draft-ietf-dime-group-signaling-00.txt   draft-ietf-dime-group-signaling-01.txt 
Diameter Maintenance and Extensions M. Jones Diameter Maintenance and M. Jones
(DIME) June 22, 2012 Extensions (DIME) M. Liebsch
Internet-Draft Internet-Draft L. Morand
Intended status: Standards Track Intended status: Standards Track July 15, 2013
Expires: December 24, 2012 Expires: January 16, 2014
Diameter Group Signaling Diameter Group Signaling
draft-ietf-dime-group-signaling-00.txt draft-ietf-dime-group-signaling-01.txt
Abstract Abstract
In large network deployments, a single Diameter peer can support over In large network deployments, a single Diameter peer can support over
a million concurrent Diameter sessions. Recent use cases have a million concurrent Diameter sessions. Recent use cases have
revealed the need for Diameter peers to apply the same operation to a revealed the need for Diameter peers to apply the same operation to a
large group of Diameter sessions concurrently. The Diameter base large group of Diameter sessions concurrently. The Diameter base
protocol commands operate on a single session so these use cases protocol commands operate on a single session so these use cases
could result in many thousands of command exchanges to enforce the could result in many thousands of command exchanges to enforce the
same operation on each session in the group. In order to reduce same operation on each session in the group. In order to reduce
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 24, 2012. This Internet-Draft will expire on January 16, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Grouping User Sessions . . . . . . . . . . . . . . . . . . . . 5 3. Grouping User Sessions . . . . . . . . . . . . . . . . . . . . 5
3.1. Group assignment at session initiation . . . . . . . . . . 5 3.1. Group assignment at session initiation . . . . . . . . . . 5
3.2. Mid-session group assignment modifications . . . . . . . . 5 3.2. Mid-session group assignment modifications . . . . . . . . 5
3.2.1. Client-initiated group assignment changes . . . . . . 5 3.2.1. Client-initiated group assignment changes . . . . . . 6
3.2.2. Server-initiated group assignment changes . . . . . . 5 3.2.2. Server-initiated group assignment changes . . . . . . 6
3.3. Server Initiated Group Re-auth . . . . . . . . . . . . . . 6 4. Protocol Description . . . . . . . . . . . . . . . . . . . . . 7
3.4. Session Group Termination . . . . . . . . . . . . . . . . 7 4.1. Session Grouping and implicit Capability Discovery . . . . 7
3.5. Aborting a Group of Sessions . . . . . . . . . . . . . . . 8 4.2. Performing Group Operations . . . . . . . . . . . . . . . 8
4. Protocol Description . . . . . . . . . . . . . . . . . . . . . 10 4.2.1. Sending Group Commands . . . . . . . . . . . . . . . . 8
4.1. Session Management . . . . . . . . . . . . . . . . . . . . 10 4.2.2. Receiving Group Commands . . . . . . . . . . . . . . . 8
4.1.1. Authorization Session State Machine . . . . . . . . . 10 4.2.3. Single-Session Fallback . . . . . . . . . . . . . . . 9
4.2. Commands . . . . . . . . . . . . . . . . . . . . . . . . . 14 4.3. Session Management . . . . . . . . . . . . . . . . . . . . 9
4.2.1. Group-Re-Auth-Request . . . . . . . . . . . . . . . . 14 4.3.1. Authorization Session State Machine . . . . . . . . . 9
4.2.2. Group-Re-Auth-Answer . . . . . . . . . . . . . . . . . 14 5. Commands Formatting . . . . . . . . . . . . . . . . . . . . . 13
4.2.3. Group-Session-Termination-Request . . . . . . . . . . 15 5.1. Group Re-Auth-Request . . . . . . . . . . . . . . . . . . 13
4.2.4. Group-Session-Termination-Answer . . . . . . . . . . . 15 6. Attribute-Value-Pairs (AVP) . . . . . . . . . . . . . . . . . 14
4.2.5. Group-Abort-Session-Request . . . . . . . . . . . . . 16 6.1. Session-Group-Id AVP . . . . . . . . . . . . . . . . . . . 14
4.2.6. Group-Abort-Session-Answer . . . . . . . . . . . . . . 16 6.2. Session-Group-Action AVP . . . . . . . . . . . . . . . . . 14
5. AVPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 7. Result-Code AVP Values . . . . . . . . . . . . . . . . . . . . 15
5.1. Session-Group-Id AVP . . . . . . . . . . . . . . . . . . . 18 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
5.2. Session-Group-Action AVP . . . . . . . . . . . . . . . . . 18 8.1. AVP Codes . . . . . . . . . . . . . . . . . . . . . . . . 16
6. Result-Code AVP Values . . . . . . . . . . . . . . . . . . . . 19 9. Security Considerations . . . . . . . . . . . . . . . . . . . 17
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18
7.1. Command Codes . . . . . . . . . . . . . . . . . . . . . . 20 11. Normative References . . . . . . . . . . . . . . . . . . . . . 19
7.2. AVP Codes . . . . . . . . . . . . . . . . . . . . . . . . 20 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20
8. Security Considerations . . . . . . . . . . . . . . . . . . . 21
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 22
10. Normative References . . . . . . . . . . . . . . . . . . . . . 23
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 24
1. Introduction 1. Introduction
In large network deployments, a single Diameter peer can support over In large network deployments, a single Diameter peer can support over
