This is a purely informative rendering of an RFC that includes verified errata. This rendering may not be used as a reference.

The following 'Verified' errata have been incorporated in this document: EID 2538, EID 2539
Internet Engineering Task Force (IETF)                         R. Sparks
Request for Comments: 6026                                       Tekelec
Updates: 3261                                           T. Zourzouvillys
Category: Standards Track                                          Skype
ISSN: 2070-1721                                           September 2010


             Correct Transaction Handling for 2xx Responses
          to Session Initiation Protocol (SIP) INVITE Requests

Abstract

   This document normatively updates RFC 3261, the Session Initiation
   Protocol (SIP), to address an error in the specified handling of
   success (2xx class) responses to INVITE requests.  Elements following
   RFC 3261 exactly will misidentify retransmissions of the request as a
   new, unassociated request.  The correction involves modifying the
   INVITE transaction state machines.  The correction also changes the
   way responses that cannot be matched to an existing transaction are
   handled to address a security risk.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6026.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction ....................................................3
   2. Conventions and Definitions .....................................3
   3. Reason for Change ...............................................3
   4. Summary of Change ...............................................4
   5. Consequences if Not Implemented .................................4
   6. The Change ......................................................4
   7. Change Details ..................................................5
      7.1. Server Transaction Impacts .................................5
      7.2. Client Transaction Impacts .................................9
      7.3. Proxy Considerations ......................................10
   8. Exact Changes to RFC 3261 ......................................11
      8.1. Page 85 ...................................................11
      8.2. Page 107 ..................................................11
      8.3. Page 114 ..................................................11
      8.4. Pages 126 through 128 .....................................12
      8.5. Pages 134 to 135 ..........................................15
      8.6. Page 136 ..................................................15
      8.7. Page 137 ..................................................17
      8.8. Page 141 ..................................................17
      8.9. Page 144 ..................................................18
      8.10. Page 146 .................................................18
      8.11. Page 265 .................................................18
   9. IANA Considerations ............................................18
   10. Security Considerations .......................................19
   11. Acknowledgments ...............................................20
   12. Normative References ..........................................20

1.  Introduction

   This document describes an essential correction to the Session
   Initiation Protocol (SIP), defined in [RFC3261].  The change
   addresses an error in the handling of 2xx class responses to INVITE
   requests that leads to retransmissions of the INVITE being treated as
   new requests and forbids forwarding stray INVITE responses.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  Reason for Change

   One use of the INVITE method in SIP is to establish new sessions.
   These "initial" INVITEs may fork at intermediaries, and more than one
   receiving endpoint may choose to accept the request.  SIP is designed
   such that the requester receives all of these success responses.

   Two sets of requirements in [RFC3261] work together to allow multiple
   2xx responses to be processed correctly by the requester.  First, all
   elements are required to immediately destroy any INVITE client
   transaction state upon forwarding a matching 2xx class response.
   This requirement applies to both UAs (user agents) and proxies
   (proxies forward the response upstream, the transaction layer at user
   agents forwards the response to its "UA core").  Second, all proxies
   are required to statelessly forward upstream any 2xx class responses
   that do not match an existing transaction, also called stray
   responses.  The transaction layer at user agents is required to
   forward these responses to its UA core.  Logic in the UA core deals
   with acknowledging each of these responses.

   This technique for specifying the behavior was chosen over adjusting
   INVITE client transaction state machines as a simpler way to specify
   the correct behavior.

   Over time, implementation experience demonstrated the existing text
   is in error.  Once any element with a server transaction (say, a
   proxy in the path of the INVITE) deletes that transaction state, any
   retransmission of the INVITE will be treated as a new request,
   potentially forwarded to different locations than the original.  Many
   implementations in the field have made proprietary adjustments to
   their transaction logic to avoid this error.

   The requirement to statelessly forward stray responses has also been
   identified as a security risk.  Through it, elements compliant to
   [RFC3261] are compelled to do work (forward packets) that is not
   protected by the admission policies applied to requests.  This can be
   leveraged to, for instance, use a SIP proxy as an anonymizing
   forwarder of packets in a distributed denial-of-service attack.
   General Internet endpoints can also collude to tunnel non-SIP content
   through such proxies by wrapping them in an SIP response envelope.

   Additionally, [RFC3261] requires that if an unrecoverable transport
   error is encountered while sending a response in a client
   transaction, that the transaction moves immediately into the
   "Terminated" state.  This will result in any retransmitted INVITE
   requests received after such an error was encountered to be processed
   as a new request instead of being absorbed as a retransmission.

