connection
... hop-by-hop security, or security across a transport connection. When relays or proxies are involved, this hop-by-hop security ...
... transport connection is a TCP or SCTP connection existing directly between two Diameter peers, otherwise known as a Peer-to-Peer Connection.
Upstream ...
...
A Diameter node MAY initiate connections from a source port other than the one that it declares it accepts incoming connections on, and MUST be prepared to receive connections on port 3868. A given Diameter instance of the peer state machine MUST NOT use more than one transport connection to communicate with a given peer, unless multiple instances exist on the peer in which case a separate connection per process is allowed.
When no transport connection exists with a peer, an attempt to connect SHOULD be periodically made. This behavior is handled via the Tc timer, whose recommended value is 30 seconds. There are certain exceptions to this rule, such as when a peer has terminated the transport connection stating that it does not wish to communicate.
...
... Diameter implementations SHOULD also be able to interpret a reset from the transport and timed-out connection attempts.
If Diameter ...
... Diameter error made by the peer, the stream is compromised and cannot be recovered. The transport connection MUST be closed using a RESET call (send a TCP RST ...
... Connections vs. Sessions ...
...
This section attempts to provide the reader with an understanding of the difference between connection and session, which are terms used extensively throughout this document.
A connection is a transport level connection between two peers, used to send and receive Diameter messages. A session ...
Figure 1 (Diameter connections and sessions): peer connection A between the Client and the Relay, peer connection B between the Relay and the Server, and a user session spanning both connections.
In the example provided in Figure 1, peer connection A is established between the Client and its local Relay. Peer connection B is established between the Relay and the Server. User session X spans ...
...
... server are aware of the session. It is important to note that there is no relationship between a connection and a session, and that Diameter ...
... Proxies MAY be used in call control centers or access ISPs that provide outsourced connections; they can monitor the number and types of ports in use, and make allocation and admission decisions ...
...
... information. Upon receipt of the redirect notification, DRL establishes a transport connection with HMS, if one doesn't already exist, and forwards the request to it.
...
... Diameter requires transmission level security to be used on each connection (TLS or IPsec). Therefore, each connection is authenticated, replay and integrity protected and ...
... per-packet basis.
In addition to authenticating each connection, each connection as well as the entire session MUST also be authorized. Before initiating a connection, a Diameter Peer MUST check that its peers are authorized to act in their roles ...
... Diameter applications.
Prior to bringing up a connection, authorization checks are performed at each connection along the path. Diameter capabilities negotiation ...
...
... Hop-by-Hop identifier in a request is unique on a given connection at any given time, and MAY attempt to ensure that the number is unique across reboots. The sender of ...
...
...
DiameterIdentity value is used to uniquely identify a Diameter node for purposes of duplicate connection and routing loop detection.
...
... picked at startup, and used as the only DiameterIdentity for that node, whatever the connection it is sent on.
DiameterURI
...
... ; One of the ports used to listen for
; incoming connections. If absent,
; the default Diameter ...
... ; One of the transports used to listen
; for incoming connections. If absent,
; the default SCTP [SCTP ...
... advertisement), sack (selective ack), ts (rfc1323 timestamp) and cc (rfc1644 t/tcp connection count). The absence of a particular option may be denoted with a '!'.
...
...
This section describes how Diameter nodes establish connections and communicate with peers.
...
... Peer Connections ...
... Diameter node may have many possible peers that it is able to communicate with, it may not be economical to have an established connection to all of them. At a minimum, a Diameter node SHOULD have an established connection with two peers per realm, known as the primary and secondary peers. Of course, a node MAY have additional connections, if it is deemed necessary. Typically, all messages for a realm are sent to the primary peer, but in the event that failover procedures are invoked, any pending requests are sent to the ...
...
... invoked. When an active peer is moved to this mode, additional connections SHOULD be established to ensure that the necessary number of active connections exists.
