Essential Correction for IPv6 ABNF and URI Comparison in RFC 3261
RFC 5954

Document Type RFC - Proposed Standard (August 2010) Errata
Updates RFC 3261
Authors Brett Tate, Brian E. Carpenter, Vijay K. Gurbani
Last updated 2015-10-14
RFC stream Internet Engineering Task Force (IETF)
IESG Responsible AD Robert Sparks
Internet Engineering Task Force (IETF)                   V. Gurbani, Ed.
Request for Comments: 5954             Bell Laboratories, Alcatel-Lucent
Updates: 3261                                          B. Carpenter, Ed.
Category: Standards Track                              Univ. of Auckland
ISSN: 2070-1721                                             B. Tate, Ed.
                                                               BroadSoft
                                                             August 2010

   Essential Correction for IPv6 ABNF and URI Comparison in RFC 3261

Abstract

   This document corrects the Augmented Backus-Naur Form (ABNF)
   production rule associated with generating IPv6 literals in RFC 3261.
   It also clarifies the rule for Uniform Resource Identifier (URI)
   comparison when the URIs contain textual representation of IP
   addresses.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc5954.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Gurbani, et al.              Standards Track                    [Page 1]
RFC 5954                      SIP IPv6 ABNF                  August 2010

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 2
   3.  Problem Statement . . . . . . . . . . . . . . . . . . . . . . . 2
     3.1.  Extra Colon in IPv4-Mapped IPv6 Address . . . . . . . . . . 2
     3.2.  Comparing URIs with Textual Representation of IP
           Addresses . . . . . . . . . . . . . . . . . . . . . . . . . 3
   4.  Resolution  . . . . . . . . . . . . . . . . . . . . . . . . . . 4
     4.1.  Resolution for Extra Colon in IPv4-Mapped IPv6 Address  . . 4
     4.2.  Clarification for Comparison of URIs with Textual
           Representation of IP Addresses  . . . . . . . . . . . . . . 5
   5.  Generating a Canonical IPv6 Textual Representation  . . . . . . 5
   6.  Security Considerations . . . . . . . . . . . . . . . . . . . . 6
   7.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 6
     8.1.  Normative References  . . . . . . . . . . . . . . . . . . . 6
     8.2.  Informative References  . . . . . . . . . . . . . . . . . . 6

1.  Introduction

   This document corrects the Augmented Backus-Naur Form (ABNF)
   production rule associated with generating IPv6 literals in RFC 3261
   [1].  It also clarifies the rule for Uniform Resource Identifier
   (URI) comparison when the URIs contain textual representation of IP
   addresses.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [2].

3.  Problem Statement

3.1.  Extra Colon in IPv4-Mapped IPv6 Address

   The ABNF [4] for generating IPv6 literals in RFC 3261 [1] is
   incorrect.  When generating IPv4-mapped IPv6 addresses, the
   production rule may actually generate the following construct:

   [2001:db8:::192.0.2.1] - Note the extra colon before the IPv4
   address.

   The correct construct, of course, would only include two colons
   before the IPv4 address.

      Historically, the ABNF pertaining to IPv6 references in RFC 3261
      was derived from Appendix B of RFC 2373 [7], which was flawed to
      begin with (see errata for RFC 2373 [8]).  RFC 2373 has been
      subsequently obsoleted by RFC 4291 [6].

   The ABNF for IPv6reference is reproduced from RFC 3261 below:

     IPv6reference  =  "[" IPv6address "]"
     IPv6address    =  hexpart [ ":" IPv4address ]
     IPv4address    =  1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
     hexpart        =  hexseq / hexseq "::" [ hexseq ] / "::" [ hexseq ]
     hexseq         =  hex4 *( ":" hex4)
     hex4           =  1*4HEXDIG

   Note that the ambiguity occurs in the <IPv6address> production rule
   where the <IPv4address> non-terminal is prefixed by the ":" token.
   Because the <hexpart> production rule is defined such that two of its
   alternatives already include the "::" token, expanding those
   alternatives may yield the faulty construction of an IPv4-mapped IPv6
   address with an extra colon.
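   The following is an added example written for this page (Python; it is
   not code from RFC 5954 or RFC 3261).  It transcribes the RFC 3261
   <IPv6reference> rules above, rule for rule, into a regular expression
   and checks literals against it and against a strict parser (Python's
   ipaddress module, which implements the RFC 4291 text form).  Run on
   the construct shown above, the RFC 3261 grammar admits the three-colon
   literal while the strict parser rejects it; the same misplaced ":"
   token also means the RFC 3261 grammar fails to admit the two-colon
   form that the strict parser accepts.  The helper names are this
   example's own.

```python
import ipaddress
import re

# RFC 3261 <IPv6reference> grammar, transcribed rule for rule into a regex.
HEX4 = r"[0-9A-Fa-f]{1,4}"                       # hex4 = 1*4HEXDIG
HEXSEQ = rf"{HEX4}(?::{HEX4})*"                  # hexseq = hex4 *( ":" hex4 )
# hexpart = hexseq / hexseq "::" [ hexseq ] / "::" [ hexseq ]
HEXPART = rf"(?:{HEXSEQ}::(?:{HEXSEQ})?|::(?:{HEXSEQ})?|{HEXSEQ})"
IPV4ADDRESS = r"[0-9]{1,3}(?:\.[0-9]{1,3}){3}"   # 1*3DIGIT "." ... (4 octets)
# IPv6address = hexpart [ ":" IPv4address ]   <- this ":" is the culprit
IPV6REFERENCE_3261 = re.compile(rf"\[{HEXPART}(?::{IPV4ADDRESS})?\]")


def matches_rfc3261_grammar(reference: str) -> bool:
    """True if the literal is admitted by the (flawed) RFC 3261 production."""
    return IPV6REFERENCE_3261.fullmatch(reference) is not None


def parse_strict(reference: str):
    """Return the IPv6Address inside "[...]", or None if the text is not a
    well-formed IPv6 literal.  ipaddress follows the RFC 4291 text form,
    which is what the RFC 3986 <IPv6address> rule encodes."""
    if len(reference) < 2 or reference[0] != "[" or reference[-1] != "]":
        return None
    try:
        return ipaddress.IPv6Address(reference[1:-1])
    except ipaddress.AddressValueError:
        return None


def classify(reference: str) -> str:
    """Compare the two grammars' verdicts on one bracketed literal."""
    loose = matches_rfc3261_grammar(reference)
    strict = parse_strict(reference) is not None
    if loose and strict:
        return "accepted by both"
    if loose:
        return "accepted by RFC 3261 grammar only (malformed)"
    if strict:
        return "rejected by RFC 3261 grammar although well-formed"
    return "rejected by both"


if __name__ == "__main__":
    # Literals from this section plus the corrected two-colon form.
    for literal in ("[2001:db8:::192.0.2.1]", "[2001:db8::192.0.2.1]",
                    "[::ffff:192.0.2.1]", "[::ffff:c000:280]"):
        print(f"{literal:28} {classify(literal)}")
```

   A parser built from the RFC 3261 rules therefore both accepts input it
   should reject and rejects input it should accept; implementations
   should validate IPv6 literals with the corrected grammar (or a library
   that implements it) rather than the text reproduced above.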

3.2.  Comparing URIs with Textual Representation of IP Addresses

   In SIP, URIs are compared for a variety of reasons.  Registrars
   compare URIs when they receive a binding update request, for
   instance.  Section 19.1.4 of RFC 3261 [1] provides the rules for
   comparing URIs.  Among other rules, it states that:

      For two URIs to be equal, the user, password, host, and port
      components must match.

   Does the above rule then imply that the following URIs are equal:

      sip:bob@[::ffff:192.0.2.128] = sip:bob@[::ffff:c000:280]?

      sip:bob@[2001:db8::9:1] = sip:bob@[2001:db8::9:01]?

      sip:bob@[0:0:0:0:0:FFFF:129.144.52.38] = sip:bob@
      [::FFFF:129.144.52.38]?

   In all of the above examples, the textual representation of the IPv6
   address is different, but these addresses are binary equivalents
   (implementers are also urged to consult Section 5 of this document
   for recommendations on IPv6 address text representations).  Section
   19.1.4 of RFC 3261 does not provide any rule for URIs containing
   different textual representations of IPv6 addresses that all
   correspond to the same binary equivalent.

      Note that the same ambiguity occurs for IPv4 addresses, i.e., is
      192.0.2.128 = 192.00.02.128?  However, IPv6, with its compressed
      notation and the need to represent hybrid addresses (like IPv4-
      mapped IPv6 addresses) makes the representation issue more acute.
      The resolution discussed in Section 4.2 applies to textual
      representations of both IPv6 and IPv4 addresses.
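   The following is an added example written for this page (Python; not
   code from RFC 5954 or RFC 3261).  It implements the comparison this
   section motivates: the user, password, host and port components are
   compared, and a host that is an IP literal is compared by its binary
   value, so every textual spelling of the same address yields the same
   result.  All three URI pairs above compare equal, as does the IPv4
   leading-zero case from the note.  The URI splitter is a minimal one
   written for this example (it ignores URI parameters and headers), and
   canonical_literal is a hypothetical helper that re-emits a literal in
   the compressed, lowercase form Python's ipaddress produces.

```python
import ipaddress
import re
from typing import Optional, Tuple, Union

# Minimal splitter for  sip[s]:[user[:password]@]host[:port]  (constructed
# for this example; parameters and headers after ';' or '?' are ignored).
_SIP_URI = re.compile(
    r"^(?P<scheme>sips?):"
    r"(?:(?P<user>[^@:]*)(?::(?P<password>[^@]*))?@)?"
    r"(?P<host>\[[^\]]+\]|[^:;?]+)"
    r"(?::(?P<port>\d+))?"
)
_DOTTED_QUAD = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def canonical_host(host: str) -> Union[bytes, str]:
    """Reduce the host component to a comparison key: IP literals map to
    their packed binary value, names to their lowercase spelling."""
    text = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    # The RFC 3261 1*3DIGIT rule allows octets such as "00"; ipaddress
    # refuses leading zeros, so canonicalise the octets first.
    if _DOTTED_QUAD.fullmatch(text):
        text = ".".join(str(int(octet)) for octet in text.split("."))
    try:
        return ipaddress.ip_address(text).packed
    except ValueError:
        return text.lower()


def uri_key(uri: str) -> Tuple[str, Optional[str], Optional[str], Union[bytes, str], Optional[int]]:
    """(scheme, user, password, host key, port) for the components RFC 3261
    Section 19.1.4 requires to match."""
    m = _SIP_URI.match(uri)
    if not m:
        raise ValueError(f"not a SIP URI: {uri!r}")
    port = int(m["port"]) if m["port"] else None
    return (m["scheme"].lower(), m["user"], m["password"],
            canonical_host(m["host"]), port)


def sip_uris_equal(a: str, b: str) -> bool:
    """Equality with hosts compared as binary addresses when they are literals."""
    return uri_key(a) == uri_key(b)


def canonical_literal(host: str) -> str:
    """Hypothetical helper: one fixed spelling for storing an IPv6 literal."""
    return "[" + str(ipaddress.IPv6Address(host[1:-1])) + "]"


if __name__ == "__main__":
    pairs = [
        ("sip:bob@[::ffff:192.0.2.128]", "sip:bob@[::ffff:c000:280]"),
        ("sip:bob@[2001:db8::9:1]", "sip:bob@[2001:db8::9:01]"),
        ("sip:bob@[0:0:0:0:0:FFFF:129.144.52.38]", "sip:bob@[::FFFF:129.144.52.38]"),
        ("sip:bob@192.0.2.128", "sip:bob@192.00.02.128"),
    ]
    for left, right in pairs:
        print(f"{left} = {right}? {sip_uris_equal(left, right)}")
```

   Note that the key keeps an IPv4 host and an IPv4-mapped IPv6 host
   distinct (their packed values differ in length); the text above does
   not equate the two address families, so this example does not either.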

4.  Resolution

4.1.  Resolution for Extra Colon in IPv4-Mapped IPv6 Address

   The resolution to this ambiguity is simply to use the correct ABNF
   for the <IPv6address> production rule from Appendix A of RFC 3986
   [3].  For the sake of completeness, it is reproduced below:

     IPv6address   =                             6( h16 ":" ) ls32
                    /                       "::" 5( h16 ":" ) ls32
                    / [               h16 ] "::" and
   informs the client that it should generate no DSO keepalive traffic.
   Note that after signaling that the client should generate no DSO
   keepalive traffic in this way, at any point the server may revise
   that DSO keepalive traffic requirement by sending a new DSO Keepalive
   message dictating new Session Timeout values to the client.

   The largest *finite* keepalive interval supported by the current
   Keepalive TLV is 0xFFFFFFFE (2^32-2 milliseconds, approximately 49.7
   days).

Bellis, et al.           Expires April 26, 2019                [Page 36]
Internet-Draft           DNS Stateful Operations            October 2018

6.6.  Server-Initiated Session Termination

   In addition to cancelling individual long-lived operations
   selectively (Section 5.6) there are also occasions where a server may
   need to terminate one or more entire sessions.  An entire session may
   need to be terminated if the client is defective in some way, or
   departs from the network without closing its session.  Sessions may
   also need to be terminated if the server becomes overloaded, or if
   the server is reconfigured and lacks the ability to be selective
   about which operations need to be cancelled.

   This section discusses various reasons a session may be terminated,
   and the mechanisms for doing so.

   In normal operation, closing a DSO Session is the client's
   responsibility.  The client makes the determination of when to close
   a DSO Session based on an evaluation of both its own needs, and the
   inactivity timeout value dictated by the server.  A server only
   causes a DSO Session to be ended in the exceptional circumstances
   outlined below.  Some of the exceptional situations in which a server
   may terminate a DSO Session include:

   o  The server application software or underlying operating system is
      shutting down or restarting.

   o  The server application software terminates unexpectedly (perhaps
      due to a bug that makes it crash, causing the underlying operating
      system to send a TCP RST).

   o  The server is undergoing a reconfiguration or maintenance
      procedure, that, due to the way the server software is
      implemented, requires clients to be disconnected.  For example,
      some software is implemented such that it reads a configuration
      file at startup, and changing the server's configuration entails
      modifying the configuration file and then killing and restarting
      the server software, which generally entails a loss of network
      connections.

   o  The client fails to meet its obligation to generate the required
      DSO keepalive traffic, or to close an inactive session by the
      prescribed time (twice the time interval dictated by the server,
      or five seconds, whichever is greater, as described in
      Section 6.2).

   o  The client sends a grossly invalid or malformed request that is
      indicative of a seriously defective client implementation.

   o  The server is over capacity and needs to shed some load.

6.6.1.  Server-Initiated Retry Delay Message

   In the cases described above where a server elects to terminate a DSO
   Session, it could do so simply by forcibly aborting the connection.
   However, if it did this the likely behavior of the client might be
   simply to treat this as a network failure and reconnect immediately,
   putting more burden on the server.

   Therefore, to avoid this reconnection implosion, a server SHOULD
   instead choose to shed client load by sending a Retry Delay message,
   with an appropriate RCODE value informing the client of the reason
   the DSO Session needs to be terminated.  The format of the Retry
   Delay TLV, and the interpretations of the various RCODE values, are
   described in Section 7.2.  After sending a Retry Delay message, the
   server MUST NOT send any further messages on that DSO Session.

   The server MAY randomize retry delays in situations where many retry
   delays are sent in quick succession, so as to avoid all the clients
   attempting to reconnect at once.  In general, implementations should
   avoid using the Retry Delay message in a way that would result in
   many clients reconnecting at the same time, if every client attempts
   to reconnect at the exact time specified.

   Upon receipt of a Retry Delay message from the server, the client
   MUST make note of the reconnect delay for this server, and then
   immediately close the connection gracefully.

   After sending a Retry Delay message the server SHOULD allow the
   client five seconds to close the connection, and if the client has
   not closed the connection after five seconds then the server SHOULD
   forcibly abort the connection.

   A Retry Delay message MUST NOT be initiated by a client.  If a server
   receives a Retry Delay message this is a fatal error and the server
   MUST forcibly abort the connection immediately.

6.6.1.1.  Outstanding Operations

   At the instant a server chooses to initiate a Retry Delay message
   there may be DNS requests already in flight from client to server on
   this DSO Session, which will arrive at the server after its Retry
   Delay message has been sent.  The server MUST silently ignore such
   incoming requests, and MUST NOT generate any response messages for
   them.  When the Retry Delay message from the server arrives at the
   client, the client will determine that any DNS requests it previously
   sent on this DSO Session, that have not yet received a response, now
   will certainly not be receiving any response.  Such requests should
   be considered failed, and should be retried at a later time, as
   appropriate.

   In the case where some, but not all, of the existing operations on a
   DSO Session have become invalid (perhaps because the server has been
   reconfigured and is no longer authoritative for some of the names),
   but the server is terminating all affected DSO Sessions en masse by
   sending them all a Retry Delay message, the reconnect delay MAY be
   zero, indicating that the clients SHOULD immediately attempt to re-
   establish operations.

   It is likely that some of the attempts will be successful and some
   will not, depending on the nature of the reconfiguration.

   In the case where a server is terminating a large number of DSO
   Sessions at once (e.g., if the system is restarting) and the server
   doesn't want to be inundated with a flood of simultaneous retries, it
   SHOULD send different reconnect delay values to each client.  These
   adjustments MAY be selected randomly, pseudorandomly, or
   deterministically (e.g., incrementing the time value by one tenth of
   a second for each successive client, yielding a post-restart
   reconnection rate of ten clients per second).

6.6.2.  Misbehaving Clients

   A server may determine that a client is not following the protocol
   correctly.  There may be no way for the server to recover the
   session, in which case the server forcibly terminates the connection.
   Since the client doesn't know why the connection dropped, it may
   reconnect immediately.  If the server has determined that a client is
   not following the protocol correctly, it may terminate the DSO
   session as soon as it is established, specifying a long retry-delay
   to prevent the client from immediately reconnecting.

6.6.3.  Client Reconnection

   After a DSO Session is ended by the server (either by sending the
   client a Retry Delay message, or by forcibly aborting the underlying
   transport connection) the client SHOULD try to reconnect, to that
   service instance, or to another suitable service instance, if more
   than one is available.  If reconnecting to the same service instance,
   the client MUST respect the indicated delay, if available, before
   attempting to reconnect.  Clients should not attempt to randomize the
   delay; the server will randomly jitter the retry delay values it
   sends to each client if this behavior is desired.

   If the service instance will only be out of service for a short
   maintenance period, it should use a value a little longer than the
   expected maintenance window.  It should not default to a very large
   delay value, or clients may not attempt to reconnect after it resumes
   service.

   If a particular service instance does not want a client to reconnect
   ever (perhaps the service instance is being de-commissioned), it
   SHOULD set the retry delay to the maximum value 0xFFFFFFFF (2^32-1
   milliseconds, approximately 49.7 days).  It is not possible to
   instruct a client to stay away for longer than 49.7 days.  If, after
   49.7 days, the DNS or other configuration information still indicates
   that this is the valid service instance for a particular service,
   then clients MAY attempt to reconnect.  In reality, if a client is
   rebooted or otherwise loses state, it may well attempt to reconnect
   before 49.7 days elapses, for as long as the DNS or other
   configuration information continues to indicate that this is the
   service instance the client should use.

6.6.3.1.  Reconnecting After a Forcible Abort

   If a connection was forcibly aborted by the client, the client SHOULD
   mark that service instance as not supporting DSO.  The client MAY
   reconnect but not attempt to use DSO, or may connect to a different
   service instance, if applicable.

6.6.3.2.  Reconnecting After an Unexplained Connection Drop

   It is also possible for a server to forcibly terminate the
   connection; in this case the client doesn't know whether the
   termination was the result of a protocol error or a network outage.
   When the client notices that the connection has been dropped, it can
   attempt to reconnect immediately.  However, if the connection is
   dropped again without the client being able to successfully do
   whatever it is trying to do, it should mark the server as not
   supporting DSO.

6.6.3.3.  Probing for Working DSO Support

   Once a server has been marked by the client as not supporting DSO,
   the client SHOULD NOT attempt DSO operations on that server until
   some time has elapsed.  A reasonable minimum would be an hour.  Since
   forcibly aborted connections are the result of a software failure,
   it's not likely that the problem will be solved in the first hour
   after it's first encountered.  However, by restricting the retry
   interval to an hour, the client will be able to notice when the
   problem has been fixed without placing an undue burden on the server.

7.  Base TLVs for DNS Stateful Operations

   This section describes the three base TLVs for DNS Stateful
   Operations: Keepalive, Retry Delay, and Encryption Padding.

7.1.  Keepalive TLV

   The Keepalive TLV (DSO-TYPE=1) performs two functions.  Primarily it
   establishes the values for the Session Timeouts.  Incidentally, it
   also resets the keepalive timer for the DSO Session, meaning that it
   can be used as a kind of "no-op" message for the purpose of keeping a
   session alive.  The client will request the desired session timeout
   values and the server will acknowledge with the response values that
   it requires the client to use.

   DSO messages with the Keepalive TLV as the primary TLV may appear in
   early data.

   The DSO-DATA for the Keepalive TLV is as follows:

                           1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                 INACTIVITY TIMEOUT (32 bits)                  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                 KEEPALIVE INTERVAL (32 bits)                  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   INACTIVITY TIMEOUT:  The inactivity timeout for the current DSO
      Session, specified as a 32-bit unsigned integer, in network (big
      endian) byte order, in units of milliseconds.  This is the timeout
      at which the client MUST begin closing an inactive DSO Session.
      The inactivity timeout can be any value of the server's choosing.
      If the client does not gracefully close an inactive DSO Session,
      then after twice this interval, or five seconds, whichever is
      greater, the server will forcibly abort the connection.

   KEEPALIVE INTERVAL:  The keepalive interval for the current DSO
      Session, specified as a 32-bit unsigned integer, in network (big
      endian) byte order, in units of milliseconds.  This is the
      interval at which a client MUST generate DSO keepalive traffic to
      maintain connection state.  The keepalive interval MUST NOT be
      less than ten seconds.  If the client does not generate the
      mandated DSO keepalive traffic, then after twice this interval the
      server will forcibly abort the connection.  Since the minimum
      allowed keepalive interval is ten seconds, the minimum time at
      which a server will forcibly disconnect a client for failing to
      generate the mandated DSO keepalive traffic is twenty seconds.

   The transmission or reception of DSO Keepalive messages (i.e.,
   messages where the Keepalive TLV is the first TLV) reset only the
   keepalive timer, not the inactivity timer.  The reason for this is
   that periodic DSO Keepalive messages are sent for the sole purpose of
   keeping a DSO Session alive, when that DSO Session has current or
   recent non-maintenance activity that warrants keeping that DSO
   Session alive.  Sending DSO keepalive traffic itself is not
   considered a client activity; it is considered a maintenance activity
   that is performed in service of other client activities.  If DSO
   keepalive traffic itself were to reset the inactivity timer, then
   that would create a circular livelock where keepalive traffic would
   be sent indefinitely to keep a DSO Session alive, where the only
   activity on that DSO Session would be the keepalive traffic keeping
   the DSO Session alive so that further keepalive traffic can be sent.
   For a DSO Session to be considered active, it must be carrying
   something more than just keepalive traffic.  This is why merely
   sending or receiving a DSO Keepalive message does not reset the
   inactivity timer.

   When sent by a client, the DSO Keepalive request message MUST be sent
   as a DSO request message, with a nonzero MESSAGE ID.  If a server
   receives a DSO Keepalive message with a zero MESSAGE ID then this is
   a fatal error and the server MUST forcibly abort the connection
   immediately.  The DSO Keepalive request message resets a DSO
   Session's keepalive timer, and at the same time communicates to the
   server the client's requested Session Timeout values.  In a server
   response to a client-initiated DSO Keepalive request message, the
   Session Timeouts contain the server's chosen values from this point
   forward in the DSO Session, which the client MUST respect.  This is
   modeled after the DHCP protocol, where the client requests a certain
   lease lifetime using DHCP option 51 [RFC2132], but the server is the
   ultimate authority for deciding what lease lifetime is actually
   granted.

   When a client is sending its second and subsequent DSO Keepalive
   request messages to the server, the client SHOULD continue to request
   its preferred values each time.  This allows flexibility, so that if
   conditions change during the lifetime of a DSO Session, the server
   can adapt its responses to better fit the client's needs.

   Once a DSO Session is in progress (Section 5.1) a DSO Keepalive
   message MAY be initiated by a server.  When sent by a server, the DSO
   Keepalive message MUST be sent as a DSO unidirectional message, with
   the MESSAGE ID set to zero.  The client MUST NOT generate a response
   to a server-initiated DSO Keepalive message.  If a client receives a
   DSO Keepalive request message with a nonzero MESSAGE ID then this is
   a fatal error and the client MUST forcibly abort the connection
   immediately.  The DSO Keepalive unidirectional message from the
   server resets a DSO Session's keepalive timer, and at the same time
   unilaterally informs the client of the new Session Timeout values to
   use from this point forward in this DSO Session.  No client DSO
   response to this unilateral declaration is required or allowed.

   In DSO Keepalive response messages, the Keepalive TLV is REQUIRED and
   is used only as a Response Primary TLV sent as a reply to a DSO
   Keepalive request message from the client.  A Keepalive TLV MUST NOT
   be added to other responses as a Response Additional TLV.  If the
   server wishes to update a client's Session Timeout values other than
   in response to a DSO Keepalive request message from the client, then
   it does so by sending a DSO Keepalive unidirectional message of its
   own, as described above.

   It is not required that the Keepalive TLV be used in every DSO
   Session.  While many DNS Stateful operations will be used in
   conjunction with a long-lived session state, not all DNS Stateful
   operations require long-lived session state, and in some cases the
   default 15-second value for both the inactivity timeout and keepalive
   interval may be perfectly appropriate.  However, note that for
   clients that implement only the DSO-TYPEs defined in this document, a
   DSO Keepalive request message is the only way for a client to
   initiate a DSO Session.

7.1.1.  Client handling of received Session Timeout values

   When a client receives a response to its client-initiated DSO
   Keepalive message, or receives a server-initiated DSO Keepalive
   message, the client has then received Session Timeout values dictated
   by the server.  The two timeout values contained in the Keepalive TLV
   from the server may each be higher, lower, or the same as the
   respective Session Timeout values the client previously had for this
   DSO Session.

   In the case of the keepalive timer, the handling of the received
   value is straightforward.  The act of receiving the message
   containing the DSO Keepalive TLV itself resets the keepalive timer,
   and updates the keepalive interval for the DSO Session.  The new
   keepalive interval indicates the maximum time that may elapse before
   another message must be sent or received on this DSO Session, if the
   DSO Session is to remain alive.

   In the case of the inactivity timeout, the handling of the received
   value is a little more subtle, though the meaning of the inactivity
   timeout remains as specified -- it still indicates the maximum
   permissible time allowed without useful activity on a DSO Session.
   The act of receiving the message containing the Keepalive TLV does
   not itself reset the inactivity timer.  The time elapsed since the
   last useful activity on this DSO Session is unaffected by exchange of
   DSO Keepalive messages.  The new inactivity timeout value in the
   Keepalive TLV in the received message does update the timeout
   associated with the running inactivity timer; that becomes the new
   maximum permissible time without activity on a DSO Session.

   o  If the current inactivity timer value is less than the new
      inactivity timeout, then the DSO Session may remain open for now.
      When the inactivity timer value reaches the new inactivity
      timeout, the client MUST then begin closing the DSO Session, as
      described above.

   o  If the current inactivity timer value is equal to the new
      inactivity timeout, then this DSO Session has been inactive for
      exactly as long as the server will permit, and now the client MUST
      immediately begin closing this DSO Session.

   o  If the current inactivity timer value is already greater than the
      new inactivity timeout, then this DSO Session has already been
      inactive for longer than the server permits, and the client MUST
      immediately begin closing this DSO Session.

   o  If the current inactivity timer value is already more than twice
      the new inactivity timeout, then the client is immediately
      considered delinquent (this DSO Session is immediately eligible to
      be forcibly terminated by the server) and the client MUST
      immediately begin closing this DSO Session.  However if a server
      abruptly reduces the inactivity timeout in this way, then, to give
      the client time to close the connection gracefully before the
      server resorts to forcibly aborting it, the server SHOULD give the
      client an additional grace period of one quarter of the new
      inactivity timeout, or five seconds, whichever is greater.
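   The following is an added example written for this page (Python; it
   is not code from the draft or its authors).  It covers the Keepalive
   TLV wire format of Section 7.1 together with the client-side handling
   rules of Section 7.1.1: encoding and decoding the two 32-bit fields,
   the MESSAGE ID rules for client and server Keepalives, the server's
   forcible-abort deadline and grace period, and a client timer model in
   which a received Keepalive resets the keepalive timer but leaves the
   inactivity timer untouched while updating its limit.  It assumes the
   4-byte TLV header (16-bit DSO-TYPE, 16-bit DSO-LENGTH) from the DSO
   specification's generic TLV format, which this page does not
   reproduce; the class and function names are this example's own, and
   clock values are plain millisecond counters supplied by the caller.

```python
import struct
from dataclasses import dataclass

# The 4-byte TLV header (16-bit DSO-TYPE, 16-bit DSO-LENGTH) is the generic
# DSO TLV framing from the DSO specification; this page does not show it.
DSO_TYPE_KEEPALIVE = 1
NO_KEEPALIVE = 0xFFFFFFFF     # server asks the client to send no keepalive traffic
MIN_KEEPALIVE_MS = 10_000     # keepalive interval MUST NOT be less than ten seconds
DEFAULT_TIMEOUT_MS = 15_000   # default inactivity timeout and keepalive interval


class FatalSessionError(Exception):
    """Raised where the text says the receiver MUST forcibly abort the connection."""


def encode_keepalive_tlv(inactivity_ms: int, keepalive_ms: int) -> bytes:
    """DSO-TYPE=1, DSO-LENGTH=8, then the two 32-bit big-endian millisecond fields."""
    return struct.pack("!HHII", DSO_TYPE_KEEPALIVE, 8, inactivity_ms, keepalive_ms)


def decode_keepalive_tlv(tlv: bytes) -> tuple:
    """Return (inactivity_timeout_ms, keepalive_interval_ms) from one Keepalive TLV."""
    if len(tlv) != 12:
        raise ValueError("Keepalive TLV must be exactly 12 bytes")
    dso_type, length, inactivity_ms, keepalive_ms = struct.unpack("!HHII", tlv)
    if dso_type != DSO_TYPE_KEEPALIVE or length != 8:
        raise ValueError("not a Keepalive TLV")
    return inactivity_ms, keepalive_ms


def check_keepalive_message_id(from_server: bool, message_id: int) -> None:
    """Client Keepalives are requests (nonzero MESSAGE ID); server Keepalives
    are unidirectional (MESSAGE ID zero).  Either violation is fatal."""
    if from_server and message_id != 0:
        raise FatalSessionError("server Keepalive with nonzero MESSAGE ID")
    if not from_server and message_id == 0:
        raise FatalSessionError("client Keepalive with zero MESSAGE ID")


def server_abort_after_ms(inactivity_timeout_ms: int) -> int:
    """Server waits twice the inactivity timeout or five seconds, whichever is greater."""
    return max(2 * inactivity_timeout_ms, 5_000)


def grace_after_reduction_ms(new_inactivity_timeout_ms: int) -> int:
    """Extra grace after abruptly reducing the timeout: a quarter of it or five seconds."""
    return max(new_inactivity_timeout_ms // 4, 5_000)


@dataclass
class ClientSessionTimers:
    """Client-side timers of one DSO Session (clock values in milliseconds)."""
    last_activity_ms: int              # last useful, non-keepalive activity
    last_keepalive_reset_ms: int       # last message sent or received
    inactivity_timeout_ms: int = DEFAULT_TIMEOUT_MS
    keepalive_interval_ms: int = DEFAULT_TIMEOUT_MS

    def note_useful_activity(self, now_ms: int) -> None:
        """Any non-maintenance message resets both timers."""
        self.last_activity_ms = now_ms
        self.last_keepalive_reset_ms = now_ms

    def inactivity_state(self, now_ms: int) -> str:
        """The four cases of Section 7.1.1 reduced to the client's required action."""
        idle_ms = now_ms - self.last_activity_ms
        if idle_ms > 2 * self.inactivity_timeout_ms:
            return "delinquent"   # already eligible for forcible abort; close now
        if idle_ms >= self.inactivity_timeout_ms:
            return "close"        # at or past the limit; begin closing now
        return "open"

    def apply_server_keepalive(self, tlv: bytes, now_ms: int) -> str:
        """Handle a Keepalive TLV received from the server (as a response or a
        unidirectional message) and return the resulting inactivity state."""
        inactivity_ms, keepalive_ms = decode_keepalive_tlv(tlv)
        if keepalive_ms != NO_KEEPALIVE and keepalive_ms < MIN_KEEPALIVE_MS:
            # The page states only the server's MUST NOT; treating the value
            # as fatal is this example's policy.
            raise FatalSessionError("keepalive interval below ten seconds")
        # Receiving the message resets the keepalive timer and adopts the new
        # interval ...
        self.last_keepalive_reset_ms = now_ms
        self.keepalive_interval_ms = keepalive_ms
        # ... but does NOT reset the inactivity timer; only its limit changes.
        self.inactivity_timeout_ms = inactivity_ms
        return self.inactivity_state(now_ms)

    def keepalive_due(self, now_ms: int) -> bool:
        """True when the client must send keepalive traffic to keep the session alive."""
        if self.keepalive_interval_ms == NO_KEEPALIVE:
            return False
        return now_ms - self.last_keepalive_reset_ms >= self.keepalive_interval_ms
```

   The separation of the two timers is the point to take from the model:
   a session whose only traffic is keepalives ages toward the inactivity
   limit exactly as if it were silent, which is what prevents the livelock
   described in Section 7.1.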

7.1.2.  Relationship to edns-tcp-keepalive EDNS0 Option

   The inactivity timeout value in the Keepalive TLV (DSO-TYPE=1) has
   similar intent to the edns-tcp-keepalive EDNS0 Option [RFC7828].  A
   client/server pair that supports DSO MUST NOT use the edns-tcp-
   keepalive EDNS0 Option within any message after a DSO Session has
   been established.  A client that has sent a DSO message to establish
   a session MUST NOT send an edns-tcp-keepalive EDNS0 Option from this
   point on.  Once a DSO Session has been established, if either client
   or server receives a DNS message over the DSO Session that contains
   an edns-tcp-keepalive EDNS0 Option, this is a fatal error and the
   receiver of the edns-tcp-keepalive EDNS0 Option MUST forcibly abort
   the connection immediately.

7.2.  Retry Delay TLV

   The Retry Delay TLV (DSO-TYPE=2) can be used as a Primary TLV
   (unidirectional) in a server-to-client message, or as a Response
   Additional TLV in either direction.  DSO messages with a Retry Delay
   TLV as their primary TLV are not permitted in early data.

   The DSO-DATA for the Retry Delay TLV is as follows:

                           1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                     RETRY DELAY (32 bits)                     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   RETRY DELAY:  A time value, specified as a 32-bit unsigned integer,
      in network (big endian) byte order, in units of milliseconds,
      within which the initiator MUST NOT retry this operation, or retry
      connecting to this server.  Recommendations for the RETRY DELAY
      value are given in Section 6.6.1.

7.2.1.  Retry Delay TLV used as a Primary TLV

   When sent from server to client, the Retry Delay TLV is used as the
   Primary TLV in a DSO unidirectional message.  It is used by a server
   to instruct a client to close the DSO Session and underlying
   connection, and not to reconnect for the indicated time interval.

   In this case it applies to the DSO Session as a whole, and the client
   MUST begin closing the DSO Session, as described in Section 6.6.1.
   The RCODE in the message header SHOULD indicate the principal reason
   for the termination:

   o  NOERROR indicates a routine shutdown or restart.

   o  FORMERR indicates that a client request was too badly malformed
      for the session to continue.

   o  SERVFAIL indicates that the server is overloaded due to resource
      exhaustion and needs to shed load.

   o  REFUSED indicates that the server has been reconfigured, and at
      this time it is now unable to perform one or more of the long-
      lived client operations that were previously being performed on
      this DSO Session.

   o  NOTAUTH indicates that the server has been reconfigured and at
      this time it is now unable to perform one or more of the
      long-lived client operations that were previously being performed
      on this DSO Session because it does not have authority over the
      names in question (for example, a DNS Push Notification server
      could be reconfigured such that it is no longer accepting DNS Push
      Notification requests for one or more of the currently subscribed
      names).

   This document specifies only these RCODE values for the Retry Delay
   message.  Servers sending Retry Delay messages SHOULD use one of
   these values.  However, future circumstances may create situations
   where other RCODE values are appropriate in Retry Delay messages, so
   clients MUST be prepared to accept Retry Delay messages with any
   RCODE value.

   In some cases, when a server sends a Retry Delay message to a client,
   there may be more than one reason for the server wanting to end the
   session.  Possibly the configuration could have been changed such
   that some long-lived client operations can no longer be continued due
   to policy (REFUSED), and other long-lived client operations can no
   longer be performed due to the server no longer being authoritative
   for those names (NOTAUTH).  In such cases the server MAY use any of
   the applicable RCODE values, or RCODE=NOERROR (routine shutdown or
   restart).

   Note that the selection of RCODE value in a Retry Delay message is
   not critical, since the RCODE value is generally used only for
   information purposes, such as writing to a log file for future human
   analysis regarding the nature of the disconnection.  Generally
   clients do not modify their behavior depending on the RCODE value.
   The RETRY DELAY in the message tells the client how long it should
   wait before attempting a new connection to this service instance.

   For clients that do in some way modify their behavior depending on
   the RCODE value, they should treat unknown RCODE values the same as
   RCODE=NOERROR (routine shutdown or restart).

   A Retry Delay message from server to client is a DSO unidirectional
   message; the MESSAGE ID MUST be set to zero in the outgoing message
   and the client MUST NOT send a response.

   A client MUST NOT send a Retry Delay DSO message to a server.  If a
   server receives a DSO message where the Primary TLV is the Retry
   Delay TLV, this is a fatal error and the server MUST forcibly abort
   the connection immediately.

7.2.2.  Retry Delay TLV used as a Response Additional TLV

   In the case of a DSO request message that results in a nonzero RCODE
   value, the responder MAY append a Retry Delay TLV to the response,
   indicating the time interval during which the initiator SHOULD NOT
   attempt this operation again.

   The indicated time interval during which the initiator SHOULD NOT
   retry applies only to the failed operation, not to the DSO Session as
   a whole.

7.3.  Encryption Padding TLV

   The Encryption Padding TLV (DSO-TYPE=3) can only be used as an
   Additional or Response Additional TLV.  It is only applicable when
   the DSO Transport layer uses encryption such as TLS.

   The DSO-DATA for the Padding TLV is optional and is a variable length
   field containing non-specified values.  A DSO-LENGTH of 0 still adds
   4 bytes of padding (the DSO-TYPE and DSO-LENGTH fields themselves),
   which is the minimum amount.

                                                1   1   1   1   1   1
        0   1   2   3   4   5   6   7   8   9   0   1   2   3   4   5
      +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
      /                                                               /
      /              PADDING -- VARIABLE NUMBER OF BYTES              /
      /                                                               /
      +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+

   As specified for the EDNS(0) Padding Option [RFC7830], the PADDING
   bytes SHOULD be set to 0x00.  Other values MAY be used, for example,
   in cases where there is a concern that the padded message could be
   subject to compression before encryption.  PADDING bytes of any value
   MUST be accepted in the messages received.

   The Encryption Padding TLV may be included in a DSO request message,
   a response, or both.  As specified for the EDNS(0) Padding Option
   [RFC7830], if a DSO request message is received with an Encryption
   Padding TLV, then the DSO response MUST also include an Encryption
   Padding TLV.

   The length of padding is intentionally not specified in this document
   and is a function of current best practices with respect to the type
   and length of data in the preceding TLVs
   [I-D.ietf-dprive-padding-policy].
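The Padding TLV as an added example, not the draft's own code: it sizes a Padding TLV so the whole message lands on a block boundary (handling the case where the 4-byte TLV header alone would overshoot), optionally fills it with random bytes for the compression-before-encryption concern, and checks that a response to a padded request is padded. The block sizes (128 octets for requests, 468 for responses) are the recommendation of RFC 8467, the published form of the padding-policy draft cited above; they are a policy choice, not part of the TLV definition. The Keepalive TLV used as a sample body is constructed here.

```python
"""Added example (not the draft's own code): build an Encryption Padding
TLV (DSO-TYPE=3) that brings a DSO message up to a multiple of a block
size, and check that a padded request gets a padded response."""
import os
import struct

DSO_TYPE_KEEPALIVE = 1
DSO_TYPE_PADDING = 3
TLV_HEADER_LEN = 4                      # DSO-TYPE (2 octets) + DSO-LENGTH (2 octets)
REQUEST_BLOCK, RESPONSE_BLOCK = 128, 468   # RFC 8467 policy values, an assumption here


def padding_tlv_for(message_len, block, random_fill=False):
    """Return a Padding TLV such that message_len + len(tlv) is a multiple of block.

    Edge case: when the message is already aligned, or fewer than 4 octets
    short of the boundary, the 4-octet TLV header alone would overshoot,
    so a whole extra block is spent.  random_fill=True covers the case the
    draft mentions (compression before encryption); the receiver must
    accept any fill value anyway.
    """
    shortfall = (-message_len) % block
    if shortfall < TLV_HEADER_LEN:
        shortfall += block
    data_len = shortfall - TLV_HEADER_LEN
    data = os.urandom(data_len) if random_fill else bytes(data_len)
    return struct.pack("!HH", DSO_TYPE_PADDING, data_len) + data


def tlv_types(dso_body):
    """DSO-TYPE of every TLV in a DSO message body (the octets after the 12-octet header)."""
    types, off = [], 0
    while off + TLV_HEADER_LEN <= len(dso_body):
        dso_type, dso_len = struct.unpack_from("!HH", dso_body, off)
        types.append(dso_type)
        off += TLV_HEADER_LEN + dso_len
    return types


def padded_body(body, block, header_len=12, random_fill=False):
    """Append a Padding TLV so that the DNS header plus body is block-aligned."""
    return body + padding_tlv_for(header_len + len(body), block, random_fill)


def response_padding_ok(request_body, response_body):
    """False only when the request carried a Padding TLV and the response does not."""
    if DSO_TYPE_PADDING in tlv_types(request_body):
        return DSO_TYPE_PADDING in tlv_types(response_body)
    return True


def sample_keepalive_tlv(inactivity_ms=15000, keepalive_ms=10000):
    """Constructed sample Primary TLV: Keepalive (DSO-TYPE=1) with its two 32-bit timers."""
    return struct.pack("!HHII", DSO_TYPE_KEEPALIVE, 8, inactivity_ms, keepalive_ms)


if __name__ == "__main__":
    req = padded_body(sample_keepalive_tlv(), REQUEST_BLOCK)
    resp = padded_body(sample_keepalive_tlv(), RESPONSE_BLOCK)
    print(len(req) + 12, tlv_types(req), response_padding_ok(req, resp))   # 128 [1, 3] True
```

Padding is appended last so it stays an Additional TLV after the Primary TLV; a message that is already block-aligned still gets a Padding TLV, because the presence of the TLV is what triggers the reciprocal-padding rule on the responder.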

8.  Summary Highlights

   This section summarizes some noteworthy highlights about various
   aspects of the DSO protocol.

8.1.  QR bit and MESSAGE ID

   In DSO Request Messages the QR bit is 0 and the MESSAGE ID is
   nonzero.

   In DSO Response Messages the QR bit is 1 and the MESSAGE ID is
   nonzero.

   In DSO Unidirectional Messages the QR bit is 0 and the MESSAGE ID is
   zero.

   The table below illustrates which combinations are legal and how they
   are interpreted:

               +------------------------------+------------------------+
               |       MESSAGE ID zero        |   MESSAGE ID nonzero   |
      +--------+------------------------------+------------------------+
      |  QR=0  |  DSO unidirectional Message  |  DSO Request Message   |
      +--------+------------------------------+------------------------+
      |  QR=1  |    Invalid - Fatal Error     |  DSO Response Message  |
      +--------+------------------------------+------------------------+
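The QR/MESSAGE ID table above together with the Retry Delay rules of Sections 7.2.1 and 7.2.2, as one added example that is not the draft's own code. It parses a DSO message, classifies it by the table (QR=1 with MESSAGE ID zero is the fatal cell), and on the receiving side applies the Retry Delay semantics: a client closes the session and records the earliest reconnect time, treating unknown RCODEs as NOERROR; a server that receives Retry Delay as a Primary TLV aborts; a Retry Delay Response Additional TLV on a failed response scopes only that operation. OPCODE 6 and the zero count fields come from the draft's message-format section, which is not reproduced on this page; the sample messages are constructed here.

```python
"""Added example (not the draft's own code): Section 8.1 classification
plus the Retry Delay handling of Sections 7.2.1 and 7.2.2."""
import struct
import time

DSO_OPCODE = 6                  # from the draft's message format (not shown on this page)
DSO_TYPE_RETRY_DELAY = 2
# RCODEs the draft names for Retry Delay messages, with their standard DNS values.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 5: "REFUSED", 9: "NOTAUTH"}


class DsoError(Exception):
    """Fatal protocol error: the receiver must forcibly abort the connection."""


def parse_dso(msg):
    """Split a DSO message into header fields and a list of (DSO-TYPE, DSO-DATA) TLVs."""
    msg_id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    if (flags >> 11) & 0xF != DSO_OPCODE or (qd, an, ns, ar) != (0, 0, 0, 0):
        raise DsoError("not a DSO message")
    tlvs, off = [], 12
    while off < len(msg):
        dso_type, dso_len = struct.unpack_from("!HH", msg, off)
        tlvs.append((dso_type, msg[off + 4:off + 4 + dso_len]))
        off += 4 + dso_len
    return {"id": msg_id, "qr": flags >> 15, "rcode": flags & 0xF, "tlvs": tlvs}


def classify(qr, msg_id):
    """The Section 8.1 table; QR=1 with MESSAGE ID zero is the one fatal combination."""
    if qr == 0:
        return "request" if msg_id else "unidirectional"
    if msg_id:
        return "response"
    raise DsoError("QR=1 with MESSAGE ID zero")


def retry_delay_message(rcode, delay_ms):
    """Server-to-client Retry Delay: QR=0, OPCODE 6, MESSAGE ID 0, one Primary TLV."""
    flags = (DSO_OPCODE << 11) | (rcode & 0xF)
    return (struct.pack("!6H", 0, flags, 0, 0, 0, 0)
            + struct.pack("!HHI", DSO_TYPE_RETRY_DELAY, 4, delay_ms))


def error_response(msg_id, rcode, primary_tlv, delay_ms):
    """Constructed sample for Section 7.2.2: a failed response (QR=1, nonzero
    RCODE) carrying its Response Primary TLV plus a Retry Delay Response
    Additional TLV."""
    flags = 0x8000 | (DSO_OPCODE << 11) | (rcode & 0xF)
    return (struct.pack("!6H", msg_id, flags, 0, 0, 0, 0) + primary_tlv
            + struct.pack("!HHI", DSO_TYPE_RETRY_DELAY, 4, delay_ms))


def handle_incoming(msg, role, now):
    """Apply the Retry Delay rules to one received DSO message.

    role is the receiver ("client" or "server"); now is a timestamp in
    seconds.  Returns what the receiver should do, or raises DsoError
    where the draft requires the connection to be forcibly aborted.
    """
    m = parse_dso(msg)
    kind = classify(m["qr"], m["id"])
    if not m["tlvs"]:
        return {"action": "none", "kind": kind}
    primary_type, primary_data = m["tlvs"][0]
    if primary_type == DSO_TYPE_RETRY_DELAY:
        if role == "server":
            raise DsoError("client sent Retry Delay as Primary TLV")   # Section 7.2.1
        if kind != "unidirectional":
            # The draft requires MESSAGE ID zero here; aborting on a violation
            # is this example's choice, not text from the draft.
            raise DsoError("Retry Delay Primary TLV with nonzero MESSAGE ID")
        (delay_ms,) = struct.unpack("!I", primary_data)
        reason = RCODE_NAMES.get(m["rcode"], "NOERROR")   # unknown RCODE == routine shutdown
        return {"action": "close-session", "reason": reason,
                "reconnect_not_before": now + delay_ms / 1000.0}
    if kind == "response" and m["rcode"] != 0:
        # Section 7.2.2: as a Response Additional TLV the delay scopes only the
        # failed operation, never the session.
        for dso_type, data in m["tlvs"][1:]:
            if dso_type == DSO_TYPE_RETRY_DELAY:
                (delay_ms,) = struct.unpack("!I", data)
                return {"action": "retry-operation-later", "message_id": m["id"],
                        "retry_not_before": now + delay_ms / 1000.0}
    return {"action": "none", "kind": kind}


if __name__ == "__main__":
    # Server shedding load: the client must close and wait 30 s before reconnecting.
    print(handle_incoming(retry_delay_message(2, 30000), "client", time.time()))
```

Note that the client never answers a Retry Delay message (MESSAGE ID zero makes it unidirectional), and that the RCODE only feeds a log-style reason string; the delay value is the part that changes behaviour.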

8.2.  TLV Usage

   The table below indicates, for each of the three TLVs defined in this
   document, whether they are valid in each of ten different contexts.

   The first five contexts are DSO requests or DSO unidirectional
   messages from client to server, and the corresponding responses from
   server back to client:

   o  C-P - Primary TLV, sent in DSO Request message, from client to
      server, with nonzero MESSAGE ID indicating that this request MUST
      generate response message.

   o  C-U - Primary TLV, sent in DSO Unidirectional message, from client
      to server, with zero MESSAGE ID indicating that this request MUST
      NOT generate response message.

   o  C-A - Additional TLV, optionally added to a DSO request message or
      DSO unidirectional message from client to server.

   o  CRP - Response Primary TLV, included in response message sent back
      to the client (in response to a client "C-P" request with nonzero
      MESSAGE ID indicating that a response is required) where the DSO-
      TYPE of the Response TLV matches the DSO-TYPE of the Primary TLV
      in the request.

   o  CRA - Response Additional TLV, included in response message sent
      back to the client (in response to a client "C-P" request with
      nonzero MESSAGE ID indicating that a response is required) where
      the DSO-TYPE of the Response TLV does not match the DSO-TYPE of
      the Primary TLV in the request.

   The second five contexts are their counterparts in the opposite
   direction: DSO requests or DSO unidirectional messages from server to
   client, and the corresponding responses from client back to server.

   o  S-P - Primary TLV, sent in DSO Request message, from server to
      client, with nonzero MESSAGE ID indicating that this request MUST
      generate response message.

   o  S-U - Primary TLV, sent in DSO Unidirectional message, from server
      to client, with zero MESSAGE ID indicating that this request MUST
      NOT generate response message.

   o  S-A - Additional TLV, optionally added to a DSO request message or
      DSO unidirectional message from server to client.

   o  SRP - Response Primary TLV, included in response message sent back
      to the server (in response to a server "S-P" request with nonzero
      MESSAGE ID indicating that a response is required) where the DSO-
      TYPE of the Response TLV matches the DSO-TYPE of the Primary TLV
      in the request.

   o  SRA - Response Additional TLV, included in response message sent
      back to the server (in response to a server "S-P" request with
      nonzero MESSAGE ID indicating that a response is required) where
      the DSO-TYPE of the Response TLV does not match the DSO-TYPE of
      the Primary TLV in the request.

                +-------------------------+-------------------------+
                | C-P  C-U  C-A  CRP  CRA | S-P  S-U  S-A  SRP  SRA |
   +------------+-------------------------+-------------------------+
   | KeepAlive  |  X              X       |       X                 |
   +------------+-------------------------+-------------------------+
   | RetryDelay |                      X  |       X              X  |
   +------------+-------------------------+-------------------------+
   | Padding    |            X         X  |            X         X  |
   +------------+-------------------------+-------------------------+

   Note that some of the columns in this table are currently empty.  The
   table provides a template for future TLV definitions to follow.  It
   is recommended that definitions of future TLVs include a similar
   table summarizing the contexts where the new TLV is valid.

9.  Additional Considerations

9.1.  Service Instances

   We use the term service instance to refer to software running on a
   host which can receive connections on some set of IP address and port
   tuples.  What makes the software an instance is that regardless of
   which of these tuples the client uses to connect to it, the client is
   connected to the same software, running on the same node (but see
   Section 9.2), and will receive the same answers and the same keying
   information.

   Service instances are identified from the perspective of the client.
   If the client is configured with IP addresses and port number tuples,
   it has no way to tell if the service offered at one tuple is the same
   server that is listening on a different tuple.  So in this case, the
   client treats each such tuple as if it references a separate service
   instance.

   In some cases a client is configured with a hostname and a port
   number (either implicitly, where the port number is omitted and
   assumed, or explicitly, as in the case of DNS SRV records).  In these
   cases, the (hostname, port) tuple uniquely identifies the service
   instance (hostname comparisons are case-insensitive [RFC1034]).

   It is possible that two hostnames might point to some common IP
   addresses; this is a configuration error which the client is not
   obliged to detect.  The effect of this could be that after being told
   to disconnect, the client might reconnect to the same server because
   it is represented as a different service instance.

   Implementations SHOULD NOT resolve hostnames and then perform
   matching of IP address(es) in order to evaluate whether two entities
   should be determined to be the "same service instance".

9.2.  Anycast Considerations

   When an anycast service is configured on a particular IP address and
   port, it must be the case that although there is more than one
   physical server responding on that IP address, each such server can
   be treated as equivalent.  What we mean by "equivalent" here is that
   both servers can provide the same service and, where appropriate, the
   same authentication information, such as PKI certificates, when
   establishing connections.

   If a change in network topology causes packets in a particular TCP
   connection to be sent to an anycast server instance that does not
   know about the connection, the new server will automatically
   terminate the connection with a TCP reset, since it will have no
   record of the connection, and then the client can reconnect or stop
   using the connection, as appropriate.

   If after the connection is re-established, the client's assumption
   that it is connected to the same service is violated in some way,
   that would be considered to be incorrect behavior in this context.
   It is, however, outside the scope of this specification to make
   specific recommendations in this regard; that would be up to
   follow-on documents that describe specific uses of DNS stateful
   operations.


     IPv6address   =                            6( h16 ":" ) ls32
                    /                       "::" 5( h16 ":" ) ls32
                    / [               h16 ] "::" 4( h16 ":" ) ls32
                    / [ *1( h16 ":" ) h16 ] "::" 3( h16 ":" ) ls32
                    / [ *2( h16 ":" ) h16 ] "::" 2( h16 ":" ) ls32
                    / [ *3( h16 ":" ) h16 ] "::"    h16 ":"   ls32
                    / [ *4( h16 ":" ) h16 ] "::"              ls32
                    / [ *5( h16 ":" ) h16 ] "::"              h16
                    / [ *6( h16 ":" ) h16 ] "::"

     h16           = 1*4HEXDIG
     ls32          = ( h16 ":" h16 ) / IPv4address
     IPv4address   = dec-octet "." dec-octet "." dec-octet "." dec-octet
     dec-octet     = DIGIT                 ; 0-9
                    / %x31-39 DIGIT         ; 10-99
                    / "1" 2DIGIT            ; 100-199
                    / "2" %x30-34 DIGIT     ; 200-249
                    / "25" %x30-35          ; 250-255

   Accordingly, this document updates RFC 3261 as follows:  the
   <IPv6address> and <IPv4address> production rules from RFC 3261 MUST
   NOT be used and instead, the production rules of the same name in RFC
   3986 (and reproduced above) MUST be used.  This will render
   <hexpart>, <hexseq>, and <hex4> production rules in RFC 3261
   obsolete; as such, these three production rules -- namely, <hexpart>,
   <hexseq>, and <hex4> -- from RFC 3261 MUST NOT be used.

   The use of the <IPv4address> production rule from RFC 3986 no longer
   allows syntactically valid -- though semantically invalid -- SIP URIs
   of the form "sip:bob@444.555.666.777".

Gurbani, et al.              Standards Track                    [Page 4]
RFC 5954                      SIP IPv6 ABNF                  August 2010

4.2.  Clarification for Comparison of URIs with Textual Representation
      of IP Addresses

   The resolution to this ambiguity is a simple clarification
   acknowledging that the textual representation of an IP address
   varies, but it is the binary equivalence of the IP address that must
   be taken into consideration when comparing two URIs that contain
   varying textual representations of an IP address.

   Accordingly, the existing rule from the bulleted list in Section
   19.1.4 of RFC 3261 MUST be modified as follows:

   OLD:

   o  For two URIs to be equal, the user, password, host, and port
      components must match.

   NEW:

   o  For two URIs to be equal, the user, password, host, and port
      components must match.  If the host component contains a textual
      representation of IP addresses, then the representation of those
      IP addresses may vary.  If so, the host components are considered
      to match if the different textual representations yield the same
      binary IP address.

   In addition, the text in the following paragraph MUST be added to the
   existing list of examples in Section 19.1.4 of RFC 3261 in order to
   demonstrate the intent of the modified rule:

   The following URIs are equivalent because the underlying binary
   representation of the IP addresses is the same although their
   textual representations vary:

      sip:bob@[::ffff:192.0.2.128]
      sip:bob@[::ffff:c000:280]

      sip:bob@[2001:db8::9:1]
      sip:bob@[2001:db8::9:01]

      sip:bob@[0:0:0:0:0:FFFF:129.144.52.38]
      sip:bob@[::FFFF:129.144.52.38]

5.  Generating a Canonical IPv6 Textual Representation

   Implementers SHOULD generate IPv6 text representation as defined in
   RFC 5952 [5].
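Sections 4.1, 4.2 and 5 together, as an added example that is not RFC 5954's own code: the RFC 3986 <IPv4address>/<IPv6address> productions transcribed into regular expressions (so that "444.555.666.777" is rejected at the syntax level), a URI equality check that compares IP-literal hosts by their binary value rather than their spelling, and a canonicaliser that re-emits an IPv6 literal in the compressed lowercase form RFC 5952 describes. The SIP URI splitting is deliberately minimal (scheme, user, password, host, port; parameters and headers are ignored, and escaped-character equivalence in the user part is not handled) and is this example's own code; the URIs in the test are the ones listed above plus a few negative cases constructed here. The practical point is the one Section 4.2 makes: a comparison done on the text would treat each spelling of the same address as a different host.

```python
"""Added example (not RFC 5954's own code): RFC 3986 IP-literal grammar,
binary-equivalence URI comparison (Section 4.2) and RFC 5952-style
regeneration of IPv6 literals (Section 5)."""
import ipaddress
import re

# RFC 3986 Appendix A productions, transcribed into regular expressions.
DEC_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])"
IPV4 = rf"{DEC_OCTET}\.{DEC_OCTET}\.{DEC_OCTET}\.{DEC_OCTET}"
H16 = r"[0-9A-Fa-f]{1,4}"
LS32 = rf"(?:{H16}:{H16}|{IPV4})"
IPV6 = "|".join([
    rf"(?:{H16}:){{6}}{LS32}",                                  # 6( h16 ":" ) ls32
    rf"::(?:{H16}:){{5}}{LS32}",                                # "::" 5( h16 ":" ) ls32
    rf"(?:{H16})?::(?:{H16}:){{4}}{LS32}",                      # [ h16 ] "::" 4( h16 ":" ) ls32
    rf"(?:(?:{H16}:){{0,1}}{H16})?::(?:{H16}:){{3}}{LS32}",
    rf"(?:(?:{H16}:){{0,2}}{H16})?::(?:{H16}:){{2}}{LS32}",
    rf"(?:(?:{H16}:){{0,3}}{H16})?::{H16}:{LS32}",
    rf"(?:(?:{H16}:){{0,4}}{H16})?::{LS32}",
    rf"(?:(?:{H16}:){{0,5}}{H16})?::{H16}",
    rf"(?:(?:{H16}:){{0,6}}{H16})?::",
])
IPV4_RE = re.compile(IPV4)
IPV6_RE = re.compile(IPV6)

# Minimal SIP URI splitter (this example's own, not RFC 3261's full grammar).
SIP_URI_RE = re.compile(
    r"(?P<scheme>sips?):"
    r"(?:(?P<user>[^@:]*)(?::(?P<password>[^@]*))?@)?"
    r"(?P<host>\[[^\]]+\]|[^:;?]+)"
    r"(?::(?P<port>[0-9]+))?"
    r"(?:[;?].*)?"
)


def parse_sip_uri(uri):
    m = SIP_URI_RE.fullmatch(uri)
    if not m:
        raise ValueError(f"not a SIP URI: {uri}")
    parts = m.groupdict()
    parts["port"] = int(parts["port"]) if parts["port"] else None
    return parts


def host_key(host):
    """Comparison key for a SIP host component.

    IP literals are keyed by their binary value, so every textual form of
    one address compares equal; hostnames are keyed case-insensitively, as
    RFC 3261 already requires.  A literal that fails the RFC 3986 grammar
    raises ValueError instead of silently becoming a hostname.
    """
    if host.startswith("[") and host.endswith("]"):
        literal = host[1:-1]
        if not IPV6_RE.fullmatch(literal):
            raise ValueError(f"invalid IPv6 literal: {literal}")
        return ("ip", ipaddress.IPv6Address(literal))
    if IPV4_RE.fullmatch(host):
        return ("ip", ipaddress.IPv4Address(host))
    if re.fullmatch(r"[0-9.]+", host):
        # All-numeric but not a valid <IPv4address> (e.g. 444.555.666.777);
        # not a valid <hostname> either, whose top label starts with a letter.
        raise ValueError(f"invalid IPv4 literal: {host}")
    return ("name", host.lower())


def sip_uri_equal(a, b):
    """RFC 3261 Section 19.1.4 user/password/host/port rule as amended by
    RFC 5954.  sip: and sips: never match, user and password are
    case-sensitive, and an absent port matches only an absent port
    (RFC 3261 does not imply the default port when comparing)."""
    pa, pb = parse_sip_uri(a), parse_sip_uri(b)
    fixed = ("scheme", "user", "password", "port")
    return all(pa[k] == pb[k] for k in fixed) and host_key(pa["host"]) == host_key(pb["host"])


def canonical_host(host):
    """Re-emit an IP-literal host in compressed, lowercase form (the RFC 5952
    style Section 5 asks for); hostnames are lowercased."""
    kind, key = host_key(host)
    if kind != "ip":
        return key
    return f"[{key}]" if key.version == 6 else str(key)
```

A v4-mapped IPv6 literal such as [::ffff:192.0.2.128] and the plain IPv4 host 192.0.2.128 do not compare equal here: they are different binary addresses (128 and 32 bits), and RFC 5954 equates only differing spellings of the same address.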

6.  Security Considerations

   This document does not introduce any new security considerations
   beyond those described in RFC 3261 [1].

7.  Acknowledgments

   The ABNF for IPv6 was developed by Roy T. Fielding and Andrew Main
   and published in RFC 3986.

   Jeroen van Bemmel, Peter Blatherwick, Gonzalo Camarillo, Paul
   Kyzivat, Jonathan Rosenberg, Michael Thomas, and Dale Worley provided
   invaluable discussion points on the SIP WG mailing list on the URI
   equivalency problem.  Alfred Hoenes urged the use of angle brackets
   (as specified in Section 2.1 of RFC 5234 [4]) to denote productions.

8.  References

8.1.  Normative References

   [1]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
        Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
        Session Initiation Protocol", RFC 3261, June 2002.

   [2]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [3]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
        Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986,
        January 2005.

   [4]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
        Specifications: ABNF", STD 68, RFC 5234, January 2008.

   [5]  Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
        Address Text Representation", RFC 5952, August 2010.

8.2.  Informative References

   [6]  Hinden, R. and S. Deering, "IP Version 6 Addressing
        Architecture", RFC 4291, February 2006.

   [7]  Hinden, R. and S. Deering, "IP Version 6 Addressing
        Architecture", RFC 2373, July 1998.

   [8]  "RFC Editor Errata", <http://www.rfc-editor.org/errata.php>.

Authors' Addresses

   Vijay K. Gurbani (editor)
   Bell Laboratories, Alcatel-Lucent
   1960 Lucent Lane
   Room 9C-533
   Naperville, IL  60563
   USA

   Phone:  +1 630 224-0216
   EMail:  vkg@bell-labs.com

   Brian E. Carpenter (editor)
   Department of Computer Science
   University of Auckland
   PB 92019
   Auckland,   1142
   New Zealand

   EMail:  brian.e.carpenter@gmail.com

   Brett Tate (editor)
   BroadSoft

   EMail:  brett@broadsoft.com
