Internet Engineering Task Force (IETF)                      F. Brockners
Request for Comments: 6736                                   S. Bhandari
Category: Standards Track                                          Cisco
ISSN: 2070-1721                                                 V. Singh
        

                                                     V. Fajardo
                                         Telcordia Technologies
                                                   October 2012

Diameter Network Address and Port Translation Control Application

Abstract

This document describes the framework, messages, and procedures for the Diameter Network address and port translation Control Application. This Diameter application allows per-endpoint control of Network Address Translators and Network Address and Port Translators, which are added to networks to cope with IPv4 address space depletion. This Diameter application allows external devices to configure and manage a Network Address Translator device -- expanding the existing Diameter-based Authentication, Authorization, and Accounting (AAA) and policy control capabilities with a Network Address Translator and Network Address and Port Translator control component. These external devices can be network elements in the data plane such as a Network Access Server, or can be more centralized control plane devices such as AAA-servers. This Diameter application establishes a context to commonly identify and manage endpoints on a gateway or server and a Network Address Translator and Network Address and Port Translator device. This includes, for example, the control of the total number of Network Address Translator bindings allowed or the allocation of a specific Network Address Translator binding for a particular endpoint. In addition, it allows Network Address Translator devices to provide information relevant to accounting purposes.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6736.

Copyright Notice

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
   2. Conventions
   3. Deployment Framework
      3.1. Deployment Scenario
      3.2. Diameter NAPT Control Application Overview
      3.3. Deployment Scenarios for DNCA
   4. DNCA Session Establishment and Management
      4.1. Session Establishment
      4.2. Session Update
      4.3. Session and Binding Query
      4.4. Session Termination
      4.5. Session Abort
      4.6. Failure Cases of the DNCA Diameter Peers
   5. Use of the Diameter Base Protocol
      5.1. Securing Diameter Messages
      5.2. Accounting Functionality
      5.3. Use of Sessions
      5.4. Routing Considerations
      5.5. Advertising Application Support
   6. DNCA Commands
      6.1. NAT-Control-Request (NCR) Command
      6.2. NAT-Control-Answer (NCA) Command
   7. NAT Control Application Session State Machine
   8. DNCA AVPs
      8.1. Reused Base Protocol AVPs
      8.2. Additional Result-Code AVP Values
           8.2.1. Success
           8.2.2. Transient Failures
           8.2.3. Permanent Failures
        
      8.3. Reused NASREQ Diameter Application AVPs
      8.4. Reused AVPs from RFC 4675
      8.5. Reused AVPs from Diameter QoS Application
      8.6. Reused AVPs from ETSI ES 283 034, e4 Diameter Application
      8.7. DNCA-Defined AVPs
           8.7.1. NC-Request-Type AVP
           8.7.2. NAT-Control-Install AVP
           8.7.3. NAT-Control-Remove AVP
           8.7.4. NAT-Control-Definition AVP
           8.7.5. NAT-Internal-Address AVP
           8.7.6. NAT-External-Address AVP
           8.7.7. Max-NAT-Bindings
           8.7.8. NAT-Control-Binding-Template AVP
           8.7.9. Duplicate-Session-Id AVP
           8.7.10. NAT-External-Port-Style AVP
   9. Accounting Commands
      9.1. NAT Control Accounting Messages
      9.2. NAT Control Accounting AVPs
           9.2.1. NAT-Control-Record
           9.2.2. NAT-Control-Binding-Status
           9.2.3. Current-NAT-Bindings
   10. AVP Occurrence Tables
      10.1. DNCA AVP Table for NAT Control Initial and Update Requests
      10.2. DNCA AVP Table for Session Query Requests
      10.3. DNCA AVP Table for Accounting Messages
   11. IANA Considerations
      11.1. Application Identifier
      11.2. Command Codes
      11.3. AVP Codes
      11.4. Result-Code AVP Values
      11.5. NC-Request-Type AVP
      11.6. NAT-External-Port-Style AVP
      11.7. NAT-Control-Binding-Status AVP
   12. Security Considerations
   13. Examples
      13.1. DNCA Session Establishment Example
      13.2. DNCA Session Update with Port Style Example
      13.3. DNCA Session Query Example
      13.4. DNCA Session Termination Example
   14. Acknowledgements
   15. References
      15.1. Normative References
      15.2. Informative References
        
1. Introduction

Internet service providers deploy Network Address Translators (NATs) and Network Address and Port Translators (NAPTs) [RFC3022] in their networks. A key motivation for doing so is the depletion of available public IPv4 addresses. This document defines a Diameter application allowing providers to control the behavior of NAT and NAPT devices that implement IPv4-to-IPv4 network address and port translation [RFC2663] as well as stateful IPv6-to-IPv4 address family translation as defined in [RFC2663], [RFC6145], and [RFC6146]. The use of a Diameter application allows for simple integration into the existing Authentication, Authorization, and Accounting (AAA) environment of a provider.

The Diameter Network address and port translation Control Application (DNCA) offers the following capabilities:

1. Limits or defines the number of NAPT/NAT-bindings made available to an individual endpoint. The main motivation for restricting the number of bindings on a per-endpoint basis is to protect the service of the service provider against denial-of-service (DoS) attacks. If multiple endpoints share a single public IP address, these endpoints can share fate. If one endpoint would (either intentionally, or due to misbehavior, misconfiguration, malware, etc.) be able to consume all available bindings for a given single public IP address, service would be hampered (or might even become unavailable) for those other endpoints sharing the same public IP address. The efficiency of a NAPT deployment depends on the maximum number of bindings an endpoint could use. Given that the typical number of bindings an endpoint uses depends on the type of endpoint (e.g., a personal computer of a broadband user is expected to use a higher number of bindings than a simple mobile phone) and a NAPT device is often shared by different types of endpoints, it is desirable to actively manage the maximum number of bindings. This requirement is specified in REQ-3 of [CGN-REQS].

2. Supports the allocation of specific NAPT/NAT-bindings. Two types of specific bindings can be distinguished:

* Allocation of a predefined NAT-binding: The internal and external IP addresses as well as the port pair are specified within the request. Some deployment cases, such as access to a web-server within a user's home network with IP address and port, benefit from statically configured bindings.

* Allocation of an external IP address for a given internal IP address: The allocated external IP address is reported back to the requester. In some deployment scenarios, the application requires immediate knowledge of the allocated binding for a given internal IP address but does not control the allocation of the external IP address; for example, SIP-proxy server deployments.

3. Defines the external address pool(s) to be used for allocating an external IP address: External address pools can be either pre-assigned at the NAPT/NAT device or specified within a request. If pre-assigned address pools are used, a request needs to include a reference to identify the pool. Otherwise, the request contains a description of the IP address pool(s) to be used, for example, a list of IP-subnets. Such external address pools can be used to select the external IP address in NAPT/NAT-bindings for multiple subscribers.

4. Generates reports and accounting records: Reports established bindings for a particular endpoint. The collected information is used by accounting systems for statistical purposes.

5. Queries and retrieves details about bindings on demand: This feature complements the previously mentioned accounting functionality (see item 4). This feature can be used by an entity to find NAT-bindings belonging to one or multiple endpoints on the NAT device. The entity is not required to create a DNCA control session to perform the query but would, obviously, still need to create a Diameter session complying to the security requirements.

6. Identifies a subscriber or endpoint on multiple network devices (NAT/NAPT device, the AAA-server, or the Network Access Server (NAS)): Endpoint identification is facilitated through a Global Endpoint ID. Endpoints are identified through a single classifier or a set of classifiers, such as IP address, Virtual Local Area Network (VLAN) identifier, or interface identifier that uniquely identify the traffic associated with a particular global endpoint.
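The shared-fate scenario from item 1 and the two allocation styles from item 2, as an added example that is not part of RFC 6736 and not any vendor's NAT code: a toy NAPT with one public address and a 16-port external pool, a per-endpoint limit standing in for the Max-NAT-Bindings AVP that the document defines later, and two endpoints, one of which opens flows until it is refused. The endpoint IDs, addresses, port ranges, class and function names are all constructed for this illustration.

```python
# Added example (not part of RFC 6736): a toy NAPT binding table that models
# the per-endpoint binding limit from item 1 and the two allocation styles
# from item 2.  Endpoint IDs, addresses and the 16-port public range are
# constructed; the per-endpoint limit stands in for the Max-NAT-Bindings AVP.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]  # (IP address, port)


class BindingLimitExceeded(Exception):
    """The endpoint already holds its maximum number of NAT-bindings."""


class PortExhausted(Exception):
    """No external port is left on the shared public IP address."""


@dataclass(frozen=True)
class Binding:
    endpoint: str    # Global Endpoint ID (constructed)
    internal: Addr   # private-side IP address and port
    external: Addr   # public-side IP address and port


class Napt:
    """A NAPT with a single public IPv4 address and a small external port pool."""

    def __init__(self, public_ip: str, ports: range) -> None:
        self.public_ip = public_ip
        self.free_ports: List[int] = list(ports)
        self.bindings: Dict[Addr, Binding] = {}
        self.max_bindings: Dict[str, int] = {}  # per-endpoint limit (hypothetical)

    def set_max_bindings(self, endpoint: str, limit: int) -> None:
        self.max_bindings[endpoint] = limit

    def count(self, endpoint: str) -> int:
        return sum(1 for b in self.bindings.values() if b.endpoint == endpoint)

    def allocate(self, endpoint: str, internal: Addr, external: Optional[Addr] = None) -> Binding:
        """Create a binding for `internal`.

        external=None: the NAT picks the external port and reports it back
                       (item 2, "allocation of an external IP address").
        external=(ip, port): predefined binding requested by the controller
                       (item 2, "allocation of a predefined NAT-binding").
        """
        if internal in self.bindings:
            return self.bindings[internal]  # already bound: idempotent
        limit = self.max_bindings.get(endpoint)
        if limit is not None and self.count(endpoint) >= limit:
            raise BindingLimitExceeded(f"{endpoint}: limit of {limit} bindings reached")
        if external is None:
            if not self.free_ports:
                raise PortExhausted(f"{self.public_ip}: external port pool exhausted")
            external = (self.public_ip, self.free_ports.pop(0))
        else:
            ip, port = external
            if ip != self.public_ip or port not in self.free_ports:
                raise ValueError(f"requested external {ip}:{port} is not available")
            self.free_ports.remove(port)
        binding = Binding(endpoint, internal, external)
        self.bindings[internal] = binding
        return binding


def shared_fate_demo(limit: Optional[int]) -> Tuple[int, bool]:
    """Two endpoints share one public address; "bad" opens flows until refused.

    Returns (bindings obtained by "bad", whether "good" could still get one).
    Without a limit "bad" drains the whole pool and "good" is denied service;
    with a per-endpoint limit the damage stops at the limit.
    """
    nat = Napt("198.51.100.1", range(1024, 1040))  # 16 external ports (constructed)
    if limit is not None:
        nat.set_max_bindings("bad", limit)
        nat.set_max_bindings("good", limit)
    obtained = 0
    for src_port in range(40000, 40100):  # far more flows than the pool can hold
        try:
            nat.allocate("bad", ("192.168.1.10", src_port))
            obtained += 1
        except (BindingLimitExceeded, PortExhausted):
            break
    try:
        nat.allocate("good", ("192.168.2.10", 50000))
        good_served = True
    except (BindingLimitExceeded, PortExhausted):
        good_served = False
    return obtained, good_served


if __name__ == "__main__":
    print("no limit :", shared_fate_demo(None))  # (16, False)
    print("limit 8  :", shared_fate_demo(8))     # (8, True)
```

Without a limit the misbehaving endpoint takes all 16 external ports and the second endpoint is denied a binding; with a limit of 8 the second endpoint is still served. A real NAT device has to enforce the limit on bindings created implicitly by data-plane traffic as well, not only on bindings requested over the control channel, otherwise the protection the text describes is easily bypassed.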

With the above capabilities, DNCA qualifies as a Middlebox Communications (MIDCOM) protocol [RFC3303], [RFC3304], [RFC5189] for middleboxes that perform NAT. The MIDCOM protocol evaluation [RFC4097] evaluated Diameter as a candidate protocol for MIDCOM. DNCA provides the extensions to the Diameter base protocol [RFC6733] following the MIDCOM protocol requirements, such as the support of NAT-specific rule transport, support for oddity of mapped ports, as well as support for consecutive range port numbers. DNCA adds to the MIDCOM protocol capabilities in that it allows the maintenance of the reference to an endpoint representing a user or subscriber in the control operation, enabling the control of the behavior of a NAT device on a per-endpoint basis. Following the requirements of different operators and deployments, different management protocols are employed; examples include the Simple Network Management Protocol (SNMP) [RFC3411] and Network Configuration (NETCONF) [RFC6241], which can both be used for device configuration. Similarly, DNCA complements existing MIDCOM implementations, offering a MIDCOM protocol option for operators whose operational environment is Diameter focused and who desire the use of Diameter to perform per-endpoint NAT control. Note that in case an operator uses multiple methods and protocols to configure a NAT device, such as the command line interface (CLI), SNMP, NETCONF, or the Port Control Protocol (PCP), along with the DNCA specified in this document, the operator MUST ensure that the configurations performed using the different methods and protocols do not conflict, in order to ensure proper operation of the NAT service.

This document is structured as follows: Section 2 lists terminology, while Section 3 provides an introduction to DNCA and its overall deployment framework. Sections 4 to 9 cover DNCA specifics, with Section 4 describing session management, Section 5 the use of the Diameter base protocol, Section 6 the new commands, Section 7 the session state machine, Section 8 the Attribute Value Pairs (AVPs) used, and Section 9 accounting aspects. Section 10 presents AVP occurrence tables. IANA and security considerations are addressed in Sections 11 and 12, respectively.

2. Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

Abbreviations and terminology used in this document:

AAA: Authentication, Authorization, Accounting

DNCA: Diameter Network address and port translation Control Application

Endpoint: Managed entity of the DNCA. An endpoint represents a network element or device, associated with a subscriber, a user, or a group of users. An endpoint is represented by a single access-session on a NAS. DNCA assumes a 1:1 relationship between an endpoint, the access-session it represents, and the associated DNCA session.

NAPT: Network Address and Port Translation, see also [RFC3022].

NAT: Network Address Translation (NAT and NAPT are used in this document interchangeably)

NAT-binding or binding: Association of two IP address/port pairs (with one IP address typically being private and the other one public) to facilitate NAT

NAT-binding predefined template: A policy template or configuration that is predefined at the NAT device. It may contain NAT-bindings, IP address pools for allocating the external IP address of a NAT-binding, the maximum number of allowed NAT-bindings for endpoints, etc.

NAT device: Network Address Translator or Network Address and Port Translator: An entity performing NAT or NAPT.

NAT controller: Entity controlling the behavior of a NAT device.

NAS: Network Access Server

NCR: NAT-Control-Request

NCA: NAT-Control-Answer

NAT44: IPv4-to-IPv4 NAPT, see [RFC2663]

NAT64: IPv6-to-IPv4 address family translation, see [RFC6145] and [RFC6146]

PPP: Point-to-Point Protocol [RFC1661]

3. Deployment Framework

3.1. Deployment Scenario

Figure 1 shows a typical network deployment for IPv4 Internet access. A user's IPv4 host (i.e., endpoint) gains access to the Internet through a NAS, which facilitates the authentication of the endpoint and configures the endpoint's connection according to the authorization and configuration data received from the AAA-server upon successful authentication. Public IPv4 addresses are used throughout the network. DNCA manages an endpoint that represents a network element, a device, or an IPv4 host associated with a subscriber, a user, or a group of users. An endpoint is represented by a single access-session on a NAS. DNCA assumes a 1:1:1 relationship between an endpoint, the access-session it represents, and the associated DNCA session.

                         +---------+
                         |         |
                         |   AAA   |
                         |         |
                         +---------+
                              |
                              |
                              |
                              |
    +---------+          +---------+             +----------+
    |  IPv4   |          |         |             |  IPv4    |
    |  Host   |----------|   NAS   |-------------| Internet |
    |         |          |         |             |          |
    +---------+          +---------+             +----------+
        
    <-------------------- Public IPv4 ---------------------->

Figure 1: Typical Network Deployment for Internet Access

Figure 2 depicts the deployment scenario where a service provider places a NAT between the host and the public Internet. The objective is to provide the customer with connectivity to the public IPv4 Internet. The NAT device translates network addresses and ports (and, optionally, the address family) to public IPv4 addresses, depending on whether the access network uses private IPv4 addresses or public IPv6 addresses. Note that there may be more than one NAS, NAT device, or AAA-entity in a deployment, although the figures only depict one of each for clarity.

If the NAT device were put in place without any endpoint awareness, the service offerings of the service provider could be impacted as detailed in [CGN-REQS]. This includes cases like the following:

o Provisioning static NAT-bindings for particular endpoints

o Using different public IP address pools for different sets of endpoints (for example, residential or business customers)

o Reporting allocated bindings on a per-endpoint basis

o Integrating control of the NAT device into the already existing per-endpoint management infrastructure of the service provider

                   +---------+
                   |         |
                   |   AAA   |
                   |         |
                   +---------+
                        |
                        |
                        |
                        |
     +--------+    +---------+    +--------+    +----------+
     |  IPv4  |----|         |----|  NAT-  |----| IPv4     |
     |  Host  |    |   NAS   |    | device |    | Internet |
     |        |    |         |    |        |    |          |
     +--------+    +---------+    +--------+    +----------+
        

   For NAT44 deployments (IPv4 host):
        <----- Private IPv4 ----------><--- Public IPv4 --->

   For NAT64 deployments (IPv6 host):
        <----- Public  IPv6 ----------><--- Public IPv4 --->

Figure 2: Access Network Deployment with NAT

Figure 2 shows a typical deployment for IPv4 Internet access involving a NAT device within the service provider network. The figure describes two scenarios: one where an IPv4 host (with a private IPv4 address) accesses the IPv4 Internet, as well as one where an IPv6-host accesses the IPv4 Internet.

3.2. Diameter NAPT Control Application Overview

DNCA runs between two DNCA Diameter peers. One DNCA Diameter peer resides within the NAT device, the other DNCA Diameter peer resides within a NAT controller (discussed in Section 3.3). DNCA allows per-endpoint control and management of NAT within the NAT device. Based on Diameter, DNCA integrates well with the suite of Diameter applications deployed for per-endpoint authentication, authorization, accounting, and policy control in service provider networks.

DNCA offers:

o Request and answer commands to control the allowed number of NAT-bindings per endpoint, to request the allocation of specific bindings for an endpoint, to define the address pool to be used for an endpoint.

o Per-endpoint reporting of the allocated NAT-bindings.

o Unique identification of an endpoint on a NAT device, AAA-server, and NAS to simplify correlation of accounting data streams.

DNCA allows controlling the behavior of a NAT device on a per-endpoint basis during initial session establishment and at later stages by providing an update procedure for already established sessions. Using DNCA, per-endpoint NAT-binding information can be retrieved using either accounting mechanisms or an explicit session query to the NAT.

3.3. Deployment Scenarios for DNCA

DNCA can be deployed in different ways. DNCA supports deployments with "n" NAT controllers and "m" NAT devices, with n and m equal to or greater than 1. From a DNCA perspective, an operator should ensure that the session representing a particular endpoint is atomic. Any deployment MUST ensure that, for any given endpoint, only a single DNCA NAT controller is active at any point in time. This ensures that NAT devices controlled by multiple NAT controllers neither receive conflicting control requests for a particular endpoint nor are unclear about which NAT controller to send accounting information to. Operational considerations MAY require an operator to use alternate control mechanisms or protocols such as SNMP or manual configuration via a CLI to apply per-endpoint NAT-specific configuration, for example, static NAT-bindings. For these cases, the NAT device MUST allow the operator to configure a policy on how configuration conflicts are resolved. Such a policy could specify, for example, that manually configured NAT-bindings using the CLI always take precedence over those configured using DNCA.

Two common deployment scenarios are outlined in Figure 3 ("Integrated Deployment") and Figure 4 ("Autonomous Deployment"). Per the note above, multiple instances of NAT controllers and NAT devices could be deployed. The figures only show single instances for reasons of clarity. The two shown scenarios differ in which entity fulfills the role of the NAT controller. Within the figures, (C) denotes the network element performing the role of the NAT controller.

The integrated deployment approach hides the existence of the NAT device from external servers, such as the AAA-server. It is suited for environments where minimal changes to the existing AAA deployment are desired. The NAS and the NAT device are Diameter peers supporting the DNCA. The Diameter peer within the NAS, performing the role of the NAT controller, initiates and manages sessions with the NAT device, exchanges NAT-specific configuration information, and handles reporting and accounting information. The NAS receives reporting and accounting information from the NAT device. With this information, the NAS can provide a single accounting record for the endpoint. A system correlating the accounting information received from the NAS and NAT device would not be needed.

An example network attachment for an integrated NAT deployment can be described as follows: an endpoint connects to the network, with the NAS being the point of attachment. After successful authentication, the NAS receives endpoint-related authorization data from the AAA-server. A portion of the authorization data applies to per-endpoint configuration on the NAS itself, another portion describes authorization and configuration information for NAT control aimed at the NAT device. The NAS initiates a DNCA session to the NAT device and sends relevant authorization and configuration information for the particular endpoint to the NAT device. This can comprise NAT-bindings, which have to be pre-established for the endpoint, or management-related configuration, such as the maximum number of NAT-bindings allowed for the endpoint. The NAT device sends its per-endpoint accounting information to the NAS, which aggregates the accounting information received from the NAT device with its local accounting information for the endpoint into a single accounting stream towards the AAA-server.

                   +---------+
                   |         |
                   |   AAA   |
                   |         |
                   +---------+
                        |
                        |
                        |
     +--------+    +---------+    +--------+    +----------+
     |        |    |   (C)   |    |        |    |          |
     |  Host  |----|   NAS   |----|  NAT-  |----| IPv4     |
     |        |    |         |    | device |    | Internet |
     +--------+    +---------+    +--------+    +----------+
        
   For NAT44 deployments (IPv4 host):
        <----- Private IPv4 ----------><--- Public IPv4 --->
        
   For NAT64 deployments (IPv6 host):
        <----- Public  IPv6 ----------><--- Public IPv4 --->
        

Figure 3: NAT Control Deployment: Integrated Deployment

Figure 3 shows examples of integrated deployments. It illustrates two scenarios: one where an IPv4 host (with a private IPv4 address) accesses the IPv4 Internet and another where an IPv6 host accesses the IPv4 Internet.

The autonomous deployment approach decouples endpoint management on the NAS and NAT device. In the autonomous deployment approach, the AAA-system and the NAT device are the Diameter peers running the DNCA. The AAA-system also serves as NAT controller. It manages the connection to the NAT device, controls the per-endpoint configuration, and receives accounting and reporting information from the NAT device. Different from the integrated deployment scenario, the autonomous deployment scenario does not "hide" the existence of the NAT device from the AAA infrastructure. Here, two accounting streams are received by the AAA-server for one particular endpoint: one from the NAS and one from the NAT device.

                   +---------+
                   |   (C)   |
                   |   AAA   |---------
                   |         |         |
                   +---------+         |
                        |              |
                        |              |
                        |              |
     +--------+    +---------+    +---------+    +----------+
     |  IPv4/ |    |         |    |         |    |  IPv4    |
     |  IPv6  |----|   NAS   |----|  NAT-   |----| Internet |
     |  Host  |    |         |    | device  |    |          |
     +--------+    +---------+    +---------+    +----------+
        
   For NAT44 deployments (IPv4 host):
        <----- Private IPv4 ----------><--- Public IPv4 --->
        
   For NAT64 deployments (IPv6 host):
        <----- Public  IPv6 ----------><--- Public IPv4 --->
        

Figure 4: NAT Control Deployment: Autonomous Deployment

Figure 4 shows examples of autonomous deployments. It illustrates two scenarios: one where an IPv4 host (with a private IPv4 address) accesses the IPv4 Internet and another where an IPv6 host accesses the IPv4 Internet.

4. DNCA Session Establishment and Management

Note that from this section on, there are references to some of the commands and AVPs defined for DNCA. Please refer to Sections 6 and 8 for details. DNCA runs between a Diameter peer residing in a NAT controller and a Diameter peer residing in a NAT device. Note that, per what was already mentioned above, each DNCA session between Diameter peers in a NAT controller and a NAT device represents a single endpoint, with an endpoint being either a network element, a device, or an IPv4 host associated with a subscriber, a user, or a group of users. The Diameter peer within the NAT controller is always the control-requesting entity: it initiates, updates, or terminates the sessions. Sessions are initiated when the NAT controller learns about a new endpoint (i.e., host) that requires a NAT service. This could be due to, for example, the entity hosting the NAT controller receiving authentication, authorization, or accounting requests for or from the endpoint. Alternate methods that could trigger session setup include local configuration, receipt of a packet from a formerly unknown IP address, etc.

4.1. Session Establishment

The DNCA Diameter peer within the NAT controller establishes a session with the DNCA Diameter peer within the NAT device to control the behavior of the NAT function within the NAT device. During session establishment, the DNCA Diameter peer within the NAT controller passes along configuration information to the DNCA Diameter peer within the NAT device. The session configuration information comprises the maximum number of bindings allowed for the endpoint associated with this session, a set of predefined NAT-bindings to be established for this endpoint, or a description of the address pool, from which external addresses are to be allocated.

The DNCA Diameter peer within the NAT controller generates a NAT-Control-Request (NCR) message to the DNCA Diameter peer within the NAT device with the NC-Request-Type AVP set to INITIAL_REQUEST to initiate a Diameter NAT control session. On receipt of an NCR, the DNCA Diameter peer within the NAT device sets up a new session for the endpoint associated with the endpoint classifier(s) contained in the NCR. The DNCA Diameter peer within the NAT device notifies its DNCA Diameter peer within the NAT controller about successful session setup using a NAT-Control-Answer (NCA) message with the Result-Code set to DIAMETER_SUCCESS. Figure 5 shows the initial protocol interaction between the two DNCA Diameter peers.

The initial NAT-Control-Request MAY contain configuration information for the session, which specifies the behavior of the NAT device for the session. The configuration information that MAY be included comprises:

o A list of NAT-bindings, which should be pre-allocated for the session; for example, in case an endpoint requires a fixed external IP address/port pair for an application.

o The maximum number of NAT-bindings allowed for an endpoint.

o A description of the external IP address pool(s) to be used for the session.

o A reference to a NAT-binding Predefined template on the NAT device, which is applied to the session. Such a NAT-binding Predefined template on the NAT device may contain, for example, the name of the IP address pool from which external IP addresses should be allocated, the maximum number of bindings permitted for the endpoint, etc.

In certain cases, the NAT device may not be able to perform the tasks requested within the NCR. These include the following:

o If a DNCA Diameter peer within the NAT device receives an NCR from a DNCA Diameter peer within a NAT controller with the NC-Request-Type AVP set to INITIAL_REQUEST that identifies an already existing session, that is, the endpoint identifier matches an already existing session, the DNCA Diameter peer within the NAT device MUST return an NCA with the Result-Code set to SESSION_EXISTS and provide the Session-Id of the existing session in the Duplicate-Session-Id AVP.

o If a DNCA Diameter peer within the NAT device receives an NCR from a DNCA Diameter peer within a NAT controller with the NC-Request-Type AVP set to INITIAL_REQUEST that matches more than one of the already existing sessions, that is, the DNCA Diameter peer and endpoint identifier match already existing sessions, the DNCA Diameter peer within the NAT device MUST return an NCA with the Result-Code set to INSUFFICIENT_CLASSIFIERS. In case a DNCA Diameter peer receives an NCA that reports INSUFFICIENT_CLASSIFIERS, it MAY choose to retry establishing a new session using additional or more specific classifiers.

o If the NCR contains a NAT-binding Predefined template not defined on the NAT device, the DNCA Diameter peer within the NAT device MUST return an NCA with the Result-Code AVP set to UNKNOWN_BINDING_TEMPLATE_NAME.

o In case the NAT device is unable to establish all of the bindings requested in the NCR, the DNCA Diameter peer MUST return an NCA with the Result-Code set to BINDING_FAILURE. A DNCA Diameter peer within a NAT device MUST treat an NCR as an atomic operation; hence, none of the requested bindings will be established by the NAT device. Either all requested actions within an NCR MUST be completed successfully or the entire request fails.

o If a NAT device cannot conform to a request to set the maximum number of NAT-bindings allowed for a session, the DNCA Diameter peer in the NAT device MUST return an NCA with the Result-Code AVP set to MAX_BINDINGS_SET_FAILURE. Such a condition can, for example, occur if the operator specified the maximum number of NAT-bindings through another mechanism, which, per the operator's policy, takes precedence over DNCA.

o If a NAT device does not have sufficient resources to process a request, the DNCA Diameter peer MUST return an NCA with the Result-Code set to RESOURCE_FAILURE.

o In the case where Max-NAT-Bindings, NAT-Control-Definition, and NAT-Control-Binding-Template are included in the NCR, and the values in Max-NAT-Bindings and NAT-Control-Definition contradict those specified in the pre-provisioned template on the NAT device that NAT-Control-Binding-Template references, Max-NAT-Bindings and NAT-Control-Definition MUST override the values specified in the template to which NAT-Control-Binding-Template refers.

   NAT controller (DNCA Diameter peer)   NAT device (DNCA Diameter peer)
               |                                           |
               |                                           |
               |                                           |
            Trigger                                        |
               |                                           |
               |                   NCR                     |
               |------------------------------------------>|
               |                                           |
               |                                           |
               |                                           |
               |                                           |
               |                                 If able to comply
               |                                 with request, then
               |                                 create session state
               |                                           |
               |                                           |
               |                     NCA                   |
               |<------------------------------------------|
               |                                           |
               |                                           |
        

Figure 5: Initial NAT-Control-Request and Session Establishment

Note: The DNCA Diameter peer within the NAT device creates session state only if it is able to comply with the NCR. On success, it will reply with an NCA with the Result-Code set to DIAMETER_SUCCESS.

4.2. Session Update

A session update is performed if the NAT controller desires to change the behavior of the NAT device for an existing session. A session update could be used, for example, to change the number of allowed bindings for a particular session or establish or remove a predefined binding.

The DNCA Diameter peer within the NAT controller generates an NCR message to the DNCA Diameter peer within the NAT device with the NC-Request-Type AVP set to UPDATE_REQUEST upon receiving a trigger signal. If the session is updated successfully, the DNCA Diameter peer within the NAT device notifies the DNCA Diameter peer within the NAT controller about the successful session update using a NAT-Control-Answer (NCA) message with the Result-Code set to DIAMETER_SUCCESS. Figure 6 shows the protocol interaction between the two DNCA Diameter peers.

In certain cases, the NAT device may not be able to perform the tasks requested within the NCR. These include the following:

o If a DNCA Diameter peer within a NAT device receives an NCR update or query request for a non-existent session, it MUST set the Result-Code in the answer to DIAMETER_UNKNOWN_SESSION_ID.

o If the NCR contains a NAT-binding Predefined template not defined on the NAT device, an NCA with the Result-Code AVP set to UNKNOWN_BINDING_TEMPLATE_NAME MUST be returned.

o If the NAT device cannot establish the requested binding because the maximum number of allowed bindings has been reached for the endpoint classifier, an NCA with the Result-Code AVP set to MAXIMUM_BINDINGS_REACHED_FOR_ENDPOINT MUST be returned to the DNCA Diameter peer.

o If the NAT device cannot establish some or all of the bindings requested in an NCR, but has not yet reached the maximum number of allowed bindings for the endpoint, an NCA with the Result-Code set to BINDING_FAILURE MUST be returned. As already noted, the DNCA Diameter peer in a NAT device MUST treat an NCR as an atomic operation. Hence, none of the requested bindings will be established by the NAT device in case of failure. Actions requested within an NCR are either all successful or all fail.

o If the NAT device cannot conform to a request to set the maximum number of bindings allowed for a session as specified by the Max-NAT-Bindings, the DNCA Diameter peer in the NAT device MUST return an NCA with the Result-Code AVP set to MAX_BINDINGS_SET_FAILURE.

o If the NAT device does not have sufficient resources to process a request, an NCA with the Result-Code set to RESOURCE_FAILURE MUST be returned.

o If an NCR changes the maximum number of NAT-bindings allowed for the endpoint defined through an earlier NCR, the new value MUST override any previously defined limit on the maximum number of NAT-bindings set through the DNCA. Note that, prior to overwriting an existing value, the NAT device MUST check whether the overwrite action conforms to the locally configured policy. Depending on the deployment, an existing value could have been set by a protocol or mechanism other than DNCA and with higher priority, in which case the NAT device will refuse the change and the DNCA Diameter peer in the NAT device MUST return an NCA with the Result-Code AVP set to MAX_BINDINGS_SET_FAILURE. How the NAT device copes with a new value that is lower than the actual number of allocated bindings depends on the implementation of the NAT device. The NAT device SHOULD refrain from enforcing the new limit immediately (that is, from actively removing bindings) and instead disallow the establishment of new bindings until the current number of bindings is lower than the newly established maximum number of allowed bindings.

o If an NCR specifies a new NAT-binding Predefined template on the NAT device, the NAT-binding Predefined template overrides any previously defined rule for the session. Existing NAT-bindings SHOULD NOT be impacted by the change of templates.

o In case Max-NAT-Bindings, NAT-Control-Definition, and NAT-Control-Binding-Template are included in the NCR, and the values in Max-NAT-Bindings and NAT-Control-Definition contradict those specified in the pre-provisioned template on the NAT device that NAT-Control-Binding-Template references, Max-NAT-Bindings and NAT-Control-Definition MUST override the values specified in the template to which the NAT-Control-Binding-Template refers.

Note: Already established bindings for the session SHOULD NOT be affected in case the tasks requested within the NCR cannot be completed.

   NAT controller (DNCA Diameter peer)   NAT device (DNCA Diameter peer)
               |                                           |
               |                                           |
               |                                           |
        Change of session                                  |
           attributes                                      |
               |                                           |
               |                   NCR                     |
               |------------------------------------------>|
               |                                           |
               |                                           |
               |                                   If able to comply
               |                                   with the request:
               |                                  update session state
               |                                           |
               |                                           |
               |                     NCA                   |
               |<------------------------------------------|
               |                                           |
        

Figure 6: NAT-Control-Request for Session Update

4.3. Session and Binding Query

A session and NAT-binding query MAY be used by the DNCA Diameter peer within the NAT controller either to retrieve information on the current bindings for a particular session at the NAT device or to discover the session identifier for a particular external IP address/port pair.

A DNCA Diameter peer within the NAT controller starts a session query by sending an NCR message with NC-Request-Type AVP set to QUERY_REQUEST. Figure 7 shows the protocol interaction between the DNCA Diameter peers.

Two types of query requests exist. The first type of query request uses the Session-Id as the input parameter to the query. It allows the DNCA Diameter peer within the NAT controller to retrieve the current set of bindings for a specific session. The second type of query request is used to retrieve the session identifiers, along with the associated bindings, that match a criterion. This enables the DNCA Diameter peer within the NAT controller to find those sessions that utilize a specific external or internal IP address.

存在两种类型的查询请求。第一种类型的查询请求使用会话Id作为查询的输入参数。它允许NAT控制器内的DNCA Diameter对等方检索特定会话的当前绑定集。第二种类型的查询请求用于检索会话标识符以及与条件匹配的关联绑定。这使NAT控制器内的DNCA Diameter对等方能够找到利用特定外部或内部IP地址的会话。

1. Request a list of currently allocated NAT-bindings for a particular session: On receiving an NCR, the NAT device SHOULD look up the session information for the Session-Id contained in the NCR and report all currently active NAT-bindings for the session using an NCA message with the Result-Code set to DIAMETER_SUCCESS. In this case, the NCR MUST NOT contain a NAT-Control-Definition AVP. Each NAT-binding is reported in a NAT-Control-Definition AVP. In case the Session-Id is unknown, the DNCA Diameter peer within the NAT device MUST return an NCA message with the Result-Code set to DIAMETER_UNKNOWN_SESSION_ID.

2. Retrieve Session-Ids and bindings for internal IP address or one or multiple external IP address/port pairs: If the DNCA Diameter peer within the NAT controller wishes to retrieve the Session-Id(s) for an internal IP address or one or multiple external IP address/port pairs, it MUST include the internal IP address as part of the Framed-IP-Address AVP or external IP address/port pair(s) as part of the NAT-External-Address AVP of the NCR. The external IP address/port pair(s) are known in advance by the controller via configuration, AAA interactions, or other means. The Session-Id is not included in the NCR or the NCA for this type of a query. The DNCA Diameter peer within the NAT device SHOULD report the NAT-bindings and associated Session-Ids corresponding to the internal IP address or external IP address/ port pairs in an NCA message using one or multiple instances of the NAT-Control-Definition AVP. The Result-Code is set to DIAMETER_SUCCESS. In case an external IP address/port pair has no associated existing NAT-binding, the NAT-Control-Definition AVP contained in the reply just contains the NAT-External-Address AVP.

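The two query types and their three answer shapes (bindings for a known Session-Id, DIAMETER_UNKNOWN_SESSION_ID for an unknown one, and per-address results with an empty NAT-Control-Definition for an external pair that has no binding) are shown below as an added example in Python. This is not code from RFC 6736 or from any DNCA implementation: the NatDevice and Binding classes, the dict-shaped NCR and NCA messages, and the sessions in SAMPLE_DEVICE are assumptions constructed for illustration; a real peer carries these values in Diameter AVPs.

```python
"""NAT-device side of a DNCA session and binding query (RFC 6736, Section 4.3).

Added example, not code from RFC 6736 or any DNCA implementation. NatDevice,
Binding, definition() and the dict-shaped NCR/NCA messages are assumptions for
illustration (a real peer carries these values in Diameter AVPs), and the
sessions in SAMPLE_DEVICE are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DIAMETER_SUCCESS = 2001              # Result-Code values from RFC 6733
DIAMETER_UNKNOWN_SESSION_ID = 5002


@dataclass(frozen=True)
class Binding:
    internal: tuple[str, int]   # endpoint side (Framed-IP-Address, port)
    external: tuple[str, int]   # NAT-External-Address side (IP, port)


def definition(binding: Binding, session_id: str | None = None) -> dict:
    """One NAT-Control-Definition AVP, modelled as a dict."""
    avp = {"Framed-IP-Address": binding.internal,
           "NAT-External-Address": binding.external}
    if session_id is not None:
        avp["Session-Id"] = session_id
    return avp


@dataclass
class NatDevice:
    # Session-Id -> currently active NAT-bindings of that session
    sessions: dict[str, list[Binding]] = field(default_factory=dict)

    def handle_query(self, ncr: dict) -> dict:
        """Answer an NCR whose NC-Request-Type is QUERY_REQUEST with an NCA."""
        if ncr.get("NC-Request-Type") != "QUERY_REQUEST":
            raise ValueError("not a QUERY_REQUEST")
        if "Session-Id" in ncr:
            return self._query_by_session(ncr)
        return self._query_by_address(ncr)

    def _query_by_session(self, ncr: dict) -> dict:
        # Query type 1: the Session-Id selects the session. The NCR MUST NOT
        # carry a NAT-Control-Definition AVP; rejecting one as malformed is an
        # implementation choice, the RFC does not prescribe the answer.
        if "NAT-Control-Definition" in ncr:
            raise ValueError("NAT-Control-Definition not allowed in a Session-Id query")
        sid = ncr["Session-Id"]
        bindings = self.sessions.get(sid)
        if bindings is None:
            return {"Session-Id": sid, "Result-Code": DIAMETER_UNKNOWN_SESSION_ID}
        return {"Session-Id": sid, "Result-Code": DIAMETER_SUCCESS,
                "NAT-Control-Definition": [definition(b) for b in bindings]}

    def _query_by_address(self, ncr: dict) -> dict:
        # Query type 2: match on an internal IP address and/or external
        # address/port pairs. No Session-Id at the top level of the NCA; the
        # matching Session-Ids travel inside each NAT-Control-Definition.
        defs = []
        internal_ip = ncr.get("Framed-IP-Address")
        if internal_ip is not None:
            defs.extend(definition(b, sid) for sid, bindings in self.sessions.items()
                        for b in bindings if b.internal[0] == internal_ip)
        by_external = {b.external: (sid, b) for sid, bindings in self.sessions.items()
                       for b in bindings}
        for ext in ncr.get("NAT-External-Address", []):
            if ext in by_external:
                sid, b = by_external[ext]
                defs.append(definition(b, sid))
            else:   # no binding for this pair: reply carries only the external address
                defs.append({"NAT-External-Address": ext})
        return {"Result-Code": DIAMETER_SUCCESS, "NAT-Control-Definition": defs}


# Constructed sample state (not captured from a real device)
SAMPLE_DEVICE = NatDevice(sessions={
    "nas1.example.com;1356257400;1": [
        Binding(("10.0.0.5", 40000), ("203.0.113.7", 5000)),
        Binding(("10.0.0.5", 40001), ("203.0.113.7", 5001)),
    ],
    "nas1.example.com;1356257400;2": [
        Binding(("10.0.0.9", 53000), ("203.0.113.7", 5002)),
    ],
})


def demo() -> tuple[dict, dict, dict]:
    """The three outcomes of Section 4.3, run against SAMPLE_DEVICE."""
    query = {"NC-Request-Type": "QUERY_REQUEST"}
    by_session = SAMPLE_DEVICE.handle_query(
        {**query, "Session-Id": "nas1.example.com;1356257400;1"})
    unknown = SAMPLE_DEVICE.handle_query(
        {**query, "Session-Id": "nas1.example.com;1356257400;99"})
    by_address = SAMPLE_DEVICE.handle_query(
        {**query, "NAT-External-Address": [("203.0.113.7", 5002),
                                          ("203.0.113.7", 5999)]})
    return by_session, unknown, by_address
```

Calling demo() returns the NCA for each case; the second element of the by_address result is the "external address only" NAT-Control-Definition that the text prescribes for a pair without a binding, and the query by Framed-IP-Address returns one definition per binding of every session using that internal address, each carrying its Session-Id.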

   NAT controller (DNCA Diameter peer)   NAT device (DNCA Diameter peer)
               |                                           |
               |                                           |
               |                                           |
     DNCA Session Established                              |
               |                                           |
               |                   NCR                     |
               |------------------------------------------>|
               |                                           |
               |                                           |
               |                                           |
               |                                           |
               |                          Look up corresponding session
               |                            and associated NAT-bindings
               |                                           |
               |                   NCA                     |
               |<------------------------------------------|
               |                                           |
               |                                           |
               |                                           |
        

Figure 7: Session Query


4.4. Session Termination

Similar to session initiation, session tear down MUST be initiated by the DNCA Diameter peer within the NAT controller. The DNCA Diameter peer sends a Session-Termination-Request (STR) message to its peer within the NAT device upon receiving a trigger signal. The source of the trigger signal is outside the scope of this document. As part of STR-message processing, the DNCA Diameter peer within the NAT device MAY send an accounting stop record reporting all bindings. All the NAT-bindings belonging to the session MUST be removed, and the session state MUST be cleaned up. The DNCA Diameter peer within the NAT device MUST notify its DNCA Diameter peer in the NAT controller about successful session termination using a Session-Termination-Answer (STA) message with Result-Code set to DIAMETER_SUCCESS. Figure 8 shows the protocol interaction between the two DNCA Diameter peers.


If a DNCA Diameter peer within a NAT device receives an STR and fails to find a matching session, the DNCA Diameter peer MUST return an STA with the Result-Code set to DIAMETER_UNKNOWN_SESSION_ID.


   NAT controller (DNCA Diameter peer)   NAT device (DNCA Diameter peer)
               |                                            |
               |                                            |
            Trigger                                         |
               |                                            |
               |                   STR                      |
               |------------------------------------------->|
               |                                            |
               |                                            |
               |                                            |
               |                                            |
               |                                            |
               |           Send accounting stop             |
               |<-------------------------------------------|
               |       reporting all session bindings       |
               |                                            |
               |                                            |
               |                                  Remove NAT-bindings
               |                                       of session
               |                                            |
               |                                  Terminate session /
               |                                 Remove session state
               |                                            |
               |                                            |
               |                                            |
               |                  STA                       |
               |<-------------------------------------------|
               |                                            |
               |                                            |
        

Figure 8: Terminate NAT Control Session


4.5. Session Abort

An Abort-Session-Request (ASR) message is sent from the DNCA Diameter peer within the NAT device to the DNCA Diameter peer within the NAT controller when it is unable to maintain a session due to resource limitations. The DNCA Diameter peer within the NAT controller MUST acknowledge a successful session abort using an Abort-Session-Answer (ASA) message with the Result-Code set to DIAMETER_SUCCESS. Figure 9 shows the protocol interaction between the DNCA Diameter peers. The DNCA Diameter peers will start a session termination procedure as described in Section 4.4 following an ASA with the Result-Code set to DIAMETER_SUCCESS.


If the DNCA Diameter peer within a NAT controller receives an ASR but fails to find a matching session, it MUST return an ASA with the Result-Code set to DIAMETER_UNKNOWN_SESSION_ID. If the DNCA Diameter peer within the NAT controller is unable to comply with the ASR for any other reason, an ASA with the Result-Code set to DIAMETER_UNABLE_TO_COMPLY MUST be returned.

   NAT controller (DNCA Diameter peer)   NAT device (DNCA Diameter peer)
               |                                            |
               |                                            |
               |                                         Trigger
               |                                            |
               |                   ASR                      |
               |<-------------------------------------------|
               |                                            |
               |                                            |
               |                                            |
               |                  ASA                       |
               |------------------------------------------->|
               |                                            |
               |                                            |
               |                                            |
               |           On successful ASA                |
               |<------Session Termination Procedure------->|
        

Figure 9: Abort NAT Control Session


4.6. Failure Cases of the DNCA Diameter Peers

This document does not specify the behavior in case the NAT device and NAT controller, or their respective DNCA Diameter peers, are out of sync or lose state. This could happen, for example, if one of the entities restarts, in case of a (temporary) loss of network connectivity, etc. Example failure cases include the following:


o NAT controller and the DNCA Diameter peer within the NAT controller lose state (e.g., due to a restart). In this case:


* the DNCA Diameter peer within the NAT device MAY receive an NCR with the NC-Request-Type AVP set to INITIAL_REQUEST that matches an existing session of the DNCA Diameter peer within the NAT device. The DNCA Diameter peer within the NAT device MUST return an NCA whose Result-Code reports the existing session (SESSION_EXISTS) and that contains a Duplicate-Session-Id AVP carrying the Session-Id of the existing session. The DNCA Diameter peer within the NAT controller MAY then send an explicit Session-Termination-Request (STR) for the older session, whose state it lost.

* a DNCA Diameter peer MAY receive accounting records for a session that does not exist. The DNCA Diameter peer sends an accounting answer with the Result-Code set to DIAMETER_UNKNOWN_SESSION_ID in response. On receiving this answer, the DNCA Diameter peer that sent the accounting records SHOULD clear the session and remove the associated session state.

o The NAT device and the DNCA Diameter peer within the NAT device lose state. In such a case, the DNCA Diameter peer MAY receive an NCR with the NC-Request-Type AVP set to UPDATE_REQUEST for a non-existent session. The DNCA Diameter peer MUST return an NCA with the Result-Code set to DIAMETER_UNKNOWN_SESSION_ID. When a DNCA application within a NAT controller receives this NCA with the Result-Code set to DIAMETER_UNKNOWN_SESSION_ID, it MAY try to re-establish the DNCA session or disconnect the corresponding access session.

o The DNCA Diameter peer within the NAT controller is unreachable. This is detected, for example, through Diameter Device-Watchdog messages (as defined in Section 5.5 of [RFC6733]) or because accounting requests from the DNCA Diameter peer within the NAT device fail to get a response. In this case, NAT-bindings and NAT device state pertaining to that session MUST be cleaned up after a grace period that is configurable on the NAT device. The grace period can be configured as zero or higher, depending on operator preference.

o The DNCA Diameter peer within the NAT device is unreachable or down and the NCR fails to get a response. Handling of this case depends on the actual service offering of the service provider. The service provider could, for example, choose to stop offering connectivity service.


o A discussion of the mechanisms used for a NAT device to clean up state in case the DNCA Diameter peer within the NAT device crashes is outside the scope of this document. Implementers of NAT devices could choose from a variety of options such as coupling the state (e.g., NAT-bindings) to timers that require periodic refresh, or time out otherwise, operating system watchdogs for applications, etc.


5. Use of the Diameter Base Protocol

The Diameter base protocol [RFC6733] applies with the clarifications listed in the present specification.


5.1. Securing Diameter Messages

For secure transport of Diameter messages, the recommendations in [RFC6733] apply.


DNCA Diameter peers SHOULD verify their identity during the Capabilities Exchange Request procedure.


A DNCA Diameter peer within the NAT device SHOULD verify that a DNCA Diameter peer that issues an NCR command is allowed to do so based on:

   o  The identity of the DNCA Diameter peer

   o  The type of NCR Command

   o  The content of the NCR Command

   o  Any combination of the above
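The following is an added example in Python of such an authorization check at the NAT device, combining all three criteria; it is not code from the RFC or from any DNCA implementation. The RFC leaves the policy itself to the operator, so the rule format (AuthzRule), the prefix-based content check on Framed-IP-Address and the peers nas1.example.com and aaa.example.com are assumptions. The one point the RFC's wording implies but does not spell out is made explicit here: the Origin-Host AVP inside an NCR is only a claim, so it is compared against the DiameterIdentity that was verified for the transport connection during the Capabilities Exchange before any rule is consulted.

```python
"""Authorizing an NCR at the DNCA Diameter peer within a NAT device
(RFC 6736, Section 5.1).

Added example, not code from the RFC. The RFC says only that the peer SHOULD
check the issuing peer's identity, the NCR type, the NCR content, or any
combination; the rule format (AuthzRule), the prefix-based content check and
the sample peers nas1.example.com / aaa.example.com are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthzRule:
    origin_host: str          # DiameterIdentity of the controller-side peer
    request_types: frozenset  # NC-Request-Type values this peer may send
    internal_prefixes: tuple  # Framed-IP-Address ranges it may control


# Constructed policy: the NAS may install/update/query for its own pool,
# the AAA server may only query.
RULES = {rule.origin_host: rule for rule in (
    AuthzRule("nas1.example.com",
              frozenset({"INITIAL_REQUEST", "UPDATE_REQUEST", "QUERY_REQUEST"}),
              ("10.0.0.0/16",)),
    AuthzRule("aaa.example.com", frozenset({"QUERY_REQUEST"}), ("10.0.0.0/8",)),
)}


def authorize_ncr(ncr: dict, transport_identity: str, rules: dict = RULES) -> tuple:
    """Return (allowed, reason).

    transport_identity is the DiameterIdentity the NAT device verified for
    this connection during the Capabilities Exchange; the Origin-Host AVP in
    the NCR is only a claim and must match it before any rule is consulted.
    """
    origin = ncr.get("Origin-Host")
    if origin != transport_identity:
        return False, f"Origin-Host {origin!r} does not match verified peer {transport_identity!r}"
    rule = rules.get(origin)
    if rule is None:
        return False, f"no rule for peer {origin!r}"
    rtype = ncr.get("NC-Request-Type")
    if rtype not in rule.request_types:
        return False, f"{rtype} not permitted for {origin}"
    ip = ncr.get("Framed-IP-Address")
    if ip is not None:
        addr = ipaddress.ip_address(ip)
        if not any(addr in ipaddress.ip_network(p) for p in rule.internal_prefixes):
            return False, f"{ip} is outside the prefixes delegated to {origin}"
    return True, "authorized"


def demo() -> dict:
    """Four constructed NCRs: one allowed, three denied for different reasons."""
    nas_initial = {"Origin-Host": "nas1.example.com", "NC-Request-Type": "INITIAL_REQUEST",
                   "Framed-IP-Address": "10.0.5.7"}
    return {
        "nas1_initial": authorize_ncr(nas_initial, "nas1.example.com"),
        "aaa_initial": authorize_ncr({**nas_initial, "Origin-Host": "aaa.example.com"},
                                     "aaa.example.com"),
        "nas1_wrong_prefix": authorize_ncr({**nas_initial, "NC-Request-Type": "UPDATE_REQUEST",
                                            "Framed-IP-Address": "10.1.0.3"}, "nas1.example.com"),
        # Origin-Host claims to be the NAS, but the transport peer is someone else
        "spoofed_origin": authorize_ncr(nas_initial, "rogue.example.com"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The denial reasons are returned rather than logged so that the NAT device can map them onto the Result-Code and Error-Message AVPs of the NCA it sends back; which Result-Code to use for a rejected NCR is not fixed by this section.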

5.2. Accounting Functionality

Accounting functionality (the accounting session state machine, related Command Codes and AVPs) is defined in Section 9.


5.3. Use of Sessions

Each DNCA session MUST have a globally unique Session-Id, as defined in [RFC6733], which MUST NOT be changed during the lifetime of the DNCA session. The Diameter Session-Id serves as the global endpoint identifier. The DNCA Diameter peers maintain state associated with the Session-Id. This globally unique Session-Id is used for updating, accounting, and terminating the session. A DNCA session MUST NOT have more than one outstanding request at any given time. A DNCA Diameter peer sends an Abort-Session-Request as defined in [RFC6733] if it is unable to maintain sessions due to resource limitation.


5.4. Routing Considerations

It is assumed that the DNCA Diameter peer within a NAT controller knows the DiameterIdentity of the Diameter peer within a NAT device for a given endpoint. Both the Destination-Realm and Destination-Host AVPs are present in the request from a DNCA Diameter peer within a NAT controller to a DNCA Diameter peer within a NAT device.


5.5. Advertising Application Support

Diameter nodes conforming to this specification MUST advertise support for DNCA by including the value of 12 in the Auth-Application-Id of the Capabilities-Exchange-Request and Capabilities-Exchange-Answer commands [RFC6733].


6. DNCA Commands

The following commands are used to establish, maintain, and query NAT-bindings.


6.1. NAT-Control-Request (NCR) Command

The NAT-Control-Request (NCR) command, indicated by the Command Code field set to 330 and the 'R' bit set in the Command Flags field, is sent from the DNCA Diameter peer within the NAT controller to the DNCA Diameter peer within the NAT device in order to install NAT-bindings.

User-Name, Logical-Access-Id, Physical-Access-ID, Framed-IP-Address, Framed-IPv6-Prefix, Framed-Interface-Id, EGRESS-VLANID, NAS-Port-ID, Address-Realm, and Calling-Station-ID AVPs serve as identifiers for the endpoint.


   Message format:
      < NC-Request > ::= < Diameter Header: 330, REQ, PXY>
                       { Auth-Application-Id }
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Destination-Host }
                       { NC-Request-Type }
                       [ Session-Id ]
                       [ Origin-State-Id ]
                    *1 [ NAT-Control-Remove ]
                    *1 [ NAT-Control-Install ]
                       [ NAT-External-Address ]
                       [ User-Name ]
                       [ Logical-Access-Id ]
                       [ Physical-Access-ID ]
                       [ Framed-IP-Address ]
                       [ Framed-IPv6-Prefix ]
                       [ Framed-Interface-Id ]
                       [ EGRESS-VLANID]
                       [ NAS-Port-ID]
                       [ Address-Realm ]
                       [ Calling-Station-ID ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]
        
6.2. NAT-Control-Answer (NCA) Command

The NAT-Control-Answer (NCA) command, indicated by the Command Code field set to 330 and the 'R' bit cleared in the Command Flags field, is sent by the DNCA Diameter peer within the NAT device in response to the NAT-Control-Request command.


   Message format:
      <NC-Answer> ::= < Diameter Header: 330, PXY >
                      { Origin-Host }
                      { Origin-Realm }
                      { Result-Code }
                      [ Session-Id ]
                      [ NC-Request-Type ]
                    * [ NAT-Control-Definition ]
                      [ Current-NAT-Bindings ]
                      [ Origin-State-Id ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                    * [ Proxy-Info ]
                      [ Duplicate-Session-Id ]
                    * [ Redirect-Host]
                      [ Redirect-Host-Usage ]
                      [ Redirect-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ Route-Record ]
                    * [ Failed-AVP ]
                    * [ AVP ]
        
7. NAT Control Application Session State Machine

This section contains a set of finite state machines, representing the life cycle of a DNCA session, which MUST be observed by all implementations of the DNCA Diameter application. The DNCA Diameter peers are stateful and the state machine maintained is similar to the stateful client and server authorization state machine described in [RFC6733]. When a session is moved to the Idle state, any resources that were allocated for the particular session must be released. Any event not listed in the state machines MUST be considered an error condition, and an answer, if applicable, MUST be returned to the originator of the message.


In the state table, the event "Failure to send NCR" means that the DNCA Diameter peer within the NAT controller is unable to send the NCR command to the desired destination. This could be due to the peer being down or due to the peer sending back the transient failure or temporary protocol error notification DIAMETER_TOO_BUSY or DIAMETER_LOOP_DETECTED in the Result-Code AVP of an NCA.

In the state table, "FAILED NCA" means that the DNCA Diameter peer within the NAT device was not able to honor the corresponding NCR. This can happen due to any transient or permanent error at the NAT device or its associated DNCA Diameter peer, indicated by one of the following error Result-Code values: RESOURCE_FAILURE, UNKNOWN_BINDING_TEMPLATE_NAME, MAX_BINDINGS_SET_FAILURE, BINDING_FAILURE, MAXIMUM_BINDINGS_REACHED_FOR_ENDPOINT, SESSION_EXISTS, INSUFFICIENT_CLASSIFIERS.

The following state machine is observed by a DNCA Diameter peer within a NAT controller. The state machine description uses the term "access session" to describe the connectivity service offered to the endpoint or host. "Access session" should not be confused with the Diameter session.


             DNCA Diameter peer within a NAT controller
      State     Event                          Action     New State
      -------------------------------------------------------------
      Idle      New endpoint detected that     Send       Pending
                requires NAT control           NCR
                                               Initial
                                               Request

      Idle      ASR received                   Send ASA   Idle
                for unknown session            with
                                               Result-Code
                                               = UNKNOWN_
                                               SESSION_ID

      Pending   Successful NCA                 Setup      Open
                received                       complete

      Pending   Successful NCA                 Send STR   Discon
                received, but peer
                unable to provide
                service

      Pending   Error processing successful    Send STR   Discon
                NCA

      Pending   Failed                         Clean up   Idle
                NCA received

      Open      NAT control                    Send       Open
                update required                NCR
                                               update
                                               request

      Open      Successful                                Open
                NCA received

      Open      Failed                         Clean up   Idle
                NCA received

      Open      Access session end detected    Send STR   Discon

      Open      ASR received,                  Send ASA   Discon
                access session will be         with
                terminated                     Result-Code
                                               = SUCCESS,
                                               Send STR

      Open      ASR received,                  Send ASA   Open
                access session will not        with
                be terminated                  Result-Code
                                               != SUCCESS

      Discon    ASR Received                   Send ASA   Idle

      Discon    STA Received                   Discon.    Idle
                                               endpoint


The following state machine is observed by a DNCA Diameter peer within a NAT device.


             DNCA Diameter peer within a NAT device
      State     Event                          Action     New State
      -------------------------------------------------------------
      Idle      NCR query request              Send       Idle
                received, and                  successful
                able to provide requested      NCA
                NAT-binding report

      Idle      NCR received                   Send       Open
                and able to                    successful
                provide requested              NCA
                NAT control service

      Idle      NCR request                    Send       Idle
                received, and                  failed
                unable to provide requested    NCA
                NAT control service

      Open      NCR request                    Send       Open
                received, and                  successful
                able to provide requested      NCA
                NAT control service

      Open      NCR request                    Send       Idle
                received, and                  failed
                unable to provide requested    NCA,
                NAT control service            Clean up

      Open      Unable to continue             Send ASR   Discon
                providing requested
                NAT control service

      Open      Unplanned loss of session/     Clean up   Idle
                connection to DNCA Diameter
                peer in NAT controller detected
                (e.g., due to Diameter watchdog
                notification)

      Discon    Failure to send ASR            Wait,      Discon
                                               resend ASR

      Discon    ASR successfully sent and      Clean up   Idle
                ASA received with Result-Code

      Not       ASA received                   None       No change
      Discon

      Any       STR received                   Send STA,  Idle
                                               Clean up
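The NAT-device state machine above, as an added example that is not part of RFC 6736 or of any implementation: the table transcribed as data, plus a driver that resolves the "Not Discon" and "Any" rows with the right precedence. The event names are my own shorthand for the Event column.

```python
# Transition table for the DNCA peer inside a NAT device, transcribed from the
# RFC 6736 table above.  Key: (state, event); value: (action, new state).
# "!Discon" stands for the table's "Not Discon" row, "*" for "Any",
# and a new state of None for "No change".
NAT_DEVICE_FSM = {
    ("Idle",    "NCR_QUERY_OK"):        ("Send successful NCA", "Idle"),
    ("Idle",    "NCR_OK"):              ("Send successful NCA", "Open"),
    ("Idle",    "NCR_FAILED"):          ("Send failed NCA", "Idle"),
    ("Open",    "NCR_OK"):              ("Send successful NCA", "Open"),
    ("Open",    "NCR_FAILED"):          ("Send failed NCA, Clean up", "Idle"),
    ("Open",    "SERVICE_UNAVAILABLE"): ("Send ASR", "Discon"),
    ("Open",    "PEER_LOST"):           ("Clean up", "Idle"),
    ("Discon",  "ASR_SEND_FAILED"):     ("Wait, resend ASR", "Discon"),
    ("Discon",  "ASA_RECEIVED"):        ("Clean up", "Idle"),
    ("!Discon", "ASA_RECEIVED"):        ("None", None),
    ("*",       "STR_RECEIVED"):        ("Send STA, Clean up", "Idle"),
}


class NatDevicePeer:
    """One DNCA session as seen by the DNCA Diameter peer within the NAT device."""

    def __init__(self):
        self.state = "Idle"
        self.actions = []   # actions taken so far, in order

    def _lookup(self, event):
        # Most specific row wins: the exact state, then "Not Discon"
        # (only when we are not in Discon), then "Any".
        candidates = [(self.state, event)]
        if self.state != "Discon":
            candidates.append(("!Discon", event))
        candidates.append(("*", event))
        for key in candidates:
            if key in NAT_DEVICE_FSM:
                return NAT_DEVICE_FSM[key]
        return None

    def handle(self, event):
        row = self._lookup(event)
        if row is None:
            # The table defines no row for this pair; a deployment would
            # log and drop the event rather than abort the session.
            raise ValueError(f"no transition for {event} in state {self.state}")
        action, new_state = row
        self.actions.append(action)
        if new_state is not None:
            self.state = new_state
        return action


def run_events(events):
    """Drive a fresh peer through events; return (final state, actions taken)."""
    peer = NatDevicePeer()
    for event in events:
        peer.handle(event)
    return peer.state, peer.actions
```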

8. DNCA AVPs

8.1. Reused Base Protocol AVPs

The following table describes the AVPs reused from the Diameter base protocol [RFC6733]; their AVP Code values, types, and possible flag values; and whether the AVP MAY be encrypted. [RFC6733] specifies the AVP Flag rules for AVPs in Section 4.5. The Diameter AVP rules are defined in [RFC6733], Section 4.

                                                   +---------+
                                                   |  AVP    |
                                                   |  Flag   |
                                                   |  rules  |
   +-----------------------------------------------|-----+---+---------+
   |                           AVP                 |     |   |         |
   | Attribute Name            Code     Data Type  |MUST |MAY|   Encr  |
   +-----------------------------------------------+-----+---+---------+
   |Acct-Interim-Interval      85       Unsigned32 | M   | P |    Y    |
   |Auth-Application-Id        258      Unsigned32 | M   | P |    N    |
   |Destination-Host           293      DiamIdent  | M   | P |    N    |
   |Destination-Realm          283      DiamIdent  | M   | P |    N    |
   |Error-Message              281      UTF8String | M   | P |    N    |
   |Error-Reporting-Host       294      DiamIdent  | M   | P |    N    |
   |Failed-AVP                 279      Grouped    | M   | P |    N    |
   |Origin-Host                264      DiamIdent  | M   | P |    N    |
   |Origin-Realm               296      DiamIdent  | M   | P |    N    |
   |Origin-State-Id            278      Unsigned32 | M   | P |    N    |
   |Proxy-Info                 284      Grouped    | M   | P |    N    |
   |Result-Code                268      Unsigned32 | M   | P |    N    |
   |Route-Record               282      DiamIdent  | M   |   |    N    |
   |Session-Id                 263      UTF8String | M   | P |    Y    |
   |User-Name                  1        UTF8String | M   | P |    Y    |
   +-----------------------------------------------+-----+---+---------+
   Table 1: DIAMETER AVPs from the Diameter Base Protocol
        

The Auth-Application-Id AVP (AVP Code 258) is assigned by IANA to Diameter applications. The value of the Auth-Application-Id for the Diameter NAT Control Application is 12. Please refer to [RFC6733] for the definition of the Diameter AVP flag rules and the associated abbreviations used in the table.

8.2. Additional Result-Code AVP Values

This section defines new values for the Result-Code AVP that SHALL be supported by all Diameter implementations that conform to the present document.

8.2.1. Success

No new Result-Code AVP value is defined within this category.

8.2.2. Transient Failures

Result-Code AVP values that fall within the transient failures category are those used to inform a peer that the request could not be satisfied at the time that it was received. The request may be able to be satisfied in the future.

The following new values of the Result-Code AVP are defined:

RESOURCE_FAILURE (4014)

The DNCA Diameter peer within the NAT device indicates that the binding could not be installed or a new session could not be created due to resource shortage.

8.2.3. Permanent Failures

The Result-Code AVP values that fall within the permanent failures category are used to inform the peer that the request failed and should not be attempted again. The request may be able to be satisfied in the future.

The following new values of the Result-Code AVP are defined:

UNKNOWN_BINDING_TEMPLATE_NAME (5042)

The DNCA Diameter peer within the NAT device indicates that the binding could not be installed or a new session could not be created because the specified NAT-Control-Binding-Template AVP, which refers to a predefined policy template in the NAT device, is unknown.

BINDING_FAILURE (5043)

The DNCA Diameter peer within the NAT device indicates that the requested binding(s) could not be installed, for example, because the requested ports are already in use.

MAX_BINDINGS_SET_FAILURE (5044)

The DNCA Diameter peer within the NAT device indicates that it failed to conform to a request to configure the maximum number of bindings for a session. For example, an operator defined the maximum number of bindings on the NAT device using a method or protocol that takes precedence over DNCA.

MAXIMUM_BINDINGS_REACHED_FOR_ENDPOINT (5045)

The DNCA Diameter peer within the NAT device denies the request because the maximum number of allowed bindings has been reached for the specified endpoint classifier.

SESSION_EXISTS (5046)

The DNCA Diameter peer within the NAT device denies a request to initialize a new session if it already has a DNCA session that uses the same set of classifiers as indicated by the DNCA Diameter peer within the NAT controller in the new session initialization request.

INSUFFICIENT_CLASSIFIERS (5047)

The DNCA Diameter peer within the NAT device denies a request to initialize a new session if the classifiers in the request match more than one of the existing sessions on the DNCA Diameter peer within the NAT device.

8.3. Reused NASREQ Diameter Application AVPs

   The following table describes the AVPs reused from the Diameter
   Network Access Server Application [RFC4005]; their AVP Code values,
   types, and possible flag values; and whether the AVP MAY be
   encrypted.  [RFC6733] specifies the AVP Flag rules for AVPs in
   Section 4.5.  The Diameter AVP rules are defined in [RFC6733],
   Section 4.
                                          +---------------------+
                                          |    AVP Flag Rules   |
   +------------------+------+------------|----+-----+----+-----|----+
   |                  | AVP  |            |    |     |SHLD| MUST|    |
   | Attribute Name   | Code |  Value Type|MUST| MAY | NOT|  NOT|Encr|
   |------------------|------|------------|----+-----+----+-----|----|
   | NAS-Port         |   5  | Unsigned32 | M  |  P  |    |  V  | Y  |
   | NAS-Port-Id      |  87  | UTF8String | M  |  P  |    |  V  | Y  |
   | Calling-Station- |  31  | UTF8String | M  |  P  |    |  V  | Y  |
   |   Id             |      |            |    |     |    |     |    |
   | Framed-IP-Address|   8  | OctetString| M  |  P  |    |  V  | Y  |
   | Framed-Interface-|  96  | Unsigned64 | M  |  P  |    |  V  | Y  |
   |   Id             |      |            |    |     |    |     |    |
   | Framed-IPv6-     |  97  | OctetString| M  |  P  |    |  V  | Y  |
   |  Prefix          |      |            |    |     |    |     |    |
   +------------------+------+------------|----+-----+----+-----|----+
   Table 2: Reused NASREQ Diameter application AVPs.  Please refer to
   [RFC6733] for the definition of the Diameter AVP Flag rules and the
   associated abbreviations used in the table.
        
8.4. Reused AVPs from RFC 4675
   The following table describes the AVPs reused from "RADIUS Attributes
   for Virtual LAN and Priority Support" [RFC4675]; their AVP Code
   values, types, and possible flag values; and whether the AVP MAY be
   encrypted.  [RFC6733] specifies the AVP Flag rules for AVPs in
   Section 4.5.  The Diameter AVP rules are defined in [RFC6733],
   Section 4.
                                          +---------------------+
                                          |    AVP Flag Rules   |
   +------------------+------+------------|----+-----+----+-----|----+
   |                  | AVP  |            |    |     |SHLD| MUST|    |
   | Attribute Name   | Code |  Value Type|MUST| MAY | NOT|  NOT|Encr|
   |------------------|------|------------|----+-----+----+-----|----|
   | Egress-VLANID    |  56  | OctetString| M  |  P  |    |  V  | Y  |
   +------------------+------+------------|----+-----+----+-----|----+
   Table 3: Reused attributes from [RFC4675].  Please refer to [RFC6733]
   for the definition of the Diameter AVP Flag rules and the associated
   abbreviations used in the table.
        
8.5. Reused AVPs from Diameter QoS Application
   The following table describes the AVPs reused from the "Traffic
   Classification and Quality of Service (QoS) Attributes for Diameter"
   [RFC5777]; their AVP Code values, types, and possible flag values;
   and whether the AVP MAY be encrypted.  [RFC6733] specifies the AVP
   Flag rules for AVPs in Section 4.5.  The Diameter AVP rules are
   defined in [RFC6733], Section 4.
                                                   +---------+
                                                   |  AVP    |
                                                   |  Flag   |
                                                   |  Rules  |
   +-----------------------------------------------|-----+---+---------+
   |                           AVP                 |     |   |         |
   | Attribute Name            Code     Data Type  |MUST |MAY|   Encr  |
   +-----------------------------------------------+-----+---+---------+
   |Port                       530     Integer32   |  M  | P |    Y    |
   |Protocol                   513     Enumerated  |  M  | P |    Y    |
   |Direction                  514     Enumerated  |  M  | P |    Y    |
   +-----------------------------------------------+-----+---+---------+
        

Table 4: Reused QoS-attributes. Please refer to [RFC6733] for the definition of the Diameter AVP Flag rules and the associated abbreviations used in the table.

8.6. Reused AVPs from ETSI ES 283 034, e4 Diameter Application

The following table describes the AVPs reused from the Diameter e4 Application [ETSIES283034]; their AVP Code values, types, and possible flag values; and whether the AVP MAY be encrypted. [RFC6733] specifies the AVP Flag rules for AVPs in Section 4.5. The Diameter AVP rules are defined in [RFC6733], Section 4. The Vendor-ID field in these AVP headers will be set to ETSI (13019).

                                                   +---------+
                                                   |  AVP    |
                                                   |  Flag   |
                                                   |  Rules  |
   +-----------------------------------------------|-----+---+---------+
   |                           AVP                 |     |   |         |
   | Attribute Name            Code     Data Type  |MUST |MAY|   Encr  |
   +-----------------------------------------------+-----+---+---------+
   |Address-Realm              301     OctetString | M,V |   |    Y    |
   |Logical-Access-Id          302     OctetString |   V | M |    Y    |
   |Physical-Access-ID         313     UTF8String  |   V | M |    Y    |
   +-----------------------------------------------+-----+---+---------+
        

Table 5: Reused AVPs from the Diameter e4 application. Please refer to [RFC6733] for the definition of the Diameter AVP Flag rules and the associated abbreviations used in the table.

8.7. DNCA-Defined AVPs

The following table describes the new Diameter AVPs defined in this document; their AVP Code values, types, and possible flag values; and whether the AVP MAY be encrypted. [RFC6733] specifies the AVP Flag rules for AVPs in Section 4.5. The Diameter AVP rules are defined in [RFC6733], Section 4. The AVPs defined here MUST NOT have the 'V' bit in the AVP Flags field set.

                                                      +---------+
                                                      |  AVP    |
                                                      |  Flag   |
                                                      |  Rules  |
   +--------------------------------------------------|-----+---+------+
   |                       AVP                        |     |   |      |
   | Attribute Name        Code    Sect.   Data Type  |MUST |MAY| Encr |
   +--------------------------------------------------+-----+---+------+
   |NC-Request-Type        595     8.7.1   Enumerated | M   | P |  Y   |
   |NAT-Control-Install    596     8.7.2   Grouped    | M   | P |  Y   |
   |NAT-Control-Remove     597     8.7.3   Grouped    | M   | P |  Y   |
   |NAT-Control-Definition 598     8.7.4   Grouped    | M   | P |  Y   |
   |NAT-Internal-Address   599     8.7.5   Grouped    | M   | P |  Y   |
   |NAT-External-Address   600     8.7.6   Grouped    | M   | P |  Y   |
   |Max-NAT-Bindings       601     8.7.7   Unsigned32 | M   | P |  Y   |
   |NAT-Control-           602     8.7.8   OctetString| M   | P |  Y   |
   | Binding-Template                                 |     |   |      |
   |Duplicate-             603     8.7.9   UTF8String | M   | P |  Y   |
   | Session-Id                                       |     |   |      |
   |NAT-External-Port-     604     8.7.10  Enumerated | M   | P |  Y   |
   | Style                                            |     |   |      |
   |NAT-Control-Record     605     9.2.1   Grouped    | M   | P |  Y   |
   |NAT-Control-           606     9.2.2   Enumerated | M   | P |  Y   |
   | Binding-Status                                   |     |   |      |
   |Current-NAT-Bindings   607     9.2.3   Unsigned32 | M   | P |  Y   |
   +--------------------------------------------------+-----+---+------+
        

Table 6: New Diameter AVPs. Please refer to [RFC6733] for the definition of the Diameter AVP Flag rules and the associated abbreviations used in the table.

8.7.1. NC-Request-Type AVP

The NC-Request-Type AVP (AVP Code 595) is of type Enumerated and contains the reason for sending the NAT-Control-Request command. It shall be present in all NAT-Control-Request messages.

The following values are defined:

INITIAL_REQUEST (1)

An Initial Request is used to initiate a Diameter NAT control session between the DNCA Diameter peers.

UPDATE_REQUEST (2)

An Update Request is used to update bindings previously installed on a given access session, to add a new binding on a given access session, or to remove one or several binding(s) activated on a given access session.

QUERY_REQUEST (3)

A Query Request is used to query a NAT device about the currently installed bindings for an endpoint classifier.

8.7.2. NAT-Control-Install AVP

The NAT-Control-Install AVP (AVP code 596) is of type Grouped, and it is used to activate or install NAT-bindings. It also contains Max-NAT-Bindings that defines the maximum number of NAT-bindings allowed for an endpoint and the NAT-Control-Binding-Template that references a predefined template on the NAT device that may contain static binding, a maximum number of bindings allowed, an IP address pool from which external binding addresses should be allocated, etc. If the NAT-External-Port-Style AVP is present, then the NAT device MUST select the external ports for the NAT-bindings, per the style specified. The NAT-External-Port-Style is applicable for NAT-bindings defined by the NAT-Control-Definition AVPs whose NAT-External-Address or Port AVPs within the NAT-External-Address are unspecified.

   AVP format:
     NAT-Control-Install ::= < AVP Header: 596 >
                              * [ NAT-Control-Definition ]
                                [ NAT-Control-Binding-Template ]
                                [ Max-NAT-Bindings ]
                                [ NAT-External-Port-Style ]
                              * [ AVP ]
        
8.7.3. NAT-Control-Remove AVP

The NAT-Control-Remove AVP (AVP code 597) is of type Grouped, and it is used to deactivate or remove NAT-bindings. At least one of the two AVPs (NAT-Control-Definition AVP or NAT-Control-Binding-Template AVP) SHOULD be present in the NAT-Control-Remove AVP.

   AVP format:
     NAT-Control-Remove ::= < AVP Header: 597 >
                             * [ NAT-Control-Definition ]
                               [ NAT-Control-Binding-Template ]
                             * [ AVP ]
        
8.7.4. NAT-Control-Definition AVP

The NAT-Control-Definition AVP (AVP code 598) is of type Grouped, and it describes a binding.

The NAT-Control-Definition AVP uniquely identifies the binding between the DNCA Diameter peers.

If both the NAT-Internal-Address and NAT-External-Address AVP(s) are supplied, it is a predefined binding.

If the NAT-External-Address AVP is not specified, then the NAT device MUST select the external port as per the NAT-External-Port-Style AVP, if present in the NAT-Control-Definition AVP.

The Protocol AVP describes the transport protocol for the binding. The NAT-Control-Definition AVP can contain either zero or one Protocol AVP. If the Protocol AVP is omitted and if both internal and external IP addresses are specified, then the binding reserves the IP addresses for all transport protocols.

The Direction AVP is of type Enumerated. It specifies the direction for the binding. The values of the enumeration applicable in this context are "IN" and "OUT". If the Direction AVP is "OUT" or absent, the NAT-Internal-Address refers to the IP address of the endpoint that needs to be translated. If the Direction AVP is "IN", the NAT-Internal-Address is the destination IP address that has to be translated.

   AVP format:
     NAT-Control-Definition ::= < AVP Header: 598 >
                                 { NAT-Internal-Address }
                                 [ Protocol ]
                                 [ Direction ]
                                 [ NAT-External-Address ]
                                 [ Session-Id ]
                               * [ AVP ]
        
8.7.5. NAT-Internal-Address AVP

The NAT-Internal-Address AVP (AVP code 599) is of type Grouped. It describes the internal IP address and port for a binding. The Framed-IPv6-Prefix and Framed-IP-Address AVPs are mutually exclusive. The endpoint identifier (Framed-IP-Address or Framed-IPv6-Prefix) and the internal address in this NAT-Internal-Address AVP used to install NAT-bindings for the session MUST match.

   AVP format:
     NAT-Internal-Address ::= < AVP Header: 599 >
                               [ Framed-IP-Address ]
                               [ Framed-IPv6-Prefix ]
                               [ Port ]
                             * [ AVP ]
        
8.7.6. NAT-External-Address AVP

The NAT-External-Address AVP (AVP code 600) is of type Grouped, and it describes the external IP address and port for a binding. The external IP address specified in this attribute can be reused for multiple endpoints by specifying the same address in the respective NAT-External-Address AVPs. If the external IP address is not specified and the NAT-External-Port-Style AVP is specified in the NAT-Control-Definition AVP, then the NAT device MUST select an external port as per the NAT-External-Port-Style AVP.

   AVP format:
     NAT-External-Address ::= < AVP Header: 600 >
                               [ Framed-IP-Address ]
                               [ Port ]
                             * [ AVP ]
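The two rules stated for NAT-Internal-Address (Framed-IP-Address and Framed-IPv6-Prefix are mutually exclusive; the internal address MUST match the session's endpoint identifier) are the kind of check a NAT device should run before installing a binding from an NCR. The following is an added example, not code from RFC 6736 or from any DNCA implementation; the dictionary layout used for the grouped AVPs, the function name and the sample addresses are assumptions constructed for this example. An IPv6 internal prefix is taken to match when it lies within the session's Framed-IPv6-Prefix.

```python
# Added example (not part of RFC 6736): validate a NAT-Internal-Address
# grouped AVP against the endpoint identifier of the DNCA session.
# The dict layout and sample values are constructed for this example.
import ipaddress
from typing import Any, Dict, List


def validate_internal_address(session: Dict[str, str],
                              internal: Dict[str, Any]) -> List[str]:
    """session holds the endpoint identifier AVPs of the NCR (Framed-IP-Address
    or Framed-IPv6-Prefix); internal is the NAT-Internal-Address grouped AVP.
    Returns the violations found; an empty list means the binding may be installed."""
    v4 = internal.get("Framed-IP-Address")
    v6 = internal.get("Framed-IPv6-Prefix")
    # Framed-IP-Address and Framed-IPv6-Prefix are mutually exclusive: exactly one.
    if (v4 is None) == (v6 is None):
        return ["NAT-Internal-Address needs exactly one of "
                "Framed-IP-Address / Framed-IPv6-Prefix"]
    errors: List[str] = []
    port = internal.get("Port")
    if port is not None and not 0 <= int(port) <= 65535:
        errors.append(f"Port {port} is out of range")
    if v4 is not None:
        # IPv4 case: the internal address must equal the session's Framed-IP-Address.
        endpoint = session.get("Framed-IP-Address")
        if endpoint is None or ipaddress.IPv4Address(v4) != ipaddress.IPv4Address(endpoint):
            errors.append(f"internal address {v4} does not match endpoint identifier {endpoint}")
    else:
        # IPv6 case: the internal prefix must lie within the session's Framed-IPv6-Prefix
        # (assumption made for this example).
        endpoint = session.get("Framed-IPv6-Prefix")
        if endpoint is None:
            errors.append("session has no Framed-IPv6-Prefix to match against")
        else:
            inner = ipaddress.IPv6Network(v6, strict=False)
            outer = ipaddress.IPv6Network(endpoint, strict=False)
            if not inner.subnet_of(outer):
                errors.append(f"internal prefix {v6} is not within endpoint prefix {endpoint}")
    return errors
```

A NAT device that finds the list non-empty should reject the NAT-Control-Install rather than install a binding for an address the session does not own.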
        
8.7.7. Max-NAT-Bindings

The Max-NAT-Bindings AVP (AVP code 601) is of type Unsigned32. It indicates the maximum number of NAT-bindings allowed for a particular endpoint.

8.7.8. NAT-Control-Binding-Template AVP

The NAT-Control-Binding-Template AVP (AVP code 602) is of type OctetString. It defines a name for a policy template that is predefined at the NAT device. Details on the contents and structure of the template and configuration are outside the scope of this document. The policy to which this AVP refers may contain NAT-bindings, an IP address pool for allocating the external IP address of a NAT-binding, and a maximum number of allowed NAT-bindings. Such a policy template can be reused by specifying the same NAT-Control-Binding-Template AVP in the corresponding NAT-Control-Install AVPs of multiple endpoints.

8.7.9. Duplicate-Session-Id AVP

The Duplicate-Session-Id AVP (AVP Code 603) is of type UTF8String. It is used to report errors and contains the Session-Id of an existing session.

8.7.10. NAT-External-Port-Style AVP

The NAT-External-Port-Style AVP (AVP Code 604) is of type Enumerated and contains the style to be followed while selecting the external port for a NAT-binding relative to the internal port.

The following values are defined:

FOLLOW_INTERNAL_PORT_STYLE (1)

External port numbers selected MUST follow the same sequence and oddity as the internal ports of the NAT-bindings. The port oddity is required to support protocols like RTP and RTCP as defined in [RFC3550]. If for example the internal port in a requested NAT-binding is odd numbered, then the external port allocated MUST also be odd numbered, and vice versa for an even numbered port. In addition, the sequence of port numbering is maintained: if internal ports are consecutive, then the NAT device MUST choose consecutive external ports for the NAT-bindings.
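The FOLLOW_INTERNAL_PORT_STYLE rule is easy to state and easy to get wrong in an allocator: both the oddity of each port and the consecutiveness of runs have to survive the mapping, or an RTP/RTCP pair ends up split across non-adjacent external ports. The following is an added example, not code from RFC 6736 or from any NAT implementation: a Python allocator that groups the requested internal ports into runs of consecutive numbers and maps each run onto a free run of external ports of the same length that starts on a port of the same parity. It goes beyond the single RTP/RTCP case in the text by handling runs of any length. The function names, the external port range and the free-port pool are assumptions constructed for the example.

```python
# Added example (not part of RFC 6736): an external-port allocator that
# honours NAT-External-Port-Style = FOLLOW_INTERNAL_PORT_STYLE (1).
# Port range and free pool below are constructed sample data.
from typing import Dict, List, Optional, Set


def consecutive_runs(ports: List[int]) -> List[List[int]]:
    """Split a list of distinct internal ports into ascending runs of
    consecutive values, e.g. [3, 1, 2, 10] -> [[1, 2, 3], [10]]."""
    runs: List[List[int]] = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][-1] + 1:
            runs[-1].append(p)
        else:
            runs.append([p])
    return runs


def find_free_run(free: Set[int], length: int, parity: int,
                  lo: int = 1024, hi: int = 65535) -> Optional[int]:
    """Lowest external port p in [lo, hi] with p % 2 == parity such that
    p, p+1, ..., p+length-1 are all free.  None if no such run exists."""
    for p in range(lo, hi - length + 2):
        if p % 2 != parity:
            continue
        if all((p + i) in free for i in range(length)):
            return p
    return None


def allocate_external_ports(internal_ports: List[int],
                            free_external: Set[int]) -> Dict[int, int]:
    """Return a mapping internal_port -> external_port that preserves both
    sequence (consecutive internal ports get consecutive external ports) and
    oddity (odd -> odd, even -> even).  Allocated ports are removed from
    free_external.  Raises RuntimeError when no conforming run is available,
    so the caller can answer the NCR with a failure instead of a wrong binding."""
    mapping: Dict[int, int] = {}
    for run in consecutive_runs(internal_ports):
        start = find_free_run(free_external, len(run), run[0] % 2)
        if start is None:
            raise RuntimeError(f"no conforming external port run for {run}")
        for i, internal in enumerate(run):
            mapping[internal] = start + i
            free_external.discard(start + i)
    return mapping
```

Because a run starts on a port of matching parity and is contiguous, every port inside the run automatically keeps its oddity; the allocator therefore only has to check the first port of each run.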

9. Accounting Commands

The DNCA reuses session-based accounting as defined in the Diameter base protocol [RFC6733] to report the bindings per endpoint. This reporting is achieved by sending Diameter Accounting-Request (ACR) commands [Start, Interim, and Stop] from the DNCA Diameter peer within the NAT device to its associated DNCA Diameter peer within the NAT controller.

The DNCA Diameter peer within the NAT device sends an ACR Start on receiving an NCR with NC-Request-Type AVP set to INITIAL_REQUEST for a session or on creation of the first binding for a session requested in an earlier NCR. DNCA may send ACR Interim updates, if required, either due to a change in bindings resulting from an NCR with NC-Request-Type AVP set to UPDATE_REQUEST, periodically as specified in Acct-Interim-Interval by the DNCA Diameter peer within the NAT controller, or when it creates or tears down bindings. An ACR Stop is sent by the DNCA Diameter peer within the NAT device on receiving an STR message.

The function of correlating the multiple bindings used by an endpoint at any given time is relegated to the post processor.

The DNCA Diameter peer within the NAT device may trigger an Interim accounting record when the maximum number of bindings, if received in an NCR, is reached.

9.1. NAT Control Accounting Messages

The ACR and ACA messages are reused as defined in the Diameter base protocol [RFC6733] for exchanging endpoint NAT-binding details between the DNCA Diameter peers. The DNCA Application ID is used in the accounting commands. The ACR contains one or more optional NAT-Control-Record AVPs to report the bindings. The NAT device indicates the number of allocated NAT-bindings to the NAT controller using the Current-NAT-Bindings AVP. This number needs to match the number of bindings identified as active within the NAT-Control-Record AVP.

9.2. NAT Control Accounting AVPs

In addition to AVPs for ACR specified in [RFC6733], the DNCA Diameter peer within the NAT device must add the NAT-Control-Record AVP.

9.2.1. NAT-Control-Record

The NAT-Control-Record AVP (AVP code 605) is of type Grouped. It describes a binding and its status. If NAT-Control-Binding-Status is set to Created, Event-Timestamp indicates the binding creation time. If NAT-Control-Binding-Status is set to Removed, Event-Timestamp indicates the binding removal time. If NAT-Control-Binding-Status is Active, Event-Timestamp need not be present; if a value is present, it indicates that the binding is active at the given time.

   AVP format:
     NAT-Control-Record ::= < AVP Header: 605 >
                            { NAT-Control-Definition }
                            { NAT-Control-Binding-Status }
                            [ Event-Timestamp ]
        
9.2.2. NAT-Control-Binding-Status

The NAT-Control-Binding-Status AVP (AVP code 606) is of type Enumerated. It indicates the status of the binding: Created, Active, or Removed.

The following values are defined:

Created (1)

NAT-binding is created.

Active (2)

NAT-binding is active.

Removed (3)

NAT-binding was removed.

9.2.3. Current-NAT-Bindings

The Current-NAT-Bindings AVP (AVP code 607) is of type Unsigned32. It indicates the number of NAT-bindings active on the NAT device.
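Sections 9 through 9.2.3 together define what an Accounting-Request carries for DNCA: zero or more NAT-Control-Record AVPs, each with a status and (for Created and Removed) an Event-Timestamp, plus a Current-NAT-Bindings value that has to agree with the records identified as active. The following is an added example, not code from RFC 6736 or from any DNCA implementation: a Python model of that content with the consistency checks a NAT controller would run on receipt, and the Section 9 trigger for an Interim record when Max-NAT-Bindings is reached. The dataclass layout, the simplified NAT-Control-Definition fields and the sample records are assumptions constructed for this example; the example counts only records with status Active toward Current-NAT-Bindings, which is one reading of "identified as active".

```python
# Added example (not part of RFC 6736): DNCA accounting content and the
# consistency checks a NAT controller can apply to an incoming ACR.
# Record layout and sample values are constructed for this example.
from dataclasses import dataclass, field
from typing import List, Optional

# NAT-Control-Binding-Status (AVP code 606) values from Section 9.2.2
CREATED, ACTIVE, REMOVED = 1, 2, 3
STATUS_NAMES = {CREATED: "Created", ACTIVE: "Active", REMOVED: "Removed"}


@dataclass
class NatControlDefinition:
    """Simplified stand-in for the NAT-Control-Definition grouped AVP."""
    protocol: str
    internal: str   # "ip:port", constructed sample format
    external: str


@dataclass
class NatControlRecord:
    """NAT-Control-Record AVP (code 605): one binding and its status.
    Event-Timestamp carries the creation time for Created and the removal
    time for Removed; for Active it is optional."""
    definition: NatControlDefinition
    status: int
    event_timestamp: Optional[int] = None   # seconds since the epoch

    def validate(self) -> List[str]:
        if self.status not in STATUS_NAMES:
            return [f"unknown NAT-Control-Binding-Status {self.status}"]
        if self.status in (CREATED, REMOVED) and self.event_timestamp is None:
            return [f"{STATUS_NAMES[self.status]} record lacks Event-Timestamp"]
        return []


@dataclass
class AccountingRequest:
    """DNCA-specific content of an ACR (Section 10.3): zero or more
    NAT-Control-Record AVPs and exactly one Current-NAT-Bindings AVP."""
    records: List[NatControlRecord] = field(default_factory=list)
    current_nat_bindings: int = 0


def active_count(acr: AccountingRequest) -> int:
    """Bindings the ACR itself identifies as active (status Active)."""
    return sum(1 for r in acr.records if r.status == ACTIVE)


def check_acr(acr: AccountingRequest) -> List[str]:
    """Consistency problems a NAT controller should flag on receipt of an ACR.
    An empty list means the record set and Current-NAT-Bindings agree."""
    errors: List[str] = []
    for i, rec in enumerate(acr.records):
        errors.extend(f"record {i}: {e}" for e in rec.validate())
    active = active_count(acr)
    if acr.current_nat_bindings != active:
        errors.append(f"Current-NAT-Bindings={acr.current_nat_bindings} "
                      f"but {active} record(s) have status Active")
    return errors


def interim_due(acr: AccountingRequest, max_nat_bindings: Optional[int]) -> bool:
    """Section 9: the NAT device may trigger an Interim record when the maximum
    number of bindings (Max-NAT-Bindings, if one was received) is reached."""
    return max_nat_bindings is not None and acr.current_nat_bindings >= max_nat_bindings
```

A controller that records a mismatch between Current-NAT-Bindings and the active records has found either a bug in the NAT device or a tampered message; both are worth an alert rather than silent acceptance.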

10. AVP Occurrence Tables

The following sections present the AVPs defined in this document and specify the Diameter messages in which they can be present. Note: AVPs that can only be present within a Grouped AVP are not represented in this table.

The table uses the following symbols:

0 The AVP MUST NOT be present in the message.

0+ Zero or more instances of the AVP can be present in the message.

0-1 Zero or one instance of the AVP can be present in the message. It is considered an error if there is more than one instance of the AVP.

1 One instance of the AVP MUST be present in the message.

1+ At least one instance of the AVP MUST be present in the message.

10.1. DNCA AVP Table for NAT Control Initial and Update Requests

The following table lists DNCA-specific AVPs that have to be present in NCRs and NCAs with the NC-Request-Type set to INITIAL_REQUEST or UPDATE_REQUEST.

                                       +-------------------+
                                       |  Command Code     |
   +-----------------------------------+-------------------+
   | Attribute Name                        NCR    NCA      |
   +-------------------------------------------------------+
   |NC-Request-Type                         1      1       |
   |NAT-Control-Install                    0-1     0       |
   |NAT-Control-Remove                     0-1     0       |
   |NAT-Control-Definition                  0      0       |
   |Current-NAT-Bindings                    0      0       |
   |Duplicate-Session-Id                    0     0-1      |
   +-------------------------------------------------------+
        

Note that any combination of NAT-Control-Install and NAT-Control-Remove AVPs could be present in an update or initial requests. Consider the following examples:

Neither the NAT-Control-Install AVP nor the NAT-Control-Remove AVP is present: This could, for example, be the case if the NAT controller would only want to receive accounting information but not control NAT-bindings.

Only NAT-Control-Install AVP is present: This could, for example, be the case if a new NAT-binding is installed for an existing session.

Only NAT-Control-Remove AVP is present: This could, for example, be the case if a new NAT-binding is removed from an existing session.

Both NAT-Control-Install AVP and NAT-Control-Remove AVP are present: This could, for example, be the case if a formerly created NAT-binding is removed and a new NAT-binding is established within the same request.

10.2. DNCA AVP Table for Session Query Requests

The following table lists DNCA-specific AVPs that have to be present in NCRs and NCAs with the NC-Request-Type set to QUERY_REQUEST.

                                       +-------------------+
                                       |  Command Code     |
   +-----------------------------------+-------------------+
   | Attribute Name                        NCR    NCA      |
   +-------------------------------------------------------+
   |NC-Request-Type                         1      1       |
   |NAT-Control-Install                     0      0       |
   |NAT-Control-Remove                      0      0       |
   |NAT-Control-Definition                  0      0+      |
   |NAT-External-Address                    0+     0       |
   |Current-NAT-Bindings                    0      1       |
   |Duplicate-Session-Id                    0      0       |
   +-------------------------------------------------------+
        
10.3. DNCA AVP Table for Accounting Messages

The following table lists DNCA-specific AVPs, which may or may not be present in ACR and ACA messages.

                                       +-------------------+
                                       |  Command Code     |
   +-----------------------------------+-------------------+
   | Attribute Name                        ACR    ACA      |
   +-------------------------------------------------------+
   |NAT-Control-Record                      0+     0       |
   |Current-NAT-Bindings                    1      0       |
   +-------------------------------------------------------+
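The three occurrence tables of Sections 10.1 to 10.3 are a compact specification of what a conforming peer must accept or reject at the top level of each command. The following is an added example, not code from RFC 6736 or from any Diameter stack: the tables transcribed into Python and a checker that counts the DNCA-specific AVPs of a parsed message and reports every violation, choosing between the initial/update and query tables from the message's own NC-Request-Type. The message representation (a list of name/value pairs so that repeated AVPs can be counted) and the function name are assumptions constructed for this example.

```python
# Added example (not part of RFC 6736): AVP occurrence checking against the
# tables of Section 10.  Message representation is constructed for the example.
from collections import Counter
from typing import Any, Dict, List, Tuple

# NC-Request-Type values (Section 8.7.1)
INITIAL_REQUEST, UPDATE_REQUEST, QUERY_REQUEST = 1, 2, 3

# Occurrence symbols of Section 10 -> (minimum, maximum); None = unbounded
OCCURRENCE = {"0": (0, 0), "0+": (0, None), "0-1": (0, 1), "1": (1, 1), "1+": (1, None)}

# Section 10.1, columns (NCR, NCA) for INITIAL_REQUEST / UPDATE_REQUEST
TABLE_INITIAL_UPDATE: Dict[str, Tuple[str, str]] = {
    "NC-Request-Type":        ("1",   "1"),
    "NAT-Control-Install":    ("0-1", "0"),
    "NAT-Control-Remove":     ("0-1", "0"),
    "NAT-Control-Definition": ("0",   "0"),
    "Current-NAT-Bindings":   ("0",   "0"),
    "Duplicate-Session-Id":   ("0",   "0-1"),
}
# Section 10.2, columns (NCR, NCA) for QUERY_REQUEST
TABLE_QUERY: Dict[str, Tuple[str, str]] = {
    "NC-Request-Type":        ("1",  "1"),
    "NAT-Control-Install":    ("0",  "0"),
    "NAT-Control-Remove":     ("0",  "0"),
    "NAT-Control-Definition": ("0",  "0+"),
    "NAT-External-Address":   ("0+", "0"),
    "Current-NAT-Bindings":   ("0",  "1"),
    "Duplicate-Session-Id":   ("0",  "0"),
}
# Section 10.3, columns (ACR, ACA)
TABLE_ACCOUNTING: Dict[str, Tuple[str, str]] = {
    "NAT-Control-Record":     ("0+", "0"),
    "Current-NAT-Bindings":   ("1",  "0"),
}

Message = List[Tuple[str, Any]]   # top-level AVPs as (name, value) pairs, in order


def check_occurrences(avps: Message, command: str) -> List[str]:
    """command is 'NCR', 'NCA', 'ACR' or 'ACA'.  For NCR/NCA the applicable
    table is chosen from the message's own NC-Request-Type AVP.  Returns the
    violations found (empty list: the message conforms to its occurrence table)."""
    counts = Counter(name for name, _ in avps)
    if command in ("ACR", "ACA"):
        table, col = TABLE_ACCOUNTING, (0 if command == "ACR" else 1)
    elif command in ("NCR", "NCA"):
        req_types = [v for n, v in avps if n == "NC-Request-Type"]
        if len(req_types) != 1:
            return [f"NC-Request-Type occurs {len(req_types)} time(s), expected exactly 1"]
        if req_types[0] == QUERY_REQUEST:
            table = TABLE_QUERY
        elif req_types[0] in (INITIAL_REQUEST, UPDATE_REQUEST):
            table = TABLE_INITIAL_UPDATE
        else:
            return [f"unknown NC-Request-Type value {req_types[0]}"]
        col = 0 if command == "NCR" else 1
    else:
        raise ValueError(f"unknown command {command!r}")
    errors: List[str] = []
    for name, cells in table.items():
        lo, hi = OCCURRENCE[cells[col]]
        n = counts.get(name, 0)
        if n < lo or (hi is not None and n > hi):
            errors.append(f"{name}: {n} occurrence(s) in {command}, table allows {cells[col]}")
    return errors
```

The four NAT-Control-Install/NAT-Control-Remove combinations listed under Section 10.1 all pass because each of those AVPs is "0-1" in an NCR; a query NCA without Current-NAT-Bindings, or an ACR without it, is rejected.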
        
11. IANA Considerations

This section contains either the namespaces that have been created in this specification or the values assigned to existing namespaces managed by IANA.

In the subsections below, when we speak about review by a Designated Expert [RFC5226], please note that the Designated Expert will be assigned by the IESG. Initially, such Expert discussions take place on the AAA WG mailing list.

11.1. Application Identifier

This specification assigns the value 12, 'Diameter NAT Control Application', to the Application Identifier namespace defined in [RFC6733]. See Section 4 for more information.

11.2. Command Codes

This specification uses the value 330 from the Command code namespace defined in [RFC6733] for the NAT-Control-Request (NCR) and NAT-Control-Answer (NCA) commands. See Section 6.1 and Section 6.2 for more information on these commands.

11.3. AVP Codes

This specification assigns the values 595-607 from the AVP Code namespace defined in [RFC6733]. See Section 8.7 for the assignment of the namespace in this specification.

11.4. Result-Code AVP Values

This specification assigns the values 4014 and 5042-5047 from the Result-Code AVP value namespace defined in [RFC6733]. See Section 8.2 for the assignment of the namespace in this specification.

11.5. NC-Request-Type AVP

As defined in Section 8.7.1, the NC-Request-Type AVP includes Enumerated type values 1-3. IANA has created and is maintaining a namespace for this AVP. All remaining values are available for assignment by a Designated Expert [RFC5226].

11.6. NAT-External-Port-Style AVP

As defined in Section 8.7.10, the NAT-External-Port-Style AVP includes Enumerated type value 1. IANA has created and is maintaining a namespace for this AVP. All remaining values are available for assignment by a Designated Expert [RFC5226].

11.7. NAT-Control-Binding-Status AVP

As defined in Section 8.7.1, the NAT-Control-Binding-Status AVP includes Enumerated type values 1-3. IANA has created and is maintaining a namespace for this AVP. All remaining values are available for assignment by a Designated Expert [RFC5226].

12. Security Considerations

This document describes procedures for controlling NAT-related attributes and parameters by an entity, which is non-local to the device performing NAT. This section discusses security considerations for DNCA. This includes the interactions between the Diameter peers within a NAT controller and a NAT device as well as general considerations for a NAT-control in a service provider network.

Security between a NAT controller and a NAT device has a number of components: authentication, authorization, integrity, and confidentiality.

"Authentication" refers to confirming the identity of an originator for all datagrams received from the originator. Lack of authentication of Diameter messages between the Diameter peers can jeopardize the fundamental service of the peering network elements. A consequence of the recipient not authenticating the message sender would be that an attacker could spoof the identity of a "legitimate" authorizing entity in order to change the behavior of the receiver. An attacker could, for example, launch a DoS attack by setting the maximum number of bindings for a session on the NAT device to zero; provisioning bindings on a NAT device that include IP addresses already in use in other parts of the network; or requesting termination of the Diameter session and hampering an endpoint's (i.e., a user's) connectivity. Lack of authentication of a NAT device to a NAT controller could lead to situations where the NAT device provides a wrong view of the resources (i.e., NAT-bindings). In addition, a predefined NAT-binding template on the NAT device could be configured differently than expected by the NAT controller. If either of the two DNCA Diameter peers fails to provide the required credentials, the failure should be subject to logging. The corresponding logging infrastructure of the operator SHOULD be built in a way that it can mitigate potential DoS attacks resulting from large amounts of logging events. This could include proper dimensioning of the logging infrastructure combined with policing the maximum number of logging events accepted by the logging system to a threshold which the system is known to be able to handle.

"Authorization" refers to whether a particular authorizing entity is authorized to signal a network element request for one or more applications, adhering to a certain policy profile. Failing the authorization process might indicate a resource theft attempt or failure due to administrative and/or credential deficiencies. In either case, the network element should take the proper measures to log such attempts.

Integrity is required to ensure that a Diameter message exchanged between the Diameter peers has not been maliciously altered by intermediate devices. The result of a lack of data integrity enforcement in an untrusted environment could be that an impostor will alter the messages exchanged between the peers. This could cause a change of behavior of the peers, including the potential of a DoS.

Confidentiality protection of Diameter messages ensures that the signaling data is accessible only to the authorized entities. When signaling messages between the DNCA Diameter peers traverse untrusted networks, lack of confidentiality will allow eavesdropping and traffic analysis.

Diameter offers security mechanisms to deal with the functionality demanded above. DNCA makes use of the capabilities offered by Diameter and the underlying transport protocols to deliver these requirements (see Section 5.1). If the DNCA communication traverses untrusted networks, messages between DNCA Diameter peers SHOULD be secured using either IPsec or TLS. Please refer to [RFC6733], Section 13 for details. DNCA Diameter peers SHOULD perform bilateral authentication, authorization, as well as procedures to ensure integrity and confidentiality of the information exchange. In addition, the Session-Id chosen for a particular Diameter session SHOULD be chosen in a way that it is hard to guess in order to mitigate issues through potential message replay.

DNCA Diameter peers SHOULD have a mutual trust setup. This document does not specify a mechanism for authorization between the DNCA Diameter peers. The DNCA Diameter peers SHOULD be provided with sufficient information to make an authorization decision. The information can come from various sources, for example, the peering devices could store local authentication policy, listing the identities of authorized peers.
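Two of the recommendations in this section can be shown concretely: a Session-Id that is hard to guess (to blunt message replay) and a local authorization policy listing the identities of authorized peers, with failures logged as the authentication and authorization paragraphs ask. The following is an added example, not code from RFC 6736 or from any Diameter stack. It builds Session-Id values in the RFC 6733 form <DiameterIdentity>;<high 32 bits>;<low 32 bits>[;<optional value>] and fills the optional value from a cryptographically secure random source; the policy sets, the function names and the sample identities are assumptions constructed for this example.

```python
# Added example (not part of RFC 6736): unpredictable Session-Id generation
# and a local peer-authorization check with logging of failures.
# Policy contents and sample identities are constructed for this example.
import logging
import secrets
import time
from itertools import count
from typing import Set, Tuple

log = logging.getLogger("dnca")

# RFC 6733 suggests e.g. the startup time for the high 32 bits and a
# monotonically increasing value for the low 32 bits.
_HIGH32 = int(time.time()) & 0xFFFFFFFF
_low32 = count(1)


def make_session_id(origin_host: str) -> str:
    """Globally unique Session-Id whose optional field carries 64 random bits,
    so knowing the counter does not let a third party predict the next value."""
    low = next(_low32) & 0xFFFFFFFF
    return f"{origin_host};{_HIGH32};{low};{secrets.token_hex(8)}"


def session_id_fields(session_id: str) -> Tuple[str, int, int, str]:
    """Split a Session-Id into (identity, high, low, optional)."""
    ident, high, low, opt = session_id.split(";", 3)
    return ident, int(high), int(low), opt


# Constructed sample policy: which Diameter identities may act in which role.
AUTHORIZED_CONTROLLERS: Set[str] = {"natC.example.com"}
AUTHORIZED_NAT_DEVICES: Set[str] = {"nat-device.example.com"}


def authorize_peer(origin_host: str, role: str) -> bool:
    """Local authorization decision for a DNCA peer; role is 'controller' or
    'nat-device'.  Unauthorized attempts are logged, never silently dropped."""
    if role == "controller":
        allowed = AUTHORIZED_CONTROLLERS
    elif role == "nat-device":
        allowed = AUTHORIZED_NAT_DEVICES
    else:
        raise ValueError(f"unknown role {role!r}")
    if origin_host in allowed:
        return True
    log.warning("DNCA authorization failure: %s is not an authorized %s",
                origin_host, role)
    return False
```

The log line is the hook for the rate-limited logging infrastructure the section describes; an operator would feed it to the same pipeline that watches for repeated authentication failures.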

Any mechanism or protocol providing control of a NAT device, and DNCA is an example of such a control mechanism, could allow for misuse of the NAT device given that it enables the definition of per-destination or per-source rules. Misuse could include anti-competitive practices among providers, censorship, crime, etc. NAT-control could be used as a tool for preventing or redirecting access to particular sites. For instance, by controlling the NAT-bindings, one could ensure that endpoints aren't able to receive particular flows, or that those flows are redirected to a relay that snoops or tampers with traffic instead of directly forwarding the traffic to the intended endpoint. In addition, one could set up a binding in a way that the source IP address used is one of a relay so that traffic coming back can be snooped on or interfered with. The operator also needs to consider security threats resulting from unplanned termination of the DNCA session. Unplanned session termination, which could happen due to, e.g., an attacker taking down the NAT controller, leads to the NAT device cleaning up the state associated with this session after a grace period. If the grace period is set to zero, the endpoint will experience an immediate loss of connectivity to services reachable through the NAT device following the termination of the DNCA session. The protections on DNCA and its Diameter protocol exchanges don't prevent such abuses of NAT-control. Prevention of misuse or misconfiguration of a NAT device by an authorized NAT controller is beyond the scope of this protocol specification. A service provider deploying DNCA needs to make sure that higher-layer processes and procedures are put in place that allow them to detect and mitigate misuses.

13. Examples

This section shows example DNCA message content and exchange.

13.1. DNCA Session Establishment Example

Figure 15 depicts a typical call flow for DNCA session establishment.

In this example, the NAT controller does the following:

a. requests a maximum of 100 NAT-bindings for the endpoint.

b. defines a static binding for a TCP connection that associates the internal IP Address:Port 192.0.2.1:80 with the external IP Address:Port 198.51.100.1:80 for the endpoint.

c. requests the use of a preconfigured template called "local-policy" while creating NAT-bindings for the endpoint.

   endpoint             NAT controller (within NAS)           NAT device
      |                            |                               |
      |                            |                               |
      |      1. Trigger            |                               |
      |--------------------------->|                               |
      |       +-------------------------------------+              |
      |       |  2. Determine that NAT control      |              |
      |       |     is required for the endpoint    |              |
      |       +-------------------------------------+              |
      |                            |                               |
      |                            |                               |
      |                           ...................................
      |                           .|   3. Diameter Base CER/CEA    |.
      |                           .|<----------------------------->|.
      |                           ...................................
      |                            |                               |
      |                            |                               |
      |                            |         4.  NCR               |
      |                            |------------------------------>|
      |                            |                               |
      |                            |                     5. DNCA session
      |                            |                        established
      |                            |                               |
      |                            |         6.  NCA               |
      |                            |<------------------------------|
      |                            |                               |
      |                            |                               |
      |                  7. Data traffic                           |
      |----------------------------------------------------------->|
      |                            |                               |
      |                            |                               |
      |                            |                    8. NAT-bindings
      |                            |                     created as per
      |                            |                   directives in the
      |                            |                       DNCA session
      |                            |                               |
        

Figure 15: Initial NAT-Control-Request and Session Establishment Example

Detailed description of the steps shown in Figure 15:

1. The NAT controller (co-located with the NAS here) creates state for an endpoint based on a trigger. This could, for example, be the successful establishment of a Point-to-Point Protocol (PPP) [RFC1661] access session.

2. Based on the configuration of the DNCA Diameter peer within the NAT controller, the NAT controller determines that NAT-control is required and is to be enforced at a NAT device.

3. If there is no Diameter session already established with the DNCA Diameter peer within the NAT device, a Diameter connection is established and Diameter Base CER/CEA are exchanged.

4. The NAT-Controller creates an NCR message (see below) and sends it to the NAT device. This example shows IPv4 to IPv4 address and port translation. For IPv6 to IPv4 translation, the Framed-IP-Address AVP would be replaced by the Framed-IPv6-Address AVP with the value set to the IPv6 address of the endpoint.

     < NC-Request > ::= < Diameter Header: 330, REQ, PXY>
                      Session-Id =  "natC.example.com:33041;23432;"
                      Auth-Application-Id = <DNCA Application ID>
                      Origin-Host = "natC.example.com"
                      Origin-Realm = "example.com"
                      Destination-Realm = "example.com"
                      Destination-Host = "nat-device.example.com"
                      NC-Request-Type = INITIAL_REQUEST
                      User-Name = "subscriber_example1"
                      Framed-IP-Address = "192.0.2.1"
                      NAT-Control-Install = {
                           NAT-Control-Definition = {
                              Protocol = TCP
                              Direction = OUT
                              NAT-Internal-Address = {
                                   Framed-IP-Address = "192.0.2.1"
                                   Port = 80
                              }
                              NAT-External-Address = {
                                   Framed-IP-Address = "198.51.100.1"
                                   Port = 80
                              }
                           }
                           Max-NAT-Bindings = 100
                           NAT-Control-Binding-Template = "local-policy"
                      }

5. The NAT device establishes a DNCA session as it is able to comply with the request.

6. The NAT device sends an NCA to indicate the successful completion of the request.

      <NC-Answer> ::= < Diameter Header: 330, PXY >
                       Session-Id =  "natC.example.com:33041;23432;"
                       Origin-Host = "nat-device.example.com"
                       Origin-Realm = "example.com"
                       NC-Request-Type = INITIAL_REQUEST
                       Result-Code = DIAMETER_SUCCESS

7. The endpoint sends packets that reach the NAT device.

8. The NAT device performs NAT for traffic received from the endpoint with source address 192.0.2.1. Traffic with source IP address 192.0.2.1 and source port 80 is translated to the external IP address 198.51.100.1 and port 80. Traffic with source IP address 192.0.2.1 and a source port other than 80 is translated to IP address 198.51.100.1 and a port chosen by the NAT device. Note that this example assumes that the NAT device follows typical binding allocation rules for endpoints, in that a single external IP address is used for all traffic received from a single IP address of an endpoint. The NAT device allows a maximum of 100 NAT-bindings to be created for the endpoint.

13.2. DNCA Session Update with Port Style Example

This section gives an example of a DNCA session update: a new set of NAT-bindings is requested for an existing session. The request contains a directive (the NAT-External-Port-Style AVP set to FOLLOW_INTERNAL_PORT_STYLE) that directs the NAT device to maintain port sequence and port oddity for the newly created NAT-bindings. In the example shown, the internal ports are UDP ports 1036 and 1037. The NAT device follows the directive and selects the external ports accordingly. The NAT device would, for example, map 192.0.2.1:1036 to 198.51.100.1:5056 and 192.0.2.1:1037 to 198.51.100.1:5057, thereby maintaining port oddity (1036->5056, 1037->5057) and sequence (the consecutive internal ports 1036 and 1037 map to the consecutive external ports 5056 and 5057).

      < NC-Request > ::= < Diameter Header: 330, REQ, PXY>
                       Session-Id =  "natC.example.com:33041;23432;"
                       Auth-Application-Id = <DNCA Application ID>
                       Origin-Host = "natC.example.com"
                       Origin-Realm = "example.com"
                       Destination-Realm = "example.com"
                       Destination-Host = "nat-device.example.com"
                       NC-Request-Type = UPDATE_REQUEST
                       NAT-Control-Install = {
                           NAT-Control-Definition = {
                               Protocol = UDP
                               Direction = OUT
                               NAT-Internal-Address = {
                                    Framed-IP-Address = "192.0.2.1"
                                    Port = 1035
                               }
                           }
                           NAT-Control-Definition = {
                               Protocol = UDP
                               Direction = OUT
                               NAT-Internal-Address = {
                                    Framed-IP-Address = "192.0.2.1"
                                    Port = 1036
                               }
                           }
                           NAT-External-Port-Style = FOLLOW_INTERNAL_PORT_STYLE
                       }
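
The directives carried by the two NCRs above (a pre-provisioned TCP binding plus Max-NAT-Bindings in Section 13.1, and FOLLOW_INTERNAL_PORT_STYLE here) can be made concrete by modelling the binding state a NAT device keeps for one DNCA session. The Python below is an added example, not code from RFC 6736 or from any NAT implementation; the class and method names (DncaSession, install, translate, query, terminate) are this example's own, and the external port pool starting at 5056 is chosen so that the result matches the mappings the text gives. The same model also produces the QUERY_REQUEST answer of Section 13.3 and the bindings reported as Removed at termination in Section 13.4.

```python
# Added example, not code from RFC 6736: a small model of the per-session NAT
# state a NAT device keeps under DNCA, replaying the directives of Sections
# 13.1 to 13.4 (pre-provisioned binding, Max-NAT-Bindings, the
# FOLLOW_INTERNAL_PORT_STYLE allocation, the QUERY_REQUEST answer and the
# bindings reported as Removed on termination). Addresses and ports come from
# the RFC's examples; the pool start 5056 is chosen to reproduce them.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    protocol: str
    internal: Tuple[str, int]  # (ip, port) on the inside
    external: Tuple[str, int]  # (ip, port) on the outside


class BindingLimitExceeded(Exception):
    """A new binding would exceed Max-NAT-Bindings or exhaust the port pool."""


class DncaSession:
    """NAT state for one endpoint; one external IP serves the whole internal IP."""

    def __init__(self, session_id: str, internal_ip: str, external_ip: str,
                 max_bindings: int, pool_start: int = 5056, pool_end: int = 65535):
        self.session_id = session_id
        self.internal_ip = internal_ip
        self.external_ip = external_ip
        self.max_bindings = max_bindings
        self.pool = range(pool_start, pool_end + 1)
        self.bindings: Dict[Tuple[str, int], Binding] = {}  # (proto, int port)
        self._last_styled: Dict[str, Tuple[int, int]] = {}  # proto -> (int, ext)

    def _used(self) -> set:
        return {b.external[1] for b in self.bindings.values()}

    def _first_free(self, parity: Optional[int] = None) -> int:
        used = self._used()
        for p in self.pool:
            if p not in used and (parity is None or p % 2 == parity):
                return p
        raise BindingLimitExceeded("external port pool exhausted")

    def _styled_port(self, protocol: str, internal_port: int) -> int:
        """FOLLOW_INTERNAL_PORT_STYLE: sequence first (internal n+1 after n gets
        external e+1 after e, if free), else first free port of the same oddity."""
        prev = self._last_styled.get(protocol)
        if prev and internal_port == prev[0] + 1:
            cand = prev[1] + 1
            if cand in self.pool and cand not in self._used():
                return cand
        return self._first_free(parity=internal_port % 2)

    def install(self, protocol: str, internal_port: int,
                external_port: Optional[int] = None,
                follow_internal_port_style: bool = False) -> Binding:
        """Apply one NAT-Control-Definition; without NAT-External-Address the
        NAT device picks the external port itself."""
        key = (protocol, internal_port)
        if key in self.bindings:
            return self.bindings[key]
        if len(self.bindings) >= self.max_bindings:
            raise BindingLimitExceeded(f"Max-NAT-Bindings={self.max_bindings} reached")
        if external_port is None:
            external_port = (self._styled_port(protocol, internal_port)
                             if follow_internal_port_style else self._first_free())
        elif external_port in self._used():
            raise ValueError(f"external port {external_port} already bound")
        b = Binding(protocol, (self.internal_ip, internal_port),
                    (self.external_ip, external_port))
        self.bindings[key] = b
        if follow_internal_port_style:
            self._last_styled[protocol] = (internal_port, external_port)
        return b

    def translate(self, protocol: str, src_port: int) -> Tuple[str, int]:
        """Outbound packet from the endpoint (step 8): reuse or create a binding."""
        return self.install(protocol, src_port).external

    def query(self) -> List[Binding]:
        """Bindings listed in the NCA to a QUERY_REQUEST."""
        return sorted(self.bindings.values(), key=lambda b: (b.protocol, b.internal[1]))

    def terminate(self) -> List[Tuple[Binding, str]]:
        """STR handling: report each binding as Removed (STOP_RECORD ACR), then
        drop all session state."""
        removed = [(b, "Removed") for b in self.query()]
        self.bindings.clear()
        self._last_styled.clear()
        return removed


def rfc_walkthrough() -> List[Tuple[str, int, int]]:
    """Sections 13.1 to 13.3 replayed: TCP 80 pre-provisioned, UDP 1036/1037 with
    FOLLOW_INTERNAL_PORT_STYLE, then the query answer as (proto, int, ext)."""
    s = DncaSession("natC.example.com:33041;23432;", "192.0.2.1",
                    "198.51.100.1", max_bindings=100)
    s.install("TCP", 80, external_port=80)
    for port in (1036, 1037):
        s.install("UDP", port, follow_internal_port_style=True)
    return [(b.protocol, b.internal[1], b.external[1]) for b in s.query()]
```

Calling rfc_walkthrough() yields TCP 80->80, UDP 1036->5056 and UDP 1037->5057, the three bindings the query answer in Section 13.3 lists. The sequence rule is tried before the oddity rule so that consecutive internal ports stay consecutive externally; with an empty pool both rules give the same answer here, but if 5057 were already in use the oddity rule alone would fall back to the next free odd port (5059) and sequence would be lost, which is exactly the case the directive asks the NAT device to avoid where it can. A binding request beyond Max-NAT-Bindings raises BindingLimitExceeded rather than silently creating state, which is the behaviour a NAT controller relies on when it caps an endpoint at 100 bindings.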
        
13.3. DNCA Session Query Example

This section shows an example of a DNCA session query for a subscriber whose internal IP address is 192.0.2.1.

      < NC-Request > ::= < Diameter Header: 330, REQ, PXY>
                       Auth-Application-Id = <DNCA Application ID>
                       Origin-Host = "natC.example.com"
                       Origin-Realm = "example.com"
                       Destination-Realm = "example.com"
                       Destination-Host = "nat-device.example.com"
                       NC-Request-Type = QUERY_REQUEST
                       Framed-IP-Address = "192.0.2.1"
        

The NAT device constructs an NCA to report all currently active NAT-bindings whose internal address is 192.0.2.1.

      <NC-Answer> ::= < Diameter Header: 330, PXY >
                    Origin-Host = "nat-device.example.com"
                    Origin-Realm = "example.com"
                    NC-Request-Type = QUERY_REQUEST
                    NAT-Control-Definition = {
                            Protocol = TCP
                            Direction = OUT
                            NAT-Internal-Address = {
                                Framed-IP-Address = "192.0.2.1"
                                Port = 80
                               }
                            NAT-External-Address = {
                                 Framed-IP-Address = "198.51.100.1"
                                 Port = 80
                               }
                            Session-Id = "natC.example.com:33041;23432;"
                    }
                    NAT-Control-Definition = {
                            Protocol = TCP
                            Direction = OUT
                            NAT-Internal-Address = {
                                Framed-IP-Address = "192.0.2.1"
                                Port = 1036
                               }
                            NAT-External-Address = {
                                 Framed-IP-Address = "198.51.100.1"
                                 Port = 5056
                               }
                            Session-Id = "natC.example.com:33041;23432;"
                    }
                    NAT-Control-Definition = {
                            Protocol = TCP
                            Direction = OUT
                            NAT-Internal-Address = {
                                Framed-IP-Address = "192.0.2.1"
                                Port = 1037
                               }
                            NAT-External-Address = {
                                 Framed-IP-Address = "198.51.100.1"
                                 Port = 5057
                               }
                            Session-Id = "natC.example.com:33041;23432;"
                    }
        
13.4. DNCA Session Termination Example

In this example, the NAT controller decides to terminate the previously established DNCA session. This could, for example, be the result of an access session (e.g., a PPP session) associated with an endpoint having been torn down.

       NAT controller                            NAT device
             |                                       |
             |                                       |
    +--------------+                                 |
    |  1. Trigger  |                                 |
    +--------------+                                 |
             |                                       |
             |                                       |
             |             2.  STR                   |
             |-------------------------------------->|
             |                                       |
             |                             3. DNCA session
             |                                   lookup
             |             4.  ACR                   |
             |<--------------------------------------|
             |                                       |
             |             5.  ACA                   |
             |-------------------------------------->|
             |                                       |
             |                                       |
             |                             6. DNCA bindings
             |                            and session cleanup
             |                                       |
             |             7.  STA                   |
             |<--------------------------------------|
             |                                       |

Figure 20: NAT Control Session Termination Example

The following steps describe the sequence of events for tearing down the DNCA session in the example above:

1. The NAT controller receives a trigger that a DNCA session associated with a specific endpoint should be terminated. An example event is the termination of the PPP [RFC1661] access session to an endpoint in a NAS. The NAS correspondingly triggers the NAT controller to tear down the associated DNCA session.

2. The NAT controller creates the required NCR message and sends it to the NAT device:

      < STR >     ::= < Diameter Header: 275, REQ, PXY>
                       Session-Id =  "natC.example.com:33041;23432;"
                       Auth-Application-Id = <DNCA Application ID>
                       Origin-Host = "natC.example.com"
                       Origin-Realm = "example.com"
                       Destination-Realm = "example.com"
                       Destination-Host = "nat-device.example.com"
                       Termination-Cause = DIAMETER_LOGOUT

3. The NAT device looks up the DNCA session based on the Session-Id AVP and finds a previously established active session.

4. The NAT device reports all NAT-bindings established for that subscriber using an ACR:

      < ACR >     ::= < Diameter Header: 271, REQ, PXY>
                       Session-Id =  "natC.example.com:33041;23432;"
                       Auth-Application-Id = <DNCA Application ID>
                       Origin-Host = "nat-device.example.com"
                       Origin-Realm = "example.com"
                       Destination-Realm = "example.com"
                       Destination-Host = "natC.example.com"
                       Accounting-Record-Type = STOP_RECORD
                       Accounting-Record-Number = 1
                       NAT-Control-Record = {
                           NAT-Control-Definition = {
                               Protocol = TCP
                               Direction = OUT
                               NAT-Internal-Address = {
                                    Framed-IP-Address = "192.0.2.1"
                                    Port = 5001
                               }
                               NAT-External-Address = {
                                    Framed-IP-Address = "198.51.100.1"
                                    Port = 7777
                               }
                           }
                           NAT-Control-Binding-Status = Removed
                       }

5. The NAT controller receives and processes the ACR as per its configuration. It responds with an ACA to the NAT device.

      <ACA>      ::= < Diameter Header: 271, PXY >
                       Session-Id =  "natC.example.com:33041;23432;"
                       Origin-Host = "natC.example.com"
                       Origin-Realm = "example.com"
                       Result-Code = DIAMETER_SUCCESS
                       Accounting-Record-Type = STOP_RECORD
                       Accounting-Record-Number = 1

6. On receipt of the ACA, the NAT device cleans up all NAT-bindings and associated session state for the endpoint.

7. The NAT device sends an STA. On receipt of the STA, the NAT controller cleans up the corresponding session state.

      <STA>      ::= < Diameter Header: 275, PXY >
                       Session-Id =  "natC.example.com:33041;23432;"
                       Origin-Host = "nat-device.example.com"
                       Origin-Realm = "example.com"
                       Result-Code = DIAMETER_SUCCESS

14. Acknowledgements

The authors would like to thank Jari Arkko, Wesley Eddy, Stephen Farrell, Miguel A. Garcia, David Harrington, Jouni Korhonen, Matt Lepinski, Avi Lior, Chris Metz, Pallavi Mishra, Lionel Morand, Robert Sparks, Martin Stiemerling, Dave Thaler, Hannes Tschofenig, Sean Turner, Shashank Vikram, Greg Weber, and Glen Zorn for their input on this document.

15. References

15.1. Normative References

[ETSIES283034] ETSI, "Telecommunications and Internet Converged Services and Protocols for Advanced Networks (TISPAN), Network Attachment Sub-System (NASS), e4 interface based on the Diameter protocol.", September 2008.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, "Diameter Network Access Server Application", RFC 4005, August 2005.

[RFC4675] Congdon, P., Sanchez, M., and B. Aboba, "RADIUS Attributes for Virtual LAN and Priority Support", RFC 4675, September 2006.

[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008.

[RFC5777] Korhonen, J., Tschofenig, H., Arumaithurai, M., Jones, M., and A. Lior, "Traffic Classification and Quality of Service (QoS) Attributes for Diameter", RFC 5777, February 2010.

[RFC6733] Fajardo, V., Arkko, J., Loughney, J., and G. Zorn, "Diameter Base Protocol", RFC 6733, October 2012.

15.2. Informative References

[CGN-REQS] Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A., and H. Ashida, "Common requirements for Carrier Grade NATs (CGNs)", Work in Progress, September 2012.

[RFC1661] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994.

[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, August 1999.

[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, January 2001.

[RFC3303] Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A., and A. Rayhan, "Middlebox communication architecture and framework", RFC 3303, August 2002.

[RFC3304] Swale, R., Mart, P., Sijben, P., Brim, S., and M. Shore, "Middlebox Communications (midcom) Protocol Requirements", RFC 3304, August 2002.

[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002.

[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, July 2003.

[RFC4097] Barnes, M., "Middlebox Communications (MIDCOM) Protocol Evaluation", RFC 4097, June 2005.

[RFC5189] Stiemerling, M., Quittek, J., and T. Taylor, "Middlebox Communication (MIDCOM) Protocol Semantics", RFC 5189, March 2008.

[RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation Algorithm", RFC 6145, April 2011.

[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, April 2011.

[RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. Bierman, "Network Configuration Protocol (NETCONF)", RFC 6241, June 2011.

Authors' Addresses

Frank Brockners Cisco Hansaallee 249, 3rd Floor Duesseldorf, Nordrhein-Westfalen 40549 Germany

   EMail: fbrockne@cisco.com

Shwetha Bhandari Cisco Cessna Business Park, Sarjapura Marathalli Outer Ring Road Bangalore, Karnataka 560 087 India

   EMail: shwethab@cisco.com

Vaneeta Singh 18, Cambridge Road Bangalore 560008 India

   EMail: vaneeta.singh@gmail.com

Victor Fajardo Telcordia Technologies 1 Telcordia Drive #1S-222 Piscataway, NJ 08854 USA

   EMail: vf0213@gmail.com