Internet Engineering Task Force (IETF)                         D. Petrie
Request for Comments: 6080                                     SIPez LLC
Category: Standards Track                          S. Channabasappa, Ed.
ISSN: 2070-1721                                                CableLabs
                                                              March 2011
        
Internet Engineering Task Force (IETF)                         D. Petrie
Request for Comments: 6080                                     SIPez LLC
Category: Standards Track                          S. Channabasappa, Ed.
ISSN: 2070-1721                                                CableLabs
                                                              March 2011
        

A Framework for Session Initiation Protocol User Agent Profile Delivery

会话启动协议用户代理配置文件传递框架

Abstract

摘要

This document specifies a framework to enable configuration of Session Initiation Protocol (SIP) user agents (UAs) in SIP deployments. The framework provides a means to deliver profile data that user agents need to be functional, automatically and with minimal or no User and Administrative intervention. The framework describes how SIP user agents can discover sources, request profiles, and receive notifications related to profile modifications. As part of this framework, a new SIP event package is defined for notification of profile changes. The framework provides minimal data retrieval options to ensure interoperability. The framework does not include specification of the profile data within its scope.

本文档指定了一个框架,用于在SIP部署中启用会话启动协议(SIP)用户代理(UAs)的配置。该框架提供了一种方法来交付用户代理所需的配置文件数据,使其能够自动运行,并且用户和管理干预最少或没有。该框架描述了SIP用户代理如何发现源、请求配置文件以及接收与配置文件修改相关的通知。作为该框架的一部分,定义了一个新的SIP事件包,用于通知概要文件更改。该框架提供了最少的数据检索选项,以确保互操作性。该框架不包括其范围内的概要文件数据规范。

Status of This Memo

关于下段备忘

This is an Internet Standards Track document.

这是一份互联网标准跟踪文件。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6080.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6080.

Copyright Notice

版权公告

Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.

本文件可能包含2008年11月10日之前发布或公开的IETF文件或IETF贡献中的材料。控制某些材料版权的人员可能未授予IETF信托允许在IETF标准流程之外修改此类材料的权利。在未从控制此类材料版权的人员处获得充分许可的情况下,不得在IETF标准流程之外修改本文件,也不得在IETF标准流程之外创建其衍生作品,除了将其格式化以RFC形式发布或将其翻译成英语以外的其他语言。

Table of Contents

目录

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     3.1.  Reference Model  . . . . . . . . . . . . . . . . . . . . .  6
     3.2.  Motivation . . . . . . . . . . . . . . . . . . . . . . . .  7
     3.3.  Profile Types  . . . . . . . . . . . . . . . . . . . . . .  9
     3.4.  Profile Delivery Stages  . . . . . . . . . . . . . . . . .  9
     3.5.  Supported Device Types . . . . . . . . . . . . . . . . . . 10
   4.  Use Cases  . . . . . . . . . . . . . . . . . . . . . . . . . . 10
     4.1.  Simple Deployment Scenario . . . . . . . . . . . . . . . . 10
     4.2.  Devices Supporting Multiple Users from Different
           Service Providers  . . . . . . . . . . . . . . . . . . . . 12
   5.  Profile Delivery Framework . . . . . . . . . . . . . . . . . . 14
     5.1.  Profile Delivery Stages  . . . . . . . . . . . . . . . . . 14
     5.2.  Securing Profile Delivery  . . . . . . . . . . . . . . . . 22
     5.3.  Additional Considerations  . . . . . . . . . . . . . . . . 24
     5.4.  Support for NATs . . . . . . . . . . . . . . . . . . . . . 33
   6.  Event Package Definition . . . . . . . . . . . . . . . . . . . 33
     6.1.  Event Package Name . . . . . . . . . . . . . . . . . . . . 33
     6.2.  Event Package Parameters . . . . . . . . . . . . . . . . . 33
     6.3.  SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 36
     6.4.  Subscription Duration  . . . . . . . . . . . . . . . . . . 37
     6.5.  NOTIFY Bodies  . . . . . . . . . . . . . . . . . . . . . . 37
     6.6.  Notifier Processing of SUBSCRIBE Requests  . . . . . . . . 37
     6.7.  Notifier Generation of NOTIFY Requests . . . . . . . . . . 38
     6.8.  Subscriber Processing of NOTIFY Requests . . . . . . . . . 38
     6.9.  Handling of Forked Requests  . . . . . . . . . . . . . . . 39
     6.10. Rate of Notifications  . . . . . . . . . . . . . . . . . . 39
     6.11. State Agents . . . . . . . . . . . . . . . . . . . . . . . 39
   7.  Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
     7.1.  Example 1: Device Requesting Profile . . . . . . . . . . . 39
     7.2.  Example 2: Device Obtaining Change Notification  . . . . . 42
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 46
     8.1.  SIP Event Package  . . . . . . . . . . . . . . . . . . . . 46
     8.2.  Registry of SIP Configuration Profile Types  . . . . . . . 46
   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 47
     9.1.  Local-Network Profile  . . . . . . . . . . . . . . . . . . 48
     9.2.  Device Profile . . . . . . . . . . . . . . . . . . . . . . 49
     9.3.  User Profile . . . . . . . . . . . . . . . . . . . . . . . 50
   10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 51
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 52
     11.1. Normative References . . . . . . . . . . . . . . . . . . . 52
     11.2. Informative References . . . . . . . . . . . . . . . . . . 53
        
   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     3.1.  Reference Model  . . . . . . . . . . . . . . . . . . . . .  6
     3.2.  Motivation . . . . . . . . . . . . . . . . . . . . . . . .  7
     3.3.  Profile Types  . . . . . . . . . . . . . . . . . . . . . .  9
     3.4.  Profile Delivery Stages  . . . . . . . . . . . . . . . . .  9
     3.5.  Supported Device Types . . . . . . . . . . . . . . . . . . 10
   4.  Use Cases  . . . . . . . . . . . . . . . . . . . . . . . . . . 10
     4.1.  Simple Deployment Scenario . . . . . . . . . . . . . . . . 10
     4.2.  Devices Supporting Multiple Users from Different
           Service Providers  . . . . . . . . . . . . . . . . . . . . 12
   5.  Profile Delivery Framework . . . . . . . . . . . . . . . . . . 14
     5.1.  Profile Delivery Stages  . . . . . . . . . . . . . . . . . 14
     5.2.  Securing Profile Delivery  . . . . . . . . . . . . . . . . 22
     5.3.  Additional Considerations  . . . . . . . . . . . . . . . . 24
     5.4.  Support for NATs . . . . . . . . . . . . . . . . . . . . . 33
   6.  Event Package Definition . . . . . . . . . . . . . . . . . . . 33
     6.1.  Event Package Name . . . . . . . . . . . . . . . . . . . . 33
     6.2.  Event Package Parameters . . . . . . . . . . . . . . . . . 33
     6.3.  SUBSCRIBE Bodies . . . . . . . . . . . . . . . . . . . . . 36
     6.4.  Subscription Duration  . . . . . . . . . . . . . . . . . . 37
     6.5.  NOTIFY Bodies  . . . . . . . . . . . . . . . . . . . . . . 37
     6.6.  Notifier Processing of SUBSCRIBE Requests  . . . . . . . . 37
     6.7.  Notifier Generation of NOTIFY Requests . . . . . . . . . . 38
     6.8.  Subscriber Processing of NOTIFY Requests . . . . . . . . . 38
     6.9.  Handling of Forked Requests  . . . . . . . . . . . . . . . 39
     6.10. Rate of Notifications  . . . . . . . . . . . . . . . . . . 39
     6.11. State Agents . . . . . . . . . . . . . . . . . . . . . . . 39
   7.  Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
     7.1.  Example 1: Device Requesting Profile . . . . . . . . . . . 39
     7.2.  Example 2: Device Obtaining Change Notification  . . . . . 42
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 46
     8.1.  SIP Event Package  . . . . . . . . . . . . . . . . . . . . 46
     8.2.  Registry of SIP Configuration Profile Types  . . . . . . . 46
   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 47
     9.1.  Local-Network Profile  . . . . . . . . . . . . . . . . . . 48
     9.2.  Device Profile . . . . . . . . . . . . . . . . . . . . . . 49
     9.3.  User Profile . . . . . . . . . . . . . . . . . . . . . . . 50
   10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 51
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 52
     11.1. Normative References . . . . . . . . . . . . . . . . . . . 52
     11.2. Informative References . . . . . . . . . . . . . . . . . . 53
        
1. Introduction
1. 介绍

SIP user agents require configuration data to function properly. Examples include information specific to local networks, devices, and users. A configuration data set specific to an entity is termed a profile. For example, device profile contains the configuration data related to a device. The process of providing devices with one or more profiles is termed "profile delivery". Ideally, this profile delivery process should be automatic and require minimal or no user intervention.

SIP用户代理需要配置数据才能正常工作。示例包括特定于本地网络、设备和用户的信息。特定于实体的配置数据集称为配置文件。例如,设备配置文件包含与设备相关的配置数据。为设备提供一个或多个配置文件的过程称为“配置文件交付”。理想情况下,此配置文件交付过程应该是自动的,并且需要最少或不需要用户干预。

Many deployments of SIP user agents require dynamic configuration and cannot rely on pre-configuration. This framework provides a standard means of providing dynamic configuration that simplifies deployments containing SIP user agents from multiple vendors. This framework also addresses change notifications when profiles change. However, the framework does not define the content or format of the profile, leaving that to future standardization activities.

许多SIP用户代理的部署需要动态配置,不能依赖预配置。该框架提供了一种提供动态配置的标准方法,简化了包含来自多个供应商的SIP用户代理的部署。此框架还处理配置文件更改时的更改通知。但是,该框架没有定义概要文件的内容或格式,将其留给未来的标准化活动。

This document is organized as follows. The normative requirements are contained in Section 5 (framework operations) and Section 6 (the event package definition). The rest of the document provides introductory and supporting explanations. Section 3 provides a high-level overview of the abstract components, profiles, and the profile delivery stages. Section 4 provides some motivating use cases. Section 7 follows with illustrative examples of the framework in use.

本文件的组织结构如下。规范性要求包含在第5节(框架操作)和第6节(事件包定义)中。本文件其余部分提供了介绍性和支持性解释。第3节提供了抽象组件、概要文件和概要文件交付阶段的高级概述。第4节提供了一些激励性用例。第7节随后给出了使用中框架的示例。

2. Terminology
2. 术语

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[RFC2119]中所述进行解释。

This document also reuses the SIP terminology defined in [RFC3261] and [RFC3265], and it specifies the usage of the following terms.

本文件还重用了[RFC3261]和[RFC3265]中定义的SIP术语,并规定了以下术语的用法。

Device: software or hardware entity containing one or more SIP user agents. It may also contain applications such as a DHCP client.

设备:包含一个或多个SIP用户代理的软件或硬件实体。它还可能包含DHCP客户端等应用程序。

Device Provider: the entity responsible for managing a given device.

设备提供者:负责管理给定设备的实体。

Local Network Provider: the entity that controls the local network to which a given device is connected.

本地网络提供商:控制与给定设备连接的本地网络的实体。

SIP Service Provider: the entity providing SIP services to users. This can refer to private or public enterprises.

SIP服务提供商:向用户提供SIP服务的实体。这可以指私营或公营企业。

Profile: configuration data set specific to an entity (e.g., user, device, local network, or other).

配置文件:特定于实体(例如,用户、设备、本地网络或其他)的配置数据集。

Profile Type: a particular category of profile data (e.g., user, device, local network, or other).

配置文件类型:配置文件数据的特定类别(例如,用户、设备、本地网络或其他)。

Profile Delivery Server (PDS): the source of a profile, it is the logical collection of the Profile Notification Component (PNC) and the Profile Content Component (PCC).

配置文件传递服务器(PDS):配置文件的源,它是配置文件通知组件(PNC)和配置文件内容组件(PCC)的逻辑集合。

Profile Notification Component (PNC): the logical component of a Profile Delivery Server that is responsible for enrolling devices and providing profile notifications.

配置文件通知组件(PNC):配置文件传递服务器的逻辑组件,负责注册设备并提供配置文件通知。

Profile Content Component (PCC): the logical component of a Profile Delivery Server that is responsible for storing, providing access to, and accepting profile content.

配置文件内容组件(PCC):配置文件传递服务器的逻辑组件,负责存储、提供对配置文件内容的访问和接受配置文件内容。

Profile Delivery Stages: the processes that lead a device to obtain profile data, and any subsequent changes, are collectively called profile delivery stages.

配置文件交付阶段:引导设备获取配置文件数据以及任何后续更改的过程统称为配置文件交付阶段。

Bootstrapping: Bootstrapping is the process by which a new (or factory reset) device, with no configuration or minimal "factory" pre-configuration, enrolls with the PDS. The device may use a temporary identity and credentials to authenticate itself to enroll and receive profiles, which may provide more permanent identities and credentials for future enrollments.

引导:引导是一个新的(或工厂重置)设备(无配置或最小的“工厂”预配置)向PDS注册的过程。设备可以使用临时身份和凭证来认证自身以注册和接收简档,其可以为将来的注册提供更多永久身份和凭证。

3. Overview
3. 概述

This section provides an overview of the configuration framework. It presents the reference model, the motivation, the profile delivery stages, and a mapping of the concepts to specific use cases. It is meant to serve as a reference section for the document, rather than providing a specific logical flow of material, and it may be necessary to revisit these sections for a complete appreciation of the framework.

本节概述了配置框架。它提供了参考模型、动机、概要文件交付阶段以及概念到特定用例的映射。其目的是作为文件的参考章节,而不是提供具体的逻辑材料流,可能有必要重新审视这些章节以全面了解框架。

The SIP UA Profile Delivery Framework uses a combination of SIP event messages (SUBSCRIBE and NOTIFY; [RFC3265]) and traditional file retrieval protocols, such as HTTP [RFC2616], to discover, monitor, and retrieve configuration profiles. The framework defines three types of profiles (local-network, device, and user) in order to separate aspects of the configuration that may be independently managed by different administrative domains. The initial SUBSCRIBE message for each profile allows the UA to describe itself (both its implementation and the identity requesting the profile), while

SIP UA配置文件交付框架使用SIP事件消息(订阅和通知;[RFC3265])和传统文件检索协议(如HTTP[RFC2616])的组合来发现、监视和检索配置文件。该框架定义了三种类型的配置文件(本地网络、设备和用户),以分离可由不同管理域独立管理的配置方面。每个概要文件的初始订阅消息允许UA描述自己(其实现和请求概要文件的标识),同时

requesting access to a profile by type, without prior knowledge of the profile name or location. Discovery mechanisms are specified to help the UA form the Subscription URI (the Request-URI for the SIP SUBSCRIBE). The SIP User Agent Server (UAS) handling these subscriptions is the Profile Delivery Server (PDS). When the PDS accepts a subscription, it sends a NOTIFY to the device. The initial NOTIFY from the PDS for each profile may contain profile data or a reference to the location of the profile, to be retrieved using HTTP or similar file retrieval protocols. By maintaining a subscription to each profile, the UA will receive additional NOTIFY messages if the profile is later changed. These may contain a new profile, a reference to a new profile, or a description of profile changes, depending on the Content-Type [RFC3261] in use by the subscription. The framework describes the mechanisms for obtaining three different profile types, but does not describe the data model they utilize (the data model is out of scope for this specification).

请求按类型访问配置文件,而事先不知道配置文件名称或位置。指定发现机制以帮助UA形成订阅URI(SIP订阅的请求URI)。处理这些订阅的SIP用户代理服务器(UAS)是配置文件传递服务器(PDS)。当PDS接受订阅时,它会向设备发送通知。对于每个概要文件,来自PDS的初始通知可能包含概要文件数据或对概要文件位置的引用,将使用HTTP或类似的文件检索协议进行检索。通过维护对每个配置文件的订阅,UA将在以后更改配置文件时收到额外的通知消息。根据订阅使用的内容类型[RFC3261],它们可能包含新配置文件、对新配置文件的引用或配置文件更改的描述。该框架描述了获取三种不同概要文件类型的机制,但没有描述它们使用的数据模型(该数据模型超出了本规范的范围)。

3.1. Reference Model
3.1. 参考模型

The design of the framework was the result of a careful analysis to identify the configuration needs of a wide range of SIP deployments. As such, the reference model provides for a great deal of flexibility, while breaking down the interactions to their basic forms, which can be reused in many different scenarios.

该框架的设计是仔细分析的结果,以确定广泛SIP部署的配置需求。因此,参考模型提供了很大的灵活性,同时将交互分解为基本形式,可以在许多不同的场景中重用。

The reference model for the framework defines the interactions between the Profile Delivery Server (PDS) and the device. The device needs the profile data to function effectively in the network. The PDS is responsible for responding to device requests and providing the profile data. The reference model is illustrated in Figure 1.

框架的参考模型定义了概要文件交付服务器(PDS)和设备之间的交互。设备需要配置文件数据才能在网络中有效运行。PDS负责响应设备请求并提供配置文件数据。参考模型如图1所示。

                                          +-------------------------+
    +--------+                            | Profile Delivery Server |
    | Device |<==========================>|  +---+          +---+   |
    +--------+                            |  |PNC|          |PCC|   |
                                          |  +---+          +---+   |
                                          +-------------------------+
        
                                          +-------------------------+
    +--------+                            | Profile Delivery Server |
    | Device |<==========================>|  +---+          +---+   |
    +--------+                            |  |PNC|          |PCC|   |
                                          |  +---+          +---+   |
                                          +-------------------------+
        

PNC = Profile Notification Component PCC = Profile Content Component

PNC=配置文件通知组件PCC=配置文件内容组件

Figure 1: Framework Reference Model

图1:框架参考模型

The PDS is subdivided into two logical components:

PDS细分为两个逻辑组件:

o Profile Notification Component (PNC), responsible for enrolling devices for profiles and providing profile change notifications.

o 配置文件通知组件(PNC),负责为配置文件注册设备并提供配置文件更改通知。

o Profile Content Component (PCC), responsible for storing, providing access to, and accepting modifications related to profile content.

o 配置文件内容组件(PCC),负责存储、提供对配置文件内容的访问以及接受与配置文件内容相关的修改。

3.2. Motivation
3.2. 动机

The motivation for the framework can be demonstrated by applying the reference model presented in Section 3.1 to two scenarios that are representative of the two ends of a spectrum of potential SIP deployments.

通过将第3.1节中介绍的参考模型应用于代表潜在SIP部署范围两端的两个场景,可以证明该框架的动机。

In the simplest deployment scenario, a device connects through a network that is controlled by a single provider who provides the local network, manages the devices, and offers services to the users. The provider propagates profile data to the device that contains all the necessary information to obtain services in the network (including information related to the local network and the users). This is illustrated in Figure 2. An example is a simple enterprise network that supports SIP-based devices.

在最简单的部署场景中,设备通过网络连接,该网络由提供本地网络、管理设备并向用户提供服务的单个提供商控制。提供商将配置文件数据传播到设备,该设备包含获取网络服务所需的所有信息(包括与本地网络和用户相关的信息)。如图2所示。例如,支持基于SIP的设备的简单企业网络。

                               --------------
                             / Local Network, \
                            | Device & Service |
                             \    Provider    /
                              ----------------
                                     |
                                     |
                                  --------
                                 | Device |
                                  --------
                                     |
                                     |
                                   ----
                                  |User|
                                   ----
        
                               --------------
                             / Local Network, \
                            | Device & Service |
                             \    Provider    /
                              ----------------
                                     |
                                     |
                                  --------
                                 | Device |
                                  --------
                                     |
                                     |
                                   ----
                                  |User|
                                   ----
        

Figure 2: Simple Deployment Model

图2:简单部署模型

In more complex deployments, devices connect via a local network that is not controlled by the SIP service provider, such as devices that connect via available public WiFi hot spots. In such cases, local network providers may wish to provide local network information such as bandwidth constraints to the devices.

在更复杂的部署中,设备通过不受SIP服务提供商控制的本地网络连接,例如通过可用公共WiFi热点连接的设备。在这种情况下,本地网络提供商可能希望向设备提供诸如带宽约束之类的本地网络信息。

Devices may also be controlled by device providers that are independent of the SIP service provider who provides user services, such as kiosks that allow users to access services from remote

设备还可以由独立于提供用户服务的SIP服务提供商的设备提供商控制,例如允许用户从远程访问服务的信息亭

locations. In such cases, the profile data may have to be obtained from different profile sources: local network provider, device provider, and SIP service provider. This is indicated in Figure 3.

