Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

6
Diameter Applications

6.1 Introduction

This chapter discusses some widely used Diameter applications. Recall that application messages are exchanged between Diameter nodes only after capabilities have been discovered.

We will start with the application defined by the base specification, Base Accounting (Section 6.2), then look at another accounting application defined by the IETF called Credit‐Control (Section 6.3). Next, we will take a look at an authorization application to specify quality of service (Section 6.4). The section that covers the authentication application, Diameter Extensible Authentication Protocol (EAP), also has a freeDiameter example (Section 6.5). The last and most complex application to be covered in this section is an authentication and authorization application used in mobile networks called the S6a Interface (Section 6.6).

Note that this chapter provides overviews of the applications' modes of operation, commands, and AVPs. The finer details for each application can be found in the application's RFC or technical specification.

We will cover some examples of these applications as they are extended by a standards development organization known as the 3rd Generation Partnership Project (3GPP) and deployed in mobile networks. The work of 3GPP is a good example of the adoption of Diameter and the development of Diameter applications. The area of mobile telecommunications provides fertile ground for Diameter applications due to the size of the networks, the heavy interoperability process performed by vendors and operators, and feedback from operational fields.

Over 30 Diameter applications have been defined and used in 3GPP networks. 3GPP refers to these applications as interfaces or reference points between two network elements and provides them with short labels, S6a, Rf, Gx, etc. 3GPP groups their specifications under a release system, which, when frozen, provides a stable platform upon which to implement the specifications. As of this writing Release 14 is the most current, frozen release.

6.2 Base Accounting

Accounting is the collection of information on resource usage, occurring in parallel with a user activity such as accessing the network or placing a voice call, for the purpose of billing, capacity planning, auditing, or cost allocation. Accounting takes place after a user has been authenticated and authorized for a service.

The Diameter base specification defines an accounting application, known as the base accounting application (Table 6.1), that is not a standalone application but is used by other Diameter applications, such as authorization applications, that also want to provide accounting information.

Table 6.1 Base accounting application.

Reference	RFC 6733 1
Application‐Id value	3
Commands	Accounting‐Request/Answer (ACR/ACA)	271

In Diameter, accounting information is not streamed, but is instead sent in discrete messages. Depending on the type of user access and the direction received from the accounting server, an accounting client can send accounting information via just one message, which contains an event record, or via multiple messages, which start with a start record, continue with interim records, and end with a stop record. The accounting server then needs a way to correlate the records it receives with the application and the user.

6.2.1 Actors

The actors for this application include the Diameter application that is using the base Accounting‐Request and Accounting‐Answer commands in addition to its own Diameter application commands for authentication and authorization. We will call this application a Network Access Server (NAS). The other actors include the accounting application client and the accounting application server.

6.2.2 Accounting Application Setup

Typically a successful transaction with the NAS starts the accounting application. The accounting application server selects how often the accounting application client should send accounting records based on provisioned information about the user and any relationships with roaming partners (if the accounting application is deployed in a mobile network), and communicates this mode to the client via the Acct‐Interim‐Interval and Accounting‐Realtime‐Required AVPs in its main application response.

Acct‐Interim‐Interval: The inclusion of this AVP (type Unsigned32) instructs the client to send snapshots of usage during a user's session, known as an interim record. Interim records provide a partial accounting of a user's session in case a device or network problem prevents the delivery of a session summary message or session record.
- The omission of this AVP or its inclusion with its value field set to 0 means that the client should produce only event records, start records, and stop records.
- The inclusion of the AVP with its value field set to a non‐zero value means that the client produces interim records between the start record and the stop record. The value field of this AVP specifies the interval in seconds between the sending of these records. The client starts a timer when it sends a start record, sends the first interim record roughly when this interval time elapses, and continues to send interim records at timed intervals until the session ends, at which point the client sends a stop record. The client randomizes the production times of interim records to avoid creating message storms around a common service start time.
Accounting‐Realtime‐Required: This AVP provides guidance to the client on what the client should do when its transfer of accounting records is delayed or unsuccessful. Real‐time accounting is the processing of information on resource usage within a defined time window in order to limit financial risk.
- 1 DELIVER_AND_GRANT: The service is granted only when there is a connection to an accounting server or to a set of accounting servers.
- 2 GRANT_AND_STORE: Service is granted when there is a connection or for as long as the client can store records. This is the default behavior if the Accounting‐Realtime‐Required AVP is not included.
- 3 GRANT_AND_LOSE: Service will be granted even if the records cannot be delivered or stored.
Note that the Accounting‐Realtime‐Required AVP doesn't indicate whether the accounting data is actually sent to the server in real time. The Diameter Credit‐Control Application (Section 6.3 ) and the 3GPP Rf interface (Section 6.2.10) are examples of real‐time accounting applications.

When the client receives a successful authentication and/or authorization message from the Diameter server, it starts collecting accounting information for the session according to the server's directives.

Depending on which accounting service, described in the next section, is used by the Diameter application, the client sends accounting information either to the main application server or to a centralized accounting server. The client transmits accounting records to the server via the Accounting‐Request message. The server acknowledges with the Accounting‐Answer message.

If the client interacts with an accounting server directly after successful authorization, then that accounting server can override directives given previously by the main application server by including the Acct‐Interim‐Interval or Accounting‐Realtime‐Required AVP in the Accounting‐Answer message. The client always uses the latest values received.

6.2.3 Accounting Services

Diameter applications that want to incorporate the base accounting commands can route them in one of the following ways:

Split Accounting Service
The Accounting‐Request and Accounting‐Answer commands carry the Application‐Id of 3, which is the Application‐Id of the Diameter base accounting application, and they can be routed to Diameter nodes other than the server that handles the main Diameter application, such as centralized accounting servers (Figure 6.1). Since the Application‐Id doesn't provide information about the specific Diameter application that is sending the commands, the accounting server needs to inspect the message's other AVPs or their content to correlate messages.¹

Figure 6.1 Split accounting service. The user's protocol is abstracted, as is the Diameter authorization application.
Because of this overhead, if you are creating a new Diameter application that requires an accounting component (designing new applications is covered in Chapter 7), the split accounting service is not recommended.
Examples of applications that use split accounting services are the Diameter Extensible Authentication Protocol (EAP) Application (Section 6.5 ) and the 3GPP Rf interface (Section 6.2.10 ).
Coupled Accounting Service
The Accounting‐Request and Accounting‐Answer commands carry the Application‐Id of the Diameter application that is using it. The accounting messages are routed the same way as the other Diameter application messages and thus go to the authorization server (Figure 6.2). The authorization server then either processes the accounting records itself or forwards them to an accounting server.

Figure 6.2 Coupled accounting service. The user's protocol is abstracted, as is the Diameter authorization application.
When creating new Diameter applications that have an accounting component, the best current practice is to use the coupled accounting service.
Examples of applications that use a coupled accounting service are the Diameter Network Access Server Application 2 and the Diameter Mobile IPv4 Application 3.

6.2.4 Accounting Records

Accounting records, which summarize the user's resource consumption, vary by the type of accounted service and the authorization server's directions. The client sends the accounting record in an Accounting‐Request, where the details are captured in the service‐specific AVPs.

If the accounted service is a one‐time event, meaning that the start and stop of the event are simultaneous, then the client sets the Accounting‐Record‐Type AVP to EVENT_RECORD in the Accounting‐Request.

If the accounted service session continues for some length of time, then the client sets the Accounting‐Record‐Type AVP to the value START_RECORD in the initial Accounting‐Request for a session. When the client sends the last Accounting‐Request, it sets the Accounting‐Record‐Type AVP value to STOP_RECORD. If the authorization server has enabled interim accounting, then the client sends additional records between the START_RECORD and STOP_RECORD, marked INTERIM_RECORD.

A session sequence then is either one record with Accounting‐Record‐Type AVP set to the value EVENT_RECORD or several records starting with START_RECORD, followed by zero or more INTERIM_RECORDs and a single STOP_RECORD. Since a session can have more than one accounting sequence, the Accounting‐Sub‐Session‐Id is used to identify a particular sequence.

6.2.5 Correlation of Accounting Records

A Diameter application defines the concept of a session that is being accounted, and it may define the concept of a multi‐session. For instance, the Diameter Network Access Server Application 2 treats a single point‐to‐point (PPP) connection 4 to an NAS as one session and a set of multilink PPP sessions as one multi‐session.

An application can correlate accounting records within a session by using the Session‐Id AVP found in the messages. If the accounting messages use a different Session‐Id than the application sessions, then other session‐related information is needed to perform correlation.

When an application requires multiple accounting sub‐sessions, then each sub‐session is differentiated by an Accounting‐Sub‐Session‐Id AVP. The Session‐Id remains constant for all sub‐sessions and is used to correlate all the sub‐sessions to a particular application session.

There are cases where an application needs to correlate multiple application sessions into a single accounting record; the accounting record may span multiple Diameter applications and sessions used by the same user at a given time. When the main application server determines that a request belongs to an existing session, it sends the Acct‐Multi‐Session‐Id AVP during the authorization phase. The client then includes the Acct‐Multi‐Session‐Id AVP in all subsequent accounting messages. The contents of Acct‐Multi‐Session‐Id AVP are implementation specific, but are globally unique and do not change during the life of a session.

When the split accounting service is used, a centralized Diameter accounting server will need to sort messages from different applications; however, the Accounting‐Request messages all use the same Application‐Id of 3. The accounting server will need to look for application‐specific AVPs in order to determine to which application the message applies.

6.2.6 Sending Accounting Information

The client sends an Accounting‐Request (Figure 6.3) command to provide accounting information to the main application server or to an accounting server. In addition to the AVPs covered below, Accounting‐Request messages usually include service‐specific accounting AVPs.

       <ACR> ::= < Diameter Header: 271, REQ, PXY >           < Session-Id >           { Origin-Host }           { Origin-Realm }           { Destination-Realm }           { Accounting-Record-Type }           { Accounting-Record-Number }           [ Acct-Application-Id ]           [ Vendor-Specific-Application-Id ]           [ User-Name ]           [ Destination-Host ]           [ Accounting-Sub-Session-Id ]           [ Acct-Session-Id ]           [ Acct-Multi-Session-Id ]           [ Acct-Interim-Interval ]           [ Accounting-Realtime-Required ]           [ Origin-State-Id ]           [ Event-Timestamp ]          * [ Proxy-Info ]          * [ Route-Record ]          * [ AVP ]

Figure 6.3 Accounting‐Request Command Code Format.

By issuing an Accounting‐Request corresponding to the authorization response, the client or the local realm implicitly agrees to provide the service indicated in the authorization response. If the local realm cannot provide the service, it sends a DIAMETER_UNABLE_TO_COMPLY error message within the Accounting‐Request.

The server acknowledges an Accounting‐Request command with an Accounting‐Answer command (Figure 6.4). The Accounting‐Answer command contains the same Session‐Id as the corresponding request.

       <ACA> ::= < Diameter Header: 271, PXY >           < Session-Id >           { Result-Code }           { Origin-Host }           { Origin-Realm }           { Accounting-Record-Type }           { Accounting-Record-Number }           [ Acct-Application-Id ]           [ Vendor-Specific-Application-Id ]           [ User-Name ]           [ Accounting-Sub-Session-Id ]           [ Acct-Session-Id ]           [ Acct-Multi-Session-Id ]           [ Error-Message ]           [ Error-Reporting-Host ]           [ Failed-AVP ]           [ Acct-Interim-Interval ]                  [ Accounting-Realtime-Required ]                     [ Origin-State-Id ]                     [ Event-Timestamp ]                   * [ Proxy-Info ]                   * [ AVP ]

Figure 6.4 Accounting‐Answer Command Code Format.

In addition to the AVPs listed in RFC 6733, Accounting‐Answer messages usually include service‐specific accounting AVPs.

6.2.7 Accounting AVPs

This section describes the AVPs that carry accounting usage information related to a specific session.

