Network Working Group R. Sparks Request for Comments: 5057 Estacado Systems Category: Informational November 2007 Multiple Dialog Usages in the Session Initiation Protocol Status of This Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Abstract Several methods in the Session Initiation Protocol (SIP) can create an association between endpoints known as a dialog. Some of these methods can also create a different, but related, association within an existing dialog. These multiple associations, or dialog usages, require carefully coordinated processing as they have independent life-cycles, but share common dialog state. Processing multiple dialog usages correctly is not completely understood. What is understood is difficult to implement. This memo argues that multiple dialog usages should be avoided. It discusses alternatives to their use and clarifies essential behavior for elements that cannot currently avoid them. This is an informative document and makes no normative statements of any kind. Sparks Informational [Page 1] RFC 5057 Multiple Dialog Usages November 2007 Table of Contents 1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 3. Examples of Multiple Usages . . . . . . . . . . . . . . . . . 4 3.1. Transfer . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2. Reciprocal Subscription . . . . . . . . . . . . . . . . . 6 4. Usage Creation and Destruction . . . . . . . . . . . . . . . . 9 4.1. Invite Usages . . . . . . . . . . . . . . . . . . . . . . 9 4.2. Subscribe usages . . . . . . . . . . . . . . . . . . . . . 9 5. Proper Handling of Multiple Usages . . . . . . . . . . . . . . 9 5.1. A Survey of the Effect of Failure Responses on Usages and Dialogs . . . . . . . . . . . . . . . . . . . . . . . 9 5.2. Transaction Timeouts . . . . . . . . . . . . . . . . . . . 15 5.3. Matching Requests to Usages . . . . . . . . . . . . . . . 16 5.4. Target Refresh Requests . . . . . . . . . . . . . . . . . 17 5.5. Refreshing and Terminating Usages . . . . . . . . . . . . 17 5.6. Refusing New Usages . . . . . . . . . . . . . . . . . . . 18 5.7. Replacing Usages . . . . . . . . . . . . . . . . . . . . . 18 6. Avoiding Multiple Usages . . . . . . . . . . . . . . . . . . . 18 7. Security Considerations . . . . . . . . . . . . . . . . . . . 23 8. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 24 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 24 10. Informative References . . . . . . . . . . . . . . . . . . . . 24 1. Overview This is an informative document. It makes no normative statements of any kind. This document refines the concept of a dialog usage in the Session Initiation Protocol (SIP [1]), and discusses what led to its existence. It explores ambiguity associated with processing multiple dialog usages that share a dialog. In particular, it surveys the effect of SIP failure responses on transaction, dialog usage, and dialog state. This document will help the implementer understand what is required to process multiple dialog usages correctly, and will provide information for future standards-track work that will clarify RFC 3261 and other related documents. Finally, the document explores single-usage dialog alternatives (using SIP extensions) to multiple dialog usages. 2. Introduction Several methods in SIP can establish a dialog. When they do so, they also establish an association between the endpoints within that dialog. This association has been known for some time as a "dialog usage" in the developer community. A dialog initiated with an INVITE request has an invite usage. A dialog initiated with a SUBSCRIBE Sparks Informational [Page 2] RFC 5057 Multiple Dialog Usages November 2007 request has a subscribe usage. A dialog initiated with a REFER request has a subscribe usage. Dialogs with multiple usages arise when a usage-creating action occurs inside an existing dialog. Such actions include accepting a REFER or SUBSCRIBE issued inside a dialog established with an INVITE request. Multiple REFERs within a dialog create multiple subscriptions, each of which is a new dialog usage sharing common dialog state. (Note that any REFER issued utilizing the subscription-suppression mechanism specified in [2] creates no new usage.) Similarly, an endpoint in a dialog established with an INVITE might subscribe to its peer's Key Press Markup Language (KPML) [3] and later issue a REFER, resulting in three dialog usages sharing common dialog state. The common state in the dialog shared by any usages is exactly: o the Call-ID o the local Tag o the remote Tag o the local CSeq o the remote CSeq o the Route-set o the local contact o the remote target o the secure flag Usages have state that is not shared in the dialog. For example, a subscription has a duration, along with other usage-specific state. Multiple subscriptions in the same dialog each have their own duration. A dialog comes into existence with the creation of the first usage, and continues to exist until the last usage is terminated (reference counting). Unfortunately, many of the usage management aspects of SIP, such as authentication, were originally designed with the implicit assumption that there was one usage per dialog. The resulting mechanisms have mixed effects, some influencing the usage, and some influencing the entire dialog. Sparks Informational [Page 3] RFC 5057 Multiple Dialog Usages November 2007 The current specifications define two usages, invite and subscribe. A dialog can share up to one invite usage and arbitrarily many subscribe usages. Because RFC 3261 [1] states that user-agents should reuse Call-ID and increment CSeq across a series of registration requests (and that to- tags appear in register responses in some of the examples), some implementations have treated REGISTER as if it were in a dialog. However, RFC 3261 explicitly calls out that REGISTER does not create a dialog. A series of REGISTER requests does not create any usage or dialog. Similarly, PUBLISH [4] does not create any usage or dialog. 