Internet Engineering Task Force (IETF)                           V. Hilt
Request for Comments: 6795                      Bell Labs/Alcatel-Lucent
Category: Standards Track                                   G. Camarillo
ISSN: 2070-1721                                                 Ericsson
                                                           December 2012
        
Internet Engineering Task Force (IETF)                           V. Hilt
Request for Comments: 6795                      Bell Labs/Alcatel-Lucent
Category: Standards Track                                   G. Camarillo
ISSN: 2070-1721                                                 Ericsson
                                                           December 2012
        

A Session Initiation Protocol (SIP) Event Package for Session-Specific Policies

会话特定策略的会话启动协议(SIP)事件包

Abstract

摘要

This specification defines a Session Initiation Protocol (SIP) event package for session-specific policies. This event package enables user agents (UAs) to subscribe to session policies for a SIP session and to receive notifications if these policies change.

本规范为特定于会话的策略定义会话启动协议(SIP)事件包。此事件包允许用户代理(UAs)订阅SIP会话的会话策略,并在这些策略更改时接收通知。

Status of This Memo

关于下段备忘

This is an Internet Standards Track document.

这是一份互联网标准跟踪文件。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6795.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6795.

Copyright Notice

版权公告

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2012 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

Table of Contents

目录

   1. Introduction ....................................................2
   2. Terminology .....................................................3
   3. Event Package Formal Definition .................................3
      3.1. Event Package Name .........................................4
      3.2. Event Package Parameters ...................................4
      3.3. SUBSCRIBE Bodies ...........................................4
      3.4. Subscription Duration ......................................5
      3.5. NOTIFY Bodies ..............................................5
      3.6. Subscriber Generation of SUBSCRIBE Requests ................6
      3.7. Notifier Processing of SUBSCRIBE Requests ..................8
      3.8. Notifier Generation of NOTIFY Requests .....................9
      3.9. Subscriber Processing of NOTIFY Requests ..................10
      3.10. Handling of Forked Requests ..............................11
      3.11. Rate of Notifications ....................................11
      3.12. State Agents .............................................11
      3.13. Examples .................................................11
   4. Security Considerations ........................................14
   5. IANA Considerations ............................................16
      5.1. Event Package Name ........................................16
   6. References .....................................................16
      6.1. Normative References ......................................16
      6.2. Informative References ....................................17
   Appendix A. Acknowledgements ......................................18
        
   1. Introduction ....................................................2
   2. Terminology .....................................................3
   3. Event Package Formal Definition .................................3
      3.1. Event Package Name .........................................4
      3.2. Event Package Parameters ...................................4
      3.3. SUBSCRIBE Bodies ...........................................4
      3.4. Subscription Duration ......................................5
      3.5. NOTIFY Bodies ..............................................5
      3.6. Subscriber Generation of SUBSCRIBE Requests ................6
      3.7. Notifier Processing of SUBSCRIBE Requests ..................8
      3.8. Notifier Generation of NOTIFY Requests .....................9
      3.9. Subscriber Processing of NOTIFY Requests ..................10
      3.10. Handling of Forked Requests ..............................11
      3.11. Rate of Notifications ....................................11
      3.12. State Agents .............................................11
      3.13. Examples .................................................11
   4. Security Considerations ........................................14
   5. IANA Considerations ............................................16
      5.1. Event Package Name ........................................16
   6. References .....................................................16
      6.1. Normative References ......................................16
      6.2. Informative References ....................................17
   Appendix A. Acknowledgements ......................................18
        
1. Introduction
1. 介绍

The Framework for Session Initiation Protocol (SIP) [RFC3261] Session Policies [RFC6794] defines a protocol framework that enables a proxy to define and impact policies on sessions such as the codecs or media types to be used. This framework identifies two types of session policies: session-specific and session-independent policies. Session-specific policies are policies that are created for one particular session, based on the session description of this session. They enable a network intermediary to inspect the session description that a UA is proposing and to return a policy specifically generated for this session description. For example, an intermediary could open pinholes in a firewall/NAT for each media stream in a session and return a policy that replaces the internal IP addresses and ports in the session description with external ones. Since session-specific policies are tailored to a session, they only apply to the session for which they are created. A UA requests session-specific policies on a session-by-session basis at the time a session is created and the session description is known. Session-independent policies, on the other hand, are policies that are created independently of a session and generally apply to all the SIP sessions set up by a user agent.

会话启动协议框架(SIP)[RFC3261]会话策略[RFC6794]定义了一个协议框架,使代理能够定义和影响会话策略,如要使用的编解码器或媒体类型。该框架确定了两种类型的会话策略:特定于会话的策略和独立于会话的策略。特定于会话的策略是根据此会话的会话描述为特定会话创建的策略。它们使网络中介能够检查UA提议的会话描述,并返回专门为此会话描述生成的策略。例如,中介可以为会话中的每个媒体流在防火墙/NAT中打开针孔,并返回一个策略,该策略将会话描述中的内部IP地址和端口替换为外部IP地址和端口。由于特定于会话的策略是针对会话定制的,因此它们仅适用于为其创建策略的会话。UA在创建会话且会话描述已知时,会逐个会话请求特定于会话的策略。另一方面,会话无关策略是独立于会话创建的策略,通常适用于由用户代理设置的所有SIP会话。

"A Framework for Session Initiation Protocol (SIP) Session Policies" [RFC6794] defines a mechanism that enables UAs to discover the URIs of session-specific policy servers. This specification defines a SIP event package [RFC6665] that enables UAs to subscribe to session-specific policies on a policy server. Subscribing to session-specific policies involves the following steps (see the Session Policy Framework [RFC6794]):

“会话启动协议(SIP)会话策略框架”[RFC6794]定义了一种机制,使UAs能够发现会话特定策略服务器的URI。该规范定义了一个SIP事件包[RFC6665],使UAs能够在策略服务器上订阅特定于会话的策略。订阅特定于会话的策略包括以下步骤(请参阅会话策略框架[RFC6794]):

1. A user agent submits the details of the session it is trying to establish to the policy server and asks whether a session using these parameters is permissible. For example, a user agent might propose a session that contains the media types audio and video.

1. 用户代理将其试图建立的会话的详细信息提交给策略服务器,并询问是否允许使用这些参数的会话。例如,用户代理可能会建议一个包含媒体类型音频和视频的会话。

2. The policy server generates a policy decision for this session and returns the decision to the user agent. Possible policy decisions are (1) to deny the session, (2) to propose changes to the session parameters with which the session would be acceptable, or (3) to accept the session as it was proposed. An example for a policy decision is to disallow the use of video but agree to all other aspects of the proposed session.

2. 策略服务器为此会话生成策略决策,并将决策返回给用户代理。可能的政策决定包括(1)拒绝该会话,(2)建议对会话参数进行更改,以使会话可以接受,或(3)接受提议的会话。政策决定的一个例子是不允许使用视频,但同意拟议会议的所有其他方面。

3. The policy server can update the policy decision at a later time. A policy decision update can require additional changes to the session (e.g., because the available bandwidth has changed) or deny a previously accepted session (i.e., disallow the continuation of a session).

