idnits 2.17.1 

draft-calhoun-diameter-accounting-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents. 

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  == The page length should not exceed 58 lines per page, but there was 21
     longer pages, the longest (page 2) being 60 lines

  == It seems as if not all pages are separated by form feeds - found 0 form
     feeds but 22 pages


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.

  ** There is 1 instance of too long lines in the document, the longest one
     being 1 character in excess of 72.

  ** The abstract seems to contain references ([2], [3], [10]), which it
     shouldn't.  Please replace those with straight textual mentions of the
     documents in question.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == Line 963 has weird spacing: '... copied  and  ...'

  == Line 964 has weird spacing: '...s,  and  deriv...'

  == Line 966 has weird spacing: '...blished  and d...'

  == Line 967 has weird spacing: '...hat the  above...'

  == Line 968 has weird spacing: '...   and  this  ...'

  == (5 more instances...)

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords. 

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- Couldn't find a document date in the document -- date freshness check
     skipped.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: '4' is defined on line 899, but no explicit reference
     was found in the text

  == Unused Reference: '5' is defined on line 902, but no explicit reference
     was found in the text

  == Outdated reference: A later version (-18) exists of
     draft-calhoun-diameter-08

  -- Possible downref: Normative reference to a draft: ref. '1' 

  -- No information found for draft-calhoun-diameter-auth - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. '2' 

  == Outdated reference: A later version (-12) exists of
     draft-calhoun-diameter-mobileip-02

  -- Possible downref: Normative reference to a draft: ref. '3' 

  ** Obsolete normative reference: RFC 2138 (ref. '4') (Obsoleted by RFC 2865)

  ** Obsolete normative reference: RFC 2139 (ref. '5') (Obsoleted by RFC 2866)

  -- Possible downref: Normative reference to a draft: ref. '7' 

  ** Obsolete normative reference: RFC 2434 (ref. '8') (Obsoleted by RFC 5226)

  == Outdated reference: A later version (-04) exists of
     draft-calhoun-diameter-proxy-02

  -- Possible downref: Normative reference to a draft: ref. '9' 

  == Outdated reference: A later version (-08) exists of
     draft-ietf-roamops-actng-05

  -- Possible downref: Normative reference to a draft: ref. '10' 

  == Outdated reference: A later version (-02) exists of draft-aboba-acct-01

  -- Possible downref: Normative reference to a draft: ref. '11' 


     Summary: 11 errors (**), 0 flaws (~~), 17 warnings (==), 10 comments
     (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	INTERNET DRAFT                                                Jari Arkko
2	Category: Standards Track                              Oy LM Ericsson Ab
3	Title: draft-calhoun-diameter-accounting-00.txt           Pat R. Calhoun
4	Date: September 1999                              Sun Microsystems, Inc.
5	                                                            Pankaj Patel
6	                                                   Convergys Corporation
7	                                                               Glen Zorn
8	                                                   Microsoft Corporation

10	                     DIAMETER Accounting Extension

12	Status of this Memo

14	   This document is an individual contribution for consideration by the
15	   AAA Working Group of the Internet Engineering Task Force.  Comments
16	   should be submitted to the diameter@ipass.com mailing list.

18	   Distribution of this memo is unlimited.

20	   This document is an Internet-Draft and is in full conformance with
21	   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
22	   documents of the Internet Engineering Task Force (IETF), its areas,
23	   and its working groups.  Note that other groups may also distribute
24	   working documents as Internet-Drafts.

26	   Internet-Drafts are draft documents valid for a maximum of six months
27	   and may be updated, replaced, or obsoleted by other documents at
28	   any time.  It is inappropriate to use Internet-Drafts as reference
29	   material or to cite them other than as "work in progress."

31	   The list of current Internet-Drafts can be accessed at:

33	      http://www.ietf.org/ietf/1id-abstracts.txt

35	   The list of Internet-Draft Shadow Directories can be accessed at:

37	      http://www.ietf.org/shadow.html.

39	Abstract

41	   The DIAMETER protocol provides Authentication and Authorization for
42	   dial-up PPP clients [2] and for Mobile-IP [3]. The ROAMOPS WG has
43	   been working on an accounting data format, called Accounting Data
44	   Interchange Format (ADIF) [10], as a method to transfer accounting
45	   information over a wide variety of transports. This document describes
46	   how ADIF can be securely transmitted over the DIAMETER protocol.

