4. DNCA Session Establishment and Management
Note that from this section on, there are references to some of the
commands and AVPs defined for DNCA. Please refer to Sections 6 and 8
for details. DNCA runs between a Diameter peer residing in a NAT
controller and a Diameter peer residing in a NAT device. Note that,
per what was already mentioned above, each DNCA session between
Diameter peers in a NAT controller and a NAT device represents a
single endpoint, with an endpoint being either a network element, a
device, or an IPv4 host associated with a subscriber, a user, or a
group of users. The Diameter peer within the NAT controller is
always the control-requesting entity: it initiates, updates, or
terminates the sessions. Sessions are initiated when the NAT
controller learns about a new endpoint (i.e., host) that requires a
NAT service. This could be due to, for example, the entity hosting
the NAT controller receiving authentication, authorization, or
accounting requests for or from the endpoint. Alternate methods that
could trigger session setup include local configuration, receipt of a
packet from a formerly unknown IP address, etc.
4.1. Session Establishment
The DNCA Diameter peer within the NAT controller establishes a
session with the DNCA Diameter peer within the NAT device to control
the behavior of the NAT function within the NAT device. During
session establishment, the DNCA Diameter peer within the NAT
controller passes along configuration information to the DNCA
Diameter peer within the NAT device. The session configuration
information comprises the maximum number of bindings allowed for the
endpoint associated with this session, a set of predefined NAT-
bindings to be established for this endpoint, or a description of the
address pool, from which external addresses are to be allocated.
The DNCA Diameter peer within the NAT controller generates a NAT-
Control-Request (NCR) message to the DNCA Diameter peer within the
NAT device with the NC-Request-Type AVP set to INITIAL_REQUEST to
initiate a Diameter NAT control session. On receipt of an NCR, the
DNCA Diameter peer within the NAT device sets up a new session for
the endpoint associated with the endpoint classifier(s) contained in
the NCR. The DNCA Diameter peer within the NAT device notifies its
DNCA Diameter peer within the NAT controller about successful session
setup using a NAT-Control-Answer (NCA) message with the Result-Code
set to DIAMETER_SUCCESS. Figure 5 shows the initial protocol
interaction between the two DNCA Diameter peers.
The initial NAT-Control-Request MAY contain configuration information
for the session, which specifies the behavior of the NAT device for
the session. The configuration information that MAY be included,
comprises:
o A list of NAT-bindings, which should be pre-allocated for the
session; for example, in case an endpoint requires a fixed
external IP address/port pair for an application.
o The maximum number of NAT-bindings allowed for an endpoint.
o A description of the external IP address pool(s) to be used for
the session.
o A reference to a NAT-binding Predefined template on the NAT
device, which is applied to the session. Such a NAT-binding
Predefined template on the NAT device may contain, for example,
the name of the IP address pool from which external IP addresses
should be allocated, the maximum number of bindings permitted for
the endpoint, etc.
In certain cases, the NAT device may not be able to perform the tasks
requested within the NCR. These include the following:
o If a DNCA Diameter peer within the NAT device receives an NCR from
a DNCA Diameter peer within a NAT controller with the NC-Request-
Type AVP set to INITIAL_REQUEST that identifies an already
existing session, that is, the endpoint identifier matches an
already existing session, the DNCA Diameter peer within the NAT
device MUST return an NCA with the Result-Code set to
SESSION_EXISTS and provide the Session-Id of the existing session
in the Duplicate-Session-Id AVP.
o If a DNCA Diameter peer within the NAT device receives an NCR from
a DNCA Diameter peer within a NAT controller with the NC-Request-
Type AVP set to INITIAL_REQUEST that matches more than one of the
already existing sessions, that is, the DNCA Diameter peer and
endpoint identifier match already existing sessions, the DNCA
Diameter peer within the NAT device MUST return an NCA with the
Result-Code set to INSUFFICIENT-CLASSIFIERS. In case a DNCA
Diameter peer receives an NCA that reports Insufficient-
Classifiers, it MAY choose to retry establishing a new session
using additional or more specific classifiers.
o If the NCR contains a NAT-binding Predefined template not defined
on the NAT device, the DNCA Diameter peer within the NAT device
MUST return an NCA with the Result-Code AVP set to
UNKNOWN_BINDING_TEMPLATE_NAME.
o In case the NAT device is unable to establish all of the bindings
requested in the NCR, the DNCA Diameter peer MUST return an NCA
with the Result-Code set to BINDING_FAILURE. A DNCA Diameter peer
within a NAT device MUST treat an NCR as an atomic operation;
hence, none of the requested bindings will be established by the
NAT device. Either all requested actions within an NCR MUST be
completed successfully or the entire request fails.
o If a NAT device cannot conform to a request to set the maximum
number of NAT-bindings allowed for a session, the DNCA Diameter
peer in the NAT device MUST return an NCA with the Result-Code AVP
set to MAX_BINDINGS_SET_FAILURE. Such a condition can, for
example, occur if the operator specified the maximum number of
NAT-bindings through another mechanism, which, per the operator's
policy, takes precedence over DNCA.
o If a NAT device does not have sufficient resources to process a
request, the DNCA Diameter peer MUST return an NCA with the
Result-Code set to RESOURCE_FAILURE.
o In the case where Max-NAT-Bindings, NAT-Control-Definition, and
NAT-Control-Binding-Template are included in the NCR, and the
values in Max-NAT-Bindings and NAT-Control-Definition contradict
those specified in the pre-provisioned template on the NAT device
that NAT-Control-Binding-Template references, Max-NAT-Bindings and
NAT-Control-Definition MUST override the values specified in the
template to which NAT-Control-Binding-Template refers.