3. 策略服务器可以在以后更新策略决策。策略决策更新可能需要对会话进行额外更改(例如,因为可用带宽已更改)或拒绝以前接受的会话(例如,不允许继续会话)。

The event package for session-specific policies enables a user agent to subscribe to the policies for a SIP session following the above model. The subscriber initiates a subscription by submitting the details of the session it is trying to establish to the notifier (i.e., the policy server) in the body of a SUBSCRIBE request. The notifier uses this information to determine the policy decision for this session. It conveys the initial policy decision to the subscriber in a NOTIFY request and all changes to this decision in subsequent NOTIFY requests.

会话特定策略的事件包允许用户代理按照上述模型订阅SIP会话的策略。订阅者通过在订阅请求主体中向通知者(即策略服务器)提交其试图建立的会话的详细信息来发起订阅。通知程序使用此信息确定此会话的策略决策。它在NOTIFY请求中将初始策略决策传递给订阅者,并在后续NOTIFY请求中将对此决策的所有更改传递给订阅者。

2. Terminology
2. 术语

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[RFC2119]中所述进行解释。

3. Event Package Formal Definition
3. 事件包形式定义

This document provides the details for defining a SIP event package as required by RFC 6665 [RFC6665].

本文档提供了根据RFC 6665[RFC6665]的要求定义SIP事件包的详细信息。

3.1. Event Package Name
3.1. 事件包名称

The name of the event package defined in this specification is "session-spec-policy".

本规范中定义的事件包的名称为“会话规范策略”。

3.2. Event Package Parameters
3.2. 事件包参数

This package defines the following two event package parameters:

此包定义以下两个事件包参数:

local-only: The "local-only" parameter is optional and only defined for NOTIFY requests. The "local-only" parameter indicates that the remote session description is not required by the notifier. It MUST be ignored if received in a SUBSCRIBE request. The usage of the "local-only" parameter is described in Sections 3.6, 3.8 and 3.9.

仅本地:“仅本地”参数是可选的,仅为NOTIFY请求定义。“仅本地”参数表示通知程序不需要远程会话描述。如果在订阅请求中收到,则必须忽略它。第3.6、3.8和3.9节描述了“仅本地”参数的用法。

insufficient-info: The "insufficient-info" parameter is optional and only defined for NOTIFY requests. It is used by the notifier to indicate that a policy decision could not be made due to insufficient information. The "insufficient-info" parameter MUST be ignored if received in a SUBSCRIBE request. The usage of the "insufficient-info" parameter is described in Sections 3.7, 3.8 and 3.9.

信息不足:“信息不足”参数是可选的,仅为通知请求定义。通知程序使用它来指示由于信息不足而无法做出策略决策。如果在订阅请求中收到“信息不足”参数,则必须忽略该参数。第3.7、3.8和3.9节介绍了“信息不足”参数的用法。

3.3. SUBSCRIBE Bodies
3.3. 订阅机构

A SUBSCRIBE for this event package MUST contain a body that describes a SIP session. The purpose of this body is to enable the notifier to generate the policies in which the subscriber is interested. In this event package, the Request-URI, the event package name, and event parameters are not sufficient to determine the resource a subscription is for. However, with the session description in the SUBSCRIBE body, the notifier can generate the requested policy decision and create policy events for this resource.

此事件包的订阅必须包含描述SIP会话的正文。此主体的目的是使通知程序能够生成订阅者感兴趣的策略。在此事件包中,请求URI、事件包名称和事件参数不足以确定订阅的资源。但是,通过订阅主体中的会话描述,通知程序可以生成请求的策略决策并为此资源创建策略事件。

All subscribers and notifiers MUST support the MIME type "application/media-policy-dataset+xml" as defined in "A User Agent Profile Data Set for Media Policy" [RFC6796]. The "application/ media-policy-dataset+xml" format is the default format for SUBSCRIBE bodies in this event package. Subscribers and notifiers MAY negotiate the use of other formats capable of representing a session.

所有订阅服务器和通知程序都必须支持“媒体策略的用户代理配置文件数据集”[RFC6796]中定义的MIME类型“应用程序/媒体策略数据集+xml”。“应用程序/媒体策略数据集+xml”格式是此事件包中订阅主体的默认格式。订阅者和通知者可以协商使用能够表示会话的其他格式。

Note: It has been proposed to directly use Session Description Protocol (SDP) [RFC4566] instead of encoding the session descriptions in the Media Policy [RFC6796] format. However, using a separate format such as the Media Policy format has a number of advantages over the direct use of SDP: i) the Media Policy format is more flexible and allows the inclusion of information that

注:建议直接使用会话描述协议(SDP)[RFC4566],而不是将会话描述编码为媒体策略[RFC6796]格式。但是,与直接使用SDP相比,使用单独的格式(如媒体策略格式)有许多优点:i)媒体策略格式更灵活,允许包含以下信息:

can't be expressed in SDP (e.g., the target URI), ii) the Media Policy format enables the encoding of local and remote session descriptions in a single document (not requiring the use of MIME multipart and new content disposition types), and iii) the Media Policy format aligns the formats used for session-specific and session-independent policies. A drawback is that it requires the UA to encode SDP and session information in Media Policy documents.

不能用SDP表示(例如,目标URI),ii)媒体策略格式允许在单个文档中对本地和远程会话描述进行编码(不需要使用MIME多部分和新的内容处理类型),以及iii)媒体策略格式与特定于会话和独立于会话的策略使用的格式保持一致。缺点是它需要UA在媒体策略文档中对SDP和会话信息进行编码。

3.4. Subscription Duration
3.4. 订阅期限

A subscription to the session-specific policy package is usually established at the beginning of a session and terminated when the corresponding session ends. A typical duration of a phone call is a few minutes.

对特定于会话的策略包的订阅通常在会话开始时建立,并在相应会话结束时终止。一个电话的典型持续时间是几分钟。

Since the duration of a subscription to the session-specific policy package is related to the lifetime of the corresponding session, the value for the duration of a subscription is largely irrelevant. However, the duration SHOULD be longer than the typical duration of a session. The default subscription duration for this event package is set to two hours.

由于特定于会话的策略包订阅的持续时间与相应会话的生存期相关,因此订阅持续时间的值在很大程度上是不相关的。但是,持续时间应长于会话的典型持续时间。此事件包的默认订阅持续时间设置为两小时。

A subscription MAY be terminated before a session ends by the notifier. For example, a notifier may terminate the subscription after the initial policy notification has been sent to the subscriber if it knows that these policies will not change during the session. A subscriber MUST NOT terminate a subscription unless it is terminating the session this subscription is for or discovers that the notifier has been removed from the list of policy servers relevant for this session (see the Session Policy Framework [RFC6794]). A subscriber MUST refresh a subscription with a SUBSCRIBE request before the last SUBSCRIBE request expires to avoid that the subscription times out.