48	Table of Contents

50	      1.0  Introduction
51	            1.1  Copyright Statement
52	            1.2  Requirements language
53	      2.0  Command Codes
54	            2.1  Accounting-Request
55	            2.2  Accounting-Answer
56	      3.0  DIAMETER AVPs
57	            3.1  Accounting-Session-Id
58	            3.2  Accounting-Record-Type
59	            3.3  ADIF-Record
60	            3.4  Accounting-Confirmation
61	            3.5  Accounting-Digital-Signature
62	            3.6  Accounting-Certificate
63	      4.0  Protocol overview
64	      4.1  Use of Accounting Certificate
65	      5.0  IANA Considerations
66	      6.0  Acknowledgments
67	      7.0  References
68	      8.0  Authors' Addresses
69	      9.0 Full Copyright Statement

71	1.0  Introduction

73	   The DIAMETER protocol provides Authentication and Authorization for
74	   dial-up PPP clients [2] and for Mobile-IP [3]. The ROAMOPS WG has
75	   been working on an accounting data format, called Accounting Data
76	   Interchange Format (ADIF) [10], as a method to transfer accounting
77	   information over a wide variety of transports. This document
78	   describes how ADIF can be securely transmitted over the DIAMETER
79	   protocol.

81	   This document describes how Accounting Records can be transmitted
82	   within the DIAMETER protocol in a secure fashion, even when the
83	   messages must traverse DIAMETER proxies [1, 9]. This extension allows
84	   for both real-time and batched accounting transfers.

86	   This document introduces AVPs that are very similar to some found in
87	   the base [1] and the end-to-end security extension [9]. However,
88	   since this extension requires that the AVPs in question must have
89	   bits set which are not currently permitted in both the stated drafts,
90	   a new version of the AVP has been defined here. However, a future
91	   version of this document may make use of the original AVPs once the
92	   [1] and [9] have been corrected. If there is interest in this
93	   extension, the impact of changing [1] and [9] must be carefully
94	   evaluated.

96	   The Extension number for this draft is five (5). This value is used
97	   in the Extension-Id Attribute value Pair (AVP) as defined in [7].

99	1.1  Copyright Statement

101	   Copyright   (C) The Internet Society 1999.  All Rights Reserved.

103	1.2  Requirements language

105	   In this document, the key words "MAY", "MUST, "MUST NOT", "optional",
106	   "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as
107	   described in [6].

109	2.0  Command Codes

111	   This section will define the Commands [1] for DIAMETER
112	   implementations supporting the Mobile IP extension.

114	      Command Name          Command Code
115	      -----------------------------------
116	      Accounting-Request        ???
117	      Accounting-Answer         ???

119	2.1  Accounting-Request

121	   Description

123	      The Accounting-Request command is sent by a DIAMETER node in order
124	      to exchange accounting information with a peer. The Accounting
125	      information is contained within an ADIF record, as described in
126	      [10].

128	      The Accounting-request command MAY contain accounting information
129	      for more than a single session, which allows it to send batched
130	      accounting information. When the batch mode is used, the session-
131	      Id AVP [1] and the Digital-Signature AVP [6] MUST be present, and
132	      MUST have a tag of the same value as the ADIF-Record AVP.

134	   Message Format

136	      <Accounting-Request> ::= <DIAMETER Header>
137	                               <Accounting-Request Command AVP>
138	                               <Host-IP-Address AVP>
139	                               [<Host-Name AVP>]
140	                               (<Accounting-Session-Id AVP> &&
141	                                <Accounting-Record-Type> &&
142	                                <User-Name AVP> &&
143	                                <ADIF-Record AVP> &&
144	                                <Accounting-Digital-Signature AVP)
145	                               <Timestamp AVP>
146	                               <Initialization-Vector AVP>
147	                               {<Integrity-Check-Vector AVP> ||
148	                                <Digital-Signature AVP }

150	   AVP Format

152	      A summary of the Accounting-Request packet format is shown below.
153	      The fields are transmitted from left to right.

155	      0                   1                   2                   3
156	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
157	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
158	      |                           AVP Code                            |
159	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
160	      |          AVP Length           |CFlags |C|Z|Reservd|P|E|T|V|H|M|
161	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
162	      |                         Command Code                          |
163	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

165	      AVP Code

167	         256     DIAMETER Command

169	      AVP Length

171	         The length of this attribute MUST be 12.

173	      Command Flags

175	         The Command Flags MUST be set to zero.

177	      AVP Flags

179	         The 'M' bit MUST be set. The 'P' bits MAY be set if end to end
180	         message integrity is required.  The 'E', 'V', 'H' and 'T' bits
181	         MUST NOT be set.

183	      Command Code

185	         The Command Code field MUST be set to ??? (Accounting-Request).

187	2.2  Accounting-Answer

189	   Description

191	      The Accounting-Answer command is used to acknowledge an
192	      Accounting-Request command. The Accounting-Answer command contains
193	      the same Accounting-Session-Id AVP that was sent in the
194	      Accounting-Request command, and the MD5 hash in Accounting-
195	      Confirmation AVP forms a confirmation that the right accounting
196	      record was accepted.  This can be signed using the Accounting-
197	      Digital-Signature AVP for end-to-end message integrity and
198	      possible non-repudiation.

