Essential Correction for IPv6 ABNF and URI Comparison in RFC 3261
RFC 5954

Document type: RFC - Proposed Standard (August 2010); Errata; Updates RFC 3261
Authors: Brett Tate, Brian E. Carpenter, Vijay K. Gurbani
Last updated: 2015-10-14
RFC stream: Internet Engineering Task Force (IETF)
Additional resources: Mailing list discussion
IESG responsible AD: Robert Sparks
Send notices to: (None)
RFC 5954

Internet Engineering Task Force (IETF)                   V. Gurbani, Ed.
Request for Comments: 5954              Bell Laboratories, Alcatel-Lucent
Updates: 3261                                          B. Carpenter, Ed.
Category: Standards Track                              Univ. of Auckland
ISSN: 2070-1721                                             B. Tate, Ed.
                                                                BroadSoft
                                                             August 2010

     Essential Correction for IPv6 ABNF and URI Comparison in RFC 3261

Abstract

This document corrects the Augmented Backus-Naur Form (ABNF) production rule associated with generating IPv6 literals in RFC 3261. It also clarifies the rule for Uniform Resource Identifier (URI) comparison when the URIs contain textual representation of IP addresses.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5954.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Gurbani, et al.               Standards Track                   [Page 1]
RFC 5954                     SIP IPv6 ABNF                   August 2010

Table of Contents

   1. Introduction
   2. Terminology
   3. Problem Statement
      3.1. Extra Colon in IPv4-Mapped IPv6 Address
      3.2. Comparing URIs with Textual Representation of IP Addresses
   4. Resolution
      4.1. Resolution for Extra Colon in IPv4-Mapped IPv6 Address
      4.2. Clarification for Comparison of URIs with Textual Representation of IP Addresses
   5. Generating a Canonical IPv6 Textual Representation
   6. Security Considerations
   7. Acknowledgments
   8. References
      8.1. Normative References
      8.2. Informative References

1. Introduction

This document corrects the Augmented Backus-Naur Form (ABNF) production rule associated with generating IPv6 literals in RFC 3261 [1]. It also clarifies the rule for Uniform Resource Identifier (URI) comparison when the URIs contain textual representation of IP addresses.

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [2].

3. Problem Statement

3.1. Extra Colon in IPv4-Mapped IPv6 Address

The ABNF [4] for generating IPv6 literals in RFC 3261 [1] is incorrect. When generating IPv4-mapped IPv6 addresses, the production rule may actually generate the following construct:

      [2001:db8:::192.0.2.1]

Note the extra colon before the IPv4 address. The correct construct, of course, would only include two colons before the IPv4 address.
Historically, the ABNF pertaining to IPv6 references in RFC 3261 was derived from Appendix B of RFC 2373 [7], which was flawed to begin with (see errata for RFC 2373 [8]). RFC 2373 has been subsequently obsoleted by RFC 4291 [6]. The ABNF for IPv6reference is reproduced from RFC 3261 below:

      IPv6reference  =  "[" IPv6address "]"
      IPv6address    =  hexpart [ ":" IPv4address ]
      IPv4address    =  1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
      hexpart        =  hexseq / hexseq "::" [ hexseq ] / "::" [ hexseq ]
      hexseq         =  hex4 *( ":" hex4)
      hex4           =  1*4HEXDIG

Note that the ambiguity occurs in the <IPv6address> production rule, where the <IPv4address> non-terminal is prefixed by the ":" token. Because the <hexpart> production rule is defined such that two of its alternatives already include the "::" token, expanding those alternatives may yield the faulty construction of an IPv4-mapped IPv6 address with an extra colon.

3.2. Comparing URIs with Textual Representation of IP Addresses

In SIP, URIs are compared for a variety of reasons. Registrars compare URIs when they receive a binding update request, for instance. Section 19.1.4 of RFC 3261 [1] provides the rules for comparing URIs. Among other rules, it states that:

   For two URIs to be equal, the user, password, host, and port components must match.

Does the above rule then imply that the following URIs are equal:

   sip:bob@[::ffff:192.0.2.128]  =  sip:bob@[::ffff:c000:280]?
   sip:bob@[2001:db8::9:1]  =  sip:bob@[2001:db8::9:01]?
   sip:bob@[0:0:0:0:0:FFFF:129.144.52.38]  =  sip:bob@[::FFFF:129.144.52.38]?

In all of the above examples, the textual representation of the IPv6 address is different, but these addresses are binary equivalents (implementers are also urged to consult Section 5 of this document for recommendations on IPv6 address text representations).
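The question the three URI pairs raise can be answered mechanically by reducing each host literal to its binary address before comparing. The following Python is an added example written for this page; it is not code from RFC 5954, RFC 3261 or any SIP stack. It splits a sip: URI into user, host and port, converts a bracketed IPv6 literal with the standard ipaddress module (whose parser permits at most one "::", so it also rejects the extra-colon construct from Section 3.1), reads an IPv4 literal as four decimal octets in the RFC 3261 1*3DIGIT form (treating "00" as 0 rather than as octal is this example's own assumption), and compares the packed bytes. An absent port stays distinct from an explicit port, as RFC 3261 Section 19.1.4 requires.

```python
import ipaddress
import re

# RFC 3261: IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
IPV4_LITERAL = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def parse_host(host):
    """Reduce the host part of a SIP URI to a comparable value.

    Returns ("ip", packed_bytes) for an IP literal and ("name", lowercased)
    for a hostname. Raises ValueError for a malformed IP literal, including
    the extra-colon form "[2001:db8:::192.0.2.1]" from Section 3.1.
    """
    if host.startswith("[") and host.endswith("]"):
        # IPv6reference: ipaddress allows at most one "::", so the construct
        # the RFC 3261 ABNF could generate is rejected here.
        return ("ip", ipaddress.IPv6Address(host[1:-1]).packed)
    m = IPV4_LITERAL.match(host)
    if m:
        # Assumption of this example: every octet is decimal, so "00" and
        # "02" are 0 and 2; the inet_aton octal reading is not applied.
        octets = [int(g) for g in m.groups()]
        if any(o > 255 for o in octets):
            raise ValueError("IPv4 octet out of range: %s" % host)
        return ("ip", bytes(octets))
    return ("name", host.lower())


def valid_ipv6_reference(ref):
    """True if ref is a well-formed bracketed IPv6 literal."""
    try:
        kind, _ = parse_host(ref)
    except ValueError:
        return False
    return kind == "ip" and ref.startswith("[")


def split_sip_uri(uri):
    """Split "sip:user@host[:port]" into (user, host, port or None).

    Only the components needed for this comparison are handled; URI
    parameters and headers are out of scope for the example.
    """
    if not uri.startswith("sip:"):
        raise ValueError("not a sip: URI")
    user, _, hostport = uri[4:].rpartition("@")
    if hostport.startswith("["):
        end = hostport.index("]")
        host, port = hostport[:end + 1], hostport[end + 1:].lstrip(":")
    else:
        host, _, port = hostport.partition(":")
    return user, host, (int(port) if port else None)


def sip_uris_equal(a, b):
    """Compare two sip: URIs on user, host and port; IP hosts by binary value.

    An omitted port does not match an explicit one (RFC 3261 Section 19.1.4).
    """
    user_a, host_a, port_a = split_sip_uri(a)
    user_b, host_b, port_b = split_sip_uri(b)
    return (user_a == user_b and port_a == port_b
            and parse_host(host_a) == parse_host(host_b))


if __name__ == "__main__":
    # Constructed inputs: the three pairs from Section 3.2 of RFC 5954.
    pairs = [
        ("sip:bob@[::ffff:192.0.2.128]", "sip:bob@[::ffff:c000:280]"),
        ("sip:bob@[2001:db8::9:1]", "sip:bob@[2001:db8::9:01]"),
        ("sip:bob@[0:0:0:0:0:FFFF:129.144.52.38]", "sip:bob@[::FFFF:129.144.52.38]"),
    ]
    for left, right in pairs:
        print(left, "==", right, "->", sip_uris_equal(left, right))
    print("[2001:db8:::192.0.2.1] well-formed?",
          valid_ipv6_reference("[2001:db8:::192.0.2.1]"))
```

The decimal reading of IPv4 octets matters for the "192.0.2.128 = 192.00.02.128?" question: parsers in the inet_aton tradition treat a leading zero as octal, so two implementations can disagree about which binary address such text denotes. Whatever convention a registrar or proxy adopts, it should apply one parser to both sides and compare the binary result, never the strings.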
Section 19.1.4 of RFC 3261 does not provide any rule for URIs containing different textual representations of IPv6 addresses that all correspond to the same binary equivalent.

Note that the same ambiguity occurs for IPv4 addresses, i.e., is 192.0.2.128 = 192.00.02.128? However, IPv6, with its compressed notation and the need to represent hybrid addresses (like IPv4-mapped IPv6 addresses), makes the representation issue more acute. The resolution discussed in Section 4.2 applies to textual representations of both IPv6 and IPv4 addresses.

4. Resolution

4.1. Resolution for Extra Colon in IPv4-Mapped IPv6 Address

The resolution to this ambiguity is simply to use the correct ABNF for the <IPv6address> production rule from Appendix A of RFC 3986 [3]. For the sake of completeness, it is reproduced below:

      IPv6address =                            6( h16 ":" ) ls32
                  /                       "::" 5( h16 ":" ) ls32
                  / [               h16 ] "::"

and informs the client that it should generate no DSO keepalive traffic. Note that after signaling that the client should generate no DSO keepalive traffic in this way, at any point the server may revise that DSO keepalive traffic requirement by sending a new DSO Keepalive message dictating new Session Timeout values to the client.

The largest *finite* keepalive interval supported by the current Keepalive TLV is 0xFFFFFFFE (2^32-2 milliseconds, approximately 49.7 days).

Bellis, et al.            Expires April 26, 2019                [Page 36]
Internet-Draft             DNS Stateful Operations           October 2018

6.6. Server-Initiated Session Termination

In addition to cancelling individual long-lived operations selectively (Section 5.6), there are also occasions where a server may need to terminate one or more entire sessions. An entire session may need to be terminated if the client is defective in some way, or departs from the network without closing its session.
Sessions may also need to be terminated if the server becomes overloaded, or if the server is reconfigured and lacks the ability to be selective about which operations need to be cancelled. This section discusses various reasons a session may be terminated, and the mechanisms for doing so.

In normal operation, closing a DSO Session is the client's responsibility. The client makes the determination of when to close a DSO Session based on an evaluation of both its own needs and the inactivity timeout value dictated by the server. A server only causes a DSO Session to be ended in the exceptional circumstances outlined below.

Some of the exceptional situations in which a server may terminate a DSO Session include:

   o  The server application software or underlying operating system is shutting down or restarting.

   o  The server application software terminates unexpectedly (perhaps due to a bug that makes it crash, causing the underlying operating system to send a TCP RST).

   o  The server is undergoing a reconfiguration or maintenance procedure that, due to the way the server software is implemented, requires clients to be disconnected. For example, some software is implemented such that it reads a configuration file at startup, and changing the server's configuration entails modifying the configuration file and then killing and restarting the server software, which generally entails a loss of network connections.

   o  The client fails to meet its obligation to generate the required DSO keepalive traffic, or to close an inactive session by the prescribed time (twice the time interval dictated by the server, or five seconds, whichever is greater, as described in Section 6.2).

   o  The client sends a grossly invalid or malformed request that is indicative of a seriously defective client implementation.

   o  The server is over capacity and needs to shed some load.

6.6.1. Server-Initiated Retry Delay Message

In the cases described above where a server elects to terminate a DSO Session, it could do so simply by forcibly aborting the connection. However, if it did this, the likely behavior of the client might be simply to treat this as a network failure and reconnect immediately, putting more burden on the server.

Therefore, to avoid this reconnection implosion, a server SHOULD instead choose to shed client load by sending a Retry Delay message, with an appropriate RCODE value informing the client of the reason the DSO Session needs to be terminated. The format of the Retry Delay TLV, and the interpretations of the various RCODE values, are described in Section 7.2. After sending a Retry Delay message, the server MUST NOT send any further messages on that DSO Session.

The server MAY randomize retry delays in situations where many retry delays are sent in quick succession, so as to avoid all the clients attempting to reconnect at once. In general, implementations should avoid using the Retry Delay message in a way that would result in many clients reconnecting at the same time, if every client attempts to reconnect at the exact time specified.

Upon receipt of a Retry Delay message from the server, the client MUST make note of the reconnect delay for this server, and then immediately close the connection gracefully.

After sending a Retry Delay message the server SHOULD allow the client five seconds to close the connection, and if the client has not closed the connection after five seconds then the server SHOULD forcibly abort the connection.

A Retry Delay message MUST NOT be initiated by a client. If a server receives a Retry Delay message, this is a fatal error and the server MUST forcibly abort the connection immediately.

6.6.1.1. Outstanding Operations

At the instant a server chooses to initiate a Retry Delay message there may be DNS requests already in flight from client to server on this DSO Session, which will arrive at the server after its Retry Delay message has been sent. The server MUST silently ignore such incoming requests, and MUST NOT generate any response messages for them. When the Retry Delay message from the server arrives at the client, the client will determine that any DNS requests it previously sent on this DSO Session, that have not yet received a response, now will certainly not be receiving any response. Such requests should be considered failed, and should be retried at a later time, as appropriate.

In the case where some, but not all, of the existing operations on a DSO Session have become invalid (perhaps because the server has been reconfigured and is no longer authoritative for some of the names), but the server is terminating all affected DSO Sessions en masse by sending them all a Retry Delay message, the reconnect delay MAY be zero, indicating that the clients SHOULD immediately attempt to re-establish operations. It is likely that some of the attempts will be successful and some will not, depending on the nature of the reconfiguration.

In the case where a server is terminating a large number of DSO Sessions at once (e.g., if the system is restarting) and the server doesn't want to be inundated with a flood of simultaneous retries, it SHOULD send different reconnect delay values to each client. These adjustments MAY be selected randomly, pseudorandomly, or deterministically (e.g., incrementing the time value by one tenth of a second for each successive client, yielding a post-restart reconnection rate of ten clients per second).

6.6.2. Misbehaving Clients

A server may determine that a client is not following the protocol correctly.
There may be no way for the server to recover the session, in which case the server forcibly terminates the connection. Since the client doesn't know why the connection dropped, it may reconnect immediately. If the server has determined that a client is not following the protocol correctly, it may terminate the DSO session as soon as it is established, specifying a long retry-delay to prevent the client from immediately reconnecting.

6.6.3. Client Reconnection

After a DSO Session is ended by the server (either by sending the client a Retry Delay message, or by forcibly aborting the underlying transport connection) the client SHOULD try to reconnect, to that service instance, or to another suitable service instance, if more than one is available. If reconnecting to the same service instance, the client MUST respect the indicated delay, if available, before attempting to reconnect. Clients should not attempt to randomize the delay; the server will randomly jitter the retry delay values it sends to each client if this behavior is desired.

If the service instance will only be out of service for a short maintenance period, it should use a value a little longer than the expected maintenance window. It should not default to a very large delay value, or clients may not attempt to reconnect after it resumes service.

If a particular service instance does not want a client to reconnect ever (perhaps the service instance is being de-commissioned), it SHOULD set the retry delay to the maximum value 0xFFFFFFFF (2^32-1 milliseconds, approximately 49.7 days). It is not possible to instruct a client to stay away for longer than 49.7 days. If, after 49.7 days, the DNS or other configuration information still indicates that this is the valid service instance for a particular service, then clients MAY attempt to reconnect. In reality, if a client is rebooted or otherwise loses state, it may well attempt to reconnect before 49.7 days elapse, for as long as the DNS or other configuration information continues to indicate that this is the service instance the client should use.

6.6.3.1. Reconnecting After a Forcible Abort

If a connection was forcibly aborted by the client, the client SHOULD mark that service instance as not supporting DSO. The client MAY reconnect but not attempt to use DSO, or may connect to a different service instance, if applicable.

6.6.3.2. Reconnecting After an Unexplained Connection Drop

It is also possible for a server to forcibly terminate the connection; in this case the client doesn't know whether the termination was the result of a protocol error or a network outage. When the client notices that the connection has been dropped, it can attempt to reconnect immediately. However, if the connection is dropped again without the client being able to successfully do whatever it is trying to do, it should mark the server as not supporting DSO.

6.6.3.3. Probing for Working DSO Support

Once a server has been marked by the client as not supporting DSO, the client SHOULD NOT attempt DSO operations on that server until some time has elapsed. A reasonable minimum would be an hour. Since forcibly aborted connections are the result of a software failure, it's not likely that the problem will be solved in the first hour after it's first encountered. However, by restricting the retry interval to an hour, the client will be able to notice when the problem has been fixed without placing an undue burden on the server.

7. Base TLVs for DNS Stateful Operations

This section describes the three base TLVs for DNS Stateful Operations: Keepalive, Retry Delay, and Encryption Padding.

7.1. Keepalive TLV

The Keepalive TLV (DSO-TYPE=1) performs two functions.
Primarily it establishes the values for the Session Timeouts. Incidentally, it also resets the keepalive timer for the DSO Session, meaning that it can be used as a kind of "no-op" message for the purpose of keeping a session alive.

The client will request the desired session timeout values and the server will acknowledge with the response values that it requires the client to use.

DSO messages with the Keepalive TLV as the primary TLV may appear in early data.

The DSO-DATA for the Keepalive TLV is as follows:

                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                  INACTIVITY TIMEOUT (32 bits)                 |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                  KEEPALIVE INTERVAL (32 bits)                 |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

INACTIVITY TIMEOUT: The inactivity timeout for the current DSO Session, specified as a 32-bit unsigned integer, in network (big endian) byte order, in units of milliseconds. This is the timeout at which the client MUST begin closing an inactive DSO Session. The inactivity timeout can be any value of the server's choosing. If the client does not gracefully close an inactive DSO Session, then after twice this interval, or five seconds, whichever is greater, the server will forcibly abort the connection.

KEEPALIVE INTERVAL: The keepalive interval for the current DSO Session, specified as a 32-bit unsigned integer, in network (big endian) byte order, in units of milliseconds. This is the interval at which a client MUST generate DSO keepalive traffic to maintain connection state. The keepalive interval MUST NOT be less than ten seconds. If the client does not generate the mandated DSO keepalive traffic, then after twice this interval the server will forcibly abort the connection. Since the minimum allowed keepalive interval is ten seconds, the minimum time at which a server will forcibly disconnect a client for failing to generate the mandated DSO keepalive traffic is twenty seconds.

The transmission or reception of DSO Keepalive messages (i.e., messages where the Keepalive TLV is the first TLV) resets only the keepalive timer, not the inactivity timer. The reason for this is that periodic DSO Keepalive messages are sent for the sole purpose of keeping a DSO Session alive, when that DSO Session has current or recent non-maintenance activity that warrants keeping that DSO Session alive. Sending DSO keepalive traffic itself is not considered a client activity; it is considered a maintenance activity that is performed in service of other client activities. If DSO keepalive traffic itself were to reset the inactivity timer, then that would create a circular livelock where keepalive traffic would be sent indefinitely to keep a DSO Session alive, where the only activity on that DSO Session would be the keepalive traffic keeping the DSO Session alive so that further keepalive traffic can be sent. For a DSO Session to be considered active, it must be carrying something more than just keepalive traffic. This is why merely sending or receiving a DSO Keepalive message does not reset the inactivity timer.

When sent by a client, the DSO Keepalive request message MUST be sent as a DSO request message, with a nonzero MESSAGE ID. If a server receives a DSO Keepalive message with a zero MESSAGE ID then this is a fatal error and the server MUST forcibly abort the connection immediately. The DSO Keepalive request message resets a DSO Session's keepalive timer, and at the same time communicates to the server the client's requested Session Timeout values.
In a server response to a client-initiated DSO Keepalive request message, the Session Timeouts contain the server's chosen values from this point forward in the DSO Session, which the client MUST respect. This is modeled after the DHCP protocol, where the client requests a certain lease lifetime using DHCP option 51 [RFC2132], but the server is the ultimate authority for deciding what lease lifetime is actually granted.

When a client is sending its second and subsequent DSO Keepalive request messages to the server, the client SHOULD continue to request its preferred values each time. This allows flexibility, so that if conditions change during the lifetime of a DSO Session, the server can adapt its responses to better fit the client's needs.

Once a DSO Session is in progress (Section 5.1), a DSO Keepalive message MAY be initiated by a server. When sent by a server, the DSO Keepalive message MUST be sent as a DSO unidirectional message, with the MESSAGE ID set to zero. The client MUST NOT generate a response to a server-initiated DSO Keepalive message. If a client receives a DSO Keepalive request message with a nonzero MESSAGE ID then this is a fatal error and the client MUST forcibly abort the connection immediately. The DSO Keepalive unidirectional message from the server resets a DSO Session's keepalive timer, and at the same time unilaterally informs the client of the new Session Timeout values to use from this point forward in this DSO Session. No client DSO response to this unilateral declaration is required or allowed.

In DSO Keepalive response messages, the Keepalive TLV is REQUIRED and is used only as a Response Primary TLV sent as a reply to a DSO Keepalive request message from the client. A Keepalive TLV MUST NOT be added to other responses as a Response Additional TLV. If the server wishes to update a client's Session Timeout values other than in response to a DSO Keepalive request message from the client, then it does so by sending a DSO Keepalive unidirectional message of its own, as described above.

It is not required that the Keepalive TLV be used in every DSO Session. While many DNS Stateful operations will be used in conjunction with a long-lived session state, not all DNS Stateful operations require long-lived session state, and in some cases the default 15-second value for both the inactivity timeout and keepalive interval may be perfectly appropriate. However, note that for clients that implement only the DSO-TYPEs defined in this document, a DSO Keepalive request message is the only way for a client to initiate a DSO Session.

7.1.1. Client handling of received Session Timeout values

When a client receives a response to its client-initiated DSO Keepalive message, or receives a server-initiated DSO Keepalive message, the client has then received Session Timeout values dictated by the server. The two timeout values contained in the Keepalive TLV from the server may each be higher, lower, or the same as the respective Session Timeout values the client previously had for this DSO Session.

In the case of the keepalive timer, the handling of the received value is straightforward. The act of receiving the message containing the DSO Keepalive TLV itself resets the keepalive timer, and updates the keepalive interval for the DSO Session. The new keepalive interval indicates the maximum time that may elapse before another message must be sent or received on this DSO Session, if the DSO Session is to remain alive.

In the case of the inactivity timeout, the handling of the received value is a little more subtle, though the meaning of the inactivity timeout remains as specified -- it still indicates the maximum permissible time allowed without useful activity on a DSO Session.
The act of receiving the message containing the Keepalive TLV does not itself reset the inactivity timer. The time elapsed since the last useful activity on this DSO Session is unaffected by exchange of DSO Keepalive messages. The new inactivity timeout value in the Keepalive TLV in the received message does update the timeout associated with the running inactivity timer; that becomes the new maximum permissible time without activity on a DSO Session.

   o  If the current inactivity timer value is less than the new inactivity timeout, then the DSO Session may remain open for now. When the inactivity timer value reaches the new inactivity timeout, the client MUST then begin closing the DSO Session, as described above.

   o  If the current inactivity timer value is equal to the new inactivity timeout, then this DSO Session has been inactive for exactly as long as the server will permit, and now the client MUST immediately begin closing this DSO Session.

   o  If the current inactivity timer value is already greater than the new inactivity timeout, then this DSO Session has already been inactive for longer than the server permits, and the client MUST immediately begin closing this DSO Session.

   o  If the current inactivity timer value is already more than twice the new inactivity timeout, then the client is immediately considered delinquent (this DSO Session is immediately eligible to be forcibly terminated by the server) and the client MUST immediately begin closing this DSO Session. However, if a server abruptly reduces the inactivity timeout in this way, then, to give the client time to close the connection gracefully before the server resorts to forcibly aborting it, the server SHOULD give the client an additional grace period of one quarter of the new inactivity timeout, or five seconds, whichever is greater.

7.1.2. Relationship to edns-tcp-keepalive EDNS0 Option

The inactivity timeout value in the Keepalive TLV (DSO-TYPE=1) has similar intent to the edns-tcp-keepalive EDNS0 Option [RFC7828]. A client/server pair that supports DSO MUST NOT use the edns-tcp-keepalive EDNS0 Option within any message after a DSO Session has been established. A client that has sent a DSO message to establish a session MUST NOT send an edns-tcp-keepalive EDNS0 Option from this point on. Once a DSO Session has been established, if either client or server receives a DNS message over the DSO Session that contains an edns-tcp-keepalive EDNS0 Option, this is a fatal error and the receiver of the edns-tcp-keepalive EDNS0 Option MUST forcibly abort the connection immediately.

7.2. Retry Delay TLV

The Retry Delay TLV (DSO-TYPE=2) can be used as a Primary TLV (unidirectional) in a server-to-client message, or as a Response Additional TLV in either direction. DSO messages with a Retry Delay TLV as their primary TLV are not permitted in early data.

The DSO-DATA for the Retry Delay TLV is as follows:

                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      RETRY DELAY (32 bits)                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

RETRY DELAY: A time value, specified as a 32-bit unsigned integer, in network (big endian) byte order, in units of milliseconds, within which the initiator MUST NOT retry this operation, or retry connecting to this server. Recommendations for the RETRY DELAY value are given in Section 6.6.1.

7.2.1. Retry Delay TLV used as a Primary TLV

When sent from server to client, the Retry Delay TLV is used as the Primary TLV in a DSO unidirectional message.
It is used by a server to instruct a client to close the DSO Session and underlying connection, and not to reconnect for the indicated time interval. In this case it applies to the DSO Session as a whole, and the client MUST begin closing the DSO Session, as described in Section 6.6.1. The RCODE in the message header SHOULD indicate the principal reason for the termination:

   o  NOERROR indicates a routine shutdown or restart.

   o  FORMERR indicates that a client request was too badly malformed for the session to continue.

   o  SERVFAIL indicates that the server is overloaded due to resource exhaustion and needs to shed load.

   o  REFUSED indicates that the server has been reconfigured, and at this time it is now unable to perform one or more of the long-lived client operations that were previously being performed on this DSO Session.

   o  NOTAUTH indicates that the server has been reconfigured and at this time it is now unable to perform one or more of the long-lived client operations that were previously being performed on this DSO Session because it does not have authority over the names in question (for example, a DNS Push Notification server could be reconfigured such that it is no longer accepting DNS Push Notification requests for one or more of the currently subscribed names).

This document specifies only these RCODE values for the Retry Delay message. Servers sending Retry Delay messages SHOULD use one of these values. However, future circumstances may create situations where other RCODE values are appropriate in Retry Delay messages, so clients MUST be prepared to accept Retry Delay messages with any RCODE value.

In some cases, when a server sends a Retry Delay message to a client, there may be more than one reason for the server wanting to end the session. Possibly the configuration could have been changed such that some long-lived client operations can no longer be continued due to policy (REFUSED), and other long-lived client operations can no longer be performed due to the server no longer being authoritative for those names (NOTAUTH). In such cases the server MAY use any of the applicable RCODE values, or RCODE=NOERROR (routine shutdown or restart).

Note that the selection of RCODE value in a Retry Delay message is not critical, since the RCODE value is generally used only for information purposes, such as writing to a log file for future human analysis regarding the nature of the disconnection. Generally clients do not modify their behavior depending on the RCODE value. The RETRY DELAY in the message tells the client how long it should wait before attempting a new connection to this service instance. For clients that do in some way modify their behavior depending on the RCODE value, they should treat unknown RCODE values the same as RCODE=NOERROR (routine shutdown or restart).

A Retry Delay message from server to client is a DSO unidirectional message; the MESSAGE ID MUST be set to zero in the outgoing message and the client MUST NOT send a response.

A client MUST NOT send a Retry Delay DSO message to a server. If a server receives a DSO message where the Primary TLV is the Retry Delay TLV, this is a fatal error and the server MUST forcibly abort the connection immediately.

7.2.2. Retry Delay TLV used as a Response Additional TLV

In the case of a DSO request message that results in a nonzero RCODE value, the responder MAY append a Retry Delay TLV to the response, indicating the time interval during which the initiator SHOULD NOT attempt this operation again. The indicated time interval during which the initiator SHOULD NOT retry applies only to the failed operation, not to the DSO Session as a whole.
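The timer rules spread across Sections 6.6.1, 6.6.3, 7.1 and 7.1.1 fit together in one small model: a keepalive timer that any message resets, an inactivity timer that only useful traffic resets, server-side abort deadlines derived from both, and a retry delay the client applies as sent. The following Python is an added example written for this page, not code from the draft or from any DSO implementation; it assumes millisecond timestamps from a monotonic clock and keeps only the state those rules need.

```python
KEEPALIVE_MIN_MS = 10_000        # keepalive interval MUST NOT be less than ten seconds
FIVE_SECONDS_MS = 5_000
RETRY_DELAY_NEVER = 0xFFFFFFFF   # 2^32-1 ms, about 49.7 days: "do not reconnect"


class ClientSession:
    """Client-side view of one DSO Session's timers (Sections 7.1 and 7.1.1).

    last_activity is the time of the last useful (non-keepalive) message and
    drives the inactivity timer; last_message is the time of the last message
    of any kind and drives the keepalive timer. Times are milliseconds on a
    monotonic clock (an assumption of this example, not of the draft).
    """

    def __init__(self, now_ms, inactivity_ms=15_000, keepalive_ms=15_000):
        # 15 s is the default for both values when no Keepalive TLV is exchanged.
        self.inactivity_timeout = inactivity_ms
        self.keepalive_interval = keepalive_ms
        self.last_activity = now_ms
        self.last_message = now_ms

    def useful_activity(self, now_ms):
        """A non-maintenance request or response resets both timers."""
        self.last_activity = now_ms
        self.last_message = now_ms

    def send_keepalive(self, now_ms):
        """Sending a DSO Keepalive request resets only the keepalive timer."""
        self.last_message = now_ms

    def apply_server_keepalive(self, now_ms, inactivity_ms, keepalive_ms):
        """Server-dictated Session Timeouts (response or unidirectional message).

        The message resets the keepalive timer and replaces both timeout
        values, but the inactivity timer keeps counting from last_activity.
        """
        if keepalive_ms < KEEPALIVE_MIN_MS:
            raise ValueError("keepalive interval MUST NOT be less than ten seconds")
        self.inactivity_timeout = inactivity_ms
        self.keepalive_interval = keepalive_ms
        self.last_message = now_ms

    def action(self, now_ms):
        """What the client MUST do right now, following the Section 7.1.1 cases."""
        inactive_for = now_ms - self.last_activity
        if inactive_for > 2 * self.inactivity_timeout:
            return "close-delinquent"   # server is already entitled to abort us
        if inactive_for >= self.inactivity_timeout:
            return "close"              # begin closing gracefully
        if now_ms - self.last_message >= self.keepalive_interval:
            return "keepalive"          # must generate keepalive traffic now
        return "none"


def server_abort_deadlines_ms(inactivity_ms, keepalive_ms):
    """(inactivity abort, keepalive abort), each measured from the relevant last
    message: twice the inactivity timeout or five seconds, whichever is greater,
    and twice the keepalive interval (never below twenty seconds given the
    ten-second minimum)."""
    return (max(2 * inactivity_ms, FIVE_SECONDS_MS), 2 * keepalive_ms)


def server_grace_after_reduction_ms(new_inactivity_ms):
    """Extra time a server SHOULD allow when it abruptly shrinks the inactivity
    timeout and thereby makes a client delinquent: one quarter of the new
    timeout or five seconds, whichever is greater."""
    return max(new_inactivity_ms // 4, FIVE_SECONDS_MS)


def staggered_retry_delays_ms(n_clients, step_ms=100):
    """Section 6.6.1's deterministic spread: one tenth of a second more per
    client, so a restarted server sees about ten reconnections per second."""
    return [i * step_ms for i in range(n_clients)]


def client_reconnect_at(now_ms, retry_delay_ms):
    """Earliest reconnect time for the same service instance; the client applies
    the value as sent, without randomizing it (Section 6.6.3). None means the
    maximum value was sent and the client should stay away."""
    if retry_delay_ms == RETRY_DELAY_NEVER:
        return None
    return now_ms + retry_delay_ms


if __name__ == "__main__":
    s = ClientSession(0, inactivity_ms=60_000, keepalive_ms=15_000)
    print("t=15000:", s.action(15_000))                # keepalive
    s.send_keepalive(15_000)
    s.apply_server_keepalive(15_000, 20_000, 15_000)   # server shortens inactivity
    print("t=20000:", s.action(20_000))                # close: keepalive did not reset it
    print("retry delays:", staggered_retry_delays_ms(5))
```

The scenario in the main block is the livelock case the text warns about: the keepalive exchange at t=15 s resets the keepalive timer, but the session has carried no useful traffic since t=0, so once the server lowers the inactivity timeout to 20 s the client must begin closing at t=20 s regardless of how recently it sent a keepalive.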
7.3. Encryption Padding TLV

The Encryption Padding TLV (DSO-TYPE=3) can only be used as an Additional or Response Additional TLV. It is only applicable when the DSO Transport layer uses encryption such as TLS.

The DSO-DATA for the Padding TLV is optional and is a variable length field containing non-specified values. A DSO-LENGTH of 0 essentially provides for 4 bytes of padding (the minimum amount).

                                         1   1   1   1   1   1
     0   1   2   3   4   5   6   7   8   9   0   1   2   3   4   5
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
   /                                                               /
   /              PADDING -- VARIABLE NUMBER OF BYTES              /
   /                                                               /
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+

As specified for the EDNS(0) Padding Option [RFC7830] the PADDING bytes SHOULD be set to 0x00. Other values MAY be used, for example, in cases where there is a concern that the padded message could be subject to compression before encryption. PADDING bytes of any value MUST be accepted in the messages received.

The Encryption Padding TLV may be included in either a DSO request message, response, or both. As specified for the EDNS(0) Padding Option [RFC7830] if a DSO request message is received with an Encryption Padding TLV, then the DSO response MUST also include an Encryption Padding TLV.

The length of padding is intentionally not specified in this document and is a function of current best practices with respect to the type and length of data in the preceding TLVs [I-D.ietf-dprive-padding-policy].

8. Summary Highlights

This section summarizes some noteworthy highlights about various aspects of the DSO protocol.

8.1. QR bit and MESSAGE ID

In DSO Request Messages the QR bit is 0 and the MESSAGE ID is nonzero.

In DSO Response Messages the QR bit is 1 and the MESSAGE ID is nonzero.

In DSO Unidirectional Messages the QR bit is 0 and the MESSAGE ID is zero.
The table below illustrates which combinations are legal and how they are interpreted:

            +------------------------------+------------------------+
            |       MESSAGE ID zero        |   MESSAGE ID nonzero   |
   +--------+------------------------------+------------------------+
   |  QR=0  |  DSO unidirectional Message  |  DSO Request Message   |
   +--------+------------------------------+------------------------+
   |  QR=1  |    Invalid - Fatal Error     |  DSO Response Message  |
   +--------+------------------------------+------------------------+

8.2. TLV Usage

The table below indicates, for each of the three TLVs defined in this document, whether they are valid in each of ten different contexts.

The first five contexts are DSO requests or DSO unidirectional messages from client to server, and the corresponding responses from server back to client:

o C-P - Primary TLV, sent in DSO Request message, from client to server, with nonzero MESSAGE ID indicating that this request MUST generate response message.

o C-U - Primary TLV, sent in DSO Unidirectional message, from client to server, with zero MESSAGE ID indicating that this request MUST NOT generate response message.

o C-A - Additional TLV, optionally added to a DSO request message or DSO unidirectional message from client to server.

o CRP - Response Primary TLV, included in response message sent back to the client (in response to a client "C-P" request with nonzero MESSAGE ID indicating that a response is required) where the DSO-TYPE of the Response TLV matches the DSO-TYPE of the Primary TLV in the request.

o CRA - Response Additional TLV, included in response message sent back to the client (in response to a client "C-P" request with nonzero MESSAGE ID indicating that a response is required) where the DSO-TYPE of the Response TLV does not match the DSO-TYPE of the Primary TLV in the request.
The second five contexts are their counterparts in the opposite direction: DSO requests or DSO unidirectional messages from server to client, and the corresponding responses from client back to server.

o S-P - Primary TLV, sent in DSO Request message, from server to client, with nonzero MESSAGE ID indicating that this request MUST generate response message.

o S-U - Primary TLV, sent in DSO Unidirectional message, from server to client, with zero MESSAGE ID indicating that this request MUST NOT generate response message.

o S-A - Additional TLV, optionally added to a DSO request message or DSO unidirectional message from server to client.

o SRP - Response Primary TLV, included in response message sent back to the server (in response to a server "S-P" request with nonzero MESSAGE ID indicating that a response is required) where the DSO-TYPE of the Response TLV matches the DSO-TYPE of the Primary TLV in the request.

o SRA - Response Additional TLV, included in response message sent back to the server (in response to a server "S-P" request with nonzero MESSAGE ID indicating that a response is required) where the DSO-TYPE of the Response TLV does not match the DSO-TYPE of the Primary TLV in the request.

                +-------------------------+-------------------------+
                | C-P C-U C-A CRP CRA     | S-P S-U S-A SRP SRA     |
   +------------+-------------------------+-------------------------+
   | KeepAlive  |  X           X          |      X                  |
   +------------+-------------------------+-------------------------+
   | RetryDelay |                  X      |      X           X      |
   +------------+-------------------------+-------------------------+
   | Padding    |          X       X      |          X       X      |
   +------------+-------------------------+-------------------------+

Note that some of the columns in this table are currently empty. The table provides a template for future TLV definitions to follow.
It is recommended that definitions of future TLVs include a similar table summarizing the contexts where the new TLV is valid.

9. Additional Considerations

9.1. Service Instances

We use the term service instance to refer to software running on a host which can receive connections on some set of IP address and port tuples. What makes the software an instance is that regardless of which of these tuples the client uses to connect to it, the client is connected to the same software, running on the same node (but see Section 9.2), and will receive the same answers and the same keying information.

Service instances are identified from the perspective of the client. If the client is configured with IP addresses and port number tuples, it has no way to tell if the service offered at one tuple is the same server that is listening on a different tuple. So in this case, the client treats each such tuple as if it references a separate service instance.

In some cases a client is configured with a hostname and a port number (either implicitly, where the port number is omitted and assumed, or explicitly, as in the case of DNS SRV records). In these cases, the (hostname, port) tuple uniquely identifies the service instance (hostname comparisons are case-insensitive [RFC1034]).

It is possible that two hostnames might point to some common IP addresses; this is a configuration error which the client is not obliged to detect. The effect of this could be that after being told to disconnect, the client might reconnect to the same server because it is represented as a different service instance.

Implementations SHOULD NOT resolve hostnames and then perform matching of IP address(es) in order to evaluate whether two entities should be determined to be the "same service instance".

9.2.
Anycast Considerations

When an anycast service is configured on a particular IP address and port, it must be the case that although there is more than one physical server responding on that IP address, each such server can be treated as equivalent. What we mean by "equivalent" here is that both servers can provide the same service and, where appropriate, the same authentication information, such as PKI certificates, when establishing connections.

If a change in network topology causes packets in a particular TCP connection to be sent to an anycast server instance that does not know about the connection, the new server will automatically terminate the connection with a TCP reset, since it will have no record of the connection, and then the client can reconnect or stop using the connection, as appropriate.

If after the connection is re-established, the client's assumption that it is connected to the same service is violated in some way, that would be considered to be incorrect behavior in this context. It is, however, out of scope for this specification to make specific recommendations in this regard; that would be up to follow-on documents that describe specific uses of DNS stateful operations.

                                    "::" 4( h16 ":" ) ls32
               / [ *1( h16 ":" ) h16 ] "::" 3( h16 ":" ) ls32
               / [ *2( h16 ":" ) h16 ] "::" 2( h16 ":" ) ls32
               / [ *3( h16 ":" ) h16 ] "::"    h16 ":"   ls32
               / [ *4( h16 ":" ) h16 ] "::"              ls32
               / [ *5( h16 ":" ) h16 ] "::"              h16
               / [ *6( h16 ":" ) h16 ] "::"

   h16         = 1*4HEXDIG
   ls32        = ( h16 ":" h16 ) / IPv4address
   IPv4address = dec-octet "." dec-octet "." dec-octet "." dec-octet
   dec-octet   = DIGIT                 ; 0-9
               / %x31-39 DIGIT         ; 10-99
               / "1" 2DIGIT            ; 100-199
               / "2" %x30-34 DIGIT     ; 200-249
               / "25" %x30-35          ; 250-255

Accordingly, this document updates RFC 3261 as follows: the <IPv6address> and <IPv4address> production rules from RFC 3261 MUST NOT be used and instead, the production rules of the same name in RFC 3986 (and reproduced above) MUST be used. This will render the <hexpart>, <hexseq>, and <hex4> production rules in RFC 3261 obsolete; as such, these three production rules -- namely, <hexpart>, <hexseq>, and <hex4> -- from RFC 3261 MUST NOT be used.

The use of the <IPv4address> production rule from RFC 3986 no longer allows syntactically valid -- though semantically invalid -- SIP URIs of the form "sip:bob@444.555.666.777".

4.2. Clarification for Comparison of URIs with Textual Representation of IP Addresses

The resolution to this ambiguity is a simple clarification acknowledging that the textual representation of an IP address varies, but it is the binary equivalence of the IP address that must be taken into consideration when comparing two URIs that contain varying textual representations of an IP address. Accordingly, the existing rule from the bulleted list in Section 19.1.4 of RFC 3261 MUST be modified as follows:

OLD:

o For two URIs to be equal, the user, password, host, and port components must match.

NEW:

o For two URIs to be equal, the user, password, host, and port components must match. If the host component contains a textual representation of IP addresses, then the representation of those IP addresses may vary. If so, the host components are considered to match if the different textual representations yield the same binary IP address.
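The modified rule can be implemented by reducing the host component to a comparison key before the user, password, host and port components are compared: the packed binary address for an IP literal, the case-folded name otherwise. The following is an added example, not code from RFC 5954 or from any SIP stack. It enforces the RFC 3986 <dec-octet> and <h16> shapes itself (so "444.555.666.777" and an embedded IPv4 part with a leading zero are rejected), uses the Python standard library ipaddress module for the "::" expansion and the binary form, ignores URI parameters and headers (which RFC 3261 also compares, but which are outside the rule quoted above), treats the userinfo as case-sensitive and the scheme as part of the comparison as RFC 3261 Section 19.1.4 requires, and produces the RFC 5952 text form recommended in Section 5. The function and type names are the example's own.

```python
"""Compare the user, password, host and port components of SIP URIs,
matching hosts by binary IP address when they are IP literals.
Added example; not code from RFC 5954."""
import ipaddress
import re
from typing import NamedTuple, Optional, Union

# RFC 3986 dec-octet: 0-255 with no leading zeros, so "444" and "01" fail.
DEC_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])"
IPV4_RE = re.compile(rf"^{DEC_OCTET}(?:\.{DEC_OCTET}){{3}}$")
H16_RE = re.compile(r"^[0-9A-Fa-f]{1,4}$")  # RFC 3986 h16 = 1*4HEXDIG


class Parts(NamedTuple):
    scheme: str
    user: Optional[str]
    password: Optional[str]
    host: str            # as written; IPv6 literals keep their brackets
    port: Optional[str]  # as written; an omitted port stays None


def parse_sip_uri(uri: str) -> Parts:
    """Split scheme:[user[:password]@]host[:port]; anything after ';' or
    '?' (parameters, headers) is dropped, as it is outside the host rule."""
    m = re.match(r"^(sips?):([^;?]*)", uri, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a SIP URI: {uri!r}")
    scheme, rest = m.group(1).lower(), m.group(2)
    user = password = None
    if "@" in rest:
        userinfo, rest = rest.split("@", 1)
        user, _, password = userinfo.partition(":")
        password = password or None
    if rest.startswith("["):                 # IPv6reference
        end = rest.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6reference")
        host, tail = rest[:end + 1], rest[end + 1:]
        if tail and not tail.startswith(":"):
            raise ValueError("unexpected text after IPv6reference")
    else:
        host, sep, tail = rest.partition(":")
        tail = sep + tail
    port = tail[1:] if tail else None
    if not host or (port is not None and not port.isdigit()):
        raise ValueError(f"bad hostport in {uri!r}")
    return Parts(scheme, user, password, host, port)


def host_key(host: str) -> Union[bytes, str]:
    """Comparison key for the host: packed bytes for an IP literal (Section
    4.2 rule), the case-folded name otherwise. Raises ValueError for text
    that is neither a valid IPv4address/IPv6reference nor a hostname."""
    if host.startswith("[") and host.endswith("]"):
        lit = host[1:-1]
        if "%" in lit:
            raise ValueError("zone identifiers are not part of the SIP grammar")
        groups = lit.split(":")
        for g in groups[:-1]:            # empty groups come from "::"
            if g and not H16_RE.match(g):
                raise ValueError(f"bad h16 {g!r}")
        tail = groups[-1]
        if "." in tail:                  # ls32 as an embedded IPv4address
            if not IPV4_RE.match(tail):
                raise ValueError(f"bad embedded IPv4address {tail!r}")
        elif tail and not H16_RE.match(tail):
            raise ValueError(f"bad h16 {tail!r}")
        return ipaddress.IPv6Address(lit).packed   # checks "::" and group count
    if IPV4_RE.match(host):
        return ipaddress.IPv4Address(host).packed
    if re.fullmatch(r"[0-9]+(\.[0-9]+){3}", host):
        # All-numeric labels are not a hostname either (toplabel starts with ALPHA).
        raise ValueError(f"not a valid IPv4address: {host!r}")
    return host.lower()                  # hostnames compare case-insensitively


def valid_host(host: str) -> bool:
    try:
        host_key(host)
        return True
    except ValueError:
        return False


def uri_equal(a: str, b: str) -> bool:
    """The modified RFC 3261 Section 19.1.4 rule for these four components."""
    pa, pb = parse_sip_uri(a), parse_sip_uri(b)
    return (pa.scheme == pb.scheme and pa.user == pb.user     # userinfo is case-sensitive
            and pa.password == pb.password
            and host_key(pa.host) == host_key(pb.host)
            and pa.port == pb.port)                          # present vs. omitted differ


def canonical_ipv6(lit: str) -> str:
    """RFC 5952 text form: lowercase hex, the longest zero run compressed,
    and mixed notation for IPv4-mapped addresses (RFC 5952 Section 5)."""
    addr = ipaddress.IPv6Address(lit.strip("[]"))
    if addr.ipv4_mapped is not None:
        return f"::ffff:{addr.ipv4_mapped}"
    return addr.compressed
```

Note that an explicit default port is not the same as an omitted one here, because RFC 3261 treats a URI omitting a component as not matching one that spells out its default value; the example keeps the port as written rather than normalising it.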
In addition, the text in the following paragraph MUST be added to the existing list of examples in Section 19.1.4 of RFC 3261 in order to demonstrate the intent of the modified rule:

The following URIs are equivalent because the underlying binary representation of the IP addresses is the same although their textual representations vary:

   sip:bob@[::ffff:192.0.2.128]
   sip:bob@[::ffff:c000:280]

   sip:bob@[2001:db8::9:1]
   sip:bob@[2001:db8::9:01]

   sip:bob@[0:0:0:0:0:FFFF:129.144.52.38]
   sip:bob@[::FFFF:129.144.52.38]

5. Generating a Canonical IPv6 Textual Representation

Implementers SHOULD generate IPv6 text representation as defined in RFC 5952 [5].

6. Security Considerations

This document does not introduce any new security considerations beyond those described in RFC 3261 [1].

7. Acknowledgments

The ABNF for IPv6 was developed by Roy T. Fielding and Andrew Main and published in RFC 3986. Jeroen van Bemmel, Peter Blatherwick, Gonzalo Camarillo, Paul Kyzivat, Jonathan Rosenberg, Michael Thomas, and Dale Worley provided invaluable discussion points on the SIP WG mailing list on the URI equivalency problem. Alfred Hoenes urged the use of angle brackets (as specified in Section 2.1 of RFC 5234 [4]) to denote productions.

8. References

8.1. Normative References

[1] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002.

[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[3] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005.

[4] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008.

[5] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 Address Text Representation", RFC 5952, August 2010.
8.2. Informative References

[6] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, February 2006.

[7] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 2373, July 1998.

[8] "RFC Editor Errata", <http://www.rfc-editor.org/errata.php>.

Authors' Addresses

Vijay K. Gurbani (editor)
Bell Laboratories, Alcatel-Lucent
1960 Lucent Lane
Room 9C-533
Naperville, IL 60563
USA

Phone: +1 630 224-0216
EMail: vkg@bell-labs.com

Brian E. Carpenter (editor)
Department of Computer Science
University of Auckland
PB 92019
Auckland, 1142
New Zealand

EMail: brian.e.carpenter@gmail.com

Brett Tate (editor)
BroadSoft

EMail: brett@broadsoft.com