3. Examples of Multiple Usages 3.1. Transfer In Figure 1, Alice transfers a call she received from Bob to Carol. A dialog (and an invite dialog usage) between Alice and Bob comes into being with the 200 OK labeled F1. A second usage (a subscription to event refer) comes into being with the NOTIFY labeled F2. This second usage ends when the subscription is terminated by the NOTIFY transaction labeled F3. The dialog still has one usage (the invite usage), which lasts until the BYE transaction labeled F4. At this point, the dialog has no remaining usages, so it ceases to exist. Details of each of these messages are shown in Figure 2. Sparks Informational [Page 4] RFC 5057 Multiple Dialog Usages November 2007 Alice Bob Carol | INVITE | | |<----------------| | Dialog 1 Usage 1 | 200 OK (F1) | | -start- -start- ----------->|---------------->| | | | | ACK | | | | |<----------------| | | | | reINVITE/200/ACK| | | | | (hold) | | | | |---------------->| | | | | REFER | | | | Dialog 1 |---------------->| | | | Usage 2 | NOTIFY (F2) | | | | -start- -->|<----------------| INVITE | | | | | 200 NOTIFY |----------->| | | | |---------------->| 200 OK | | | | | 200 REFER |<-----------| | | | |<----------------| ACK | | | | | NOTIFY (F3) |----------->| | | | |<----------------| | | | | | 200 | . | | | -end- -->|---------------->| . | | | | BYE (F4) | Dialog 2 | | | |<----------------| proceeds | | | | 200 | . | -end- -end- ------------>|---------------->| . | Figure 1 Message Details (abridged to show only dialog or usage details) F1 SIP/2.0 200 OK Call-ID: dialog1@bob.example.com CSeq: 100 INVITE To: ;tag=alicetag1 From: ;tag=bobtag1 Contact: F2 NOTIFY sip:aliceinstance@alice.example.com SIP/2.0 Event: refer Call-ID: dialog1@bob.example.com CSeq: 101 NOTIFY To: ;tag=alicetag1 From: ;tag=bobtag1 Contact: Sparks Informational [Page 5] RFC 5057 Multiple Dialog Usages November 2007 F3 NOTIFY sip:aliceinstance@alice.example.com SIP/2.0 Event: refer Subscription-State: terminated;reason=noresource Call-ID: dialog1@bob.example.com CSeq: 102 NOTIFY To: ;tag=alicetag1 From: ;tag=bobtag1 Contact: Content-Type: message/sipfrag SIP/2.0 200 OK F4 BYE sip:aliceinstance@alice.example.com SIP/2.0 Call-ID: dialog1@bob.example.com CSeq: 103 BYE To: ;tag=alicetag1 From: ;tag=bobtag1 Contact: Figure 2 3.2. Reciprocal Subscription In Figure 3, Alice subscribes to Bob's presence. For simplicity, assume Bob and Alice are both serving their presence from their endpoints instead of a presence server. To focus on the essential points, the figure leaves out any rendezvous signaling through which Alice discovers Bob's endpoint. Bob is interested in Alice's presence too, so he subscribes to Alice (in most deployed presence/IM systems, people watch each other). He decides to skip the rendezvous step since he's already in a dialog with Alice, and sends his SUBSCRIBE inside that dialog (a few early SIMPLE clients behaved exactly this way). The dialog and its first usage comes into being at F1, which establishes Alice's subscription to Bob. Its second usage begins at F2, which establishes Bob's subscription to Alice. These two subscriptions are independent - they have distinct and different expirations, but they share all the dialog state. The first usage ends when Alice decides to unsubscribe at F3. Bob's subscription to Alice, and thus the dialog, continues to exist. Alice's UA must maintain this dialog state even though the subscription that caused it to exist in the first place is now over. The second usage ends when Alice decides to terminate Bob's Sparks Informational [Page 6] RFC 5057 Multiple Dialog Usages November 2007 subscription at F4 (she's probably going to reject any attempt on Bob's part to resubscribe until she's ready to subscribe to Bob again). Since this was the last usage, the dialog also terminates. Details of these messages are shown in Figure 4. Alice Bob | | | SUBSCRIBE | |------------------->| Dialog Usage 1 | NOTIFY (F1) | -start- -start- --------->|<-------------------| | | | 200 SUBSCRIBE | | | |<-------------------| | | | 200 NOTIFY | | | |------------------->| | | | SUBSCRIBE | | | |<-------------------| | | Usage 2 | NOTIFY (F2) | | | -start- -->|------------------->| | | | | 200 SUBSCRIBE | | | |------------------->| | | | | 200 NOTIFY | | | | |<-------------------| | | | | : | | | | | : | | | | | (un)SUBSCRIBE (F3) | | | | |------------------->| | | | | 200 | | | | |<-------------------| | | | | NOTIFY | | | | |<-------------------| | | | | 200 | | -end- ----------->|------------------->| | | | : | | | | : | | | | NOTIFY (F4) | | | | (Terminated) | | | |------------------->| | | | 200 | -end- -end- -->|<-------------------| | | Figure 3 Sparks Informational [Page 7] RFC 5057 Multiple Dialog Usages November 2007 Message Details (abridged to show only dialog or usage details) F1 NOTIFY sip:aliceinstance@alice.example.com SIP/2.0 Event: presence Subscription-State: active;expires=600 Call-ID: alicecallid1@alice.example.com From: ;tag=bobtag2 To: ;tag=alicetag2 CSeq: 100 NOTIFY Contact: F2 NOTIFY sip:bobinstance@bob.example.com SIP/2.0 Event: presence Subscription-State: active;expires=1200 Call-ID: alicecallid1@alice.example.com To: ;tag=bobtag2 From: ;tag=alicetag2 CSeq: 500 NOTIFY Contact: F3 SUBSCRIBE sip:bobinstance@bob.example.com SIP/2.0 Event: presence Expires: 0 Call-ID: alicecallid1@alice.example.com To: ;tag=bobtag2 From: ;tag=alicetag2 CSeq: 501 SUBSCRIBE Contact: F4 NOTIFY sip:bobinstance@bob.example.com SIP/2.0 Event: presence Subscription-State: terminated;reason=deactivated Call-ID: alicecallid1@alice.example.com To: ;tag=bobtag2 From: ;tag=alicetag2 CSeq: 502 NOTIFY Contact: Figure 4 Sparks Informational [Page 8] RFC 5057 Multiple Dialog Usages November 2007 4. Usage Creation and Destruction Dialogs come into existence along with their first usage. Dialogs terminate when their last usage is destroyed. The messages that create and destroy usages vary per usage. This section provides a high-level categorization of those messages. The section does not attempt to explore the REGISTER pseudo-dialog. 