4.  Summary of Change

   This correction document updates [RFC3261], adding a state and
   changing the transitions in the INVITE client state machine such that
   the INVITE client transaction remains in place to receive multiple
   2xx responses.  It adds a state to the INVITE server state machine to
   absorb retransmissions of the INVITE after a 2xx response has been
   sent.  It modifies state transitions in the INVITE server state
   machine to absorb retransmissions of the INVITE request after
   encountering an unrecoverable transport error when sending a
   response.  It also forbids forwarding stray responses to INVITE
   requests (not just 2xx responses), which RFC 3261 requires.

5.  Consequences if Not Implemented

   Implementations strictly conformant to [RFC3261] will process
   retransmitted initial INVITE requests as new requests.  Proxies may
   forward them to different locations than the original.  Proxies may
   also be used as anonymizing forwarders of bulk traffic.
   Implementations will process any retransmitted INVITE request as a
   new request after an attempt to send a response results in an
   unrecoverable error.

6.  The Change

   An element sending or receiving a 2xx to an INVITE transaction MUST
   NOT destroy any matching INVITE transaction state.  This state is
   necessary to ensure correct processing of retransmissions of the
   request and the retransmission of the 2xx and ACK that follow.

   An element encountering an unrecoverable transport error when trying
   to send a response to an INVITE request MUST NOT immediately destroy
   the associated INVITE server transaction state.  This state is
   necessary to ensure correct processing of retransmissions of the
   request.

   When receiving any SIP response, a transaction-stateful proxy MUST
   compare the transaction identifier in that response against its
   existing transaction state machines.  The proxy MUST NOT forward the
   response if there is no matching transaction state machine.

   When receiving an ACK that matches an existing INVITE server
   transaction and that does not contain a branch parameter containing
   the magic cookie defined in RFC 3261, the matching transaction MUST
   be checked to see if it is in the "Accepted" state.  If it is, then
   the ACK must be passed directly to the transaction user instead of
   being absorbed by the transaction state machine.  This is necessary
   as requests from RFC 2543 clients will not include a unique branch
   parameter, and the mechanisms for calculating the transaction ID from
   such a request will be the same for both INVITE and ACKs.

7.  Change Details

   These changes impact requirements in several sections of RFC 3261.
   The exact effect on that text is detailed in Section 8.  This section
   describes the details of the change, particularly the impact on the
   INVITE state machines, more succinctly to facilitate review and
   simplify implementation.

7.1.  Server Transaction Impacts

EID 2538 (Verified) is as follows:

Section: 7.1, pg.6

Original Text:

[[ last paragraph on page 6: ]]

   Figures 1 and 2 show the parts of the INVITE server state machine
   that have changed.  The entire new INVITE server state machine is
|  shown in Figure 5.

Corrected Text:

   Figures 1 and 2 show the parts of the INVITE server state machine
   that have changed.  The entire new INVITE server state machine is
|  shown in Figure 7.
Notes:
- qualified as Technical because of importance of correct pointer;
- apparently this detail has been missed when the Figures in the
document have been renumbered (#5 --> #7 and #4 --> #5) to achieve
the relationship to RFC 3261 explained in Section 8 (top of page 11):

