< draft-ietf-dime-app-design-guide-15.txt   draft-ietf-dime-app-design-guide-16.txt >
Diameter Maintenance and Extensions L. Morand, Ed. Diameter Maintenance and Extensions L. Morand, Ed.
(DIME) Orange Labs (DIME) Orange Labs
Internet-Draft V. Fajardo Internet-Draft V. Fajardo
Intended status: Informational Intended status: Informational
Expires: January 31, 2013 H. Tschofenig Expires: April 25, 2013 H. Tschofenig
Nokia Siemens Networks Nokia Siemens Networks
July 30, 2012 October 22, 2012
Diameter Applications Design Guidelines Diameter Applications Design Guidelines
draft-ietf-dime-app-design-guide-15 draft-ietf-dime-app-design-guide-16
Abstract Abstract
The Diameter Base protocol provides facilities for protocol The Diameter Base protocol provides facilities for protocol
extensibility enabling to define new Diameter applications or modify extensibility enabling to define new Diameter applications or modify
existing applications. This document is a companion document to the existing applications. This document is a companion document to the
Diameter Base protocol that further explains and clarifies the rules Diameter base protocol that further explains and clarifies the rules
to extend the Diameter Base protocol. It is meant as a guidelines to extend the Diameter base protocol. It is meant as a guidelines
document and therefore it does not add, remove or change existing document and therefore it does not add, remove or change existing
rules. rules.
Requirements Language Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
Status of this Memo Status of this Memo
skipping to change at page 2, line 26 skipping to change at page 2, line 26
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 31, 2013. This Internet-Draft will expire on April 25, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 10 skipping to change at page 3, line 10
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Reusing existing Diameter applications . . . . . . . . . . . . 8 4. Reusing Existing Diameter Applications . . . . . . . . . . . . 8
4.1. Adding a new command . . . . . . . . . . . . . . . . . . . 8 4.1. Adding a New Command . . . . . . . . . . . . . . . . . . . 8
4.2. Deleting a command . . . . . . . . . . . . . . . . . . . . 9 4.2. Deleting an Existing Command . . . . . . . . . . . . . . . 9
4.3. Reusing existing commands . . . . . . . . . . . . . . . . 9 4.3. Reusing Existing Commands . . . . . . . . . . . . . . . . 9
4.3.1. Adding AVPs to a ommand . . . . . . . . . . . . . . . 9 4.3.1. Adding AVPs to a Command . . . . . . . . . . . . . . . 9
4.3.2. Deleting AVPs from a command . . . . . . . . . . . . . 11 4.3.2. Deleting AVPs from a Command . . . . . . . . . . . . . 11
4.4. Reusing existing AVPs . . . . . . . . . . . . . . . . . . 12 4.4. Reusing Existing AVPs . . . . . . . . . . . . . . . . . . 12
4.4.1. Setting of the AVP flags . . . . . . . . . . . . . . . 12 4.4.1. Setting of the AVP Flags . . . . . . . . . . . . . . . 12
4.4.2. Reuse of AVP of type Enumerated . . . . . . . . . . . 12 4.4.2. Reuse of AVP of Type Enumerated . . . . . . . . . . . 12
5. Defining new Diameter applications . . . . . . . . . . . . . . 13 5. Defining New Diameter Applications . . . . . . . . . . . . . . 13
5.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 13 5.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 13
5.2. Defining new commands . . . . . . . . . . . . . . . . . . 13 5.2. Defining New Commands . . . . . . . . . . . . . . . . . . 13
5.3. Use of Application-Id in a message . . . . . . . . . . . . 14 5.3. Use of Application-Id in a Message . . . . . . . . . . . . 14
5.4. Application specific Session State Machine . . . . . . . . 14 5.4. Application-Specific Session State Machines . . . . . . . 14
5.5. Session-Id AVP and session management . . . . . . . . . . 15 5.5. Session-Id AVP and Session Management . . . . . . . . . . 15
5.6. AVPs defined as Boolean flag . . . . . . . . . . . . . . . 15 5.6. AVPs Defined as Boolean Flag . . . . . . . . . . . . . . . 15
5.7. Application-specific message routing . . . . . . . . . . . 16 5.7. Application-Specific Message Routing . . . . . . . . . . . 16
5.8. About Translation Agent . . . . . . . . . . . . . . . . . 17 5.8. About Translation Agent . . . . . . . . . . . . . . . . . 17
5.9. End-to-End applications capabilities exchange . . . . . . 17 5.9. End-to-End Application Capabilities Exchange . . . . . . . 17
5.10. Diameter accounting support . . . . . . . . . . . . . . . 18 5.10. Diameter Accounting Support . . . . . . . . . . . . . . . 18
5.11. Diameter security mechanisms . . . . . . . . . . . . . . . 20 5.11. Diameter Security Mechanisms . . . . . . . . . . . . . . . 20
6. Defining Generic Diameter Extensions . . . . . . . . . . . . . 22 6. Defining Generic Diameter Extensions . . . . . . . . . . . . . 22
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24
8. Security Considerations . . . . . . . . . . . . . . . . . . . 25 8. Security Considerations . . . . . . . . . . . . . . . . . . . 25
9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 26 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 26
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 27 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 27
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28
11.1. Normative References . . . . . . . . . . . . . . . . . . . 28 11.1. Normative References . . . . . . . . . . . . . . . . . . . 28
11.2. Informative References . . . . . . . . . . . . . . . . . . 28 11.2. Informative References . . . . . . . . . . . . . . . . . . 28
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 30 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 30
1. Introduction 1. Introduction
The Diameter Base protocol provides facilities to extend the Diameter The Diameter base protocol provides facilities to extend the Diameter
Base protocol (see Section 1.3 of [I-D.ietf-dime-rfc3588bis]) for base protocol (see Section 1.3 of [I-D.ietf-dime-rfc3588bis]) for
supporting new functionalities. In the context of this document, supporting new functionalities. In the context of this document,
extending Diameter means one of the following: extending Diameter means one of the following:
1. Addition of a new functionality to an existing Diameter 1. Addition of a new functionality to an existing Diameter
application without defining a new application. application without defining a new application.
2. Addition of a new functionality to an existing Diameter 2. Addition of a new functionality to an existing Diameter
application that requires the definition of a new application. application that requires the definition of a new application.
3. The definition of a new Diameter application to provide a set of 3. The definition of a new Diameter application to provide a set of
skipping to change at page 4, line 33 skipping to change at page 4, line 33
All of these choices are design decisions that can be done by any All of these choices are design decisions that can be done by any
combination of reusing existing or defining new commands, AVPs or AVP combination of reusing existing or defining new commands, AVPs or AVP
values. However, application designers do not have total freedom values. However, application designers do not have total freedom
when making their design. A number of rules have been defined in when making their design. A number of rules have been defined in
[I-D.ietf-dime-rfc3588bis] and place constraints on when an extension [I-D.ietf-dime-rfc3588bis] and place constraints on when an extension
requires the allocation of a new Diameter application identifier or a requires the allocation of a new Diameter application identifier or a
new command code value. The objective of this document is the new command code value. The objective of this document is the
following: following:
o Clarify updated Diameter extensibility rules in the Diameter Base o Clarify updated Diameter extensibility rules in the Diameter base
Protocol. protocol.
o Clarify usage of certain Diameter functionalities that are not o Clarify usage of certain Diameter functionalities that are not
explicitly described in the Diameter Base specification. explicitly described in the Diameter Base specification.
o Discuss design choices and provide guidelines when defining new o Discuss design choices and provide guidelines when defining new
applications. applications.
o Present tradeoffs of design choices. o Present trade-off of design choices.