NAT controller (DNCA Diameter peer) NAT device (DNCA Diameter peer)
| |
| |
| |
Trigger |
| |
| NCR |
|------------------------------------------>|
| |
| |
| |
| |
| If able to comply
| with request, then
| create session state
| |
| |
| NCA |
|<------------------------------------------|
| |
| |
Figure 5: Initial NAT-Control-Request and Session Establishment
Note: The DNCA Diameter peer within the NAT device creates session
state only if it is able to comply with the NCR. On success, it will
reply with an NCA with the Result-Code set to DIAMETER_SUCCESS.
4.2. Session Update
A session update is performed if the NAT controller desires to change
the behavior of the NAT device for an existing session. A session
update could be used, for example, to change the number of allowed
bindings for a particular session or establish or remove a predefined
binding.
The DNCA Diameter peer within the NAT controller generates an NCR
message to the DNCA Diameter peer within the NAT device with the NC-
Request-Type AVP set to UPDATE_REQUEST upon receiving a trigger
signal. If the session is updated successfully, the DNCA Diameter
peer within the NAT device notifies the DNCA Diameter peer within the
NAT controller about the successful session update using a NAT-
Control-Answer (NCA) message with the Result-Code set to
DIAMETER_SUCCESS. Figure 6 shows the protocol interaction between
the two DNCA Diameter peers.
In certain cases, the NAT device may not be able to perform the tasks
requested within the NCR. These include the following:
o If a DNCA Diameter peer within a NAT device receives an NCR update
or query request for a non-existent session, it MUST set the
Result-Code in the answer to DIAMETER_UNKNOWN_SESSION_ID.
o If the NCR contains a NAT-binding Predefined template not defined
on the NAT device, an NCA with the Result-Code AVP set to
UNKNOWN_BINDING_TEMPLATE_NAME MUST be returned.
o If the NAT device cannot establish the requested binding because
the maximum number of allowed bindings has been reached for the
endpoint classifier, an NCA with the Result-Code AVP set to
MAXIMUM_BINDINGS_REACHED_FOR_ENDPOINT MUST be returned to the DNCA
Diameter peer.
o If the NAT device cannot establish some or all of the bindings
requested in an NCR, but has not yet reached the maximum number of
allowed bindings for the endpoint, an NCA with the Result-Code set
to BINDING_FAILURE MUST be returned. As already noted, the DNCA
Diameter peer in a NAT device MUST treat an NCR as an atomic
operation. Hence, none of the requested bindings will be
established by the NAT device in case of failure. Actions
requested within an NCR are either all successful or all fail.
o If the NAT device cannot conform to a request to set the maximum
number of bindings allowed for a session as specified by the Max-
NAT-Bindings, the DNCA Diameter peer in the NAT device MUST return
an NCA with the Result-Code AVP set to MAX_BINDINGS_SET_FAILURE.
o If the NAT device does not have sufficient resources to process a
request, an NCA with the Result-Code set to RESOURCE_FAILURE MUST
be returned.
o If an NCR changes the maximum number of NAT-bindings allowed for
the endpoint defined through an earlier NCR, the new value MUST
override any previously defined limit on the maximum number of
NAT-bindings set through the DNCA. Note that, prior to
overwriting an existing value, the NAT device MUST check whether
the overwrite action conforms to the locally configured policy.
Deployment dependent, an existing value could have been set by a
protocol or mechanism different from DNCA and with higher
priority. In which case, the NAT device will refuse the change
and the DNCA Diameter peer in the NAT device MUST return an NCA
with the Result-Code AVP set to MAX_BINDINGS_SET_FAILURE. It
depends on the implementation of the NAT device on how the NAT
device copes with a case where the new value is lower than the
actual number of allocated bindings. The NAT device SHOULD
refrain from enforcing the new limit immediately (that is,
actively remove bindings), but rather disallows the establishment
of new bindings until the current number of bindings is lower than
the newly established maximum number of allowed bindings.
o If an NCR specifies a new NAT-binding Predefined template on the
NAT device, the NAT-binding Predefined template overrides any
previously defined rule for the session. Existing NAT-bindings
SHOULD NOT be impacted by the change of templates.
o In case Max-NAT-Bindings, NAT-Control-Definition, and NAT-Control-
Binding-Template are included in the NCR, and the values in Max-
NAT-Bindings and NAT-Control-Definition contradict those specified
in the pre-provisioned template on the NAT device that NAT-
Control-Binding-Template references, Max-NAT-Bindings and NAT-
Control-Definition MUST override the values specified in the
template to which the NAT-Control-Binding-Template refers.
Note: Already established bindings for the session SHOULD NOT be
affected in case the tasks requested within the NCR cannot be
completed.
NAT controller (DNCA Diameter peer) NAT device (DNCA Diameter peer)
| |
| |
| |
Change of session |
attributes |
| |
| NCR |
|------------------------------------------>|
| |
| |
| If able to comply
| with the request:
| update session state
| |
| |
| NCA |
|<------------------------------------------|
| |
Figure 6: NAT-Control-Request for Session Update4.3. Session and Binding Query
A session and NAT-binding query MAY be used by the DNCA Diameter peer
within the NAT controller either to retrieve information on the
current bindings for a particular session at the NAT device or to
discover the session identifier for a particular external IP address/
port pair.
A DNCA Diameter peer within the NAT controller starts a session query
by sending an NCR message with NC-Request-Type AVP set to
QUERY_REQUEST. Figure 7 shows the protocol interaction between the
DNCA Diameter peers.