[...] This document
intentionally does not contain a Figure 4 or Figure 6 so that the
labels for Figures 5 and 7 are identical to the labels of the figures
they are replacing in RFC 3261.
To allow a SIP element to recognize retransmissions of an INVITE as retransmissions instead of new requests, a new state, "Accepted", is added to the INVITE server transaction state machine. A new timer, Timer L, is also added to ultimately allow the state machine to terminate. A server transaction in the "Proceeding" state will transition to the "Accepted" state when it issues a 2xx response and will remain in that state just long enough to absorb any retransmissions of the INVITE. If the SIP element's TU (Transaction User) issues a 2xx response for this transaction while the state machine is in the "Proceeding" state, the state machine MUST transition to the "Accepted" state and set Timer L to 64*T1, where T1 is the round-trip time estimate defined in Section 17.1.1.1 of [RFC3261]. While in the "Accepted" state, any retransmissions of the INVITE received will match this transaction state machine and will be absorbed by the machine without changing its state. These retransmissions are not passed onto the TU. RFC 3261 requires the TU to periodically retransmit the 2xx response until it receives an ACK. The server transaction MUST NOT generate 2xx retransmissions on its own. Any retransmission of the 2xx response passed from the TU to the transaction while in the "Accepted" state MUST be passed to the transport layer for transmission. Any ACKs received from the network while in the "Accepted" state MUST be passed directly to the TU and not absorbed. When Timer L fires and the state machine is in the "Accepted" state, the machine MUST transition to the "Terminated" state. Once the transaction is in the "Terminated" state, it MUST be destroyed immediately. Timer L reflects the amount of time the server transaction could receive 2xx responses for retransmission from the TU while it is waiting to receive an ACK. A server transaction MUST NOT discard transaction state based only on encountering a non-recoverable transport error when sending a response. Instead, the associated INVITE server transaction state machine MUST remain in its current state. (Timers will eventually cause it to transition to the "Terminated" state). This allows retransmissions of the INVITE to be absorbed instead of being processed as a new request. Figures 1 and 2 show the parts of the INVITE server state machine that have changed. The entire new INVITE server state machine is shown in Figure 5. BEFORE AFTER +-----------+ +-----------+ | | | | | Proceeding| | Proceeding| | | | | | | | | | | | | | | | | +-----------+ +-----------+ |2xx from TU |2xx from TU |send response |send response +-------------->+ +------->+ | | | | | | | | Transport | INVITE | Error | - | Inform TU | +-----+ | +--+ | | | V | v | | +------------+ | | | |<--+ | +->| Accepted | | ACK | | |---+ to TU | +------------+ | | ^ | | +--+ | | | | +-----+ | | 2xx from TU | | send response | | | | Timer L fires | | - | | | V +-----------+ | +------------+ | | | | | | Terminated|<-----------+ | Terminated | | | | | +-----------+ +------------+ Figure 1: Changes to the INVITE server transaction state machine when sending 2xx BEFORE AFTER +-----------+ +------------+ | | | | | Proceeding| | Proceeding | Transport Err. | | | | Inform TU | | Transport Err. | |----------+ | | Inform TU | | | | |--------------->+ | |<---------+ +-----------+ | +------------+ | | | | | Transport Err. +-----------+ | +-----------+ Inform TU | | | | |---------+ | Completed | | | Completed | | | | | | |<--------+ +-----------+ | +-----------+ | | | | +------------------>+ Transport Err.| Inform TU | | | | | | | | | | +-----------+ | | | | | Terminated|<---------------+ | | +-----------+ Figure 2: Changes to the INVITE server transaction state machine on encountering transport error 7.2. Client Transaction Impacts In order to correctly distinguish retransmissions of 2xx responses from stray 2xx responses, the INVITE client state machine is modified to not transition immediately to "Terminated" on receipt of a 2xx response. Instead, the machine will transition to a new "Accepted" state, and remain there just long enough, determined by a new timer M, to receive and pass to the TU any retransmissions of the 2xx response or any additional 2xx responses from other branches of a downstream fork of the matching