1 / 25

RFC4028 Session Timer in the Session Initiation Protocol

RFC4028 Session Timer in the Session Initiation Protocol. Speaker : Ying Shun Lin Adviser : Quincy Wu. Outline. Introduction Session-Expires Header field Definition Min-SE Header field Definition 422-Response Code Definition UAC / Proxy / UAS Behavior Security Considerations

roland
Download Presentation

RFC4028 Session Timer in the Session Initiation Protocol

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. RFC4028Session Timer in theSession Initiation Protocol Speaker:Ying Shun Lin Adviser :Quincy Wu

  2. Outline • Introduction • Session-Expires Header field Definition Min-SE Header field Definition 422-Response Code Definition • UAC / Proxy / UAS Behavior • Security Considerations • Example call Flow

  3. Introduction (1/3) • SIP does not define a keepalive mechanism for the sessions it establishes INVITE UAC 100 Trying BYE call stateful proxy will retain state for the call

  4. Introduction (2/3) • This extension defines a keepalive mechanism for SIP sessions. UAs send periodic (re-INVITE or UPDATE) requests (referred to as session refresh requests) to keep the session alive . • If a session refresh request is not received before the interval passes,the session is considered terminated. Both UAs are supposed to send a BYE,and call stateful proxies can remove any state for the call.

  5. Introduction (3/3) • Two new header fields (Session-Expires and Min-SE) and a new response code (422) are defined - Session-Expires:conveys the duration of the session - Min-SE :conveys the minimum allowed value for the session expiration. - 422 response :indicates that the session timer duration was too small.

  6. Define some terms • Session Interval • Session Expiration • Session Refresh Request • Initial Session Refresh Request • Subsequent Session Refresh Request • Refresh

  7. Session-Expires Header Field Definition • placed only in requests (INVITE or UPDATE), as well as in any 2xx response to request. • MUST be prepared to handle Session-Expires header field values of any duration greater than 90 ;1800 seconds (30 minutes) is RECOMMENDED. • insert the Session-Expires header field SHOULD NOT choose values of less than 30 minutes. Session-Expires:1800;refresher=uac

  8. Min-SE Header Field Definition • used in an request (INVITE or UPDATE) , it indicates the smallest value of the session interval that can be used for that session . • MUST NOT be less than 90 seconds - When the header field is not present, its default value for is 90 seconds. • MUST NOT be used in responses except for those with a 422 response code . Min-SE:90

  9. 422 Response Code Definition • Session Interval Too Small - generated by a UAS or proxy when a request contains a Session-Expires header field with a duration below the minimum timer for the server . • MUST contain a Min-SE header field with the minimum timer for that server.

  10. Session-Expire & Min-SE Header Fields

  11. UAC Behavior • Generating an Initial Session Refresh Request • Processing a 2xx Response • Processing a 422 Response • Generating Subsequent Session Refresh Requests

  12. UAC /Proxy Behavior Supported :timer Session Expires: XX ; refresher =‘uac` Min-SE: XX INVITE UAC Require: timer Supported: timer Session-Expires : ; refresher= 200 proxy Min-SE : 422 Session Interval Too Small

  13. UAC Behavior UAC Min-SE :xx 422 proxy Supported :timer Session Expires: XX ; refresher =‘ uac/uas’ Min-SE: XX INVITE • If a UAC knows that its peer supports the UPDATE method • RECOMMENDED that UPDATE be used instead of a re-INVITE

  14. Proxy Behavior • The proxy processing rules require the proxy to remember information between the request and response, ruling out stateless proxies. - Processing of Requests - Processing of Responses - Session Expiration

  15. Proxy Behavior (Request) Supported :timer Session Expires: (small) Proxy 2 call failure Session Expires: XX Min-SE:XX Session Expires: XX Min-SE:XX INVITE INVITE Proxy 1

  16. Proxy Behavior (Response) (proxy remembers UAC did not support ) There is no session expiration for this session UAS did not support the session timer UAS Session Expires Session-Expires (from the forwarded request) refresher :`uac` (proxy remembers that the UAC did support the session timer)

  17. UAS Behavior Supported :timer Session Expires: Min-SE: INVITE UAS 422 Min-SE: Min-SE: proxy 200 ok Session Expires:

  18. UAS Behavior

  19. Security Considerations(1/3) • Inside Attacks Case 1: a rogue UAC that wishes to force a UAS to generate refreshes at a rapid rate - The UAS or any proxy that objects to this low timer will reject the request with a 422, thereby preventing the attack.