通知程序可以在会话结束之前终止订阅。例如,如果通知程序知道这些策略在会话期间不会更改,则通知程序可以在向订阅服务器发送初始策略通知后终止订阅。订阅服务器不得终止订阅,除非它正在终止此订阅所针对的会话,或者发现通知程序已从与此会话相关的策略服务器列表中删除(请参阅会话策略框架[RFC6794])。订阅服务器必须在最后一个订阅请求过期之前使用订阅请求刷新订阅,以避免订阅超时。

3.5. NOTIFY Bodies
3.5. 通知机构

In this event package, the body of a notification contains the session policy requested by the subscriber. All subscribers and notifiers MUST support the format "application/ media-policy-dataset+xml" [RFC6796] as a format for NOTIFY bodies.

在此事件包中,通知主体包含订阅者请求的会话策略。所有订阅者和通知者必须支持“应用程序/媒体策略数据集+xml”[RFC6796]格式作为通知机构的格式。

The SUBSCRIBE request MAY contain an Accept header field. If no such header field is present, it has a default value of "application/ media-policy-dataset+xml". If the header field is present, it MUST include "application/media-policy-dataset+xml", and it MAY include any other MIME type capable of representing session-specific

订阅请求可能包含接受标头字段。如果不存在此类标题字段,则其默认值为“应用程序/媒体策略数据集+xml”。如果存在标头字段,则它必须包括“应用程序/媒体策略数据集+xml”,并且它可以包括能够表示特定于会话的任何其他MIME类型

policies. As defined in RFC 6665 [RFC6665], the body of notifications MUST be in one of the formats defined in the Accept header of the SUBSCRIBE request or in the default format.

政策。根据RFC 6665[RFC6665]中的定义,通知体必须采用订阅请求的Accept标头中定义的格式之一或默认格式。

If the notifier uses the same format in NOTIFY bodies that was used by the subscriber in the SUBSCRIBE body (e.g., "application/ media-policy-dataset+xml"), the notifier can expect that the subscriber supports all format extensions that were used in the SUBSCRIBE body. The notifier cannot assume that the subscriber supports other extensions beyond that and SHOULD NOT use such extensions.

如果通知程序在通知正文中使用的格式与订阅服务器在订阅正文中使用的格式相同(例如,“应用程序/媒体策略数据集+xml”),则通知程序可以预期订阅服务器支持订阅正文中使用的所有格式扩展。通知程序不能假定订阅服务器支持除此之外的其他扩展,因此不应使用此类扩展。

If the SUBSCRIBE request contained a representation of the local session description and the subscription was accepted, then the NOTIFY body MUST contain a policy for the local session description. If the SUBSCRIBE request of an accepted subscription contained the local and the remote session description, then the NOTIFY body MUST contain two policies: one for the local and one for the remote session description.

如果订阅请求包含本地会话描述的表示,并且订阅已被接受,则通知正文必须包含本地会话描述的策略。如果已接受订阅的订阅请求包含本地和远程会话描述,则通知正文必须包含两个策略:一个用于本地,一个用于远程会话描述。

3.6. Subscriber Generation of SUBSCRIBE Requests
3.6. 订阅服务器生成订阅请求

The subscriber follows the general rules for generating SUBSCRIBE requests defined in RFC 6665 [RFC6665]. The subscriber MUST provide sufficient information in the SUBSCRIBE body to fully describe the session for which it seeks to receive session-specific policies. The subscriber MUST use the most recent session description as a basis for this information.

订阅者遵循RFC 6665[RFC6665]中定义的生成订阅请求的一般规则。订阅者必须在SUBSCRIBE body中提供足够的信息,以全面描述其寻求接收特定于会话的策略的会话。订阅者必须使用最新的会话描述作为此信息的基础。

If the "application/media-policy-dataset+xml" format is used in SUBSCRIBE bodies, the subscriber MUST provide a value for each field that is defined for session information documents [RFC6796] and for which the subscriber has information available. In other words, the subscriber MUST fill in the elements of a session information document as complete as possible. If the subscriber supports extensions of the "application/media-policy-dataset+xml" format, the subscriber MUST also provide a value for each field defined by this extension for session information documents, if possible. Providing as much information as possible avoids that a session is rejected due to a lack of session information and the negotiation of the information to be disclosed between notifier and subscriber.

如果在订阅主体中使用“应用程序/媒体策略数据集+xml”格式,则订阅方必须为会话信息文档[RFC6796]定义的每个字段提供一个值,并且订阅方具有可用信息。换句话说,订阅者必须尽可能完整地填写会话信息文档的元素。如果订阅服务器支持“应用程序/媒体策略数据集+xml”格式的扩展,则如果可能,订阅服务器还必须为此扩展为会话信息文档定义的每个字段提供值。提供尽可能多的信息可以避免由于缺少会话信息以及通知者和订户之间要公开的信息的协商而拒绝会话。

Subscriptions to this event package are typically created in conjunction with an SDP offer/answer exchange [RFC3264] during the establishment of a session (see the Session Policy Framework [RFC6794]). If used with an offer/answer exchange, the subscriber MUST insert the representation of the local session description in the SUBSCRIBE body. The local session description is the one that

此事件包的订阅通常在会话建立期间与SDP提供/应答交换[RFC3264]一起创建(请参阅会话策略框架[RFC6794])。如果与提供/应答交换一起使用,订阅者必须在订阅正文中插入本地会话描述的表示。本地会话描述是

was created by the subscriber (e.g., the offer if the subscriber has initiated the offer/answer exchange). Under certain circumstances, a UA may not have a session description when subscribing to session-specific policies, for example, when it is composing an empty INVITE request (i.e., an INVITE request that does not contain an offer). In these cases, a UA SHOULD establish a subscription without including a representation of the local session description. The UA MUST refresh the subscription with a SUBSCRIBE request that contains this session description as soon as the session description becomes available, for example, when the UA receives a 200 OK to an empty INVITE request. A policy server can choose to admit a session only after the UA has disclosed the session descriptions.

由订阅者创建(例如,如果订阅者已发起要约/应答交换,则为要约)。在某些情况下,UA在订阅特定于会话的策略时可能没有会话描述,例如,当它正在编写空的INVITE请求(即,不包含要约的INVITE请求)时。在这些情况下,UA应建立订阅,而不包括本地会话描述的表示。UA必须在会话描述变为可用时(例如,当UA接收到对空INVITE请求的200 OK时),立即使用包含该会话描述的订阅请求刷新订阅。只有在UA公开了会话描述之后,策略服务器才能选择允许会话。

The subscriber SHOULD also include a representation of the remote session description in the SUBSCRIBE body. The remote session description is the one the subscriber has received (i.e., the answer if the subscriber has initiated the offer/answer exchange). In some scenarios, the remote session description is not available to the subscriber at the time the subscription to session-specific policies is established. In this case, the initial SUBSCRIBE message SHOULD only contain a representation of the local session description. When the remote description becomes available, the subscriber SHOULD refresh the subscription by sending another SUBSCRIBE request, which then contains the local and the remote session description, unless the subscriber has received a NOTIFY request with the "local-only" parameter. This parameter indicates that the notifier does not need to see the remote session description.