request. If a 2xx response is received while the client INVITE state machine is in the "Calling" or "Proceeding" states, it MUST transition to the "Accepted" state, pass the 2xx response to the TU, and set Timer M to 64*T1. A 2xx response received while in the "Accepted" state MUST be passed to the TU and the machine remains in the "Accepted" state. The client transaction MUST NOT generate an ACK to any 2xx response on its own. The TU responsible for the transaction will generate the ACK. When Timer M fires and the state machine is in the "Accepted" state, the machine MUST transition to the "Terminated" state. Once the transaction is in the "Terminated" state, it MUST be destroyed immediately. Any response received that does not match an existing client transaction state machine is simply dropped. (Implementations are, of course, free to log or do other implementation-specific things with such responses, but the implementer should be sure to consider the impact of large numbers of malicious stray responses.) Note that it is not necessary to preserve client transaction state upon the detection of unrecoverable transport errors. Existing requirements ensure the TU has been notified, and the new requirements in this document ensure that any received retransmitted response will be dropped since there will no longer be any matching transaction state. Figure 3 shows the part of the INVITE client state machine that has changed. The entire new INVITE client state machine is shown in Figure 5. +-----------+ +-----------+ | | | | | Calling | | Calling | | |----------->+ | |-----------+ +-----------+ 2xx | +-----------+ 2xx | 2xx to TU | 2xx to TU | | | | | | | | | +-----------+ | +-----------+ | | | | | | | |Proceeding |----------->| |Proceeding |---------->| | | 2xx | | | 2xx | +-----------+ 2xx to TU | +-----------+ 2xx to TU | | | | | | | | V | +-----------+ | | | | | Accepted | | +---| | | 2xx | +-----------+ | 2xx to TU | ^ | | | | | | +-----+ | | | | +-----------------+ | | Timer M fires | | - | V +-----------+ | +-----------+ | | | | | | Terminated|<-----------+ | Terminated| | | | | +-----------+ +-----------+ Figure 3: Changes to the INVITE client transaction state machine 7.3. Proxy Considerations This document changes the behavior of transaction-stateful proxies to not forward stray INVITE responses. When receiving any SIP response, a transaction-stateful proxy MUST compare the transaction identifier in that response against its existing transaction state machines. The proxy MUST NOT forward the response if there is no matching transaction state machine. 8. Exact Changes to RFC 3261 This section describes exactly the same changes as above, but shows exactly which text in RFC 3261 is affected. This document intentionally does not contain a Figure 4 or Figure 6 so that the labels for Figures 5 and 7 are identical to the labels of the figures they are replacing in RFC 3261. 8.1. Page 85 Section 13.3.1.4, paragraph 4, is replaced entirely by: Once the response has been constructed, it is passed to the INVITE server transaction. In order to ensure reliable end-to-end transport of the response, it is necessary to periodically pass the response directly to the transport until the ACK arrives. The 2xx response is passed to the transport with an interval that starts at T1 seconds and doubles for each retransmission until it reaches T2 seconds (T1 and T2 are defined in Section 17). Response retransmissions cease when an ACK request for the response is received. This is independent of whatever transport protocols are used to send the response. 8.2. Page 107 Section 16.7, paragraphs 1 and 2, are replaced entirely by: When a response is received by an element, it first tries to locate a client transaction (Section 17.1.3) matching the response. If a transaction is found, the response is handed to the client transaction. If none is found, the element MUST NOT forward the response. 8.3. Page 114 Section 16.7, part 9, first paragraph. Replace this sentence: If the server transaction is no longer available to handle the transmission, the element MUST forward the response statelessly by sending it to the server transport. with If the server transaction is no longer available to handle the transmission, the response is simply discarded. 8.4. Pages 126 through 129 Section 17.1.1.2. Replace paragraph 7 (starting "When in either") through the end of the section with:
EID 2539 (Verified) is as follows:

