draft-ietf-dime-group-signaling-04.txt   draft-ietf-dime-group-signaling-05.txt 
Diameter Maintenance and Extensions (DIME) M. Jones Diameter Maintenance and Extensions (DIME) M. Jones
Internet-Draft Internet-Draft
Intended status: Standards Track M. Liebsch Intended status: Standards Track M. Liebsch
Expires: January 5, 2015 Expires: January 7, 2016
L. Morand L. Morand
July 6, 2015
July 4, 2014
Diameter Group Signaling Diameter Group Signaling
draft-ietf-dime-group-signaling-04.txt draft-ietf-dime-group-signaling-05.txt
Abstract Abstract
In large network deployments, a single Diameter peer can support over In large network deployments, a single Diameter node can support over
a million concurrent Diameter sessions. Recent use cases have a million concurrent Diameter sessions. Recent use cases have
revealed the need for Diameter peers to apply the same operation to a revealed the need for Diameter nodes to apply the same operation to a
large group of Diameter sessions concurrently. The Diameter base large group of Diameter sessions concurrently. The Diameter base
protocol commands operate on a single session so these use cases protocol commands operate on a single session so these use cases
could result in many thousands of command exchanges to enforce the could result in many thousands of command exchanges to enforce the
same operation on each session in the group. In order to reduce same operation on each session in the group. In order to reduce
signaling, it would be desirable to enable bulk operations on all (or signaling, it would be desirable to enable bulk operations on all (or
part of) the sessions managed by a Diameter peer using a single or a part of) the sessions managed by a Diameter node using a single or a
few command exchanges. This document specifies the Diameter protocol few command exchanges. This document specifies the Diameter protocol
extensions to achieve this signaling optimization. extensions to achieve this signaling optimization.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 5, 2015. This Internet-Draft will expire on January 7, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 24 skipping to change at page 2, line 24
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4 3. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4
3.1. Building and Modifying Session Groups . . . . . . . . . . 4 3.1. Building and Modifying Session Groups . . . . . . . . . . 4
3.2. Issuing Group Commands . . . . . . . . . . . . . . . . . 4 3.2. Issuing Group Commands . . . . . . . . . . . . . . . . . 4
3.3. Permission Considerations . . . . . . . . . . . . . . . . 4 3.3. Permission Considerations . . . . . . . . . . . . . . . . 4
4. Protocol Description . . . . . . . . . . . . . . . . . . . . 6 4. Protocol Description . . . . . . . . . . . . . . . . . . . . 6
4.1. Session Grouping . . . . . . . . . . . . . . . . . . . . 6 4.1. Session Grouping Capability Discovery . . . . . . . . . . 7
4.1.1. Group assignment at session initiation . . . . . . . 7 4.1.1. Explicit Capability Discovery . . . . . . . . . . . . 7
4.1.2. Removing a session from a session group . . . . . . . 8 4.1.2. Implicit Capability Discovery . . . . . . . . . . . . 7
4.1.3. Mid-session group assignment modifications . . . . . 9 4.2. Session Grouping . . . . . . . . . . . . . . . . . . . . 7
4.2. Session Grouping Capability Discovery . . . . . . . . . . 10 4.2.1. Group assignment at session initiation . . . . . . . 8
4.2.1. Explicit Capability Discovery . . . . . . . . . . . . 10 4.2.2. Removing a session from a session group . . . . . . . 10
4.2.2. Implicit Capability Discovery . . . . . . . . . . . . 11 4.2.3. Mid-session group assignment modifications . . . . . 11
4.3. Deleting a Session Group . . . . . . . . . . . . . . . . 11 4.3. Deleting a Session Group . . . . . . . . . . . . . . . . 12
4.4. Performing Group Operations . . . . . . . . . . . . . . . 11 4.4. Performing Group Operations . . . . . . . . . . . . . . . 12
4.4.1. Sending Group Commands . . . . . . . . . . . . . . . 11 4.4.1. Sending Group Commands . . . . . . . . . . . . . . . 12
4.4.2. Receiving Group Commands . . . . . . . . . . . . . . 12 4.4.2. Receiving Group Commands . . . . . . . . . . . . . . 13
4.4.3. Error Handling for Group Commands . . . . . . . . . . 12 4.4.3. Error Handling for Group Commands . . . . . . . . . . 14
4.4.4. Single-Session Fallback . . . . . . . . . . . . . . . 13 4.4.4. Single-Session Fallback . . . . . . . . . . . . . . . 14
5. Operation with Proxies Agents . . . . . . . . . . . . . . . . 13 5. Operation with Proxies Agents . . . . . . . . . . . . . . . . 14
6. Commands Formatting . . . . . . . . . . . . . . . . . . . . . 13 6. Commands Formatting . . . . . . . . . . . . . . . . . . . . . 15
6.1. Formatting Example: Group Re-Auth-Request . . . . . . . . 14 6.1. Formatting Example: Group Re-Auth-Request . . . . . . . . 15
7. Attribute-Value-Pairs (AVP) . . . . . . . . . . . . . . . . . 14 7. Attribute-Value-Pairs (AVP) . . . . . . . . . . . . . . . . . 16
7.1. Session-Group-Info AVP . . . . . . . . . . . . . . . . . 15 7.1. Session-Group-Info AVP . . . . . . . . . . . . . . . . . 16
7.2. Session-Group-Control-Vector AVP . . . . . . . . . . . . 15 7.2. Session-Group-Control-Vector AVP . . . . . . . . . . . . 17
7.3. Session-Group-Id AVP . . . . . . . . . . . . . . . . . . 16 7.3. Session-Group-Id AVP . . . . . . . . . . . . . . . . . . 17
7.4. Group-Response-Action AVP . . . . . . . . . . . . . . . . 16 7.4. Group-Response-Action AVP . . . . . . . . . . . . . . . . 18
7.5. Session-Group-Capability-Vector AVP . . . . . . . . . . . 17 7.5. Session-Group-Capability-Vector AVP . . . . . . . . . . . 18
8. Result-Code AVP Values . . . . . . . . . . . . . . . . . . . 17 8. Result-Code AVP Values . . . . . . . . . . . . . . . . . . . 18
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
9.1. AVP Codes . . . . . . . . . . . . . . . . . . . . . . . . 17 9.1. AVP Codes . . . . . . . . . . . . . . . . . . . . . . . . 19
10. Security Considerations . . . . . . . . . . . . . . . . . . . 17 10. Security Considerations . . . . . . . . . . . . . . . . . . . 19
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20
12. Normative References . . . . . . . . . . . . . . . . . . . . 18 12. Normative References . . . . . . . . . . . . . . . . . . . . 20
Appendix A. Session Management -- Exemplary Session State Appendix A. Session Management -- Exemplary Session State
Machines . . . . . . . . . . . . . . . . . . . . . . 18 Machine . . . . . . . . . . . . . . . . . . . . . . 20
A.1. Authorization Session State Machine . . . . . . . . . . . 18 A.1. Use of groups for the Authorization Session State Machine 20
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24
1. Introduction 1. Introduction
In large network deployments, a single Diameter peer can support over In large network deployments, a single Diameter node can support over
a million concurrent Diameter sessions. Recent use cases have a million concurrent Diameter sessions. Recent use cases have
revealed the need for Diameter peers to apply the same operation to a revealed the need for Diameter nodes to apply the same operation to a
large group of Diameter sessions concurrently. For example, a policy large group of Diameter sessions concurrently. For example, a policy
decision point may need to modify the authorized quality of service decision point may need to modify the authorized quality of service
for all active users having the same type of subscription. The for all active users having the same type of subscription. The
Diameter base protocol commands operate on a single session so these Diameter base protocol commands operate on a single session so these
use cases could result in many thousands of command exchanges to use cases could result in many thousands of command exchanges to
enforce the same operation on each session in the group. In order to enforce the same operation on each session in the group. In order to
reduce signaling, it would be desirable to enable bulk operations on reduce signaling, it would be desirable to enable bulk operations on
all (or part of) the sessions managed by a Diameter peer using a all (or part of) the sessions managed by a Diameter node using a
single or a few command exchanges. single or a few command exchanges.