4.1. Invite Usages Created by: non-100 provisional responses to INVITE; 200 response to INVITE Destroyed by: 200 responses to BYE; certain failure responses to INVITE, UPDATE, PRACK, INFO, or BYE; anything that destroys a dialog and all its usages 4.2. Subscribe usages Created by: 200 class responses to SUBSCRIBE; 200 class responses to REFER; NOTIFY requests Destroyed by: 200 class responses to NOTIFY-terminated; NOTIFY or refresh-SUBSCRIBE request timeout; certain failure responses to NOTIFY or SUBSCRIBE; expiration without refresh if network issues prevent the terminal NOTIFY from arriving; anything that destroys a dialog and all its usages 5. Proper Handling of Multiple Usages The examples in Section 3 show straightforward cases where it is fairly obvious when the dialog begins and ends. Unfortunately, there are many scenarios where such clarity is not present. For instance, in Figure 1, what would it mean if the response to the NOTIFY (F2) were a 481? Does that simply terminate the refer subscription, or does it destroy the entire dialog? This section explores the problem areas with multiple usages that have been identified to date. 5.1. A Survey of the Effect of Failure Responses on Usages and Dialogs For this survey, consider a subscribe usage inside a dialog established with an invite usage. Unless stated otherwise, we'll discuss the effect on each usage and the dialog when a client issuing a NOTIFY inside the subscribe usage receives a failure response (such as a transferee issuing a NOTIFY to event refer). Further, unless otherwise stated, the conclusions apply to arbitrary multiple usages. This survey is written from the perspective of a client receiving the Sparks Informational [Page 9] RFC 5057 Multiple Dialog Usages November 2007 error response. The effect on dialogs and usages at the server issuing the response is the same. 3xx responses: Redirection mid-dialog is not well understood in SIP, but whatever effect it has impacts the entire dialog and all of its usages equally. In our example scenario, both the subscription and the invite usage would be redirected by this single response. For the failure responses with code 400 and greater, there are three common ways the failure can affect the transaction, usage, and dialog state. Transaction Only The error affects only the transaction, not the usage or dialog the transaction occurs in (beyond affecting the local CSeq). Any other usage of the dialog is unaffected. The error is a complaint about this transaction, not the usage or dialog that the transaction occurs in. Destroys Usage The error destroys the usage, but not the dialog. Any other usages sharing this dialog are not affected. Destroys Dialog The error destroys the dialog and all usages sharing it. Table 1 and Table 2 display how the various codes affect transaction, usage, or dialog state. Response code specific comments or exceptions follow the table. +----------------------+----------------+-----------------+ | Transaction Only | Destroys Usage | Destroys Dialog | +----------------------+----------------+-----------------+ | 400 (or unknown 4xx) | 405, 480 | 404, 410, 416 | | 401, 402, 403, 406 | 481, 489 | 482, 483 | | 407, 408, 412-415 | 501 | 484, 485 | | 417, 420, 421, 422 | | 502, 604 | | 423, 428, 429 | | | | 436-438, 486, 487 | | | | 488, 491, 493, 494 | | | | 500 (or unknown 5xx) | | | | 503, 504, 505 | | | | 513, 580 | | | | 600 (or unknown 6xx) | | | | 603, 606 | | | +----------------------+----------------+-----------------+ Table 1 Sparks Informational [Page 10] RFC 5057 Multiple Dialog Usages November 2007 +---------+---------------------------------+-------------+-------+ | Code | Reason | Impact | Notes | +---------+---------------------------------+-------------+-------+ | 400/4xx | Bad Request | Transaction | | | 401 | Unauthorized | Transaction | | | 402 | Payment Required | Transaction | (1) | | 403 | Forbidden | Transaction | | | 404 | Not Found | Dialog | (2) | | 405 | Method Not Allowed | Usage | (3) | | 406 | Not Acceptable | Transaction | | | 407 | Proxy Authentication Required | Transaction | | | 408 | Request Timeout | Transaction | (4) | | 410 | Gone | Dialog | (2) | | 412 | Conditional Request Failed | Transaction | | | 413 | Request Entity Too Large | Transaction | | | 414 | Request-URI Too Long | Transaction | | | 415 | Unsupported Media Type | Transaction | | | 416 | Unsupported URI Scheme | Dialog | (2) | | 417 | Unknown Resource-Priority | Transaction | | | 420 | Bad Extension | Transaction | | | 421 | Extension Required | Transaction | | | 422 | Session Interval Too Small | Transaction | (5) | | 423 | Interval Too Brief | Transaction | | | 428 | Use Identity Header | Transaction | | | 429 | Provide Referrer Identity | Transaction | (6) | | 436 | Bad Identity-Info | Transaction | | | 437 | Unsupported Certificate | Transaction | | | 438 | Invalid Identity Header | Transaction | | | 480 | Temporarily Unavailable | Usage | (7) | | 481 | Call/Transaction Does Not Exist | Usage | (8) | | 482 | Loop Detected | Dialog | (9) | | 483 | Too Many Hops | Dialog | (10) | | 484 | Address Incomplete | Dialog | (2) | | 485 | Ambiguous | Dialog | (2) | | 486 | Busy Here | Transaction | (11) | | 487 | Request Terminated | Transaction | | | 488 | Not Acceptable Here | Transaction | | | 489 | Bad Event | Usage | (12) | | 491 | Request Pending | Transaction | | | 493 | Undecipherable | Transaction | | | 494 | Security Agreement Required | Transaction | | | 500/5xx | Server Internal Error | Transaction | (13) | | 501 | Not Implemented | Usage | (3) | | 502 | Bad Gateway | Dialog | (14) | | 503 | Service Unavailable | Transaction | (15) | | 504 | Server Time-Out | Transaction | (16) | | 505 | Version Not Supported | Transaction | | | 513 | Message Too Large | Transaction | | Sparks Informational [Page 11] RFC 5057 Multiple Dialog Usages November 2007 | 580 | Precondition Failure | Transaction | | | 600/6xx | Busy Everywhere | Transaction | (17) | | 603 | Decline | Transaction | | | 604 | Does Not Exist Anywhere | Dialog | (2) | | 606 | Not Acceptable | Transaction | | +---------+---------------------------------+-------------+-------+ Table 2 (1) 402 Payment Required: This is a reserved response code. If encountered, it should be treated as an unrecognized 4xx. (2) 404 Not Found: 410 Gone: 416 Unsupported URI Scheme: 484 Address Incomplete: 485 Ambiguous: 604 Does Not Exist Anywhere: The Request-URI that is being rejected is the remote target set by the Contact provided by the peer. Getting this response means that something has gone fundamentally wrong with the dialog state. (3) 405 Method Not Allowed: 501 Not Implemented: Either of these responses would be aberrant in our example scenario since support for the NOTIFY method is required by the usage. In this case, the UA knows the condition is unrecoverable and should stop sending NOTIFYs on the usage. Any refresh subscriptions should be rejected. In general, these errors will affect at most the usage. If the request was not integral to the usage (it used an unknown method, or was an INFO inside an INVITE usage, for example), only the transaction will be affected. (4) 408 Request Timeout: Receiving a 408 will have the same effect on usages and dialogs as a real transaction timeout as described in Section 5.2. Sparks Informational [Page 12] RFC 5057 Multiple Dialog Usages November 2007 (5) 422 Session Interval Too Small: This response does not make sense for any mid-usage request. If it is received, an element in the path of the request is violating protocol, and the recipient should treat this as it would an unknown 4xx response. (6) 429 Provide Referrer Identity: This response won't be returned to a NOTIFY as in our example scenario, but when it is returned to a REFER, it is objecting only to the REFER request itself. (7) 480 Temporarily Unavailable: RFC 3261 is unclear on what this response means for mid-usage requests. Future updates to that specification are expected to clarify that this response affects only the usage in which the request occurs. No other usages are affected. If the response included a Retry-After header field, further requests in that usage should not be sent until the indicated time has past. Requests in other usages may still be sent at any time. (8) 481 Call/Transaction Does Not Exist: This response indicates that the peer has lost its copy of the dialog usage state. The dialog itself should not be destroyed unless this was the last usage. The effects of a 481 on a dialog and its usages are the most ambiguous of any final response. There are implementations that have chosen the meaning recommended here, and others that destroy the entire dialog without regard to the number of outstanding usages. Going forward with this clarification will allow those deployed implementations that assumed only the usage was destroyed to work with a wider number of implementations. Existing implementations that destroy all other usages in the dialog will continue to function as they do now, except that peers following the recommendation will attempt to do things with the other usages and this element will return 481s for each of them until they are all gone. However, the necessary clarification to RFC 3261 needs to make it very clear that the ability to terminate usages independently from the overall dialog using a 481 is not justification for designing new applications that count on multiple usages in a dialog. The 481 response to a CANCEL request has to be treated differently. For CANCEL, a 481 means the UAS can't find a matching transaction. A 481 response to a CANCEL affects only the CANCEL transaction. The usage associated with the INVITE is not affected. Sparks Informational [Page 13] RFC 5057 Multiple Dialog Usages November 2007 (9) 482 Loop Detected: This response is aberrant mid-dialog. It will only occur if the Record-Route header field were improperly constructed by the proxies involved in setting up the dialog's initial usage, or if a mid-dialog request forks and merges (which should never happen). Future requests using this dialog state will also fail. An edge condition exists during RFC 3263 failover at the element sending a request, where the request effectively forks to multiple destinations from the client. Some implementations increase risk entering this edge condition by trying the next potential location as determined by RFC 3263 very rapidly if the first does not immediately respond. In any situation where a client sends the same request to more than one endpoint, it must be prepared to receive a response from each branch (and should choose a "best" response to act on following the same guidelines as a forking proxy). In this particular race condition, if multiple branches respond, all but one will most