idnits 2.17.1 draft-ietf-dime-app-design-guide-26.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document seems to contain a disclaimer for pre-RFC5378 work, and may
     have content which was first submitted before 10 November 2008.  The
     disclaimer is necessary when there are original authors that you have
     been unable to contact, or if some do not wish to grant the BCP78 rights
     to the IETF Trust.  If you are able to get all authors (current and
     original) to grant those rights, you can and should remove the
     disclaimer; otherwise, the disclaimer is needed and you can ignore this
     comment.  (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (August 16, 2014) is 3539 days in the past.  Is this
     intentional?
  Checking references for intended status: Best Current Practice
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'AVP' is mentioned on line 427, but not defined

  == Missing Reference: 'RFC4005bis' is mentioned on line 790, but not defined

  ** Obsolete undefined reference: RFC 4005 (Obsoleted by RFC 7155)

  -- Obsolete informational reference (is this intentional?): RFC 2409
     (Obsoleted by RFC 4306)

  -- Obsolete informational reference (is this intentional?): RFC 3588
     (Obsoleted by RFC 6733)

  -- Obsolete informational reference (is this intentional?): RFC 4005
     (Obsoleted by RFC 7155)

  -- Obsolete informational reference (is this intentional?): RFC 5226
     (Obsoleted by RFC 8126)

  -- Obsolete informational reference (is this intentional?): RFC 5246
     (Obsoleted by RFC 8446)

  -- Obsolete informational reference (is this intentional?): RFC 5996
     (Obsoleted by RFC 7296)

     Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Diameter Maintenance and Extensions (DIME)                   L. Morand, Ed.
Internet-Draft                                                  Orange Labs
Intended status: Best Current Practice                           V. Fajardo
Expires: February 17, 2015                                   Fluke Networks
                                                              H. Tschofenig
                                                                   ARM Ltd.
                                                            August 16, 2014

                  Diameter Applications Design Guidelines
                   draft-ietf-dime-app-design-guide-26

Abstract

   The Diameter base protocol provides facilities for protocol
   extensibility that allow new Diameter applications to be defined or
   existing applications to be modified.  This document is a companion
   to the Diameter base protocol that further explains and clarifies
   the rules for extending Diameter.
   Furthermore, this document provides guidelines to Diameter
   application designers who reuse or define Diameter applications or
   create generic Diameter extensions.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 17, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Overview
   4.  Reusing Existing Diameter Applications
     4.1.  Adding a New Command
     4.2.  Deleting an Existing Command
     4.3.  Reusing Existing Commands
       4.3.1.  Adding AVPs to a Command
       4.3.2.  Deleting AVPs from a Command
       4.3.3.  Changing the Flags Setting of AVP in existing Commands
     4.4.  Reusing Existing AVPs
       4.4.1.  Setting of the AVP Flags
       4.4.2.  Reuse of AVP of Type Enumerated
   5.  Defining New Diameter Applications
     5.1.  Introduction
     5.2.  Defining New Commands
     5.3.  Use of Application-Id in a Message
     5.4.  Application-Specific Session State Machines
     5.5.  Session-Id AVP and Session Management
     5.6.  Use of Enumerated Type AVPs
     5.7.  Application-Specific Message Routing
     5.8.  Translation Agents
     5.9.  End-to-End Application Capabilities Exchange
     5.10.  Diameter Accounting Support
     5.11.  Diameter Security Mechanisms
   6.  Defining Generic Diameter Extensions
   7.  Guidelines for Registrations of Diameter Values
   8.  IANA Considerations
   9.  Security Considerations
   10. Contributors
   11. Acknowledgments
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Authors' Addresses

1.  Introduction

   The Diameter base protocol [RFC6733] is intended to provide an
   Authentication, Authorization, and Accounting (AAA) framework for
   applications such as network access or IP mobility in both local and
   roaming situations.

   The Diameter base protocol provides facilities to extend Diameter
   (see Section 1.3 of [RFC6733]) to support new functionality.  In the
   context of this document, extending Diameter means one of the
   following:

   1.  Addition of new functionality to an existing Diameter application
       without defining a new application.

   2.  Addition of new functionality to an existing Diameter application
       that requires the definition of a new application.

   3.  The definition of an entirely new Diameter application to offer
       functionality not supported by existing applications.

   4.  The definition of a new generic functionality that can be reused
       across different applications.

   All of these choices are design decisions that can be realized by any
   combination of reusing existing or defining new commands, AVPs or AVP
   values.
   However, application designers do not have complete freedom when
   making their design.  A number of rules have been defined in
   [RFC6733] that place constraints on when an extension requires the
   allocation of a new Diameter application identifier or a new command
   code value.  The objectives of this document are the following:

   o  Clarify the Diameter extensibility rules as defined in the
      Diameter base protocol.

   o  Discuss design choices and provide guidelines when defining new
      applications.

   o  Present trade-off choices.

2.  Terminology

   This document reuses the terminology defined in [RFC6733].
   Additionally, the following terms and acronyms are used in this
   document:

   Application  Extension of the Diameter base protocol [RFC6733] via
      the addition of new commands or AVPs.  Each application is
      uniquely identified by an IANA-allocated application identifier
      value.

   Command  Diameter request or answer carrying AVPs between Diameter
      endpoints.  Each command is uniquely identified by an IANA-
      allocated command code value and is described by a Command Code
      Format (CCF) for an application.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Overview

   As designed, the Diameter base protocol [RFC6733] can be seen as a
   two-layer protocol.  The lower layer is mainly responsible for
   managing connections between neighboring peers and for message
   routing.  The upper layer is where the Diameter applications reside.
   This model is in line with a Diameter node having an application
   layer and a peer-to-peer delivery layer.  The Diameter base protocol
   document defines the architecture and behavior of the message
   delivery layer and then provides the framework for designing Diameter
   applications on the application layer.
   This framework includes definitions of application sessions and
   accounting support (see Section 8 and Section 9 of [RFC6733]).
   Accordingly, a Diameter node is seen in this document as a single
   instance of a Diameter message delivery layer and one or more
   Diameter applications using it.

   The Diameter base protocol is designed to be extensible, and the
   principles are described in Section 1.3 of [RFC6733].  In summary,
   Diameter can be extended by:

   1.  Defining new AVP values

   2.  Creating new AVPs

   3.  Creating new commands

   4.  Creating new applications

   As a main guiding principle, application designers SHOULD follow
   this recommendation: "try to re-use as much as possible!".  Re-use
   will reduce the time needed to finalize the specification, and it
   will lead to a smaller implementation effort as well as reduce the
   need for testing.  In general, it is wise to avoid duplicate effort
   when possible.

   However, re-use is not appropriate when the existing functionality
   does not fit the new requirement and/or the re-use leads to
   ambiguity.

   The impact of extending existing applications can be categorized
   into two groups:

   Minor Extension:  Enhancing the functional scope of an existing
      application by the addition of optional features.  Such an
      enhancement raises no backward compatibility issue with the
      existing application.

      A typical example would be the definition of a new optional AVP
      for use in an existing command.  Diameter implementations
      supporting the existing application but not the new AVP will
      simply ignore it, without consequences for the Diameter message
      handling, as described in [RFC6733].  The standardization effort
      will be fairly small.

   Major Extension:  Enhancing an application in a way that requires
      the definition of a new Diameter application.
      Such an enhancement causes backward compatibility issues with
      existing implementations supporting the application.

      Typical examples would be the creation of a new command providing
      functionality not supported by existing applications, or the
      definition of a new AVP to be carried in an existing command with
      the M-bit set in the AVP flags (see Section 4.1 of [RFC6733] for
      the definition of the "M-bit").  For such an extension, a
      significant specification effort is required and a careful
      approach is recommended.

4.  Reusing Existing Diameter Applications

   An existing application may need to be enhanced to fulfill new
   requirements, and these modifications can be at the command level
   and/or at the AVP level.  The following sections describe the
   possible modifications that can be performed on existing
   applications and their related impact.

4.1.  Adding a New Command

   Adding a new command to an existing application is considered a
   major extension and requires a new Diameter application to be
   defined, as stated in Section 1.3.4 of [RFC6733].  A new application
   is needed because a Diameter node that is not upgraded to support
   the new command(s) within the (existing) application would reject
   any unknown command with the protocol error
   DIAMETER_COMMAND_UNSUPPORTED and cause the failure of the
   transaction.  The new application ensures that Diameter nodes only
   receive commands within the context of applications they support.

   Adding a new command means either defining a completely new command
   or importing the command's Command Code Format (CCF) syntax from
   another application, whereby the new application inherits some or
   all of the functionality of the application the command came from.
   In the former case, the decision to create a new application is
   straightforward, since this is typically the result of adding new
   functionality that does not exist yet.
   For the latter, the decision to create a new application will depend
   on whether importing the command into a new application is more
   suitable than simply using the existing application as it is, in
   conjunction with any other application.  Therefore, a case-by-case
   study of each application requirement SHOULD be applied.

   An example considers the Diameter EAP application [RFC4072] and the
   Diameter Network Access Server application [RFC7155].  When network
   access authentication using EAP is required, the Diameter EAP
   commands (Diameter-EAP-Request/Diameter-EAP-Answer) are used;
   otherwise, the Diameter Network Access Server application will be
   used.  When the Diameter EAP application is used, the accounting
   exchanges defined in the Diameter Network Access Server application
   may be used.

   However, in general, it is difficult to come to a hard guideline,
   and so a case-by-case study of each application requirement should
   be applied.  Before adding or importing a command, application
   designers should consider the following:

   o  Can the new functionality be fulfilled by creating a new command
      independent from any existing command?  In this case, the
      resulting new application and the existing application can work
      independently of, but cooperating with, each other.

   o  Can the existing command be reused without major extensions and
      therefore without the need for the definition of a new
      application, e.g., with the new functionality introduced by the
      creation of new optional AVPs?

   It is important to note that importing commands too liberally could
   result in a monolithic and hard to manage application supporting
   too many different features.

4.2.  Deleting an Existing Command

   Although this process is not typical, removing a command from an
   application requires a new Diameter application to be defined and
   is therefore considered a major extension.
   This is due to the fact that the reception of the deleted command
   would systematically result in a protocol error (i.e.,
   DIAMETER_COMMAND_UNSUPPORTED).

   It is unusual to delete an existing command from an application for
   the sake of deleting it or the functionality it represents.  An
   exception might be if the intent of the deletion is to create a
   newer variant of the same application that is somehow simpler than
   the application initially specified.

4.3.  Reusing Existing Commands

   This section discusses rules for adding and/or deleting AVPs from an
   existing command of an existing application.  The cases described
   in this section may not necessarily result in the creation of new
   applications.

   From a historical point of view, it is worth noting that there was a
   strong recommendation in [RFC3588] to re-use existing commands, to
   prevent rapid depletion of the code values available for vendor-
   specific commands.  However, [RFC6733] has relaxed the allocation
   policy and enlarged the range of available code values for vendor-
   specific applications.  Although reuse of existing commands is still
   RECOMMENDED, protocol designers can consider defining a new command
   when it provides a solution more suitable than twisting the use of
   an existing command and its applications.

4.3.1.  Adding AVPs to a Command

   Based on the rules in [RFC6733], AVPs that are added to an existing
   command can be categorized into:

   o  Mandatory (to understand) AVPs.  As defined in [RFC6733], these
      are AVPs with the M-bit flag set in this command, which means
      that a Diameter node receiving them is required to understand
      not only their values but also their semantics.
      Failure to do so will cause a message handling error: either an
      error message with the Result-Code set to DIAMETER_AVP_UNSUPPORTED
      if the AVP is not understood in a request, or application-specific
      error handling if the given AVP is in an answer.

   o  Optional (to understand) AVPs.  As defined in [RFC6733], these
      are AVPs with the M-bit flag cleared in this command.  A Diameter
      node receiving these AVPs can simply ignore them if it does not
      support them.

   It is important to note that the definitions given above are
   independent of whether these AVPs are required or optional in the
   command as specified by the command's Command Code Format (CCF)
   syntax [RFC6733].

   NOTE: As stated in [RFC6733], the M-bit setting for a given AVP is
      relevant to an application and each command within that
      application that includes the AVP.

   The rules are strict in the case where the AVPs to be added to an
   existing command are mandatory to understand, i.e., they have the
   M-bit set.  A mandatory AVP MUST NOT be added to an existing command
   without defining a new Diameter application, as stated in [RFC6733].
   This falls into the "Major Extensions" category.  Despite the
   clarity of the rule, ambiguity still arises when evaluating whether
   a new AVP being added should be mandatory to begin with.
   Application designers should consider the following questions when
   deciding about the M-bit for a new AVP:

   o  Would it be required for the receiving side to be able to process
      and understand the AVP and its content?

   o  Would the new AVP change the state machine of the application?

   o  Would the presence of the new AVP lead to a different number of
      round-trips, effectively changing the state machine of the
      application?

   o  Would the new AVP be used to differentiate between old and new
      variants of the same application whereby the two variants are
      not backward compatible?
   o  Would the new AVP have duality in meaning, i.e., be used to carry
      application-related information as well as to indicate that the
      message is for a new application?

   If the answer to at least one of the questions is "yes", then the
   M-bit MUST be set for the new AVP and a new Diameter application
   MUST be defined.  This list of questions is non-exhaustive and other
   criteria MAY be taken into account in the decision process.

   If application designers are instead contemplating the use of
   optional AVPs, i.e., with the M-bit cleared, there are still
   pitfalls that will cause interoperability problems and therefore
   must be avoided.  Some examples of these pitfalls are:

   o  Use of optional AVPs with intersecting meaning.  One AVP has
      partially the same usage and meaning as another AVP.  The
      presence of both can lead to confusion.

   o  An optional AVP with a dual purpose, i.e., to carry application
      data as well as to indicate support for one or more features.
      This has a tendency to introduce interpretation issues.

   o  Adding one or more optional AVPs and indicating (usually within
      descriptive text for the command) that at least one of them has
      to be understood by the receiver of the command.  This would be
      equivalent to adding a mandatory AVP, i.e., an AVP with the M-bit
      set, to the command.

4.3.2.  Deleting AVPs from a Command

   Application designers may want to reuse an existing command, but
   some of the AVPs present in the command's CCF syntax specification
   may be irrelevant for the functionality foreseen to be supported by
   this command.  It may then be tempting to delete those AVPs from
   the command.
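   Before turning to the impact of deleting AVPs, the following Python
   program (added here as an illustration; it is not part of this draft
   nor taken from any Diameter implementation) shows what the M-bit
   rules of Section 4.3.1 and the Enumerated-value rule of
   Section 4.4.2 mean for a receiving node.  It encodes and decodes
   AVPs in the wire format of Section 4.1 of [RFC6733] and then
   validates the AVPs of a request against a constructed per-
   application dictionary: an unknown AVP with the M-bit set is
   rejected with DIAMETER_AVP_UNSUPPORTED and echoed inside a Failed-
   AVP, an unknown AVP with the M-bit cleared is silently skipped, and
   an Enumerated AVP carrying a value outside its defined set is
   rejected with DIAMETER_INVALID_AVP_VALUE.  The Result-Code numbers,
   the flag bits and the AVP codes User-Name (1), Auth-Session-State
   (277) and Failed-AVP (279) are those of [RFC6733]; the AVP codes
   90001 and 90002, the dictionary contents and the sample requests are
   constructed for this example only.

```python
import struct

# Result-Code values from RFC 6733 Section 7.1; the names used in Sections
# 4.3.1 and 4.4.2 of this draft correspond to these numbers.
DIAMETER_SUCCESS = 2001
DIAMETER_AVP_UNSUPPORTED = 5001
DIAMETER_INVALID_AVP_VALUE = 5004
DIAMETER_INVALID_AVP_LENGTH = 5014

# AVP flag bits from RFC 6733 Section 4.1: Vendor-specific, Mandatory,
# Protected.  The remaining bits are reserved and stay zero.
FLAG_V, FLAG_M, FLAG_P = 0x80, 0x40, 0x20

# Real base-protocol AVP codes used below.
USER_NAME = 1
AUTH_SESSION_STATE = 277
FAILED_AVP = 279

# Constructed per-application dictionary: (vendor_id, code) -> set of valid
# Enumerated values, or None for AVPs that are not of type Enumerated.
# 90001 (under vendor 10415, the 3GPP vendor id) is a made-up code, as is
# 90002 used in demo(); neither is a registered AVP code.
DICTIONARY = {
    (None, USER_NAME): None,
    (None, AUTH_SESSION_STATE): {0, 1},  # STATE_MAINTAINED, NO_STATE_MAINTAINED
    (10415, 90001): None,
}


def encode_avp(code, flags, data, vendor_id=None):
    """Serialize one AVP: 32-bit code, 8-bit flags, 24-bit length (header
    plus data, excluding padding), optional Vendor-Id, then the data padded
    to a multiple of four octets."""
    if vendor_id is not None:
        flags |= FLAG_V
    length = 8 + len(data) + (4 if vendor_id is not None else 0)
    avp = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    if vendor_id is not None:
        avp += struct.pack("!I", vendor_id)
    return avp + data + b"\x00" * (-len(data) % 4)


def decode_avps(buf):
    """Return a list of (code, flags, vendor_id, data) for every AVP in buf,
    rejecting any length field that does not fit the buffer."""
    avps, off = [], 0
    while off < len(buf):
        if off + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code = struct.unpack_from("!I", buf, off)[0]
        flags = buf[off + 4]
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & FLAG_V else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length")
        vendor_id = struct.unpack_from("!I", buf, off + 8)[0] if flags & FLAG_V else None
        avps.append((code, flags, vendor_id, buf[off + hdr:off + length]))
        off += length + (-length % 4)  # step over the padding as well
    return avps


def validate_request(buf, dictionary=DICTIONARY):
    """Apply the receiver rules to the AVPs of a request.  Returns
    (result_code, accepted_avps, failed_avp): failed_avp is an encoded
    Failed-AVP grouping the offending AVP, ready for an error answer, or
    None when the request is acceptable."""
    accepted = []
    for code, flags, vendor_id, data in decode_avps(buf):
        failed = encode_avp(FAILED_AVP, FLAG_M,
                            encode_avp(code, flags, data, vendor_id))
        key = (vendor_id, code)
        if key not in dictionary:
            if flags & FLAG_M:
                # Mandatory-to-understand AVP this node does not know: reject.
                return DIAMETER_AVP_UNSUPPORTED, accepted, failed
            continue  # unknown optional AVP: ignore it and keep going
        valid_values = dictionary[key]
        if valid_values is None:
            accepted.append((code, data))
            continue
        # Enumerated AVPs are Integer32: exactly four octets, signed.
        if len(data) != 4:
            return DIAMETER_INVALID_AVP_LENGTH, accepted, failed
        value = struct.unpack("!i", data)[0]
        if value not in valid_values:
            return DIAMETER_INVALID_AVP_VALUE, accepted, failed
        accepted.append((code, value))
    return DIAMETER_SUCCESS, accepted, None


def demo():
    """Three constructed requests, one per rule; returns their Result-Codes."""
    ok = (encode_avp(USER_NAME, FLAG_M, b"alice")
          + encode_avp(AUTH_SESSION_STATE, FLAG_M, struct.pack("!i", 1))
          + encode_avp(90002, 0, b"new-optional-data"))  # unknown, M-bit cleared
    unsupported = (encode_avp(USER_NAME, FLAG_M, b"alice")
                   + encode_avp(90002, FLAG_M, b"new-mandatory"))  # unknown, M-bit set
    bad_value = encode_avp(AUTH_SESSION_STATE, FLAG_M, struct.pack("!i", 7))
    return [validate_request(m)[0] for m in (ok, unsupported, bad_value)]


if __name__ == "__main__":
    print(demo())  # [2001, 5001, 5004]
```

   The dictionary is keyed by (vendor id, code) because, as the NOTE in
   Section 4.3.1 says, the meaning and M-bit setting of an AVP are tied
   to the application in which it is used; a real implementation would
   select the dictionary from the Application-Id in the message header
   before running this check.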
   The impact of deleting an AVP from a command depends on its command
   code format specification and M-bit setting:

   o  Case 1: Deleting an AVP that is indicated as a required AVP
      (noted as {AVP}) in the command's CCF syntax specification
      (regardless of the M-bit setting).

      In this case, a new command code and subsequently a new Diameter
      application MUST be specified.

   o  Case 2: Deleting an AVP that has the M-bit set and is indicated
      as an optional AVP (noted as [AVP]) in the command's CCF syntax
      specification.

      In this case, no new command code has to be specified, but the
      definition of a new Diameter application is REQUIRED.

   o  Case 3: Deleting an AVP that has the M-bit cleared and is
      indicated as [AVP] in the command's CCF syntax specification.

      In this case, the AVP can be deleted without consequences.

   Application designers SHOULD attempt to reuse the command's CCF
   syntax specification without modification and simply ignore (but
   not delete) any optional AVP that will not be used.  This is to
   maintain compatibility with existing applications that will not
   know about the new functionality, as well as to maintain the
   integrity of existing dictionaries.

4.3.3.  Changing the Flags Setting of AVP in existing Commands

   Although unusual, implementors may want to change the setting of the
   AVP flags of a given AVP used in a command.

   In an existing command, an AVP that was initially defined as a
   mandatory-to-understand AVP, i.e., an AVP with the M-bit flag set in
   the command, MAY be safely turned into an optional AVP, i.e., with
   the M-bit cleared.  Any node supporting the existing application
   will still understand the AVP, whatever the setting of the M-bit.
   On the contrary, an AVP initially defined as an optional-to-
   understand AVP, i.e., an AVP with the M-bit flag cleared in the
   command, MUST NOT be changed into a mandatory AVP with the M-bit
   flag set without defining a new Diameter application.  Setting the
   M-bit for an AVP that was defined as an optional AVP is equivalent
   to adding a new mandatory AVP to an existing command, and the rules
   given in Section 4.3.1 apply.

   All other AVP flags (V-bit, P-bit, reserved bits) MUST remain
   unchanged.

4.4.  Reusing Existing AVPs

   This section discusses rules for reusing existing AVPs when reusing
   an existing command or defining a new command in a new application.

4.4.1.  Setting of the AVP Flags

   When reusing existing AVPs in a new application, application
   designers MUST specify the setting of the M-bit flag for the new
   Diameter application and, if necessary, for every command of the
   application that can carry these AVPs.  In general, for AVPs defined
   outside of the Diameter base protocol, the characteristics of an AVP
   are tied to its role within a given application and the commands
   used in this application.

   All other AVP flags (V-bit, P-bit, reserved bits) MUST remain
   unchanged.

4.4.2.  Reuse of AVP of Type Enumerated

   When reusing an AVP of type Enumerated in a command for a new
   application, it is RECOMMENDED to avoid modifying the set of valid
   values defined for this AVP.  Modifying the set of Enumerated values
   includes adding a value or deprecating the use of a value defined
   initially for the AVP.  Modifying the set of values will impact the
   application defining this AVP and all the applications using this
   AVP, causing potential interoperability issues: a value used by a
   peer that is not recognized by all the nodes between the client and
   the server will cause an error response with the Result-Code AVP
   set to DIAMETER_INVALID_AVP_VALUE.
   When the full range of values defined for this Enumerated AVP is
   not suitable for the new application, it is RECOMMENDED to define a
   new AVP to avoid backwards compatibility issues with existing
   implementations.

5.  Defining New Diameter Applications

5.1.  Introduction

   This section discusses the case where new applications have
   requirements that cannot be fulfilled by existing applications and
   would require the definition of completely new commands, AVPs
   and/or AVP values.  Typically, there is little ambiguity about the
   decision to create these types of applications.  Some examples are
   the interfaces defined for the IP Multimedia Subsystem of 3GPP,
   e.g., Cx/Dx ([TS29.228] and [TS29.229]), Sh ([TS29.328] and
   [TS29.329]), etc.

   Application designers SHOULD try to import existing AVPs and AVP
   values for any newly defined commands.  In certain cases where
   accounting will be used, the models described in Section 5.10
   SHOULD also be considered.

   Additional considerations are described in the following sections.

5.2.  Defining New Commands

   As a general recommendation, commands SHOULD NOT be defined from
   scratch.  It is instead RECOMMENDED to re-use an existing command
   offering similar functionality and use it as a starting point.
   Code re-use leads to a smaller implementation effort and reduces
   the need for testing.

   Moreover, the new command's CCF syntax specification SHOULD be
   carefully defined when considering the applicability and
   extensibility of the application.  If most of the AVPs contained in
   the command are indicated as fixed or required, it might be
   difficult to reuse the same command, and therefore the same
   application, in a slightly changed environment.  Defining a command
   with most of the AVPs indicated as optional is considered a good
   design choice in many cases, despite the flexibility it introduces
   in the protocol.
   Protocol designers MUST clearly state the reasons why these optional
   AVPs might or might not be present and properly define the
   corresponding behavior of the Diameter nodes when these AVPs are
   absent from the command.

   NOTE: As a hint for protocol designers, it is not sufficient to just
      look at the command's CCF syntax specification.  It is also
      necessary to carefully read through the accompanying text in the
      specification.

   In the same way, the CCF syntax specification SHOULD be defined such
   that it will be possible to add any arbitrary optional AVPs with the
   M-bit cleared (including vendor-specific AVPs) without modifying the
   application.  For this purpose, "* [AVP]" SHOULD be added in the
   command's CCF, which allows the addition of any arbitrary number of
   optional AVPs as described in [RFC6733].

5.3.  Use of Application-Id in a Message

   When designing new applications, application designers SHOULD
   specify that the Application Id carried in all session-level
   messages is the Application Id of the application using those
   messages.  This includes the session-level messages defined in the
   Diameter base protocol, i.e., RAR/RAA, STR/STA, ASR/ASA and possibly
   ACR/ACA in the coupled accounting model (see Section 5.10).  Some
   existing specifications do not adhere to this rule for historical
   reasons.  However, this guidance SHOULD be followed by new
   applications to avoid routing problems.

   When a new application has been allocated a new Application Id and
   it also reuses existing commands, with or without modifications, the
   commands SHOULD use the newly allocated Application Id in the header
   and in all relevant Application Id AVPs (Auth-Application-Id or
   Acct-Application-Id) present in the command's message body.
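   The following Python code, added as an example and not part of this
   draft or of any Diameter implementation, applies the rule above to a
   message that has already been decoded into Python values.  It
   collects every Auth-Application-Id or Acct-Application-Id in the
   body, whether at top level or inside a Vendor-Specific-Application-Id
   grouped AVP, and reports any value that differs from the Application
   Id in the message header.  It then shows a realm-based routing lookup
   keyed only on (Destination-Realm, header Application Id), so two
   messages that differ only in their Vendor-Id take the same route.
   The AVP codes are the base-protocol ones from [RFC6733]; the
   Application Id 0x7F000001, the realms, the peer names and the vendor
   id 99999 are constructed for this example (10415 is the 3GPP vendor
   id).

```python
# Real base-protocol AVP codes (RFC 6733).
AUTH_APPLICATION_ID = 258
ACCT_APPLICATION_ID = 259
VENDOR_SPECIFIC_APPLICATION_ID = 260
VENDOR_ID = 266
DESTINATION_REALM = 283

# Constructed Application-Id for the example; not a registered value.
EXAMPLE_APP_ID = 0x7F000001

# A decoded message is represented as (header_application_id, avps), where
# each AVP is a (code, value) pair and the value of a Grouped AVP is itself
# a list of (code, value) pairs.


def application_ids_in_body(avps):
    """Collect the Auth-/Acct-Application-Id values found at the top level
    and inside any Vendor-Specific-Application-Id grouped AVP.  Vendor-Id
    members are deliberately ignored: that AVP is informational only."""
    ids = set()
    for code, value in avps:
        if code in (AUTH_APPLICATION_ID, ACCT_APPLICATION_ID):
            ids.add(value)
        elif code == VENDOR_SPECIFIC_APPLICATION_ID:
            ids |= application_ids_in_body(value)
    return ids


def check_application_id(header_app_id, avps):
    """Conformance check for the rule above: return the sorted list of
    Application-Id values in the body that disagree with the header
    (empty when the message is consistent)."""
    return sorted(v for v in application_ids_in_body(avps) if v != header_app_id)


# Constructed realm routing table: (Destination-Realm, Application-Id) ->
# next-hop peer.  Vendor-Id is not part of the key.
ROUTES = {
    ("realm-a.example", EXAMPLE_APP_ID): "srv1.realm-a.example",
    ("realm-b.example", EXAMPLE_APP_ID): "srv1.realm-b.example",
}


def select_next_hop(header_app_id, avps, routes=ROUTES):
    """Realm-based routing step of a relay or proxy: the lookup uses only
    the Destination-Realm and the header Application-Id, so nothing carried
    in a Vendor-Id AVP can influence where the message goes."""
    realm = next((v for c, v in avps if c == DESTINATION_REALM), None)
    return routes.get((realm, header_app_id))


def demo():
    """Two requests that differ only in Vendor-Id route identically; a
    third carries a body Application-Id (3, the Diameter base accounting
    application) that contradicts its header and is reported."""
    dest = (DESTINATION_REALM, "realm-a.example")
    vsai_vendor_1 = (VENDOR_SPECIFIC_APPLICATION_ID,
                     [(VENDOR_ID, 10415), (AUTH_APPLICATION_ID, EXAMPLE_APP_ID)])
    vsai_vendor_2 = (VENDOR_SPECIFIC_APPLICATION_ID,
                     [(VENDOR_ID, 99999), (AUTH_APPLICATION_ID, EXAMPLE_APP_ID)])
    hop_1 = select_next_hop(EXAMPLE_APP_ID, [dest, vsai_vendor_1])
    hop_2 = select_next_hop(EXAMPLE_APP_ID, [dest, vsai_vendor_2])
    mismatch = check_application_id(EXAMPLE_APP_ID, [dest, (ACCT_APPLICATION_ID, 3)])
    return hop_1, hop_2, mismatch


if __name__ == "__main__":
    print(demo())  # ('srv1.realm-a.example', 'srv1.realm-a.example', [3])
```

   The consistency check is the kind of test an application-level
   conformance suite would run on a new specification's example
   messages; the routing function is what an agent actually does, and
   it never reads the Vendor-Id.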
   Additionally, application designers using the Vendor-Specific-
   Application-Id AVP SHOULD NOT use the Vendor-Id AVP to further
   dissect or differentiate the vendor-specific Application Id.
   Diameter routing is not based on the Vendor-Id.  As such, the
   Vendor-Id SHOULD NOT be used as an additional input for routing or
   delivery of messages.  The Vendor-Id AVP is an informational AVP
   only and is kept for backward compatibility reasons.

5.4.  Application-Specific Session State Machines

   Section 8 of [RFC6733] provides session state machines for
   authentication, authorization and accounting (AAA) services, and
   these session state machines are not intended to cover behavior
   outside of AAA.  If a new application cannot clearly be categorized
   into any of these AAA services, it is RECOMMENDED that the
   application define its own session state machine.  Support for
   server-initiated requests is a clear example where an application-
   specific session state machine would be needed, for example, the Rw
   interface for the ITU-T push model (cf. [Q.3303.3]).

5.5.  Session-Id AVP and Session Management

   Diameter applications are usually designed with the aim of managing
   user sessions (e.g., the Diameter network access session (NASREQ)
   application [RFC4005]) or specific service access sessions (e.g.,
   the Diameter SIP application [RFC4740]).  In the Diameter base
   protocol, session state is referenced using the Session-Id AVP.
   All Diameter messages that use the same Session-Id will be bound to
   the same session.  Diameter-based session management also implies
   that both the Diameter client and server (and potentially proxy
   agents along the path) maintain session state information.

   However, some applications may not need to rely on the Session-Id
   to identify and manage sessions, because other information can be
   used instead to correlate Diameter messages.
Indeed, the User-Name AVP or 597 any other specific AVP can be present in every Diameter message and 598 used therefore for message correlation. Some applications might not 599 require the notion of Diameter session concept at all. For such 600 applications, the Auth-Session-State AVP is usually set to 601 NO_STATE_MAINTAINED in all Diameter messages and these applications 602 are therefore designed as a set of stand-alone transactions. Even if 603 an explicit access session termination is required, application- 604 specific commands are defined and used instead of the Session- 605 Termination-Request/Answer (STR/STA) or Abort-Session-Request/Answer 606 (ASR/ASA) defined in the Diameter base protocol [RFC6733]. In such a 607 case, the Session-Id is not significant. 609 Based on these considerations, protocol designers SHOULD carefully 610 appraise whether the application currently defined relies on its own 611 session management concept or whether the Session-Id defined in the 612 Diameter base protocol would be used for correlation of messages 613 related to the same session. If not, the protocol designers MAY 614 decide to define application commands without the Session-Id AVP. If 615 any session management concept is supported by the application, the 616 application documentation MUST clearly specify how the session is 617 handled between client and server (as possibly Diameter agents in the 618 path). 620 Based on these considerations, protocol designers SHOULD carefully 621 appraise whether the Diameter application being defined relies on the 622 session management specified in the Diameter base protocol: 624 o If it is, the Diameter command defined for the new application 625 MUST include the Session-Id AVP defined in the Diameter base 626 protocol [RFC6733] and the Session-Id AVP MUST be used for 627 correlation of messages related to the same session. Guidance on 628 the use of the Auth-Session-State AVP is given in the Diameter 629 base protocol [RFC6733]. 
   o  Otherwise, because session management is not required or the
      application relies on its own session management mechanism,
      Diameter commands for the application need not include the
      Session-Id AVP.  If any specific session management concept is
      supported by the application, the application documentation MUST
      clearly specify how the session is handled between client and
      server (and possibly Diameter agents in the path).  Moreover,
      because the application is not maintaining session state at the
      Diameter base protocol level, the Auth-Session-State AVP MUST be
      included in all Diameter commands for the application and MUST be
      set to NO_STATE_MAINTAINED.

5.6.  Use of Enumerated Type AVPs

   The type Enumerated was initially defined to provide a list of valid
   values for an AVP with their respective interpretation described in
   the specification.  For instance, AVPs of type Enumerated can be used
   to provide further information on the reason for the termination of a
   session or a specific action to perform upon the reception of the
   request.

   As described in Section 4.4.2 above, defining an AVP of type
   Enumerated presents some limitations in terms of extensibility and
   reusability.  Indeed, the finite set of valid values defined at the
   definition of the AVP of type Enumerated cannot be modified in
   practice without causing backward compatibility issues with existing
   implementations.  As a consequence, AVPs of type Enumerated MUST NOT
   be extended by adding new values to support new capabilities.
   Diameter protocol designers SHOULD carefully consider, before defining
   an Enumerated AVP, whether the set of values will remain unchanged or
   new values may be required in the near future.  If such an extension
   is foreseen or cannot be avoided, it is RECOMMENDED to rather define
   AVPs of type Unsigned32 or Unsigned64 in which the data field would
   contain an address space representing "values" that would have the
   same use as Enumerated values.  Whereas only the initial values
   defined at the definition of the AVP of type Enumerated are valid, as
   described in Section 4.4.2, any value from the address space from 0
   to 2^32 - 1 for AVPs of type Unsigned32 or from 0 to 2^64 - 1 for
   AVPs of type Unsigned64 is valid at the Diameter base protocol level
   and will not cause interoperability issues for intermediary nodes
   between clients and servers.  Only clients and servers will be able
   to process the values at the application layer.

   For illustration, an AVP describing possible access networks would be
   defined as follows:

      Access-Network-Type AVP (XXX) is of type Unsigned32 and contains a
      32-bit address space representing types of access networks.  This
      application defines the following classes of access networks, all
      identified by the thousands digit in the decimal notation:

      o  1xxx (Mobile Access Networks)

      o  2xxx (Fixed Access Networks)

      o  3xxx (Wireless Access Networks)

      Values that fall within the Mobile Access Networks category are
      used to inform a peer that a request has been sent for a user
      attached to a mobile access network.  The following values are
      defined in this application:

      1001: 3GPP-GERAN

         The user is attached to a GSM EDGE Radio Access Network.

      1002: 3GPP-UTRAN-FDD

         The user is attached to a UMTS access network that uses
         frequency-division duplexing.

   Unlike an Enumerated AVP, any new value can be added in the address
   space defined by this Unsigned32 AVP without modifying the definition
   of the AVP.  There is therefore no risk of backward compatibility
   issues, especially when intermediate nodes may be present between
   Diameter endpoints.

   Along the same lines, AVPs of type Enumerated are too often used as a
   simple Boolean flag, indicating for instance a specific permission or
   capability, and therefore only two values are defined, e.g.,
   TRUE/FALSE, AUTHORIZED/UNAUTHORIZED or SUPPORTED/UNSUPPORTED.  This
   is a sub-optimal design since it limits the extensibility of the
   application: any new capability/permission would have to be supported
   by a new AVP or a new Enumerated value of the already defined AVP,
   with the backward compatibility issues described above.  Instead of
   using an Enumerated AVP for a Boolean flag, protocol designers SHOULD
   use AVPs of type Unsigned32 or Unsigned64 in which the data field
   would be defined as a bit mask whose bit settings are described in
   the relevant Diameter application specification.  Such AVPs can be
   reused and extended without major impact on the Diameter application.
   The bit mask SHOULD leave room for future additions.  Examples of
   AVPs that use bit masks are the Session-Binding AVP defined in
   [RFC6733] and the MIP6-Feature-Vector AVP defined in [RFC5447].

5.7.  Application-Specific Message Routing

   As described in [RFC6733], a Diameter request that needs to be sent
   to a home server serving a specific realm, but not to a specific
   server (such as the first request of a series of round trips), will
   contain a Destination-Realm AVP and no Destination-Host AVP.

   For such a request, the message routing usually relies only on the
   Destination-Realm AVP and the Application Id present in the request
   message header.
   However, some applications may need to rely on the User-Name AVP or
   any other application-specific AVP present in the request to
   determine the final destination of a request, e.g., to find the
   target AAA server hosting the authorization information for a given
   user when multiple AAA servers are addressable in the realm.

   In such a context, the basic routing mechanisms described in
   [RFC6733] are not fully suitable, and additional application-level
   routing mechanisms MUST be described in the application
   documentation to provide such specific AVP-based routing.  Such
   functionality will typically be hosted by an application-specific
   proxy agent that will be responsible for routing decisions based on
   the received specific AVPs.

   Examples of such application-specific routing functions can be found
   in the Cx/Dx applications ([TS29.228] and [TS29.229]) of the 3GPP IP
   Multimedia Subsystem, in which the proxy agent (Subscriber Location
   Function, a.k.a. SLF) uses specific application-level identities
   found in the request to determine the final destination of the
   message.

   Whatever the criteria used to establish the routing path of the
   request, the routing of the answer MUST follow the reverse path of
   the request, as described in [RFC6733], with the answer being sent to
   the source of the received request, using transaction states and
   hop-by-hop identifier matching.  This ensures that the Diameter Relay
   or Proxy agents in the request routing path will be able to release
   the transaction state upon receipt of the corresponding answer,
   avoiding unnecessary failover.  Moreover, especially in roaming
   cases, proxy agents in the path must be able to apply local policies
   when receiving the answer from the server during
   authentication/authorization and/or accounting procedures, and
   maintain up-to-date session state information by keeping track of
   all authorized active sessions.  Therefore, application designers
   MUST NOT modify the answer-routing principles described in [RFC6733]
   when defining a new application.

5.8.  Translation Agents

   As defined in [RFC6733], a translation agent is a device that
   provides interworking between Diameter and another AAA protocol, such
   as RADIUS.

   In the case of RADIUS, it was initially thought that defining the
   translation function would be straightforward by adopting a few basic
   principles, e.g., the use of a shared range of code values for RADIUS
   attributes and Diameter AVPs.  Guidelines for implementing a
   RADIUS-Diameter translation agent were put into the Diameter NASREQ
   Application ([RFC4005]).

   However, it was acknowledged that such a translation mechanism was
   not so obvious and that deeper protocol analysis was required to
   ensure efficient interworking between RADIUS and Diameter.  Moreover,
   the interworking requirements depend on the functionalities provided
   by the Diameter application under specification, and a case-by-case
   analysis is required.  As a consequence, all the material related to
   RADIUS-to-Diameter translation was removed from the new version of
   the Diameter NASREQ application specification ([RFC4005bis],
   published as [RFC7155]), which deprecates RFC 4005 ([RFC4005]).

   Therefore, protocol designers SHOULD NOT assume the availability of a
   "standard" Diameter-to-RADIUS gateway agent when planning to
   interoperate with the RADIUS infrastructure.  They SHOULD specify the
   required translation mechanism along with the Diameter application,
   if needed.  This recommendation applies to any kind of translation.

5.9.  End-to-End Application Capabilities Exchange

   Diameter applications can rely on optional AVPs to exchange
   application-specific capabilities and features.  These AVPs can be
   exchanged on an end-to-end basis at the application layer.  Examples
   of this can be found with the MIP6-Feature-Vector AVP in [RFC5447]
   and the QoS-Capability AVP in [RFC5777].

   End-to-end capabilities AVPs can be added as optional AVPs with the
   M-bit cleared to existing applications to announce support of new
   functionality.  Receivers that do not understand these AVPs or the
   AVP values can simply ignore them, as stated in [RFC6733].  When
   supported, receivers of these AVPs can discover the additional
   functionality supported by the Diameter end-point originating the
   request and behave accordingly when processing the request.  Senders
   of these AVPs can safely assume that the receiving end-point does not
   support any functionality carried by the AVP if it is not present in
   the corresponding response.  This is useful in cases where deployment
   choices are offered, and the generic design can be made available for
   a number of applications.

   When used in a new application, these end-to-end capabilities AVPs
   SHOULD be added as optional AVPs into the CCF of the commands used by
   the new application.  Protocol designers SHOULD clearly specify this
   end-to-end capabilities exchange and the corresponding behaviour of
   the Diameter nodes supporting the application.

   It is also important to note that this end-to-end capabilities
   exchange relying on the use of optional AVPs is not meant as a
   generic mechanism to support extensibility of Diameter applications
   with arbitrary functionality.  When the added features drastically
   change the Diameter application or when Diameter agents must be
   upgraded to support the new features, a new application SHOULD be
   defined, as recommended in [RFC6733].

5.10.  Diameter Accounting Support

   Accounting can be treated as an auxiliary application that is used in
   support of other applications.  In most cases, accounting support is
   required when defining new applications.
   This document provides two possible models for using accounting:

   Split Accounting Model:

      In this model, the accounting messages will use the Diameter base
      accounting Application Id (value of 3).  The design implication
      for this is that the accounting is treated as an independent
      application, especially for Diameter routing.  This means that
      accounting commands emanating from an application may be routed
      separately from the rest of the other application messages.  This
      may also imply that the messages end up in a central accounting
      server.  A split accounting model is a good design choice when:

      *  The application itself does not define its own accounting
         commands.

      *  The overall system architecture permits the use of centralized
         accounting for one or more Diameter applications.

      Centralizing accounting may have advantages but there are also
      drawbacks.  The model assumes that the accounting server can
      differentiate received accounting messages.  Since the received
      accounting messages can be for any application and/or service,
      the accounting server MUST have a method to match accounting
      messages with the applications and/or services being accounted
      for.  This may mean defining new AVPs, checking the presence,
      absence or contents of existing AVPs, or checking the contents of
      the accounting record itself.  One of these means could be to
      insert into the request sent to the accounting server an
      Auth-Application-Id AVP containing the identifier of the
      application for which the accounting request is sent.  But in
      general, there is no clean and generic scheme for sorting these
      messages.  Therefore, the use of this model is NOT RECOMMENDED
      when all received accounting messages cannot be clearly identified
      and sorted.  For most cases, the use of the Coupled Accounting
      Model is RECOMMENDED.

   Coupled Accounting Model:

      In this model, the accounting messages will use the Application Id
      of the application using the accounting service.  The design
      implication for this is that the accounting messages are tightly
      coupled with the application itself, meaning that accounting
      messages will be routed like the other application messages.  It
      would then be the responsibility of the application server
      (application entity receiving the ACR message) to send the
      accounting records carried by the accounting messages to the
      proper accounting server.  The application server is also
      responsible for formulating a proper response (ACA).  A coupled
      accounting model is a good design choice when:

      *  The system architecture or deployment does not provide an
         accounting server that supports Diameter.  Consequently, the
         application server MUST be provisioned to use a different
         protocol to access the accounting server, e.g., via LDAP, SOAP,
         etc.  This case includes the support of older accounting
         systems that are not Diameter aware.

      *  The system architecture or deployment requires that the
         accounting service for the specific application be handled by
         the application itself.

      In all cases above, there will generally be no direct Diameter
      access to the accounting server.

   These models provide a basis for using accounting messages.
   Application designers may obviously deviate from these models
   provided that the factors being addressed here have also been taken
   into account.  Defining a new set of commands to carry
   application-specific accounting records is NOT RECOMMENDED.

5.11.  Diameter Security Mechanisms

   As specified in [RFC6733], the Diameter message exchange SHOULD be
   secured between neighboring Diameter peers using TLS/TCP or
   DTLS/SCTP.  However, IPsec MAY also be deployed to secure
   communication between Diameter peers.
   When IPsec is used instead of TLS or DTLS, the following
   recommendations apply.

   IPsec ESP [RFC4301] in transport mode with non-null encryption and
   authentication algorithms MUST be used to provide per-packet
   authentication, integrity protection and confidentiality, and to
   support the replay protection mechanisms of IPsec.  IKEv2 [RFC5996]
   SHOULD be used for performing mutual authentication and for
   establishing and maintaining security associations (SAs).

   IKEv1 [RFC2409] was used with RFC 3588 [RFC3588] and, for easier
   migration from IKEv1-based implementations, both RSA digital
   signatures and pre-shared keys SHOULD be supported in IKEv2.
   However, if IKEv1 is used, implementers SHOULD follow the guidelines
   given in Section 13.1 of RFC 3588 [RFC3588].

6.  Defining Generic Diameter Extensions

   Generic Diameter extensions are AVPs, commands or applications that
   are designed to support other Diameter applications.  They are
   auxiliary applications meant to improve or enhance the Diameter
   protocol itself or Diameter applications/functionality.  Some
   examples include the extensions to support realm-based redirection of
   Diameter requests (see [RFC7075]), to convey a specific set of
   priority parameters influencing the distribution of resources (see
   [RFC6735]), and the support for QoS AVPs (see [RFC5777]).

   Since generic extensions may cover many aspects of Diameter and
   Diameter applications, it is not possible to enumerate all scenarios.
   However, some of the most common considerations are as follows:

   Backward Compatibility:

      When defining generic extensions designed to be supported by
      existing Diameter applications, protocol designers MUST consider
      the potential impacts of the introduction of the new extension on
      the behavior of nodes that have not yet been upgraded to
      support/understand this new extension.  Designers MUST also ensure
      that new extensions do not break expected message delivery layer
      behavior.

   Forward Compatibility:

      Protocol designers MUST ensure that their design will not
      introduce undue restrictions for future applications.

   Trade-off in Signaling:

      Designers may have to choose between the use of optional AVPs
      piggybacked onto existing commands versus defining new commands
      and applications.  Optional AVPs are simpler to implement and may
      not need changes to existing applications.  However, this ties the
      sending of extension data to the application's transmission of a
      message.  This has consequences if the application and the
      extensions have different timing requirements.  The use of new
      commands and applications solves this issue, but the trade-off is
      the additional complexity of defining and deploying a new
      application.  It is left up to the designer to find a good balance
      among these trade-offs based on the requirements of the extension.

   In practice, generic extensions often use optional AVPs because they
   are simple and non-intrusive to the application that would carry
   them.  Peers that do not support the generic extensions need not
   understand nor recognize these optional AVPs.  However, it is
   RECOMMENDED that the authors of the extension specify the context or
   usage of the optional AVPs.  As an example, in the case that the AVP
   can be used only by a specific set of applications, then the
   specification MUST enumerate these applications and the scenarios
   when the optional AVPs will be used.  In the case where the optional
   AVPs can be carried by any application, it should be sufficient to
   specify such a use case and perhaps provide specific examples of
   applications using them.
   In most cases, these optional AVPs piggybacked by applications would
   be defined as a Grouped AVP and it would encapsulate all the
   functionality of the generic extension.  In practice, it is not
   uncommon that the Grouped AVP will encapsulate an existing AVP that
   has previously been defined as mandatory ('M'-bit set), e.g., 3GPP
   IMS Cx/Dx interfaces ([TS29.228] and [TS29.229]).

7.  Guidelines for Registrations of Diameter Values

   As summarized in Section 3 of this document and further described in
   Section 1.3 of [RFC6733], there are four main ways to extend
   Diameter.  The process for defining new functionality varies slightly
   based on the different extensions.  This section provides protocol
   designers with some guidance regarding the definition of values for
   possible Diameter extensions and the necessary interaction with IANA
   to register the new functionality.

   a.  Defining new AVP values

       The specifications defining AVPs and AVP values MUST provide
       guidance for defining new values and the corresponding policy for
       adding these values.  For example, RFC 5777 [RFC5777] defines the
       Treatment-Action AVP, which contains a list of valid values
       corresponding to pre-defined actions (drop, shape, mark, permit).
       This set of values can be extended following the Specification
       Required policy defined in [RFC5226].  As a second example, the
       Diameter base specification [RFC6733] defines the Result-Code AVP
       that contains a 32-bit address space used to identify possible
       errors.  According to Section 11.3.2 of [RFC6733], new values can
       be assigned by IANA via an IETF Review process [RFC5226].

   b.  Creating new AVPs

       Two different AVP Code namespaces can be used to create new AVPs:

       *  IETF AVP Codes namespace;

       *  Vendor-specific AVP Codes namespace.

       In the latter case, a vendor first needs to be assigned a private
       enterprise number by IANA, which can be used within the Vendor-Id
       field of the vendor-specific AVP.  This enterprise number
       delimits a private namespace in which the vendor is responsible
       for vendor-specific AVP code value assignment.  The absence of a
       Vendor-Id or a Vendor-Id value of zero (0) in the AVP header
       identifies standard AVPs from the IETF AVP Codes namespace
       managed by IANA.  The allocation of code values from the
       IANA-managed namespace is conditioned on an Expert Review of the
       specification defining the AVPs, or an IETF Review if a block of
       AVPs needs to be assigned.  Moreover, the remaining bits of the
       AVP Flags field of the AVP header are also assigned via Standards
       Action if the creation of new AVP Flags is desired.

   c.  Creating new commands

       Unlike the AVP Code namespace, the Command Code namespace is flat
       but the range of values is subdivided into three chunks with
       distinct IANA registration policies:

       *  A range of standard Command Code values that are allocated via
          IETF Review;

       *  A range of vendor-specific Command Code values that are
          allocated on a First-Come/First-Served basis;

       *  A range of values reserved only for experimental and testing
          purposes.

       As for AVP Flags, the remaining bits of the Command Flags field
       of the Diameter header are also assigned via a Standards Action
       to create new Command Flags if required.

   d.  Creating new applications

       Similarly to the Command Code namespace, the Application-Id
       namespace is flat but divided into two distinct ranges:

       *  A range of values reserved for standard Application-Ids,
          allocated after Expert Review of the specification defining
          the standard application;

       *  A range of values for vendor-specific applications, allocated
          by IANA on a First-Come/First-Served basis.
   The IANA AAA parameters page can be found at
   http://www.iana.org/assignments/aaa-parameters and the enterprise
   number IANA page is available at
   http://www.iana.org/assignments/enterprise-numbers.  More details on
   the policies followed by IANA for namespace management (e.g.,
   First-Come/First-Served, Expert Review, IETF Review, etc.) can be
   found in [RFC5226].

   NOTE:
      When the same functionality/extension is used by more than one
      vendor, it is RECOMMENDED to define a standard extension.
      Moreover, a vendor-specific extension SHOULD be registered to
      avoid interoperability issues in the same network.  With this aim,
      the registration policy of vendor-specific extensions has been
      simplified with the publication of [RFC6733] and the namespace
      reserved for vendor-specific extensions is large enough to avoid
      exhaustion.

8.  IANA Considerations

   This document does not require actions by IANA.

9.  Security Considerations

   This document provides guidelines and considerations for extending
   Diameter and Diameter applications.  Although such an extension may
   be related to a security functionality, the document does not
   explicitly give additional guidance on enhancing Diameter with
   respect to security.  However, as a general guideline, it is
   recommended that any Diameter extension SHOULD NOT break the security
   concept given in [RFC6733].  In particular, it is recalled here that
   any command defined or reused in a new Diameter application SHOULD be
   secured by using TLS [RFC5246] or DTLS/SCTP [RFC6083] and MUST NOT be
   used without one of TLS, DTLS, or IPsec [RFC4301].  When defining a
   new Diameter extension, any possible impact on the existing security
   principles described in [RFC6733] MUST be carefully appraised and
   documented in the Diameter application specification.

10.  Contributors

   The content of this document was influenced by a design team created
   to revisit the Diameter extensibility rules.  The team was formed in
   February 2008 and finished its work in June 2008.  Apart from the
   authors, the design team members were:

   o  Avi Lior

   o  Glen Zorn

   o  Jari Arkko

   o  Jouni Korhonen

   o  Mark Jones

   o  Tolga Asveren

   o  Glenn McGregor

   o  Dave Frascone

   We would like to thank Tolga Asveren, Glenn McGregor, and John
   Loughney for their contributions as co-authors to earlier versions of
   this document.

11.  Acknowledgments

   We greatly appreciate the insight provided by Diameter implementers
   who have highlighted the issues and concerns being addressed by this
   document.  The authors would also like to thank Jean Mahoney, Ben
   Campbell, Sebastien Decugis and Benoit Claise for their invaluable
   detailed reviews and comments on this document.

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6733]  Fajardo, V., Arkko, J., Loughney, J., and G. Zorn,
              "Diameter Base Protocol", RFC 6733, October 2012.

12.2.  Informative References

   [Q.3303.3] 3rd Generation Partnership Project, "ITU-T Recommendation
              Q.3303.3: Resource control protocol no. 3 (rcp3):
              Protocol at the Rw interface between the Policy Decision
              Physical Entity (PD-PE) and the Policy Enforcement
              Physical Entity (PE-PE): Diameter", 2008.

   [RFC2409]  Harkins, D. and D. Carrel, "The Internet Key Exchange
              (IKE)", RFC 2409, November 1998.

   [RFC3588]  Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
              Arkko, "Diameter Base Protocol", RFC 3588, September 2003.

   [RFC4005]  Calhoun, P., Zorn, G., Spence, D., and D. Mitton,
              "Diameter Network Access Server Application", RFC 4005,
              August 2005.
   [RFC4072]  Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible
              Authentication Protocol (EAP) Application", RFC 4072,
              August 2005.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.

   [RFC4740]  Garcia-Martin, M., Belinchon, M., Pallares-Lopez, M.,
              Canales-Valenzuela, C., and K. Tammi, "Diameter Session
              Initiation Protocol (SIP) Application", RFC 4740,
              November 2006.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5447]  Korhonen, J., Bournelle, J., Tschofenig, H., Perkins, C.,
              and K. Chowdhury, "Diameter Mobile IPv6: Support for
              Network Access Server to Diameter Server Interaction",
              RFC 5447, February 2009.

   [RFC5777]  Korhonen, J., Tschofenig, H., Arumaithurai, M., Jones, M.,
              and A. Lior, "Traffic Classification and Quality of
              Service (QoS) Attributes for Diameter", RFC 5777,
              February 2010.

   [RFC5996]  Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
              "Internet Key Exchange Protocol Version 2 (IKEv2)",
              RFC 5996, September 2010.

   [RFC6083]  Tuexen, M., Seggelmann, R., and E. Rescorla, "Datagram
              Transport Layer Security (DTLS) for Stream Control
              Transmission Protocol (SCTP)", RFC 6083, January 2011.

   [RFC6735]  Carlberg, K. and T. Taylor, "Diameter Priority
              Attribute-Value Pairs", RFC 6735, October 2012.

   [RFC7075]  Tsou, T., Hao, R., and T. Taylor, "Realm-Based Redirection
              In Diameter", RFC 7075, November 2013.

   [RFC7155]  Zorn, G., "Diameter Network Access Server Application",
              RFC 7155, April 2014.

   [TS29.228] 3rd Generation Partnership Project, "3GPP TS 29.228;
              Technical Specification Group Core Network and Terminals;
              IP Multimedia (IM) Subsystem Cx and Dx Interfaces;
              Signalling flows and message contents".

   [TS29.229] 3rd Generation Partnership Project, "3GPP TS 29.229;
              Technical Specification Group Core Network and Terminals;
              Cx and Dx interfaces based on the Diameter protocol;
              Protocol details".

   [TS29.328] 3rd Generation Partnership Project, "3GPP TS 29.328;
              Technical Specification Group Core Network and Terminals;
              IP Multimedia (IM) Subsystem Sh interface; signalling
              flows and message content".

   [TS29.329] 3rd Generation Partnership Project, "3GPP TS 29.329;
              Technical Specification Group Core Network and Terminals;
              Sh Interface based on the Diameter protocol; Protocol
              details".

Authors' Addresses

   Lionel Morand (editor)
   Orange Labs
   38/40 rue du General Leclerc
   Issy-Les-Moulineaux Cedex 9  92794
   France

   Phone: +33145296257
   Email: lionel.morand@orange.com


   Victor Fajardo
   Fluke Networks

   Email: vf0213@gmail.com


   Hannes Tschofenig
   ARM Ltd.
   Hall in Tirol  6060
   Austria

   Email: Hannes.Tschofenig@gmx.net
   URI:   http://www.tschofenig.priv.at