Accounting‐Record‐Type: Identifies the type of accounting record:
- 1 EVENT_RECORD: This record contains all information relevant to the service, and it is the only record of the service.
- 2 START_RECORD: Initiates an accounting session and contains accounting information that is applicable to the start of the session.
- 3 INTERIM_RECORD: Contains cumulative accounting information for an existing session. Interim Accounting Records are sent every time a re‐authentication or re‐authorization occurs or when triggered by application‐specific events. The use of interim records is determined by the Acct‐Interim‐Interval AVP.
- 4 STOP_RECORD: Ends an accounting session and contains cumulative accounting information relevant to the existing session. When a service uses the accounting portion of the Diameter protocol, even in combination with an application, session termination messages are not used, since a session is terminated with an accounting stop message.
Accounting‐Record‐Number: Identifies this record within one session. Since Session‐Id AVPs are globally unique, the combination of Session‐Id and Accounting‐Record‐Number AVPs can be used to identify a single record within a session.
Acct‐Session‐Id: This AVP is only used when RADIUS/Diameter translation occurs. This AVP contains the contents of the RADIUS Acct‐Session‐Id attribute.
Acct‐Multi‐Session‐Id: Links multiple, related accounting sessions, where each session has a unique Session‐Id but the same Acct‐Multi‐Session‐Id AVP. The server provides the value for this AVP, which the client includes in all accounting messages for the given session.
Accounting‐Sub‐Session‐Id: Contains the accounting sub‐session identifier. The combination of the Session‐Id and this AVP is unique per sub‐session, and the value of this AVP is monotonically increased by one for all new sub‐sessions. If the client does not include this AVP, then there are no sub‐sessions in use, except when Accounting‐Record‐Type is set to STOP_RECORD, which signals the termination of all sub‐sessions for a given Session‐Id.

6.2.8 `freeDiameter` Example

Here is an example of a Split Accounting Service message exchange captured from freeDiameter:

6.2.9 Fault Resilience

If the primary server fails, clients are expected to fail over to alternate servers in order to minimize loss of accounting data. To guard against reboots, extended network failures, and server failures, the client should store accounting records in non‐volatile memory immediately after creation and until a positive Accounting‐Answer has been received from the server. The client should overwrite any previously locally stored interim accounting records to ensure that only one interim record exists for a session. Upon a reboot, the client should send stored records to the accounting server after updating the records' termination cause, session length, and other relevant information.

Diameter peers acting as agents or offline processing systems should detect duplication caused by the sending of the same record to several servers and duplication of messages in transit by inspecting the Session‐Id and Accounting‐Record‐Number AVP pairs.

6.2.10 Example: 3GPP Rf Interface for Mobile Offline Charging

A real‐world example of the Diameter base accounting application is its use in mobile networks for offline charging. Offline charging is the simultaneous collection of charging information for the use of a network resource (a voice call, data transport, or multimedia message transmission) that does not affect, in real‐time, the service rendered. That is, the future use of the resource during the session is not based on the current use, for example a customer may be billed more for exceeding the number of minutes in her call plan, but she will not be cut off.

Within 3GPP networks, one of the offline charging applications is the Rf interface 5. The Rf interface is the reference point between a 3G network element,² and more specifically a component within that network element known as a Charging Trigger Function (CTF), and the Charging Data Function (CDF), which collects the accounting data to send it to the network operator's billing domain.

The CTF acts as a Diameter client and the CDF acts as a stateless accounting server that implements the functionality of the Diameter base accounting application. With each chargeable event, the CTF creates an Accounting Request (ACR) and sends it to the CDF in real time. Chargeable events include the transmission of a multimedia message, the start of a session, like a voice call, a change in a session, for instance a change in quality of service, and the end of a session

The Rf interface handles both event‐based and session‐based accounting records. The event record is used for registration or interrogation and for successful service events (the sending of a multimedia message, for instance) triggered by a network element. In addition, event records are also used for unsuccessful session establishment attempts. The ACR record types used for accounting data related to successful sessions are start, interim, and stop. Interim events describe changes to session characteristics (e.g., tariff time switch, change of quality of service or change of session media types) or when certain limits (e.g., time or volume) are exceeded.

The CDF transfers the charging events to the network operator's billing domain via FTP.

6.2.10.1 Rf Interface Commands

The Rf interface reuses, with some modifications, the Accounting‐Request and Accounting‐Answer commands specified in the base protocol. The Application‐Id is 3, and thus the Rf interface uses a split accounting service.

Rf Accounting‐Request

The Rf ACR command lacks the Vendor‐Specific‐Application‐Id since the command is not part of a vendor‐specific application. The command also does not use the Accounting‐Sub‐Session‐Id, Acct‐Session‐Id, or Acct‐Multi‐Session‐Id AVPs.

The Accounting‐Realtime‐Required AVP is not included in the request since the Rf application requires the CTF to buffer its accounting data in non‐volatile memory if the CTF cannot connect to either its primary or failover CDF. Once the CTF can connect again to the CDF, it sends all stored accounting messages in the order in which they were stored.

Two new AVPs are added to Rf ACR:

Service‐Context‐Id: Contains a unique identifier of the 3GPP technical specification on which associated call detail records should be based. The AVP was originally defined in RFC 4006 6 and expanded by 3GPP.
Service‐Information: Holds service‐specific parameters as defined by the service's charging technical specification.

Rf Accounting‐Answer

Based on the ACA defined in the base protocol, the Rf ACA command does not add any new AVPs. However, the Rf ACA command omits the following optional AVPs:

Vendor‐Specific‐Application‐Id
Accounting‐Sub‐Session‐Id
Acct‐Session‐Id
Acct‐Multi‐Session‐Id
Accounting‐Realtime‐Required

6.3 Credit Control

An application that monitors and controls the charges related to an end user's consumption of a service, such as network access, voice services, messaging, and downloading, is known as a credit‐control application. A credit‐control application checks if the user has credit available, reserves the user's credit, deducts the credit from the user's account when service is completed, and refunds any reserved credit that the user has not consumed.

The Diameter base accounting application was not designed to determine a user's account state or control the user's consumption of credit in real time. A separate application, known as the Diameter Credit‐Control application and specified in 6, can be used to implement real‐time credit control (Table 6.2). This generic application can be applied to many service environments that support pre‐paid services.

Table 6.2 Credit‐Control application.

Reference	RFC 4006 6
Application‐Id value	4
Commands	Credit‐Control‐Request/Answer (CCR/CCA)	272

In addition to consumption monitoring, the Diameter Credit‐Control application supports service price enquiry, user's balance check, and refund of credit on the user's account. The Credit‐Control application can also support a multi‐service environment, where an end user can request additional service during an ongoing service, for example requesting data service during voice service.

Support for the Diameter Credit‐Control application is indicated in the CER and CEA by setting the Auth‐Application‐Id to 4.

A typical credit‐control architecture consists of the following actors:

Service element with an embedded Diameter credit‐control client A network element, such as a NAS, SIP proxy, or an application server (gaming, messaging, etc.), that provides a service to the end users. A Diameter credit‐control client monitors the usage of the granted quota according to instructions returned by the credit‐control server.
Diameter credit‐control server Performs real‐time rating and credit control. It may also interact with a business support system. This is a logical entity, and can be combined with an AAA server.
AAA server A logical entity can be combined with a credit‐control server.
Business support system Provides billing support.

The credit‐control client contacts the credit‐control server with information about a possible service event using the Credit‐Control‐Request command. The credit‐control application determines potential charges and verifies whether the user's account balance can cover the cost of the service being rendered and replies with a Credit‐Control‐Answer.

The credit‐control application supports two credit authorization models. In both models, the credit‐control client requests credit authorization from the credit‐control server prior to allowing any service to be delivered to the end user.

h3

Money Reservation

When the credit‐control server receives a Credit‐Control‐Request, it reserves a suitable amount of money from the user's account and returns the corresponding amount of credit resources, which can be in money, data volume, or time units, in the Credit‐Control‐Answer.

Upon receipt of a successful Credit‐Control‐Answer, the credit‐control client allows the delivery of service to the user, monitoring the user's consumption of the granted resources. When the user consumes the credit resources, or after delivery or termination of the service, the credit‐control client reports the consumption to the credit‐control server, which deducts the used amount from the end user's account.

Multiple requests and answers can be exchanged for session‐based credit control, with the credit‐control server performing rating and making new credit reservations. Both the credit‐control client and the credit‐control server maintain session state when engaging in session‐based credit control.

Direct Debiting

Direct debiting is a single transaction, where the credit‐control server deducts the money from the user's account when it receives the Credit‐Control‐Request. When the credit‐control client receives a successful Credit‐Control‐Answer, it permits the service to be delivered to the end user and does not maintain session state.

6.3.1 Credit‐Control‐Request Command

After the user has been authenticated and authorized, the Diameter credit‐control client requests credit authorization from the credit‐control server for a given service with the Credit‐Control‐Request message (Figure 6.5).

  <Credit-Control-Request> ::= < Diameter Header: 272, REQ, PXY >                              < Session-Id >                              { Origin-Host }                              { Origin-Realm }                              { Destination-Realm }                              { Auth-Application-Id }                              { Service-Context-Id }                              { CC-Request-Type }                              { CC-Request-Number }                              [ Destination-Host ]                              [ User-Name ]                              [ CC-Sub-Session-Id ]                              [ Acct-Multi-Session-Id ]                              [ Origin-State-Id ]                              [ Event-Timestamp ]                            * [ Subscription-Id ]                              [ Service-Identifier ]                              [ Termination-Cause ]                              [ Requested-Service-Unit ]                              [ Requested-Action ]                            * [ Used-Service-Unit ]                              [ Multiple-Services-Indicator ]                            * [ Multiple-Services-Credit-Control ]                            * [ Service-Parameter-Info ]                              [ CC-Correlation-Id ]                              [ User-Equipment-Info ]                            * [ Proxy-Info ]                            * [ Route-Record ]                            * [ AVP ]

Figure 6.5 Credit‐Control‐Request Command Code Format.

The following AVPs occur in both the Credit‐Control‐Request and Credit‐Control‐Answer messages:

CC‐Request‐Type: Contains the reason for sending the message:
- 1 INITIAL_REQUEST: Used to initiate a credit‐control session.³
- 2 UPDATE_REQUEST: Sent when the allocated quota or validity time expires and re‐authorization is needed, or when service‐specific events trigger an update.
- 3 TERMINATION_REQUEST: Sent to terminate a session.
- 4 EVENT_REQUEST: Used when the credit‐control server does not need to maintain session state. The request contains all information relevant to the service, and is the only request of the service. The reason for the Event request is given in the Requested‐Action AVP.
CC‐Request‐Number: Identifies the request message within one session. The combination of Session‐Id and CC‐Request‐Number, which is globally unique, can be used in matching credit‐control requests with answers.
CC‐Sub‐Session‐Id: Contains the credit‐control sub‐session identifier. Applications that require multiple credit‐control sub‐sessions can send messages with the same Session‐Id AVP and different CC‐Sub‐Session‐Id AVPs. If there are multiple credit sub‐sessions, the sub‐sessions are closed before the main session is closed to ensure proper reporting. If this AVP is not included, then there are no sub‐sessions.
Multiple‐Services‐Credit‐Control: Contains the AVPs related to the independent credit control of multiple services feature.

The following AVPs are specific to the Credit‐Control‐Request message:

Service‐Context‐Id: Contains a unique identifier of the service‐specific document that applies to the request. Service‐specific documents are documents created by standards bodies, service providers, or vendors that define the AVPs that are used as input to the rating process. The format of this AVP is a token that contains an arbitrary string, plus the domain of the standards body or the FQDN of the service provider or vendor if the identifier is allocated by a private entity and no interoperability is required.
Subscription‐Id: Identifies the end user.
Service‐Identifier: Contains the identifier of a service. The combination of the Service‐Identifier and Service‐Context‐Id AVPs uniquely identifies the specific service.
Requested‐Service‐Unit: Contains the number of units requested by the credit‐control client. Units can include CC‐Time and CC‐Money.
Requested‐Action: Included when the CC‐Request‐Type AVP indicates an Event request, and contains the requested action:
- 0 DIRECT_DEBITING: Decreases the end user's account using the information in the Requested‐Service‐Unit and/or the Service‐Identifier AVPs.
- 1 REFUND_ACCOUNT: Increases the end user's account using the information in the Requested‐Service‐Unit and/or the Service‐Identifier AVPs.
- 2 CHECK_BALANCE: Indicates a balance check request.
- 4 PRICE_ENQUIRY: Indicates a price enquiry request.
Used‐Service‐Unit: Contains the number of used units measured either from the point when the service became active or when the previous measurement ended, if interim interrogations are used.
Multiple‐Services‐Indicator: Indicates whether the credit‐control client can handle multiple services independently within a (sub‐)session.
Service‐Parameter‐Info: Contains service‐specific information used for price calculation or rating. The contents of this AVP are defined by the service‐specific documentation.
CC‐Correlation‐Id: Contains information to correlate requests generated for different components of the service, for instance transport and application levels.
User‐Equipment‐Info: Indicates the identity and capabilities of the end user's terminal.

6.3.2 Credit‐Control‐Answer Command

The credit‐control server sends a Credit‐Control‐Answer message (Figure 6.6) to the credit‐control client to acknowledge a Credit‐Control‐Request command.

