Internet Engineering Task Force (IETF)                     J. van Elburg
Request for Comments: 7316                    Detecon International Gmbh
Category: Informational                                         K. Drage
ISSN: 2070-1721                                           Alcatel-Lucent
                                                               M. Ohsugi
                                                             S. Schubert
                                                                 K. Arai
                                                                     NTT
                                                               July 2014
The Session Initiation Protocol (SIP) P-Private-Network-Indication Private Header (P-Header)
Abstract
This document specifies the SIP P-Private-Network-Indication P-header used by the 3GPP. The P-Private-Network-Indication indicates that the message is part of the message traffic of a private network and identifies that private network. A private network indication allows nodes to treat private network traffic according to a different set of rules than the set applicable to public network traffic.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7316.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
   1. Introduction
      1.1. Overview
      1.2. Applicability
      1.3. Background
      1.4. Business Communication
      1.5. Indication Types
   2. Conventions
   3. Definitions
      3.1. Traffic
      3.2. Public Network Traffic
      3.3. Private Network Traffic
      3.4. Break-In
      3.5. Break-Out
      3.6. Trust Domain
   4. Application of Terminology
   5. Overview of Solution
   6. Proxy Behavior
      6.1. P-Private-Network-Indication Generation
      6.2. P-Private-Network-Indication Consumption
      6.3. P-Private-Network-Indication Removal
      6.4. P-Private-Network-Indication Verification
   7. P-Private-Network-Indication Header Field Definition
   8. Security Considerations
   9. IANA Considerations
   10. Acknowledgments
   11. References
      11.1. Normative References
      11.2. Informative References
1. Introduction

1.1. Overview

ETSI TISPAN (Telecommunications and Internet converged Services and Protocols for Advanced Networking) defined Next Generation Networks (NGNs), which use the 3GPP IP Multimedia Subsystem (IMS), which, in turn, uses SIP [RFC3261] as its main signaling protocol. For more information on the IMS, a detailed description can be found in 3GPP TS 23.228 [3GPP.23.228] and 3GPP TS 24.229 [3GPP.24.229]. 3GPP and ETSI TISPAN have identified a set of requirements that can be met by defining a new optional SIP header, according to the procedures in RFC 5727 [RFC5727].
1.2. Applicability

The P-Private-Network-Indication header field is intended to be used in controlled closed networks like 3GPP IMS and ETSI TISPAN NGNs. The P-Private-Network-Indication header is not intended for the general Internet environment and is probably not suitable for such an environment.
For example, there are no mechanisms defined to prevent spoofing of this header. So, if a network were to accept calls carrying this header from the general Internet, an attacker would be able to inject information into private networks.
1.3. Background

The P-Private-Network-Indication header field has been referred to in 3GPP IMS specifications and has already been used in some networks as an indicator for a specific capability. The header field has already been implemented in some vendors' equipment in some countries. RFC 5727 [RFC5727] prohibits the new proposal of P-header "unless existing deployments or standards use the prefix already". The P-Private-Network-Indication header field is already used by existing deployments and 3GPP standards; therefore, this is exactly the case where the P-header is allowed as an exception.
1.4. Business Communication

ETSI TISPAN has identified a framework, which was adopted by 3GPP as [3GPP.22.519], for the support of business communication capabilities by the NGN. In addition to the direct attachment of Next Generation Corporate Network (NGCN) equipment, this includes the capability to "host" functionality relating to an enterprise within the NGN itself.
These hosting arrangements are:
a) virtual leased line, where NGCN sites are interconnected through the NGN;
b) business trunking application, where the NGN hosts transit capabilities between NGCNs; break-in capabilities, where the NGN converts public network traffic to private network traffic for delivery at a served NGCN; and break-out capabilities, where the NGN converts private network traffic from a served NGCN to public network traffic; and
c) hosted enterprise services, where an NGN hosts originating and/or terminating business communication capabilities for business communication users that are directly attached to an NGN.
ETSI TISPAN has requirements that can be met by the introduction of an explicit indication for private network traffic.
1.5. Indication Types

The traffic generated or received by a public NGN on behalf of a private network can be either:
1) public network traffic: traffic sent to or received from an NGN for processing according to the rules for ordinary subscribers of a public telecommunication network. This type of traffic is known as public network traffic.
2) private network traffic: traffic sent to the NGN for processing according to an agreed set of rules specific to an enterprise. This type of traffic is known as private network traffic. Private network traffic is normally exchanged within a single enterprise, but private network traffic can also be exchanged between two or more different enterprises, based on some prior arrangements, if not precluded for regulatory reasons.
A private network indication as proposed by this document indicates to the receiving network element (supporting this specification) that this request is related to private network traffic as opposed to public network traffic. This indication does not identify an end user on a private network and is not for delivery to an end user on the private network. It is an indication that special service arrangements apply (if such service is configured based on private network traffic) for an enterprise; therefore, it is an indication of service on behalf of an enterprise, not an indication of service to a private network's end user.
In order to allow NGN IMS nodes to perform different processing, ETSI TISPAN formulated the following requirements for NGN. The NGN shall:
a) distinguish public network traffic from private network traffic; and
b) distinguish private network traffic belonging to one enterprise from that belonging to another enterprise.
To summarize, a few example reasons for a public NGN to make the distinction between the two types of traffic include:
1) Different regulations apply to two types of traffic, for example, emergency calls may be handled differently depending on the type of traffic.
2) Different charging regimes may apply.
3) Call recording for business reasons (e.g., quality control, training, non-repudiation) might apply only to a specific type of traffic.
4) Different levels of signaling and/or media transparency may apply to the different types of traffic.
There are several reasons why there is a need for an explicit indication in the signaling:
a) Caller and callee addresses cannot always be used to determine whether a certain call is to be treated as private or public network traffic.
b) Nodes spanning multiple networks often need to have different behavior depending upon the type of traffic. When this is done using implicit schemes, enterprise-specific logic must be distributed across multiple nodes in multiple operators' networks. That is clearly not a manageable architecture and solution.
c) There may be cases where treating the call as a public network call although both participants are from the same enterprise is advantageous to the enterprise.
Based on the background provided, this document formulates requirements for SIP to support an explicit private network indication and defines a P-header, P-Private-Network-Indication, to support those requirements.
2. Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [RFC2119].
3. Definitions

3.1. Traffic

In the context of this document, the term "traffic" is understood as all communication pertaining to and/or controlled by a SIP transaction or dialog.
3.2. Public Network Traffic

Traffic sent to or received from a public telecommunication network for processing according to the rules for ordinary subscribers of a public telecommunication network.

3.3. Private Network Traffic

Traffic sent to or received from a public telecommunication network for processing according to an agreed set of rules specific to an enterprise or a community of closely related enterprises.

3.4. Break-In

Act of converting public network traffic to private network traffic. The header defined in this specification will be added to indicate that the traffic is private network traffic after conversion.

3.5. Break-Out

Act of converting private network traffic to public network traffic. The header defined in this specification will be removed to indicate that the traffic is public network traffic after conversion.
3.6. Trust Domain

The term "trust domain" in this document is taken from P-Asserted-Identity [RFC3324]. A trust domain applies to the private network indication. The rules for specifying such a trust domain are specified in P-Asserted-Identity [RFC3324] and require the specification of a Spec(T) as covered in Section 2.4 of [RFC3324].
The same information is required to specify a Spec(T) for purposes of P-Private-Network-Indication as for P-Asserted-Identity [RFC3324]. However, if a network is using P-Private-Network-Indication as well as other header fields subject to Spec(T) (such as P-Asserted-Identity), the Spec(T) for each header field will probably be different from the others.
4. Application of Terminology

Figure 1 shows the interconnection of sites belonging to two private networks using the public network. Traffic in the public network relating to the interconnection of the two sites of enterprise 1 is tagged as private network traffic relating to enterprise 1. In certain cases, an enterprise can also choose to send traffic from one enterprise site to another enterprise site as public network traffic when this is beneficial to the enterprise. Traffic in the public network relating to the interconnection of the two sites of enterprise 2 is tagged as private network traffic relating to enterprise 2. Enterprise 1 also generates traffic to public phones, and this is public network traffic (untagged in the public network). There may be circumstances where traffic in the public network between two different private networks is tagged as private network traffic using a pre-arranged domain name agreed by the two involved enterprises. This is illustrated by the interconnection of the site from enterprise 3 and the site from enterprise 4.
   [Figure 1 (line-art diagram flattened in extraction; labels recovered): enterprise 1 site 1 and site 2 exchange "private network traffic (enterprise 1)" across the public network; a "public phone" exchanges "public network traffic" with enterprise 1 site 1; enterprise 2 site 1 and site 2 exchange "private network traffic (enterprise 2)"; enterprise 3 site 1 and enterprise 4 site 1 exchange "private network traffic (pre-arranged domain name)".]
Figure 1: Two Private Networks
Figure 2 shows the interconnection of sites belonging to a private network using the public network and supported in the public network by a server providing a business trunking application. The business trunking application provides routing capabilities for the enterprise traffic and supports the identification of calls to and from public network users and routing of break-in and break-out of that traffic. (Note that the business trunking application may consist of a concatenation of application logic provided to the originating enterprise site and application logic that is provided to the terminating enterprise site.) Traffic in the public network relating to the interconnection of the two sites of enterprise 1 is tagged as private network traffic relating to enterprise 1. The business trunking application also routes traffic to public phones, and this is public network traffic (untagged in the public network).
   [Figure 2 (line-art diagram flattened in extraction; labels recovered): enterprise 1 site 1 exchanges "private network traffic (enterprise 1)" across the public network with a "business trunking application"; a "public phone" exchanges "public network traffic" with the business trunking application; the business trunking application exchanges "private network traffic (enterprise 1)" with enterprise 1 site 2.]
Figure 2: Private Network and Business Trunking
Figure 3 shows the interconnection of sites belonging to a private network on a server providing a hosted enterprise service application (also known as Centrex). The hosted enterprise service application supports phones belonging to the enterprise and is also able to route traffic to and from public network phones using break-in or break-out functionality. Traffic in the public network relating to the interconnection of the site of enterprise 1 and the hosted enterprise service belonging to enterprise 1 is tagged as private network traffic relating to enterprise 1. The hosted enterprise service application also routes traffic to public phones, and this is public network traffic (untagged in the public network). Traffic from the enterprise phones would not normally be tagged, but it can be tagged as private network traffic. (Note that the hosted enterprise service logic may precede or succeed a business trunking application that offers services on behalf of an enterprise site.)
   [Figure 3 (line-art diagram flattened in extraction; labels recovered): enterprise 1 site 1 exchanges "private network traffic (enterprise 1)" across the public network with "hosted enterprise service enterprise 1"; a "public phone" exchanges "public network traffic" with the hosted enterprise service; an "enterprise phone" exchanges "private network traffic (enterprise 1)" with the hosted enterprise service.]
Figure 3: Hosted Service and Private Network
5. Overview of Solution

The mechanism proposed in this document relies on a new header field called 'P-Private-Network-Indication' that contains a private network identifier expressed as a domain name, for example:
P-Private-Network-Indication: example.com
A proxy server that handles a message MAY insert such a P-Private-Network-Indication header field into the message based on authentication of the source of a message, configuration, or local policy. A proxy server MAY forward the message to other proxies in the same administrative domain or proxies in a trusted domain to be handled as private network traffic. A proxy that forwards a message to a proxy server or user agent (UA) that it does not trust MUST remove the P-Private-Network-Indication header field before forwarding the message.
The private network identifier expressed as a domain name allows it to be a globally unique identifier, associated with the originating and/or terminating enterprise(s). A domain name is used, as it allows reuse of a company-owned Internet domain name without requiring an additional private network identifier registry. When the enterprise needs more than one identifier, it can freely add subdomains under its own control.
The formal syntax for the P-Private-Network-Indication header is presented in Section 7.
6. Proxy Behavior

6.1. P-Private-Network-Indication Generation

Proxies that are responsible for determining certain traffic to be treated as private network traffic or contain a break-in function that converts incoming public network traffic to private network traffic MUST insert a P-Private-Network-Indication header field into incoming or outgoing requests for a dialog or for a standalone transaction. The value MUST be set to the private network identifier corresponding to the enterprise(s) to which the traffic belongs.
6.2. P-Private-Network-Indication Consumption

Proxies that are responsible for applying different processing behaviors to specific private network traffic MUST support this extension. The P-Private-Network-Indication header field MUST NOT be used by a proxy in case it is received in a request from an entity that it does not trust; in such a case, it MUST be removed before the request is forwarded.
6.3. P-Private-Network-Indication Removal

Proxies that are at the edge of the trust domain or contain a break-out function that converts incoming private network traffic to public network traffic MUST remove the P-Private-Network-Indication header field before forwarding a request that contains such a header field.
6.4. P-Private-Network-Indication Verification

When proxies supporting this specification receive a P-Private-Network-Indication header field in a SIP request from a trusted node, proxies MUST check whether the received domain name in the request is the same as the domain name associated with the provisioned domain name. If the received domain name does not match, proxies MUST remove the P-Private-Network-Indication header field.
7. P-Private-Network-Indication Header Field Definition

This document defines the SIP P-Private-Network-Indication header field. This header field can be added by a proxy to initial requests for a dialog or standalone requests. The presence of the P-Private-Network-Indication header field signifies to proxies that understand the header field that the request is to be treated as private network traffic. The P-Private-Network-Indication header field contains a domain name value that allows the private network traffic to be associated with an enterprise to which it belongs and allows proxies that understand this header field to process the request according to the local policy configured for a specific enterprise(s).
The Augmented Backus-Naur Form (ABNF) [RFC5234] syntax of the P-Private-Network-Indication header field is described below:
   P-Private-Network-Indication = "P-Private-Network-Indication" HCOLON
                                  PNI-value *(SEMI PNI-param)
   PNI-param                    = generic-param
   PNI-value                    = hostname
EQUAL, HCOLON, SEMI, hostname, and generic-param are defined in RFC 3261 [RFC3261].
The following is an example of a P-Private-Network-Indication header field:
P-Private-Network-Indication: example.com
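As an added illustration (not code from the RFC, nor from any 3GPP or ETSI implementation), the following Python models a proxy applying the Section 6.1 to 6.4 rules and the Section 8 propagation rules, together with a parser for the Section 7 ABNF. Everything about the proxy is an assumption of this example: a request is a dict of header fields, the Proxy class stands in for whatever configuration a real proxy carries (its trusted peers, its provisioned domain, whether it plays a break-in or break-out role, whether it knows of a downstream proxy in the trust domain that understands the header, and whether local policy discards untrusted requests that carry the indication). Hostnames are compared case-insensitively with a trailing dot dropped, and generic-param values are limited to tokens or quoted strings; those are simplifications of this example, not rules from the RFC.

```python
"""Model of a SIP proxy applying the RFC 7316 P-Private-Network-Indication rules.

Added illustration only; not code from the RFC or from a 3GPP/ETSI product.
Assumes a request is a dict of header fields and that the Proxy class below
stands in for a real proxy's configuration.
"""
import re

HEADER = "P-Private-Network-Indication"

# RFC 3261 hostname = *( domainlabel "." ) toplabel [ "." ]
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_TOPLABEL = r"[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_TOPLABEL}\.?$")
# generic-param = token [ EQUAL gen-value ]; gen-value is limited here to a
# token or a quoted-string (the host alternative is omitted for brevity)
_TOKEN = r"[A-Za-z0-9\-.!%*_+`'~]+"
_PARAM_RE = re.compile(rf"^({_TOKEN})(?:=({_TOKEN}|\"[^\"]*\"))?$")


def parse_pni(value):
    """Parse a header value per the Section 7 ABNF.

    Returns (hostname, params) with the hostname lowercased and any trailing
    dot dropped (a normalisation choice of this example). Raises ValueError
    when the value is not PNI-value *(SEMI PNI-param), e.g. an IPv4 address.
    """
    parts = [p.strip() for p in value.split(";")]
    host = parts[0]
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"PNI-value is not a hostname: {host!r}")
    params = {}
    for param in parts[1:]:
        m = _PARAM_RE.fullmatch(param)
        if not m:
            raise ValueError(f"malformed PNI-param: {param!r}")
        params[m.group(1).lower()] = m.group(2)
    return host.lower().rstrip("."), params


class Proxy:
    """Hypothetical proxy holding the state RFC 7316 leaves to local policy."""

    def __init__(self, provisioned_domain, trusted_peers, role="transit",
                 pni_proxy_in_route=True, discard_untrusted_pni=False):
        self.domain = provisioned_domain.lower()
        self.trusted = set(trusted_peers)   # members of the trust domain (3.6)
        self.role = role                     # "break-in", "break-out" or "transit"
        self.pni_proxy_in_route = pni_proxy_in_route      # Section 8 route-set knowledge
        self.discard_untrusted_pni = discard_untrusted_pni  # Section 8 local policy

    def forward(self, request, prev_hop, next_hop):
        """Apply Sections 6.1-6.4 and 8; return ("forward" | "reject", request)."""
        req = dict(request)
        pni = req.get(HEADER)
        # 6.2 / 8: an indication from an untrusted node MUST NOT be used
        if pni is not None and prev_hop not in self.trusted:
            if self.discard_untrusted_pni:
                return "reject", req
            del req[HEADER]
            pni = None
        # 6.4: from a trusted node the domain must equal the provisioned one;
        # a value that does not parse is handled like a mismatch
        if pni is not None:
            try:
                host, _ = parse_pni(pni)
            except ValueError:
                host = None
            if host != self.domain:
                del req[HEADER]
                pni = None
        # 6.1: break-in converts public network traffic to private network traffic
        if self.role == "break-in" and pni is None:
            req[HEADER] = self.domain
        # 6.3 / 8: strip before break-out, before an untrusted next hop, or when
        # no downstream proxy in the trust domain is known to understand it
        if (self.role == "break-out" or next_hop not in self.trusted
                or not self.pni_proxy_in_route):
            req.pop(HEADER, None)
        return "forward", req


def demo():
    """Constructed scenarios; returns the resulting header value (or action) per case."""
    trusted = {"p1.example.net", "p2.example.net"}
    private = {"Request-Line": "INVITE sip:bob@example.com SIP/2.0",
               HEADER: "Example.COM;foo=bar"}
    public = {"Request-Line": "INVITE sip:bob@example.com SIP/2.0"}
    transit = Proxy("example.com", trusted)
    out = {}
    out["kept"] = transit.forward(private, "p1.example.net", "p2.example.net")[1].get(HEADER)
    out["untrusted_in"] = transit.forward(private, "attacker.invalid", "p2.example.net")[1].get(HEADER)
    out["untrusted_next"] = transit.forward(private, "p1.example.net", "ua.invalid")[1].get(HEADER)
    mismatch = {**private, HEADER: "other.example"}
    out["mismatch"] = transit.forward(mismatch, "p1.example.net", "p2.example.net")[1].get(HEADER)
    out["break_in"] = Proxy("example.com", trusted, role="break-in").forward(
        public, "p1.example.net", "p2.example.net")[1].get(HEADER)
    out["break_out"] = Proxy("example.com", trusted, role="break-out").forward(
        private, "p1.example.net", "p2.example.net")[1].get(HEADER)
    out["no_pni_downstream"] = Proxy("example.com", trusted, pni_proxy_in_route=False).forward(
        private, "p1.example.net", "p2.example.net")[1].get(HEADER)
    out["rejected"] = Proxy("example.com", trusted, discard_untrusted_pni=True).forward(
        private, "attacker.invalid", "p2.example.net")[0]
    return out


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case:18} -> {value}")
```

The ordering of the checks matters: trust of the previous hop is decided first so that an indication from outside the trust domain is never parsed or acted on, and the decision about the next hop is made last so that a value the proxy itself inserted on break-in is still stripped when the route leaves the trust domain.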
8. Security Considerations

The private network indication defined in this document MUST only be used in the traffic transported between network elements that are mutually trusted. Traffic protection between network elements can be achieved by using security protocols such as IP Encapsulating Security Payload (ESP) [RFC4303] or SIP / Transport Layer Security (SIP/TLS) or sometimes by physical protection of the network. In any case, the environment where the private network indication will be used needs to ensure the integrity and the confidentiality of the contents of this header field.
A private network indication received from an untrusted node MUST NOT be used, and the information MUST be removed from a request or response before it is forwarded to entities in the trust domain. Additionally, local policies may be in place that ensure that all requests carrying a private network indication that enter the trust domain from untrusted nodes will be discarded.
There is a security risk if a private network indication is allowed to propagate out of the trust domain where it was generated. The indication may reveal information about the identity of the caller, i.e., the organization to which the caller belongs. That is sensitive information. It also reveals to the outside world that there is a set of rules that this call is subject to that is different than the rules that apply to public traffic. That is sensitive information too. To prevent such a breach from happening, proxies MUST NOT insert the information when forwarding requests to a next hop located outside the trust domain. When forwarding the request to a trusted node, proxies MUST NOT insert the header field unless they have sufficient knowledge that the route set includes another proxy in the trust domain that understands this header field. However, how to learn such knowledge is out of the scope of this document. Proxies MUST remove the information when forwarding requests to untrusted nodes or when the proxy does not have knowledge of any other proxy in the route set that is able to understand this header field.
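The inbound and outbound rules of the two preceding paragraphs, as an added example that is not part of the RFC: a proxy-side policy that strips the header field from requests received from untrusted nodes (or discards such requests when local policy says so) and that only keeps or inserts it when the route set leads, through trusted hops only, to a proxy known to understand the header field. The Node class, its trusted and understands_pni flags, the function names and the sample request are this example's own assumptions; how a real proxy learns the flags is out of scope, as the text says.

```python
from dataclasses import dataclass
from typing import List, Optional

_PNI_NAME = "p-private-network-indication"


@dataclass(frozen=True)
class Node:
    """A SIP hop as configured on this proxy (hypothetical model for the example)."""
    host: str
    trusted: bool          # member of the trust domain for this header field
    understands_pni: bool  # known, by local configuration, to act on the header field


def is_pni(header: str) -> bool:
    name, sep, _ = header.partition(":")
    return bool(sep) and name.strip().lower() == _PNI_NAME


def has_pni(headers: List[str]) -> bool:
    return any(is_pni(h) for h in headers)


def strip_pni(headers: List[str]) -> List[str]:
    return [h for h in headers if not is_pni(h)]


def on_receive(headers: List[str], sender: Node,
               discard_if_untrusted: bool = False) -> Optional[List[str]]:
    """Inbound rule: an indication from an untrusted node MUST NOT be used and MUST be
    removed. With discard_if_untrusted the stricter local policy applies and the whole
    request is dropped (None) instead of being cleaned."""
    if sender.trusted:
        return list(headers)
    if discard_if_untrusted and has_pni(headers):
        return None
    return strip_pni(headers)


def _consumer_reachable(route_set: List[Node]) -> bool:
    """Walk the route set from the next hop: succeed at the first trusted proxy that
    understands the header field, fail at the first untrusted hop. Refusing to pass
    through an untrusted hop on the way is this example's conservative choice."""
    for node in route_set:
        if not node.trusted:
            return False
        if node.understands_pni:
            return True
    return False


def on_forward(headers: List[str], route_set: List[Node],
               insert_domain: Optional[str] = None) -> List[str]:
    """Outbound rules; route_set[0] is the next hop. The header field is removed unless a
    trusted consumer is known, and inserted (if requested) only in that same case."""
    if not route_set or not _consumer_reachable(route_set):
        return strip_pni(headers)
    out = list(headers)
    if insert_domain is not None and not has_pni(out):
        out.append(f"P-Private-Network-Indication: {insert_domain}")
    return out


# Constructed sample request headers (not captured traffic).
SAMPLE_REQUEST = [
    "Via: SIP/2.0/TLS relay.example.net;branch=z9hG4bK-constructed",
    "P-Private-Network-Indication: example.com",
    "To: <sip:bob@example.com>",
]
```

Note that insertion and retention are governed by the same condition, so a proxy that cannot answer "is there a trusted consumer downstream?" from its configuration will strip the header field by default; that default is what keeps the indication from leaking out of the trust domain.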
This document defines a new SIP header field: P-Private-Network-Indication. This header field has been registered by the IANA in the "SIP Parameters" registry under the "Header Fields" subregistry.
RFC Number: [RFC7316]
Header Field Name: P-Private-Network-Indication
Compact Form: none
The authors would like to thank Richard Barnes, Mary Barnes, Atle Monrad, Bruno Chatras, John Elwell, and Salvatore Loreto for providing comments on an early version of this document. Further, we thank John Elwell for performing the expert review.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002.
[RFC3324] Watson, M., "Short Term Requirements for Network Asserted Identity", RFC 3324, November 2002.
[RFC5234] Crocker, D., Ed., and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008.
[3GPP.22.519] 3GPP, "Business Communication Requirements", 3GPP TS 22.519.
[3GPP.23.228] 3GPP, "IP Multimedia Subsystem (IMS); Stage 2", 3GPP TS 23.228 V8, July 2007.
[3GPP.24.229] 3GPP, "Internet Protocol (IP) multimedia call control protocol based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP); Stage 3", 3GPP TS 24.229 V8, July 2007.
[RFC5727] Peterson, J., Jennings, C., and R. Sparks, "Change Process for the Session Initiation Protocol (SIP) and the Real-time Applications and Infrastructure Area", BCP 67, RFC 5727, March 2010.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005.
Authors' Addresses

Hans Erik van Elburg
Detecon International Gmbh
Oberkasselerstrasse 2
Bonn 53227
Germany

EMail: ietf.hanserik@gmail.com

Keith Drage
Alcatel-Lucent
The Quadrant, Stonehill Green, Westlea
Swindon SN5 7DJ
UK

EMail: drage@alcatel-lucent.com

Mayumi Ohsugi
NTT Corporation

Phone: +81 422 36 7502
EMail: mayumi.ohsugi@ntt-at.co.jp

Shida Schubert
NTT Corporation

Phone: +1 415 323 9942
EMail: shida@ntt-at.com

Kenjiro Arai
NTT Corporation
9-11, Midori-cho 3-Chome
Musashino-shi, Tokyo 180-8585
Japan

Phone: +81 422 59 3518
EMail: arai.kenjiro@lab.ntt.co.jp
URI: http://www.ntt.co.jp