2. Terminology 2. Terminology
This document reuses the terminology used in This document reuses the terminology used in
[I-D.ietf-dime-rfc3588bis]. [I-D.ietf-dime-rfc3588bis].
3. Overview 3. Overview
As designed, the Diameter Base protocol [I-D.ietf-dime-rfc3588bis] As designed, the Diameter base protocol [I-D.ietf-dime-rfc3588bis]
can be seen as a two-layer protocol. The lower layer is mainly can be seen as a two-layer protocol. The lower layer is mainly
responsible for managing connections between neighboring peers and responsible for managing connections between neighboring peers and
for message routing. The upper layer is where the Diameter for message routing. The upper layer is where the Diameter
applications reside. This model is in line with a Diameter node applications reside. This model is in line with a Diameter node
having an application layer and a peer-to-peer delivery layer. The having an application layer and a peer-to-peer delivery layer. The
Diameter Base protocol document defines the architecture and behavior Diameter base protocol document defines the architecture and behavior
of the message delivery layer and then provides the framework for of the message delivery layer and then provides the framework for
designing Diameter applications on the application layer. This designing Diameter applications on the application layer. This
framework includes definitions of application sessions and accounting framework includes definitions of application sessions and accounting
support (see Section 8 and 9 of [I-D.ietf-dime-rfc3588bis]). support (see Section 8 and 9 of [I-D.ietf-dime-rfc3588bis]).
Accordingly, a Diameter node is seen in this document as a single Accordingly, a Diameter node is seen in this document as a single
instance of a Diameter message delivery layer and one or more instance of a Diameter message delivery layer and one or more
Diameter applications using it. Diameter applications using it.
The Diameter Base protocol is designed to be extensible and the The Diameter base protocol is designed to be extensible and the
principles are described in the section 1.3 of principles are described in the section 1.3 of
[I-D.ietf-dime-rfc3588bis]. Extending Diameter can mean either the [I-D.ietf-dime-rfc3588bis]. Extending Diameter can mean either the
definition of a completly new Diameter application or the reuse of definition of a completely new Diameter application or the reuse of
commands, AVPs and AVP values in any combination for the purpose of commands, AVPs and AVP values in any combination for the purpose of
inheriting the features of an existing Diameter application. The inheriting the features of an existing Diameter application. The
recommendation for re-using as much as possible existing recommendation for re-using as much as possible existing
implementations is meaningful as most of the requirements defined for implementations is meaningful as most of the requirements defined for
a new application are likely already fulfilled by existing a new application are likely already fulfilled by existing
applications. applications.
However, when reusing existing applications, there is a greater However, when reusing existing applications, there is a greater
likelihood of ambiguity on how much of the existing application can likelihood of ambiguity on how much of the existing application can
be enhanced without being distorted too much and therefore requiring be enhanced without being distorted too much and therefore requiring
skipping to change at page 7, line 19 skipping to change at page 7, line 19
be the creation of a new command for providing functionality not be the creation of a new command for providing functionality not
supported by existing applications or the definition of a new AVP supported by existing applications or the definition of a new AVP
with M-bit set to carry in an existing command. For such with M-bit set to carry in an existing command. For such
extension, a significant specification effort is required and a extension, a significant specification effort is required and a
careful approach is recommended. careful approach is recommended.
The rules outlined in the section 1.3 of [I-D.ietf-dime-rfc3588bis] The rules outlined in the section 1.3 of [I-D.ietf-dime-rfc3588bis]
indicate when an extension requires a new command code to be indicate when an extension requires a new command code to be
registered and when new Diameter applications have to be defined. registered and when new Diameter applications have to be defined.
The subsequent sections further explain and clarify the rules to The subsequent sections further explain and clarify the rules to
extend the Diameter Base protocol. It is meant as a guidelines extend the Diameter base protocol. It is meant as a guidelines
document and therefore it does not add, remove or change existing document and therefore it does not add, remove or change existing
rules. rules.
4. Reusing existing Diameter applications 4. Reusing Existing Diameter Applications
When selecting the Diameter Base protocol to support new When selecting the Diameter base protocol to support new
functionalities, protocol designers are advised to try to re-use as functionalities, protocol designers are advised to reuse as much as
much as possible existing Diameter applications to simplify possible existing Diameter applications in order to simplify
standardization, implementation and avoid potential interoperability standardization, implementation and avoid potential interoperability
issues. However, existing application needs to be adapted to support issues. However, existing application needs to be adapted to support
new requirements and these modifications can be at the command level new requirements and these modifications can be at the command level
and/or at the AVP level. The following sections describe the and/or at the AVP level. The following sections describe the
possible modifications that can be performed on existing applications possible modifications that can be performed on existing applications
and their related impacts. and their related impacts.
4.1. Adding a new command 4.1. Adding a New Command
Adding a new command is considered as a major extension and requires Adding a new command is considered as a major extension and requires
a new Diameter application to be defined. Adding a new command to an a new Diameter application to be defined. Adding a new command to an
application means either defining a completely new command or application means either defining a completely new command or
importing the command's CCF syntax specification from another importing the command's CCF syntax specification from another
application whereby the new application inherits some or all of the application whereby the new application inherits some or all of the
functionality of the application where the command came from. In the functionality of the application where the command came from. In the
former case, the decision to create an new application is former case, the decision to create a new application is
straightforward since this is typically a result of adding a new straightforward since this is typically a result of adding a new
functionality that does not exist yet. For the latter, the decision functionality that does not exist yet. For the latter, the decision
to create a new application will depend on whether importing the to create a new application will depend on whether importing the
command in a new application is more suitable than simply using the command in a new application is more suitable than simply using the
existing application as it is in conjunction with any other existing application as it is in conjunction with any other
application. Therefore, a case by case study of each application application. Therefore, a case by case study of each application
requirement should be applied. requirement should be applied.
An illustrative example is the command pair defined in Diameter EAP An illustrative example is the command pair defined in Diameter EAP
application [RFC4072] that can be re-used conjointly with any other application [RFC4072] that can be re-used conjointly with any other
application (e.g. the Diameter NASREQ application [RFC4005]) as soon application (e.g. the Diameter NASREQ application [RFC4005]) as soon
as standard EAP-based authentication procedures need to be supported as standard EAP-based authentication procedures need to be supported
by the implementation. It may therefore not be required to import by the implementation. It may therefore not be required to import
the command pair in the new defined application. the command pair in the new defined application.
