SIMPLE Instant Messaging Sessions (SIMS)

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119. [put definitions here]

The IETF SIMPLE Working Group has identified a number of scenarios where using a separate protocol for bulk messaging is desirable. In particular, the SIMPLE WG will use this facility to handle a sequence of messages as a session media, just like any other media type. The SIMPLE community has investigated many options for sessions of messages, the most recent of these called MSRP. The authors feel that the current direction of MSRP is not consistent however with the requirements of the Enterprise and Consumer IM community. This proposal attempts to capture the benefits of MSRP (especially peer-to-peer operation) and also address these additional requirements. This document defines a protocol for conveying arbitrary MIME content in near-real time through zero or more relays, with the opportunity for store and forward. SIMS (SIMPLE Instant Messaging Sessions) can be used as a standalone protocol, or in conjunction with a rendezvous or session setup protocol such as SIP. As with MSRP, all SIMS traffic is sent over reliable, congestion-safe transports. SIMS was designed to allow SIMS clients to communicate directly, or through an arbitrary number of relays. Each client is responsible for identifying any relays acting on its behalf and providing appropriate credentials. The Goals of SIMS are listed below: convey arbitrary binary MIME data operate as a standalone protocol or as a session media protocol support client to client operation (no servers required) operate through an arbitrary number of relays for policy enforcement allow each client to control which relays are traversed on its behalf prevent unsolicited messages (spam), "open relays", and denial of service amplification allow relays to use one or a small number of TCP or TLS connections to carry messages for multiple sessions, recipients, and senders allow large messages to be sent over a slow connection without causing head-of-line blocking problems allow transmission of a large message to be interrupted and resumed in place when network connectivity is lost and later reestablished offer end-to-end notification of message receipt provide notification of message storage (desirable) easy to implement allow relays to delete state after a short amount of time

SIMS defines the concept of clients and relays. Clients send messages to relays and other clients. Relays forward messages and message delivery status to clients and other relays. Clients which can open TCP connections to each other without intervening policy restrictions, can communicate directly with each other. Clients who are behind a firewall or who need to use an intermediary for policy reasons can use the services of a relay. Each client is responsible for enlisting the assistance of one or more relays for its half of the communication. SIMS also defines the special role of a Message-Taker, which is a client that can receive messages and store them persistently on behalf of a user. Note that these roles can be co-resident.

Clients which use a relay operate by first opening a connection with a relay and authenticating. When client wish to send a short message, they send a CHUNK request with the entire contents of the message.

, Content-Type: text/plain Hi Bob, I'm about to send you "The Lord of the Rings". ]]> Each hop (relay or recipient client) that receives a CHUNK request acknowledges receipt of the request before forwarding. For larger messages, each CHUNK request may contain only a portion of the complete message. To avoid confusion and ambiguity, each request or response is called a "parcel". When Alice sends Bob a 4GB file called "The Lord of the Rings.mpeg", she will sends several CHUNK requests (parcels) each with one part of the complete message. Relays can repack parcels en-route. As individual parts of the complete message arrive at the final destination client, it sends INFORM requests indicating delivery status.

| | | | 200 OK | |<-----------------------| | INFORM | |<-----------------------| | 200 OK | |----------------------->| | | ]]> When a client uses a relay, it first opens a TLS connection to its first relay and authenticates using an AUTH request which can contain Digest Authentication credentials. In a successful AUTH response, the relay provides a SIMS URI associated with the path to the client that the client can give to other clients for end-to-end message delivery. SIMS nodes can send individual portions of a complete message in multiple CHUNK requests. Each parcel uses the message/byteranges MIME type defined in RFC 2616 to correlate that part to the complete message. As each CHUNK request is received, the next hop acknowledges the request. As relays receive parcels they can reassemble or re-fragment them as long as each chunk is sent in order. Once a chunk or complete message arrives at the destination client, the destination sends an INFORM request indicating that a chunk arrived end-to-end. This request travels back along the reverse path of the CHUNK request. Unlike the CHUNK request which is acknowledged along every hop, only the sender of the INFORM request responds to an INFORM. Relays then forward the INFORM response back to the recipient of the original CHUNK.