200	      Only the target DIAMETER Server, known as the home DIAMETER
201	      Server, SHOULD respond with the Accounting-Answer command.

203	      If the Accounting-Request command contained more than one ADIF-
204	      Record AVP, the Accounting-Answer SHOULD contain the same number
205	      of ADIF-Record AVPs. However, it is possible for the DIAMETER
206	      Server to acknowledge each ADIF-Record in a separate response.
207	      This allows the sender of the ADIF-Records to send a batch of
208	      records, whose final destination are different.

210	   Message Format

212	      <Accounting-Answer> ::= <DIAMETER Header>
213	                              <Accounting-Answer Command AVP>
214	                              <Result-Code AVP>
215	                              <Host-IP-Address AVP>
216	                              [<Host-Name AVP>]
217	                              (<Accounting-Session-Id AVP> &&
218	                               <Result-Code AVP>
219	                               <Accounting-Confirmation AVP> &&
220	                               <Accounting-Digital-Signature AVP)
221	                              <Timestamp AVP>
222	                              <Initialization-Vector AVP>
223	                              {<Integrity-Check-Vector AVP> ||
224	                               <Digital-Signature AVP }

226	   AVP Format

228	      A summary of the Accounting-Answer packet format is shown below.
229	      The fields are transmitted from left to right.

231	      0                   1                   2                   3
232	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
233	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
234	      |                           AVP Code                            |
235	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
236	      |          AVP Length           |CFlags |C|Z|Reservd|P|E|T|V|H|M|
237	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
238	      |                         Command Code                          |
239	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

241	      AVP Code

243	         256     DIAMETER Command

245	      AVP Length

247	         The length of this attribute MUST be 12.

249	      Command Flags

251	         The Command Flags MUST be set to zero.

253	      AVP Flags

255	         The 'M' bit MUST be set. The 'P' bits MAY be set if end to end
256	         message integrity is required.  The 'E', 'V', 'H' and 'T' bits
257	         MUST NOT be set.

259	      Command Code

261	         The Command Code field MUST be set to ??? (DIAMETER-EAP-
262	         Answer).

264	3.0  DIAMETER AVPs

266	   This section will define the mandatory AVPs which MUST be supported
267	   by all DIAMETER implementations supporting this extension. The
268	   following AVPs are defined in this document:

270	      Attribute Name               Attribute Code
271	      -------------------------------------------
272	      Accounting-Session-Id             ???
273	      Accounting-Record-Type            ???
274	      ADIF-Record                       ???
275	      Accounting-Confirmation           ???
276	      Accounting-Digital-Signature      ???
277	      Accounting-Interim-Interval       ???

279	3.1  Accounting-Session-Id

281	   Description

283	      The Accounting-Session-Id AVP contains the same value as the
284	      session-Id [1] AVP, but has different rules. This AVP MAY
285	      have the tag bit set in order to allow accounting records to
286	      be sent in batches via the DIAMETER protocol.

288	   AVP Format

290	      0                   1                   2                   3
291	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
292	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
293	      |                           AVP Code                            |
294	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
295	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
296	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
297	      |    Data ...
298	      +-+-+-+-+-+-+-+-+

300	      AVP Code

302	         ???    Accounting-Session-Id

304	      AVP Length

306	         The length of this attribute MUST be at least 8.

308	      AVP Flags

310	         The 'M' bit MUST be set. The 'T' bit MAY be set if more than
311	         one Accounting record is being sent in an Accounting-Request
312	         message.  The 'P' bit MAY be set if end to end message
313	         integrity is required, but may not be necessary if the
314	         Accounting-Digital-Signature is used.  The 'H', 'E', 'V' bits
315	         MUST NOT be set.

317	      Data

319	         The Data field contains a Session-Id AVP as defined in [1].

321	3.2  Accounting-Record-Type
322	   Description

324	      The Accounting-Record-Type AVP contains the type of record that
325	      can be found in the ADIF-Record AVP.

327	   AVP Format

329	      0                   1                   2                   3
330	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
331	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
332	      |                           AVP Code                            |
333	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
334	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
335	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
336	      |                           Integer32                           |
337	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

339	      AVP Code

341	         ???    Accounting-Record-Type

343	      AVP Length

345	         The length of this attribute MUST be at least 8.

347	      AVP Flags

349	         The 'M' bit MUST be set. The 'T' bit MAY be set if more than
350	         one Accounting record is being sent in an Accounting-Request
351	         message.  The 'P' bit MAY be set if end to end message
352	         integrity is required, but may not be necessary if the
353	         Accounting-Digital-Signature is used.  The 'H', 'E', 'V' bits
354	         MUST NOT be set.