Two types of query requests exist. The first type of query request
uses the Session-Id as input parameter to the query. It is to allow
the DNCA Diameter peer within the NAT controller to retrieve the
current set of bindings for a specific session. The second type of
query request is used to retrieve the session identifiers, along with
the associated bindings, matching a criteria. This enables the DNCA
Diameter peer within the NAT controller to find those sessions, which
utilize a specific external or internal IP address.
1. Request a list of currently allocated NAT-bindings for a
particular session: On receiving an NCR, the NAT device SHOULD
look up the session information for the Session-Id contained in
the NCR and report all currently active NAT-bindings for the
session using an NCA message with the Result-Code set to
DIAMETER_SUCCESS. In this case, the NCR MUST NOT contain a NAT-
Control-Definition AVP. Each NAT-binding is reported in a NAT-
Control-Definition AVP. In case the Session-Id is unknown, the
DNCA Diameter peer within the NAT device MUST return an NCA
message with the Result-Code set to DIAMETER_UNKNOWN_SESSION_ID.
2. Retrieve Session-Ids and bindings for internal IP address or one
or multiple external IP address/port pairs: If the DNCA Diameter
peer within the NAT controller wishes to retrieve the Session-
Id(s) for an internal IP address or one or multiple external IP
address/port pairs, it MUST include the internal IP address as
part of the Framed-IP-Address AVP or external IP address/port
pair(s) as part of the NAT-External-Address AVP of the NCR. The
external IP address/port pair(s) are known in advance by the
controller via configuration, AAA interactions, or other means.
The Session-Id is not included in the NCR or the NCA for this
type of a query. The DNCA Diameter peer within the NAT device
SHOULD report the NAT-bindings and associated Session-Ids
corresponding to the internal IP address or external IP address/
port pairs in an NCA message using one or multiple instances of
the NAT-Control-Definition AVP. The Result-Code is set to
DIAMETER_SUCCESS. In case an external IP address/port pair has
no associated existing NAT-binding, the NAT-Control-Definition
AVP contained in the reply just contains the NAT-External-Address
AVP.
NAT controller (DNCA Diameter peer) NAT device (DNCA Diameter peer)
| |
| |
| |
DNCA Session Established |
| |
| NCR |
|------------------------------------------>|
| |
| |
| |
| |
| Look up corresponding session
| and associated NAT-bindings
| |
| NCA |
|<------------------------------------------|
| |
| |
| |
Figure 7: Session Query4.4. Session Termination
Similar to session initiation, session tear down MUST be initiated by
the DNCA Diameter peer within the NAT controller. The DNCA Diameter
peer sends a Session-Termination-Request (STR) message to its peer
within the NAT device upon receiving a trigger signal. The source of
the trigger signal is outside the scope of this document. As part of
STR-message processing, the DNCA Diameter peer within the NAT device
MAY send an accounting stop record reporting all bindings. All the
NAT-bindings belonging to the session MUST be removed, and the
session state MUST be cleaned up. The DNCA Diameter peer within the
NAT device MUST notify its DNCA Diameter peer in the NAT controller
about successful session termination using a Session-Termination-
Answer (STA) message with Result-Code set to DIAMETER_SUCCESS.
Figure 8 shows the protocol interaction between the two DNCA Diameter
peers.
If a DNCA Diameter peer within a NAT device receives an STR and fails
to find a matching session, the DNCA Diameter peer MUST return an STA
with the Result-Code set to DIAMETER_UNKNOWN_SESSION_ID.
NAT controller (DNCA Diameter peer) NAT device (DNCA Diameter peer)
| |
| |
Trigger |
| |
| STR |
|------------------------------------------->|
| |
| |
| |
| |
| |
| Send accounting stop |
|<-------------------------------------------|
| reporting all session bindings |
| |
| |
| Remove NAT-bindings
| of session
| |
| Terminate session /
| Remove session state
| |
| |
| |
| STA |
|<-------------------------------------------|
| |
| |
Figure 8: Terminate NAT Control Session4.5. Session Abort
An Abort-Session-Request (ASR) message is sent from the DNCA Diameter
peer within the NAT device to the DNCA Diameter peer within the NAT
controller when it is unable to maintain a session due to resource
limitations. The DNCA Diameter peer within the NAT controller MUST
acknowledge a successful session abort using an Abort-Session-Answer
(ASA) message with the Result-Code set to DIAMETER_SUCCESS. Figure 9
shows the protocol interaction between the DNCA Diameter peers. The
DNCA Diameter peers will start a session termination procedure as
described in Section 4.4 following an ASA with the Result-Code set to
DIAMETER_SUCCESS.
If the DNCA Diameter peer within a NAT controller receives an ASR but
fails to find a matching session, it MUST return an ASA with the
Result-Code set to DIAMETER_UNKNOWN_SESSION_ID. If the DNCA Diameter
peer within the NAT controller is unable to comply with the ASR for
any other reason, an ASA with the Result-Code set to
DIAMETER_UNABLE_TO_COMPLY MUST be returned.
NAT controller (DNCA Diameter peer) NAT device (DNCA Diameter peer)
| |
| |
| Trigger
| |
| ASR |
|<-------------------------------------------|
| |
| |
| |
| ASA |
|------------------------------------------->|
| |
| |
| |
| On successful ASA |
|<------Session Termination Procedure------->|
Figure 9: Abort NAT Control Session4.6. Failure Cases of the DNCA Diameter Peers
This document does not specify the behavior in case the NAT device
and NAT controller, or their respective DNCA Diameter peers, are out
of sync or lose state. This could happen, for example, if one of the
entities restarts, in case of a (temporary) loss of network
connectivity, etc. Example failure cases include the following:
o NAT controller and the DNCA Diameter peer within the NAT
controller lose state (e.g., due to a restart). In this case:
* the DNCA Diameter peer within the NAT device MAY receive an NCR
with the NC-Request-Type AVP set to INITIAL_REQUEST that
matches an existing session of the DNCA Diameter peer within
the NAT device. The DNCA Diameter peer within the NAT device
MUST return a Result-Code that contains a Duplicate-Session-Id
AVP to report the Session-Id of the existing session. The DNCA
Diameter peer within the NAT controller MAY send an explicit
Session-Termination-Request (STR) for the older session, which
was lost.