| |<-- AUTH ------------| |<-- 401 Auth---------| |--- 401 Auth-------->| |--- AUTH ----------->| |<-- AUTH ------------| |<-- 200 OK-----------| |--- 200 OK---------->| | | | | .... time passes .... | | | | |--- CHUNK 0-3 ------>| | | |<-- 200 OK ----------| | (slow link) | |--- CHUNK 4-7 ------>|--- CHUNK 0-5 ----->| | |<-- 200 OK ----------|<-- 200 OK ---------|--- CHUNK 0-3 ------>| |--- CHUNK 8-10 ----->|--- CHUNK 6-10 ---->| ....>| |<-- 200 OK ----------|<-- 200 OK ---------| ..>| | | |<-- 200 OK ----------| | | |<-- INFORM 0-3 ------| | |<-- INFORM 0-3 -----|--- CHUNK 4-7 ------>| |<-- INFORM 0-3 ------| | ...>| |--- 200 OK --------->| | ..>| | |--- 200 OK -------->| | | | |--- 200 OK --------->| | | |<-- INFORM 4-7 ----->| | |<-- INFORM 4-7 -----|--- CHUNK 8-10 ----->| |<-- INFORM 4-7 ------| | ..>| |--- 200 OK --------->| |<-- 200 OK ----------| | |<-- INFORM done-----|<-- INFORM done -----| |<-- INFORM done -----|--- 200 OK -------->| | |--- 200 OK --------->| |--- 200 OK --------->| | |--- 200 OK -------->| | | | |--- 200 OK --------->| | | | | ]]> Relays only keep transaction state for a short period of time for each chunk. Delivery of each hope should take no more than 32 seconds after the last byte of data is sent. Clients applications define their own implementation-dependent timers for end-to-end message delivery. In some cases the end user node may not have its own client or that client or node may be unavailable. In this case, a message-taker can take receipt of the message or fragment and deliver an INFORM back to the sender indicating that the message or fragment was successfully stored. For client to client communication, the sender of a message typically opens a new TCP connection if one is needed. Relays reuse existing connections first, but can open new connections (typically to another relay) to deliver a CHUNK request. INFORM requests are only delivered over an existing connection.

SIMS defines the concept of a parcel, which is analogous to a "message" (a request or response) in HTTP, SIP, and RTSP. In SIMS, a message is a complete MIME document with a single Message-ID. Since messages can be arbitrarily large, a message can be sent in one or more piece, each piece carried in its own parcel. SIMS parcels can be either requests or responses. Parcels consist of a start line, headers and an optional body. Requests contain a method name and the Request-URI in the start line. Responses contain a response code and response phrase in the start line. The Request-URI in a SIMS request is typically a SIMS URI. A SIMS URI takes the form sims:userinfo@hostport;param=value. For example: sims:r13-9dELHJ@server.example.com:9000;transport=tls+tcp SIMS defines three types of requests, the CHUNK request, the INFORM request, and the AUTH request. The semantics of each of these methods is described in turn. The CHUNK method is used to send a chunk of a message. CHUNK requests contain a Message-ID used to associate all the chunks of a message. CHUNK requests are sent one hop at a time. Once a CHUNK request is received by a hop, that hop immediately generates a response parcel. This kind of request and response is called a per-hop transaction. CHUNK requests are per-hop for two reasons: 1) SIMS relays may pack or rechunk any message in a different set of chunks as long as they preserve ordering, and 2) since the amount of bandwidth available between each hop may be radically different, there is no way to set a sensible timer for the success or failure of a chunk delivered end-to-end.

<- 200 OK CHUNK -> <- 200 OK ]]> Chunks of messages are managed using the message/byterange MIME container defined in RFC 2616. Each CHUNK parcel MAY contain a complete MIME body, or it MAY contain a chunk, described using message/byterange. It is not necessary to know the length of a message or a chunk before sending, although setting one or both of these can help SIMS clients receiving a message, display progress information (for example, a progress thermometer). INFORM requests are sent to indicate delivery status of a chunk. INFORM requests contain a Message-ID header with the same value as the corresponding CHUNK requests. INFORM requests are typically sent by the final recipient to indicate the delivery status of a chunk. (Note that the INFORM may provide status for a different sized chunk than sent in any of the original CHUNK requests). Other INFORM requests can be sent to indicate a forwarding delay or error condition. Unlike CHUNK transactions, INFORM transactions are multi-hop. Only the sender of the original message responds to an INFORM request. Relays forward responses to an INFORM back to the sender of the INFORM.

200 OK --> ]]> Finally, AUTH requests are used by clients with ephemeral addresses to create a handle they can use to receive incoming requests. AUTH requests can also contain credentials used to authenticate a client, and authorization policy used to block Denial of Service attacks. AUTH requests do not contain a Message-ID header. AUTH requests are discussed in more detail in Section XXX TODO. SIMS responses contain a 3-digit response code. Responses in the range 200-299 indicate a successful transaction. Responses in the ranges 400-499 and 500-599 indicate client and server errors respectively. Unlike HTTP and SIP there are no redirection responses and no provisional responses.

