Network Working Group                              M. Garcia-Martin, Ed.
Request for Comments: 4740                                         Nokia
Category: Standards Track                                   M. Belinchon
                                                       M. Pallares-Lopez
                                                   C. Canales-Valenzuela
                                                                Ericsson
                                                                K. Tammi
                                                                   Nokia
                                                           November 2006
Diameter Session Initiation Protocol (SIP) Application
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2006).
Abstract
This document specifies the Diameter Session Initiation Protocol (SIP) application. This is a Diameter application that allows a Diameter client to request authentication and authorization information. This application is designed to be used in conjunction with SIP and provides a Diameter client co-located with a SIP server, with the ability to request the authentication of users and authorization of SIP resources usage from a Diameter server.
Table of Contents
   1. Introduction
   2. Terminology
   3. Definitions
   4. Acronyms
   5. Applicability Statement
   6. Overview of Operation
      6.1. General Architecture
      6.2. Diameter Server Authenticates the User
      6.3. Delegating Final Authentication Check to the SIP Server
      6.4. SIP Server Requests Authentication and Authorization
      6.5. Locating the Recipient of the SIP Request
      6.6. Update of the User Profile
      6.7. SIP Soft State Termination
      6.8. Diameter Server Discovery
   7. Advertising Application Support
   8. Diameter SIP Application Command Codes
      8.1. User-Authorization-Request (UAR) Command
      8.2. User-Authorization-Answer (UAA) Command
      8.3. Server-Assignment-Request (SAR) Command
      8.4. Server-Assignment-Answer (SAA) Command
      8.5. Location-Info-Request (LIR) Command
      8.6. Location-Info-Answer (LIA) Command
      8.7. Multimedia-Auth-Request (MAR) Command
      8.8. Multimedia-Auth-Answer (MAA) Command
      8.9. Registration-Termination-Request (RTR) Command
      8.10. Registration-Termination-Answer (RTA) Command
      8.11. Push-Profile-Request (PPR) Command
      8.12. Push-Profile-Answer (PPA) Command
   9. Diameter SIP Application AVPs
      9.1. SIP-Accounting-Information AVP
           9.1.1. SIP-Accounting-Server-URI AVP
           9.1.2. SIP-Credit-Control-Server-URI AVP
      9.2. SIP-Server-URI AVP
      9.3. SIP-Server-Capabilities AVP
           9.3.1. SIP-Mandatory-Capability AVP
           9.3.2. SIP-Optional-Capability AVP
      9.4. SIP-Server-Assignment-Type AVP
      9.5. SIP-Auth-Data-Item AVP
           9.5.1. SIP-Authentication-Scheme AVP
           9.5.2. SIP-Item-Number AVP
           9.5.3. SIP-Authenticate AVP
           9.5.4. SIP-Authorization AVP
           9.5.5. SIP-Authentication-Info AVP
           9.5.6. Digest AVPs
      9.6. SIP-Number-Auth-Items AVP
      9.7. SIP-Deregistration-Reason AVP
           9.7.1. SIP-Reason-Code AVP
           9.7.2. SIP-Reason-Info AVP
      9.8. SIP-AOR AVP
      9.9. SIP-Visited-Network-Id AVP
      9.10. SIP-User-Authorization-Type AVP
      9.11. SIP-Supported-User-Data-Type AVP
      9.12. SIP-User-Data AVP
            9.12.1. SIP-User-Data-Type AVP
            9.12.2. SIP-User-Data-Contents AVP
      9.13. SIP-User-Data-Already-Available AVP
      9.14. SIP-Method AVP
   10. New Values for Existing AVPs
       10.1. Extension to the Result-Code AVP Values
             10.1.1. Success Result-Code AVP Values
             10.1.2. Transient Failures Result-Code AVP Values
             10.1.3. Permanent Failures Result-Code AVP Values
   11. Authentication Details
   12. Migration from RADIUS
       12.1. Gateway from RADIUS Client to Diameter Server
       12.2. Gateway from Diameter Client to RADIUS Server
       12.3. Known Limitations
   13. IANA Considerations
       13.1. Application Identifier
       13.2. Command Codes
       13.3. AVP Codes
       13.4. Additional Values for the Result-Code AVP Value
       13.5. Creation of the SIP-Server-Assignment-Type Section in the AAA
       13.6. Creation of the SIP-Authentication-Scheme Section in the AAA
       13.7. Creation of the SIP-Reason-Code Section in the AAA Registry
       13.8. Creation of the SIP-User-Authorization-Type Section in the AAA
       13.9. Creation of the SIP-User-Data-Already-Available Section in the
   14. Security Considerations
       14.1. Final Authentication Check in the Diameter Client/SIP Server
   15. Contributors
   16. Acknowledgements
   17. References
       17.1. Normative References
       17.2. Informative References
This document specifies the Diameter Session Initiation Protocol (SIP) application. This is a Diameter application that allows a Diameter client to request authentication and authorization information from a Diameter server for SIP-based IP multimedia services (see [RFC3261] about SIP). Furthermore, this Diameter SIP application provides the Diameter client with functions that go beyond the typical authorization and authentication, such as the ability to download or receive updated user profiles, or rudimentary routing functions that can assist a SIP server in finding another SIP server allocated to the user.
We assume that the SIP server (such as SIP proxy server, registrar, redirect server, or alike) and the Diameter client are co-located in the same node, so that the SIP server is able to receive and process SIP requests and responses. In turn, the SIP server relies on the Authentication, Authorization, and Accounting (AAA) infrastructure for authenticating the SIP request and authorizing the usage of particular SIP services.
This document provides Diameter procedures to implement certain required functionality when SIP is the protocol chosen to initiate and tear down multimedia sessions or when SIP is used for other non-session-related applications. However, this document does not mandate any particular mapping of SIP procedures to Diameter SIP application procedures, nor does it mandate any particular sequence of events between SIP and Diameter. This document provides useful examples to show the interaction between SIP and the Diameter SIP application in order to achieve the desired functionality.
This application does not require and is not related to other authentication services provided by the Diameter Mobile IPv4 [RFC4004] or the Diameter Network Access Server [RFC4005] applications.
This Diameter SIP application is loosely related to the Diameter credit-control application [RFC4006]. Although both applications are independent, the Diameter SIP application is able to supply the addresses of credit-control servers that will be implementing the Diameter credit-control application [RFC4006].
Section 5 discusses assumptions and configurations assumed by this document.
Section 6 provides the reader with informative descriptions of the Diameter SIP application commands and responses and with some guidance about their linkage with SIP procedures.
Advertisement of this application is specified in Section 7.
Section 8 provides a normative description of all the new Diameter commands defined by this specification.
This application extends the Result-Code Attribute-Value-Pair (AVP) with some new values. Further information is described in Section 10.
This application defines some new AVPs. All these AVPs are described in Section 9.
Some extra information about authentication is provided in Section 11.
In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119 [RFC2119] and indicate requirement levels for compliant implementations.
For the purpose of this document, the following terms and definitions apply:
Node: an addressable device attached to a computer network that implements SIP functionality, Diameter functionality, or a combination of both.
For the purpose of this document, the following terms and definitions given in RFC 3261 [RFC3261] Section 6, apply:
   o  Address-of-Record (AOR)
   o  Outbound proxy
   o  Proxy
   o  Registrar
   o  Server (SIP server)
   o  User Agent (UA)
   o  User Agent Client (UAC)
   o  User Agent Server (UAS)
For the purpose of this document, the following terms and definitions given in RFC 3588 [RFC3588] Section 1.3, apply:
   o  Authorization
   o  Authentication
   o  Attribute-Value Pair (AVP)
   o  Diameter Client
   o  Diameter Server
   o  Home Realm
   o  Redirect Agent
   o  User
   AKA: Authentication and Key Agreement
   LIR: Location-Info-Request
   LIA: Location-Info-Answer
   MAR: Multimedia-Auth-Request
   MAA: Multimedia-Auth-Answer
   PPR: Push-Profile-Request
   PPA: Push-Profile-Answer
   RTR: Registration-Termination-Request
   RTA: Registration-Termination-Answer
   SAR: Server-Assignment-Request
   SAA: Server-Assignment-Answer
   SL:  Subscriber Locator
   UAR: User-Authorization-Request
   UAA: User-Authorization-Answer
This document assumes a general architecture where a Home Realm is composed of one or more nodes implementing Diameter or SIP functions. Users are issuing SIP requests to access SIP resources. For each particular user, the Home Realm needs to authenticate and authorize the usage of those resources and/or the route to the appropriate node. We assume that the database containing the user-related data is located outside the SIP node that requires authorization. Data belonging to different users may be stored in different nodes in the Home Realm, but we assume that all the data related to a particular user is stored in a single node.
Note: Central to the architecture is the fact that the user data is stored in a single point in the network. This restriction does not mandate a particular implementation, e.g., it is possible to implement clusters of databases operating in mirror mode to provide redundancy. The property required by this specification is that the user data the Diameter server has access to is stored safely in what is seen, from the external point of view, as a single user database.
This document allows several configurations of the Home Realm. In one configuration, a SIP server (proxy, registrar, etc.) is allocated to a user for the purpose of triggering and executing services. The allocation of the SIP server may be done dynamically, e.g., at the time the user registers in the network. This configuration requires a SIP server, typically located at the edge of the network, that is able to allocate another SIP server for the user and that also supports routing of SIP requests and responses towards that allocated SIP server. Both SIP server nodes implement a Diameter client.
In another configuration, the address of a SIP outbound proxy is configured (by means outside the scope of this specification) into the SIP User Agent. The outbound Diameter client in the SIP outbound proxy node authenticates the user, requests authorization for SIP requests, and performs accounting activities.
This section provides an informative description of how the Diameter SIP application can be used together with SIP. This section is not intended to mandate any specific usage of the Diameter SIP application nor does it mandate a specific mapping between SIP and Diameter messages. We provide a collection of examples that show how the required AAA functionality can be achieved in conjunction with SIP.
The Diameter SIP application can be used in a SIP environment where an interface to a AAA infrastructure is required to authenticate and authorize the usage of SIP resources. This application provides support for SIP User Agents and proxies that implement and use HTTP Digest authentication [RFC2617], which is the authentication mechanism mandated by SIP [RFC3261]. The application is extensible and, if need arises, it can be extended to provide support for other authentication mechanisms or extensions to HTTP Digest authentication when they occur.
This application provides limited support for accounting services as follows: the Diameter server is able to provide the addresses of accounting servers to the Diameter client. Figure 1, below, shows a general overview of the integration of the SIP architecture with the AAA architecture.
According to Figure 1, there are one or more SIP User Agents (UAs) that initiate or terminate SIP traffic through one or more SIP servers. Both SIP servers implement a Diameter client that supports the Diameter application described in this specification.
                            +--------+
              UAR/UAA  +--->|Diameter|<----+ PPR/PPA
              LIR/LIA  |    | server |     | MAR/MAA
                       |    +--------+     | SAR/SAA
                       |                   | RTR/RTA
                       |                   |
                       v                   v
+------+    SIP    +--------+   SIP    +--------+    SIP    +------+
| SIP  |<--------->|  SIP   |<-------->|  SIP   |<--------->| SIP  |
|  UA  |           |server 1|          |server 2|           |  UA  |
+------+           +--------+          +--------+           +------+
                       ^                   ^
              UAR/UAA  |                   |
              LIR/LIA  |                   | MAR/MAA
                       |    +--------+     | SAR/SAA
                       +--->|Diameter|<----+
                            |   SL   |
                            +--------+
Figure 1: Architecture of the Diameter application for SIP
In Figure 1, it can be seen that SIP server 1 sends different Diameter commands and receives different responses than those sent and received by SIP server 2. This is because SIP server 1 in Figure 1 is located at the edge of a network, and its main task is to locate SIP server 2. SIP server 2 is requesting and receiving authentication and authorization data from the Diameter server and is not located at the edge of the network.
This Diameter application assumes that all the data pertaining to a given user is stored in a single Diameter server. For redundancy purposes, several Diameter servers can be configured in a redundancy fashion, in which case all of them keep the data synchronized and operate externally as a single Diameter server.
With respect to SIP server 1 in Figure 1, the Diameter SIP application provides support for the existence of a farm of these servers, typically configured through one or more DNS records that point to several hosts (this is a typical configuration in common SIP deployments). There is no requirement for these types of servers to keep state related to the Diameter SIP application.
The Diameter SIP application provides support for a feature that allows an administrative domain to provide a collection of SIP servers 2 (as per Figure 1). Once the user registers for the first time, one of these SIP servers is selected and all the SIP requests related to the user are processed by the same SIP server.
The Diameter Subscriber Locator (SL) serves the purpose of locating the Diameter server that contains the user-related data. Its functionality is based on the Diameter redirect mechanism and is further described in Section 6.8.
It should be noted that this document does not mandate any particular SIP/AAA architecture. However, the Diameter SIP application provides the functionality needed to accommodate all the different architectures where SIP and Diameter are used.
The following subsections provide an informative overview of the Diameter SIP application, its commands, and a possible interaction with SIP signaling.
This is the generic mechanism to authenticate users. In this approach, we show an example of an administrative network where the Diameter server is authenticating SIP user requests. This could be the case of a medium-size network where the Diameter server is keeping user records and authenticating SIP requests to perform a certain transaction. We have chosen to show a SIP REGISTER request in the example, but the SIP server could request authentication of any other SIP request.
                 +--------+          +--------+          +--------+
                 |  SIP   |          |Diameter|          |  SIP   |
                 |server 1|          | server |          |server 2|
                 +--------+          +--------+          +--------+
                     |                   |                   |
 1. SIP REGISTER     |                   |                   |
-------------------->|  2. UAR           |                   |
                     |------------------>|                   |
                     |  3. UAA           |                   |
                     |<------------------|                   |
                     |  4. SIP REGISTER                      |
                     |-------------------------------------->|
                     |                   |  5. MAR           |
                     |                   |<------------------|
                     |                   |  6. MAA           |
                     |                   |------------------>|
                     |  7. SIP 401 (Unauthorized)            |
 8. SIP 401 (Unauth.)|<--------------------------------------|
<--------------------|                   |                   |
 9. SIP REGISTER     |                   |                   |
-------------------->|  10. UAR          |                   |
                     |------------------>|                   |
                     |  11. UAA          |                   |
                     |<------------------|                   |
                     |  12. SIP REGISTER                     |
                     |-------------------------------------->|
                     |                   |  13. MAR          |
                     |                   |<------------------|
                     |                   |  14. MAA          |
                     |                   |------------------>|
                     |  15. SIP 200 (OK)                     |
 16. SIP 200 (OK)    |<--------------------------------------|
<--------------------|                   |                   |
                     |                   |  17. SAR          |
                     |                   |<------------------|
                     |                   |  18. SAA          |
                     |                   |------------------>|
                     |                   |                   |
Figure 2: Authentication performed in the Diameter server
According to Figure 2, a SIP User Agent Client (UAC) sends a SIP REGISTER request (step 1) to SIP server 1, which receives the SIP request. In Figure 2, we assume that this SIP server is located at the edge of the administrative home domain. The Diameter client in SIP server 1 contacts its Diameter server by sending a Diameter User-Authorization-Request (UAR) message (step 2) to determine if this user is allowed to receive service, and if so, request the address of a local SIP server capable of handling this user. The Diameter server answers with a Diameter User-Authorization-Answer (UAA) message (step 3), which indicates a list of capabilities that SIP server 1 may use to select an appropriate SIP server (SIP server 2) and/or a SIP or SIPS URI pointing to SIP server 2.
SIP server 1 forwards the SIP REGISTER request (step 4) to an appropriate SIP server (SIP server 2). Then the Diameter client in SIP server 2 requests user authentication from the Diameter server by sending a Diameter Multimedia-Auth-Request (MAR) message (step 5). This request also serves to make the Diameter server aware of the SIP or SIPS URI of SIP server 2, so as to return subsequent requests for the same user to the same SIP server 2. The Diameter server responds with a Diameter Multimedia-Auth-Answer (MAA) message (step 6) with Result-Code AVP set to the value DIAMETER_MULTI_ROUND_AUTH. The Diameter server also generates a nonce and includes a challenge in the MAA message. SIP server 2 uses that challenge to map into the WWW-Authenticate header in the SIP 401 (Unauthorized) response (step 7), which is sent back to SIP server 1 and then to the SIP UAC (step 8).
SIP server 1 receives the next SIP REGISTER request containing the user credentials (step 9). Note that SIP server 1 does not need to keep a state, and even more, there is no guarantee that the SIP request arrives at the same SIP server 1; there could be a farm of SIP servers 1 operating in redundant configuration. The Diameter client in SIP server 1 contacts the Diameter server by sending a Diameter UAR message (step 10) to determine the SIP server allocated to the user. The Diameter server sends the SIP or SIPS URI of SIP server 2 in a Diameter UAA message (step 11).
Then SIP server 1 forwards the SIP REGISTER request to SIP server 2 (step 12). SIP server 2 extracts the credentials from the SIP REGISTER request. The Diameter client in SIP server 2 sends those credentials in a Diameter MAR message (step 13) to the Diameter server. At this point, the Diameter server is able to authenticate the user, and upon success, returns a Diameter MAA message (step 14) with the AVP Result-Code set to the value DIAMETER_SUCCESS.
Then SIP server 2 generates a SIP 200 (OK) response (step 15), which is forwarded to SIP server 1 and eventually to the SIP UAC (step 16).
If the Diameter client in SIP server 2 is interested in downloading the user profile information or is required to store the address of the SIP server in the Diameter server, then the Diameter client sends a Diameter SAR message (step 17) to the Diameter server. The Diameter server replies with a Diameter SAA message (step 18) that contains the requested user profile information and the acknowledgement of the SIP server address storage. These actions are needed when the SIP server has to retrieve a user profile used to provide services to the served user, or when the SIP server keeps a state for the user, so the Diameter server needs to store the SIP server's address.
An operator with a large base of installed SIP servers may wish to minimize the number of round-trips between the Diameter client and the Diameter server. We provide support for a mechanism where the Diameter server delegates the final authentication check to the SIP server, thereby saving a round-trip. Section 14.1 discusses the security considerations of this scenario.
It must be noted that this scenario is not applicable when the Diameter server is configured to use a session MD5 (MD5-sess) algorithm, because the Diameter server requires the client nonce to compute the H(A1) before sending it to the Diameter client. However, the client nonce might not be available at that time.
                 +--------+          +--------+          +--------+
                 |  SIP   |          |Diameter|          |  SIP   |
                 |server 1|          | server |          |server 2|
                 +--------+          +--------+          +--------+
                     |                   |                   |
  1. SIP REGISTER    |                   |                   |
-------------------->|      2. UAR       |                   |
                     |------------------>|                   |
                     |      3. UAA       |                   |
                     |<------------------|                   |
                     |            4. SIP REGISTER            |
                     |-------------------------------------->|
                     |                   |      5. MAR       |
                     |                   |<------------------|
                     |                   |      6. MAA       |
                     |                   |------------------>|
                     |       7. SIP 401 (Unauthorized)       |
8. SIP 401 (Unauth.) |<--------------------------------------|
<--------------------|                   |                   |
  9. SIP REGISTER    |                   |                   |
-------------------->|      10. UAR      |                   |
                     |------------------>|                   |
                     |      11. UAA      |                   |
                     |<------------------|                   |
                     |           12. SIP REGISTER            |
                     |-------------------------------------->|
                     |                   |      13. SAR      |
                     |                   |<------------------|
                     |                   |      14. SAA      |
                     |                   |------------------>|
                     |           15. SIP 200 (OK)            |
  16. SIP 200 (OK)   |<--------------------------------------|
<--------------------|                   |                   |
                     |                   |                   |
Figure 3: Delegation of authentication to the SIP server
Figure 3 shows an example where a SIP server is dynamically allocated to serve a SIP User Agent with the support of the Diameter server. This may be the case of certain architectures, such as that of the 3rd Generation Partnership Project (3GPP) IP Multimedia Core Network Subsystem.
A first SIP server receives a SIP REGISTER request (step 1) whose target is the home network domain. In Figure 3, we assume that this SIP server is located at the edge of the administrative home domain. The Diameter client in this SIP server requests authorization from the Diameter server to proceed with the registration, by sending a Diameter User-Authorization-Request (UAR) message (step 2). The message includes, among other Attribute-Value-Pairs (AVPs), the SIP Address-Of-Record (AOR) that is included in the SIP REGISTER request. The Diameter server verifies the SIP AOR and, if it is a valid defined user in the home network, authorizes the registration to proceed. The Diameter server responds with a Diameter User-Authorization-Answer (UAA) message (step 3), which informs the Diameter client/SIP server about the result of the user authorization. In case of a successful authorization, the Diameter UAA message indicates the address of a local SIP server (SIP server 2 in Figure 3) and/or a list of capabilities that SIP server 1 may use to select an appropriate SIP server 2.
When the authorization is successful, SIP server 1 forwards the SIP REGISTER request (step 4) to the appropriate SIP server (SIP server 2). The Diameter client in SIP server 2 requests authentication parameters by sending a Diameter Multimedia-Auth-Request (MAR) message (step 5) to the Diameter server. This request also makes the Diameter server aware of the SIP or SIPS URI of SIP server 2, so as to return subsequent requests of the same user to the same SIP server 2. The Diameter server responds with a Diameter Multimedia-Auth-Answer (MAA) message (step 6), which includes a nonce and all the rest of the parameters necessary for the designated authentication algorithm associated with the user. Among others, the MAA message includes a Digest-HA1 AVP that contains H(A1) (as defined in RFC 2617 [RFC2617]), and that allows the Diameter client to calculate the expected response. Then the Diameter client can compare this expected response with the response to the challenge sent from the SIP UA. The absence of the Digest-HA1 AVP in MAA indicates that authentication and authorization take place in the Diameter server, as per the scenario described in Section 6.2.
SIP server 2 creates a SIP 401 (Unauthorized) SIP response (step 7) based on the challenge included in the MAA message, including the authentication material needed by the SIP User Agent Client (UAC) to include the appropriate credentials. SIP server 1 forwards the SIP response to the SIP UAC (step 8).
SIP server 1 receives the next SIP REGISTER request containing the user credentials (step 9). Because SIP server 1 does not need to keep a state (and there is no guarantee that the SIP request arrives at the same SIP server 1), the Diameter client in SIP server 1 contacts the Diameter server again by sending a Diameter UAR message (step 10) to determine the SIP server allocated to the user. The Diameter server sends the SIP or SIPS URI of SIP server 2 in a Diameter UAA message (step 11).
SIP server 1 forwards the SIP REGISTER request to SIP server 2 (step 12). SIP server 2 validates the credentials by comparing the response supplied by the SIP UA with the expected response calculated by the SIP server 2 (based on the H(A1) received from the Diameter server).
If the credentials are valid, SIP server 2 sends a Diameter Server-Assignment-Request (SAR) message (step 13) requesting the Diameter server to confirm the completion of the authentication procedure and to confirm the SIP or SIPS URI of the SIP server that is currently serving the user. The Diameter SAR message also serves the purpose of requesting that the Diameter server send the user profile to the SIP server. The Diameter server responds with a Diameter Server-Assignment-Answer (SAA) message (step 14). If the Result-Code AVP value does not inform SIP Server 2 of an error, the SAA message can include zero or more SIP-User-Data AVPs containing the information that SIP server 2 needs in order to provide a service to the user.
SIP server 2 generates a SIP 200 (OK) response (step 15), which is forwarded to SIP server 1 and eventually to the SIP UAC (step 16).
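The check that SIP server 2 performs at step 12, and the reason the MD5-sess algorithm rules this scenario out, can be seen in a short added example (not part of the RFC). It follows the RFC 2617 digest formulas; the dictionary keys other than Digest-HA1, the function names and all sample values are constructed for illustration.

```python
import hashlib
import hmac


def md5_hex(text):
    """Lower-case hex MD5 of a string, the H() of RFC 2617."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1_md5(username, realm, password):
    """H(A1) for algorithm MD5: built from long-term data only."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha1_md5_sess(username, realm, password, nonce, cnonce):
    """H(A1) for MD5-sess: also needs the client nonce, which the
    Diameter server does not have when it sends the MAA of step 6."""
    return md5_hex(f"{ha1_md5(username, realm, password)}:{nonce}:{cnonce}")


def expected_response(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """request-digest of RFC 2617, computed from H(A1), not the password."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth":
        raise ValueError("only qop=auth is handled in this example")
    if not nc or not cnonce:
        raise ValueError("qop=auth requires nc and cnonce")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def check_register(maa, creds, method="REGISTER"):
    """Decision taken by SIP server 2 when the second REGISTER arrives.

    maa   -- values kept from the MAA of step 6 (constructed dict)
    creds -- directives parsed from the SIP Authorization header
    """
    ha1 = maa.get("Digest-HA1")
    if ha1 is None:
        # No Digest-HA1 AVP: the Diameter server authenticates (Section 6.2),
        # so the credentials are sent to it in a MAR instead.
        return "SEND_MAR"
    # The credentials must answer the challenge that was actually issued.
    if creds.get("nonce") != maa["nonce"] or creds.get("realm") != maa["realm"]:
        return "REJECT"
    try:
        want = expected_response(ha1, method, creds["uri"], maa["nonce"],
                                 creds.get("qop"), creds.get("nc"),
                                 creds.get("cnonce"))
    except (KeyError, ValueError):
        return "REJECT"
    got = str(creds.get("response", "")).lower()
    # Constant-time comparison of expected and supplied response.
    ok = hmac.compare_digest(want.encode("utf-8"), got.encode("utf-8"))
    return "SEND_SAR" if ok else "REJECT"


# Constructed sample values, not taken from the RFC.
USER, REALM, PASSWORD = "alice", "example.com", "s3cret"
NONCE = "f84f1cec41e6cbe5aea9c8e88d359"
MAA = {"nonce": NONCE, "realm": REALM,
       "Digest-HA1": ha1_md5(USER, REALM, PASSWORD)}


def ua_credentials(password, cnonce="0a4f113b"):
    """Directives a SIP UA would send in the REGISTER of step 9."""
    uri, nc = "sip:example.com", "00000001"
    ha1 = ha1_md5(USER, REALM, password)
    return {"username": USER, "realm": REALM, "nonce": NONCE, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce,
            "response": expected_response(ha1, "REGISTER", uri, NONCE,
                                          "auth", nc, cnonce)}


if __name__ == "__main__":
    print("correct password:", check_register(MAA, ua_credentials(PASSWORD)))
    print("wrong password:  ", check_register(MAA, ua_credentials("guess")))
    # MD5-sess: H(A1) differs for every client nonce, so it cannot be
    # delivered to the SIP server before the UA has chosen one.
    print(ha1_md5_sess(USER, REALM, PASSWORD, NONCE, "c1"))
    print(ha1_md5_sess(USER, REALM, PASSWORD, NONCE, "c2"))
```

With the plain MD5 algorithm, H(A1) is a password-equivalent value for the realm, which is why delegating the check moves sensitive material to the SIP server.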
Figure 4 depicts a typical scenario where a stateless SIP proxy requests authentication information and authorization from a Diameter server, for the purpose of providing SIP routing services to a SIP User Agent. The SIP proxy server may be configured as an outbound SIP proxy, so that all the requests initiated by the SIP UA traverse the SIP proxy.
According to Figure 4, a SIP User Agent sends a SIP request to its outbound SIP proxy server. In this case, the message is a SIP INVITE request (see step 1), but it could be any other SIP request. We assume that this SIP request does not contain any credentials at this time. The outbound SIP proxy server needs to authenticate and authorize the proxy services offered to the user. The Diameter client in the SIP server sends a Multimedia-Auth-Request (MAR) message (step 2). The Diameter server generates a nonce and sends a Multimedia-Auth-Answer (MAA) message (step 3) that includes the nonce and the rest of the data necessary for the SIP server to challenge the user, typically with HTTP Digest Authentication indicated in the MAA message. This data enables the SIP server to create a SIP 407 (Proxy Authentication Required) response (step 4) that contains a challenge. The SIP UA creates a new INVITE request (step 5) that contains the credentials. The Diameter client in the SIP server sends the credentials to the Diameter server in a new Diameter MAR message (step 6). The Diameter server validates the credentials and authorizes the SIP transaction in a Diameter MAA message (step 7). The SIP server forwards the SIP INVITE request to its destination (step 8) as per regular SIP procedures. Eventually, the session setup is confirmed with a SIP 200 (OK) response (step 9) that is forwarded to the SIP UA (step 10). The session setup is complete.
            +--------+          +--------+
            |Diameter|          |  SIP   |
            | server |          | server |
            +--------+          +--------+
                |                   |
                |                   |
          1. SIP INVITE             |
----------------------------------->|
                |      2. MAR       |
                |<------------------|
                |      3. MAA       |
                |------------------>|
                |                   |
         4. SIP 407 (Proxy          |
      Authentication Required)      |
<-----------------------------------|
                |                   |
          5. SIP INVITE             |
----------------------------------->|
                |      6. MAR       |
                |<------------------|
                |      7. MAA       |
                |------------------>| 8. SIP INVITE
                |                   |---------------->
                |                   | 9. SIP 200 (OK)
         10. SIP 200 (OK)           |<----------------
<-----------------------------------|
                |                   |
Figure 4: SIP server requests authorization
Figure 5 shows the scenario where SIP server 1 may be configured as a SIP edge proxy server, processing SIP traffic at the edge of a network. SIP server 1 receives a SIP INVITE request (step 1). SIP server 1 needs to find the address of SIP server 2, which is serving the recipient of the SIP request. The Diameter client in SIP server 1 sends a Diameter Location-Info-Request (LIR) message (step 2) to the Diameter server. The Diameter server responds with a Diameter Location-Info-Answer (LIA) message (step 3) that contains the SIP or SIPS URI of SIP server 2. SIP server 1 then forwards the SIP INVITE to SIP server 2 (step 4). SIP server 2 eventually forwards the SIP INVITE to the appropriate UAS (step 5).
           +--------+        +--------+       +--------+
           |  SIP   |        |Diameter|       |  SIP   |
           |server 1|        | server |       |server 2|
           +--------+        +--------+       +--------+
               |                 |                |
 1. SIP INVITE |                 |                |
-------------->|     2. LIR      |                |
               |---------------->|                |
               |     3. LIA      |                |
               |<----------------|                |
               |          4. SIP INVITE           |
               |--------------------------------->|
               |                 |                | 5. SIP INVITE
               |                 |                |-------------->
               |                 |                |
               |                 |                |
Figure 5: Locating the SIP server of the recipient
Although the example shows the connection between a SIP INVITE request and the Diameter LIR message, any SIP request other than REGISTER (such as SUBSCRIBE, OPTIONS, etc.) would trigger the same Diameter message. (A SIP REGISTER request will trigger a Diameter UAR message, as indicated in Figure 2 and Figure 3.)
The scenario described in this section is also applicable in case an outbound SIP server is not interested in authenticating the user, but is required to locate a further SIP server to route the outbound SIP requests. In this case, the outbound SIP server is mapped to SIP server 1 as shown in Figure 5.
The Diameter SIP application provides a mechanism for a Diameter server to asynchronously download a user profile to a SIP server whenever there is an update of such user profile. It must be noted that the Diameter server also attaches the user profile to the Diameter Server-Assignment-Answer (SAA) message. This is valid for most of the daily situations; however, the administrator may decide to update or modify the user profile for a particular user, due to, e.g., new services made available to the user. This may involve mechanisms outside the scope of this specification, such as human intervention, in the Diameter server. In this situation, the Diameter server is able to push the new user profile into the SIP server allocated to the user.
The scenario is illustrated in Figure 6. When the user profile changes, the Diameter server sends a Diameter Push-Profile-Request (PPR) message (step 1) to the Diameter client in the SIP server allocated to that user (SIP server 2 in the examples). The Diameter PPR message contains one or more SIP-User-Data AVPs, a User-Name AVP and zero or more SIP-AOR AVPs. The Diameter client in SIP server 2 acknowledges the Diameter PPR message by sending a Diameter Push-Profile-Answer (PPA) message (step 2) to the Diameter server.
           +--------+          +--------+
           |Diameter|          |  SIP   |
           | server |          |server 2|
           +--------+          +--------+
               |                   |
               |      1. PPR       |
               |------------------>|
               |                   |
               |      2. PPA       |
               |<------------------|
               |                   |
Figure 6: Diameter server pushes an update of the user profile
SIP can create soft states in SIP nodes based on events such as SIP registrations or SIP event subscriptions. These states are periodically refreshed, and cease to exist if they are not refreshed. Additionally, an administrative action can be taken to terminate a SIP soft state, or the SIP UA can explicitly terminate a SIP soft state.
The Diameter base protocol offers a mechanism to create and delete states in Diameter nodes. These states are called Diameter user sessions. The Diameter server decides whether to use a Diameter user session as a mechanism to map to a SIP soft state. If the Diameter server decides to use Diameter user sessions, the termination of a Diameter user session implies the termination of the corresponding SIP soft state (e.g., registration, event subscription), and vice versa. If the Diameter server does not use Diameter user sessions, this Diameter SIP application offers specific commands to manage the SIP soft states. Implementations compliant with this specification MUST support both mechanisms of session management.
We provide support for both Diameter client- and Diameter server-initiated session termination. Depending on whether Diameter sessions are used, termination of a SIP soft state can be achieved by one of the following methods:
o When the Diameter client (SIP proxy) wants to terminate the SIP soft state and Diameter user sessions are not maintained (i.e., the Auth-Session-State AVP has been previously set to NO_STATE_MAINTAINED), the Diameter client MUST send a Server-Assignment-Request (SAR) message with the SIP-Server-Assignment-Type AVP (Section 9.4) set to any of the deregistration values: TIMEOUT_DEREGISTRATION, USER_DEREGISTRATION, TIMEOUT_DEREGISTRATION_STORE_SERVER_NAME, USER_DEREGISTRATION_STORE_SERVER_NAME, ADMINISTRATIVE_DEREGISTRATION, DEREGISTRATION_TOO_MUCH_DATA.
o When the Diameter client (SIP proxy) wants to terminate the SIP soft state and Diameter user sessions are maintained (i.e., the Auth-Session-State AVP has been previously set to STATE_MAINTAINED), the Diameter client MUST send a Session-Termination-Request (STR) message as per regular procedures according to RFC 3588 [RFC3588].
o When the Diameter server wants to terminate the SIP soft state and Diameter user sessions are not maintained (i.e., the Auth-Session-State AVP has been previously set to NO_STATE_MAINTAINED), the Diameter server MUST send a Registration-Termination-Request (RTR) message (see Section 8.9).
o When the Diameter server wants to terminate the SIP soft state and Diameter user sessions are maintained (i.e., the Auth-Session-State AVP has been previously set to STATE_MAINTAINED), the Diameter server MUST send an Abort-Session-Request (ASR) message as per regular procedures according to RFC 3588 [RFC3588].
The basic architecture assumption of this document is that all the data related to a user is stored in a unique Diameter server. Contrary to general opinion, this does not create a single point of failure. It is assumed that Diameter servers are configured in a redundant fashion in an attempt to mitigate the single-point-of-failure problem.
In large networks, where the number of users may be significantly high, there might be a need to scale the number of Diameter servers. All the data associated with a user is still stored in one Diameter server (typically, operating in a redundant configuration), but the data associated with different users may reside in different Diameter servers.
Although this configuration scales well, it introduces a new problem, namely: given the user's SIP AOR as an input, how to determine which of various Diameter servers is storing the data for that particular SIP AOR. We solve this problem with inspiration from the Diameter redirection mechanism specified in RFC 3588 [RFC3588]. We include in the architecture a new Diameter node that, for the purpose of this document, is known as Diameter Subscriber Locator (SL). The Diameter SL contains a database or routing tables that map SIP AORs to Diameter server URIs. A particular Diameter server URI points to the actual Diameter server that stores all the data related to a particular SIP AOR, and in consequence, to the user who owns the SIP AOR. The Diameter SL acts in a similar way to a Diameter Redirect Agent, dispatching Diameter requests (e.g., providing the redirection URI in the answer). The Diameter SL can redirect all the requests pertaining to a user by setting the Redirect-Host-Usage AVP with a value ALL_USER, as specified in RFC 3588 [RFC3588].
The Diameter SL can be replicated in different nodes along the network, for the purpose of building scalability and redundancy. The database or routing tables have to be consistent across all these different Diameter SLs, so that equal Diameter requests will produce equal Diameter answers, no matter which Diameter SL processes the request.
         +--------+  +--------+  +--------+   +--------+
         |  SIP   |  |Diameter|  |Diameter|   |  SIP   |
         |server 1|  |SL red. |  |server 1|   |server 2|
         +--------+  +--------+  +--------+   +--------+
             |           |           |            |
1. SIP INVITE|           |           |            |
------------>|  2. LIR   |           |            |
             |---------->|           |            |
             |  3. LIA   |           |            |
             |<----------|           |            |
             |        4. LIR         |            |
             |---------------------->|            |
             |        5. LIA         |            |
             |<----------------------|            |
             |     6. SIP INVITE     |            |
             |----------------------------------->| 7. SIP INVITE
             |           |           |            | ------------->
             |           |           |            |
Figure 7: Locating a Diameter server. SL redirecting requests
Figure 7 shows an example of operation of a Diameter SL acting in redirect mode. SIP server 1 receives an INVITE request (step 1) addressed (in the SIP Request-URI) to a user for which the Diameter client in SIP server 1 does not possess routing information. In other words, the Diameter client in SIP server 1 does not know the URI of the Diameter server 1. The Diameter client sends a Diameter LIR message (step 2) to any of the Diameter SLs configured in the network. The address of those SLs is assumed to be pre-provisioned in the Diameter client. The Diameter SL, based on the contents of the SIP-AOR AVP and its own routing tables, determines the Diameter server that stores the information allocated to such user. Then it builds a Diameter LIA message (step 3) that includes a Result-Code AVP set to DIAMETER_REDIRECT_INDICATION and one Redirect-Host AVP, whose value is set to the URI of the Diameter server that stores the information related to such user. Then the Diameter client in SIP server 1 builds a new LIR message (step 4) addressed to the Diameter server received in the Redirect-Host AVP. The rest of the procedure is completed as described in previous sections.
Diameter implementations conforming to this specification MUST advertise their support by including an Auth-Application-Id AVP in the Capabilities-Exchange-Request (CER) and Capabilities-Exchange-Answer (CEA) commands, according to the Diameter base protocol, RFC 3588 [RFC3588]. This Auth-Application-Id AVP MUST be set to the value of this Diameter SIP application (Section 13.1 indicates the actual value allocated by IANA).
All the Diameter implementations conforming to this specification MUST implement and support the list of Diameter commands listed in Table 1.
+-------------------------------------+-------+------+--------------+
| Command Name                        | Abbr. | Code | Reference    |
+-------------------------------------+-------+------+--------------+
| User-Authorization-Request          | UAR   | 283  | Section 8.1  |
| User-Authorization-Answer           | UAA   | 283  | Section 8.2  |
| Server-Assignment-Request           | SAR   | 284  | Section 8.3  |
| Server-Assignment-Answer            | SAA   | 284  | Section 8.4  |
| Location-Info-Request               | LIR   | 285  | Section 8.5  |
| Location-Info-Answer                | LIA   | 285  | Section 8.6  |
| Multimedia-Auth-Request             | MAR   | 286  | Section 8.7  |
| Multimedia-Auth-Answer              | MAA   | 286  | Section 8.8  |
| Registration-Termination-Request    | RTR   | 287  | Section 8.9  |
| Registration-Termination-Answer     | RTA   | 287  | Section 8.10 |
| Push-Profile-Request                | PPR   | 288  | Section 8.11 |
| Push-Profile-Answer                 | PPA   | 288  | Section 8.12 |
+-------------------------------------+-------+------+--------------+
Table 1: Defined command codes
表1:定义的命令代码
Sections defining commands contain the Message Format for that particular command. The Message Formats included in this document are defined as per Section 3.2 of RFC 3588 [RFC3588].
The User-Authorization-Request (UAR) is indicated by the Command-Code set to 283 and the Command Flags' 'R' bit set. The Diameter client in a SIP server sends this command to the Diameter server to request authorization for the SIP User Agent to route a SIP REGISTER request. Because the SIP REGISTER request implicitly carries a permission to bind an AOR to a contact address, the Diameter client uses the Diameter UAR as a first authorization request towards the Diameter server to authorize the registration. For instance, the Diameter server can verify that the AOR is a legitimate user of the realm.
The Diameter client in the SIP server requests authorization for one of the possible values defined in the SIP-User-Authorization-Type AVP (Section 9.10).
The user name used for authentication of the user is conveyed in a User-Name AVP (defined in the Diameter base protocol, RFC 3588 [RFC3588]). The location of the authentication user name in the SIP REGISTER request varies depending on the authentication mechanism. When the authentication mechanism is HTTP Digest as defined in RFC 2617 [RFC2617], the authentication user name is found in the "username" directive of the SIP Authorization header field value. This Diameter SIP application only provides support for HTTP Digest authentication in SIP; other authentication mechanisms are not currently supported.
The SIP or SIPS URI to be registered is conveyed in the SIP-AOR AVP (Section 9.8). Typically this SIP or SIPS URI is found in the To header field value of the SIP REGISTER request that triggered the Diameter UAR message.
The SIP-Visited-Network-Id AVP indicates the network that is providing SIP services (e.g., SIP proxy functionality or any other kind of services) to the SIP User Agent.
The Message Format of the UAR command is as follows:
   <UAR> ::= < Diameter Header: 283, REQ, PXY >
             < Session-Id >
             { Auth-Application-Id }
             { Auth-Session-State }
             { Origin-Host }
             { Origin-Realm }
             { Destination-Realm }
             { SIP-AOR }
             [ Destination-Host ]
             [ User-Name ]
             [ SIP-Visited-Network-Id ]
             [ SIP-User-Authorization-Type ]
           * [ Proxy-Info ]
           * [ Route-Record ]
           * [ AVP ]
The User-Authorization-Answer (UAA) is indicated by the Command-Code set to 283 and the Command Flags' 'R' bit cleared. The Diameter server sends this command in response to a previously received Diameter User-Authorization-Request (UAR) command. The Diameter server indicates the result of the requested registration authorization. Additionally, the Diameter server may indicate a collection of SIP capabilities that assists the Diameter client to select a SIP proxy to the AOR under registration.
In addition to the values already defined in RFC 3588 [RFC3588], the Result-Code AVP may contain one of the values defined in Section 10.1.
Whenever the Diameter server fails to process the Diameter UAR message, it MUST stop processing and return the relevant error in the Diameter UAA message. When there is success in the process, the Diameter server MUST set the code to DIAMETER_SUCCESS in the Diameter UAA message.
If the Diameter server requires a User-Name AVP value to process the Diameter UAR request, but the Diameter UAR message did not contain a User-Name AVP value, the Diameter server MUST set the Result-Code AVP value to DIAMETER_USER_NAME_REQUIRED (see Section 10.1.2) and return it in a Diameter UAA message. Upon reception of this Diameter UAA message with the Result-Code AVP value set to DIAMETER_USER_NAME_REQUIRED, the SIP server typically requests authentication by sending a SIP 401 (Unauthorized) or SIP 407 (Proxy Authentication Required) response back to the originator.
When the authorization procedure succeeds, the Diameter server constructs a User-Authorization-Answer (UAA) message that MUST include (1) the address of the SIP server already assigned to the user name, (2) the capabilities needed by the SIP server (Diameter client) to select another SIP server for the user, or (3) a combination of the previous two options.
If the Diameter server is already aware of a SIP server allocated to the user, the Diameter UAA message contains the address of that SIP server.
The Diameter UAA message contains the capabilities required by a SIP server to trigger and execute services. It is required that these capabilities are present in the Diameter UAA message due to the possibility that the Diameter client (in the SIP server) allocates a different SIP server to trigger and execute services for that particular user.
If a User-Name AVP is present in the Diameter UAR message, then the Diameter server MUST verify the existence of the user in the realm, i.e., the User-Name AVP value is a valid user within that realm. If the Diameter server does not recognize the user name received in the User-Name AVP, the Diameter server MUST build a Diameter User-Authorization-Answer (UAA) message and MUST set the Result-Code AVP to DIAMETER_ERROR_USER_UNKNOWN.
If a User-Name AVP is present in the Diameter UAR message, then the Diameter server MUST authorize that User-Name AVP value is able to register the SIP or SIPS URI included in the SIP-AOR AVP. If this authorization fails, the Diameter server must set the Result-Code AVP to DIAMETER_ERROR_IDENTITIES_DONT_MATCH and send it in a Diameter User-Authorization-Answer (UAA) message.
Note: Correlation between User-Name and SIP-AOR AVP values is required in order to avoid registration of a SIP-AOR allocated to another user.
If there is a SIP-Visited-Network-Id AVP in the Diameter UAR message, and the SIP-User-Authorization-Type AVP value received in the Diameter UAR message is set to REGISTRATION or REGISTRATION&CAPABILITIES, then the Diameter server SHOULD verify whether the user is allowed to roam into the network specified in the SIP-Visited-Network-Id AVP in the Diameter UAR message. If the user is not allowed to roam into that network, the Diameter AAA server MUST set the Result-Code AVP value in the Diameter UAA message to DIAMETER_ERROR_ROAMING_NOT_ALLOWED.
If the SIP-User-Authorization-Type AVP value received in the Diameter UAR message is set to REGISTRATION or REGISTRATION&CAPABILITIES, then the Diameter server SHOULD verify whether the SIP-AOR AVP value is authorized to register in the Home Realm. Where the SIP AOR is not authorized to register in the Home Realm, the Diameter server MUST set the Result-Code AVP to DIAMETER_AUTHORIZATION_REJECTED and send it in a Diameter UAA message.
When the SIP-User-Authorization-Type AVP is not present in the Diameter UAR message, or when it is present and its value is set to REGISTRATION, then:
o If the Diameter server is not aware of any previous registration of the user name (including registrations of other SIP AORs allocated to the same user name), then the Diameter server does not know of any SIP server allocated to the user. In this case, the Diameter server MUST set the Result-Code AVP value to DIAMETER_FIRST_REGISTRATION in the Diameter UAA message, and the Diameter server SHOULD include the required SIP server capabilities in the SIP-Server-Capabilities AVP value in the Diameter UAA message. The SIP-Server-Capabilities AVP assists the Diameter client (SIP server) to select an appropriate SIP server for the user, according to the required capabilities.
o In some cases, the Diameter server is aware of a previously assigned SIP server for the same or different SIP AORs allocated to the same user name. In these cases, re-assignment of a new SIP server may or may not be needed, depending on the capabilities of the SIP server. The Diameter server MUST always include the allocated SIP server URI in the SIP-Server-URI AVP of the UAA message. If the Diameter server does not return the SIP capabilities, the Diameter server MUST set the Result-Code AVP in the Diameter UAA message to DIAMETER_SUBSEQUENT_REGISTRATION. Otherwise (i.e., if the Diameter server includes a SIP-Server-Capabilities AVP), then the Diameter server MUST set the Result-Code AVP in the Diameter UAA message to DIAMETER_SERVER_SELECTION. Then the Diameter client determines, based on the received information, whether it needs to select a new SIP server.
When the SIP-User-Authorization-Type AVP value received in the Diameter UAR message is set to REGISTRATION&CAPABILITIES, then Diameter Server MUST return the list of capabilities in the SIP-Server-Capabilities AVP value of the Diameter UAA message, it MUST set the Result-Code to DIAMETER_SUCCESS, and it MUST NOT return a SIP-Server-URI AVP. The SIP-Server-Capabilities AVP enables the SIP server (Diameter client) to select another appropriate SIP server for invoking and executing services for the user, depending on the required capabilities. The Diameter server MAY leave the list of capabilities empty to indicate that any SIP server can be selected.
When the SIP-User-Authorization-Type AVP value received in the Diameter UAR message is set to DEREGISTRATION, then:
o If the Diameter server is aware of a SIP server assigned to the SIP AOR under deregistration, the Diameter server MUST set the Result-Code AVP to DIAMETER_SUCCESS and MUST set the SIP-Server-URI AVP value to the known SIP server, and return them in the Diameter UAA message.
o If the Diameter server is not aware of a SIP server assigned to the SIP AOR under deregistration, then the Diameter server MUST set the Result-Code AVP in the Diameter UAA message to DIAMETER_ERROR_IDENTITY_NOT_REGISTERED.
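The UAA decision procedure described above, as an added Python sketch that is not part of the RFC. The class and field names, the sample subscribers, the opaque capability values, the `caps_on_reregistration` policy switch, and treating an absent SIP-User-Authorization-Type as REGISTRATION for every check are assumptions of this example; the server modeled here always requires a User-Name AVP.

```python
from dataclasses import dataclass, field

REG = "REGISTRATION"
DEREG = "DEREGISTRATION"
REG_CAPS = "REGISTRATION&CAPABILITIES"


def uaa(code, **avps):
    """Build a UAA as a dict; keyword names use '_' where the AVP name has '-'."""
    return {"Result-Code": code, **{k.replace("_", "-"): v for k, v in avps.items()}}


@dataclass
class Subscriber:
    aors: set                                         # SIP/SIPS URIs this user name may register
    roaming: set = field(default_factory=set)         # visited networks the user may roam into
    capabilities: list = field(default_factory=list)  # opaque stand-in for SIP-Server-Capabilities


@dataclass
class HomeServer:
    subscribers: dict                                  # user name -> Subscriber
    home_aors: set                                     # AORs authorized to register in the home realm
    caps_on_reregistration: bool = False               # local policy switch (assumption)
    server_by_aor: dict = field(default_factory=dict)  # AOR -> assigned SIP server URI

    def answer_uar(self, sip_aor, user_name=None, visited_network=None, auth_type=None):
        # Stop at the first failing check and return the matching error.
        if user_name is None:                  # this server requires User-Name
            return uaa("DIAMETER_USER_NAME_REQUIRED")
        sub = self.subscribers.get(user_name)
        if sub is None:
            return uaa("DIAMETER_ERROR_USER_UNKNOWN")
        if sip_aor not in sub.aors:            # User-Name / SIP-AOR correlation
            return uaa("DIAMETER_ERROR_IDENTITIES_DONT_MATCH")

        kind = auth_type or REG                # assumption: absent type means REGISTRATION
        if kind not in (REG, DEREG, REG_CAPS):
            raise ValueError(f"unsupported SIP-User-Authorization-Type: {kind!r}")
        if kind in (REG, REG_CAPS):
            if visited_network is not None and visited_network not in sub.roaming:
                return uaa("DIAMETER_ERROR_ROAMING_NOT_ALLOWED")
            if sip_aor not in self.home_aors:
                return uaa("DIAMETER_AUTHORIZATION_REJECTED")

        caps = list(sub.capabilities)
        if kind == REG_CAPS:                   # capabilities only, never a SIP-Server-URI
            return uaa("DIAMETER_SUCCESS", SIP_Server_Capabilities=caps)
        if kind == DEREG:
            server = self.server_by_aor.get(sip_aor)
            if server is None:
                return uaa("DIAMETER_ERROR_IDENTITY_NOT_REGISTERED")
            return uaa("DIAMETER_SUCCESS", SIP_Server_URI=server)

        # REGISTRATION: any AOR of the same user name counts as a previous registration.
        servers = sorted({self.server_by_aor[a] for a in sub.aors if a in self.server_by_aor})
        if not servers:
            return uaa("DIAMETER_FIRST_REGISTRATION", SIP_Server_Capabilities=caps)
        if self.caps_on_reregistration:
            return uaa("DIAMETER_SERVER_SELECTION",
                       SIP_Server_URI=servers[0], SIP_Server_Capabilities=caps)
        return uaa("DIAMETER_SUBSEQUENT_REGISTRATION", SIP_Server_URI=servers[0])


def sample_server():
    """Constructed sample data; every name and value here is a placeholder."""
    return HomeServer(
        subscribers={
            "alice@example.com": Subscriber(
                aors={"sip:alice@example.com", "sips:alice@example.com"},
                roaming={"visited.example.net"},
                capabilities=["cap-1", "cap-2"]),
            "bob@example.com": Subscriber(aors={"sip:bob@example.com"}),
        },
        home_aors={"sip:alice@example.com", "sips:alice@example.com"},
    )
```

The IDENTITIES_DONT_MATCH branch is the check the Note above calls for: a known user presenting another user's AOR is rejected before any assignment state is consulted.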
The Message Format of the UAA command is as follows:
   <UAA> ::= < Diameter Header: 283, PXY >
             < Session-Id >
             { Auth-Application-Id }
             { Auth-Session-State }
             { Result-Code }
             { Origin-Host }
             { Origin-Realm }
             [ SIP-Server-URI ]
             [ SIP-Server-Capabilities ]
             [ Authorization-Lifetime ]
             [ Auth-Grace-Period ]
             [ Redirect-Host ]
             [ Redirect-Host-Usage ]
             [ Redirect-Max-Cache-Time ]
           * [ Proxy-Info ]
           * [ Route-Record ]
           * [ AVP ]
The Server-Assignment-Request (SAR) command is indicated by the Command-Code set to 284 and the Command Flags' 'R' bit set. The Diameter client in a SIP server sends this command to the Diameter server to indicate the completion of the authentication process and to request that the Diameter server store the URI of the SIP server that is currently serving the user. The main functions of the Diameter SAR command are to inform the Diameter server of the URI of the SIP server allocated to the user, and to store or clear it from the Diameter server. Additionally, the Diameter client can request to download the user profile or part of it.
During the registration procedure, a SIP server becomes assigned to the user. The Diameter client in the assigned SIP server MUST include its own URI in the SIP-Server-URI AVP of the Server-Assignment-Request (SAR) Diameter message and send it to the Diameter server. The Diameter server then becomes aware of the allocation of the SIP server to the user name and the server's URI.
The Diameter client in the SIP server MAY send a Diameter SAR message because of other reasons. These reasons are identified in the SIP-Server-Assignment-Type AVP (Section 9.4) value. For instance, a Diameter client in a SIP server may contact the Diameter server to request deregistration of a user, to inform the Diameter server of an authentication failure, or just to download the user profile. For a complete description of all the SIP-Server-Assignment-Type AVP values, see Section 9.4.
Typically the reception of a SIP REGISTER request in a SIP server will trigger the Diameter client in the SIP server to send the Diameter SAR message. However, if a SIP server is receiving another SIP request, such as INVITE, and the SIP server does not have the user profile, the Diameter client in the SIP server may send the Diameter SAR message to the Diameter server in order to download the user profile and make the Diameter server aware of the SIP server assigned to the user.
The user profile is an important piece of information that dictates the behavior of the SIP server when triggering or providing services for the user. Typically the user profile is divided into:
o Services to be rendered to the user when the user is registered and initiates a SIP request.
o Services to be rendered to the user when the user is registered and a SIP request destined to that user arrives to the SIP proxy.
o Services to be rendered to the user when the user is not registered and a SIP request destined to that user arrives to the SIP proxy.
The SIP-Server-Assignment-Type AVP indicates the reason why the Diameter client (SIP server) contacted the Diameter server. If the Diameter client sets the SIP-Server-Assignment-Type AVP value to REGISTRATION, RE_REGISTRATION, UNREGISTERED_USER, NO_ASSIGNMENT, AUTHENTICATION_FAILURE or AUTHENTICATION_TIMEOUT, the Diameter client MUST include exactly one SIP-AOR AVP in the Diameter SAR message.
The SAR message MAY contain zero or more SIP-Supported-User-Data-Type AVPs. Each of them contains a type of user data understood by the SIP server. This allows the Diameter client to provide an indication to the Diameter server of the different format of user data understood by the SIP server. The Diameter server uses this information to select one or more SIP-User-Data AVPs that will be included in the SAA message.
The Message Format of the SAR command is as follows:
   <SAR> ::= < Diameter Header: 284, REQ, PXY >
             < Session-Id >
             { Auth-Application-Id }
             { Auth-Session-State }
             { Origin-Host }
             { Origin-Realm }
             { Destination-Realm }
             { SIP-Server-Assignment-Type }
             { SIP-User-Data-Already-Available }
             [ Destination-Host ]
             [ User-Name ]
             [ SIP-Server-URI ]
           * [ SIP-Supported-User-Data-Type ]
           * [ SIP-AOR ]
           * [ Proxy-Info ]
           * [ Route-Record ]
           * [ AVP ]
The Server-Assignment-Answer (SAA) is indicated by the Command-Code set to 284 and the Command Flags' 'R' bit cleared. The Diameter server sends this command in response to a previously received Diameter Server-Assignment-Request (SAR) command. The response may include the user profile or part of it, if requested.
In addition to the values already defined in RFC 3588 [RFC3588], the Result-Code AVP may contain one of the values defined in Section 10.1.
The Result-Code AVP value in the Diameter SAA message may indicate a success or an error in the execution of the Diameter SAR command. If the Result-Code AVP value in the Diameter SAA message does not contain an error code, the SAA message MAY include one or more SIP-User-Data AVPs that typically contain the profile of the user, indicating services that the SIP server can provide to that user.
The Diameter server MAY include one or more SIP-Supported-User-Data-Type AVPs, each one identifying a type of user data format supported in the Diameter server. If there is not a common supported user data type between the Diameter client and the Diameter server, the Diameter server SHOULD declare its list of supported user data types by including one or more SIP-Supported-User-Data-Type AVPs in a Diameter SAA message. This indication is merely for debugging reasons, since there is not a fallback mechanism that allows the Diameter client to retrieve the profile in a supported format.
If the Diameter server requires a User-Name AVP value to process the Diameter SAR request, but the Diameter SAR message did not contain a User-Name AVP value, the Diameter server MUST set the Result-Code AVP value to DIAMETER_USER_NAME_REQUIRED (see Section 10.1.2) and return it in a Diameter SAA message. Upon reception of this Diameter SAA message with the Result-Code AVP value set to DIAMETER_USER_NAME_REQUIRED, the SIP server typically requests authentication by generating a SIP 401 (Unauthorized) or SIP 407 (Proxy Authentication Required) response back to the originator.
If the User-Name AVP is included in the Diameter SAR message, upon reception of the Diameter SAR message, the Diameter server MUST verify the existence of the user in the realm, i.e., the User-Name AVP value is a valid user within that realm. If the Diameter server does not recognize the user name received in the User-Name AVP, the Diameter server MUST build a Diameter Server-Assignment-Answer (SAA) message and MUST set the Result-Code AVP to DIAMETER_ERROR_USER_UNKNOWN.
Then the Diameter server MUST authorize that User-Name AVP value is a valid authentication name for the SIP or SIPS URI included in the SIP-AOR AVP of the Diameter SAR message. If this authorization fails, the Diameter server must set the Result-Code AVP to DIAMETER_ERROR_IDENTITIES_DONT_MATCH and send it in a Diameter Server-Assignment-Answer (SAA) message.
After successful execution of the Diameter SAR command, the Diameter server MUST clear the "authentication pending" flag and SHOULD move the temporarily stored SIP server URI to permanent storage.
The actions of the Diameter server upon reception of the Diameter SAR message depend on the value of the SIP-Server-Assignment-Type:
o If the SIP-Server-Assignment-Type AVP value in the Diameter SAR message is set to REGISTRATION or RE_REGISTRATION, the Diameter server SHOULD verify that there is only one SIP-AOR AVP. Otherwise, the Diameter server MUST answer with a Diameter SAA message with the Result-Code AVP value set to DIAMETER_AVP_OCCURS_TOO_MANY_TIMES and MUST NOT include any SIP-User-Data AVP. If there is only one SIP-AOR AVP and if the SIP-User-Data-Already-Available AVP value is set to USER_DATA_NOT_AVAILABLE, then the Diameter server SHOULD include one or more user profile data with the SIP or SIPS URI (SIP-AOR AVP) and all other SIP identities associated with that AVP in the SIP-User-Data AVP value of the Diameter SAA message. On selecting the type of user data, the Diameter server SHOULD take into account the supported formats at the SIP server (SIP-Supported-User-Data-Type AVP in the SAR message) and the local policy. Additionally, the Diameter server MUST set the Result-Code AVP value to DIAMETER_SUCCESS in the Diameter SAA message. The Diameter server considers the SIP AOR authenticated and registered.
o If the SIP-Server-Assignment-Type AVP value in the Diameter SAR message is set to UNREGISTERED_USER, then the Diameter server MUST store the SIP server address included in the SIP-Server-URI AVP value. The Diameter server will return the SIP server address in Diameter Location-Info-Answer (LIA) messages. If the SIP-User-Data-Already-Available AVP value is set to USER_DATA_NOT_AVAILABLE, then the Diameter server SHOULD include one or more user profile data associated with the SIP or SIPS URI (SIP-AOR AVP) and associated identities in the SIP-User-Data AVP value of the Diameter SAA message. On selecting the type of user data, the Diameter server SHOULD take into account the supported formats at the SIP server (SIP-Supported-User-Data-Type AVP in the SAR message) and the local policy. The Diameter server MUST set the Result-Code AVP value to DIAMETER_SUCCESS. The Diameter server considers the SIP AOR UNREGISTERED, but with a SIP server allocated to trigger and provide services for unregistered users. Note that in case of UNREGISTERED_USER (SIP-Server-Assignment-Type AVP), the Diameter server MUST verify that there is only one SIP-AOR AVP. Otherwise, the Diameter server MUST answer the Diameter SAR message with a Diameter SAA message, and it MUST set the Result-Code AVP value to DIAMETER_AVP_OCCURS_TOO_MANY_TIMES and MUST NOT include any SIP-User-Data AVP. If the User-Name AVP was not present in the Diameter SAR message and the SIP-AOR is not known for the Diameter server, the Diameter server MUST NOT include a User-Name AVP in the Diameter SAA message and MUST set the Result-Code AVP value to DIAMETER_ERROR_USER_UNKNOWN.
o If the SIP-Server-Assignment-Type AVP value in the Diameter SAR message is set to TIMEOUT_DEREGISTRATION, USER_DEREGISTRATION, DEREGISTRATION_TOO_MUCH_DATA, or ADMINISTRATIVE_DEREGISTRATION, the Diameter server MUST clear the SIP server address associated with all SIP AORs indicated in each of the SIP-AOR AVP values included in the Diameter SAR message. The Diameter server considers all of these SIP AORs as not registered. The Diameter server MUST set the Result-Code AVP value to DIAMETER_SUCCESS in the Diameter SAA message.
o If the SIP-Server-Assignment-Type AVP value in the Diameter SAR message is set to TIMEOUT_DEREGISTRATION_STORE_SERVER_NAME or USER_DEREGISTRATION_STORE_SERVER_NAME, the Diameter server MAY keep the SIP server address associated with the SIP AORs included in the SIP-AOR AVP values of the Diameter SAR message, even though the SIP AORs become unregistered. This feature allows a SIP server to request that the Diameter server remain an assigned SIP server for those SIP AORs (SIP-AOR AVP values) allocated to the same user name, and avoid SIP server assignment. The Diameter server MUST consider all these SIP AORs as not registered. If the Diameter server honors the request of the Diameter client (SIP server) to remain as an allocated SIP server, then the Diameter server MUST keep the SIP server assigned to those SIP AORs allocated to the username and MUST set the Result-Code AVP value to DIAMETER_SUCCESS in the Diameter SAA message. Otherwise, when the Diameter server does not honor the request of the Diameter client (SIP server) to remain as an allocated SIP server, the Diameter server MUST clear the SIP server name assigned to those SIP AORs and it MUST set the Result-Code AVP value to DIAMETER_SUCCESS_SERVER_NAME_NOT_STORED in the Diameter SAA message.
o If the SIP-Server-Assignment-Type AVP value in the Diameter SAR message is set to NO_ASSIGNMENT, the Diameter server SHOULD first verify that the SIP-Server-URI AVP value in the Diameter SAR message is the same URI as the one assigned to the SIP-AOR AVP value. If they differ, then the Diameter server MUST set the Result-Code AVP value to DIAMETER_UNABLE_TO_COMPLY in the Diameter SAA message. Otherwise, if the SIP-User-Data-Already-Available AVP value is set to USER_DATA_NOT_AVAILABLE, then the Diameter server SHOULD include the user profile data with the SIP or SIPS URI (SIP-AOR AVP) and all other SIP identities associated with that AVP in the SIP-User-Data AVP value of the Diameter SAA message. On selecting the type of user data, the Diameter server SHOULD take into account the supported formats at the SIP server (SIP-Supported-User-Data-Type AVP in the SAR message) and the local policy.
o If the SIP-Server-Assignment-Type AVP value in the Diameter SAR message is set to AUTHENTICATION_FAILURE or AUTHENTICATION_TIMEOUT, the Diameter server MUST verify that there is exactly one SIP-AOR AVP in the Diameter SAR message. If the number of occurrences of the SIP-AOR AVP is not exactly one, the Diameter server MUST set the Result-Code AVP value to DIAMETER_AVP_OCCURS_TOO_MANY_TIMES in the Diameter SAA message, and SHOULD not take further actions. If there is exactly one SIP-AOR AVP in the Diameter SAR message, the Diameter server MUST clear the address of the SIP server assigned to the SIP AOR allocated to the user name, and the Diameter server MUST set the Result-Code AVP value to DIAMETER_SUCCESS in the Diameter SAA message. The Diameter server MUST consider the SIP AOR as not registered.
The Message Format of the SAA command is as follows:
   <SAA> ::= < Diameter Header: 284, PXY >
             < Session-Id >
             { Auth-Application-Id }
             { Result-Code }
             { Auth-Session-State }
             { Origin-Host }
             { Origin-Realm }
           * [ SIP-User-Data ]
             [ SIP-Accounting-Information ]
           * [ SIP-Supported-User-Data-Type ]
             [ User-Name ]
             [ Auth-Grace-Period ]
             [ Authorization-Lifetime ]
             [ Redirect-Host ]
             [ Redirect-Host-Usage ]
             [ Redirect-Max-Cache-Time ]
           * [ Proxy-Info ]
           * [ Route-Record ]
           * [ AVP ]
The Location-Info-Request (LIR) is indicated by the Command-Code set to 285 and the Command Flags' 'R' bit set. The Diameter client in a SIP server sends this command to the Diameter server to request routing information, e.g., the URI of the SIP server assigned to the SIP-AOR AVP value allocated to the users.
The Message Format of the LIR command is as follows:
   <LIR> ::= < Diameter Header: 285, REQ, PXY >
             < Session-Id >
             { Auth-Application-Id }
             { Auth-Session-State }
             { Origin-Host }
             { Origin-Realm }
             { Destination-Realm }
             { SIP-AOR }
             [ Destination-Host ]
           * [ Proxy-Info ]
           * [ Route-Record ]
           * [ AVP ]
The Location-Info-Answer (LIA) is indicated by the Command-Code set to 285 and the Command Flags' 'R' bit cleared. The Diameter server sends this command in response to a previously received Diameter Location-Info-Request (LIR) command.
In addition to the values already defined in RFC 3588 [RFC3588], the Result-Code AVP may contain one of the values defined in Section 10.1. When the Diameter server finds an error in processing the Diameter LIR message, the Diameter server MUST stop the process of the message and answer with a Diameter LIA message that includes the appropriate error code in the Result-Code AVP value. When there is no error, the Diameter server MUST set the Result-Code AVP value to DIAMETER_SUCCESS in the Diameter LIA message.
One of the errors that the Diameter server may find is that the SIP-AOR AVP value is not a valid user in the realm. In such cases, the Diameter server MUST set the Result-Code AVP value to DIAMETER_ERROR_USER_UNKNOWN and return it in a Diameter LIA message.
If the Diameter server cannot process the Diameter LIR command, e.g., due to a database error, the Diameter server MUST set the Result-Code AVP value to DIAMETER_UNABLE_TO_COMPLY and return it in a Diameter LIA message. The Diameter server MUST NOT include any SIP-Server-URI or SIP-Server-Capabilities AVP in the Diameter LIA message.
The Diameter server may or may not be aware of a SIP server assigned to the SIP-AOR AVP value included in the Diameter LIR message. If the Diameter server is aware of a SIP server allocated to that particular user, the Diameter server MUST include the URI of such SIP server in the SIP-Server-URI AVP and return it in a Diameter LIA message. This is typically the situation when the user is either registered, or unregistered but a SIP server is still assigned to the user.
When the Diameter server is not aware of a SIP server allocated to the user (typically the case when the user unregistered), the Result-Code AVP value in the Diameter LIA message depends on whether the Diameter server is aware that the user has services defined for unregistered users:
o Those users who have services defined for unregistered users may require the allocation of a SIP server to trigger and perhaps execute those services. Therefore, when the Diameter server is not aware of an assigned SIP server, but the user has services defined for unregistered users, the Diameter server MUST set the Result-Code AVP value to DIAMETER_UNREGISTERED_SERVICE and return it in a Diameter LIA message. The Diameter server MAY also include a SIP-Server-Capabilities AVP to facilitate the SIP server (Diameter client) with the selection of an appropriate SIP server with the required capabilities. Absence of the SIP-Server-Capabilities AVP indicates to the SIP server (Diameter client) that any SIP server is suitable to be allocated for the user.
o Those users who do not have service defined for unregistered users do not require further processing. The Diameter server MUST set the Result-Code AVP value to DIAMETER_ERROR_IDENTITY_NOT_REGISTERED and return it to the Diameter client in a Diameter LIA message. The SIP server (Diameter client) may return the appropriate SIP response (e.g., 480 (Temporarily unavailable)) to the original SIP request.
The Message Format of the LIA command is as follows:
   <LIA> ::= < Diameter Header: 285, PXY >
             < Session-Id >
             { Auth-Application-Id }
             { Result-Code }
             { Auth-Session-State }
             { Origin-Host }
             { Origin-Realm }
             [ SIP-Server-URI ]
             [ SIP-Server-Capabilities ]
             [ Auth-Grace-Period ]
             [ Authorization-Lifetime ]
             [ Redirect-Host ]
             [ Redirect-Host-Usage ]
             [ Redirect-Max-Cache-Time ]
           * [ Proxy-Info ]
           * [ Route-Record ]
           * [ AVP ]
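The LIR handling rules above, seen from both ends, as an added Python example (not code from the RFC): `answer_lir` picks the LIA Result-Code on the Diameter server, and `route_from_lia` is how a SIP server could act on the answer. The record layout, the lookup callback, the server pool and the modelling of capabilities as a set of integers are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class AorRecord:                       # hypothetical row in the Diameter server's database
    assigned_server: Optional[str] = None        # may be kept while the AOR is unregistered
    unregistered_services: bool = False
    required_capabilities: Optional[Set[int]] = None   # assumption: opaque capability ids


@dataclass
class Lia:                             # only the AVPs this section discusses
    result_code: str
    sip_server_uri: Optional[str] = None
    sip_server_capabilities: Optional[Set[int]] = None


def answer_lir(sip_aor: str, lookup: Callable[[str], Optional[AorRecord]]) -> Lia:
    """Diameter server side: choose the Result-Code for one LIR."""
    try:
        rec = lookup(sip_aor)
    except Exception:
        # e.g. database error: the answer carries no SIP-Server-URI or capabilities
        return Lia("DIAMETER_UNABLE_TO_COMPLY")
    if rec is None:
        return Lia("DIAMETER_ERROR_USER_UNKNOWN")
    if rec.assigned_server:
        # registered, or unregistered with a SIP server still assigned
        return Lia("DIAMETER_SUCCESS", sip_server_uri=rec.assigned_server)
    if rec.unregistered_services:
        return Lia("DIAMETER_UNREGISTERED_SERVICE",
                   sip_server_capabilities=rec.required_capabilities)
    return Lia("DIAMETER_ERROR_IDENTITY_NOT_REGISTERED")


def route_from_lia(lia: Lia, pool: Dict[str, Set[int]]) -> Tuple[str, str]:
    """SIP server side: turn an LIA into a routing decision.

    pool maps candidate SIP server URIs to the capabilities they offer (assumption).
    """
    if lia.result_code == "DIAMETER_SUCCESS" and lia.sip_server_uri:
        return ("forward", lia.sip_server_uri)
    if lia.result_code == "DIAMETER_UNREGISTERED_SERVICE":
        # An absent SIP-Server-Capabilities AVP means any SIP server is suitable.
        needed = lia.sip_server_capabilities or set()
        for uri in sorted(pool):
            if needed <= pool[uri]:
                return ("forward", uri)
        return ("fail", "no SIP server with the required capabilities")
    if lia.result_code == "DIAMETER_ERROR_IDENTITY_NOT_REGISTERED":
        return ("respond", "480 Temporarily unavailable")
    return ("fail", lia.result_code)
```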
The Multimedia-Auth-Request (MAR) command is indicated by the Command-Code set to 286 and the Command Flags' 'R' bit set. The Diameter client in a SIP server sends this command to the Diameter server to request that the Diameter server authenticate and authorize a user attempt to use some SIP service (in this context, SIP service can be something as simple as a SIP subscription or using the proxy services for a SIP request).
The MAR command may also register the SIP server's own URI to the Diameter server, so that future LIR/LIA messages can return this URI. If the SIP server is acting as a SIP registrar (see examples in Sections 6.2 and 6.3), its Diameter client MUST include a SIP-Server-URI AVP in the MAR command. In any other cases (see example in Section 6.4), its Diameter client MUST NOT include a SIP-Server-URI AVP in the MAR command.
The SIP-Method AVP MUST include the SIP method name of the SIP request that triggered this Diameter MAR message. The Diameter server can use this AVP to authorize some SIP requests depending on the method.
The Diameter MAR message MUST include a SIP-AOR AVP. The SIP-AOR AVP indicates the target of the SIP request. The value of the AVP is extracted from different places in SIP request, depending on the semantics of the SIP request. For SIP REGISTER messages the SIP-AOR AVP value indicates the intended public user identity under registration, and it is the SIP or SIPS URI populated in the To header field value (addr-spec as per RFC 3261 [RFC3261]) of the SIP REGISTER request. For other types of SIP requests, such as INVITE, SUBSCRIBE, MESSAGE, etc., the SIP-AOR AVP value indicates the intended destination of the request. This is typically populated in the Request-URI of the SIP request. Extracting the SIP-AOR AVP value from the proper SIP header field is the Diameter client's responsibility. Extensions to SIP (new SIP methods or new semantics) may require the SIP-AOR to be extracted from other parts of the request.
If the SIP request includes some sort of authentication information, the Diameter client MUST include the user name, extracted from the authentication information of the SIP request, in the User-Name AVP value.
The Message Format of the MAR command is as follows:
   <MAR> ::= < Diameter Header: 286, REQ, PXY >
             < Session-Id >
             { Auth-Application-Id }
             { Auth-Session-State }
             { Origin-Host }
             { Origin-Realm }
             { Destination-Realm }
             { SIP-AOR }
             { SIP-Method }
             [ Destination-Host ]
             [ User-Name ]
             [ SIP-Server-URI ]
             [ SIP-Number-Auth-Items ]
             [ SIP-Auth-Data-Item ]
           * [ Proxy-Info ]
           * [ Route-Record ]
           * [ AVP ]
The Multimedia-Auth-Answer (MAA) is indicated by the Command-Code set to 286 and the Command Flags' 'R' bit cleared. The Diameter server sends this command in response to a previously received Diameter Multimedia-Auth-Request (MAR) command.
In addition to the values already defined in RFC 3588 [RFC3588], the Result-Code AVP may contain one of the values defined in Section 10.1.
If the Diameter server requires a User-Name AVP value to process the Diameter MAR request, but the Diameter MAR message did not contain a User-Name AVP value, the Diameter server MUST set the Result-Code AVP value to DIAMETER_USER_NAME_REQUIRED (see Section 10.1.2) and return it in a Diameter MAA message. The Diameter server MAY include a SIP-Number-Auth-Items AVP and one or more SIP-Auth-Data-Item AVPs with authentication information (e.g., a challenge). Upon reception of this Diameter MAA message with the Result-Code AVP value set to DIAMETER_USER_NAME_REQUIRED, the SIP server typically requests authentication by generating a SIP 401 (Unauthorized) or SIP 407 (Proxy Authentication Required) response back to the originator.
If the User-Name AVP is present in the Diameter MAR message, the Diameter server MUST verify the existence of the user in the realm, i.e., the User-Name AVP value is a valid user within that realm. If the Diameter server does not recognize the user name received in the User-Name AVP, the Diameter server MUST build a Diameter Multimedia-Auth-Answer (MAA) message and MUST set the Result-Code AVP to DIAMETER_ERROR_USER_UNKNOWN.
If the SIP-Method AVP value of the Diameter MAR message is set to REGISTER and a User-Name AVP is present, then the Diameter server MUST authorize that User-Name AVP value is able to use the URI included in the SIP-AOR AVP. If this authorization fails, the Diameter server must set the Result-Code AVP to DIAMETER_ERROR_IDENTITIES_DONT_MATCH and send it in a Diameter Multimedia-Auth-Answer (MAA) message.
Note: Correlation between User-Name and SIP-AOR AVP values is only required for SIP REGISTER request, to prevent a user from registering a SIP-AOR allocated to another user. In other types of SIP requests (e.g., INVITE), the SIP-AOR indicates the intended destination of the request, rather than the originator of it.
The Diameter server MUST verify whether the authentication scheme (SIP-Authentication-Scheme AVP value) indicated in the grouped SIP-Auth-Data-Item AVP is supported or not. If that authentication scheme is not supported, then the Diameter server MUST set the Result-Code AVP to DIAMETER_ERROR_AUTH_SCHEME_NOT_SUPPORTED and send it in a Diameter Multimedia-Auth-Answer (MAA) message.
If the SIP-Number-Auth-Items AVP is present in the Diameter MAR message, it indicates the number of authentication data items that the Diameter client is requesting. It is RECOMMENDED that the Diameter server, when building the Diameter MAA message, includes a number of SIP-Auth-Data-Item AVPs that are a subset of the authentication data items requested by the Diameter client in the SIP-Number-Auth-Items AVP value of the Diameter MAR message.
If the SIP-Server-URI AVP is present in the Diameter MAR message, then the Diameter server MUST compare the stored SIP server (assigned to the user) with the SIP-Server-URI AVP value (received in the Diameter MAR message). If they don't match, the Diameter server MUST temporarily save the newly received SIP server assigned to the user, and MUST set an "authentication pending" flag for the user. If they match, the Diameter server shall clear the "authentication pending" flag for the user.
In any other situation, if there is a success in processing the Diameter MAR command and the Diameter server stored the SIP-Server-URI, the Diameter server MUST set the Result-Code AVP value to DIAMETER_SUCCESS and return it in a Diameter MAA message.
If there is a success in processing the Diameter MAR command, but the Diameter server does not store the SIP-Server-URI because the AVP was not present in the Diameter MAR command, then the Diameter server MUST set the Result-Code AVP value to either:
1. DIAMETER_SUCCESS_AUTH_SENT_SERVER_NOT_STORED, if the Diameter server is sending authentication credentials to create a challenge.
2. DIAMETER_SUCCESS_SERVER_NAME_NOT_STORED, if the Diameter server successfully authenticated the user and authorized the SIP server to proceed with the SIP request.
Otherwise, the Diameter server MUST set the Result-Code AVP value to DIAMETER_UNABLE_TO_COMPLY, and it MUST NOT include any SIP-Auth-Data-Item AVP.
The Message Format of the MAA command is as follows:
   <MAA> ::= < Diameter Header: 286, PXY >
             < Session-Id >
             { Auth-Application-Id }
             { Result-Code }
             { Auth-Session-State }
             { Origin-Host }
             { Origin-Realm }
             [ User-Name ]
             [ SIP-AOR ]
             [ SIP-Number-Auth-Items ]
           * [ SIP-Auth-Data-Item ]
             [ Authorization-Lifetime ]
             [ Auth-Grace-Period ]
             [ Redirect-Host ]
             [ Redirect-Host-Usage ]
             [ Redirect-Max-Cache-Time ]
           * [ Proxy-Info ]
           * [ Route-Record ]
           * [ AVP ]
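The MAR processing rules above, applied in order by a Diameter server, as an added Python example (not code from the RFC). It shows in particular that the User-Name to SIP-AOR correlation is enforced only for REGISTER and that a mismatching SIP-Server-URI is parked behind the "authentication pending" flag rather than replacing the assigned server. The in-memory subscriber store, the field names, the supported-scheme set, the item cap and the `credentials_ok` input are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

SUPPORTED_SCHEMES = {"Digest"}   # assumption: local policy of this server
MAX_AUTH_ITEMS = 3               # assumption: most items this server hands out


@dataclass
class Subscriber:                # hypothetical per-user record in the Diameter server
    aors: Set[str]
    assigned_server: Optional[str] = None
    pending_server: Optional[str] = None
    auth_pending: bool = False


@dataclass
class Mar:                       # only the AVPs the checks below look at
    sip_aor: str
    sip_method: str
    user_name: Optional[str] = None
    sip_server_uri: Optional[str] = None
    auth_scheme: Optional[str] = None      # SIP-Authentication-Scheme in SIP-Auth-Data-Item
    number_auth_items: Optional[int] = None
    credentials_ok: bool = False           # assumption: credential check done elsewhere


@dataclass
class Maa:
    result_code: str
    auth_items: int = 0                    # number of SIP-Auth-Data-Item AVPs returned


def _evaluate(mar: Mar, db: Dict[str, Subscriber]) -> Maa:
    # Return a subset of what the client asked for in SIP-Number-Auth-Items.
    wanted = min(mar.number_auth_items or 1, MAX_AUTH_ITEMS)

    if mar.user_name is None:
        # This server needs a user name; it may attach a challenge to the answer.
        return Maa("DIAMETER_USER_NAME_REQUIRED", wanted)

    user = db.get(mar.user_name)
    if user is None:
        return Maa("DIAMETER_ERROR_USER_UNKNOWN")

    # Only REGISTER binds User-Name to SIP-AOR; for INVITE etc. the AOR is the destination.
    if mar.sip_method == "REGISTER" and mar.sip_aor not in user.aors:
        return Maa("DIAMETER_ERROR_IDENTITIES_DONT_MATCH")

    if mar.auth_scheme is not None and mar.auth_scheme not in SUPPORTED_SCHEMES:
        return Maa("DIAMETER_ERROR_AUTH_SCHEME_NOT_SUPPORTED")

    if mar.sip_server_uri is not None:
        if mar.sip_server_uri != user.assigned_server:
            user.pending_server = mar.sip_server_uri   # saved temporarily, not yet assigned
            user.auth_pending = True
        else:
            user.auth_pending = False
        return Maa("DIAMETER_SUCCESS", 0 if mar.credentials_ok else wanted)

    # No SIP-Server-URI in the MAR, so nothing was stored.
    if mar.credentials_ok:
        return Maa("DIAMETER_SUCCESS_SERVER_NAME_NOT_STORED")
    return Maa("DIAMETER_SUCCESS_AUTH_SENT_SERVER_NOT_STORED", wanted)


def process_mar(mar: Mar, db: Dict[str, Subscriber]) -> Maa:
    try:
        return _evaluate(mar, db)
    except Exception:
        # Any other processing failure: the answer carries no SIP-Auth-Data-Item.
        return Maa("DIAMETER_UNABLE_TO_COMPLY", 0)
```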
The Registration-Termination-Request (RTR) command is indicated by the Command-Code set to 287 and the Command Flags' 'R' bit set. The Diameter server sends this command to the Diameter client in a SIP server to indicate to the SIP server that one or more SIP AORs have to be deregistered. The command allows an operator to administratively cancel the registration of a user from a centralized Diameter server.
The Diameter server has the capability to initiate the deregistration of a user and inform the SIP server by means of the Diameter RTR command. The Diameter server can decide whether only one SIP AOR is going to be deregistered, a list of SIP AORs, or all the SIP AORs allocated to the user.
The absence of a SIP-AOR AVP in the Diameter RTR message indicates that all the SIP AORs allocated to the user identified by the User-Name AVP are being deregistered.
The Diameter server MUST include a SIP-Deregistration-Reason AVP value to indicate the reason for the deregistration.
The Message Format of the RTR command is as follows:
   <RTR> ::= < Diameter Header: 287, REQ, PXY >
             < Session-Id >
             { Auth-Application-Id }
             { Auth-Session-State }
             { Origin-Host }
             { Origin-Realm }
             { Destination-Host }
             { SIP-Deregistration-Reason }
             [ Destination-Realm ]
             [ User-Name ]
           * [ SIP-AOR ]
           * [ Proxy-Info ]
           * [ Route-Record ]
           * [ AVP ]
The Registration-Termination-Answer (RTA) is indicated by the Command-Code set to 287 and the Command Flags' 'R' bit cleared. The Diameter client sends this command in response to a previously received Diameter Registration-Termination-Request (RTR) command.
In addition to the values already defined in RFC 3588 [RFC3588], the Result-Code AVP may contain one of the values defined in Section 10.1.
If the SIP server (Diameter client) requires a User-Name AVP value to process the Diameter RTR request, but the Diameter RTR message did not contain a User-Name AVP value, the Diameter client MUST set the Result-Code AVP value to DIAMETER_USER_NAME_REQUIRED (see Section 10.1.2) and return it in a Diameter RTA message.
The SIP server (Diameter client) applies the administrative deregistration to each of the URIs included in each of the SIP-AOR AVP values, or, if there is no SIP-AOR AVP present in the Diameter RTR request, to all the URIs allocated to the User-Name AVP value.
The value of the SIP-Deregistration-Reason AVP in the Diameter RTR command has an effect on the actions performed at the SIP server (Diameter client):
o If the value is set to PERMANENT_TERMINATION, then the user has terminated his/her registration to the realm. If informing the interested parties (e.g., subscribers to the "reg" event [RFC3680]) about the administrative deregistration is supported through SIP procedures, the SIP server (Diameter client) will do so. The Diameter Client in the SIP Server SHOULD NOT request a new user registration. The SIP server clears the registration state of the deregistered AORs.
o If the value is set to NEW_SIP_SERVER_ASSIGNED, the Diameter server informs the SIP server (Diameter client) that a new SIP server has been allocated to the user, due to some reason. The SIP server, if supported through SIP procedures, will inform the interested parties (e.g., subscribers to the "reg" event [RFC3680]) about the administrative deregistration at this SIP server. The Diameter client in the SIP server SHOULD NOT request a new user registration. The SIP server clears the registration state of the deregistered SIP AORs.
o If the value is set to SIP_SERVER_CHANGE, the Diameter server informs the SIP server (Diameter client) that a new SIP server has to be allocated to the user, e.g., due to user's capabilities requiring a new SIP server, or not enough resources in the current SIP server. If informing the interested parties about the administrative deregistration is supported through SIP procedures (e.g., subscriptions to the "reg" event [RFC3680]), the SIP server will do so. The Diameter client in the SIP Server SHOULD NOT request a new user registration. The SIP server clears the registration state of the deregistered SIP AORs.
o If the value is set to REMOVE_SIP_SERVER, the Diameter server informs the SIP server (Diameter client) that the SIP server will no longer be bound in the Diameter server with that user. The SIP server can delete all data related to the user.
The Message Format of the RTA command is as follows:
   <RTA> ::= < Diameter Header: 287, PXY >
             < Session-Id >
             { Auth-Application-Id }
             { Result-Code }
             { Auth-Session-State }
             { Origin-Host }
             { Origin-Realm }
             [ Authorization-Lifetime ]
             [ Auth-Grace-Period ]
             [ Redirect-Host ]
             [ Redirect-Host-Usage ]
             [ Redirect-Max-Cache-Time ]
           * [ Proxy-Info ]
           * [ Route-Record ]
           * [ AVP ]
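How a SIP server could apply an RTR, as an added Python example (not code from the RFC): it derives the deregistration scope from the SIP-AOR AVPs (or from User-Name when none are present) and then acts on the SIP-Deregistration-Reason. The `Registrar` store is hypothetical, and two choices are assumptions of this example: User-Name is treated as required only when no SIP-AOR is given, and an unrecognized reason is answered with DIAMETER_UNABLE_TO_COMPLY without touching state.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Reasons after which the SIP server notifies "reg" subscribers and clears the
# registration state of the affected AORs (and does not ask for a new registration).
CLEAR_STATE = {"PERMANENT_TERMINATION", "NEW_SIP_SERVER_ASSIGNED", "SIP_SERVER_CHANGE"}


@dataclass
class Registrar:                           # hypothetical SIP-server state
    bindings: Dict[str, Set[str]]          # user name -> registered AORs
    profiles: Dict[str, str] = field(default_factory=dict)
    notified: List[str] = field(default_factory=list)   # AORs announced via "reg" event


@dataclass
class Rtr:                                 # only the AVPs this section discusses
    reason: str                            # SIP-Deregistration-Reason
    user_name: Optional[str] = None
    sip_aors: List[str] = field(default_factory=list)


def handle_rtr(rtr: Rtr, reg: Registrar) -> str:
    """Apply one RTR and return the Result-Code for the RTA."""
    if not rtr.sip_aors and rtr.user_name is None:
        # Nothing identifies what to deregister.
        return "DIAMETER_USER_NAME_REQUIRED"
    if rtr.reason not in CLEAR_STATE and rtr.reason != "REMOVE_SIP_SERVER":
        return "DIAMETER_UNABLE_TO_COMPLY"

    # Listed AORs, or every AOR allocated to the user when no SIP-AOR AVP is present.
    targets = set(rtr.sip_aors) or set(reg.bindings.get(rtr.user_name, ()))

    if rtr.reason == "REMOVE_SIP_SERVER":
        # The binding to this SIP server is gone: all data for the user can be deleted.
        if rtr.user_name is not None:
            owners = {rtr.user_name}
        else:
            owners = {u for u, aors in reg.bindings.items() if aors & targets}
        for user in owners:
            reg.bindings.pop(user, None)
            reg.profiles.pop(user, None)
        return "DIAMETER_SUCCESS"

    for aors in reg.bindings.values():
        hit = aors & targets
        reg.notified.extend(sorted(hit))   # inform interested parties first
        aors.difference_update(hit)        # then clear the registration state
    return "DIAMETER_SUCCESS"
```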
The Push-Profile-Request (PPR) command is indicated by the Command-Code set to 288 and the Command Flags' 'R' bit set. The Diameter server sends this command to the Diameter client in a SIP server to update either the user profile of an already registered user in that SIP server or the SIP accounting information. This allows an operator to modify the data of a user profile or the accounting information and push it to the SIP server where the user is registered.
Each user has a user profile associated with him/her and other accounting information. The profile or the accounting information may change with time, e.g., due to addition of new services to the user. When the user profile or the accounting information changes, the Diameter server sends a Diameter Push-Profile-Request (PPR) command to the Diameter client in a SIP server, in order to start applying those new services.
A PPR command MAY contain a SIP-Accounting-Information AVP that updates the addresses of the accounting servers. Changes in the addresses of the accounting servers take effect immediately. The Diameter client SHOULD close any existing accounting session with the existing server and start providing accounting information to the newly acquired accounting server.
A PPR command MAY contain zero or more SIP-User-Data AVP values containing the new user profile. On selecting the type of user data, the Diameter server SHOULD take into account the supported formats at the SIP server (SIP-Supported-User-Data-Type AVP sent in a previous SAR message) and the local policy.
The User-Name AVP indicates the user to whom the profile is applicable.
The Message Format of the PPR command is as follows:
   <PPR> ::= < Diameter Header: 288, REQ, PXY >
             < Session-Id >
             { Auth-Application-Id }
             { Auth-Session-State }
             { Origin-Host }
             { Origin-Realm }
             { Destination-Realm }
             { User-Name }
           * [ SIP-User-Data ]
             [ SIP-Accounting-Information ]
             [ Destination-Host ]
             [ Authorization-Lifetime ]
             [ Auth-Grace-Period ]
           * [ Proxy-Info ]
           * [ Route-Record ]
           * [ AVP ]
The Push-Profile-Answer (PPA) is indicated by the Command-Code set to 288 and the Command Flags' 'R' bit cleared. The Diameter client sends this command in response to a previously received Diameter Push-Profile-Request (PPR) command.
In addition to the values already defined in RFC 3588 [RFC3588], the Result-Code AVP may contain one of the values defined in Section 10.1.
If there is no error when processing the received Diameter PPR message, the SIP server (Diameter client) MUST download the received user profile from the SIP-User-Data AVP values in the Diameter PPR message and store it associated with the user specified in the User-Name AVP value.
If the SIP server does not recognize or does not support some of the data transferred in the SIP-User-Data AVP values, the Diameter client in the SIP server MUST return a Diameter PPA message that includes a Result-Code AVP set to the value DIAMETER_ERROR_NOT_SUPPORTED_USER_DATA.
If the SIP server (Diameter client) receives a Diameter PPR message with a User-Name AVP that is unknown, the Diameter client MUST set the Result-Code AVP value to DIAMETER_ERROR_USER_UNKNOWN and MUST return it to the Diameter server in a Diameter PPA message.
If the SIP server (Diameter client) receives in the SIP-User-Data-Contents AVP value (of the grouped SIP-User-Data AVP) more data than it can accept, it MUST set the Result-Code AVP value to DIAMETER_ERROR_TOO_MUCH_DATA and MUST return it to the Diameter server in a Diameter PPA message. The SIP server MUST NOT override the existing user profile with the one received in the PPR message.
If the Diameter server receives the Result-Code AVP value set to DIAMETER_ERROR_TOO_MUCH_DATA in a Diameter PPA message, it SHOULD force a new re-registration of the user by sending to the Diameter client a Diameter Registration-Termination-Request (RTR) with the SIP-Deregistration-Reason AVP value set to SIP_SERVER_CHANGE. This will force a re-registration of the user and will trigger a selection of a new SIP server.
If the Diameter client is not able to honor the command, for any other reason, it MUST set the Result-Code AVP value to DIAMETER_UNABLE_TO_COMPLY and it MUST return it in a Diameter PPA message.
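The PPR handling rules above, as an added sketch that is not part of the RFC text: every SIP-User-Data value is validated before anything is stored, so a rejected PPR never overwrites the existing profile. The class, its fields, the order of the checks and the per-value size limit are assumptions; Result-Codes are handled by name because their numeric values are defined outside this section.

```python
from dataclasses import dataclass, field

# Result-Code names used by this section. Numeric values are defined in
# Section 10.1 and RFC 3588, so this sketch compares symbolic names only.
SUCCESS = "DIAMETER_SUCCESS"
NOT_SUPPORTED_USER_DATA = "DIAMETER_ERROR_NOT_SUPPORTED_USER_DATA"
USER_UNKNOWN = "DIAMETER_ERROR_USER_UNKNOWN"
TOO_MUCH_DATA = "DIAMETER_ERROR_TOO_MUCH_DATA"
UNABLE_TO_COMPLY = "DIAMETER_UNABLE_TO_COMPLY"
SIP_SERVER_CHANGE = 2  # SIP-Reason-Code value


@dataclass
class SipServer:
    """Hypothetical Diameter client state; all names here are assumptions."""
    known_users: set
    supported_types: set      # SIP-User-Data-Type values this server understands
    max_contents_bytes: int   # local limit per SIP-User-Data-Contents value
    profiles: dict = field(default_factory=dict)

    def handle_ppr(self, user_name, user_data):
        """user_data: list of (SIP-User-Data-Type, SIP-User-Data-Contents).

        Returns the Result-Code name to place in the PPA.
        """
        if user_name not in self.known_users:
            return USER_UNKNOWN
        staged = []  # nothing touches self.profiles until every value passed
        try:
            for data_type, contents in user_data:
                if data_type not in self.supported_types:
                    return NOT_SUPPORTED_USER_DATA
                if len(contents) > self.max_contents_bytes:
                    return TOO_MUCH_DATA
                staged.append((data_type, bytes(contents)))
        except (TypeError, ValueError):
            # Malformed input: the command cannot be honored for another reason.
            return UNABLE_TO_COMPLY
        self.profiles[user_name] = staged
        return SUCCESS


def server_followup(result_code):
    """Diameter server side: what the PPA Result-Code SHOULD trigger."""
    if result_code == TOO_MUCH_DATA:
        # Force a re-registration so that a new SIP server gets selected.
        return {"command": "RTR",
                "SIP-Deregistration-Reason": {"SIP-Reason-Code": SIP_SERVER_CHANGE}}
    return None
```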
The Message Format of the PPA command is as follows:
    <PPA> ::= < Diameter Header: 288, PXY >
              < Session-Id >
              { Auth-Application-Id }
              { Result-Code }
              { Auth-Session-State }
              { Origin-Host }
              { Origin-Realm }
              [ Redirect-Host ]
              [ Redirect-Host-Usage ]
              [ Redirect-Max-Cache-Time ]
            * [ Proxy-Info ]
            * [ Route-Record ]
            * [ AVP ]
This section defines new AVPs used in this Diameter SIP application. Applications compliant with this specification MUST implement these AVPs.
Table 2 lists the new AVPs defined in this Diameter SIP application. The following abbreviations are used in the Data-Type column:
o DURI: DiameterURI
o E: Enumerated
o G: Grouped
o OS: OctetString
o UTF8S: UTF8String
o U32: Unsigned32
+-----------------------------------+------+----------------+-------+
| Attribute Name                    | AVP  | Reference      | Data- |
|                                   | Code |                | Type  |
+-----------------------------------+------+----------------+-------+
| SIP-Accounting-Information        | 368  | Section 9.1    | G     |
| SIP-Accounting-Server-URI         | 369  | Section 9.1.1  | DURI  |
| SIP-Credit-Control-Server-URI     | 370  | Section 9.1.2  | DURI  |
| SIP-Server-URI                    | 371  | Section 9.2    | UTF8S |
| SIP-Server-Capabilities           | 372  | Section 9.3    | G     |
| SIP-Mandatory-Capability          | 373  | Section 9.3.1  | U32   |
| SIP-Optional-Capability           | 374  | Section 9.3.2  | U32   |
| SIP-Server-Assignment-Type        | 375  | Section 9.4    | E     |
| SIP-Auth-Data-Item                | 376  | Section 9.5    | G     |
| SIP-Authentication-Scheme         | 377  | Section 9.5.1  | E     |
| SIP-Item-Number                   | 378  | Section 9.5.2  | U32   |
| SIP-Authenticate                  | 379  | Section 9.5.3  | G     |
| SIP-Authorization                 | 380  | Section 9.5.4  | G     |
| SIP-Authentication-Info           | 381  | Section 9.5.5  | G     |
| SIP-Number-Auth-Items             | 382  | Section 9.6    | U32   |
| SIP-Deregistration-Reason         | 383  | Section 9.7    | G     |
| SIP-Reason-Code                   | 384  | Section 9.7.1  | E     |
| SIP-Reason-Info                   | 385  | Section 9.7.2  | UTF8S |
| SIP-Visited-Network-Id            | 386  | Section 9.9    | UTF8S |
| SIP-User-Authorization-Type       | 387  | Section 9.10   | E     |
| SIP-Supported-User-Data-Type      | 388  | Section 9.11   | UTF8S |
| SIP-User-Data                     | 389  | Section 9.12   | G     |
| SIP-User-Data-Type                | 390  | Section 9.12.1 | UTF8S |
| SIP-User-Data-Contents            | 391  | Section 9.12.2 | OS    |
| SIP-User-Data-Already-Available   | 392  | Section 9.13   | E     |
| SIP-Method                        | 393  | Section 9.14   | UTF8S |
+-----------------------------------+------+----------------+-------+
Table 2: Defined AVPs
Table 3 expands the table of AVPs included in Section 4.5 of RFC 3588 [RFC3588]. The table indicates the Diameter AVPs defined in this Diameter SIP Application, their possible flag values, and whether the AVP may be encrypted. The acronyms 'M', 'P', and 'V' refer to AVP flags whose semantics are described in RFC 3588 [RFC3588]. The value of the 'Encr' column is also described in RFC 3588 [RFC3588].
+----------------------------------+------+-----+-----+------+------+
| Attribute Name                   | MUST | MAY | SHD | MUST | Encr |
|                                  |      |     | NOT | NOT  |      |
+----------------------------------+------+-----+-----+------+------+
| SIP-Accounting-Information       | M    | P   |     | V    | N    |
| SIP-Accounting-Server-URI        | M    | P   |     | V    | N    |
| SIP-Credit-Control-Server-URI    | M    | P   |     | V    | N    |
| SIP-Server-URI                   | M    | P   |     | V    | N    |
| SIP-Server-Capabilities          | M    | P   |     | V    | N    |
| SIP-Mandatory-Capability         | M    | P   |     | V    | N    |
| SIP-Optional-Capability          | M    | P   |     | V    | N    |
| SIP-Server-Assignment-Type       | M    | P   |     | V    | N    |
| SIP-Auth-Data-Item               | M    | P   |     | V    | N    |
| SIP-Authentication-Scheme        | M    | P   |     | V    | N    |
| SIP-Item-Number                  | M    | P   |     | V    | N    |
| SIP-Authenticate                 | M    | P   |     | V    | N    |
| SIP-Authorization                | M    | P   |     | V    | N    |
| SIP-Authentication-Info          | M    | P   |     | V    | N    |
| SIP-Number-Auth-Items            | M    | P   |     | V    | N    |
| SIP-Deregistration-Reason        | M    | P   |     | V    | N    |
| SIP-Reason-Code                  | M    | P   |     | V    | N    |
| SIP-Reason-Info                  | M    | P   |     | V    | N    |
| SIP-Visited-Network-Id           | M    | P   |     | V    | N    |
| SIP-User-Authorization-Type      | M    | P   |     | V    | N    |
| SIP-Supported-User-Data-Type     | M    | P   |     | V    | N    |
| SIP-User-Data                    | M    | P   |     | V    | N    |
| SIP-User-Data-Type               | M    | P   |     | V    | N    |
| SIP-User-Data-Contents           | M    | P   |     | V    | N    |
| SIP-User-Data-Already-Available  | M    | P   |     | V    | N    |
| SIP-Method                       | M    | P   |     | V    | N    |
+----------------------------------+------+-----+-----+------+------+
Table 3: Summary of the new AVPs flags
The SIP-Accounting-Information (AVP Code 368) is of type Grouped, and contains the Diameter addresses of those nodes that are able to collect accounting information.
The SIP-Accounting-Information AVP is defined as follows (per the grouped-avp-def of RFC 3588 [RFC3588]):
    SIP-Accounting-Information ::= < AVP Header: 368 >
                                 * [ SIP-Accounting-Server-URI ]
                                 * [ SIP-Credit-Control-Server-URI ]
                                 * [ AVP ]
The SIP-Accounting-Server-URI AVP (AVP Code 369) is of type DiameterURI. This AVP contains the address of a Diameter server that is able to receive SIP-session-related accounting information.
The SIP-Credit-Control-Server-URI AVP (AVP Code 370) is of type DiameterURI. This AVP contains the address of a Diameter server that is able to authorize real-time credit control usage. The Diameter Credit-Control Application [RFC4006] may be used for this purpose.
The SIP-Server-URI AVP (AVP Code 371) is of type UTF8String. This AVP contains a SIP or SIPS URI (as defined in RFC 3261 [RFC3261]) that identifies a SIP server.
The SIP-Server-Capabilities AVP (AVP Code 372) is of type Grouped. The Diameter server indicates in this AVP the requirements for a particular SIP capability, so that the Diameter client (SIP server) is able to select another appropriate SIP server to serve the user.
The SIP-Server-Capabilities AVP allows a Diameter client (SIP server) to select another SIP server for triggering or executing services to the user. A user may have enabled some services that require the implementation of certain capabilities in the SIP server that triggers or executes those services. For example, the SIP server that triggers or executes services to this user may need to implement SIP servlets [JSR-000116], Call Processing Language (CPL) [RFC3880], or any other kind of capability. Or perhaps that user belongs to a premium users group that has a certain stringent quality-of-service agreement that requires a fast SIP server. The capabilities required or recommended to a given user are conveyed in the SIP-Server-Capabilities AVP. When it receives them, the Diameter client (SIP server) that does the SIP server selection needs to have the means to find out available SIP servers that meet the required or optional capabilities. Such means are outside the scope of this specification.
Note that the SIP-Server-Capabilities AVP assists the Diameter client (SIP server) to produce a subset of all the available SIP servers to be allocated to the user in the Home Realm; this is the subset that conforms to the requirements of capabilities on a per-user basis. Typically this subset will be formed of more than a single SIP server, so once the subset of those SIP servers is identified, it is possible that several instances of these SIP servers exist, in which case the Diameter client (SIP server) should choose one particular SIP server to execute and trigger services to this user. It is expected that at this point the SIP server (Diameter client) will follow the procedures of RFC 3263 [RFC3263] to allocate one SIP server to the user.
The SIP-Server-Capabilities AVP is defined as follows (per the grouped-avp-def of RFC 3588 [RFC3588]):
    SIP-Server-Capabilities ::= < AVP Header: 372 >
                              * [ SIP-Mandatory-Capability ]
                              * [ SIP-Optional-Capability ]
                              * [ SIP-Server-URI ]
                              * [ AVP ]
The SIP-Mandatory-Capability AVP (AVP Code 373) is of type Unsigned32. The value represents a certain capability (or set of capabilities) that have to be fulfilled by the SIP server allocated to the user.
The semantics of the different values are not standardized, as it is a matter of the administrative network to allocate its own semantics within its own network. Each value has to represent a single capability within the administrative network.
The SIP-Optional-Capability AVP (AVP Code 374) is of type Unsigned32. The value represents a certain capability (or set of capabilities) that, optionally, may be fulfilled by the SIP server allocated to the user.
The semantics of the different values are not standardized, as it is a matter of the administrative network to allocate its own semantics within its own network. Each value has to represent a single capability within the administrative network.
The SIP-Server-Assignment-Type AVP (AVP Code 375) is of type Enumerated and indicates the type of server update being performed in a Diameter Server-Assignment-Request (SAR) operation. The following values are defined:
o NO_ASSIGNMENT (0): The Diameter client uses this value to request the user profile of a SIP AOR, without affecting the registration state of that identity.
o REGISTRATION (1): First SIP registration of a SIP AOR.
o RE_REGISTRATION (2): Subsequent SIP registration of a SIP AOR.
o UNREGISTERED_USER (3): The SIP server has received a SIP request (e.g., SIP INVITE) addressed for a SIP AOR that is not registered.
o TIMEOUT_DEREGISTRATION (4): The SIP registration timer of an identity has expired.
o USER_DEREGISTRATION (5): The SIP server has received a request to deregister a SIP AOR.
o TIMEOUT_DEREGISTRATION_STORE_SERVER_NAME (6): The SIP registration timer of an identity has expired. The SIP server keeps the user data stored and requests the Diameter server to store the SIP server address.
o USER_DEREGISTRATION_STORE_SERVER_NAME (7): The SIP server has received a user-initiated deregistration request. The SIP server keeps the user data stored and requests the Diameter server to store the SIP server address.
o ADMINISTRATIVE_DEREGISTRATION (8): The SIP server, due to administrative reasons, has deregistered a SIP AOR.
o AUTHENTICATION_FAILURE (9): The authentication of a user has failed.
o AUTHENTICATION_TIMEOUT (10): The authentication timer has expired.
o DEREGISTRATION_TOO_MUCH_DATA (11): The SIP server has requested user profile information from the Diameter server and has received a volume of data higher than it can accept.
The SIP-Auth-Data-Item (AVP Code 376) is of type Grouped and contains the authentication and/or authorization information pertaining to a user.
When the Diameter server uses the grouped SIP-Auth-Data-Item AVP to include a SIP-Authenticate AVP, the Diameter server MUST send a maximum of one authentication data item (e.g., in case the SIP request contained several credentials). Section 11 contains a detailed discussion and normative text of the case when a SIP request contains several credentials.
The SIP-Auth-Data-Item AVP is defined as follows (per the grouped-avp-def of RFC 3588 [RFC3588]):
    SIP-Auth-Data-Item ::= < AVP Header: 376 >
                           { SIP-Authentication-Scheme }
                           [ SIP-Item-Number ]
                           [ SIP-Authenticate ]
                           [ SIP-Authorization ]
                           [ SIP-Authentication-Info ]
                         * [ AVP ]
The SIP-Authentication-Scheme AVP (AVP Code 377) is of type Enumerated and indicates the authentication scheme used in the authentication of SIP services. RFC 2617 identifies this value as an "auth-scheme" (see Section 1.2 of RFC 2617 [RFC2617]). The only currently defined value is:
o DIGEST (0) to indicate HTTP Digest authentication as specified in RFC 2617 [RFC2617] Section 3.2.1. Derivative work is also considered Digest authentication scheme, as long as the "auth-scheme" is identified as Digest in the SIP headers carrying the HTTP authentication. This includes, e.g., the HTTP Digest authentication using AKA [RFC3310].
Each HTTP Digest directive (parameter) is transported in a corresponding AVP, whose name follows the pattern Digest-*. The Digest-* AVPs are RADIUS attributes imported from the RADIUS Extension for Digest Authentication [RFC4590] namespace, allowing a smooth transition between RADIUS and Diameter applications supporting SIP. The Diameter SIP application goes a step further by grouping the Digest-* AVPs into the SIP-Authenticate, SIP-Authorization, and SIP-Authentication-Info grouped AVPs that correspond to the SIP WWW-Authenticate/Proxy-Authenticate, Authorization/Proxy-Authorization, and Authentication-Info header fields, respectively.
Note: Due to the fact that HTTP Digest authentication [RFC2617] is the only mandatory authentication mechanism in SIP, this memo only provides support for HTTP Digest authentication and derivative work such as HTTP Digest authentication using AKA [RFC3310]. Extensions to this memo can register new values and new AVPs to provide support for other authentication schemes or extensions to HTTP Digest authentication.
Note: Although RFC 2617 [RFC2617] defines the Basic and Digest schemes for authenticating HTTP requests, RFC 3261 [RFC3261] only imports HTTP Digest as a mechanism to provide authentication in SIP.
Due to syntactic requirements, HTTP Digest authentication has to escape quote characters in contents of HTTP Digest directives. When translating directives into Digest-* AVPs, the Diameter client or server removes the surrounding quotes where present, as required by the syntax of the Digest-* attributes defined in the "RADIUS Extension for Digest Authentication" [RFC4590].
The SIP-Item-Number (AVP Code 378) is of type Unsigned32 and is included in a SIP-Auth-Data-Item grouped AVP in circumstances where there are multiple occurrences of SIP-Auth-Data-Item AVPs and the order of processing is relevant. The AVP indicates the order in which the Grouped SIP-Auth-Data-Item should be processed. Lower values of the SIP-Item-Number AVP indicate that the whole SIP-Auth-Data-Item SHOULD be processed before other SIP-Auth-Data-Item AVPs that contain higher values in the SIP-Item-Number AVP.
The SIP-Authenticate AVP (AVP Code 379) is of type Grouped and contains a reconstruction of either the SIP WWW-Authenticate or Proxy-Authenticate header fields specified in RFC 2617 [RFC2617] for the HTTP Digest authentication scheme. Additionally, the AVP may include a Digest-HA1 AVP that contains H(A1) (as defined in RFC 2617 [RFC2617]). H(A1) allows the Diameter client to create an expected response and compare it with the Digest response received from the SIP UA.
The SIP-Authenticate AVP is defined as follows (per the grouped-avp-def of RFC 3588 [RFC3588]):
    SIP-Authenticate ::= < AVP Header: 379 >
                         { Digest-Realm }
                         { Digest-Nonce }
                         [ Digest-Domain ]
                         [ Digest-Opaque ]
                         [ Digest-Stale ]
                         [ Digest-Algorithm ]
                         [ Digest-QoP ]
                         [ Digest-HA1 ]
                       * [ Digest-Auth-Param ]
                       * [ AVP ]
The SIP-Authorization AVP (AVP Code 380) is of type Grouped and contains a reconstruction of either the SIP Authorization or Proxy-Authorization header fields specified in RFC 2617 [RFC2617] for the HTTP Digest authentication scheme.
The SIP-Authorization AVP is defined as follows (per the grouped-avp-def of RFC 3588 [RFC3588]):
    SIP-Authorization ::= < AVP Header: 380 >
                          { Digest-Username }
                          { Digest-Realm }
                          { Digest-Nonce }
                          { Digest-URI }
                          { Digest-Response }
                          [ Digest-Algorithm ]
                          [ Digest-CNonce ]
                          [ Digest-Opaque ]
                          [ Digest-QoP ]
                          [ Digest-Nonce-Count ]
                          [ Digest-Method ]
                          [ Digest-Entity-Body-Hash ]
                        * [ Digest-Auth-Param ]
                        * [ AVP ]
The SIP-Authentication-Info AVP (AVP Code 381) is of type Grouped and contains a reconstruction of the SIP Authentication-Info header specified in RFC 2617 [RFC2617] for the HTTP Digest authentication scheme.
The SIP-Authentication-Info AVP is defined as follows (per the grouped-avp-def of RFC 3588 [RFC3588]):
    SIP-Authentication-Info ::= < AVP Header: 381 >
                                [ Digest-Nextnonce ]
                                [ Digest-QoP ]
                                [ Digest-Response-Auth ]
                                [ Digest-CNonce ]
                                [ Digest-Nonce-Count ]
                              * [ AVP ]
Note that, in some cases, the Digest-Response-Auth AVP cannot be calculated at the Diameter server, but has to be calculated at the Diameter client (SIP server). For example, if the value of the quality of protection (qop) parameter in Digest is set to "auth-int", then the response-digest (rspauth parameter value in Digest) is calculated with the hash of the body of the SIP response, which is not available at the Diameter server. In this case, the Diameter client (SIP server) must calculate the response-digest once the body of the SIP response is calculated.
Therefore, a value of "auth-int" in the Digest-QoP AVP of the SIP-Authentication-Info AVP indicates that the Diameter client (SIP server) MUST compute the Digest "rspauth" parameter value at the Diameter client (SIP server).
The following AVPs are RADIUS attributes defined in the RADIUS Extension for Digest Authentication [RFC4590] and imported by this specification: Digest-AKA-Auts, Digest-Algorithm, Digest-Auth-Param, Digest-CNonce, Digest-Domain, Digest-Entity-Body-Hash, Digest-HA1, Digest-Method, Digest-Nextnonce, Digest-Nonce, Digest-Nonce-Count, Digest-Opaque, Digest-QoP, Digest-Realm, Digest-Response, Digest-Response-Auth, Digest-URI, Digest-Username, and Digest-Stale.
The Digest-HA1 AVP contains the value, pre-calculated at the Diameter server, of H(A1) as defined in RFC 2617 [RFC2617]. The Diameter client can use H(A1) to calculate the expected Digest response, according to this challenge. If the SIP UA is in possession of the credentials, the calculated expected response and the response sent from the SIP UA will match. The Diameter server MAY include this AVP to enable and assist the SIP server in authenticating the SIP UA.
This scenario is not applicable when the Diameter server is configured to use a session MD5 (MD5-sess) algorithm, because the Diameter server requires the client nonce to compute the H(A1) before sending it to the Diameter client, and the client nonce might not be available when the computation of H(A1) is done. Therefore, if the final authentication is delegated to the Diameter client, it is RECOMMENDED to configure the Diameter server to use algorithms different than MD5-sess in HTTP Digest.
It is up to the Diameter server to include a Digest-HA1 AVP. The Diameter server calculates the Digest H(A1) with the username, password, and realm (and nonce and cnonce, if applicable) as inputs, and places the result in the Digest-HA1 AVP value. For more details of the A1 computation, see RFC 2617 [RFC2617] Section 3.2.2.2. The Diameter client can calculate the Digest expected response with H(A1) as input, as described in RFC 2617 [RFC2617] Section 3.2.2.
Section 11 provides further normative details about the usage of the Digest-HA1 AVP.
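How a Diameter client can use a received Digest-HA1 value, as an added example that is not part of the RFC text: it computes the expected Digest response per RFC 2617, compares it with Digest-Response in constant time, and derives the "rspauth" value that the "auth-int" note above leaves to the SIP server. The function names and the dict keyed by Digest-* AVP names are assumptions; the sample values in the usage note come from the RFC 2617 example, and plain MD5 (not MD5-sess) is assumed.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def unquote(value):
    """Digest-* AVP values are carried without the header's surrounding quotes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def digest_ha1(username, realm, password):
    """Diameter server side: H(A1) for the plain MD5 algorithm."""
    return md5_hex(f"{username}:{realm}:{password}")


def a2_bytes(method, avps, body):
    """A2 per RFC 2617; an empty method yields the A2 used for rspauth."""
    a2 = f"{method}:{avps['Digest-URI']}".encode("utf-8")
    if avps.get("Digest-QoP") == "auth-int":
        # auth-int binds the hash of the entity body into A2.
        a2 += b":" + hashlib.md5(body).hexdigest().encode("ascii")
    return a2


def keyed_digest(ha1, avps, a2):
    """KD(H(A1), ...) with or without a qop directive."""
    qop = avps.get("Digest-QoP")
    ha2 = hashlib.md5(a2).hexdigest()
    if qop is None:
        parts = [ha1, avps["Digest-Nonce"], ha2]
    elif qop in ("auth", "auth-int"):
        parts = [ha1, avps["Digest-Nonce"], avps["Digest-Nonce-Count"],
                 avps["Digest-CNonce"], qop, ha2]
    else:
        raise ValueError(f"unsupported qop {qop!r}")
    return md5_hex(":".join(parts))


def expected_response(ha1, avps, method, body=b""):
    """Value the SIP UA must have sent if it holds the credentials."""
    return keyed_digest(ha1, avps, a2_bytes(method, avps, body))


def verify_sip_ua(ha1, avps, method, body=b""):
    """Constant-time comparison against the received Digest-Response."""
    expected = expected_response(ha1, avps, method, body).encode("ascii")
    received = avps["Digest-Response"].lower().encode("utf-8")
    return hmac.compare_digest(expected, received)


def rspauth(ha1, avps, response_body=b""):
    """Digest-Response-Auth value; needs the SIP response body for auth-int."""
    return keyed_digest(ha1, avps, a2_bytes("", avps, response_body))
```

With the RFC 2617 sample credentials (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life") and its sample challenge, `expected_response` reproduces that document's response value `6629fae49393a05397450978507c4ef1`.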
The Digest-Entity-Body-Hash AVP contains a hash of the entity body contained in the SIP message. This hash is required by HTTP Digest with quality of protection set to "auth-int". Diameter clients MUST use this AVP to transport the hash of the entity body when HTTP Digest is the authentication mechanism and the Diameter server requires verification of the integrity of the entity body (e.g., qop parameter set to "auth-int").
The clarifications described in Section 22.4 of RFC 3261 [RFC3261] about the hash of empty entity bodies apply to the Digest-Entity-Body-Hash AVP.
The Digest-Auth-Param AVP is the mechanism whereby the Diameter client and Diameter server can exchange possible extension parameters contained in Digest headers that are either not understood by the Diameter client or for which there are no corresponding stand-alone AVPs. Unlike the previously listed Digest-* AVPs, the Digest-Auth-Param contains not only the value, but also the parameter name, since it is unknown to the Diameter client. The Diameter node MUST insert one Digest parameter/value combination per AVP value. If the Digest header contains several unknown parameters, then the Diameter implementation MUST repeat this AVP and each instance MUST contain one different unknown Digest parameter/value combination. This AVP corresponds to the "auth-param" parameter defined in Section 3.2.1 of RFC 2617 [RFC2617].
Example: Assume that the Diameter server wants the SIP server to send a "foo" parameter with the value set to "bar", so that the SIP server sends that combination in a SIP WWW-Authenticate header field. The Diameter server builds a grouped SIP-Authenticate AVP that contains a Digest-Auth-Param whose value is set to foo="bar". Then the SIP server creates the WWW-Authenticate header field with all the digest parameters (received in Digest-* AVPs) and adds the foo="bar" parameter to that header field.
The SIP-Number-Auth-Items AVP (AVP Code 382) is of type Unsigned32 and indicates the number of authentication and/or authorization credentials that the Diameter server included in a Diameter message.
When the AVP is present in a request, it indicates the number of SIP-Auth-Data-Items the Diameter client is requesting. This can be used, for instance, when the SIP server is requesting several pre-calculated authentication credentials. In the answer message, the SIP-Number-Auth-Items AVP indicates the actual number of items that the Diameter server included.
The SIP-Deregistration-Reason AVP (AVP Code 383) is of type Grouped and indicates the reason for a deregistration operation.
The SIP-Deregistration-Reason AVP is defined as follows (per the grouped-avp-def of RFC 3588 [RFC3588]):
SIP-Deregistration-Reason ::= < AVP Header: 383 >
                              { SIP-Reason-Code }
                              [ SIP-Reason-Info ]
                            * [ AVP ]
The SIP-Reason-Code AVP (AVP Code 384) is of type Enumerated and defines the reason for the network initiated deregistration. The following values are defined:
o PERMANENT_TERMINATION (0)
o NEW_SIP_SERVER_ASSIGNED (1)
o SIP_SERVER_CHANGE (2)
o REMOVE_SIP_SERVER (3)
The SIP-Reason-Info AVP (AVP Code 385) is of type UTF8String and contains textual information that can be rendered to the user, about the reason for a deregistration.
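The grouped definition above can be enforced on receipt. The following Python code is an added example, not part of RFC 4740: it decodes the RFC 3588 AVP header layout, requires exactly one SIP-Reason-Code with a defined value, and drops non-printable characters from SIP-Reason-Info before it is rendered to the user. The function names, the constructed sample bytes, the use of the M bit in the sample, and the choice to reject unknown AVPs that carry the M bit are assumptions of this example.

```python
import struct

# AVP codes and enumeration values taken from the text above.
SIP_DEREGISTRATION_REASON = 383
SIP_REASON_CODE = 384
SIP_REASON_INFO = 385
REASON_CODES = {
    0: "PERMANENT_TERMINATION",
    1: "NEW_SIP_SERVER_ASSIGNED",
    2: "SIP_SERVER_CHANGE",
    3: "REMOVE_SIP_SERVER",
}

FLAG_VENDOR = 0x80     # V bit: a 4-octet Vendor-ID follows the length
FLAG_MANDATORY = 0x40  # M bit (assumption: the sample AVPs set it)


class AvpError(ValueError):
    """Raised when an AVP is malformed or violates the grouped definition."""


def encode_avp(code, data, flags=FLAG_MANDATORY):
    """Encode one AVP without Vendor-ID: code, flags, 24-bit length, padding."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)


def iter_avps(buf):
    """Yield (code, flags, data) for each AVP in buf, checking every length."""
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < 8:
            raise AvpError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, offset)
        length = int.from_bytes(buf[offset + 5:offset + 8], "big")
        header_len = 12 if flags & FLAG_VENDOR else 8
        padded = length + (-length % 4)
        if length < header_len or offset + padded > len(buf):
            raise AvpError("AVP length or padding outside buffer")
        yield code, flags, buf[offset + header_len:offset + length]
        offset += padded


def parse_deregistration_reason(buf):
    """Parse one SIP-Deregistration-Reason AVP; return (reason_name, info)."""
    outer = list(iter_avps(buf))
    if len(outer) != 1 or outer[0][0] != SIP_DEREGISTRATION_REASON:
        raise AvpError("expected exactly one SIP-Deregistration-Reason AVP")
    reason = info = None
    for code, flags, data in iter_avps(outer[0][2]):
        base = not flags & FLAG_VENDOR  # vendor AVPs live in another code space
        if base and code == SIP_REASON_CODE:
            if reason is not None or len(data) != 4:
                raise AvpError("bad or repeated SIP-Reason-Code")
            (value,) = struct.unpack("!i", data)  # Enumerated is an Integer32
            if value not in REASON_CODES:
                raise AvpError("undefined SIP-Reason-Code %d" % value)
            reason = REASON_CODES[value]
        elif base and code == SIP_REASON_INFO:
            if info is not None:
                raise AvpError("repeated SIP-Reason-Info")
            try:
                text = data.decode("utf-8")
            except UnicodeDecodeError:
                raise AvpError("SIP-Reason-Info is not valid UTF-8")
            # The text may be shown to a user: drop control characters.
            info = "".join(ch for ch in text if ch.isprintable())
        elif flags & FLAG_MANDATORY:
            raise AvpError("unsupported mandatory AVP %d" % code)
        # Other optional AVPs are permitted by "* [ AVP ]" and are ignored.
    if reason is None:
        raise AvpError("required SIP-Reason-Code missing")
    return reason, info


def build_sample():
    """Constructed sample: PERMANENT_TERMINATION with a short reason text."""
    inner = encode_avp(SIP_REASON_CODE, struct.pack("!i", 0))
    inner += encode_avp(SIP_REASON_INFO, "Subscription ended".encode("utf-8"))
    return encode_avp(SIP_DEREGISTRATION_REASON, inner)


if __name__ == "__main__":
    print(parse_deregistration_reason(build_sample()))
```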
The SIP-AOR AVP is a RADIUS attribute imported from the RADIUS Extension for Digest Authentication [RFC4590] namespace, allowing a smooth transition between RADIUS and Diameter applications supporting SIP. The SIP-AOR AVP carries the URI of the intended user related to the SIP request (whose location in SIP may vary depending on the actual SIP request and whether the SIP server is acting on Diameter due to a SIP-originated or terminating requests).
The Diameter client (SIP server) uses the value found in a SIP Request-URI or a header field value of the SIP request to construct the SIP-AOR AVP. The selection of a Request-URI or a particular header field to create the value of the SIP-AOR AVP depends on the semantics of the SIP message and whether the SIP server is acting for originating or terminating requests. For instance, when the SIP server receives an INVITE request addressed to the served user (e.g., the SIP server is receiving a terminating SIP request), it maps the SIP Request-URI of the SIP request to this AVP. However, when the SIP server receives an INVITE request originated by the served user, it can map either the P-Asserted-Identity or the From header field values to this AVP. If the SIP server is acting as a SIP registrar, then it maps the To header field of the REGISTER request to the SIP-AOR AVP.
The SIP-Visited-Network-Id AVP (AVP Code 386) is of type UTF8String. This AVP contains an identifier that helps the home network identify the visited network (e.g., the visited network domain name), in order to authorize roaming to that visited network.
The SIP-User-Authorization-Type AVP (AVP Code 387) is of type Enumerated and indicates the type of user authorization being performed in a User Authorization operation, i.e., the Diameter User-Authorization-Request (UAR) command. The following values are defined:
o REGISTRATION (0) This value is used for initial registration or re-registration. This is the default value.
o DEREGISTRATION (1) This value is used for deregistration.
o REGISTRATION_AND_CAPABILITIES (2) This value is used for initial registration or re-registration when the SIP server explicitly requests the Diameter server to get capability information. This capability information helps the SIP server to allocate another SIP server to serve the user.
The SIP-Supported-User-Data-Type AVP (AVP Code 388) is of type UTF8String and contains a string that identifies the type of supported user data (user profile, see SIP-User-Data AVP (Section 9.12)) supported in the node. The AVP can be repeated, if the SIP server supports several user data types. In case of repetition, the Diameter client should order the different instances of this AVP according to its preferences.
When the Diameter client inserts this AVP in a SAR message, it allows the Diameter client to provide an indication to the Diameter server of the types of user data supported by the SIP server. The Diameter server, upon inspection of these AVPs, will return a suitable SIP-User-Data AVP (Section 9.12) of the type indicated in the SIP-User-Data-Type AVP (Section 9.12.1).
The SIP-User-Data AVP (AVP Code 389) is of type Grouped. This AVP allows the Diameter server to transport user-specific data, such as a user profile, to the SIP server (in the Diameter client). The Diameter server selects a type of user data that is understood by the SIP server in the Diameter client, and has been indicated in a SIP-Supported-User-Data-Type AVP. In case the Diameter client indicated support for several types of user data, the Diameter server SHOULD choose the first type supported by the client.
The SIP-User-Data grouped AVP contains a SIP-User-Data-Type AVP that indicates the type of user data included in the SIP-User-Data-Contents-AVP.
The SIP-User-Data AVP is defined as follows (per the grouped-avp-def of RFC 3588 [RFC3588]):
SIP-User-Data ::= < AVP Header: 389 >
                  { SIP-User-Data-Type }
                  { SIP-User-Data-Contents }
                * [ AVP ]
The SIP-User-Data AVP (AVP Code 390) is of type UTF8String and contains a string that identifies the type of user data included in the SIP-User-Data AVP (Section 9.12).
This document does not specify a convention to characterize the type of user data contained in the SIP-User-Data AVP (Section 9.12). It is believed that in most cases this feature will be used in environments controlled by a network administrator who can configure both the client and server to assign the same value type at the client and server. It is also RECOMMENDED that organizations developing their own profile of SIP-User-Data AVP (Section 9.12) allocate a type based on their canonical DNS name. For instance, organization "example.com" can define several types of SIP-User-Data and allocate the types "type1.dsa.example.com", "type2.dsa.example.com", and so on. This convention will avoid a clash in the allocation of types of SIP-User-Data AVP (Section 9.12).
The SIP-User-Data-Contents AVP (AVP Code 391) is of type OctetString. The Diameter peers do not need to understand the value of this AVP.
The AVP contains the user profile data required for a SIP server to give service to the user.
The SIP-User-Data-Already-Available AVP (AVP Code 392) is of type Enumerated and gives an indication to the Diameter server about whether the Diameter client (SIP server) already received the portion of the user profile needed in order to serve the user. The following values are defined:
o USER_DATA_NOT_AVAILABLE (0) The Diameter client (SIP server) does not have the data that it needs to serve the user.
o USER_DATA_ALREADY_AVAILABLE (1) The Diameter client (SIP server) already has received the data that it needs to serve the user.
The SIP-Method-AVP (AVP Code 393) is of type UTF8String and contains the method of the SIP request that triggered the Diameter message. The Diameter server MUST use this AVP solely for authorization of SIP requests, and MUST NOT use it to compute the Digest authentication. To compute the Digest authentication, the Diameter server MUST use the Digest-Method AVP instead.
This section defines new values that the Diameter SIP application extends to already existing AVPs.
The Result-Code AVP is already defined in RFC 3588 [RFC3588]. In addition to the values already defined in RFC 3588 [RFC3588], the Diameter SIP application defines the following new Result-Code AVP values:
A Diameter peer uses Result-Code AVP values that fall into the success category to inform the remote peer that a request has been successfully completed.
o DIAMETER_FIRST_REGISTRATION 2003 The user was not previously registered. The Diameter server has now authorized the registration.
o DIAMETER_SUBSEQUENT_REGISTRATION 2004 The user is already registered. The Diameter server has now authorized the re-registration.
o DIAMETER_UNREGISTERED_SERVICE 2005 The user is not currently registered, but the requested service can still be granted to the user.
o DIAMETER_SUCCESS_SERVER_NAME_NOT_STORED 2006 The request operation was successfully processed. The Diameter server does not keep a record of the SIP server address assigned to the user.
o DIAMETER_SERVER_SELECTION 2007 The Diameter server has authorized the registration. The user has already been assigned a SIP server, but it may be necessary to select a new SIP server for the user.
o DIAMETER_SUCCESS_AUTH_SENT_SERVER_NOT_STORED 2008 The requested operation was successfully executed. The Diameter server is sending a number of authentication credentials in the answer message. The Diameter server does not keep a record of the SIP server.
A Diameter peer uses a Result-Code AVP value that falls in the transient failures category to inform the remote peer that a request could not be satisfied at the time it was received, but it MAY be satisfied by the Diameter peer in the future.
o DIAMETER_USER_NAME_REQUIRED 4013 The Diameter request did not contain a User-Name AVP, which is required to complete the transaction. The Diameter peer MAY include a User-Name AVP and attempt the request again.
A Diameter peer uses a Result-Code AVP value that falls into the permanent failure category to inform the remote peer that the request failed and should not be attempted again.
o DIAMETER_ERROR_USER_UNKNOWN 5032 The SIP-AOR AVP value does not belong to a known user in this realm.
o DIAMETER_ERROR_IDENTITIES_DONT_MATCH 5033 The value in one of the SIP-AOR AVPs is not allocated to the user specified in the User-Name AVP.
o DIAMETER_ERROR_IDENTITY_NOT_REGISTERED 5034 A query for location information is received for a SIP AOR that has not been registered before. The user to which this identity belongs cannot be given service in this situation.
o DIAMETER_ERROR_ROAMING_NOT_ALLOWED 5035 The user is not allowed to roam to the visited network.
o DIAMETER_ERROR_IDENTITY_ALREADY_REGISTERED 5036 The identity being registered has already been assigned a server and the registration status does not allow that it is overwritten.
o DIAMETER_ERROR_AUTH_SCHEME_NOT_SUPPORTED 5037 The authentication scheme indicated in an authentication request is not supported.
o DIAMETER_ERROR_IN_ASSIGNMENT_TYPE 5038 The SIP server address sent in the SIP-Server-URI AVP value of the Diameter Server-Assignment-Request (SAR) command is the same SIP server address that is currently assigned to the user name, but the SIP-Server-Assignment-Type AVP is not allowed. For example, the user is registered and the Server-Assignment-Request indicates the assignment for an unregistered user.
o DIAMETER_ERROR_TOO_MUCH_DATA 5039 The Diameter peer in the SIP server receives more data than it can accept. The SIP server cannot overwrite the already stored data.
o DIAMETER_ERROR_NOT_SUPPORTED_USER_DATA 5040 The SIP server informs the Diameter server that the received subscription data contained information that was not recognized or supported.
Authenticating a user can occur through various mechanisms. Currently HTTP Digest authentication is supported. The actual authentication is performed in either the SIP server or the Diameter server.
If the Diameter server wants to assure that authentication will take place in the Diameter server (as opposed to a delegated authentication taking place in the SIP server), it MUST NOT include a Digest-HA1 AVP (part of the grouped SIP-Authenticate AVP, which in turn is part of the SIP-Auth-Data-Item AVP) in a MAA message. The Diameter server MAY include a pre-calculated Digest-HA1 AVP in the MAA message if it wants to delegate authentication of the user to the SIP server.
Note that on systems where the SIP User Agent is using HTTP Digest authentication [RFC2617] inside of Transport Layer Security (TLS) [RFC4346], where only the SIP proxy server has a certificate, delegating authentication to the SIP server (by making Digest-HA1 available to the SIP server) might reduce the load on the Diameter server.
When requesting authentication, the Diameter client indicates in the SIP-Number-Auth-Items AVP value of a Diameter MAR message how many authentication credentials are being requested. In the Diameter MAA message, the Diameter server MAY include more than one SIP-Auth-Data-Item AVP, but it is only useful for the Diameter client if the Digest-QoP AVP was set to 'auth-int' (in the MAR message), and if future authentications will have the same realm. When including more than one SIP-Auth-Data-Item AVP, the Diameter server SHOULD indicate how many instances of SIP-Auth-Data-Item AVPs are present with the SIP-Number-Auth-Items AVP. This number may be different from the one requested in the Diameter MAR message. If multiple SIP-Auth-Data-Item AVPs are present, and their ordering is significant, the Diameter server MUST include a SIP-Item-Number AVP in each grouping to indicate the order. The SIP-Authentication-Scheme AVP indicates "Digest" and the SIP-Authenticate AVP contains data (typically a challenge of some kind) that the user can use for her authentication. The grouped SIP-Authorization AVP contains the AVPs that conform to the response expected from the user.
If the Diameter server performs the authentication of the user, the Diameter MAR message that the Diameter client sends to the Diameter server MUST include all the authentication credentials supplied by the SIP UA (there might be more than one credential, e.g., different realms, authentication of proxies, etc.). Each credential is inserted in a grouped SIP-Authorization AVP (part of the grouped SIP-Auth-Data-Item AVP). The Diameter client MUST insert a SIP-Number-Auth-Items AVP with the value set to the number of credentials enclosed. If necessary, the Digest-Entity-Body-Hash AVP will contain a hash of the body, needed to perform the authentication. If the authentication is successful, the Diameter MAA message will contain a Result-Code AVP indicating success, and if necessary, the Diameter server MAY include one or more SIP-Auth-Data-Item AVPs to provide further authentication credentials to the SIP server. If the authentication is unsuccessful due to missing credentials, the Diameter MAA message will include a SIP-Auth-Data-Item AVP with the SIP-Authentication-Scheme and SIP-Authenticate AVPs containing data (typically a challenge of some kind) that the user can use to authenticate itself.
There are situations where a SIP request traverses several proxies, and each of the proxies requests to authenticate the SIP UA. In this situation, it is a valid scenario that a SIP request received at a SIP server contains several sets of credentials. The 'realm' directive in HTTP is the key that the Diameter client can use to determine which credential is applicable. Also, none of the realms may be of interest to the Diameter client, in which case the Diameter client MUST consider that no credentials (of interest) were sent. In any case, a Diameter client MUST send zero or exactly one credential to the Diameter server. The Diameter client MUST choose the credential based on the 'realm' directive in the Authorization/Proxy-Authorization header field, and it MUST match the realm of the Diameter client.
It must be noted that nonces are always generated in the Diameter server.
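The following Python code is an added example, not part of RFC 4740, covering two rules stated above: the Diameter client selects zero or exactly one credential by the 'realm' directive, and a SIP server that received H(A1) in a Digest-HA1 AVP performs the final check itself. It handles only qop=auth with MD5; the function names, the constructed sample headers, the hexadecimal form of H(A1), and the choice to treat several credentials for the same realm as no credential are assumptions of this example.

```python
import hashlib
import hmac
import re

# One key=value pair of a Digest credential; the value is quoted or a token.
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_digest(header_value):
    """Return the parameters of a 'Digest ...' credential, or None."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    params = {}
    for name, quoted, token in _PARAM.findall(rest):
        name = name.lower()
        if name in params:
            return None  # a repeated directive is ambiguous: reject it
        params[name] = re.sub(r"\\(.)", r"\1", quoted) if quoted else token
    return params


def select_credential(header_values, local_realm):
    """Pick the credential for local_realm; zero or exactly one is returned.

    header_values holds the values of all Authorization and
    Proxy-Authorization header fields of the SIP request.
    """
    matches = []
    for value in header_values:
        params = parse_digest(value)
        if params and params.get("realm") == local_realm:
            matches.append(params)
    # Assumption of this example: several credentials for the same realm
    # are ambiguous and are handled as if none had been sent.
    return matches[0] if len(matches) == 1 else None


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def verify_with_ha1(cred, ha1, method, issued_nonce):
    """Check a qop=auth response using only H(A1); no password is needed.

    ha1 is the hexadecimal H(A1) delivered by the Diameter server and
    issued_nonce is the nonce the Diameter server generated for the challenge.
    """
    required = ("username", "nonce", "uri", "response", "nc", "cnonce", "qop")
    if any(key not in cred for key in required) or cred["qop"] != "auth":
        return False
    if not hmac.compare_digest(cred["nonce"].encode(), issued_nonce.encode()):
        return False  # response was not computed over the issued challenge
    ha2 = md5_hex("%s:%s" % (method, cred["uri"]))
    expected = md5_hex(":".join(
        [ha1, cred["nonce"], cred["nc"], cred["cnonce"], cred["qop"], ha2]))
    # Constant-time comparison of the expected and received responses.
    return hmac.compare_digest(expected.encode(),
                               cred["response"].lower().encode())


def demo():
    """Constructed sample: two credentials, only one for the local realm."""
    realm, nonce = "example.com", "c0ffee0123456789"
    ha1 = md5_hex("alice:%s:%s" % (realm, "correct horse"))
    ha2 = md5_hex("REGISTER:sip:example.com")
    resp = md5_hex(":".join([ha1, nonce, "00000001", "abcd1234", "auth", ha2]))
    headers = [
        'Digest username="alice", realm="proxy.example.net", nonce="n1", '
        'uri="sip:example.com", response="00", qop=auth, nc=00000001, cnonce="x"',
        'Digest username="alice", realm="%s", nonce="%s", uri="sip:example.com", '
        'response="%s", qop=auth, nc=00000001, cnonce="abcd1234"'
        % (realm, nonce, resp),
    ]
    cred = select_credential(headers, realm)
    return cred is not None and verify_with_ha1(cred, ha1, "REGISTER", nonce)


if __name__ == "__main__":
    print("credential accepted:", demo())
```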
RADIUS offers support for HTTP Digest authentication in the RADIUS Extension for Digest Authentication [RFC4590]. A number of AVPs (the Digest-* AVPs) of this Diameter SIP application are imported from the RADIUS attributes namespace, thus making the migration from RADIUS to Diameter smooth.
Note that the RADIUS Extension for Digest Authentication [RFC4590] provides a more limited scope than this Diameter SIP application. Specifically, the RADIUS extension for Digest Authentication merely provides support for HTTP Digest authentication, whereas the Diameter SIP application provides support for user location, profile downloading and update, etc.
The following sections discuss several configurations in which a gateway translates RADIUS to Diameter and vice versa.
The gateway maps Access-Request messages to MAR request. If a RADIUS Access-Request message contains at least one Digest-* attribute, the gateway maps all Digest-* attributes to the AVPs of a Diameter SIP-Authorization AVP, constructs a MAR message, and sends it to the Diameter server. If the RADIUS Access-Request message does not contain any Digest-* attribute, then the RADIUS client does not want to apply HTTP Digest authentication, in which case, actions at the gateway are outside the scope of this document.
The Diameter server responds with a MAA message. If the MAA message contains a Result-Code AVP set to the value DIAMETER_MULTI_ROUND_AUTH and contains challenge parameters in a SIP-Authenticate AVP, then the gateway translates the AVPs of SIP-Authenticate AVP and puts the resulting RADIUS attributes into an Access-Challenge message. It sends the Access-Challenge message to the RADIUS client.
If the MAA message contains a SIP-Authentication-Info and a Digest-Response AVP, the gateway converts these AVPs to the corresponding RADIUS attributes and constructs a RADIUS message. If the Result-Code AVP is DIAMETER_SUCCESS, an Access-Accept is sent. In all other cases, an Access-Reject is sent.
The Diameter client sends a Diameter MAR message to the gateway. If the MAR message does not contain SIP-Auth-Data-Item AVPs, the gateway constructs an Access-Request message and maps the SIP-AOR and SIP-Method AVPs to RADIUS attributes. The gateway sends the Access-Request message to the RADIUS server, which will respond with an Access-Challenge. The gateway creates a MAA message with a Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH and maps the Digest-* attributes to Diameter AVPs in a SIP-Authenticate AVP. The gateway sends the resulting MAA to the Diameter client, which will respond with a new MAR.
The gateway checks the SIP-Auth-Data-Item AVPs of this MAR for an AVP where the Digest-Realm AVP matches the locally configured realm value. It takes the AVPs from this SIP-Auth-Data-Item AVP, converts them into the corresponding RADIUS attributes and constructs a RADIUS Access-Request message. The gateway sends the Access-Request message to the RADIUS server. If the RADIUS server responds with an Access-Accept message, the gateway converts the RADIUS attributes to Diameter AVPs, constructs a MAA message with a Result-Code AVP set to DIAMETER_SUCCESS and sends this message to the Diameter client. If the RADIUS server responds with an Access-Reject message, the gateway converts the RADIUS attributes to Diameter AVPs, constructs a MAA message with a Result-Code AVP set to DIAMETER_ERROR_IDENTITIES_DONT_MATCH, and sends this message to the Diameter client.
As mentioned earlier, there is not a 100% match between the Diameter SIP application and the RADIUS Extension for Digest Authentication [RFC4590]. In particular, the RADIUS Extension for Digest Authentication [RFC4590] does not offer equivalent functionality to the Diameter UAR/UAA, SAR/SAA, LIR/LIA, RTR/RTA, and PPR/PPA messages defined by this specification.
This document serves as IANA registration request for a number of items that should be registered in the AAA parameters registry.
This document defines a standards-track Application-ID that falls into the Application Identifier standards-track address space defined by RFC 3588 [RFC3588] Section 11.3. This Application-ID has been registered in the Application IDs sub-registry of the AAA parameters registry with the following data:
ID values    Name                                         Reference
-----------  -------------------------------------------  ---------
6            Diameter Session Initiation Protocol (SIP)   RFC 4740
             Application
This document defines new standard commands whose Command Codes are to be allocated within the standard permanent Command Codes address space defined in RFC 3588 [RFC3588] Section 11.2.1. These command codes should be registered in the Command Codes sub-registry of the AAA parameters registry.
Table 1 in Section 8 contains the detailed list of Command Code names and values that are part of this Diameter application.
This document defines new standard AVPs, whose AVP Codes are to be allocated within the AVP Codes address space defined in RFC 3588 [RFC3588] Section 11.4. These AVP codes have been registered in the AVP Codes sub-registry of the AAA parameters registry.
Table 2 in Section 9 contains the detailed list of AVP names and AVP codes that are part of this Diameter application.
This document defines new standard Result-Code AVP values to be allocated within the Result-Code AVP address space defined in RFC 3588 [RFC3588] Section 14.4.1. These values are listed in the Result-Code AVP values section of the AVP Specific Values sub-registry of the AAA parameters registry.
Section 10.1.1 lists the new Result-Code AVP values that fall into the success category, according to RFC 3588 [RFC3588] Section 7.1.2.
Section 10.1.2 lists the new Result-Code AVP values that fall into the transient failures category, according to RFC 3588 [RFC3588] Section 7.1.4.
Section 10.1.3 lists the new Result-Code AVP values that fall into the permanent failures category, according to RFC 3588 [RFC3588] Section 7.1.5.
13.5. Creation of the SIP-Server-Assignment-Type Section in the AAA Registry
This document defines a new SIP-Server-Assignment-Type AVP (see Section 9.4). This AVP is of type Enumerated. We define an initial set of values that should be registered by IANA. IANA should create a new "SIP-Server-Assignment-Type AVP values" section under the AVP Specific Values sub-registry of the AAA parameters registry. The initial list of values is listed in Section 9.4.
13.6. Creation of the SIP-Authentication-Scheme Section in the AAA Registry
This document defines a new SIP-Authentication-Scheme AVP (see Section 9.5.1). This AVP is of type Enumerated. We currently define a single value that should be registered by IANA. IANA should create a new "SIP-Authentication-Scheme AVP values" section under the AVP Specific Values sub-registry of the AAA parameters registry. The initial list of values is included in Section 9.5.1.
This document defines a new SIP-Reason-Code AVP (see Section 9.7.1). This AVP is of type Enumerated. We define an initial set of values that should be registered by IANA. IANA should create a new "SIP-Reason-Code AVP values" section under the AVP Specific Values sub-registry of the AAA parameters registry. The initial list of values is listed in Section 9.7.1.
13.8. Creation of the SIP-User-Authorization-Type Section in the AAA Registry
This document defines a new SIP-User-Authorization-Type AVP (see Section 9.10). This AVP is of type Enumerated. We define an initial set of values that should be registered by IANA. IANA should create a new "SIP-User-Authorization-Type AVP values" section under the AVP Specific Values sub-registry of the AAA parameters registry. The initial list of values is listed in Section 9.10.
13.9. Creation of the SIP-User-Data-Already-Available Section in the AAA Registry
This document defines a new SIP-User-Data-Already-Available AVP (see Section 9.13). This AVP is of type Enumerated. We define an initial set of values which should be registered by IANA. IANA should create a new "SIP-User-Data-Already-Available AVP values" section under the AVP Specific Values sub-registry of the AAA parameters registry. The initial list of values is listed in Section 9.13.
This memo does not describe a stand-alone protocol, but a particular application for the Diameter protocol [RFC3588]. Consequently, all the security considerations applicable to Diameter automatically apply to this memo. In particular, Section 13 of RFC 3588 applies to this memo.
This Diameter SIP application allows a Diameter client to use the properties of HTTP Digest authentication [RFC2617] by evaluating or sending to the Diameter server the credentials supplied by a user. The discussion of HTTP Digest authentication in Section 4 of RFC 2617 [RFC2617] is also applicable to this memo.
This Diameter SIP application also allows a Diameter client to use the properties of HTTP Digest authentication using AKA [RFC3310] by evaluating or sending to the Diameter server the credentials supplied by a user. Section 5 of RFC 3310 [RFC3310] is also applicable to this memo.
The Diameter SIP application can be configured to operate in a scenario where the final authentication check is performed in the Diameter client (SIP server). There are a number of security considerations associated to it; all of them are consequences of the requirement to transfer H(A1) from the Diameter server to the Diameter client:
o Both Diameter client and server must trust each other, such as when both client and server belong to the same administrative domain.
o To avoid eavesdroppers, the transport protocol between the Diameter client and server MUST be secured. RFC 3588 [RFC3588] specifies TLS [RFC4346] and IPsec as possible transport protection mechanisms for Diameter.
Due to these security considerations, it is RECOMMENDED to configure the Diameter SIP application to operate in the mode where the final authentication check is performed in the Diameter server.
The authors would like to thank the following contributors who made substantial contributions to this work:
Pete McCann Lucent
Jaakko Rajaniemi Nokia
Wolfgang Beck (Deutsche Telekom AG) provided the text in Section 12, "Migration from RADIUS".
The authors would like to thank Tony Johansson and Kevin Purser for their invaluable contribution to the start-up of this application and the continuous progress. The authors would like to thank Daniel Warren, Jayshree Bharatia, Kuntal Chowdhury, Jari Arkko, Avi Lior, Wolfgang Beck, Ulrich Wiehe, Cullen Jennings, Anu Leinonen, Glen Zorn, German Blanco, Mikko Aittola, Bert Wijnen, and Sam Hartman for their reviews and valuable comments.
The Diameter SIP application is based on the Diameter application for the Cx interface of the 3GPP IP Multimedia Subsystem [3GPP.29.229]. The authors would like to thank 3GPP Working Group CN4 for this work.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., and L. Stewart, "HTTP Authentication: Basic and Digest Access Authentication", RFC 2617, June 1999.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002.
[RFC3310] Niemi, A., Arkko, J., and V. Torvinen, "Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA)", RFC 3310, September 2002.
[RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, "Diameter Base Protocol", RFC 3588, September 2003.
[RFC4590] Sterman, B., Sadolevsky, D., Schwartz, D., Williams, D., and W. Beck, "RADIUS Extension for Digest Authentication", RFC 4590, July 2006.
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006.
[RFC3263] Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol (SIP): Locating SIP Servers", RFC 3263, June 2002.
[RFC3680] Rosenberg, J., "A Session Initiation Protocol (SIP) Event Package for Registrations", RFC 3680, March 2004.
[RFC3880] Lennox, J., Wu, X., and H. Schulzrinne, "Call Processing Language (CPL): A Language for User Control of Internet Telephony Services", RFC 3880, October 2004.
[RFC4004] Calhoun, P., Johansson, T., Perkins, C., Hiller, T., and P. McCann, "Diameter Mobile IPv4 Application", RFC 4004, August 2005.
[RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, "Diameter Network Access Server Application", RFC 4005, August 2005.
[RFC4006] Hakala, H., Mattila, L., Koskinen, J-P., Stura, M., and J. Loughney, "Diameter Credit-Control Application", RFC 4006, August 2005.
[3GPP.29.229] 3GPP, "Cx and Dx interfaces based on the Diameter protocol; Protocol details", 3GPP TS 29.229 5.12.0, June 2006.
[JSR-000116] Java Community Process, "SIP Servlet API Specification 1.0 Final Release", JSR 000116, March 2003.
Authors' Addresses
Miguel A. Garcia-Martin (Editor) Nokia P.O. Box 407 NOKIA GROUP, FIN 00045 Finland
Phone: +358 50 480 4586 EMail: miguel.an.garcia@nokia.com
Maria-Carmen Belinchon Ericsson Via de los Poblados 13 Madrid 28033 Spain
Phone: +34 91 339 3535 EMail: maria.carmen.belinchon@ericsson.com
Miguel A. Pallares-Lopez Ericsson Via de los Poblados 13 Madrid 28033 Spain
Phone: +34 91 339 4222 EMail: miguel-angel.pallares@ericsson.com
Carolina Canales-Valenzuela Ericsson Via de los Poblados 13 Madrid 28033 Spain
Phone: +34 91 339 2680 EMail: carolina.canales@ericsson.com
Kalle Tammi Nokia P.O.Box 785 Tampere 33101 Finland
Phone: +358 40 505 8670 EMail: kalle.tammi@nokia.com
Full Copyright Statement
Copyright (C) The IETF Trust (2006).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST, AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.