However, in general, it is difficult to come to a hard guideline, and However, in general, it is difficult to come to a hard guideline, and
so a case by case study of each application requirement should be so a case-by-case study of each application requirement should be
applied. Before adding or importing a command, application designers applied. Before adding or importing a command, application designers
should consider the following: should consider the following:
o Can the new functionality be fulfilled by creating a new command o Can the new functionality be fulfilled by creating a new command
independent from any existing command? In this case, the independent from any existing command? In this case, the
resulting new application and the existing application can work resulting new application and the existing application can work
independent of, but cooperating with each other. independent of, but cooperating with each other.
o Can the existing command be reused without major extensions and o Can the existing command be reused without major extensions and
therefore without the need for the definition of a new therefore without the need for the definition of a new
application, e.g. new functionality introduced by the creation of application, e.g. new functionality introduced by the creation of
new optional AVPs. new optional AVPs.
o Care should be taken to avoid a liberal method of importing o Care should be taken to avoid a liberal method of importing an
existing command's CCF syntax specification. This would result in existing command's CCF syntax specification. This would result in
a monolithic and hard to manage applications supporting too many a monolithic and hard to manage application supporting too many
different functionalities and can cause interoperability issues different functionalities and can cause interoperability issues
between the different applications. . between the different applications.
4.2. Deleting a command 4.2. Deleting an Existing Command
Although this process is not typical, removing a command to an Although this process is not typical, removing a command from an
application requires a new Diameter application to be defined. this application requires a new Diameter application to be defined. This
is due to the fact that the reception of the deleted command would is due to the fact that the reception of the deleted command would
systematically result in a protocol error systematically result in a protocol error
(DIAMETER_COMMAND_UNSUPPORTED). (DIAMETER_COMMAND_UNSUPPORTED).
It is unusual to delete an existing command from an application for It is unusual to delete an existing command from an application for
the sake of deleting it or the functionality it represents. This the sake of deleting it or the functionality it represents. This
normally indicates of a flawed design. An exception might be if the normally indicates of a flawed design. An exception might be if the
intent of the deletion is to create a newer version of the same intent of the deletion is to create a newer version of the same
application which is somehow simpler than the previous version. application that is somehow simpler than the previous version.
4.3. Reusing existing commands 4.3. Reusing Existing Commands
This section discusses rules in adding and/or deleting AVPs from an This section discusses rules in adding and/or deleting AVPs from an
existing command of an existing application. The cases described in existing command of an existing application. The cases described in
this section may not necessarily result in the creation of new this section may not necessarily result in the creation of new
applications. applications.
It is worth to note that the strong recommendation to re-use existing It is worth to note that the strong recommendation to re-use existing
commands in the [RFC3588] was to prevent rapid scarcity of code commands in the [RFC3588] was to prevent rapid scarcity of code
values available for vendor-specific commands. values available for vendor-specific commands.
[I-D.ietf-dime-rfc3588bis] relaxes the policy with respect to the [I-D.ietf-dime-rfc3588bis] relaxes the policy with respect to the
allocation of command codes for vendor-specific uses and enlarges the allocation of command codes for vendor-specific uses and enlarges the
range of available code values for vendor-specific applications. range of available code values for vendor-specific applications.
Therefore, if it is still recommended to re-use as much as possible Although reuse of existing commands is still recommended, protocol
existing commands, protocol designers can consider more easily the designers can consider defining a new command when it provides a
definition of a new command when it is a solution more suitable than solution more suitable than the twisting of an existing command's use
twisting existing command use and applications. and applications.
4.3.1. Adding AVPs to a ommand 4.3.1. Adding AVPs to a Command
Based on the rules in [I-D.ietf-dime-rfc3588bis], AVPs that are added Based on the rules in [I-D.ietf-dime-rfc3588bis], AVPs that are added
to an existing command can be categorized into: to an existing command can be categorized into:
o Mandatory (to understand) AVPs. As defined in o Mandatory (to understand) AVPs. As defined in
[I-D.ietf-dime-rfc3588bis], these are AVPs with the M-bit flag [I-D.ietf-dime-rfc3588bis], these are AVPs with the M-bit flag
set, which means that a Diameter node receiving are required to set, which means that a Diameter node receiving them is required
understand not only their values but their semantics. Failure to to understand not only their values but their semantics. Failure
do so will cause an message handling error. This is regardless of to do so will cause an message handling error. This is regardless
whether these AVPs are required or optional as specified by the of whether these AVPs are required or optional as specified by the
command's CCF syntax specification. command's CCF syntax specification.
o Optional (to understand) AVPs. As defined in o Optional (to understand) AVPs. As defined in
[I-D.ietf-dime-rfc3588bis], these are AVPs with the M-bit flag [I-D.ietf-dime-rfc3588bis], these are AVPs with the M-bit flag
cleared, which mean that a Diameter node receiving these AVP can cleared, which mean that a Diameter node receiving these AVPs can
simply ignore them if not supported in the process of the received simply ignore them if not supported in the process of the received
command. command.
The rules are strict in the case where the AVPs to be added are The rules are strict in the case where the AVPs to be added are
mandatory to understand i.e. with the M-bit set. A mandatory AVP mandatory to understand i.e. with the M-bit set. A mandatory AVP
cannot be added to an existing command without defining a new cannot be added to an existing command without defining a new
Diameter application, as stated in [I-D.ietf-dime-rfc3588bis]. This Diameter application, as stated in [I-D.ietf-dime-rfc3588bis]. This
falls into the "Major Extensions" category. Despite the clarity of falls into the "Major Extensions" category. Despite the clarity of
the rule, ambiguity still arises when evaluating whether a new AVP the rule, ambiguity still arises when evaluating whether a new AVP
being added should be mandatory to begin with. Here is a list of few being added should be mandatory to begin with. Application designers
common questions that application designers should wonder when trying should consider the following questions when deciding to set the
to decide: M-bit for a new AVP:
o Would it be required for the receiving side to be able to process o Would it be required for the receiving side to be able to process
and understand the AVP and its content? and understand the AVP and its content?
o Would the new AVPs change the state machine of the application? o Would the new AVPs change the state machine of the application?
o Would the presence of the new AVP lead to a different number of o Would the presence of the new AVP lead to a different number of
roundtrips, effectively changing the state machine of the round-trips, effectively changing the state machine of the
application? application?
o Would the new AVP be used to differentiate between old and new o Would the new AVP be used to differentiate between old and new
versions of the same application whereby the two versions are not versions of the same application whereby the two versions are not
backward compatible? backward compatible?
o Would the new AVP have duality in meaning i.e. be used to carry o Would the new AVP have duality in meaning i.e. be used to carry
application related information as well as be used to indicate application-related information as well as be used to indicate
that the message is for a new application? that the message is for a new application?
When one of the above questions can be answered in the affirmative When one of the above questions can be answered in the affirmative
then the M-bit has to be set for the new AVP. then the M-bit has to be set for the new AVP. This list of questions
is non-exhaustive and other criteria can be taken into account in the
decision process.
If application designers are instead contemplating on the use of If application designers are instead contemplating the use of
optional AVPs i.e. with the M-bit cleared, then the following are optional AVPs i.e. with the M-bit cleared, then the following are
some of the pitfalls that should be avoided: some of the pitfalls that should be avoided:
o Use of optional AVPs with intersecting meaning. One AVP has o Use of optional AVPs with intersecting meaning. One AVP has
partially the same usage and meaning as another AVP. The presence partially the same usage and meaning as another AVP. The presence
of both can lead to confusion. of both can lead to confusion.
o An optional AVPs with dual purpose, i.e. to carry applications o An optional AVPs with dual purpose, i.e. to carry application data
data as well as to indicate support for one or more features. as well as to indicate support for one or more features. This has
This has a tendency to introduce interpretation issues. a tendency to introduce interpretation issues.
o Adding one or more optional AVPs and indicating (usually within o Adding one or more optional AVPs and indicating (usually within
descriptive text for the command) that at least one of them has to descriptive text for the command) that at least one of them has to
be present in the command. This essentially circumventing the be present in the command. This essentially circumventing the
ABNF and is equivalent to adding a mandatory AVPs to the command. ABNF and is equivalent to adding a mandatory AVP to the command.
