Internet Engineering Task Force S. Donovan Internet-Draft B. Campbell Intended status: Informational Oracle Expires: January 4, 2015 July 3, 2014 Analysis of Agent Use Cases for Diameter Overload Information Conveyance (DOIC) draft-donovan-doic-agent-cases-00 Abstract The Diameter Overload Information Conveyance (DOIC) solution describes a mechanism for exchanging information about Diameter Overload among Diameter nodes. A DOIC node is a Diameter node that acts as either a reporting node are a reacting node. A reporting node originates overload reports, requesting reacting nodes to reduce the amount of traffic sent. DOIC allows Diameter agents to act as reporting nodes, reacting nodes, or both, but does not describe agent behavior. This document explores several use cases for agents to participate in overload control, and makes recommendations for certain agent behaviors to be added to DOIC. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 4, 2015. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of Donovan & Campbell Expires January 4, 2015 [Page 1] Internet-Draft Abbreviated Title July 2014 publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Terminology and Abbreviations . . . . . . . . . . . . . . 3 2. Deployment Architectures . . . . . . . . . . . . . . . . . . 4 3. Diameter Routing . . . . . . . . . . . . . . . . . . . . . . 5 4. Overload Abatement Methods . . . . . . . . . . . . . . . . . 6 5. DOIC Use Cases . . . . . . . . . . . . . . . . . . . . . . . 7 5.1. Simple Agent . . . . . . . . . . . . . . . . . . . . . . 9 5.1.1. Capability Announcement . . . . . . . . . . . . . . . 9 5.1.2. Overload Report Handling . . . . . . . . . . . . . . 11 5.1.3. DOIC Specification Impacts . . . . . . . . . . . . . 17 5.2. Mixed Capabilities . . . . . . . . . . . . . . . . . . . 17 5.2.1. Capability Announcement . . . . . . . . . . . . . . . 17 5.2.2. Mixed Abatement Algorithms . . . . . . . . . . . . . 18 5.2.3. DOIC Specification Impacts . . . . . . . . . . . . . 20 5.3. Non-Supporting Nodes . . . . . . . . . . . . . . . . . . 20 5.3.1. Non-Supporting Transaction Client . . . . . . . . . . 20 5.3.2. Non-supporting Transaction Server . . . . . . . . . . 24 5.3.3. Non-Supporting Agent . . . . . . . . . . . . . . . . 26 5.3.4. DOIC Specification Impacts . . . . . . . . . . . . . 27 5.4. Inter Domain Authentication . . . . . . . . . . . . . . . 27 5.4.1. DOIC Specification Impacts . . . . . . . . . . . . . 29 6. Recommendations . . . . . . . . . . . . . . . . . . . . . . . 29 6.1. General Recommendations . . . . . . . . . . . . . . . . . 30 6.2. Agent Behavior Recommendations . . . . . . . . . . . . . 30 6.2.1. Capabilites Exchange Behaviors . . . . . . . . . . . 30 6.2.2. Overload Report Behaviors . . . . . . . . . . . . . . 31 7. Security Considerations . . . . . . . . . . . . . . . . . . . 32 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 33 8.1. Normative References . . . . . . . . . . . . . . . . . . 33 8.2. Informative References . . . . . . . . . . . . . . . . . 33 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 34 1. Introduction The Diameter Overload Information Conveyance (DOIC) [I-D.ietf-dime-ovli] solution describes a mechanism for exchanging diameter overload information among Diameter nodes. DOIC defines the concept of a DOIC endpoint (referred to as a "DOIC node" in this document.) A DOIC node is a Diameter node that acts as either a Donovan & Campbell Expires January 4, 2015 [Page 2] Internet-Draft Abbreviated Title July 2014 reporting node or a reacting node. A reporting node originates overload reports, requesting reacting nodes to reduce the offered load. An overload report has a "type". The type of overload report determines the scope of the request for traffic reduction, and possibly other semantics. DOIC nodes do not necessarily correspond to Diameter clients and servers. Any Diameter node that supports DOIC is a DOIC node. This includes Diameter agents, as well as Diameter clients and servers. However, DOIC does not currently describe how agents should behave as part of an overload control solution. This document explores several use cases for agents to participate in overload control, and makes recommendations for certain agent behaviors to be added to DOIC. 1.1. Terminology and Abbreviations Diameter Node: A Diameter client, agent or server. DOIC node: A Diameter node that supports DOIC. A DOIC node can simultaneously be both