  <Credit-Control-Answer> ::= < Diameter Header: 272, PXY >                             < Session-Id >                             { Result-Code }                             { Origin-Host }                             { Origin-Realm }                             { Auth-Application-Id }                             { CC-Request-Type }                             { CC-Request-Number }                             [ User-Name ]                             [ CC-Session-Failover ]                             [ CC-Sub-Session-Id ]                             [ Acct-Multi-Session-Id ]                             [ Origin-State-Id ]                             [ Event-Timestamp ]                             [ Granted-Service-Unit ]                           * [ Multiple-Services-Credit-Control ]                             [ Cost-Information]                             [ Final-Unit-Indication ]                             [ Check-Balance-Result ]                             [ Credit-Control-Failure-Handling ]                             [ Direct-Debiting-Failure-Handling ]                             [ Validity-Time]                           * [ Redirect-Host]                             [ Redirect-Host-Usage ]                             [ Redirect-Max-Cache-Time ]                           * [ Proxy-Info ]                           * [ Route-Record ]                           * [ Failed-AVP ]                           * [ AVP ]

Figure 6.6 Credit‐Control‐Answer Command Code Format.

The following AVPs are specific to the Credit‐Control‐Answer message:

CC‐Session‐Failover: Indicates whether the client can move the credit‐control message stream of an ongoing session to a backup server during a communication failure.
Granted‐Service‐Unit: Contains the number of service units that the credit‐control client can provide to the end user until the client must send another Credit‐Control‐Request.
Cost‐Information: Contains cost information of a service, such as an estimate in the case of price enquiry or accumulated cost estimation in the case of a session, that the credit‐control client can then provide to the end user.
Final‐Unit‐Indication: Indicates that the Granted‐Service‐Unit AVP contains the final units for the service. When these units have been exhausted, the credit‐control client performs the action indicated in the Final‐Unit‐Action AVP given in this AVP:
- 0 TERMINATE: The credit‐control client must terminate the service session.
- 1 REDIRECT: The user must be redirected, using protocols other than Diameter, to the address specified in the Redirect‐Server‐Address AVP. This can be a web page that allows the user to refresh his account balance, for instance.
- 2 RESTRICT_ACCESS: The access device must restrict the user access according to the IP packet filters defined in the Restriction‐Filter‐Rule AVP or or the Filter‐Id AVP. Packets that do not match the filters are to be dropped.
Check‐Balance‐Result: Contains the result of the balance check.
Credit‐Control‐Failure‐Handling: The credit‐control client uses information in this AVP to decide what to do if sending messages to the credit‐control server has been interrupted due to network issues:
- 0 TERMINATE: The credit‐control client can only grant the service as long as it has a connection to the credit‐control server. If the client does not receive a Credit‐Control‐Answer message within the Tx timer, then it terminates the end user's service session. This is the default behavior if the AVP is not included.
- 1 CONTINUE: The credit‐control client should resend the request to a backup server if one exists. The client should continue to grant the service even if its credit‐control messages are not delivered.
- 2 RETRY_AND_TERMINATE: The credit‐control client should resend the request to a backup server if one is available. The client should terminate the service if its credit‐control messages cannot be delivered.
Direct‐Debiting‐Failure‐Handling: The credit‐control client uses information in this AVP to decide what to do if sending direct‐debiting messages to the credit‐control server has been interrupted due to network issues:
- 0 TERMINATE_OR_BUFFER: The credit‐control client grants the service as long as there is a connection to the credit‐control server. If the client does not receive a Credit‐Control‐Answer message within the Tx timer, then the client terminates the service if it can determine from the failed answer that units have not been debited. Otherwise the client grants the service and tries to re‐send the request. This is the default behavior if the AVP is not included.
- 1 CONTINUE: The client should continue to grant the service even if its credit‐control messages are not delivered.
Validity‐Time: Contains the validity time of the granted service units. The credit‐control client starts to measure the the validity time when it receives the Credit‐Control‐Answer. If the granted service units have not been consumed within the specified validity time, the credit‐control client sends a Credit‐Control‐Request with CC‐Request‐Type set to UPDATE_REQUEST.

6.3.3 Failure Handling

To ensure that the end user's account is not debited or credited multiple times for the same service event, only one place in the credit‐control system should perform duplicate detection.

As covered in Section 6.3.2, the credit‐control server provides guidance to the credit‐control client on how to handle communication interruptions with two optional AVPs:

Credit‐Control‐Failure‐Handling
Direct‐Debiting‐Failure‐Handling

If the Credit‐Control‐Answer does not contain the above AVPs, then the credit‐control client grants service as long as it has a connection to the credit‐control server, otherwise it terminates the end user's service session.

6.3.4 Extensibility

Because the credit‐control application is a generic framework, it has been made extensible, and use of service‐specific documents to define inputs to the rating process is expected. It is assumed that any service‐specific AVPs are known to both the credit‐control client and the credit‐control server before Diameter credit‐control messages are exchanged between them, and the document that defines those AVPs is captured in the Service‐Context‐Id AVP of the Credit‐Control‐Request. To help with interoperability, it is preferable that new credit‐control AVPs are defined within a standards organization. For example, 3GPP has several service‐specific documents, and the Service‐Context‐Id AVP contains a reference to the technical specification that defines the AVPs.

At the time of writing of this book, RFC 4006 is being updated by the IETF. Changes include updating references, fixing errata, improving the security section, clarifying details of some of the AVPs (Used‐Service‐Unit, Redirect‐Address‐Type, Filter‐Rule), and adding a few new ones to extend current AVPs, such as User‐Equipment‐Info‐Extension, Subscription‐Id‐Extension, Redirect‐Server‐Extension, and QoS‐Final‐Unit‐Indication, which supports quality of service.

6.3.5 Example: 3GPP Ro Interface for Online Charging

3GPP uses a credit‐control application on the Ro interface for online charging for SIP services, the details of which are captured in TS 32.240 7 and TS 32.299 5. The Ro interface supports real‐time transactions, and both stateless (event‐based charging) and stateful (session‐based charging) modes of operation. The Ro interface exists between a charging trigger function (CTF or credit‐control client) and an online charging system (OCS or credit‐control server). The CTF is a 3G network element and can be a media resource function controller or a SIP application server. The CTF sends charging events via Credit‐Control‐Requests for online charging to the OCS.

Two new AVPs are added to the Credit‐Control‐Request command:

AoC‐Request‐Type: Denotes if the user equipment (UE) has requested advice of charge (AoC) and what type of information, such as cost or tariff information, is needed.
Service‐Information: Holds service‐specific parameters as defined by the service's charging technical specification.

The following AVPs defined for the Credit‐Control‐Request command are not used in 3GPP networks:

CC‐Sub‐Session‐Id
Acct‐Multi‐Session‐Id
Service‐Identifier
Requested‐Service‐Unit
Used‐Service‐Unit
Service‐Parameter‐Info

The OCS sends a Credit‐Control‐Answer to acknowledge these charging events to the CTF to grant or reject the network resource usage requested in the charging event, according to the decision taken by the online charging system.

The following AVPs defined for the Credit‐Control‐Answer command are not used in 3GPP networks:

User‐Name
CC‐Sub‐Session‐Id
Acct‐Multi‐Session‐Id
Origin‐State‐Id
Event‐Timestamp
Granted‐Service‐Unit
Final‐Unit‐Indication
Check‐Balance‐Result
Validity‐Time

Although the protocol may be stateless for event‐based charging, the CTF and OCS may keep internal state across the different charging events.

6.4 Quality of Service

Quality of Service (QoS) refers to the performance of a network from the user's perspective. To provide a certain level of QoS, the network operator takes performance measurements and acts upon them. Operators may provide different levels of QoS to different users if users have paid for a greater or lesser level of service.

RFC 5866 defines the framework and messages used for the Diameter QoS application. The commands specific to the QoS application are given in Table 6.3.

Table 6.3 Quality of service application.

References	RFC 5866 8, RFC 5777 9, RFC 5624 10
Application‐Id value	9
Commands	QoS‐Authorization‐Request/Answer (QAR/QAA)	326
	QoS‐Install‐Request/Answer (QIR/QIA)	327

The QoS application also uses the Re‐Auth‐Request/Answer (RAR/RAA), Abort‐Session‐Request/Answer (ASR/ASA), and Session‐Term‐Request/Answer (STR/STA) commands from the base protocol.

6.4.1 Actors

The actors in the Diameter QoS application include both Diameter and non‐Diameter entities. Although RFC 5866 assigns stylized acronyms to all of the actors, it does not rigidly define the behavior of the non‐Diameter actors:

application endpoint (AppE) This is the end user's signaling application. The AppE exchanges messages, for instance SIP messages, with an application server and/or with other AppEs. It may or may not have the ability to request QoS enhancement for its signaling messages.
application server This non‐Diameter node supports the signaling protocol. Depending on the signaling protocol used, the application server may be a source of authorization for QoS‐enhanced application flows.
network element (NE) This is the Diameter client in the QoS application and is a QoS‐aware router. It can effect QoS changes when it is given information from the Diameter server (AE) that handles the Diameter QoS application.
authorizing entity (AE) This is the Diameter server in the QoS application and authorizes QoS requests. It may be a standalone entity or may be integrated with an application server.
resource‐requesting entity (RRE) This non‐Diameter, logical node supports the signaling protocol interaction for QoS resources. The RRE resides in the AppE and communicates with its peer logical entity in the AE or NE to trigger the QoS authorization process. The communication between the RRE and the NE or AE is not defined by the QoS application.

The Diameter QoS application is executed between the NE and AE.

6.4.2 Modes of Operation

The Diameter QoS mechanisms can be divided into two modes: Push or Pull. Which mode is used depends on the AppE's ability to initiate QoS resource requests. If the AppE cannot initiate QoS requests, Push mode is used. If the AppE can initiate QoS requests, Pull mode is used.

After receiving the authorization request from the application server or the NE, the AE decides the appropriate mode (Push or Pull) based on information received from the request and/or based on configuration.

6.4.2.1 Push Mode

In the Push mode, since the AppE cannot request the QoS resource authorization on its own, the authorization process is triggered either by the application server's request or by policies defined by the operator. For example, an operator policy may be to modify QoS depending on time of day in order to improve throughput.

The AE authenticates and authorizes the QoS request based on information from the application server. The AE then determines to which NE(s) to push the QoS authorization information, with the selection also being based on information received from the application server, such as the IP addresses of media flows. The AE then sends a QoS‐Install‐Request message to the NE to apply the QoS authorization state. The NE acknowledges the QoS instruction with a QoS‐Install‐Answer message.

6.4.2.2 Pull Mode

Pull mode provides QoS for AppEs and NEs that have the ability to request QoS authorization. The authorization process is initiated when NE receives the network signaling from the AppE or a local event occurs in the NE according to pre‐configured policies. The NE requests QoS authorization from the AE with a QoS‐Authorization‐Request command. The AE returns the result of the authorization decision in a QoS‐Authorization‐Answer command.

6.4.3 Authorization

6.4.3.1 Push Mode Authorization Schemes

Push mode can be divided into two types: endpoint‐initiated and network‐initiated.

In the endpoint‐initiated mode (Figure 6.7), the RRE sends a QoS request to the application server via application signaling. The application server extracts application‐level QoS information and triggers the authorization process to the AE.

c06f007 — Figure 6.7 Authorization scheme for Push mode.

In the network‐initiated mode, the application server triggers the authorization process without a QoS request from the endpoint.

If the endpoint does not indicate QoS attributes, the AE and/or application server determines the QoS requirements from a combination of application‐level QoS information, network policies, end‐user subscription, and network resource availability.

The AE makes an authorization decision and sends the decision to the NE directly.

6.4.3.2 Pull Mode Authorization

Authorization schemes for Pull mode can involve either two or three parties. From the Diameter QoS application's point of view, these authorization schemes differ only in the type of information carried.

In the two‐party scheme, the NE authenticates the QoS RRE. The NE either makes authorization decisions locally or delegates the decision to a trusted entity. No Diameter QoS protocol interaction is required for this authorization scheme.

In the basic three‐party scheme (Figure 6.8), the NE forwards a received QoS reservation request to the AE, which makes the authorization decision.

The figure also shows an accounting step to track resources used by the application endpoint.

c06f008 — Figure 6.8 Three‐party authorization scheme for Pull mode.

The token‐based three‐party scheme (Figure 6.9) uses authorization tokens to assist the authorization process at the NE or the AE. Tokens can assist in preventing fraud and ensuring accurate billing. RFC 3521 11, Framework for Session Set‐up with Media Authorization, covers using tokens in establishing media streams with QoS.

c06f009 — Figure 6.9 Token‐based three‐party scheme for Pull mode.