This document describes mechanisms for grouping Diameter sessions and This document describes mechanisms for grouping Diameter sessions and
applying Diameter commands, such as performing re-authentication, re- applying Diameter commands, such as performing re-authentication, re-
authorization, termination and abortion of sessions to a group of authorization, termination and abortion of sessions to a group of
sessions. This document does not define a new Diameter application. sessions. This document does not define a new Diameter application.
Instead it defines mechanisms, commands and AVPs that may be used by Instead it defines mechanisms, commands and AVPs that may be used by
any Diameter application that requires management of groups of any Diameter application that requires management of groups of
sessions. sessions.
skipping to change at page 4, line 20 skipping to change at page 4, line 20
Client and Server can assign a new Diameter session to a group, e.g. Client and Server can assign a new Diameter session to a group, e.g.
in case the subscription profile of the associated user has similar in case the subscription profile of the associated user has similar
characteristics as the profile of other users whose Diameter session characteristics as the profile of other users whose Diameter session
has been assigned to one or multiple groups. A single command can be has been assigned to one or multiple groups. A single command can be
issued and applied to all sessions associated with such group(s), issued and applied to all sessions associated with such group(s),
e.g. to adjust common profile or policy settings. e.g. to adjust common profile or policy settings.
The assignment of a Diameter session to a group can be changed mid- The assignment of a Diameter session to a group can be changed mid-
session. For example, if a user's subscription profile changes mid- session. For example, if a user's subscription profile changes mid-
session, a Diameter peer may remove the session from its current session, a Diameter server may remove the session from its current
group and assign the session to a different group that is more group and assign the session to a different group that is more
appropriate for the new subscription profile. appropriate for the new subscription profile.
In case of mobile users, the user's session may get transferred to a In case of mobile users, the user's session may get transferred to a
new Diameter client during handover and assigned to a different new Diameter client during handover and assigned to a different
group, which is maintained at the new Diameter client, mid-session. group, which is maintained at the new Diameter client, mid-session.
A session group, which has sessions assigned, can be deleted, e.g. A session group, which has sessions assigned, can be deleted, e.g.
due to a change in multiple users' subscription profile so that the due to a change in multiple users' subscription profile so that the
group's assigned sessions do not share certain characteristics group's assigned sessions do not share certain characteristics
anymore. Deletion of such group requires subsequent individual anymore. Deletion of such group requires subsequent individual
treatment of each of the assigned sessions. A peer may decide to treatment of each of the assigned sessions. A node may decide to
assign some of these sessions to any other existing or new group. assign some of these sessions to any other existing or new group.
3.2. Issuing Group Commands 3.2. Issuing Group Commands
Changes in the network condition may result in the Diameter server's Changes in the network condition may result in the Diameter server's
decision to close all sessions in a given group. The server issues a decision to close all sessions in a given group. The server issues a
single Session Termination Request (STR) command , identifying the single Session Termination Request (STR) command , identifying the
group of sessions which are to be terminated. The Diameter client group of sessions which are to be terminated. The Diameter client
treats the STR as group command and initiates termination of all treats the STR as group command and initiates termination of all
sessions associated with the identified group. Subsequently, the sessions associated with the identified group. Subsequently, the
skipping to change at page 5, line 13 skipping to change at page 5, line 13
session group. session group.
This specification follows the most flexible model where both, a This specification follows the most flexible model where both, a
Diameter client and a Diameter server can create a new group and Diameter client and a Diameter server can create a new group and
assign a new identifier to that session group. When a Diameter node assign a new identifier to that session group. When a Diameter node
decides to create a new session group, e.g. to group all sessions decides to create a new session group, e.g. to group all sessions
which share certain characteristics, the node builds a session group which share certain characteristics, the node builds a session group
identifier according to the rules described in Section 7.3) and identifier according to the rules described in Section 7.3) and
becomes the owner of the group. This specification does not becomes the owner of the group. This specification does not
constrain the permission to add or remove a session to/from a session constrain the permission to add or remove a session to/from a session
group to the group owner, instead each peer can add a session to any group to the group owner, instead each node can add a session to any
known group or remove a session from a group. A session group is known group or remove a session from a group. A session group is
deleted and its identifier released after the last session has been deleted and its identifier released after the last session has been
removed from the session group. Also the modification of groups in removed from the session group. Also the modification of groups in
terms of moving a session from one session group to a different terms of moving a session from one session group to a different
session group is permitted to any Diameter node. A Diameter peer can session group is permitted to any Diameter node. A Diameter node can
delete a session group and its group identifier mid-session, delete a session group and its group identifier mid-session,
resulting in individual treatment of the sessions which have been resulting in individual treatment of the sessions which have been
previously assigned to the deleted group. previously assigned to the deleted group. Prerequisite for deletion
of a session group is that the Diameter node created the session
beforehand, hence the node became the group owner.
The enforcement of more constrained permissions is left to the The enforcement of more constrained permissions is left to the
specification of a particular group signaling enabled Diameter specification of a particular group signaling enabled Diameter
application and compliant implementations of such application must application and compliant implementations of such application must
enforce the associated permission model. Details about enforcing a enforce the associated permission model. Details about enforcing a
more constraint permission model are out of scope of this more constraint permission model are out of scope of this
specification. For example, a more constrained model could require specification. For example, a more constrained model could require
that a client MUST NOT remove a session from a group which is owned that a client MUST NOT remove a session from a group which is owned
by the server. by the server.