a reacting node and a reporting node. Reacting node: A DOIC node that can receive overload reports from a reporting node and ensures that the overload reports are honored. Reporting node: A DOIC node that can send overload reports, requesting overload abatement. Abating node: A reacting node that directly performs overload abatement. Transaction Client (TC) A diameter node that originates a Diameter request. This is distinct from "Diameter Client" as used in RFC 6733. Note that a Diameter Server acts as a TC if and when it originates a request towards a Diameter Client. TransactionServer (TS) A diameter node that consumes a Diameter request, and responds with a Diameter answer. This is distinct from "Diameter Server" as used in RFC 6733. Note that a Diameter Client acts as a TS if and when it answers a request sent by a Diameter Server. Client Application The application that uses Diameter for various Authentication, Authorization, and/or Accounting (AAA) functions. For example, a Network Access Server (NAS) performs certain network attachment services, detachment services, packet forwarding, etc. These are collectively the NAS client application, which depends on Diameter for AAA services. Donovan & Campbell Expires January 4, 2015 [Page 3] Internet-Draft Abbreviated Title July 2014 Overload Abatement: Actions taken by a reacting node to reduce the load offered to an overloaded Diameter node. The specific actions required to perform overload abatement are described by the DOIC algorithm. Overload abatement actions may involve local traffic reduction, or delegation of actions towards the client. Local traffic reduction can be achieved by either throttling a request or routing a request to a different destination. Throttling Overload abatement through the rejection of some number of requests. Throttling at an agent requires the agent to reject requests with appropriate error codes. Throttling at a transaction client requires the client to indicate appropriate errors to the client application Diversion Overload abatement through the routing of some number of requests away from an overloaded node towards one or more appropriate nodes that are less-overloaded. 2. Deployment Architectures This section outlines the deployment architectures used to determine agent related Diameter DOIC requirements. These deployment architectures include the use of Diameter agents to route Diameter requests between Diameter clients and Diameter servers. In all cases, a small number of client and server nodes are shown for simplicity. Adding additional clients and/or servers does not change the fundamental characteristics of the deployments. Figure 1 shows an architecture with a single agent sitting between Diameter clients and Diameter servers. +--+ +--+ |C1|----- -----|S1| +--+ \+--+/ +--+ |A1| +--+ /+--+\ +--+ |C2|----- -----|S2| +--+ +--+ Figure 1 Donovan & Campbell Expires January 4, 2015 [Page 4] Internet-Draft Abbreviated Title July 2014 Figure 2 shows an architecture with multiple agents sitting between Diameter clients and Diameter servers. +--+ +--+ |C1|----- -----|S1| +--+ \+--+ +--+/ +--+ |A1|------|A2| +--+ /+--+ +--+\ +--+ |C2|----- -----|S2| +--+ +--+ Figure 2 This document focuses on use cases that involve agents, and does not therefore include scenarios with no agent(s) between the transaction client and transaction server. It is, however, important that any changes to the DOIC solution introduced to support networks that contain agents also work when there is no agent sitting between Diameter clients and servers. 3. Diameter Routing Diameter supports two primary methods [RFC6733] for nodes to select the next hop for a request . Normally, Diameter nodes base peer- selection on the Destination-Realm and Application-Id AVP values. That is, they select a next hop from their Diameter peer table entry that matches the realm and application of the request. For the sake of this analysis, we refer to requests routed by this method as "realm-routed requests" A Diameter TC may also control the final destination of a request by inserting a Destination-Host AVP. When a node forwards a request that includes Destination-Host, it checks to see if it has a matching Diameter identity in its peer table. If so, it forwards the request to that peer. Otherwise, it follows the normal peer-selection for the realm and application. We refer to requests routed this way as "host-routed requests". In