356	      Integer32

358	         The Integer32 field contains the record type that can be found
359	         in the ADIF-Record AVP. The following values are currently
360	         defined:

362	            EVENT_RECORD                    1
363	               An Accounting Event Record is used to indicate a service
364	               of indivisible nature has occurred.  This record contains
365	               all information relevant to the service, and is the only
366	               record of the service.

368	            SESSION_RECORD                  2
369	               An Accounting Session Record is used to indicate that a
370	               service of a measurable length has been given. This
371	               record contains all information relevant to the service,
372	               and is the only record of the service.

374	            START_RECORD                    3
375	               An Accounting Start Record is used to initiate an
376	               accounting session, and contains accounting information
377	               that is relevant to the initiation of the session.

379	            INTERIM_RECORD                  4
380	               An Interim Accounting Record contains cumulative
381	               accounting information for an existing Accounting
382	               session. Interim Accounting Records SHOULD be sent
383	               everytime a re-authentication or re-authorization occurs.

385	            STOP_RECORD                     5
386	               An Accounting Stop Record is sent to terminate an
387	               accounting session and contains cumulative accounting
388	               information relevant to the existing session.

390	         START_RECORD, INTERIM_RECORD, and STOP_RECORD are used as an
391	         alternative mechanism to represent SESSION_RECORDs, but to give
392	         more timely information about the session to the DIAMETER
393	         Server. The selection of whether to use these records is
394	         directed by the Accounting-Interim-Interval AVP.

396	3.3  ADIF-Record

398	   Description

400	      This attribute contains an ADIF record, as defined in [10].

402	   AVP Format

404	      0                   1                   2                   3
405	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
406	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
407	      |                           AVP Code                            |
408	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
409	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
410	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
411	      |    Data ...
412	      +-+-+-+-+-+-+-+-+

414	      AVP Code

416	         ???    ADIF-Record

418	      AVP Length

420	         The length of this attribute MUST be at least 8.

422	      AVP Flags

424	         The 'M' bit MUST be set. The 'T' bit MAY be set if more than
425	         one Accounting record is being sent in an Accounting-Request
426	         message.  The 'P' bit MAY be set if end to end message
427	         integrity is required, but may not be necessary if the
428	         Accounting-Digital-Signature is used.  The 'H', 'E', 'V' bits
429	         MUST NOT be set.

431	      Data

433	         The Data field contains an ADIF payload as defined in [10].

435	3.4  Accounting-Confirmation

437	   Description

439	      This AVP contains an MD5 hash of a previous ADIF-Record, and is
440	      used to confirm receipt of the ADIF-Record. When signed via the
441	      Accounting-Digital-Signature, this AVP provides the sender of the
442	      Accounting-Request with proof that the receiver accepted the
443	      Accounting record.

445	   AVP Format

447	      0                   1                   2                   3
448	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
449	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
450	      |                           AVP Code                            |
451	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
452	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
453	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
454	      |    Data ...
455	      +-+-+-+-+-+-+-+-+

457	      AVP Code

459	         ???    Accounting-Confirmation

461	      AVP Length

463	         The length of this attribute MUST be at least 8.

465	      AVP Flags

467	         The 'M' bit MUST be set. The 'T' bit MAY be set if more than
468	         one Accounting record is being sent in an Accounting-Request
469	         message.  The 'P' bit MAY be set if end to end message
470	         integrity is required, but may not be necessary if the
471	         Accounting-Digital-Signature is used.  The 'H', 'E', 'V' bits
472	         MUST NOT be set.

474	      Data

476	         The Data field contains an MD5 hash of the ADIF-Record AVP
477	         being confirmed.

479	3.5  Accounting-Digital-Signature

481	   Description

483	      The Accounting-Digital-Signature is similar to the Digital-
484	      Signature described in [9], except that it is used to sign all
485	      AVPs with the same tag value as the one found in this AVP.

487	   AVP Format

489	      0                   1                   2                   3
490	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
491	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
492	      |                           AVP Code                            |
493	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
494	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
495	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
496	      |                            Address                            |
497	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
498	      |                          Transform ID                         |
499	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
500	      |    Data ...
501	      +-+-+-+-+-+-+-+-+

503	      AVP Code

505	         ???    Accounting-Digital-Signature

507	      AVP Length

509	         The length of this attribute MUST be at least 17.

511	      AVP Flags
512	         The 'M' and 'T' bits MUST be set. The 'P', 'H', 'E' and 'V'
513	         bits MUST NOT be set.