The RRE requests an authorization token from the AE via the application layer. If the authorization decision is successful, the AE generates an authorization token and sends it to the RRE for inclusion in the QoS signaling protocol. For an RRE/AE interaction example, refer to RFC 3313 12, which specifies Session Initiation Protocol (SIP) extensions for media authorization.

The authorization token associates the application‐layer authorization decision with the corresponding QoS signaling session. At a minimum the authorization token contains the following authorization parameters:

an identifier for the issuing AE,
an identifier for the application protocol session for which the token was issued,
a keyed message digest or digital signature protecting the token's content.

An example structure for the authorization token can be found in RFC 3520 13, Session Authorization Policy Element.

The RRE sends the QoS signaling message containing the authorization token to the NE. The NE uses the authorization token to authorize the QoS request. Alternatively, the NE can forward the authorization token to the AE in the user's home network using the Diameter QoS application.

In scenarios where the RRE interacts with the AE at the application layer, binding mechanisms that do not use tokens can also work. For instance, the application‐layer protocol interaction may inform the RRE of the transport port numbers where it will receive media streams. The RRE then informs the NE about the port numbers in an IP filter indication so that the NE can tunnel the inbound packets. The NE forwards the RRE's IP address and the IP filter indications to the AE in the QoS authorization request. The AE matches the filter information with the port numbers given in the earlier application‐layer protocol interaction and identifies the policy information to send to the NE in its QoS authorization response.

6.4.4 Establishing and Managing a QoS Application Session

6.4.4.1 Establishing a Session

Pull and Push modes use different Diameter messages for session establishment. Pull mode uses QoS‐Authorization‐Request/Answer, and Push mode uses QoS‐Install‐Request/Answer. However, they use the same set of base commands for other operations, such as session modification (RAR/RAA) and termination (STR/STA).

The QoS authorization session is typically established on a per‐subscriber basis (i.e., all requests with the same User‐ID), but it can also be established on a per‐node or per‐request basis. The concurrent sessions between an NE and an AE are identified by different Session‐Ids.

Session Establishment for Pull Mode

A Diameter QoS authorization session starts when the NE receives a request for a QoS reservation or local events trigger it. The NE converts the following information from the QoS signaling message to Diameter AVPs and generates a QAR message (Figure 6.10):

The AE's identity goes into the Destination‐Host and Destination‐Realm AVPs.
The RRE's identity is used to create the User‐Name AVP.
The QoS‐Authorization‐Data AVP contains the RRE's authorization token credentials.
Requested QoS parameters are carried in the QoS‐Resources AVP, which is defined in RFC 5777 9.

The NE also includes the following information in the QAR message:

information about the application session,
the signaling session identifier and/or QoS‐enabled data flows identifier.

 <QoS-Authorization-Request> ::= < Diameter Header: 326, REQ, PXY >                                < Session-Id >                                { Auth-Application-Id }                                { Origin-Host }                                { Origin-Realm }                                { Destination-Realm }                                { Auth-Request-Type }                                [ Destination-Host ]                                [ User-Name ]                             *  [ QoS-Resources ]                                [ QoS-Authorization-Data ]                                [ Bound-Auth-Session-Id ]                             *  [ AVP ]

Figure 6.10 QoS‐Authorization‐Request Command Code Format.

The NE sends the QAR to an AE. When the AE receives the QAR, it starts authorization processing. Based on the information in the QoS‐Authorization‐Data, User‐Name, and QoS‐Resources AVPs, the AE determines the QoS resources and flow state (enabled/disabled) from locally available information (e.g., application‐layer policy or the user's subscription profile). The AE sends its decision to the NE in its QoS‐Authorization‐Answer (QAA) message (Figure 6.11).

  <QoS-Authorization-Answer> ::= < Diameter Header: 326, PXY >                                < Session-Id >                                { Auth-Application-Id }                                { Auth-Request-Type }                                { Result-Code }                                { Origin-Host }                                { Origin-Realm }                             *  [ QoS-Resources ]                                [ Acct-Multisession-Id ]                                [ Session-Timeout ]                                [ Authorization-Session-Lifetime ]                                [ Authorization-Grace-Period ]                             *  [ AVP ]

Figure 6.11 QoS‐Authorization‐Answer Command Code Format.

The AE saves authorization session state and session state information (e.g., Signaling‐Session‐Id, authentication data) for management of the session.

The Result‐Code AVP of the QAA message contains the result of the authorization request. If the authorization was successful (DIAMETER_LIMITED_SUCCESS), the QoS‐Resources AVP will contain information about the authorized QoS resources and the status of the authorized flow (enabled/disabled). The QoS information provided via the QAA is applied by the QoS Traffic Control function of the NE.

The value DIAMETER_LIMITED_SUCCESS indicates that the AE expects confirmation via another QAR message for successful QoS resource reservation and for final reserved QoS resources.

The QAA also contains the Authorization‐Session‐Lifetime AVP, which states the length of time for which the authorization decision is valid and is determined by the user's subscription profile and/or credit availability. To extend the authorization period, the NE will need to send a new QoS‐Authorization‐Request.

The NE sends another QAR to indicate successful QoS reservation and activation of the data flow. This QAR contains the established QoS resources, which may be different than those authorized with the initial QAA due to QoS‐signaling‐specific behavior or the result of QoS negotiation along the data path. The AE acknowledges the reserved QoS resources by setting the Result‐Code AVP to DIAMETER_SUCCESS in its QAA.

Session Establishment for Push Mode

The AE starts authorization processing when it receives a request from an RRE through an application server or when it is triggered by a local event. Based on information in the request, the AE determines the authorized QoS resources and flow state (enabled/disabled) from locally available information (e.g., policy information that may be previously established as part of an application‐layer signaling exchange, or the user's subscription profile). The AE determines how to contact the NE via base protocol peer discovery mechanisms and determines the data flow for which the QoS reservation should be established. Then the AE sends its authorization decision in the QoS‐Install‐Request (QIR) to the NE (Figure 6.12).

    <QoS-Install-Request> ::= < Diameter Header: 327, REQ, PXY >                             < Session-Id >                             { Auth-Application-Id }                             { Origin-Host }                             { Origin-Realm }                             { Destination-Realm }                             { Auth-Request-Type }                             [ Destination-Host ]                          *  [ QoS-Resources ]                             [ Session-Timeout ]                             [ Authorization-Session-Lifetime ]                             [ Authorization-Grace-Period ]                             [ Authorization-Session-Volume ]                          *  [ AVP ]

Figure 6.12 QoS‐Install‐Request Command Code Format.

The following information is contained in the QIR:

The NE's identity goes into the Destination‐Realm and Destination‐Host AVPs.
The RRE's identity is used to populate the User‐Name AVP.
The QoS‐Authorization‐Data AVP contains the RRE's authorization token credentials.
Requested QoS parameters are used to create the QoS‐Resources AVP, which is defined in RFC 5777 9.
Information about the application session.
The signaling session identifier and/or QoS‐enabled data flows identifier.

The AE keeps authorization session state and information for management of the session (e.g., Signaling‐Session‐Id, authentication data).

The AE provides the authorization decision in the QoS‐Resources AVP of the QIR. The QoS information provided in the QIR is applied by the QoS Traffic Control function of the NE.

The Authorization‐Session‐Lifetime AVP allows the NE to determine the validity period of the QoS reservation. The user's subscriber profile and account standing may influence the session's duration. To extend the authorization period, the AE should send a new QoS‐Install‐Request.

The NE sends QoS‐Install‐Answer (Figure 6.13) to indicate QoS reservation and activation of the signaling data flow. To indicate success, the NE sets the Result‐Code AVP to DIAMETER_SUCCESS. The QIA contains the established QoS resources, which may be different than those authorized with the initial QIR due to QoS‐signaling‐specific behavior or the result of QoS negotiation along the data path.

      <QoS-Install-Answer> ::= < Diameter Header: 327, PXY >                              < Session-Id >                              { Auth-Application-Id }                              { Origin-Host }                              { Origin-Realm }                              { Result-Code }                           *  [ QoS-Resources ]                           *  [ AVP ]

Figure 6.13 QoS‐Install‐Answer Command Code Format

6.4.5 Re‐Authorizing a Session

Re‐authorization policies depend on the QoS signaling protocol.

6.4.5.1 Re‐Authorization Initiated by the NE

In the Authorization‐Session‐Lifetime AVP of the QAA, the AE specifies the duration of the authorization session. The NE may send a new QAR when the NE receives a QoS signaling message that requires modification of the authorized parameters of an ongoing QoS session or the authorization lifetime expiration.

6.4.5.2 Re‐Authorization Initiated by the Authorizing Elements

The AE may use a base protocol Re‐Authorization‐Request (RAR) to perform re‐authorization with the authorized parameters directly when the re‐authorization is triggered by a service request, local events, or policy rules. The RAR may include the parameters of the re‐authorized QoS state such as reserved resources, the duration of the reservation, and identification of the QoS‐enabled flow or signaling session.

When the NE receives a RAR message, it checks to see that the Session‐Id matches an active QoS session. The NE then sends a Re‐Auth‐Answer (RAA) message to the AE.

If the RAR does not include any parameters of the re‐authorized QoS state, the NE sends a QoS‐Authorization‐Request (QAR) message to the AE.

6.4.6 Terminating a Session

6.4.6.1 Session Terminated by the NE

A session can be terminated due to the expiration of the QoS reservation soft state or due to a request via a QoS signaling message to delete the QoS reservation state.

To end the authorization session for an installed QoS reservation state, the NE sends a Session‐Termination‐Request (STR) message to the AE. The AE replies with a Session‐Termination‐Acknowledgement (STA) message.

6.4.6.2 Session Terminated by the AE

An AE may terminate a session due to insufficient credits or session termination at the application layer.

To end a session, the AE sends an Abort‐Session‐Request (ASR) message to the NE. The NE notifies the application endpoint and deletes the QoS reservation state. The NE then sends an Abort‐Session‐Answer (ASA) message to the AE, which deletes the authorization session state it had been maintaining.

6.5 Interworking RADIUS and Diameter

Diameter was designed to allow transitioning from RADIUS to Diameter in existing deployments, where it may not be realistic to replace all the network components at once. To address this need, Diameter defined a type of gateway, called a translation agent, to convert from RADIUS to Diameter. The RFC 4005 (Diameter Network Access Server Application) specification 14 documented basic guidelines for RADIUS/Diameter protocol interactions. In addition, many Diameter protocol values (e.g., AVP codes) have been aligned with RADIUS protocol values to simplify the conversion work. Furthermore, the IETF required each RADIUS RFC to include a Diameter Considerations section to describe how translation between the two protocols could be achieved. It was rather quickly noticed that translation between RADIUS and Diameter only works for very simple AAA interactions or for interactions that are specified in fine detail for each use case/application (i.e., the behavior of the translation agent). The RFC (RFC 7155 2) that obsoleted RFC4005 removed all material regarding RADIUS/Diameter protocol interactions, and the IETF no longer requires Diameter Considerations sections in RADIUS specifications. Nowadays, the gap between RADIUS and Diameter has diminished such that only the concepts of the application and capabilities exchange are missing from RADIUS when compared to Diameter. It has been accepted that these two protocols evolve separately.

Table 6.4 Extensible Authentication Protocol (EAP) application.

Reference	RFC 4072 15
Application‐Id value	5
Commands	Diameter‐EAP‐Request/Answer (DER/DEA)	268

There is, however, no magic here. Converting between the protocols, accommodating different state machines, and a few fundamental differences between the protocol designs make the implementation of a conversion gateway both difficult and limited to specific Diameter applications in general.

freeDiameter comes with a specific example of such gateway (i.e., translation agent functionality) to convert between a RADIUS client application and a Diameter backend server. The gateway functionality is limited to the Diameter EAP application (Table 6.4) and the Diameter Base Accounting application, but it can serve as a basis to extend the implementation when useful.

In order to set up the test environment for deploying the gateway by yourself, you will need to create three clones of the freeDiameter VM; please refer to Appendix A for information on this VM if you have not already. The three clones to be created are the following:

eap.srv The backend server that runs the Diameter EAP application backend as well as the Diameter Accounting server.
eap.gw The conversion gateway between RADIUS and Diameter.
eap.cli The RADIUS client application.

After you have created the VMs listed above, here are the configuration steps to run on each VM:

eap.srv The backend is preconfigured for you; just execute the following commands in a Terminal window to get it started: $ nw_configure.sh server.eap.example.net to set up the network configuration, $ fD_configure.sh 7_srv to compile and configure the relevant freeDiameter extensions, and finally $ freeDiameterd to start the server.
eap.gw The gateway follows the same steps: $ nw_configure.sh gw.eap.example.net, $ fD_configure.sh 7_gw, and $ freeDiameterd. If the server is already running, you should see both instances connecting to each others at this point.
eap.cli This machine contains the RADIUS client application. We are using hostapd, a software access point implementation, as the EAP authenticator and RADIUS client, and wpasupplicant as the EAP supplicant. They communicate over a virtual WiFi interface emulated by the Linux kernel. The steps to configure this machine are slightly different: $ nw_configure.sh client.eap.example.net, $ fD_configure.sh 7_cli, then we are not starting freeDiameterd since this machine is a RADIUS client. Instead, two commands are available to help triggering an authentication. Open two Terminal windows, in the first one run $ run‐hostapd.sh. In the other Terminal window, run $ run‐wpasupplicant.sh.

