | +-----------+ 2xx to TU |
| |
| |
| |
| V
| +-----------+
| | |
| | Accepted |
| +---| |
| 2xx | +-----------+
| 2xx to TU | ^ |
| | | |
| +-----+ |
| |
| +-----------------+
| | Timer M fires
| | -
| V
+-----------+ | +-----------+ | | | | | | Terminated|<-----------+ | Terminated| | | | | +-----------+ +-----------+
Figure 3: Changes to the INVITE client transaction state machine
Proxy Considerations
This document changes the behavior of transaction-stateful proxies to not forward stray INVITE responses. When receiving any SIP response, a transaction-stateful proxy MUST compare the transaction identifier in that response against its existing transaction state machines. The proxy MUST NOT forward the response if there is no matching transaction state machine.
Exact Changes to RFC 3261
This section describes exactly the same changes as above, but shows exactly which text in RFC 3261 is affected. This document intentionally does not contain a Figure 4 or Figure 6 so that the labels for Figures 5 and 7 are identical to the labels of the figures they are replacing in RFC 3261.
Page 85
Section 13.3.1.4, paragraph 4, is replaced entirely by:
Once the response has been constructed, it is passed to the INVITE server transaction. In order to ensure reliable end-to-end transport of the response, it is necessary to periodically pass the response directly to the transport until the ACK arrives. The 2xx response is passed to the transport with an interval that starts at T1 seconds and doubles for each retransmission until it reaches T2 seconds (T1 and T2 are defined in Section 17). Response retransmissions cease when an ACK request for the response is received. This is independent of whatever transport protocols are used to send the response.
Page 107
Section 16.7, paragraphs 1 and 2, are replaced entirely by:
When a response is received by an element, it first tries to locate a client transaction (Section 17.1.3) matching the response. If a transaction is found, the response is handed to the client transaction. If none is found, the element MUST NOT forward the response.
Page 114
Section 16.7, part 9, first paragraph. Replace this sentence:
If the server transaction is no longer available to handle the transmission, the element MUST forward the response statelessly by sending it to the server transport.
with
If the server transaction is no longer available to handle the transmission, the response is simply discarded.
Pages 126 through 128
Section 17.1.1.2. Replace paragraph 7 (starting "When in either") through the end of the section with:
When in either the "Calling" or "Proceeding" states, reception of a response with status code from 300-699 MUST cause the client transaction to transition to "Completed". The client transaction MUST pass the received response up to the TU, and the client transaction MUST generate an ACK request, even if the transport is reliable (guidelines for constructing the ACK from the response are given in Section 17.1.1.3), and then pass the ACK to the transport layer for transmission. The ACK MUST be sent to the same address, port, and transport to which the original request was sent.
The client transaction MUST start Timer D when it enters the "Completed" state for any reason, with a value of at least 32 seconds for unreliable transports, and a value of zero seconds for reliable transports. Timer D reflects the amount of time that the server transaction can remain in the "Completed" state when unreliable transports are used. This is equal to Timer H in the INVITE server transaction, whose default is 64*T1, and is also equal to the time a UAS core will wait for an ACK once it sends a 2xx response. However, the client transaction does not know the value of T1 in use by the server transaction or any downstream UAS cores, so an absolute minimum of 32 s is used instead of basing Timer D on T1.
Any retransmissions of a response with status code 300-699 that are received while in the "Completed" state MUST cause the ACK to be re-passed to the transport layer for retransmission, but the newly received response MUST NOT be passed up to the TU.
A retransmission of the response is defined as any response that would match the same client transaction based on the rules of Section 17.1.3.
If Timer D fires while the client transaction is in the "Completed" state, the client transaction MUST move to the "Terminated" state.
When a 2xx response is received while in either the "Calling" or "Proceeding" states, the client transaction MUST transition to the "Accepted" state, and Timer M MUST be started with a value of 64*T1. The 2xx response MUST be passed up to the TU. The client transaction MUST NOT generate an ACK to the 2xx response -- its handling is delegated to the TU. A UAC core will send an ACK to
the 2xx response using a new transaction. A proxy core will always forward the 2xx response upstream.