Section: 8.4, pg.12

Original Text:

|8.4.  Pages 126 through 128

   Section 17.1.1.2.  Replace paragraph 7 (starting "When in either")
   through the end of the section with:

Corrected Text:

|8.4.  Pages 126 through 129

   Section 17.1.1.2.  Replace paragraph 7 (starting "When in either")
   through the end of the section with:
Notes:
Rationale:
In RFC 3261, Section 17.1.1.2. extends to mid-page 129.
So if the quoted text is correct, the section headline
here is strongly misleading, contradicts the text, and
hence needs adjustment.
Since the textual scope of the change is at the heart of
this RFC, this Errata note is classified as Technical.
When in either the "Calling" or "Proceeding" states, reception of a response with status code from 300-699 MUST cause the client transaction to transition to "Completed". The client transaction MUST pass the received response up to the TU, and the client transaction MUST generate an ACK request, even if the transport is reliable (guidelines for constructing the ACK from the response are given in Section 17.1.1.3), and then pass the ACK to the transport layer for transmission. The ACK MUST be sent to the same address, port, and transport to which the original request was sent. The client transaction MUST start Timer D when it enters the "Completed" state for any reason, with a value of at least 32 seconds for unreliable transports, and a value of zero seconds for reliable transports. Timer D reflects the amount of time that the server transaction can remain in the "Completed" state when unreliable transports are used. This is equal to Timer H in the INVITE server transaction, whose default is 64*T1, and is also equal to the time a UAS core will wait for an ACK once it sends a 2xx response. However, the client transaction does not know the value of T1 in use by the server transaction or any downstream UAS cores, so an absolute minimum of 32 s is used instead of basing Timer D on T1. Any retransmissions of a response with status code 300-699 that are received while in the "Completed" state MUST cause the ACK to be re-passed to the transport layer for retransmission, but the newly received response MUST NOT be passed up to the TU. A retransmission of the response is defined as any response that would match the same client transaction based on the rules of Section 17.1.3. If Timer D fires while the client transaction is in the "Completed" state, the client transaction MUST move to the "Terminated" state. When a 2xx response is received while in either the "Calling" or "Proceeding" states, the client transaction MUST transition to the "Accepted" state, and Timer M MUST be started with a value of 64*T1. The 2xx response MUST be passed up to the TU. The client transaction MUST NOT generate an ACK to the 2xx response -- its handling is delegated to the TU. A UAC core will send an ACK to the 2xx response using a new transaction. A proxy core will always forward the 2xx response upstream. The purpose of the "Accepted" state is to allow the client transaction to continue to exist to receive, and pass to the TU, any retransmissions of the 2xx response and any additional 2xx responses from other branches of the INVITE if it forked downstream. Timer M reflects the amount of time that the transaction user will wait for such messages. Any 2xx responses that match this client transaction and that are received while in the "Accepted" state MUST be passed up to the TU. The client transaction MUST NOT generate an ACK to the 2xx response. The client transaction takes no further action. If Timer M fires while the client transaction is in the "Accepted" state, the client transaction MUST move to the "Terminated" state. The client transaction MUST be destroyed the instant it enters the "Terminated" state. Replace Figure 5 with: |INVITE from TU Timer A fires |INVITE sent Timer B fires Reset A, V or Transport Err. INVITE sent +-----------+ inform TU +---------| |--------------------------+ | | Calling | | +-------->| |-----------+ | 300-699 +-----------+ 2xx | | ACK sent | | 2xx to TU | | resp. to TU | |1xx | | +-----------------------------+ |1xx to TU | | | | | | | 1xx V | | | 1xx to TU +-----------+ | | | +---------| | | | | | |Proceeding | | | | +-------->| | | | | +-----------+ 2xx | | | 300-699 | | 2xx to TU | | | ACK sent, +--------+ +---------------+ | | resp. to TU| | | | | | | | V V | | +-----------+ +----------+ | +------------->| |Transport Err. | | | | Completed |Inform TU | Accepted | | +--| |-------+ | |-+ | 300-699 | +-----------+ | +----------+ | | ACK sent| ^ | | | ^ | | | | | | | | | | +----+ | | | +-----+ | |Timer D fires | Timer M fires| 2xx | |- | - | 2xx to TU | +--------+ | +-----------+ | NOTE: V V V | Transitions +------------+ | are labeled | | | with the event | Terminated |<-----------------------+ over the action | | to take. +------------+ Figure 5: INVITE client transaction 8.5. Pages 134 to 135 Section 17.2.1, paragraph 4, is replaced with: If, while in the "Proceeding" state, the TU passes a 2xx response to the server transaction, the server transaction MUST pass this response to the transport layer for transmission. It is not retransmitted by the server transaction; retransmissions of 2xx responses are handled by the TU. The server transaction MUST then transition to the "Accepted" state. 