These practices generally result in interoperability issues and These practices generally result in interoperability issues and
should be avoided as much as possible. should be avoided as much as possible.
4.3.2. Deleting AVPs from a command 4.3.2. Deleting AVPs from a Command
When deleting an AVP from a command, the following cases need to be The impacts of deleting an AVP from a command depend on its command
differentiated: code format specification and M-bit setting:
o Deleting an AVP that is indicated as { AVP } in the command's CCF o Deleting an AVP that is indicated as { AVP } in the command's CCF
syntax specification, whatever the setting of the M-bit set. This syntax specification, whatever the setting of the M-bit set. This
means the definition of a new command. In this case, a new means the definition of a new command. In this case, a new
command code and subsequently a new Diameter application have to command code and subsequently a new Diameter application have to
be specified. be specified.
o Deleting an AVP with M-bit set that is indicated as [ AVP ] in the o Deleting an AVP with M-bit set that is indicated as [ AVP ] in the
command's CCF syntax specification. No new command code has to be command's CCF syntax specification. No new command code has to be
specified but the definition of a new Diameter application is specified but the definition of a new Diameter application is
skipping to change at page 12, line 5 skipping to change at page 12, line 6
] in the command's CCF syntax specification. In this case, the ] in the command's CCF syntax specification. In this case, the
AVP can be deleted without consequences. AVP can be deleted without consequences.
If possible application designers should attempt the reuse the If possible application designers should attempt the reuse the
command's CCF syntax specification without modification and simply command's CCF syntax specification without modification and simply
ignore (but not delete) any optional AVP that will not be used. This ignore (but not delete) any optional AVP that will not be used. This
is to maintain compatibility with existing applications that will not is to maintain compatibility with existing applications that will not
know about the new functionality as well as maintain the integrity of know about the new functionality as well as maintain the integrity of
existing dictionaries. existing dictionaries.
4.4. Reusing existing AVPs 4.4. Reusing Existing AVPs
This section discusses rules in reusing existing AVP when reusing an This section discusses rules in reusing existing AVP when reusing an
existing command or defining a new command in a new application. existing command or defining a new command in a new application.
4.4.1. Setting of the AVP flags 4.4.1. Setting of the AVP Flags
When reusing AVPs in a new application, the AVP flag setting, such as When reusing AVPs in a new application, the AVP flag setting, such as
the mandatory flag ('M'-bit), has to be re-evaluated for a new the mandatory flag ('M'-bit), has to be re-evaluated for a new
Diameter application and, if necessary, even for every command within Diameter application and, if necessary, even for every command within
the application. In general, for AVPs defined outside of the base the application. In general, for AVPs defined outside of the
protocol, its mandatory characteristics are tied to its role within Diameter base protocol, its mandatory characteristics are tied to its
an application and command. role within an application and command.
All other AVP flags shall remain unchanged All other AVP flags shall remain unchanged.
4.4.2. Reuse of AVP of type Enumerated 4.4.2. Reuse of AVP of Type Enumerated
When modifying the set of values supported by an AVP of type When modifying the set of values supported by an AVP of type
Enumerated, this means defining a new AVP. Modifying the set of Enumerated, this means defining a new AVP. Modifying the set of
Enumerated values includes adding a value or deprecating the use of a Enumerated values includes adding a value or deprecating the use of a
value defined initially for the AVP. Defining a new AVP will avoid value defined initially for the AVP. Defining a new AVP will avoid
interoperability issues. interoperability issues.
5. Defining new Diameter applications 5. Defining New Diameter Applications
5.1. Introduction 5.1. Introduction
The general recommendation for Diameter extensibility is to reuse The general recommendation for Diameter extensibility is to reuse
commands, AVPs and AVP values as much as possible. However, some of commands, AVPs and AVP values as much as possible. However, some of
the extensibility rules described in the previous sections also apply the extensibility rules described in the previous sections also apply
to scenarios where a designer is trying to define a completely new to scenarios where a designer is trying to define a completely new
Diameter application. Diameter application.
This section discusses the case where new applications have This section discusses the case where new applications have
requirements that cannot be filled by existing applications and would requirements that cannot be filled by existing applications and would
require definition of completely new commands, AVPs and/or AVP require definition of completely new commands, AVPs and/or AVP
values. Typically, there is little ambiguity about the decision to values. Typically, there is little ambiguity about the decision to
create these types of applications. Some examples are the interfaces create these types of applications. Some examples are the interfaces
defined for the IP Multimedia Subsystem of 3GPP, i.e. Cx/Dx defined for the IP Multimedia Subsystem of 3GPP, i.e. Cx/Dx
([TS29.228] and [TS29.229]), Sh ([TS29.328] and [TS29.329]) etc. ([TS29.228] and [TS29.229]), Sh ([TS29.328] and [TS29.329]) etc.
Application designers should also follow the theme of Diameter Application designers should also follow the theme of Diameter
extensibility which in this case means to import existing AVPs and extensibility, which in this case means to import existing AVPs and
AVP values for any newly defined commands. In certain cases where AVP values for any newly defined commands. In certain cases where
accounting will be used, the models described in Section 5.10 should accounting will be used, the models described in Section 5.10 should
also be considered. Though some decisions may be clear, designers also be considered. Though some decisions may be clear, designers
should also consider certain aspects of defining a new application. should also consider certain aspects of defining a new application.
Some of these aspects are described in following sections. Some of these aspects are described in following sections.
5.2. Defining new commands 5.2. Defining New Commands
As a general recommendation, Reusing as much as possible of existing As a general recommendation, reusing as much as possible of existing
material is encouraged when defining new commands. Protocol material is encouraged when defining new commands. Protocol
designers can thus usefully benefit from the experience gained with designers can thus usefully benefit from the experience gained with
the implementation of existing commands. This includes good pratices the implementation of existing commands. This includes good
to reuse but also known mistakes not to repeat. Therefore it is practices to reuse but also known mistakes not to repeat. Therefore
advisable to avoid the definition of a command from scratch and it is advisable to avoid the definition of a command from scratch and
rather take as an example an existing command that would be rather take as an example an existing command that would be
functionally close to command under definition. functionally close to command under definition.
Moreover, the new command's CCF should be carefully defined when Moreover, the new command's CCF should be carefully defined when
considering applicability and extensibility of the application. If considering applicability and extensibility of the application. If
most of the AVPs contained in the command are indicated as fixed or most of the AVPs contained in the command are indicated as fixed or
required, it might be difficult to reuse the same command and required, it might be difficult to reuse the same command and
therefore the same application if the context has slightly changed therefore the same application if the context has slightly changed
and some AVPs become obsolete. Defining a command with most of the and some AVPs become obsolete. Defining a command with most of the
AVPs indicated as optional must not be seen as a sub-optimal design AVPs indicated as optional must not be seen as a sub-optimal design
skipping to change at page 14, line 12 skipping to change at page 14, line 12
of these AVPs and properly define the corresponding behaviour of the of these AVPs and properly define the corresponding behaviour of the
Diameter nodes when these AVPs are absent from the command. Diameter nodes when these AVPs are absent from the command.