a million concurrent Diameter sessions. Recent use cases have a million concurrent Diameter sessions. Recent use cases have
revealed the need for Diameter peers to apply the same operation to a revealed the need for Diameter peers to apply the same operation to a
large group of Diameter sessions concurrently. For example, a policy large group of Diameter sessions concurrently. For example, a policy
decision point may need to modify the authorized quality of service decision point may need to modify the authorized quality of service
for all active users having the same type of subscription. The for all active users having the same type of subscription. The
Diameter base protocol commands operate on a single session so these Diameter base protocol commands operate on a single session so these
use cases could result in many thousands of command exchanges to use cases could result in many thousands of command exchanges to
enforce the same operation on each session in the group. In order to enforce the same operation on each session in the group. In order to
reduce signaling, it would be desirable to enable bulk operations on reduce signaling, it would be desirable to enable bulk operations on
all (or part of) the sessions managed by a Diameter peer using a all (or part of) the sessions managed by a Diameter peer using a
single or a few command exchanges. single or a few command exchanges.
This document describes a mechanism for grouping Diameter sessions This document describes mechanisms for grouping Diameter sessions and
and performing re-authentication, re-authorization, termination and applying Diameter commands, such as performing re-authentication, re-
abortion of groups of sessions. This document does not define a new authorization, termination and abortion of sessions to a group of
Diameter application. Instead it defines mechanisms, commands and sessions. This document does not define a new Diameter application.
AVPs that may be used by any Diameter application that requires Instead it defines mechanisms, commands and AVPs that may be used by
management of groups of sessions. any Diameter application that requires management of groups of
sessions.
These mechanisms take the following design goals and features into
account:
o Minimal impact to existing applications
o Extension of existing commands' CCF with optional AVPs to enable
grouping and group operations
o Fallback to single session operation
o Implicit discovery of capability to support grouping and group
operations
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
This document uses terminology defined [RFC3588]. This document uses terminology defined [RFC3588].
3. Grouping User Sessions 3. Grouping User Sessions
Either Diameter peer may assign a session to a group. Diameter AAA Either Diameter peer may assign a session to a group. Diameter AAA
applications typically assign client and server roles to the Diameter applications typically assign client and server roles to the Diameter
peers. In this document, a Diameter client is a node at the edge of peers.
the network that performs access control. A Diameter server is a
node that performs authentication and/or authorization of the user.
3.1. Group assignment at session initiation 3.1. Group assignment at session initiation
Assignment of a new session to a group is accomplished by the
Diameter server when requested by the Diameter client. Without being
explicitly requested by the client, the Diameter server can assign a
new session to a server-assigned group based on its own decision.
When a new session is to be assigned to a group by the Diameter
server, the server assigns a new session to at least one server-
assigned group. To complement server-assigned grouping, a Diameter
client can assign a session to a client-assigned group.
To assign a session to a group at session initiation, a Diameter To assign a session to a group at session initiation, a Diameter
client sends a service specific auth request, e.g. NASREQ AAR client sends a service specific request, e.g. NASREQ AAR [RFC4005],
[RFC4005], containing zero or more client-assigned group identifiers. containing one or more group identifiers. The Diameter client can
Assuming the user is successfully authenticated and/or authorized, assign the session to a client-assigned group and identify the
the Diameter server responds with service-specific auth response, associated group with an appended client-assigned group identifier.
e.g. NASREQ AAA [RFC4005], containing both the client-assigned group The client can append multiple client-assigned group identifiers if
identifiers and zero or more server-assigned group identifiers. the client assigns the new session to more than one group. If the
Diameter client does not send a client-assigned group identifier, the
client may receive one or multiple server-assigned group identifiers
in the server's response, which identify the server-assigned groups
to which the new session has been assigned. The Diameter client can
explicitly request the Diameter server to perform grouping of the new
session.