When the backend server starts, it loads two important extensions. app_acct.fdx is a Diameter Accounting server implementation that establishes a connection to a local PostgreSQL database in which it stores the accounting records it receives. app_diameap.fdx is a Diameter EAP backend application that authenticates clients based on a configuration stored in a local MySQL database. The environment is pre‐configured so that a user “client1” is authenticated using EAP‐TLS.

When the gateway starts, its Diameter side connects to the backend server as a client. At the same time the gateway opens RADIUS server ports for authentication and accounting, and waits for incoming connections. No additional activity happens until messages are received, except for the regular watchdog exchange with the server.

On the client, when hostapd starts (which is the typical implementation used in many WiFi access points) its configuration tells it to connect to the RADIUS backend located on the gateway. An initial RADIUS accounting message is sent to the gateway that replies (without converting to Diameter in that case, as this is an example of behavior that does not translate to Diameter) and hostapd is ready to handle incoming clients.

Finally, when wpasupplicant is started, it emulates a client connecting to the access point. This client is configured to use the “client1” identity with a specific private key and certificate that matches the configuration of the backend server.

As a first step, an EAP exchange takes place between the client and the backend server. The exchange is carried over emulated WPA between wpasupplicant and hostapd, then over RADIUS between hostapd and the gateway, and finally over Diameter between the gateway and the backend server. Responses follow the same reverse path. The exchange goes on until the backend server is able to authenticate the client successfully and derive key material to secure the WPA link. This key material is sent to hostapd through an EAP‐Master‐Session‐Key AVP that gets converted to its RADIUS equivalent by the gateway. On the other side, the client has derived the same key material during the EAP exchange. The WPA link is now secured with key derived from this material.

Once the authentication and authorization are successful, hostapd sends accounting records for the session in progress. The gateway receives these and converts them to Diameter as well, using the Diameter Accounting application this time. The resulting messages are handled by the appropriate server extension on the backend. In a real‐life deployment case, the accounting server would probably be a different physical entity from the authentication server, but this is not important for the purpose of this example. As long as the client remains connected to the hostapd instance, the accounting session continues. Depending on the configuration, interim records may be exchanged (this can be forced in hostapd.conf file using the “radius_acct_interim_interval=60” parameter, for example). Finally, when the client disconnects, which can be emulated by stopping the wpasupplicant instance, hostapd sends a final accounting record for the session and cleans its state machine.

Here is an edited log from the backend server showing the process.

Using such a gateway component it becomes possible to migrate a deployment as follows. We assume an existing infrastructure with many access points and one RADIUS server. First of all, create a new Diameter backend server and configure it to be able to authenticate the users from your realm. Create a second Diameter backend server if you are using accounting and configure it as well. Then set a RADIUS‐Diameter gateway similar to the example above. Reconfigure your legacy access points to connect to the gateway, while your new access points may support Diameter directly and can be configured to connect to the backend directly. Finally, you may retire your RADIUS server and benefit from the flexibility and dynamic security of Diameter.

6.6 S6a Interface

The setup, maintenance, and release of the connection between the mobile phone, known as the UE in 3GPP parlance, and the mobile network is called mobility management. The Diameter application that handles mobility management is called the S6a interface and is part of the Evolved Packet Core (EPC), the all‐packet network specified by 3GPP and introduced in Release 8.

6.6.1 Evolved Packet Core

The four main network elements of the EPC are the Mobility Management Entity, the Home Subscriber Server, the Serving Gateway, and the Packet Data Network Gateway. Figure 6.14 illustrates the EPC network architecture and its main Diameter‐based signaling interfaces.

Schematic diagram depicting Evolved Packet Core with eNodeB, UE, and External network, and dashed line depicting Control plane and user plane. — Figure 6.14 Evolved Packet Core. Connections to charging and policy functions are not shown.

The Mobility Management Entity (MME) is the network element that provides UE authentication, network security, UE roaming capability, and selection of the UE's Serving Gateway and Packet Data Network Gateway. Generically, it is also referred to as a serving node in 3GPP specifications. The MME is a Diameter client node in the S6a application.

The MME accesses the Home Subscriber Server (HSS) for identity, authentication, and policy information about the UE's subscriber. The HSS is a Diameter server node in the S6a application.

The Serving Gateway (Serving GW) is the anchor point when the UE moves from one cell to another and when the UE moves from one 3GPP technology to another (2G to LTE, for example). The SGW routes user data packets and keeps track of UE session data.

The Packet Data Network Gateway (PDN GW) provides the UE with an entrance to and exit from the external packet data networks like the Internet. The PDN GW provides the UE an IP address and enforces operator policy, filters packets, and provides charging support, lawful interception, and packet screening.

6.6.2 S6a Overview

The S6a interface is the Diameter interface between the MME and the HSS. The S6a interface enables the transfer of subscriber‐related (subscription and authentication) data between the HSS and the MME over SCTP. It is also used to communicate location changes (roaming) of the UE. Multiple Diameter commands are defined for this interface and are listed in Table 6.5. This application does not use the base Diameter accounting commands. This book only provides an overview of the S6a interface. For more information on the S6a Diameter commands and AVPs, see TS 29.272 16. Details of HSS and MME behavior can be found in TS 23.401 17.

Table 6.5 S6a interface application.

Reference	TS 29.272 16, TS 23.401 17
Application‐Id value	16777251
Commands	Update‐Location‐Request/Answer (ULR/ULA)	316
	Cancel‐Location‐Request/Answer (CLR/CLA)	317
	Authentication‐Information‐Request/Answer (AIR/AIA)	318
	Insert‐Subscriber‐Data‐Request/Answer (IDR/IDA)	319
	Delete‐Subscriber‐Data‐Request/Answer (DSR/DSA)	320
	Purge‐UE‐Request/Answer (PUR/PUA)	321
	Reset‐Request/Answer (RSR/RSA)	322
	Notify‐Request/Answer (NOR/NOA)	323

Note there is a very similar interface, known as S6d, between the HSS and the Serving GPRS Support Node (SGSN), which is responsible for the delivery of data packets to and from the mobile stations using older radio access technologies. The S6d interface uses the same Diameter commands as the S6a interface, but includes different AVPs.

The HSS and MME advertise support of the Diameter S6a application in CER/CEA commands by including the value of the S6a Application‐Id (16777251) in the Auth‐Application‐Id AVP within the Vendor‐Specific‐Application‐Id grouped AVP.

The 3GPP's vendor identifier (10415) is used in the Supported‐Vendor‐Id AVP and Vendor‐Id AVPs within the Vendor‐Specific‐Application‐Id grouped AVP. The manufacturer of a S6a Diameter node includes its ID in the top‐level Vendor‐Id AVP in the CER/CEA only, and not in the Vendor‐Specific‐Application‐Id AVP.

6.6.2.1 Common AVPs for S6a Commands

The following AVPs are common to most S6a commands. Diving into the details of all S6a AVPs is beyond the scope of this book. For more information regarding S6a AVPs, consult TS 29.272 16.

Auth‐Session‐State: Set to NO_STATE_MAINTAINED to indicate that the S6a Diameter sessions are implicitly terminated, which means the server does not maintain state information, and the client does not send re‐authorization or session termination requests to the server. Neither the MME nor the HSS include the Authorization‐Lifetime AVP nor the Session‐Timeout AVP in their requests or responses.
Experimental‐Result: While the Result‐Code AVP is used to convey Diameter base protocol success or error messages, this AVP is used for S6a‐specific errors. This grouped AVP contains the 3GPP Vendor ID in the Vendor‐Id AVP, and the error code in the Experimental‐Result‐Code AVP. The error code conveyed can indicate transient failure at the HSS, unknown user, lack of subscription, and issues with the user equipment.
Error‐Diagnostic: Provides more information about the error given in the Experimental‐Result AVP. Diagnostics include details on the GPRS data and operator determined barring.
Supported‐Features: Indicates the MME's and HSS's support for various network features. This mechanism ensures interoperability across various 3GPP releases. The MME and HSS can exchange feature support information in any of the S6a commands, although the exchange typically takes place with Update‐Location‐Request/Answer and Insert‐Subscriber‐Data‐Request/Answer messages. As of Release 14, there are more than 50 features that can be supported. For some features, like operator‐determined barring or regional subscriptions, if the MME does not indicate support, then the HSS may bar the UE from roaming. For other features, if the MME does not support them, the HSS merely stores this information and doesn't send any more information regarding the feature to the MME:
- Tracing
- LoCation Services
- Mobile‐Originated Point‐to‐Point SMS
- Supplementary Service Barring
- UE Reachability and Attachment
- Local Time Zone Retrieval
- SMS in MME
- Proximity‐based Services
- P‐CSCF Restoration
- Reset‐ID.
Subscription‐Data: Contains the subscription profile of the user and is used with the Update‐Location‐Answer and Insert‐Subscriber‐Data‐Request commands.
Destination‐Host: Although the CCF for some of the Diameter S6a requests indicate that the Destination‐Host AVP is optional, this is for compatibility with older 3GPP releases. As of Release 12, the Destination‐Host AVP is mandatory for all S6a commands.

6.6.3 Authentication

6.6.3.1 Authentication‐Information‐Request Command

When an UE attaches to the network, it needs to be authenticated. If the UE has attached previously, the MME will request authentication parameters from the MME that handled the previous attachment to the network.⁴ If the UE is new to the network, or if the security parameters for the UE's Attach Request are invalid, the MME uses S6a authentication commands to receive vectors from the HSS that the MME will use to perform authentication and key agreement. The MME requests authentication information for the subscriber from the HSS with the Authentication‐Information‐Request (AIR) (Figure 6.15).

     < AIR > ::= < Diameter Header: 318, REQ, PXY, 16777251 >                < Session-Id >                [ DRMP ]                [ Vendor-Specific-Application-Id ]                { Auth-Session-State }                { Origin-Host }                { Origin-Realm }                [ Destination-Host ]                { Destination-Realm }                { User-Name }                [ OC-Supported-Features ]              * [ Supported-Features ]                [ Requested-EUTRAN-Authentication-Info ]                { Visited-PLMN-Id }                [ AIR-Flags ]              * [ AVP ]              * [ Proxy-Info ]              * [ Route-Record ]

Figure 6.15 Authentication‐Information‐Request Command Code Format.

Authentication‐Information‐Request AVPs

Requested‐EUTRAN‐Authentication‐Info: A grouped AVP that contains information related to authentication requests for the radio access network used in LTE networks (E‐UTRAN). The AVPs carry the number of requested authentication vectors that the MME can receive and whether the MME needs the vectors immediately (Immediate‐Response‐Preferred AVP). If the authentication synchronization fails on the UE, the MME includes re‐synchronization information in the included Re‐Synchronization‐Info AVP.
Visited‐PLMN‐ID: Identifies the visited public land mobile network (PLMN).
AIR‐Flags: A bit mask indicating that the MME requests the HSS to send the UE's usage type, which will enable the selection of a specific dedicated core network (DCN).

6.6.3.2 Authentication‐Information‐Answer Command

When the HSS receives the MME's Authentication‐Information‐Request, it checks the Origin‐Realm AVP to ensure that the MME is allowed to use the information in the serving network given in the Visited‐PLMN‐Id AVP.

If the Re‐Synchronization‐Info AVP is present, the HSS must successfully verify the AUTS parameter before the HSS requests that the Authentication Centre (AuC) generate the corresponding requested authentication vectors. Fewer vectors than requested may be generated due to load and/or the presence of the Immediate‐Response‐Preferred AVP. If the HSS cannot calculate authentication vectors due to problems with provided UE information, the HSS returns the error DIAMETER_AUTHORIZATION_REJECTED. If the HSS experiences internal database errors, it responds to the MME with a DIAMETER_AUTHENTICATION_DATA_UNAVAILABLE error message. If the MME receives an error, it may re‐attempt the Authentication‐Information‐Request.

The HSS sends the requested authentication vectors in its Authentication‐Information‐Answer (AIA) (Figure 6.16).