likely return a 482 Merged Request. The client should select the remaining non-482 response as the "best" response. (10) 483 Too Many Hops: Similar to 482, receiving this mid-dialog is aberrant. Unlike 482, recovery may be possible by increasing Max- Forwards (assuming that the requester did something strange like using a smaller value for Max-Forwards in mid-dialog requests than it used for an initial request). If the request isn't tried with an increased Max-Forwards, then the agent should follow the Destroy Dialog actions. (11) 486 Busy Here: This response is nonsensical in our example scenario, or in any scenario where this response comes inside an established usage. If it occurs in that context, it should be treated as an unknown 4xx response. (12) 489 Bad Event: In our example scenario, [5] declares that the subscription usage in which the NOTIFY is sent is terminated. This response is only valid in the context of SUBSCRIBE and NOTIFY. UAC behavior for receiving this response to other methods is not specified, but treating it as an unknown 4xx is a reasonable practice. (13) 500 and 5xx unrecognized responses: If the response contains a Retry-After header field value, the server thinks the condition is temporary, and the request can be retried after the indicated interval. If the response does not contain a Retry-After header field value, the UA may decide to retry after an interval of its choosing or attempt to gracefully terminate the usage. Whether or not to terminate other usages depends on the application. If the Sparks Informational [Page 14] RFC 5057 Multiple Dialog Usages November 2007 UA receives a 500 (or unrecognized 5xx) in response to an attempt to gracefully terminate this usage, it can treat this usage as terminated. If this is the last usage sharing the dialog, the dialog is also terminated. (14) 502 Bad Gateway: This response is aberrant mid-dialog. It will only occur if the Record-Route header field were improperly constructed by the proxies involved in setting up the dialog's initial usage. Future requests using this dialog state will also fail. (15) 503 Service Unavailable: As per [6], the logic handling locating SIP servers for transactions may handle 503 requests (effectively, sequentially forking at the endpoint based on DNS results). If this process does not yield a better response, a 503 may be returned to the transaction user. Like a 500 response, the error is a complaint about this transaction, not the usage. Because this response occurred in the context of an established usage (hence an existing dialog), the route-set has already been formed and any opportunity to try alternate servers (as recommended in [1]) has been exhausted by the RFC3263 logic. (16) 504 Server Time-out: It is not obvious under what circumstances this response would be returned to a request in an existing dialog. (17) 600 and 6xx unrecognized responses: Unlike 400 Bad Request, a 600 response code says something about the recipient user, not the request that was made. This end user is stating an unwillingness to communicate. If the response contains a Retry-After header field value, the user is indicating willingness to communicate later and the request can be retried after the indicated interval. This usage, and any other usages sharing the dialog are unaffected. If the response does not contain a Retry-After header field value, the UA may decide to retry after an interval of its choosing or attempt to gracefully terminate the usage. Whether or not to terminate other usages depends on the application. If the UA receives a 600 (or unrecognized 6xx) in response to an attempt to gracefully terminate this usage, it can treat this usage as terminated. If this is the last usage sharing the dialog, the dialog is also terminated. 5.2. Transaction Timeouts [1] states that a UAC should terminate a dialog (by sending a BYE) if no response is received for a request sent within a dialog. This recommendation should have been limited to the invite usage instead of the whole dialog. [5] states that a timeout for a NOTIFY removes a Sparks Informational [Page 15] RFC 5057 Multiple Dialog Usages November 2007 subscription, but a SUBSCRIBE that fails with anything other than a 481 does not. Given these statements, it is unclear whether a refresh SUBSCRIBE issued in a dialog shared with an invite usage destroys either usage or the dialog if it times out. Generally, a transaction timeout should affect only the usage in which the transaction occurred. Other uses sharing the dialog should not be affected. In the worst case of timeout due to total transport failure, it may require multiple failed messages to remove all usages from a dialog (at least one per usage). There are some mid-dialog messages that never belong to any usage. If they timeout, they will have no effect on the dialog or its usages. 