Diameter Maintenance and Extensions (DIME) | M. Jones |
Internet-Draft | Bridgewater Systems |
Updates: 3588 (if approved) | J. Korhonen |
Intended status: Standards Track | Nokia Siemens Networks |
Expires: November 10, 2011 | L. Morand |
Orange Labs | |
May 09, 2011 |
Diameter S-NAPTR Usage
draft-ietf-dime-extended-naptr-08
The Diameter base protocol specifies mechanisms whereby a given realm may advertise Diameter nodes and the supported transport protocol. However, these mechanisms do not reveal the Diameter applications that each node supports. A peer outside the realm would have to perform a Diameter capability exchange with every node until it discovers one that supports the required application. This document updates [RFC3588] and describes an improvement using an extended format for the Straightforward-Naming Authority Pointer (S-NAPTR) Application Service Tag that allows for discovery of the supported applications without doing Diameter capability exchange beforehand.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 10, 2011.
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The Diameter base protocol [RFC3588] specifies three mechanisms for the Diameter peer discovery. One of these involves the Diameter implementation performing a Naming Authority Pointer (NAPTR) query [RFC3403] for a server in a particular realm. These NAPTR records provide a mapping from a domain, to the SRV record [RFC2782] or A/AAAA record [RFC1035][RFC3596] for contacting a server with the specific transport protocol in the NAPTR services field.
The extended NAPTR usage for Diameter peer discovery defined by this document is based on the Straightforward-NAPTR (S-NAPTR) Dynamic Delegation Discovery System (DDDS) Application defined in [RFC3958]. This document updates the Diameter peer discovery procedure described in Section 11.6 of [RFC3588] and defines S-NAPTR Application Service and Application Protocol Tag values that permit the discovery of Diameter peers that support a specific Diameter application and transport protocol.
The Diameter base protocol specification (Section 1.4 of [RFC3588]) and the Straightforward-NAPTR (S-NAPTR) DDDS application (section 2.1 in [RFC3958]) define the terminology used in this document.
service-parms = [ [app-service] *(":" app-protocol)] app-service = experimental-service / iana-registered-service app-protocol = experimental-protocol / iana-registered-protocol experimental-service = "x-" 1*30ALPHANUMSYM experimental-protocol = "x-" 1*30ALPHANUMSYM iana-registered-service = ALPHA *31ALPHANUMSYM iana-registered-protocol = ALPHA *31ALPHANUMSYM ALPHA = %x41-5A / %x61-7A ; A-Z / a-z DIGIT = %x30-39 ; 0-9 SYM = %x2B / %x2D / %x2E ; "+" / "-" / "." ALPHANUMSYM = ALPHA / DIGIT / SYM ; The app-service and app-protocol tags are limited to 32 ; characters and must start with an alphabetic character. ; The service-parms are considered case-insensitive.
The NAPTR Service Field format defined by the S-NAPTR DDDS application in [RFC3958] follows this Augmented Backus-Naur Form (ABNF, [RFC5234]):
iana-registered-service = aaa-service / ALPHA *31ALPHANUMSYM aaa-service = "aaa+ap" appln-id appln-id = 1*DIGIT ; Application identifier expressed as a ; decimal integer.
This specification refines the "iana-registered-service" tag definition for the discovery of Diameter agents supporting a specific Diameter application as defined below.
iana-registered-protocol = aaa-protocol / ALPHA *31ALPHANUMSYM aaa-protocol = "diameter." aaa-transport aaa-transport = "tcp" / "sctp" / "tls.tcp"
This specification also refines the "iana-registered-protocol" tag definition for the discovery of Diameter agents supporting a specific Diameter transport protocol as defined below.
The maximum length of the NAPTR service field is 256 octets including one octet length field (see Section 4.1 of RFC 3403 and Section 3.3 of [RFC1035]).
A Diameter agent MUST be capable of using the extended S-NAPTR Application Service Tag for dynamic discovery of a Diameter agent supporting Standard Track applications. Therefore, every IETF Standard Track Diameter application MUST be associated with a "aaa-service" tag formatted as defined in this specification and allocated in accordance with the IANA policy (see Section 7).