In the same way, the CCF should be defined in a way that it will be In the same way, the CCF should be defined in a way that it will be
possible to add any arbitrary optional AVPs with the M-bit cleared possible to add any arbitrary optional AVPs with the M-bit cleared
(including vendor-specific AVPs) without modifying the application. (including vendor-specific AVPs) without modifying the application.
For this purpose, it is strongly recommended to add "* [AVP]" in the For this purpose, it is strongly recommended to add "* [AVP]" in the
command's CCF that will allow the addition of any arbitrary AVP as command's CCF that will allow the addition of any arbitrary AVP as
described in [I-D.ietf-dime-rfc3588bis]. described in [I-D.ietf-dime-rfc3588bis].
5.3. Use of Application-Id in a message 5.3. Use of Application-Id in a Message
When designing new applications, designers should specify that the When designing new applications, designers should specify that the
application ID carried in all session level messages must be the application ID carried in all session-level messages must be the
application ID of the application using those messages. This application ID of the application using those messages. This
includes the session level messages defined in base protocol, i.e., includes the session-level messages defined in Diameter base
RAR/RAA, STR/STA, ASR/ASA and possibly ACR/ACA in the coupled protocol, i.e., RAR/RAA, STR/STA, ASR/ASA and possibly ACR/ACA in the
accounting model, see Section 5.10. Existing specifications may not coupled accounting model, see Section 5.10. Existing specifications
adhere to this rule for historical or other reasons. However, this may not adhere to this rule for historical or other reasons.
scheme should be followed to avoid possible routing problems for However, this scheme should be followed to avoid possible routing
these messages. problems for these messages.
In general, when a new application has been allocated with a new In general, when a new application has been allocated with a new
application id and it also reuses existing commands with or without application id and it also reuses existing commands with or without
modifications (Sec 4.1), it must use the newly allocated application modifications (Sec 4.1), it must use the newly allocated application
id in the header and in all relevant application id AVPs (Auth- id in the header and in all relevant application id AVPs (Auth-
Application-Id or Acct-Application-Id) present in the commands Application-Id or Acct-Application-Id) present in the commands
message body. message body.
Additionally, application designs using Additionally, application designs using
Vendor-Specific-Application-Id AVP should not use the Vendor-Id AVP Vendor-Specific-Application-Id AVP should not use the Vendor-Id AVP
to further dissect or differentiate the vendor-specification to further dissect or differentiate the vendor-specification
application id. Diameter routing is not based on the Vendor-Id. As application id. Diameter routing is not based on the Vendor-Id. As
such, the Vendor-ID should not be used as an additional input for such, the Vendor-ID should not be used as an additional input for
routing or delivery of messages. In general, the Vendor-Id AVP is an routing or delivery of messages. In general, the Vendor-Id AVP is an
informational AVP only and kept for backward compatibility reasons. informational AVP only and kept for backward compatibility reasons.
5.4. Application specific Session State Machine 5.4. Application-Specific Session State Machines
Section 8 of [I-D.ietf-dime-rfc3588bis] provides session state Section 8 of [I-D.ietf-dime-rfc3588bis] provides session state
machines for authentication, authorization and accounting (AAA) machines for authentication, authorization and accounting (AAA)
services. When a new application is being defined that cannot services and these session state machines are not intended to cover
clearly be categorized into any of these services it is recommended behavior outside of AAA. If a new application cannot clearly be
that the application itself define its own session state machine. categorized into any of these AAA services, it is recommended that
The existing session state machines defined by the application define its own session state machine. Support for
[I-D.ietf-dime-rfc3588bis] is not intended for general use beyond AAA server-initiated request is a clear example where an application-
services, therefore any behavior not covered by that category would specific session state machine would be needed, for example, the Rw
not fit well. Support for server initiated request is a clear interface for ITU-T push model (cf.[Q.3303.3]).
example where an application specific session state machine would be
needed, for example, the Rw interface for ITU-T push model (
cf.[Q.3303.3]).
5.5. Session-Id AVP and session management 5.5. Session-Id AVP and Session Management
Diameter applications are usually designed with the aim of managing Diameter applications are usually designed with the aim of managing
user sessions, e.g. network access session (NASREQ application user sessions, e.g. network access session (NASREQ application
[RFC4005]) or specific service access session (Diameter SIP [RFC4005]) or specific service access session (Diameter SIP
application [RFC4740]). In the Diameter base protocol, the session application [RFC4740]). In the Diameter base protocol, the session
management is based on the Session-Id AVP that it used to identify a management is based on the Session-Id AVP that it used to identify a
given session and all the Diameter messages including the same given session and all the Diameter messages including the same
Session-Id will be bound to the same session. Diameter-based session Session-Id will be bound to the same session. Diameter-based session
management also implies that both Diameter client and server (and management also implies that both Diameter client and server (and
potentially proxy agents in the diameter path) are maintaining potentially proxy agents in the diameter path) are maintaining
skipping to change at page 15, line 37 skipping to change at page 15, line 37
Diameter messages and these applications are therefore designed as a Diameter messages and these applications are therefore designed as a
set of stand-alone transactions. Even if an explicit access session set of stand-alone transactions. Even if an explicit access session
termination is required, application-specific commands are defined termination is required, application-specific commands are defined
and used instead of the Session-Termination-Request/Answer (STR/STA) and used instead of the Session-Termination-Request/Answer (STR/STA)
or Abort-Session-Request/Answer (ASR/ASA) defined in the Diameter or Abort-Session-Request/Answer (ASR/ASA) defined in the Diameter
base protocol. In such a case, the Session-Id is not significant. base protocol. In such a case, the Session-Id is not significant.
Based on these considerations, protocol designers should carefully Based on these considerations, protocol designers should carefully
appraise whether the application currently defined relies on the appraise whether the application currently defined relies on the
concept of session management and whether the Session-Id defined in concept of session management and whether the Session-Id defined in
the Diameter Base protocol would be really used for correlation of the Diameter base protocol would be used for correlation of messages
messages related to the same session. If not, the protocol designers related to the same session. If not, the protocol designers could
could decide to define application commands without the Session-Id decide to define application commands without the Session-Id AVP. If
AVP. If any session management concept is supported by the any session management concept is supported by the application, the
application the application documentation must clearly specify how application documentation must clearly specify how the session is
the session is handled between client and server (as possibly handled between client and server (as possibly Diameter agents in the
Diameter agents in the path). path).
5.6. AVPs defined as Boolean flag 5.6. AVPs Defined as Boolean Flag
The type Enumerated was initially defined to provide list of valid The type Enumerated was initially defined to provide a list of valid
values for an AVP with their respective interpretation described in values for an AVP with their respective interpretation described in
the specification. For instance, AVPs of type Enumerated can be used the specification. For instance, AVPs of type Enumerated can be used
to provide further information on the reason for the termination of a to provide further information on the reason for the termination of a
session or a specific action to perform on the reception of the session or a specific action to perform upon the reception of the
request. request.