位置。在这种情况下,配置文件数据可能必须从不同的配置文件源获得:本地网络提供商、设备提供商和SIP服务提供商。如图3所示。

      --------
    /   SIP    \
   |   Service  |                -> Provides 'user' profile
   |  Provider  |                   data (e.g., services
    \          /                    configuration)
      --------      --------
          |       /          \
          |      |   Device   |  -> Provides 'device' profile
          |      |  Provider  |     data (e.g., device specifics)
          |       \          /
          |         ---------
          |        /
          |       /    -------
          |      /   /  Local  \
          |     /   |  Network  |
          |    |    |  Provider | -> Provides 'local-network' profile
          |    |     \         /     data (e.g., bandwidth)
          |    |       -------
          |    |        /
          |    |       /
          |    |      |
     ===================
    (   Local Network   )
     ===================
             |
             |
          --------
         | Device |              -> Needs the 'local-network'
          --------                  and 'device' profile
          /     \
         /       \
       ------   ------
      |User A| |User B|          -> Users need 'user' profiles
       ------   ------
        
      --------
    /   SIP    \
   |   Service  |                -> Provides 'user' profile
   |  Provider  |                   data (e.g., services
    \          /                    configuration)
      --------      --------
          |       /          \
          |      |   Device   |  -> Provides 'device' profile
          |      |  Provider  |     data (e.g., device specifics)
          |       \          /
          |         ---------
          |        /
          |       /    -------
          |      /   /  Local  \
          |     /   |  Network  |
          |    |    |  Provider | -> Provides 'local-network' profile
          |    |     \         /     data (e.g., bandwidth)
          |    |       -------
          |    |        /
          |    |       /
          |    |      |
     ===================
    (   Local Network   )
     ===================
             |
             |
          --------
         | Device |              -> Needs the 'local-network'
          --------                  and 'device' profile
          /     \
         /       \
       ------   ------
      |User A| |User B|          -> Users need 'user' profiles
       ------   ------
        

Figure 3: Complex Deployment Model

图3:复杂部署模型

In either case, Providers need to deliver to the device, profile data that is required to participate in their network. Examples of profile data include the list of codecs that can be used and the SIP proxies to which to connect for services. Pre-configuration of such information is one option if the device is always served by the same set of Providers. In all other cases, the profile delivery needs to be automated and consistent across Providers. Given the presence of

在这两种情况下,提供商都需要向设备提供参与其网络所需的配置文件数据。配置文件数据的示例包括可使用的编解码器列表和要连接以获得服务的SIP代理。如果设备始终由同一组提供商提供服务,则此类信息的预配置是一种选择。在所有其他情况下,配置文件交付需要自动化,并且跨提供商保持一致。鉴于

a number of large deployments where pre-configuration is neither desired nor optimal, there is a need for a common configuration framework such as the one described in this document.

在许多大型部署中,预配置既不是理想的,也不是最佳的,因此需要一个通用的配置框架,如本文档中描述的框架。

Further, the former deployment model can be accomplished by the device obtaining profile data from a single provider. However, the latter deployment model requires the device to obtain profile data from different providers. To address either deployment or any variation in between, one needs to allow for profile delivery via one or more Providers. The framework accomplishes this by specifying multiple profile types and a set of profile delivery stages to obtain them. These are introduced in the subsections to follow.

此外,前一种部署模型可以通过设备从单个提供者获取概要文件数据来实现。但是,后一种部署模型要求设备从不同的提供商处获取配置文件数据。为了解决部署或两者之间的任何变化,需要允许通过一个或多个提供者交付概要文件。框架通过指定多个概要文件类型和一组概要文件交付阶段来实现这一点。这些将在后面的小节中介绍。

3.3. Profile Types
3.3. 剖面类型

The framework handles the presence of potentially different Providers by allowing for multiple profile types. Clients request each profile separately, and obtain them from the same, or different, Providers. A deployment can also choose to pre-configure the device to request only a subset of the specified profile types. The framework specifies three basic profile types, as follows:

该框架通过允许多种配置文件类型来处理可能存在的不同提供者。客户端分别请求每个配置文件,并从相同或不同的提供商处获取它们。部署还可以选择预先配置设备,以仅请求指定配置文件类型的子集。该框架指定了三种基本配置文件类型,如下所示:

Local Network Profile: contains configuration data related to the local network to which a device is directly connected, provided by the local network provider.

本地网络配置文件:包含与设备直接连接的本地网络相关的配置数据,由本地网络提供商提供。

Device Profile: contains configuration data related to a specific device, provided by the device provider.

设备配置文件:包含设备提供商提供的与特定设备相关的配置数据。

User Profile: contains configuration data related to a specific User, as required to reflect that user's preferences and the particular services to which it is subscribed. It is provided by the SIP service provider.

用户配置文件:包含与特定用户相关的配置数据,以反映该用户的首选项及其订阅的特定服务。它由SIP服务提供商提供。

Additional profile types may also be specified by future work within the IETF. The data models associated with each profile type are out of scope for this document.

IETF内的其他配置文件类型也可由未来工作指定。与每种配置文件类型关联的数据模型超出了本文档的范围。

3.4. Profile Delivery Stages
3.4. 剖面交付阶段

The framework specified in this document requires a device to explicitly request profiles. It also requires one or more PDSs, which provide the profile data. The processes that lead a device to obtain profile data, and any subsequent changes, can be explained in three stages, termed the profile delivery stages.

本文档中指定的框架要求设备明确请求配置文件。它还需要一个或多个PDS来提供配置文件数据。引导设备获得配置文件数据的过程以及任何后续更改可分为三个阶段,称为配置文件交付阶段。

Profile Enrollment: the process by which a device requests, and if successful, enrolls with a PDS capable of providing a profile. A successful enrollment is indicated by a notification containing the profile information (contents or content indirection information). Depending on the request, this could also result in a subscription to notification of profile changes.

配置文件注册:设备请求并(如果成功)向能够提供配置文件的PDS注册的过程。成功注册由包含配置文件信息(内容或内容间接信息)的通知指示。根据请求,这也可能导致订阅配置文件更改通知。

Profile Content Retrieval: the process by which a device retrieves profile contents, if the profile enrollment resulted in content indirection information.

配置文件内容检索:如果配置文件注册导致内容间接寻址信息,则设备检索配置文件内容的过程。

Profile Change Notification: the process by which a device is notified of any changes to an enrolled profile. This may provide the device with modified profile data or content indirection information.

配置文件更改通知:通知设备已注册配置文件的任何更改的过程。这可以向设备提供修改的简档数据或内容间接信息。

3.5. Supported Device Types
3.5. 支持的设备类型

The examples in this framework tend to associate devices with entities that are accessible to end-users. However, this is not necessarily the only type of device that can utilize the specified framework. Devices can be entities such as SIP Phones or soft clients, with or without user interfaces (that allow for device configuration), entities in the network that do not directly communicate with any users (e.g., gateways, media servers, etc.) or network infrastructure elements (e.g., SIP servers). The framework is extensible for use with such device types. However, it is to be noted that some of these other device types (e.g., network elements) may also be configurable using other mechanisms. The use of this framework in conjunction with other mechanisms (specified outside of this document), is out of scope.

该框架中的示例倾向于将设备与终端用户可以访问的实体相关联。然而,这不一定是可以利用指定框架的唯一设备类型。设备可以是实体,例如SIP电话或软客户端,具有或不具有用户界面(允许设备配置),网络中不直接与任何用户通信的实体(例如网关、媒体服务器等)或网络基础设施元素(例如SIP服务器)。该框架是可扩展的,可用于此类设备类型。然而,要注意的是,这些其他设备类型中的一些(例如,网络元件)也可以使用其他机制来配置。将此框架与其他机制(在本文件之外指定)结合使用超出范围。

4. Use Cases
4. 用例

This section provides a small, non-comprehensive set of representative use cases to further illustrate how this framework can be utilized in SIP deployments. The first use case is simplistic in nature, whereas the second is relatively complex. The use cases illustrate the effectiveness of the framework in either scenario.

本节提供了一组小型的、不全面的代表性用例,以进一步说明如何在SIP部署中使用此框架。第一个用例本质上过于简单,而第二个用例相对复杂。用例说明了框架在任一场景中的有效性。

For security considerations, please refer to Sections 5 and 9.

有关安全方面的考虑,请参考第5节和第9节。

4.1. Simple Deployment Scenario
4.1. 简单部署场景

Description: Consider a deployment scenario (e.g., a small private enterprise) where a participating device implements this framework and is configured, using previously obtained profile data, to request only the device profile. Assume that the device operates in the same

描述:考虑一种参与场景(例如,小型私有企业),其中参与设备实现该框架,并且使用先前获得的配置文件数据来配置仅请求设备配置文件。假设设备以相同的方式运行

network as the PDS (i.e., there is no NAT) and it obtains its IP configuration using DHCP. Typical communication between the device and the PDS will traverse one or more SIP proxies, but is not required, and is omitted in this illustration.

网络作为PDS(即,没有NAT),并使用DHCP获得其IP配置。设备和PDS之间的典型通信将穿越一个或多个SIP代理,但不是必需的,并且在本图中省略。

Figure 4 illustrates the sequence of events that includes device start-up and a successful profile enrollment for the device profile that results in device profile data. It then illustrates how a change in the profile data is delivered via Profile Change Notification.

图4说明了事件序列,包括设备启动和设备配置文件的成功配置文件注册,从而生成设备配置文件数据。然后说明如何通过配置文件更改通知传递配置文件数据中的更改。

                                         +----------------------+
    +--------+                           |  Provider's Network  |
    | Device |                           |                      |
    |        |                           |                      |
    +--------+                           |  DHCP        PDS     |
                                         +----------------------+
         |                                   |          |
    (A)  |<============== DHCP =============>|          |
         |                                              |
         |                                              |
         |                                              |
    (B)  |<=========== Profile Enrollment  ============>|
         |                                              | Profile data
         |                                              | is modified
         |                                              |
    (C)  |<============ Profile Change  ================|
         |               Notification                   |
         |                                              |
         |                                              |
        
                                         +----------------------+
    +--------+                           |  Provider's Network  |
    | Device |                           |                      |
    |        |                           |                      |
    +--------+                           |  DHCP        PDS     |
                                         +----------------------+
         |                                   |          |
    (A)  |<============== DHCP =============>|          |
         |                                              |
         |                                              |
         |                                              |
    (B)  |<=========== Profile Enrollment  ============>|
         |                                              | Profile data
         |                                              | is modified
         |                                              |
    (C)  |<============ Profile Change  ================|
         |               Notification                   |
         |                                              |
         |                                              |
        

Figure 4: Use Case 1

图4:用例1

The following is an explanation of the interactions in Figure 4.

下面是对图4中的交互的解释。

(A) Upon initialization, the device obtains IP configuration parameters such as an IP address using DHCP.

(A) 初始化时,设备使用DHCP获取IP配置参数,如IP地址。

(B) The device requests profile enrollment for the device profile. Successful enrollment provides it with a notification containing the device profile data.

(B) 设备请求设备配置文件的配置文件注册。成功注册会向其提供包含设备配置文件数据的通知。

(C) Due to a modification of the device profile, a profile change notification is sent across to the device, along with the modified profile.

(C) 由于修改了设备配置文件,将向设备发送配置文件更改通知以及修改的配置文件。

4.2. Devices Supporting Multiple Users from Different Service Providers
4.2. 支持来自不同服务提供商的多个用户的设备

Description: Consider a single device that allows multiple users to obtain services from different SIP service providers, e.g., a kiosk at an airport.

描述:考虑单个设备,允许多个用户从不同的SIP服务提供商获得服务,例如在机场的售货亭。

The following assumptions apply:

以下假设适用:

o Provider A is the device and local network provider for the device, and the SIP service provider for user A; Provider B is the SIP service provider for user B.

o 提供商A是该设备的设备和本地网络提供商,以及用户A的SIP服务提供商;提供者B是用户B的SIP服务提供者。

o Profile enrollment always results in content indirection information requiring profile content retrieval.

o 配置文件注册总是导致内容间接信息需要配置文件内容检索。

o Communication between the device and the PDSs is facilitated via one or more SIP proxies (only one is shown in the illustration).

o 设备与pds之间的通信通过一个或多个SIP代理(图中仅示出一个)来促进。

Figure 5 illustrates the use case and highlights the communications relevant to the framework specified in this document.

图5说明了用例并突出显示了与本文档中指定的框架相关的通信。

     User User
       A   B        +----------------------+  +----------------------+
    +--------+      |       Provider       |  |       Provider       |
    | Device |      |           A          |  |          B           |
    |        |      |                      |  |                      |
    +--------+      | DHCP    PROXY   PDS  |  |  PROXY        PDS    |
                    +----------------------+  +----------------------+
         |              |        |      |          |           |
     (A) |<====DHCP====>|        |      |          |           |
         |                       |      |          |           |
         |                       |      |          |           |
         |  Profile Enrollment   |      |          |           |
     (B) |<local-network profile>|<====>|          |           |
         |
         |   <<Profile content retrieval>>
         |
         |
         |  Profile Enrollment   |      |          |           |
     (C) |<== device profile ==> |<====>|          |           |
         |
         |   <<Profile content retrieval>>
         |
                      .
                      .
                      .
        
     User User
       A   B        +----------------------+  +----------------------+
    +--------+      |       Provider       |  |       Provider       |
    | Device |      |           A          |  |          B           |
    |        |      |                      |  |                      |
    +--------+      | DHCP    PROXY   PDS  |  |  PROXY        PDS    |
                    +----------------------+  +----------------------+
         |              |        |      |          |           |
     (A) |<====DHCP====>|        |      |          |           |
         |                       |      |          |           |
         |                       |      |          |           |
         |  Profile Enrollment   |      |          |           |
     (B) |<local-network profile>|<====>|          |           |
         |
         |   <<Profile content retrieval>>
         |
         |
         |  Profile Enrollment   |      |          |           |
     (C) |<== device profile ==> |<====>|          |           |
         |
         |   <<Profile content retrieval>>
         |
                      .
                      .
                      .
        
         |   Profile Enrollment  |      |          |           |
     (D) |<= user profile (A) => |<====>|          |           |
         |                       |      |          |           |
         |
         |   <<Profile content retrieval>>
                              .
             [[User A obtains services]]
                      .
                      .
                      .
         |
         |            Profile Enrollment           |           |
     (E) |<=========== user profile (B) ==========>|<=========>|
         |                                         |           |
         |   <<Profile content retrieval>>
         |
        
         |   Profile Enrollment  |      |          |           |
     (D) |<= user profile (A) => |<====>|          |           |
         |                       |      |          |           |
         |
         |   <<Profile content retrieval>>
                              .
             [[User A obtains services]]
                      .
                      .
                      .
         |
         |            Profile Enrollment           |           |
     (E) |<=========== user profile (B) ==========>|<=========>|
         |                                         |           |
         |   <<Profile content retrieval>>
         |
        

[[User B obtains services]]

[[用户B获得服务]]

Figure 5: Use Case 2

图5:用例2

The following is an explanation of the interactions in Figure 5.

下面是对图5中的交互的解释。

(A) Upon initialization, the device obtains IP configuration parameters using DHCP. This also provides the local domain information to help with local-network profile enrollment.

(A) 初始化后,设备使用DHCP获取IP配置参数。这还提供本地域信息,以帮助注册本地网络配置文件。

(B) The device requests profile enrollment for the local network profile. It receives an enrollment notification containing content indirection information from Provider A's PDS. The device retrieves the profile (this contains useful information such as firewall port restrictions and available bandwidth).

(B) 设备请求本地网络配置文件的配置文件注册。它从提供商A的PDS接收包含内容间接寻址信息的注册通知。设备检索配置文件(其中包含防火墙端口限制和可用带宽等有用信息)。

(C) The device then requests profile enrollment for the device profile. It receives an enrollment notification resulting in device profile content retrieval. The device initializes the user interface for services.

(C) 然后,设备请求设备配置文件的配置文件注册。它接收注册通知,从而检索设备配置文件内容。设备初始化服务的用户界面。

(D) User A with a pre-existing service relationship with Provider A attempts communication via the user interface. The device uses the user supplied information (including any credential information) and requests profile enrollment for user A's profile. Successful enrollment and profile content retrieval results in services for user A.

(D) 与提供商A具有预先存在的服务关系的用户A尝试通过用户界面进行通信。设备使用用户提供的信息(包括任何凭据信息)并请求用户A的配置文件注册。成功注册和配置文件内容检索将导致用户A的服务。

(E) At a different point in time, user B with a service relationship with Provider B attempts communication via the user interface. It enrolls and retrieves user B's profile and this results in services for user B.

(E) 在不同的时间点,与提供商B具有服务关系的用户B尝试通过用户界面进行通信。它注册并检索用户B的配置文件,从而为用户B提供服务。

The discovery mechanisms for profile enrollment described by the framework, or the profile data themselves, can result in outbound proxies that support devices behind NATs, using procedures specified in [RFC5626].

框架描述的配置文件注册的发现机制或配置文件数据本身,可以使用[RFC5626]中指定的过程,生成支持NAT后面设备的出站代理。

5. Profile Delivery Framework
5. 配置文件交付框架

This section specifies the profile delivery framework. It provides the requirements for the three profile delivery stages introduced in Section 3.4 and presents the associated security requirements. It also presents considerations such as back-off and retry mechanisms.

本节指定概要文件交付框架。它提供了第3.4节中介绍的三个概要文件交付阶段的要求,并提出了相关的安全要求。它还提供了一些注意事项,例如回退和重试机制。

5.1. Profile Delivery Stages
5.1. 剖面交付阶段

The three profile delivery stages -- enrollment, content retrieval, and change notification -- apply separately to each profile type specified for use with this framework. The following subsections provide the requirements associated with each stage.

三个概要文件交付阶段(注册、内容检索和更改通知)分别应用于指定用于此框架的每个概要文件类型。以下小节提供了与每个阶段相关的要求。

5.1.1. Profile Enrollment
5.1.1. 档案登记

Profile enrollment is the process by means of which a device requests, and receives, profile data. Each profile type specified in this document requires an independent enrollment request. However, a particular PDS can support enrollment for one or more profile types.

配置文件注册是设备请求和接收配置文件数据的过程。本文档中指定的每个配置文件类型都需要一个独立的注册请求。但是,特定的PDS可以支持一个或多个配置文件类型的注册。

PDSs and devices MUST implement all of the three profile types. A device that has not been configured otherwise SHOULD try to obtain all the three profile types, in the order specified by this framework. The exceptions are bootstrapping when it SHOULD request the device profile type (see Section 5.3.1) or when it has been explicitly configured with a different order via mechanisms such as previously retrieved profile data or pre-configuration or manual configuration.

PDS和设备必须实现所有三种配置文件类型。未进行其他配置的设备应尝试按照此框架指定的顺序获取所有三种配置文件类型。当它应该请求设备配置文件类型时(参见第5.3.1节),或者当它已通过机制(如先前检索的配置文件数据或预配置或手动配置)以不同顺序显式配置时,例外情况为引导。

Profile enrollment consists of the following operations, in the specified order.

配置文件注册按指定顺序由以下操作组成。

Enrollment request transmission

注册请求传输

Profile enrollment is initiated when the device transmits a SIP SUBSCRIBE request [RFC3265] for the 'ua-profile' event package, specified in Section 6. The profile being requested is indicated using the 'profile-type' parameter. The device MUST transmit the SIP SUBSCRIBE message via configured outbound proxies for the destination domain, or in accordance with RFC 3263 [RFC3263].

当设备为第6节中指定的“ua配置文件”事件包发送SIP订阅请求[RFC3265]时,启动配置文件注册。请求的配置文件使用“配置文件类型”参数指示。设备必须通过为目的域配置的出站代理或根据RFC 3263[RFC3263]传输SIP订阅消息。

The device needs certain data to create an enrollment request, form a Request-URI, and authenticate to the network. This includes the profile provider's domain name and device or user identities and credentials. Such data can be "configured" during device manufacturing, by the user, or via profile data enrollment (see Section 5.3.1). The data can also be "discovered" using the procedures specified by this framework. The "discovered" data can be retained across device resets (but not across factory resets) and such data is referred to as "cached". Thus, data can be configured, discovered, or cached. The following requirements apply.

设备需要某些数据来创建注册请求、形成请求URI以及向网络进行身份验证。这包括配置文件提供商的域名、设备或用户身份和凭据。此类数据可在设备制造期间由用户或通过配置文件数据注册进行“配置”(见第5.3.1节)。还可以使用此框架指定的过程“发现”数据。“发现的”数据可以跨设备重置(但不能跨工厂重置)保留,此类数据称为“缓存”。因此,可以配置、发现或缓存数据。以下要求适用。

* If the device is configured with a specific domain name (for the local network provider or device provider), it MUST NOT attempt "discovery" of the domain name. This is the case when the device is pre-configured (e.g., via a user interface) to be managed by specific entities.

* 如果设备配置了特定域名(针对本地网络提供商或设备提供商),则不得尝试“发现”域名。当设备被预先配置(例如,通过用户界面)由特定实体管理时,就是这种情况。

* The device MUST only use data associated with the provider's domain in an enrollment request. As an example, when the device is requesting a local-network profile in the domain 'example.net', it cannot present a user Address of Record (AoR) associated with the local domain 'example.com'.