订阅者还应该在订阅正文中包含远程会话描述的表示。远程会话描述是订阅者已收到的描述(即,如果订阅者已发起要约/应答交换,则为应答)。在某些情况下,在建立对特定于会话的策略的订阅时,订阅服务器无法使用远程会话描述。在这种情况下,初始订阅消息应该只包含本地会话描述的表示。当远程描述可用时,订阅者应通过发送另一个订阅请求刷新订阅,该请求随后包含本地和远程会话描述,除非订阅者已收到带有“仅本地”参数的通知请求。此参数表示通知程序不需要查看远程会话描述。

A user agent can change the session description of an ongoing session. A change in the session description will typically affect the policy decisions for this session. A subscriber MUST refresh the subscription to session-specific policies every time the session description of a session changes. It does this by sending a SUBSCRIBE request, which contains the details of the updated session descriptions.

用户代理可以更改正在进行的会话的会话描述。会话描述中的更改通常会影响此会话的策略决策。每次会话的会话描述更改时,订阅服务器都必须刷新对特定于会话的策略的订阅。它通过发送一个SUBSCRIBE请求来实现这一点,该请求包含更新的会话描述的详细信息。

A subscriber may receive an error that indicates a server failure in response to a SUBSCRIBE request. In this case, the subscriber SHOULD try to locate an alternative server, for example, using the procedures described in [RFC3263]. If no alternative server can be located, the subscriber MAY continue with the session for which it wanted to receive session-specific policies without subscribing to session-specific policies. This is to avoid that a failed policy server prevents a UA from setting up or continuing with a session. Since the sessions created by the UA may not be policy compliant without this subscription, they may be blocked by policy enforcement mechanisms if they are in place.

订阅者可能会收到一个错误,表明响应订阅请求时服务器出现故障。在这种情况下,订阅者应尝试使用[RFC3263]中所述的步骤查找备用服务器。如果找不到替代服务器,订阅者可以继续其希望接收特定于会话的策略的会话,而不订阅特定于会话的策略。这是为了避免出现故障的策略服务器阻止UA设置或继续会话。由于UA创建的会话在没有此订阅的情况下可能不符合策略,因此如果策略执行机制已就位,则可能会阻止会话。

Session policies can contain sensitive information. Moreover, policy decisions can significantly impact the behavior of a user agent. A user agent should therefore verify the identity of a policy server and make sure that policies have not been altered in transit. All implementations of this package MUST support Transport Layer Security (TLS) [RFC5246] and the Session Initiation Protocol Secure (SIPS) URI scheme. A subscriber SHOULD use SIPS URIs when subscribing to session-specific policies so that policies are transmitted over TLS. See Section 4.

会话策略可能包含敏感信息。此外,策略决策可以显著影响用户代理的行为。因此,用户代理应该验证策略服务器的身份,并确保策略在传输过程中没有被更改。此包的所有实现必须支持传输层安全(TLS)[RFC5246]和会话启动协议安全(SIPS)URI方案。订阅者在订阅特定于会话的策略时应使用SIPS URI,以便通过TLS传输策略。见第4节。

3.7. Notifier Processing of SUBSCRIBE Requests
3.7. 订阅请求的通知程序处理

All subscriptions to session-specific policies SHOULD be authenticated and authorized before approval. However, a policy server may frequently encounter UAs it cannot authenticate. In these cases, the policy server MAY provide a generic policy that does not reveal sensitive information to these UAs. For details, see Section 4.

在批准之前,应对会话特定策略的所有订阅进行身份验证和授权。但是,策略服务器可能经常遇到无法进行身份验证的UAs。在这些情况下,策略服务器可以提供不向这些UAs透露敏感信息的通用策略。有关详细信息,请参见第4节。

The authorization policy is at the discretion of the administrator. In general, all users SHOULD be allowed to subscribe to the session-specific policies of their sessions. A subscription to this event package will typically be established by a device that needs to know about the policies for its sessions. However, subscriptions may also be established by applications (e.g., a conference server). In those cases, an authorization policy will typically be provided for these applications.

授权策略由管理员自行决定。通常,应允许所有用户订阅其会话的特定于会话的策略。此事件包的订阅通常由需要了解其会话策略的设备建立。然而,订阅也可以由应用程序(例如,会议服务器)建立。在这些情况下,通常会为这些应用程序提供授权策略。

Responding in a timely manner to a SUBSCRIBE request is crucial for this event package. A notifier must minimize the time needed for processing SUBSCRIBE requests and generating the initial NOTIFY request. This includes minimizing the time needed to generate an initial policy decision. In particular, a short response time is important for this event package since it minimizes the delay for fetching policies during an INVITE transaction and therefore reduces call setup time. In addition, subscriptions to session-specific policies can be established while the subscriber is in an INVITE transaction at a point where it has received the 200 OK but before sending the ACK. Delaying the creation of the initial NOTIFY request would delay the transmission of the ACK. A more detailed discussion of this scenario can be found in the Session Policy Framework [RFC6794].

及时响应订阅请求对于此事件包至关重要。通知程序必须尽可能减少处理订阅请求和生成初始通知请求所需的时间。这包括尽可能减少生成初始策略决策所需的时间。特别是,短响应时间对于此事件包非常重要,因为它可以将INVITE事务期间获取策略的延迟降至最低,从而减少调用设置时间。此外,当订阅服务器在接收到200 OK但在发送ACK之前处于INVITE事务中时,可以建立对特定于会话的策略的订阅。延迟初始通知请求的创建将延迟ACK的传输。在会话策略框架[RFC6794]中可以找到关于此场景的更详细讨论。

A subscriber may not have disclosed enough information in the SUBSCRIBE request to enable the notifier to generate a policy decision. For example, a UA may have subscribed to session-specific policies without including the representation of a session description. The policy server SHOULD accept such a subscription.

订户可能没有在订阅请求中披露足够的信息,以使通知程序能够生成策略决策。例如,UA可能已经订阅了特定于会话的策略,而不包括会话描述的表示。策略服务器应该接受这样的订阅。

The policy server SHOULD generate a NOTIFY request that includes the "insufficient-info" event package parameter. A NOTIFY request with this parameter indicates that a policy decision could not be made due to insufficient information. The body of such a NOTIFY request can either be empty or contain a policy decision document that provides hints about which information was missing.

策略服务器应生成包含“信息不足”事件包参数的通知请求。具有此参数的NOTIFY请求表示由于信息不足而无法做出策略决策。此类通知请求的主体可以是空的,也可以包含一个策略决策文档,该文档提供有关缺少哪些信息的提示。

3.8. Notifier Generation of NOTIFY Requests
3.8. 通知程序生成通知请求

A notifier sends a notification in response to SUBSCRIBE requests as defined in RFC 6665 [RFC6665]. In addition, a notifier MAY send a notification at any time during the subscription. Typically, it will send one every time the policy decision this subscription is for has changed. When and why a policy decision changes is entirely at the discretion of the administrator. A policy decision can change for many reasons. For example, a network may become congested due to an increase in traffic and reduce the bandwidth available to an individual user. Another example is a session that has been started during "business hours" and continues into "evening hours" where more bandwidth or video sessions are available to the user according to the service level agreement.