* a DNCA Diameter peer MAY receive accounting records for a
session that does not exist. The DNCA Diameter peer sends an
accounting answer with the Result-Code set to
DIAMETER_UNKNOWN_SESSION_ID in response. On receiving the
response, the DNCA Diameter peer SHOULD clear the session and
remove associated session state.
o The NAT device and the DNCA Diameter peer within NAT device lose
state. In such a case, the DNCA Diameter peer MAY receive an NCR
with the NC-Request-Type AVP set to UPDATE_REQUEST for a non-
existent session. The DNCA Diameter peer MUST return an NCA with
the Result-Code set to DIAMETER_UNKNOWN_SESSION_ID. When a DNCA
application within a NAT controller receives this NCA with the
Result-Code set to DIAMETER_UNKNOWN_SESSION_ID, it MAY try to re-
establish DNCA session or disconnect corresponding access session.
o The DNCA Diameter peer within the NAT controller is unreachable,
for example, it is detected by Diameter device watchdog messages
(as defined in Section 5.5 of [RFC6733]) or accounting requests
from the DNCA Diameter peer fail to get a response, NAT-bindings
and NAT device state pertaining to that session MUST be cleaned up
after a grace period that is configurable on the NAT device. The
grace period can be configured as zero or higher, depending on
operator preference.
o The DNCA Diameter peer within the NAT device is unreachable or
down and the NCR fails to get a response. Handling of this case
depends on the actual service offering of the service provider.
The service provider could, for example, choose to stop offering
connectivity service.
o A discussion of the mechanisms used for a NAT device to clean up
state in case the DNCA Diameter peer within the NAT device crashes
is outside the scope of this document. Implementers of NAT
devices could choose from a variety of options such as coupling
the state (e.g., NAT-bindings) to timers that require periodic
refresh, or time out otherwise, operating system watchdogs for
applications, etc.
5. Use of the Diameter Base Protocol
The Diameter base protocol [RFC6733] applies with the clarifications
listed in the present specification.
5.1. Securing Diameter Messages
For secure transport of Diameter messages, the recommendations in
[RFC6733] apply.
DNCA Diameter peers SHOULD verify their identity during the
Capabilities Exchange Request procedure.
A DNCA Diameter peer within the NAT device SHOULD verify that a DNCA
Diameter peer that issues an NCR command is allowed to do so based
on:
o The identity of the DNCA Diameter peer
o The type of NCR Command
o The content of the NCR Command
o Any combination of the above
5.2. Accounting Functionality
Accounting functionality (the accounting session state machine,
related Command Codes and AVPs) is defined in Section 9.
5.3. Use of Sessions
Each DNCA session MUST have a globally unique Session-Id, as defined
in [RFC6733], which MUST NOT be changed during the lifetime of the
DNCA session. The Diameter Session-Id serves as the global endpoint
identifier. The DNCA Diameter peers maintain state associated with
the Session-Id. This globally unique Session-Id is used for
updating, accounting, and terminating the session. A DNCA session
MUST NOT have more than one outstanding request at any given time. A
DNCA Diameter peer sends an Abort-Session-Request as defined in
[RFC6733] if it is unable to maintain sessions due to resource
limitation.
5.4. Routing Considerations
It is assumed that the DNCA Diameter peer within a NAT controller
knows the DiameterIdentity of the Diameter peer within a NAT device
for a given endpoint. Both the Destination-Realm and Destination-
Host AVPs are present in the request from a DNCA Diameter peer within
a NAT controller to a DNCA Diameter peer within a NAT device.
5.5. Advertising Application Support
Diameter nodes conforming to this specification MUST advertise
support for DNCA by including the value of 12 in the Auth-
Application-Id of the Capabilities-Exchange-Request and Capabilities-
Exchange-Answer commands [RFC6733].
6. DNCA Commands
The following commands are used to establish, maintain, and query
NAT-bindings.
6.1. NAT-Control-Request (NCR) Command
The NAT-Control-Request (NCR) command, indicated by the command field
set to 330 and the 'R' bit set in the Command Flags field, is sent
from the DNCA Diameter peer within the NAT controller to the DNCA
Diameter peer within the NAT device in order to install NAT-bindings.
User-Name, Logical-Access-Id, Physical-Access-ID, Framed-IP-Address,
Framed-IPv6-Prefix, Framed-Interface-Id, EGRESS-VLANID, NAS-Port-ID,
Address-Realm, and Calling-Station-ID AVPs serve as identifiers for
the endpoint.
Message format:
< NC-Request > ::= < Diameter Header: 330, REQ, PXY>
{ Auth-Application-Id }
{ Origin-Host }
{ Origin-Realm }
{ Destination-Realm }
{ Destination-Host }
{ NC-Request-Type }
[ Session-Id ]
[ Origin-State-Id ]
*1 [ NAT-Control-Remove ]
*1 [ NAT-Control-Install ]
[ NAT-External-Address ]
[ User-Name ]
[ Logical-Access-Id ]
[ Physical-Access-ID ]
[ Framed-IP-Address ]
[ Framed-IPv6-Prefix ]
[ Framed-Interface-Id ]
[ EGRESS-VLANID]
[ NAS-Port-ID]
[ Address-Realm ]
[ Calling-Station-ID ]
* [ Proxy-Info ]
* [ Route-Record ]
* [ AVP ]
6.2. NAT-Control-Answer (NCA) Command
The NAT-Control-Answer (NCA) command, indicated by the Command Code
field set to 330 and the 'R' bit cleared in the Command Flags field,
is sent by the DNCA Diameter peer within the NAT device in response
to the NAT-Control-Request command.