SIMS parcels contain a number of header fields. Many header fields can contain an ordered list of multiple header field values separated by commas. [need a bit more elaboration here?] All parcels MUST contain a Via header field. Clients and relays set the Via header when sending requests and consume the Via on the return to route responses. The Route header is used to provide a list of relays to traverse before visiting the Request-URI. The Message-ID header is used in CHUNK and INFORM requests to refer to a specific message. The Delivery-Status header is used in INFORM requests to indicate the status of a chunk or an entire message. Some examples:

Delivery-Status: ok;range=0-131071 Delivery-Status: ok;range=* Delivery-Status: stored Delivery-Status: failure;error=disk-full More headers to include Authorization headers Content Management headers (Accept*, Content*) Other Optional headers (Expires, Date, temporal relevance, priority, retry-after) Require, Supported, Unsupported, Allow User-agent and Server headers. Note Expire header must look like Expire: 3600 meaning expires 3600 seconds in future. Absolute times are not supported.

Body handling and use of message/byterange

CHUNK Content-type: multipart/byteranges; boundary=------bound123456 -------bound123456 Content-type: text/plain Content-range: bytes 0-2/8 hi -------bound123456-- The "0" indicates that the data in this body starts is for byte location 0 in the complete message. The "2" is a hint of the byte position of the last byte in this chunk but MUST be ignored if the actual size is different. The "8" indicates the size of the total parcel. If it is unknown, a * would be used. An important feature of the way the bodies are defined is that a network element sending a message, can decide to change the size of what it is sending after it starts sending. For example, say that an element has 500 bytes of a message that start at location 1000 to 2000. It expects to send all 500 bytes but after sending the first 5 bytes that contain the the word hello, the element discovers there is a higher priority message that it needs to send over the same link. It closes off the first messages. The receiver will gets something that looks like:

CHUNK Content-type: multipart/byteranges; boundary=-----bound123456 -------bound123456 Content-type: text/plain Content-range: bytes 1000-1499/8000 12345 -------bound123456-- If a relay has selected a boundary marker of "bound1234" and encounters the string "bound1234" in the data it is sending. It can just close off the current parcel and start a new one so there is no need to escape any of the data inside of the multipart bodies. The multipart boundaries are constructed in a special way to allow for simple high speed parsing of them. In addition to the two dashes (-) that are normally before a bound, the bound itself MUST start with five additional dashes followed by a string that MUST have at least 16 bits off randomness in it. For example, a valid boundary would be "boundary=-----6ea7" where the 6ea7 was a randomly chosen four digit hexadecimal number. The advantage of this is there will always be several "-" in a row in the boundaries that the scanner is searching for. This guarantees that 4 of then will be aligned on a 32 bit boundary and the scanner can quickly look for them by just looking for a 32 bit value that is equal to the "----". Once this word is found, the scanner can carefully check and see if this is the boundary it is looking for or just some random data. All SIMS clients and relays must support multipart/related, multipart/mixed, message/byterange, and multipart/signed MIME types. It is not required to check the signatures if they don't support S/MIME but they still need to be able to receive the content in a multipart/signed messages. Any MIME type that is acceptable for content (such as text/plain) must also be supported inside a MIME container. The type text/plain MUST be supported and message/cpim SHOULD be supported. It is desirable to have text/html.

[Rohan TODO] - Note, if messages is large enough it takes over 1 minute to send, should break into 1 minute chunks. This means should always send multipart/byterange if messages is large than XXX (2000 butes???)

A SIMS client that receives a CHUNK request MUST respond with a final response immediately. A 200-class response indicates the successful delivery of the message fragment to the final hop, but does not mean that the message has been read by the user. The final response to the CHUNK MUST be sent to the previous hop, which could be a SIMS relay or the sender of the CHUNK. The 2xx response to the CHUNK MUST NOT contain a body. A 4xx or 5xx response indicates that the message was not delivered successfully. A 6xx response means it was delivered successfully, but refused. The client SHOULD reconstruct the original message sent by combining the message fragments that it receives in different CHUNK requests with the same messageID. It SHOULD not display or store the message until the entire message has been reconstructed. After the final response has been sent, the client MUST send back an INFORM to the sender of the CHUNK request,indicating the successful end-to-end delivery of the message fragment. For more details on constructing the INFORM request, see section . After the message has received fully, the client may display the message to the user. If the CHUNK expires before the client is able to present the message to the user, the client SHOULD handle the message based on local policy. Example policies include: deleting the message without displaying it, displaying to the user with an indication that the message is expired, or some other policy. If the message is displayed, the client SHOULD clearly indicate to the user that the message has expired. TODO Need to deal with negotiation of types text/plain message/cpim text/html

[who?] When a client or a note taker receives a message parcel, it MUST send an INFORM request that indicates the byte range that has been received. The route header for this INFOM message is formed by looking at the VIA headers of the CHUNK request that was received. If an error response is received when sending an INFOM, it is not retried. A relay can also send an INFORM to indicate that some error happened when sending sending a parcel. It is possible to get INFORM requests a long time after the original message was sent. If a client receives an INFORM for a message it knows nothing about, it can discard the INFORM.