通知程序发送通知以响应RFC 6665[RFC6665]中定义的订阅请求。此外,通知程序可以在订阅期间的任何时间发送通知。通常,每次更改此订阅的策略决策时,它都会发送一个。政策决定更改的时间和原因完全由管理员决定。一项政策决定可能会因为许多原因而改变。例如,网络可能由于通信量的增加而变得拥挤,并减少单个用户可用的带宽。另一个示例是在“营业时间”期间启动并持续到“夜间”的会话,其中根据服务级别协议,用户可以使用更多带宽或视频会话。

Policy decisions are expressed in the format negotiated for the NOTIFY body (e.g., "application/media-policy-dataset+xml"). The policy document in a NOTIFY body MUST represent a complete policy decision. Notifications that contain the deltas to previous policy decisions or partial policy decisions are not supported in this event package.

策略决策以为通知主体协商的格式表示(例如,“应用程序/媒体策略数据集+xml”)。通知机构中的策略文档必须表示完整的策略决策。此事件包不支持包含以前策略决策或部分策略决策的增量的通知。

The notifier SHOULD terminate the subscription if the policy decision is to reject a session and if it can be expected that this decision will not change in the foreseeable future. The notifier SHOULD keep the subscription alive, if it rejects a session but expects that the session can be admitted soon. For example, if the session was rejected due to a temporary shortage of resources and the notifier expects that these resources will become available again shortly it should keep the subscription alive. The decision to reject a session is expressed in the policy decision document. A session is admitted by returning a policy decision document that requires some or no changes to the session.

如果策略决定拒绝会话,并且可以预期此决定在可预见的将来不会更改,则通知程序应终止订阅。如果通知程序拒绝某个会话,但希望该会话可以很快被接纳,则通知程序应使订阅保持活动状态。例如,如果会话由于资源暂时短缺而被拒绝,并且通知程序希望这些资源很快会再次可用,那么它应该使订阅保持活动状态。拒绝会议的决定在政策决定文件中表达。通过返回需要对会话进行部分更改或不进行更改的策略决策文档,会话被接纳。

If the notifier has not received enough information to make a policy decision from the subscriber (e.g., because it did not receive a session description), the notifier SHOULD NOT terminate the subscription since it can be expected that the UA refreshes the subscription with a SUBSCRIBE request that contains more information. The notifier SHOULD generate a NOTIFY request with the "insufficient-info" event package parameter to indicate that a policy decision

如果通知程序没有从订阅者处收到足够的信息来做出策略决策(例如,因为它没有收到会话描述),通知程序不应该终止订阅,因为可以预期UA会使用包含更多信息的订阅请求刷新订阅。通知程序应生成带有“信息不足”事件包参数的通知请求,以指示策略决策

could not be made due to insufficient information. This NOTIFY request can contain an empty body or a body that contains a policy decision document indicating which information was missing.

由于信息不足,无法创建。此NOTIFY请求可以包含空正文,也可以包含指示缺少哪些信息的策略决策文档的正文。

Some session-specific policies do not require the disclosure of the remote session description to the notifier. If a notifier determines that this is the case after receiving a SUBSCRIBE request, the notifier SHOULD include the "local-only" event parameter in NOTIFY requests.

某些特定于会话的策略不要求向通知程序披露远程会话描述。如果通知程序在收到订阅请求后确定是这种情况,则通知程序应在通知请求中包含“仅本地”事件参数。

3.9. Subscriber Processing of NOTIFY Requests
3.9. 订户处理通知请求

A subscriber MUST apply the policy decision received in a NOTIFY request to the session associated with this subscription. If the UA decides not to apply the received policy decision, the UA MUST NOT set up the session and MUST terminate the session if the session is already in progress. If the UA has a pending INVITE transaction for this session, the UA MUST cancel or reject the INVITE request.

订阅者必须将NOTIFY请求中收到的策略决定应用于与此订阅关联的会话。如果UA决定不应用收到的策略决定,UA不得设置会话,如果会话已在进行中,则必须终止会话。如果UA对此会话有一个挂起的INVITE事务,UA必须取消或拒绝INVITE请求。

If the subscriber receives a NOTIFY request indicating that the session has been rejected, the subscriber MUST NOT attempt to establish this session. If the notifier has terminated the subscription after rejecting the session, the subscriber SHOULD NOT try to re-send the same SUBSCRIBE request again. The termination of the subscription by the notifier indicates that the policy decision for this session is final and will not change in the foreseeable future. The subscriber MAY try to re-subscribe for this session if at least one aspect of the session (e.g., a parameter in the session description or the target URI) has changed or if there is other reason to believe that re-trying the subscription will be successful (e.g., because time has progressed significantly since the last attempt).

如果订阅服务器收到通知请求,指示会话已被拒绝,则订阅服务器不得尝试建立此会话。如果通知程序在拒绝会话后终止了订阅,则订阅服务器不应再次尝试重新发送相同的订阅请求。通知程序终止订阅表示此会话的策略决定是最终的,在可预见的将来不会更改。如果会话的至少一个方面(例如,会话描述中的参数或目标URI)已经改变,或者如果有其他理由相信重新尝试订阅将成功(例如,因为自上次尝试以来时间已经显著进步),订户可以尝试重新订阅该会话。

The notifier may keep up the subscription after rejecting a session to indicate that it may send an updated policy decision for this session to the subscriber at a later time. This is useful, for example, if the session was rejected due to a temporary shortage of resources and the notifier expects that this problem to be resolved shortly. In another example, the session was rejected because it was attempted in a restricted period during the day but this period is going to end soon. In this case, the subscriber SHOULD not terminate the subscription to session-specific policies.

通知程序可在拒绝会话后继续订阅,以指示其可在稍后向订户发送此会话的更新策略决策。例如,如果会话由于暂时的资源短缺而被拒绝,并且通知程序希望这个问题很快得到解决,那么这将非常有用。在另一个示例中,会话被拒绝,因为它是在一天中的限制时间内尝试的,但该时间段即将结束。在这种情况下,订阅服务器不应终止对特定于会话的策略的订阅。

The subscriber may receive a NOTIFY request that contains an "insufficient-info" event package parameter to indicate that the SUBSCRIBE request did not contain enough information. The subscriber

订户可能会收到包含“信息不足”事件包参数的通知请求,以指示订阅请求没有包含足够的信息。订户

SHOULD refresh the subscription with more complete information as soon as the missing information (e.g., the session description) is available.

一旦丢失的信息(如会话描述)可用,应立即使用更完整的信息刷新订阅。

A subscriber may receive an update to a policy decision for a session that is already established. The subscriber MUST apply the new policy decision to this session. If a UA decides that it does not want to apply the new policy decision, the UA MUST terminate the session. An updated policy decision may require the UA to generate a re-INVITE or UPDATE request in this session if the session description has changed or it may need to terminate this session. A policy update that requires a UA to terminate a session can, for example, be triggered by the user's account running out of credit or the detection of an emergency that requires the termination of non-emergency calls.

