User Data Repository Diameter User's Guide
Release 12.4
E92984-01

S9 AF/pCSCF Topology Hiding

S9 AF/pCSCF Topology Hiding is concerned with hiding the identities of a Protected Network's AF/pCSCFs, as well as the number of AF/pCSCFs in the network, when it exchanges messages with Untrusted Networks. An AF/pCSCF identity is embedded in the Origin-Host and Session-ID AVPs sent in Request messages and the Origin-Host AVP sent in Answer messages. This capability is associated with the Diameter Rx application message set.

S9 AF/pCSCF topology hiding is concerned with Rx messages when AF/pCSCF is deployed in proxy mode. If PCRF is deployed in client/server mode for Rx messages, then S9 AF/pCSCF TH Configuration Set should be enabled for the protected network. If S9 AF/pCSCF TH is enabled (for example, if vPCRF is proxying AF/pCSCF messages to hPCRF), then only AAR/STR and RAA/ASA have S9 PCRF TH applied.

AF/pCSCF identities are hidden by replacing the actual host name portion of the Origin-Host and Session-ID AVPs with an AF/pCSCF pseudo-host name. The Origin-Host and Session-ID AVPs may have different AF/pCSCF host names. A unique pseudo name must be created for each AF/pCSCF in a Protected Network. When the vAF/pCSCF initiates a transaction to the hPCRF, the hPCRF saves the vAF/pCSCF's identity for use in subsequent hPCRF-to-vAF/pCSCF transactions. This vAF/pCSCF pseudo-host name must not only be unique, but the DEA must also be able to convert the vAF/pCSCF's pseudo-name back to an actual vAF/pCSCF host name for these subsequent hPCRF-to-vAF/pCSCF transactions.

To hide the number of AF/pCSCFs in a network, each AF/pCSCF is assigned either a random or fixed number of pseudo-host names (the maximum is defined by an S9 AF/pCSCF TH Configuration Set attribute called Maximum Pseudo-Host Names per AF/pCSCF). This procedure of creating randomized AF/pCSCF pseudo-host names and assigning them to actual host names is performed by the GUI and used by DRL. The TH Host Names MO allows DRL to map a Protected-AF/pCSCF actual-host name to a set of AF/pCSCF pseudo-host names, and to map an AF/pCSCF pseudo-host name received from an Untrusted Network back to a Protected-AF/pCSCF actual-host name.

Protected-vAF/pCSCF to Untrusted-hPCRF Transactions

When AF/pCSCF and PCRF are in a Protected Network and AF/pCSCF uses vPCRF in proxy mode to communicate Rx messages initiated by vAF/pCSCF to hPCRF in an Untrusted Network, then S9 AF/pCSCF TH is used to hide AF/pCSCF host names from the Untrusted Network.

For Protected-vAF/pCSCF to Untrusted-hPCRF Rx Diameter transactions, S9 AF/pCSCF TH is concerned with the following topology information and restoral issues:
  • The AVPs containing an AF/pCSCF's actual-host name in a Request message must be hidden with one of the pseudo-host names assigned to the AF/pCSCF at TH trigger point RTH.
  • The Untrusted Network's PCRF (hPCRF in this case) saves the subscriber's location using the Origin-Host AVP contents containing a pseudo-host name. This action has the following impact:
    • In subsequent hPCRF-vAF/pCSCF transactions (for example, RAR/ASR), the vAF/pCSCF is addressed by one of its pseudo-host names, requiring a pseudo-to-actual name restoral.
    • All vAF/pCSCF-to-hPCRF transactions associated with a particular session must use the same vAF/pCSCF pseudo-host name. The session is identified by the Session-ID AVP, a mandatory AVP in all S9/Rx messages.

      Note:

      Although the Origin-Host and Session-ID AVPs both carry actual AF/pCSCF host names, the two names may be different. Because Rx is a session-based application, actual AF/pCSCF host names must be restored in subsequent hPCRF-vAF/pCSCF transactions. Hence the Origin-Host and Session-ID AVPs must both be selected from the Actual Host Names in the TH Host Names table.
  • The hPCRF sends an Answer response to the transaction with the Session-ID received in the Request (containing an AF/pCSCF pseudo-host name). Because the Session-ID value returned in the Answer must match the Request, the AF/pCSCF pseudo-host name in the Session-ID AVP must be replaced with its corresponding value received in the Request message. This value is restored at TH trigger point ATR. This requires saving the host name portion of the Session-ID AVP value in the PTR. This host name restoral procedure is not required for Answers initiated by internal nodes, as these Answer responses are based upon the original Request message content.
An example of a Protected-vAF/pCSCF to Untrusted-hPCRF Diameter transaction is shown in Figure 10-21.

Figure 10-21 Protected vAF/pCSCF to Untrusted-hPCRF Transaction

To ensure all Rx messages for the same session are modified using the same pseudo-name, Session-ID AVP can be used as a key to select a Pseudo Host Name for an Actual Host Name.

For Protected-vAF/pCSCF to Untrusted-hPCRF Rx transactions, S9 AF/pCSCF topology hiding is only required on Request messages at topology hiding point RTH which meet the following criteria:
  • The message was a candidate for topology hiding as defined by topology trigger point RTH and
  • S9 AF/pCSCF TH is enabled for the Protected Network (S9 PCRF TH Configuration Set is assigned to the Protected Network) and
  • The Request message is a member of the Rx message set and was initiated by an AF/pCSCF and
  • The Origin-Host and/or Session-ID AVPs in the Request contain an actual AF/pCSCF host name assigned to the Protected Network via the S9 AF/pCSCF TH Configuration Set.
For Protected-vAF/pCSCF to Untrusted-hPCRF transactions, AF/pCSCF topology information restoral is only performed on Answer messages which meet the following criterion:
  • At TH Trigger Point ATR, the AF/pCSCF TH ATR flag in the PTR associated with the Answer message is set to Enabled.

Untrusted-hPCRF to Protected-vAF/pCSCF Transactions

When an Untrusted-hPCRF initiates a transaction to a Protected-vAF/pCSCF, it is most likely addressed to one of the vAF/pCSCF pseudo-host names that the hPCRF saved in a previous vAF/pCSCF-to-hPCRF transaction for which S9 AF/pCSCF TH was applied. For Untrusted-hPCRF to Protected-vAF/pCSCF Diameter transactions (RAR, ASR, and so on), S9 AF/pCSCF TH is concerned with the following topology information hiding and restoral issues:
  • The Destination-Host AVP contains a vAF/pCSCF pseudo-host name. This pseudo-host name must be replaced with the vAF/pCSCF's actual-host name at TH trigger point RTR. It is perfectly acceptable for an Untrusted-hPCRF to Protected-vAF/pCSCF Request message not to contain a vAF/pCSCF pseudo-host name. If the Destination-Host AVP value does not match a Pseudo-Host entry in the TH Host Name table, then no host name conversion is required and the Request message is routed as normal. Destination-Host name conversion is performed to prevent the following problems:
    • Certain vAF/pCSCFs do not accept messages that do not contain their actual host name.
    • Diameter routing problems associated with pseudo-host names. For example, DRL Implicit Routing currently only works with actual host names (for example, the FQDN assigned to the Peer Node and used for the Capabilities Exchange procedure (CER/CEA)).
  • The host portion of a Session-ID AVP containing a vAF/pCSCF pseudo-host name must be replaced back with the vAF/pCSCF's actual host name at TH trigger point RTR.
  • An Origin-Host AVP containing a vAF/pCSCF's actual-host name in the Answer response from the Protected-vAF/pCSCF must be hidden with one of the pseudo-host names assigned to that vAF/pCSCF. This is done at TH trigger point ATH.
  • A Session-ID AVP containing a vAF/pCSCF's actual-host name in the Answer response from the Protected-vAF/pCSCF must be hidden with one of the pseudo-host names assigned to that vAF/pCSCF. This is done at TH trigger point ATH.
An example of an Untrusted-hPCRF to Protected-vAF/pCSCF Diameter transaction is shown in Figure 10-22.

Figure 10-22 Untrusted-hPCRF to Protected-vAF/pCSCF Transaction

For Untrusted-hPCRF to Protected-vAF/pCSCF transactions, S9 AF/pCSCF TH is only invoked on Request messages at topology trigger point RTR which meet the following criteria:
  • Message was a candidate for topology hiding as defined by topology trigger point RTR and
  • S9 AF/pCSCF TH is enabled for the Protected Network (S9 AF/pCSCF TH Configuration Set is assigned to the Protected Network) and
  • The Request message is a member of the Rx message set and was initiated by an AF/pCSCF and
  • The Destination-Host AVP or host portion of the Session-ID AVP contains an AF/pCSCF pseudo-host name that is assigned to the Protected Network, as determined from the internal AF/pCSCF TH Pseudo-Host Name table.
For Untrusted-hPCRF to Protected-vAF/pCSCF transactions, S9 AF/pCSCF TH is only invoked on Answer messages at topology trigger point ATH which meet the following criteria:
  • Message was a candidate for topology hiding as defined by topology trigger point ATH and
  • S9 AF/pCSCF TH is enabled for the Protected Network (S9 AF/pCSCF TH Configuration Set is assigned to the Protected Network) and
  • The Answer message is a member of the Rx message set and was initiated by an AF/pCSCF and
  • The Origin-Host AVP or host portion of the Session-ID AVP contains an actual AF/pCSCF host name that is assigned to the Protected Network via the S9 AF/pCSCF TH Configuration Set.
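The following Python is an added illustration, not code from this guide or from the Oracle product, that models the TH Host Names mapping and the four trigger points described in the two transaction directions above: RTH hiding with the PTR save, ATR restoral of the Session-ID host, RTR restoral (with pass-through of an unknown Destination-Host, so the Request is routed as normal) and ATH hiding of the vAF/pCSCF's Answer. The host names are constructed, and selecting the pseudo-host name by hashing the host-independent part of the Session-ID is an assumption; the guide only states that the Session-ID can be used as the key, so that every message of one session is hidden with the same pseudo-name.

```python
import hashlib
# Constructed TH Host Names table (hypothetical values, not from the guide): each
# Protected-network AF/pCSCF actual host name maps to its assigned pseudo-host names.
TH_HOST_NAMES = {
    "pcscf1.protected.example": ["ab12.th.example", "cd34.th.example", "ef56.th.example"],
    "pcscf2.protected.example": ["gh78.th.example"],
}
PSEUDO_TO_ACTUAL = {p: a for a, ps in TH_HOST_NAMES.items() for p in ps}

def split_session_id(sid):  # Diameter Session-Id is '<host>;<high32>;<low32>[;optional]'
    return sid.partition(";")[::2]

def hide_host(actual, sid):
    # Actual -> pseudo, keyed on the host-independent part of the Session-Id so every
    # message of one session gets the same pseudo-name; unknown hosts pass through.
    pseudos = TH_HOST_NAMES.get(actual)
    if not pseudos:
        return actual
    digest = hashlib.sha256(split_session_id(sid)[1].encode()).hexdigest()
    return pseudos[int(digest, 16) % len(pseudos)]

def rewrite(msg, avp, mapper):
    # Apply mapper to a host AVP, or to the host portion of the Session-Id AVP
    out = dict(msg)
    if avp == "Session-Id":
        host, rest = split_session_id(msg[avp])
        out[avp] = mapper(host) + ";" + rest
    elif avp in msg:
        out[avp] = mapper(msg[avp])
    return out

def hide_message(msg):
    # RTH (Request from Protected-vAF/pCSCF) and ATH (its Answer): hide Origin-Host and the
    # Session-Id host. The PTR records the actual host and sets the AF/pCSCF TH ATR flag.
    mapper = lambda h: hide_host(h, msg["Session-Id"])
    out = rewrite(rewrite(msg, "Origin-Host", mapper), "Session-Id", mapper)
    host = split_session_id(msg["Session-Id"])[0]
    return out, {"af_th_atr": host in TH_HOST_NAMES, "session_host": host}

def atr_restore_answer(ans, ptr):
    # ATR: the Answer from Untrusted-hPCRF gets back the Session-Id host of the original Request
    return rewrite(ans, "Session-Id", lambda _h: ptr["session_host"]) if ptr["af_th_atr"] else ans

def rtr_restore_request(req):
    # RTR (Request from Untrusted-hPCRF): pseudo -> actual for Destination-Host and the
    # Session-Id host; a Destination-Host not in the table is left as-is and routed normally
    restore = lambda h: PSEUDO_TO_ACTUAL.get(h, h)
    return rewrite(rewrite(req, "Destination-Host", restore), "Session-Id", restore)
```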

Protected-hPCRF to Untrusted-vAF/pCSCF Transactions

When AF/pCSCF and PCRF are in an Untrusted Network and AF/pCSCF uses vPCRF in proxy mode to communicate Rx messages initiated by vAF/pCSCF to hPCRF in a Protected Network, then S9 PCRF TH is used to hide PCRF host names from the Untrusted Network.

Untrusted-vAF/pCSCF to Protected-hPCRF Transactions

When AF/pCSCF and PCRF are in an Untrusted Network and AF/pCSCF uses vPCRF in proxy mode to communicate Rx messages initiated by hPCRF in a Protected Network to vAF/pCSCF, then S9 PCRF TH is used to hide PCRF host names from the Untrusted Network.