        < AIA > ::= < Diameter Header: 318, PXY, 16777251 >                   < Session-Id >                   [ DRMP ]                   [ Vendor-Specific-Application-Id ]                   [ Result-Code ]                   [ Experimental-Result ]                   [ Error-Diagnostic ]                   { Auth-Session-State }                   { Origin-Host }                   { Origin-Realm }                   [ OC-Supported-Features ]                   [ OC-OLR ]                 * [ Load ]                 * [ Supported-Features ]                   [ Authentication-Info ]                   [ UE-Usage-Type ]                 * [ AVP ]                 * [ Failed-AVP ]                 * [ Proxy-Info ]                 * [ Route-Record ]

Figure 6.16 Authentication‐Information‐Answer Command Code Format.

Authentication‐Information‐Answer AVPs

Authentication‐Info: A Grouped AVP that only contains the E‐UTRAN‐Vector AVP when transmitted on the S6a interface. The E‐UTRAN‐Vector AVP is type Grouped and contains:
- Item‐Number: Used to order vectors received within one request. The MME should use the vector with the lowest Item‐Number first.
- RAND: Contains a RANDom number, a challenge.
- XRES: Contains the eXpected RESponse.
- AUTN: Contains the AUThentication tokeN.
- KASME: Contains the K_ASME, a key derived from a cipher key, integrity key, and serving network's identity.
UE‐Usage‐Type: Used to specify the usage characteristics of the UE. As of Release 14, there are no standardized values, only operator‐specific ones.

The MME sends the challenge, authentication token, and a key set identifier KSI_ASME,⁵ which identifies the K_ASME, to the UE. The UE computes the expected message authentication code and compares it to the message authentication code within the authentication token 18. If the comparison is successful, the UE computes a response and sends it to the MME. The MME checks that the response equals the expected response received from the HSS. If it does, the authentication is successful. If the authentication is not successful, the MME may either send another identity request to the UE or reject the UE's authentication request. More details on authentication can be found in TS 33.401 19.

6.6.4 Location Management

The S6a interface commands Update‐Location‐Request/Answer (ULR/ULA) (command code 316) allow the MME to inform the HSS that it is currently serving an UE, and allow the HSS to update the MME with user subscription data.

6.6.4.1 Update‐Location‐Request Command

The MME sends a Update‐Location‐Request command (ULR) (Figure 6.17) to the HSS when one of the following scenarios happens:

the UE attaches to the network for the first time,
the UE has changed MMEs since it last attached to the network,
the MME does not have valid subscription data for the UE,
for some network sharing scenarios (e.g., where multiple operators share MMEs in a core network) if the PLMN‐ID supplied by the network is different from that of the Globally Unique Temporary Identity of the UE.

  < ULR > ::= < Diameter Header: 316, REQ, PXY, 16777251 >             < Session-Id >             [ DRMP ]             [ Vendor-Specific-Application-Id ]             { Auth-Session-State }             { Origin-Host }             { Origin-Realm }             [ Destination-Host ]             { Destination-Realm }             { User-Name }             [ OC-Supported-Features ]           * [ Supported-Features ]             [ Terminal-Information ]             { RAT-Type }             { ULR-Flags }             [ UE-SRVCC-Capability ]             { Visited-PLMN-Id }             [ Homogeneous-Support-of-IMS-Voice-Over-PS-Sessions ]             [ GMLC-Address ]           * [ Active-APN ]             [ Equivalent-PLMN-List ]             [ MME-Number-for-MT-SMS ]             [ SMS-Register-Request ]             [ SGs-MME-Identity ]             [ Coupled-Node-Diameter-ID ]             [ Adjacent-PLMNs ]             [ Supported-Services ]           * [ AVP ]           * [ Proxy-Info ]           * [ Route-Record ]

Figure 6.17 Update‐Location‐Request Command Code Format.

Update‐Location‐Request AVPs

User‐Name: Contains the user's identity (IMSI).
Terminal‐Information: Contains information about the UE itself.
RAT‐Type: Identifies the Radio Access Type (RAT) the UE is using.
ULR‐Flags: A bit mask that indicates whether the UE's network attachment is initial, type of node (i.e., MME or SGSN) that sent the ULR, whether the HSS should send subscriber data to the MME, and whether the UE can support UE‐based location services.
UE‐SRVCC‐Capability: Indicates whether the UE supports Single Radio Voice Call Continuity, which provides an interim solution for handing VoLTE traffic to 2G/3G networks.
Visited‐PLMN‐ID: Identifies the visited PLMN.
Homogeneous‐Support‐of‐IMS‐Voice‐Over‐PS‐Sessions: Indicates homogeneous support. In order to route incoming IMS voice calls to the correct domain, the Terminating Access Domain Selection (T‐ADS) requires homogeneous support/non‐support of IMS voice over PS session for all of the UE's tracking areas 17. If the support is either non‐homogeneous or unknown, the MME does not include this AVP. The MME can send the AVP later when it has more information.
GMLC‐Address: Contains the IPv4 or IPv6 address of the Visited Gateway Mobile Location Centre (V‐GMLC) associated with the MME.
Active‐APN: Contains the list of active access point names stored by the MME, including the identity of the PDN GW assigned to each APN. The MME may include it when the MME needs to restore PDN GW data in the HSS due to a reset procedure.
Equivalent‐PLMN‐List: Contains the equivalent PLMN list for which the MME requests the corresponding Closed Subscriber Group (CSG) Subscription data. A CSG identifies subscribers of an operator who are permitted only restricted access to one or more of the PLMN's cells.
MME‐Number‐for‐MT‐SMS: Included when the MME supports SMS and contains the ISDN number of the MME to route SMS to the UE.
SMS‐Register‐Request: Informs the HSS if the MME needs to be registered for SMS, prefers not to be registered for SMS, or has no preference.
SGs‐MME‐Identity: Informs the HSS of the MME identity that it uses over the SG interface, which is the interface to the Mobile Switching Center (MSC) that supports circuit‐switched fallback.
Coupled‐Node‐Diameter‐ID: A DiameterIdentity that is included if the requesting node is a combined MME/SGSN.
Adjacent‐PLMNs: Type Grouped, contains a list of PLMN IDs where an UE is likely to make a handover from the PLMN where the MME is located.
Supported‐Services: Type Grouped, contains monitoring events supported by the MME, such as UE reachability, UE location, roaming status, etc.

Note that currently none of the features in the Supported‐Features AVP of the ULR command requires HSS support to successfully process the ULR command. For this reason the MME does not need to set the M‐bit of the Supported‐Features AVP in the ULR command.

If the UE is making an emergency attachment to the network, but the UE was not successfully authenticated, the MME does not send an Update‐Location‐Request to the HSS. The MME also ignores any unsuccessful Update‐Location‐Answer from HSS and continues with the attach procedure.

6.6.4.2 Cancel‐Location‐Request Command

When the HSS receives an Update‐Location‐Request, it first sends a Cancel‐Location‐Request (CLR) (Figure 6.18) with a Cancellation‐Type of MME_UPDATE_PROCEDURE to the previous MME (if any) and replaces the stored MME Identity with the received value in the Origin‐Host AVP. The HSS deletes any stored last‐known MME location information.

      < CLR > ::= < Diameter Header: 317, REQ, PXY, 16777251 >                 < Session-Id >                 [ DRMP ]                 [ Vendor-Specific-Application-Id ]                 { Auth-Session-State }                 { Origin-Host }                 { Origin-Realm }                 { Destination-Host }                 { Destination-Realm }                 { User-Name }               * [ Supported-Features ]                 { Cancellation-Type }                 [ CLR-Flags ]               * [ AVP ]               * [ Proxy-Info ]               * [ Route-Record ]

Figure 6.18 Cancel‐Location‐Request Command Code Format.

Cancel‐Location‐Request AVPs

Cancellation‐Type: The following values indicate the reason for cancellation:
- 0 MME_UPDATE_PROCEDURE: The HSS has received a ULR from a new MME, and is cancelling location with the MME receiving the CLR.
- 1 SGSN_UPDATE_PROCEDURE: S6d interface only.
- 2 SUBSCRIPTION_WITHDRAWAL: The HSS's operator has withdrawn the user's subscription.
- 3 UPDATE_PROCEDURE_IWF: Used by an InterWorking Function when interworking with a pre‐Release 8 HSS.
- 4 INITIAL_ATTACH_PROCEDURE: The HSS has received an ULR for an Initial Attach procedure.
CLR‐Flags: Indicates whether the MME needs to request that the UE re‐attach.

6.6.4.3 Cancel‐Location‐Answer Command

The MME responds to the HSS's Cancel‐Location‐Request with a Cancel‐Location‐Answer (CLA) (Figure 6.19).

         < CLA > ::= < Diameter Header: 317, PXY, 16777251 >                    < Session-Id >                    [ DRMP ]                    [ Vendor-Specific-Application-Id ]                  * [ Supported-Features ]                    [ Result-Code ]                    [ Experimental-Result ]                    { Auth-Session-State }                    { Origin-Host }                    { Origin-Realm }                  * [ AVP ]                  * [ Failed-AVP ]                  * [ Proxy-Info ]                  * [ Route-Record ]

Figure 6.19 Cancel‐Location‐Answer Command Code Format.

The Result‐Code AVP contains Success and Permanent Failure result codes that are defined in the base protocol. The Experimental‐Result AVP conveys S6a‐specific failures.

6.6.4.4 Update‐Location‐Answer Command

After the HSS sends the Cancel‐Location‐Request to the old MME, the HSS acknowledges the Update‐Location‐Request from the new MME by sending the new MME an Update‐Location‐Answer (ULA) message (Figure 6.20).

         < ULA > ::= < Diameter Header: 316, PXY, 16777251 >                    < Session-Id >                    [ DRMP ]                    [ Vendor-Specific-Application-Id ]                    [ Result-Code ]                    [ Experimental-Result ]                    [ Error-Diagnostic ]                    { Auth-Session-State }                    { Origin-Host }                    { Origin-Realm }                    [ OC-Supported-Features ]                    [ OC-OLR ]                    [ Load ]                  * [ Supported-Features ]                    [ ULA-Flags ]                    [ Subscription-Data ]                  * [ Reset-ID ]                  * [ AVP ]                  * [ Failed-AVP ]                  * [ Proxy-Info ]                  * [ Route-Record ]

Figure 6.20 Update‐Location‐Answer Command Code Format.

If the Update‐Location‐Request includes information on one or more active APNs, the HSS deletes its stored PDN GW information, if any, and replaces it with the PDN GW information received in the list of Active‐APN AVPs.

If the MME does not indicate support for an operator‐determined barring feature or regional subscriptions in the Supported‐Features AVP, the HSS will reject the MME's Update‐Location‐Request with a DIAMETER_ERROR_ROAMING_NOT_ALLOWED error.

Update‐Location‐Answer AVPs

ULA‐Flags: A bit mask that is added when the Result‐Code AVP is DIAMETER_SUCCESS and indicates how the HSS stores the MME information in memory and whether the HSS has registered the MME for SMS.

When the MME receives a Update‐Location‐Answer, it validates the UE's presence in the (new) tracking area. The MME can reject the UE's Attach Request if there are restrictions in the user's regional subscription or access, or if there are subscription check failures, such as the APN provided by the UE is not allowed by subscription. If all checks are successful then the new MME constructs a context (basically, sets up the UE's data session) for the UE.

6.6.5 Subscriber Data Handling

6.6.5.1 Insert‐Subscriber‐Data‐Request Command

HSS sends an Insert‐Subscriber‐Data‐Request (ISDR) (Figure 6.21) to replace or add user data stored in the MME. The HSS can use the Insert‐Subscriber‐Data‐Request message to inform the MME about the following:

Operator changes to the user data, i.e., if the user's subscription to services has changed, or if the operator barred the user from roaming.
Operator activates subscriber tracing.
HSS requests notification from the MME when the UE becomes reachable.
HSS requires data from the MME to support the Terminating Access Domain Selection functionality.
HSS wants location information and/or state information from the MME.
HSS wants the local time zone of the location in the visited network where the UE is attached.
There was an update to the Session Transfer Number for Single Radio Voice Call Continuity (SRVCC), which provides an interim solution for handing over VoLTE to 2G/3G networks.
HSS provides the MME with the identity of a dynamically allocated PDN GW as a result of the first PDN connection establishment associated with an APN over non‐3GPP access.
HSS has deregistered the MME for SMS.
HSS has executed the P‐CSCF restoration procedures, which are described in TS 23.380 20.

     < ISDR > ::= < Diameter Header: 319, REQ, PXY, 16777251 >                 < Session-Id >                 [ DRMP ]                 [ Vendor-Specific-Application-Id ]                 { Auth-Session-State }                 { Origin-Host }                 { Origin-Realm }                 { Destination-Host }                 { Destination-Realm }                 { User-Name }               * [ Supported-Features ]                 { Subscription-Data }                 [ IDR-Flags ]               * [ Reset-ID ]               * [ AVP ]               * [ Proxy-Info ]               * [ Route-Record ]

Figure 6.21 Insert‐Subscriber‐Data‐Request Command Code Format.

