User Data Repository Diameter User's Guide
Release 12.4
E92984-01

S6a/S6d HSS Topology Hiding

S6a/S6d HSS Topology Hiding is concerned with hiding the identities of a Protected Network's HSS when it exchanges messages with Untrusted Networks. An HSS's host name is embedded in the Origin-Host and Session-Id AVPs sent in Request messages and the Origin-Host AVP sent in Answer messages. This capability is associated with the Diameter S6a/S6d application message set defined in 3GPP TS 29.272, Mobility Management Entity (MME) and Serving GPRS Support Node (SGSN) related interfaces based on Diameter protocol.

S6a/S6d HSS Topology Hiding determines which entity (HSS or MME/SGSN) initiated a message based on the Command Code in the message.

HSS identities are hidden by replacing the Hostname portion of the Origin-Host and Session-Id AVPs (Session-Id format: <host name>;<implementation-specific portion>, where the host name is the originator's DiameterIdentity as required by RFC 6733) with an operator-defined HSS Pseudo Hostname that is assigned to the Protected Network in the S6a/S6d HSS Topology Hiding Configuration Set.

Protected-HSS to Untrusted-MME/SGSN Transactions

For Protected-HSS to Untrusted-MME/SGSN Diameter transactions, S6a/S6d HSS Topology Hiding is concerned with the following topology information hiding and restoral issues:
  • The AVPs containing an HSS's Actual Hostname in Request messages must be hidden with an HSS Pseudo Hostname assigned to the Protected Network at TH Trigger Point RTH (the single pseudo hostname of the Configuration Set, or one selected from several as described below).
  • The MME/SGSN sends an Answer response to the transaction with the Session-Id received in the Request (which also contains an HSS Pseudo Hostname). Because the Session-Id value returned in the Answer must match the value sent in the Request, the HSS Pseudo Hostnames in the Answer message Session-Id AVP must be restored with the HSS Hostname or Hostnames sent in the Request message.

    The Session-Id AVP values are restored at TH Trigger Point ATR, from the Hostname portion of the Session-Id AVP value that is saved in the Pending Transaction Record (PTR).

    The Hostname restoral procedure is not required for Answers initiated by internal nodes (Diameter Routing Function and applications) as these Answer responses are based upon the original Request message content and thus do not contain Pseudo Hostnames.

If a single S6a/S6d pseudo-hostname per S6a/S6d HSS TH Configuration Set is used, that pseudo-hostname is used to hide every actual S6a/S6d HSS host name. If multiple pseudo-hostnames per actual host name are used, the content of the User-Name AVP is used to select the pseudo-host. In S6a/S6d, the subscriber's IMSI is carried in the User-Name AVP, whose content may take one of the following forms:
  • IMSI
  • IMSI@realm
It is not necessary to extract the IMSI portion from the User-Name AVP value: the User-Name AVP content is the same in all transactions associated with a subscriber, so using it as received maps every transaction of that subscriber to the same pseudo-hostname. The algorithm for mapping an actual S6a/S6d HSS host name to one of the pseudo-hostnames assigned to it is therefore:
  • Pseudo-Host Name Selected = Function (User-Name AVP Content) MODULO (Number of Pseudo-Host Names assigned to this S6a/S6d HSS Host Name)

An example of a Protected-HSS to Untrusted-MME/SGSN Diameter transaction is shown in Figure 10-12.

Figure 10-12 S6a/S6d HSS TH Protected-HSS to Untrusted-MME/SGSN Diameter Transaction

For Protected-HSS to Untrusted-MME/SGSN transactions, S6a/S6d HSS topology information hiding is required only on Request messages that meet the following criteria:
  • Message was a candidate for Topology Hiding as defined by TH Trigger Point RTH in Table 10-6
  • S6a/S6d HSS Topology Hiding is enabled for the Protected Network (an S6a/S6d HSS Topology Hiding Configuration Set is assigned to the Protected Network)
  • The Request message is a member of the S6a/S6d message set and was initiated by an HSS as determined from the Command Code in the message

For Protected-HSS to Untrusted-MME/SGSN transactions, S6a/S6d HSS topology information hiding is performed only on Answer messages that meet the following criterion:

  • At TH Trigger Point ATR, the S6a/S6d HSS TH ATR flag in the PTR associated with the Answer message is set to Enabled.

When the above criterion is met, Session-Id AVP restoral is performed using the HSS's Actual Hostname stored in the PTR.
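The Protected-HSS to Untrusted-MME/SGSN procedure described above (pseudo-hostname selection from the User-Name AVP, hiding at TH Trigger Point RTH, Session-Id restoral at TH Trigger Point ATR from the PTR), as an added Python example. This is illustrative code written for this page, not the product's implementation. The hash used as "Function (User-Name AVP Content)", the Configuration Set layout, the message field names, and the host names and IMSI are assumptions or constructed sample data; the command codes are those of 3GPP TS 29.272.

```python
# Added example (not the product's code): S6a/S6d HSS Topology Hiding for a
# Protected-HSS to Untrusted-MME/SGSN transaction.  Hiding at TH Trigger Point
# RTH, Session-Id restoral at TH Trigger Point ATR from the Pending Transaction
# Record (PTR).  Host names, IMSI and the hash function are assumptions.
import hashlib

# S6a/S6d Request command codes that only an HSS originates (3GPP TS 29.272):
# Cancel-Location 317, Insert-Subscriber-Data 319, Delete-Subscriber-Data 320,
# Reset 322.  The page only says the initiator is derived from the Command Code.
HSS_INITIATED_COMMAND_CODES = {317, 319, 320, 322}

# Assumed S6a/S6d HSS TH Configuration Set: actual HSS host name -> the pseudo
# host names assigned to it (several per host, so User-Name drives selection).
CONFIG_SET = {
    "hss1.protected.example": [
        "hss-a.pseudo.example",
        "hss-b.pseudo.example",
        "hss-c.pseudo.example",
    ],
}


def select_pseudo_host(actual_host: str, user_name: str) -> str:
    """Pseudo-Host Name Selected = Function(User-Name) MODULO (number of pseudo names).

    The User-Name content (IMSI or IMSI@realm) is hashed exactly as received,
    without extracting the IMSI: it is identical in every transaction of one
    subscriber, so the same pseudo host is always chosen.  SHA-256 is an
    assumed Function; a Request without User-Name falls back to the first
    pseudo host (also an assumption, the page does not cover that case)."""
    pseudo_hosts = CONFIG_SET[actual_host]
    if not user_name:
        return pseudo_hosts[0]
    digest = hashlib.sha256(user_name.encode("utf-8")).digest()
    return pseudo_hosts[int.from_bytes(digest[:8], "big") % len(pseudo_hosts)]


def split_session_id(session_id: str) -> tuple[str, str]:
    """Session-Id starts with the originator's DiameterIdentity, then ';' and an
    implementation-specific remainder (RFC 6733 section 8.8)."""
    host, sep, rest = session_id.partition(";")
    return host, sep + rest


def hide_request_rth(request: dict, ptr: dict) -> dict:
    """TH Trigger Point RTH: hide the HSS's actual host name in a Request.

    Applies only to S6a/S6d Requests initiated by an HSS whose Origin-Host is a
    protected HSS.  Saves the Session-Id host portion in the PTR and sets the
    S6a/S6d HSS TH ATR flag so the Answer can be restored."""
    if request["Command-Code"] not in HSS_INITIATED_COMMAND_CODES:
        return request
    actual_host = request["Origin-Host"]
    if actual_host not in CONFIG_SET:
        return request
    pseudo = select_pseudo_host(actual_host, request.get("User-Name"))
    sid_host, sid_rest = split_session_id(request["Session-Id"])
    hidden = dict(request)
    hidden["Origin-Host"] = pseudo
    if sid_host == actual_host:
        hidden["Session-Id"] = pseudo + sid_rest
    ptr["session_id_host"] = sid_host   # actual hostname saved in the PTR
    ptr["s6a_hss_th_atr"] = True        # S6a/S6d HSS TH ATR flag
    return hidden


def restore_answer_atr(answer: dict, ptr: dict) -> dict:
    """TH Trigger Point ATR: put the actual host name back into Session-Id.

    Only when the PTR's ATR flag is set.  Answers generated by internal nodes
    (DRL, applications) are built from the original Request, never carry a
    pseudo host name, have no flag set, and pass through untouched."""
    if not ptr.get("s6a_hss_th_atr"):
        return answer
    _, sid_rest = split_session_id(answer["Session-Id"])
    restored = dict(answer)
    restored["Session-Id"] = ptr["session_id_host"] + sid_rest
    return restored


# Constructed sample: a Cancel-Location-Request (317) from the protected HSS.
SAMPLE_CLR = {
    "Command-Code": 317,
    "Session-Id": "hss1.protected.example;1530000000;42;clr",
    "Origin-Host": "hss1.protected.example",
    "Origin-Realm": "protected.example",
    "Destination-Host": "mme1.untrusted.example",
    "User-Name": "262010123456789",   # IMSI; "262010123456789@realm" also allowed
}


def round_trip(request: dict = SAMPLE_CLR) -> tuple[dict, dict]:
    """Hide the Request at RTH, then restore the MME/SGSN's Answer at ATR."""
    ptr = {}
    hidden = hide_request_rth(request, ptr)
    # The untrusted MME/SGSN answers with the Session-Id it received (pseudo host).
    answer = {"Command-Code": 317, "Session-Id": hidden["Session-Id"],
              "Origin-Host": "mme1.untrusted.example", "Result-Code": 2001}
    return hidden, restore_answer_atr(answer, ptr)


if __name__ == "__main__":
    hidden, restored = round_trip()
    print("on the wire:", hidden["Origin-Host"], hidden["Session-Id"])
    print("restored   :", restored["Session-Id"])
```

The PTR is the only place the actual host name survives while the transaction is outstanding; an Answer arriving without a matching PTR (or with the ATR flag clear) is left alone, which is exactly the behaviour the page requires for Answers generated by internal nodes.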

Untrusted-MME/SGSN to Protected-HSS Transactions

For Untrusted-MME/SGSN to Protected-HSS Diameter transactions, S6a/S6d HSS TH is concerned with the following topology information hiding and restoral issue:
  • The Destination-Host AVP contains an S6a/S6d HSS pseudo-host name. If a single pseudo-name is assigned in the S6a/S6d HSS TH Configuration Set, TH does not restore the Destination-Host (the operator can instead deploy a host resolution application such as RBAR or FABR). If instead a unique pseudo-name is assigned per actual S6a/S6d HSS host name, the pseudo-host name must be replaced with the actual S6a/S6d HSS host name at TH Trigger Point RTR.

    An Untrusted-MME/SGSN to Protected-HSS Request message might not contain an S6a/S6d HSS pseudo-host name. If the Destination-Host AVP value does not match any configured S6a/S6d HSS TH Pseudo-Host Name, no host name conversion is required and the Request message is routed as normal. The Destination-Host name conversion is performed to prevent the following problems:
    • Certain S6a/S6d HSSs do not accept messages that do not contain their actual host name
    • Diameter routing problems associated with pseudo-host names. For example, DRL Implicit Routing currently only works with actual host names (for example, the FQDN assigned to the Peer Node and used for the Capabilities Exchange procedure [CER/CEA])
  • The S6a/S6d HSS-initiated Answer response contains an actual S6a/S6d HSS host name in the Origin-Host AVP. This must be hidden with the S6a/S6d HSS pseudo-host name assigned to the Protected Network at TH trigger point ATH.
For Untrusted-MME/SGSN to Protected-HSS transactions, S6a/S6d HSS topology information hiding is required only on Answer messages that meet the following criteria:
  • Message was a candidate for Topology Hiding as defined by TH Trigger Point ATH in Table 10-6
  • S6a/S6d HSS Topology Hiding is enabled for the Protected Network (an S6a/S6d HSS Topology Hiding Configuration Set is assigned to the Protected Network)
  • The Answer message is a member of the S6a/S6d message set and was initiated by an HSS as determined from the Command Code in the message

Restoral of a Protected-HSS's actual host name in an Untrusted-MME/SGSN to Protected-HSS Request message is not performed by topology hiding if a single pseudo-name is used in the S6a/S6d HSS TH Configuration Set assigned to a Protected Network. Instead, this replacement is the job of an HSS Address Resolution application such as FABR or RBAR.


Examples of Untrusted-MME/SGSN to Protected-HSS Diameter transactions are shown in Figure 10-13 and Figure 10-14, including the case where a pseudo-name per S6a/S6d HSS host name is assigned in the S6a/S6d HSS TH Configuration Set.

Figure 10-13 S6a/S6d HSS TH Untrusted-MME/SGSN to Protected-HSS Transaction

Figure 10-14 S6a/S6d HSS TH Untrusted-MME/SGSN to Protected-HSS Transaction

Restoral of a Protected-HSS's actual host name in an Untrusted-MME/SGSN to Protected-HSS Request message is performed by topology hiding if a unique pseudo-name is assigned per S6a/S6d HSS host name in the S6a/S6d HSS TH Configuration Set.

For Untrusted-MME/SGSN to Protected-HSS transactions, S6a/S6d HSS topology hiding is invoked only on Request messages that meet the following criteria:
  • Message was a candidate for topology hiding as defined by TH Trigger Point RTR
  • S6a/S6d HSS TH is enabled for the Protected Network (an S6a/S6d HSS TH Configuration Set is assigned to the Protected Network)
  • The Request message is a member of the S6a/S6d message set and was initiated by an MME/SGSN as determined from the Command Code in the message
  • The Destination-Host AVP contains an S6a/S6d HSS pseudo-host name that is assigned to the Protected Network, as determined from the internal S6a/S6d HSS TH Pseudo-Host Name list
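The Untrusted-MME/SGSN to Protected-HSS direction (Destination-Host restoral at TH Trigger Point RTR, Origin-Host hiding at TH Trigger Point ATH), as an added Python example written for this page and distinct from the product's implementation. It shows both configuration styles: one pseudo-hostname shared by the whole Configuration Set, where TH cannot restore Destination-Host and leaves it to RBAR/FABR, and unique pseudo-hostnames per actual HSS, where TH restores it. Host names, the Configuration Set layout, the message field names, and the choice of which pseudo-hostname to use in the Answer when several are assigned to one HSS are assumptions; the command codes are from 3GPP TS 29.272.

```python
# Added example (not the product's code): S6a/S6d HSS Topology Hiding for an
# Untrusted-MME/SGSN to Protected-HSS transaction.  Destination-Host restoral
# at TH Trigger Point RTR, Origin-Host hiding at TH Trigger Point ATH.
from typing import Optional

# S6a/S6d Request command codes an MME/SGSN originates (3GPP TS 29.272):
# Update-Location 316, Authentication-Information 318, Purge-UE 321,
# Notify 323, ME-Identity-Check 324.  Their Answers are HSS-initiated.
MME_INITIATED_COMMAND_CODES = {316, 318, 321, 323, 324}


class S6aHssThConfigSet:
    """An S6a/S6d HSS TH Configuration Set: actual HSS host -> pseudo host names.

    Also builds the reverse (pseudo -> actual) map.  A pseudo name shared by
    more than one actual host (the single-pseudo-name style) maps to None:
    TH cannot restore it.  A pseudo name unique to one actual host can be."""

    def __init__(self, pseudo_by_actual: dict[str, list[str]]):
        self.pseudo_by_actual = pseudo_by_actual
        self.actual_by_pseudo: dict[str, Optional[str]] = {}
        for actual, pseudos in pseudo_by_actual.items():
            for pseudo in pseudos:
                seen = self.actual_by_pseudo.get(pseudo, actual)
                self.actual_by_pseudo[pseudo] = actual if seen == actual else None

    def is_pseudo_host(self, host: str) -> bool:
        return host in self.actual_by_pseudo


def restore_request_rtr(request: dict, cfg: S6aHssThConfigSet, ptr: dict) -> dict:
    """TH Trigger Point RTR: replace a pseudo Destination-Host with the actual host.

    A Destination-Host that is not a configured pseudo name (for example an
    actual host name) needs no conversion and is routed as normal.  A pseudo
    name shared by several HSSs is left for an address resolution application
    (RBAR/FABR); the PTR records that fact."""
    if request["Command-Code"] not in MME_INITIATED_COMMAND_CODES:
        return request
    dest = request.get("Destination-Host")
    if dest is None or not cfg.is_pseudo_host(dest):
        return request
    ptr["pseudo_host"] = dest            # reused to hide the Answer's Origin-Host
    actual = cfg.actual_by_pseudo[dest]
    if actual is None:
        ptr["address_resolution_required"] = True
        return request
    restored = dict(request)
    restored["Destination-Host"] = actual
    return restored


def hide_answer_ath(answer: dict, cfg: S6aHssThConfigSet, ptr: dict) -> dict:
    """TH Trigger Point ATH: hide the HSS's actual Origin-Host in its Answer.

    With several pseudo names per HSS the page does not say which to use; this
    example (assumption) reuses the one the Request was addressed to, if it
    belongs to the answering HSS, and otherwise the first one assigned."""
    if answer["Command-Code"] not in MME_INITIATED_COMMAND_CODES:
        return answer
    pseudos = cfg.pseudo_by_actual.get(answer["Origin-Host"])
    if not pseudos:
        return answer                    # not a protected HSS, nothing to hide
    requested = ptr.get("pseudo_host")
    hidden = dict(answer)
    hidden["Origin-Host"] = requested if requested in pseudos else pseudos[0]
    return hidden


# Constructed configuration sets: one shared pseudo name, and unique ones.
SINGLE_PSEUDO = S6aHssThConfigSet({
    "hss1.protected.example": ["hss.pseudo.example"],
    "hss2.protected.example": ["hss.pseudo.example"],
})
UNIQUE_PSEUDO = S6aHssThConfigSet({
    "hss1.protected.example": ["hss1-a.pseudo.example", "hss1-b.pseudo.example"],
    "hss2.protected.example": ["hss2-a.pseudo.example"],
})


def ulr(destination_host: str) -> dict:
    """Constructed Update-Location-Request (316) from the untrusted MME."""
    return {"Command-Code": 316,
            "Session-Id": "mme1.untrusted.example;1530000000;7",
            "Origin-Host": "mme1.untrusted.example",
            "Destination-Host": destination_host,
            "User-Name": "262010123456789"}


def transaction(cfg: S6aHssThConfigSet, destination_host: str,
                answering_hss: str) -> tuple[dict, dict, dict]:
    """Run one Request through RTR and the named HSS's Answer through ATH.
    Returns (request as forwarded, answer as sent out, PTR)."""
    ptr = {}
    inbound = restore_request_rtr(ulr(destination_host), cfg, ptr)
    answer = {"Command-Code": 316, "Session-Id": inbound["Session-Id"],
              "Origin-Host": answering_hss, "Result-Code": 2001}
    return inbound, hide_answer_ath(answer, cfg, ptr), ptr


if __name__ == "__main__":
    for cfg, dest in ((UNIQUE_PSEUDO, "hss1-b.pseudo.example"),
                      (SINGLE_PSEUDO, "hss.pseudo.example")):
        req, ans, ptr = transaction(cfg, dest, "hss1.protected.example")
        print(dest, "->", req["Destination-Host"], "| answer from", ans["Origin-Host"], ptr)
```

The shared-pseudo-name case is the one to watch operationally: TH forwards the Request with the pseudo name still in Destination-Host, so unless RBAR or FABR rewrites it the HSS may reject the message or DRL Implicit Routing may fail to find a peer, exactly the two problems the page lists.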