However, AVPs of type Enumerated are too often used as simple Boolean However, AVPs of type Enumerated are too often used as a simple
flag, indicating for instance a specific permission or capability, Boolean flag, indicating for instance a specific permission or
and therefore only two values are defined e.g. TRUE/FALSE, capability, and therefore only two values are defined e.g. TRUE/
AUTORIZED/UNAUTHORIZED or SUPPORTED/UNSUPPORTED. This has to be FALSE, AUTORIZED/UNAUTHORIZED or SUPPORTED/UNSUPPORTED. This is a
considered as a sub-optimal design as this limits the extensibility sub-optimal design since it limits the extensibility of the
of the application: any new capability/permission would have to be application: any new capability/permission would have to be supported
supported by a new AVP or new Enumerated value of the already defined by a new AVP or new Enumerated value of the already defined AVP,
AVP that would cause in consequence backwards compatibility issues causing backwards compatibility issues with existing implementations.
with existing implementations.
Instead of defining Enumerated AVP when the AVP simply used as a Instead of using an Enumerated AVP for a Boolean flag, protocol
Boolean flag, protocol designers are encouraged to rely on AVP designers are encouraged to use Unsigned32 or Unsigned64 AVP type as
defined in the form of a bit mask with the interpretation of the bit mask whose bit settings are described in the relevant Diameter
setting of each bit described in the relevant Diameter application application specification. Such AVPs can be reused and extended
specification. Such AVPs can be reused and extended to multiplex without major impact on the Diameter application. The bit mask
several indications without major impact on the Diameter application. should leave room for future additions. Examples of bit mask AVP are
The bit-mask should be therefore long enough to leave room for future the Session-Binding AVP defined in [I-D.ietf-dime-rfc3588bis] and the
additions. Examples of AVP defined as bit mask are the Session- MIP6-Feature-Vector AVP defined in [RFC5447]
Binding AVP defined in [I-D.ietf-dime-rfc3588bis] and the MIP6-
Feature-Vector AVP defined in [RFC5447]
5.7. Application-specific message routing 5.7. Application-Specific Message Routing
Diameter request message routing usually relies on the Destination- Diameter request message routing usually relies on the Destination-
Realm AVP and the Application Id present in the request message Realm AVP and the Application Id present in the request message
header. However, some applications may need to rely on the User-Name header. However, some applications may need to rely on the User-Name
AVP or any other application-specific AVP present in the request to AVP or any other application-specific AVP present in the request to
determine the final destination of a request e.g. find the target AAA determine the final destination of a request e.g. find the target AAA
server hosting the authorization information for a given user when server hosting the authorization information for a given user when
multiple AAA servers are addressable in the realm. multiple AAA servers are addressable in the realm.
In such a context, basic routing mechanisms described in In such a context, basic routing mechanisms described in
[I-D.ietf-dime-rfc3588bis] are not fully suitable and additional [I-D.ietf-dime-rfc3588bis] are not fully suitable, and additional
application-level routing mechanisms have to be described in the application-level routing mechanisms have to be described in the
application documentation to provide such specific AVP-based routing. application documentation to provide such specific AVP-based routing.
Such functionality will be basically hosted by an application- Such functionality will be basically hosted by an application-
specific Proxy agent that will be responsible for routing decisions specific Proxy agent that will be responsible for routing decisions
based on the received specific AVPs. based on the received specific AVPs.
Example of such specific routing function can be found the Example of such application-specific routing functions can be found
applications defined for the IP Multimedia Subsystem of 3GPP, i.e. in the Cx/Dx applications ([TS29.228] and [TS29.229]) of the 3GPP IP
Cx/Dx applications ([TS29.228] and [TS29.229]) in which the Multimedia Subsystem, in which the proxy agent (Subscriber Location
Subscriber Location Function (SLF) is defined a proxy agent (or Function aka SLF) uses specific application-level identities found in
enhanced Redirect agent) using specific application-level identities the request to determine the final destination of the message.
found in the request to determine the final destination of the
message.
Whatever the criteria used to establish the routing path of the Whatever the criteria used to establish the routing path of the
request, the routing of the answer should follow the reverse path of request, the routing of the answer should follow the reverse path of
the request, as described in [I-D.ietf-dime-rfc3588bis], the answer the request, as described in [I-D.ietf-dime-rfc3588bis], with the
being sent to the source of the received request, using transaction answer being sent to the source of the received request, using
states and Hop-by-hop identifier matching. In particular, this transaction states and hop-by-hop identifier matching. In
ensures that Diameter agents in the request routing path (Relay or particular, this ensures that the Diameter Relay or Proxy agents in
Proxy agents) will be able to correctly release the transaction state the request routing path will be able to release the transaction
associated to the request upon receipt of the answer, avoiding thus state upon receipt of the corresponding answer, avoiding unnecessary
unnecessary failover triggering due to non reception of the answer failover. Application designers are strongly dissuaded from
corresponding to the request. Application designers are strongly modifying the answer-routing principles described in
recommended to not attempt to modify the answer routing principles [I-D.ietf-dime-rfc3588bis] when defining a new application.
described in [I-D.ietf-dime-rfc3588bis] when defining a new
application.
5.8. About Translation Agent 5.8. About Translation Agent
As defined in [I-D.ietf-dime-rfc3588bis], a translation agent is a As defined in [I-D.ietf-dime-rfc3588bis], a translation agent is a
device that provides interworking between Diameter and another device that provides interworking between Diameter and another
protocol (e.g. RADIUS, TACACS+). protocol (e.g. RADIUS, TACACS+).
In the specific case of RADIUS, it was initially foreseen that the In the case of RADIUS, it was initially thought that defining the
translation function would have been straightforward to define and translation function would be straightforward by adopting few basic
deploy by adopting few basic principles e.g. use of a shared range of principles e.g. use of a shared range of code values for RADIUS
code values for RADIUS attributes and Diameter AVPs, some guidelines attributes and Diameter AVPs. Guidelines for implementing a RADIUS-
on translation and management of key information (such as Diameter translation agent were put into RFC 4005 ([RFC4005]).
authentication parameter, routing/accounting or states), etc. And
all this material was put in the RFC 4005 ([RFC4005]) to be used as
generic guideline for implementation of RADIUS-Diameter translation
agent.
However, it was acknowledged that such translation mechanism was not However, it was acknowledged that such translation mechanism was not
so obvious and deeper protocol analysis was required to ensure so obvious and deeper protocol analysis was required to ensure
efficient interworking between RADIUS and Diameter. Moreover, the efficient interworking between RADIUS and Diameter. Moreover, the
interworking requirements will likely depend on the functionalities interworking requirements depend on the functionalities provided by
provided by the Diameter application under specification and a case- the Diameter application under specification, and a case-by-case
by-case analysis will be required. analysis will be required.
Therefore, when interoperability with RADIUS infrastructure is Therefore, protocol designers cannot assume the availability of a
foreseen, protocol designers are advised that they cannot assume the "standard" Diameter-to-RADIUS gateways agent when planning to
availability of "standard" Diameter-to-RADIUS gateways agent and the interoperate with the RADIUS infrastructure. They should specify the
required translation mechanism should be then specified along with required translation mechanism along with the Diameter application.
the Diameter application. And the recommendation in the case of This recommendation applies for any kind of translation (e.g.