  20. Security Considerations(2/3) Case2: rogue UAS that wishes to force a UAC to generate refreshes at a rapid rate . - UAC copy the current session interval into the Session-Expires header field in the request. The proxies will reject this request and provide a Min-SE with a higher minimum, which the UAC will then use.

  21. Security Considerations(3/3) • Outside Attacks - An element that can observe and modify a request or response in transit can force rapid session refreshes . -proxies that record-route and request session timer SHOULD record-route with a SIPS URI . A UA that inserts a Session-Expires header into a request or response SHOULD include a Contact URI that is a SIPS URI.

  22. (1) INVITE sips:bob@biloxi.example.com SIP/2.0 Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds8 Supported: timer Session-Expires: 90 Max-Forwards: 70 To: Bob <sips:bob@biloxi.example.com> From: Alice <sips:alice@atlanta.example.com>;tag=1928301774 Call-ID: a84b4c76e66710 CSeq: 314159 INVITE Contact: <sips:alice@pc33.atlanta.example.com> Content-Type: application/sdp Content-Length: 142 Example Call Flow Proxy P2 Proxy P1 Alice Bob (1)INVITE SE:90 (4) INVITE sips:bob@biloxi.example.com SIP/2.0 Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds9 Supported: timer Session-Expires: 3600 Min-SE: 3600 Max-Forwards: 70 To: Bob <sips:bob@biloxi.example.com> From: Alice <sips:alice@atlanta.example.com>;tag=1928301774 Call-ID: a84b4c76e66710 CSeq: 314160 INVITE Contact: <sips:alice@pc33.atlanta.example.com> Content-Type: application/sdp Content-Length: 142 (2) SIP/2.0 422 Session Interval Too Small Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds8 ;received=192.0.2.1 Min-SE: 3600 To: Bob <sips:bob@biloxi.example.com>;tag=9a8kz From: Alice <sips:alice@atlanta.example.com>;tag=1928301774 Call-ID: a84b4c76e66710 CSeq:314159 INVITE (2)422 MSE:3600 (3)ACK (4)INVITE SE:3600 MSE:3600

  23. Example Call Flow (10) INVITE sips:bob@biloxi.example.com SIP/2.0 Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds10 Supported: timer Session-Expires: 4000 Min-SE: 4000 Max-Forwards: 70 To: Bob <sips:bob@biloxi.example.com> From: Alice <sips:alice@atlanta.example.com>;tag=1928301774 Call-ID: a84b4c76e66710 CSeq: 314161 INVITE Contact: <sips:alice@pc33.atlanta.example.com> Content-Type: application/sdp Content-Length: 142 Proxy P2 Proxy P1 Alice Bob (5)INVITE SE:3600 MSE:3600 (6)422 MSE:4000 (7)ACK (8)422 MSE:4000 (9)ACK (10)INVITESE:4000 MSE:4000

  24. (15) SIP/2.0 200 OK Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds10 ;received=192.0.2.1 Require: timer Supported: timer Record-Route: sips:p1.atlanta.example.com Session-Expires: 4000;refresher=uac To: Bob <sips:bob@biloxi.example.com>;tag=9as888nd From: Alice <sips:alice@atlanta.example.com>;tag=1928301774 Call-ID: a84b4c76e66710 CSeq: 314161 INVITE Contact: <sips:bob@192.0.2.4> Content-Type: application/sdp Content-Length: 142 Example Call Flow Proxy P2 Proxy P1 Alice (11)INVITESE:4000 MSE:4000 Bob (12)INVITESE:4000 MSE:4000 (13)200OKSE:4000 (14)200OK SE:4000 (15)200OK SE:4000 (16)ACK (17)ACK

  25. Example Call Flow Proxy P2 Proxy P1 Alice Bob (18)UPDATESE:4000 (19)UPDATESE:4000 (18) UPDATE sips:bob@192.0.2.4 SIP/2.0 Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds12 Route: sips:p1.atlanta.example.com Supported: timer Session-Expires: 4000;refresher=uac Max-Forwards: 70 To: Bob <sips:bob@biloxi.example.com>;tag=9as888nd From: Alice <sips:alice@atlanta.example.com>;tag=1928301774 Call-ID: a84b4c76e66710 CSeq: 314162 UPDATE Contact: <sips:alice@pc33.atlanta.example.com> (20)200OK SE:4000 (21)200OK SE:4000 (22)BYE (23)BYE (24)408 (Request Timeout)

More Related