5.3. Matching Requests to Usages For many mid-dialog requests, identifying the usage they belong to is obvious. A dialog can have at most one invite usage, so any INVITE, UPDATE, PRACK, ACK, CANCEL, BYE, or INFO requests belong to it. The usage (i.e. the particular subscription) SUBSCRIBE, NOTIFY, and REFER requests belong to can be determined from the Event header field of the request. REGISTER requests within a (pseudo)-dialog belong to the registration usage. (As mentioned before, implementations aren't mixing registration usages with other usages, so this document isn't exploring the consequences of that bad behavior). According to [1], "an OPTIONS request received within a dialog generates a 200 OK response that is identical to one constructed outside a dialog and does not have any impact on that dialog". Thus, OPTIONS does not belong to any usage. Only those failures discussed in Section 5.1 and Section 5.2 that destroy entire dialogs will have any effect on the usages sharing the dialog with a failed OPTIONS request. MESSAGE requests are discouraged inside a dialog. Implementations are restricted from creating a usage for the purpose of carrying a sequence of MESSAGE requests (though some implementations use it that way, against the standard recommendation). A failed MESSAGE occurring inside an existing dialog will have similar effects on the dialog and its usages as a failed OPTIONS request. Mid-dialog requests with unknown methods cannot be matched with a usage. Servers will return a failure response (likely a 501). The effect on the dialog and its usages at either the client or the server should be similar to that of a failed OPTIONS request. Sparks Informational [Page 16] RFC 5057 Multiple Dialog Usages November 2007 These guidelines for matching messages to usages (or determining there is no usage) apply equally when acting as a UAS, a UAC, or any third party tracking usage and dialog state by inspecting all messages between two endpoints. 5.4. Target Refresh Requests Target refresh requests update the remote target of a dialog when they are successfully processed. The currently defined target refresh requests are INVITE, UPDATE, SUBSCRIBE, NOTIFY, and REFER [7]). The remote target is part of the dialog state. When a target refresh request affects it, it affects it for ALL usages sharing that dialog. If a subscription and invite usage are sharing a dialog, sending a refresh SUBSCRIBE with a different contact will cause reINVITEs from the peer to go to that different contact. A UAS will only update the remote target if it sends a 200 class response to a target refresh request. A UAC will only update the remote target if it receives a 200 class response to a target refresh request. Again, any update to a dialog's remote target affects all usages of that dialog. There is known ambiguity around the effects of provisional responses on remote targets that a future specification will attempt to clarify. Furthermore, because the remote target is part of the dialog state, not any usage state, there is ambiguity in having target refresh requests in progress simultaneously on multiple usages in the same dialog. Implementation designers should consider these conditions with care. 5.5. Refreshing and Terminating Usages Subscription and registration usages expire over time and must be refreshed (with a refresh SUBSCRIBE, for example). This expiration is usage state, not dialog state. If several subscriptions share a dialog, refreshing one of them has no effect on the expiration of the others. Normal termination of a usage has no effect on other usages sharing the same dialog. For instance, terminating a subscription with a NOTIFY/Subscription-State: terminated will not terminate an invite usage sharing its dialog. Likewise, ending an invite usage with a BYE does not terminate any active Event: refer subscriptions established on that dialog. Sparks Informational [Page 17] RFC 5057 Multiple Dialog Usages November 2007 5.6. Refusing New Usages As the survey of the effect of failure responses shows, care must be taken when refusing a new usage inside an existing dialog. Choosing the wrong response code will terminate the dialog and all of its usages. Generally, returning a 603 Decline is the safest way to refuse a new usage. 5.7. Replacing Usages [8] defines a mechanism through which one usage can replace another. It can be used, for example, to associate the two dialogs in which a transfer target is involved during an attended transfer. It is written using the term "dialog", but its intent was only to affect the invite usage of the dialog it targets. Any other usages inside that dialog are unaffected. For some applications, the other usages may no longer make sense, and the application may terminate them as well. However, the interactions between Replaces and multiple dialog usages have not been well explored. More discussion of this topic is needed. Implementers should avoid this scenario completely. 6. Avoiding Multiple Usages Processing multiple usages correctly is not completely understood. What is understood is difficult to implement and is very likely to lead to interoperability problems. The best way to avoid the trouble that comes with such complexity is to avoid it altogether. When designing new applications or features that use SIP dialogs, do not require endpoints to construct multiple usages to participate in the application or use the feature. When designing endpoints, address the existing multiple usage scenarios as best as possible. Outside those scenarios, if a peer attempts to create a second usage inside a dialog, refuse it. Unfortunately, there are existing applications, like transfer, that currently entail multiple usages, so the simple solution of "don't do it" will require some transitional work. This section looks at the pressures that led to these existing multiple usages and suggests alternatives. When executing a transfer, the transferor and transferee currently share an invite usage and a subscription usage within the dialog between them. This is a result of sending the REFER request within the dialog established by the invite usage. Implementations were led to this behavior by these primary problems: Sparks Informational [Page 18] RFC 5057 Multiple Dialog Usages November 2007 1. There was no way to ensure that a REFER on a new dialog would reach the particular endpoint involved in a transfer. Many factors, including details of implementations and changes in proxy routing between an INVITE and a REFER could cause the REFER to be sent to the wrong place. Sending the REFER down the existing dialog ensured it got to the same endpoint with which the dialog was established. 