There are two ways that a peer is removed from the suspect peer list:
1. The peer is no longer reachable, causing the transport connection to be shutdown. The peer is moved to the closed state.
2. Three watchdog messages are exchanged with accepted round trip times, and the connection to the peer is considered stabilized.
In the event the peer being removed ...
...
When two Diameter peers establish a transport connection, they MUST exchange the Capabilities Exchange messages, as specified in the peer state machine ...
... DIAMETER_NO_COMMON_APPLICATION, and SHOULD disconnect the transport layer connection. Note that receiving a CER or CEA from a peer ...
... SECURITY, and SHOULD disconnect the transport layer connection.
CERs received from unknown peers MAY be silently discarded, or a CEA ...
... AVP set to DIAMETER_UNKNOWN_PEER. In both cases, the transport connection is closed. If the local policy permits receiving CERs from unknown hosts ...
... lifetime of the peer entry is equal to the lifetime of the transport connection. In case of a transport failure, all the pending transactions ...
... Diameter is run over SCTP [SCTP], which allows for connections to span multiple interfaces and multiple IP addresses ...
... Diameter is run over SCTP [SCTP], which allows connections to span multiple interfaces, hence, multiple IP addresses ...
... Disconnecting Peer connections ...
...
When a Diameter node disconnects one of its transport connections, its peer cannot know the reason for the disconnect, and will most likely assume that a connectivity problem occurred, or that the peer ...
... any Diameter messages to the peer in the foreseeable future, a periodic connection request would not be welcomed. The Disconnection-Reason AVP contains the reason the Diameter node ...
... to 282 and the Command Flags' 'R' bit set, is sent to a peer to inform its intentions to shutdown the transport connection. Upon detection of a transport failure, this message MUST NOT be sent to an ...
... to the Disconnect-Peer-Request message. Upon receipt of this message, the transport connection is shutdown.
Message Format ...
... AVP in the Disconnect-Peer-Request message to inform the peer of the reason for its intention to shutdown the transport connection. The following values are supported:
...
... BUSY 1
The peer's internal resources are constrained, and it has determined that the transport connection needs to be closed.
DO_NOT_WANT_TO_TALK_TO_YOU 2
The peer has determined that it does not see a need for the transport connection to exist, since it does not expect any messages to be exchanged in the near future.
...
... used to identify duplicate messages.
As described in Section 2.1, a connection request should be periodically attempted with the failed peer in order to re-establish the transport connection. Once a connection has been successfully established, messages can once again be forwarded to the peer. This is commonly referred to as failback.
...
... AAATRANS], which is used to open, close, failover, probe, and reopen transport connections. Note in particular that [AAATRANS] requires the use of watchdog messages to probe connections. For Diameter, DWR and DWA messages are to be used.
...
...
I- is used to represent the initiator (connecting) connection, while the R- is used to represent the responder (listening) connection. The lack of a prefix indicates that the event or action is the same regardless of the connection on which the event occurred.
The stable states that a state machine ...
...
A CER message is always sent on the initiating connection immediately after the connection request is successfully completed. In the case of an election, one of the two connections will shut down. The responder connection will survive if the Origin-Host of the local Diameter entity is higher than that of the peer; the initiator connection will survive if the peer's Origin-Host is higher. All subsequent messages are sent on the surviving connection. Note that the results of an election on one peer are guaranteed to be the inverse of the results on the other.
...
... Incoming connections ...
...
When a connection request is received from a Diameter peer, it is not, in the general case, possible to know the identity ...
... Diameter peer; and the source port of an incoming connection is arbitrary. Upon receipt of CER, the identity ...
... Diameter peer must employ logic separate from the state machine to receive connection requests, accept them, and await CER. Once CER arrives on a new connection, the Origin-Host that identifies the peer is used to locate the state machine associated with that peer, and the new connection and CER are passed to the state machine ...
... CER event.
The logic that handles incoming connections SHOULD close and discard the connection if any message other than CER arrives, or if an implementation-defined ...