Assuming the user has been successfully authenticated and/or
authorized, the Diameter server responds with service-specific auth
response, e.g. NASREQ AAA [RFC4005], containing both the client-
assigned group identifiers (if sent with the request) and one or more
server-assigned group identifiers.
Both peers, the Diameter client and the Diameter server, must keep a
list of all group identifiers which identify all client- and server-
assigned groups to which the session has been assigned.
3.2. Mid-session group assignment modifications 3.2. Mid-session group assignment modifications
Either Diameter peer may modify the group membership of an active Either Diameter peer may modify the group membership of an active
Diameter session. A Diameter client MAY remove the group(s) assigned Diameter session. A Diameter client MAY remove the group(s) assigned
to the active session by the Diameter server and vice versa. to the active session by the Diameter server and vice versa.
This document does not define a permission model that limits removal This document does not define a permission model that limits removal
of a session from a group by the same peer that added the session to of a session from a group by the same peer that added the session to
the group. However, applications which re-use the commands and the group. However, applications which re-use the commands and
skipping to change at page 6, line 6 skipping to change at page 7, line 5
3.2.2. Server-initiated group assignment changes 3.2.2. Server-initiated group assignment changes
To update the assigned groups mid-session, a Diameter server sends a To update the assigned groups mid-session, a Diameter server sends a
Re-authorization Request (RAR) message requesting re-authorization Re-authorization Request (RAR) message requesting re-authorization
and the client responds with a Re-authorization Answer (RAA) message. and the client responds with a Re-authorization Answer (RAA) message.
The Diameter client sends a service specific re-authorization request The Diameter client sends a service specific re-authorization request
containing the current list of group identifiers and the Diameter containing the current list of group identifiers and the Diameter
server responds with a service-specific auth response containing the server responds with a service-specific auth response containing the
updated list of group identifiers. updated list of group identifiers.
3.3. Server Initiated Group Re-auth 4. Protocol Description
This document defines a new Group-Re-Auth-Request/Answer (GRAR/
GRAA)command exchange which allows a server to initiate a re-
authentication and/or re-authorization of all services that are
assigned to one of the groups specified in the Session-Group-Id AVP
in the request.
An access device that receives a Group-Re-Auth-Request(GRAR) message
with Session-Group-Id equal to one of the group assigned to a
currently active session MUST initiate the type of re-auth specified
by the Re-Auth-Request-Type AVP in the manner specified by the
Session-Group-Action AVP if the service supports this particular
feature. Each Diameter application MUST state whether service-
initiated group re-authentication and/or re-authorization is
supported and which Session-Group-Action AVP values are supported for
re-authorization.
The Session-Group-Action AVP specifies whether the server requires a
re-authorization request per session, per group or for all groups.
For a Re-Auth-Request-Type value of AUTHORIZE_AUTHENTICATE, the
Session-Group-Action value MUST be PER_SESSION since re-
authentication MUST be performed per user session.
For Session-Group-Action values of PER_GROUP or ALL_GROUPS, the re- 4.1. Session Grouping and implicit Capability Discovery
authorization is accomplished with an application-specifc group re-
authorization command exchange. This command exchange as well as any
limitations on which aspects of the service can be modified during a
re-authorization MUST be defined by the Diameter application.
If the client is able to perform the requested re-authentication Either Diameter peer, a Diameter client or server, can initiate
and/or re-authentication for the sessions assigned to the group(s) assigning a session to a single or multiple session groups according
specified in the GRAR, it shall return a GRAA command with the to the procedure described in Section 3. Modification of a group by
Result-Code AVP set to DIAMETER_SUCCESS and Session-Group-Id AVP(s) removing or adding a single or multiple user sessions can be
indicating the groups for which the GRAR receiver has active sessions initiated and performed at runtime by either Diameter peer.
assigned. If there are no sessions assigned to the group(s)
specified in the GRAR, the Result-Code is set to
DIAMETER_UNKNOWN_SESSION_ID. If the client is unable to perform the
requested re-authentication and/or re-authentication, the Result-Code
is set to DIAMETER_UNABLE_TO_COMPLY.
