User Data Repository Diameter User's Guide
Release 12.4
E92984-01

Diameter Local Nodes

A Local Node is a local Diameter node, identified by a realm and an FQDN (the Diameter identity this system presents to peers as Origin-Realm and Origin-Host). When used in conjunction with RADIUS connections, it represents either a RADIUS client or a RADIUS server.

You can perform these tasks on an Active System OAM (SOAM).

The Local Node identifies:
  • Local Node Name
  • Realm
  • SCTP Listen Port Number
  • TCP Listen Port Number
  • DTLS/SCTP Listen Port
  • TLS/TCP Listen Port
  • Radius UDP Server Ports
  • Enable Radius UDP Client Ports
  • Radius Client UDP Port Range Start
  • Radius Client UDP Port Range End
  • Verification Mode
  • Certificate Type
  • Certificate Name
  • Connection Configuration Set
  • CEX Configuration Set
  • A list of IP addresses available for establishing Diameter transport connections
After it is configured, a Local Node can be assigned to connections for use in Diameter routing. Select one of the following transport configurations for each connection:
  • SCTP
  • DTLS over SCTP
  • TCP
  • TLS over TCP
For each connection you can select TCP, SCTP, TLS/TCP or DTLS/SCTP as the transport and security mechanism used to establish that connection to the peer. DTLS is available only for SCTP connections and TLS is available only for TCP connections.

Note:

If you select TLS/DTLS, avoid using IPsec. IPsec is still supported, but you must ensure that a connection does not implement both IPsec and TLS/DTLS, because protecting the same traffic twice has a significant performance impact.

TLS and DTLS are security protocols layered above the TCP and SCTP transports, respectively. They authenticate the peers and encrypt the Diameter traffic using keys negotiated during a handshake, and up to 1000 certificates are supported per node and across the network. TLS/DTLS requires pre-configured certificates and keys, which are used in the handshake after the transport-level connection is established but before Diameter capabilities (CER/CEA) are exchanged with the peer, consistent with RFC 6733. The Local Node configuration uses the imported certificates and keys together with its Verification Mode. If the handshake fails, whether the connection is allowed to be established depends on the Verification Mode associated with the connection.

Note the following restrictions:
  • If you attempt to edit a Connection whose Transport Protocol is DTLS, but the DTLS feature is not activated on the SOAM used to edit the Connection, an error code is generated and the Connection information is not updated in the configuration.
  • On startup, the application reads the DtlsFeatureEnabled flag in the DpiOption table. Depending on its value, the application does or does not include the SCTP AUTH extension (RFC 4895, which DTLS over SCTP depends on per RFC 6083) in the SCTP INIT and INIT ACK chunks while establishing SCTP or DTLS connections.

    Note:

    Edits to the DtlsFeatureEnabled flag in the DpiOption table made after startup do not take effect until the next restart of the diameter process.
  • Client-side and server-side authentication for a TLS/DTLS connection are supported automatically when the peer server or peer client requires it.
  • When TLS/DTLS is selected for a connection that this node initiates, the TLS/DTLS parameters the operator defined in the Local Node are applied, and the application's behavior follows the Local Node's Verification Mode selection.
  • When TLS/DTLS is selected for a connection and TLS/DTLS cannot be established, whether because the handshake (key exchange) fails or because the peer does not support TLS/DTLS, the connection is not allowed.
  • TLS/DTLS connections initiated by a Diameter peer are responded to. If TLS/DTLS cannot be established because the handshake fails, the connection is not allowed. A valid certificate and matching key are required; setting the Verification Mode to None overrides this requirement, but then the handshake no longer validates the peer's certificate, so it does not authenticate the peer's identity.
  • You cannot change the security mechanism selected for a connection while the connection is active.
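To make the ordering described above concrete (transport connect, then the TLS handshake, then the CER/CEA capabilities exchange), the following is an added Python example; it is not code from this guide or from the UDR product. It encodes a Diameter CER carrying the Local Node's FQDN and realm as Origin-Host and Origin-Realm using the RFC 6733 wire layout, decodes it again, and wraps a TCP socket in TLS before the first Diameter byte is sent. The peer name, port, certificate and key file paths, and the verify_peer flag are placeholders; verify_peer=False is assumed here to correspond to Verification Mode None, which is an interpretation, not a statement of how the product maps that setting.

```python
"""Added example: Diameter CER encoding and TLS-before-CER ordering (RFC 6733).

Not code from the UDR product; peer name, port, certificate paths and the
verify_peer flag are placeholders chosen for this illustration.
"""
import ipaddress
import socket
import ssl
import struct

DIAMETER_VERSION = 1
CER_COMMAND_CODE = 257          # Capabilities-Exchange-Request/Answer share code 257
REQUEST_FLAG = 0x80             # 'R' bit in the command flags
AVP_MANDATORY = 0x40            # 'M' bit in the AVP flags
AVP_VENDOR_SPECIFIC = 0x80      # 'V' bit: a 4-byte Vendor-Id follows the AVP length

# Base-protocol AVP codes carried in a CER (RFC 6733 section 5.3.1)
AVP_HOST_IP_ADDRESS = 257
AVP_AUTH_APPLICATION_ID = 258
AVP_ORIGIN_HOST = 264
AVP_VENDOR_ID = 266
AVP_PRODUCT_NAME = 269
AVP_ORIGIN_REALM = 296
RELAY_APPLICATION_ID = 0xFFFFFFFF


def encode_avp(code, data, mandatory=True):
    """AVP header (code, flags, 24-bit length) plus data padded to 4 bytes."""
    flags = AVP_MANDATORY if mandatory else 0
    length = 8 + len(data)                      # AVP length excludes the padding
    padding = b"\x00" * ((-len(data)) % 4)
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + data + padding


def encode_address(ip):
    """Diameter Address type: 2-byte IANA address family, then the raw address."""
    addr = ipaddress.ip_address(ip)
    return struct.pack("!H", 1 if addr.version == 4 else 2) + addr.packed


def build_cer(origin_host, origin_realm, host_ips, hop_by_hop=1, end_to_end=1):
    """Encode a CER; origin_host/origin_realm are the Local Node FQDN and realm."""
    body = encode_avp(AVP_ORIGIN_HOST, origin_host.encode())
    body += encode_avp(AVP_ORIGIN_REALM, origin_realm.encode())
    for ip in host_ips:                         # one Host-IP-Address AVP per local address
        body += encode_avp(AVP_HOST_IP_ADDRESS, encode_address(ip))
    body += encode_avp(AVP_VENDOR_ID, struct.pack("!I", 0))
    body += encode_avp(AVP_PRODUCT_NAME, b"example-local-node", mandatory=False)
    body += encode_avp(AVP_AUTH_APPLICATION_ID, struct.pack("!I", RELAY_APPLICATION_ID))
    length = 20 + len(body)                     # Message Length covers header, AVPs and padding
    header = bytes([DIAMETER_VERSION]) + length.to_bytes(3, "big")
    header += bytes([REQUEST_FLAG]) + CER_COMMAND_CODE.to_bytes(3, "big")
    header += struct.pack("!III", 0, hop_by_hop, end_to_end)   # application id 0 = base protocol
    return header + body


def parse_header(msg):
    """Decode the 20-byte Diameter header into a dict."""
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", msg[8:20])
    return {"version": msg[0], "length": int.from_bytes(msg[1:4], "big"),
            "request": bool(msg[4] & REQUEST_FLAG),
            "command_code": int.from_bytes(msg[5:8], "big"),
            "application_id": app_id, "hop_by_hop": hop_by_hop, "end_to_end": end_to_end}


def parse_avps(msg):
    """Walk the AVPs after the header; returns a list of (code, data) pairs."""
    avps, pos = [], 20
    while pos < len(msg):
        code, flags = struct.unpack("!IB", msg[pos:pos + 5])
        length = int.from_bytes(msg[pos + 5:pos + 8], "big")
        header_len = 12 if flags & AVP_VENDOR_SPECIFIC else 8
        avps.append((code, msg[pos + header_len:pos + length]))
        pos += length + (-length) % 4           # step over the padding as well
    return avps


def tls_context(verify_peer, cafile, certfile, keyfile):
    """Client context built from the imported certificate and key.

    verify_peer=False is assumed to correspond to Verification Mode None: the
    handshake still encrypts, but the peer's certificate is not validated.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_cert_chain(certfile, keyfile)      # raises early if cert and key do not match
    if verify_peer:
        ctx.load_verify_locations(cafile)
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
    else:
        ctx.check_hostname = False              # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_and_send_cer(peer_fqdn, port, ctx, cer):
    """TCP connect, complete the TLS handshake, and only then send the CER."""
    with socket.create_connection((peer_fqdn, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=peer_fqdn) as tls:
            tls.sendall(cer)                    # first Diameter bytes leave already encrypted
            return tls.recv(4096)               # expect the CEA: code 257 with the R bit clear


if __name__ == "__main__":
    cer = build_cer("udr1.example.com", "example.com", ["192.0.2.10"])
    print(parse_header(cer), parse_avps(cer))
    # ctx = tls_context(True, "peer-ca.pem", "local-node.pem", "local-node.key")
    # print(connect_and_send_cer("peer.example.com", 5868, ctx, cer).hex())
```

The sample values (udr1.example.com, example.com, 192.0.2.10, the placeholder file names and port) are constructed for the illustration. Running the connect step against a real peer requires a reachable TLS/TCP listen port; the encoding and decoding functions run offline.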
On the Diameter > Configuration > Local Nodes page, you can perform the following actions:
  • Filter the list of Local Nodes to display only the desired Local Nodes.
  • Sort the list by a column in ascending or descending order by clicking the column heading (except IP Addresses). The default order is by Local Node Name in ascending ASCII order.
  • Click a field entry for a Local Node.

  • Click Insert.

    On the Diameter > Configuration > Local Nodes [Insert] page, you can add a new Local Node.

    The Diameter > Configuration > Local Nodes [Insert] page does not open if any of the following conditions exist:
    • The maximum number of Local Nodes (32) has already been configured.
    • There is no Signaling VIP Address available in the signaling Network Element (NE) that can be added to the Local Node.
  • Select a Local Node in the list and click Edit.

    On the Diameter > Configuration > Local Nodes [Edit] page, you can edit the selected Local Node.

  • Select a Local Node in the list and click Delete. You can delete the selected Local Node.