general, throttling (Section 4) is the the only abatement technique that works for host-routed requests. Diversion (Section 4) is typically not possible, since only a single TS can handle any given request. There may be some exceptions to this rule. For example, a node might have multiple peer table entries that share the same Donovan & Campbell Expires January 4, 2015 [Page 5] Internet-Draft Abbreviated Title July 2014 Diameter Identity. A node might map Diameter identities in a way that results in multiple next-hop destinations for a given Destination-Host value. On the other hand, diversion is often useful for abating realm-routed traffic. Since realm-routed requests are not bound to a particular TS, it is often be possible to divert a number of them to other servers that are less overloaded. 4. Overload Abatement Methods When a Diameter node becomes overloaded, there often must be a reduction of the number of both realm-routed and host-routed requests, in order to have the desired reduction of the overall offered-load. We refer to this reductions as "Overload Abatement". There are two ways to perform overload abatement. The first is to reject some number of Diameter requests, also known as "throttling". When a TC throttles traffic, it rejects or defers certain client application requests, as appropriate for the client application. When an agent or TS throttles traffic, it rejects Diameter requests with an appropriate error code, so that the TC can behave correctly at the client application layer. The second way to abate overload is to move some number of requests from an overloaded node to one or more eligible nodes that are less overloaded. For the purposes of this draft, we refer to this abatement method as "Diversion". Either method, separately or in combination, continue over the duration of the overload condition. There are a few architectural principles that should be considered when building Diameter networks to be resilient to overload, or when deploying DOIC into existing Diameter network. All things being equal, diversion is better than throttling. Diversion potentially allows more requests to succeed, which will almost always have less negative impact on the client application. However, there are situations where diversion is not possible. For example, diversion is usually not possible for host-routed requests (see Section 3). Diversion may not be helpful if all potential destinations are overloaded. If proprietary load balancing mechanisms are in use, diversion for DOIC purposes may be redundant with those mechanisms. If diversion is performed, the diversion should occur as close as possible to the TS, but not at the TS itself (since this would defeat Donovan & Campbell Expires January 4, 2015 [Page 6] Internet-Draft Abbreviated Title July 2014 the point of overload abatement.) Diversion should optimally occur at an immediate peer to the TS; that is, a node that shares a direct transport connection with the TS. A directly connected peer will have the most knowledge of alternative destinations and their current loads. If nodes further from the TS attempt to diversion, topology knowledge and overload state knowledge must be pushed further down the chain. Even then, a node usually cannot control how a realm- routed request might be routed upstream of the immediate peer. Throttling should occur at, or as close as possible, to the TC. The TC has the best knowledge of the client application and its current state. The TC can choose to reject requests that have the lease impact on the client application, or provide the most effect for traffic reduction over time. Furthermore, throttling at the TC completely avoids Diameter overhead for rejected requests. Each additional hop traversed by requests that will eventually be rejected increases the impact of those requests. 5. DOIC Use Cases This section outlines example use cases involving agents. Each of these use cases is evaluated with the goal of identifying any required changes to [I-D.ietf-dime-ovli] needed to support the use case. The following is the list of use cases considered. This is not an exhaustive list of DOIC use cases but is rather a list of use cases identified by the authors as being impacted by the presence of agents in the deployment. o Simple Agent - Overload capability announcement and overload report handling in a deployment with a single agent as illustrated in Figure 1. In this case all Diameter nodes are assumed to support DOIC. This use case is discussed in Section 5.1. This use case includes four sub-cases: 1. OC Capability Announcement where the TC and Agent support the same OC capabilities. 