Diameter Diameter A Diameter client as sender of a command for session initiation can
Client Server determine one or multiple groups to which the new session should be
| | assigned. Each of these groups need to be identified in a separate
(1)+-------------Svc-Specific-Auth-Request--------------->| Session-Group-Id AVP as specified in Section 6. In each appended
| Session-Id=ABC | Session-Group-Id AVP which carries a client-assigned group
| | identifier, a flag must indicate that the carried group identifier is
(2)|<------------Svc-Specific-Auth-Answer-----------------+ not a server-assigned but a client-assigned one. If the Diameter
| Session-Id=ABC; Session-Group-Id=XYZ | client does not determine the group to which the new session should
| | be assigned, the client can set a flag in an appended
(3)+-------------Svc-Specific-Auth-Request--------------->| Session-Group-Id AVP to explicitly request the Diameter server as
| Session-Id=DEF | recipient of the message to assign the new session to one or multiple
| | groups.
(4)|<------------Svc-Specific-Auth-Answer-----------------+
| Session-Id=DEF; Session-Group-Id=XYZ |
| |
(5)|<--------------Group-Re-Auth-Request------------------+
| Session-Group-Id=XYZ; Session-Group-Action=PER_GROUP |
| Re-Auth_Request-Type=AUTHORIZE_ONLY |
| |
(6)+---------------Group-Re-Auth-Answer------------------>|
| |
(7)+----------Svc-Specific-Group-Auth-Request------------>|
| Session-Group-Id=XYZ |
| |
(8)|<---------Svc-Specific-Group-Auth-Answer--------------+
| Updated Service Specific AVPs |
| |
Figure 1: Example: Group Re-authorization By appending at least one Session-Group-Id AVP, the Diameter client
announces its capability to support group operations according to the
specification in this document to the addressed Diameter server. If
the Diameter client supports group operations, it MUST append at
least one Session-Group-Id AVP to announce its capability to support
group operations.
In the example above, the Diameter server authorizes two sessions A Diameter server receiving a command for session initiation which
(ABC and DEF) and assigns them to a group named XYZ (Session-Group- includes at least one Session-Group-Id AVP learns about the sender's
Id=XYZ in steps 2 and 4). Some time later, an event occurs on the capability to support group operations. If a flag in the appended
Diameter server which requires it to change one or more of the Session-Group-Id AVPs identifies a client-assigned group, the server
service parameters for the sessions assigned to group XYZ. The must store the one or multiple identifiers and associate the new
Diameter server sends a Group-Re-Auth-Request (step 5) specifying the session with these groups.
impacted group (Session-Group-Id=XYZ) must be re-authorized (Re-Auth-
Request-Type=AUTHORIZE_ONLY) with a single re-authorize command per
group (Session-Group-Action=PER_GROUP). The Diameter client
acknowledges the request (step 6) and issues a service-specific group
authorization request to retrieve the updated service parameters
(step 7).
3.4. Session Group Termination If a flag in a received Session-Group-Id AVP indicates that the
Diameter client explicitly requests the Diameter server to assign the
new session to a server-assigned group, the Diameter server should
assign the new session to one or multiple groups. The Diameter
server identifies each of these server-assigned groups in a Session-
Group-Id AVP, which are appended to the response to the received
command. Each of these Session-Group-Id AVPs must indicate in a flag
that the carried identifier is a server-assigned group identifier.
This document defines a new Group-Session-Termination-Request/Answer If a flag in a received Session-Group-Id AVP indicates that the
(GSTR/GSTA) command exchange which allows a client to communicate to Diameter client does not explicitly request the Diameter server to
the server the termination of all sessions that are assigned to one assign the new session to a server-assigned group, the Diameter
of the groups specified in the Session-Group-Id AVP in the request. server may assign the new session to one or multiple groups. The
The termination of a group of sessions could occur as a result of a Diameter server identifies each of these server-assigned groups in a
local action or in reponse to a request to abort one or more groups Session-Group-Id AVP, which are appended to the response to the
of sessions. received command. Each of these Session-Group-Id AVPs must indicate
in a flag that the carried identifier is a server-assigned group
identifier.
FFS: When a client sends an GSTR to a server indicating termination By appending at least one Session-Group-Id AVP, the Diameter server
of a specific group, is it indicating termination of the sessions announces its capability to support group operations according to the
that the server authorized and that are assigned to the specified specification in this document to the addressed Diameter client.
group? Or does imply termination of all sessions on the client that
are assigned to the specified group?