订户可能会收到已建立会话的策略决策更新。订户必须将新策略决策应用于此会话。如果UA决定不想应用新的策略决定,则UA必须终止会话。如果会话描述已更改或可能需要终止此会话,则更新的策略决策可能要求UA在此会话中生成重新邀请或更新请求。例如,需要UA终止会话的策略更新可以由用户的帐户信用耗尽或检测到需要终止非紧急呼叫的紧急情况触发。

If the subscriber receives a NOTIFY request that contains the "local-only" event parameter, the subscriber SHOULD NOT include the remote session description in subsequent SUBSCRIBE requests within this subscription.

如果订阅服务器收到包含“仅本地”事件参数的NOTIFY请求,则订阅服务器不应在此订阅中的后续订阅请求中包含远程会话描述。

3.10. Handling of Forked Requests
3.10. 分叉请求的处理

This event package allows the creation of only one dialog as a result of an initial SUBSCRIBE request. The techniques to achieve this behavior are described in [RFC6665].

此事件包仅允许作为初始订阅请求的结果创建一个对话框。[RFC6665]中描述了实现此行为的技术。

3.11. Rate of Notifications
3.11. 通知率

It is anticipated that the rate of policy changes will be very low. In any case, notifications SHOULD NOT be generated at a rate of more than once every five seconds.

预计政策变化率将非常低。在任何情况下,通知的生成速率都不应超过每五秒钟一次。

3.12. State Agents
3.12. 国家代理人

State agents play no role in this package.

州代理在此包中不起作用。

3.13. Examples
3.13. 例子

The following message flow illustrates how a user agent (Alice's phone) can subscribe to session-specific policies when establishing a call (here to Bob's phone). The flow assumes that the user agent has already received the policy server URI (e.g., through configuration or as described in the Session Policy Framework [RFC6794]), and it does not show messages for authentication on a transport or SIP level.

下面的消息流说明了用户代理(Alice的电话)在建立呼叫(这里是Bob的电话)时如何订阅特定于会话的策略。该流假设用户代理已经接收到策略服务器URI(例如,通过配置或会话策略框架[RFC6794]中所述),并且它不显示传输或SIP级别的身份验证消息。

These call flow examples are informative and not normative.

这些调用流示例是信息性的,而不是规范性的。

Implementers should consult the main text of this document for exact protocol details.

实施者应参考本文档的主要文本以了解确切的协议细节。

   Policy Server          Alice                Bob
       |                   |                   |
       |(1) SUBSCRIBE      |                   |
       |<------------------|                   |
       |(2) 200 OK         |                   |
       |------------------>|                   |
       |(3) NOTIFY         |                   |
       |------------------>|                   |
       |(4) 200 OK         |                   |
       |<------------------|                   |
       |                   |(5) INVITE         |
       |                   |------------------>|
       |                   |                   |
       |                   |(6) 200 OK         |
       |                   |<------------------|
       |                   |(7) ACK            |
       |                   |------------------>|
       |(8) SUBSCRIBE      |                   |
       |<------------------|                   |
       |(9) 200 OK         |                   |
       |------------------>|                   |
       |(10) NOTIFY        |                   |
       |------------------>|                   |
       |(11) 200 OK        |                   |
       |<------------------|                   |
       |                   |                   |
        
   Policy Server          Alice                Bob
       |                   |                   |
       |(1) SUBSCRIBE      |                   |
       |<------------------|                   |
       |(2) 200 OK         |                   |
       |------------------>|                   |
       |(3) NOTIFY         |                   |
       |------------------>|                   |
       |(4) 200 OK         |                   |
       |<------------------|                   |
       |                   |(5) INVITE         |
       |                   |------------------>|
       |                   |                   |
       |                   |(6) 200 OK         |
       |                   |<------------------|
       |                   |(7) ACK            |
       |                   |------------------>|
       |(8) SUBSCRIBE      |                   |
       |<------------------|                   |
       |(9) 200 OK         |                   |
       |------------------>|                   |
       |(10) NOTIFY        |                   |
       |------------------>|                   |
       |(11) 200 OK        |                   |
       |<------------------|                   |
       |                   |                   |
        

Message Details

消息详细信息

(1) SUBSCRIBE Alice -> Policy Server

(1) 订阅Alice->策略服务器

        SUBSCRIBE sips:policy@biloxi.example.com SIP/2.0
        Via: SIP/2.0/TLS pc.biloxi.example.com:5061
         ;branch=z9hG4bK74bf
        Max-Forwards: 70
        From: Alice <sips:alice@biloxi.example.com>;tag=8675309
        To: PS <sips:policy@biloxi.example.com>
        Call-ID: rt4353gs2egg@pc.biloxi.example.com
        CSeq: 1 SUBSCRIBE
        Contact: <sips:alice@pc.biloxi.example.com>
        Expires: 7200
        Event: session-spec-policy
        Accept: application/media-policy-dataset+xml
        Content-Type: application/media-policy-dataset+xml
        
        SUBSCRIBE sips:policy@biloxi.example.com SIP/2.0
        Via: SIP/2.0/TLS pc.biloxi.example.com:5061
         ;branch=z9hG4bK74bf
        Max-Forwards: 70
        From: Alice <sips:alice@biloxi.example.com>;tag=8675309
        To: PS <sips:policy@biloxi.example.com>
        Call-ID: rt4353gs2egg@pc.biloxi.example.com
        CSeq: 1 SUBSCRIBE
        Contact: <sips:alice@pc.biloxi.example.com>
        Expires: 7200
        Event: session-spec-policy
        Accept: application/media-policy-dataset+xml
        Content-Type: application/media-policy-dataset+xml
        

Content-Length: ...

内容长度:。。。

[Local session description (offer)]

[本地会话描述(提供)]

(2) 200 OK Policy Server -> Alice

(2) 200确定策略服务器->Alice

(3) NOTIFY Policy Server -> Alice

(3) 通知策略服务器->Alice

NOTIFY sips:alice@pc.biloxi.example.com SIP/2.0 Via: SIP/2.0/TLS srvr.biloxi.example.com:5061 ;branch=z9hG4bK74br Max-Forwards: 70 From: PS <sips:policy@biloxi.example.com>;tag=31451098 To: Alice <sips:alice@biloxi.example.com>;tag=8675309 Call-ID: rt4353gs2egg@pc.biloxi.example.com CSeq: 1 NOTIFY Event: session-spec-policy Subscription-State: active;expires=7200 Content-Type: application/media-policy-dataset+xml Content-Length: ...