* 设备在注册请求中只能使用与提供商域关联的数据。例如,当设备请求域“example.net”中的本地网络配置文件时,它不能提供与本地域“example.com”关联的用户记录地址(AoR)。

* The device SHOULD adhere to the following order of data usage: configured, cached, and discovered. An exception is when the device is explicitly configured to use a different order.

* 设备应遵循以下数据使用顺序:配置、缓存和查找。例外情况是,设备被明确配置为使用不同的顺序。

Upon failure to obtain the profile using any methods specified in this framework, the device MAY provide a user interface to allow for user intervention. This can result in temporary, one-time data to bootstrap the device. Such temporary data is not considered to be "configured" and SHOULD NOT be cached across resets. The configuration obtained using such data MAY provide the configuration data required for the device to continue functioning normally.

当未能使用本框架中指定的任何方法获得简档时,设备可提供用户界面以允许用户干预。这可能会产生临时的一次性数据来引导设备。此类临时数据不被视为“已配置”,不应跨重置缓存。使用此类数据获得的配置可提供设备继续正常运行所需的配置数据。

Devices attempting enrollment MUST comply with the SIP-specific event notification specified in [RFC3265], the event package requirements specified in Section 6.2, and the security requirements specified in Section 5.2.

尝试注册的设备必须符合[RFC3265]中规定的SIP特定事件通知、第6.2节中规定的事件包要求以及第5.2节中规定的安全要求。

Enrollment request admittance

申请入学

A PDS or a SIP proxy will receive a transmitted enrollment request. If a SIP infrastructure element receives the request, it will relay it to the authoritative proxy for the domain indicated in the Request-URI (the same way it would handle any other SUBSCRIBE message). The authoritative proxy is required to examine the request (e.g., event package) and transmit it to a PDS capable of addressing the profile enrollment request.

PDS或SIP代理将接收传输的注册请求。如果SIP基础设施元素接收到请求,它会将其中继到请求URI中指定的域的权威代理(与处理任何其他订阅消息的方式相同)。需要权威代理来检查请求(例如,事件包),并将其传输到能够处理概要文件注册请求的PDS。

A PDS receiving the enrollment request SHOULD respond to the request, or proxy it to a PDS that can respond. An exception to responding or proxying the request is when a policy prevents response (e.g., recognition of a denial-of-service (DoS) attack, an invalid device, etc.). The PDS then verifies the identity presented in the request and performs any necessary authentication. Once authentication is successful, the PDS MUST either admit or reject the enrollment request, based on applicable authorization policies. A PDS admitting the enrollment request indicates it via a 2xx-class response, as specified in [RFC3265].

接收注册请求的PDS应响应该请求,或将其代理给可响应的PDS。响应或代理请求的例外情况是策略阻止响应(例如,识别拒绝服务(DoS)攻击、无效设备等)。然后,PDS验证请求中提供的身份,并执行任何必要的身份验证。身份验证成功后,PDS必须根据适用的授权策略接受或拒绝注册请求。根据[RFC3265]中的规定,允许注册请求的PDS通过2xx类响应指示注册请求。

Refer to Sections 6.6 and 5.2 for more information on subscription request handling and security requirements, respectively.

有关订阅请求处理和安全要求的更多信息,请分别参阅第6.6节和第5.2节。

Enrollment request acceptance

入学申请受理

A PDS that admits the enrollment request verifies applicable policies, identifies the requested profile data and prepares a SIP NOTIFY message to the device. Such a notification can either contain the profile data or contain content indirection information that results in the device performing profile content retrieval. The PDS then transmits the prepared SIP notification. When the device successfully receives and accepts the SIP notification, profile enrollment is complete.

允许注册请求的PDS验证适用的策略,识别请求的配置文件数据,并准备发送给设备的SIP NOTIFY消息。这样的通知可以包含配置文件数据,也可以包含导致设备执行配置文件内容检索的内容间接信息。然后,PDS发送准备好的SIP通知。当设备成功接收并接受SIP通知时,配置文件注册完成。

When it receives the SIP NOTIFY message, indicating successful profile enrollment, the device SHOULD make the new profile effective within the specified time frame, as described in Section 6.2. The exception is when the profile data is delivered via content indirection, and the device cannot obtain the profile data within the specified time frame.

当设备接收到SIP NOTIFY消息,指示成功注册配置文件时,设备应在指定的时间范围内使新配置文件生效,如第6.2节所述。例外情况是通过内容间接传送配置文件数据,并且设备无法在指定的时间范围内获取配置文件数据。

Once profile enrollment is successful, the PDS MUST consider the device enrolled for the specific profile, for the duration of the subscription.

一旦配置文件注册成功,PDS就必须考虑在订阅期间为特定配置文件注册的设备。

5.1.2. Content Retrieval
5.1.2. 内容检索

A successful profile enrollment leads to an initial SIP notification, and may result in subsequent change notifications. Each of these notifications can either contain profile data or content indirection information. If it contains content indirection information, the device is required to retrieve the profile data using the specified content retrieval protocols. This process is termed "profile content retrieval". For information regarding the use of the SIP NOTIFY message body, please refer to Section 6.5.

成功的配置文件注册将导致初始SIP通知,并可能导致后续更改通知。每个通知都可以包含配置文件数据或内容间接信息。如果设备包含内容间接信息,则需要使用指定的内容检索协议检索配置文件数据。此过程称为“配置文件内容检索”。有关使用SIP NOTIFY消息正文的信息,请参阅第6.5节。

Devices and PDSs implementing this framework MUST implement two content retrieval protocols: HTTP and HTTPS, as specified in [RFC2616] and [RFC2818], respectively. Future enhancements or usage of this framework may specify additional or alternative content retrieval protocols. For security requirements and considerations, please refer to Section 5.2.

实现此框架的设备和PDS必须实现两个内容检索协议:HTTP和HTTPS,分别在[RFC2616]和[RFC2818]中指定。此框架的未来增强或使用可能会指定其他或替代内容检索协议。有关安全要求和注意事项,请参阅第5.2节。

5.1.3. Change Notification
5.1.3. 变更通知

Profile data can change over time. Changes can be initiated by various entities (e.g., via the device, back-office components, and end-user web interfaces) and for various reasons (e.g., change in user preferences and modifications to services). Profiles may also be shared by multiple devices simultaneously. When a profile is changed, the PDS MUST inform all the devices currently enrolled for

配置文件数据可能会随时间变化。更改可以由各种实体(例如,通过设备、后台组件和最终用户web界面)以及出于各种原因(例如,用户首选项的更改和对服务的修改)发起。配置文件也可以由多个设备同时共享。更改配置文件时,PDS必须通知当前注册的所有设备

the specific profile. This process of informing a device of any changes to the profile that it is currently enrolled for is termed change notification.

具体情况。通知设备当前注册的配置文件的任何更改的过程称为更改通知。

The PDS provides change notification using a SIP notification (the SIP NOTIFY message, as specified in [RFC3265]). The SIP notification may provide the changes, a revised profile, or content indirection, which contains a pointer to the revised data. When a device successfully receives a profile change notification for an enrolled profile, it MUST act upon the changes prior to the expiration of the 'effective-by' parameter.

PDS使用SIP通知(SIP NOTIFY消息,如[RFC3265]中所述)提供更改通知。SIP通知可以提供变更、修改的概要文件或内容间接寻址,其中包含指向修改后的数据的指针。当设备成功接收到已注册配置文件的配置文件更改通知时,它必须在“生效日期”参数过期之前对更改采取行动。

For NOTIFY content, please refer to Section 6.5.

有关通知内容,请参阅第6.5节。

5.1.4. Enrollment Data and Caching
5.1.4. 注册数据和缓存

The requirements for the contents of the SIP SUBSCRIBE used to request profile enrollment are described in this section. The data required can be configured, cached, or discovered -- depending on the profile type. If the data is not configured, the device MUST use relevant cached data or proceed with data discovery. This section describes the requirements for creating a SIP SUBSCRIBE for enrollment, the caching requirements and how data can be discovered.

本节描述了用于请求配置文件注册的SIP SUBSCRIBE的内容要求。根据配置文件类型,可以配置、缓存或查找所需的数据。如果未配置数据,则设备必须使用相关缓存数据或继续进行数据发现。本节介绍创建SIP订阅以进行注册的要求、缓存要求以及如何发现数据。

5.1.4.1. Local-Network Profile
5.1.4.1. 本地网络配置文件

To create a Subscription URI to request the local-network profile, a device needs the local network domain name, the device identifier, and optionally a user AoR with associated credentials (if one is configured). Since the device can be potentially initialized in a different local network each time, it SHOULD NOT cache the local network domain, the SIP Subscription URI or the local-network profile data across resets. An exception to this is when the device can confirm that it is reinitialized in the same network (using means outside the scope of this document). Thus, in most cases, the device needs to discover the local network domain name. The device discovers this by establishing IP connectivity in the local network (such as via DHCP or pre-configured IP information). Once established, the device MUST attempt to use the local network domain obtained via pre-configuration, if available. If it is not pre-configured, it MUST employ dynamic discovery using DHCPv4 ([RFC2132], Domain Name option) or DHCPv6 ([RFC4704]). Once the local network domain is obtained, the device creates the SIP SUBSCRIBE for enrollment as described below.

要创建订阅URI以请求本地网络配置文件,设备需要本地网络域名、设备标识符和可选的用户AoR以及相关凭据(如果已配置)。由于设备每次都可能在不同的本地网络中初始化,因此它不应跨重置缓存本地网络域、SIP订阅URI或本地网络配置文件数据。例外情况是,设备可以确认其已在同一网络中重新初始化(使用本文档范围之外的方法)。因此,在大多数情况下,设备需要发现本地网络域名。设备通过在本地网络中建立IP连接(例如通过DHCP或预配置的IP信息)来发现这一点。一旦建立,设备必须尝试使用通过预配置获得的本地网络域(如果可用)。如果未预先配置,则必须使用DHCPv4([RFC2132],域名选项)或DHCPv6([RFC4704])进行动态发现。一旦获得本地网络域,设备将创建SIP订阅以进行注册,如下所述。

o The device MUST NOT populate the user part of the Request-URI. The device MUST set the host portion of the Request-URI to the dot-separated concatenation of "_sipuaconfig" and the local network domain (see example below).

o 设备不得填充请求URI的用户部分。设备必须将请求URI的主机部分设置为“_sipuaconfig”和本地网络域的点分隔连接(参见下面的示例)。

o If the device has been configured with a user AoR for the local network domain (verified as explained in Section 5.2) the device MUST use it to populate the From field, unless configured not to (due to privacy concerns, for example). Otherwise, the device MUST set the From field to a value of "anonymous@anonymous.invalid".

o 如果设备已配置本地网络域的用户AoR(如第5.2节所述进行验证),则设备必须使用该AoR来填充From字段,除非配置为不使用(例如,出于隐私考虑)。否则,设备必须将From字段的值设置为“anonymous@anonymous.invalid".

o The device MUST include the +sip.instance parameter within the Contact header, as specified in [RFC5626]. The device MUST ensure that the value of this parameter is the same as that included in any subsequent profile enrollment request.

o 根据[RFC5626]中的规定,设备必须在联系人标头中包含+sip.instance参数。设备必须确保此参数的值与任何后续配置文件注册请求中包含的值相同。

For example, if the device requested and received the local domain name via DHCP to be: airport.example.net, then the local-network profile SUBSCRIBE Request-URI would look like:

例如,如果设备通过DHCP请求并接收到本地域名为:airport.example.net,则本地网络配置文件订阅请求URI如下所示:

sip:_sipuaconfig.airport.example.net

sip:_sipuaconfig.airport.example.net

The local-network profile SUBSCRIBE Request-URI does not have a user part so that the URI is distinct between the "local" and "device" URIs when the domain is the same for the two. This provides a means of routing to the appropriate PDS in domains where there are distinct servers.

本地网络配置文件订阅请求URI没有用户部分,因此当域与“本地”和“设备”URI相同时,URI在“本地”和“设备”URI之间是不同的。这提供了一种在存在不同服务器的域中路由到适当PDS的方法。

The From field is populated with the user AoR, if available. This allows the local network provider to propagate user-specific profile data, if available. The "+sip.instance" parameter within the Contact header is set to the device identifier or specifically, the SIP UA instance. Even though every device may get the same (or similar) local-network profile, the uniqueness of the "+sip.instance" parameter provides an important capability. Having unique instance ID fields allows the management of the local network to track devices present in the network and consequently also manage resources such as bandwidth allocation.

“发件人”字段将填充用户AoR(如果可用)。这允许本地网络提供商传播特定于用户的配置文件数据(如果可用)。联系人头中的“+sip.instance”参数被设置为设备标识符,或者具体地说是sip UA实例。即使每个设备可能获得相同(或类似)的本地网络配置文件,“+sip.instance”参数的唯一性提供了一个重要的功能。具有唯一实例ID字段允许本地网络的管理跟踪网络中存在的设备,从而也管理诸如带宽分配之类的资源。

5.1.4.2. Device Profile Type
5.1.4.2. 设备配置文件类型

Once associated with a device, the device provider is not expected to change frequently. Thus, the device is allowed to, and SHOULD, cache the Subscription URI for the device profile upon successful enrollment. Exceptions include cases where the device identifier has changed (e.g., new network card), device provider information has changed (e.g., user initiated change), or the device cannot obtain

一旦与设备关联,设备提供程序就不会频繁更改。因此,在成功注册后,设备可以并且应该缓存设备配置文件的订阅URI。例外情况包括设备标识符已更改(例如,新网卡)、设备提供商信息已更改(例如,用户发起的更改)或设备无法获取的情况

its profile using the Subscription URI. Thus, when available, the device MUST use a cached Subscription URI. If no cached URI is available then it needs to create a Subscription URI. To create a Subscription URI, the device needs a device identity and the device provider's domain name. Unless already configured, the device needs to discover the necessary information and form the Subscription URI. In such cases, the following requirements apply for creating a Subscription URI for requesting the device profile:

它的配置文件使用订阅URI。因此,当可用时,设备必须使用缓存的订阅URI。如果没有可用的缓存URI,则需要创建订阅URI。要创建订阅URI,设备需要设备标识和设备提供商的域名。除非已经配置,否则设备需要发现必要的信息并形成订阅URI。在这种情况下,以下要求适用于创建订阅URI以请求设备配置文件:

o The device MUST populate the user part of the Request-URI with the device identifier. The device MUST set the host portion of the Request-URI to the domain name of the device provider. The device identifier format is explained in detail later in this section.

o 设备必须使用设备标识符填充请求URI的用户部分。设备必须将请求URI的主机部分设置为设备提供程序的域名。本节后面将详细说明设备标识符格式。

o The device MUST set the From field to a value of anonymous@<device provider's domain>.

o 设备必须将From字段设置为anonymous@<device provider's domain>。

o The device MUST include the "+sip.instance" parameter within the Contact header, as specified in [RFC5626]. The device MUST use the same value as the one presented while requesting the local-network profile.

o 按照[RFC5626]中的规定,设备必须在联系人标头中包含“+sip.instance”参数。设备必须使用与请求本地网络配置文件时显示的值相同的值。

Note that the discovered AoR for the Request-URI can be overridden by a special, provisioned, AoR that is unique to the device. In such cases, the provisioned AoR is used to form the Request-URI and to populate the From field.

请注意,为请求URI发现的AoR可以由设备唯一的特殊、已配置的AoR覆盖。在这种情况下,配置的AoR用于形成请求URI并填充From字段。

If the device is not configured with an AoR, and needs a domain name to populate the Request-URI and the From field, it can either use a configured domain name, if available, or discover it. The options to discover are described below. The device MUST use the results of each successful discovery process for one enrollment attempt, in the order specified below.

如果设备未配置AoR,并且需要域名来填充请求URI和“发件人”字段,则可以使用已配置的域名(如果可用)或查找该域名。要查找的选项如下所述。设备必须按照下面指定的顺序将每个成功发现过程的结果用于一次注册尝试。

o Option 1: Devices that support DHCP MUST attempt to obtain the domain name of the outbound proxy during the DHCP process, using the DHCP option for SIP servers defined in [RFC3361] or [RFC3319] (for IPv4 and IPv6, respectively).

o 选项1:支持DHCP的设备必须在DHCP过程中尝试获取出站代理的域名,使用[RFC3361]或[RFC3319]中定义的SIP服务器的DHCP选项(分别用于IPv4和IPv6)。

o Option 2: Devices that support DHCP MUST attempt to obtain the local IP network domain during the DHCP process (refer to [RFC2132] and [RFC4704]).

o 选项2:支持DHCP的设备必须在DHCP过程中尝试获取本地IP网络域(请参阅[RFC2132]和[RFC4704])。

o Option 3: Devices MUST use the local network domain name (configured or discovered to retrieve the local-network profile), prefixing it with the label "_sipuaconfig".

o 选项3:设备必须使用本地网络域名(配置或查找以检索本地网络配置文件),并在其前面加上标签“_sipuaconfig”。

If the device needs to create a Subscription URI and needs to use its device identifier, it MUST use the UUID-based (Universally Unique Identifier) URN representation as specified in [RFC4122]. The following requirements apply:

如果设备需要创建订阅URI并需要使用其设备标识符,则必须使用[RFC4122]中指定的基于UUID(通用唯一标识符)的URN表示。以下要求适用:

o When the device has a non-alterable Media Access Control (MAC) address, it SHOULD use the version 1 UUID representation with the timestamp and clock sequence bits set to a value of '0'. This will allow for easy recognition, and uniqueness of MAC-address-based UUIDs. An exception is the case where the device supports independent device configuration for more than one SIP UA. An example would be multiple SIP UAs on the same platform.

o 当设备具有不可更改的媒体访问控制(MAC)地址时,应使用版本1 UUID表示,时间戳和时钟序列位设置为值“0”。这将使基于MAC地址的UUID易于识别和唯一性。例外情况是设备支持多个SIP UA的独立设备配置。例如,同一平台上的多个SIP UAs。

o If the device cannot use a non-alterable device identifier, it SHOULD use an alternative non-alterable device identifier. For example, the International Mobile Equipment Identity (IMEI) for mobile devices.

o 如果设备不能使用不可更改的设备标识符,则应使用替代的不可更改的设备标识符。例如,用于移动设备的国际移动设备标识(IMEI)。

o If the device cannot use a non-alterable MAC address, it MUST use the same approach as defining a user agent instance ID in [RFC5626].

o 如果设备不能使用不可更改的MAC地址,则必须使用与[RFC5626]中定义用户代理实例ID相同的方法。

o Note: when the URN is used as the user part of the Request-URI, it MUST be URL escaped since the colon (":") is not a legal character in the user part of an addr-spec ([RFC4122]), and must be escaped.

o 注意:当URN用作请求URI的用户部分时,必须对其进行URL转义,因为冒号(:)在addr规范([RFC4122])的用户部分中不是合法字符,必须进行转义。

         For example, the instance ID:
         urn:uuid:f81d4fae-7ced-11d0-a765-00a0c91e6bf6@example.com
        
         For example, the instance ID:
         urn:uuid:f81d4fae-7ced-11d0-a765-00a0c91e6bf6@example.com
        

would be escaped to look as follows in a URI: sip:urn%3auuid%3af81d4fae-7ced-11d0-a765-00a0c91e6bf6@ example.com

将在URI中转义为如下所示:sip:urn%3auuid%3af81d4fae-7ced-11d0-a765-00a0c91e6bf6@example.com

The ABNF ([RFC5234]) for the UUID representation is provided in [RFC4122].

UUID表示的ABNF([RFC5234])在[RFC4122]中提供。

5.1.4.3. User Profile Type
5.1.4.3. 用户配置文件类型

To create a Subscription URI to request the user profile on behalf of a user, the device needs to know the user's AoR. This can be statically or dynamically configured on the device (e.g., user input, or propagated as part of the device profile). Similar to device profiles, the content and propagation of user profiles may differ, based on deployment scenarios (i.e., users belonging to the same domain may -- or may not -- be provided the same profile). To create a Subscription URI, the following rules apply:

要创建订阅URI以代表用户请求用户配置文件,设备需要知道用户的AoR。这可以在设备上进行静态或动态配置(例如,用户输入,或作为设备配置文件的一部分进行传播)。与设备配置文件类似,根据部署场景,用户配置文件的内容和传播可能有所不同(即,属于同一域的用户可能——也可能不——被提供相同的配置文件)。要创建订阅URI,请应用以下规则:

o The device MUST set the Request-URI to the user AoR.

o 设备必须将请求URI设置为用户AoR。

o The device MUST populate the From field with the user AoR.

o 设备必须使用用户AoR填充From字段。

An authoritative SIP proxy for a SIP provider's network that receives a profile enrollment request for the user profile type will route based on the Event Header field values, thus allowing a subscription to the user's AoR to be routed to the appropriate PDS.