RADIUS-Diameter interworking applies of course for any other kind of Diameter/MAP).
translation (e.g. Diameter/MAP).
5.9. End-to-End applications capabilities exchange 5.9. End-to-End Application Capabilities Exchange
New Diameter applications can rely on optional AVPs to exchange New Diameter applications can rely on optional AVPs to exchange
application specific capabilities and features. These AVPs can be application-specific capabilities and features. These AVPs can be
exchanged on an end-to-end basis at the application layer. Examples exchanged on an end-to-end basis at the application layer. Examples
of this can be found in [RFC5447] and [RFC5777]. of this can be found in [RFC5447] and [RFC5777].
The end-to-end capabilities AVPs can aid in the following cases: The end-to-end capabilities AVPs formalize the addition of new
optional functionality to existing applications by announcing support
o Formalizing the way new functionality is added to existing for it. Applications that do not understand these AVPs can discard
applications by announcing support for it. them upon receipt. Recevers of these AVPs can discover the addional
functionalities supported the end-point orignating the request and
o Applications that do not understand these AVP can discard it upon behave accordingly when processing the request. Senders of these
receipt. In such case, senders of the AVP can also safely assume AVPs can safely assume the receiving end-point does not support any
the receiving end-point does not support any functionality carried functionality carried by the AVP if it is not present in
by the AVP if it is not present in subsequent responses. corresponding response. This is useful in cases where deployment
choices are offered, and the generic design can be made available for
o Useful in cases where deployment choices are offered and the a number of applications.
generic design can be made available for a number of applications.
Note that this list is not meant to be comprehensive.
When used in a new application, protocol designers should clearly When used in a new application, protocol designers should clearly
specify this end-to-end capabilities exchange and the corresponding specify this end-to-end capabilities exchange and the corresponding
behaviour of the Diameter nodes supporting the application. behaviour of the Diameter nodes supporting the application.
5.10. Diameter accounting support It is also important to note that this end-to-end capabilities
exchange relying on the use of optional AVPs is not meant as a
generic mechanism to support extensibility of Diameter applications
with arbitrary functionalities. When the added features drastically
change the Diameter application or when Diameter agents have to be
upgraded to support the new features, a new application should be
defined.
Accounting can be treated as an auxiliary application which is used 5.10. Diameter Accounting Support
in support of other applications. In most cases, accounting support
is required when defining new applications. This document provides Accounting can be treated as an auxiliary application that is used in
support of other applications. In most cases, accounting support is
required when defining new applications. This document provides
two(2) possible models for using accounting: two(2) possible models for using accounting:
Split Accounting Model Split Accounting Model
In this model, the accounting messages will use the Diameter base In this model, the accounting messages will use the Diameter base
accounting application ID (value of 3). The design implication accounting application ID (value of 3). The design implication
for this is that the accounting is treated as an independent for this is that the accounting is treated as an independent
application, especially during Diameter routing. This means that application, especially during Diameter routing. This means that
accounting commands emanating from an application may be routed accounting commands emanating from an application may be routed
separately from the rest of the other application messages. This separately from the rest of the other application messages. This
may also imply that the messages generally end up in a central may also imply that the messages end up in a central accounting
accounting server. A split accounting model is a good design server. A split accounting model is a good design choice when:
choice when:
* The application itself will not define its own unique * The application itself will not define its own unique
accounting commands. accounting commands.
* The overall system architecture permits the use of centralized * The overall system architecture permits the use of centralized
accounting for one or more Diameter applications. accounting for one or more Diameter applications.
Centralizing accounting may have advantages but there are also Centralizing accounting may have advantages but there are also
drawbacks. The model assumes that the accounting server can drawbacks. The model assumes that the accounting server can
somehow differentiate received accounting messages. Since the differentiate received accounting messages. Since the received
received accounting messages can be for any application and/or accounting messages can be for any application and/or service, the
service, the accounting server has to be have a method to uniquely accounting server has to have a method to match accounting
match accounting messages with applications and/or services being messages with applications and/or services being accounted for.
accounted for. This may mean defining new AVPs, checking the This may mean defining new AVPs, checking the presence, absence or
presence, absence or contents of existing AVPs or checking the contents of existing AVPs, or checking the contents of the
contents of the accounting records itself. But in general, there accounting record itself. But in general, there is no clean and
is no clean and generic scheme for sorting these messages. generic scheme for sorting these messages. Therefore, the use of
Therefore, the use of this model is recommended only when all this model is recommended only when all received accounting
received accounting messages can be clearly identified and sorted. messages can be clearly identified and sorted. For most cases,
For most cases, the use of Coupled Accounting Model is the use of Coupled Accounting Model is recommended.
recommended.
Coupled Accounting Model Coupled Accounting Model
In this model, the accounting messages will use the application ID In this model, the accounting messages will use the application ID
of the application using the accounting service. The design of the application using the accounting service. The design
implication for this is that the accounting messages are tightly implication for this is that the accounting messages are tightly
coupled with the application itself; meaning that accounting coupled with the application itself; meaning that accounting
messages will be routed like any other application messages. It messages will be routed like any other application messages. It
would then be the responsibility of the application server would then be the responsibility of the application server
(application entity receiving the ACR message) to send the (application entity receiving the ACR message) to send the
skipping to change at page 20, line 17 skipping to change at page 20, line 4
etc. This includes attempting to support older accounting etc. This includes attempting to support older accounting
systems that are not Diameter aware. systems that are not Diameter aware.
In all cases above, there will generally be no direct Diameter In all cases above, there will generally be no direct Diameter
access to the accounting server. access to the accounting server.
These models provide a basis for using accounting messages. These models provide a basis for using accounting messages.
Application designers may obviously deviate from these models Application designers may obviously deviate from these models
provided that the factors being addressed here have also been taken provided that the factors being addressed here have also been taken
into account. Though it is not recommended, examples of other into account. Though it is not recommended, examples of other
methods might be defining a new set of commands to carry application methods might be defining a new set of commands to carry application-
specific accounting records. specific accounting records.
5.11. Diameter security mechanisms 5.11. Diameter Security Mechanisms
As specified in [I-D.ietf-dime-rfc3588bis], the Diameter message As specified in [I-D.ietf-dime-rfc3588bis], the Diameter message
exchange should be secured by using TLS/TCP or DTLS/SCTP. However, exchange should be secured by using TLS/TCP or DTLS/SCTP. However,
IPsec Additional security mechanisms such as IPsec can also be IPsec can also be deployed to secure connections between Diameter
deployed to secure connections between Diameter peers. When IPsec is peers. When IPsec is used instead of TLS or DTLS, the following
used instead of TLS or DTLS, the following recommendations apply. recommendations apply.
IPsec ESP 5.3 [RFC4301] in transport mode with non-null encryption IPsec ESP 5.3 [RFC4301] in transport mode with non-null encryption
and authentication algorithms is used to provide per-packet and authentication algorithms is used to provide per-packet
authentication, integrity protection and confidentiality, and support authentication, integrity protection and confidentiality, and support
the replay protection mechanisms of IPsec. IKE is used for peer the replay protection mechanisms of IPsec. IKE is used for peer
authentication, negotiation of security associations, and key authentication, negotiation of security associations, and key
management, using the IPsec DOI [RFC2407]. Peer authentication can management, using the IPsec DOI [RFC2407]. Peer authentication can
be achieved by using a pre-shared key or certificate-based peer be achieved by using a pre-shared key, or certificate-based peer
authentication using digital signatures can be used as alternative. authentication using digital signatures can be used as alternative.