For example, a NAPTR service field value of:
S-NAPTR Application Service and Application Protocol Tag values can also be used to discover Diameter peers that support a vendor-specific Diameter application. In this case, the vendor-specific Diameter application MUST be associated with a "aaa-service" tag formatted as defined in this specification and allocated in accordance with the IANA policy (see Section 7).
For example, a NAPTR service field value of:
Domain Name System (DNS) administrators SHOULD also provision legacy RFC 3588 style NAPTR records [RFC3403] in order to guarantee backwards compatibility with legacy RFC 3588 compliant Diameter peers. If the DNS administrator provisions both extended S-NAPTR records as defined in this specification and legacy RFC 3588 NAPTR records, then the extended S-NAPTR records MUST have higher priority (e.g. lower order and/or preference values) than legacy NAPTR records.
The Diameter Peer Discovery principles are described in Section 5.2 of [RFC3588]. This specification updates the NAPTR query procedure in the Diameter peer discovery mechanism by allowing the querying node to determine which applications are supported by resolved Diameter peers.
The extended format NAPTR records provide a mapping from a domain to the SRV record or A/AAAA record for contacting a server supporting a specific transport protocol and Diameter application. The resource record will contain an empty regular expression and a replacement value, which is the SRV record or the A/AAAA record for that particular transport protocol.
The assumption for this mechanism to work is that the DNS administrator of the queried domain has first provisioned the DNS with extended format NAPTR entries. The steps below replace the NAPTR query procedure steps in Section 5.2 of [RFC3588].
Diameter is a peer to peer protocol whereas most of the applications that extend the base protocol behave like client/server applications. The role of the peer is not advertised in the NAPTR tags and not even communicated during Diameter capability negotiation (Capabilities-Exchange-Request and Capabilities-Exchange-Answer message exchange). For this reason, NAPTR-based Diameter peer discovery for an application defining client/server roles should only be used by a client to discover servers.
IANA is requested to reserve a value of "aaa" for Diameter in the S-NAPTR Application Service Tag registry created by [RFC3958]. IANA is also requested to reserve the following S-NAPTR Application Service Tags for existing IETF Diameter applications in the same registry.
Tag | Diameter Application |
---|---|
aaa+ap1 | NASREQ [RFC3588] |
aaa+ap2 | Mobile IPv4 [RFC4004] |
aaa+ap3 | Base Accounting [RFC3588] |
aaa+ap4 | Credit Control [RFC4006] |
aaa+ap5 | EAP [RFC4072] |
aaa+ap6 | SIP [RFC4740] |
aaa+ap7 | Mobile IPv6 IKE [RFC5778] |
aaa+ap8 | Mobile IPv6 Auth [RFC5778] |
aaa+ap9 | QoS [RFC5866] |
aaa+ap4294967295 | Relay [RFC3588] |
Future IETF Diameter applications MUST reserve the S-NAPTR Application Service Tag corresponding to the allocated Diameter Application ID as defined in Section 3.
IANA is requested to reserve the following S-NAPTR Application Service Tags for existing 3GPP Diameter applications in the S-NAPTR Application Service Tag registry created by [RFC3958].
Tag | Diameter Application |
---|---|
aaa+ap16777250 | 3GPP STa [TS29.273] |
aaa+ap16777251 | 3GPP S6a [TS29.272] |
aaa+ap16777264 | 3GPP SWm [TS29.273] |
aaa+ap16777267 | 3GPP S9 [TS29.215] |
Future 3GPP Diameter applications can reserve entries in the S-NAPTR Application Service Tag registry created by [RFC3958] which correspond to the allocated Diameter Application IDs as defined in Section 3.
IANA is requested to reserve the following S-NAPTR Application Service Tags for existing WiMAX Forum Diameter applications in the S-NAPTR Application Service Tag registry created by [RFC3958].