2. It was unclear how to associate an existing invite usage with a REFER arriving on a new dialog, where it was completely obvious what the association was when the REFER came on the invite usage's dialog. 3. There were concerns with authorizing out-of-dialog REFERs. The authorization policy for REFER in most implementations piggybacks on the authorization policy for INVITE (which is, in most cases, based simply on "I placed or answered this call"). Globally Routable User Agent (UA) URIs (GRUUs) [9] have been defined specifically to address problem 1 by providing a URI that will reach one specific user-agent. The Target-Dialog header field [10] was created to address problems 2 and 3. This header field allows a request to indicate the dialog identifiers of some other dialog, providing association with the other dialog that can be used in an authorization decision. The Join [11] and Replaces [8] mechanisms can also be used to address problem 1. When using this technique, a new request is sent outside any dialog with the expectation that it will fork to possibly many endpoints, including the one we're interested in. This request contains a header field listing the dialog identifiers of a dialog in progress. Only the endpoint holding a dialog matching those identifiers will accept the request. The other endpoints the request may have forked to will respond with an error. This mechanism is reasonably robust, failing only when the routing logic for out-of- dialog requests changes such that the new request does not arrive at the endpoint holding the dialog of interest. The reachability aspects of using a GRUU to address problem 1 can be combined with the association-with-other-dialogs aspects of the Join/ Replaces and Target-Dialog mechanisms. A REFER request sent out-of- dialog can be sent towards a GRUU, and identify an existing dialog as part of the context the receiver should use. The Target-Dialog header field can be included in the REFER listing the dialog this REFER is associated with. Figure 5 sketches how this could be used to achieve transfer without reusing a dialog. For simplicity, the diagram and message details do not show the server at example.com Sparks Informational [Page 19] RFC 5057 Multiple Dialog Usages November 2007 that will be involved in routing the GRUU. Refer to [9] for those details. Alice Bob Carol | | | | F1 INVITE (Bob's AOR) | | | Call-ID: (call-id one) | | | Contact: (Alice's-GRUU) | | |------------------------------->| | | F2 200 OK | | | To: <>;tag=totag1 | | | From: <>;tag=fromtag1 | | | Call-ID: (call-id one) | | | Contact: (Bob's-GRUU) | | |<-------------------------------| | | ACK | | |------------------------------->| | | : | | | (Bob places Alice on hold) | | | : | F3 INVITE (Carol's AOR) | | | Call-ID: (call-id two) | | | Contact: (Bob's-GRUU) | | |----------------------------->| | | F4 200 OK | | | To: <>;tag=totag2 | | | From: <>;tag=fromtag2 | | | Call-ID: (call-id two) | | | Contact: (Carol's-GRUU) | | |<-----------------------------| | | ACK | | |----------------------------->| | | : | | | (Bob places Carol on hold) | | F5 REFER (Alice's-GRUU) | : | | Call-ID: (call-id three) | | | Refer-To: (Carol's-GRUU) | | | Target-Dialog: (call-id one,totag1,fromtag1) | | Contact: (Bob's-GRUU) | | |<-------------------------------| | | 202 Accepted | | |------------------------------->| | Sparks Informational [Page 20] RFC 5057 Multiple Dialog Usages November 2007 | NOTIFY (Bob's-GRUU) | | | Call-ID: (call-id three) | | |------------------------------->| | | 200 OK | | |<-------------------------------| | | | | | F6 INVITE (Carol's-GRUU) | | Call-ID: (call-id four) | | Contact: (Alice's-GRUU) | |-------------------------------------------------------------->| | 200 OK | | Contact: (Carol's-GRUU) | |<--------------------------------------------------------------| | ACK | |-------------------------------------------------------------->| | | | | F7 NOTIFY (Bob's-GRUU) | | | Call-ID: (call-id three) | | |------------------------------->| | | 200 OK | | |<-------------------------------| | | BYE (Alice's-GRUU) | | | Call-ID: (call-id one) | | |<-------------------------------| BYE (Carol's-GRUU) | | | Call-ID: (call-id two) | | 200 OK |----------------------------->| |------------------------------->| 200 OK | | |<-----------------------------| | | | Figure 5: Transfer without dialog reuse In message F1, Alice invites Bob indicating support for GRUUs (and offering a GRUU for herself): Message F1 (abridged, detailing pertinent fields) INVITE sip:bob@example.com SIP/2.0 Call-ID: 13jfdwer230jsdw@alice.example.com Supported: gruu Contact: Sparks Informational [Page 21] RFC 5057 Multiple Dialog Usages November 2007 Message F2 carries Bob's GRUU to Alice. Message F2 (abridged, detailing pertinent fields) SIP/2.0 200 OK Supported: gruu To: ;tag=totag1 From: ;tag=fromtag1 Contact: Bob decides to try to transfer Alice to Carol, so he puts Alice on hold and sends an INVITE to Carol. Carol and Bob negotiate GRUU support similar to what happened in F1 and F2. Message F3 (abridged, detailing pertinent fields) INVITE sip:carol@example.com SIP/2.0 Supported: gruu Call-ID: 23rasdnfoa39i4jnasdf@bob.example.com Contact: Message F4 (abridged, detailing pertinent fields) SIP/2.0 200 OK Supported: gruu To: ;tag=totag2 From: ;tag=fromtag2 Call-ID: 23rasdnfoa39i4jnasdf@bob.example.com Contact: After consulting Carol, Bob places her on hold and refers Alice to her using message F5. Notice that the Refer-To URI is Carol's GRUU, and that this is on a different Call-ID than message F1. (The URI in the