Upon receipt of the GSTR, the Diameter Server MUST release all A Diameter server receiving a command for session initiation which
resources for the sessions assigned to the group(s) specified in the includes at least one Session-Group-Id AVP but the server does not
Session-Group-Id AVP and return a GSTA with the Result-Code set to understand the semantics of this optional AVP because it does not
DIAMETER_SUCCESS to acknowledge the successful termination. If there support group operations according to the specification in this
are no sessions assigned to the group(s) specified in the GSTR, the document, MUST ignore the optional group operations specific AVPs and
Result-Code is set to DIAMETER_UNKNOWN_SESSION_ID. If the server is proceed with processing the command for a single session.
unable to perform the session termination, the Result-Code is set to
DIAMETER_UNABLE_TO_COMPLY.
3.5. Aborting a Group of Sessions A Diameter client, which sent a request for session initiation to a
Diameter server and appended a single or multiple Session-Group-Id
AVPs but cannot find any Session-Group-Id AVP in the associated
response from the Diameter server proceeds with processing the
command for a single session. Furthermore, the client keeps a log to
remember that the server is not able to perform group operations.
This document defines a new Group-Abort-Session-Request/Answer (GASR/ 4.2. Performing Group Operations
GASA)command exchange which allows a server to request the
termination of all sessions that are assigned to one of the groups
specified in the Session-Group-Id AVP in the request.
A client that receives an GASR with Session-Group-Id equal to a group 4.2.1. Sending Group Commands
assigned to a currently active session MAY stop the session. Whether
the client stops the session or not is implementation- and/or
configuration-dependent. For example, a client may honor GASRs from
certain agents only. In any case, the client MUST respond with an
Group-Abort-Session-Answer, including a Result-Code AVP to indicate
what action it took.
If the client is able to perform the requested termination of the Either Diameter peer can request the recipient of a request to
sessions assigned to the group(s) specified in the GASR, it shall process an associated command for all sessions being assigned to one
return a GASA command with the Result-Code AVP set to or multiple groups by identifying these groups in the request. The
DIAMETER_SUCCESS and Session-Group-Id AVP(s) indicating the groups sender of the request appends for each group, to which the command
for which the GASR receiver has active sessions assigned. If there applies, a Session-Group-Id AVP and indicates in a flag whether the
are no sessions assigned to the group(s) specified in the GASR, the identifier represents a server- or a client-assigned group. If the
Result-Code is set to DIAMETER_UNKNOWN_SESSION_ID. If the client is CCF of the request mandates a Session-Id AVP, the Session-Id AVP MUST
unable to perform the requested termination for any of the sessions, identify a single session which is assigned to at least one of the
the Result-Code is set to DIAMETER_UNABLE_TO_COMPLY. groups being identified in the appended Session-Group-Id AVPs. If
the sender wants the receiver of the request to process the
associated command solely for a single session does not append any
group identifier, but identifies the relevant session in the
Session-Id AVP.
When a client terminates a session upon receipt of a Group-Abort- 4.2.2. Receiving Group Commands
Session-Request, it MUST issue a session termination request to the
Diameter server that authorized the service. The Session-Group-
Action AVP specifies whether the server requires a single session
termination request per session (with STR message), per group (with
GSTR message) or for all groups (with GSTR message).
Diameter Diameter A Diameter peer receiving a request to process a command for a group
Client Server of sessions identifies the relevant groups according to the appended
| | Session-Group-Id AVP. If the received request identifies multiple
(1)+-------------Svc-Specific-Auth-Request--------------->| groups in multiple appended Session-Group-Id AVPs, the receiver
| Session-Id=ABC | should process the associated command for each of these groups. if a
| | session has been assigned to more than one of the identified groups,
(2)|<------------Svc-Specific-Auth-Answer-----------------+ the receiver must process the associated command only once per
| Session-Id=ABC; Session-Group-Id=XYZ | session.
