The basic motive of this process is to KNOW about the other node with which a node intends to communicate before establishing the connection, i.e. whether the other node supports the applications for which this node wants to communicate.
Technically speaking, it is the process in which two Diameter peers exchange their identity and their capabilities (such as protocol version number, supported Diameter applications, security mechanisms, etc.). Peers share their capabilities via the CER/CEA messages (Capabilities-Exchange-Request/Capabilities-Exchange-Answer).
If one peer sends a CER message to another peer and the receiver does not support:
1) any common application, then it must return a CEA with the Result-Code AVP set to DIAMETER_NO_COMMON_APPLICATION and should disconnect the transport layer connection.
2) any common security mechanism, then it must return a CEA with the Result-Code AVP set to DIAMETER_NO_COMMON_SECURITY and should disconnect the transport layer connection. (This is only maintained for backward compatibility, because in the latest release transport-level security is established before the Diameter connection, so the CER/CEA exchange itself already happens under TLS/DTLS.)
3) If a CER is received from an unknown peer, then the receiver should discard the message, or send a CEA with the Result-Code AVP set to DIAMETER_UNKNOWN_PEER.
If the local implementation policy permits receiving a CER from unknown hosts, a successful CEA MAY be returned, and the lifetime of the peer entry in the peer table is equal to the lifetime of the transport connection. If the transport connection fails, all pending transactions destined to the unknown peer can be discarded.
The CER and CEA messages MUST NOT be proxied, redirected or relayed. Although CER/CEA messages cannot be proxied, it is still possible that a proxy receives a CER message and has no peer that can handle the application requested in the CER; in this case the proxy sets the E bit in the CEA, sets the Result-Code AVP to DIAMETER_UNABLE_TO_DELIVER, and sends it back to the peer that generated the CER.
For example, consider two nodes A and B. Node-A contains three applications X, Y, Z and two security mechanisms s1 and s2, while Node-B contains two applications A, X and the s1 security mechanism. Node-A sends a CER to Node-B. Node-B processes the request, then creates and sends a CEA indicating success together with the common application, i.e. X, and the common security mechanism s1. Node-A now knows that it can communicate with Node-B for application X using security mechanism s1.
Probable CER and CEA would be:

          ________            CER            ________
         | Node-A | ------------------------> | Node-B |
         |________| <------------------------ |________|
                              CEA

CER sent by Node-A:

<CER> ::= < Diameter Header: 257, REQ >
          { Origin-Host }
          { Origin-Realm }
          { Host-IP-Address }
          { Vendor-Id }
          { Product-Name }
          [ Inband-Security-Id = s1 ]
          [ Inband-Security-Id = s2 ]
          [ Vendor-Specific-Application-Id = X ]
          [ Vendor-Specific-Application-Id = Y ]
          [ Vendor-Specific-Application-Id = Z ]

CEA sent by Node-B:

<CEA> ::= < Diameter Header: 257 >
          { Result-Code = SUCCESS }
          { Origin-Host }
          { Origin-Realm }
          { Host-IP-Address }
          { Vendor-Id }
          { Product-Name }
          [ Inband-Security-Id = s1 ]
          [ Vendor-Specific-Application-Id = X ]

CER/CEA Message Exchange
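The receiver-side decision described above (unknown peer, no common application, no common security mechanism, otherwise success with the common set), as an added Python example that is not part of the original post. The Result-Code numbers are the RFC 6733 values; the host names, dict layout and the accept_unknown_peers policy flag are this example's own assumptions, and the common application set is computed over all three Application-Id AVP types.

```python
# Added example (not from the original post): how the receiving peer
# (Node-B) processes a CER and decides the CEA Result-Code.
# Result-Code values are the RFC 6733 constants; the dict layout, host
# names and the accept_unknown_peers policy flag are assumptions made here.

DIAMETER_SUCCESS = 2001
DIAMETER_UNKNOWN_PEER = 3010
DIAMETER_NO_COMMON_APPLICATION = 5010
DIAMETER_NO_COMMON_SECURITY = 5017

APP_ID_AVPS = ("Auth-Application-Id", "Acct-Application-Id",
               "Vendor-Specific-Application-Id")

# Constructed capabilities of the local node (Node-B in the post).
NODE_B = {
    "Origin-Host": "nodeb.example.com",
    "Origin-Realm": "example.com",
    "applications": {"A", "X"},
    "security": {"s1"},
    "known_peers": {"nodea.example.com"},
    "accept_unknown_peers": False,
}

# Constructed CER as Node-A would send it (apps X, Y, Z; security s1, s2).
NODE_A_CER = {
    "Origin-Host": "nodea.example.com",
    "Origin-Realm": "example.com",
    "Vendor-Specific-Application-Id": ["X", "Y", "Z"],
    "Inband-Security-Id": ["s1", "s2"],
}


def process_cer(local, cer):
    """Return (cea, keep_transport) for a received CER.

    Common applications are the intersection of the local set with every
    Application-Id AVP in the CER; the same is done for Inband-Security-Id.
    """
    def answer(result_code, **extra):
        cea = {"Result-Code": result_code,
               "Origin-Host": local["Origin-Host"],
               "Origin-Realm": local["Origin-Realm"]}
        cea.update(extra)
        return cea

    # Case 3: CER from a peer that is not in the peer table.
    if cer["Origin-Host"] not in local["known_peers"]:
        if not local["accept_unknown_peers"]:
            return answer(DIAMETER_UNKNOWN_PEER), False
        # Policy permits it; the peer entry lives only as long as the transport.

    # Case 1: no application in common.
    advertised = set()
    for avp in APP_ID_AVPS:
        advertised.update(cer.get(avp, ()))
    common_apps = local["applications"] & advertised
    if not common_apps:
        return answer(DIAMETER_NO_COMMON_APPLICATION), False

    # Case 2: security mechanisms offered, but none in common. A CER that
    # offers none is accepted here (assumption: security is handled by TLS).
    offered = set(cer.get("Inband-Security-Id", ()))
    common_sec = local["security"] & offered
    if offered and not common_sec:
        return answer(DIAMETER_NO_COMMON_SECURITY), False

    cea = answer(DIAMETER_SUCCESS,
                 **{"Vendor-Specific-Application-Id": sorted(common_apps),
                    "Inband-Security-Id": sorted(common_sec)})
    return cea, True


if __name__ == "__main__":
    cea, keep = process_cer(NODE_B, NODE_A_CER)
    print(cea, "keep transport:", keep)
```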
Your comments, suggestions and questions are always welcome. I will try to clarify doubts to the best of my knowledge, so feel free to ask questions.
Hi ,
Got good knowledge on the Diameter protocol.
Can you please let me know if you know any free implementations for offline charging ?
Thanks
Please visit www.imszone.org for free Online and Offline Charging Systems
Super, thanks for sharing useful info.
May I know if Node-B can include all of the supported applications instead of only the intersection of the supported applications?
Hi Vijay,
Thanks for pointing out a very acute issue.
YES, RFC-6733 says Node-B SHOULD send information about all supported Application-IDs.
Node-B may send all supported application ids.
Thanks for your query.
Happy to help you again.
Team-Diameter
May I know the difference between the Vendor-Id AVP and the Supported-Vendor-Id AVPs sent in CER/CEA messages? How will the Diameter nodes make use of the information sent in these AVPs? Will a Diameter node that sends its Vendor ID in the "Vendor-Id" AVP also encode the same under the "Supported-Vendor-Id" AVP?
Hi Vijay,
I feel I am not diverting you.
The Vendor-ID AVP shall contain the ID given to the vendor by IANA; e.g. there are two vendors X and Y that have been given vendor ids 111 and 222 respectively, and both have created an application App-A.
In this case, whenever App-A interacts with its peer (say a Relay), the Relay can identify App-A by vendor ID, i.e. the message came from application App-A of vendor X.
Vendor-Id is used to identify the product vendor. A product vendor can create/use an application of another vendor as well. That is why there is one more AVP, Vendor-Specific-Application-Id. In this AVP the Vendor-Id AVP shall contain the ID of the application vendor. For example, the S6a/S6d application belongs to 3GPP, but vendor X that has created the software implementation of it shall publish Vendor-Id 111, while the Vendor-Id inside the Vendor-Specific-Application-Id AVP shall be 10415 (the 3GPP application vendor ID).
There is one more concept: a vendor can create a new AVP for its application's usage, and this new AVP shall be given an AVP Code and Vendor ID by IANA, which are to be filled in the AVP structure.
If an application uses an AVP created by some other vendor, then that vendor id shall be published in the Supported-Vendor-Id AVP.
Thanks for the detailed explanation. Suppose Vendor-X implemented an application (not related to accounting) App-X, along with other 3GPP-defined applications.
1. Will the Diameter node send this support in Auth-Application-Id or Vendor-Specific-Application-Id of the CER message?
2. Will the Diameter node of Vendor-X also include Vendor-X in the "Supported-Vendor-Id" AVP along with the 3GPP vendor id, as below, in the CEA messages?
+ Vendor-Id=Vendor-X
+ Supported-Vendor-Id=10415
+ Supported-Vendor-Id=Vendor-X
+ Vendor-Specific-Application-Id
-- Vendor-Id=3GPP(10415)
-- Auth-Application-Id=3GPP S6a(16777251)
+ Vendor-Specific-Application-Id
-- Vendor-Id=3GPP(10415)
-- Auth-Application-Id=3GPP Sh(16777217)
+ Vendor-Specific-Application-Id
-- Vendor-Id=Vendor-X
-- Auth-Application-Id=App-X
Hi Vijay,
No need to add the following:
1. + Supported-Vendor-Id=Vendor-X
2. + Vendor-Specific-Application-Id
-- Vendor-Id=Vendor-X
-- Auth-Application-Id=App-X
In Supported Vendor Application Ids you can put the Vendor-Id value among {+ Vendor-Id=Vendor-X, + Supported-Vendor-Id=10415}.
So the CER will be as:
+ Vendor-Id=Vendor-X
+ Supported-Vendor-Id=10415
+ Vendor-Specific-Application-Id
-- Vendor-Id=3GPP(10415)
-- Auth-Application-Id=3GPP S6a(16777251)
+ Vendor-Specific-Application-Id
-- Vendor-Id=3GPP(10415)
-- Auth-Application-Id=3GPP Sh(16777217)
Thank you for the clarification. Could you also please answer my first query: will the Diameter node send the support of App-X in Auth-Application-Id or Vendor-Specific-Application-Id of the CER message?
What are the consequences at the peer Diameter node if Diameter node-X sends its support of App-X in the Vendor-Specific-Application-Id AVP instead of the Auth-Application-Id AVP?
When a Diameter node returns the DIAMETER_NO_COMMON_APPLICATION error, should it also include the optional AVPs (Vendor-Specific-Application-Id, Firmware-Revision, Supported-Vendor-Id AVPs) in the CEA response?
Implementation specific. (Generally only mandatory AVPs are sent in an error response.)
RFC-6733 says the peer should close the transport connection.
Thanks for your query.
Happy to help you again.
Team-Diameter
great article!! good place to start
How is the version number of a particular protocol taken care of in CER/CEA?
Assuming that I have a protocol and I know version 1.0, and the other entity is updated to version 2.0 of the same protocol, how will I make sure that we communicate in protocol "p" version 1.0, to be on the same page? Assume that "p" has Application Id 167XXX1.
Hi Karan,
RFC-6733 does not say anything about version negotiation in CER-CEA. Currently this field remains set to 1.
Thanks for your query.
Happy to help you again.
Team-Diameter
Great,I learned a lot from this article.
Hi team, great job. One question about the CER/CEA: when the client initiates it with a DRA, then what kind of application ids will be there, and what app id is the DRA supposed to check to have success in the Diameter connection?
thanks
Hi Tejas,
Ideally, the client should advertise all application ids supported by the client to the DRA, and the DRA shall reply back with the common application ids; the DRA should advertise all application ids supported by it.
In practical implementations both entities show only the limited set of application IDs on which they are supposed to interact. Sharing unused information is just a burden.
Thanks for your query.
Happy to help you again.
Team-Diameter
I am using seagull diameter on the S6 interface. MME -> DRA -> HSS.
In the CLR/CLA case HSS/DRA always initiates CLR, so can HSS/DRA send CER to MME?
Hi Vipula,
I am doing a similar thing. I need to send an IDR to the MME.
The MME is implemented in such a way that it can send CER but it cannot receive CER. But seagull doesn't allow receiving CER in init and then sending IDR in traffic. Did you face any similar problem?
Thanks,
Bhanu
Hi Bhanu/Vipula
In the context of the above discussion, we would like to highlight the following points that shall help you:
1) CER/CEA is used only once, just to establish the connection. If a CER is initiated by any node (peer) on an already established connection, then it shall be treated as a fresh connection, implying the peer node might have rebooted.
2) In the case of CLR/IDR (deployment/practically), CER shall be triggered neither by the HSS nor by the MME, because the Diameter connection is already established with the peer DRA/MME, as the HSS has received AIR/ULR messages from the MME/DRA on that Diameter connection.
3) In the case of Seagull, it is a testing tool that doesn't keep the connection established with the node (HSS/DRA/MME); therefore it needs to send CER before sending IDR/CLR to the MME during functional testing if seagull acts as the HSS.
Following link might help you
http://diameter-protocol.blogspot.in/2016/01/diameter-routing-agent-dra_17.html
http://diameter-protocol.blogspot.in/2013/08/diameter-connection-establishment.html
Hope the above suffices your query.
Happy to help you again.
Team-Diameter
Thanks for the reply team-diameter. Just to bring some more clarity: if the DRA is supposed to work as just a relay agent, then what kind of App id is it supposed to support?
By mistake, if "initiate connection" is configured on both the client and server side, let's say both are trying to send a CER message towards the other peer (both act as client), what should happen ideally? My assumption is that the node whose CER message is first in time will get priority and the link gets established, and the CER sent by the other peer will be rejected. Am I right?
I read here in the same blog somewhere that for such cases an alphabetic order comparison will be done on the host-id; the host with the higher order (xyz > abc) wins and terminates the connection initiated by it and sends the CEA to the peer.
Hi Anand
The following link shall help you.
http://diameter-protocol.blogspot.in/2013/09/election-process.html
Thanks for your query.
Happy to help you again.
Team-Diameter
Hi,
What if the transport layer connection is lost after a successful CER/CEA and exchanging some CC messages, and we re-establish the connection again? Should we send CER, or is the first one enough?
Hi Mohamed Yacout,
Ideally, CER/CEA shall be exchanged.
Thanks for your query.
Happy to help you again.
Team-Diameter
What's the real purpose of CER/CEA when they can't be proxied/relayed, since a client will never be able to know the exact capabilities of a server with which it wishes to communicate?
Can anyone tell me why UDP is not used for transporting Diameter messages? Why are TCP and SCTP used?
Reliable transport.
"RADIUS runs over UDP, and does not define retransmission behavior; as a result, reliability varies between implementations. As described in [ACCMGMT], this is a major issue in accounting, where packet loss may translate directly into revenue loss. In order to provide well defined transport behavior, Diameter runs over reliable transport mechanisms (TCP, SCTP) as defined in [AAATRANS]."
Why can CER/CEA messages not be proxied or relayed?
Hi,
Can multiple CER/CEAs be exchanged between 2 nodes? If yes, then in which scenario?
Hi Subhalaxmi behera,
No, ideally CER-CEA shall be exchanged once, and only at the time of Diameter connection establishment.
If another CER is received on an existing connection, then it is treated as a fresh connection, implying the peer (other) node has restarted. All data (sessions) pertaining to the previous connection shall be flushed.
Thanks for your query.
Happy to help you.
Team-Diameter
Hi Team,
In the CER message, only these parameters are mandatory:
{ Origin-Host }
{ Origin-Realm }
1* { Host-IP-Address }
{ Vendor-Id }
{ Product-Name }
How will the server know what applications are supported by the client?
Hi Naresh
You are right. A CER must include at least one of the following AVPs: Auth-Application-Id, Acct-Application-Id, Vendor-Specific-Application-Id and Supported-Vendor-Id, but in the current notation ({Mandatory}, [Optional]) there is no way to represent the at-least-one feature; that is why it shows as [].
There is one more notation, [Conditional]: optional AVPs that become mandatory in a specific situation are called conditional and are represented as [].
The statement below shall help you.
"The receiver of the Capabilities-Exchange-Request (CER) MUST determine common applications by computing the intersection of its own set of supported Application Ids against all of the Application-Id AVPs (Auth-Application-Id, Acct-Application-Id, and Vendor-Specific-Application-Id) present in the CER."
Thanks for your query.
Happy to help you again.
Team-Diameter
Hello...
I just started a Diameter application and am learning the protocol. In my application I see the CER/CEA exchange happening all the time; as I read, this happens if the CEA does not contain the "Diameter Success" Result-Code, but in my case the CEA contains that. Can you help me find another reason for this? I am using a TCP connection without any TLS.
Hi Diego Quevedo
There could be multiple reasons for it. First check that the TCP connection is successfully up.
on linux
netstat -apn | grep [ listen port ]
Kindly share wireshark trace or logfiles.
Thanks for your query.
Happy to help you again.
Team-Diameter
Thank you very much for your reply. I did find the problem, being the "Origin-Host" in the CEA: the client did not accept this value and then tore down the TCP connection to restart. After setting the appropriate value, it was all ok.
Thanks for choosing us as your help.
Team-Diameter
I am having a long delay (more than 20 seconds) to receive the CEA for a particular CER. Sometimes there is no CEA corresponding to the CER. I am new to Diameter and unable to figure out what is wrong.
Hi Zainul Abedin,
Kindly check the TCP or SCTP connection between client and server. If it still fails, kindly share some more details and logs.
Thanks for your query.
Happy to help you again.
Team-Diameter
Hello.
I'd like to clarify some details about the message flow for an application which uses the Diameter protocol.
I'm working on a client software which communicates with a Diameter application with Application-Id=App-X. There are three request messages I need to implement: CER (capability-exchange-request), DWR (device-watchdog-request) and NFR (this is a custom request message defined by the application).
1. Which Application-Id should I insert into diameter header of CER message - 0 (common applications) or App-X?
2. Which AVP should I insert App-X id into to inform the server that I'm going to communicate with this application - Auth-Application-Id, Acct-Application-Id, Vendor-Specific-Application-Id.Auth-Application-Id or Vendor-Specific-Application-Id.Acct-Application-Id? What is the difference between Auth-Application-Id and Vendor-Specific-Application-Id.Auth-Application-Id?
3. Which Application-Id should I insert into diameter header of DWR message - 0 (common applications) or App-X?
4. In NFR header Application-Id has to be App-X, correct?
Hello,
As per your client configuration, use the configuration below.
1. CER
Auth-Application-Id value=X
Acct-Application-Id value=0
Vendor-Specific-Application-Id
Vendor-Id value = 3GPP_ID/Vendor_id
Auth-Application-Id value=X
2&4. NFR: Use only Vendor-Specific-Application-Id in application.
Vendor-Specific-Application-Id
Vendor-Id value = 3GPP_ID/Vendor_id
Auth-Application-Id value=X
3. No Application id in DWR
Ask more if you require more information.
Hi Team,
I have two questions below on Diameter connection establishment.
1. If 2 Diameter nodes are configured with both TCP and SCTP connections, which one will take higher priority? What is the reason?
2. If 5 Diameter servers are configured with the same host name and realm name and listening on port 3868, how to make the client connect to one of these servers? How will the connection be chosen?
Thanks,
Vinayak
Dear Vinayak,
1. Any Diameter node can use both TCP and SCTP. There is nothing like priority. It depends upon your client which transport it wants to use.
2. I have a question for you. How can you configure multiple servers having the same Hostname and Realm on a single LAN?
Rather, use a different identity for each.
I would like to know what the possible impact would be if both peers initiate a connection with each other, i.e. send INIT and, once the transport layer connection is established, send CER to each other. Is that a good solution, or ideally should only one peer initiate the connection and the other respond?
Hi
Theoretically the CER election process shall be initiated and only one transport is used.
Following link shall help you to explain in detail
http://diameter-protocol.blogspot.in/2013/09/election-process.html
Thanks for your query
Hi Team ,
Suppose Vendor-y implemented an application App-y, along with other 3GPP-defined applications (like an auth application).
1. Should the Diameter node send this support in Auth-Application-Id or Vendor-Specific-Application-Id of the CER message?
2. What is the need of the Supported-Vendor-Id AVP?
Can multiple Vendor-Specific-Application-Ids be sent with requests other than CER? Also I don't understand when the following three are to be used:
Acct-Application-Id AVP, Vendor-Specific-Application-Id AVP and Auth-Application-Id.
Hi Team,
Is there any chance to have Auth-Application-Id 0 in CER? I know that Application Id 0 is in the Diameter message header of CER. Does it cause any error if I set Auth-Application-Id 0 besides a Vendor-Specific-Application-Id with the correct Auth-Application-Id X inside?
Many thanks!
Hi Khang Tran
RFC-6733 says:
"The base protocol does not require an Application Id since its support is mandatory."
Therefore advertising Auth-Application-Id 0 does not make any sense.
Hope this suffices your query.
Thanks for your query.
Happy to help you again.
Team-Diameter
Hi Neeraj Surana
We have not found any reference in RFC-6733 to using an FQDN instead of an IP address in the Host-IP-Address AVP.
The Host-IP-Address AVP (AVP Code 257) is of type Address; IP addresses (IPv4, IPv6) are passed.
Thanks for your query.
Happy to help you again.
Team-Diameter
What is the difference between the services advertised during peer discovery and negotiating for compatible applications via capability negotiation?
How does the CER/CEA exchange happen in the case of a DRA? Given that CER/CEA are not proxied/relayed, we should assume that the DRA opens two separate connections with the two ends (i.e. two "stacks"), right? The question is how the end-to-end negotiation of supported applications will actually be done.
I understand that the DRA had better support at least as many applications as the client and server and always set up the connections happily with both ends, but how will the client know that the server does not support some certain application?
I have the same question. For example, if the PCRF and P-Gateway are connected via a DRA, how are the capabilities exchanged, since the DRA will have an independent SCTP session with each node?
Hi,
My question is regarding the Origin-Host M-bit in the CER message. Is it mandatory to have the M-bit SET for a CER message?
One remote peer sends the CER message with the Origin-Host AVP M-bit not set. Our Diameter node rejects it with CEA Diameter error code 3009 Invalid_AVP_Bits.
Regards
Ebru
According to RFC-6733, Origin-Host must follow the AVP flag rules shown below:

                                            +----------+
                                            | AVP Flag |
                                            |  rules   |
                                            |----+-----|
                    AVP  Section            |    |MUST |
   Attribute Name   Code Defined  Data Type |MUST| NOT |
   -----------------------------------------|----+-----|
   Origin-Host      264  6.3      DiamIdent | M  |  V  |

So the M-bit must be set for the Origin-Host AVP.
Is CER-CEA allowed with a duplicate peer (host/realm etc. are the same for 2 or more clients)?
Is there any blog which talks about the prior messages for LDAP link establishment between HSS FE and the BE database UDR?