2. Host overload report handling for host-routed requests. This case illustrates throttling of host-routed requests at the transaction client and throttling of realm-routed reqeusts at the agent. 3. Host overload report handling realm-routed requests when there is a second TS to which requests can be diverted when one of the servers is in an overload state. Donovan & Campbell Expires January 4, 2015 [Page 7] Internet-Draft Abbreviated Title July 2014 4. Multiple host overload reports resulting in a realm overload report. o Mixed Capabilities - Overload capability announcement and overload report handling in deployments where agents support capabilities that are not included in the set of capabilities advertised by reacting nodes. This use case is discussed in Section 5.2. This use case illustrates one scenario where an agent consumes an overload report and replaces it with a new overload report of a different type. o Non-supporting DOIC nodes - Agent behavior in the face of Diameter nodes that do not support the DOIC solution. These use cases are addressed in Section 5.3. There are four sub-use cases that are addressed: * Non-supporting TC. In this case a DOIC supporting agent handles overload abatement on behalf of the non-supporting TC. An agent or a reporting node can detect if there is a reacting node in the path of a request by the presence of the OC- Supported-Features AVP in the request message. This use case is discussed in Section 5.3.1. * Non-supporting TS. In this case a DOIC supporting agent may act as the reporting node on behalf of the TS. In this case a DOIC supporting agent can detect if there is a reporting node in the path of the transaction by the presence of the OC- Supported-Features AVP in the answer message for the transaction. This use case is discussed in Section 5.3.2. * Non-supporting agent between the TC and a supporting agent. * Non-supporting agent between a supporting agent and the TS. In this case, the agent that supports DOIC cannot reliably divert requests as a result of a host report. This use case is discussed in Section 5.3.3. This use case illustrates when this deployment scenario is not recommended. o Inter domain or untrusted node authorization. This use case illustrates one case where a node needs to know if an OC-S-F AVP came from a supported peer, or was forwarded by a non-supporting peer. This use case is discussed in Section 5.4. Donovan & Campbell Expires January 4, 2015 [Page 8] Internet-Draft Abbreviated Title July 2014 5.1. Simple Agent This section addresses overload capability announcement and overload report handling in a deployment with a single agent as illustrated in Figure 1. This use case assumes that all nodes support DOIC and that all nodes support the same set of overload features. This use case includes four sub-cases: 1. OC Capability Announcement where the TC and Agent support the same OC capabilities. 2. Host overload report handling for host-routed requests. This case illustrates throttling of host-routed requests at the transaction client and throttling of realm-routed reqeusts at the agent. 3. Host overload report handling realm-routed requests when there is a second TS to which requests can be diverted when one of the servers is in an overload state. 4. Multiple host overload reports resulting in a realm overload report. 5.1.1. Capability Announcement This section explores capability announcement for the simple agent use case. This use case assumes that the capabilities supported by the TC and those supported by the agent are the same. (A scenario with differing capabilities is supported in discussed in Section 5.2.) Figure 3 shows the message flow for this use case. The nomenclature OC-S-F:x is short for OC-Supported-Feature with the ":x" indicating the Diameter node that inserted the AVP into the message. Donovan & Campbell Expires January 4, 2015 [Page 9] Internet-Draft Abbreviated Title July 2014 +--+ +-+ +--+ |TC| |A| |TS| +--+ +-+ +--+ | | | 1> |-- xxR OC-S-F:C---------->| | | | | 2> | |-- xxR OC-S-F:C---------->| | | | 3> | |<---------- xxA OC-S-F:S--| | | | 4> |<-------- xxA OC-S-F:S----| | | | | Figure 3 1. The transaction client (TC) originates a request. The TC supports DOIC and, as such, includes the OC-Supported-Features AVP in all requests. The OC-S-F AVP contains the clients capabilities. 