| |
(3)+-------------Svc-Specific-Auth-Request--------------->|
| Session-Id=DEF |
| |
(4)|<------------Svc-Specific-Auth-Answer-----------------+
| Session-Id=DEF; Session-Group-Id=XYZ |
| |
(5)|<-----------Group-Abort-Session-Request---------------+
| Session-Group-Id=XYZ; Session-Group-Action=PER_GROUP |
| |
(6)+------------Group-Abort-Session-Answer--------------->|
| |
(7)+---------Group-Session-Termination-Request----------->|
| Session-Group-Id=XYZ |
| |
(8)|<---------Group-Session-Termination-Answer------------+
| |
Figure 2: Example: Aborting a Group of Sessions 4.2.3. Single-Session Fallback
In the example above, the Diameter server authorizes two sessions Either Diameter peer, a Diameter client or a Diameter server, can
(ABC and DEF) and assigns them to a group named XYZ (Session-Group- fall back to single session operation by ignoring and omitting the
Id=XYZ in steps 2 and 4). Some time later, an event occurs on the optional and group session-specific AVPs. Fallback to single-session
Diameter server which requires it to abort the sessions assigned to operation is performed by processing the Diameter command solely for
group XYZ. The Diameter server sends a Group-Abort-Session-Request the session identified in the mandatory Session-Id AVP. The response
(step 5) specifying the sessions assigned to the impacted group to the group command must not identify any group but identify solely
(Session-Group-Id=XYZ) are to be terminated and a single termination the single session for which the command has been processed.
command is to be sent per impacted group (Session-Group-
Action=PER_GROUP). The Diameter client acknowledges the request with
a GASA (step 6) and issues a GSTR (step 7) command to release all
resources for the sessions assigned to the group XYZ. The Diameter
server acknowledges the termination with a GGSTA (Step 8).
4. Protocol Description 4.3. Session Management
4.1. Session Management Editor's note: This first document revision adopts the WG's current
view on how Diameter commands can be formatted to enable group
signaling. The required change in the formatting and protocol
operation has not yet been considered in this Section 4.3 , which
still reflects the formatting as per version 0 of this specification.
The described session state machines still need revision to reflect
the generalized formatting and the adopted protocol operation.
4.1.1. Authorization Session State Machine 4.3.1. Authorization Session State Machine
Section 8.1 in [RFC3588] defines a set of finite state machines, Section 8.1 in [RFC3588] defines a set of finite state machines,
representing the life cycle of Diameter sessions, and which MUST be representing the life cycle of Diameter sessions, and which MUST be
observed by all Diameter implementations that make use of the observed by all Diameter implementations that make use of the
authentication and/or authorization portion of a Diameter authentication and/or authorization portion of a Diameter
application. This section defines the additional state transitions application. This section defines the additional state transitions
related to the processing of the new commands which may impact related to the processing of the new commands which may impact
multiple sessions. multiple sessions.
The group membership is session state and therefore only those state The group membership is session state and therefore only those state
skipping to change at page 14, line 5 skipping to change at page 13, line 5
Open Service-specific group Send Idle Open Service-specific group Send Idle
re-authorization request failed re-authorization request failed
received and user is service received and user is service
not authorized specific not authorized specific
group group
re-auth re-auth
answer, answer,
cleanup cleanup
4.2. Commands 5. Commands Formatting
Editor's Note: The content of this section does not represent working
group consensus but rather the views of the draft author prior to
(and post) adoption. Alternative methods for manipulating groups of
sessions are being considered by the working group and this section
may be heavily modified or removed in subsequent versions.
This specification extends the existing RAR, RAA, STR, STA, ASR and
ASA command ABNFs.
4.2.1. Group-Re-Auth-Request
The Group-Re-Auth-Request (GRAR), indicated by the Command-Code set
to TBD and the message flags' 'R' bit set, may be sent by any server
to the access device that is providing session service, to request
that one or more groups of users be re-authenticated and/or re-
authorized.
<GRAR> ::= < Diameter Header: TBD, REQ, PXY >
* { Session-Group-Id }
{ Origin-Host }
{ Origin-Realm }
{ Destination-Realm }
{ Destination-Host }
{ Auth-Application-Id }
{ Re-Auth-Request-Type }
[ Origin-State-Id ]
* [ Proxy-Info ]
* [ Route-Record ]
[ Session-Group-Action ]
* [ AVP ]
4.2.2. Group-Re-Auth-Answer
The Group-Re-Auth-Answer (GRAA), indicated by the Command-Code set to
TBD and the message flags' 'R' bit clear, is sent in response to the
GRAR. The Result-Code AVP MUST be present, and indicates the
disposition of the request.
<GRAA> ::= < Diameter Header: TBD, PXY >
* { Session-Group-Id }
{ Result-Code }
{ Origin-Host }
{ Origin-Realm }
[ Origin-State-Id ]
[ Error-Message ]
[ Error-Reporting-Host ]
* [ Failed-AVP ]
* [ Redirect-Host ]
[ Redirect-Host-Usage ]
[ Redirect-Host-Cache-Time ]
* [ Proxy-Info ]
* [ AVP ]
4.2.3. Group-Session-Termination-Request
The Group-Session-Termination-Request (GSTR), indicated by the
Command-Code set to TBD and the Command Flags' 'R' bit set, is sent
by the access device to inform the Diameter Server that one or more
groups of authenticated and/or authorized sessions are being
terminated.