Refer-To header is line-broken for readability in this document; it would not be valid to break the URI this way in a real message.) Message F5 (abridged, detailing pertinent fields) REFER sip:aanewmr203raswdf@example.com SIP/2.0 Call-ID: 39fa99r0329493asdsf3n@bob.example.com Refer-To: Target-Dialog: 13jfdwer230jsdw@alice.example.com; local-tag=fromtag1;remote-tag=totag1 Supported: gruu Contact: Sparks Informational [Page 22] RFC 5057 Multiple Dialog Usages November 2007 Alice uses the information in the Target-Dialog header field to determine that this REFER is associated with the dialog she already has in place with Bob. Alice is now in a position to use the same admission policy she used for in-dialog REFERs: "Do I have a call with this person?". She accepts the REFER, sends Bob the obligatory immediate NOTIFY, and proceeds to INVITE Carol with message F6. Message F6 (abridged, detailing pertinent fields) sip:carol@example.com;gr=urn:uuid:(Carol's UA's bits) \ / \ / | | v v INVITE SIP/2.0 Call-ID: 4zsd9f234jasdfasn3jsad@alice.example.com Replaces: 23rasdnfoa39i4jnasdf@bob.example.com; to-tag=totag2;from-tag=fromtag2 Supported: gruu Contact: Carol accepts Alice's invitation to replace her dialog (invite usage) with Bob, and notifies him that the REFERenced INVITE succeeded with F7: Message F7 (abridged, detailing pertinent fields) NOTIFY sip:boaiidfjjereis@example.com SIP/2.0 Subscription-State: terminated;reason=noresource Call-ID: 39fa99r0329493asdsf3n@bob.example.com Contact: Content-Type: message/sipfrag SIP/2.0 200 OK Bob then ends his invite usages with both Alice and Carol using BYEs. 7. Security Considerations Handling multiple usages within a single dialog is complex and introduces scenarios where the right thing to do is not clear. The ambiguities described here can result in unexpected disruption of communication if response codes are chosen carelessly. Furthermore, these ambiguities could be exploited, particularly by third-parties injecting unauthenticated requests or inappropriate responses. Implementations choosing to create or accept multiple usages within a dialog should give extra attention to the security considerations in Sparks Informational [Page 23] RFC 5057 Multiple Dialog Usages November 2007 [1], especially those concerning the authenticity of requests and processing of responses. Service implementations should carefully consider the effects on their service of peers making different choices in these areas of ambiguity. A service that requires multiple usages needs to pay particular attention to the effect on service and network utilization when a client fails to destroy a dialog the service believes should be destroyed. A service that disallows multiple usages should consider the effect on clients that, for instance, destroy the entire dialog when only a usage should be torn down. In the worst case of a service deployed into a network with a large number of misbehaving clients trying to create multiple usages in an automated fashion, a retry storm similar to an avalanche restart could be induced. 8. Conclusion Handling multiple usages within a single dialog is complex and introduces scenarios where the right thing to do is not clear. Implementations should avoid entering into multiple usages whenever possible. New applications should be designed to never introduce multiple usages. There are some accepted SIP practices, including transfer, that currently require multiple usages. Recent work, most notably GRUU, makes those practices unnecessary. The standardization of those practices and the implementations should be revised as soon as possible to use only single-usage dialogs. 9. Acknowledgments The ideas in this document have been refined over several IETF meetings with many participants. Significant contribution was provided by Adam Roach, Alan Johnston, Ben Campbell, Cullen Jennings, Jonathan Rosenberg, Paul Kyzivat, and Rohan Mahy. Members of the reSIProcate project also shared their difficulties and discoveries while implementing multiple-usage dialog handlers. 10. Informative References [1] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. [2] Levin, O., "Suppression of Session Initiation Protocol (SIP) REFER Method Implicit Subscription", RFC 4488, May 2006. Sparks Informational [Page 24] RFC 5057 Multiple Dialog Usages November 2007 [3] Burger, E. and M. Dolly, "A Session Initiation Protocol (SIP) Event Package for Key Press Stimulus (KPML)", RFC 4730, November 2006. [4] Niemi, A., "Session Initiation Protocol (SIP) Extension for Event State Publication", RFC 3903, October 2004. [5] Roach, A., "Session Initiation Protocol (SIP)-Specific Event Notification", RFC 3265, June 2002. [6] Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol (SIP): Locating SIP Servers", RFC 3263, June 2002. [7] Sparks, R., "The Session Initiation Protocol (SIP) Refer Method", RFC 3515, April 2003. [8] Mahy, R., Biggs, B., and R. Dean, "The Session Initiation Protocol (SIP) "Replaces" Header", RFC 3891, September 2004. [9] Rosenberg, J., "Obtaining and Using Globally Routable User Agent (UA) URIs (GRUU) in the Session Initiation Protocol (SIP)", Work in Progress, June 2006. [10] Rosenberg, J., "Request Authorization through Dialog Identification in the Session Initiation Protocol (SIP)", RFC 4538, June 2006. [11] Mahy, R. and D. Petrie, "The Session Initiation Protocol (SIP) "Join" Header", RFC 3911, October 2004. Author's Address Robert J. Sparks Estacado Systems EMail: RjS@estacado.net Sparks Informational [Page 25] RFC 5057 Multiple Dialog Usages November 2007 Full Copyright Statement Copyright (C) The IETF Trust (2007). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Sparks Informational [Page 26]