515	      Address

517	         The Address field contains the IP address of the DIAMETER host
518	         which generated the Digital-Signature.

520	      Transform ID

522	         The Transform ID field contains a value that identifies the
523	         transform that was used to compute the signature. The following
524	         values are defined in this document:

526	         RSA [9]          1

528	      Data

530	         The Data field contains a digital signature of all AVPs within
531	         the message that have the same AVP tag as the one found in this
532	         AVP.

534	3.6  Accounting-Certificate

536	   Description

538	      The Accounting-Certificate AVP is created by the home DIAMETER
539	      server as a result of a successful Authentication and/or
540	      Authorization. This "token" is used in the subsequent Accounting-
541	      Request messages as a proof that the user was in fact authorized
542	      for the service. The document [7] and section 4.1 provides further
543	      information on this AVP.

545	   AVP Format
546	      0                   1                   2                   3
547	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
548	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
549	      |                           AVP Code                            |
550	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
551	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
552	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
553	      |      Length of Session-Id     |Length of Accounting-Session-Id|
554	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
555	      |      Length of User-Name      |  Length of Digital-Signature  |
556	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
557	      |  Digital-Signature Transform  |           Reserved            |
558	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
559	      |                       Session-Lifetime                        |
560	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
561	      |                           Timestamp                           |
562	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
563	      |         Session-Id...         |     Accounting-Session-Id     |
564	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
565	      |         User-Name...          |     Digital-Signature...
566	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

568	      AVP Code

570	         ???    Accounting-Certificate

572	      AVP Length

574	         The length of this attribute MUST be at least 32.

576	      AVP Flags

578	         The 'M' bit MUST be set. The 'T' bit MAY be set if more than
579	         one Accounting record is being sent in an Accounting-Request
580	         message.  The 'P' bit MAY be set if end to end message
581	         integrity is required, but may not be necessary if the
582	         Accounting-Digital-Signature is used.  The 'H', 'E', 'V' bits
583	         MUST NOT be set.

585	      Length of Session-Id

587	         This 16 bit field contains the length of the Session-Id field
588	         found in this AVP.

590	      Length of Accounting-Session-Id

592	         This 16 bit field contains the length of the locally generated
593	         Accounting-Session-Id value that is found in this AVP.

595	      Length of User-Name

597	         This 16 bit field contains the length of the User-Name field
598	         found in this AVP.

600	      Length of Digital-Signature

602	         This 16 bit field contains the length of the Digital-Signature
603	         field found in this AVP.

605	      Digital-Signature Transform

607	         This 16 bit field contains the transform used to generate the
608	         Digital-Signature field, as defined in the Digital-Signature
609	         AVP in [9].

611	      Session-Lifetime

613	         This 32 bit field contains the number of seconds that the
614	         session has been autorized for. This field MUST be the same as
615	         the value of the Session-Timeout AVP [1].

617	      TimeStamp

619	         This 32 bit field contains a timestamp representing when this
620	         AVP was created. The format of this field is identical to the
621	         Timestamp AVP defined in [1].

623	      Session-Id

625	         This variable length field contains the Session-Id, and MUST be
626	         identical to the value found in the Session-Id AVP [1].

628	      Accounting-Session-Id

630	         This variable length field contains a Session-Id created by the
631	         home DIAMETER server for the purposes to matching accounting
632	         records.

634	      User-Name

636	         This variable length field contains the User-Name and MUST be
637	         identical to the value of the User-Name AVP [1].

639	      Digital-Signature

641	         This variable length field contains a signature of the AVP's
642	         data, not including the AVP header and is generated using the
643	         transform specified in the Digital-Signature-Transform field.

645	3.7  Accounting-Interim-Interval

647	   Description

649	      The Accounting-Interim-Interval AVP is sent from the DIAMETER
650	      authenticating/authorizing server to the DIAMETER Client. The
651	      Client uses information in the AVP to decide how and when to
652	      produce accounting records. With different values in this AVP,
653	      service sessions can result in one, two, or two+N accounting
654	      records, based on the needs of the home-organization.

656	   AVP Format

658	      0                   1                   2                   3
659	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
660	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
661	      |                           AVP Code                            |
662	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
663	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
664	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
665	      |                             Value                             |
666	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

668	      AVP Code

670	         ???    Accounting-Interim-Interval

672	      AVP Length

674	         The length of this attribute MUST be 12.

676	      AVP Flags

678	         As defined in the DIAMETER Base Protocol.

680	      Value

682	         The following accounting record production behaviour is
683	         directed by the inclusion of this AVP:

685	            1. The omission of the Accounting-Interim-Interval AVP means
686	            that only a SESSION_RECORD or EVENT_RECORD records are
687	            produced from the service.