2. The agent inspects the OC-S-F AVP and determines that the agent supports the same set of OC features. The agent relays the request unchanged to the server. Note: It is an open question whether the agent needs to include an indication that it also supports DOIC or if attribution of the OC-S-F is needed. One could also question whether the agent forwarded OC-S-F:C unchanged, rather than consuming the OC-S-F, and inserted another identical one. This is likely a purely philosophical difference, but might impact the inter-domain authorization use case (Section 5.4). 3. The transaction server (TS), acting as the reporting node, inspects the OC-S-F AVP in the request and generates an OC-S-F to be included in the answer message. This is done according to the behavior defined in the DOIC specification [I-D.ietf-dime-ovli]. 4. The agent relays the answer message unchanged. The presence of the OC-S-F header in the answer message indicates to the TC that it needs to be prepared for overload reports in subsequent requests of the same type. With the loss algorithm defined in [I-D.ietf-dime-ovli] there is no explicit action required of the TC. Stateful abatement algorithms will likely require action to be taken by the TC to be able to handle subsequent overload reports. Donovan & Campbell Expires January 4, 2015 [Page 10] Internet-Draft Abbreviated Title July 2014 5.1.2. Overload Report Handling This section addresses overload report handling in a deployment with a single agent as illustrated in Figure 1. The following three scenarios are illustrated: o Figure 4 shows a message flow illustrating handling of host reports for host-routed requests and realm-routed requests when there is a single TS. o Figure 5 shows the handling of realm-routed requests when there is a second TS to which requests can be diverted when one of the servers is in an overload state. o Figure 6 illustrates the agents behavior when it has received a host report from all servers. In this case the agent generates a Realm report. This is only possible when the agent knows the overload state of all TSs for the given realm and application. In these message flows, "xxR" indicates a Diameter request, and "xxA" indicates an answer. "HR" under a request indicates that the request is host-routed. "RR" indicates the request is realm-routed. If neither is present for a request, then it can be either host or realm routed. "OLR:Host" indicates an overload report of type Host. "OLR:Realm" indicates an overload report of type Realm. +-+ +-+ +-+ |C| |A| |S| +-+ +-+ +-+ | | | 1> |-- xxR OC-S-F:C----->| | | | | 2> | |-- xxR OC-S-F:C----->| | | | 3> | |<----- xxA OC-S-F:S--| | | OLR:Host | 4> |<--- xxA OC-S-F:S----| | | OLR:Host | | | | | 5> |-- xxR OC-S-F:C---X | | | HR | | | | | 6> |-- xxR OC-S-F:C----->| | | HR | | | | | 7> | |-- xxR OC-S-F:C----->| Donovan & Campbell Expires January 4, 2015 [Page 11] Internet-Draft Abbreviated Title July 2014 | | | | | | 8> | |<----- xxA OC-S-F:S--| | | OLR:Host | | | | 9> |<--- xxA OC-S-F:S----| | | OLR:Host | | | | | 10>|-- xxR OC-S-F:C----->| | | RR | | 11>| |-- xxR OC-S-F:C---X | | | RR | | | | 12>|<--- xxA Throttled---| | | | | | | | 13>|-- xxR OC-S-F:C----->| | | RR | | | | | 14>| |-- xxR OC-S-F:C----->| | | RR | | | | 15>| |<----- xxA OC-S-F:S--| | | OLR:Host | | | | 16>|<--- xxA OC-S-F:S----| | | OLR:Host | | | | | Figure 4 1. Same as in Figure 3. 2. Same as in Figure 3. 3. S, acting as a reporting node, has determined that it needs to request a reduction in traffic. S includes the OC-S-F AVP per [I-D.ietf-dime-ovli], and selects the loss algorithm for the included report. S also includes the OC-OLR AVP to indicate the requested reduction in traffic. 4. A saves the overload state of S based on the OC-OLR AVP. A will use this overload state for handling of future realm routed requests. This behavior is not yet specified in the DOIC specification. It is based on the principle that only nodes with a direct Donovan & Campbell Expires January 4, 2015 [Page 12] Internet-Draft Abbreviated Title July 2014 transport connection to an overloaded host should throttle those requests as other nodes earlier in the requests path do not have the topology knowledge to know if diversion of the request would have been successful. A relays the answer message without change to OC-S-F or OC-OLR. Upon receipt of the answer, C saves overload state based on the overload report. 