The following table depicts the permission considerations as per the The following table depicts the permission considerations as per the
present specification: present specification:
+-------------------------------------------------+--------+--------+ +-------------------------------------------------+--------+--------+
| Operation | Server | Client | | Operation | Server | Client |
+-------------------------------------------------+--------+--------+ +-------------------------------------------------+--------+--------+
| Create a new Session Group (peer becomes | X | X | | Create a new Session Group (Diameter node | X | X |
| the group owner) | | | | becomes the group owner) | | |
+-------------------------------------------------+--------+--------+ +-------------------------------------------------+--------+--------+
| Assign a Session to an owned Session Group | X | X | | Assign a Session to an owned Session Group | X | X |
+-------------------------------------------------+--------+--------+ +-------------------------------------------------+--------+--------+
| Assign a Session to a non-owned Session Group | X | X | | Assign a Session to a non-owned Session Group | X | X |
+-------------------------------------------------+--------+--------+ +-------------------------------------------------+--------+--------+
| Remove a Session from an owned Session Group | X | X | | Remove a Session from an owned Session Group | X | X |
+-------------------------------------------------+-----------------+ +-------------------------------------------------+-----------------+
| Remove a Session from a non-owned Session Group | X | X | | Remove a Session from a non-owned Session Group | X | X |
+-------------------------------------------------+--------+--------+ +-------------------------------------------------+--------+--------+
| Remove a Session from a Session Group where the | X | X | | Remove a Session from a Session Group where the | X | X |
| peer created the assignment | | | | Diameter node created the assignment | | |
+-------------------------------------------------+--------+--------+ +-------------------------------------------------+--------+--------+
| Remove a Session from a Session Group where the | | | | Remove a Session from a Session Group where a | | |
| peer did not create the assignment | | | | different Diameter node created the assignment | | |
+-------------------------------------------------+--------+--------+ +-------------------------------------------------+--------+--------+
| Overrule a peer's group assignment *) | | | | Overrule a different Diameter node's | | |
| group assignment *) | | |
+-------------------------------------------------+--------+--------+ +-------------------------------------------------+--------+--------+
| Delete a Session Group owned by the peer | X | X | | Delete a Session Group which is owned by the | X | X |
| Diameter node | | |
+-------------------------------------------------+--------+--------+ +-------------------------------------------------+--------+--------+
| Delete a Session Group not owned by the peer | | | | Delete a Session Group which is not owned by | | |
| the Diameter node | | |
+-------------------------------------------------+--------+--------+ +-------------------------------------------------+--------+--------+
Default Permission as per this Specification Default Permission as per this Specification
*) Editors' note: The protocol specification in this document does *) Editors' note: The protocol specification in this document does
not consider overruling a peer's assignment of a session to a session not consider overruling a node's assignment of a session to a session
group. Group signaling enabled applications may take such protocol group. Here, overruling is to be understood as a node changing the
support and associated protocol semantics into account in their group(s) assignment as per the node's request. Group signaling
specification. enabled applications may take such protocol support and associated
protocol semantics into account in their specification. One
exception is adopted in this specifcation, which allows a Diameter
server to reject a group assignment as per the client's request.
4. Protocol Description 4. Protocol Description
4.1. Session Grouping Capability Discovery
4.1. Session Grouping Diameter nodes should assign a session to a session group and perform
session group operations with a node only after having ensured that
the node announced associated support beforehand.
Either Diameter peer can initiate the assignment of a session to a 4.1.1. Explicit Capability Discovery
single or multiple session groups. Modification of a group by
removing or adding a single or multiple user sessions can be New Diameter applications may consider support for Diameter session
initiated and performed mid-session by either Diameter peer. grouping and for performing group commands during the standardization
process. Such applications provide intrinsic discovery for the
support of group commands and announce this capability through the
assigned application ID.
System- and deployment-specific means, as well as out-of-band
mechanisms for capability exchange can be used to announce nodes'
support for session grouping and session group operations. In such
case, the optional Session-Group-Capability-Vector AVP, as described
in Section 4.1.2 can be omitted in Diameter messages being exchanged
between nodes.
4.1.2. Implicit Capability Discovery
If no explicit mechanism for capability discovery is deployed to
enable Diameter nodes to learn about nodes' capability to support
session grouping and group commands, a Diameter node SHOULD append
the Session-Group-Capability-Vector AVP to any Diameter messages
exchanged with its nodes to announce its capability to support
session grouping and session group operations. Implementations
following the specification as per this document set the
BASE_SESSION_GROUP_CAPABILITY flag of the Session-Group-Capability-
Vector AVP.
When a Diameter node receives at least one Session-Group-Capability-
Vector AVP from a node with the BASE_SESSION_GROUP_CAPABILITY flag
set, the Diameter node maintains a log to remember the node's
capability to support group commands.
4.2. Session Grouping
This specification does not limit the number of session groups, to
which a single session is assigned. It is left to the application to
determine the policy of session grouping. In case an application
facilitates a session to belong to multiple session groups, the
application must maintain consistency of associated application
session states for these multiple session groups.
Either Diameter node (client or server) can initiate the assignment
of a session to a single or multiple session groups. Modification of
a group by removing or adding a single or multiple user sessions can
be initiated and performed mid-session by either Diameter node.
Diameter AAA applications typically assign client and server roles to Diameter AAA applications typically assign client and server roles to
the Diameter peers, which are referred to as relevant Diameter peers the Diameter nodes, which are referred to as relevant Diameter nodes
to utilize session grouping and issue group commands. Section 5 to utilize session grouping and issue group commands. Section 5
describes particularities about session grouping and performing group describes particularities about session grouping and performing group
commands when relay agents or proxies are deployed. commands when relay agents or proxies are deployed.
Diameter peers, which are group-aware, must store and maintain an Diameter nodes, which are group-aware, must store and maintain an
entry about the group assignment together with a session's state. A entry about the group assignment together with a session's state. A
list of all known session groups should be locally maintained on each list of all known session groups should be locally maintained on each
peer, each group pointing to individual sessions being assigned to node, each group pointing to individual sessions being assigned to
the group. A peer must also keep a record about sessions, which have the group. A Diameter node must also keep a record about sessions,
been assigned to a session group by that peer. which have been assigned to a session group by itself.
4.1.1. Group assignment at session initiation 4.2.1. Group assignment at session initiation
To assign a session to a group at session initiation, a Diameter To assign a session to a group at session initiation, a Diameter
client sends a service specific request, e.g. NASREQ AAR [RFC4005], client sends a service specific request, e.g. NASREQ AA-Request
containing one or more group identifiers. Each of these groups need [RFC4005], containing one or more session group identifiers. Each of
to be identified by a unique Session-Group-Id contained in a separate these groups needs to be identified by a unique Session-Group-Id
Session-Group-Info AVP as specified in Section 7. contained in a separate Session-Group-Info AVP as specified in
Section 7.