689	            2. The inclusion of the AVP with Value field set to 0 means
690	            that START_RECORD and STOP_RECORD records are produced.

692	            3. The inclusion of the AVP with Value field set to a non-
693	            zero value means that START_RECORD, INTERIM_RECORD, and
694	            STOP_RECORD records are produced. The DIAMETER Client SHOULD
695	            that INTERIM_RECORD records are produced roughly in with the
696	            interval which is the number in the Value field of this AVP
697	            interpreted as the number of seconds. The Client MUST ensure
698	            that the interim record production times are randomized so
699	            that large accounting packet storms are not created either
700	            among records or around a common service start time.

702	4.0  Protocol overview

704	   This accounting protocol is based on an authorization-server directed
705	   model with capabilities for both efficient batch and fast real-time
706	   delivery of accounting information. Several fault resilience methods
707	   [11] have been built in to the protocol in order minimize loss of
708	   accounting data in various fault situations and under different
709	   assumptions about the capabilities of the used devices.

711	4.1  Authorization-Server Directed Model

713	   The authorization-server directed model means that at authorization
714	   time, the device generating the accounting data gets information from
715	   the authorization server regarding the way accounting data shall be
716	   forwarded. This information includes a certificate to prove that the
717	   session truly was authorized, as well as accounting record timeliness
718	   requirements.

720	   When the user's home DIAMETER Server successfully authenticates
721	   and/or authorizes a session, it generates the Accounting-Certificate
722	   AVP that is returned in the response. The document [7] describes a
723	   possible format for the AVP, which is also described in section 3.6.

725	   As discussed in [11], batch transfer of accounting data is more CPU-
726	   and bandwidth efficient than real-time transfer.  However, there are
727	   many applications where real-time transfer is a requirement for at
728	   least some of the accounting records.  These applications include
729	   roaming, where most (local) accounting records can be transferred in
730	   batch mode, but roaming (visiting) accounting records should be
731	   transferred fast due to the needs of credit limit checks and fraud
732	   detection. For these reasons this accounting protocol defines both
733	   batch and real-time transfer modes, and allows their use
734	   simultaneously. The authorization server (chain) directs the
735	   selection of proper transfer strategy, based on its knowledge of the
736	   user and relationships of roaming partnerships. The server (or
737	   proxies in between) use the Accounting-Delivery-Max-Batch,
738	   Accounting-Delivery- Max-Delay, and Accounting-Interim-Interval AVPs
739	   to control the operation of the DIAMETER Client. The first two
740	   attributes set the requirements in terms of number of records and
741	   maximum delay before accounting data transfer for this session SHOULD
742	   begin.  The DIAMETER Client MAY deliver the data earlier due to a
743	   full batch of records, device reboot, lack of memory, or explicit
744	   configuration. The DIAMETER Client MUST begin the transfer in the
745	   given limits unless prevented from doing so by network partitions,
746	   client or server failures, network congestion, or client overload.

748	   The Accounting-Interim-Interval AVP, when present, instructs the
749	   DIAMETER Client to produce accounting records continuously even
750	   during a session.

752	   Typically, the authorization server uses a few batching/real-time
753	   classes, such as the local users whose data might be transferred once
754	   in an hour and the roaming users whose data would be transferred
755	   immediately. Each Accounting-Delivery-Max-Batch / Accounting-
756	   Delivery- Max-Delay AVP pair with different values forms one pool of
757	   accounting data in the DIAMETER Client. That is, a new record is
758	   placed to same pool as the previous one if the authorization server
759	   returned same values for both AVPs and the pool has not been emptied
760	   in between.

762	4.2  Protocol Messages

764	   The DIAMETER Client generating the accounting data will use the
765	   Accounting-Request message to send one or more accounting records to
766	   the DIAMETER Server. The Server MUST reply with the Accounting-Answer
767	   message with appropriate confirmations.

769	   It is possible that a DIAMETER Proxy breaks up a batch of accounting
770	   records and sends them towards different DIAMETER Home Servers. In
771	   this case it is possible that a separate Accounting-Answer message
772	   contain the response for each block.  Therefore, a Client MUST be
773	   prepared to handle this scenario.

775	   Upon receipt of an Accounting-Request, a home DIAMETER Server MUST
776	   generate a response. The response includes the Result-Code, which MAY
777	   contain an error if the ADIF-Record, or some other AVP, is not
778	   acceptable. Furthermore, an Accounting-Confirmation MUST be returned.
779	   The Accounting-Confirmation is an MD5 hash of the ADIF-Record data
780	   which is being confirmed.