5. C invokes the "loss" algorithm on host-routed requests. This step illustrates a host-routed request that is rejected locally by C due to throttling. C gives application appropriate feedback to the client application. 6. This step represents a Host-routed requests that survived abatement. Such requests are handled the same as if there where no overload report for the host to which the request is routed. 7. A relays the request based on the included Destination-Host AVP. 8. A generates an answer which includes the OC-S-F AVP and OC-OLR AVP. 9. If the OC-OLR is new, then A updates the overload state associated with the report. A relays the answer without change to OC-S-F or OC-OLR. C determines if the OC-OLR is new. If so, C updates its locally stored overload state for S. 10. C originates a realm-routed request. C does not apply abatement to this request since it does not match any locally stored overload state (in this scenario, a realm overload report has not yet been sent.) 11. A determines that there is overload state associated with this request (the host report received from S). A uses this overload state as input to routing decisions for the request. In this case it is assumed that there is no alternative route to divert request toward and, as such, A applies throttling, and rejects the request. 12. A generates an error response indicating that the request was throttled and should not be retried. 13. C originates another realm-routed request. Donovan & Campbell Expires January 4, 2015 [Page 13] Internet-Draft Abbreviated Title July 2014 14. A determines that there is overload state associated with this request (the host report received from S). A uses this overload state as input to routing decisions for the request. This request survives abatement and is routed to S. 15. S generates an answer message. 16. A relays the answer. The following shows the case of host overload report handling of realm-routed requests when there is a second TS to which requests can be diverted when one of the servers is in an overload state. +-+ +-+ +--+ +--+ |C| |A| |S1| |S2| +-+ +-+ +--+ +--+ | | | | 1> |-- xxR OC-S-F:C----->| | | | | | | 2> | |-- xxR OC-S-F:C----->| | | | | | 3> | |<----- xxA OC-S-F:S--| | | | OLR:Host | | 4> |<--- xxA OC-S-F:S----| | | | OLR:Host | | | | | | | 5> |-- xxR OC-S-F:C----->| | | | RR | | | 6> | |-- xxR OC-S-F:C--------------------------->| | | RR | | | | | | 7> | |<--------------------------- xxA OC-S-F:S--| | | | | 8> |<--- xxA OC-S-F:S----| | | | | | | Figure 5 1. Same as in Figure 3. 2. Same as in Figure 3. 3. Same as in Figure 4. 4. Same as in Figure 4. Donovan & Campbell Expires January 4, 2015 [Page 14] Internet-Draft Abbreviated Title July 2014 5. C originates a realm-routed request. C does not apply overload abatement to this request as it does not match any locally stored overload state (the assumption for this scenario is that a realm overload report has not yet been sent.) 6. A determines that there is overload state associated with this request (the host report received from S1). A uses this overload state as input to routing decisions for the request. In this case, it is assumed that the request would have been normally routed to S1 but is instead routed to S2 as a result of the overload report. 7. S2 generates an answer message. 8. A relays the answer. The following illustrates the agents behavior when it has received a host report from all servers. In this case the agent generates a Realm report. This is only possible when the agent knows the overload state of all TSs for the given realm and application. Donovan & Campbell Expires January 4, 2015 [Page 15] Internet-Draft Abbreviated Title July 2014 +-+ +-+ +--+ +--+ |C| |A| |S1| |S2| +-+ +-+ +--+ +--+ | | | | 1> |-- xxR OC-S-F:C----->| | | | | | | 2> | |-- xxR OC-S-F:C----->| | | | | | | | | | 3> | |<----- xxA OC-S-F:S--| | | | OLR:Host | | 4> |<--- xxA OC-S-F:S----| | | | OLR:Host | | | | | | | 5> |-- xxR OC-S-F:C----->| | | | RR | | | | | | | 6> | |-- xxR OC-S-F:C--------------------------->| | | | | 7> | |<--------------------------- xxA OC-S-F:S--| | | | OLR:Host | 8> |<--- xxA OC-S-F:S----| | | | OLR:Host | | | | OLR:Realm | | | | | | | Figure 6 1. Same as in Figure 4. 2. Same as in Figure 4. 3. Same as in Figure 4. 4. Same as in Figure 4. 5. Same as in Figure 4. 