The client may choose one or multiple sessions from a list of The client may choose one or multiple session groups from a list of
existing session groups. Alternatively, the client may decide to existing session groups. Alternatively, the client may decide to
create a new group and identify itself in the DiameterIdentity create a new group to which the session is assigned and identify
element of the Group-Session-Id AVP as per Section 7.3 itself in the <DiameterIdentity> portion of the Session-Group-Id AVP
as per Section 7.3
The client MUST set the SESSION_GROUP_ALLOCATION_ACTION of the The client MUST set the SESSION_GROUP_ALLOCATION_ACTION flag of the
Session-Group-Control-Vector AVP in each appended Session-Group-Info Session-Group-Control-Vector AVP in each appended Session-Group-Info
AVP to indicate that the identified session should be assigned to the AVP to indicate that the session contained in the request should be
identified session group. assigned to the identified session group.
The client may also indicate in the request that the server is
responsible for the assignment of the session in one or multiple
sessions owned by the server. In such a case, the client MUST
includes in the request the Session-Group-Info AVP in the request
including the Session-Group-Control-Vector AVP with
SESSION_GROUP_ALLOCATION_ACTION flag set but no Session-Group-Id AVP.
If the Diameter server receives a command request from a Diameter If the Diameter server receives a command request from a Diameter
client and the command comprises at least one Session-Group-Info AVP client and the command comprises at least one Session-Group-Info AVP
having the SESSION_GROUP_ALLOCATION_ACTION flag of the Session-Group- having the SESSION_GROUP_ALLOCATION_ACTION flag set in the Session-
Control-Vector AVP set, the server must assign the new session to Group-Control-Vector AVP set, the server can accept or reject the
each of the one or multiple identified session groups. In case one request for group assignment. Reasons for rejection may be e.g. lack
or multiple identified session groups are not know to the server, the of resources for managing additional groups. When rejected, the
server must add the one or multiple new groups to its local list of session must not be assigned to any session group but be treated as
known session groups. When sending the response to the client, e.g. single session.
a service-specific auth response as per NASREQ AAA [RFC4005], the
server must include all Session-Group-Info AVPs as received in the If the Diameter server accepts the client's request for a group
client's request. assignment, the server must assign the new session to each of the one
or multiple identified session groups when present in the Session-
Group-Info AVP. In case one or multiple identified session groups
are not already stored by the server, the server must store the new
identified group(s) to its local list of known session groups. When
sending the response to the client, e.g. a service-specific auth
response as per NASREQ AA-Answer [RFC4005], the server must include
all Session-Group-Info AVPs as received in the client's request.
In addition to the one or multiple session groups identified in the In addition to the one or multiple session groups identified in the
client's request, the server may decide to assign the new session to client's request, the server may decide to assign the new session to
one or multiple additional groups. In such case, the server adds to one or multiple additional groups. In such a case, the server adds
the response additional Session-Group-Info AVPs, each identifying a to the response the additional Session-Group-Info AVPs, each
session group, to which the server has assigned the new session. identifying a session group to which the new session is assigned by
Each of the Session-Group-Info AVP added by the server must have the the server. Each of the Session-Group-Info AVP added by the server
SESSION_GROUP_ALLOCATION_ACTION flag of the Session-Group-Control- must have the SESSION_GROUP_ALLOCATION_ACTION flag set in the
Vector AVP set. Session-Group-Control-Vector AVP set.
If the Diameter server rejects the client's request for a group
assignment, the server sends the response to the client, e.g. a
service-specific auth response as per NASREQ AA-Answer [RFC4005], and
must include all Session-Group-Info AVPs as received in the client's
request (if any) while clearing the SESSION_GROUP_ALLOCATION_ACTION
flag of the Session-Group-Control-Vector AVP.
If the Diameter server receives a command request from a Diameter
client and the command comprises one or multiple Session-Group-Info
AVPs and none of them including a Session-Group-Id AVP, the server
MAY decide to assign the session to one or multiple session groups.
For each session group, to which the server assigns the new session,
the server includes a Session-Group-Info AVP with the Session-Group-
Id AVP identifying a session group in the response sent to the
client. Each of the Session-Group-Info AVPs included by the server
must have the SESSION_GROUP_ALLOCATION_ACTION flag of the Session-
Group-Control-Vector AVP set.
If the Diameter server receives a command request from a Diameter
client and the command does not contain any Session-Group-Info AVP,
the server MUST not assign the new session to any session group but
treat the request as for a single session. The server MUST return
any Session-Group-Info AVP in the command response.
If the Diameter client receives a response to its previously issued If the Diameter client receives a response to its previously issued
request from the server and the response comprises at least one request from the server and the response comprises at least one
Session-Group-Info AVP having the SESSION_GROUP_ALLOCATION_ACTION Session-Group-Info AVP having the SESSION_GROUP_ALLOCATION_ACTION
flag of the associated Session-Group-Control-Vector AVP set, the flag of the associated Session-Group-Control-Vector AVP set, the
client must add the new session to all session groups as identified client MUST add the new session to all session groups as identified
in the one or multiple Session-Group-Info AVPs. in the one or multiple Session-Group-Info AVPs.
A Diameter server receiving a command for session initiation which If the Diameter client receives a response to its previously issued
includes at least one Session-Group-Info AVP but the server does not request from the server and the one or more Session-Group-Info AVPs
understand the semantics of this optional AVP because it does not have the SESSION_GROUP_ALLOCATION_ACTION flag of the associated
support group operations according to the specification in this Session-Group-Control-Vector AVP cleared, the client MUST terminate
document, MUST ignore the optional group operations specific AVPs and the assignment of the session to the one or multiple groups and
proceed with processing the command for a single session. continue to treat the session as single session without group
assignment.
A Diameter client, which sent a request for session initiation to a A Diameter client, which sent a request for session initiation to a
Diameter server and appended a single or multiple Session-Group-Id Diameter server and appended a single or multiple Session-Group-Id
AVPs but cannot find any Session-Group-Info AVP in the associated AVPs but cannot find any Session-Group-Info AVP in the associated
response from the Diameter server proceeds with processing the response from the Diameter server proceeds as if the request was
command for a single session. Furthermore, the client keeps a log to processed for a single session.
remember that the server is not able to perform group operations.