Insert‐Subscriber‐Data‐Request AVPs

IDR‐Flags: A bit mask used by the HSS to indicate the information it is seeking about the UE, such as its attachment state, radio access type, location, and timezone. The HSS can also tell the MME that the MME has been unregistered for SMS, or that the HSS has started P‐CSCF restoration procedures.
Subscription‐Data: Contains the part of the subscription profile that is to be added to or replaced by the subscription profile stored in the MME.

6.6.5.2 Insert‐Subscriber‐Data‐Answer Command

In response to the Insert‐Subscriber‐Data‐Request from the HSS, the MME updates its stored subscription data and sends back an Insert‐Subscriber‐Data‐Answer (ISDA) (Figure 6.22). Various AVPs are included if the HSS requested the information and if the information is available to the MME.

       < ISDA > ::= < Diameter Header: 319, PXY, 16777251 >                   < Session-Id >                   [ DRMP ]                   [ Vendor-Specific-Application-Id ]                 * [ Supported-Features ]                   [ Result-Code ]                   [ Experimental-Result ]                   { Auth-Session-State }                   { Origin-Host }                   { Origin-Realm }                   [ IMS-Voice-Over-PS-Sessions-Supported ]                   [ Last-UE-Activity-Time ]                   [ RAT-Type ]                   [ EPS-User-State ]                   [ EPS-Location-Information ]                   [ Local-Time-Zone ]                   [ Supported-Services ]                 * [ Monitoring-Event-Report ]                 * [ Monitoring-Event-Config-Status ]                 * [ AVP ]                 * [ Failed-AVP ]                 * [ Proxy-Info ]                 * [ Route-Record ]

Figure 6.22 Insert‐Subscriber‐Data‐Answer Command Code Format.

If the HSS indicated an operator‐determined barring or regional subscriptions features in the Supported‐Features AVP in its Insert‐Subscriber‐Data‐Request, but the MME did not indicate support for it in its answer, the HSS may bar roaming and send a Cancel‐Location‐Request.

Insert‐Subscriber‐Data‐Answer AVPs

IMS‐Voice‐Over‐PS‐Sessions‐Supported: Indicates whether IMS Voice over PS sessions are supported by the UE's most recently used tracking area or routing area (0 NOT_SUPPORTED, 1 SUPPORTED). If the UE is in detached state, the MME does not include this AVP.
Last‐UE‐Activity‐Time: Contains the time of the last radio contact with the UE. If the UE is detached from the network, this AVP is not included.
RAT‐Type: Indicates the type of radio access technology the UE used during the last radio contact. If the UE is in detached state, this AVP is not included. Defined values are found in TS 29.212 21.
EPS‐User‐State: Contains information about whether the UE is attached to the network.
EPS‐Location‐Information: Contains the UE's location.
Local‐Time‐Zone: Contains the local time zone and the daylight saving time adjustment of the location in the visited network where the UE is attached.
Supported‐Services: Type Grouped, contains monitoring events supported by the MME, such as UE reachability, UE location, roaming status, etc.
Monitoring‐Event‐Report: Type Grouped, contains the report data for the monitoring event.
Monitoring‐Event‐Config‐Status: Type Grouped, contains error details for the monitoring event.

6.6.5.3 Delete‐Subscriber‐Data‐Request Command

The HSS uses the Delete‐Subscriber‐Data‐Request (DSR) command (Figure 6.23) to remove the following data from the user profile stored in the MME:

some or all of the EPS subscription data (Access Point Name Configuration Profile) for the subscriber
the regional subscription
the subscribed charging characteristics
session Transfer Number for SRVCC
trace data, which will cause the MME to deactivate the trace session
ProSe subscription data
Reset‐IDs.

     < DSR > ::= < Diameter Header: 320, REQ, PXY, 16777251 >                < Session-Id >                [ DRMP ]                [ Vendor-Specific-Application-Id ]                { Auth-Session-State }                { Origin-Host }                { Origin-Realm }                { Destination-Host }                { Destination-Realm }                { User-Name }              * [ Supported-Features ]                { DSR-Flags }                [ SCEF-ID ]              * [ Context-Identifier ]                [ Trace-Reference ]              * [ TS-Code ]              * [ SS-Code ]              * [ AVP ]              * [ Proxy-Info ]              * [ Route-Record ]

Figure 6.23 Delete‐Subscriber‐Data‐Request Command Code Format.

Delete‐Subscriber‐Data‐Request AVPs

DSR‐Flags: A bit mask that indicates what should be deleted from the subscriber data. Data to be deleted can include regional subscriptions, APN configurations, session information, and service information.
SCEF‐ID: Type DiameterIdentity, contains the identity of the Service Capability Exposure Function (SCEF) that originated the service request towards the HSS.
Context‐Identifier: Identifies the session information to be deleted and is included only if the PDN subscription contexts Withdrawal bit or the PDP context withdrawal bit is set in the DSR‐Flags AVP.
Trace‐Reference: Contains the same value as used for the activation of the trace session. This element is present only if the Trace Data Withdrawal bit is set in the DSR‐Flags AVP.
TS‐Code: Contains the SMS‐related teleservice codes to be deleted from the subscription. Included only if the SMS Withdrawal bit is set in the DSR‐Flags AVP.
SS‐Code: Contains the supplementary service codes to be deleted. Included only if the SMS Withdrawal bit or LCS Withdrawal bit is set in the DSR‐Flags AVP.

6.6.5.4 Delete‐Subscriber‐Data‐Answer Message

The MME responds to the HSS with a Delete‐Subscriber‐Data‐Answer (DSA) (Figure 6.24), letting it know whether the data was successfully deleted.

        < DSA > ::= < Diameter Header: 320, PXY, 16777251 >                   < Session-Id >                   [ DRMP ]                   [ Vendor-Specific-Application-Id ]                 * [ Supported-Features ]                   [ Result-Code ]                   [ Experimental-Result ]                   { Auth-Session-State }                   { Origin-Host }                   { Origin-Realm }                 * [ AVP ]                 * [ Failed-AVP ]                 * [ Proxy-Info ]                 * [ Route-Record ]

Figure 6.24 Delete‐Subscriber‐Data‐Answer Command Code Format.

6.6.6 Fault Recovery

The S6a interface commands Reset‐Request/Answer (RSR/RSA) (command code 322) are used by the HSS to indicate to the MME that a failure has occurred. The RSR can also be used by the HSS as part of operation and maintenance actions to allow planned HSS outages without service interruption.

6.6.6.1 Reset‐Request Command

The HSS sends Reset‐Request (RSR) (Figure 6.25) to inform all relevant MMEs that the HSS has restarted and may have lost the current MME‐Identity of some of its subscribers who may be roaming, and that the HSS, therefore, cannot send Cancel‐Location‐Requests or Insert‐Subscriber‐Data‐Requests when needed.

      < RSR > ::= < Diameter Header: 322, REQ, PXY, 16777251 >                 < Session-Id >                 [ DRMP ]                 [ Vendor-Specific-Application-Id ]                 { Auth-Session-State }                 { Origin-Host }                 { Origin-Realm }                 { Destination-Host }                 { Destination-Realm }               * [ Supported-Features ]               * [ User-Id ]               * [ Reset-ID ]                 [ Subscription-Data ]                 [ Subscription-Data-Deletion ]               * [ AVP ]               * [ Proxy-Info ]               * [ Route-Record ]

Figure 6.25 Reset‐Request Command Code Format.

Reset‐Request AVPs

User‐Id: Contains a list of User‐Ids where a User‐Id comprises the leading digits of an IMSI (i.e., MCC, MNC, leading digits of MSIN) and identifies the set of subscribers whose IMSIs begin with the User‐Id. The HSS may include this AVP if the failure is limited to subscribers identified by one or more User‐Ids. Basically, a set of subscribers with identical leading IMSI digits.
Reset‐ID: The HSS can include one or more Reset‐ID AVPs identifying failed hardware components if the failure is limited to those subscribers associated with those components.
Subscription‐Data: If the Reset‐Request is to add or modify subscription data shared by multiple subscribers, this AVP contains the part of the subscription profile that is to be added to or to replaces the subscription profiles of the impacted subscribers stored in the MME.
Subscription‐Data‐Deletion: If the Reset‐Request is to delete subscription data shared by multiple subscribers, this AVP identifies the part of the subscription profile that is to be deleted from the subscription profiles of the impacted subscribers stored in the MME.

6.6.6.2 Reset‐Answer Command

When the MME receives a Reset‐Request, it marks all impacted subscriber records. If the MME supports the Reset‐ID AVP, it uses them together with the HSS's realm to determine which subscriber records are impacted. Otherwise the MME compares the HSS Identity received in the Origin‐Host AVP with the value stored after successful ULA, and may use the received User‐Id‐List (if any) to determine which subscriber records are impacted.

At the next authenticated radio contact with the impacted UE, the restoration procedure is triggered.

The MME indicates success or failure to the HSS with a Reset‐Answer (RSA) (Figure 6.26).

             < RSA > ::= < Diameter Header: 322, PXY, 16777251 >                        < Session-Id >                        [ DRMP ]                        [ Vendor-Specific-Application-Id ]                      * [ Supported-Features ]                        [ Result-Code ]                        [ Experimental-Result ]                        { Auth-Session-State }                        { Origin-Host }                        { Origin-Realm }                      * [ AVP ]                      * [ Failed-AVP ]                      * [ Proxy-Info ]                      * [ Route-Record ]

Figure 6.26 Reset‐Answer Command Code Format.

6.6.7 Notifications

The S6a interface commands Notify‐Request/Answer (NOR/NOA) (command code 323) are used between the MME and the HSS when an inter‐MME location update does not occur, but the HSS needs to be notified about the following updates:

terminal information
changes in UE SRVCC capability (if the MME supports SRVCC)
an assignment/change of a dynamically allocated PDN GW for an APN, depending on access restrictions
the HSS needs to send a Cancel‐Location‐Request to the current SGSN
removal of MME registration for SMS
when the SMS in MME feature is applied
when the HSS has requested to be notified about when the UE is reachable, or if there is an update of the Homogeneous Support of IMS Voice Over PS Sessions.

6.6.7.1 Notify‐Request Command

The MME sends a Notify‐Request (NOR) (Figure 6.27) to notify the HSS about the following:

an assignment or change of a dynamically allocated PDN GW for an access point name
the need to send a Cancel Location when an inter‐MME location update does not occur
when the UE is reachable
if the SMS in MME feature is applied, when the UE is reachable or the UE has memory capacity available to receive one or more short messages
an update of the Homogeneous Support of IMS Voice Over PS Sessions
the removal of MME registration for SMS.

 < NOR > ::= < Diameter Header: 323, REQ, PXY, 16777251 >            < Session-Id >            [ Vendor-Specific-Application-Id ]            [ DRMP ]            { Auth-Session-State }            { Origin-Host }            { Origin-Realm }            [ Destination-Host ]            { Destination-Realm }            { User-Name }            [ OC-Supported-Features ]          * [ Supported-Features ]            [ Terminal-Information ]            [ MIP6-Agent-Info ]            [ Visited-Network-Identifier ]            [ Context-Identifier ]            [ Service-Selection ]            [ Alert-Reason ]            [ UE-SRVCC-Capability ]            [ NOR-Flags ]            [ Homogeneous-Support-of-IMS-Voice-Over-PS-Sessions ]            [ Maximum-UE-Availability-Time ]          * [ Monitoring-Event-Config-Status ]            [ Emergency-Services ]          * [ AVP ]          * [ Proxy-Info ]          * [ Route-Record ]

Figure 6.27 Notify‐Request Command Code Format.