通知sips:alice@pc.biloxi.example.comSIP/2.0 Via:SIP/2.0/TLS srvr.biloxi.example.com:5061;分支=z9hG4bK74br最大转发:70从:PS<sips:policy@biloxi.example.com>;标签=31451098至:Alice<sips:alice@biloxi.example.com>;tag=8675309呼叫ID:rt4353gs2egg@pc.biloxi.example.comCSeq:1通知事件:会话规范策略订阅状态:活动;expires=7200内容类型:应用程序/媒体策略数据集+xml内容长度:。。。

[Policy for local session description (offer)]

[本地会话描述(提供)策略]

(4) 200 OK Alice -> Policy Server

(4) 200 OK Alice->策略服务器

(5) INVITE Alice -> Bob

(5) 邀请爱丽丝->鲍勃

(6) 200 OK Bob -> Alice

(6) 200好的鲍勃->爱丽丝

(7) ACK Alice -> Bob

(7) 阿克爱丽丝->鲍勃

(8) SUBSCRIBE Alice -> Policy Server

(8) 订阅Alice->策略服务器

SUBSCRIBE sips:policy@biloxi.example.com SIP/2.0 Via: SIP/2.0/TLS pc.biloxi.example.com:5061 ;branch=z9hG4bKna998sl Max-Forwards: 70 From: Alice <sips:alice@biloxi.example.com>;tag=8675309 To: PS <sips:policy@biloxi.example.com>;tag=31451098 Call-ID: rt4353gs2egg@pc.biloxi.example.com CSeq: 2 SUBSCRIBE Expires: 7200 Event: session-spec-policy Accept: application/media-policy-dataset+xml Content-Type: application/media-policy-dataset+xml Content-Length: ...

订阅sips:policy@biloxi.example.comSIP/2.0 Via:SIP/2.0/TLS pc.biloxi.example.com:5061;branch=z9hG4bKna998sl最大转发:70发件人:Alice<sips:alice@biloxi.example.com>;标签=8675309至:PS<sips:policy@biloxi.example.com>;tag=31451098呼叫ID:rt4353gs2egg@pc.biloxi.example.comCSeq:2订阅过期:7200事件:会话规范策略接受:应用程序/媒体策略数据集+xml内容类型:应用程序/媒体策略数据集+xml内容长度:。。。

[Local session description (offer)] [Remote session description (answer)]

[本地会话描述(提供)][远程会话描述(应答)]

(9) 200 OK Policy Server -> Alice

(9) 200确定策略服务器->Alice

(10) NOTIFY Policy Server -> Alice

(10) 通知策略服务器->Alice

NOTIFY sips:alice@pc.biloxi.example.com SIP/2.0 Via: SIP/2.0/TLS srvr.biloxi.example.com:5061 ;branch=z9hG4bKna998sk Max-Forwards: 70 From: PS <sips:policy@biloxi.example.com>;tag=31451098 To: Alice <sips:alice@biloxi.example.com>;tag=8675309 Call-ID: rt4353gs2egg@pc.biloxi.example.com CSeq: 2 NOTIFY Event: session-spec-policy Subscription-State: active;expires=7200 Content-Type: application/media-policy-dataset+xml Content-Length: ...

通知sips:alice@pc.biloxi.example.comSIP/2.0 Via:SIP/2.0/TLS srvr.biloxi.example.com:5061;分支=z9hG4bKna998sk最大转发:70从:PS<sips:policy@biloxi.example.com>;标签=31451098至:Alice<sips:alice@biloxi.example.com>;tag=8675309呼叫ID:rt4353gs2egg@pc.biloxi.example.comCSeq:2通知事件:会话规范策略订阅状态:活动;expires=7200内容类型:应用程序/媒体策略数据集+xml内容长度:。。。

[Policy for local session description (offer)] [Policy for remote session description (answer)]

[本地会话描述策略(提供)][远程会话描述策略(应答)]

F6 200 OK Alice -> Policy Server

F6 200 OK Alice->策略服务器

4. Security Considerations
4. 安全考虑

Session policies can significantly change the behavior of a user agent and can therefore be used by an attacker to compromise a user agent. For example, session policies can be used to prevent a user agent from successfully establishing a session (e.g., by setting the available bandwidth to zero). Such a policy can be submitted to the user agent during a session, which may cause the UA to terminate the session.

会话策略可以显著改变用户代理的行为,因此攻击者可以利用会话策略危害用户代理。例如,会话策略可用于防止用户代理成功建立会话(例如,通过将可用带宽设置为零)。这样的策略可以在会话期间提交给用户代理,这可能导致UA终止会话。

A user agent transmits session information to a policy server. This information may contain sensitive data the user may not want an eavesdropper or an unauthorized policy server to see. For example, the session information may contain the encryption keys for media streams. Vice versa, session policies may also contain sensitive information about the network or service level agreements the service provider may not want to disclose to an eavesdropper or an unauthorized user agent.

用户代理将会话信息传输到策略服务器。此信息可能包含用户不希望窃听者或未经授权的策略服务器看到的敏感数据。例如,会话信息可以包含媒体流的加密密钥。反之亦然,会话策略还可能包含有关网络或服务级别协议的敏感信息,服务提供商可能不想向窃听者或未经授权的用户代理透露这些信息。

It is therefore important to secure the communication between the user agent and the policy server. The following three discrete attributes need to be protected:

因此,保护用户代理和策略服务器之间的通信非常重要。需要保护以下三个离散属性:

1. authentication of the policy server and, if needed, the user agent,

1. 策略服务器和用户代理(如果需要)的身份验证,

2. confidentiality of the messages exchanged between the user agent and the policy server, and

2. 用户代理和策略服务器之间交换的消息的机密性,以及

3. ensuring that private information is not exchanged between the two parties, even over a confidentiality-assured and authenticated session.

3. 确保双方之间不交换私人信息,即使是在保密和认证的会话中。

Authentication of the peers and protecting the confidentiality of the policies in transit is achieved by existing SIP security mechanisms (the use of TLS and SIPS URI scheme [RFC3261], [RFC5630]).

通过现有的SIP安全机制(使用TLS和SIPS URI方案[RFC3261]、[RFC5630]),实现对等方的身份验证和保护传输中策略的机密性。

Accordingly, policy servers SHOULD be addressable only through a SIPS URI. Policy server and user agent MUST support TLS. The confidentiality of the communication between the policy server and the user agent will be assured as long as the policy server supports TLS and is reached through a SIPS URI.

因此,策略服务器应该只能通过SIPS URI寻址。策略服务器和用户代理必须支持TLS。只要策略服务器支持TLS并通过SIPS URI访问,就可以确保策略服务器和用户代理之间通信的机密性。

Authenticating the two parties can be performed using X.509 certificates exchanged through TLS and other techniques such as HTTP Digest. When the user agent establishes a TLS session with the policy server, the policy server will present it with an X.509 certificate. The user agent SHOULD ensure that the identity of the policy server encoded in the certificate matches the URI of the policy server the user agent has received either using the Session Policy Framework [RFC6794] or other means such as configuration.

可以使用通过TLS和其他技术(如HTTP摘要)交换的X.509证书对双方进行身份验证。当用户代理与策略服务器建立TLS会话时,策略服务器将向其提供X.509证书。用户代理应确保证书中编码的策略服务器的标识与用户代理使用会话策略框架[RFC6794]或其他方式(如配置)接收到的策略服务器的URI匹配。

When a policy server receives a new subscription (as opposed to a refresh subscription), the policy server SHOULD try to authenticate the user agent using any means at its disposal. If the user agent has an X.509 certificate suitable for use with TLS, the identity of the user agent SHOULD be contained in the certificate, or, if the user agent does not possess a certificate, the policy server SHOULD challenge the user agent using HTTP Digest. A policy server may frequently encounter UAs it cannot authenticate. In these cases, the policy server MAY provide a generic policy that does not reveal sensitive information to these UAs.