4.1.2. Removing a session from a session group 4.2.2. Removing a session from a session group
When a Diameter client decides to remove a session from a particular When a Diameter client decides to remove a session from a particular
session group, the client sends a service-specific re-authorization session group, the client sends a service-specific re-authorization
request to the server and adds one Session-Group-Info AVP to the request to the server and adds one Session-Group-Info AVP to the
request for each session group, from which the client wants to remove request for each session group, from which the client wants to remove
the session. The session, which is to be removed from a group, is the session. The session, which is to be removed from a group, is
identified in the Session-Id AVP of the command request. The identified in the Session-Id AVP of the command request. The
SESSION_GROUP_ALLOCATION_ACTION flag of the Session-Group-Control- SESSION_GROUP_ALLOCATION_ACTION flag of the Session-Group-Control-
Vector AVP in each Session-Group-Info AVP must be cleared to indicate Vector AVP in each Session-Group-Info AVP must be cleared to indicate
removal of the session from the session group identified in the removal of the session from the session group identified in the
skipping to change at page 9, line 13 skipping to change at page 11, line 13
Session-Group-Id AVP. If the request comprises at least one Session- Session-Group-Id AVP. If the request comprises at least one Session-
Group-info AVP with the SESSION_GROUP_ALLOCATION_ACTION flag cleared Group-info AVP with the SESSION_GROUP_ALLOCATION_ACTION flag cleared
and no Session-Id AVP present, the server must remove the session and no Session-Id AVP present, the server must remove the session
from all session groups to which the session has been previously from all session groups to which the session has been previously
assigned. The server must include in its response to the requesting assigned. The server must include in its response to the requesting
client all Session-Group-Id AVPs as received in the request. client all Session-Group-Id AVPs as received in the request.
When the Diameter server decides to remove a session from one or When the Diameter server decides to remove a session from one or
multiple particular session groups or from all session groups to multiple particular session groups or from all session groups to
which the session has been assigned beforehand, the server sends a which the session has been assigned beforehand, the server sends a
Re-Authorization Request (RAR) to the client, indicating the session Re-Authorization Request (RAR) or a service-specific server-intiated
in the requests Session-Id AVP. The client sends a Re-Authorization request to the client, indicating the session in the Session-Id AVP
Answer (RAA) to respond to the server's request. The client of the request. The client sends a Re-Authorization Answer (RAA) or
subsequently sends service-specific re-authorization request a service-specific answer to respond to the server's request. The
client subsequently sends service-specific re-authorization request
containing one or multiple Session-Group-Info AVPs, each indicating a containing one or multiple Session-Group-Info AVPs, each indicating a
session group, to which the session had been previously assigned. To session group, to which the session had been previously assigned. To
indicate removal of the indicated session from one or multiple indicate removal of the indicated session from one or multiple
session groups, the server sends a service-specific auth response to session groups, the server sends a service-specific auth response to
the client, containing a list of Session-Group-Info AVPs with the the client, containing a list of Session-Group-Info AVPs with the
SESSION_GROUP_ALLOCATION_ACTION flag cleared and the Session-Group-Id SESSION_GROUP_ALLOCATION_ACTION flag cleared and the Session-Group-Id
AVP identifying the session group, from which the session should be AVP identifying the session group, from which the session should be
removed. The server MAY include to the service-specific auth removed. The server MAY include to the service-specific auth
response a list of Session-Group-Info AVPs with the response a list of Session-Group-Info AVPs with the
SESSION_GROUP_ALLOCATION_ACTION flag set and the Session-Group-Id AVP SESSION_GROUP_ALLOCATION_ACTION flag set and the Session-Group-Id AVP
identifying session groups to which the session remains subscribed. identifying session groups to which the session remains subscribed.
In case the server decides to remove the identified session from all In case the server decides to remove the identified session from all
session groups, to which the session has been previously assigned, session groups, to which the session has been previously assigned,
the server includes in the service-specific auth response at least the server includes in the service-specific auth response at least
one Session-Group-Info AVP with the SESSION_GROUP_ALLOCATION_ACTION one Session-Group-Info AVP with the SESSION_GROUP_ALLOCATION_ACTION
flag cleared and Session-Group-Id AVP absent. flag cleared and Session-Group-Id AVP absent.
4.1.3. Mid-session group assignment modifications 4.2.3. Mid-session group assignment modifications
Either Diameter peer can modify the group membership of an active Either Diameter node (client or server) can modify the group
Diameter session according to the specified permission membership of an active Diameter session according to the specified
considerations. permission considerations.
To update an assigned group mid-session, a Diameter client sends a To update an assigned group mid-session, a Diameter client sends a
service-specific re-authorization request to the server, containing service-specific re-authorization request to the server, containing
one or multiple Session-Group-Info AVPs with the one or multiple Session-Group-Info AVPs with the
SESSION_GROUP_ALLOCATION_ACTION flag set and the Session-Group-Id AVP SESSION_GROUP_ALLOCATION_ACTION flag set and the Session-Group-Id AVP
present, identifying the session group to which the session should be present, identifying the session group to which the session should be
assigned. With the same message, the client may send one or multiple assigned. With the same message, the client may send one or multiple
Session-Group-Info AVP with the SESSION_GROUP_ALLOCATION_ACTION flag Session-Group-Info AVP with the SESSION_GROUP_ALLOCATION_ACTION flag
cleared and the Session-Group-Id AVP identifying the session group cleared and the Session-Group-Id AVP identifying the session group
from which the identified session is to be removed. To remove the from which the identified session is to be removed. To remove the
skipping to change at page 10, line 35 skipping to change at page 12, line 36
identified session is to be assigned. With the same response identified session is to be assigned. With the same response
message, the server may send one or multiple Session-Group-Info AVPs message, the server may send one or multiple Session-Group-Info AVPs
with the SESSION_GROUP_ALLOCATION_ACTION flag cleared and the with the SESSION_GROUP_ALLOCATION_ACTION flag cleared and the
Session-Group-Id AVP identifying the session groups from which the Session-Group-Id AVP identifying the session groups from which the
identified session is to be removed. When server wants to remove the identified session is to be removed. When server wants to remove the
session from all previously assigned session groups, it send at least session from all previously assigned session groups, it send at least
on Session-Group-Info AVP with the response having the on Session-Group-Info AVP with the response having the
SESSION_GROUP_ALLOCATION_ACTION flag cleared and no Session-Group-Id SESSION_GROUP_ALLOCATION_ACTION flag cleared and no Session-Group-Id
AVP present. AVP present.
4.2. Session Grouping Capability Discovery
Diameter nodes should assign a session to a session group and perform
session group operations with a peer only after having ensured that
the peer announced associated support beforehand.
4.2.1. Explicit Capability Discovery
New Diameter applications may consider support for Diameter session
grouping and for performing group commands during the standardization
process. Such applications provide intrinsic discovery for the
support of group commands and announce this capability through the
assigned application ID.
System- and deployment-specific means for capability exchange can be
used to announce peers' support for session grouping and session
group operations. In such case, the optional Session-Group-
Capability-Vector AVP, as described in Section 4.2.2 can be omitted
in Diameter messages being exchanged between peers.