Notify‐Request AVPs

Terminal‐Information: Notifies the HSS about changes to UE terminal information. Within this grouped AVP, only the IMEI and the Software‐Version AVPs are used with the S6a interface.
MIP6‐Agent‐Info: This grouped AVP is included if a new PDN‐GW has been selected, and the subscriber is allowed handover to non‐3GPP access. It contains the identity of the PDN‐GW as either an IP address or FQDN.
Visited‐Network‐Identifier: Contains the PLMN in which the PDN GW is located. The MME includes this when the PDN GW Identity is present but it does not contain an FQDN.
Context‐Identifier: Identifies the APN configuration with which the selected PDN GW is correlated. The MME includes this AVP if it is available and the PDN‐GW is present and is for a specific APN.
Service‐Selection: Contains the APN for the selected and dynamically allocated PDN GW. This AVP is included if the selected PDN‐GW is present and is for a specific APN.
Alert‐Reason: Indicates if the subscriber is present, or if the handset has memory available to receive one or more short messages.
UE‐SRVCC‐Capability: Indicates whether the UE supports SRVCC capability.
NOR‐Flags: A bit mask that can indicate whether HSS needs to send a Cancel‐Location‐Request, the UE has become reachable, if the UE can receive short messages via MME, if information regarding Homogeneous Support of IMS Voice Over PS Sessions has changed, or that the MME requests removal of its registration for SMS.
Homogeneous‐Support‐of‐IMS‐Voice‐Over‐PS‐Sessions: This AVP is included if Homogeneous Support of IMS Voice Over PS Sessions has changed. If this AVP is not present, it indicates that there is no homogeneous support of this feature, or that the homogeneity of this support is unknown to the MME.
Maximum‐UE‐Availability‐Time: Included to notify the HSS that the UE is reachable and provides a timestamp until which time a UE using a power‐saving mechanism is expected to be reachable for Short Message delivery.
Monitoring‐Event‐Config‐Status: Contains the status of those monitoring events whose configuration status has changed since the last status update.
Emergency‐Services: Notifies the HSS that a new PDN‐GW has been selected for the establishment of an emergency PDN connection.

6.6.7.2 Notify‐Answer Command

The HSS responds to the MME with a Notify‐Answer (NOA) (Figure 6.28) to indicate success or failure of the notification.

        < NOA > ::= < Diameter Header: 323, PXY, 16777251 >                   < Session-Id >                   [ DRMP ]                   [ Vendor-Specific-Application-Id ]                   [ Result-Code ]                   [ Experimental-Result ]                   { Auth-Session-State }                   { Origin-Host }                   { Origin-Realm }                   [ OC-Supported-Features ]                   [ OC-OLR ]                 * [ Load ]                 * [ Supported-Features ]                 * [ AVP ]                 * [ Failed-AVP ]                 * [ Proxy-Info ]                 * [ Route-Record ]

Figure 6.28 Notify‐Answer Command Code Format.

6.6.8 Ending Subscriber Sessions

When the user detaches from the network by turning off the phone or by being inactive for several days, the MME deletes the UE's subscription data and context and then informs the HSS via a Purge‐UE‐Request command (PUR) (Figure 6.29). Depending on implementation, the MME may delete UE data immediately after its detachment, or the MME may wait before purging, so that it can reuse the UE data when the UE attaches again without accessing the HSS.

     < PUR > ::= < Diameter Header: 321, REQ, PXY, 16777251 >                < Session-Id >                [ DRMP ]                [ Vendor-Specific-Application-Id ]                { Auth-Session-State }                { Origin-Host }                { Origin-Realm }                [ Destination-Host ]                { Destination-Realm }                { User-Name }                [ OC-Supported-Features ]                [ PUR-Flags ]              * [ Supported-Features ]                [ EPS-Location-Information ]              * [ AVP ]              * [ Proxy-Info ]              * [ Route-Record ]

Figure 6.29 Purge‐UE‐Request Command Code Format.

Purge‐UE‐Request AVPs

PUR‐Flags: A bit mask to indicate from which part of a combined MME/SGSN the UE was purged.
EPS‐Location‐Information: Contains the last known location information of the purged UE.

6.6.8.2 Purge‐UE‐Answer Command

When the HSS receives a Purge‐UE‐Request, it checks the user's IMSI. If the IMSI is known, the HSS sets the Result‐Code to DIAMETER_SUCCESS and stores the last known location information given in the Purge‐UE‐Request message. It sends back to the MME a Purge‐UE‐Answer (PUA) command (Figure 6.30).

        < PUA > ::= < Diameter Header: 321, PXY, 16777251 >                   < Session-Id >                   [ DRMP ]                   [ Vendor-Specific-Application-Id ]                 * [ Supported-Features ]                   [ Result-Code ]                   [ Experimental-Result ]                   { Auth-Session-State }                   { Origin-Host }                   { Origin-Realm }                   [ OC-Supported-Features ]                   [ OC-OLR ]                 * [ Load ]                   [ PUA-Flags ]                 * [ AVP ]                 * [ Failed-AVP ]                 * [ Proxy-Info ]                 * [ Route-Record ]

Figure 6.30 Purge‐UE‐Answer Command Code Format.

Purge‐UE‐Answer AVPs

PUA‐Flags: Indicates that the MME should not immediately reuse the Temporary Mobile Subscriber Identity.

When the MME receives a successful Purge‐UE‐Answer from the HSS, it then checks the PUA‐Flags AVP for the Freeze M‐TMSI flag, and if set, it blocks M‐TMSI for immediate reuse.

6.6.9 Extensibility

The S6a interface supports many features and is extensible. To preserve backwards‐compatibility, any new functionality should be defined as optional. When extending the S6a application by adding new AVPs, the new AVPs should have the M‐bit cleared and are defined as optional in the command code format.

However, if changes are unavoidably backwards‐incompatible, the new functionality should be introduced as a new feature, and support for it advertised with the Supported‐Features AVP. If the receiver must support the feature in order to process the request, then the feature is included in the Supported‐Features AVP and the M‐bit of the Supported‐Features AVP is set.

References

1 V. Fajardo, J. Arkko, J. Loughney, and G. Zorn. Diameter Base Protocol. RFC 6733, Internet Engineering Task Force, Oct. 2012.
2 G. Zorn. Diameter Network Access Server Application. RFC 7155, Internet Engineering Task Force, Apr. 2014.
3 P. Calhoun, T. Johansson, C. Perkins, T. Hiller, and P. McCann. Diameter Mobile IPv4 Application. RFC 4004, Internet Engineering Task Force, Aug. 2005.
4 K. Sklower, B. Lloyd, G. McGregor, D. Carr, and T. Coradetti. The PPP Multilink Protocol (MP). RFC 1990, Internet Engineering Task Force, Aug. 1996.
5 3GPP. Telecommunication management; Charging management; Diameter charging applications. TS 32.299, 3rd Generation Partnership Project, Jan. 2018.
6 H. Hakala, L. Mattila, J.‐P. Koskinen, M. Stura, and J. Loughney. Diameter Credit‐Control Application. RFC 4006, Internet Engineering Task Force, Aug. 2005.
7 3GPP. Telecommunication management; Charging management; Charging architecture and principles. TS 32.240, 3rd Generation Partnership Project, Apr. 2011.
8 D. Sun, P. McCann, H. Tschofenig, T. Tsou, A. Doria, and G. Zorn. Diameter Quality‐of‐Service Application. RFC 5866, Internet Engineering Task Force, May 2010.
9 J. Korhonen, H. Tschofenig, M. Arumaithurai, M. Jones, and A. Lior. Traffic Classification and Quality of Service (QoS) Attributes for Diameter. RFC 5777, Internet Engineering Task Force, Feb. 2010.
10 J. Korhonen, H. Tschofenig, and E. Davies. Quality of Service Parameters for Usage with Diameter. RFC 5624, Internet Engineering Task Force, Aug. 2009.
11 L.‐N. Hamer, B. Gage, and H. Shieh. Framework for Session Set‐up with Media Authorization. RFC 3521, Internet Engineering Task Force, Apr. 2003.
12 W. Marshall. Private Session Initiation Protocol (SIP) Extensions for Media Authorization. RFC 3313, Internet Engineering Task Force, Jan. 2003.
13 L.‐N. Hamer, B. Gage, B. Kosinski, and H. Shieh. Session Authorization Policy Element. RFC 3520, Internet Engineering Task Force, Apr. 2003.
14 P. Calhoun, G. Zorn, D. Spence, and D. Mitton. Diameter Network Access Server Application. RFC 4005, Internet Engineering Task Force, Aug. 2005.
15 P. Eronen, T. Hiller, and G. Zorn. Diameter Extensible Authentication Protocol (EAP) Application. RFC 4072, Internet Engineering Task Force, Aug. 2005.
16 3GPP. Evolved Packet System (EPS); Mobility Management Entity (MME) and Serving GPRS Support Node (SGSN) related interfaces based on Diameter protocol. TS 29.272, 3rd Generation Partnership Project, Jan. 2018.
17 3GPP. General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E‐UTRAN) access. TS 23.401, 3rd Generation Partnership Project, Apr. 2015.
18 3GPP. Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); 3G security; Security architecture. TS 33.102, 3rd Generation Partnership Project, Jan. 2015.
19 3GPP. Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; 3GPP System Architecture Evolution (SAE); Security architecture. TS 33.401, 3rd Generation Partnership Project, Oct. 2015.
20 3GPP. Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; IMS Restoration Procedures. TS 23.380, 3rd Generation Partnership Project, May 2017.
21 3GPP. Universal Mobile Telecommunications System (UMTS); LTE; Policy and Charging Control (PCC); Reference points. TS 29.212, 3rd Generation Partnership Project, Apr. 2015.

Notes

1 You may have noticed the Acct‐Application‐Id AVP, which is specified by the base protocol, is not mentioned as a way to differentiate applications when using the split accounting service. The Acct‐Application‐Id AVP is used when the Vendor‐Specific‐Application‐Id is present, and it must be included if the vendor‐specific application has an accounting component. However, the base accounting application does not have any vendor‐specific AVPs.

3 Yes, this enumerated AVP starts with the value 1 instead of 0.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for 6 Diameter Applications

Create new playlist

Sign In

Sign Up

6.1 Introduction

6.2 Base Accounting

6.2.1 Actors

6.2.2 Accounting Application Setup

6.2.3 Accounting Services

6.2.4 Accounting Records

6.2.5 Correlation of Accounting Records

6.2.6 Sending Accounting Information

6.2.7 Accounting AVPs

6.2.8 freeDiameter Example

6.2.9 Fault Resilience

6.2.10 Example: 3GPP Rf Interface for Mobile Offline Charging

6.2.10.1 Rf Interface Commands

Rf Accounting‐Request

Rf Accounting‐Answer

6.3 Credit Control

h3

6.3.1 Credit‐Control‐Request Command

6.3.2 Credit‐Control‐Answer Command

6.3.3 Failure Handling

6.3.4 Extensibility

6.3.5 Example: 3GPP Ro Interface for Online Charging

6.4 Quality of Service

6.4.1 Actors

6.4.2 Modes of Operation

6.4.2.1 Push Mode

6.4.2.2 Pull Mode

6.4.3 Authorization

6.4.3.1 Push Mode Authorization Schemes

6.4.3.2 Pull Mode Authorization

6.4.4 Establishing and Managing a QoS Application Session

6.4.4.1 Establishing a Session

Session Establishment for Pull Mode

Session Establishment for Push Mode

6.4.5 Re‐Authorizing a Session

6.4.5.1 Re‐Authorization Initiated by the NE

6.4.5.2 Re‐Authorization Initiated by the Authorizing Elements

6.4.6 Terminating a Session

6.4.6.1 Session Terminated by the NE

6.4.6.2 Session Terminated by the AE

6.5 Interworking RADIUS and Diameter

6.6 S6a Interface

6.6.1 Evolved Packet Core

6.6.2 S6a Overview

6.6.2.1 Common AVPs for S6a Commands

6.6.3 Authentication

6.6.3.1 Authentication‐Information‐Request Command

Authentication‐Information‐Request AVPs

6.6.3.2 Authentication‐Information‐Answer Command

Authentication‐Information‐Answer AVPs

6.6.4 Location Management

6.6.4.1 Update‐Location‐Request Command

Update‐Location‐Request AVPs

6.6.4.2 Cancel‐Location‐Request Command

Cancel‐Location‐Request AVPs

6.6.4.3 Cancel‐Location‐Answer Command

6.6.4.4 Update‐Location‐Answer Command

Update‐Location‐Answer AVPs

6.6.5 Subscriber Data Handling

6.6.5.1 Insert‐Subscriber‐Data‐Request Command

Insert‐Subscriber‐Data‐Request AVPs

6.6.5.2 Insert‐Subscriber‐Data‐Answer Command

Insert‐Subscriber‐Data‐Answer AVPs

6.6.5.3 Delete‐Subscriber‐Data‐Request Command

Delete‐Subscriber‐Data‐Request AVPs

6.6.5.4 Delete‐Subscriber‐Data‐Answer Message

6.6.6 Fault Recovery

6.6.6.1 Reset‐Request Command

Reset‐Request AVPs

6.6.6.2 Reset‐Answer Command

6.6.7 Notifications

6.6.7.1 Notify‐Request Command

Notify‐Request AVPs

6.6.7.2 Notify‐Answer Command

6.6.8 Ending Subscriber Sessions

Purge‐UE‐Request AVPs

Table of Contents for
6 Diameter Applications

6.2.8 `freeDiameter` Example