... CER.
Because handling of incoming connections up to and including receipt of CER requires logic, separate from that of any individual state machine ...
... prefix, since the actual event would be identical, but would occur on one of two possible connections.
Start          The Diameter application has signaled that a connection should be initiated with the peer.
R-Conn-CER     An acknowledgement is received stating that the transport connection has been established, and the associated CER has arrived.
...
Rcv-Conn-Ack   A positive acknowledgement is received confirming that the transport connection is established.
Rcv-Conn-Nack  A negative acknowledgement was received stating that the transport connection was not established.
Timeout        An application-defined timer ...
... Stop       The Diameter application has signaled that a connection should be terminated (e.g., on system shutdown).
...
... Actions in the automaton are caused by events and typically indicate the transmission of packets and/or an action to be taken on the connection. In this section we will ignore the I- and R-prefix, since the actual action would be identical, but would occur on one of two possible connections.
Snd-Conn-Req   A transport connection is initiated with the peer.
Accept         The incoming connection associated with the R-Conn-CER is accepted as the responder ...
... Snd-CEA    A CEA message is sent to the peer.
Cleanup        If necessary, the connection is shutdown, and any local resources are freed.
...
Error          The transport layer connection is disconnected, either politely or abortively, in response to an error condition. Local resources are freed.
...
Disc           The transport layer connection is disconnected, and local resources are freed.
...
... pending message queue (see Section 5.3) that is to be redirected. If no transport connection exists with the new agent, one is created, ...
...
... ELECTION_LOST 4003
The peer has determined that it has lost the election process and has therefore disconnected the transport connection.
...
... CER/CEA messages, an access device allows a next-hop server to determine immediately upon connection whether the device has lost its sessions since the last connection. By including Origin-State-Id ...
... NASREQ DIAMETER application treats a single PPP connection to a Network Access Server as one session, ...
...
... Value field set to DELIVER_AND_GRANT means that the service MUST only be granted as long as there is a connection to an accounting server. Note that the set of alternative accounting ...
... Value field set to GRANT_AND_STORE means that service SHOULD be granted if there is a connection, or as long as records can still be stored as described in Section 9.4.
...
... timer
The Tc timer controls the frequency that transport connection attempts are done to a peer with whom no active transport connection exists. The recommended value is 30 seconds.
...
... Quick Mode exchanges used to negotiate protection for Diameter connections MUST explicitly carry the Identity Payload fields (IDci and IDcr). The DOI ...
... delete message SHOULD NOT be interpreted as a reason for tearing down a Diameter connection. Rather, it is preferable to leave the connection up, and if additional traffic is sent on it, to bring up another IKE Phase 2 SA to protect it. This avoids the potential for continually bringing connections up and down.
...
... certificate policy, TLS SHOULD be used to protect Diameter connections between administrative domains. IPsec ...
... IPsec or TLS) across all its peer-to-peer connections. Inconsistent use of security mechanisms can result in redundant ...
...
... IPsec to be used whenever a Diameter peer initiates a connection to another Diameter peer, and to be required whenever an inbound Diameter connection occurs. This policy is attractive, since it does not require policy to be set for each peer or dynamically modified each time a new Diameter connection is created; an IPsec ...
... IPsec policy is put in place, a TLS-protected connection will match the IPsec policy, and both IPsec and TLS will be used to protect the Diameter connection. To avoid this, it would be necessary to plumb peer-specific policies either statically or dynamically.
...
... IPsec is used to secure Diameter peer-to-peer connections, IPsec policy SHOULD be set so as to require IPsec protection for inbound connections, and to initiate IPsec protection for outbound connections. This can be accomplished via use of inbound and outbound filter policy.
...
... processing records with the T flag set until a time period TIME_WAIT + RECORD_PROCESSING_TIME has elapsed after the closing of the original transport connection. After this time period has expired, then it may check the T flag marked records against the database ...