接收用户配置文件类型的配置文件注册请求的SIP提供商网络的权威SIP代理将基于事件头字段值进行路由,从而允许将对用户AoR的订阅路由到适当的PDS。

5.2. Securing Profile Delivery
5.2. 确保配置文件交付

Profile data can contain sensitive information that needs to be secured, such as identities and credentials. Security involves authentication, data integrity and data confidentiality. Authentication is the process by which you verify that an entity is who it claims to be, such as a user AoR presented during profile enrollment. Message integrity provides the assurance that the message contents transmitted between two entities, such as between the PDS and the device, has not been modified during transit. Privacy ensures that the message contents have not been subjected to monitoring by unwanted elements during transit. Authentication and data integrity are required to ensure that the profile contents were received by a valid entity, from a valid source, and without any modifications during transit. For profiles that contain sensitive data, data confidentiality is also required.

配置文件数据可能包含需要保护的敏感信息,例如身份和凭据。安全性涉及身份验证、数据完整性和数据保密性。身份验证是验证实体是否为其声称的实体的过程,例如在概要文件注册期间显示的用户AoR。消息完整性保证在两个实体之间传输的消息内容(例如在PDS和设备之间传输的消息内容)在传输过程中未被修改。隐私确保消息内容在传输过程中不会受到不需要的元素的监视。需要验证和数据完整性,以确保配置文件内容由有效实体从有效来源接收,并且在传输过程中不进行任何修改。对于包含敏感数据的配置文件,还需要数据保密性。

For an overview of potential security threats, refer to Section 9. For information on how the device can be configured with identities and credentials, refer to Section 5.3.1. The following subsections provide the security requirements associated with each profile delivery stage, and applies to each of profile types specified by this framework.

有关潜在安全威胁的概述,请参阅第9节。有关如何使用标识和凭据配置设备的信息,请参阅第5.3.1节。以下小节提供了与每个概要文件交付阶段相关的安全要求,并适用于此框架指定的每个概要文件类型。

5.2.1. Securing Profile Enrollment
5.2.1. 保护配置文件注册

Profile enrollment may result in sensitive profile data. In such cases, the PDS MUST authenticate the device, except during the bootstrapping scenario when the device does not have existing credentials (see Section 5.3.1 for more information on bootstrapping). Additionally, the device MUST authenticate the PDS to ensure that it is obtaining sensitive profile data from a valid PDS.

配置文件注册可能导致敏感配置文件数据。在这种情况下,PDS必须对设备进行身份验证,除非在引导方案期间设备没有现有凭据(有关引导的更多信息,请参阅第5.3.1节)。此外,设备必须对PDS进行身份验证,以确保从有效的PDS获取敏感配置文件数据。

To authenticate a device that has been configured with identities and credentials, as specified in Section 5.3.1, and support profiles containing sensitive profile data (refer to Section 5.3.3), devices and PDSs MUST support digest authentication (over Transport Layer Security (TLS)) as specified in [RFC3261]. Future enhancements may

要验证已配置了第5.3.1节中规定的身份和凭据的设备,并支持包含敏感配置文件数据的配置文件(请参阅第5.3.3节),设备和PDS必须支持[RFC3261]中规定的摘要验证(传输层安全(TLS))。未来的增强可能

provide other authentication methods such as authentication using X.509 certificates. For the device to authenticate the PDS, the device MUST mutually authenticate with the PDS during digest authentication (device challenges the PDS, which responds with the Authorization header). Transmission of sensitive profile data also requires data integrity. This can be accomplished by configuring the device with, or by ensuring that the discovery process during profile enrollment provides, a Session Initiation Protocol Secure (SIPS) URI resulting in TLS establishment ([RFC5246]). TLS also prevents offline dictionary attacks when digest authentication is used. Thus, in the absence of TLS, the device MUST NOT respond to any authentication challenges. It is to be noted that the digest credentials used for obtaining profile data via this framework may, or may not, be the same as those used for SIP registration (see Section 5.3.1). In addition, while [RFC3261] considers MD5 to be a reasonable choice to compute the hash, and this may have been true when [RFC3261] was published, implementers are recommended to use stronger alternatives such as SHA-256. Refer to [FIPS-180-3] and [RFC4634] for more information about SHA-256.

提供其他身份验证方法,例如使用X.509证书进行身份验证。对于要对PDS进行身份验证的设备,设备必须在摘要身份验证期间与PDS进行相互身份验证(设备向PDS提出挑战,PDS将使用授权标头进行响应)。敏感配置文件数据的传输也需要数据完整性。这可以通过配置设备来实现,或者通过确保配置文件注册期间的发现过程提供会话启动协议安全(SIPS)URI,从而建立TLS([RFC5246])。TLS还可以在使用摘要身份验证时防止脱机字典攻击。因此,在没有TLS的情况下,设备不得响应任何认证挑战。需要注意的是,用于通过该框架获取概要文件数据的摘要凭证可能与用于SIP注册的凭证相同,也可能不同(参见第5.3.1节)。此外,虽然[RFC3261]认为MD5是计算散列的合理选择,并且在[RFC3261]发布时可能是这样,但建议实施者使用更强大的替代方案,如SHA-256。有关SHA-256的更多信息,请参阅[FIPS-180-3]和[RFC4634]。

When the PDS challenges a profile enrollment request, and it fails, the PDS MAY refuse enrollment or provide profile data without the user-specific information (e.g., to bootstrap a device as indicated in Section 5.3.1). If the device challenges, but fails to authenticate the PDS, it MUST reject the initial notification and retry the profile enrollment process. If the device is configured with, or discovers, a SIPS URI but TLS establishment fails because the next-hop SIP entity does not support TLS, the device SHOULD attempt other resolved next-hop SIP entities. When the device establishes TLS with the next-hop entity, the device MUST use the procedures specified in [RFC2818], Section 3.1, for authentication, unless it does not have any configured information (e.g., certification authority (CA) certificate) to perform authentication (like prior to bootstrapping). The 'Server Identity' for authentication is always the domain of the next-hop SIP entity. If the device attempts validation, and it fails, it MUST reject the initial notification and retry profile enrollment. In the absence of a SIPS URI for the device and a mechanism for mutual authentication, the PDS MUST NOT present any sensitive profile data in the initial notification, except when the device is being bootstrapped. It MAY still use content indirection to transmit sensitive profile data.

当PDS对配置文件注册请求提出质疑且失败时,PDS可拒绝注册或提供没有用户特定信息的配置文件数据(例如,如第5.3.1节所述引导设备)。如果设备提出质疑,但无法验证PDS,则必须拒绝初始通知并重试配置文件注册过程。如果设备配置或发现SIPS URI,但由于下一跳SIP实体不支持TLS而导致TLS建立失败,则设备应尝试其他已解析的下一跳SIP实体。当设备与下一跳实体建立TLS时,设备必须使用[RFC2818]第3.1节中规定的程序进行身份验证,除非它没有任何配置信息(例如,证书颁发机构(CA)证书)来执行身份验证(如引导前)。用于身份验证的“服务器标识”始终是下一跳SIP实体的域。如果设备尝试验证但失败,则必须拒绝初始通知并重试配置文件注册。在没有设备的SIPS URI和相互认证机制的情况下,PDS不得在初始通知中显示任何敏感配置文件数据,除非设备正在引导。它可能仍然使用内容间接传输敏感的配置文件数据。

When a device is being provided with bootstrapping profile data within the notification, and it contains sensitive information, the SIP Identity header SHOULD be used, as specified in [RFC4474]. This helps with devices that MAY be pre-configured with certificates to validate bootstrapping sources (e.g., list of allowed domain certificates, or a list of root CA certificates using Public Key

当在通知中向设备提供引导配置文件数据,并且该设备包含敏感信息时,应使用SIP标识头,如[RFC4474]中所述。这有助于设备预配置证书以验证引导源(例如,允许的域证书列表或使用公钥的根CA证书列表)

Infrastructure (PKI)). When the SIP Identity header is used, the PDS MUST set the host portion of the AoR in the From header to the Provider's domain (the user portion is a entity-specific identifier). If the device is capable of validating the SIP Identity, and it fails, it MUST reject bootstrapping profile data.

基础设施(PKI))。当使用SIP标识头时,PDS必须在From头中将AoR的主机部分设置为提供商的域(用户部分是特定于实体的标识符)。如果设备能够验证SIP标识,但失败,则必须拒绝引导配置文件数据。

5.2.2. Securing Content Retrieval
5.2.2. 安全内容检索

Initial or change notifications following a successful enrollment can provide a device with the requested profile data or use content indirection to direct it to a PCC that can provide the profile data. This document specifies HTTP and HTTPS as content retrieval protocols.

成功注册后的初始通知或更改通知可向设备提供请求的配置文件数据,或使用内容间接将其定向到可提供配置文件数据的PCC。本文档将HTTP和HTTPS指定为内容检索协议。

If the profile is provided via content indirection and contains sensitive profile data, then the PDS MUST use a HTTPS URI for content indirection. PCCs and devices MUST NOT use HTTP for sensitive profile data, except for bootstrapping a device via the device profile. A device MUST authenticate the PCC as specified in [RFC2818], Section 3.1. A device that is being provided with profile data that contains sensitive data MUST be authenticated using digest authentication as specified in [RFC2617], with the exception of a device that is being bootstrapped for the first time via the device profile. The resulting TLS channel also provides data integrity and data confidentiality.

如果配置文件是通过内容间接寻址提供的,并且包含敏感的配置文件数据,则PDS必须使用HTTPS URI进行内容间接寻址。PCC和设备不得对敏感配置文件数据使用HTTP,除非通过设备配置文件引导设备。设备必须按照[RFC2818]第3.1节的规定对PCC进行认证。必须使用[RFC2617]中规定的摘要身份验证对提供了包含敏感数据的配置文件数据的设备进行身份验证,但首次通过设备配置文件引导的设备除外。由此产生的TLS通道还提供数据完整性和数据保密性。

5.2.3. Securing Change Notification
5.2.3. 保护更改通知

If the device requested enrollment via a SIP subscription with a non-zero 'Expires' parameter, it can also result in change notifications for the duration of the subscription. For change notifications containing sensitive profile data, this framework RECOMMENDS the use of the SIP Identity header as specified in [RFC4474]. When the SIP Identity header is used, the PDS MUST set the host portion of the AoR in the From header to the Provider's domain (the user portion is a entity-specific identifier). This provides header and body integrity as well. However, for sensitive profile data requiring data confidentiality , if the contact URI to which the NOTIFY request is to be sent is not SIPS, the PDS MUST use content indirection. Additionally, the PDS MUST also use content indirection for notifications containing sensitive profile data, when the profile enrollment was not authenticated.

如果设备通过具有非零“Expires”参数的SIP订阅请求注册,还可能导致订阅期间的更改通知。对于包含敏感配置文件数据的更改通知,此框架建议使用[RFC4474]中指定的SIP标识头。当使用SIP标识头时,PDS必须在From头中将AoR的主机部分设置为提供商的域(用户部分是特定于实体的标识符)。这也提供了头部和车身的完整性。但是,对于需要数据机密性的敏感配置文件数据,如果要向其发送通知请求的联系人URI不是SIPS,则PDS必须使用内容间接寻址。此外,当配置文件注册未通过身份验证时,PDS还必须对包含敏感配置文件数据的通知使用内容间接寻址。

5.3. Additional Considerations
5.3. 其他考虑事项

This section provides additional considerations, such as details on how a device obtains identities and credentials, back-off and retry methods, guidelines on profile data, and additional profile types.

本节提供了其他注意事项,例如有关设备如何获取标识和凭据的详细信息、回退和重试方法、配置文件数据指南以及其他配置文件类型。

5.3.1. Bootstrapping Identities and Credentials
5.3.1. 引导身份和凭据

When requesting a profile, the profile delivery server will likely require the device to provide an identity (i.e., a user AoR) and associated credentials for authentication. During this process (e.g., digest authentication), the PDS is also required to present its knowledge of the credentials to ensure mutual authentication (see Section 5.2.1). For mutual authentication with the PDS, the device needs to be provided with the necessary identities and credentials (e.g., username/password, certificates). This is done via bootstrapping. For a discussion around the security considerations related to bootstrapping, please see Section 9.2.

当请求概要文件时,概要文件交付服务器可能会要求设备提供身份(即,用户AoR)和用于认证的相关凭证。在此过程中(例如,摘要认证),PDS还需要展示其对凭证的了解,以确保相互认证(见第5.2.1节)。对于与PDS的相互认证,需要为设备提供必要的身份和凭证(例如用户名/密码、证书)。这是通过引导实现的。有关与引导相关的安全注意事项的讨论,请参见第9.2节。

Bootstrapping a device with the required identities and credentials can be accomplished in one of the following ways:

使用所需的标识和凭据引导设备可以通过以下方式之一完成:

Pre-configuration The device may be pre-configured with identities and associated credentials, such as a user AoR and digest password.

预配置可以使用身份和相关凭证(例如用户AoR和摘要密码)预配置设备。

Out-of-band methods A device or Provider may provide hardware- or software-based credentials such as Subscriber Identity Module (SIM) cards or Universal Serial Bus (USB) drives.

带外方法设备或提供商可提供基于硬件或软件的凭证,如用户身份模块(SIM)卡或通用串行总线(USB)驱动器。

End-user interface The end-user may be provided with the necessary identities and credentials. The end-user can then configure the device (using a user interface), or present when required (e.g., IM login screen).

最终用户界面可向最终用户提供必要的身份和凭证。最终用户可以配置设备(使用用户界面),或在需要时显示(例如IM登录屏幕)。

Using this framework When a device is initialized, even if it has no pre-configured information, it can request the local-network and device profiles. For purposes of bootstrapping, this framework recommends that the device profile provide one of the following to bootstrap the device:

在初始化设备时使用此框架,即使没有预先配置的信息,也可以请求本地网络和设备配置文件。出于引导的目的,此框架建议设备配置文件提供以下选项之一以引导设备:

* Profile data that allows the end-user to communicate with the device provider or SIP service provider using non-SIP methods. For example, the profile data can direct the end-user to a web portal to obtain a subscription. Upon obtaining a successful subscription, the end-user or the device can be provided with the necessary identities and credentials.

* 允许最终用户使用非SIP方法与设备提供商或SIP服务提供商通信的配置文件数据。例如,概要文件数据可以将最终用户引导到web门户以获得订阅。在获得成功订阅后,可以向最终用户或设备提供必要的身份和凭据。

* Content indirection information to a PCC that can provide identities and credentials. As an example, consider a device that has an X.509 certificate that can be authenticated by the PCC. In such a case, the PCC can use HTTPS to provide identities and associated credentials.

* 将内容间接寻址信息发送到可以提供身份和凭据的PCC。作为一个例子,考虑一个具有X.509证书的设备,该证书可以由PCC进行身份验证。在这种情况下,PCC可以使用HTTPS提供身份和相关凭证。

* Profile data containing identities and credentials that can be used to bootstrap the device (see Section 5.3.3 for profile data recommendations). This can be used in cases where the device is initialized for the first time, or after a factory reset. This can be considered only in cases where the device is initialized in the Provider's network, for obvious security reasons.

* 包含可用于引导设备的标识和凭据的配置文件数据(有关配置文件数据建议,请参阅第5.3.3节)。这可用于设备首次初始化或出厂复位后的情况。出于明显的安全原因,只有在设备在提供商的网络中初始化的情况下才能考虑这一点。

For interoperability purposes, this framework requires PDSs and devices to support the last option (above), which is to use this framework. Specifically, the option of providing identities and credentials via the profile data MUST be supported.

出于互操作性目的,此框架要求PDS和设备支持最后一个选项(如上),即使用此框架。具体而言,必须支持通过配置文件数据提供身份和凭据的选项。

Additionally, AoRs are typically known by PDSs that serve the domain indicated by the AoR. Thus, devices can only present the configured AoRs in the respective domains. An exception is the use of federated identities. This allows a device to use a user's AoR in multiple domains. Further even within the same domain, the device's domain proxy and the PDS may be in two different realms, and as such may be associated with different credentials for digest authentication. In such cases, multiple credentials may be configured, and associated with the realms in which they are to be used. This framework specifies only digest authentication for profile enrollment and the device is not expected to contain any other credentials. For profile retrieval using content indirection, the device will need to support additional credentials such as X.509 certificates (for TLS). Future enhancements can specify additional credential types for profile enrollment and retrieval.

此外,AoR通常由服务于AoR指示的域的PDS所知。因此,设备只能在各自的域中呈现已配置的AOR。一个例外是使用联合身份。这允许设备在多个域中使用用户的AoR。此外,即使在同一域内,设备的域代理和PDS也可以位于两个不同的领域中,并且因此可以与用于摘要认证的不同凭证相关联。在这种情况下,可以配置多个凭证,并将其与要使用它们的领域相关联。此框架仅为配置文件注册指定摘要身份验证,设备不应包含任何其他凭据。对于使用内容间接寻址的配置文件检索,设备将需要支持其他凭据,例如X.509证书(用于TLS)。未来的增强功能可以为配置文件注册和检索指定其他凭据类型。

5.3.2. Profile Enrollment Request Attempt
5.3.2. 配置文件注册请求尝试

A state diagram representing a device requesting any specific profile defined by this framework is shown in Figure 6.

图6显示了一个状态图,表示一个设备请求此框架定义的任何特定概要文件。

                                +------------+
                                | Initialize |
                                +-----+------+
                                      |
                                      |
                                      V
                               +-------------+
                               |   Prepare   |
                    +--------->|  Enrollment |<------------------+
                    |          |   Request   |                   |
                    |          +------+------+                   |
             +------+------+          |                          |
             |   Failure   | Enroll. Req. prepared               |
         +-->|  Handling & |      /Send Req                      |
         |   |   Delay     |          |                          |
         |   +-------------+          V                          |
         |       ^    ^        +-------------+                   |
         |       |    |        |    Await    |                   |
         |       |    +--------+  Enrollment |                   |
         |       |    Timeout, |  acceptance |                   |
         |       |   non-2xx/- +------+------+                   |
         |       |                    |                          |
         |   Timeout            200 OK/-                    Enrollment
         |  /Terminate                |                       Timeout/-
         |   Enrollment               V                          |
         |       |            +--------------+                   |
         |       |            |  Enrollment  |                   |
         |       +------------+   accepted   |                   |
    Retries Exceeded          |(await NOTIFY)|                   |
   /Retry Enrollment          +---+------+---+                   |
         |                        |      |                       |
         |                        |      |                       |
         |   NOTIFY w. Content Ind|      |  NOTIFY w. Profile    |
         |     /Retrieve Profile  |      |  /Accept Profile      |
         |           +------------+      +------------+          |
         |           |                                |          |
         |           V                                V          |
         |     +------------+                   +------------+   |
         +-----+ Retrieving |    Retrieved      | Enrollment +---+
            ,->|   Profile  +--/Apply Profile-->| Successful |
           /   |            |                   |(monitoring)|<--.
      Timeout  +--+---------+                   +--+----+----+    :
      /Retry      ;      ^                         |    :         ;
           `------'      |   NOTIFY w. Cont.Ind    |    `-------'
                         +---/Retrieve Profile-----+   NOTIFY w. Profile
                                                          /Apply Profile
        
                                +------------+
                                | Initialize |
                                +-----+------+
                                      |
                                      |
                                      V
                               +-------------+
                               |   Prepare   |
                    +--------->|  Enrollment |<------------------+
                    |          |   Request   |                   |
                    |          +------+------+                   |
             +------+------+          |                          |
             |   Failure   | Enroll. Req. prepared               |
         +-->|  Handling & |      /Send Req                      |
         |   |   Delay     |          |                          |
         |   +-------------+          V                          |
         |       ^    ^        +-------------+                   |
         |       |    |        |    Await    |                   |
         |       |    +--------+  Enrollment |                   |
         |       |    Timeout, |  acceptance |                   |
         |       |   non-2xx/- +------+------+                   |
         |       |                    |                          |
         |   Timeout            200 OK/-                    Enrollment
         |  /Terminate                |                       Timeout/-
         |   Enrollment               V                          |
         |       |            +--------------+                   |
         |       |            |  Enrollment  |                   |
         |       +------------+   accepted   |                   |
    Retries Exceeded          |(await NOTIFY)|                   |
   /Retry Enrollment          +---+------+---+                   |
         |                        |      |                       |
         |                        |      |                       |
         |   NOTIFY w. Content Ind|      |  NOTIFY w. Profile    |
         |     /Retrieve Profile  |      |  /Accept Profile      |
         |           +------------+      +------------+          |
         |           |                                |          |
         |           V                                V          |
         |     +------------+                   +------------+   |
         +-----+ Retrieving |    Retrieved      | Enrollment +---+
            ,->|   Profile  +--/Apply Profile-->| Successful |
           /   |            |                   |(monitoring)|<--.
      Timeout  +--+---------+                   +--+----+----+    :
      /Retry      ;      ^                         |    :         ;
           `------'      |   NOTIFY w. Cont.Ind    |    `-------'
                         +---/Retrieve Profile-----+   NOTIFY w. Profile
                                                          /Apply Profile
        

Figure 6: Device State Diagram

图6:设备状态图

As a reminder:

提醒大家:

o The timeout for SIP messages is specified by [RFC3261]. In the cases where this is not specified such as the timeout to wait for the initial notification during profile enrollment, it is left to device implementations or future protocol enhancements.

o SIP消息的超时由[RFC3261]指定。在未指定此选项的情况下,如配置文件注册期间等待初始通知的超时,则留给设备实现或未来的协议增强。

o The timeout for profile retrieval using content indirection will be as specified by profile retrieval protocols employed. If none exists, it is left to device implementations.

o 使用内容间接寻址进行配置文件检索的超时将由所使用的配置文件检索协议指定。如果不存在,则留给设备实现。

In addition, since profile enrollment is a process unique to this framework, the device MUST follow the enrollment attempt along with exponential back-off and retry mechanisms as indicated in Figure 7.