Tag | Diameter Application |
---|---|
aaa+ap16777281 | WiMAX Network Access Authentication and Authorization Diameter Application (WNAAADA) [WiMAX] |
aaa+ap16777282 | WiMAX Network Accounting Diameter Application (WNADA) [WiMAX] |
aaa+ap16777283 | WiMAX MIP4 Diameter Application (WM4DA) [WiMAX] |
aaa+ap16777284 | WiMAX MIP6 Diameter Application (WM6DA) [WiMAX] |
aaa+ap16777285 | WiMAX DHCP Diameter Application (WDDA) [WiMAX] |
aaa+ap16777286 | WiMAX Location Authentication Authorization Diameter Application (WLAADA) [WiMAX] |
aaa+ap16777287 | WiMAX Policy and Charging Control R3 Policies Diameter Application (WiMAX PCC-R3-P) [WiMAX] |
aaa+ap16777288 | WiMAX Policy and Charging Control R3 Offline Charging Diameter Application (WiMAX PCC-R3-OFC) [WiMAX] |
aaa+ap16777289 | WiMAX Policy and Charging Control R3 Offline Charging Prime Diameter Application (WiMAX PCC-R3-OFC-PRIME) [WiMAX] |
aaa+ap16777290 | WiMAX Policy and Charging Control R3 Online Charging Diameter Application (WiMAX PCC-R3-OC) [WiMAX] |
Future WiMAX Forum Diameter applications can reserve entries in the S-NAPTR Application Service Tag registry created by [RFC3958] which correspond to the allocated Diameter Application IDs as defined in Section 3.
Vendor-Specific Diameter Application IDs are allocated by IANA according to the "First Come First Served" policy and do not require an IETF specification. However, the S-NAPTR Application Service Tag registry created by [RFC3958] defines a registration policy of "Specification Required" with a further stipulation that the "specification" is an RFC (of any category). If a Vendor-Specific Diameter Application requires the functionality defined in this document, an RFC of any category MUST be published which reserves the S-NAPTR Application Service Tag corresponding to the Vendor-Specific Diameter Application ID as defined in Section 3.
IANA is requested to reserve the following S-NAPTR Application Protocol Tags for the Diameter transport protocols in the S-NAPTR Application Protocol Tag registry created by [RFC3958].
Tag | Protocol |
---|---|
diameter.tcp | TCP |
diameter.sctp | SCTP |
diameter.tls.tcp | TLS/TCP |
This document specifies an enhancement to RFC 3588 Diameter base protocol defined NAPTR service field format and also modifications to the NAPTR processing logic defined. The enhancements and modifications are based on the S-NAPTR, which is actually a simplification of the NAPTR, and therefore the same security considerations described in RFC 3588 are applicable to this document. No further extensions are required beyond the security mechanisms offered by RFC 3588. However, a malicious host doing S-NAPTR queries learns applications supported by Diameter agents in a certain realm faster, which might help the malicious host to scan potential targets for an attack more efficiently when some applications have known vulnerabilities.
We would like to thank Glen Zorn, Avi Lior, Itsuma Tanaka, Lionel Morand and Sebastien Decugis for their comprehensive review comments.
This section to be removed prior to publication.
This draft updates sections of RFC3588 that are also being updated by RFC3588bis. At the time this draft was started, it was uncertain whether RFC3588bis would be published first. The authors of this draft decided to proceed optimistically assuming this draft would be published first with the understanding that minor updates are required if this is not the case.
The application-neutral aspects of Diameter S-NAPTR usage (e.g "aaa:diameter.sctp") were also contributed to RFC3588bis to ensure that it would be functionally complete if it got published first and this draft would come along later to add the application-specific S-NAPTR entries (e.g."aaa+ap5:diameter.sctp").
Depending on the publication order, the S-NAPTR Application Service Tag registry value of "aaa" and the S-NAPTR Application Protocol Tags values ("diameter.tcp"/"diameter.sctp"/"diameter.tls.tcp") will need to be removed either from this draft or RFC3588bis.