Message format:
<NC-Answer> ::= < Diameter Header: 330, PXY >
{ Origin-Host }
{ Origin-Realm }
{ Result-Code }
[ Session-Id ]
[ NC-Request-Type ]
* [ NAT-Control-Definition ]
[ Current-NAT-Bindings ]
[ Origin-State-Id ]
[ Error-Message ]
[ Error-Reporting-Host ]
* [ Failed-AVP ]
* [ Proxy-Info ]
[ Duplicate-Session-Id ]
* [ Redirect-Host]
[ Redirect-Host-Usage ]
[ Redirect-Max-Cache-Time ]
* [ Proxy-Info ]
* [ Route-Record ]
* [ Failed-AVP ]
* [ AVP ]
7. NAT Control Application Session State Machine
This section contains a set of finite state machines, representing
the life cycle of a DNCA session, which MUST be observed by all
implementations of the DNCA Diameter application. The DNCA Diameter
peers are stateful and the state machine maintained is similar to the
stateful client and server authorization state machine described in
[RFC6733]. When a session is moved to the Idle state, any resources
that were allocated for the particular session must be released. Any
event not listed in the state machines MUST be considered an error
condition, and an answer, if applicable, MUST be returned to the
originator of the message.
In the state table, the event "Failure to send NCR" means that the
DNCA Diameter peer within the NAT controller is unable to send the
NCR command to the desired destination. This could be due to the
peer being down or due to the peer sending back the transient failure
or temporary protocol error notification DIAMETER_TOO_BUSY or
DIAMETER_LOOP_DETECTED in the Result-Code AVP of an NCA.
In the state table, "FAILED NCA" means that the DNCA Diameter peer
within the NAT device was not able to honor the corresponding NCR.
This can happen due to any transient or permanent error at the NAT
device or its associated DNCA Diameter peer within indicated by the
following error Result-Code values: RESOURCE_FAILURE,
UNKNOWN_BINDING_TEMPLATE_NAME, MAX_BINDINGS_SET_FAILURE,
BINDING_FAILURE, MAXIMUM_BINDINGS_REACHED_FOR_ENDPOINT,
SESSION_EXISTS, INSUFFICIENT_CLASSIFIERS.
The following state machine is observed by a DNCA Diameter peer
within a NAT controller. The state machine description uses the term
"access session" to describe the connectivity service offered to the
endpoint or host. "Access session" should not be confused with the
Diameter session.
DNCA Diameter peer within a NAT controller
State Event Action New State
-------------------------------------------------------------
Idle New endpoint detected that Send Pending
requires NAT control NCR
Initial
Request
Idle ASR received Send ASA Idle
for unknown session with
Result-Code
= UNKNOWN_
SESSION_ID
Pending Successful NCA Setup Open
received complete
Pending Successful NCA Send STR Discon
received,
but peer unable to provide
service
Pending Error processing successful Send STR Discon
NCA
Pending Failed Clean up Idle
NCA received
Open NAT control Send Open
update required NCR update
request
Open Successful Open
NCA received
Open Failed Clean up Idle
NCA received
Open Access session end detected Send STR Discon
Open ASR received, Send ASA Discon
access session will be with
terminated Result-Code
= SUCCESS,
Send STR
Open ASR received, Send ASA Open
access session will not with
be terminated Result-Code
!= SUCCESS
Discon ASR Received Send ASA Idle
Discon STA Received Discon. Idle
endpoint
The following state machine is observed by a DNCA Diameter peer
within a NAT device.
DNCA Diameter peer within a NAT device
State Event Action New State
-------------------------------------------------------------
Idle NCR query request Send Idle
received, and successful
able to provide requested NCA
NAT-binding report
Idle NCR received Send Open
and able to successful
provide requested NCA
NAT control service
Idle NCR request Send Idle
received, and failed
unable to provide requested NCA
NAT control service
Open NCR request Send Open
received, and successful
able to provide requested NCA
NAT control service
Open NCR request Send Idle
received, and failed
unable to provide requested NCA,
NAT control service Clean up
Open Unable to continue Send ASR Discon
providing requested
NAT control service
Open Unplanned loss of session/ Clean up Idle
connection to DNCA Diameter
peer in NAT controller
detected (e.g., due to Diameter
watchdog notification)
Discon Failure to send ASR Wait, Discon
resend ASR
Discon ASR successfully sent and Clean up Idle
ASA received with Result-Code
Not ASA received None No change
Discon
Any STR received Send STA, Idle
Clean up
8. DNCA AVPs
8.1. Reused Base Protocol AVPs
The following table describes the AVPs reused from the Diameter base
protocol [RFC6733]; their AVP Code values, types, and possible flag
values and whether the AVP MAY be encrypted. [RFC6733] specifies the
AVP Flag rules for AVPs in Section 4.5. The Diameter AVP rules are
defined in [RFC6733], Section 4.