此外,由于配置文件注册是此框架特有的过程,因此设备必须遵循注册尝试以及指数退避和重试机制,如图7所示。

Function for Profile Enrollment ()

用于配置文件注册的函数()

Init Function: Iteration i=0

初始化函数:迭代i=0

Loop 1: Attempt

循环1:尝试

Loop 2: For each SIP Subscription URI

循环2:对于每个SIP订阅URI

Loop 3: For each next-hop SIP entity

循环3:对于每个下一跳SIP实体

- Prepare and transmit Enrollment Request

- 准备并发送注册请求

- Await Enrollment Acceptance and initial NOTIFY

- 等待入学验收并初步通知

+ If the profile enrollment is successful = Exit this function()

+ 如果配置文件注册成功=退出此函数()

+ If profile enrollment fails due to an explicit failure or a timeout as specified in [RFC3261] = Continue with the next-hop SIP entity (Loop 3)

+ 如果配置文件注册因显式故障或[RFC3261]中指定的超时而失败=继续下一跳SIP实体(循环3)

End Loop: Loop 3

结束循环:循环3

End Loop: Loop 2

结束循环:循环2

(Note: If you are here, profile enrollment did not succeed)

(注意:如果您在这里,配置文件注册未成功)

+ Is any valid cached profile data available? = If yes, use it and continue with Loop 1

+ 是否有任何有效的缓存配置文件数据可用?=如果是,使用它并继续循环1

+ If the enrollment request is for a non-mandatory profile = Start profile enrollment for the next profile, if applicable

+ 如果注册请求是针对非强制性配置文件,则=启动下一个配置文件的配置文件注册(如果适用)

- Delay for 2^i*(64*T1); -- this is exponential back-off

- 延迟2^i*(64*T1);——这是退后

- increment i;

- 增量i;

- If i>8, reset i=8;

- 如果i>8,则重置i=8;

End loop: Loop 1

结束循环:循环1

End Function()

结束函数()

Figure 7: Profile Enrollment Attempt (Pseudo-Code)

图7:配置文件注册尝试(伪代码)

The pseudo-code above (Figure 7) allows for cached profiles to be used. However, any cached local-network profile MUST NOT be used unless the device can ensure that it is in the same local network that provided the cached data. This framework does not provide any procedures for local network recognition. Any cached device and user profiles MUST only be used in domains with which they are associated. For example, a cached device profile is used only when the associated domain matches the current device provider's domain. If a PDS wants to invalidate a profile it may do so by transmitting a NOTIFY with an 'empty profile', i.e., profile instance without any included data (if supported by the profile data model; not to be confused with an empty NOTIFY), or via an explicit profile data element that invalidates the data. A device receiving such a NOTIFY MUST discard the applicable profile (i.e., it cannot even store it in the cache). Additionally, if a factory reset is available and performed on a device, it MUST reset the device to its initial state prior to any configuration. Specifically, the device MUST set the device back to the state when it was originally distributed.

上面的伪代码(图7)允许使用缓存的概要文件。但是,除非设备能够确保其位于提供缓存数据的同一本地网络中,否则不得使用任何缓存的本地网络配置文件。该框架不提供任何本地网络识别程序。任何缓存的设备和用户配置文件只能在与其关联的域中使用。例如,仅当关联的域与当前设备提供商的域匹配时,才会使用缓存的设备配置文件。如果PDS想要使配置文件无效,它可以通过发送带有“空配置文件”的通知来实现,即,不包含任何数据的配置文件实例(如果配置文件数据模型支持;不要与空通知混淆),或者通过使数据无效的显式配置文件数据元素来实现。接收此类通知的设备必须丢弃适用的配置文件(即,它甚至不能将其存储在缓存中)。此外,如果可以在设备上进行出厂重置,则必须在进行任何配置之前将设备重置为其初始状态。具体来说,设备必须将设备设置回最初分发时的状态。

The order of profile enrollment is important. For the profiles specified in this framework, the device MUST enroll in the following default order: local network, device, and user. The pseudo-code presented earlier (Figure 7) differentiates between 'mandatory' and 'non-mandatory' profiles. This distinction is left to profile data definitions.

配置文件注册的顺序很重要。对于此框架中指定的配置文件,设备必须按以下默认顺序注册:本地网络、设备和用户。前面介绍的伪代码(图7)区分了“强制”和“非强制”配置文件。这一区别由概要数据定义决定。

It is to be noted that this framework does not allow the devices to inform the PDSs of profile retrieval errors such as invalid data. Follow-on standardization activities are expected to address this feature.

需要注意的是,该框架不允许设备通知PDS配置文件检索错误,例如无效数据。后续的标准化活动有望解决这一问题。

5.3.3. Profile Data
5.3.3. 剖面数据

This framework does not specify the contents for any profile type. Follow-on standardization activities are expected to address profile contents. However, the framework provides the following requirements and recommendations for profile data definitions:

此框架不指定任何概要文件类型的内容。后续的标准化活动有望解决概要文件内容。但是,该框架为纵断面数据定义提供了以下要求和建议:

o The device profile type SHOULD specify parameters to configure the identities and credentials for use in scenarios such as bootstrapping (see Section 5.3.1) and run-time modifications to identities and credentials. This framework recommends the device profile provide the identities and credentials due to a couple of reasons. The local-network profile may not always be available, and even if present, may not be controlled by the device provider who controls device configuration to provide services. Further, the device may not have any users configured prior to being bootstrapped, resulting in an absence of user profile requests.

o 设备配置文件类型应指定用于配置身份和凭据的参数,以便在引导(请参阅第5.3.1节)和身份和凭据的运行时修改等场景中使用。由于两个原因,此框架建议设备配置文件提供标识和凭据。本地网络配置文件可能并不总是可用的,并且即使存在,也可能不由控制设备配置以提供服务的设备提供商控制。此外,设备在引导之前可能没有配置任何用户,导致没有用户配置文件请求。

However, this framework does not prevent other profile types from providing identities and credentials to meet deployment needs. For example, the user profile can contain identities and credentials for communicating with specific applications.

但是,此框架不会阻止其他配置文件类型提供身份和凭据以满足部署需要。例如,用户配置文件可以包含用于与特定应用程序通信的标识和凭据。

o Each profile MUST clearly identify if it may contain any sensitive data. Such profiles MUST also identify the data elements that are considered sensitive, i.e., data that cannot be disclosed to unauthorized parties. As an example, a device profile definition may identify itself as containing sensitive data and indicate data such as device credentials to be sensitive.

o 每个概要文件必须清楚地标识其是否可能包含任何敏感数据。此类概要文件还必须确定被视为敏感的数据元素,即不能向未经授权方披露的数据。例如,设备配置文件定义可将自身标识为包含敏感数据,并指示诸如设备凭据之类的数据为敏感数据。

o When the device receives multiple profiles, the contents of each profile type SHOULD only contain data relevant to the entity it represents. As an example, consider a device that obtains all the defined profiles. Information pertaining to the local network is contained in the 'local-network' profile and not the 'user' profile. This does not preclude relevant data about a different entity from being included in a profile type, e.g., the 'device' profile type may contain information about the users allowed to access services via the device. A profile may also contain starting information to obtain subsequent profiles.

o 当设备接收到多个配置文件时,每个配置文件类型的内容应仅包含与其所代表的实体相关的数据。作为一个例子,考虑一个获得所有定义的配置文件的设备。与本地网络有关的信息包含在“本地网络”配置文件中,而不是“用户”配置文件中。这并不排除在配置文件类型中包含关于不同实体的相关数据,例如,“设备”配置文件类型可能包含关于允许通过设备访问服务的用户的信息。配置文件还可能包含获取后续配置文件的起始信息。

o Data overlap SHOULD be avoided across profile types, unless necessary. If data overlap is present, prioritization of the data is left to data definitions. As an example, the device profile may contain the list of codecs to be used by the device and the user profile (for a user on the device) may contain the codecs preferred by the user. Thus, the same data (usable codecs) is present in two profiles. However, the data definitions may indicate that, to function effectively, any codec chosen for communication needs to be present in both the profiles.

o 除非必要,否则应避免跨配置文件类型的数据重叠。若存在数据重叠,则数据的优先级将留给数据定义。例如,设备简档可以包含设备要使用的编解码器的列表,并且用户简档(对于设备上的用户)可以包含用户首选的编解码器。因此,相同的数据(可用编解码器)存在于两个配置文件中。然而,数据定义可以指示,为了有效地工作,选择用于通信的任何编解码器需要存在于两个简档中。

5.3.4. Profile Data Frameworks
5.3.4. 概要数据框架

The framework specified in this document does not address profile data representation, storage, or retrieval protocols. It assumes that the PDS has a PCC based on existing or other Profile Data Frameworks.

本文档中指定的框架不涉及配置文件数据表示、存储或检索协议。它假设PDS具有基于现有或其他概要文件数据框架的PCC。

While this framework does not impose specific constraints on any such framework, it does allow for the propagation of profile content to the PDS (specifically the PCC). Thus, Profile Data Frameworks or retrieval frameworks used in conjunction with this framework MAY consider techniques for propagating incremental, atomic changes to the PDS. One means for propagating changes to a PDS is XML Configuration Access Protocol (XCAP) ([RFC4825]).

虽然此框架没有对任何此类框架施加特定约束,但它允许将配置文件内容传播到PDS(特别是PCC)。因此,与该框架结合使用的配置文件数据框架或检索框架可以考虑用于向PDS传播增量原子变更的技术。将更改传播到PDS的一种方法是XML配置访问协议(XCAP)([RFC4825])。

5.3.5. Additional Profile Types
5.3.5. 其他纵断面类型

This document specifies three profile types: local-network, device, and user. However, there may be use cases for additional profile types. e.g., profile types for application specific profile data or to provide enterprise-specific policies. Definition of such additional profile types is not prohibited, but considered out of scope for this document. Such profile definitions MUST specify the order of retrieval with respect to all the other profiles such as the local-network, device, and user profile types defined in this document.

本文档指定了三种配置文件类型:本地网络、设备和用户。但是,可能存在其他配置文件类型的用例。e、 例如,配置文件类型用于特定于应用程序的配置文件数据或提供特定于企业的策略。此类附加配置文件类型的定义不受禁止,但被认为超出了本文件的范围。此类配置文件定义必须指定与所有其他配置文件(如本文档中定义的本地网络、设备和用户配置文件类型)相关的检索顺序。

5.3.6. Deployment Considerations
5.3.6. 部署注意事项

The framework defined in this document was designed to address various deployment considerations, some of which are highlighted below.

本文件中定义的框架旨在解决各种部署注意事项,其中一些在下文中重点介绍。

Provider relationships:

提供商关系:

o The local network provider and the SIP service provider can often be different entities, with no administrative or business relationship with each other.

o 本地网络提供商和SIP服务提供商通常可以是不同的实体,彼此之间没有管理或业务关系。

o There may be multiple SIP service providers involved, one for each service to which a user subscribes (telephony service, instant messaging, etc.); this framework does not specify explicit behavior in such a scenario, but it does not prohibit its usage either.

o 可能涉及多个SIP服务提供商,用户订阅的每个服务(电话服务、即时消息等)一个;该框架在这种场景中没有指定显式行为,但也不禁止使用它。

o Each user accessing services via the same device may subscribe to different sets of services, from different service providers.

o 通过同一设备访问服务的每个用户可以从不同的服务提供商订阅不同的服务集。

User-device relationship:

用户设备关系:

o The relationship between devices and users can be many-to-many (e.g., a particular device may allow for many users to obtain subscription services through it, and individual users may have access to multiple devices).

o 设备和用户之间的关系可以是多对多(例如,特定设备可能允许许多用户通过它获得订阅服务,并且单个用户可以访问多个设备)。

o Each user may have different preferences for use of services, and presentation of those services in the device user interface.

o 每个用户可能对服务的使用以及在设备用户界面中对这些服务的表示有不同的偏好。

o Each user may have different personal information applicable to use of the device, either as related to particular services, or independent of them.

o 每个用户可以具有适用于设备使用的不同个人信息,或者与特定服务相关,或者独立于特定服务。

5.4. Support for NATs
5.4. 支持NATs

PDSs that support devices behind NATs, and devices that can be behind NATs can use procedures specified in [RFC5626]. The Outbound proxies can be configured or discovered. Clients that support such behavior MUST include the 'outbound' option-tag in a Supported header field value, and add the "ob" parameter, as specified in [RFC5626], within the SIP SUBSCRIBE for profile enrollment.

支持NAT后面的设备的PDS和可以支持NAT的设备可以使用[RFC5626]中指定的过程。可以配置或查找出站代理。支持此类行为的客户端必须在支持的标头字段值中包含“outbound”选项标记,并在SIP SUBSCRIBE for profile注册中添加[RFC5626]中指定的“ob”参数。

6. Event Package Definition
6. 事件包定义

The framework specified in this document proposes and specifies a new SIP event package, as allowed by [RFC3265]. The purpose is to allow for devices to subscribe to specific profile types with PDSs and for the PDSs to notify the devices with the profile data or content indirection information.

本文档中指定的框架提出并指定了[RFC3265]允许的新SIP事件包。目的是允许设备使用pds订阅特定的配置文件类型,并允许pds使用配置文件数据或内容间接信息通知设备。

The requirements specified in [RFC3265] apply to this package. The following subsections specify the event package description and the associated requirements. The framework requirements are defined in Section 5.

[RFC3265]中规定的要求适用于本包。以下小节规定了事件包说明和相关要求。第5节定义了框架要求。

6.1. Event Package Name
6.1. 事件包名称

The name of this package is "ua-profile". This value appears in the Event header field present in SUBSCRIBE and NOTIFY requests for this package, as defined in [RFC3265].

此包的名称为“ua配置文件”。此值出现在[RFC3265]中定义的此包的订阅和通知请求中的事件标头字段中。

6.2. Event Package Parameters
6.2. 事件包参数

This package defines the following new parameters for the event header:

此包为事件头定义以下新参数:

"profile-type", "vendor", "model", "version", and "effective-by"

“配置文件类型”、“供应商”、“型号”、“版本”和“生效日期”

The following rules apply:

以下规则适用:

o All the new parameters, with the exception of the "effective-by" parameter, MUST only be used in SUBSCRIBE requests and ignored if they appear in NOTIFY requests.

o 除“生效日期”参数外,所有新参数只能在订阅请求中使用,如果它们出现在NOTIFY请求中,则可以忽略。

o The "effective-by" parameter is for use in NOTIFY requests only and MUST be ignored if it appears in SUBSCRIBE requests.

o “生效日期”参数仅用于NOTIFY请求,如果它出现在SUBSCRIBE请求中,则必须忽略。

The semantics of these new parameters are specified in the following subsections.

这些新参数的语义在以下小节中指定。

6.2.1. "profile-type" Parameter
6.2.1. “配置文件类型”参数

The "profile-type" parameter is used to indicate the token name of the profile type the user agent wishes to obtain and to be notified of subsequent changes. This document defines three logical types of profiles and their token names. They are as follows:

“profile type”参数用于指示用户代理希望获得的配置文件类型的令牌名称,并在后续更改时得到通知。本文档定义了三种逻辑类型的配置文件及其标记名。详情如下:

local-network: specifying the "local-network" type profile indicates the desire for profile data, and potentially, profile change notifications specific to the local network.

本地网络:指定“本地网络”类型的配置文件表示需要配置文件数据,并且可能需要特定于本地网络的配置文件更改通知。

device: specifying the "device" type profile(s) indicates the desire for the profile data, and potentially, profile change notification that is specific to the device or user agent.

设备:指定“设备”类型的配置文件表示需要配置文件数据,并且可能需要特定于设备或用户代理的配置文件更改通知。

user: specifying the "user" type profile indicates the desire for the profile data, and potentially, profile change notification specific to the user.

用户:指定“用户”类型的配置文件表示对配置文件数据的需求,并且可能是特定于用户的配置文件更改通知。

The profile type is identified in the Event header parameter: "profile-type". A separate SUBSCRIBE dialog is used for each profile type. Thus, the subscription dialog on which a NOTIFY arrives implies which profile's data is contained in, or referred to, by the NOTIFY message body. The Accept header of the SUBSCRIBE request MUST include the MIME types for all profile content types for which the subscribing user agent wishes to retrieve profiles, or receive change notifications.

配置文件类型在事件标题参数“配置文件类型”中标识。每个配置文件类型都使用单独的“订阅”对话框。因此,NOTIFY到达的订阅对话框意味着NOTIFY消息体包含或引用了哪个配置文件的数据。订阅请求的Accept标头必须包含订阅用户代理希望检索其配置文件或接收更改通知的所有配置文件内容类型的MIME类型。

In the following syntax definition using ABNF, EQUAL and token are defined in [RFC3261]. It is to be noted that additional profile types may be defined in subsequent documents.

在以下使用ABNF的语法定义中,[RFC3261]中定义了EQUAL和token。需要注意的是,后续文件中可能会定义其他配置文件类型。

   Profile-type   = "profile-type" EQUAL profile-value
   profile-value  =  profile-types / token
   profile-types  = "device" / "user" / "local-network"
        
   Profile-type   = "profile-type" EQUAL profile-value
   profile-value  =  profile-types / token
   profile-types  = "device" / "user" / "local-network"
        

The "device", "user", or "local-network" token in the profile-type parameter may represent a class or set of profile properties. Follow-on standards defining specific profile contents may find it desirable to define additional tokens for the profile-type parameter. Also, additional content types may be defined along with the profile formats that can be used in the Accept header of the SUBSCRIBE to filter or indicate what data sets of the profile are desired.

配置文件类型参数中的“设备”、“用户”或“本地网络”令牌可以表示一类或一组配置文件属性。定义特定概要文件内容的后续标准可能会发现需要为概要文件类型参数定义其他标记。此外,还可以定义附加内容类型以及概要文件格式,这些格式可以在SUBSCRIBE to filter的Accept标头中使用,或者指示所需的概要文件数据集。

6.2.2. "vendor", "model", and "version" Parameters
6.2.2. “供应商”、“型号”和“版本”参数

The "vendor", "model", and "version" parameter values are tokens specified by the implementer of the user agent. These parameters MUST be provided in the SUBSCRIBE request for all profile types. The implementer SHOULD use their DNS domain name (e.g., example.com) as the value of the "vendor" parameter so that it is known to be unique, unless there is a good reason not to. Examples of exceptions include: if the vendor does not have an assigned DNS domain name, if they are using a different vendor's implementation, etc. These parameters are useful to the PDS to affect the profiles provided. In some scenarios, it is desirable to provide different profiles based upon these parameters. For example, feature property X in a profile may work differently on two versions of the same user agent. This gives the PDS the ability to compensate for or take advantage of the differences. In the following ABNF defining the syntax, EQUAL and quoted-string are defined in [RFC3261].

