draft-ietf-dime-nat-control-13.txt   draft-ietf-dime-nat-control-14.txt 
Internet Engineering Task Force F. Brockners Internet Engineering Task Force F. Brockners
Internet-Draft S. Bhandari Internet-Draft S. Bhandari
Intended status: Standards Track Cisco Intended status: Standards Track Cisco
Expires: July 14, 2012 V. Singh Expires: September 12, 2012 V. Singh
V. Fajardo V. Fajardo
Telcordia Technologies Telcordia Technologies
January 11, 2012 March 11, 2012
Diameter Network Address and Port Translation Control Application Diameter Network Address and Port Translation Control Application
draft-ietf-dime-nat-control-13 draft-ietf-dime-nat-control-14
Abstract Abstract
This document describes the framework, messages, and procedures for This document describes the framework, messages, and procedures for
the Diameter Network address and port translation Control the Diameter Network address and port translation Control
Application. This Diameter application allows per endpoint control Application. This Diameter application allows per endpoint control
of Network Address Translators and Network Address and Port of Network Address Translators and Network Address and Port
Translators, which are added to networks to cope with IPv4-address Translators, which are added to networks to cope with IPv4-address
space depletion. This Diameter application allows external devices space depletion. This Diameter application allows external devices
to configure and manage a Network Address Translator device - to configure and manage a Network Address Translator device -
skipping to change at page 2, line 7 skipping to change at page 2, line 7
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 14, 2012. This Internet-Draft will expire on September 12, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 4, line 33 skipping to change at page 4, line 33
13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
13.1. DNCA Session Establishment Example . . . . . . . . . . . . 46 13.1. DNCA Session Establishment Example . . . . . . . . . . . . 46
13.2. DNCA Session Update with Port Style Example . . . . . . . 49 13.2. DNCA Session Update with Port Style Example . . . . . . . 49
13.3. DNCA Session Query Example . . . . . . . . . . . . . . . . 50 13.3. DNCA Session Query Example . . . . . . . . . . . . . . . . 50
13.4. DNCA Session Termination Example . . . . . . . . . . . . . 51 13.4. DNCA Session Termination Example . . . . . . . . . . . . . 51
14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 54 14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 54
15. Change History (to be removed prior to publication as an 15. Change History (to be removed prior to publication as an
RFC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 RFC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 57 16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 57
16.1. Normative References . . . . . . . . . . . . . . . . . . . 57 16.1. Normative References . . . . . . . . . . . . . . . . . . . 57
16.2. Informative References . . . . . . . . . . . . . . . . . . 57 16.2. Informative References . . . . . . . . . . . . . . . . . . 58
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 58 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 59
1. Introduction 1. Introduction
Internet service providers deploy Network Address Translators (NATs) Internet service providers deploy Network Address Translators (NATs)
and Network Address and Port Translators (NAPTs) [RFC3022] in their and Network Address and Port Translators (NAPTs) [RFC3022] in their
networks. A key motivation for doing so is the depletion of networks. A key motivation for doing so is the depletion of
available public IPv4 addresses. This document defines a Diameter available public IPv4 addresses. This document defines a Diameter
application allowing providers to control the behavior of NAT and application allowing providers to control the behavior of NAT and
NAPT devices that implement IPv4-to-IPv4 network address and port NAPT devices that implement IPv4-to-IPv4 network address and port
translation [RFC2663] as well as stateful IPv6-to-IPv4 address family translation [RFC2663] as well as stateful IPv6-to-IPv4 address family
translation translation as defined in [RFC2663], [RFC6145], and translation as defined in [RFC2663], [RFC6145], and [RFC6146]. The
[RFC6146]. The use of a Diameter application allows for simple use of a Diameter application allows for simple integration into the
integration into the existing Authentication, Authorization and existing Authentication, Authorization and Accounting (AAA)
Accounting (AAA) environment of a provider. environment of a provider.
The Diameter Network address and port translation Control Application The Diameter Network address and port translation Control Application
(DNCA) offers the following capabilities: (DNCA) offers the following capabilities:
1. Limits or defines the number of NAPT/NAT bindings made available 1. Limits or defines the number of NAPT/NAT bindings made available
to an individual endpoint. The main motivation for restricting to an individual endpoint. The main motivation for restricting
the number of bindings on a per endpoint basis is to protect the the number of bindings on a per endpoint basis is to protect the
service of the service provider against denial of service service of the service provider against denial of service
attacks. If multiple endpoints share a single public IP address, attacks. If multiple endpoints share a single public IP address,
these endpoints can share fate. If one endpoint would (either these endpoints can share fate. If one endpoint would (either
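Review bot: the reflow at the end of the Introduction correctly drops the doubled word in "translation translation as defined in", but the citation list it keeps is still off: [RFC2663] is the NAT terminology document and does not define stateful IPv6-to-IPv4 address family translation, which is specified by [RFC6145] and [RFC6146] only. Suggest "as well as stateful IPv6-to-IPv4 address family translation as defined in [RFC6145] and [RFC6146]", leaving [RFC2663] attached to the IPv4-to-IPv4 clause where it already appears.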
skipping to change at page 22, line 37 skipping to change at page 22, line 37
4.6. Failure cases of the DNCA Diameter peers 4.6. Failure cases of the DNCA Diameter peers
This document does not specify the behavior in case the NAT-device This document does not specify the behavior in case the NAT-device
and NAT-controller, or their respective DNCA Diameter peers are out and NAT-controller, or their respective DNCA Diameter peers are out
of sync or lose state. This could happen for example if one of the of sync or lose state. This could happen for example if one of the
entities restarts, in case of a (temporary) loss of network entities restarts, in case of a (temporary) loss of network
connectivity etc. Example failure cases include the following: connectivity etc. Example failure cases include the following:
o NAT-controller and the DNCA Diameter peer within the NAT- o NAT-controller and the DNCA Diameter peer within the NAT-
controller lose state (e.g., due to a restart). In this case, controller loses state (e.g., due to a restart). In this case,
* the DNCA Diameter peer within the NAT-device MAY receive an NCR * the DNCA Diameter peer within the NAT-device MAY receive an NCR
with NC-Request-Type AVP set to INITIAL_REQUEST that matches an with NC-Request-Type AVP set to INITIAL_REQUEST that matches an
existing session of the DNCA Diameter peer within the NAT- existing session of the DNCA Diameter peer within the NAT-
device. The DNCA Diameter peer within the NAT-device MUST device. The DNCA Diameter peer within the NAT-device MUST
return Result-Code that contains Duplicate-Session-Id AVP to return Result-Code that contains Duplicate-Session-Id AVP to
report the Session-ID of the existing session. The DNCA report the Session-ID of the existing session. The DNCA
Diameter peer within the NAT-controller MAY send an explicit Diameter peer within the NAT-controller MAY send an explicit
Session Terminate Request (STR) for the older session, which Session Terminate Request (STR) for the older session, which
was lost. was lost.
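Review bot: the change from "lose state" to "loses state" in the first bullet introduces a subject-verb disagreement: the subject is compound ("NAT-controller and the DNCA Diameter peer within the NAT-controller"), so the plural "lose" of -13 was correct and should be restored. Separately, "MUST return Result-Code that contains Duplicate-Session-Id AVP" cannot be implemented as written, because Result-Code is a single value and cannot contain an AVP; the NC-Answer format in 6.2 lists Result-Code and Duplicate-Session-ID as separate AVPs. Suggest "MUST return an NCA with a Result-Code indicating the failure and a Duplicate-Session-ID AVP reporting the Session-Id of the existing session", using the one spelling (Duplicate-Session-ID) that 6.2 uses.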
skipping to change at page 23, line 19 skipping to change at page 23, line 19
state. In such a case, the DNCA Diameter peer MAY receive a NCR state. In such a case, the DNCA Diameter peer MAY receive a NCR
with NC-Request-Type AVP set to UPDATE_REQUEST for a non-existent with NC-Request-Type AVP set to UPDATE_REQUEST for a non-existent
session. The DNCA Diameter peer MUST return an NCA with Result- session. The DNCA Diameter peer MUST return an NCA with Result-
Code set to DIAMETER_UNKNOWN_SESSION_ID. Code set to DIAMETER_UNKNOWN_SESSION_ID.
o The DNCA Diameter peer within the NAT-controller is unreachable, o The DNCA Diameter peer within the NAT-controller is unreachable,
for example detected by Diameter device watchdog messages (as for example detected by Diameter device watchdog messages (as
defined in Section 5.5 of [RFC3588]), or down and accounting defined in Section 5.5 of [RFC3588]), or down and accounting
requests from the DNCA Diameter peer fail to get a response. The requests from the DNCA Diameter peer fail to get a response. The
mechanism to ensure that a DNCA Diameter peer within the NAT- mechanism to ensure that a DNCA Diameter peer within the NAT-
controller no longer has associated state for a session which was controller no longer has associated state for a session that was
cleared or removed by the DNCA Diameter peer within the NAT-device cleared or removed by the DNCA Diameter peer within the NAT-device
is beyond the scope of this document. is beyond the scope of this document.
o The DNCA Diameter peer within the NAT-device is unreachable or o The DNCA Diameter peer within the NAT-device is unreachable or
down and NCR fails to get a response. Handling of this case down and NCR fails to get a response. Handling of this case
depends on the actual service offering of the service provider. depends on the actual service offering of the service provider.
The service provider could for example choose to stop offering The service provider could for example choose to stop offering
connectivity service. connectivity service.
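Review bot: "which was" to "that was" is fine, but the same hunk still reads "receive a NCR" while the first bullet of 4.6 and the text under 6.1 write "an NCR"; pick one article for the whole section. The reference to Section 5.5 of [RFC3588] for device-watchdog-based detection is the right one (Transport Failure Detection).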
5. Use of the Diameter Base Protocol 5. Use of the Diameter Base Protocol
skipping to change at page 25, line 12 skipping to change at page 25, line 12
from the DNCA Diameter peer within the NAT-controller to the DNCA from the DNCA Diameter peer within the NAT-controller to the DNCA
Diameter peer within the NAT-device in order to install NAT-bindings. Diameter peer within the NAT-device in order to install NAT-bindings.
User-Name, Logical-Access-Id, Physical-Access-ID, Framed-IP-Address, User-Name, Logical-Access-Id, Physical-Access-ID, Framed-IP-Address,
Framed-IPv6-Prefix, Framed-Interface-Id, EGRESS-VLANID, NAS-Port-ID, Framed-IPv6-Prefix, Framed-Interface-Id, EGRESS-VLANID, NAS-Port-ID,
Address-Realm, Calling-Station-ID AVPs serve as identifiers for the Address-Realm, Calling-Station-ID AVPs serve as identifiers for the
endpoint. endpoint.
Message format: Message format:
< NC-Request > ::= < Diameter Header: TBD, REQ, PXY> < NC-Request > ::= < Diameter Header: TBD, REQ, PXY>
[ Session-Id ]
{ Auth-Application-Id } { Auth-Application-Id }
{ Origin-Host } { Origin-Host }
{ Origin-Realm } { Origin-Realm }
{ Destination-Realm } { Destination-Realm }
{ Destination-Host } { Destination-Host }
{ NC-Request-Type } { NC-Request-Type }
[ Session-Id ]
[ Origin-State-Id ] [ Origin-State-Id ]
*1 [ NAT-Control-Remove ] *1 [ NAT-Control-Remove ]
*1 [ NAT-Control-Install ] *1 [ NAT-Control-Install ]
[ NAT-External-Address ]
[ User-Name ] [ User-Name ]
[ Logical-Access-Id ] [ Logical-Access-Id ]
[ Physical-Access-ID ] [ Physical-Access-ID ]
[ Framed-IP-Address ] [ Framed-IP-Address ]
[ Framed-IPv6-Prefix ] [ Framed-IPv6-Prefix ]
[ Framed-Interface-Id ] [ Framed-Interface-Id ]
[ EGRESS-VLANID] [ EGRESS-VLANID]
[ NAS-Port-ID] [ NAS-Port-ID]
[ Address-Realm ] [ Address-Realm ]
[ Calling-Station-ID ] [ Calling-Station-ID ]
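Review bot: moving Session-Id to the top of the NC-Request CCF is the right fix, but it is still written as optional, `[ Session-Id ]`. The Diameter base protocol requires Session-Id, when present, to be the first AVP after the header, and the -14 change list says mandatory AVPs were moved ahead of optional ones, so an optional AVP does not belong in that position; as written, an implementation could legally send an INITIAL_REQUEST NCR with no Session-Id, which leaves the NAT-device nothing to key the session on and nothing to report back in Duplicate-Session-ID. Suggest the fixed-position form `< Session-Id >`. The added `[ NAT-External-Address ]` matches change item a for -14; the paragraph above the CCF that enumerates the endpoint identifier AVPs should also say that NAT-External-Address is the classifier used for a session query by external IP address, otherwise a reader of 6.1 alone cannot tell why it is there.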
skipping to change at page 26, line 6 skipping to change at page 26, line 6
6.2. NAT-Control Answer (NCA) Command 6.2. NAT-Control Answer (NCA) Command
The NAT-Control-Answer (NCA) command, indicated by the Command-Code The NAT-Control-Answer (NCA) command, indicated by the Command-Code
field set to TBD and the "R" bit cleared in the Command Flags field, field set to TBD and the "R" bit cleared in the Command Flags field,
is sent by the DNCA Diameter peer within the NAT-device in response is sent by the DNCA Diameter peer within the NAT-device in response
to NAT-Control-Request command. to NAT-Control-Request command.
Message format: Message format:
<NC-Answer> ::= < Diameter Header: TBD, PXY > <NC-Answer> ::= < Diameter Header: TBD, PXY >
[ Session-Id ]
{ Origin-Host } { Origin-Host }
{ Origin-Realm } { Origin-Realm }
{ Result-Code } { Result-Code }
[ Session-Id ]
[ NC-Request-Type ] [ NC-Request-Type ]
* [ NAT-Control-Definition ] * [ NAT-Control-Definition ]
[ Current-NAT-Bindings ] [ Current-NAT-Bindings ]
[ Origin-State-Id ] [ Origin-State-Id ]
[ Error-Message ] [ Error-Message ]
[ Error-Reporting-Host ] [ Error-Reporting-Host ]
* [ Failed-AVP ] * [ Failed-AVP ]
* [ Proxy-Info ] * [ Proxy-Info ]
[ Duplicate-Session-ID ] [ Duplicate-Session-ID ]
* [ Redirect-Host] * [ Redirect-Host]
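Review bot: same issue as the request: `[ Session-Id ]` is now first in the NC-Answer CCF but still marked optional. The answer to a session-creating request has to carry the Session-Id (the request's own, or, via Duplicate-Session-ID, that of the already existing session), so `< Session-Id >` is the correct notation here too. The spelling "Duplicate-Session-ID" here versus "Duplicate-Session-Id" in 4.6 should be unified before the AVP name is registered.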
skipping to change at page 30, line 8 skipping to change at page 30, line 8
Discon Discon
Any STR Received Send STA, Idle Any STR Received Send STA, Idle
Clean up Clean up
8. DNCA AVPs 8. DNCA AVPs
8.1. Reused Base Protocol AVPs 8.1. Reused Base Protocol AVPs
The following table describes the AVPs reused from Diameter Base The following table describes the AVPs reused from Diameter Base
Protocol [RFC3588]; their AVP Code values, types, and possible flag Protocol [RFC3588]; their AVP Code values, types, and possible flag
values; and whether the AVP MAY be encrypted.The [RFC3588] specifies values; and whether the AVP MAY be encrypted. The [RFC3588]
the AVP Flag rules for AVPs in section 4.5. The Diameter AVP rules specifies the AVP Flag rules for AVPs in section 4.5. The Diameter
are defined in the [RFC3588], section 4. AVP rules are defined in the [RFC3588], section 4.
+---------+ +---------+
| AVP | | AVP |
| Flag | | Flag |
| rules | | rules |
+-----------------------------------------------|-----+---+---------+ +-----------------------------------------------|-----+---+---------+
| AVP | | | | | AVP | | | |
| Attribute Name Code Data Type |MUST |MAY| Encr | | Attribute Name Code Data Type |MUST |MAY| Encr |
+-----------------------------------------------+-----+---+---------+ +-----------------------------------------------+-----+---+---------+
|Acct-Interim-Interval 85 Unsigned32 | M | P | Y | |Acct-Interim-Interval 85 Unsigned32 | M | P | Y |
|Auth-Application-Id 258 Unsigned32 | M | P | N | |Auth-Application-Id 258 Unsigned32 | M | P | N |
skipping to change at page 30, line 43 skipping to change at page 30, line 43
|User-Name 1 UTF8String | M | P | Y | |User-Name 1 UTF8String | M | P | Y |
+-----------------------------------------------+-----+---+---------+ +-----------------------------------------------+-----+---+---------+
Table 1: DIAMETER AVPs used from Diameter base Table 1: DIAMETER AVPs used from Diameter base
The Auth-Application-Id AVP (AVP Code 258) is assigned by IANA to The Auth-Application-Id AVP (AVP Code 258) is assigned by IANA to
Diameter applications. The value of the Auth-Application-Id for the Diameter applications. The value of the Auth-Application-Id for the
Diameter NAT Control Application is TBD. Diameter NAT Control Application is TBD.
8.2. Additional Result-Code AVP Values 8.2. Additional Result-Code AVP Values
This section defines new values for the Result-Code AVP which SHALL This section defines new values for the Result-Code AVP that SHALL be
be supported by all Diameter implementations that conform to the supported by all Diameter implementations that conform to the present
present document. document.
8.2.1. Success 8.2.1. Success
No new Result-Code AVP value is defined within this category. No new Result-Code AVP value is defined within this category.
8.2.2. Transient Failures 8.2.2. Transient Failures
Result-Code AVP values that fall within the transient failures Result-Code AVP values that fall within the transient failures
category are those used to inform a peer that the request could not category are those used to inform a peer that the request could not
be satisfied at the time that it was received. The request may be be satisfied at the time that it was received. The request may be
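Review bot: the whitespace fix after "encrypted." is fine; a consistency point on the AVP tables that start here: Table 1 (and Table 4 later) carry only MUST/MAY/Encr columns, whereas Tables 2 and 3 add SHLD NOT and MUST NOT columns and use the latter to state that the V bit MUST NOT be set. For the base-protocol AVPs reused in Table 1 the V-bit rule is therefore never stated. Either add the two columns to every reuse table, or state once in 8.1 that none of the reused non-vendor AVPs may have the V bit set, as 8.7 already does for the DNCA-defined AVPs.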
skipping to change at page 32, line 19 skipping to change at page 32, line 19
The DNCA Diameter peer within the NAT-device requests to The DNCA Diameter peer within the NAT-device requests to
initialize a new session, if the classifiers in the request initialize a new session, if the classifiers in the request
match more than one of the existing sessions on the DNCA match more than one of the existing sessions on the DNCA
Diameter peer within the NAT-device. Diameter peer within the NAT-device.
8.3. Reused NASREQ Diameter Application AVPs 8.3. Reused NASREQ Diameter Application AVPs
The following table describes the AVPs reused from the Diameter The following table describes the AVPs reused from the Diameter
Network Access Server Application [RFC4005]; their AVP Code values, Network Access Server Application [RFC4005]; their AVP Code values,
types, and possible flag values; and whether the AVP MAY be types, and possible flag values; and whether the AVP MAY be
encrypted.The [RFC3588] specifies the AVP Flag rules for AVPs in encrypted. The [RFC3588] specifies the AVP Flag rules for AVPs in
section 4.5. The Diameter AVP rules are defined in the [RFC3588], section 4.5. The Diameter AVP rules are defined in the [RFC3588],
section 4. section 4.
+---------------------+ +---------------------+
| AVP Flag rules | | AVP Flag rules |
+------------------+------+------------|----+-----+----+-----|----+ +------------------+------+------------|----+-----+----+-----|----+
| | AVP | | | |SHLD| MUST| | | | AVP | | | |SHLD| MUST| |
| Attribute Name | Code | Value Type|MUST| MAY | NOT| NOT|Encr| | Attribute Name | Code | Value Type|MUST| MAY | NOT| NOT|Encr|
|------------------|------|------------|----+-----+----+-----|----| |------------------|------|------------|----+-----+----+-----|----|
| NAS-Port | 5 | Unsigned32 | M | P | | V | Y | | NAS-Port | 5 | Unsigned32 | M | P | | V | Y |
| NAS-Port-Id | 87 | UTF8String | M | P | | V | Y | | NAS-Port-Id | 87 | UTF8String | M | P | | V | Y |
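Review bot: the permanent-failure description at the top of this hunk names the wrong peer: "The DNCA Diameter peer within the NAT-device requests to initialize a new session". Per 6.1 the NC-Request is sent by the DNCA Diameter peer within the NAT-controller to the peer within the NAT-device, and it is the NAT-device peer that holds the existing sessions the classifiers are matched against. Suggest "The DNCA Diameter peer within the NAT-controller requests to initialize a new session, and the classifiers in the request match more than one of the existing sessions on the DNCA Diameter peer within the NAT-device."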
skipping to change at page 32, line 45 skipping to change at page 32, line 45
| Framed-IPv6- | 97 | OctetString| M | P | | V | Y | | Framed-IPv6- | 97 | OctetString| M | P | | V | Y |
| Prefix | | | | | | | | | Prefix | | | | | | | |
+------------------+------+------------|----+-----+----+-----|----+ +------------------+------+------------|----+-----+----+-----|----+
Table 2: Reused NASREQ Diameter application AVPs Table 2: Reused NASREQ Diameter application AVPs
8.4. Reused AVPs from RFC 4675 8.4. Reused AVPs from RFC 4675
The following table describes the AVPs reused from "RADIUS Attributes The following table describes the AVPs reused from "RADIUS Attributes
for Virtual LAN and Priority Support" specification [RFC4675]; their for Virtual LAN and Priority Support" specification [RFC4675]; their
AVP Code values, types, and possible flag values; and whether the AVP AVP Code values, types, and possible flag values; and whether the AVP
MAY be encrypted.The [RFC3588] specifies the AVP Flag rules for AVPs MAY be encrypted. The [RFC3588] specifies the AVP Flag rules for
in section 4.5. The Diameter AVP rules are defined in the [RFC3588], AVPs in section 4.5. The Diameter AVP rules are defined in the
section 4. [RFC3588], section 4.
+---------------------+ +---------------------+
| AVP Flag rules | | AVP Flag rules |
+------------------+------+------------|----+-----+----+-----|----+ +------------------+------+------------|----+-----+----+-----|----+
| | AVP | | | |SHLD| MUST| | | | AVP | | | |SHLD| MUST| |
| Attribute Name | Code | Value Type|MUST| MAY | NOT| NOT|Encr| | Attribute Name | Code | Value Type|MUST| MAY | NOT| NOT|Encr|
|------------------|------|------------|----+-----+----+-----|----| |------------------|------|------------|----+-----+----+-----|----|
| Egress-VLANID | 56 | OctetString| M | P | | V | Y | | Egress-VLANID | 56 | OctetString| M | P | | V | Y |
+------------------+------+------------|----+-----+----+-----|----+ +------------------+------+------------|----+-----+----+-----|----+
Table 3: Reused attributes from RFC 4675 Table 3: Reused attributes from RFC 4675
8.5. Reused AVPs from Diameter QoS Application 8.5. Reused AVPs from Diameter QoS Application
The following table describes the AVPs reused from the Traffic The following table describes the AVPs reused from the Traffic
Classification and Quality of Service (QoS) Attributes for Diameter Classification and Quality of Service (QoS) Attributes for Diameter
[RFC5777]; their AVP Code values, types, and possible flag values; [RFC5777]; their AVP Code values, types, and possible flag values;
and whether the AVP MAY be encrypted.The [RFC3588] specifies the AVP and whether the AVP MAY be encrypted. The [RFC3588] specifies the
Flag rules for AVPs in section 4.5. The Diameter AVP rules are AVP Flag rules for AVPs in section 4.5. The Diameter AVP rules are
defined in the [RFC3588], section 4. defined in the [RFC3588], section 4.
+---------+ +---------+
| AVP | | AVP |
| Flag | | Flag |
| rules | | rules |
+-----------------------------------------------|-----+---+---------+ +-----------------------------------------------|-----+---+---------+
| AVP | | | | | AVP | | | |
| Attribute Name Code Data Type |MUST |MAY| Encr | | Attribute Name Code Data Type |MUST |MAY| Encr |
+-----------------------------------------------+-----+---+---------+ +-----------------------------------------------+-----+---+---------+
|Port 530 Integer32 | M | P | Y | |Port 530 Integer32 | M | P | Y |
|Protocol 513 Enumerated | M | P | Y | |Protocol 513 Enumerated | M | P | Y |
|Direction 514 Enumerated | M | P | Y | |Direction 514 Enumerated | M | P | Y |
+-----------------------------------------------+-----+---+---------+ +-----------------------------------------------+-----+---+---------+
Table 4: Reused QoS-attributes Table 4: Reused QoS-attributes
8.6. Reused AVPs from ETSI ES 283 034, e4 Diameter Application 8.6. Reused AVPs from ETSI ES 283 034, e4 Diameter Application
The following table describes the AVPs reused from the Diameter e4 The following table describes the AVPs reused from the Diameter e4
Application [ETSIES283034]; their AVP Code values, types, and Application [ETSIES283034]; their AVP Code values, types, and
possible flag values; and whether the AVP MAY be encrypted.The possible flag values; and whether the AVP MAY be encrypted. The
[RFC3588] specifies the AVP Flag rules for AVPs in section 4.5. The [RFC3588] specifies the AVP Flag rules for AVPs in section 4.5. The
Diameter AVP rules are defined in the [RFC3588], section 4. The Diameter AVP rules are defined in the [RFC3588], section 4. The
Vendor-ID field in these AVP header will be set to ETSI (13019). Vendor-ID field in these AVP header will be set to ETSI (13019).
+---------+ +---------+
| AVP | | AVP |
| Flag | | Flag |
| rules | | rules |
+-----------------------------------------------|-----+---+---------+ +-----------------------------------------------|-----+---+---------+
| AVP | | | | | AVP | | | |
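Review bot: in 8.6, "The Vendor-ID field in these AVP header will be set to ETSI (13019)" is a requirement that interoperability depends on and should use normative language and correct grammar: "The Vendor-ID field in the header of these AVPs MUST be set to 13019 (ETSI)". Table 5 already shows the V bit as MUST for these AVPs, which is what makes the Vendor-ID field present in the first place, so the two statements should line up.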
skipping to change at page 34, line 24 skipping to change at page 34, line 24
|Logical-Access-Id 302 OctetString | V | M | Y | |Logical-Access-Id 302 OctetString | V | M | Y |
|Physical-Access-ID 313 UTF8String | V | M | Y | |Physical-Access-ID 313 UTF8String | V | M | Y |
+-----------------------------------------------+-----+---+---------+ +-----------------------------------------------+-----+---+---------+
Table 5: Reused AVPs from Diameter e4 application Table 5: Reused AVPs from Diameter e4 application
8.7. DNCA Defined AVPs 8.7. DNCA Defined AVPs
The following table describes the new Diameter AVPs defined in this The following table describes the new Diameter AVPs defined in this
document; their AVP Code values, types, and possible flag values; and document; their AVP Code values, types, and possible flag values; and
whether the AVP MAY be encrypted.The [RFC3588] specifies the AVP Flag whether the AVP MAY be encrypted. The [RFC3588] specifies the AVP
rules for AVPs in section 4.5. The Diameter AVP rules are defined in Flag rules for AVPs in section 4.5. The Diameter AVP rules are
the [RFC3588], section 4. The AVPs defined here MUST NOT have the V defined in the [RFC3588], section 4. The AVPs defined here MUST NOT
bit in the AVP Flag set. have the V bit in the AVP Flag set.
+---------+ +---------+
| AVP | | AVP |
| Flag | | Flag |
| rules | | rules |
+-----------------------------------------------|-----+---+---------+ +-----------------------------------------------|-----+---+---------+
| AVP | | | | | AVP | | | |
| Attribute Name Code Data Type |MUST |MAY| Encr | | Attribute Name Code Data Type |MUST |MAY| Encr |
+-----------------------------------------------+-----+---+---------+ +-----------------------------------------------+-----+---+---------+
|NC-Request-Type TBD 8.7.1 Enumerated | M | P | Y | |NC-Request-Type TBD 8.7.1 Enumerated | M | P | Y |
skipping to change at page 44, line 38 skipping to change at page 44, line 38
all datagrams received from the originator. Lack of authentication all datagrams received from the originator. Lack of authentication
of Diameter messages between the Diameter peers can jeopardize the of Diameter messages between the Diameter peers can jeopardize the
fundamental service of the peering network elements. A consequence fundamental service of the peering network elements. A consequence
of not authenticating the message sender by the recipient would be of not authenticating the message sender by the recipient would be
that an attacker could spoof the identity of a "legitimate" that an attacker could spoof the identity of a "legitimate"
authorizing entity in order to change the behavior of the receiver. authorizing entity in order to change the behavior of the receiver.
An attacker could for example launch a denial of service attack by An attacker could for example launch a denial of service attack by
setting the maximum number of bindings for a session on the NAT- setting the maximum number of bindings for a session on the NAT-
device to zero; provision bindings on a NAT-device which include IP- device to zero; provision bindings on a NAT-device which include IP-
addresses already in use in other parts of the network; or request addresses already in use in other parts of the network; or request
session termination of the Diameter session and hamper an endpoints's session termination of the Diameter session and hamper an endpoint's
(i.e. a user's) connectivity. Lack of authentication of a NAT-device (i.e. a user's) connectivity. Lack of authentication of a NAT-device
to a NAT-controller could lead to situations where the NAT-device to a NAT-controller could lead to situations where the NAT-device
could provide a wrong view of the resources (i.e. NAT-bindings). In could provide a wrong view of the resources (i.e. NAT-bindings). In
addition, NAT Binding Predefined template on the NAT-device could be addition, NAT Binding Predefined template on the NAT-device could be
configured differently than expected by the NAT-controller. Failing configured differently than expected by the NAT-controller. Failing
of any of the two DNCA Diameter peers to provide the required of any of the two DNCA Diameter peers to provide the required
credentials should be subject to logging. The corresponding logging credentials should be subject to logging. The corresponding logging
infrastructure of the operator SHOULD be built in a way that it can infrastructure of the operator SHOULD be built in a way that it can
mitigate potential denial of service attacks resulting from large mitigate potential denial of service attacks resulting from large
amounts of logging events. This could include proper dimensioning of amounts of logging events. This could include proper dimensioning of
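Review bot: the typo fix ("endpoint's") is good; in the same paragraph, "Failing of any of the two DNCA Diameter peers to provide the required credentials should be subject to logging" uses a lowercase "should" immediately before a normative "SHOULD" for the logging infrastructure. If logging failed peer authentication is a requirement (it is the only evidence an operator has of the spoofing attacks this paragraph describes), write "SHOULD be logged"; if not, write "is expected to be logged" so that no RFC 2119 keyword is read into it. "Failing of any of the two" reads better as "Failure of either DNCA Diameter peer".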
skipping to change at page 56, line 47 skipping to change at page 56, line 47
d. Section 13 added to provide example DNCA message exchange flows d. Section 13 added to provide example DNCA message exchange flows
e. Added a description to provide DNCA comparison with MIDCOM e. Added a description to provide DNCA comparison with MIDCOM
f. n:1 deployment model for NAT-controllers and NAT-devices f. n:1 deployment model for NAT-controllers and NAT-devices
explicitly specified explicitly specified
g. editorial changes as per IESG DISCUSS comments g. editorial changes as per IESG DISCUSS comments
Changes from -10 to -11
a. clarified DNCA session query to be done after Diameter session is
established
b. Section 4.4 Session Termination updated to specify resource
cleanup at NAT-Device upon session termination
c. Removed Framed-IP-Netmask AVP from NAT-External-Address as
external address is fully defined by Framed-IP-Address AVP
d. Updated Section 12 to highlight Session-Id to be chosen such that
it is hard to guess
e. editorial changes as per IESG DISCUSS
Changes from -11 to -12
a. endpoint replaces references to end point and user and defines
what Endpoint means in this draft
b. editorial changes as per IESG DISCUSS
Changes from -12 to -13 Changes from -12 to -13
a. Section 4.3 session query updated to use NAT-External-Address for a. Section 4.3 session query updated to use NAT-External-Address for
external IP-address based query external IP-address based query
Changes from -13 to -14
a. Added NAT-External-Address in NC-request for session query by
external IP-address
b. Reordered all mandatory AVPs in NCR and NCA to appear before
optional AVPs
16. References 16. References
16.1. Normative References 16.1. Normative References
[ETSIES283034] [ETSIES283034]
ETSI, "Telecommunications and Internet Converged Services ETSI, "Telecommunications and Internet Converged Services
and Protocols for Advanced Networks (TISPAN),Network and Protocols for Advanced Networks (TISPAN),Network
Attachment Sub-System (NASS),e4 interface based on the Attachment Sub-System (NASS),e4 interface based on the
Diameter protocol.", September 2008. Diameter protocol.", September 2008.
End of changes. 23 change blocks. 32 lines changed or deleted, 64 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/