Peer authentication using the public key encryption methods outlined Peer authentication using the public key encryption methods outlined
in IKE's Sections 5.2 and 5.3 [RFC2409] should not be used. in IKE's Sections 5.2 and 5.3 [RFC2409] should not be used.
Diameter implementations using IPsec as security mechanisms must Diameter implementations using IPsec as the security mechanism must
support both IKE Main Mode and Aggressive Mode. When pre-shared keys support both IKE Main Mode and Aggressive Mode. When pre-shared keys
are used for authentication, IKE Aggressive Mode should be used are used for authentication, IKE Aggressive Mode should be used
instead of IKE Main Mode. When digital signatures are used for instead of IKE Main Mode. When digital signatures are used for
authentication, either IKE Main Mode or IKE Aggressive Mode can be authentication, either IKE Main Mode or IKE Aggressive Mode can be
used. used.
When digital signatures are used to achieve authentication, an IKE When digital signatures are used to achieve authentication, an IKE
negotiator should use IKE Certificate Request Payload(s) to specify negotiator should use IKE Certificate Request Payload(s) to specify
the certificate authority (or authorities) that are trusted in the certificate authority (or authorities) that are trusted in
accordance with its local policy. IKE negotiators should use accordance with its local policy. IKE negotiators should use
skipping to change at page 22, line 31 skipping to change at page 22, line 31
o Backward compatibility: Dealing with existing applications that do o Backward compatibility: Dealing with existing applications that do
not understand the new extension. Designers also have to make not understand the new extension. Designers also have to make
sure that new extensions do not break expected message delivery sure that new extensions do not break expected message delivery
layer behavior. layer behavior.
o Forward compatibility: Making sure that the design will not o Forward compatibility: Making sure that the design will not
introduce undue restrictions for future applications. Future introduce undue restrictions for future applications. Future
applications attempting to support this feature should not have to applications attempting to support this feature should not have to
go through great lengths to implement any new extensions. go through great lengths to implement any new extensions.
o Tradeoffs in signaling: Designers may have to choose between the o Trade-off in signaling: Designers may have to choose between the
use of optional AVPs piggybacked onto existing commands versus use of optional AVPs piggybacked onto existing commands versus
defining new commands and applications. Optional AVPs are simpler defining new commands and applications. Optional AVPs are simpler
to implement and may not need changes to existing applications; to implement and may not need changes to existing applications.
However, the drawback is that the timing of sending extension data However, this ties the sending of extension data to the
will be tied to when the application would be sending a message. application's transmission of a message. This has consequences if
This has consequences if the application and the extensions have the application and the extensions have different timing
different timing requirements. The use of commands and requirements. The use of commands and applications solves this
applications solves this issue but the tradeoff is the additional issue, but the trade-off is the additional complexity of defining
complexity of defining and deploying a new application. It is and deploying a new application. It is left up to the designer to
left up to the designer to find a good balance among these find a good balance among these trade-offs based on the
tradeoffs based on the requirements of the extension. requirements of the extension.
In practice, it is often the case that the generic extensions use In practice, generic extensions often use optional AVPs because they
optional AVPs because it's simple and not intrusive to the are simple and non-intrusive to the application that would carry
application that would carry it. Peers that do not support the them. Peers that do not support the generic extensions need not
generic extensions need not understand nor recognize these optional understand nor recognize these optional AVPs. However, it is
AVPs. However, it is recommended that the authors of the extension recommended that the authors of the extension specify the context or
specify the context or usage of the optional AVPs. As an example, in usage of the optional AVPs. As an example, in the case that the AVP
the case that the AVP can be used only by a specific set of can be used only by a specific set of applications then the
applications then the specification must enumerate these applications specification must enumerate these applications and the scenarios
and the scenarios when the optional AVPs will be used. In the case when the optional AVPs will be used. In the case where the optional
where the optional AVPs can be carried by any application, it is AVPs can be carried by any application, it is should be sufficient to
should be sufficient to specify such a use case and perhaps provide specify such a use case and perhaps provide specific examples of
specific examples of applications using them. applications using them.
In most cases, these optional AVPs piggybacked by applications would In most cases, these optional AVPs piggybacked by applications would
be defined as a Grouped AVP and it would encapsulate all the be defined as a Grouped AVP and it would encapsulate all the
functionality of the generic extension. In practice, it is not functionality of the generic extension. In practice, it is not
uncommon that the Grouped AVP will encapsulate an existing AVP that uncommon that the Grouped AVP will encapsulate an existing AVP that
has previously been defined as mandatory ('M'-bit set) e.g., 3GPP IMS has previously been defined as mandatory ('M'-bit set) e.g., 3GPP IMS
Cx/Dx interfaces ([TS29.228] and [TS29.229]). Cx/Dx interfaces ([TS29.228] and [TS29.229]).
7. IANA Considerations 7. IANA Considerations
This document does not require actions by IANA. This document does not require actions by IANA.
8. Security Considerations 8. Security Considerations
This document does provides guidelines and considerations for This document provides guidelines and considerations for extending
extending Diameter and Diameter applications. It does not define nor Diameter and Diameter applications. It does not define nor address
address security related protocols or schemes. security-related protocols or schemes.
9. Contributors 9. Contributors
The content of this document was influenced by a design team created The content of this document was influenced by a design team created
to revisit the Diameter extensibility rules. The team consisting of to revisit the Diameter extensibility rules. The team consisting of
the members listed below was formed in February 2008 and finished its the members listed below was formed in February 2008 and finished its
work in June 2008. work in June 2008.
o Avi Lior o Avi Lior
skipping to change at page 27, line 9 skipping to change at page 27, line 9
o Dave Frascone o Dave Frascone
We would like to thank Tolga Asveren, Glenn McGregor, and John We would like to thank Tolga Asveren, Glenn McGregor, and John
Loughney for their contributions as co-authors to earlier versions of Loughney for their contributions as co-authors to earlier versions of
this document. this document.
10. Acknowledgments 10. Acknowledgments
We greatly appreciate the insight provided by Diameter implementers We greatly appreciate the insight provided by Diameter implementers
who have highlighted the issues and concerns being addressed by this who have highlighted the issues and concerns being addressed by this
document. document. The authors would also like to thank A. Jean Mahoney and
Ben Campbell for their invaluable detailed review and comments on
this document.
11. References 11. References
11.1. Normative References 11.1. Normative References
[I-D.ietf-dime-rfc3588bis] [I-D.ietf-dime-rfc3588bis]
Fajardo, V., Arkko, J., Loughney, J., and G. Zorn, Fajardo, V., Arkko, J., Loughney, J., and G. Zorn,
"Diameter Base Protocol", draft-ietf-dime-rfc3588bis-34 "Diameter Base Protocol", draft-ietf-dime-rfc3588bis-34
(work in progress), June 2012. (work in progress), June 2012.
 End of changes. 87 change blocks. 
244 lines changed or deleted 236 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/