6. Same as in Figure 4. 7. Same as in Figure 4, with the addition that S2 also includes an overload report in the answer message. 8. A determines that the available capacity of all servers in the realm has been reduced to the degree that it must generate a realm report. A adds this report to the answer message, in Donovan & Campbell Expires January 4, 2015 [Page 16] Internet-Draft Abbreviated Title July 2014 addition to the existing host report from S2 . C saves overload state associated with the new Realm overload report. For the duration of the realm report the client performs the requested abatement on realm-routed requests. 5.1.3. DOIC Specification Impacts The following is a list of behavior that needs to be reflected in the DOIC specification. o There can be multiple abating nodes for a single overload report. In this use case, A TC handles abatement of host-routed requests. An agent with a direct transport connection to an overloaded node handles abatement of realm-routed requests that would normally be routed to that node. o Note: It is also possible that an agent will handle abatement of host-routed requests, as illustrated in Section 5.3.1. o Syntax for the OC-OLR AVP must support multiple OC-OLR AVPs in answer messages. o The working group must define a Diameter-Throttled error response that indicates that the request was rejected due to overload and that the request should not be retried. 5.2. Mixed Capabilities This use case explores the impact of having a different set of DOIC capabilities supported by the TC and one or more agents in the path of the request. 5.2.1. Capability Announcement Figure 7 illustrates the case. In this figure, "OC-S-F:C" indicates it carries the set of capabilities supported by C. "OC-S-FC:AC" indicates the set of capabilities that A declares to S. "OC-S-FC:S" indicates S's response to the AC set of capabilities. OC-S-FC:AS indicates A's modification to the capabilities selected by S. This is needed in the case where S's capabilities are not compatible with C's. "OC-S-FC:AC" could indicate the merged capabilities of C and A, based on local policies at A. For example, A could indicate a union or intersection of the its local capabilities with those of C. Alternately, it A could declare an entirely different set of Donovan & Campbell Expires January 4, 2015 [Page 17] Internet-Draft Abbreviated Title July 2014 capabilities towards S. If the capabilites selected between A and S differ from those selected between C and A, A becomes responsible for mapping any overload information it receives from S to fit the capabilities it negotiated with C. +-+ +-+ +-+ |C| |A| |S| +-+ +-+ +-+ | | | 1> |-- xxR OC-S-F:C---------->| | | | | 2> | |-- xxR OC-S-F:AC--------->| | | | 3> | |<---------- xxA OC-S-F:S--| | | | 4> |<-------- xxA OC-S-F:AS---| | | | | Figure 7 1. C originates a request including OC-S-F:C, indicating the DOIC features supported by C. 2. A inspects OC-S-F:C and determines that A supports features not included. A relays the request, replacing OC-S-F:C APV with an OC-S-F:AC. 3. S responds to the set of advertised features with the OC-S-F:S AVP. There is no change in S's behavior beyond what is specified in [I-D.ietf-dime-ovli] and any other extensions documenting the features in the received OC-S-F AVP. 4. A inspects OC-S-F:S. If necessary A replaces OC-S-F:S with OC- S-F:AS'. Section 5.2.2 illustrates one example were A needs to OC-S-F:S with OC-S-F:AS'. 5.2.2. Mixed Abatement Algorithms Figure 8 illustrates one specific type of mixed capabilities. In this case, C only supports the loss abatement algorithm, A supports both loss and rate and S selects rate. Donovan & Campbell Expires January 4, 2015 [Page 18] Internet-Draft Abbreviated Title July 2014 +-+ +-+ +-+ |C| |A| |S| +-+ +-+ +-+ | | | 1> |-- xxR OC-S-F:C---------->| | | loss | | | | | 2> | |-- xxR OC-S-F:AC--------->| | | loss, rate | | | | 3> | |<---------- xxA OC-S-F:S--| | | rate | | | OC-OLR:S | | | rate | | | | 4> |<-------- xxA OC-S-F:AS---| | | loss | | | OC-OLR:A | | | loss | | Figure 8 1. C originates a request with OC-S-F:C, indicating support for only the "loss" algorithm. 2. A inspects OC-S-F:C and determines it needs to advertise support for additional capabilities. A removes OC-S-F:C and inserts OC- S-F:AC, indicating support for both the "loss" and "rate" algorithms. A stores the state from OC-S-F:C to be referenced when it receives the associated answer. 