Clients can be informed (typically thought provisioning) of a list of relays they need to use. They MUST be able to form a connection to each relay and send an AUTH command to get a URI that can be used in route headers. The client can authenticate the relay by looking at the relays TLS certificate. The relay MUST authenticate the client using digest. The relay will return a URI, or list of URIs, in the Route header of the response. These URI can be used by the client in the route set that is sent in the SDP to setup the session. The same URI can be used for multiple session to send to the client. Example with two relays on one side. Need to AUTH to first, then use the supplied route header to AUTH to second thought the first. NOTE - only auth not auth-int is needed because TLS provides integrity When a client wishes to use more than one relay, they must AUTH to each relay they wish to use. Consider a client A, that whishes messages to flow from A to the first relays, R1, then on to a second relays, R2. This client with do a normal AUTH with R1. It will then do an AUTH transaction with R2 that is routed through R1. The client will form this AUTH messages by setting the request URI to R2 and adding a route header with the URI learned from R1 then sending this message to R1. R1 will forward this like a INFORM request is forwarded to R2. When the client sends an AUTH request, it may set the Expires header a relative time. The relay will return a URI that is only valid for that periods of time.

[Rohan TODO]

A SIMS relay that receives a CHUNK request MUST respond with a final response immediately. A 200-class response indicates the successful delivery of the message fragment, but does not mean that the message has been forwarded on to its next hop. The final response to the CHUNK MUST be sent to the previous hop, which could be a SIMS relay or the sender of the CHUNK. The 2xx response to the CHUNK MUST NOT contain a body. A 4xx or 5xx response indicates that the message was not delivered successfully. A 6xx response means it was delivered successfully, but refused. The SIMS relay MAY further break up the message fragment received in the CHUNK request into smaller fragments and forward them to the next hop in separate CHUNK requests. It MAY also combine message fragments received before or after this CHUNK request, and forward them out in a single CHUNK request to the next hop identified in the Route header. The SIMS relay MUST NOT combine message fragments from CHUNK requests with different messageIDs. The SIMS relay MAY choose whether to further fragment the message, or combine message fragments, or send the message as is, based on some policy which is administered, or based on the network speed to the next hop, or any other mechanism. If the SIMS relay has knowledge of the byte range that it will transmit to the next hop, it SHOULD update the message/byterange parameter in the CHUNK request appropriately. Before forwarding the CHUNK request to the next hop, the SIMS relay MUST inspect the URI in the topmost Route header field value. If it indicates this relay, the relay removes it from the Route header field. It MUST then delete all the Via headers from the new request. Then it MUST insert a Via header into the request for itself. If the SIMS relay fails to forward the CHUNK on to the next hop, it SHOULD return an INFORM back to the sender of the CHUNK indicating the reason for failure. [how? example. see section]

When a relay receives an AUTH request, it must digest challenge the request. Once the challenge is complete, it MUST provide a URI that can be used in future route headers. When the route URI is received in future messages. It MUST verify that this URI was issues by this relay. It MUST ensure that the message is either being forwarded from an entity that did the AUTH request that resulted in this URI or it is being forwarded to the the entity that did the AUTH request that resulted in this URI. The relay does not necessarily needs to save state to meet these requirements. One way that a relay could implement this is the following. When an AUTH request arrives, the relay concatenates the current time, the identity of the sender of the AUTH request, the identity of the previous hop the request came from. It then takes the concatenates string and encrypts it with a key only the relay knows and uses this for form the user portion of the sims URI that it returns. Later when it receives a URI, it can decrypt this information and use it to decide if the request should be forwarded or not. If the relay is actually several servers that share a DNS name, the URI may also encrypt which server actually has the connection to the client. When a relay receive an AUTH request, it must authenticate the client that sent it with digest, it must also authenticate the previous hop that send the message to it. When previous hop was a relay this is done with the mutual TLS while when the previous hop was a client mutual TLS MAY be used it is available or the client authorization from the digest is used. The relay will generate a URI that it a token that allows messages to be forwarded to and from this client. If the previous hop was authenticated by mutual TLS, then the URI MUST be valid to route across any connection the relay has to the previous hop relay. If the previous hop was not authenticated by mutual TLS, then the URI MUST only be valid to route across the same connection that the AUTH was received on. If this connection is closed then reopened, the URI MUST NOT be valid. Valid to route means that when the relay receives a messages that contains this URI, if the message it going to element that was the previous hop in the AUTH, then the relay can forward it and if the messages is coming from previous hop in the AUTH, then the relay can forward it to any location, otherwise the RELAY must discard the message and MAY send a INFORM indicating the auth URI was bad. If the AUTH request contains an Expires header, then the relay MUST ensure that the URI is not valid to route after the expiry time. It is possible to implement all of the above requirements without the relay saving any state. When a relay starts up it could pick a crypto random 128 bit password (K) and 128 bit initialization vector (IV). If the relay was actually a NDS farm, all the machines in the farm would need to share the same K. When an ATUH request was received the relay form a string that contains: the expiry time of the URI, an indication if the previous hop was mutual TLS authenticated or not and it it was, the name of the previous hop, if it was not the identifier for the connection which received the AUTH request. The IV vector would be incremented (it needs to change because it forms the salt) and the string would be encrypted using AES-CBC with a key of K. The IV and encrypted data would be base 64 encoded and form the user portion of the request URI. Later when the relay received this URI, it could decrypt it and check the current time was before the expiry time and check that the messages was coming from or going to the connection or location specified in the URI. When implementing something like this, implementers should be careful not to use a scheme like EBE that would allows portion of encrypted tokens to be cut and paste into others.