4.2.2. Implicit Capability Discovery
If no explicit mechanism for capability discovery is deployed to
enable Diameter nodes to learn about peers' capability to support
session grouping and group commands, Diameter peers SHOULD append the
Session-Group-Capability-Vector AVP to any Diameter messages
exchanged with its peers to announce its capability to support
session grouping and session group operations. Implementations
following this specification set the BASE_SESSION_GROUP_CAPABILITY
flag of the Session-Group-Capability-Vector AVP.
When a Diameter node receives at least one Session-Group-Capability-
Vector AVP from a peer with the BASE_SESSION_GROUP_CAPABILITY flag
set, the Diameter node maintains a log to remember the peer's
capability to support group commands.
4.3. Deleting a Session Group 4.3. Deleting a Session Group
To delete a session group and release the associated Session-Group-Id To delete a session group and release the associated Session-Group-Id
value, the owner of a session group appends a single Session-Group- value, the owner of a session group appends a single Session-Group-
Info AVP having the SESSION_GROUP_STATUS_IND flag cleared and the Info AVP having the SESSION_GROUP_STATUS_IND flag cleared and the
Session-Group-Id AVP identifying the session group, which is to be Session-Group-Id AVP identifying the session group, which is to be
deleted. The SESSION_GROUP_ALLOCATION_ACTION flag of the associated deleted. The SESSION_GROUP_ALLOCATION_ACTION flag of the associated
Session-Group-Control-Vector AVP MUST be cleared. Session-Group-Control-Vector AVP MUST be cleared.
4.4. Performing Group Operations 4.4. Performing Group Operations
4.4.1. Sending Group Commands 4.4.1. Sending Group Commands
Either Diameter peer can request the recipient of a request to Either Diameter node (lient or server) can request the recipient of a
process an associated command for all sessions being assigned to one request to process an associated command for all sessions being
or multiple groups by identifying these groups in the request. The assigned to one or multiple groups by identifying these groups in the
sender of the request appends for each group, to which the command request. The sender of the request appends for each group, to which
applies, a Session-Group-Info AVP including the Session-Group-Id AVP the command applies, a Session-Group-Info AVP including the Session-
to identify the associated session group. Both, the Group-Id AVP to identify the associated session group. Both, the
SESSION_GROUP_ALLOCATION_ACTION flag as well as the SESSION_GROUP_ALLOCATION_ACTION flag as well as the
SESSION_GROUP_STATUS_IND flag must be set. SESSION_GROUP_STATUS_IND flag must be set.
If the CCF of the request mandates a Session-Id AVP, the Session-Id If the CCF of the request mandates a Session-Id AVP, the Session-Id
AVP MUST identify a single session which is assigned to at least one AVP MUST identify one of the single sessions which is assigned to at
of the groups being identified in the appended Session-Group-Id AVPs. least one of the groups being identified in the appended Session-
Group-Id AVPs.
The sender of the request MUST indicate to the receiver how follow up The sender of the request MUST indicate to the receiver how follow up
message exchanges should be performed by appending a single instance message exchanges should be performed by appending a single instance
of the Group-Response-Action AVP. Even if the request includes of the Group-Response-Action AVP. Even if the request includes
multiple instances of a Session-Group-Info AVP, the request MUST NOT multiple instances of a Session-Group-Info AVP, the request MUST NOT
comprise more than a single instance of a Group-Response-Action AVP. comprise more than a single instance of a Group-Response-Action AVP.
If the sender wants the receiver to perform follow up exchanges with If the sender wants the receiver to perform follow up exchanges with
a single command for all impacted groups, the sender sets the value a single command for all impacted groups, the sender sets the value
of the Group-Response-Action AVP to ALL_GROUPS (1). If follow up of the Group-Response-Action AVP to ALL_GROUPS (1). If follow up
message exchanges should be performed on a per-group basis in case message exchanges should be performed on a per-group basis in case
multiple groups are identified in the group command, the value of the multiple groups are identified in the group command, the value of the
Group-Response-Action AVP is set to PER_GROUP (2). A value set to Group-Response-Action AVP is set to PER_GROUP (2). A value set to
PER_SESSION (3) indicates to the receiver that all follow up PER_SESSION (3) indicates to the receiver that all follow up
exchanges should be performed using a single message for each exchanges should be performed using a single message for each
impacted session. impacted session.
If the sender sends a request including the Group-Response-Action AVP
set to ALL_GROUPS (1) or PER_GROUP (2), it MUST expect some delays
before receiving the corresponding answer(s) as the answer(s) will
only be sent back when the request is processed for all the sessions
or all the session of a session group. If the process of the request
is delay-sensitive, the sender SHOULD NOT set the Group-Response-
Action AVP to ALL_GROUPS (1) or PER_GROUP (2). If the answer can be
sent before the complete process of the request for all the sessions
or if the request timeout timer is high enough, the sender MAY set
the Group-Response-Action AVP to ALL_GROUPS (1) or PER_GROUP (2).
If the sender wants the receiver of the request to process the If the sender wants the receiver of the request to process the
associated command solely for a single session does not append any associated command solely for a single session does not append any
group identifier, but identifies the relevant session in the Session- group identifier, but identifies the relevant session in the Session-
Id AVP. Id AVP.
4.4.2. Receiving Group Commands 4.4.2. Receiving Group Commands
A Diameter peer receiving a request to process a command for a group A Diameter node receiving a request to process a command for a group
of sessions identifies the relevant groups according to the appended of sessions identifies the relevant groups according to the appended
Session-Group-Id AVP in the Session-Group-Info AVP and processes the Session-Group-Id AVP in the Session-Group-Info AVP and processes the
group command according to the appended Group-Response-Action AVP . group command according to the appended Group-Response-Action AVP .
If the received request identifies multiple groups in multiple If the received request identifies multiple groups in multiple
appended Session-Group-Id AVPs, the receiver should process the appended Session-Group-Id AVPs, the receiver should process the
associated command for each of these groups. if a session has been associated command for each of these groups. if a session has been
assigned to more than one of the identified groups, the receiver must assigned to more than one of the identified groups, the receiver must
process the associated command only once per session. process the associated command only once per session.
The Diameter peer receiving a request which requests performing the The Diameter node receiving a request which requests performing the
command to at least on session group SHOULD perform follow up message command to at least on session group SHOULD perform follow up message
exchanges according to the value identified in the Session-Group-Info exchanges according to the value identified in the Session-Group-Info
AVP. AVP.
4.4.3. Error Handling for Group Commands 4.4.3. Error Handling for Group Commands
When a Diameter peer receives a request to process a command for one When a Diameter node receives a request to process a command for one
or more session groups and the result of processing the command is an or more session groups and the result of processing the command is an
error that applies to all sessions in the identified groups, an error that applies to all sessions in the identified groups, an
associated protocol error must be returned to the source of the associated protocol error must be returned to the source of the
request. In such case, the sender of the request MUST fall back to request. In such case, the sender of the request MUST fall back to
single-session processing and the session groups, which have been single-session processing and the session groups, which have been
identified in the group command, MUST be deleted according to the identified in the group command, MUST be deleted according to the
procedure described in Section 4.3. procedure described in Section 4.3.
