Capability Negotiation

The basic motive of this process is to learn about the other node before establishing the connection, i.e. whether the other node supports the applications for which this node wants to communicate.

Technically speaking, it is the process in which two Diameter peers exchange their identities and capabilities (such as protocol version number, supported Diameter applications, security mechanisms, etc.). Peers share their capabilities through the CER/CEA message pair (Capability-Exchange-Request/Capability-Exchange-Answer).

If one peer sends a CER message to another peer and the receiver does not support:

1) any common application, then it must return a CEA with the Result-Code AVP set to DIAMETER_NO_COMMON_APPLICATION and should disconnect the transport layer connection.

2) any common security mechanism, then it must return a CEA with the Result-Code AVP set to DIAMETER_NO_COMMON_SECURITY and should disconnect the transport layer connection. (This is maintained only for backward compatibility, because in the latest release transport-level security is established before the Diameter connection, so the CER/CEA messages themselves also travel under TLS/DTLS. For more information, click here.)

3) If a CER is received from an unknown peer, the receiver should discard the message or send a CEA with the Result-Code AVP set to DIAMETER_UNKNOWN_PEER.
 
If the local implementation policy permits receiving a CER from unknown hosts, a successful CEA MAY be returned; in that case the lifetime of the peer entry in the peer table equals the lifetime of the transport connection. If the transport connection fails, all pending transactions destined to the unknown peer can be discarded.

The CER and CEA messages MUST NOT be proxied, redirected or relayed. Although CER/CEA messages cannot be proxied, it is still possible that a proxy receives a CER and has no peer to handle the application requested in it; in this case the proxy sets the E bit in the CEA, sets the Result-Code AVP to DIAMETER_UNABLE_TO_DELIVER, and sends it back to the peer that generated the CER.

For example, consider two nodes A and B. Node-A supports three applications X, Y, Z and two security mechanisms s1 and s2, while Node-B supports two applications A, X and the s1 security mechanism. Node-A sends a CER to Node-B. Node-B processes the request, then creates and sends a CEA indicating success and the common application, i.e. X, and the s1 security mechanism. Node-A thus becomes aware that it can communicate for application X using the s1 security mechanism.

Probable CER and CEA would be:

      ________          CER                     ________
     | Node-A | ------------------------------>| Node-B |
     |________| <------------------------------|________|
                                           CEA

<CER> ::= < Diameter Header: 257, REQ >
    { Origin-Host }
    { Origin-Realm }
    { Host-IP-Address }
    { Vendor-Id }
    { Product-Name }
    [ Inband-Security-Id = s1 ]
    [ Inband-Security-Id = s2 ]
    [ Vendor-Specific-Application-Id = X ]
    [ Vendor-Specific-Application-Id = Y ]
    [ Vendor-Specific-Application-Id = Z ]

<CEA> ::= < Diameter Header: 257 >
    { Result-Code = SUCCESS }
    { Origin-Host }
    { Origin-Realm }
    { Host-IP-Address }
    { Vendor-Id }
    { Product-Name }
    [ Inband-Security-Id = s1 ]
    [ Vendor-Specific-Application-Id = X ]

                 CER/CEA Message Exchange
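The negotiation described above, as an added example that is not part of the original post: a Python model of how the receiving peer (Node-B) processes Node-A's CER and picks the CEA Result-Code. The host names, the vendor id 99999 and the numeric application ids are constructed; the Result-Code values and the intersection rule (Vendor-Id inside Vendor-Specific-Application-Id is ignored) are those of RFC 6733.

```python
from dataclasses import dataclass

# Result-Code values (RFC 6733).
DIAMETER_SUCCESS, DIAMETER_UNABLE_TO_DELIVER = 2001, 3002
DIAMETER_UNKNOWN_PEER, DIAMETER_NO_COMMON_APPLICATION = 3010, 5010
DIAMETER_NO_COMMON_SECURITY = 5017
# Inband-Security-Id values (RFC 6733 section 6.10).
NO_INBAND_SECURITY, TLS = 0, 1
APP_ID_AVPS = ("Auth-Application-Id", "Acct-Application-Id")

def collect_application_ids(avps):
    """Every application id advertised in a list of (avp_name, value) pairs.
    Vendor-Specific-Application-Id is grouped (a dict here); per RFC 6733 s5.3
    its Vendor-Id is NOT used for the intersection, only the id it wraps."""
    ids = set()
    for name, value in avps:
        if name in APP_ID_AVPS:
            ids.add(value)
        elif name == "Vendor-Specific-Application-Id":
            ids.update(v for k, v in value.items() if k in APP_ID_AVPS)
    return frozenset(ids)

def collect_inband_security(avps):
    """Inband-Security-Id values advertised; assumption made here: a CER that
    advertises none offers only NO_INBAND_SECURITY."""
    ids = frozenset(v for k, v in avps if k == "Inband-Security-Id")
    return ids or frozenset({NO_INBAND_SECURITY})

@dataclass
class Cea:
    result_code: int
    applications: frozenset = frozenset()
    inband_security: frozenset = frozenset()
    error_bit: bool = False   # E bit in the Diameter header
    disconnect: bool = False  # close the transport after sending

def process_cer(cer_avps, local_apps, local_security, known_peers,
                is_proxy=False, accept_unknown=False):
    """Build the CEA a peer returns for a received CER, applying the post's
    rules in order: unknown peer, common applications, common security."""
    origin_host = next(v for k, v in cer_avps if k == "Origin-Host")
    if origin_host not in known_peers and not accept_unknown:
        return Cea(DIAMETER_UNKNOWN_PEER)
    common_apps = local_apps & collect_application_ids(cer_avps)
    if not common_apps:
        if is_proxy:
            # A proxy with no peer able to handle the requested application
            # answers with the E bit set and DIAMETER_UNABLE_TO_DELIVER.
            return Cea(DIAMETER_UNABLE_TO_DELIVER, error_bit=True)
        return Cea(DIAMETER_NO_COMMON_APPLICATION, disconnect=True)
    common_sec = local_security & collect_inband_security(cer_avps)
    if not common_sec:
        return Cea(DIAMETER_NO_COMMON_SECURITY, disconnect=True)
    # As in the post's example, the CEA advertises the common subset.
    return Cea(DIAMETER_SUCCESS, common_apps, common_sec)

# Constructed ids standing in for the post's X, Y, Z, A and s1, s2.
APP_X, APP_Y, APP_Z, APP_A = 1, 2, 3, 4
S1, S2 = TLS, NO_INBAND_SECURITY
VSAI = "Vendor-Specific-Application-Id"
# Node-A's CER from the post: applications X, Y, Z; security s1, s2.
NODE_A_CER = [
    ("Origin-Host", "node-a.example.net"), ("Origin-Realm", "example.net"),
    ("Inband-Security-Id", S1), ("Inband-Security-Id", S2),
    (VSAI, {"Vendor-Id": 99999, "Auth-Application-Id": APP_X}),
    (VSAI, {"Vendor-Id": 99999, "Auth-Application-Id": APP_Y}),
    (VSAI, {"Vendor-Id": 99999, "Auth-Application-Id": APP_Z}),
]
# Node-B supports applications A and X with security s1 only.
NODE_B_APPS, NODE_B_SECURITY = frozenset({APP_A, APP_X}), frozenset({S1})
NODE_B_PEERS = frozenset({"node-a.example.net"})
```

Calling `process_cer(NODE_A_CER, NODE_B_APPS, NODE_B_SECURITY, NODE_B_PEERS)` yields the post's outcome: DIAMETER_SUCCESS with application X and security s1.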

  
Your comments, suggestions and questions are always welcome. I will try to clarify doubts to the best of my knowledge, so feel free to ask questions.

67 comments:

  1. Hi,

    Got good knowledge on diameter protocol.

    Can you please let me know if you know any free implementations for offline charging?

    Thanks

    Replies
    1. Please visit www.imszone.org for free Online and Offline Charging Systems

  2. Super, thanks for sharing useful info.

  3. May I know if Node-B can include all of the supported applications instead of only the intersection of the supported applications?

    Replies
    1. Hi Vijay,

      Thanks for pointing out a very acute issue.
      YES, RFC-6733 says Node-B SHOULD send information about all supported Application-IDs.

    2. Node-B May send all supported application ids

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

  4. May I know the difference between the Vendor-Id AVP and the Supported-Vendor-Id AVPs sent in CER/CEA messages? How will the diameter nodes make use of the information sent in these AVPs? Will a diameter node sending its Vendor ID in the "Vendor-Id" AVP again encode the same under the "Supported-Vendor-Id" AVP?

    Replies
    1. Hi Vijay,

      I feel I am not diverting you.

      The Vendor-Id AVP shall contain the ID given to the vendor by IANA. E.g. there are two vendors X and Y that have been given vendor ids 111 and 222 respectively, and both have created an application App-A.

      In this case, whenever App-A interacts with its peer (say a Relay), the Relay can identify App-A by vendor ID, i.e. the message came from application App-A of vendor X.

      Vendor-Id is used to identify the product vendor. A product vendor can create/use an application of another vendor as well. That is why there is one more AVP, Vendor-Specific-Application-Id. In this AVP the Vendor-Id AVP shall contain the ID of the application vendor. For example, the S6a/S6d application belongs to 3GPP, but vendor X, which has created the software implementation of it, shall publish Vendor-Id 111, and the Vendor-Id inside the Vendor-Specific-Application-Id AVP shall be 10415 (the 3GPP application vendor ID).

      There is also the concept that a vendor can create a new AVP for its application's usage; this new AVP shall be given an AVP Code and Vendor ID by IANA, which are to be filled in the AVP structure.

      If any application uses another vendor's AVP, then that vendor id shall be published in the Supported-Vendor-Id AVP.

    2. Thanks for the detailed explanation. Suppose Vendor-X implemented an application (not related to Accounting) App-X, along with other 3gpp defined applications.
      1. Will the diameter node send this support in Auth-Application-Id or Vendor-Specific-Application-Id of the CER message?
      2. Will the diameter node of Vendor-X also include Vendor-X in the "Supported-Vendor-Id" AVP along with the 3GPP vendor id, as below, in the CEA messages?
      + Vendor-Id=Vendor-X
      + Supported-Vendor-Id=10415
      + Supported-Vendor-Id=Vendor-X
      + Vendor-Specific-Application-Id
      -- Vendor-Id=3GPP(10415)
      -- Auth-Application-Id=3GPP S6a(16777251)
      + Vendor-Specific-Application-Id
      -- Vendor-Id=3GPP(10415)
      -- Auth-Application-Id=3GPP Sh(16777217)
      + Vendor-Specific-Application-Id
      -- Vendor-Id=Vendor-X
      -- Auth-Application-Id=App-X

    3. Hi Vijay,

      No need to add the following:
      1. + Supported-Vendor-Id=Vendor-X
      2. + Vendor-Specific-Application-Id
      -- Vendor-Id=Vendor-X
      -- Auth-Application-Id=App-X

      In Supported Vendor Application Ids you can put a Vendor-Id value among {+ Vendor-Id=Vendor-X , + Supported-Vendor-Id=10415}

      So the CER will be as:

      + Vendor-Id=Vendor-X
      + Supported-Vendor-Id=10415
      + Vendor-Specific-Application-Id
      -- Vendor-Id=3GPP(10415)
      -- Auth-Application-Id=3GPP S6a(16777251)
      + Vendor-Specific-Application-Id
      -- Vendor-Id=3GPP(10415)
      -- Auth-Application-Id=3GPP Sh(16777217)

    4. Thank you for the clarification. Could you also please answer my first query: Will the diameter node send the support of App-X in Auth-Application-Id or Vendor-Specific-Application-Id of CER message?
      What are the consequences at the peer diameter node if the diameter node-X sends its support of App-X in Vendor-Specific-Application-Id AVP instead of Auth-Application-Id AVP?

  6. When a diameter node returns DIAMETER_NO_COMMON_APPLICATION error, should it also include the optional AVPs (Vendor-Specific-Application-Id, Firmware-Revision, Supported-Vendor-Id AVPs) in the CEA response?

  7. Implementation specific. (Generally only mandatory AVPs are sent in an error response.)

    RFC-6733 says the peer should close the transport connection.

    Thanks for your query.

    Happy to help you again.
    Team-Diameter

  8. great article!! good place to start

  10. How is the version number of a particular protocol taken care of in CER/CEA?
    Assuming that I have a protocol and I know the 1.0 version, and the other entity is updated to the 2.0 version of the same protocol, how will I make sure that we communicate in protocol "p" version 1.0 to be on the same page? Assuming that "p" has Application Id 167XXX1.

    Replies
    1. Hi Karan,

      RFC-6733 does not say anything about version negotiation in CER-CEA. Currently this field remains set to 1.

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

  11. Great, I learned a lot from this article.

  12. Hi team, great job. One question about the CER/CEA: when the client initiates it with a DRA, what kind of application ids will be there, and what app id is the DRA supposed to check to have success in the diameter connection?

    thanks

    Replies
    1. Hi Tejas,

      Ideally, the client should advertise all application ids supported by the client to the DRA, and the DRA shall reply back with the common application ids; the DRA should advertise all application ids supported by it.

      In practical implementations both entities show only the limited application IDs on which they are supposed to interact. Sharing unused information is just a burden.

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

    2. I am using seagull diameter on the s6 interface. MME -> DRA -> HSS.
      In the CLR/CLA case HSS/DRA always initiates CLR. So can HSS/DRA send CER to MME?

    3. Hi Vipula,

      I am doing a similar thing. I need to send an IDR to MME.
      The MME is implemented in such a way that it can send CER but it cannot receive CER. But seagull doesn't allow receiving CER in init and then sending IDR in traffic. Did you face any similar problem?

      Thanks,
      Bhanu

    4. Hi Bhanu/Vipula

      In the context of the above discussion, we would like to highlight the following points that shall help you:

      1) CER/CEA is used only once, just to establish the connection. If a CER is initiated by any node (peer) on an already established connection, then it shall be treated as a fresh connection, implying that the peer node might have rebooted.

      2) In the case of CLR/IDR (deployment/practically), CER shall not be triggered by either HSS or MME, because the DIAMETER connection is already established with the peer DRA/MME, as HSS has received AIR/ULR messages from MME/DRA on that DIAMETER connection.

      3) In the case of Seagull, it is a testing tool and doesn't keep the connection established with the node (HSS/DRA/MME); therefore it needs to send CER before sending IDR/CLR to MME during functional testing if Seagull acts as HSS.

      The following links might help you:

      http://diameter-protocol.blogspot.in/2016/01/diameter-routing-agent-dra_17.html

      http://diameter-protocol.blogspot.in/2013/08/diameter-connection-establishment.html

      Hope the above suffices for your query.

      Happy to help you again.
      Team-Diameter

  13. Thanks for the reply team-diameter. Just to bring some more clarity: if the DRA is supposed to work as just a relay agent, what kind of App id is it supposed to support?

  14. If by mistake initiate-connection is configured on both the client and server side, let's say both are trying to send a CER message towards the other peer (both act as client), what should happen ideally? My assumption is that the node whose CER message is first in time will get priority and the link gets established, and the CER sent by the other peer will be rejected. Am I right?

    Replies
    1. I read here in the same blog somewhere that for such cases an alphabetic order comparison will be done on the host-id. The host with the higher order (xyz > abc) wins, terminates the connection initiated by it and sends the CEA to the peer.

    2. Hi Anand

      Following link shall help you.
      http://diameter-protocol.blogspot.in/2013/09/election-process.html

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

  15. Hi,

    What if the transport layer connection is lost after a successful CER/CEA and exchanging some CC messages, and we re-establish the connection again; here, should we send CER or is the first one enough?

    Replies
    1. Hi Mohamed Yacout,


      Ideally, CER/CEA shall be exchanged.

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

  16. What's the real purpose of CER/ CEA when they can't be proxied/ relayed? Since a client will never be able to know the exact capabilities of a server to which it wishes to communicate?

  17. Can anyone tell me why the UDP protocol is not used in transporting Diameter messages? Why are TCP and SCTP used?

    Replies
    1. Reliable transport
      RADIUS runs over UDP, and does not define retransmission behavior;
      as a result, reliability varies between implementations. As
      described in [ACCMGMT], this is a major issue in accounting, where
      packet loss may translate directly into revenue loss. In order to
      provide well defined transport behavior, Diameter runs over
      reliable transport mechanisms (TCP, SCTP) as defined in
      [AAATRANS].

  18. Why can't CER/CEA messages be proxied or relayed?

  19. Hi,

    Can multiple CER/CEAs be exchanged between 2 nodes? If yes, then in which scenario?

    Replies
    1. Hi Subhalaxmi behera,

      No, ideally CER-CEA shall be exchanged once, and that only at the time of diameter connection establishment.

      If another CER is received on an existing connection then it is treated as a fresh connection, implying the peer (other) node has restarted. All data (sessions) pertaining to the previous connection shall be flushed.

      Thanks for your query.
      Happy to help you.
      Team-Diameter

  21. Hi Team,

    In the CER message, only these parameters are mandatory:
    { Origin-Host }
    { Origin-Realm }
    1* { Host-IP-Address }
    { Vendor-Id }
    { Product-Name }

    How will the server know what applications are supported by the client?

    Replies
    1. Hi Naresh

      You are right. A CER must include at least one of the following AVPs: Auth-Application-Id, Acct-Application-Id, Vendor-Specific-Application-Id and Supported-Vendor-Id, but in the currently given notations ({Mandatory}, [Optional]) there is no way to represent the at-least-one feature; that is why it is shown as [].

      There is one more notation, [Conditional]: optional AVPs that become mandatory in a specific situation are called conditional and are represented as [].

      The below statement shall help you.

      " The receiver of the Capabilities-Exchange-Request (CER) MUST
      determine common applications by computing the intersection of its
      own set of supported Application Ids against all of the
      Application-Id AVPs (Auth-Application-Id, Acct-Application-Id, and
      Vendor-Specific-Application-Id) present in the CER."

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

  22. Hello...

    I just started a Diameter application and am learning the protocol. In my application I see the CER/CEA exchange happening all the time; as I read, this happens if the CEA does not contain the "Diameter Success" Result-Code, but in my case the CEA contains that. Can you help me find another reason for this? I am using a TCP connection without any TLS.

    Replies
    2. Hi Diego Quevedo

      There could be multiple reasons for it. First check that the TCP connection is successfully up.

      on linux
      netstat -apn | grep [ listen port ]

      Kindly share a wireshark trace or logfiles.

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

    3. Thank you very much for your reply. I did find the problem being the "Origin-Host" in the CEA, the client did not accept this value and then tear up the TCP connection to restart, after setting the appropriate value, it was all ok.

    4. Thanks for choosing us as your help.
      Team-Diameter

  23. I am having a long delay (more than 20 seconds) to receive CEA for a particular CER. Sometime there is no CEA corresponding to CER. I am new to diameter and unable to figure out what is wrong?

    Replies
    1. Hi Zainul Abedin,

      Kindly check the TCP or SCTP connection between client and server. If it still fails, kindly share some more details and logs.

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

  24. Hello.
    I'd like to clarify some details about the message flow for an application which uses the diameter protocol.
    I'm working on client software which communicates with a diameter application with Application-Id=App-X. There are three request messages I need to implement: CER (capability-exchange-request), DWR (device-watchdog-request) and NFR (this is a custom request message defined by the application).
    1. Which Application-Id should I insert into the diameter header of the CER message: 0 (common applications) or App-X?
    2. Which AVP should I insert the App-X id into to inform the server that I'm going to communicate with this application: Auth-Application-Id, Acct-Application-Id, Vendor-Specific-Application-Id.Auth-Application-Id or Vendor-Specific-Application-Id.Acct-Application-Id? What is the difference between Auth-Application-Id and Vendor-Specific-Application-Id.Auth-Application-Id?
    3. Which Application-Id should I insert into the diameter header of the DWR message: 0 (common applications) or App-X?
    4. In the NFR header the Application-Id has to be App-X, correct?

    Replies
    1. Hello,
      As per your client configuration use the below configuration.

      1. CER
      Auth-Application-Id value=X
      Acct-Application-Id value=0
      Vendor-Specific-Application-Id
      Vendor-Id value = 3GPP_ID/Vendor_id
      Auth-Application-Id value=X

      2&4. NFR: Use only Vendor-Specific-Application-Id in the application.
      Vendor-Specific-Application-Id
      Vendor-Id value = 3GPP_ID/Vendor_id
      Auth-Application-Id value=X

      3. No Application id in DWR

      Ask more if you require more information.

  25. Hi Team,
    I have two questions below on Diameter connection establishment.

    1. If 2 Diameter nodes are configured with both TCP and SCTP connections, which one will take higher priority? What is the reason?

    2. If 5 Diameter servers are configured with the same host name and realm name and listening on port 3868, how do we make the client connect to one of these servers? How will the connection be chosen?

    Thanks,
    Vinayak

    Replies
    1. Dear Vinayak,

      1. Any Diameter node can use both TCP & SCTP. There is nothing like priority. It depends upon your client which transport it wants to use.

      2. I have a question for you. How can you configure multiple servers having the same Hostname & Realm on a single LAN?
      Rather use a different identity for each.

  26. I would like to know what the possible impact would be if both peers initiate a connection with each other, i.e. send INIT and, once the transport layer connection is established, send CER to each other. Is that a good solution, or ideally should only one peer initiate the connection and the other respond?

    Replies
    1. Hi

      Theoretically the CER election process shall be initiated and only one transport is used.

      The following link shall help you, as it explains it in detail:

      http://diameter-protocol.blogspot.in/2013/09/election-process.html

      Thanks for your query

  27. Hi Team,

    Suppose Vendor-y implemented an application App-y, along with other 3gpp defined applications (like an auth application).

    1. Should the diameter node send this support in Auth-Application-Id or Vendor-Specific-Application-Id of the CER message?

    2. What is the need of the Supported-Vendor-Id AVP?

  28. Can multiple vendor specific application ids be sent with requests other than CER? Also I don't understand when the following three are to be used:
    Acct-Application-Id AVP, Vendor-Specific-Application-Id AVP and Auth-Application-Id

  29. Hi Team,
    Is there any chance to have Auth-Application-Id 0 in CER? I know that Application Id 0 is in the Diameter message header of CER. Does it cause any error if I set Auth-Application-Id 0 besides Vendor-Specific-Application-Id with the correct Auth-Application-Id X inside?
    Many thanks!

    Replies
    1. Hi Khang Tran

      RFC-6733 Says
      "The base protocol does not require an Application Id since its
      support is mandatory." therefore advertising Auth-Application-Id 0 does not make any sense.


      Hope suffice your query.

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

  30. Hi,

    I wanted to understand Host-IP-Address in the CER message, which is of type Address. Can we send an FQDN in the Host-IP-Address AVP?

    The RFC gives a reference to the below one, where 16 (DNS) can be added.

    But if we see Address, it talks about only IPv4 and IPv6:
    Address

    The Address format is derived from the OctetString Basic AVP
    Format. It is a discriminated union representing, for example, a
    32-bit (IPv4) [RFC0791] or 128-bit (IPv6) [RFC4291] address, most
    significant octet first. The first two octets of the Address AVP
    represent the AddressType, which contains an Address Family,
    defined in [IANAADFAM]. The AddressType is used to discriminate
    the content and format of the remaining octets.
    br,
    Neeraj Surana

  31. Hi,

    Can a diameter node send an FQDN in the Host-IP-Address field of CER?

    br,
    Neeraj Surana

    Replies
    1. Hi Neeraj Surana

      We have not found any reference in RFC-6733 to using an FQDN instead of an IP address in the Host-IP-Address AVP.

      The Host-IP-Address AVP (AVP Code 257) is of type Address; IP addresses (IPv4, IPv6) would be passed.

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

  32. What is the difference between the services advertised during peer discovery and negotiating for compatible applications via Capability Negotiation.

  33. How CER/CEA exchange happens in case of a DRA? Given that CER/CEA are not proxied/relayed, therefore we should assume that the DRA opens two separate connections with the two ends (i.e. two "stacks"), right? The question is how the end-to-end negotiation of supported applications will actually be done.
    I understand that the DRA had better support at least as many applications as the client & server and always setup the connections happily with both ends, but how the client will know that the server does not support some certain application?

    Replies
    1. I have got same question. For example if PCRF and P-Gateway are connected via DRA,how the capabilities are exchanged,since DRA will have independent SCTP session between each nodes?

  34. Hi,

    My question is regarding the Origin-Host M bit in the CER message. Is it mandatory to set the M-bit for a CER message?

    One remote peer sends the CER message with the Origin-Host AVP M-bit not set. Our diameter node rejects it with CEA diameter error code 3009 Invalid_AVP Bit.

    Regards
    Ebru

    Replies
    1. According to RFC-6733, Origin-Host must follow the rules shown below:

                                                +----------+
                                                | AVP Flag |
                                                |  rules   |
                                                |----+-----|
                         AVP  Section           |    |MUST |
         Attribute Name  Code Defined Data Type |MUST| NOT |
         -----------------------------------------|----+-----|
         Origin-Host     264  6.3     DiamIdent  | M  |  V  |

      So the M-bit must be set for the Origin-Host AVP.

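An added example (not from the comment above or the RFC) of the check behind that 3009 answer: encoding Diameter AVPs on the wire and validating the M and V bits of a CER's base AVPs against the RFC 6733 flag-rule table. The host, realm and product names are constructed; the rows for AVPs other than Origin-Host are taken from the same RFC table.

```python
import struct

DIAMETER_INVALID_AVP_BITS = 3009      # Result-Code for a wrong M/V bit
AVP_FLAG_V, AVP_FLAG_M = 0x80, 0x40   # AVP header flag bits (RFC 6733 s4.1)

# AVP flag rules: code -> (name, flags that MUST be set, flags that MUST NOT
# be set).  Origin-Host is the row quoted in the reply above; the other rows
# come from the same table in RFC 6733 section 4.5.
FLAG_RULES = {
    264: ("Origin-Host", AVP_FLAG_M, AVP_FLAG_V),
    296: ("Origin-Realm", AVP_FLAG_M, AVP_FLAG_V),
    257: ("Host-IP-Address", AVP_FLAG_M, AVP_FLAG_V),
    266: ("Vendor-Id", AVP_FLAG_M, AVP_FLAG_V),
    269: ("Product-Name", 0, AVP_FLAG_V | AVP_FLAG_M),
}


def encode_avp(code, data, flags=AVP_FLAG_M, vendor_id=None):
    """Encode one AVP: 4-byte code, 1-byte flags, 3-byte length (header plus
    data, excluding padding), optional Vendor-Id, data padded to 4 octets."""
    if vendor_id is not None:
        flags |= AVP_FLAG_V
    header_len = 12 if vendor_id is not None else 8
    out = struct.pack("!IB", code, flags)
    out += (header_len + len(data)).to_bytes(3, "big")
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * (-len(data) % 4)


def decode_avps(buf):
    """Yield (code, flags, vendor_id, data) for each AVP in buf."""
    pos = 0
    while pos < len(buf):
        code, flags = struct.unpack_from("!IB", buf, pos)
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        header_len, vendor_id = 8, None
        if flags & AVP_FLAG_V:
            vendor_id = struct.unpack_from("!I", buf, pos + 8)[0]
            header_len = 12
        yield code, flags, vendor_id, bytes(buf[pos + header_len:pos + length])
        pos += length + (-length % 4)  # skip padding to the next AVP


def check_avp_flags(buf):
    """Return (DIAMETER_INVALID_AVP_BITS, avp_name) for the first AVP whose
    M/V bits break its rule, or (None, None) when all known AVPs comply."""
    for code, flags, _vendor_id, _data in decode_avps(buf):
        rule = FLAG_RULES.get(code)
        if rule is None:
            continue  # AVPs without a rule in the table above are not checked
        name, must_set, must_not_set = rule
        if (flags & must_set) != must_set or flags & must_not_set:
            return DIAMETER_INVALID_AVP_BITS, name
    return None, None


# Constructed CER fragments: a compliant one, and one whose Origin-Host is
# sent without the M bit, the situation described in the question above.
GOOD_CER_AVPS = (encode_avp(264, b"node-a.example.net")
                 + encode_avp(296, b"example.net")
                 + encode_avp(269, b"ExampleStack", flags=0))
BAD_CER_AVPS = (encode_avp(264, b"node-a.example.net", flags=0)
                + encode_avp(296, b"example.net"))
```

`check_avp_flags(BAD_CER_AVPS)` returns `(3009, "Origin-Host")`, the rejection seen in the question, while the compliant fragment passes.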
  35. Is CER-CEA allowed with duplicate peer (host/realm etc are same for 2 or more clients) ?

  36. Is there any blog which talks about the prior messages for LDAP link establishment between HSS FE and the BE database UDR?