+---------+
| AVP |
| Flag |
| rules |
+-----------------------------------------------|-----+---+---------+
| AVP | | | |
| Attribute Name Code Data Type |MUST |MAY| Encr |
+-----------------------------------------------+-----+---+---------+
|Acct-Interim-Interval 85 Unsigned32 | M | P | Y |
|Auth-Application-Id 258 Unsigned32 | M | P | N |
|Destination-Host 293 DiamIdent | M | P | N |
|Destination-Realm 283 DiamIdent | M | P | N |
|Error-Message 281 UTF8String | M | P | N |
|Error-Reporting-Host 294 DiamIdent | M | P | N |
|Failed-AVP 279 Grouped | M | P | N |
|Origin-Host 264 DiamIdent | M | P | N |
|Origin-Realm 296 DiamIdent | M | P | N |
|Origin-State-Id 278 Unsigned32 | M | P | N |
|Proxy-Info 284 Grouped | M | P | N |
|Result-Code 268 Unsigned32 | M | P | N |
|Route-Record 282 DiamIdent | M | | N |
|Session-Id 263 UTF8String | M | P | Y |
|User-Name 1 UTF8String | M | P | Y |
+-----------------------------------------------+-----+---+---------+
Table 1: DIAMETER AVPs from the Diameter Base Protocol
The Auth-Application-Id AVP (AVP Code 258) is assigned by IANA to
Diameter applications. The value of the Auth-Application-Id for the
Diameter NAT Control Application is 12. Please refer to [RFC6733]
for the definition of the Diameter AVP flag rules and the associated
abbreviations used in the table.
8.2. Additional Result-Code AVP Values
This section defines new values for the Result-Code AVP that SHALL be
supported by all Diameter implementations that conform to the present
document.
8.2.1. Success
No new Result-Code AVP value is defined within this category.
8.2.2. Transient Failures
Result-Code AVP values that fall within the transient failures
category are those used to inform a peer that the request could not
be satisfied at the time that it was received. The request may be
able to be satisfied in the future.
The following new values of the Result-Code AVP are defined:
RESOURCE_FAILURE (4014)
The DNCA Diameter peer within the NAT device indicates that the
binding could not be installed or a new session could not be
created due to resource shortage.
8.2.3. Permanent Failures
The Result-Code AVP values, which fall within the permanent failures
category are used to inform the peer that the request failed and
should not be attempted again. The request may be able to be
satisfied in the future.
The following new values of the Result-Code AVP are defined:
UNKNOWN_BINDING_TEMPLATE_NAME (5042)
The DNCA Diameter peer within the NAT device indicates that the
binding could not be installed or a new session could not be
created because the specified NAT-Control-Binding-Template AVP,
which refers to a predefined policy template in the NAT device,
is unknown.
BINDING_FAILURE (5043)
The DNCA Diameter peer within the NAT device indicates that the
requested binding(s) could not be installed. For example,
Requested ports are already in use.
MAX_BINDINGS_SET_FAILURE (5044)
The DNCA Diameter peer within the NAT device indicates that it
failed to conform to a request to configure the maximum number
of bindings for a session. For example, an operator defined
the maximum number of bindings on the NAT device using a method
or protocol that takes precedence over DNCA.
MAXIMUM_BINDINGS_REACHED_FOR_ENDPOINT (5045)
The DNCA Diameter peer within the NAT device denies the request
because the maximum number of allowed bindings has been reached
for the specified endpoint classifier.
SESSION_EXISTS (5046)
The DNCA Diameter peer within the NAT device denies a request
to initialize a new session, if it already has a DNCA session
that uses the same set of classifiers as indicated by the DNCA
Diameter peer within the NAT controller in the new session
initialization request.
INSUFFICIENT_CLASSIFIERS (5047)
The DNCA Diameter peer within the NAT device requests to
initialize a new session, if the classifiers in the request
match more than one of the existing sessions on the DNCA
Diameter peer within the NAT device.
8.3. Reused NASREQ Diameter Application AVPs
The following table describes the AVPs reused from the Diameter
Network Access Server Application [RFC4005]; their AVP Code values,
types, and possible flag values; and whether the AVP MAY be
encrypted. The [RFC6733] specifies the AVP Flag rules for AVPs in
Section 4.5. The Diameter AVP rules are defined in the [RFC6733],
Section 4.
+---------------------+
| AVP Flag Rules |
+------------------+------+------------|----+-----+----+-----|----+
| | AVP | | | |SHLD| MUST| |
| Attribute Name | Code | Value Type|MUST| MAY | NOT| NOT|Encr|
|------------------|------|------------|----+-----+----+-----|----|
| NAS-Port | 5 | Unsigned32 | M | P | | V | Y |
| NAS-Port-Id | 87 | UTF8String | M | P | | V | Y |
| Calling-Station- | 31 | UTF8String | M | P | | V | Y |
| Id | | | | | | | |
| Framed-IP-Address| 8 | OctetString| M | P | | V | Y |
| Framed-Interface-| 96 | Unsigned64 | M | P | | V | Y |
| Id | | | | | | | |
| Framed-IPv6- | 97 | OctetString| M | P | | V | Y |
| Prefix | | | | | | | |
+------------------+------+------------|----+-----+----+-----|----+
Table 2: Reused NASREQ Diameter application AVPs. Please refer to
[RFC6733] for the definition of the Diameter AVP Flag rules and the
associated abbreviations used in the table.
8.4. Reused AVPs from RFC 4675
The following table describes the AVPs reused from "RADIUS Attributes
for Virtual LAN and Priority Support" [RFC4675]; their AVP Code
values, types, and possible flag values; and whether the AVP MAY be
encrypted. [RFC6733] specifies the AVP Flag rules for AVPs in
Section 4.5. The Diameter AVP rules are defined in [RFC6733],
Section 4.
