ATIS - 1000078

National Security / Emergency Preparedness Priority Service Session Initiation Protocol Resource-Priority Header (SIP RPH) Signing and Verification using PASSporTs

Organization: ATIS
Publication Date: 1 September 2021
Status: inactive
Page Count: 19
Scope

IETF RFC 4412, Communications Resource Priority for the Session Initiation Protocol (SIP) [Ref 4], specifies use of the Session Initiation Protocol 'Resource-Priority' Header (SIP RPH) field for communicating Resource-Priority. As specified in IETF RFC 4412 [Ref 4], the SIP RPH field may be used by SIP user agents, including Public Switched Telephone Network (PSTN) gateways and terminals, and SIP proxy servers to influence prioritization afforded to communications sessions, including PSTN calls.

The SIP RPH "ets" and "wps" namespace parameters are defined and used to support National Security / Emergency Preparedness (NS/EP) Priority Service calls which include Wireless Priority Service (WPS), Government Emergency Telecommunication Service (GETS) and Next Generation Network Priority Services (NGN-PS) calls in IP-based networks. However, the SIP RPH field could be spoofed and abused by unauthorized entities impacting NS/EP Priority Service communications. For example, NS/EP Service Providers receiving SIP RPHs across IP Network-to-Network Interconnections (IPNNIs) have difficulty determining whether the SIP RPH was populated by an authorized NS/EP Service Provider, or whether it was spoofed or inserted by an unauthorized entity.

This ATIS standard describes a framework leveraging the Signature-based Handling of Asserted information using toKENs (SHAKEN) framework specified in ATIS-1000074, Signature-based Handling of Asserted information using toKENs (SHAKEN) [Ref 2], to cryptographically sign and verify the SIP RPH field of NS/EP Priority Service calls using the "rph" Personal Assertion Token (PASSporT) extension defined in IETF RFC 8443 [Ref 8] and the associated Secure Telephone Identity (STI) protocols. There are some cross relationships between Caller ID signing and verification using a "shaken" PASSporT and SIP RPH signing and verification using the "rph" PASSporT extension defined in IETF RFC 8443 [Ref 8]. However, Caller ID signing and verification using SHAKEN is not an NS/EP Priority Service requirement per se; it is only discussed in this standard to highlight cross relationships.

This ATIS standard is intended to provide a framework and guidance on how to use the "rph" PASSporT extension defined in IETF RFC 8443 [Ref 8] and the associated STI protocols to cryptographically sign and verify the SIP RPH field in support of a trust mechanism for NS/EP Priority Service calls crossing IPNNI boundaries.

The scope of this ATIS standard is limited to cryptographic signing and verification of the SIP RPH field of NS/EP Priority Service calls with the "ets" and "wps" namespace parameters, using the "rph" PASSporT extension defined in IETF RFC 8443 [Ref 8] and the associated STI protocols. The scope of this standard does not include cryptographic signing and verification of the attestation of the Caller ID of NS/EP Priority Service calls. The procedures to sign and verify attestations of the Caller ID in an NS/EP Priority Service call using "shaken" PASSporTs are specified in ATIS-1000074 [Ref 2].

Purpose

Illegitimate spoofing of the SIP RPH with "ets" and/or "wps" namespace parameters that are used to support NS/EP Priority Service calls is a concern for NS/EP Service Providers. NS/EP Service Providers have difficulty in determining whether a call with a SIP RPH received over IPNNIs with multiple service providers should be trusted and admitted with the SIP RPH. The purpose of this standard is to provide a framework to cryptographically sign and verify SIP RPH fields containing "ets" and/or "wps" namespace parameters that can be used as a trust mechanism to mitigate unauthorized spoofing or tampering of the SIP RPH field. The framework provided in this ATIS standard can be used in the originating network authorizing NS/EP Priority Service calls to sign a PASSporT claim for the RPH field of a SIP INVITE before it is sent across an IPNNI boundary, and for the receiving network to verify the PASSporT claim for the RPH field to decide whether the call should be admitted with the RPH field.

Document History

December 1, 2023
National Security / Emergency Preparedness Priority Service Session Initiation Protocol Resource-Priority Header (SIP RPH) Signing and Verification using PASSporTs
This standard defines how the extension to the IETF Personal Assertion Token (PASSporT) [IETF RFC 8443, PASSporT Extension for Resource-Priority Authorization] and the associated Secure Telephone...
1000078
September 1, 2021
National Security / Emergency Preparedness Priority Service Session Initiation Protocol Resource-Priority Header (SIP RPH) Signing and Verification using PASSporTs
IETF RFC 4412, Communications Resource Priority for the Session Initiation Protocol (SIP) [Ref 4], specifies use of the Session Initiation Protocol 'Resource-Priority' Header (SIP RPH) field for...