<GSTR> ::= < Diameter Header: TBD, REQ, PXY >
* { Session-Group-Id }
{ Origin-Host }
{ Origin-Realm }
{ Destination-Realm }
{ Auth-Application-Id }
{ Termination-Cause }
[ Destination-Host ]
* [ Class ]
[ Origin-State-Id ]
* [ Proxy-Info ]
* [ Route-Record ]
* [ AVP ]
4.2.4. Group-Session-Termination-Answer
The Group-Session-Termination-Answer (GSTA), indicated by the
Command-Code set to TBD and the message flags' 'R' bit clear, is sent
by the Diameter Server to acknowledge the notification that one or
more groups of session have been terminated. The Result-Code AVP
MUST be present, and MAY contain an indication that an error occurred
while servicing the GSTR.
<GSTA> ::= < Diameter Header: TBD, PXY >
* { Session-Group-Id }
{ Result-Code }
{ Origin-Host }
{ Origin-Realm }
* [ Class ]
[ Error-Message ]
[ Error-Reporting-Host ]
* [ Failed-AVP ]
[ Origin-State-Id ]
* [ Redirect-Host ]
[ Redirect-Host-Usage ]
[ Redirect-Max-Cache-Time ]
* [ Proxy-Info ]
* [ AVP ]
4.2.5. Group-Abort-Session-Request
The Group-Abort-Session-Request (GASR), indicated by the Command-Code This document does not specify new Diameter commands to enable group
set to TBD and the message flags' 'R' bit set, may be sent by any operations, but relies on command extensibility capability provided
server to the access device that is providing session service, to by the Diameter Base protocol. This section provides the guidelines
request that the sessions identified by the Session-Group-Id be to extend the CCF of existing Diameter commands with optional AVPs to
stopped. enable the recipient of the command to perform the command to all
sessions associated with the identified group(s).
<GASR> ::= < Diameter Header: TBD, REQ, PXY > 5.1. Group Re-Auth-Request
* { Session-Group-Id }
{ Origin-Host }
{ Origin-Realm }
{ Destination-Realm }
{ Destination-Host }
{ Auth-Application-Id }
[ Origin-State-Id ]
* [ Proxy-Info ]
* [ Route-Record ]
[ Group-Action ]
* [ AVP ]
4.2.6. Group-Abort-Session-Answer A request that one or more groups of users are re-authentication is
issues by appending one or multiple Session-Group-Id AVP(s) to the
Re-Auth-Request (RAR). The one or multiple Session-Group-Id AVP(s)
identify the associated group(s) for which the group re-
authentication has been requested. The recipient of the group
command initiates re-authentication for all users associated with the
identified group(s). Furthermore, the sender of the group re-
authentication request appends a Session-Group-Action AVP to provide
more information to the receiver of the command about how to
accomplish the group operation.
The Group-Abort-Session-Answer (GASA), indicated by the Command-Code The value of the mandatory Session-Id AVP MUST identify a session
set to TBD and the message flags' 'R' bit clear, is sent in response associated with a single user, which is assigned to at least one of
to the GASR. The Result-Code AVP MUST be present, and indicates the the groups being identified in the appended Session-Group-Id AVPs.
disposition of the request.