+---------------------+
| AVP Flag Rules |
+------------------+------+------------|----+-----+----+-----|----+
| | AVP | | | |SHLD| MUST| |
| Attribute Name | Code | Value Type|MUST| MAY | NOT| NOT|Encr|
|------------------|------|------------|----+-----+----+-----|----|
| Egress-VLANID | 56 | OctetString| M | P | | V | Y |
+------------------+------+------------|----+-----+----+-----|----+
Table 3: Reused attributes from [RFC4675]. Please refer to [RFC6733]
for the definition of the Diameter AVP Flag rules and the associated
abbreviations used in the table.
8.5. Reused AVPs from Diameter QoS Application
The following table describes the AVPs reused from the "Traffic
Classification and Quality of Service (QoS) Attributes for Diameter"
[RFC5777]; their AVP Code values, types, and possible flag values;
and whether the AVP MAY be encrypted. [RFC6733] specifies the AVP
Flag rules for AVPs in Section 4.5. The Diameter AVP rules are
defined in [RFC6733], Section 4.
+---------+
| AVP |
| Flag |
| Rules |
+-----------------------------------------------|-----+---+---------+
| AVP | | | |
| Attribute Name Code Data Type |MUST |MAY| Encr |
+-----------------------------------------------+-----+---+---------+
|Port 530 Integer32 | M | P | Y |
|Protocol 513 Enumerated | M | P | Y |
|Direction 514 Enumerated | M | P | Y |
+-----------------------------------------------+-----+---+---------+
Table 4: Reused QoS-attributes. Please refer to [RFC6733] for the
definition of the Diameter AVP Flag rules and the associated
abbreviations used in the table.
8.6. Reused AVPs from ETSI ES 283 034, e4 Diameter Application
The following table describes the AVPs reused from the Diameter e4
Application [ETSIES283034]; their AVP Code values, types, and
possible flag values; and whether the AVP MAY be encrypted.
[RFC6733] specifies the AVP Flag rules for AVPs in Section 4.5. The
Diameter AVP rules are defined in [RFC6733], Section 4. The
Vendor-ID field in these AVP header will be set to ETSI (13019).
+---------+
| AVP |
| Flag |
| Rules |
+-----------------------------------------------|-----+---+---------+
| AVP | | | |
| Attribute Name Code Data Type |MUST |MAY| Encr |
+-----------------------------------------------+-----+---+---------+
|Address-Realm 301 OctetString | M,V | | Y |
|Logical-Access-Id 302 OctetString | V | M | Y |
|Physical-Access-ID 313 UTF8String | V | M | Y |
+-----------------------------------------------+-----+---+---------+
Table 5: Reused AVPs from the Diameter e4 application. Please refer
to [RFC6733] for the definition of the Diameter AVP Flag rules and
the associated abbreviations used in the table.
8.7. DNCA-Defined AVPs
The following table describes the new Diameter AVPs defined in this
document; their AVP Code values, types, and possible flag values; and
whether the AVP MAY be encrypted. [RFC6733] specifies the AVP Flag
rules for AVPs in Section 4.5. The Diameter AVP rules are defined in
[RFC6733], Section 4. The AVPs defined here MUST NOT have the 'V'
bit in the AVP Flags field set.
+---------+
| AVP |
| Flag |
| Rules |
+--------------------------------------------------|-----+---+------+
| AVP | | | |
| Attribute Name Code Sect. Data Type |MUST |MAY| Encr |
+--------------------------------------------------+-----+---+------+
|NC-Request-Type 595 8.7.1 Enumerated | M | P | Y |
|NAT-Control-Install 596 8.7.2 Grouped | M | P | Y |
|NAT-Control-Remove 597 8.7.3 Grouped | M | P | Y |
|NAT-Control-Definition 598 8.7.4 Grouped | M | P | Y |
|NAT-Internal-Address 599 8.7.5 Grouped | M | P | Y |
|NAT-External-Address 600 8.7.6 Grouped | M | P | Y |
|Max-NAT-Bindings 601 8.7.7 Unsigned32 | M | P | Y |
|NAT-Control- 602 8.7.8 OctetString| M | P | Y |
| Binding-Template | | | |
|Duplicate- 603 8.7.9 UTF8String | M | P | Y |
| Session-Id | | | |
|NAT-External-Port- 604 8.7.10 Enumerated | M | P | Y |
| Style | | | |
|NAT-Control-Record 605 9.2.1 Grouped | M | P | Y |
|NAT-Control- 606 9.2.2 Enumerated | M | P | Y |
| Binding-Status | | | |
|Current-NAT-Bindings 607 9.2.3 Unsigned32 | M | P | Y |
+--------------------------------------------------+-----+---+------+
Table 6: New Diameter AVPs. Please refer to [RFC6733] for the
definition of the Diameter AVP Flag rules and the associated
abbreviations used in the table.
8.7.1. NC-Request-Type AVP
The NC-Request-Type AVP (AVP Code 595) is of type Enumerated and
contains the reason for sending the NAT-Control-Request command. It
shall be present in all NAT-Control-Request messages.
The following values are defined:
INITIAL_REQUEST (1)
An Initial Request is to initiate a Diameter NAT control
session between the DNCA Diameter peers.
UPDATE_REQUEST (2)
An Update Request is used to update bindings previously
installed on a given access session, to add new binding on a
given access session, or to remove one or several binding(s)
activated on a given access session.
QUERY_REQUEST (3)
Query Request is used to query a NAT device about the currently
installed bindings for an endpoint classifier.