“供应商”、“模型”和“版本”参数值是由用户代理的实现者指定的令牌。这些参数必须在所有配置文件类型的订阅请求中提供。实现者应该使用他们的DNS域名(例如example.com)作为“vendor”参数的值,以便知道它是唯一的,除非有充分的理由不这样做。例外情况的示例包括:如果供应商没有指定的DNS域名,如果他们使用不同供应商的实现,等等。这些参数对PDS很有用,可以影响提供的配置文件。在某些情况下,希望根据这些参数提供不同的配置文件。例如,配置文件中的要素属性X在同一用户代理的两个版本上的工作方式可能不同。这使PDS能够补偿或利用差异。在以下定义语法的ABNF中,[RFC3261]中定义了等号和带引号的字符串。

Vendor = "vendor" EQUAL quoted-string Model = "model" EQUAL quoted-string Version = "version" EQUAL quoted-string

Vendor=“Vendor”等引号字符串Model=“Model”等引号字符串Version=“Version”等引号字符串

6.2.3. "effective-by" Parameter
6.2.3. “生效日期”参数

The "effective-by" parameter in the Event header of the NOTIFY request specifies the maximum number of seconds before the user agent MUST attempt to make the new profile effective. The "effective-by" parameter MAY be provided in the NOTIFY request for any of the profile types. A value of 0 (zero) indicates that the subscribing user agent MUST attempt to make the profiles effective immediately (despite possible service interruptions). This gives the PDS the power to control when the profile is effective. This may be important to resolve an emergency problem or disable a user agent immediately. If it is absent, the device SHOULD attempt to make the profile data effective at the earliest possible opportunity that does not disrupt any services being offered. The "effective-by" parameter is ignored in all messages other than the NOTIFY request. In the following ABNF, EQUAL and DIGIT are defined in [RFC3261].

NOTIFY请求的事件标头中的“生效时间”参数指定用户代理必须尝试使新配置文件生效前的最长秒数。“生效日期”参数可在任何配置文件类型的通知请求中提供。值为0(零)表示订阅用户代理必须尝试使配置文件立即生效(尽管可能存在服务中断)。这使PDS能够控制配置文件何时有效。这对于解决紧急问题或立即禁用用户代理可能很重要。如果没有配置文件,设备应尽可能早地尝试使配置文件数据生效,而不会中断所提供的任何服务。在除NOTIFY请求之外的所有消息中,忽略“生效日期”参数。在以下ABNF中,[RFC3261]中定义了相等和数字。

Effective-By = "effective-by" EQUAL 1*DIGIT

生效日期=“生效日期”等于1*位

6.2.4. Summary of Event Parameters
6.2.4. 事件参数摘要

The following are example Event headers that may occur in SUBSCRIBE requests. These examples are not intended to be complete SUBSCRIBE requests.

以下是订阅请求中可能出现的事件头示例。这些示例并不打算成为完整的订阅请求。

   Event: ua-profile;profile-type=device;
          vendor="vendor.example.com";model="Z100";version="1.2.3"
        
   Event: ua-profile;profile-type=device;
          vendor="vendor.example.com";model="Z100";version="1.2.3"
        
   Event: ua-profile;profile-type=user;
          vendor="premier.example.com";model="trs8000";version="5.5"
        
   Event: ua-profile;profile-type=user;
          vendor="premier.example.com";model="trs8000";version="5.5"
        

The following are example Event headers that may occur in NOTIFY requests. These example headers are not intended to be complete SUBSCRIBE requests.

以下是NOTIFY请求中可能出现的事件头示例。这些示例头并不打算成为完整的订阅请求。

   Event: ua-profile;effective-by=0
        
   Event: ua-profile;effective-by=0
        
   Event: ua-profile;effective-by=3600
        
   Event: ua-profile;effective-by=3600
        

The following table shows the use of Event header parameters in SUBSCRIBE requests for the three profile types:

下表显示了在三种配置文件类型的订阅请求中使用事件头参数的情况:

   profile-type || device | user | local-network
   =============================================
   vendor       ||   m    |  m   |        m
   model        ||   m    |  m   |        m
   version      ||   m    |  m   |        m
   effective-by ||        |      |
        
   profile-type || device | user | local-network
   =============================================
   vendor       ||   m    |  m   |        m
   model        ||   m    |  m   |        m
   version      ||   m    |  m   |        m
   effective-by ||        |      |
        

m - MUST be provided s - SHOULD be provided o - OPTIONAL to be provided

m-必须提供s-应提供o-可选提供

Non-specified means that the parameter has no meaning and should be ignored.

未指定表示该参数没有意义,应忽略。

The following table shows the use of Event header parameters in NOTIFY requests for the three profile types:

下表显示了在三种配置文件类型的NOTIFY请求中使用事件头参数的情况:

   profile-type || device | user | local-network
   =============================================
   vendor       ||        |      |
   model        ||        |      |
   version      ||        |      |
   effective-by ||   o    |  o   |        o
        
   profile-type || device | user | local-network
   =============================================
   vendor       ||        |      |
   model        ||        |      |
   version      ||        |      |
   effective-by ||   o    |  o   |        o
        
6.3. SUBSCRIBE Bodies
6.3. 订阅机构

This package defines no use of the SUBSCRIBE request body. If present, it SHOULD be ignored. Exceptions include future enhancements to the framework that may specify a use for the SUBSCRIBE request body.

此包定义不使用SUBSCRIBE请求主体。如果存在,则应忽略它。例外情况包括未来对框架的增强,这些增强可能会指定订阅请求主体的用途。

6.4. Subscription Duration
6.4. 订阅期限

The duration of a subscription is specific to SIP deployments, and no specific recommendation is made by this event package. If absent, a value of 86400 seconds (24 hours; 1 day) is RECOMMENDED since the presence (or absence) of a device subscription is not time critical to the regular functioning of the PDS.

订阅的持续时间特定于SIP部署,此事件包不提供任何特定建议。如果没有,建议使用86400秒(24小时;1天)的值,因为设备订阅的存在(或不存在)对PDS的正常运行不是时间关键。

It is to be noted that a one-time fetch of a profile, without ongoing subscription, can be accomplished by setting the 'Expires' parameter to a value of Zero, as specified in [RFC3265].

需要注意的是,如[RFC3265]中所述,通过将“Expires”参数的值设置为零,可以在不进行订阅的情况下一次性获取配置文件。

6.5. NOTIFY Bodies
6.5. 通知机构

The framework specifying the event package allows for the NOTIFY body to contain the profile data, or a pointer to the profile data using content indirection. For profile data delivered via content indirection, i.e., a pointer to a PCC, then the Content-ID MIME header, as described in [RFC4483], MUST be used for each profile document URI. At a minimum, the "http:" [RFC2616] and "https:" [RFC2818] URI schemes MUST be supported; other URI schemes MAY be supported based on the Profile Data Frameworks (examples include FTP [RFC0959], Lightweight Directory Access Protocol (LDAP) [RFC4510], and XCAP [RFC4825] ).

指定事件包的框架允许NOTIFY body包含概要文件数据,或使用内容间接指向概要文件数据的指针。对于通过内容间接寻址(即指向PCC的指针)交付的配置文件数据,则必须对每个配置文件文档URI使用[RFC4483]中所述的内容ID MIME头。至少,必须支持“http:[RFC2616]和“https:[RFC2818]URI方案;基于概要文件数据框架可以支持其他URI方案(示例包括FTP[RFC0959]、轻型目录访问协议(LDAP)[RFC4510]和XCAP[RFC4825])。

A non-empty NOTIFY body MUST include a MIME type specified in the Accept header of the SUBSCRIBE. Further, if the Accept header of the SUBSCRIBE included the MIME type message/external-body (indicating support for content indirection) then the PDS MAY use content indirection in the NOTIFY body for providing the profiles.

非空的通知正文必须包含在订阅的Accept标头中指定的MIME类型。此外,如果订阅的Accept报头包括MIME类型消息/外部主体(指示对内容间接寻址的支持),则PDS可以使用NOTIFY主体中的内容间接寻址来提供概要文件。

6.6. Notifier Processing of SUBSCRIBE Requests
6.6. 订阅请求的通知程序处理

A successful SUBSCRIBE request results in a NOTIFY with either profile contents or a pointer to it (via content indirection). The SUBSCRIBE SHOULD be either authenticated or transmitted over an integrity protected SIP communications channel. Exceptions include cases where the identity of the Subscriber is unknown and the Notifier is configured to accept such requests.

成功的订阅请求将生成一个带有概要文件内容或指向它的指针(通过内容间接寻址)的通知。订阅应通过身份验证或通过完整性保护的SIP通信信道传输。例外情况包括订户身份未知且通知程序配置为接受此类请求的情况。

The Notifier MAY also authenticate SUBSCRIBE messages even if the NOTIFY is expected to only contain a pointer to profile data. Securing data sent via content indirection is covered in Section 9.

通知程序还可以对订阅消息进行身份验证,即使通知仅包含指向配置文件数据的指针。第9节介绍了如何保护通过内容间接寻址发送的数据。

If the profile type indicated in the "profile-type" Event header parameter is unavailable or the Notifier is configured not to provide it, the Notifier SHOULD return a 404 response to the SUBSCRIBE

如果“profile type”事件头参数中指示的配置文件类型不可用,或者通知程序配置为不提供,则通知程序应向订阅服务器返回404响应

request. If the specific user or device is unknown, the Notifier MAY accept the subscription, or else it may reject the subscription (with a 403 response).

要求如果特定用户或设备未知,通知程序可以接受订阅,或者拒绝订阅(403响应)。

6.7. Notifier Generation of NOTIFY Requests
6.7. 通知程序生成通知请求

As specified in [RFC3265], the Notifier MUST always send a NOTIFY request upon accepting a subscription. If the device or user is unknown and the Notifier chooses to accept the subscription, the Notifier MAY either respond with profile data (e.g., default profile data) or provide no profile information (i.e., empty NOTIFY).

如[RFC3265]中所述,通知程序在接受订阅时必须始终发送通知请求。如果设备或用户未知且通知者选择接受订阅,则通知者可以使用配置文件数据(例如,默认配置文件数据)响应,或者不提供配置文件信息(例如,空通知)。

If the identity indicated in the SUBSCRIBE request (From header) is a known identity and the requested profile information is available (i.e., as specified in the "profile-type" parameter of the Event header), the Notifier SHOULD send a NOTIFY with profile data. Profile data MAY be sent as profile contents or via content indirection (if the content indirection MIME type was included in the Accept header). The Notifier MUST NOT use any scheme that was not indicated in the "schemes" Contact header field.

如果订阅请求(来自报头)中指示的标识是已知标识,且请求的配置文件信息可用(即,如事件报头的“配置文件类型”参数中所指定),则通知程序应发送带有配置文件数据的通知。配置文件数据可以作为配置文件内容发送,也可以通过内容间接发送(如果内容间接MIME类型包含在Accept标头中)。通知程序不得使用“方案”联系人标题字段中未指明的任何方案。

The Notifier MAY specify when the new profiles must be made effective by the Subscriber by specifying a maximum time in seconds (zero or more) in the "effective-by" Event header parameter.

通知程序可以通过在“生效时间”事件头参数中指定以秒为单位的最长时间(零或更多)来指定订阅者必须使新配置文件生效的时间。

If the SUBSCRIBE was received over an integrity protected SIP communications channel, the Notifier SHOULD send the NOTIFY over the same channel.

如果订阅是通过完整性保护的SIP通信通道接收的,则通知程序应通过同一通道发送通知。

6.8. Subscriber Processing of NOTIFY Requests
6.8. 订户处理通知请求

A Subscriber to this event package MUST adhere to the NOTIFY request processing behavior specified in [RFC3265]. If the Notifier indicated an effective time (using the "effective-by" Event header parameter), the Subscriber SHOULD attempt to make the profiles effective within the specified time. Exceptions include deployments that prohibit such behavior in certain cases (e.g., emergency sessions are in progress). When profile data cannot be applied within the recommended time frame and this affects device behavior, any actions to be taken SHOULD be defined by the profile data definitions. By default, the Subscriber is RECOMMENDED to make the profiles effective as soon as possible.

此事件包的订阅服务器必须遵守[RFC3265]中指定的通知请求处理行为。如果通知程序指示了有效时间(使用“生效日期”事件标头参数),则订阅者应尝试在指定时间内使配置文件生效。例外情况包括在某些情况下禁止此类行为的部署(例如,正在进行紧急会话)。如果无法在建议的时间范围内应用配置文件数据,并且这会影响设备行为,则应通过配置文件数据定义来定义要采取的任何操作。默认情况下,建议订户尽快使配置文件生效。

When accepting content indirection, the Subscriber MUST always support "http:" or "https:" and be prepared to accept NOTIFY messages with those URI schemes. If the Subscriber wishes to support alternative URI schemes they MUST each be indicated in the "schemes" Contact header field parameter as defined in [RFC4483]. The

在接受内容间接寻址时,订阅者必须始终支持“http:”或“https:”,并准备接受具有这些URI方案的通知消息。如果订户希望支持备选URI方案,则必须在[RFC4483]中定义的“schemes”Contact header字段参数中分别指明。这个

Subscriber MUST also be prepared to receive a NOTIFY request with no body. The subscriber MUST NOT reject the NOTIFY request with no body. The subscription dialog MUST NOT be terminated by a empty NOTIFY, i.e., with no body.

订阅者还必须准备好接收无正文的通知请求。订阅者不得在没有正文的情况下拒绝NOTIFY请求。订阅对话框不能由空通知终止,即没有正文。

6.9. Handling of Forked Requests
6.9. 分叉请求的处理

This event package allows the creation of only one dialog as a result of an initial SUBSCRIBE request as described in Section 4.4.9 of [RFC3265]. It does not support the creation of multiple subscriptions using forked SUBSCRIBE requests.

根据[RFC3265]第4.4.9节所述的初始订阅请求,此事件包仅允许创建一个对话框。它不支持使用分叉订阅请求创建多个订阅。

6.10. Rate of Notifications
6.10. 通知率

The rate of notifications for the profiles in this framework is deployment specific, but expected to be infrequent. Hence, the event package specification does not specify a throttling or minimum period between NOTIFY requests.

此框架中配置文件的通知率是特定于部署的,但预计不会频繁。因此,事件包规范没有指定NOTIFY请求之间的限制或最短周期。

6.11. State Agents
6.11. 国家代理人

State agents are not applicable to this event package.

状态代理不适用于此事件包。

7. Examples
7. 例子

This section provides examples along with sample SIP message bodies relevant to this framework. Both the examples are derived from the use case illustrated in Section 4.1, specifically the request for the device profile. The examples are informative only.

本节提供了示例以及与此框架相关的示例SIP消息体。这两个示例都源自第4.1节中所示的用例,特别是对设备配置文件的请求。这些例子仅供参考。

7.1. Example 1: Device Requesting Profile
7.1. 示例1:设备请求配置文件

This example illustrates the detailed message flows between the device and the SIP service provider's network for requesting and retrieving the profile (the flow uses the device profile as an example).

此示例说明了设备和SIP服务提供商的网络之间用于请求和检索配置文件的详细消息流(该流使用设备配置文件作为示例)。

The following are assumed for this example:

本例假设如下:

o Device is assumed to have established local network connectivity; NAT and firewall considerations are assumed to have been addressed by the SIP service provider.

o 假设设备已建立本地网络连接;假定NAT和防火墙问题已由SIP服务提供商解决。

o Examples are snapshots only and do not illustrate all the interactions between the device and the service provider's network (and none between the entities in the SIP service provider's network).

o 示例仅为快照,并未说明设备与服务提供商网络之间的所有交互(SIP服务提供商网络中的实体之间没有交互)。

o All SIP communication with the SIP service provider happens via a SIP proxy.

o 与SIP服务提供商的所有SIP通信都通过SIP代理进行。

o HTTP over TLS is assumed to be the Content Retrieval method used (any suitable alternative can be used as well).

o 假定HTTP over TLS是所使用的内容检索方法(也可以使用任何合适的替代方法)。

The flow diagram and an explanation of the messages follow.

下面是流程图和消息说明。

                                      +----------------------+
    +--------+                        | SIP Service Provider |
    | Device |                        |                      |
    |(SIP UA)|                        |  SIP     PDS   HTTP  |
    +--------+                        | PROXY         Server |
                                      |                      |
                                      +----------------------+
         |                                |       |      |
         |                                |       |      |
         |          SUBSCRIBE             |       |      |
   (SReq)|--------device profile--------->|       |      |
         |                                |------>|      |
         |                                |200 OK |      |
         |            200 OK              |<------|      |
   (SRes)|<-------------------------------|       |      |
         |                                |       |      |
         |                                | NOTIFY|      |
         |    NOTIFY (Content Indirection)|<------|      |
   (NTFY)|<-------------------------------|       |      |
         |            200 OK              |       |      |
   (NRes)|------------------------------->|200 OK |      |
         |                                |------>|      |
         |                                               |
         |                                               |
         |                                               |
         |<<<<<<<<<<<<<  TLS establishment  >>>>>>>>>>>>>|
         |                                               |
         |                HTTP Request                   |
   (XReq)|---------------------------------------------->|
         |                                               |
         |                HTTP Response                  |
   (XRes)|<----------------------------------------------|
         |                                               |
        
                                      +----------------------+
    +--------+                        | SIP Service Provider |
    | Device |                        |                      |
    |(SIP UA)|                        |  SIP     PDS   HTTP  |
    +--------+                        | PROXY         Server |
                                      |                      |
                                      +----------------------+
         |                                |       |      |
         |                                |       |      |
         |          SUBSCRIBE             |       |      |
   (SReq)|--------device profile--------->|       |      |
         |                                |------>|      |
         |                                |200 OK |      |
         |            200 OK              |<------|      |
   (SRes)|<-------------------------------|       |      |
         |                                |       |      |
         |                                | NOTIFY|      |
         |    NOTIFY (Content Indirection)|<------|      |
   (NTFY)|<-------------------------------|       |      |
         |            200 OK              |       |      |
   (NRes)|------------------------------->|200 OK |      |
         |                                |------>|      |
         |                                               |
         |                                               |
         |                                               |
         |<<<<<<<<<<<<<  TLS establishment  >>>>>>>>>>>>>|
         |                                               |
         |                HTTP Request                   |
   (XReq)|---------------------------------------------->|
         |                                               |
         |                HTTP Response                  |
   (XRes)|<----------------------------------------------|
         |                                               |
        

(SReq) the device transmits a request for the 'device' profile using the SIP SUBSCRIBE utilizing the event package specified in this framework.

(SReq)设备使用SIP SUBSCRIBE(使用此框架中指定的事件包)发送对“设备”配置文件的请求。

* Note: Some of the header fields (e.g., SUBSCRIBE, Event, Via) are continued on a separate line due to format constraints of this document.

* 注意:由于本文档的格式限制,一些标题字段(例如,订阅、事件、通过)在单独的行上继续。

   SUBSCRIBE sip:urn%3auuid%3a00000000-0000-1000-0000-00FF8D82EDCB
             @example.com  SIP/2.0
   Event: ua-profile;profile-type=device;vendor="vendor.example.net";
          model="Z100";version="1.2.3"
   From: anonymous@example.com;tag=1234
   To: sip:urn%3auuid%3a00000000-0000-1000-0000-00FF8D82EDCB@example.com
   Call-ID: 3573853342923422@192.0.2.44
   CSeq: 2131 SUBSCRIBE
   Contact: sip:urn%3auuid%3a00000000-0000-1000-0000-00FF8D82EDCB
      @192.168.1.44
      ;+sip.instance="<urn:uuid:00000000-0000-0000-0000-123456789AB0>"
      ;schemes="http,https"
   Via: SIP/2.0/TCP 192.0.2.41;
     branch=z9hG4bK6d6d35b6e2a203104d97211a3d18f57a
   Accept: message/external-body, application/x-z100-device-profile
   Content-Length: 0
        
   SUBSCRIBE sip:urn%3auuid%3a00000000-0000-1000-0000-00FF8D82EDCB
             @example.com  SIP/2.0
   Event: ua-profile;profile-type=device;vendor="vendor.example.net";
          model="Z100";version="1.2.3"
   From: anonymous@example.com;tag=1234
   To: sip:urn%3auuid%3a00000000-0000-1000-0000-00FF8D82EDCB@example.com
   Call-ID: 3573853342923422@192.0.2.44
   CSeq: 2131 SUBSCRIBE
   Contact: sip:urn%3auuid%3a00000000-0000-1000-0000-00FF8D82EDCB
      @192.168.1.44
      ;+sip.instance="<urn:uuid:00000000-0000-0000-0000-123456789AB0>"
      ;schemes="http,https"
   Via: SIP/2.0/TCP 192.0.2.41;
     branch=z9hG4bK6d6d35b6e2a203104d97211a3d18f57a
   Accept: message/external-body, application/x-z100-device-profile
   Content-Length: 0
        

(SRes) the SUBSCRIBE request is received by a SIP proxy in the service provider's network, which transmits it to the PDS. The PDS accepts the response and responds with a 200 OK.

(SRes)订阅请求由服务提供商网络中的SIP代理接收,并将其传输到PDS。PDS接受响应并以200 OK响应。

* Note: The device and the SIP proxy may have established a secure communications channel (e.g., TLS).

* 注意:设备和SIP代理可能已经建立了安全通信信道(例如,TLS)。

(NTFY) subsequently, the PDS transmits a SIP NOTIFY message indicating the profile location.