当策略服务器接收到新订阅(与刷新订阅相反)时,策略服务器应尝试使用其可用的任何方法对用户代理进行身份验证。如果用户代理具有适合与TLS一起使用的X.509证书,则证书中应包含用户代理的标识,或者,如果用户代理不拥有证书,则策略服务器应使用HTTP摘要质询用户代理。策略服务器可能经常遇到无法进行身份验证的UAs。在这些情况下,策略服务器可以提供不向这些UAs透露敏感信息的通用策略。

If the subscriber and notifier desire to protect the integrity of the policy exchange in an end-to-end manner, they MAY use S/MIME to protect the session policies. However, RFC3261 cautions that "[i]mplementers should note, however, that there may be rare network

如果订阅者和通知者希望以端到端的方式保护策略交换的完整性,他们可以使用S/MIME来保护会话策略。然而,RFC3261警告说:“然而,实施者应该注意,可能存在罕见的网络

intermediaries (not typical proxy servers) that rely on viewing or modifying the bodies of SIP messages (especially SDP), and that secure MIME may prevent these sorts of intermediaries from functioning" [RFC3261].

依赖于查看或修改SIP消息体(尤其是SDP)的中间层(不是典型的代理服务器),并且安全MIME可能会阻止此类中间层正常工作“[RFC3261]。

And finally, the fact that the user agent and the policy server have successfully authenticated each other and have established a secure TLS session does not absolve either one from ensuring that they do not communicate sensitive information. For example, a session description may contain sensitive information -- session keys, for example -- that the user agent may not want to share with the policy server; and indeed, the policy server does not need such information to effectively formulate a policy. Thus, the user agent should not insert such sensitive information in a session information document that it sends to the policy server. Likewise, the policy server may have information that is sensitive and of no use to the user agent -- network service level agreements, or network statistics, for example. Thus, the policy server should refrain from transmitting such information to the user agent.

最后,用户代理和策略服务器已经成功地相互验证并建立了安全的TLS会话,这一事实并不能免除任何一方确保它们不传递敏感信息的责任。例如,会话描述可能包含用户代理可能不想与策略服务器共享的敏感信息(例如会话密钥);实际上,策略服务器不需要这些信息来有效地制定策略。因此,用户代理不应在发送给策略服务器的会话信息文档中插入此类敏感信息。类似地,策略服务器可能具有对用户代理敏感且无用的信息,例如,网络服务级别协议或网络统计信息。因此,策略服务器应避免向用户代理发送此类信息。

5. IANA Considerations
5. IANA考虑
5.1. Event Package Name
5.1. 事件包名称

This specification registers an event package as follows, based on the registration procedures defined in RFC 6665 [RFC6665].

本规范根据RFC 6665[RFC6665]中定义的注册过程,按如下方式注册事件包。

Package Name: session-spec-policy

包名称:会话规范策略

Package or Template-Package: This is a package.

包或模板包:这是一个包。

Published Document: RFC 6795.

出版文件:RFC6795。

Person to Contact: Volker Hilt, volker.hilt@bell-labs.com.

联系人:沃尔克·希尔特,沃尔克。hilt@bell-实验室网站。

6. References
6. 工具书类
6.1. Normative References
6.1. 规范性引用文件

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002.

[RFC3261]Rosenberg,J.,Schulzrinne,H.,Camarillo,G.,Johnston,A.,Peterson,J.,Sparks,R.,Handley,M.,和E.Schooler,“SIP:会话启动协议”,RFC 3261,2002年6月。

[RFC3263] Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol (SIP): Locating SIP Servers", RFC 3263, June 2002.

[RFC3263]Rosenberg,J.和H.Schulzrinne,“会话启动协议(SIP):定位SIP服务器”,RFC 3263,2002年6月。

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.

[RFC5246]Dierks,T.和E.Rescorla,“传输层安全(TLS)协议版本1.2”,RFC 5246,2008年8月。

[RFC6665] Roach, A., "SIP-Specific Event Notification", RFC 6665, July 2012.

[RFC6665]Roach,A.,“SIP特定事件通知”,RFC 66652012年7月。

[RFC6794] Hilt, V., Camarillo, G., and J. Rosenberg, "A Framework for Session Initiation Protocol (SIP) Session Policies", RFC 6794, December 2012.

[RFC6794]Hilt,V.,Camarillo,G.,和J.Rosenberg,“会话启动协议(SIP)会话策略框架”,RFC 67942012年12月。

[RFC6796] Hilt, V., Camarillo, G., Rosenberg, J., and D. Worley, "A User Agent Profile Data Set for Media Policy", RFC 6796, December 2012.

[RFC6796]Hilt,V.,Camarillo,G.,Rosenberg,J.,和D.Worley,“媒体策略的用户代理配置文件数据集”,RFC 67962012年12月。

6.2. Informative References
6.2. 资料性引用

[RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model with Session Description Protocol (SDP)", RFC 3264, June 2002.

[RFC3264]Rosenberg,J.和H.Schulzrinne,“具有会话描述协议(SDP)的提供/应答模型”,RFC 3264,2002年6月。

[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session Description Protocol", RFC 4566, July 2006.

[RFC4566]Handley,M.,Jacobson,V.,和C.Perkins,“SDP:会话描述协议”,RFC4566,2006年7月。

[RFC5630] Audet, F., "The Use of the SIPS URI Scheme in the Session Initiation Protocol (SIP)", RFC 5630, October 2009.

[RFC5630]Audet,F.“会话启动协议(SIP)中SIPS URI方案的使用”,RFC 5630,2009年10月。

Appendix A. Acknowledgements
附录A.确认书

Many thanks to Jonathan Rosenberg for the discussions and suggestions for this document. Many thanks to Roni Even, Bob Penfield, Mary Barnes, Shida Schubert and Jon Peterson for reviewing the document and to Vijay Gurbani for the contributions to the Security Considerations section.

非常感谢Jonathan Rosenberg对本文件的讨论和建议。非常感谢Roni、Bob Penfield、Mary Barnes、Shida Schubert和Jon Peterson审阅了该文件,并感谢Vijay Gurbani对安全考虑部分的贡献。

Authors' Addresses

作者地址

Volker Hilt Bell Labs/Alcatel-Lucent Lorenzstrasse 10 70435 Stuttgart Germany

沃尔克希尔特贝尔实验室/德国斯图加特阿尔卡特朗讯洛伦茨特拉斯10 70435

   EMail: volker.hilt@bell-labs.com
        
   EMail: volker.hilt@bell-labs.com
        

Gonzalo Camarillo Ericsson Hirsalantie 11 Jorvas 02420 Finland

Gonzalo Camarillo Ericsson Hirsalantie 11 Jorvas 02420芬兰

   EMail: Gonzalo.Camarillo@ericsson.com
        
   EMail: Gonzalo.Camarillo@ericsson.com