8.7.2. NAT-Control-Install AVP
The NAT-Control-Install AVP (AVP code 596) is of type Grouped, and it
is used to activate or install NAT-bindings. It also contains Max-
NAT-Bindings that defines the maximum number of NAT-bindings allowed
for an endpoint and the NAT-Control-Binding-Template that references
a predefined template on the NAT device that may contain static
binding, a maximum number of bindings allowed, an IP address pool
from which external binding addresses should be allocated, etc. If
the NAT-External-Port-Style AVP is present, then the NAT device MUST
select the external ports for the NAT-bindings, per the style
specified. The NAT-External-Port-Style is applicable for NAT-
bindings defined by the NAT-Control-Definition AVPs whose NAT-
External-Address or Port AVPs within the NAT-External-Address are
unspecified.
AVP format:
NAT-Control-Install ::= < AVP Header: 596 >
* [ NAT-Control-Definition ]
[ NAT-Control-Binding-Template ]
[ Max-NAT-Bindings ]
[ NAT-External-Port-Style ]
* [ AVP ]
8.7.3. NAT-Control-Remove AVP
The NAT-Control-Remove AVP (AVP code 597) is of type Grouped, and it
is used to deactivate or remove NAT-bindings. At least one of the
two AVPs (NAT-Control-Definition AVP or NAT-Control-Binding-Template
AVP) SHOULD be present in the NAT-Control-Remove AVP.
AVP format:
NAT-Control-Remove ::= < AVP Header: 597 >
* [ NAT-Control-Definition ]
[ NAT-Control-Binding-Template ]
* [ AVP ]
8.7.4. NAT-Control-Definition AVP
The NAT-Control-Definition AVP (AVP code 598) is of type Grouped, and
it describes a binding.
The NAT-Control-Definition AVP uniquely identifies the binding
between the DNCA Diameter peers.
If both the NAT-Internal-Address and NAT-External-Address AVP(s) are
supplied, it is a predefined binding.
If the NAT-External-Address AVP is not specified, then the NAT device
MUST select the external port as per the NAT-External-Port-Style AVP,
if present in the NAT-Control-Definition AVP.
The Protocol AVP describes the transport protocol for the binding.
The NAT-Control-Definition AVP can contain either zero or one
Protocol AVP. If the Protocol AVP is omitted and if both internal
and external IP addresses are specified, then the binding reserves
the IP addresses for all transport protocols.
The Direction AVP is of type Enumerated. It specifies the direction
for the binding. The values of the enumeration applicable in this
context are: "IN","OUT". If Direction AVP is OUT or absent, the NAT-
Internal-Address refers to the IP address of the endpoint that needs
to be translated. If Direction AVP is "IN", NAT-Internal-Address is
the destination IP address that has to be translated.
AVP format:
NAT-Control-Definition ::= < AVP Header: 598 >
{ NAT-Internal-Address }
[ Protocol ]
[ Direction ]
[ NAT-External-Address ]
[ Session-Id ]
* [ AVP ]
8.7.5. NAT-Internal-Address AVP
The NAT-Internal-Address AVP (AVP code 599) is of type Grouped. It
describes the internal IP address and port for a binding. Framed-
IPV6-Prefix and Framed-IP-Address AVPs are mutually exclusive. The
endpoint identifier Framed-IP-Address, Framed-IPv6-Prefix, and the
internal address in this NAT-Internal-Address AVP to install NAT-
bindings for the session MUST match.
AVP format:
NAT-Internal-Address ::= < AVP Header: 599 >
[ Framed-IP-Address ]
[ Framed-IPv6-Prefix ]
[ Port]
* [ AVP ]
8.7.6. NAT-External-Address AVP
The NAT-External-Address AVP (AVP code 600) is of type Grouped, and
it describes the external IP address and port for a binding. The
external IP address specified in this attribute can be reused for
multiple endpoints by specifying the same address in the respective
NAT-External-Address AVPs. If the external IP address is not
specified and the NAT-External-Port-Style AVP is specified in the
NAT-Control-Definition AVP, then the NAT device MUST select an
external port as per the NAT-External-Port-Style AVP.
AVP format:
NAT-External-Address ::= < AVP Header: 600 >
[ Framed-IP-Address ]
[ Port ]
* [ AVP ]
8.7.7. Max-NAT-Bindings
The Max-NAT-Bindings AVP (AVP code 601) is of type Unsigned32. It
indicates the maximum number of NAT-bindings allowed for a particular
endpoint.
8.7.8. NAT-Control-Binding-Template AVP
The NAT-Control-Binding-Template AVP (AVP code 602) is of type
OctetString. It defines a name for a policy template that is
predefined at the NAT device. Details on the contents and structure
of the template and configuration are outside the scope of this
document. The policy to which this AVP refers may contain NAT-
bindings, an IP address pool for allocating the external IP address
of a NAT-binding, and a maximum number of allowed NAT-bindings. Such
a policy template can be reused by specifying the same NAT-Control-
Binding-Template AVP in the corresponding NAT-Control-Install AVPs of
multiple endpoints.
8.7.9. Duplicate-Session-Id AVP
The Duplicate-Session-Id AVP (AVP Code 603) is of type UTF8String.
It is used to report errors and contains the Session-Id of an
existing session.
8.7.10. NAT-External-Port-Style AVP
The NAT-External-Port-Style AVP (AVP Code 604) is of type Enumerated
and contains the style to be followed while selecting the external
port for a NAT-binding relative to the internal port.
The following values are defined:
FOLLOW_INTERNAL_PORT_STYLE (1)
External port numbers selected MUST follow the same sequence
and oddity as the internal ports of the NAT-bindings. The port
oddity is required to support protocols like RTP and RTCP as
defined in [RFC3550]. If for example the internal port in a
requested NAT-binding is odd numbered, then the external port
allocated MUST also be odd numbered, and vice versa for an even
numbered port. In addition, the sequence of port numbering is
maintained: if internal ports are consecutive, then the NAT
device MUST choose consecutive external ports for the NAT-
bindings.
