| draft-ietf-dime-rfc3588bis-02.txt | | draft-ietf-dime-rfc3588bis-03.txt | |
| | | | |
| DIME V. Fajardo, Ed. | | DIME V. Fajardo, Ed. | |
| Internet-Draft Toshiba America Research | | Internet-Draft Toshiba America Research | |
| Intended status: Standards Track J. Loughney | | Intended status: Standards Track J. Arkko | |
| Expires: September 4, 2007 Nokia Research Center | | Expires: October 1, 2007 Ericsson Research | |
| March 3, 2007 | | J. Loughney | |
| | | Nokia Research Center | |
| | | March 30, 2007 | |
| | | | |
| Diameter Base Protocol | | Diameter Base Protocol | |
| draft-ietf-dime-rfc3588bis-02.txt | | draft-ietf-dime-rfc3588bis-03.txt | |
| | | | |
| Status of this Memo | | Status of this Memo | |
| | | | |
| By submitting this Internet-Draft, each author represents that any | | By submitting this Internet-Draft, each author represents that any | |
| applicable patent or other IPR claims of which he or she is aware | | applicable patent or other IPR claims of which he or she is aware | |
| have been or will be disclosed, and any of which he or she becomes | | have been or will be disclosed, and any of which he or she becomes | |
| aware will be disclosed, in accordance with Section 6 of BCP 79. | | aware will be disclosed, in accordance with Section 6 of BCP 79. | |
| | | | |
| Internet-Drafts are working documents of the Internet Engineering | | Internet-Drafts are working documents of the Internet Engineering | |
| Task Force (IETF), its areas, and its working groups. Note that | | Task Force (IETF), its areas, and its working groups. Note that | |
| | | | |
| skipping to change at page 1, line 35 | | skipping to change at page 1, line 37 | |
| and may be updated, replaced, or obsoleted by other documents at any | | and may be updated, replaced, or obsoleted by other documents at any | |
| time. It is inappropriate to use Internet-Drafts as reference | | time. It is inappropriate to use Internet-Drafts as reference | |
| material or to cite them other than as "work in progress." | | material or to cite them other than as "work in progress." | |
| | | | |
| The list of current Internet-Drafts can be accessed at | | The list of current Internet-Drafts can be accessed at | |
| http://www.ietf.org/ietf/1id-abstracts.txt. | | http://www.ietf.org/ietf/1id-abstracts.txt. | |
| | | | |
| The list of Internet-Draft Shadow Directories can be accessed at | | The list of Internet-Draft Shadow Directories can be accessed at | |
| http://www.ietf.org/shadow.html. | | http://www.ietf.org/shadow.html. | |
| | | | |
| This Internet-Draft will expire on September 4, 2007. | | This Internet-Draft will expire on October 1, 2007. | |
| | | | |
| Copyright Notice | | Copyright Notice | |
| | | | |
| Copyright (C) The IETF Trust (2007). | | Copyright (C) The IETF Trust (2007). | |
| | | | |
| Abstract | | Abstract | |
| | | | |
| The Diameter base protocol is intended to provide an Authentication, | | The Diameter base protocol is intended to provide an Authentication, | |
| Authorization and Accounting (AAA) framework for applications such as | | Authorization and Accounting (AAA) framework for applications such as | |
| network access or IP mobility. Diameter is also intended to work in | | network access or IP mobility. Diameter is also intended to work in | |
| | | | |
| skipping to change at page 2, line 28 | | skipping to change at page 2, line 28 | |
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 7 | | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 7 | |
| 1.1. Diameter Protocol . . . . . . . . . . . . . . . . . . . . 10 | | 1.1. Diameter Protocol . . . . . . . . . . . . . . . . . . . . 10 | |
| 1.1.1. Description of the Document Set . . . . . . . . . . 11 | | 1.1.1. Description of the Document Set . . . . . . . . . . 11 | |
| 1.1.2. Conventions Used in This Document . . . . . . . . . 12 | | 1.1.2. Conventions Used in This Document . . . . . . . . . 12 | |
| 1.2. Approach to Extensibility . . . . . . . . . . . . . . . . 12 | | 1.2. Approach to Extensibility . . . . . . . . . . . . . . . . 12 | |
| 1.2.1. Defining New AVP Values . . . . . . . . . . . . . . 13 | | 1.2.1. Defining New AVP Values . . . . . . . . . . . . . . 13 | |
| 1.2.2. Creating New AVPs . . . . . . . . . . . . . . . . . 13 | | 1.2.2. Creating New AVPs . . . . . . . . . . . . . . . . . 13 | |
| 1.2.3. Creating New Authentication Applications . . . . . . 13 | | 1.2.3. Creating New Authentication Applications . . . . . . 13 | |
| 1.2.4. Creating New Accounting Applications . . . . . . . . 14 | | 1.2.4. Creating New Accounting Applications . . . . . . . . 14 | |
| 1.2.5. Application Authentication Procedures . . . . . . . 15 | | 1.2.5. Application Authentication Procedures . . . . . . . 15 | |
| 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 16 | | 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 15 | |
| 2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 23 | | 2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 22 | |
| 2.1. Transport . . . . . . . . . . . . . . . . . . . . . . . . 24 | | 2.1. Transport . . . . . . . . . . . . . . . . . . . . . . . . 23 | |
| 2.1.1. SCTP Guidelines . . . . . . . . . . . . . . . . . . 25 | | 2.1.1. SCTP Guidelines . . . . . . . . . . . . . . . . . . 24 | |
| 2.2. Securing Diameter Messages . . . . . . . . . . . . . . . 25 | | 2.2. Securing Diameter Messages . . . . . . . . . . . . . . . 24 | |
| 2.3. Diameter Application Compliance . . . . . . . . . . . . . 25 | | 2.3. Diameter Application Compliance . . . . . . . . . . . . . 24 | |
| 2.4. Application Identifiers . . . . . . . . . . . . . . . . . 26 | | 2.4. Application Identifiers . . . . . . . . . . . . . . . . . 24 | |
| 2.5. Connections vs. Sessions . . . . . . . . . . . . . . . . 26 | | 2.5. Connections vs. Sessions . . . . . . . . . . . . . . . . 25 | |
| 2.6. Peer Table . . . . . . . . . . . . . . . . . . . . . . . 27 | | 2.6. Peer Table . . . . . . . . . . . . . . . . . . . . . . . 26 | |
| 2.7. Routing Table . . . . . . . . . . . . . . . . . . . . . . 28 | | 2.7. Routing Table . . . . . . . . . . . . . . . . . . . . . . 27 | |
| 2.8. Role of Diameter Agents . . . . . . . . . . . . . . . . . 30 | | 2.8. Role of Diameter Agents . . . . . . . . . . . . . . . . . 28 | |
| 2.8.1. Relay Agents . . . . . . . . . . . . . . . . . . . . 31 | | 2.8.1. Relay Agents . . . . . . . . . . . . . . . . . . . . 30 | |
| 2.8.2. Proxy Agents . . . . . . . . . . . . . . . . . . . . 32 | | 2.8.2. Proxy Agents . . . . . . . . . . . . . . . . . . . . 31 | |
| 2.8.3. Redirect Agents . . . . . . . . . . . . . . . . . . 32 | | 2.8.3. Redirect Agents . . . . . . . . . . . . . . . . . . 31 | |
| 2.8.4. Translation Agents . . . . . . . . . . . . . . . . . 33 | | 2.8.4. Translation Agents . . . . . . . . . . . . . . . . . 32 | |
| 2.9. End-to-End Security Framework . . . . . . . . . . . . . . 34 | | 2.9. Diameter Path Authorization . . . . . . . . . . . . . . . 33 | |
| 2.10. Diameter Path Authorization . . . . . . . . . . . . . . . 35 | | 3. Diameter Header . . . . . . . . . . . . . . . . . . . . . . . 35 | |
| 3. Diameter Header . . . . . . . . . . . . . . . . . . . . . . . 37 | | 3.1. Command Codes . . . . . . . . . . . . . . . . . . . . . . 38 | |
| 3.1. Command Codes . . . . . . . . . . . . . . . . . . . . . . 40 | | 3.2. Command Code ABNF specification . . . . . . . . . . . . . 38 | |
| 3.2. Command Code ABNF specification . . . . . . . . . . . . . 41 | | 3.3. Diameter Command Naming Conventions . . . . . . . . . . . 40 | |
| 3.3. Diameter Command Naming Conventions . . . . . . . . . . . 43 | | 4. Diameter AVPs . . . . . . . . . . . . . . . . . . . . . . . . 42 | |
| 4. Diameter AVPs . . . . . . . . . . . . . . . . . . . . . . . . 44 | | 4.1. AVP Header . . . . . . . . . . . . . . . . . . . . . . . 42 | |
| 4.1. AVP Header . . . . . . . . . . . . . . . . . . . . . . . 44 | | 4.1.1. Optional Header Elements . . . . . . . . . . . . . . 44 | |
| 4.1.1. Optional Header Elements . . . . . . . . . . . . . . 46 | | 4.2. Basic AVP Data Formats . . . . . . . . . . . . . . . . . 44 | |
| 4.2. Basic AVP Data Formats . . . . . . . . . . . . . . . . . 46 | | 4.3. Derived AVP Data Formats . . . . . . . . . . . . . . . . 46 | |
| 4.3. Derived AVP Data Formats . . . . . . . . . . . . . . . . 48 | | 4.4. Grouped AVP Values . . . . . . . . . . . . . . . . . . . 53 | |
| 4.4. Grouped AVP Values . . . . . . . . . . . . . . . . . . . 56 | | 4.4.1. Example AVP with a Grouped Data type . . . . . . . . 54 | |
| 4.4.1. Example AVP with a Grouped Data type . . . . . . . . 57 | | 4.5. Diameter Base Protocol AVPs . . . . . . . . . . . . . . . 56 | |
| 4.5. Diameter Base Protocol AVPs . . . . . . . . . . . . . . . 60 | | 5. Diameter Peers . . . . . . . . . . . . . . . . . . . . . . . 60 | |
| 5. Diameter Peers . . . . . . . . . . . . . . . . . . . . . . . 63 | | 5.1. Peer Connections . . . . . . . . . . . . . . . . . . . . 60 | |
| 5.1. Peer Connections . . . . . . . . . . . . . . . . . . . . 63 | | 5.2. Diameter Peer Discovery . . . . . . . . . . . . . . . . . 60 | |
| 5.2. Diameter Peer Discovery . . . . . . . . . . . . . . . . . 63 | | 5.3. Capabilities Exchange . . . . . . . . . . . . . . . . . . 63 | |
| 5.3. Capabilities Exchange . . . . . . . . . . . . . . . . . . 66 | | 5.3.1. Capabilities-Exchange-Request . . . . . . . . . . . 64 | |
| 5.3.1. Capabilities-Exchange-Request . . . . . . . . . . . 67 | | 5.3.2. Capabilities-Exchange-Answer . . . . . . . . . . . . 65 | |
| 5.3.2. Capabilities-Exchange-Answer . . . . . . . . . . . . 68 | | 5.3.3. Vendor-Id AVP . . . . . . . . . . . . . . . . . . . 65 | |
| 5.3.3. Vendor-Id AVP . . . . . . . . . . . . . . . . . . . 69 | | 5.3.4. Firmware-Revision AVP . . . . . . . . . . . . . . . 66 | |
| 5.3.4. Firmware-Revision AVP . . . . . . . . . . . . . . . 69 | | 5.3.5. Host-IP-Address AVP . . . . . . . . . . . . . . . . 66 | |
| 5.3.5. Host-IP-Address AVP . . . . . . . . . . . . . . . . 69 | | 5.3.6. Supported-Vendor-Id AVP . . . . . . . . . . . . . . 66 | |
| 5.3.6. Supported-Vendor-Id AVP . . . . . . . . . . . . . . 69 | | 5.3.7. Product-Name AVP . . . . . . . . . . . . . . . . . . 66 | |
| 5.3.7. Product-Name AVP . . . . . . . . . . . . . . . . . . 70 | | 5.4. Disconnecting Peer connections . . . . . . . . . . . . . 66 | |
| 5.4. Disconnecting Peer connections . . . . . . . . . . . . . 70 | | 5.4.1. Disconnect-Peer-Request . . . . . . . . . . . . . . 67 | |
| 5.4.1. Disconnect-Peer-Request . . . . . . . . . . . . . . 70 | | 5.4.2. Disconnect-Peer-Answer . . . . . . . . . . . . . . . 67 | |
| 5.4.2. Disconnect-Peer-Answer . . . . . . . . . . . . . . . 71 | | 5.4.3. Disconnect-Cause AVP . . . . . . . . . . . . . . . . 68 | |
| 5.4.3. Disconnect-Cause AVP . . . . . . . . . . . . . . . . 71 | | 5.5. Transport Failure Detection . . . . . . . . . . . . . . . 68 | |
| 5.5. Transport Failure Detection . . . . . . . . . . . . . . . 72 | | 5.5.1. Device-Watchdog-Request . . . . . . . . . . . . . . 68 | |
| 5.5.1. Device-Watchdog-Request . . . . . . . . . . . . . . 72 | | 5.5.2. Device-Watchdog-Answer . . . . . . . . . . . . . . . 69 | |
| 5.5.2. Device-Watchdog-Answer . . . . . . . . . . . . . . . 72 | | 5.5.3. Transport Failure Algorithm . . . . . . . . . . . . 69 | |
| 5.5.3. Transport Failure Algorithm . . . . . . . . . . . . 73 | | 5.5.4. Failover and Failback Procedures . . . . . . . . . . 69 | |
| 5.5.4. Failover and Failback Procedures . . . . . . . . . . 73 | | 5.6. Peer State Machine . . . . . . . . . . . . . . . . . . . 70 | |
| 5.6. Peer State Machine . . . . . . . . . . . . . . . . . . . 73 | | 5.6.1. Incoming connections . . . . . . . . . . . . . . . . 72 | |
| 5.6.1. Incoming connections . . . . . . . . . . . . . . . . 76 | | 5.6.2. Events . . . . . . . . . . . . . . . . . . . . . . . 73 | |
| 5.6.2. Events . . . . . . . . . . . . . . . . . . . . . . . 76 | | 5.6.3. Actions . . . . . . . . . . . . . . . . . . . . . . 74 | |
| 5.6.3. Actions . . . . . . . . . . . . . . . . . . . . . . 77 | | 5.6.4. The Election Process . . . . . . . . . . . . . . . . 76 | |
| 5.6.4. The Election Process . . . . . . . . . . . . . . . . 79 | | 5.6.5. Capabilities Update . . . . . . . . . . . . . . . . 76 | |
| 5.6.5. Capabilities Update . . . . . . . . . . . . . . . . 79 | | 6. Diameter message processing . . . . . . . . . . . . . . . . . 77 | |
| 6. Diameter message processing . . . . . . . . . . . . . . . . . 80 | | 6.1. Diameter Request Routing Overview . . . . . . . . . . . . 77 | |
| 6.1. Diameter Request Routing Overview . . . . . . . . . . . . 80 | | 6.1.1. Originating a Request . . . . . . . . . . . . . . . 78 | |
| 6.1.1. Originating a Request . . . . . . . . . . . . . . . 81 | | 6.1.2. Sending a Request . . . . . . . . . . . . . . . . . 79 | |
| 6.1.2. Sending a Request . . . . . . . . . . . . . . . . . 82 | | 6.1.3. Receiving Requests . . . . . . . . . . . . . . . . . 79 | |
| 6.1.3. Receiving Requests . . . . . . . . . . . . . . . . . 82 | | 6.1.4. Processing Local Requests . . . . . . . . . . . . . 79 | |
| 6.1.4. Processing Local Requests . . . . . . . . . . . . . 82 | | 6.1.5. Request Forwarding . . . . . . . . . . . . . . . . . 79 | |
| 6.1.5. Request Forwarding . . . . . . . . . . . . . . . . . 82 | | 6.1.6. Request Routing . . . . . . . . . . . . . . . . . . 80 | |
| 6.1.6. Request Routing . . . . . . . . . . . . . . . . . . 83 | | 6.1.7. Predictive Loop Avoidance . . . . . . . . . . . . . 80 | |
| 6.1.7. Predictive Loop Avoidance . . . . . . . . . . . . . 83 | | 6.1.8. Redirecting requests . . . . . . . . . . . . . . . . 80 | |
| 6.1.8. Redirecting requests . . . . . . . . . . . . . . . . 83 | | 6.1.9. Relaying and Proxying Requests . . . . . . . . . . . 81 | |
| 6.1.9. Relaying and Proxying Requests . . . . . . . . . . . 84 | | 6.2. Diameter Answer Processing . . . . . . . . . . . . . . . 82 | |
| 6.2. Diameter Answer Processing . . . . . . . . . . . . . . . 85 | | 6.2.1. Processing received Answers . . . . . . . . . . . . 83 | |
| 6.2.1. Processing received Answers . . . . . . . . . . . . 86 | | 6.2.2. Relaying and Proxying Answers . . . . . . . . . . . 83 | |
| 6.2.2. Relaying and Proxying Answers . . . . . . . . . . . 86 | | 6.3. Origin-Host AVP . . . . . . . . . . . . . . . . . . . . . 83 | |
| 6.3. Origin-Host AVP . . . . . . . . . . . . . . . . . . . . . 86 | | 6.4. Origin-Realm AVP . . . . . . . . . . . . . . . . . . . . 84 | |
| 6.4. Origin-Realm AVP . . . . . . . . . . . . . . . . . . . . 87 | | 6.5. Destination-Host AVP . . . . . . . . . . . . . . . . . . 84 | |
| 6.5. Destination-Host AVP . . . . . . . . . . . . . . . . . . 87 | | 6.6. Destination-Realm AVP . . . . . . . . . . . . . . . . . . 84 | |
| 6.6. Destination-Realm AVP . . . . . . . . . . . . . . . . . . 87 | | 6.7. Routing AVPs . . . . . . . . . . . . . . . . . . . . . . 85 | |
| 6.7. Routing AVPs . . . . . . . . . . . . . . . . . . . . . . 88 | | 6.7.1. Route-Record AVP . . . . . . . . . . . . . . . . . . 85 | |
| 6.7.1. Route-Record AVP . . . . . . . . . . . . . . . . . . 88 | | 6.7.2. Proxy-Info AVP . . . . . . . . . . . . . . . . . . . 85 | |
| 6.7.2. Proxy-Info AVP . . . . . . . . . . . . . . . . . . . 88 | | 6.7.3. Proxy-Host AVP . . . . . . . . . . . . . . . . . . . 85 | |
| 6.7.3. Proxy-Host AVP . . . . . . . . . . . . . . . . . . . 88 | | 6.7.4. Proxy-State AVP . . . . . . . . . . . . . . . . . . 85 | |
| 6.7.4. Proxy-State AVP . . . . . . . . . . . . . . . . . . 88 | | 6.8. Auth-Application-Id AVP . . . . . . . . . . . . . . . . . 85 | |
| 6.8. Auth-Application-Id AVP . . . . . . . . . . . . . . . . . 88 | | 6.9. Acct-Application-Id AVP . . . . . . . . . . . . . . . . . 85 | |
| 6.9. Acct-Application-Id AVP . . . . . . . . . . . . . . . . . 89 | | 6.10. Inband-Security-Id AVP . . . . . . . . . . . . . . . . . 86 | |
| 6.10. Inband-Security-Id AVP . . . . . . . . . . . . . . . . . 89 | | 6.11. Vendor-Specific-Application-Id AVP . . . . . . . . . . . 86 | |
| 6.11. Vendor-Specific-Application-Id AVP . . . . . . . . . . . 89 | | 6.12. Redirect-Host AVP . . . . . . . . . . . . . . . . . . . . 87 | |
| 6.12. Redirect-Host AVP . . . . . . . . . . . . . . . . . . . . 90 | | 6.13. Redirect-Host-Usage AVP . . . . . . . . . . . . . . . . . 87 | |
| 6.13. Redirect-Host-Usage AVP . . . . . . . . . . . . . . . . . 90 | | 6.14. Redirect-Max-Cache-Time AVP . . . . . . . . . . . . . . . 88 | |
| 6.14. Redirect-Max-Cache-Time AVP . . . . . . . . . . . . . . . 91 | | 6.15. E2E-Sequence AVP . . . . . . . . . . . . . . . . . . . . 88 | |
| 6.15. E2E-Sequence AVP . . . . . . . . . . . . . . . . . . . . 91 | | 7. Error Handling . . . . . . . . . . . . . . . . . . . . . . . 89 | |
| 7. Error Handling . . . . . . . . . . . . . . . . . . . . . . . 93 | | 7.1. Result-Code AVP . . . . . . . . . . . . . . . . . . . . . 90 | |
| 7.1. Result-Code AVP . . . . . . . . . . . . . . . . . . . . . 95 | | 7.1.1. Informational . . . . . . . . . . . . . . . . . . . 91 | |
| 7.1.1. Informational . . . . . . . . . . . . . . . . . . . 95 | | 7.1.2. Success . . . . . . . . . . . . . . . . . . . . . . 91 | |
| 7.1.2. Success . . . . . . . . . . . . . . . . . . . . . . 96 | | 7.1.3. Protocol Errors . . . . . . . . . . . . . . . . . . 92 | |
| 7.1.3. Protocol Errors . . . . . . . . . . . . . . . . . . 96 | | 7.1.4. Transient Failures . . . . . . . . . . . . . . . . . 93 | |
| 7.1.4. Transient Failures . . . . . . . . . . . . . . . . . 97 | | 7.1.5. Permanent Failures . . . . . . . . . . . . . . . . . 94 | |
| 7.1.5. Permanent Failures . . . . . . . . . . . . . . . . . 98 | | 7.2. Error Bit . . . . . . . . . . . . . . . . . . . . . . . . 97 | |
| 7.2. Error Bit . . . . . . . . . . . . . . . . . . . . . . . . 101 | | 7.3. Error-Message AVP . . . . . . . . . . . . . . . . . . . . 97 | |
| 7.3. Error-Message AVP . . . . . . . . . . . . . . . . . . . . 101 | | 7.4. Error-Reporting-Host AVP . . . . . . . . . . . . . . . . 97 | |
| 7.4. Error-Reporting-Host AVP . . . . . . . . . . . . . . . . 102 | | 7.5. Failed-AVP AVP . . . . . . . . . . . . . . . . . . . . . 97 | |
| 7.5. Failed-AVP AVP . . . . . . . . . . . . . . . . . . . . . 102 | | 7.6. Experimental-Result AVP . . . . . . . . . . . . . . . . . 98 | |
| 7.6. Experimental-Result AVP . . . . . . . . . . . . . . . . . 103 | | 7.7. Experimental-Result-Code AVP . . . . . . . . . . . . . . 99 | |
| 7.7. Experimental-Result-Code AVP . . . . . . . . . . . . . . 103 | | 8. Diameter User Sessions . . . . . . . . . . . . . . . . . . . 100 | |
| 8. Diameter User Sessions . . . . . . . . . . . . . . . . . . . 104 | | 8.1. Authorization Session State Machine . . . . . . . . . . . 101 | |
| 8.1. Authorization Session State Machine . . . . . . . . . . . 105 | | 8.2. Accounting Session State Machine . . . . . . . . . . . . 105 | |
| 8.2. Accounting Session State Machine . . . . . . . . . . . . 109 | | 8.3. Server-Initiated Re-Auth . . . . . . . . . . . . . . . . 111 | |
| 8.3. Server-Initiated Re-Auth . . . . . . . . . . . . . . . . 115 | | 8.3.1. Re-Auth-Request . . . . . . . . . . . . . . . . . . 111 | |
| 8.3.1. Re-Auth-Request . . . . . . . . . . . . . . . . . . 115 | | 8.3.2. Re-Auth-Answer . . . . . . . . . . . . . . . . . . . 112 | |
| 8.3.2. Re-Auth-Answer . . . . . . . . . . . . . . . . . . . 116 | | 8.4. Session Termination . . . . . . . . . . . . . . . . . . . 112 | |
| 8.4. Session Termination . . . . . . . . . . . . . . . . . . . 117 | | 8.4.1. Session-Termination-Request . . . . . . . . . . . . 113 | |
| 8.4.1. Session-Termination-Request . . . . . . . . . . . . 118 | | 8.4.2. Session-Termination-Answer . . . . . . . . . . . . . 114 | |
| 8.4.2. Session-Termination-Answer . . . . . . . . . . . . . 118 | | 8.5. Aborting a Session . . . . . . . . . . . . . . . . . . . 115 | |
| 8.5. Aborting a Session . . . . . . . . . . . . . . . . . . . 119 | | 8.5.1. Abort-Session-Request . . . . . . . . . . . . . . . 116 | |
| 8.5.1. Abort-Session-Request . . . . . . . . . . . . . . . 120 | | 8.5.2. Abort-Session-Answer . . . . . . . . . . . . . . . . 116 | |
| 8.5.2. Abort-Session-Answer . . . . . . . . . . . . . . . . 120 | | 8.6. Inferring Session Termination from Origin-State-Id . . . 117 | |
| 8.6. Inferring Session Termination from Origin-State-Id . . . 121 | | 8.7. Auth-Request-Type AVP . . . . . . . . . . . . . . . . . . 118 | |
| 8.7. Auth-Request-Type AVP . . . . . . . . . . . . . . . . . . 122 | | 8.8. Session-Id AVP . . . . . . . . . . . . . . . . . . . . . 118 | |
| 8.8. Session-Id AVP . . . . . . . . . . . . . . . . . . . . . 122 | | 8.9. Authorization-Lifetime AVP . . . . . . . . . . . . . . . 119 | |
| 8.9. Authorization-Lifetime AVP . . . . . . . . . . . . . . . 123 | | 8.10. Auth-Grace-Period AVP . . . . . . . . . . . . . . . . . . 120 | |
| 8.10. Auth-Grace-Period AVP . . . . . . . . . . . . . . . . . . 124 | | 8.11. Auth-Session-State AVP . . . . . . . . . . . . . . . . . 120 | |
| 8.11. Auth-Session-State AVP . . . . . . . . . . . . . . . . . 124 | | 8.12. Re-Auth-Request-Type AVP . . . . . . . . . . . . . . . . 121 | |
| 8.12. Re-Auth-Request-Type AVP . . . . . . . . . . . . . . . . 125 | | 8.13. Session-Timeout AVP . . . . . . . . . . . . . . . . . . . 121 | |
| 8.13. Session-Timeout AVP . . . . . . . . . . . . . . . . . . . 125 | | 8.14. User-Name AVP . . . . . . . . . . . . . . . . . . . . . . 122 | |
| 8.14. User-Name AVP . . . . . . . . . . . . . . . . . . . . . . 126 | | 8.15. Termination-Cause AVP . . . . . . . . . . . . . . . . . . 122 | |
| 8.15. Termination-Cause AVP . . . . . . . . . . . . . . . . . . 126 | | 8.16. Origin-State-Id AVP . . . . . . . . . . . . . . . . . . . 123 | |
| 8.16. Origin-State-Id AVP . . . . . . . . . . . . . . . . . . . 127 | | 8.17. Session-Binding AVP . . . . . . . . . . . . . . . . . . . 123 | |
| 8.17. Session-Binding AVP . . . . . . . . . . . . . . . . . . . 128 | | 8.18. Session-Server-Failover AVP . . . . . . . . . . . . . . . 124 | |
| 8.18. Session-Server-Failover AVP . . . . . . . . . . . . . . . 128 | | 8.19. Multi-Round-Time-Out AVP . . . . . . . . . . . . . . . . 125 | |
| 8.19. Multi-Round-Time-Out AVP . . . . . . . . . . . . . . . . 129 | | 8.20. Class AVP . . . . . . . . . . . . . . . . . . . . . . . . 125 | |
| 8.20. Class AVP . . . . . . . . . . . . . . . . . . . . . . . . 129 | | 8.21. Event-Timestamp AVP . . . . . . . . . . . . . . . . . . . 125 | |
| 8.21. Event-Timestamp AVP . . . . . . . . . . . . . . . . . . . 130 | | 9. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 127 | |
| 9. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 131 | | 9.1. Server Directed Model . . . . . . . . . . . . . . . . . . 127 | |
| 9.1. Server Directed Model . . . . . . . . . . . . . . . . . . 131 | | 9.2. Protocol Messages . . . . . . . . . . . . . . . . . . . . 128 | |
| 9.2. Protocol Messages . . . . . . . . . . . . . . . . . . . . 132 | | 9.3. Accounting Application Extension and Requirements . . . . 128 | |
| 9.3. Accounting Application Extension and Requirements . . . . 132 | | 9.4. Fault Resilience . . . . . . . . . . . . . . . . . . . . 129 | |
| 9.4. Fault Resilience . . . . . . . . . . . . . . . . . . . . 133 | | 9.5. Accounting Records . . . . . . . . . . . . . . . . . . . 130 | |
| 9.5. Accounting Records . . . . . . . . . . . . . . . . . . . 134 | | 9.6. Correlation of Accounting Records . . . . . . . . . . . . 130 | |
| 9.6. Correlation of Accounting Records . . . . . . . . . . . . 135 | | 9.7. Accounting Command-Codes . . . . . . . . . . . . . . . . 131 | |
| 9.7. Accounting Command-Codes . . . . . . . . . . . . . . . . 135 | | 9.7.1. Accounting-Request . . . . . . . . . . . . . . . . . 131 | |
| 9.7.1. Accounting-Request . . . . . . . . . . . . . . . . . 135 | | 9.7.2. Accounting-Answer . . . . . . . . . . . . . . . . . 132 | |
| 9.7.2. Accounting-Answer . . . . . . . . . . . . . . . . . 136 | | 9.8. Accounting AVPs . . . . . . . . . . . . . . . . . . . . . 133 | |
| 9.8. Accounting AVPs . . . . . . . . . . . . . . . . . . . . . 137 | | 9.8.1. Accounting-Record-Type AVP . . . . . . . . . . . . . 133 | |
| 9.8.1. Accounting-Record-Type AVP . . . . . . . . . . . . . 137 | | 9.8.2. Acct-Interim-Interval . . . . . . . . . . . . . . . 134 | |
| 9.8.2. Acct-Interim-Interval . . . . . . . . . . . . . . . 138 | | 9.8.3. Accounting-Record-Number AVP . . . . . . . . . . . . 135 | |
| 9.8.3. Accounting-Record-Number AVP . . . . . . . . . . . . 139 | | 9.8.4. Acct-Session-Id AVP . . . . . . . . . . . . . . . . 135 | |
| 9.8.4. Acct-Session-Id AVP . . . . . . . . . . . . . . . . 139 | | 9.8.5. Acct-Multi-Session-Id AVP . . . . . . . . . . . . . 135 | |
| 9.8.5. Acct-Multi-Session-Id AVP . . . . . . . . . . . . . 139 | | 9.8.6. Accounting-Sub-Session-Id AVP . . . . . . . . . . . 135 | |
| 9.8.6. Accounting-Sub-Session-Id AVP . . . . . . . . . . . 140 | | 9.8.7. Accounting-Realtime-Required AVP . . . . . . . . . . 136 | |
| 9.8.7. Accounting-Realtime-Required AVP . . . . . . . . . . 140 | | 10. AVP Occurrence Table . . . . . . . . . . . . . . . . . . . . 137 | |
| 10. AVP Occurrence Table . . . . . . . . . . . . . . . . . . . . 141 | | 10.1. Base Protocol Command AVP Table . . . . . . . . . . . . . 137 | |
| 10.1. Base Protocol Command AVP Table . . . . . . . . . . . . . 141 | | 10.2. Accounting AVP Table . . . . . . . . . . . . . . . . . . 138 | |
| 10.2. Accounting AVP Table . . . . . . . . . . . . . . . . . . 142 | | 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 140 | |
| 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 144 | | 11.1. AVP Header . . . . . . . . . . . . . . . . . . . . . . . 140 | |
| 11.1. AVP Header . . . . . . . . . . . . . . . . . . . . . . . 144 | | 11.1.1. AVP Codes . . . . . . . . . . . . . . . . . . . . . 140 | |
| 11.1.1. AVP Codes . . . . . . . . . . . . . . . . . . . . . 144 | | 11.1.2. AVP Flags . . . . . . . . . . . . . . . . . . . . . 141 | |
| 11.1.2. AVP Flags . . . . . . . . . . . . . . . . . . . . . 145 | | 11.2. Diameter Header . . . . . . . . . . . . . . . . . . . . . 141 | |
| 11.2. Diameter Header . . . . . . . . . . . . . . . . . . . . . 145 | | 11.2.1. Command Codes . . . . . . . . . . . . . . . . . . . 141 | |
| 11.2.1. Command Codes . . . . . . . . . . . . . . . . . . . 145 | | 11.2.2. Command Flags . . . . . . . . . . . . . . . . . . . 142 | |
| 11.2.2. Command Flags . . . . . . . . . . . . . . . . . . . 146 | | 11.3. Application Identifiers . . . . . . . . . . . . . . . . . 142 | |
| 11.3. Application Identifiers . . . . . . . . . . . . . . . . . 146 | | 11.4. AVP Values . . . . . . . . . . . . . . . . . . . . . . . 142 | |
| 11.4. AVP Values . . . . . . . . . . . . . . . . . . . . . . . 146 | | 11.4.1. Result-Code AVP Values . . . . . . . . . . . . . . . 142 | |
| 11.4.1. Result-Code AVP Values . . . . . . . . . . . . . . . 147 | | 11.4.2. Accounting-Record-Type AVP Values . . . . . . . . . 143 | |
| 11.4.2. Accounting-Record-Type AVP Values . . . . . . . . . 147 | | 11.4.3. Termination-Cause AVP Values . . . . . . . . . . . . 143 | |
| 11.4.3. Termination-Cause AVP Values . . . . . . . . . . . . 147 | | 11.4.4. Redirect-Host-Usage AVP Values . . . . . . . . . . . 143 | |
| 11.4.4. Redirect-Host-Usage AVP Values . . . . . . . . . . . 147 | | 11.4.5. Session-Server-Failover AVP Values . . . . . . . . . 143 | |
| 11.4.5. Session-Server-Failover AVP Values . . . . . . . . . 147 | | 11.4.6. Session-Binding AVP Values . . . . . . . . . . . . . 143 | |
| 11.4.6. Session-Binding AVP Values . . . . . . . . . . . . . 147 | | 11.4.7. Disconnect-Cause AVP Values . . . . . . . . . . . . 143 | |
| 11.4.7. Disconnect-Cause AVP Values . . . . . . . . . . . . 147 | | 11.4.8. Auth-Request-Type AVP Values . . . . . . . . . . . . 143 | |
| 11.4.8. Auth-Request-Type AVP Values . . . . . . . . . . . . 147 | | 11.4.9. Auth-Session-State AVP Values . . . . . . . . . . . 144 | |
| 11.4.9. Auth-Session-State AVP Values . . . . . . . . . . . 148 | | 11.4.10. Re-Auth-Request-Type AVP Values . . . . . . . . . . 144 | |
| 11.4.10. Re-Auth-Request-Type AVP Values . . . . . . . . . . 148 | | 11.4.11. Accounting-Realtime-Required AVP Values . . . . . . 144 | |
| 11.4.11. Accounting-Realtime-Required AVP Values . . . . . . 148 | | 11.4.12. Inband-Security-Id AVP (code 299) . . . . . . . . . 144 | |
| 11.4.12. Inband-Security-Id AVP (code 299) . . . . . . . . . 148 | | 11.5. Diameter TCP/SCTP Port Numbers . . . . . . . . . . . . . 144 | |
| 11.5. Diameter TCP/SCTP Port Numbers . . . . . . . . . . . . . 148 | | 11.6. NAPTR Service Fields . . . . . . . . . . . . . . . . . . 144 | |
| 11.6. NAPTR Service Fields . . . . . . . . . . . . . . . . . . 148 | | 12. Diameter protocol related configurable parameters . . . . . . 146 | |
| 12. Diameter protocol related configurable parameters . . . . . . 150 | | 13. Security Considerations . . . . . . . . . . . . . . . . . . . 147 | |
| 13. Security Considerations . . . . . . . . . . . . . . . . . . . 151 | | 13.1. TLS Usage . . . . . . . . . . . . . . . . . . . . . . . . 147 | |
| 13.1. IPsec Usage . . . . . . . . . . . . . . . . . . . . . . . 151 | | 13.2. Peer-to-Peer Considerations . . . . . . . . . . . . . . . 148 | |
| 13.2. TLS Usage . . . . . . . . . . . . . . . . . . . . . . . . 152 | | 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 149 | |
| 13.3. Peer-to-Peer Considerations . . . . . . . . . . . . . . . 153 | | 14.1. Normative References . . . . . . . . . . . . . . . . . . 149 | |
| 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 155 | | 14.2. Informational References . . . . . . . . . . . . . . . . 151 | |
| 14.1. Normative References . . . . . . . . . . . . . . . . . . 155 | | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 153 | |
| 14.2. Informational References . . . . . . . . . . . . . . . . 157 | | Appendix B. NAPTR Example . . . . . . . . . . . . . . . . . . . 154 | |
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 160 | | Appendix C. Duplicate Detection . . . . . . . . . . . . . . . . 155 | |
| Appendix B. Diameter Service Template . . . . . . . . . . . . . 161 | | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 157 | |
| Appendix C. NAPTR Example . . . . . . . . . . . . . . . . . . . 163 | | Intellectual Property and Copyright Statements . . . . . . . . . 158 | |
| Appendix D. Duplicate Detection . . . . . . . . . . . . . . . . 164 | | | |
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 166 | | | |
| Intellectual Property and Copyright Statements . . . . . . . . . 167 | | | |
| | | | |
| 1. Introduction | | 1. Introduction | |
| | | | |
| Authentication, Authorization and Accounting (AAA) protocols such as | | Authentication, Authorization and Accounting (AAA) protocols such as | |
| TACACS [RFC1492] and RADIUS [RFC2865] were initially deployed to | | TACACS [RFC1492] and RADIUS [RFC2865] were initially deployed to | |
| provide dial-up PPP [RFC1661] and terminal server access. Over time, | | provide dial-up PPP [RFC1661] and terminal server access. Over time, | |
| with the growth of the Internet and the introduction of new access | | with the growth of the Internet and the introduction of new access | |
| technologies, including wireless, DSL, Mobile IP and Ethernet, | | technologies, including wireless, DSL, Mobile IP and Ethernet, | |
| routers and network access servers (NAS) have increased in complexity | | routers and network access servers (NAS) have increased in complexity | |
| and density, putting new demands on AAA protocols. | | and density, putting new demands on AAA protocols. | |
| | | | |
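Review bot: the -03 table of contents removes 2.9 End-to-End Security Framework, 13.1 IPsec Usage and Appendix B Diameter Service Template, while 2.2 Securing Diameter Messages, 6.10 Inband-Security-Id AVP and 6.15 E2E-Sequence AVP remain listed; the body text of those remaining sections should be checked for cross-references to the removed sections and for wording that still assumes an end-to-end security framework or mandatory IPsec, since only the TOC change is visible in this hunk and a dangling reference would leave implementers unsure which transport security is required.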
| skipping to change at page 7, line 48 | | skipping to change at page 7, line 48 | |
| | | | |
| While [RFC3162] defines the use of IPsec with RADIUS, support for | | While [RFC3162] defines the use of IPsec with RADIUS, support for | |
| IPsec is not required. Since within [RFC2409] authentication | | IPsec is not required. Since within [RFC2409] authentication | |
| occurs only within Phase 1 prior to the establishment of IPsec SAs | | occurs only within Phase 1 prior to the establishment of IPsec SAs | |
| in Phase 2, it is typically not possible to define separate trust | | in Phase 2, it is typically not possible to define separate trust | |
| or authorization schemes for each application. This limits the | | or authorization schemes for each application. This limits the | |
| usefulness of IPsec in inter-domain AAA applications (such as | | usefulness of IPsec in inter-domain AAA applications (such as | |
| roaming) where it may be desirable to define a distinct | | roaming) where it may be desirable to define a distinct | |
| certificate hierarchy for use in a AAA deployment. In order to | | certificate hierarchy for use in a AAA deployment. In order to | |
| provide universal support for transmission-level security, and | | provide universal support for transmission-level security, and | |
| enable both intra- and inter-domain AAA deployments, IPsec support | | enable both intra- and inter-domain AAA deployments, Diameter also | |
| is mandatory in Diameter, and TLS support is optional. Security | | provides support for TLS. Security is discussed in Section 13. | |
| is discussed in Section 13. | | | |
| | | | |
| Reliable transport | | Reliable transport | |
| | | | |
| RADIUS runs over UDP, and does not define retransmission behavior; | | RADIUS runs over UDP, and does not define retransmission behavior; | |
| as a result, reliability varies between implementations. As | | as a result, reliability varies between implementations. As | |
| described in [RFC2975], this is a major issue in accounting, where | | described in [RFC2975], this is a major issue in accounting, where | |
| packet loss may translate directly into revenue loss. In order to | | packet loss may translate directly into revenue loss. In order to | |
| provide well defined transport behavior, Diameter runs over | | provide well defined transport behavior, Diameter runs over | |
| reliable transport mechanisms (TCP, SCTP) as defined in [RFC3539]. | | reliable transport mechanisms (TCP, SCTP) as defined in [RFC3539]. | |
| | | | |
| | | | |
| skipping to change at page 8, line 37 | | skipping to change at page 8, line 37 | |
| reauthorization on demand across a heterogeneous deployment. | | reauthorization on demand across a heterogeneous deployment. | |
| Support for server-initiated messages is mandatory in Diameter, | | Support for server-initiated messages is mandatory in Diameter, | |
| and is described in Section 8. | | and is described in Section 8. | |
| | | | |
| Auditability | | Auditability | |
| | | | |
| RADIUS does not define data-object security mechanisms, and as a | | RADIUS does not define data-object security mechanisms, and as a | |
| result, untrusted proxies may modify attributes or even packet | | result, untrusted proxies may modify attributes or even packet | |
| headers without being detected. Combined with lack of support for | | headers without being detected. Combined with lack of support for | |
| capabilities negotiation, this makes it very difficult to | | capabilities negotiation, this makes it very difficult to | |
| determine what occurred in the event of a dispute. While | | determine what occurred in the event of a dispute. | |
| implementation of data object security is not mandatory within | | | |
| Diameter, these capabilities are supported, and are described in | | | |
| [AAACMS]. | | | |
| | | | |
| Transition support | | Transition support | |
| | | | |
| While Diameter does not share a common protocol data unit (PDU) | | While Diameter does not share a common protocol data unit (PDU) | |
| with RADIUS, considerable effort has been expended in enabling | | with RADIUS, considerable effort has been expended in enabling | |
| backward compatibility with RADIUS, so that the two protocols may | | backward compatibility with RADIUS, so that the two protocols may | |
| be deployed in the same network. Initially, it is expected that | | be deployed in the same network. Initially, it is expected that | |
| Diameter will be deployed within new network devices, as well as | | Diameter will be deployed within new network devices, as well as | |
| within gateways enabling communication between legacy RADIUS | | within gateways enabling communication between legacy RADIUS | |
| devices and Diameter agents. This capability, described in | | devices and Diameter agents. This capability, described in | |
| | | | |
| skipping to change at page 10, line 9 | | skipping to change at page 10, line 6 | |
| [RFC2607]. In order to improve scalability, [RFC2607] introduced | | [RFC2607]. In order to improve scalability, [RFC2607] introduced | |
| the concept of proxy chaining via an intermediate server, | | the concept of proxy chaining via an intermediate server, | |
| facilitating roaming between providers. However, since RADIUS | | facilitating roaming between providers. However, since RADIUS | |
| does not provide explicit support for proxies, and lacks | | does not provide explicit support for proxies, and lacks | |
| auditability and transmission-level security features, RADIUS- | | auditability and transmission-level security features, RADIUS- | |
| based roaming is vulnerable to attack from external parties as | | based roaming is vulnerable to attack from external parties as | |
| well as susceptible to fraud perpetrated by the roaming partners | | well as susceptible to fraud perpetrated by the roaming partners | |
| themselves. As a result, it is not suitable for wide-scale | | themselves. As a result, it is not suitable for wide-scale | |
| deployment on the Internet [RFC2607]. By providing explicit | | deployment on the Internet [RFC2607]. By providing explicit | |
| support for inter-domain roaming and message routing (Sections 2.7 | | support for inter-domain roaming and message routing (Sections 2.7 | |
| and 6), auditability [AAACMS], and transmission-layer security | | and 6), and transmission-layer security (Section 13) features, | |
| (Section 13) features, Diameter addresses these limitations and | | Diameter addresses these limitations and provides for secure and | |
| provides for secure and scalable roaming. | | scalable roaming. | |
| | | | |
| In the decade since AAA protocols were first introduced, the | | In the decade since AAA protocols were first introduced, the | |
| capabilities of Network Access Server (NAS) devices have increased | | capabilities of Network Access Server (NAS) devices have increased | |
| substantially. As a result, while Diameter is a considerably more | | substantially. As a result, while Diameter is a considerably more | |
| sophisticated protocol than RADIUS, it remains feasible to implement | | sophisticated protocol than RADIUS, it remains feasible to implement | |
| within embedded devices, given improvements in processor speeds and | | within embedded devices, given improvements in processor speeds and | |
| the widespread availability of embedded IPsec and TLS | | the widespread availability of embedded TLS implementations. | |
| implementations. | | | |
| | | | |
| 1.1. Diameter Protocol | | 1.1. Diameter Protocol | |
| | | | |
| The Diameter base protocol provides the following facilities: | | The Diameter base protocol provides the following facilities: | |
| | | | |
| o Delivery of AVPs (attribute value pairs) | | o Delivery of AVPs (attribute value pairs) | |
| | | | |
| o Capabilities negotiation | | o Capabilities negotiation | |
| | | | |
| o Error notification | | o Error notification | |
| | | | |
| skipping to change at page 17, line 27 | | skipping to change at page 17, line 26 | |
| Diameter Node | | Diameter Node | |
| | | | |
| A Diameter node is a host process that implements the Diameter | | A Diameter node is a host process that implements the Diameter | |
| protocol, and acts either as a Client, Agent or Server. | | protocol, and acts either as a Client, Agent or Server. | |
| | | | |
| Diameter Peer | | Diameter Peer | |
| | | | |
| A Diameter Peer is a Diameter Node to which a given Diameter Node | | A Diameter Peer is a Diameter Node to which a given Diameter Node | |
| has a direct transport connection. | | has a direct transport connection. | |
| | | | |
| Diameter Security Exchange | | | |
| | | | |
| A Diameter Security Exchange is a process through which two | | | |
| Diameter nodes establish end-to-end security. | | | |
| | | | |
| Diameter Server | | Diameter Server | |
| | | | |
| A Diameter Server is one that handles authentication, | | A Diameter Server is one that handles authentication, | |
| authorization and accounting requests for a particular realm. By | | authorization and accounting requests for a particular realm. By | |
| its very nature, a Diameter Server MUST support Diameter | | its very nature, a Diameter Server MUST support Diameter | |
| applications in addition to the base protocol. | | applications in addition to the base protocol. | |
| | | | |
| Downstream | | Downstream | |
| | | | |
| Downstream is used to identify the direction of a particular | | Downstream is used to identify the direction of a particular | |
| Diameter message from the home server towards the access device. | | Diameter message from the home server towards the access device. | |
| | | | |
| End-to-End Security | | | |
| | | | |
| TLS and IPsec provide hop-by-hop security, or security across a | | | |
| transport connection. When relays or proxies are involved, this | | | |
| hop-by-hop security does not protect the entire Diameter user | | | |
| session. End-to-end security is security between two Diameter | | | |
| nodes, possibly communicating through Diameter Agents. This | | | |
| security protects the entire Diameter communications path from the | | | |
| originating Diameter node to the terminating Diameter node. | | | |
| | | | |
| Home Realm | | Home Realm | |
| | | | |
| A Home Realm is the administrative domain with which the user | | A Home Realm is the administrative domain with which the user | |
| maintains an account relationship. | | maintains an account relationship. | |
| | | | |
| Home Server | | Home Server | |
| | | | |
| See Diameter Server. | | See Diameter Server. | |
| | | | |
| Interim accounting | | Interim accounting | |
| | | | |
| skipping to change at page 20, line 27 | | skipping to change at page 20, line 11 | |
| acting as relay or proxy agents for other types. As with proxy | | acting as relay or proxy agents for other types. As with proxy | |
| agents, redirect agents do not keep state with respect to sessions | | agents, redirect agents do not keep state with respect to sessions | |
| or NAS resources. | | or NAS resources. | |
| | | | |
| Roaming Relationships | | Roaming Relationships | |
| | | | |
| Roaming relationships include relationships between companies and | | Roaming relationships include relationships between companies and | |
| ISPs, relationships among peer ISPs within a roaming consortium, | | ISPs, relationships among peer ISPs within a roaming consortium, | |
| and relationships between an ISP and a roaming consortium. | | and relationships between an ISP and a roaming consortium. | |
| | | | |
| Security Association | | | |
| | | | |
| A security association is an association between two endpoints in | | | |
| a Diameter session which allows the endpoints to communicate with | | | |
| integrity and confidentiality, even in the presence of relays | | | |
| and/or proxies. | | | |
| | | | |
| Session | | Session | |
| | | | |
| A session is a related progression of events devoted to a | | A session is a related progression of events devoted to a | |
| particular activity. Each application SHOULD provide guidelines | | particular activity. Each application SHOULD provide guidelines | |
| as to when a session begins and ends. All Diameter packets with | | as to when a session begins and ends. All Diameter packets with | |
| the same Session-Identifier are considered to be part of the same | | the same Session-Identifier are considered to be part of the same | |
| session. | | session. | |
| | | | |
| Session state | | Session state | |
| | | | |
| | | | |
| skipping to change at page 25, line 28 | | skipping to change at page 24, line 28 | |
| 1. For interoperability: All Diameter nodes MUST be prepared to | | 1. For interoperability: All Diameter nodes MUST be prepared to | |
| receive Diameter messages on any SCTP stream in the association. | | receive Diameter messages on any SCTP stream in the association. | |
| | | | |
| 2. To prevent blocking: All Diameter nodes SHOULD utilize all SCTP | | 2. To prevent blocking: All Diameter nodes SHOULD utilize all SCTP | |
| streams available to the association to prevent head-of-the-line | | streams available to the association to prevent head-of-the-line | |
| blocking. | | blocking. | |
| | | | |
| 2.2. Securing Diameter Messages | | 2.2. Securing Diameter Messages | |
| | | | |
| Diameter clients, such as Network Access Servers (NASes) and Mobility | | Diameter clients, such as Network Access Servers (NASes) and Mobility | |
| Agents MUST support IP Security [RFC2401], and MAY support TLS | | Agents MAY support TLS [RFC2246]. Diameter servers MUST support TLS. | |
| [RFC2246]. Diameter servers MUST support TLS and IPsec. The | | IPsec [RFC2401] can be deployed between Diameter peers as an | |
| Diameter protocol MUST NOT be used without any security mechanism | | additional security measure independent of the Diameter protocol. | |
| (TLS or IPsec). | | The Diameter protocol SHOULD NOT be used without any security | |
| | | mechanism. | |
| It is suggested that IPsec can be used primarily at the edges and in | | | |
| intra-domain traffic, such as using pre-shared keys between a NAS and a | | | |
| local AAA proxy. This also eases the requirements on the NAS to | | | |
| support certificates. It is also suggested that inter-domain traffic | | | |
| would primarily use TLS. See Sections 13.1 and 13.2 for more details | | | |
| on IPsec and TLS usage. | | | |
| | | | |
| 2.3. Diameter Application Compliance | | 2.3. Diameter Application Compliance | |
| | | | |
| Application Identifiers are advertised during the capabilities | | Application Identifiers are advertised during the capabilities | |
| exchange phase (see Section 5.3). For a given application, | | exchange phase (see Section 5.3). For a given application, | |
| advertising support of an application implies that the sender | | advertising support of an application implies that the sender | |
| supports all command codes, and the AVPs specified in the associated | | supports all command codes, and the AVPs specified in the associated | |
| ABNFs, described in the specification. | | ABNFs, described in the specification. | |
| | | | |
| An implementation MAY add arbitrary non-mandatory AVPs to any command | | An implementation MAY add arbitrary non-mandatory AVPs to any command | |
| | | | |
| skipping to change at page 32, line 27 | | skipping to change at page 31, line 15 | |
| | | | |
| 2.8.2. Proxy Agents | | 2.8.2. Proxy Agents | |
| | | | |
| Similarly to relays, proxy agents route Diameter messages using the | | Similarly to relays, proxy agents route Diameter messages using the | |
| Diameter Routing Table. However, they differ since they modify | | Diameter Routing Table. However, they differ since they modify | |
| messages to implement policy enforcement. This requires that proxies | | messages to implement policy enforcement. This requires that proxies | |
| maintain the state of their downstream peers (e.g., access devices) | | maintain the state of their downstream peers (e.g., access devices) | |
| to enforce resource usage, provide admission control, and | | to enforce resource usage, provide admission control, and | |
| provisioning. | | provisioning. | |
| | | | |
| It is important to note that although proxies MAY provide a value-add | | | |
| function for NASes, they do not allow access devices to use end-to- |