A SIMS relay that receives an INFORM request, MUST inspect the URI in the topmost Route header field value. If it indicates this relay, the relay removes it from the Route header field. It MUST then insert a Via header into the request. Then, it MUST forward the INFORM request on to the next hop listed in the Route Header.

A SIMS relay that receives an INFORM response, MUST inspect the URI in the topmost Route header field value. If it indicates this relay, the relay removes it from the Route header field. It MUST then insert a Via header into the response. Then, it MUST forward the INFORM respone on to the next hop listed in the Route Header. A SIMS relay can distinguish between responses for an INFORM and a CHUNK request based on the transaction ID of the request (the branch tag in the Via)

[Rohan TODO] Relays should keep connection open as long as possible. If a connection has not been used in a significant time (many minutes) it could be closed. If the relay runs out of resource and must close connections, it should first stop accepting new connections from clients then start closing connections on a least recently used basis.

Requests with an unknown method are forwarded as if they were INFORM requests.

A Message Taker merely acts like a Client which returns different INFORM responses. TODO - how to I let the message taker know to send all the requests it saved for me to me. I assume I still send INFOMS to the original sender as well as the message take to let them know I got the message.

The following syntax specification uses the augmented Backus-Naur Form (BNF) as described in RFC-2234. Section 6.1 of RFC 2234 defines a set of core rules that are used by this specification, and not repeated here. Implementers need to be familiar with the notation and content of RFC 2234 in order to understand this specification. Certain basic rules are in uppercase, such as SP, LWS, HTAB, CRLF, DIGIT, ALPHA, etc. Angle brackets are used within definitions to clarify the use of rule names. The use of square brackets is redundant syntactically. It is used as a semantic hint that the specific parameter is optional to use. The following rules are used throughout this specification to describe basic parsing constructs. Also, several rules are incorporated from RFC 2396 [5] but are updated to make them compliant with RFC 2234 [10]. These include:

alphanum = ALPHA / DIGIT reserved = ";" / "/" / "?" / ":" / "@" / "&" / "=" / "+" / "$" / "," unreserved = alphanum / mark mark = "-" / "_" / "." / "!" / "~" / "*" / "'" / "(" / ")" escaped = "%" HEXDIG HEXDIG The most frequently-used production in SIMS is the token. Unless otherwise stated, tokens are case- insensitive. Non-token characters MUST be in a quoted string to be used within a parameter value.

token = 1*(alphanum / "-" / "." / "!" / "%" / "*" / "_" / "+" / "`" / "'" / "~" ) A string of text is parsed as a single word if it is quoted using double-quote marks. In quoted strings, quotation marks (") and backslashes (\) need to be escaped. The backslash character (\) MAY be used as a single-character quoting mechanism only within quoted-string and comment constructs. Unlike HTTP/1.1, the characters CR and LF cannot be escaped by this mechanism to avoid conflict with line folding and header separation.

quoted-string = SWS DQUOTE *(qdtext / quoted-pair ) DQUOTE qdtext = LWS / %x21 / %x23-5B / %x5D-7E / UTF8-NONASCII quoted-pair = "\" (%x00-09 / %x0B-0C / %x0E-7F) Unlike SIP/2.0 and HTTP/1.1 which allow line folding, line folding in SIMS is not allowed. In SIMS header field values, all unquoted linear white space has the same semantics as SP. A recipient MAY replace any unquoted linear white space with a single SP before interpreting the field value or forwarding the message downstream. The SWS construct is used when linear white space is optional, generally between tokens and separators. When tokens are used or separators are used between elements, whitespace is often allowed before or after the characters below.