8.6. Page 136 Replace Figure 7 with: |INVITE |pass INV to TU INVITE V send 100 if TU won't in 200 ms send response+------------+ +--------| |--------+ 101-199 from TU | | | | send response +------->| |<-------+ | Proceeding | | |--------+ Transport Err. | | | Inform TU | |<-------+ +------------+ 300-699 from TU | |2xx from TU send response | |send response +--------------+ +------------+ | | INVITE V Timer G fires | send response +-----------+ send response | +--------| |--------+ | | | | | | +------->| Completed |<-------+ INVITE | Transport Err. | | - | Inform TU +--------| |----+ +-----+ | +---+ | +-----------+ | ACK | | v | v | ^ | | - | +------------+ | | | | | | |---+ ACK +----------+ | | +->| Accepted | | to TU Transport Err. | | | |<--+ Inform TU | V +------------+ | +-----------+ | ^ | | | | | | | | | Confirmed | | +-----+ | | | | 2xx from TU Timer H fires | +-----------+ | send response - | | | | | Timer I fires | | | - | Timer L fires | V | - | +------------+ | | | |<----+ +------->| Terminated | | | +------------+ Figure 7: INVITE server transaction 8.7. Page 137 In Section 17.2.1, replace the last paragraph (starting "Once the transaction") with: The purpose of the "Accepted" state is to absorb retransmissions of an accepted INVITE request. Any such retransmissions are absorbed entirely within the server transaction. They are not passed up to the TU since any downstream UAS cores that accepted the request have taken responsibility for reliability and will already retransmit their 2xx responses if necessary. While in the "Accepted" state, if the TU passes a 2xx response, the server transaction MUST pass the response to the transport layer for transmission. When the INVITE server transaction enters the "Accepted" state, Timer L MUST be set to fire in 64*T1 for all transports. This value matches both Timer B in the next upstream client state machine (the amount of time the previous hop will wait for a response when no provisionals have been sent) and the amount of time this (or any downstream) UAS core might be retransmitting the 2xx while waiting for an ACK. If an ACK is received while the INVITE server transaction is in the "Accepted" state, then the ACK must be passed up to the TU. If Timer L fires while the INVITE server transaction is in the "Accepted" state, the transaction MUST transition to the "Terminated" state. Once the transaction is in the "Terminated" state, it MUST be destroyed immediately. 8.8. Page 141 In Section 17.2.4, replace the second paragraph with: First, the procedures in [4] are followed, which attempt to deliver the response to a backup. If those should all fail, based on the definition of failure in [4], the server transaction SHOULD inform the TU that a failure has occurred, and MUST remain in the current state. 8.9. Page 144 In Section 18.1.2, replace the second paragraph with: The client transport uses the matching procedures of Section 17.1.3 to attempt to match the response to an existing transaction. If there is a match, the response MUST be passed to that transaction. Otherwise, any element other than a stateless proxy MUST silently discard the response. 8.10. Page 146 In Section 18.2.1, replace the last paragraph with: Next, the server transport attempts to match the request to a server transaction. It does so using the matching rules described in Section 17.2.3. If a matching server transaction is found, the request is passed to that transaction for processing. If no match is found, the request is passed to the core, which may decide to construct a new server transaction for that request. 8.11. Page 265 Add to Table 4: Timer L 64*T1 Section 17.2.1 Wait time for accepted INVITE request retransmits Timer M 64*T1 Section 17.1.1 Wait time for retransmission of 2xx to INVITE or additional 2xx from other branches of a forked INVITE 9. IANA Considerations IANA has updated the SIP Parameters: Method and Response Codes registry as follows: OLD: Methods Reference ------- --------- INVITE [RFC3261] NEW: Methods Reference ------- --------- INVITE [RFC3261][RFC6026] 10. Security Considerations This document makes two changes to the Session Initiation Protocol to address the error discussed in Section 3. It changes the behavior of both the client and server INVITE transaction state machines, and it changes the way "stray" responses (those that don't match any existing transaction) are handled at transaction-stateful elements. The changes to the state machines cause elements to hold onto each accepted INVITE transaction state 32 seconds longer than what was specified in RFC 3261. This will have a direct impact on the amount of work an attacker that is leveraging state exhaustion will have to exert against the system. However, this additional state is necessary to achieve correct operation. There is some discussion of avoiding state exhaustion and other denial-of-service attacks in RFC 3261, Section 26.3.2.4. RFC 3261 required SIP proxies to forward any stray 2xx class responses to an INVITE request upstream statelessly. As a result, conformant proxies can be forced to forward packets (that look sufficiently like SIP responses) to destinations of the sender's choosing. Section 3 discusses some of the malicious behavior this enables. This document reverses the stateless forwarding requirement, making it a violation of the specification to forward stray responses. RFC 3261 defines a "stateless proxy", which forwards requests and responses without creating or maintaining any transaction state. The requirements introduced in this document do not change the behavior of these elements in any way. Stateless proxies are inherently vulnerable to the abuses discussed in Section 3. One way operators might mitigate this vulnerability is to carefully control which peer elements can present traffic to a given stateless proxy. The changes introduced by this document are backward-compatible. Transaction behavior will be no less correct, and possibly more correct, when only one peer in a transaction implements these changes. Except for the considerations mentioned earlier in this section, introducing elements implementing these changes into deployments with RFC 3261 implementations adds no additional security concerns. 11. Acknowledgments Pekka Pessi reported the improper handling of INVITE retransmissions. Brett Tate performed a careful review uncovering the need for the "Accepted" state and Timer M in the client transaction state machine. Jan Kolomaznik noticed that a server transaction should let a TU know about transport errors when it attempts to send a 2xx class response. Michael Procter corrected several nits. 12. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. Authors' Addresses Robert Sparks Tekelec 17210 Campbell Road Suite 250 Dallas, Texas 75252 USA EMail: RjS@nostrum.com Theo Zourzouvillys Skype 3rd Floor 8000 Marina Blvd Brisbane, California 84005 US EMail: theo@crazygreek.co.uk

mirror server hosted at Truenetwork, Russian Federation.