The purpose of the "Accepted" state is to allow the client transaction to continue to exist to receive, and pass to the TU, any retransmissions of the 2xx response and any additional 2xx responses from other branches of the INVITE if it forked downstream. Timer M reflects the amount of time that the transaction user will wait for such messages.
Any 2xx responses that match this client transaction and that are received while in the "Accepted" state MUST be passed up to the TU. The client transaction MUST NOT generate an ACK to the 2xx response. The client transaction takes no further action.
If Timer M fires while the client transaction is in the "Accepted" state, the client transaction MUST move to the "Terminated" state.
The client transaction MUST be destroyed the instant it enters the "Terminated" state.
Replace Figure 5 with:
|INVITE from TU
Timer A fires |INVITE sent Timer B fires
Reset A, V or Transport Err.
INVITE sent +-----------+ inform TU
+---------| |--------------------------+
| | Calling | |
+-------->| |-----------+ |
300-699 +-----------+ 2xx | | ACK sent | | 2xx to TU | | resp. to TU | |1xx | | +-----------------------------+ |1xx to TU | | | | | | | 1xx V | | | 1xx to TU +-----------+ | | | +---------| | | | | | |Proceeding | | | | +-------->| | | | | +-----------+ 2xx | | | 300-699 | | 2xx to TU | | | ACK sent, +--------+ +---------------+ | | resp. to TU| | | | | | | | V V | | +-----------+ +----------+ | +------------->| |Transport Err. | | |
| Completed |Inform TU | Accepted | |
+--| |-------+ | |-+ |
300-699 | +-----------+ | +----------+ | |
ACK sent| ^ | | | ^ | |
| | | | | | | |
+----+ | | | +-----+ |
|Timer D fires | Timer M fires| 2xx |
|- | - | 2xx to TU |
+--------+ | +-----------+ |
NOTE: V V V |
Transitions +------------+ | are labeled | | | with the event | Terminated |<-----------------------+ over the action | | to take. +------------+
Figure 5: INVITE client transaction
Pages 134 to 135
Section 17.2.1, paragraph 4, is replaced with:
If, while in the "Proceeding" state, the TU passes a 2xx response to the server transaction, the server transaction MUST pass this response to the transport layer for transmission. It is not retransmitted by the server transaction; retransmissions of 2xx responses are handled by the TU. The server transaction MUST then transition to the "Accepted" state.
Page 136
Replace Figure 7 with:
|INVITE
|pass INV to TU
INVITE V send 100 if TU won't in 200 ms
send response+------------+
+--------| |--------+ 101-199 from TU
| | | | send response
+------->| |<-------+
| Proceeding |
| |--------+ Transport Err.
| | | Inform TU
| |<-------+
+------------+
300-699 from TU | |2xx from TU
send response | |send response
+--------------+ +------------+
| |
INVITE V Timer G fires | send response +-----------+ send response |
+--------| |--------+ |
| | | | |
+------->| Completed |<-------+ INVITE | Transport Err.
| | - | Inform TU
+--------| |----+ +-----+ | +---+
| +-----------+ | ACK | | v | v
| ^ | | - | +------------+
| | | | | | |---+ ACK
+----------+ | | +->| Accepted | | to TU
Transport Err. | | | |<--+
Inform TU | V +------------+
| +-----------+ | ^ |
| | | | | |
| | Confirmed | | +-----+
| | | | 2xx from TU
Timer H fires | +-----------+ | send response
- | | |
| | Timer I fires |
| | - | Timer L fires
| V | -
| +------------+ |
| | |<----+
+------->| Terminated |
| |
+------------+
Figure 7: INVITE server transaction
Page 137
In Section 17.2.1, replace the last paragraph (starting "Once the transaction") with:
The purpose of the "Accepted" state is to absorb retransmissions of an accepted INVITE request. Any such retransmissions are absorbed entirely within the server transaction. They are not passed up to the TU since any downstream UAS cores that accepted the request have taken responsibility for reliability and will already retransmit their 2xx responses if necessary.
While in the "Accepted" state, if the TU passes a 2xx response, the server transaction MUST pass the response to the transport layer for transmission.