LWS = 1*WSP SWS = [LWS] HCOLON = SWS ":" SWS EQUAL = SWS "=" SWS ; equal LPAREN = SWS "(" SWS ; left parenthesis RPAREN = SWS ")" SWS ; right parenthesis RAQUOT = ">" SWS ; right angle quote LAQUOT = SWS "<"; left angle quote COMMA = SWS "," SWS ; comma SEMI = SWS ";" SWS ; semicolon LDQUOT = SWS DQUOTE; open double quotation mark RDQUOT = DQUOTE SWS ; close double quotation mark The TEXT-UTF8 rule is only used for descriptive field contents and values that are not intended to be interpreted by the message parser. Words of *TEXT-UTF8 contain characters from the UTF-8 charset (RFC 2279 [7]). The TEXT-UTF8-TRIM rule is used for descriptive field contents that are n t quoted strings, where leading and trailing LWS is not meaningful. In this regard, SIMS differs from HTTP, which uses the ISO 8859-1 character set.

When sending a response, the response is always forwarded over an existing connection using the connection handle set in the receiver parameter in the topmost Via header field value and the sent-by transport in that Via header field value to determine the correct connection. When resolving a URI (for example from a Route header field, or from the Request-URI), examine the hostport portion of the URI and the transport URI parameter to decide how to proceed. If the hostport is an IPv4 address or an IPv6 reference, send the request to that address using the port and transport specified in the URI. If no transport is provided, use the default (tls+tcp). If no port number is provided, use the default for the selected protocol (port 8999 for tcp, and port 9000 for tls over tcp). If the hostport is a domain name and an explicit port number is provided, attempt to lookup a valid address record (A, AAAA, or A6) for the domain name. Connect using the specified protocol (or the default of tls+tcp if none is specified) and port number. If a domain name is provided, but no port number, perform a DNS SRV lookup for all transports supported by the client and select the entry with the highest weight. If no SRV records are found, try an address lookup using the default port number procedures described in the previous paragraph. Note that AUTH requests MUST only be sent over a TLS-protected channel. An SRV lookup in the example.com domain might return:

;; in example.com. Pri Wght Port Target _sims+tls._tcp IN SRV 0 1 9000 server1.example.com. _sims+tls._tcp IN SRV 0 2 9000 server2.example.com. _sims._tcp IN SRV 1 1 8999 server1.example.com. _sims._tcp IN SRV 1 2 8999 server2.example.com. If implementing a relay farm, it is RECOMMENDED that each member of the relay farm have an SRV entry. If any members of the farm have multiple IP addresses (for example an IPv4 and an IPv6 address), that each of these are registered in DNS as separate A, AAAA, or A6 records.

This section first describes the security mechanisms available for use in SIMS. Then the threat model is presented. Finally we list implementation requirements related to security. [Cullen TODO] Clients and Relays MUST implement TLS and Digest. AUTH requests and responses MUST be sent over a TLS-protected link.

AUTH requests and responses MAY be authenticated using HTTP authentication. HTTP authentication is done as described in [RFC 2617], with the following exceptions. Basic authentication MUST NOT be used. A qop value of auth-int MUST NOT be used as the AUTH requests are integrity protected by TLS and there is no body to protect. Note that unlike in some usages of HTTP Authentication (for example, SIP), the uri parameter in the Authorize header is the same as the Request-URI in the request line of the SIMS parcel of the AUTH request. Note the BNF in RFC-2617 has an error--the value of the uri parameter MUST be in quotes. The BNF in this document is correct, as are the examples in RFC 2617.

[Cullen TODO] Don't forget to require clientExtendedHellos! use the same ciphersuite as SIP. [CJ TODO] Question: Do servers have to do mutual TLS? TLS is used to authenticate relays to senders and to provide integrity and confidentiality for the headers being transported. SIMS client and relays MUST support TLS. Clients and relays MUST support the TLS ClientExtendedHello extended hello information for server name indication as described in RFC 3546. A crypto suite of TLS_RSA_WITH_AES_128_CBC_SHA1 MUST be supported. Relays must act as TLS servers and present a certificate with their identity in the SubjectAltName using the choice type of dnsName. Relay to relay connections MUST use TLS and client to relay comunications MUST use TLS when an AUTH request is being sent. TODO Much More Needed

Cullen TODO - need to describe end to end sign and encryption Cullen TODO - getting keying material out of SDP Cullen TODO - need to describe relay's vouching for identity