(NTFY)随后,PDS发送指示概要文件位置的SIP NOTIFY消息。

* Note: Some of the fields (e.g., content-type) are continued on a separate line due to format constraints of this document.

* 注意:由于本文档的格式限制,某些字段(例如,内容类型)在单独的行上继续。

 NOTIFY sip:urn%3auuid%3a00000000-0000-1000-0000-00FF8D82EDCB
        @192.168.1.44 SIP/2.0
 Event: ua-profile;effective-by=3600
 From: sip:urn%3auuid%3a00000000-0000-1000-0000-00FF8D82EDCB@example.com
       ;tag=abca
 To: sip:urn%3auuid%3a00000000-0000-1000-0000-00FF8D82EDCB@example.com
     ;tag=1234
 Call-ID: 3573853342923422@192.0.2.44
 CSeq: 322 NOTIFY
 Via: SIP/2.0/UDP 192.0.2.3;
   branch=z9hG4bK1e3effada91dc37fd5a0c95cbf6767d0
 MIME-Version: 1.0
 Content-Type: message/external-body; access-type="URL";
               expiration="Mon, 01 Jan 2010 09:00:00 UTC";
               URL="http://example.com/z100-000000000000.html";
               size=9999;
               hash=10AB568E91245681AC1B
        
 NOTIFY sip:urn%3auuid%3a00000000-0000-1000-0000-00FF8D82EDCB
        @192.168.1.44 SIP/2.0
 Event: ua-profile;effective-by=3600
 From: sip:urn%3auuid%3a00000000-0000-1000-0000-00FF8D82EDCB@example.com
       ;tag=abca
 To: sip:urn%3auuid%3a00000000-0000-1000-0000-00FF8D82EDCB@example.com
     ;tag=1234
 Call-ID: 3573853342923422@192.0.2.44
 CSeq: 322 NOTIFY
 Via: SIP/2.0/UDP 192.0.2.3;
   branch=z9hG4bK1e3effada91dc37fd5a0c95cbf6767d0
 MIME-Version: 1.0
 Content-Type: message/external-body; access-type="URL";
               expiration="Mon, 01 Jan 2010 09:00:00 UTC";
               URL="http://example.com/z100-000000000000.html";
               size=9999;
               hash=10AB568E91245681AC1B
        

Content-Type: application/x-z100-device-profile Content-ID: <39EHF78SA@example.com> . . .

内容类型:应用程序/x-z100-device-profile内容ID:<39EHF78SA@example.com> . . .

(NRes) Device accepts the NOTIFY message and responds with a 200 OK.

(NRes)设备接受NOTIFY消息并以200 OK响应。

(XReq) once the necessary secure communications channel is established, the device sends an HTTP request to the HTTP server indicated in the NOTIFY.

(XReq)一旦建立了必要的安全通信通道,设备将向通知中指示的HTTP服务器发送HTTP请求。

(XRes) the HTTP server responds to the request via a HTTP response containing the profile contents.

(XRes)HTTP服务器通过包含概要文件内容的HTTP响应响应请求。

7.2. Example 2: Device Obtaining Change Notification
7.2. 示例2:获取更改通知的设备

The following example illustrates the case where a user (X) is simultaneously accessing services via two different devices (e.g., multimedia entities on a PC and PDA) and has access to a user interface that allows for changes to the user profile.

下面的示例说明了用户(X)通过两个不同的设备(例如,PC和PDA上的多媒体实体)同时访问服务并且可以访问允许更改用户简档的用户界面的情况。

The following are assumed for this example:

本例假设如下:

o The devices (A & B) obtain the necessary profiles from the same SIP service provider.

o 设备(A&B)从同一SIP服务提供商处获得必要的配置文件。

o The SIP service provider also provides a user interface that allows the user to change preferences that impact the user profile.

o SIP服务提供商还提供一个用户界面,允许用户更改影响用户配置文件的首选项。

The flow diagram and an explanation of the messages follow.

下面是流程图和消息说明。

o Note: The example only shows retrieval of user X's profile, but it may request and retrieve other profiles (e.g., local-network, device).

o 注意:该示例仅显示检索用户X的配置文件,但它可能会请求并检索其他配置文件(例如,本地网络、设备)。

               -----           -----
              |User |_________| UI* | * = User Interface
              |  X  |         |     |
               -----           -----
             /       \
            /         \
           /           \              +----------------------+
    +--------+      +--------+        | SIP Service Provider |
    | Device |      | Device |        |                      |
    |    A   |      |    B   |        |  SIP     PDS   HTTP  |
    +--------+      +--------+        | PROXY         Server |
                                      +----------------------+
         |                                |       |      |
         |                                |       |      |
   (A-EX)|<=Enrolls for User X's profile=>|<=====>|      |
         |                                |       |      |
         |                                               |
   (A-RX)|<===Retrieves User X's profile================>|
         |                                               |
         |               |                |       |      |
         |               |  Enrolls for   |       |      |
         |         (B-EX)|<== User X's ==>|<=====>|      |
         |               |    profile     |       |      |
         |               |                |       |      |
         |               |                               |
         |         (B-RX)|<= Retrieves User X's profile=>|
         |                                               |
         |                       |                       |
         |                 (HPut)|---------------------->|
         |                       |                       |
         |                 (HRes)|<----------------------|
         |                                               |
         |                                |       |      |
         |                                | NOTIFY|      |
         |            NOTIFY              |<------|      |
   (A-NT)|<-------------------------------|       |      |
         |            200 OK              |       |      |
   (A-RS)|------------------------------->|200 OK |      |
         |                                |------>|      |
        
               -----           -----
              |User |_________| UI* | * = User Interface
              |  X  |         |     |
               -----           -----
             /       \
            /         \
           /           \              +----------------------+
    +--------+      +--------+        | SIP Service Provider |
    | Device |      | Device |        |                      |
    |    A   |      |    B   |        |  SIP     PDS   HTTP  |
    +--------+      +--------+        | PROXY         Server |
                                      +----------------------+
         |                                |       |      |
         |                                |       |      |
   (A-EX)|<=Enrolls for User X's profile=>|<=====>|      |
         |                                |       |      |
         |                                               |
   (A-RX)|<===Retrieves User X's profile================>|
         |                                               |
         |               |                |       |      |
         |               |  Enrolls for   |       |      |
         |         (B-EX)|<== User X's ==>|<=====>|      |
         |               |    profile     |       |      |
         |               |                |       |      |
         |               |                               |
         |         (B-RX)|<= Retrieves User X's profile=>|
         |                                               |
         |                       |                       |
         |                 (HPut)|---------------------->|
         |                       |                       |
         |                 (HRes)|<----------------------|
         |                                               |
         |                                |       |      |
         |                                | NOTIFY|      |
         |            NOTIFY              |<------|      |
   (A-NT)|<-------------------------------|       |      |
         |            200 OK              |       |      |
   (A-RS)|------------------------------->|200 OK |      |
         |                                |------>|      |
        
         |                                               |
         |               |                | NOTIFY|      |
         |               |    NOTIFY      |<------|      |
         |         (B-NT)|<---------------|       |      |
         |               |    200 OK      |       |      |
         |         (B-RS)|--------------->|200 OK |      |
         |               |                |------>|      |
         |                                               |
         |                                               |
   (A-RX)|<===Retrieves User X's profile================>|
         |                                               |
         |               |                               |
         |               |                               |
         |         (B-RX)|<= Retrieves User X's profile=>|
         |               |                               |
        
         |                                               |
         |               |                | NOTIFY|      |
         |               |    NOTIFY      |<------|      |
         |         (B-NT)|<---------------|       |      |
         |               |    200 OK      |       |      |
         |         (B-RS)|--------------->|200 OK |      |
         |               |                |------>|      |
         |                                               |
         |                                               |
   (A-RX)|<===Retrieves User X's profile================>|
         |                                               |
         |               |                               |
         |               |                               |
         |         (B-RX)|<= Retrieves User X's profile=>|
         |               |                               |
        

(A-EX) Device A discovers, enrolls, and obtains notification related to user X's profile.

(A-EX)设备A发现、注册并获取与用户X的配置文件相关的通知。

(A-RX) Device A retrieves user X's profile.

(A-RX)设备A检索用户X的配置文件。

(B-EX) Device B discovers, enrolls, and obtains notification related to user X's profile.

(B-EX)设备B发现、注册并获取与用户X的配置文件相关的通知。

(B-RX) Device B retrieves user X's profile.

(B-RX)设备B检索用户X的配置文件。

(HPut) Changes affected by the user via the user interface are uploaded to the HTTP server.

(HPut)通过用户界面受用户影响的更改将上载到HTTP服务器。

* Note: The Unique Identifier (UI) itself can act as a device and subscribe to user X's profile. This is not the case in the example shown.

* 注意:唯一标识符(UI)本身可以充当设备并订阅用户X的配置文件。所示示例中的情况并非如此。

(HRes) Changes are accepted by the HTTP server.

HTTP服务器接受(HRes)更改。

(A-NT) PDS transmits a NOTIFY message to device A indicating the changed profile. A sample message is shown below:

(A-NT)PDS向设备A发送通知消息,指示已更改的配置文件。示例消息如下所示:

* Note: Some of the fields (e.g., Via) are continued on a separate line due to format constraints of this document.

* 注:由于本文件的格式限制,部分字段(如Via)在单独一行上继续。

   NOTIFY sip:userX@192.0.2.44 SIP/2.0
   Event: ua-profile;effective-by=3600
   From: sip:userX@sip.example.net;tag=abcd
   To: sip:userX@sip.example.net.net;tag=1234
   Call-ID: 3573853342923422@192.0.2.44
   CSeq: 322 NOTIFY
   Via: SIP/2.0/UDP 192.0.2.3;
     branch=z9hG4bK1e3effada91dc37fd5a0c95cbf6767d1
   MIME-Version: 1.0
   Content-Type: message/external-body; access-type="URL";
                 expiration="Mon, 01 Jan 2010 09:00:00 UTC";
                 URL="http://www.example.com/user-x-profile.html";
                 size=9999;
                 hash=123456789AAABBBCCCDD
   .
   .
   .
        
   NOTIFY sip:userX@192.0.2.44 SIP/2.0
   Event: ua-profile;effective-by=3600
   From: sip:userX@sip.example.net;tag=abcd
   To: sip:userX@sip.example.net.net;tag=1234
   Call-ID: 3573853342923422@192.0.2.44
   CSeq: 322 NOTIFY
   Via: SIP/2.0/UDP 192.0.2.3;
     branch=z9hG4bK1e3effada91dc37fd5a0c95cbf6767d1
   MIME-Version: 1.0
   Content-Type: message/external-body; access-type="URL";
                 expiration="Mon, 01 Jan 2010 09:00:00 UTC";
                 URL="http://www.example.com/user-x-profile.html";
                 size=9999;
                 hash=123456789AAABBBCCCDD
   .
   .
   .
        

(A-RS) Device A accepts the NOTIFY and sends a 200 OK.

(A-RS)设备A接受通知并发送200 OK。

(B-NT) PDS transmits a NOTIFY message to device B indicating the changed profile. A sample message is shown below:

(B-NT)PDS向设备B发送通知消息,指示已更改的配置文件。示例消息如下所示:

* Note: Some of the fields (e.g., Via) are continued on a separate line due to format constraints of this document.

* 注:由于本文件的格式限制,部分字段(如Via)在单独一行上继续。

   NOTIFY sip:userX@192.0.2.43 SIP/2.0
   Event: ua-profile;effective-by=3600
   From: sip:userX@sip.example.net;tag=abce
   To: sip:userX@sip.example.net.net;tag=1234
   Call-ID: 3573853342923422@192.0.2.43
   CSeq: 322 NOTIFY
   Via: SIP/2.0/UDP 192.0.2.3;
     branch=z9hG4bK1e3effada91dc37fd5a0c95cbf6767d2
   MIME-Version: 1.0
   Content-Type: message/external-body; access-type="URL";
                 expiration="Mon, 01 Jan 2010 09:00:00 UTC";
                 URL="http://www.example.com/user-x-profile.html";
                 size=9999;
                 hash=123456789AAABBBCCCDD
   .
   .
   .
        
   NOTIFY sip:userX@192.0.2.43 SIP/2.0
   Event: ua-profile;effective-by=3600
   From: sip:userX@sip.example.net;tag=abce
   To: sip:userX@sip.example.net.net;tag=1234
   Call-ID: 3573853342923422@192.0.2.43
   CSeq: 322 NOTIFY
   Via: SIP/2.0/UDP 192.0.2.3;
     branch=z9hG4bK1e3effada91dc37fd5a0c95cbf6767d2
   MIME-Version: 1.0
   Content-Type: message/external-body; access-type="URL";
                 expiration="Mon, 01 Jan 2010 09:00:00 UTC";
                 URL="http://www.example.com/user-x-profile.html";
                 size=9999;
                 hash=123456789AAABBBCCCDD
   .
   .
   .
        

(B-RS) Device B accepts the NOTIFY and sends a 200 OK.

(B-RS)设备B接受通知并发送200 OK。

(A-RX) Device A retrieves the updated profile pertaining to user X.

(A-RX)设备A检索与用户X有关的更新的配置文件。

(B-RX) Device B retrieves the updated profile pertaining to user X.

(B-RX)设备B检索与用户X有关的更新的配置文件。

8. IANA Considerations
8. IANA考虑

IANA has registered a SIP event package, event header parameters, and SIP configuration profile types as outlined in the following subsections.

IANA已注册SIP事件包、事件头参数和SIP配置文件类型,如以下小节所述。

8.1. SIP Event Package
8.1. SIP事件包

This specification registers a new event package as defined in [RFC3265]. The registration is as follows:

本规范注册了[RFC3265]中定义的新事件包。登记情况如下:

Package Name: ua-profile

软件包名称:ua配置文件

Package or Template-Package: This is a package

包或模板包:这是一个包

Published Document: RFC 6080

已出版文件:RFC 6080

   Persons to Contact:  Daniel Petrie <dan.ietf@SIPez.com>,
      Sumanth Channabasappa <sumanth@cablelabs.com>
        
   Persons to Contact:  Daniel Petrie <dan.ietf@SIPez.com>,
      Sumanth Channabasappa <sumanth@cablelabs.com>
        

New event header parameters: profile-type, vendor, model, version, effective-by (The profile-type parameter has predefined values. The new event header parameters do not.)

新事件标题参数:配置文件类型、供应商、型号、版本、生效日期(配置文件类型参数具有预定义值。新事件标题参数没有。)

The following table illustrates the additions to the IANA SIP "Header Field Parameters and Parameter Values" registry:

下表说明了IANA SIP“标题字段参数和参数值”注册表的新增内容:

                                                   Predefined
   Header Field                  Parameter Name    Values      Reference
   ----------------------------  ---------------   ----------  ---------
   Event                         profile-type      Yes         [RFC6080]
   Event                         vendor            No          [RFC6080]
   Event                         model             No          [RFC6080]
   Event                         version           No          [RFC6080]
   Event                         effective-by      No          [RFC6080]
        
                                                   Predefined
   Header Field                  Parameter Name    Values      Reference
   ----------------------------  ---------------   ----------  ---------
   Event                         profile-type      Yes         [RFC6080]
   Event                         vendor            No          [RFC6080]
   Event                         model             No          [RFC6080]
   Event                         version           No          [RFC6080]
   Event                         effective-by      No          [RFC6080]
        
8.2. Registry of SIP Configuration Profile Types
8.2. SIP配置配置文件类型的注册表

IANA has registered new SIP configuration profile types at http://www.iana.org in the "SIP Configuration Profile Types" registry.

IANA已在注册了新的SIP配置文件类型http://www.iana.org 在“SIP配置文件类型”注册表中。

The registration procedures are "Specification Required", as explained in "Guidelines for Writing an IANA Considerations Section in RFCs" ([RFC5226]).

注册程序为“规范要求”,如“RFCs中编写IANA注意事项部分的指南”([RFC5226])所述。

Registrations with the IANA MUST include the profile type, and a published document that describes its purpose and usage.

IANA注册必须包括配置文件类型,以及描述其用途和用法的已发布文档。

As this document specifies three SIP configuration profile types, the initial IANA registration contains the information shown in the table below.

由于本文档指定了三种SIP配置文件类型,初始IANA注册包含下表所示的信息。

         Profile Type                          Reference
         --------------                         ---------
         local-network                          [RFC6080]
         device                                 [RFC6080]
         user                                   [RFC6080]
        
         Profile Type                          Reference
         --------------                         ---------
         local-network                          [RFC6080]
         device                                 [RFC6080]
         user                                   [RFC6080]
        
9. Security Considerations
9. 安全考虑

The framework specified in this document specifies profile delivery stages, an event package, and three profile types to enable profile delivery. The profile delivery stages are enrollment, content retrieval, and change notification. The event package helps with enrollment and change notifications. Each profile type allows for profile retrieval from a PDS belonging to a specific provider.

本文档中指定的框架指定了概要文件交付阶段、一个事件包和三种概要文件类型,以启用概要文件交付。配置文件交付阶段包括注册、内容检索和更改通知。事件包有助于注册和更改通知。每种配置文件类型都允许从属于特定提供商的PDS检索配置文件。

Enrollment allows a device to request, and if successful, enroll with a PDS to obtain profile data. To transmit the request the device relies on configured, cached, or discovered data. Such data includes provider domain names, identities, and credentials. The device either uses configured outbound proxies or discovers the next-hop entity using [RFC3263] that can result in a SIP proxy or the PDS. It then transmits the request. A SIP proxy receiving the request uses the Request-URI and event header contents to route it to a PDS (via other SIP proxies, if required).

注册允许设备请求,如果成功,则使用PDS注册以获取配置文件数据。为了传输请求,设备依赖于配置、缓存或发现的数据。此类数据包括提供商域名、身份和凭据。设备使用配置的出站代理或使用[RFC3263]发现下一跳实体,这可能导致SIP代理或PDS。然后它传输请求。接收请求的SIP代理使用请求URI和事件头内容将其路由到PDS(如果需要,通过其他SIP代理)。

When a PDS receives the enrollment request, it can either challenge any contained identity or admit the enrollment. Authorization rules then decide if the enrollment gets accepted. If accepted, the PDS sends an initial notification that contains either the profile data, or content indirection information. The profile data can contain generic profile data (common across multiple devices) or information specific to an entity (such as the device or a user). If specific to an entity, it may contain sensitive information such as credentials. Disclosure of sensitive data can lead to threats such as impersonation attacks (establishing rogue sessions), theft of service (if services are obtainable), and zombie attacks. It is important for the device to ensure the authenticity of the PNC and the PCC since impersonation of the SIP service provider can lead to DoS and man-in-the-middle (MITM) attacks.

当PDS收到注册请求时,它可以质询任何包含的身份或接受注册。然后,授权规则决定是否接受注册。如果接受,PDS将发送包含配置文件数据或内容间接信息的初始通知。配置文件数据可以包含通用配置文件数据(跨多个设备通用)或特定于实体(如设备或用户)的信息。如果特定于实体,则它可能包含敏感信息,如凭据。泄露敏感数据可能导致诸如模拟攻击(建立恶意会话)、窃取服务(如果可以获得服务)和僵尸攻击等威胁。设备必须确保PNC和PCC的真实性,因为模拟SIP服务提供商可能导致DoS和中间人(MITM)攻击。

Profile content retrieval allows a device to retrieve profile data via content indirection from a PCC. This communication is accomplished using one of many profile delivery protocols or frameworks, such as HTTP or HTTPS as specified in this document. However, since the profile data returned is subject to the same considerations as that sent via profile notification, similar threats exist. For example, DoS attacks (rogue devices bombard the PCC with requests for a specific profile) and attempts to modify erroneous data onto the PCC (since the location and format may be known). Thus, for the delivery of any sensitive profile data, authentication of the entity requesting profile data is required. It is also important for the requesting entity to authenticate the profile source via content indirection and ensure that the sensitive profile data is protected via data integrity. For sensitive data that should not be disclosed to unauthorized parties, data confidentiality is also required.

配置文件内容检索允许设备通过内容间接从PCC检索配置文件数据。此通信是使用许多概要文件交付协议或框架之一完成的,如本文档中指定的HTTP或HTTPS。但是,由于返回的配置文件数据与通过配置文件通知发送的配置文件数据受到相同的考虑,因此存在类似的威胁。例如,DoS攻击(恶意设备用特定配置文件的请求轰炸PCC)并试图将错误数据修改到PCC上(因为位置和格式可能已知)。因此,对于任何敏感概要文件数据的交付,需要对请求概要文件数据的实体进行身份验证。请求实体还必须通过内容间接寻址验证配置文件源,并确保通过数据完整性保护敏感配置文件数据。对于不应向未经授权方披露的敏感数据,还要求数据保密。

The following subsections highlight the security considerations that are specific to each profile type.

