
RFC 2848

The PINT Service Protocol: Extensions to SIP and SDP for IP Access to Telephone Call Services

Pages: 73
Proposed Standard
Part 3 of 4 – Pages 37 to 62

4. Examples of PINT Requests and Responses

4.1. A request to a call center from an anonymous user to receive a phone call.

   C->S: INVITE sip:R2C@pint.mailorder.com SIP/2.0
         Via: SIP/2.0/UDP 169.130.12.5
         From: sip:anon-1827631872@chinet.net
         To: sip:+1-201-456-7890@iron.org;user=phone
         Call-ID: 19971205T234505.56.78@pager.com
         CSeq: 4711 INVITE
         Subject: Sale on Ironing Boards
         Content-type: application/sdp
         Content-Length: 174

         v=0
         o=- 2353687637 2353687637 IN IP4 128.3.4.5
         s=R2C
         i=Ironing Board Promotion
         e=anon-1827631872@chinet.net
         t=2353687637 0
         m=audio 1 voice -
         c=TN RFC2543 +1-201-406-4090

In this example, the context that is required to interpret the To: address as a telephone number is not given explicitly; it is implicitly known to the R2C@pint.mailorder.com server. But the telephone of the person who wishes to receive the call is explicitly identified as an internationally significant E.164 number that falls within the North American numbering plan (because of the "+1" within the c= line).

4.2. A request from a non anonymous customer (John Jones) to receive a phone call from a particular sales agent (Mary James) concerning the defective ironing board that was purchased

   C->S: INVITE sip:marketing@pint.mailorder.com SIP/2.0
         Via: SIP/2.0/UDP 169.130.12.5
         From: sip:john.jones.3@chinet.net
         To: sip:mary.james@mailorder.com
         Call-ID: 19971205T234505.56.78@pager.com
         CSeq: 4712 INVITE
         Subject: Defective Ironing Board - want refund
         Content-type: application/sdp
         Content-Length: 150

         v=0
         o=- 2353687640 2353687640 IN IP4 128.3.4.5
         s=marketing
         e=john.jones.3@chinet.net
         c= TN RFC2543  +1-201-406-4090
         t=2353687640 0
         m=audio 1  voice -

   The To: line might include Mary James's phone number instead of an
   email-like address. An implementation that cannot accept email-like
   URLs in the "To:" header must decline the request with a 606 Not
   Acceptable.  Note that the sending PINT client "knows" that the PINT
   Gateway contacted with the "marketing@pint.mailorder.com" Request-URI
   is capable of processing the client request as expected. (see 3.5.5.1
   for a discussion on this).

   Note also that such a telephone call service could be implemented on
   the phone side with different details. For example, it might be that
   first the agent's phone rings, and then the customer's phone rings,
   or it might be that first the customer's phone rings and he hears
   silly music until the agent comes on line. If necessary, such service
   parameter details might be indicated in "a=" attribute lines within
   the session description. The specification of such attribute lines
   for service consistency is beyond the scope of the PINT 1.0
   specifications.

4.3. A request from the same user to get a fax back on how to assemble the Ironing Board

   C->S: INVITE sip:faxback@pint.mailorder.com SIP/2.0
         Via: SIP/2.0/UDP 169.130.12.5
         From: sip:john.jones.3@chinet.net
         To: sip:1-800-3292225@steam.edu;user=phone;phone-context=+1
         Call-ID: 19971205T234505.66.79@chinet.net
         CSeq: 4713 INVITE
         Content-type: application/sdp
         Content-Length: 218

         v=0
         o=- 2353687660 2353687660 IN IP4 128.3.4.5
         s=faxback
         e=john.jones.3@chinet.net
         t=2353687660 0
         m=application 1 fax URI
         c=TN  RFC2543  1-201-406-4091
         a=fmtp:URI uri:http://localstore/Products/IroningBoards/2344.html

   In this example, the fax to be sent is stored on some local server
   (localstore), whose name may be only resolvable, or that may only be
   reachable, from within the IP network on which the PINT server sits.
   The phone number to be dialled is a "local phone number" as well.
   There is no "phone-context" attribute, so the context (in this case,
   for which nation the number is "nationally significant") must be
   supplied by the faxback@pint.mailorder.com PINT server.

   If the server that receives it does not understand the number, it
   SHOULD decline the request and include a "Network Address Not
   Understood" warning.  Note that no "require" attribute was used here,
   since it is very likely that the request can be serviced even by a
   server that does not support the "require" attribute.

4.4. A request from same user to have that same information read out over the phone

   C->S: INVITE sip:faxback@pint.mailorder.com SIP/2.0
         Via: SIP/2.0/UDP 169.130.12.5
         From: sip:john.jones.3@chinet.net
         To: sip:1-800-3292225@steam.edu;user=phone;phone-context=+1
         Call-ID: 19971205T234505.66.79@chinet.net
         CSeq: 4713 INVITE
         Content-type: application/sdp
         Content-Length: 220

         v=0
         o=- 2353687660 2353687660 IN IP4 128.3.4.5
         s=faxback
         e=john.jones.3@chinet.net
         t=2353687660 0
         m=application 1 voice URI
         c=TN RFC2543 1-201-406-4090
         a=fmtp:URI uri:http://localstore/Products/IroningBoards/2344.html

4.5. A request to send an included text page to a friend's pager.

In this example, the text to be paged out is included in the request.

   C->S: INVITE sip:R2F@pint.pager.com SIP/2.0
         Via: SIP/2.0/UDP 169.130.12.5
         From: sip:scott.petrack@chinet.net
         To: sip:R2F@pint.pager.com
         Call-ID: 19974505.66.79@chinet.net
         CSeq: 4714 INVITE
         Content-Type: multipart/related; boundary=--next

         ----next
         Content-Type: application/sdp
         Content-Length: 236

         v=0
         o=- 2353687680 2353687680 IN IP4 128.3.4.5
         s=R2F
         e=scott.petrack@chinet.net
         t=2353687680 0
         m=text 1 pager plain
         c= TN  RFC2543  +972-9-956-1867
         a=fmtp:plain spr:2@53655768

         ----next
         Content-Type: text/plain
         Content-ID: 2@53655768
         Content-Length:50

         Hi Joe! Please call me asap at 555-1234.

         ----next--

4.6. A request to send an image as a fax to phone number +972-9-956-1867

   C->S: INVITE sip:faxserver@pint.vocaltec.com SIP/2.0
         Via: SIP/2.0/UDP 169.130.12.5
         From: sip:scott.petrack@chinet.net
         To: sip:faxserver@pint.vocaltec.com
         Call-ID: 19971205T234505.66.79@chinet.net
         CSeq: 4715 INVITE
         Content-type: application/sdp
         Content-Length: 267

         v=0
         o=- 2353687700 2353687700 IN IP4 128.3.4.5
         s=faxserver
         e=scott.petrack@chinet.net
         t=2353687700 0
         m=image 1 fax tif gif
         c= TN RFC2543 +972-9-956-1867
         a=fmtp:tif uri:http://petrack/images/tif/picture1.tif
         a=fmtp:gif uri:http://petrack/images/gif/picture1.gif

   The image is available as tif or as gif. The tif is the preferred
   format. Note that the http server where the pictures reside is local,
   and the PINT server is also local (because it can resolve machine
   name "petrack").

4.7. A request to read out over the phone two pieces of content in sequence.

First some included text is read out by text-to-speech. Then some text that is stored at some URI on the internet is read out.

   C->S: INVITE sip:R2HC@pint.acme.com SIP/2.0
         Via: SIP/2.0/UDP 169.130.12.5
         From: sip:scott.petrack@chinet.net
         To: sip:R2HC@pint.acme.com
         Call-ID: 19974505.66.79@chinet.net
         CSeq: 4716 INVITE
         Content-Type: multipart/related; boundary=next

         --next
         Content-Type: application/sdp
         Content-Length: 316

         v=0
         o=- 2353687720 2353687720 IN IP4 128.3.4.5
         s=R2HC
         e=scott.petrack@chinet.net
         c= TN RFC2543 +1-201-406-4091
         t=2353687720 0
         m=text 1 voice plain
         a=fmtp:plain spr:2@53655768
         m=text 1 voice plain
         a=fmtp:plain uri:http://www.your.com/texts/stuff.doc

         --next
         Content-Type: text/plain
         Content-ID: 2@53655768
         Content-Length: 172

         Hello!! I am about to read out to you the document you
         requested, "uri:http://www.your.com/texts/stuff.doc".
         We hope you like acme.com's new speech synthesis server.

         --next--

4.8. Request for the prices for ISDN to be sent to my fax machine

         INVITE sip:R2FB@pint.bt.co.uk SIP/2.0
         Via: SIP/2.0/UDP 169.130.12.5
         To: sip:0345-12347-01@pint.bt.co.uk;user=phone;phone-context=+44
         From: sip:hank.wangford@newts.demon.co.uk
         Call-ID: 19981204T201505.56.78@demon.co.uk
         CSeq: 4716 INVITE
         Subject: Price List
         Content-type: application/sdp
         Content-Length: 169

         v=0
         o=- 2353687740 2353687740 IN IP4 128.3.4.5
         s=R2FB
         i=ISDN Price List
         e=hank.wangford@newts.demon.co.uk
         t=2353687740 0
         m=text 1 fax -
         c=TN RFC2543 +44-1794-8331010

4.9. Request for a callback

         INVITE sip:R2C@pint.bt.co.uk SIP/2.0
         Via: SIP/2.0/UDP 169.130.12.5
         To: sip:0345-123456@pint.bt.co.uk;user=phone;phone-context=+44
         From: sip:hank.wangford@newts.demon.co.uk
         Call-ID: 19981204T234505.56.78@demon.co.uk
         CSeq: 4717 INVITE
         Subject: It costs HOW much?
         Content-type: application/sdp
         Content-Length: 176

         v=0
         o=- 2353687760 2353687760 IN IP4 128.3.4.5
         s=R2C
         i=ISDN pre-sales query
         e=hank.wangford@newts.demon.co.uk
         c=TN RFC2543 +44-1794-8331013
         t=2353687760 0
         m=audio 1 voice -

4.10. Sending a set of information in response to an enquiry

         INVITE sip:R2FB@pint.bt.co.uk SIP/2.0
         Via: SIP/2.0/UDP 169.130.12.5
         To: sip:0345-12347-01@pint.bt.co.uk;user=phone;phone-context=+44
         From: sip:colin.masterton@sales.hh.bt.co.uk
         Call-ID: 19981205T234505.56.78@sales.hh.bt.co.uk
         CSeq: 1147 INVITE
         Subject: Price Info, as requested
         Content-Type: multipart/related; boundary=next

         --next
         Content-type: application/sdp
         Content-Length: 325

         v=0
         o=- 2353687780 2353687780 IN IP4 128.3.4.5
         s=R2FB
         i=Your documents
         e=colin.masterton@sales.hh.bt.co.uk
         t=2353687780 0
         m=application 1 fax octet-stream
         c=TN RFC2543 +44-1794-8331010
         a=fmtp:octet-stream uri:http://www.bt.co.uk/imgs/pipr.gif opr: spr:2@53655768

         --next
         Content-Type: text/plain
         Content-ID: 2@53655768
         Content-Length: 352

         Dear Sir,
         Thank you for your enquiry. I have checked availability in
         your area, and we can provide service to your cottage. I
         enclose a quote for the costs of installation, together with
         the ongoing rental costs for the line. If you want to proceed
         with this, please quote job reference isdn/hh/123.45.9901.
         Yours Sincerely,
         Colin Masterton

         --next--

Note that the "implicit" faxback content is given by an EMPTY opaque reference in the middle of the fmtp line in this example.

4.11. Sportsline "headlines" message sent to your phone/pager/fax

   (i) phone
         INVITE sip:R2FB@pint.wwos.skynet.com SIP/2.0
         Via: SIP/2.0/UDP 169.130.12.5
         To: sip:1-900-123-456-7@wwos.skynet.com;user=phone;phone-context=+1
         From: sip:fred.football.fan@skynet.com
         Call-ID: 19971205T234505.56.78@chinet.net
         CSeq: 4721 INVITE
         Subject: Wonderful World Of Sports NFL Final Scores
         Content-type: application/sdp
         Content-Length: 220

         v=0
         o=- 2353687800 2353687800 IN IP4 128.3.4.5
         s=R2FB
         i=NFL Final Scores
         e=fred.football.fan@skynet.com
         c=TN RFC2543 +44-1794-8331013
         t=2353687800 0
         m=audio 1 voice x-pay
         a=fmtp:x-pay opr:mci.com/md5:<crypto signature>

   (ii) fax
         INVITE sip:R2FB@pint.wwos.skynet.com SIP/2.0
         Via: SIP/2.0/UDP 169.130.12.5
         To: sip:1-900-123-456-7@wwos.skynet.com;user=phone;
             phone-context=+1
         From: sip:fred.football.fan@skynet.com
         Call-ID: 19971205T234505.56.78@chinet.net
         CSeq: 4722 INVITE
         Subject: Wonderful World Of Sports NFL Final Scores
         Content-type: application/sdp
         Content-Length: 217

         v=0
         o=- 2353687820 2353687820 IN IP4 128.3.4.5
         s=R2FB
         i=NFL Final Scores
         e=fred.football.fan@skynet.com
         c=TN RFC2543 +44-1794-8331010
         t=2353687820 0
         m=text 1 fax x-pay
         a=fmtp:x-pay opr:mci.com/md5:<crypto signature>

   (iii) pager
         INVITE sip:R2FB@pint.wwos.skynet.com  SIP/2.0
         Via: SIP/2.0/UDP 169.130.12.5
         To: sip:1-900-123-456-7@wwos.skynet.com;user=phone;
             phone-context=+1
         From: sip:fred.football.fan@skynet.com
         Call-ID: 19971205T234505.56.78@chinet.net
         CSeq: 4723 INVITE
         Subject: Wonderful World Of Sports NFL Final Scores
         Content-type: application/sdp
         Content-Length: 219

         v=0
         o=- 2353687840 2353687840 IN IP4 128.3.4.5
         s=R2FB
         i=NFL Final Scores
         e=fred.football.fan@skynet.com
         c=TN  RFC2543 +44-1794-8331015
         t=2353687840 0
         m=text 1 pager x-pay
         a=fmtp:x-pay opr:mci.com/md5:<crypto signature>

   Note that these are all VERY similar.

4.12. Automatically giving someone a fax copy of your phone bill

         INVITE sip:BillsRUs@pint.sprint.com SIP/2.0
         Via: SIP/2.0/UDP 169.130.12.5
         To: sip:+1-555-888-1234@fbi.gov;user=phone
         From: sip:agent.mulder@fbi.gov
         Call-ID: 19991231T234505.56.78@fbi.gov
         CSeq: 911 INVITE
         Subject: Itemised Bill for January 98
         Content-type: application/sdp
         Content-Length: 247

         v=0
         o=- 2353687860 2353687860 IN IP4 128.3.4.5
         s=BillsRUs
         i=Joe Pendleton's Phone Bill
         e=agent.mulder@fbi.gov
         c=TN RFC2543 +1-202-833-1010
         t=2353687860 0
         m=text 1 fax x-files-id
         a=fmtp:x-files-id opr:fbi.gov/jdcn-123@45:3des;base64,<signature>

   Note: in this case the opaque reference is a collection of data used
   to convince the Executive System that the requester has the right to
   get this information, rather than selecting the particular content
   (the A party in the To: field of the SIP "wrapper" does that alone).
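
The PINT-specific SDP lines used throughout the examples above can be picked apart mechanically. The following parser is an added example, not code from RFC 2848: it reads the c=TN number, records whether it carries a leading "+" (example 4.3 shows a local number whose context the server must supply), and resolves spr: references against the Content-ID of the other body parts (examples 4.5 and 4.10). All names are hypothetical, the sample body is constructed after example 4.10, and only the uri:, opr: and spr: forms seen in these examples are handled.

```python
"""Added example (not from RFC 2848): parse the PINT SDP lines of section 4."""
from dataclasses import dataclass, field
from email import message_from_string


@dataclass
class PintMedia:
    media: str                                   # "text", "application", ...
    transport: str                               # "fax", "voice", "pager"
    formats: list
    refs: dict = field(default_factory=dict)     # format -> [(kind, value)]


@dataclass
class PintSession:
    number: str = ""
    is_global: bool = False                      # TN address starts with "+"
    media: list = field(default_factory=list)


def parse_pint_sdp(sdp):
    """Extract the TN number and the fmtp data references from an SDP body."""
    session, current = PintSession(), None
    for raw in sdp.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        key, value = line[0], line[2:].strip()
        if key == "c":
            parts = value.split()
            if len(parts) != 3 or parts[0] != "TN":
                raise ValueError("not a telephone-network c= line: " + value)
            session.number = parts[2]
            session.is_global = parts[2].startswith("+")
        elif key == "m":
            parts = value.split()
            if len(parts) < 4:
                raise ValueError("malformed m= line: " + value)
            current = PintMedia(parts[0], parts[2], parts[3:])
            session.media.append(current)
        elif key == "a" and value.startswith("fmtp:") and current is not None:
            fmt, _, rest = value[len("fmtp:"):].partition(" ")
            refs = current.refs.setdefault(fmt, [])
            for token in rest.split():
                kind, sep, ref = token.partition(":")
                if sep and kind in ("uri", "opr", "spr"):
                    refs.append((kind, ref))     # ref may be empty (see 4.10)
    return session


def load_pint_body(mime_text):
    """Split a multipart/related body, parse its SDP part, resolve spr: refs.

    Raises KeyError when an spr: reference names no Content-ID in the body,
    so the caller can decline the request instead of guessing the content.
    """
    msg = message_from_string(mime_text)
    if not msg.is_multipart():
        raise ValueError("expected a multipart body")
    sdp, by_cid = None, {}
    for part in msg.get_payload():
        if part.get_content_type() == "application/sdp":
            sdp = part.get_payload()
        elif part["Content-ID"]:
            by_cid[part["Content-ID"].strip()] = part.get_payload()
    if sdp is None:
        raise ValueError("no application/sdp part")
    session = parse_pint_sdp(sdp)
    resolved = {}
    for m in session.media:
        for refs in m.refs.values():
            for kind, ref in refs:
                if kind == "spr":
                    resolved[ref] = by_cid[ref]
    return session, resolved


# Constructed sample modelled on example 4.10 (Content-Length headers omitted).
SAMPLE_BODY = """\
Content-Type: multipart/related; boundary=next

--next
Content-Type: application/sdp

v=0
o=- 2353687780 2353687780 IN IP4 128.3.4.5
s=R2FB
t=2353687780 0
m=application 1 fax octet-stream
c=TN RFC2543 +44-1794-8331010
a=fmtp:octet-stream uri:http://www.bt.co.uk/imgs/pipr.gif opr: spr:2@53655768
--next
Content-Type: text/plain
Content-ID: 2@53655768

Dear Sir, thank you for your enquiry.
--next--
"""

if __name__ == "__main__":
    s, parts = load_pint_body(SAMPLE_BODY)
    print(s.number, s.is_global, s.media[0].refs, parts)
```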

5. Security Considerations

5.1. Basic Principles for PINT Use

A PINT Gateway, and the Executive System(s) with which that Gateway is associated, exist to provide service to PINT Requestors. The aim of the PINT protocol is to pass requests from those users on to a PINT Gateway so an associated Executive System can service those requests.

5.1.1. Responsibility for service requests

The facility of making a GSTN-based call to numbers specified in the PINT request, however, comes with some risks. The request can specify an incorrect telephone or fax number. It is also possible that the Requestor has purposely entered the telephone number of an innocent third party. Finally, the request may have been intercepted on its way through any intervening PINT or SIP infrastructure, and the request may have been altered. In any of these cases, the result may be that a call is placed incorrectly. Where there is intent or negligence, this may be construed as harassment of the person incorrectly receiving the call.

Whilst the regulatory framework for misuse of Internet connections differs throughout the world and is not always mature, the rules under which GSTN calls are made are much more settled. Someone may be liable for mistaken or incorrect calls. Understandably, the GSTN Operators would prefer that this someone is not them, so they will need to ensure that any PINT Gateway and Executive System combination does not generate incorrect calls through some error in the Gateway or Executive system implementation or GSTN-internal communications fault.

Equally, it is important that the Operator can show that they act only on requests that they have good reason to believe are correct. This means that the Gateway must not pass on requests unless it is sure that they have not been corrupted in transit from the Requestor.

If a request can be shown to have come from a particular Requestor and to have been acted on in good faith by the PINT service provider, then responsibility for making requests may well fall to the Requestor rather than the Operator who executed these requests.

   Finally, it may be important for the PINT service provider to be able
   to show that they act only on requests for which they have some
   degree of assurance of origin. In many jurisdictions, it is a
   requirement on GSTN Operators that they place calls only when they
   can, if required, identify the parties to the call (such as when
   required to carry out a Malicious Call Trace). It is at least likely
   that the provider of PINT services will have a similar responsibility
   placed on them.

   It follows that the PINT service provider may require that the
   identity of the Requestor be confirmed. If such confirmation is not
   available, then they may be forced (or choose) not to provide
   service. This identification may require personal authentication of
   the Requesting User.

5.1.2. Authority to make requests

Where GSTN resources are used to provide a PINT service, it is at least possible that someone will have to pay for it. This person may not be the Requestor, as, for example, in the case of existing GSTN split-charging services like free phone in which the recipient of a call rather than the originator is responsible for the call cost. This is not, of course, the only possibility; for example, PINT service may be provided on a subscription basis, and there are a number of other models. However, whichever model is chosen, there may be a requirement that the authority of a Requestor to make a PINT request is confirmed. If such confirmation is not available, then, again, the PINT Gateway and associated Executive System may choose not to provide service.

5.1.3. Privacy

Even if the identity of the Requesting User and the Authority under which they make their request is known, there remains the possibility that the request is either corrupted, maliciously altered, or even replaced whilst in transit between the Requestor and the PINT Gateway.

Similarly, information on the Authority under which a request is made may well be carried within that request. This can be sensitive information, as an eavesdropper might steal this and use it within their own requests. Such authority SHOULD be treated as if it were financial information (such as a credit card number or PIN).

   The data authorizing a Requesting User to make a PINT request should
   be known only to them and the service provider. However, this
   information may be in a form that does not match the schemes normally
   used within the Internet. For example, X.509 certificates[14] are
   commonly used for secured transactions on the Internet both in the IP
   Security Architecture[12] and in the TLS protocol[13], but the GSTN
   provider may only store an account code and PIN (i.e. a fixed string
   of numbers).

   A Requesting User has a reasonable expectation that their requests
   for service are confidential. For some PINT services, no content is
   carried over the Internet; however, the telephone or fax numbers of
   the parties to a resulting service call may be considered sensitive.
   As a result, it is likely that the Requestor (and their PINT service
   provider) will require that any request that is sent across the
   Internet be protected against eavesdroppers; in short, the requests
   SHOULD be encrypted.

5.1.4. Privacy Implications of SUBSCRIBE/NOTIFY

Some special considerations relate to monitoring sessions using the SUBSCRIBE and NOTIFY messages.

The SUBSCRIBE message that is used to register an interest in the disposition of a PINT service transaction uses the original Session Description carried in the related INVITE message. This current specification does not restrict the source of such a SUBSCRIBE message, so it is possible for an eavesdropper to capture an unprotected session description and use this in a subsequent SUBSCRIBE request. In this way it is possible to find out details on that transaction that may well be considered sensitive.

The initial solution to this risk is to recommend that a session description that may be used within a subsequent SUBSCRIBE message SHOULD be protected. However, there is a further risk; if the origin-field used is "guessable" then it might be possible for an attacker to reconstruct the session description and use this reconstruction within a SUBSCRIBE message.

SDP (see section 6 of [2], "o=" field) does not specify the mechanism used to generate the sess-id field, and suggests that a method based on timestamps produced by Network Time Protocol [16] can be used. This is sufficient to guarantee uniqueness, but may allow the value to be guessed, particularly if other unprotected requests from the same originator are available.

   Thus, to ensure that the session identifier is not guessable the
   techniques described in section 6.3 of [17] can be used when
   generating the origin-field for a session description to be used
   inside a PINT INVITE message. If all requests from (and responses to)
   a particular PINT requesting entity are protected, then this is not
   needed. Where such a situation is not assured, AND where session
   monitoring is supported, then a method by which an origin-field
   within a session description is not guessable SHOULD be used.
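
One way to act on this recommendation, as an added example that is not part of RFC 2848: random_origin() draws the sess-id from the operating system's CSPRNG, and guessable_origins() audits origin-fields a Gateway has seen for the clustering that a clock-derived sess-id produces. The function names, the 64-bit width and the one-hour window are assumptions made for this illustration; the RFC itself defers to section 6.3 of [17] for the generation technique. The sample origin-fields are those of examples 4.1 to 4.3.

```python
"""Added example (not from RFC 2848): unguessable SDP origin-fields."""
import secrets
from collections import defaultdict


def random_origin(address, username="-", bits=64):
    """Build an o= line whose sess-id comes from the OS CSPRNG.

    The version field repeats the sess-id, as the examples in section 4 do.
    """
    sess_id = secrets.randbits(bits)
    return f"o={username} {sess_id} {sess_id} IN IP4 {address}"


def parse_origin(line):
    """Return (address, sess_id) from an o= line, or raise ValueError."""
    if not line.startswith("o="):
        raise ValueError("not an origin-field: " + line)
    fields = line[2:].split()
    if len(fields) != 6 or not fields[1].isdigit():
        raise ValueError("malformed origin-field: " + line)
    return fields[5], int(fields[1])


def guessable_origins(origin_lines, window=3600):
    """Flag origin-fields whose sess-id lies within `window` of another sess-id
    from the same address. Clock-derived identifiers cluster like this, which
    is what lets an observer of one unprotected request reconstruct the
    session descriptions of its neighbours."""
    by_addr = defaultdict(list)
    for line in origin_lines:
        addr, sess_id = parse_origin(line)
        by_addr[addr].append((sess_id, line))
    flagged = []
    for entries in by_addr.values():
        entries.sort()
        for i, (sess_id, line) in enumerate(entries):
            near_prev = i > 0 and sess_id - entries[i - 1][0] <= window
            near_next = (i + 1 < len(entries)
                         and entries[i + 1][0] - sess_id <= window)
            if near_prev or near_next:
                flagged.append(line)
    return flagged


# Origin-fields copied from examples 4.1, 4.2 and 4.3 of this document.
SECTION_4_ORIGINS = [
    "o=- 2353687637 2353687637 IN IP4 128.3.4.5",
    "o=- 2353687640 2353687640 IN IP4 128.3.4.5",
    "o=- 2353687660 2353687660 IN IP4 128.3.4.5",
]

if __name__ == "__main__":
    print(len(guessable_origins(SECTION_4_ORIGINS)), "of 3 sample ids cluster")
    fresh = [random_origin("128.3.4.5") for _ in range(3)]
    print(len(guessable_origins(fresh)), "of 3 random ids cluster")
```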

5.2. Registration Procedures

Any number of PINT Gateways may register to provide the same service; this is indicated by the Gateways specifying the same "userinfo" part in the To: header field of the REGISTER request. Whilst such ambiguity would be unlikely to occur with the scenarios covered by "core" SIP, it is very likely for PINT; there could be any number of service providers all willing to support a "Request-To-Fax" service, for example. Unless a request specifies the Gateway name explicitly, an intervening Proxy that acts on a registration database to which several Gateways have all registered is in a position to select from the registrands using whatever algorithm it chooses; in principle, any Gateway that has registered as "R2F" would be appropriate.

However, this opens up an avenue for attack, and this is one in which a "rogue" Gateway operator stands to make a significant gain. The standard SIP procedure for releasing a registration is to send a REGISTER request with a Contact field having a wildcard value and an expires parameter with a value of 0. It is important that a PINT Registrar uses authentication of the Registrand, as otherwise one PINT service provider would be able to "spoof" another and remove their registration. As this would stop the Proxy passing any requests to that provider, this would both increase requests being sent to the rogue and stop requests going to the victim.

Another variant on this attack would be to register a Gateway using a name that has been registered by another provider; thus a rogue Operator might register its Gateway as "R2C@pint.att.com", thereby hijacking requests.

The solution is the same; all registrations by PINT Gateways MUST be authenticated; this includes both new or apparent replacement registrations, and any cancellation of current registrations. This recommendation is also made in the SIP specification, but for the correct operation of PINT, it is very important indeed.
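
The rule above, applied to additions, replacements and cancellations alike, can be sketched as follows. This is an added example, not code from RFC 2848: the class, the per-provider host table and the contact addresses are hypothetical, and the outcome of SIP authentication is passed in as authenticated_as rather than computed here.

```python
"""Added example (not from RFC 2848): a Registrar that authenticates every
REGISTER, whether it adds, replaces or cancels a binding."""


def _strip_scheme(addr):
    return addr[4:] if addr.startswith("sip:") else addr


class PintRegistrar:
    def __init__(self, provider_hosts):
        # Assumed policy table: provider identity -> host names it may use
        # in the To: address of a REGISTER.
        self.provider_hosts = provider_hosts
        self.bindings = {}          # "userinfo@host" -> {contact: provider}

    def register(self, to_addr, contact, expires, authenticated_as):
        """Process one REGISTER and return a SIP status code.

        authenticated_as is the provider identity established by SIP
        authentication, or None if the request carried no valid credentials.
        """
        if authenticated_as is None:
            return 401                      # applies to cancellations too
        to_addr = _strip_scheme(to_addr)
        host = to_addr.rpartition("@")[2].lower()
        if host not in self.provider_hosts.get(authenticated_as, ()):
            return 403                      # a name held by another provider
        owned = self.bindings.setdefault(to_addr, {})
        if contact == "*":
            if expires != 0:
                return 400                  # wildcard is only valid with 0
            mine = [c for c, who in owned.items() if who == authenticated_as]
            for c in mine:
                del owned[c]
            return 200
        if owned.get(contact, authenticated_as) != authenticated_as:
            return 403                      # contact bound by someone else
        if expires == 0:
            owned.pop(contact, None)
        else:
            owned[contact] = authenticated_as
        return 200

    def gateways_for(self, service):
        """Contacts a Proxy may choose from for a service name such as R2C."""
        found = []
        for to_addr, owned in self.bindings.items():
            if to_addr.partition("@")[0] == service:
                found.extend(owned)
        return sorted(found)


if __name__ == "__main__":
    # Constructed scenario: two providers offer "R2C"; the second one tries
    # to cancel and then to take over the first one's registration.
    reg = PintRegistrar({"att": {"pint.att.com"},
                         "other": {"pint.other.example"}})
    print(reg.register("R2C@pint.att.com", "sip:gw-a.example", 3600, "att"))
    print(reg.register("R2C@pint.other.example", "sip:gw-b.example", 3600, "other"))
    print(reg.register("R2C@pint.att.com", "*", 0, None))
    print(reg.register("R2C@pint.att.com", "*", 0, "other"))
    print(reg.register("R2C@pint.att.com", "sip:gw-b.example", 3600, "other"))
    print(reg.gateways_for("R2C"))
```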

5.3. Security mechanisms and implications on PINT service

PINT is a set of extensions to SIP[1] and SDP[2], and will use the security procedures described in SIP. There are several implications of this, and these are covered here.

For several of the PINT services, the To: header field of SIP is used to identify one of the parties to the resulting service call. The PINT Request-To-Call service is an example. As mentioned in the SIP specification, this field is used to route SIP messages through an infrastructure of Redirect and Proxy servers between the corresponding User Agent Servers, and so cannot be encrypted. This means that, although the majority of personal or sensitive data can be protected whilst in transit, the telephone (or fax) number of one of the parties to a PINT service call cannot, and will be "visible" to any interception. For the PINT milestone services this may be acceptable, since the caller named in the To: service is typically a "well known" provider address, such as a Call Center.

Another aspect of this is that, even if the Requesting User does not consider the telephone or fax numbers of the parties to a PINT service to be private, those parties might. Where PINT servers have reason to believe this might be the case they SHOULD encrypt the request, even if the Requestor has not done so. This could happen, for example, if a Requesting User within a company placed a PINT request and this was carried via the company's Intranet to their Proxy/firewall and thence over the Internet to a PINT Gateway at another location.

If a request carries data that can be reused by an eavesdropper either to "spoof" the Requestor or to obtain PINT service by inserting the Requestor's authorization token into an eavesdropper's request, then this data MUST be protected. This is particularly important if the authorization token consists of static text (such as an account code and/or PIN). One approach is to encrypt the whole of the request, using the methods described in the SIP specification.

As an alternative, it may be acceptable for the authorization token to be held as an opaque reference (see section 3.4.2.3 and examples 4.11 and 4.12), using some proprietary scheme agreed between the Requestor and the PINT service provider, as long as this is resistant to interception and re-use. Also, it may be that the authorization token cannot be used outside of a request cryptographically signed by the Requestor; if so then this requirement can be relaxed, as in this case the token cannot be re-used by another. However, unless both the Requestor and the Gateway are assured that this is the case, any authorization token MUST be treated as sensitive, and so MUST be encrypted.

   A PINT request may contain data within the SDP message body that can
   be used more efficiently to route that request. For example, it may
   be that one Gateway and Executive System combination cannot handle a
   request that specifies one of the parties as a pager, whilst another
   can. Both gateways may have registered with a PINT/SIP Registrar, and
   this information may be available to intervening PINT/SIP Proxies.
   However, if the message body is encrypted, then the request cannot be
   decoded at the Proxy server, and so Gateway selection based on
   contained information cannot be made there.

   The result is that the Proxy may deliver the request to a Gateway
   that cannot handle it; the implication is that a PINT/SIP Proxy
   SHOULD consider its choice for the appropriate Gateway subject to
   correction, and, on receiving a 501 or 415 rejection from the first
   gateway chosen, try another. In this way, the request will succeed if
   at all possible, even though it may be delayed (and tie up resources
   in the inappropriate Gateways).

   This opens up an interesting avenue for Denial Of Service; sending a
   valid request that appears to be suitable for a number of different
   Gateways, and simply occupying those Gateways in decrypting a message
   requesting a service they cannot provide. As mentioned in section
   3.5.5.1, the choice of service name to be passed in the userinfo
   portion of the SIP Request-URI is flexible, and it is RECOMMENDED
   that names be chosen that allow a Proxy to select an appropriate
   Gateway without having to examine the SDP body part. Thus, in the
   example given here, the service might be called "Request-To-Page" or
   "R2P" rather than the more general use of "R2F", if there is a
   possibility of the SDP body part being protected during transit.

   A variation on this attack is to provide a request that is
   syntactically invalid but that, due to the encryption, cannot be
   detected without expending resources in decoding it. The effects of
   this form of attack can be minimised in the same way as for any SIP
   Invitation; the Proxy should detect the 400 rejection returned from
   the initial Gateway, and not pass the request onwards to another.
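
The Proxy behaviour described in the last four paragraphs, as an added example that is not part of RFC 2848: Gateways are chosen from the service name in the Request-URI alone, a 415 or 501 moves on to the next candidate, and a 400 ends the search. The Gateway stand-in, the dictionary used as a request body and the max_attempts limit are assumptions made for this illustration.

```python
"""Added example (not from RFC 2848): Proxy-side Gateway selection and retry."""

RETRY_ELSEWHERE = {415, 501}     # this Gateway cannot serve it; another may


class Gateway:
    """Stand-in for a PINT Gateway. `transports` is what its Executive System
    can serve. The body is opaque to the Proxy, so only the Gateway learns
    whether a request is usable, and only after paying to decrypt it."""

    def __init__(self, name, transports):
        self.name = name
        self.transports = set(transports)
        self.decrypted = 0               # counts the work a request caused

    def handle(self, body):
        self.decrypted += 1
        if not body.get("well_formed", True):
            return 400
        if body["transport"] not in self.transports:
            return 415
        return 200


def service_name(request_uri):
    """Return the userinfo part of a sip: Request-URI, e.g. 'R2F'."""
    if not request_uri.startswith("sip:") or "@" not in request_uri:
        raise ValueError("unsupported Request-URI: " + request_uri)
    return request_uri[len("sip:"):].split("@", 1)[0]


def route(request_uri, body, registry, max_attempts=3):
    """Try registered Gateways in turn; return (final status, names tried).

    max_attempts is an assumed local policy bounding how many Gateways one
    request may occupy; the RFC does not specify a limit.
    """
    tried, status = [], 404
    for gateway in registry.get(service_name(request_uri), []):
        if len(tried) >= max_attempts:
            break
        tried.append(gateway.name)
        status = gateway.handle(body)
        if status not in RETRY_ELSEWHERE:
            break                        # success, 400 or another final answer
    return status, tried


if __name__ == "__main__":
    fax, pager = Gateway("fax-gw", {"fax"}), Gateway("pager-gw", {"pager"})
    registry = {"R2F": [fax, pager], "R2P": [pager]}   # constructed registry
    page = {"transport": "pager"}
    # General name: the fax Gateway is occupied before the pager one answers.
    print(route("sip:R2F@pint.pager.com", page, registry))
    # Specific name: only a Gateway that can page is ever contacted.
    print(route("sip:R2P@pint.pager.com", page, registry))
    # Invalid request: the 400 from the first Gateway is not retried.
    bad = {"well_formed": False, "transport": "pager"}
    print(route("sip:R2F@pint.pager.com", bad, registry))
```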

   Finally, note that the Requesting User may not have a prior
   relationship with a PINT Gateway, whilst still having a prior
   relationship with the Operator of the Executive System that fulfills
   their request. Thus there may be two levels of authentication and
   authorization; one carried out using the techniques described in the
   SIP specification (for use between the Requestor and the Gateway),
   with another being used between the Requesting User or the Requestor
   and the Executive System.

   For example, the Requesting User may have an account with the PINT
   service provider. That provider might require that requests include
   this identity before they will be convinced to provide service. In
   addition, to counter attacks on the request whilst it is in transit
   across the Internet, the Gateway may require a separate X.509-based
   certification of the request. These are two separate procedures, and
   data needed for the former would normally be expected to be held in
   opaque references inside the SDP body part of the request.

   The detailed operation of this mechanism is, by definition, outside
   the scope of an Internet Protocol, and so must be considered a
   private matter. However, one approach to indicating to the Requestor
   that such "second level" authentication or authorization is required
   by their Service Provider would be to ask for this inside the textual
   description carried with a 401 response returned from the PINT
   Gateway.

5.4. Summary of Security Implications

From the above discussion, PINT always carries data items that are sensitive, and there may be financial considerations as well as the more normal privacy concerns. As a result, the transactions MUST be protected from interception, modification and replay in transit.

PINT is based on SIP and SDP, and can use the security procedures outlined in [1] (sections 13 and 15). However, in the case of PINT, the SIP recommendation that requests and responses MAY be protected is not enough. PINT messages MUST be protected, so PINT Implementations MUST support SIP Security (as described in [1], sections 13 & 15), and be capable of handling such received messages.

In some configurations, PINT Clients, Servers, and Gateways can be sure that they operate using the services of network level security [13], transport layer security [12], or physical security for all communications between them. In these cases messages MAY be exchanged without SIP security, since all traffic is protected already. Clients and servers SHOULD support manual configuration to use such lower layer security facilities.

When using network layer security [13], the Security Policy Database MUST be configured to provide appropriate protection to PINT traffic. When using TLS, a port configured MUST NOT also be configured for non-TLS traffic. When TLS is used, basic authentication MUST be supported, and client-side certificates MAY be supported.

   Authentication of the Client making the request is required, however,
   so if this is not provided by the underlying mechanism used, then it
   MUST be included within the PINT messages using SIP authentication
   techniques. In contrast with SIP, PINT requests are often sent to
   parties with which a prior communications relationship exists (such
   as a Telephone Carrier). In this case, there may be a shared secret
   between the client and the PINT Gateway. Such PINT systems MAY use
   authentication based on shared secrets, with HTTP "basic
   authentication". When this is done, the message integrity and privacy
   must be guaranteed by some lower layer mechanism.

   There are implications on the operation of PINT here though. If a
   PINT proxy or redirect server is used, then it must be able to
   examine the contents of the IP datagrams carried. It follows that an
   end-to-end approach using network-layer security between the PINT
   Client and a PINT Gateway precludes the use of an intervening proxy;
   communication between the Client and Gateway is carried via a tunnel
   to which any intervening entity cannot gain access, even if the IP
   datagrams are carried via this node. Conversely, if a "hop-by-hop"
   approach is used, then any intervening PINT proxies (or redirect
   servers) are, by implication, trusted entities.

   However, if there is any doubt that there is an underlying network or
   transport layer security association in place, then the players in a
   PINT protocol exchange MUST use encryption and authentication
   techniques within the protocol itself. The techniques described in
   section 15 of RFC2543 MUST be used, unless there is an alternative
   protection scheme that is agreed between the parties. In either case,
   the content of any message body (or bodies) carried within a PINT
   request or response MUST be protected; this has implications on the
   options for routing requests via Proxies (see 5.3).

   Using SIP techniques for protection, the Request-URI and To: header
   fields within PINT requests cannot be protected. In the baseline
   PINT services these fields may contain sensitive information. This is
   a consideration, and if these data ARE considered sensitive, then
   this will preclude the sole use of SIP techniques; in such a
   situation, transport [12] or network layer [13] protection mechanisms
   MUST be used.

   As a final point, this choice will in turn have an influence on the
   choice of transport layer protocol that can be used; if a TLS
   association is available between two nodes, then TCP will have to be
   used. This is different from the default behaviour of SIP (try UDP,
   then try TCP if that fails).
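The requirements of this section can be checked mechanically against a deployment description. The following is an added example, not part of RFC 2848; the `Link` fields, their values and the rule ids are hypothetical names chosen for the illustration.

```python
from dataclasses import dataclass

# Rule text paraphrases the section above; the rule ids are made up for this example.
RULES = {
    "unprotected": "no lower-layer security association and no SIP security",
    "no-client-auth": "authentication of the Client is required",
    "basic-in-clear": "basic authentication needs integrity and privacy from a lower layer",
    "e2e-with-proxy": "end-to-end network-layer security precludes an intervening proxy",
    "uri-exposed": "SIP techniques cannot protect the Request-URI and To: fields",
    "tls-not-tcp": "a TLS association requires TCP, not the SIP default of UDP first",
    "tls-port-shared": "a port configured for TLS MUST NOT also carry non-TLS traffic",
}

@dataclass
class Link:
    """One client-to-gateway path. All field names and values are hypothetical."""
    lower_layer: str                   # "none", "tls", "ipsec-e2e", "ipsec-hop", "physical"
    transport: str                     # "udp" or "tcp"
    sip_security: bool                 # RFC 2543 section 13/15 protection in use
    client_auth: str                   # "none", "basic", "sip" or "lower-layer"
    via_proxy: bool = False            # a PINT proxy or redirect server is on the path
    uri_sensitive: bool = False        # Request-URI / To: data is considered sensitive
    port_also_cleartext: bool = False  # same port also accepts non-TLS traffic

def violations(link):
    """Return the ids of the section's requirements that this link breaks."""
    found = []
    below = link.lower_layer != "none"
    if not below and not link.sip_security:
        found.append("unprotected")
    if link.client_auth == "none" or (link.client_auth == "lower-layer" and not below):
        found.append("no-client-auth")
    if link.client_auth == "basic" and not below:
        found.append("basic-in-clear")
    if link.lower_layer == "ipsec-e2e" and link.via_proxy:
        found.append("e2e-with-proxy")
    if link.uri_sensitive and not below:
        found.append("uri-exposed")
    if link.lower_layer == "tls":
        if link.transport != "tcp":
            found.append("tls-not-tcp")
        if link.port_also_cleartext:
            found.append("tls-port-shared")
    return found

# Constructed configurations: a weak one and its corrected form.
WEAK = Link("none", "udp", sip_security=True, client_auth="basic",
            uri_sensitive=True)
FIXED = Link("tls", "tcp", sip_security=False, client_auth="basic",
             via_proxy=True, uri_sensitive=True)

if __name__ == "__main__":
    for name, link in (("weak", WEAK), ("fixed", FIXED)):
        for rule in violations(link):
            print(name, rule, RULES[rule])
        print(name, "ok" if not violations(link) else "rejected")
```

The weak configuration relies on SIP security alone while using basic authentication and sensitive To: data; moving the same exchange onto TLS over TCP clears both findings and also permits a trusted hop-by-hop proxy.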

6. Deployment considerations and the Relationship of PINT to I.N. (Informative)

6.1. Web Front End to PINT Infrastructure

It is possible that some other protocol may be used to communicate a Requesting User's requirements. Due to the high numbers of available Web Browsers and servers it seems likely that some PINT systems will use HTML/HTTP as a "front end". In this scenario, HTTP will be used over a connection from the Requesting User's Web Browser (WC) to an Intermediate Web Server (WS). This will be closely associated with a PINT Client (using some unspecified mechanism to transfer the data from the Web Server to the PINT Client). The PINT Client will represent the Requesting User to the PINT Gateway, and thus to the Executive System that carries out the required action.

      [WC]------[WS]
                [PC]
                  \
                   \
                   [PG]
                   [XS]

   Figure 2: Basic "Web-fronted" Configuration

6.2. Redirects to Multiple Gateways

It is quite possible that a given PINT Gateway is associated with an Executive System (or systems) that can connect to the GSTN at different places. Equally, if there is a chain of PINT Servers, then each of these intermediate or proxy servers (PP) may be able to route PINT requests to Executive Systems that connect at specific points to the GSTN. The result of this is that there may be more than one PINT Gateway or Executive System that can deal with a given request. The mechanisms by which the choice on where to deliver a request is made are outside the scope of this document.

      [WC]------[WS]                  [WC]------[WS]
                [PC]                            [PC]
                  \                               \
                   \                               \
                   [PG]                            [PP]
             .........[XS].........               /    \
             :                    :              /      \
                                              [PG]      [PG]
                                              [XS]      [XS]

   Figure 3: Multiple Access Configurations

   However, there do seem to be two approaches. Either a Server that
   acts as a proxy or redirect will select the appropriate Gateway
   itself and will cause the request to be sent on accordingly, or a
   list of possible Locations will be returned to the Requesting User
   from which they can select their choice.

   In SIP, the implication is that, if a proxy cannot resolve to a
   single unique match for a request destination, then a response
   containing a list of the choices should be returned to the Requesting
   User for selection. This is not too likely a scenario within the
   normal use of SIP.

   However, within PINT, such ambiguity may be quite common; it implies
   that there are a number of possible providers of a given service.

6.3. Competing PINT Gateways REGISTERing to offer the same service

With PINT, the registration is not for an individual but instead for a service that can be handled by a service provider. Thus, one can envisage a registration by the PINT Server of the domain telcoA.com of its ability to support the service R2C as "R2C@telcoA.com", sent to an intermediary server that acts as registrar for the "broker.telcos.com" domain from "R2C@pint.telcoA.com" as follows:

      REGISTER sip:registrar@broker.telcos.com SIP/2.0
      To: sip:R2C@pint.telcoA.com
      From: sip:R2C@pint.telcoA.com
      ...

This is the standard SIP registration service.

However, what happens if there are a number of different Service Providers, all of whom support the "R2C" service? Suppose there is a PINT system at domain "broker.com". PINT clients requesting a Request-to-Call service from broker.com might be very willing to be redirected or proxied to any one of the various service providers that had previously registered with the registrar. PINT servers might also be interested in providing service for requests that did not specify the service provider explicitly, as well as those requests that were directed "at them".

To enable such service, PINT servers would REGISTER at the broker PINT server registrations of the form:

      REGISTER sip:registrar@broker.com SIP/2.0
      To: sip:R2C@broker.com
      From: sip:R2C@pint.telcoA.com

   When several such REGISTER messages appear at the registrar, each
   differing only in the URL in the From: line, the registrar has many
   possibilities, e.g.:

   (i)  it overwrites the prior registration for "R2C@broker.telcos.com"
        when the next comes in;

   (ii) it rejects the subsequent registration for
        "R2C@broker.telcos.com";

   (iii) it maintains all such registrations.

   In this last case, on receiving an Invitation for the "general"
   service, either:

       (iii.1) it passes on the invitation to all registered service
               providers, returning a collated response with all
               acceptances, using multiple Location: headers,
   or
       (iii.2) it silently selects one of the registrations (using, for
               example, a "round robin" approach) and routes the Invitation
               and response onwards without further comment.

   As an alternative to all of the above approaches, it:

   (iv) may choose to not allow registrations for the "general" service,
        rejecting all such REGISTER requests.

   The algorithm by which such a choice is made will be implementation-
   dependent, and is outside the scope of PINT. Where a behaviour is to
   be defined by requesting users, then some sort of call processing
   language might be used to allow those clients, as a pre-service
   operation, to download the behaviour they expect to the server making
   such decisions. This, however, is a topic for other protocols, not
   for PINT.

6.4. Limitations on Available Information and Request Timing for SUBSCRIBE

A reference configuration for PINT is that service requests are sent, via a PINT Gateway, to an Executive System that fulfills the Service Control Function (SCF) of an Intelligent Network (see [11]). The success or failure of the resulting service call may be information available to the SCF and so may potentially be made available to the PINT Gateway. In terms of historical record of whether or not a service succeeded, a large SCF may be dealing with a million call attempts per hour. Given that volume of service transactions, there
   are finite limits beyond which it cannot store service disposition
   records; expecting to find out if a Fax was sent last month from a
   busy SCF is unrealistic.

   Other status changes, such as that on completion of a successful
   service call, require the SCF to arrange monitoring of the service
   call in a way that the service may not do normally, for performance
   reasons. In most implementations, it is difficult efficiently to
   interrupt a service to change it once it has begun execution, so it
   may be necessary to have two different services; one that sets GSTN
   resources to monitor service call termination, and one that doesn't.
   It is unlikely to be possible to decide that monitoring is required
   once the service has started.

   These factors can have implications both on the information that is
   potentially available at the PINT Gateway, and when a request to
   register interest in the status of a PINT service can succeed. The
   alternative to using a general SCF is to provide a dedicated Service
   Node just for PINT services. As this node is involved in placing all
   service calls, it is in a position to collect the information needed.
   However, it may well still not be able to respond successfully to a
   registration of interest in call state changes once a service logic
   program instance is running.

   Thus, although a Requesting User may register an interest in the
   status of a service request, the PINT Gateway may not be in a
   position to comply with that request. Although this does not affect
   the protocol used between the Requestor and the PINT Gateway, it may
   influence the response returned. To avoid the problem of changing
   service logic once running, any registration of interest in status
   changes should be made at or before the time at which the service
   request is made.

   Conversely, if a historical request is made on the disposition of a
   service, this should be done within a short time after the service
   has completed; the Executive System is unlikely to store the results
   of service requests for long; these will have been processed as AMA
   (Automatic Message Accounting) records quickly, after which the
   Executive System has no reason to keep them, and so they may be
   discarded.

   Where the PINT Gateway and the Executive System are intimately
   linked, the Gateway can respond to status subscription requests that
   occur while a service is running. It may accept these requests and
   simply not even try to query the Executive System until it has
   information that a service has completed, merely returning the final
   status. Thus the PINT Requestor may be in what it believes is a
   monitoring state, whilst the PINT Gateway has not even informed the
   Executive System that a request has been made. This will increase the
   internal complexity of the PINT Gateway in that it will have a
   complex set of interlocking state machines, but does mean that status
   registration and indication CAN be provided in conjunction with an
   I.N. system.

6.5. Parameters needed for invoking traditional GSTN Services within PINT

This section describes how parameters needed to specify certain traditional GSTN services can be carried within PINT requests.

6.5.1. Service Identifier

When a Requesting User asks for a service to be performed, he or she will, of course, have to specify in some way which service. This can be done in the URLs within the To: header and the Request-URI (see section 3.5.5.1).

6.5.2. A and B parties

With the Request-to-Call service, they will also need to specify the A and B parties they want to be engaged in the resulting service call. The A party could identify, for example, the Call Center from which they want a call back, whilst the B party is their telephone number (i.e. who the Call Center agent is to call).

The Request-to-Fax and Request-to-Hear-Content services require the B party to be specified (respectively the telephone number of the destination Fax machine or the telephone to which spoken content is to be delivered), but the A party is a Telephone Network based resource (either a Fax or speech transcoder/sender), and is implicit; the Requesting User does not (and cannot) specify it.

With the "Fax-Back" variant of the Request-to-Fax service, (i.e. where the content to be delivered resides on the GSTN) they will also have to specify two parties. As before, the B party is the telephone number of the fax machine to which they want a fax to be sent. However, within this variant the A party identifies the "document context" for the GSTN-based document store from which a particular document is to be retrieved; the analogy here is to a GSTN user dialling a particular telephone number and then entering the document number to be returned using "touch tone" digits. The telephone number they dial is that of the document store or A party, with the "touch tone" digits selecting the document within that store.

6.5.3. Other Service Parameters

In terms of the extra parameters to the request, the services again differ. The Request-to-Call service needs only the A and B parties. Also it is convenient to assert that the resulting service call will carry voice, as the Executive System within the destination GSTN may be able to check that assertion against the A and B party numbers specified and may treat the call differently.

With the Request-to-Fax and Request-to-Hear-Content services, the source information to be transcoded is held on the Internet. That means either that this information is carried along with the request itself, or that a reference to the source of this information is given. In addition, it is convenient to assert that the service call will carry fax or voice, and, where possible, to specify the format for the source information.

The GSTN-based content or "Fax-Back" variant of the Request-to-Fax service needs to specify the Document Store number and the Fax machine number to which the information is to be delivered. It is convenient to assert that the call will carry Fax data, as the destination Executive System may be able to check that assertion against the document store number and that of the destination Fax machine.

In addition, the document number may also need to be sent. This parameter is an opaque reference that is carried through the Internet but has significance only within the GSTN. The document store number and document number together uniquely specify the actual content to be faxed.

6.5.4. Service Parameter Summary

The following table summarises the information needed in order to specify fully the intent of a GSTN service request. Note that it excludes any other parameters (such as authentication or authorisation tokens, or Expires: or CallId: headers) that may be used in a request.

   Service  ServiceID  AParty  BParty  CallFmt  Source  SourceFmt
   -------  ---------  ------  ------  -------  ------  ---------
   R2C          x        x       x      voice     -         -
   R2F          x        -       x      fax     URI/IL   ISF/ILSF
   R2FB         x        x       x      fax       OR        -
   R2HC         x        -       x      voice   URI/IL   ISF/ILSF

   In this table, "x" means that the parameter is required, whilst "-"
   means that the parameter is not required.

   The Services listed are Request-to-Call (R2C), Request-to-Fax (R2F),
   the GSTN-based content or "Fax-back" Variant of Request-to-Fax
   (R2FB), and Request-to-Hear-Content (R2HC).

   The Call Format parameter values "voice" or "fax" indicate the kind
   of service call that results.

   The Source Indicator "URI/IL" implies that the information is either
   an Internet source reference (a Universal Resource Identifier, or
   URI) or is carried "in-line" with the message. The Source indicator
   "OR" means that the value passed is an Opaque Reference that should
   be carried along with the rest of the message but is to be
   interpreted only within the destination (GSTN) context. As an
   alternative, it could be given as a "local" reference with the "file"
   style, or even using a partial reference with the "http" style.
   However, the way in which such a reference is interpreted is a matter
   for the receiving PINT Server and Executive System; it remains, in
   effect, an opaque reference.

   The Source Format value "ISF/ILSF" means that the format of the
   source is specified either in terms of the URI or that it is carried
   "in-line".  Note that, for some data, the format either can be
   detected by inspection or, if all else fails, can be assumed from the
   URI (for example, by assuming that the file extension part of a URL
   indicates the data type). For an opaque reference, the Source Format
   is not available on the Internet, and so is not given.

6.6. Parameter Mapping to PINT Extensions

This section describes the way in which the parameters needed to specify a GSTN service request fully might be carried within a "PINT extended" message. There are other choices, and these are not precluded. However, in order to ensure that the Requesting User receives the service that they expect, it is necessary to have some shared understanding of the parameters passed and the behaviour expected of the PINT Server and its attendant Executive System.

The Service Identifier can be sent as the userinfo element of the Request-URI. Thus, the first line of a PINT Invitation would be of the form:

      INVITE <serviceID>@<pint-server>.<domain> SIP/2.0

   The A Party for the Request-to-Call and "Fax-back" variant of
   Request-to-Fax service can be held in the "To:" header field. In this
   case the "To:" header value will be different from the Request-URI.
   In the services where the A party is not specified, the "To:" field
   is free to repeat the value held in the Request-URI. This is the case
   for Request-to-Fax and Request-to-Hear-Content services.

   The B party is needed in all these milestone services, and can be
   held in the enclosed SDP sub-part, as the value of the "c=" field.

   The call format parameter can be held as part of the "m=" field
   value.  It maps to the "transport protocol" element as described in
   section 3.4.2 of this document.

   The source format specifier is held in the "m=", as a type and either
   "-" or sub-type. The latter is normally required for all services
   except Request-to-Call or "Faxback", where the "-" form may be used.
   As shown earlier, the source format and source are not always
   required when generating requests for services. However, the
   inclusion in all requests of a source format specifier can make
   parsing the request simpler and allows for other services to be
   specified in the future, and so values are always given. The source
   format parameter is covered in section 3.4.2 as the "media type"
   element.

   The source itself is identified by an "a=fmtp:" field value, where
   needed. With the exception of the Request-to-Call service, all
   invitations will normally include such a field. From the perspective
   of the SDP extensions, it can be considered as qualifying the media
   sub-type, as if to say, for example, "when I say jpeg, what I mean is
   the following".

   In summary, the parameters needed by the different services are
   carried in fields as shown in the following table:

Service   Svc Param    PINT/SIP or SDP field used      Example value
-------   ---------    --------------------------      -------------
  R2C
          ServiceID:   <SIP Request-URI userinfo>      R2C
          AParty:      <SIP To: field>                 sip:123@p.com
          BParty:      <SDP c= field>                  TN RFC2543 4567
          CallFormat:  <SDP transport protocol
                            sub-field of m= field>     voice
          SourceFmt:   <SDP media type sub-field
                            of m= field>               audio
                       (--- only "-" sub-type
                            sub-field value used)      ---
          Source:      (--- No source specified)       ---

  R2F
          ServiceID:   <SIP Request-URI userinfo>      R2F
          AParty:      (--- SIP To: field not used) sip:R2F@pint.xxx.net
          BParty:      <SDP c= field>               TN RFCxxx +441213553
          CallFormat:  <SDP transport protocol
                            sub-field of m= field>     fax
          SourceFmt:   <SDP media type sub-field
                            of m= field>               image
                       <SDP media sub-type sub-field
                            of m= field>               jpeg
          Source:      <SDP a=fmtp: field qualifying
                            preceding m= field>    a=fmtp:jpeg<uri-ref>

  R2FB
          ServiceID:   <SIP Request-URI userinfo>      R2FB
          AParty:      <SIP To: field>              sip:1-730-1234@p.com
          BParty:      <SDP c= field>               TN RFCxxx +441213553
          CallFormat:  <SDP transport protocol
                            sub-field of m= field>     fax
          SourceFmt:   <SDP media type sub-field
                            of m= field>               image
                       <SDP media sub-type sub-field
                            of m= field>               jpeg
          Source:      <SDP a=fmtp: field qualifying
                            preceding m= field>     a=fmtp:jpeg opr:1234

  R2HC
          ServiceID:   <SIP Request-URI userinfo>      R2HC
          AParty:      (--- SIP To: field not used) sip:R2HC@pint.ita.il
          BParty:      <SDP c= field>               TN RFCxxx +441213554
          CallFormat:  <SDP transport protocol
                            sub-field of m= field>     voice
          SourceFmt:   <SDP media type sub-field
                            of m= field>               text
                       <SDP media sub-type sub-field
                            of m= field>               html
          Source:      <SDP a=fmtp: field qualifying
                            preceding m= field>     a=fmtp:html<uri-ref>
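
The field mapping in the table above can be exercised with a small parser that pulls the six service parameters out of an INVITE and compares them with the summary table of section 6.5.4. This is an added example, not code from RFC 2848; the function names, the `example.*` hosts and the 555 numbers are assumptions made for the illustration.

```python
import re

# Call format and A-party use per service (summary table, section 6.5.4).
SERVICES = {"R2C": ("voice", True), "R2F": ("fax", False),
            "R2FB": ("fax", True), "R2HC": ("voice", False)}

def parse_pint_invite(raw):
    """Extract the section 6.6 service parameters from one INVITE."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    m = re.match(r"INVITE\s+((?:sip:)?([^@\s]+)@\S+)\s+SIP/2\.0\s*$", request_line)
    if not m:
        raise ValueError("not an INVITE with a userinfo part")
    request_uri, service_id = m.group(1), m.group(2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    to_uri = headers.get("to", "")
    bare = lambda uri: re.sub(r"^sip:", "", uri)
    # To: names the A party only when it differs from the Request-URI.
    a_party = to_uri if to_uri and bare(to_uri) != bare(request_uri) else None
    p = {"service_id": service_id, "a_party": a_party, "b_party": None,
         "call_format": None, "source_fmt": None, "source": None}
    for line in body.split("\n"):
        key, sep, value = line.strip().partition("=")
        if key == "m":      # m=<media type> <port> <transport> <sub-type>
            fields = value.split()
            if len(fields) >= 4:
                p["call_format"] = fields[2]
                p["source_fmt"] = (fields[0], fields[3])
        elif key == "c":    # c=TN <address type> <telephone number>
            fields = value.split(None, 2)
            if len(fields) == 3 and fields[0] == "TN":
                p["b_party"] = fields[2]
        elif key == "a" and value.startswith("fmtp:"):
            parts = value[len("fmtp:"):].split(None, 1)
            if len(parts) == 2:     # a=fmtp:<sub-type> <source reference>
                p["source"] = parts[1]
    return p

def check_request(p):
    """List where a parsed request departs from the 6.5.4 summary table."""
    if p["service_id"] not in SERVICES:
        return ["unknown service identifier %r" % p["service_id"]]
    call_format, needs_a_party = SERVICES[p["service_id"]]
    problems = []
    if p["b_party"] is None:
        problems.append("B party missing: no c=TN line")
    if p["call_format"] != call_format:
        problems.append("call format %r, expected %r" % (p["call_format"], call_format))
    if needs_a_party and p["a_party"] is None:
        problems.append("A party missing: To: repeats the Request-URI")
    if p["service_id"] != "R2C" and p["source"] is None:
        problems.append("no a=fmtp: source, normally present for this service")
    return problems

# Constructed messages (example.* names and numbers are placeholders).
R2C_OK = ("INVITE sip:R2C@pint.example.com SIP/2.0\r\n"
          "From: sip:anon-1@client.example.net\r\n"
          "To: sip:+1-201-555-0100@example.org;user=phone\r\n"
          "Content-type: application/sdp\r\n\r\n"
          "v=0\r\ns=R2C\r\nm=audio 1 voice -\r\n"
          "c=TN RFC2543 +1-201-555-0199\r\n")
R2FB_BAD = ("INVITE sip:R2FB@pint.example.com SIP/2.0\r\n"
            "To: sip:R2FB@pint.example.com\r\n\r\n"
            "v=0\r\nm=image 1 voice jpeg\r\n"
            "c=TN RFC2543 +441213553\r\na=fmtp:jpeg opr:1234\r\n")

if __name__ == "__main__":
    for msg in (R2C_OK, R2FB_BAD):
        print(check_request(parse_pint_invite(msg)))
```

A gateway that runs such a check before handing a request to the Executive System rejects requests whose asserted call format or parties do not fit the named service, which is the consistency check sections 6.5.3 and 6.6 anticipate.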