<GASA> ::= < Diameter Header: TBD, PXY > <RAR> ::= < Diameter Header: 258, REQ, PXY >
* { Session-Group-Id } < Session-Id >
{ Result-Code } { Origin-Host }
{ Origin-Host } { Origin-Realm }
{ Origin-Realm } { Destination-Realm }
[ Origin-State-Id ] { Destination-Host }
[ Error-Message ] { Auth-Application-Id }
[ Error-Reporting-Host ] { Re-Auth-Request-Type }
* [ Failed-AVP ] [ User-Name ]
* [ Redirect-Host ] [ Origin-State-Id ]
[ Redirect-Host-Usage ] * [ Proxy-Info ]
[ Redirect-Max-Cache-Time ] * [ Route-Record ]
* [ Proxy-Info ] * [ Session-Group-Id ]
* [ AVP ] [ Session-Group-Action ]
* [ AVP ]
5. AVPs 6. Attribute-Value-Pairs (AVP)
+--------------------+ +--------------------+
| AVP Flag rules | | AVP Flag rules |
+----+---+------+----+ +----+---+------+----+
AVP | | |SHOULD|MUST| AVP | | |SHOULD|MUST|
Attribute Name Code Value Type |MUST|MAY| NOT | NOT| Attribute Name Code Value Type |MUST|MAY| NOT | NOT|
+---------------------------------------+----+---+------+----+ +---------------------------------------+----+---+------+----+
|Session-Group-Id TBD OctetString | | P | | V | |Session-Group-Id TBD OctetString | | P | | V |
|Session-Group-Action TBD Enumerated | | P | | V | |Session-Group-Action TBD Enumerated | | P | | V |
+---------------------------------------+----+---+------+----+ +---------------------------------------+----+---+------+----+
AVPs for the Diameter Group Signaling AVPs for the Diameter Group Signaling
5.1. Session-Group-Id AVP 6.1. Session-Group-Id AVP
The Session-Group-Id AVP (AVP Code TBD) is of type OctetString and The Session-Group-Id AVP (AVP Code TBD) is of type OctetString and
identifies a group of sessions. This uniqueness scope of this AVP is identifies a group of sessions. This uniqueness scope of this AVP is
specified by the Diameter application which makes use of group specified by the Diameter application which makes use of group
signaling commands. signaling commands.
5.2. Session-Group-Action AVP 6.2. Session-Group-Action AVP
The Session-Group-Action AVP (AVP Code TBD) is of type Enumerated and The Session-Group-Action AVP (AVP Code TBD) is of type Enumerated and
specifies how the peer SHOULD issue follow up exchanges in response specifies how the peer SHOULD issue follow up exchanges in response
to a command which impacts mulitple sessions. The following values to a command which impacts mulitple sessions. The following values
are supported: are supported:
ALL_GROUPS (0) ALL_GROUPS (0)
Follow up exchanges should be performed with a single message Follow up exchanges should be performed with a single message
exchange for all impacted groups. exchange for all impacted groups.
PER_GROUP (1) PER_GROUP (1)
Follow up exchanges should be performed with a message exchange Follow up exchanges should be performed with a message exchange
for each impacted group. for each impacted group.
PER_SESSION (2) PER_SESSION (2)
Follow up exchanges should be performed with a message exchange Follow up exchanges should be performed with a message exchange
for each impacted session. for each impacted session.
6. Result-Code AVP Values 7. Result-Code AVP Values
This section defines new Result-Code [RFC3588] values that MUST be This section defines new Result-Code [RFC3588] values that MUST be
supported by all Diameter implementations that conform to this supported by all Diameter implementations that conform to this
specification. specification.
[Editor's Note: Group specific error values may need to be added [Editor's Note: Group specific error values may need to be added
here.] here.]
7. IANA Considerations 8. IANA Considerations
This section contains the namespaces that have either been created in This section contains the namespaces that have either been created in
this specification or had their values assigned to existing this specification or had their values assigned to existing
namespaces managed by IANA. namespaces managed by IANA.
7.1. Command Codes 8.1. AVP Codes
This specification requires IANA to register the following new
Commands from the Command Code namespace defined in [RFC3588].
o Group-Re-Auth-Request/Answer
o Group-Session-Termination-Request/Answer
o Group-Abort-Session-Request/Answer
The commands are defined in Section 4.2.
7.2. AVP Codes
This specification requires IANA to register the following new AVPs This specification requires IANA to register the following new AVPs
from the AVP Code namespace defined in [RFC3588]. from the AVP Code namespace defined in [RFC3588].
o Session-Group-Id o Session-Group-Id
o Session-Group-Action o Session-Group-Action
The AVPs are defined in Section 5. The AVPs are defined in Section 6.
8. Security Considerations 9. Security Considerations
TODO TODO
9. Acknowledgments 10. Acknowledgments
10. Normative References 11. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
Arkko, "Diameter Base Protocol", RFC 3588, September 2003. Arkko, "Diameter Base Protocol", RFC 3588, September 2003.
[RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, [RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton,
"Diameter Network Access Server Application", RFC 4005, "Diameter Network Access Server Application", RFC 4005,
August 2005. August 2005.
Author's Address Authors' Addresses
Mark Jones Mark Jones
Email: mark@azu.ca Email: mark@azu.ca
Marco Liebsch
Email: marco.liebsch@neclab.eu
Lionel Morand
Email: lionel.morand@orange.com
 End of changes. 47 change blocks. 
379 lines changed or deleted 233 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/