以下小节重点介绍了特定于每种配置文件类型的安全注意事项。

9.1. Local-Network Profile
9.1. 本地网络配置文件

A local network may or may not (e.g., home router) support local-network profiles as specified in this framework. Even if supported, the PDS may only be configured with a generic local-network profile that is provided to every device that requests the local-network profile. Such a PDS may not implement any authentication requirements or TLS.

本地网络(例如,家庭路由器)可能支持也可能不支持本框架中规定的本地网络配置文件。即使受支持,PDS也只能配置为向每个请求本地网络配置文件的设备提供的通用本地网络配置文件。此类PDS可能不会实现任何认证要求或TLS。

Alternatively, certain deployments may require the entities -- device and the PDS -- to authenticate each other prior to successful profile enrollment. Such networks may pre-configure user identities to the devices and allow user-specific local-network profiles. In such networks, the PDS will support digest authentication, and the devices are configured with user identities and credentials as specified in Section 5.3.1. If sensitive profile data is being transmitted, the user identity is a SIPS URI that results in TLS with the next-hop (which is authenticated), and digest authentication is used by the PDS and the device.

或者,某些部署可能需要实体(设备和PDS)在成功注册配置文件之前相互验证。这样的网络可以预先配置设备的用户身份,并允许用户特定的本地网络配置文件。在此类网络中,PDS将支持摘要身份验证,设备配置有第5.3.1节中规定的用户身份和凭据。如果正在传输敏感简档数据,则用户标识是SIPS URI,该用户标识将导致具有下一跳的TLS(已认证),并且PDS和设备使用摘要认证。

This framework supports both use cases and any variations in between. However, devices obtaining local-network profiles from an unauthenticated PDS are cautioned against potential MITM or PDS impersonation attacks. This framework requires that a device reject sensitive data, such as credentials, from unauthenticated local-network sources. It also prohibits devices from responding to authentication challenges in the absence of TLS on all hops as a result of using a SIPS URI. Responding to unauthenticated challenges

这个框架支持用例和两者之间的任何变化。但是,从未经验证的PDS获取本地网络配置文件的设备应注意防止潜在的MITM或PDS模拟攻击。此框架要求设备拒绝来自未经验证的本地网络源的敏感数据,如凭据。它还禁止由于使用SIPS URI而在所有跃点上没有TLS的情况下,设备响应身份验证挑战。应对未经验证的挑战

allows for dictionary attacks that can reveal weak passwords. The only exception to accepting such sensitive data without authentication of the PDS is in the case of bootstrapping (see Section 5.3.1). In the case of bootstrapping, the methods employed need to be aware of potential security threats such as impersonation.

允许字典攻击,可以揭示弱密码。在未经PDS认证的情况下接受此类敏感数据的唯一例外情况是引导(见第5.3.1节)。在引导的情况下,所使用的方法需要意识到潜在的安全威胁,例如模拟。

SIP Identity is useful for the device to validate notifications in the absence of a secure channel such as TLS when a SIPS URI is used. In such cases, the device can validate the SIP Identity header to verify the source of the profile notification, and the source of the profile data when content indirection is not used. However, the presence of the header does not guarantee the validity of the data. It verifies the source and confirms data integrity, but the data obtained from an undesired source may still be invalid, e.g., invalid outbound proxy information, resulting in DoS. Thus, devices requesting the local-network profile from unknown networks need to be prepared to discard information that prevent retrieval of other, required, profiles.

当使用SIPS URI时,SIP标识对于设备在缺少安全通道(如TLS)的情况下验证通知非常有用。在这种情况下,设备可以验证SIP标识报头以验证配置文件通知的源,以及在不使用内容间接寻址时验证配置文件数据的源。但是,标头的存在并不能保证数据的有效性。它验证源并确认数据完整性,但从不需要的源获得的数据可能仍然无效,例如,无效的出站代理信息,从而导致拒绝服务。因此,从未知网络请求本地网络简档的设备需要准备丢弃阻止检索其他所需简档的信息。

9.2. Device Profile
9.2. 设备配置文件

Device profiles deal with device-specific configuration. They may be provided to unknown devices that are attempting to obtaining profiles for purposes such as trials, self-subscription (not to be confused with [RFC3265]), and emergency services [PHONEBCP].

设备配置文件处理特定于设备的配置。它们可以提供给尝试获取配置文件的未知设备,以用于试验、自订阅(不要与[RFC3265]混淆)和紧急服务[PHONEBCP]等目的。

This framework allows the device profile to be used for bootstrapping a device. Such bootstrapping profile data may contain enough information to connect to a Provider. For example, it may enable the device to communicate with a device provider, allowing for trial or self-subscription services via visual or audio interfaces (e.g., interactive voice response), or customer service representatives. The profile data may also allow the device a choice of device providers and allow the end-user to choose one. The profile data may also contain identities and credentials (temporary or long-term) that can be used to obtain further profile data from the network. This framework recommends the use of the SIP Identity header by the PDS. However, to be able to validate the SIP Identity header, the device needs to be pre-configured with the knowledge of allowable domains or certificates for validation (e.g., using PKI). If not, the device can still guarantee header and body integrity if the profile data contains the domain certificate (but the data can still be invalid or malicious). In such cases, devices supporting user interfaces may obtain confirmation from the user trying to bootstrap the device (confirming header and body integrity). However, when the SIP Identity header is not present, or the device is not capable of validating it, the bootstrapping data is unauthenticated and obtained without any integrity protection. Such bootstrapping data, however,

此框架允许设备配置文件用于引导设备。这样的引导配置文件数据可能包含足够的信息以连接到提供者。例如,它可以使设备能够与设备提供商通信,允许通过视频或音频接口(例如,交互式语音响应)或客户服务代表进行试用或自订阅服务。配置文件数据还允许设备选择设备提供商,并允许最终用户选择一个。配置文件数据还可以包含可用于从网络获取进一步配置文件数据的身份和凭证(临时或长期)。该框架建议PDS使用SIP标识头。然而,为了能够验证SIP标识报头,设备需要预先配置用于验证的允许域或证书的知识(例如,使用PKI)。否则,如果配置文件数据包含域证书,则设备仍然可以保证头和正文的完整性(但数据仍然可能无效或恶意)。在这种情况下,支持用户界面的设备可以从尝试引导设备的用户处获得确认(确认头部和主体完整性)。但是,当SIP标识头不存在或设备无法验证它时,引导数据未经验证,并且在没有任何完整性保护的情况下获得。然而,这样的自举数据,

may contain only temporary credentials (SIPS URI and digest credentials) that can be used to reconnect to the network to ensure data integrity and data confidentiality prior to obtaining long-term credentials. It is to be noted that such devices are at the mercy of the network they request the device profile from. If they are initialized in a rogue network, or get hijacked by a rogue PDS, the end-user may be left without desired device operation or, worse, unwanted operation. To mitigate such factors the device provider may communicate temporary credentials (e.g., passwords that can be entered via an interface) or permanent credentials (e.g., a USB device) to the end-user for connectivity. If such methods are used, those credentials MUST be quickly replaced by large-entropy credentials, to minimize the impact of dictionary attacks. Future enhancements to this framework may specify device capabilities that allow for authentication without any provider-specific configuration (e.g., X.509 certificates using PKI can allow for authentication by any provider with access to the CA certificate). Alternatively, the device may be pre-configured with credentials for use with content indirection mechanisms. In such circumstances a PDS can use secure content indirection mechanism, such as HTTPS, to provide the bootstrapping data.

可能仅包含临时凭据(SIPS URI和摘要凭据),可用于在获取长期凭据之前重新连接到网络以确保数据完整性和数据机密性。需要注意的是,此类设备受其请求设备配置文件的网络支配。如果它们在恶意网络中初始化,或被恶意PDS劫持,最终用户可能无法进行所需的设备操作,或者更糟糕的是,无法进行不必要的操作。为了缓解这些因素,设备提供商可以将临时凭证(例如,可以通过接口输入的密码)或永久凭证(例如,USB设备)传送给最终用户以进行连接。如果使用这种方法,则必须用大熵凭据快速替换这些凭据,以将字典攻击的影响降至最低。该框架的未来增强可能会指定允许在没有任何特定于提供商的配置的情况下进行身份验证的设备功能(例如,使用PKI的X.509证书可以允许任何访问CA证书的提供商进行身份验证)。或者,设备可以预先配置用于内容间接寻址机制的凭据。在这种情况下,PDS可以使用安全的内容间接寻址机制(如HTTPS)来提供引导数据。

Once a device is associated with a device provider the device profile is vital to device operation. This is because the device profile can contain important operational information such as users that are to be allowed access (white-list or black-list), user credentials (if required) and other sensitive information. Thus, it is necessary to ensure that any device profile containing sensitive information is obtained via an authenticated source, with integrity protection, and delivered to an authenticated device. For sensitive information such as credentials, data confidentiality is also required. The framework requires that devices obtain sensitive information only from authenticated entities except while it is being bootstrapped. In cases where data confidentiality needs to be mandated for notifications, the device provider can configure the device with a SIPS URI, to be used as the Subscription URI, during profile enrollment. The framework also requires a PDS presenting sensitive profile data to use digest authentication. This ensures that the data is delivered to an authenticated entity. Authentication of profile retrieval via content indirection for sensitive profiles is via HTTPS utilizing HTTP digest.

一旦设备与设备提供商关联,设备配置文件对设备操作至关重要。这是因为设备配置文件可以包含重要的操作信息,例如允许访问的用户(白名单或黑名单)、用户凭据(如果需要)和其他敏感信息。因此,有必要确保包含敏感信息的任何设备配置文件都是通过具有完整性保护的认证源获得的,并交付给认证设备。对于凭证等敏感信息,还需要数据保密性。该框架要求设备仅从经过身份验证的实体获取敏感信息,引导时除外。在通知需要强制执行数据保密的情况下,设备提供商可以使用SIPS URI配置设备,以在配置文件注册期间用作订阅URI。该框架还要求PDS提供敏感的配置文件数据,以使用摘要身份验证。这确保了数据被传递到经过身份验证的实体。通过敏感配置文件的内容间接寻址进行配置文件检索的身份验证是通过使用HTTP摘要的HTTPS进行的。

9.3. User Profile
9.3. 用户配置文件

Devices can only request user profiles for users that are known by a SIP service provider. PDSs are required to reject user profile enrollment requests for any users that are unknown in the network.

设备只能为SIP服务提供商已知的用户请求用户配置文件。PDS需要拒绝网络中未知用户的用户配置文件注册请求。

For known user AoRs that are allowed to retrieve profiles, the security considerations are similar to that of the device profile (except for bootstrapping).

对于允许检索配置文件的已知用户AOR,安全注意事项与设备配置文件类似(除了引导)。

10. Acknowledgements
10. 致谢

The author appreciates all those who contributed and commented on the many iterations of this document. Detailed comments were provided by the following individuals: Jonathan Rosenberg, Henning Schulzrinne, Cullen Jennings, Rohan Mahy, Rich Schaaf, Volker Hilt, Adam Roach, Hisham Khartabil, Henry Sinnreich, Martin Dolly, John Elwell, Elliot Eichen, Robert Liao, Dale Worley, Francois Audet, Roni Even, Jason Fischl, Josh Littlefield, and Nhut Nguyen.

作者感谢所有对本文件多次迭代作出贡献和评论的人。以下个人提供了详细的评论:乔纳森·罗森博格、亨宁·舒尔兹林内、卡伦·詹宁斯、罗汉·马伊、里奇·沙夫、沃尔克·希尔特、亚当·罗奇、希沙姆·哈塔比尔、亨利·辛里奇、马丁·多利、约翰·埃尔维尔、埃利奥特·艾钦、罗伯特·廖、戴尔·沃利、弗朗索瓦·奥德、罗尼·伊恩、杰森·菲舍尔、约什·利特菲尔德和恩胡特·阮。

The final revisions of this document were a product of design team discussions. The editor wishes to extend special appreciation to the following design team members for their numerous reviews and specific contributions to various sections: Josh Littlefield (Overview, Section 6), Peter Blatherwick (Section 6), Cullen Jennings (Security), Sam Ganesan (Section 6), and Mary Barnes (layout, Section 6).

本文件的最终修订是设计团队讨论的结果。编辑希望特别感谢以下设计团队成员,感谢他们对各个部分的大量评论和具体贡献:Josh Littlefield(概述,第6节)、Peter Blatherwick(第6节)、Cullen Jennings(安全)、Sam Ganesan(第6节)和Mary Barnes(布局,第6节)。

The following design team members are thanked for numerous reviews and general contributions: Martin Dolly, Jason Fischl, Alvin Jiang, and Francois Audet.

感谢以下设计团队成员的众多评论和一般性贡献:Martin Dolly、Jason Fischl、Alvin Jiang和Francois Audet。

The following SIPPING WG members are thanked for numerous reviews, comments and recommendations: John Elwell, Donald Lukacs, Roni Even, David Robbins, Shida Schubert, and Eugene Nechamkin. The editor would also like to extend a special thanks to the comments and recommendations provided by the SIPPING WG, specifically Keith Drage (restructuring proposal) and John Elwell (numerous reviews and recommendations).

感谢以下工作组成员的众多评论、评论和建议:约翰·埃尔维尔、唐纳德·卢卡奇、甚至罗尼、大卫·罗宾斯、希达·舒伯特和尤金·内查姆金。编辑还要特别感谢SIPING工作组提供的评论和建议,特别是Keith Drage(重组提案)和John Elwell(众多评论和建议)。

Additionally, appreciation is also due to Peter Koch for expert DNS advice.

此外,感谢Peter Koch提供的专家DNS建议。

Finally, sincere appreciation is extended to the chairs (Mary Barnes and Gonzalo Camarillo); the past/current Area Directors (Cullen Jennings, Jon Peterson, and Robert Sparks) for facilitating discussions, reviews, and contributions; and, the expert reviewers from the IESG (Peter McCann, Catherine Meadows).

最后,向各位主席(玛丽·巴恩斯和冈萨洛·卡马里洛)表示诚挚的感谢;过去/现在的区域主管(Cullen Jennings、Jon Peterson和Robert Sparks)负责促进讨论、审查和贡献;还有来自IESG的专家评论员(Peter McCann,Catherine Meadows)。

11. References
11. 工具书类
11.1. Normative References
11.1. 规范性引用文件

[FIPS-180-3] National Institute of Standards and Technology (NIST), "Secure Hash Standard (SHS)", FIPS PUB 180-3, October 2008.

[FIPS-180-3]国家标准与技术研究所(NIST),“安全哈希标准(SHS)”,FIPS PUB 180-3,2008年10月。

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

[RFC2616]菲尔丁,R.,盖蒂斯,J.,莫卧儿,J.,弗莱斯蒂克,H.,马斯特,L.,利奇,P.,和T.伯纳斯李,“超文本传输协议——HTTP/1.1”,RFC 2616,1999年6月。

[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., and L. Stewart, "HTTP Authentication: Basic and Digest Access Authentication", RFC 2617, June 1999.

[RFC2617]Franks,J.,Hallam Baker,P.,Hostetler,J.,Lawrence,S.,Leach,P.,Lootonen,A.,和L.Stewart,“HTTP认证:基本和摘要访问认证”,RFC 26171999年6月。

[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

[RFC2818]Rescorla,E.,“TLS上的HTTP”,RFC2818,2000年5月。

[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002.

[RFC3261]Rosenberg,J.,Schulzrinne,H.,Camarillo,G.,Johnston,A.,Peterson,J.,Sparks,R.,Handley,M.,和E.Schooler,“SIP:会话启动协议”,RFC 3261,2002年6月。

[RFC3263] Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol (SIP): Locating SIP Servers", RFC 3263, June 2002.

[RFC3263]Rosenberg,J.和H.Schulzrinne,“会话启动协议(SIP):定位SIP服务器”,RFC 3263,2002年6月。

[RFC3265] Roach, A., "Session Initiation Protocol (SIP)-Specific Event Notification", RFC 3265, June 2002.

[RFC3265]Roach,A.,“会话启动协议(SIP)-特定事件通知”,RFC3265,2002年6月。

[RFC3319] Schulzrinne, H. and B. Volz, "Dynamic Host Configuration Protocol (DHCPv6) Options for Session Initiation Protocol (SIP) Servers", RFC 3319, July 2003.

[RFC3319]Schulzrinne,H.和B.Volz,“会话启动协议(SIP)服务器的动态主机配置协议(DHCPv6)选项”,RFC 3319,2003年7月。

[RFC3361] Schulzrinne, H., "Dynamic Host Configuration Protocol (DHCP-for-IPv4) Option for Session Initiation Protocol (SIP) Servers", RFC 3361, August 2002.

[RFC3361]Schulzrinne,H.,“会话启动协议(SIP)服务器的动态主机配置协议(DHCP-for-IPv4)选项”,RFC 3361,2002年8月。

[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, July 2005.

[RFC4122]Leach,P.,Mealling,M.和R.Salz,“通用唯一标识符(UUID)URN名称空间”,RFC 4122,2005年7月。

[RFC4474] Peterson, J. and C. Jennings, "Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)", RFC 4474, August 2006.

[RFC4474]Peterson,J.和C.Jennings,“会话启动协议(SIP)中身份验证管理的增强”,RFC 4474,2006年8月。

[RFC4483] Burger, E., "A Mechanism for Content Indirection in Session Initiation Protocol (SIP) Messages", RFC 4483, May 2006.

[RFC4483]Burger,E.“会话初始化协议(SIP)消息中的内容间接寻址机制”,RFC 4483,2006年5月。

[RFC4704] Volz, B., "The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Client Fully Qualified Domain Name (FQDN) Option", RFC 4704, October 2006.

[RFC4704]Volz,B.,“IPv6(DHCPv6)客户端完全限定域名(FQDN)选项的动态主机配置协议”,RFC 4704,2006年10月。

[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008.

[RFC5226]Narten,T.和H.Alvestrand,“在RFCs中编写IANA注意事项部分的指南”,BCP 26,RFC 5226,2008年5月。

[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008.

[RFC5234]Crocker,D.和P.Overell,“语法规范的扩充BNF:ABNF”,STD 68,RFC 5234,2008年1月。

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.

[RFC5246]Dierks,T.和E.Rescorla,“传输层安全(TLS)协议版本1.2”,RFC 5246,2008年8月。

[RFC5626] Jennings, C., Mahy, R., and F. Audet, "Managing Client-Initiated Connections in the Session Initiation Protocol (SIP)", RFC 5626, October 2009.

[RFC5626]Jennings,C.,Mahy,R.,和F.Audet,“在会话启动协议(SIP)中管理客户端启动的连接”,RFC 5626,2009年10月。

11.2. Informative References
11.2. 资料性引用

[PHONEBCP] Rosen, B. and J. Polk, "Best Current Practice for Communications Services in support of Emergency Calling", Work in Progress, October 2010.

[PHONEBCP]Rosen,B.和J.Polk,“支持紧急呼叫的通信服务当前最佳实践”,正在进行的工作,2010年10月。

[RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol", STD 9, RFC 959, October 1985.

[RFC0959]Postel,J.和J.Reynolds,“文件传输协议”,标准9,RFC 959,1985年10月。

[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, March 1997.

[RFC2132]Alexander,S.和R.Droms,“DHCP选项和BOOTP供应商扩展”,RFC 21321997年3月。

[RFC4510] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map", RFC 4510, June 2006.

[RFC4510]Zeilenga,K.,“轻量级目录访问协议(LDAP):技术规范路线图”,RFC45102006年6月。

[RFC4634] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms (SHA and HMAC-SHA)", RFC 4634, July 2006.

[RFC4634]Eastlake,D.和T.Hansen,“美国安全哈希算法(SHA和HMAC-SHA)”,RFC 46342006年7月。

[RFC4825] Rosenberg, J., "The Extensible Markup Language (XML) Configuration Access Protocol (XCAP)", RFC 4825, May 2007.

[RFC4825]Rosenberg,J.,“可扩展标记语言(XML)配置访问协议(XCAP)”,RFC4825,2007年5月。

Authors' Addresses

作者地址

Daniel Petrie SIPez LLC 246A Park Ave Arlington, MA 02476 USA

美国马萨诸塞州阿灵顿公园大道246A号Daniel Petrie SIPez LLC 02476

   EMail: dan.ietf@SIPez.com
   URI:   http://www.SIPez.com/
        
   EMail: dan.ietf@SIPez.com
   URI:   http://www.SIPez.com/
        

Sumanth Channabasappa (editor) CableLabs 858 Coal Creek Circle Louisville, CO 80027 USA

Sumanth Channabasapa(编辑)CableLabs 858美国科罗拉多州路易斯维尔市煤溪圈80027

   EMail: sumanth@cablelabs.com
   URI:   http://www.cablelabs.com/
        
   EMail: sumanth@cablelabs.com
   URI:   http://www.cablelabs.com/