782	   Each DIAMETER Accounting protocol message MAY be compressed using
783	   IPComp in order to reduce the used network bandwidth.  DIAMETER peers
784	   MUST use a negotiation mechanisms such as ISAKMP/IKE in order to
785	   ensure that both peers are able to handle IPComp. Note that it
786	   usually makes sense to compress only Accounting-Request messages with
787	   possibly lengthy ADIF data, not Accounting-Answer messages.

789	4.3  Fault Resilience

791	   DIAMETER Base protocol mechanisms are used to overcome small packet
792	   loss and network faults of temporary nature.

794	   DIAMETER Clients MUST implement the use of alternate servers to guard
795	   against server failures and certain network failures. DIAMETER
796	   Servers or related off-line processing systems MUST detect duplicate
797	   accounting records caused by the sending of same record to several
798	   servers and duplication of messages in transit. This detection MUST
799	   be based on the inspection of Accounting-Record-Id and Host-IP-
800	   Address AVP pairs.

802	   DIAMETER Clients MAY have non-volatile memory for the safe storage of
803	   accounting records over reboots or extended network failures, network
804	   partitions, and server failures. If such memory is available the
805	   Client SHOULD store new accounting records there as soon as the
806	   records are created and until a positive acknowledgement of their
807	   reception from the DIAMETER Server has been received. Upon a reboot,
808	   the Client MUST starting sending the records in the non-volatile
809	   memory to the accounting server with appropriate modifications in
810	   termination cause, session length, and other relevant information in
811	   the records.

813	   A further extension of this protocol may include AVPs to control how
814	   many accounting records may at most be stored in the DIAMETER Client
815	   without committing them to the non-volatile memory or transferring
816	   them to the DIAMETER Server.

818	   The Client SHOULD NOT remove the accounting data from any of its
819	   memory areas before the correct Accounting-Answer has been received.
820	   The Client MAY remove oldest, undelivered or yet unacknowledged
821	   accounting data if it runs out of resources such as memory. It is an
822	   implementation dependent matter for the client to accept new sessions
823	   under this condition.

825	4.4  Session Records

827	   In all accounting records the Accounting-Session-Id AVP, ADIF-Record
828	   AVP, and User-Name AVPs MUST be present. If only one accounting
829	   record is present in the message, the whole message may be protected
830	   using the Digital-Signature, as defined in [9].

832	   However, if the accounting records are being in sent in batch mode,
833	   the sender can create several "blocks" of accounting records by
834	   making use of the AVP Tag field (bit 'T' [1]). Each block is
835	   individually signed, unless all blocks are destined for the same home
836	   DIAMETER Server.

838	   Different types of session records are sent depending on the actual
839	   type of accounted service and the authorization server's directions
840	   for interim accounting. If the accounted service is of an indivisible
841	   nature, then the Accounting-Record-Type AVP MUST be present and set
842	   to the value EVENT_RECORD. This can be used to account for services
843	   such as "send an e-mail to this wireless terminal". If the accounted
844	   service is of a measurable length, then the AVP MUST contain the
845	   value SESSION_RECORD. In both cases only one accounting record is
846	   generated.

848	   If the authorization server has directed interim accounting to be on
849	   but with no specified interim interval, two accounting records MUST
850	   be generated for each service of type SESSION_RECORD.  When the
851	   initial Accounting-Request is sent for a given session is sent, the
852	   Accounting-Record-Type AVP MUST be set to the value START_RECORD.
853	   When the last Accounting-Request is sent, the value MUST be
854	   STOP_RECORD.

856	   If a specified interim interval exists, the DIAMETER Client MUST
857	   produce additional records between the START_RECORD and STOP_RECORD,
858	   marked INTERIM_RECORD. The production of these records is directed
859	   both by Accounting-Interim-Interval as well as any re-authentication
860	   or -authorization of the session.  If a batch size of greater than 1
861	   has been specified by the authorization server, then the DIAMETER
862	   Client MUST ensure that new interim records overwrite previous
863	   interim records for the same session and batch as this reduces the
864	   amount of memory required to store the records. In effect, this means
865	   that interim records are delivered at least as often as dictated by
866	   Accounting-Delivery-Max-Delay.

868	5.0  IANA Considerations

870	   The numbers for the Command Code AVPs (section 2) is taken from the
871	   numbering space defined for Command Codes in [1]. The numbers for the
872	   various AVPs defined in section 3 were taken from the AVP numbering
873	   space defined in [1].  The numbering for the AVP and Command Codes
874	   MUST NOT conflict with values specified in [1] and other DIAMETER
875	   related Internet Drafts.

877	   This document introduces the Accounting-Record-Type AVP, which may
878	   contain pre-defined values. This document defines the values 1-3.
879	   All remaining values are available for assignment via IETF Consensus
880	   [8].