When the INVITE server transaction enters the "Accepted" state, Timer L MUST be set to fire in 64*T1 for all transports. This value matches both Timer B in the next upstream client state machine (the amount of time the previous hop will wait for a response when no provisionals have been sent) and the amount of time this (or any downstream) UAS core might be retransmitting the 2xx while waiting for an ACK. If an ACK is received while the INVITE server transaction is in the "Accepted" state, then the ACK must be passed up to the TU. If Timer L fires while the INVITE server transaction is in the "Accepted" state, the transaction MUST transition to the "Terminated" state.
Once the transaction is in the "Terminated" state, it MUST be destroyed immediately.
Page 141
In Section 17.2.4, replace the second paragraph with:
First, the procedures in [4] are followed, which attempt to deliver the response to a backup. If those should all fail, based on the definition of failure in [4], the server transaction SHOULD inform the TU that a failure has occurred, and MUST remain in the current state.
Page 144
In Section 18.1.2, replace the second paragraph with:
The client transport uses the matching procedures of Section 17.1.3 to attempt to match the response to an existing transaction. If there is a match, the response MUST be passed to that transaction. Otherwise, any element other than a stateless proxy MUST silently discard the response.
8.10. Page 146
In Section 18.2.1, replace the last paragraph with:
Next, the server transport attempts to match the request to a server transaction. It does so using the matching rules described in Section 17.2.3. If a matching server transaction is found, the request is passed to that transaction for processing. If no match is found, the request is passed to the core, which may decide to construct a new server transaction for that request.
8.11. Page 265
Add to Table 4:
Timer L 64*T1 Section 17.2.1 Wait time for
accepted INVITE
request retransmits
Timer M 64*T1 Section 17.1.1 Wait time for
retransmission of
2xx to INVITE or
additional 2xx from
other branches of
a forked INVITE
IANA Considerations
IANA has updated the SIP Parameters: Method and Response Codes registry as follows:
OLD:
Methods Reference
---------
INVITE RFC3261
NEW:
Methods Reference
---------
10. Security Considerations
This document makes two changes to the Session Initiation Protocol to address the error discussed in Section 3. It changes the behavior of both the client and server INVITE transaction state machines, and it changes the way "stray" responses (those that don't match any existing transaction) are handled at transaction-stateful elements.
The changes to the state machines cause elements to hold onto each accepted INVITE transaction state 32 seconds longer than what was specified in RFC 3261. This will have a direct impact on the amount of work an attacker that is leveraging state exhaustion will have to exert against the system. However, this additional state is necessary to achieve correct operation. There is some discussion of avoiding state exhaustion and other denial-of-service attacks in RFC 3261, Section 26.3.2.4.
RFC 3261 required SIP proxies to forward any stray 2xx class responses to an INVITE request upstream statelessly. As a result, conformant proxies can be forced to forward packets (that look sufficiently like SIP responses) to destinations of the sender's choosing. Section 3 discusses some of the malicious behavior this enables. This document reverses the stateless forwarding requirement, making it a violation of the specification to forward stray responses.
RFC 3261 defines a "stateless proxy", which forwards requests and responses without creating or maintaining any transaction state. The requirements introduced in this document do not change the behavior of these elements in any way. Stateless proxies are inherently vulnerable to the abuses discussed in Section 3. One way operators might mitigate this vulnerability is to carefully control which peer elements can present traffic to a given stateless proxy.
The changes introduced by this document are backward-compatible. Transaction behavior will be no less correct, and possibly more correct, when only one peer in a transaction implements these changes. Except for the considerations mentioned earlier in this section, introducing elements implementing these changes into deployments with RFC 3261 implementations adds no additional security concerns.
11. Acknowledgments
Pekka Pessi reported the improper handling of INVITE retransmissions. Brett Tate performed a careful review uncovering the need for the "Accepted" state and Timer M in the client transaction state machine. Jan Kolomaznik noticed that a server transaction should let a TU know about transport errors when it attempts to send a 2xx class response. Michael Procter corrected several nits.
12. Normative References
RFC2119 Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
RFC3261 Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002.
Authors' Addresses
Robert Sparks Tekelec 17210 Campbell Road Suite 250 Dallas, Texas 75252 USA
EMail: [email protected]
Theo Zourzouvillys Skype 3rd Floor 8000 Marina Blvd Brisbane, California 84005 US
EMail: [email protected]