This section discuses the threat model and the broad mechanism that must come into place to secure the protocol. The next section describes the details of how the protocol mechanism meet the broad requirements. SIMS allows two peer to peer clients to exchange messages. Each peer can select a set of relays to perform certain policy operation for them. This combined set of relays is referred to as the route set. There often exists a channel outside of SIMS, such as SIP, that can securely negotiate setting up the SIMS session and communicate the route set to both clients. A client may trust a relay with certain types of routing and policy decisions but it might or might not trust the relay with all the contents of the session. For example, a relay being trusted to look for viruses would probably need to be allowed to see all the contents of the session. A relay that helped deal with firewall traversal of the ISPs firewall would likely not be trusted with the contents of the session but would be trusted to correctly forward information. Clients need to be able to authenticate that the relay they are communicating with is the one they trust. Likewise, relays need to be able to authenticate the client is the authorized client for them to forward information to. Clients need the option of ensuring information between the relay and the client is integrity protected and confidential to elements other than the relays and clients. To simplify the number of options, traffic between relays must always be integrity protected and encrypted regardless of if the client request it or not. There is no way for the clients to tell the relays what strength of crypto to use between relays other than the clients to choose to use relays that are operated by people requiring an adequate level of security. The system also need to stop the messages from being directed to relays that are not supposed to see them. To keep the relays from being used in DDOS attacks, the relays must not forward messages unless they have a trust relationship with either the client sending or receiving the message and that they only forward that message if it is coming from or going to the client they have the trust relationship with. If a relay has a trust relationship with the client that is the destination of the message, it should not send the message anywhere except the client that is the destination. Some terminology used in this discussion is SClient is the sending client the message and RClient is the receiving client the message. SRelay is a relay the sender trusts and RRelay is a relay the receiver trusts. The message will go from SClient to SRelay1 to SRelay2 to RRelay2 to RRelay1 to RClient.

Confidentiality and Privacy from elements not in the route set is provided by using TLS on all the transports. If a client decided to not use TLS that is it's choice but relays must use TLS. Clients must implement TLS. The relays authenticate to the clients using TLS (but don't have to do mutual TLS). The clients authenticate to the relays using HTTP Digest inside of TLS. Relays authenticate to each other using mutual TLS. The clients can protect the contents so that the relays can not see them by using S/MIME encryption. End to end signing is also possible with S/MIME. The complex part is making sure that relays do not send messages place where they should not. This is done by having the client authenticate to the relay and having the relay return a token. Messages that contain this token can be relayed if they come from the client that got the token or if they are being forwarded towards the client that got the token. The tokens must only ever be seen by things in the route set or other elements that at least one of the parties trusts. If some 3rd party discovers the token that RRelay2 uses to forward messages to RClient, then that 3rd party can send as many messages as they want to RRelay2 and it will forward them to RClient. The 3rd party can not cause them to be forwarded anywhere except to RClient eliminating the open relay problems. SRelay1 will not forward the message unless it contains a valid token. When SClient goes to get a token from SRelay2, this request is relayed through SRelay1. SRelay authenticates that it really is SClient requesting the token but it generates a token that is only valid for forwarding messages to or from SRelay1. SRelay two knows it is connected to SRelay1 because of the mutual TLS. The tokens are carried in the user portion of the SIMS URLs. Issues: How to tokens expire - rekeying. Will probably use Expire header on AUTH response. Token MAY be valid for between 10 minutes and 24 hours with 1 hour recommended. Both sides need to do a SIP re-invite to set up new tokens before the old one expires. Issues: Token good for single session or for all session Note: tokens are only required for relays, not clients or note takers. TODO talk about where client to client and A, RA, B

Puzzles Puzzles are something the sender of the messages needs to compute before the request is processed. Two types are defined here, machine puzzles based on computing sha-1 hashes and human puzzles. The hash puzzles are indicated with a header like.

Puzzle: sha-1;id=abc;ans=0x1204;mask=0xff0f;result=0x4567 This tells the receiver they need to compute a value that has a hash of 4567; As a hint the mask tells which bits of the provided ans are correct. The client that receives this needs to try all possible values to replace the 0 in 1204 to find one that hashes to 4567. If the ans was 3, then the request would be resent with a header like:

Puzzle: sha-1:id=abc;ans=0x1234;result0x4567 The id is just to allow the element issues the puzzle to correlate answers to the puzzles. The implications of this need to be carefully considered. The even bits of the mask MUST be set to stop this from being a use tool for performing distributed attacks on hash values. Probably need better way to reduce this risk like adding some defined text to the beginning of the bits to hash. Human puzzles provide a web page where the user needs to go and look at to figure out the answer. They looks like:

Puzzle: web:id=abc;http://www.example.com/puzzle1234567 and an answer like

Puzzle-Ans: web;id=abc;ans="42" Payments If the internet ever evolves a standard form of electronic cash, The sender or one the the sender relays, can attach a cash payment as a body to the messages. The receiver (or one of the receiving relays) can deposit the money. If the user reads the messages, decides it is not SPAM and wishes to refund the money they can. Since two transaction were done on the money even, the provider of the electronic cash is likely to take a percentage of both transactions. Payments can be request using some header.