882	6.0  Acknowledgments

884	   Thanks to the various people that have contributed to accounting
885	   related requirements at the IETF. This document could not have been
886	   put together without all of those napkin design sessions.

888	7.0  References

890	   [1] P. R. Calhoun, A. Rubens, "DIAMETER Base Protocol",
891	       draft-calhoun-diameter-08.txt, Work in Progress,
892	       August 1999.
893	   [2] P. R. Calhoun, "DIAMETER Authentication Extension",
894	       draft-calhoun-diameter-auth-06.txt, Work in Progress,
895	       August 1999.
896	   [3] P. R. Calhoun, C. Perkins, "DIAMETER Mobile IP Extension",
897	       draft-calhoun-diameter-mobileip-02.txt, Work in Progress,
898	       August 1999.
899	   [4] C. Rigney, A. Rubens, W. Simpson, S. Willens, "Remote
900	       Authentication Dial In User Service (RADIUS)." RFC 2138,
901	       April 1997.
902	   [5] C. Rigney, "RADIUS Accounting." RFC 2139,  April 1997.
903	   [6] S. Bradner, "Key words for use in RFCs to Indicate
904	       Requirement Levels", BCP 14, RFC 2119, March 1997.
905	   [7] G. Zorn, P. R. Calhoun, "Limiting Fraud in Roaming",
906	       draft-ietf-roamops-fraud-limit-00.txt, May 1999.
907	   [8] Narten, Alvestrand,"Guidelines for Writing an IANA
908	       Considerations Section in RFCs", BCP 26, RFC 2434,
909	       October 1998
910	   [9] P. Calhoun, W. Bulley, "DIAMETER Proxy Server Extensions",
911	        draft-calhoun-diameter-proxy-02.txt, Work in Progress,
912	        August 1999.
913	   [10] B. Aboba, D. Lidyard, "The Accounting Data Interchange
914	       Format (ADIF)", draft-ietf-roamops-actng-05.txt,
915	       Work in Progress, November 1998.
916	   [11] B. Aboba, J. Arkko. Introduction to Accounting Management.
917	        draft-aboba-acct-01.txt. Work in progress, June 1999.

919	8.0  Authors' Addresses
920	   Questions about this memo can be directed to:

922	      Jari Arkko
923	      Oy LM Ericsson Ab
924	      02420 Jorvas
925	      Finland

927	       Phone: +358 40 5079256
928	      E-Mail: Jari.Arkko@ericsson.com

930	      Pat R. Calhoun
931	      Network and Security Research Center, Sun Labs
932	      Sun Microsystems, Inc.
933	      15 Network Circle
934	      Menlo Park, California, 94025
935	      USA

937	       Phone:  1-650-786-7733
938	         Fax:  1-650-786-6445
939	      E-mail:  pcalhoun@eng.sun.com

941	      Pankaj Patel
942	      Convergys Corporation
943	      4600 Montgomery Road
944	      Cincinnati, OH 45212
945	      USA

947	       Phone: 1-513-723-2018
948	      E-Mail: pankaj.patel@convergys.com

950	      Glen Zorn
951	      Microsoft Corporation
952	      One Microsoft Way
953	      Redmond, WA 98052
954	      USA

956	       Phone: 1-425-703-1559
957	      E-Mail: gwz@acm.org

959	9.0  Full Copyright Statement

961	   Copyright (C) The Internet Society (1999).  All Rights Reserved.

963	   This document and translations of it may be copied  and  furnished
964	   to others,  and  derivative works that comment on or otherwise
965	   explain it or assist in its implmentation may be prepared, copied,
966	   published  and distributed,  in  whole  or  in part, without
967	   restriction of any kind, provided that the  above  copyright  notice
968	   and  this  paragraph  are included on all such copies and derivative
969	   works.  However, this docu- ment itself may not be modified in any
970	   way, such as  by  removing  the copyright notice or references to the
971	   Internet Society or other Inter- net organizations, except as needed
972	   for  the  purpose  of  developing Internet standards in which case
973	   the procedures for copyrights defined in the Internet Standards
974	   process must be followed, or as required  to translate it into
975	   languages other than   English.  The limited permis- sions granted
976	   above are perpetual and  will  not  be  revoked  by  the Internet
977	   Society or its successors or assigns.  This document and the
978	   information contained herein is provided on an "AS IS" basis  and
979	   THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE
980	   DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
981	   LIMITED TO ANY  WAR- RANTY  THAT  THE  USE  OF THE INFORMATION HEREIN
982	   WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
983	   MERCHANTABILITY OR FITNESS  FOR  A PARTICULAR PURPOSE."