Internet Draft                                                 S. Bhatia
Document: draft-bhatia-sipping-sip-php-00.txt                   A. Niemi
Expires: January 2002                                              Nokia
                                                               July 2001


                  PHP: Hypertext Preprocessor for SIP


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.


Abstract

   Due to the similarity of SIP and HTTP, many mechanisms that have
   been instrumental in the success of the World Wide Web have been
   replicated in SIP. PHP is a robust, cross-platform scripting
   language, which has been tailored to simplify and accelerate service
   development on the World Wide Web while empowering the developer
   with easy and yet reliable connectivity with all modern databases.
   This draft discusses the creation of SIP services using PHP.


Table of Contents

   Status of this Memo
   Abstract
   1. Introduction
   2. Conventions used in this document
   3. Motivations
   4. SIP PHP Specification
   4.1. Introduction
   4.2. PHP script execution
   4.4. SIP functions in PHP
   4.5. Dynamic documents in SIP with PHP
   5. Security Considerations
   5.1. Request Initiation
   5.2. Authenticated and Encrypted Messages
   6. Acknowledgements
   References
   Author's Addresses


1. Introduction

   One of the most important factors contributing to the phenomenal
   success of the World Wide Web and its extraordinary growth in the
   last decade has been the flexibility and robustness of technologies
   that have enabled developers to rapidly create and deploy services
   on web servers. With the passage of time, new tools and technologies
   tailored to specific tasks, levels of security, scalability of the
   application etc. have emerged and have supplanted previous ones in
   numerous domains in the industry. PHP [1] is one of the most
   influential of these newly established technologies and has pervaded
   nearly every sphere of the web in a staggeringly short period of
   time.

   Prior to the acceptance of the Session Initiation Protocol (SIP) [2]
   as a standard for control in telephony networks, services in
   telephony networks were developed for IN service environments. Due
   to the strong similarity of SIP with HTTP [3], several technologies
   that are used to develop services over HTTP have also been
   standardized for building services over SIP. PHP is one such
   technology, which with its variety of programming interfaces
   (connectivity to databases, COM, CORBA, RMI, SNMP, LDAP etc.),
   widespread acceptance and familiarity could profoundly influence the
   potential as well as the swiftness of service development for SIP.


2. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [4].


3. Motivations

   There are many benefits of using PHP to implement services for SIP.
   Some of the most prominent of these are listed below:

   1. Multi-platform: PHP component implementations are available for
      nearly every conceivable platform existing today including Linux,
      Solaris, BeOS, AIX, FreeBSD, Win32 etc.

   2. Industry standard: PHP is a de facto industry standard that has
      emerged out of a community of web developers. It has gained
      millions of followers and has penetrated millions of web servers
      that use it to deploy dynamic content.

   3. Platform and Network functions: PHP supports high level functions
      that provide PHP scripts access to numerous network and platform
      interfaces such as SNMP, FTP, LDAP, SMTP, DOM and IMAP.

   4. Database connectivity: PHP offers easy and yet reliable
      connectivity to most of today's common databases including
      Oracle, Sybase, MySQL, ODBC and others. PHP also offers
      integration with various external libraries that enable the
      developer to do anything from generating PDF documents to parsing
      XML.

   5. Greater control: Since services written using PHP are interpreted
      by an extension of the server they run with, they allow far
      greater control to be exercised than services that might be
      executed as platform-binaries.

   6. Extensibility and Reusability: PHP is in the process of
      continuous extension of functionality by the open-source
      community. Complete scripts, classes and libraries are freely
      available on the Internet, and can be used to create services
      fast and efficiently. Since PHP is a scripting language, pieces
      of scripts are highly reusable.


4. SIP PHP Specification

4.1. Introduction

   It should be noted that although in the web domain, PHP is used
   mainly to create dynamic XML content, its usage in SIP tends to
   resemble other scripting environments used to enable enhanced call
   routing and service creation. However, in the future many
   SIP-related services may be expected to revolve around things other
   than pure telephony services. For creating services not exclusively
   related to the call routing process, PHP has inherent support for a
   much more elaborate set of tools than other mechanisms, such as
   SIP-CGI [5] and CPL [6].

4.2. PHP script execution

   This draft is based on the work-in-progress PHP manual, which can be
   found at http://www.php.net/docs.php.

   A PHP extension module (that parses and executes PHP scripts) in a
   server is glued to it by means of a server abstraction layer (SAPI).
   The engine for parsing PHP (the Zend Engine) and the PHP core, where
   the actual functionality of the PHP execution environment resides,
   are built on top of this abstraction layer.

   This draft does not attempt to define a standard procedure for SIP
   servers to use PHP scripts. Instead, it introduces some basic
   concepts, which make PHP in SIP a viable mechanism.

4.3. Using PHP with SIP-CGI

   A typical SIP network structure is shown in figure 1. Usually a SIP
   network server may deploy services for its users. These services may
   include mechanisms such as CPL and SIP-CGI scripting. A SIP-CGI
   scripting environment can readily adopt PHP, since PHP can be
   executed as any CGI program.

   +----------+            +-----------+       +-------------+
   |          |    req     |           |  SIP  |             |
   |   User   | ---------> |    SIP    |  CGI  |     PHP     |
   |   Agent  | <--------- |   Proxy   | <---> |  Scripting  |
   |          |    resp    |  Server   |       | Environment |
   +----------+            |           |       |             |
                           +-----------+       +-------------+
                               |  ^
                               |  |  resp
                               |  |
                               |  |
                          req  |  |
                               v  |
                           +-----------+
                           |           |
                           |   User    |
                           |   Agent   |
                           |           |
                           +-----------+

                  Fig 1. Normal SIP PHP environment

4.4. SIP functions in PHP

   In general, SIP proxies are far more complex and functional than
   their HTTP counterparts. Also, most HTTP scripts apply themselves to
   a single connection, i.e. the one bound to the client that has
   issued the HTTP request. SIP scripts, as opposed to that, may need
   to involve connections to other clients as well in the course of
   processing a transaction or session.

   +-----------+
   |           |
   |   User    |
   |   Agent   |
   |           |
   +-----------+
       |  ^
       |  |  resp
       |  |
  req  |  |
       |  |            [UA] [UA] [UA] [UA]
       v  |             |    |    |   /
   +-----------+       +-------------+ -[UA]
   |           |  SIP  |             |
   |    SIP    |  CGI  |     PHP     | -[UA]
   | (Network) | <---> |  Scripting  |
   |  Server   |       | Environment | -[UA]
   |           |       |             |
   +-----------+       +-------------+ -[UA]
                        |    |    |   \
                       [UA] [UA] [UA] [UA]

             Fig 2. PHP scripts with server functionality

   Consider, for instance, a situation in which a user wishes to be
   notified, by means of an instant message, of any incoming call that
   is being forwarded by the proxy. A PHP script implementing this
   functionality will need to create a new call-leg over which any such
   notification would be dispatched. In such a situation, it may not be
   desirable for the script to initiate independent and arbitrary
   connections. It would be highly beneficial if the scripts were to
   delegate these actions to the actual SIP server, so as to utilize
   operations specific to the SIP protocol, authentication mechanisms
   etc. and keep administrative policies pertaining to the domain
   uniform.

   Thus, although generating dynamic documents and passing them to the
   HTTP server empowers HTTP-PHP scripts sufficiently, SIP-PHP scripts
   may need to perform other operations, such as creating new call-legs
   in the SIP server. SIP-PHP scripts must therefore be provided with
   an additional API to invoke these operations through the SIP server.
   This API will be described in more detail in future versions of this
   draft.

4.5. Dynamic documents in SIP with PHP

   In the web domain, PHP is used most commonly to generate dynamic XML
   content. PHP scripts are embedded in XML and executed on document
   retrieval. In SIP, documents of this sort are absent in normal call
   routing or session establishment. However, with SIP being used in
   applications such as presence [7] and Instant Messaging [8], PHP can
   provide a myriad of powerful tools for creating dynamic elements in
   SIP messages.

   For example, presence agent functionality might be fully contained
   in a simple PHP script run adjunct to a presence server. In this
   scenario, there is a clear analogy between the type of SIP services
   offered and modern day web services.

   An example of a PHP enhanced presence document is shown in figure 3.

      "; include("presence_agent.php"); ?>

              Fig 3. Simple presence document using PHP

   On the event of an incoming SUBSCRIBE, the above document would be
   relayed through corresponding NOTIFYs. The embedded PHP script would
   generate the presentity information using PHP's network and/or
   database functions.


5. Security Considerations

5.1. Request Initiation

   PHP is a powerful language, and PHP scripts are allowed to access
   files, execute commands and open network connections on a server.
   Similarly, PHP scripts can initiate arbitrary SIP transactions, and
   produce spoofed responses of any sort. These properties make any
   script run on a server insecure by default.

   This document does not specify restrictions to the actions PHP
   scripts can take, but instead suggests that server administrators
   MUST consider PHP scripts as security-sensitive, and monitor and
   review the security of PHP scripts before installing them.

   Also, it should be noted that uploading PHP scripts should be done
   in a secure fashion, i.e. the authenticity and integrity of the
   scripts should be guaranteed.
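
   An illustration of the upload requirement in 5.1, added here and not
   part of the draft: an install gate that accepts a script only when a
   detached signature over its exact bytes verifies against a pinned
   key. The signature scheme (Ed25519 through PHP's sodium extension),
   the function name install_script and all paths are assumptions.

```php
<?php
// Added example, not from the draft. Assumptions: uploads carry a detached
// Ed25519 signature, the server pins the uploader's public key, and PHP's
// sodium extension is loaded. All names and paths are hypothetical.

/** Install an uploaded script only if its detached signature verifies. */
function install_script(string $code, string $sig, string $pinnedPk,
                        string $dir, string $name): bool {
    // Reject names that could escape the script directory.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $name)) {
        return false;
    }
    // Authenticity and integrity: the signature must cover the exact bytes received.
    if (strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES
        || !sodium_crypto_sign_verify_detached($sig, $code, $pinnedPk)) {
        return false;
    }
    // Write to a temporary file, then rename, so a partial upload is never executable.
    $tmp = tempnam($dir, 'up_');
    if ($tmp === false || file_put_contents($tmp, $code) !== strlen($code)) {
        return false;
    }
    chmod($tmp, 0440);
    return rename($tmp, $dir . DIRECTORY_SEPARATOR . $name);
}

// Constructed demo: a throwaway key pair stands in for the uploader's key.
$kp  = sodium_crypto_sign_keypair();
$pk  = sodium_crypto_sign_publickey($kp);
$sk  = sodium_crypto_sign_secretkey($kp);
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sip-php-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0750);

$script = "<?php /* constructed call-forwarding script */\n";
$sig    = sodium_crypto_sign_detached($script, $sk);

// Case 1: untouched upload. Case 2: bytes changed in transit. Case 3: path escape.
var_dump(install_script($script, $sig, $pk, $dir, 'forward.php'));
var_dump(install_script($script . "// altered\n", $sig, $pk, $dir, 'forward.php'));
var_dump(install_script($script, $sig, $pk, $dir, '../escape.php'));
```

   Only the first call installs a file: the second fails signature
   verification and the third is rejected by the name check before any
   bytes are written.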

5.2. Authenticated and Encrypted Messages

   PHP scripts must be careful not to interfere with authentication.
   Adding or removing headers, or modifying the message payload, that
   have been included in an integrity checksum by the user agent will
   effectively break authentication at the user agent.

   When SIP requests are encrypted, the headers in cleartext are passed
   to the script as specified in SIP-CGI. The encrypted portion is
   passed to the script as a body. Any added headers may be discarded
   upon decryption, if those headers are also contained in the
   encrypted portion.

5.3. SIP Server API

   In HTTP-PHP, the interface between scripts and the HTTP server is a
   lightweight one, and does not require any security additional to
   that which the platform and web server itself imposes. In SIP,
   however, it may sometimes be necessary to deny ordinary scripts
   access to certain functions and programmatic interfaces that might
   be provided by the API. This security feature is also a future work
   item.


6. Acknowledgements

   The authors would like to acknowledge Tommi Komulainen, Jens Staack,
   Patrik Flykt, Sami Uskela, Markus Isomaki and Yrjo Raivio for
   interesting discussions on the subject.
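
   The failure mode described in 5.2, as an added example that is not
   part of the draft: a script-side guard that refuses to touch headers
   the user agent included in its integrity check. The integrity scheme
   is an assumption (HMAC-SHA256 over a constructed list of covered
   headers plus the body, standing in for whatever the user agent
   uses); the names COVERED, integrity_tag and script_add_header are
   hypothetical.

```php
<?php
// Added example, not from the draft. Assumption: the user agent's integrity
// check is modelled as HMAC-SHA256 over a fixed list of covered headers plus
// the body. COVERED, the key and the message are constructed for illustration.
const COVERED = ['from', 'to', 'call-id', 'cseq', 'contact'];

/** Tag over the covered headers, in message order, followed by the body. */
function integrity_tag(array $headers, string $body, string $key): string {
    $data = '';
    foreach ($headers as [$name, $value]) {
        if (in_array(strtolower($name), COVERED, true)) {
            $data .= strtolower($name) . ':' . $value . "\r\n";
        }
    }
    return hash_hmac('sha256', $data . "\r\n" . $body, $key);
}

/** Script-side guard: append a header unless it falls under the integrity check. */
function script_add_header(array $headers, string $name, string $value): array {
    if (in_array(strtolower($name), COVERED, true)) {
        throw new RuntimeException("refusing to touch covered header: $name");
    }
    $headers[] = [$name, $value];
    return $headers;
}

// Constructed request as the user agent sent it: ordered header pairs and a body.
$key     = 'constructed-demo-key';
$headers = [
    ['From',    '<sip:alice@example.com>'],
    ['To',      '<sip:bob@example.com>'],
    ['Call-ID', '1234@host.example.com'],
    ['CSeq',    '1 INVITE'],
    ['Contact', '<sip:alice@host.example.com>'],
];
$body = "v=0\r\n";
$tag  = integrity_tag($headers, $body, $key);

// Case 1: header outside the covered set, added through the guard.
$edited = script_add_header($headers, 'Subject', 'forwarded by proxy script');
var_dump(hash_equals($tag, integrity_tag($edited, $body, $key)));

// Case 2: covered header rewritten directly, bypassing the guard.
$edited    = $headers;
$edited[4] = ['Contact', '<sip:voicemail@example.com>'];
var_dump(hash_equals($tag, integrity_tag($edited, $body, $key)));
```

   The first check passes because Subject lies outside the covered set;
   the second fails because Contact is inside it, which is the break in
   authentication that 5.2 warns about.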


References

   1  http://www.php.net/

   2  Handley, M., Schulzrinne, H., Schooler, E., Rosenberg, J., "SIP:
      Session Initiation Protocol", RFC 2543, March 1999

   3  Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L.,
      Leach, P., Berners-Lee, T., "Hypertext Transfer Protocol --
      HTTP/1.1", RFC 2616, June 1999

   4  Bradner, S., "Key words for use in RFCs to Indicate Requirement
      Levels", BCP 14, RFC 2119, March 1997

   5  Lennox, J., Schulzrinne, H., Rosenberg, J., "Common Gateway
      Interface for SIP", RFC 3050, January 2001

   6  Lennox, J., Schulzrinne, H., "CPL: A Language for User Control of
      Internet Telephony Services", Internet Draft, November, 2000,
      Work in progress

   7  Rosenberg, J., et al., "SIP Extensions for Presence", Internet
      Draft, March 2001, Work in progress

   8  Rosenberg, J., Willis, D., Sparks, R., Campbell, B., Schulzrinne,
      H., Lennox, J., Huitema, C., Aboba, B., Gurle, D., Oran, D., "SIP
      Extensions for Instant Messaging", Internet Draft, April 2001,
      Work in progress


Author's Addresses

   Sapan Bhatia
   Nokia
   P.O. Box 301               Phone: +358-50-3891646
   FIN-00045 NOKIA GROUP      Email: sapan.bhatia@nokia.com
   Finland

   Aki Niemi
   Nokia
   P.O. Box 301               Phone: +358-50-3891644
   FIN-00045 NOKIA GROUP      Email: aki.niemi@nokia.com
   Finland