[Rohan TODO] No registry of SIMS methods, headers, and option-tags yet. Do not want to encourage "too much" extensibility. Still need to register URI scheme, SRV names, and port numbers (2)

In order for two SIMS clients to communicate with each other, they need to negotiate the characteristics of the SIMS session. These include the addresses where messages can be sent, the path that the SIMS requests/responses should take, and the content type that is acceptable to both ends. This information MAY be exchanged and agreed upon between two SIMS clients using a session setup protocol like SIP, and the negotation of the session characteristics MAY be done using the offer-answer approach with SDP contained in the SIP messages. The Call-ID of the SIP session SHOULD be used as the Call-ID in the SIMS messages, so that the correlation between the media and the control signaling can be achieved.

There will be an m-line in the SDP for the SIMS session. The m-line has the form:

]]>

The media type for a SIMS session SHOULD be "message". The port is not used. The protocol should be sims/tcp or sims/tcp+tls. And the format list is not used. It should be set to "*". The m-line used to define a SIMS session has three attributes Accept-Types Message-URI Messagre-Path

CHUNK can carry any MIME encoded payload. Endpoints specify MIME content types that they are willing to receive in the accept types "a"-line attribute. This attribute has the following syntax:

accept-types = accept-types-label ":" format-list accept-types-label = "accept-types" format-list = format-entry *( SP format-entry) format-entry = (type "/" subtype) type = token subtype = token SDP offers for SIMS sessions MUST include an accept-types attribute. SDP answers MUST also include the attribute, which MUST contain either the same list as in the offer or a subset of that list. If no format-entry is specified in the accept-types attribute, it indicates that the sender may attempt to send messages with media types that have not been explicitly listed. If the receiver is able to process the media type, it does so. If not, it will respond with a 415. Note that all explicit entries SHOULD be considered preferred over any non-listed types. This feature is needed as, otherwise, the list of formats for rich IM devices may be prohibitively large. The accept-types attribute may include container types, that is, mime formats that contain other types internally. If compound types are used, the types listed in the accept-types attribute may be used both as the root payload, or may be wrapped in a listed container type. (Note that the container type MUST also be listed in the accept-types attribute.) Clients specify the relays they wish to use in an "a=hop" attribute line in the SDP. A SIP answer only contains the relays that that side wishes to use, it does not include the relays that the client that made the offer wishes to use. This attribute line has the following syntax:

hop-attribute = hop-label ":" sims-url hop-label = "hop" There can be several hop labels in the SDP and they are associated with the m line that proceed them. The top hop one corresponds to the relay closest to the client that is sending the SDP and the next hop corresponds to the next relay out and so on.

The Message-URI attribute is used to communicate the SIMS URI which should be used for sending all SIMS requests/responses to this endpoint. The Message-URI attribute has the following syntax:

Message-URI = "message-uri" ":" SIMS-URI SDP offers for SIMS sessions MUST include a "message-uri" attribute. SDP answers MUST also include this attribute.

The Message-Path attribute is used to specify the path that the SIMS requests/responses should take to reach this endpoint. Each endpoint specifies in its SDP, the SIMS relays that must be travelled (in order) to reach it. The Message-Path attribute has the following syntax:

Message-Path="message-path" ":" SIMS-PATH SIMS-PATH=*(SIMS-URI)

[Juhee TODO] Before a SIMS session can start, both sides need to communicate the relays they wish to use. One client puts the relays they wish to use in an SDP offer and sent it via SIP to the other client which adds the relays it which to use and sends the complete list of relays back in the answer. The SDP for an offer looks like:

c=IN IP4 invalid.none m=message 1234 sims/tcp+tls alice@alice.example.com a=accept: message/cpim text/plain text/html a=hop:sims:magic456@a.example.com:1234;transport=tcp+tls While the SDP for the answer would be:

c=IN IP4 invalid.none m=message 1234 sims/tcp+tls bob@bob.example.com a=accept: message/cpim text/plain a=hop:sims:magic789@b1.example.com:1234;transport=tcp+tls a=hop:sims:magic012@b2.example.com:1234;transport=tcp+tls explain above example Define how SDP works TODO define a=accept TODO define a=hop

TODO - Topics to compare: TCP fan out, HOL blocking, next hop congestion at a relay, congestion back pressure, robust sending of a message even as host temporarily disconnects and reconnects. scale, relay farms, multiple relays,

[Juhee TODO]

Many thanks to the following members of the SIMPLE WG for spirited discussions on session mode: Ben Campbell, Jonathan Rosenberg, Robert Sparks, Paul Kyzivat, Allison Mankin, Jon Peterson, Brian Rosen, Dean Willis, Adam Roach, Aki Niemi, Hisham Khartabil, Pekka Pessi, and Chris Boulton