When a Diameter peer receives a request to process a command for one When a Diameter node receives a request to process a command for one
or more session groups and the result of processing the command or more session groups and the result of processing the command
succeeds for some sessions identified in one or multiple session succeeds for some sessions identified in one or multiple session
groups, but fails for one or more sessions, the Result-Code AVP in groups, but fails for one or more sessions, the Result-Code AVP in
the response message SHOULD indicate DIAMETER_LIMITED_SUCCESS as per the response message SHOULD indicate DIAMETER_LIMITED_SUCCESS as per
Section 7.1.2 of [RFC6733]. In case of limited success, the Section 7.1.2 of [RFC6733]. In case of limited success, the
sessions, for which the processing of the group command failed, MUST sessions, for which the processing of the group command failed, MUST
be identified using a Failed-AVP AVP as per Session 7.5 of [RFC6733]. be identified using a Failed-AVP AVP as per Session 7.5 of [RFC6733].
4.4.4. Single-Session Fallback 4.4.4. Single-Session Fallback
Either Diameter peer, a Diameter client or a Diameter server, can Either Diameter node can fall back to single session operation by
fall back to single session operation by ignoring and omitting the ignoring and omitting the optional group session-specific AVPs.
optional group session-specific AVPs. Fallback to single-session Fallback to single-session operation is performed by processing the
operation is performed by processing the Diameter command solely for Diameter command solely for the session identified in the mandatory
the session identified in the mandatory Session-Id AVP. The response Session-Id AVP. The response to the group command must not identify
to the group command must not identify any group but identify solely any group but identify solely the single session for which the
the single session for which the command has been processed. command has been processed.
5. Operation with Proxies Agents 5. Operation with Proxies Agents
This specification assumes in case of a present stateful Proxy Agent In case of a present stateful Proxy Agent between a Diameter client
between a Diameter client and a Diameter server that the Proxy Agent and a Diameter server, this specification assumes that the Proxy
is aware of session groups and session group handling. The Proxy Agent is aware of session groups and session group handling. The
MUST reflect the state of each session associated with a session Proxy MUST update and maintain consistency of its local session
group according to the result of a group command operated between a states as per the result of the group commands which are operated
Diameter client and a server. between a Diameter client and a server.
In case a Proxy Agent manipulates session groups, it MUST maintain In case a Proxy Agent manipulates session groups, it MUST maintain
consistency of session groups between a client and a server. This consistency of session groups between a client and a server. This
applies to deployment where the Proxy Agent utilizes session grouping applies to a deployment where the Proxy Agent utilizes session
and performing group commands with, for example, a Diameter server, grouping and performs group operations with, for example, a Diameter
whereas the Diameter client is not group-aware. The same applies to server, whereas the Diameter client is not aware of session groups.
deployment where all nodes, the Diameter client and server, as well In such case the Proxy Agent must reflect the states associated with
as the Proxy Agent are group-aware but the Proxy Agent manipulates the session groups as individual session operations towards the
groups, e.g. to adopt different administrative policies that apply to client and ensure the client has a consistent view of each session.
the client's domain and the server's domain. The same applies to a deployment where all nodes, the Diameter client
and server, as well as the Proxy Agent are group-aware but the Proxy
Agent manipulates groups, e.g. to adopt different administrative
policies that apply to the client's domain and the server's domain.
6. Commands Formatting 6. Commands Formatting
This document does not specify new Diameter commands to enable group This document does not specify new Diameter commands to enable group
operations, but relies on command extensibility capability provided operations, but relies on command extensibility capability provided
by the Diameter Base protocol. This section provides the guidelines by the Diameter Base protocol. This section provides the guidelines
to extend the CCF of existing Diameter commands with optional AVPs to to extend the CCF of existing Diameter commands with optional AVPs to
enable the recipient of the command to perform the command to all enable the recipient of the command applying the command to all
sessions associated with the identified group(s). sessions associated with the identified group(s).
6.1. Formatting Example: Group Re-Auth-Request 6.1. Formatting Example: Group Re-Auth-Request
A request that one or more groups of users are re-authentication is A request for re-authentication of one or more groups of users is
issued by appending one or multiple Session-Group-Id AVP(s) to the issued by appending one or multiple Session-Group-Id AVP(s), as well
Re-Auth-Request (RAR) and a single instance of a Group-Response- as a single instance of a Group-Response-Action AVP to the Re-Auth-
Action AVP. The one or multiple Session-Group-Id AVP(s) identify the Request (RAR). The one or multiple Session-Group-Id AVP(s) identify
associated group(s) for which the group re-authentication has been the associated group(s) for which the group re-authentication has
requested. The Group-Response-Action AVP identifies the expected been requested. The Group-Response-Action AVP identifies the
means to perform and respond to the group command. The recipient of expected means to perform and respond to the group command. The
the group command initiates re-authentication for all users recipient of the group command initiates re-authentication for all
associated with the identified group(s). Furthermore, the sender of users associated with the identified group(s). Furthermore, the
the group re-authentication request appends a Group-Response-Action sender of the group re-authentication request appends a Group-
AVP to provide more information to the receiver of the command about Response-Action AVP to provide more information to the receiver of
how to accomplish the group operation. the command about how to accomplish the group operation.
The value of the mandatory Session-Id AVP MUST identify a session The value of the mandatory Session-Id AVP MUST identify a session
associated with a single user, which is assigned to at least one of associated with a single user, which is assigned to at least one of
the groups being identified in the appended Session-Group-Id AVPs. the groups being identified in the appended Session-Group-Id AVPs.
<RAR> ::= < Diameter Header: 258, REQ, PXY > <RAR> ::= < Diameter Header: 258, REQ, PXY >
< Session-Id > < Session-Id >
{ Origin-Host } { Origin-Host }
{ Origin-Realm } { Origin-Realm }
{ Destination-Realm } { Destination-Realm }
skipping to change at page 16, line 28 skipping to change at page 17, line 51
The Session-Group-Id AVP (AVP Code TBD3) is of type UTF8String and The Session-Group-Id AVP (AVP Code TBD3) is of type UTF8String and
identifies a group of Diameter sessions. identifies a group of Diameter sessions.
The Session-Group-Id MUST be globally and eternally unique, as it is The Session-Group-Id MUST be globally and eternally unique, as it is
meant to uniquely identify a group of Diameter sessions without meant to uniquely identify a group of Diameter sessions without
reference to any other information. reference to any other information.
