draft-ietf-dime-nat-control-15.txt   draft-ietf-dime-nat-control-16.txt 
Internet Engineering Task Force F. Brockners Internet Engineering Task Force F. Brockners
Internet-Draft S. Bhandari Internet-Draft S. Bhandari
Intended status: Standards Track Cisco Intended status: Standards Track Cisco
Expires: September 27, 2012 V. Singh Expires: October 22, 2012 V. Singh
V. Fajardo V. Fajardo
Telcordia Technologies Telcordia Technologies
March 26, 2012 April 20, 2012
Diameter Network Address and Port Translation Control Application Diameter Network Address and Port Translation Control Application
draft-ietf-dime-nat-control-15 draft-ietf-dime-nat-control-16
Abstract Abstract
This document describes the framework, messages, and procedures for This document describes the framework, messages, and procedures for
the Diameter Network address and port translation Control the Diameter Network address and port translation Control
Application. This Diameter application allows per endpoint control Application. This Diameter application allows per endpoint control
of Network Address Translators and Network Address and Port of Network Address Translators and Network Address and Port
Translators, which are added to networks to cope with IPv4-address Translators, which are added to networks to cope with IPv4-address
space depletion. This Diameter application allows external devices space depletion. This Diameter application allows external devices
to configure and manage a Network Address Translator device - to configure and manage a Network Address Translator device -
skipping to change at page 2, line 7 skipping to change at page 2, line 7
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 27, 2012. This Internet-Draft will expire on October 22, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 15 skipping to change at page 3, line 15
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 7 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 7
3. Deployment Framework . . . . . . . . . . . . . . . . . . . . . 8 3. Deployment Framework . . . . . . . . . . . . . . . . . . . . . 8
3.1. Deployment Scenario . . . . . . . . . . . . . . . . . . . 8 3.1. Deployment Scenario . . . . . . . . . . . . . . . . . . . 8
3.2. Diameter NAPT Control Application Overview . . . . . . . . 10 3.2. Diameter NAPT Control Application Overview . . . . . . . . 10
3.3. Deployment Scenarios For DNCA . . . . . . . . . . . . . . 11 3.3. Deployment Scenarios For DNCA . . . . . . . . . . . . . . 11
4. DNCA Session Establishment and Management . . . . . . . . . . 13 4. DNCA Session Establishment and Management . . . . . . . . . . 13
4.1. Session Establishment . . . . . . . . . . . . . . . . . . 14 4.1. Session Establishment . . . . . . . . . . . . . . . . . . 14
4.2. Session Re-Authorization . . . . . . . . . . . . . . . . . 16 4.2. Session Update . . . . . . . . . . . . . . . . . . . . . . 17
4.3. Session and Binding Query . . . . . . . . . . . . . . . . 18 4.3. Session and Binding Query . . . . . . . . . . . . . . . . 19
4.4. Session Termination . . . . . . . . . . . . . . . . . . . 20 4.4. Session Termination . . . . . . . . . . . . . . . . . . . 21
4.5. Session Abort . . . . . . . . . . . . . . . . . . . . . . 21 4.5. Session Abort . . . . . . . . . . . . . . . . . . . . . . 22
4.6. Failure cases of the DNCA Diameter peers . . . . . . . . . 22 4.6. Failure cases of the DNCA Diameter peers . . . . . . . . . 23
5. Use of the Diameter Base Protocol . . . . . . . . . . . . . . 23 5. Use of the Diameter Base Protocol . . . . . . . . . . . . . . 24
5.1. Securing Diameter Messages . . . . . . . . . . . . . . . . 23 5.1. Securing Diameter Messages . . . . . . . . . . . . . . . . 24
5.2. Accounting Functionality . . . . . . . . . . . . . . . . . 24 5.2. Accounting Functionality . . . . . . . . . . . . . . . . . 25
5.3. Use of Sessions . . . . . . . . . . . . . . . . . . . . . 24 5.3. Use of Sessions . . . . . . . . . . . . . . . . . . . . . 25
5.4. Routing Considerations . . . . . . . . . . . . . . . . . . 24 5.4. Routing Considerations . . . . . . . . . . . . . . . . . . 25
5.5. Advertising Application Support . . . . . . . . . . . . . 24 5.5. Advertising Application Support . . . . . . . . . . . . . 25
6. DNCA Commands . . . . . . . . . . . . . . . . . . . . . . . . 24 6. DNCA Commands . . . . . . . . . . . . . . . . . . . . . . . . 26
6.1. NAT-Control Request (NCR) Command . . . . . . . . . . . . 24 6.1. NAT-Control Request (NCR) Command . . . . . . . . . . . . 26
6.2. NAT-Control Answer (NCA) Command . . . . . . . . . . . . . 25 6.2. NAT-Control Answer (NCA) Command . . . . . . . . . . . . . 27
7. NAT Control Application Session State Machine . . . . . . . . 26 7. NAT Control Application Session State Machine . . . . . . . . 27
8. DNCA AVPs . . . . . . . . . . . . . . . . . . . . . . . . . . 29 8. DNCA AVPs . . . . . . . . . . . . . . . . . . . . . . . . . . 30
8.1. Reused Base Protocol AVPs . . . . . . . . . . . . . . . . 30 8.1. Reused Base Protocol AVPs . . . . . . . . . . . . . . . . 30
8.2. Additional Result-Code AVP Values . . . . . . . . . . . . 30 8.2. Additional Result-Code AVP Values . . . . . . . . . . . . 31
8.2.1. Success . . . . . . . . . . . . . . . . . . . . . . . 31 8.2.1. Success . . . . . . . . . . . . . . . . . . . . . . . 31
8.2.2. Transient Failures . . . . . . . . . . . . . . . . . . 31 8.2.2. Transient Failures . . . . . . . . . . . . . . . . . . 31
8.2.3. Permanent Failures . . . . . . . . . . . . . . . . . . 31 8.2.3. Permanent Failures . . . . . . . . . . . . . . . . . . 32
8.3. Reused NASREQ Diameter Application AVPs . . . . . . . . . 32 8.3. Reused NASREQ Diameter Application AVPs . . . . . . . . . 33
8.4. Reused AVPs from RFC 4675 . . . . . . . . . . . . . . . . 32 8.4. Reused AVPs from RFC 4675 . . . . . . . . . . . . . . . . 33
8.5. Reused AVPs from Diameter QoS Application . . . . . . . . 33 8.5. Reused AVPs from Diameter QoS Application . . . . . . . . 34
8.6. Reused AVPs from ETSI ES 283 034, e4 Diameter 8.6. Reused AVPs from ETSI ES 283 034, e4 Diameter
Application . . . . . . . . . . . . . . . . . . . . . . . 33 Application . . . . . . . . . . . . . . . . . . . . . . . 34
8.7. DNCA Defined AVPs . . . . . . . . . . . . . . . . . . . . 34 8.7. DNCA Defined AVPs . . . . . . . . . . . . . . . . . . . . 35
8.7.1. NC-Request-Type AVP . . . . . . . . . . . . . . . . . 35 8.7.1. NC-Request-Type AVP . . . . . . . . . . . . . . . . . 36
8.7.2. NAT-Control-Install AVP . . . . . . . . . . . . . . . 36 8.7.2. NAT-Control-Install AVP . . . . . . . . . . . . . . . 37
8.7.3. NAT-Control-Remove AVP . . . . . . . . . . . . . . . . 36 8.7.3. NAT-Control-Remove AVP . . . . . . . . . . . . . . . . 37
8.7.4. NAT-Control-Definition AVP . . . . . . . . . . . . . . 37 8.7.4. NAT-Control-Definition AVP . . . . . . . . . . . . . . 38
8.7.5. NAT-Internal-Address AVP . . . . . . . . . . . . . . . 37 8.7.5. NAT-Internal-Address AVP . . . . . . . . . . . . . . . 38
8.7.6. NAT-External-Address AVP . . . . . . . . . . . . . . . 38 8.7.6. NAT-External-Address AVP . . . . . . . . . . . . . . . 39
8.7.7. Max-NAT-Bindings . . . . . . . . . . . . . . . . . . . 38 8.7.7. Max-NAT-Bindings . . . . . . . . . . . . . . . . . . . 39
8.7.8. NAT-Control-Binding-Template AVP . . . . . . . . . . . 38 8.7.8. NAT-Control-Binding-Template AVP . . . . . . . . . . . 39
8.7.9. Duplicate-Session-Id AVP . . . . . . . . . . . . . . . 38 8.7.9. Duplicate-Session-Id AVP . . . . . . . . . . . . . . . 39
8.7.10. NAT-External-Port-Style AVP . . . . . . . . . . . . . 39 8.7.10. NAT-External-Port-Style AVP . . . . . . . . . . . . . 40
9. Accounting Commands . . . . . . . . . . . . . . . . . . . . . 39 9. Accounting Commands . . . . . . . . . . . . . . . . . . . . . 40
9.1. NAT Control Accounting Messages . . . . . . . . . . . . . 40 9.1. NAT Control Accounting Messages . . . . . . . . . . . . . 41
9.2. NAT Control Accounting AVPs . . . . . . . . . . . . . . . 40 9.2. NAT Control Accounting AVPs . . . . . . . . . . . . . . . 41
9.2.1. NAT-Control-Record . . . . . . . . . . . . . . . . . . 40 9.2.1. NAT-Control-Record . . . . . . . . . . . . . . . . . . 41
9.2.2. NAT-Control-Binding-Status . . . . . . . . . . . . . . 40 9.2.2. NAT-Control-Binding-Status . . . . . . . . . . . . . . 41
9.2.3. Current-NAT-Bindings . . . . . . . . . . . . . . . . . 41 9.2.3. Current-NAT-Bindings . . . . . . . . . . . . . . . . . 42
10. AVP Occurrence Table . . . . . . . . . . . . . . . . . . . . . 41 10. AVP Occurrence Table . . . . . . . . . . . . . . . . . . . . . 42
10.1. DNCA AVP Table for NAT Control Initial and Update 10.1. DNCA AVP Table for NAT Control Initial and Update
Requests . . . . . . . . . . . . . . . . . . . . . . . . . 41 Requests . . . . . . . . . . . . . . . . . . . . . . . . . 42
10.2. DNCA AVP Table for Session Query request . . . . . . . . . 42 10.2. DNCA AVP Table for Session Query request . . . . . . . . . 43
10.3. DNCA AVP Table for Accounting Message . . . . . . . . . . 43 10.3. DNCA AVP Table for Accounting Message . . . . . . . . . . 44
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44
11.1. Application Identifier . . . . . . . . . . . . . . . . . . 43 11.1. Application Identifier . . . . . . . . . . . . . . . . . . 44
11.2. Command Codes . . . . . . . . . . . . . . . . . . . . . . 44 11.2. Command Codes . . . . . . . . . . . . . . . . . . . . . . 45
11.3. AVP Codes . . . . . . . . . . . . . . . . . . . . . . . . 44 11.3. AVP Codes . . . . . . . . . . . . . . . . . . . . . . . . 45
11.4. Result-Code AVP Values . . . . . . . . . . . . . . . . . . 44 11.4. Result-Code AVP Values . . . . . . . . . . . . . . . . . . 45
11.5. NC-Request-Type AVP . . . . . . . . . . . . . . . . . . . 44 11.5. NC-Request-Type AVP . . . . . . . . . . . . . . . . . . . 45
11.6. NAT-External-Port-Style AVP . . . . . . . . . . . . . . . 44 11.6. NAT-External-Port-Style AVP . . . . . . . . . . . . . . . 45
11.7. NAT-Control-Binding-Status AVP . . . . . . . . . . . . . . 44 11.7. NAT-Control-Binding-Status AVP . . . . . . . . . . . . . . 45
12. Security Considerations . . . . . . . . . . . . . . . . . . . 44 12. Security Considerations . . . . . . . . . . . . . . . . . . . 45
13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
13.1. DNCA Session Establishment Example . . . . . . . . . . . . 47 13.1. DNCA Session Establishment Example . . . . . . . . . . . . 48
13.2. DNCA Session Update with Port Style Example . . . . . . . 50 13.2. DNCA Session Update with Port Style Example . . . . . . . 51
13.3. DNCA Session Query Example . . . . . . . . . . . . . . . . 51 13.3. DNCA Session Query Example . . . . . . . . . . . . . . . . 52
13.4. DNCA Session Termination Example . . . . . . . . . . . . . 52 13.4. DNCA Session Termination Example . . . . . . . . . . . . . 53
14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 55 14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 56
15. Change History (to be removed prior to publication as an 15. Change History (to be removed prior to publication as an
RFC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 RFC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 59 16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 60
16.1. Normative References . . . . . . . . . . . . . . . . . . . 59 16.1. Normative References . . . . . . . . . . . . . . . . . . . 60
16.2. Informative References . . . . . . . . . . . . . . . . . . 59 16.2. Informative References . . . . . . . . . . . . . . . . . . 60
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 60 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 62
1. Introduction 1. Introduction
Internet service providers deploy Network Address Translators (NATs) Internet service providers deploy Network Address Translators (NATs)
and Network Address and Port Translators (NAPTs) [RFC3022] in their and Network Address and Port Translators (NAPTs) [RFC3022] in their
networks. A key motivation for doing so is the depletion of networks. A key motivation for doing so is the depletion of
available public IPv4 addresses. This document defines a Diameter available public IPv4 addresses. This document defines a Diameter
application allowing providers to control the behavior of NAT and application allowing providers to control the behavior of NAT and
NAPT devices that implement IPv4-to-IPv4 network address and port NAPT devices that implement IPv4-to-IPv4 network address and port
translation [RFC2663] as well as stateful IPv6-to-IPv4 address family translation [RFC2663] as well as stateful IPv6-to-IPv4 address family
skipping to change at page 11, line 20 skipping to change at page 11, line 20
endpoint basis during initial session establishment and at later endpoint basis during initial session establishment and at later
stages by providing an update procedure for already established stages by providing an update procedure for already established
sessions. Using DNCA, per endpoint NAT binding information can be sessions. Using DNCA, per endpoint NAT binding information can be
retrieved either using accounting mechanisms or through an explicit retrieved either using accounting mechanisms or through an explicit
session query to the NAT. session query to the NAT.
3.3. Deployment Scenarios For DNCA 3.3. Deployment Scenarios For DNCA
DNCA can be deployed in different ways. DNCA supports deployments DNCA can be deployed in different ways. DNCA supports deployments
with "n" NAT-controllers and "m" NAT-devices, with n and m equal to with "n" NAT-controllers and "m" NAT-devices, with n and m equal to
or greater than 1. For DNCA, the session representing a particular or greater than 1. From a DNCA perspective an operator should ensure
endpoint is atomic. Any deployment MUST ensure that for every given that the session representing a particular endpoint is atomic. Any
endpoint only a single NAT-controller and only a single NAT-device deployment MUST ensure that for any given endpoint only a single DNCA
are active at any point in time. This is to ensure that NAT-devices NAT-controller and is active at any point in time. This is to ensure
controlled by multiple NAT-controllers do not receive conflicting that NAT-devices controlled by multiple NAT-controllers do not
control requests for a particular endpoint, or would be unclear which receive conflicting control requests for a particular endpoint, or
NAT-controller to send accounting information to. would be unclear which NAT-controller to send accounting information
to. Operational considerations MAY require an operator to use
alternate control mechanisms or protocols such as SNMP or manual
configuration via a Command-Line-Interface to apply per-endpoint NAT-
specific configuration, like for example static NAT-bindings. For
these cases, the NAT-device MUST allow the operator to configure a
policy how configuration conflicts are resolved. Such a policy could
for example specify that manually configured NAT-bindings using the
Command-Line-Interface always take precedence over those configured
using DNCA.
Two common deployment scenarios are outlined in Figure 3 ("integrated Two common deployment scenarios are outlined in Figure 3 ("integrated
deployment") and Figure 4 ("autonomous deployment"). Per the note deployment") and Figure 4 ("autonomous deployment"). Per the note
above, multiple instances of NAT-controllers and NAT-devices could be above, multiple instances of NAT-controllers and NAT-devices could be
deployed. The figures only show single instances for reasons of deployed. The figures only show single instances for reasons of
clarity. The two shown scenarios differ in which entity fulfills the clarity. The two shown scenarios differ in which entity fulfills the
role of the NAT-controller. Within the figures (C) denotes the role of the NAT-controller. Within the figures (C) denotes the
network element performing the role of the NAT-controller. network element performing the role of the NAT-controller.
The integrated deployment approach hides the existence of the NAT- The integrated deployment approach hides the existence of the NAT-
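Review bot: the rewritten MUST sentence in 3.3 (right column: "only a single DNCA NAT-controller and is active at any point in time") has lost its second object and now reads with a dangling "and"; -15 required both a single NAT-controller and a single NAT-device per endpoint. If dropping the single-NAT-device requirement is intentional, delete the stray "and" and record the reason in the change history; otherwise restore "and only a single NAT-device". The sentence before it was also weakened from a statement ("the session representing a particular endpoint is atomic") to a lowercase "should ensure", which sits oddly next to the MUST that follows; either make it a normative SHOULD or keep the -15 wording. The new text on SNMP and CLI conflict resolution adds a MUST (an operator-configurable precedence policy) with no default, so a NAT-controller can no longer assume its DNCA settings are in force; that is exactly what makes the MAX_BINDINGS_SET_FAILURE result introduced in 4.1 and 4.2 necessary, and a forward reference to it from here would help implementers.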
skipping to change at page 15, line 13 skipping to change at page 15, line 23
the name of the IP-address pool that external IP-addresses should the name of the IP-address pool that external IP-addresses should
be allocated from, the maximum number of bindings permitted for be allocated from, the maximum number of bindings permitted for
the endpoint, etc. the endpoint, etc.
In certain cases, the NAT-device may not be able to perform the tasks In certain cases, the NAT-device may not be able to perform the tasks
requested within the NCR. These include the following: requested within the NCR. These include the following:
o If a DNCA Diameter peer within the NAT-device receives a NCR from o If a DNCA Diameter peer within the NAT-device receives a NCR from
a DNCA Diameter peer within a NAT-controller with NC-Request-Type a DNCA Diameter peer within a NAT-controller with NC-Request-Type
AVP set to INITIAL_REQUEST that identifies an already existing AVP set to INITIAL_REQUEST that identifies an already existing
session; that is, DNCA Diameter peer and endpoint identifier match session; that is endpoint identifier match an already existing
an already existing session, the DNCA Diameter peer within the session, the DNCA Diameter peer within the NAT-device MUST return
NAT-device MUST return an NCA with Result-Code set to an NCA with Result-Code set to SESSION_EXISTS, and provide the
SESSION_EXISTS, and provide the Session-Id of the existing session Session-Id of the existing session in the Duplicate-Session-Id
in the Duplicate-Session-Id AVP. AVP.
o If a DNCA Diameter peer within the NAT-device receives a NCR from o If a DNCA Diameter peer within the NAT-device receives a NCR from
a DNCA Diameter peer within a NAT-controller with NC-Request-Type a DNCA Diameter peer within a NAT-controller with NC-Request-Type
AVP set to INITIAL_REQUEST that matches more than one of the AVP set to INITIAL_REQUEST that matches more than one of the
already existing sessions; that is, DNCA Diameter peer and already existing sessions; that is, DNCA Diameter peer and
endpoint identifier match already existing sessions, the DNCA endpoint identifier match already existing sessions, the DNCA
Diameter peer within the NAT-device MUST return an NCA with Diameter peer within the NAT-device MUST return an NCA with
Result-Code set to INSUFFICIENT-CLASSIFIERS. In case a DNCA Result-Code set to INSUFFICIENT-CLASSIFIERS. In case a DNCA
Diameter peer receives a NCA that reports Insufficient- Diameter peer receives a NCA that reports Insufficient-
Classifiers, it MAY choose to retry establishing a new session Classifiers, it MAY choose to retry establishing a new session
using additional or more specific classifiers. using additional or more specific classifiers.
o If the NCR contains a NAT Binding Predefined template not defined o If the NCR contains a NAT Binding predefined template not defined
on the NAT-device, the DNCA Diameter peer within the NAT-device on the NAT-device, the DNCA Diameter peer within the NAT-device
MUST return an NCA with Result-Code AVP set to MUST return an NCA with Result-Code AVP set to
UNKNOWN_BINDING_TEMPLATE_NAME. UNKNOWN_BINDING_TEMPLATE_NAME.
o In case the NAT-device is unable to establish all of the bindings o In case the NAT-device is unable to establish all of the bindings
requested in the NCR, the DNCA Diameter peer MUST return an NCA requested in the NCR, the DNCA Diameter peer MUST return an NCA
with Result-Code set to BINDING_FAILURE. A DNCA Diameter peer with Result-Code set to BINDING_FAILURE. A DNCA Diameter peer
within a NAT-device MUST treat a NCR as an atomic operation; hence within a NAT-device MUST treat a NCR as an atomic operation; hence
none of the requested bindings will be established by the NAT- none of the requested bindings will be established by the NAT-
device. Either all requested actions within a NCR MUST be device. Either all requested actions within a NCR MUST be
completed successfully, or the entire request fails. completed successfully, or the entire request fails.
o If a NAT-device cannot conform to a request to set the maximum
number of NAT bindings allowed for a session, the DNCA Diameter
peer in the NAT-device MUST return an NCA with Result-Code AVP set
to MAX_BINDINGS_SET_FAILURE. Such a condition can for example
occur if the operator specified the maximum number of NAT bindings
through another mechanism, which per the operator's policy, takes
precedence over DNCA.
o If a NAT-device does not have sufficient resources to process a o If a NAT-device does not have sufficient resources to process a
request, the DNCA Diameter peer MUST return an NCA with Result- request, the DNCA Diameter peer MUST return an NCA with Result-
Code set to RESOURCE_FAILURE. Code set to RESOURCE_FAILURE.
o In case Max-NAT-Binding, NAT-Control-Definition as well as NAT- o In case Max-NAT-Bindings, NAT-Control-Definition as well as NAT-
Control-Binding-Template are included in the NCR, and the values Control-Binding-Template are included in the NCR, and the values
in Max-NAT-Binding and NAT-Control-Definition contradict those in Max-NAT-Bindings and NAT-Control-Definition contradict those
specified in the pre-provisioned template on the NAT-device which specified in the pre-provisioned template on the NAT-device which
NAT-Control-Binding-Template references, Max-NAT-Binding and NAT- NAT-Control-Binding-Template references, Max-NAT-Bindings and NAT-
Control-Definition MUST override the values specified in the Control-Definition MUST override the values specified in the
template that NAT-Control-Binding-Template refers to. template that NAT-Control-Binding-Template refers to.
NAT-controller (DNCA Diameter peer) NAT-device (DNCA Diameter peer) NAT-controller (DNCA Diameter peer) NAT-device (DNCA Diameter peer)
| | | |
| | | |
| | | |
Trigger | Trigger |
| | | |
| NCR | | NCR |
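Review bot: the first bullet now matches an INITIAL_REQUEST against an existing session on the endpoint identifier alone ("that is endpoint identifier match an already existing session", which also needs "that is, the endpoint identifier matches"), while the second bullet still matches on "DNCA Diameter peer and endpoint identifier"; the two criteria should agree. Note the consequence of the looser criterion: an INITIAL_REQUEST from a different NAT-controller for an endpoint that already has a session is answered with SESSION_EXISTS and the existing Session-Id in Duplicate-Session-Id, so one controller learns another controller's Session-Id. That is acceptable only under the single-controller-per-endpoint rule in 3.3 and deserves a sentence in Security Considerations (Section 12). The new MAX_BINDINGS_SET_FAILURE bullet is consistent with the atomic-NCR rule two bullets above; it may be worth saying explicitly that no session state is created in that case, as the note under Figure 5 implies. The "Max-NAT-Binding" to "Max-NAT-Bindings" rename in the last bullet matches 8.7.7, but the corresponding bullet in 4.2 still opens with "Max-NAT-Binding".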
skipping to change at page 16, line 35 skipping to change at page 17, line 5
|<------------------------------------------| |<------------------------------------------|
| | | |
| | | |
Figure 5: Initial NAT control request and session establishment Figure 5: Initial NAT control request and session establishment
Note: The DNCA Diameter peer within the NAT-device creates session Note: The DNCA Diameter peer within the NAT-device creates session
state only if it is able to comply with the NCR. On success it will state only if it is able to comply with the NCR. On success it will
reply with an NCA with Result-Code set to DIAMETER_SUCCESS. reply with an NCA with Result-Code set to DIAMETER_SUCCESS.
4.2. Session Re-Authorization 4.2. Session Update
Session re-authorization is performed if the NAT-controller desires Session update is performed if the NAT-controller desires to change
to change the behavior of the NAT-device for an existing session. the behavior of the NAT-device for an existing session. Session
Session re-authorization could be used, for example, to change the update could be used, for example, to change the number of allowed
number of allowed bindings for a particular session, or establish or bindings for a particular session, or establish or remove a pre-
remove a pre-defined binding. defined binding.
The DNCA Diameter peer within the NAT-controller generates a NCR The DNCA Diameter peer within the NAT-controller generates a NCR
message to the DNCA Diameter peer within the NAT-device with NC- message to the DNCA Diameter peer within the NAT-device with NC-
Request-Type AVP set to UPDATE_REQUEST upon receiving a trigger Request-Type AVP set to UPDATE_REQUEST upon receiving a trigger
signal. If the session is updated successfully, the DNCA Diameter signal. If the session is updated successfully, the DNCA Diameter
peer within the NAT-device notifies the DNCA Diameter peer within the peer within the NAT-device notifies the DNCA Diameter peer within the
NAT-controller about the successful session update using a NAT- NAT-controller about the successful session update using a NAT-
Control Answer (NCA) message with Result-Code set to Control Answer (NCA) message with Result-Code set to
DIAMETER_SUCCESS. Figure 6 shows the protocol interaction between DIAMETER_SUCCESS.Figure 6 shows the protocol interaction between the
the two DNCA Diameter peers. two DNCA Diameter peers.
In certain cases, the NAT-device may not be able to perform the tasks In certain cases, the NAT-device may not be able to perform the tasks
requested within the NCR. These include the following: requested within the NCR. These include the following:
o If DNCA Diameter peer within a NAT-device receives an NCR update o If DNCA Diameter peer within a NAT-device receives an NCR update
or query request for a non-existent session, it MUST set Result- or query request for a non-existent session, it MUST set Result-
Code in the answer to DIAMETER_UNKNOWN_SESSION_ID. Code in the answer to DIAMETER_UNKNOWN_SESSION_ID.
o If the NCR contains a NAT Binding Predefined template not defined o If the NCR contains a NAT Binding Predefined template not defined
on the NAT-device, an NCA with Result-Code AVP set to on the NAT-device, an NCA with Result-Code AVP set to
skipping to change at page 17, line 32 skipping to change at page 17, line 49
o If the NAT-device cannot establish some or all of the bindings o If the NAT-device cannot establish some or all of the bindings
requested in an NCR, but has not yet reached the maximum number of requested in an NCR, but has not yet reached the maximum number of
allowed bindings for the endpoint, an NCA with Result-Code set to allowed bindings for the endpoint, an NCA with Result-Code set to
BINDING_FAILURE MUST be returned. As already noted, the DNCA BINDING_FAILURE MUST be returned. As already noted, the DNCA
Diameter peer in a NAT-device MUST treat an NCR as an atomic Diameter peer in a NAT-device MUST treat an NCR as an atomic
operation. Hence none of the requested bindings will be operation. Hence none of the requested bindings will be
established by the NAT-device in case of failure. Actions established by the NAT-device in case of failure. Actions
requested within a NCR are either all successful or all fail. requested within a NCR are either all successful or all fail.
o If the NAT-device cannot conform to a request to set the maximum
number of bindings allowed for a session as specified by the Max-
NAT-Bindings, the DNCA Diameter peer in the NAT-device MUST return
an NCA with Result-Code AVP set to MAX_BINDINGS_SET_FAILURE.
o If the NAT-device does not have sufficient resources to process a o If the NAT-device does not have sufficient resources to process a
request, an NCA with Result-Code set to RESOURCE_FAILURE MUST be request, an NCA with Result-Code set to RESOURCE_FAILURE MUST be
returned. returned.
o If an NCR redefines the maximum number of NAT-bindings allowed for o If an NCR changes the maximum number of NAT-bindings allowed for
the endpoint, the new value MUST override any previously defined the endpoint defined through an earlier NCR, the new value MUST
limit on NAT bindings. It depends on the implementation of the override any previously defined limit on the maximum number of NAT
NAT-device on how the NAT-device copes with a case where the new bindings set through DNCA. Note that prior to overwriting an
value is lower than the actual number of allocated bindings. The existing value, the NAT-device MUST check whether the overwrite
NAT-device SHOULD refrain from enforcing the new limit immediately action conforms to the locally configured policy. Deployment
(that is, actively remove bindings), but rather disallows the dependent, an existing value could have been set by a protocol or
establishment of new bindings until the current number of bindings mechanism different from DNCA and with higher priority. In which
is lower than the newly established maximum number of allowed case, the NAT-device will refuse the change and the DNCA Diameter
bindings. peer in the NAT-device MUST return an NCA with Result-Code AVP set
to MAX_BINDINGS_SET_FAILURE. It depends on the implementation of
the NAT-device on how the NAT-device copes with a case where the
new value is lower than the actual number of allocated bindings.
The NAT-device SHOULD refrain from enforcing the new limit
immediately (that is, actively remove bindings), but rather
disallows the establishment of new bindings until the current
number of bindings is lower than the newly established maximum
number of allowed bindings.
o If an NCR specifies a new NAT Binding Predefined template on the
  NAT-device, the NAT Binding Predefined template overrides any
  previously defined rule for the session. Existing NAT-bindings
  SHOULD NOT be impacted by the change of templates.

o In case Max-NAT-Binding, NAT-Control-Definition as well as
  NAT-Control-Binding-Template are included in the NCR, and the values
  in Max-NAT-Bindings [-15: Max-NAT-Binding] and NAT-Control-Definition
  contradict those specified in the pre-provisioned template on the
  NAT-device which NAT-Control-Binding-Template references,
  Max-NAT-Bindings [-15: Max-NAT-Binding] and NAT-Control-Definition
  MUST override the values specified in the template that the
  NAT-Control-Binding-Template refers to.

Note: Already established bindings for the session SHOULD NOT be
affected in case the tasks requested within the NCR cannot be
completed.
NAT-controller (DNCA Diameter peer)        NAT-device (DNCA Diameter peer)
                 |                                        |
                 |                                        |

[skipping to change at page 22, line 37 (-15) / page 23, line 37 (-16)]
4.6. Failure cases of the DNCA Diameter peers

This document does not specify the behavior in case the NAT-device
and NAT-controller, or their respective DNCA Diameter peers, are out
of sync or lose state. This could happen, for example, if one of the
entities restarts, or in case of a (temporary) loss of network
connectivity. Example failure cases include the following:

o NAT-controller and the DNCA Diameter peer within the
  NAT-controller lose [-15: loses] state (e.g., due to a restart). In
  this case,

  * the DNCA Diameter peer within the NAT-device MAY receive an NCR
    with NC-Request-Type AVP set to INITIAL_REQUEST that matches an
    existing session of the DNCA Diameter peer within the NAT-device.
    The DNCA Diameter peer within the NAT-device MUST return a
    Result-Code that contains the Duplicate-Session-Id AVP to report
    the Session-ID of the existing session. The DNCA Diameter peer
    within the NAT-controller MAY send an explicit Session Terminate
    Request (STR) for the older session, which was lost.

[skipping to change at page 23, line 12 (-15) / page 24, line 12 (-16)]

    session that does not exist. The DNCA Diameter peer sends an
    accounting answer with Result-Code set to
    DIAMETER_UNKNOWN_SESSION_ID in response. On receiving the
    response, the DNCA Diameter peer SHOULD clear the session and
    remove associated session state.

o NAT-device and the DNCA Diameter peer within the NAT-device lose
  state. In such a case, the DNCA Diameter peer MAY receive an NCR
  with NC-Request-Type AVP set to UPDATE_REQUEST for a non-existent
  session. The DNCA Diameter peer MUST return an NCA with Result-Code
  set to DIAMETER_UNKNOWN_SESSION_ID. [-16 adds:] When the DNCA
  application within the NAT-controller receives this NCA with
  Result-Code set to DIAMETER_UNKNOWN_SESSION_ID, it MAY try to
  reestablish the DNCA session or disconnect the corresponding access
  session.

o [-15 text] The DNCA Diameter peer within the NAT-controller is
  unreachable, for example detected by Diameter device watchdog
  messages (as defined in Section 5.5 of [RFC3588]), or down and
  accounting requests from the DNCA Diameter peer fail to get a
  response. The mechanism to ensure that a DNCA Diameter peer within
  the NAT-controller no longer has associated state for a session
  that was cleared or removed by the DNCA Diameter peer within the
  NAT-device is beyond the scope of this document.

o [-16 text] If the DNCA Diameter peer within the NAT-controller is
  unreachable (for example, as detected by Diameter device watchdog
  messages, defined in Section 5.5 of [RFC3588]) or accounting
  requests from the DNCA Diameter peer fail to get a response,
  NAT-bindings and NAT-device state pertaining to that session MUST
  be cleaned up after a grace period that is configurable on the
  NAT-device. The grace period can be configured as zero or higher,
  depending on operator preference.

o The DNCA Diameter peer within the NAT-device is unreachable or
  down and the NCR fails to get a response. Handling of this case
  depends on the actual service offering of the service provider.
  The service provider could for example choose to stop offering
  connectivity service.

o [-16 text] A discussion of the mechanisms by which a NAT-device
  cleans up state in case the DNCA Diameter peer within the
  NAT-device crashes is outside the scope of this document.
  Implementers of NAT-devices could choose from a variety of options,
  such as coupling the state (e.g., NAT bindings) to timers which
  require periodic refresh and time out otherwise, operating system
  watchdogs for applications, etc.
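The update rules for Max-NAT-Bindings above (accept a lower limit without removing existing bindings; answer MAX_BINDINGS_SET_FAILURE when a higher-priority mechanism owns the limit) and the failure cases in Section 4.6 (duplicate INITIAL_REQUEST, UPDATE_REQUEST for an unknown session, grace-period cleanup when the NAT-controller goes silent), as an added toy model of the DNCA Diameter peer within a NAT-device. This is example code, not from the draft or any implementation; the class and method names, the `limit_pinned` flag and the Result-Code used together with Duplicate-Session-Id are assumptions.

```python
from dataclasses import dataclass, field

# Result-Code names used in the draft (their numeric values are TBD there).
DIAMETER_SUCCESS = "DIAMETER_SUCCESS"
DIAMETER_UNKNOWN_SESSION_ID = "DIAMETER_UNKNOWN_SESSION_ID"
MAX_BINDINGS_SET_FAILURE = "MAX_BINDINGS_SET_FAILURE"
MAXIMUM_BINDINGS_REACHED_FOR_ENDPOINT = "MAXIMUM_BINDINGS_REACHED_FOR_ENDPOINT"
SESSION_EXISTS = "SESSION_EXISTS"


@dataclass
class Session:
    classifier: str                      # endpoint classifier, e.g. an address
    max_bindings: int                    # Max-NAT-Bindings currently in force
    bindings: set = field(default_factory=set)
    # Constructed flag: the limit was set by a mechanism with priority over
    # DNCA (the draft's MAX_BINDINGS_SET_FAILURE case).
    limit_pinned: bool = False
    silent_for: int = 0                  # seconds the controller has not answered


class NatDevicePeer:
    """Toy DNCA Diameter peer within a NAT-device (hypothetical class)."""

    def __init__(self, grace_period=30):
        self.grace_period = grace_period  # configurable on the NAT-device, may be 0
        self.sessions = {}                # Session-Id -> Session

    def handle_ncr(self, session_id, request_type, classifier=None, max_bindings=None):
        """Return (Result-Code, extra AVPs) that the NCA would carry."""
        if request_type == "INITIAL_REQUEST":
            if session_id in self.sessions:
                # Controller lost state and reused the id: report the existing
                # session in Duplicate-Session-Id (Result-Code value assumed).
                return SESSION_EXISTS, {"Duplicate-Session-Id": session_id}
            if any(s.classifier == classifier for s in self.sessions.values()):
                return SESSION_EXISTS, {}
            limit = max_bindings if max_bindings is not None else 64  # constructed default
            self.sessions[session_id] = Session(classifier, limit)
            return DIAMETER_SUCCESS, {}
        if request_type == "UPDATE_REQUEST":
            s = self.sessions.get(session_id)
            if s is None:               # NAT-device lost state, or stale controller
                return DIAMETER_UNKNOWN_SESSION_ID, {}
            if max_bindings is not None:
                if s.limit_pinned:
                    return MAX_BINDINGS_SET_FAILURE, {}
                # A lower limit is accepted without tearing down existing
                # bindings; only new ones are refused until the count drops.
                s.max_bindings = max_bindings
            return DIAMETER_SUCCESS, {"Current-NAT-Bindings": len(s.bindings)}
        raise ValueError(f"unsupported NC-Request-Type {request_type}")

    def add_binding(self, session_id, binding):
        """Allocate one binding for the session, enforcing Max-NAT-Bindings."""
        s = self.sessions[session_id]
        if len(s.bindings) >= s.max_bindings:
            return MAXIMUM_BINDINGS_REACHED_FOR_ENDPOINT
        s.bindings.add(binding)
        return DIAMETER_SUCCESS

    def controller_silent(self, session_id, seconds):
        """Watchdog or accounting timeout: clean the session up once the
        grace period has elapsed (the -16 'unplanned loss' transition).
        Returns True when the session state was removed."""
        s = self.sessions[session_id]
        s.silent_for += seconds
        if s.silent_for >= self.grace_period:
            del self.sessions[session_id]   # bindings go with the session
            return True
        return False
```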
5. Use of the Diameter Base Protocol

The Diameter Base Protocol defined by [RFC3588] applies with the
clarifications listed in the present specification.

5.1. Securing Diameter Messages

For secure transport of Diameter messages, the recommendations in
[RFC3588] apply.

[skipping to change at page 26, line 4 (-15) / page 27, line 13 (-16)]
              * [ AVP ]

6.2. NAT-Control Answer (NCA) Command

The NAT-Control-Answer (NCA) command, indicated by the Command-Code
field set to TBD.COM-CODE and the "R" bit cleared in the Command
Flags field, is sent by the DNCA Diameter peer within the NAT-device
in response to the NAT-Control-Request command.

Message format:

<NC-Answer> ::= < Diameter Header: TBD.COM-CODE, PXY >
                { Origin-Host }
                { Origin-Realm }
                { Result-Code }
                [ Session-Id ]
                [ NC-Request-Type ]
              * [ NAT-Control-Definition ]
                [ Current-NAT-Bindings ]
                [ Origin-State-Id ]
                [ Error-Message ]
                [ Error-Reporting-Host ]
              * [ Failed-AVP ]
              * [ Proxy-Info ]
                [ Duplicate-Session-ID ]
              * [ Redirect-Host ]
                [ Redirect-Host-Usage ]
                [ Redirect-Max-Cache-Time ]
              * [ Proxy-Info ]
[skipping to change at page 27, line 5 (-15) / page 28, line 13 (-16)]

NCR command to the desired destination. This could be due to the
peer being down, or due to the peer sending back the transient
failure or temporary protocol error notification DIAMETER_TOO_BUSY or
DIAMETER_LOOP_DETECTED in the Result-Code AVP of an NCA.

In the state table "FAILED NCA" means that the DNCA Diameter peer
within the NAT-device was not able to honor the corresponding NCR.
This can happen due to any transient or permanent error at the
NAT-device or its associated DNCA Diameter peer, indicated by the
following error Result-Code values: RESOURCE_FAILURE,
UNKNOWN_BINDING_TEMPLATE_NAME, MAX_BINDINGS_SET_FAILURE [added in -16],
BINDING_FAILURE, MAXIMUM_BINDINGS_REACHED_FOR_ENDPOINT,
SESSION_EXISTS, INSUFFICIENT_CLASSIFIERS.

The following state machine is observed by a DNCA Diameter peer
within a NAT-controller. The state machine description uses the term
"access session" to describe the connectivity service offered to the
endpoint or host. "Access session" should not be confused with the
Diameter session ID.
DNCA Diameter peer within a NAT-controller

State    Event                          Action         New State
-------------------------------------------------------------
Idle     New endpoint detected that     Send           Pending
         requires NAT Control           NCR
                                        Initial
                                        Request
Idle     ASR Received                   Send ASA       Idle
         for unknown session            with
                                        Result-Code
                                        = UNKNOWN_
                                        SESSION_ID
Pending  Successful NCA                 Setup          Open
         received                       complete
Pending  Successful NCA                 Send STR       Discon
         received
         but peer unable to provide
         service
Pending  Error processing successful    Send STR       Discon
         NCA
Pending  Failed                         Clean up       Idle
         NCA received
Open     NAT control                    Send           Open
         update required                NCR Update
                                        Request
Open     Successful                                    Open
         NCA received
Open     Failed                         Clean up       Idle
         NCA received
Open     Access session end detected    Send STR       Discon
Open     ASR Received,                  Send ASA       Discon
         access session will be         with
         terminated                     Result-Code
                                        = SUCCESS,
                                        Send STR
Open     ASR Received,                  Send ASA       Open
         access session will not        with
         be terminated                  Result-Code
                                        != SUCCESS
Discon   ASR Received                   Send ASA       Idle
Discon   STA Received                   Discon.        Idle
                                        endpoint
The following state machine is observed by a DNCA Diameter peer
within a NAT-device.

DNCA Diameter peer within a NAT-device

State    Event                          Action         New State
-------------------------------------------------------------
Idle     NCR Query request              Send           Idle
         received, and successful

[skipping to change at page 29, line 37 (-15) / page 30, line 19 (-16)]

Open     NCR request                    Send           Idle
         received, and                  failed
         unable to provide requested    NCA,
         NAT control service            Clean up
Open     Unable to continue             Send ASR       Discon
         providing requested
         NAT control service
Open     Unplanned loss of session/     Clean up       Idle      (row added in -16)
         connection to DNCA Diameter
         peer in NAT controller
         detected (e.g. due to Diameter
         watchdog notification)
Discon   Failure to send ASR            Wait,          Discon
                                        resend ASR
Discon   ASR successfully sent and      Clean up       Idle
         ASA Received with Result-Code
Not      ASA Received                   None           No change
Discon
Any      STR Received                   Send STA,      Idle

[skipping to change at page 31, line 43 (-15) / page 32, line 32 (-16)]
UNKNOWN_BINDING_TEMPLATE_NAME (TBD.RCX)
   The DNCA Diameter peer within the NAT-device indicates that the
   binding could not be installed or a new session could not be
   created because the specified NAT-Control-Binding-Template AVP,
   which refers to a predefined policy template in the NAT-device,
   is unknown.

BINDING_FAILURE (TBD.RCX)
   The DNCA Diameter peer within the NAT-device [-15: DNCA] indicates
   that the requested binding(s) could not be installed. For example:
   requested ports are already in use.

MAX_BINDINGS_SET_FAILURE (TBD.RCX) [added in -16]
   The DNCA Diameter peer within the NAT-device indicates that it
   failed to conform to a request to configure the maximum number
   of bindings for a session. For example: an operator defined
   the maximum number of bindings on the NAT-device using a method
   or protocol which takes precedence over DNCA.

MAXIMUM_BINDINGS_REACHED_FOR_ENDPOINT (TBD.RCX)
   The DNCA Diameter peer within the NAT-device denies the request
   because the maximum number of allowed bindings has been reached
   for the specified endpoint classifier.

SESSION_EXISTS (TBD.RCX)
   The DNCA Diameter peer within the NAT-device denies the request to
   initialize a new session if it already has a DNCA session that
   uses the same set of classifiers as indicated by the DNCA
   Diameter peer within the NAT-controller in the new session
   initialization request.

INSUFFICIENT_CLASSIFIERS (TBD.RCX)
   The DNCA Diameter peer within the NAT-device requests to
   initialize a new session, if the classifiers in the request

[skipping to change at page 46, line 44 (-15) / page 47, line 44 (-16)]
the NAT-device given that it enables the definition of per-
destination or per-source rules. Misuse could include anti-
competitive practices among providers, censorship, crime, etc.
NAT-control could be used as a tool for preventing or redirecting
access to particular sites. For instance, by controlling the NAT
bindings, one could ensure that endpoints aren't able to receive
particular flows, or that those flows are redirected to a relay that
snoops or tampers with traffic instead of directly forwarding the
traffic to the intended endpoint. In addition one could set up a
binding in a way that the source IP address used is one of a relay so
that traffic coming back can be snooped on or interfered with.
[-16 adds:] The operator also needs to consider security threats
resulting from unplanned termination of the DNCA session. Unplanned
session termination, which could for example happen due to an
attacker taking down the NAT-controller, leads to the NAT-device
cleaning up the state associated with this session after a grace
period. If the grace period is set to zero, the endpoint will
experience an immediate loss of connectivity to services reachable
through the NAT-device following the termination of the DNCA session.
[end of -16 addition] The protections on DNCA and its Diameter
protocol exchanges don't prevent such abuses of NAT-control.
Prevention of mis-use or mis-configuration of a NAT-device by an
authorized NAT-controller is beyond the scope of this protocol
specification. A service provider deploying DNCA needs to make sure
that higher layer processes and procedures are put in place which
allow them to detect and mitigate misuses.
13. Examples

This section shows example DNCA message content and exchange.

13.1. DNCA Session Establishment Example

Figure 15 depicts a typical call flow for DNCA session establishment.
In this example, the NAT-controller:

[skipping to change at page 58, line 48 (-15) / page 59, line 48 (-16)]
a. As part of IESG discuss - clarified that multiple methods, if used
   along with DNCA for NAT control, should be configured to prevent
   conflict.

b. Clarified that misuse of a NAT-device by a Diameter authorized
   NAT-controller using DNCA is beyond the scope of this protocol
   specification.

c. Editorial updates.

Changes from -15 to -16 [-16 only]

a. Extended the section covering the case of a single NAT-device
   controlled by multiple NAT-controllers which use different
   protocols for configuring the NAT-device.

b. Added NAT-device state cleanup in case of unexpected/unplanned
   termination of the Diameter session or application, either on the
   NAT-controller or the NAT-device.

c. Added the MAX_BINDINGS_SET_FAILURE failure case (for those
   scenarios where the maximum number of bindings cannot be set by
   the controller).
16. References

16.1. Normative References

[ETSIES283034]
          ETSI, "Telecommunications and Internet Converged Services
          and Protocols for Advanced Networks (TISPAN), Network
          Attachment Sub-System (NASS), e4 interface based on the
          Diameter protocol.", September 2008.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119, March 1997.
 End of changes. 51 change blocks. 
141 lines changed or deleted, 217 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/