The default format of the Session-Group-id MUST comply to the format The default format of the Session-Group-id MUST comply to the format
recommended for a Session-Id, as defined in the section 8.8 of the recommended for a Session-Id, as defined in the section 8.8 of the
[RFC6733]. The DiameterIdentity element of the Session-Group-Id MUST [RFC6733]. The <DiameterIdentity> portion of the Session-Group-Id
identify the Diameter node, which owns the session group. MUST identify the Diameter node, which owns the session group.
7.4. Group-Response-Action AVP 7.4. Group-Response-Action AVP
The Group-Response-Action AVP (AVP Code TBD4) is of type Unsigned32 The Group-Response-Action AVP (AVP Code TBD4) is of type Unsigned32
and contains a 32-bit address space representing values indicating and contains a 32-bit address space representing values indicating
how the peer SHOULD issue follow up exchanges in response to a how the node SHOULD issue follow up exchanges in response to a
command which impacts multiple sessions. The following values are command which impacts multiple sessions. The following values are
defined by this application: defined by this application:
ALL_GROUPS (1) ALL_GROUPS (1)
Follow up exchanges should be performed with a single message Follow up exchanges should be performed with a single message
exchange for all impacted groups. exchange for all impacted groups.
PER_GROUP (2) PER_GROUP (2)
Follow up exchanges should be performed with a message exchange Follow up exchanges should be performed with a message exchange
for each impacted group. for each impacted group.
skipping to change at page 17, line 50 skipping to change at page 19, line 24
o Session-Group-Id o Session-Group-Id
o Group-Response-Action o Group-Response-Action
o Session-Group-Capability-Vector o Session-Group-Capability-Vector
The AVPs are defined in Section 7. The AVPs are defined in Section 7.
10. Security Considerations 10. Security Considerations
TODO The security considerations of the Diameter protocol itself are
discussed in [RFC6733]. Use of the AVPs defined in this document
MUST take into consideration the security issues and requirements of
the Diameter base protocol. In particular, the Session-Group-Info
AVP (including the Session-group-Control-Vector and the Session-
Group-Id AVPs) should be considered as a security-sensitive AVPs in
the same manner than the Session-Id AVP in the Diameter base protocol
[RFC6733].
The management of session groups relies upon the existing trust
relationship between the Diameter client and the Diameter server
managing the groups of sessions. This document defines a mechanism
that allows a client or a server to act on multiple sessions at the
same time using only one command. if the Diameter client or server is
compromised, an attacker could launch DoS attacks by terminating a
large number of sessions with a limited set of commands using the
session group management concept.
According to the Diameter base protocol [RFC6733], transport
connections between Diameter peers are protected by TLS/TCP, DTLS/
SCTP or alternative security mechanisms that are independent of
Diameter, such as IPsec. However, the lack of end-to-end security
features makes it difficult to establish trust in the session group
related information received from non-adjacent nodes. Any Diameter
agent in the message path can potentially modify the content of the
message and therefore the information sent by the Diameter client or
the server. The DIME working group is currently working on solutions
for providing end-to-end security features. When available, these
features should enable the establishment of trust relationship
between non-adjacent nodes and the security required for session
group management would normally rely on this end-to-end security.
However, there is no assumption in this document that such end-to-end
security mechanism will be available. It is only assume that the
solution defined on this document relies on the security framework
provided by the Diameter based protocol.
In some cases, a Diameter Proxy agent can act on behalf of a client
or server. In such a case, the security requirements that normally
apply to a client (or a server) apply equally to the Proxy agent.
11. Acknowledgments 11. Acknowledgments
The authors of this document want to thank Ben Campbell and Eric The authors of this document want to thank Ben Campbell and Eric
McMurry for their valuable comments to early versions of this draft. McMurry for their valuable comments to early versions of this draft.
Furthermore, authors thank Steve Donovan for the thorough review and
comments on the adopted WG document, which helped a lot to improve
this specification.
12. Normative References 12. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, [RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton,
"Diameter Network Access Server Application", RFC 4005, "Diameter Network Access Server Application", RFC 4005,
August 2005. August 2005.
[RFC6733] Fajardo, V., Arkko, J., Loughney, J., and G. Zorn, [RFC6733] Fajardo, V., Arkko, J., Loughney, J., and G. Zorn,
"Diameter Base Protocol", RFC 6733, October 2012. "Diameter Base Protocol", RFC 6733, October 2012.
Appendix A. Session Management -- Exemplary Session State Machines Appendix A. Session Management -- Exemplary Session State Machine
A.1. Authorization Session State Machine A.1. Use of groups for the Authorization Session State Machine
Section 8.1 in [RFC6733] defines a set of finite state machines, Section 8.1 in [RFC6733] defines a set of finite state machines,
representing the life cycle of Diameter sessions, and which MUST be representing the life cycle of Diameter sessions, and which MUST be
observed by all Diameter implementations that make use of the observed by all Diameter implementations that make use of the
authentication and/or authorization portion of a Diameter authentication and/or authorization portion of a Diameter
application. This section defines the additional state transitions application. This section defines, as example, additional state
related to the processing of the new commands which may impact transitions related to the processing of the group commands which may
multiple sessions. impact multiple sessions.
The group membership is session state and therefore only those state The group membership is session state and therefore only those state
machines from [RFC6733] in which the server is maintaining session machines from [RFC6733] in which the server is maintaining session
state are relevant in this document. As in [RFC6733], the term state are relevant in this document. As in [RFC6733], the term
Service-Specific below refers to a message defined in a Diameter Service-Specific below refers to a message defined in a Diameter
application (e.g., Mobile IPv4, NASREQ). application (e.g., Mobile IPv4, NASREQ).
The following state machine is observed by a client when state is The following state machine is observed by a client when state is
maintained on the server. State transitions which are unmodified maintained on the server. State transitions which are unmodified
from [RFC6733] are not repeated here. from [RFC6733] are not repeated here.
A Diameter group command in the following tables is differentiated The Diameter group command in the following tables is differentiated
from a single-session related command by a preceding 'G'. A Group from a single-session related command by a preceding 'G' (Group). A
Re-Auth Request, which applies to one or multiple session groups, has Group Re-Auth Request, which applies to one or multiple session
been exemplarily described in Section 6.1. Such Group RAR command is groups, has been exemplarily described in Section 6.1. Such Group
denoted as 'GRAR' in the following table. The same notation applies RAR command is denoted as 'GRAR' in the following table. The same
to other commands as per [RFC6733]. notation applies to other commands as per [RFC6733].
CLIENT, STATEFUL CLIENT, STATEFUL
State Event Action New State State Event Action New State
--------------------------------------------------------------- ---------------------------------------------------------------
Idle Client or Device Requests Send Pending Idle Client or Device Requests Send Pending
access service access service
specific specific
auth req auth req
optionally optionally
including including
 End of changes. 68 change blocks. 
211 lines changed or deleted 324 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/