3. S responds with OC-S-F:S, indicating that the rate algorithm will be used for overload reports, and OC-OLR:rate, indicating an overload condition with a specific requested rate-limit. 4. A recalls that C did not indicate support the rate algorithm and replaces OC-S-F:S with OC-S-F:AS, which indicates that the loss abatement algorithm will be used for overload reports sent to C. A must enforce the rate limit locally, so it removes OC-OLR:rate. If C's offered load exceeds what A can handle without violating the requested rate-limit, it inserts OC-OLR:A, requesting a traffic reduction using the "loss" algorithm. This flow assumes that A is able to handle rate-based overload reports, even though the TC cannot. How this is done in practice is implementation specific. In this example, A applies local rate- Donovan & Campbell Expires January 4, 2015 [Page 19] Internet-Draft Abbreviated Title July 2014 limiting, but send loss-based OLRs to C if A cannot handle C's offered load without violating the rate-limit. If A chose to apply local throttling to enforce the rate limit, instead of sending load-based OLRs back to the TC, the scenario would be closer to that for a TC that did not support DOIC (Section 5.3.1). 5.2.3. DOIC Specification Impacts An agent must have the ability to replace the OC-S-F AVP in request messages. An agent must have the ability to remove or replace the OC-S-F AVP in answer messages. An agent must have the ability to remove or replace the OC-OLR AVP in answer messages. 5.3. Non-Supporting Nodes This section outlines the impact of agent based scenarios where there is a node that does not support DOIC in the path of a request. There are five variations of this use case: 1. Non-supporting TC. 2. Non-supporting TS. 3. Non-supporting agent between the TC and a DOIC agent. 4. Non-supporting agent between a DOIC agent and the TS. 5. Non-supporting agent between DOIC agents. 5.3.1. Non-Supporting Transaction Client This section outlines the handling of non-supporting transaction client. This use case is illustrated in Figure 9. In this case assume that C1 supports DOIC and C2 does not. Donovan & Campbell Expires January 4, 2015 [Page 20] Internet-Draft Abbreviated Title July 2014 +--+ +--+ |C1|----- -----|S1| +--+ \+--+/ +--+ |A1| **** /+--+\ +--+ *C2*----- -----|S2| **** +--+ Figure 9 Figure 10 illustrates capability announcement for both the supporting and non-supporting client. This scenario assumes that the capabilities supported by C1 and A are the same. There is no change from the simple agent use case for transactions originated by C1. For transactions originated by the non-supporting reacting node C2, A1 determines that C2 does not support DOIC by the absence of an OC- S-F AVP and inserts an OC-S-F AVP indicating the OC features supported by A1. +--+ **** +-+ +-+ |C1| *C2* |A| |S| +--+ **** +-+ +-+ | | | | 1> |-- xxR OC-S-F:C--------------------------->|-- xxR OC-S-F:C----->| | | | | 2> |<---------------------------xxA OC-S-F:S---|<-----xxA OC-S-F:S---| | | | | 3> | |-- xxR ------------->| | | | | | 4> | | |-- xxR OC-S-F:A----->| | | | | 5> | | |<-----xxA OC-S-F:S---| | | | | 6> | |<------------- xxA---| | | | | | Figure 10 Donovan & Campbell Expires January 4, 2015 [Page 21] Internet-Draft Abbreviated Title July 2014 1. C1 supports DOIC and, as such, includes the OC-S-F AVP in all request messages sent. A relays the request to S based on normal request handling. 2. S supports DOIC and, as such, includes the OC-S-F AVP in all response messages sent. A relays the answer to C1 based on normal answer handling. 3. C2 does not support DOIC and, as such, does not insert the OC-S-F AVP into request messages. 4. A recognizes that C2 does not support DOIC, since the request does not contain the OC-S-F AVP. A inserts an OC-S-F AVP that reflects the OC capabilities of A. 5. S does normal DOIC capability announcement handling, inserting the OC-S-F AVP in the answer. 6. A removes the OC-S-F AVP from the answer given that C2 does not support DOIC. Figure 11 illustrates overload report handling for this scenario. There is no change in overload handling for requests originated by C1. C1 is responsible for abatement of host routed requests and A is responsible for abatement of realm-routed requests. For requests originated by C2, it becomes the responsibility of A to handle overload abatement requested by S. In this case A is responsible for abatement of both host-routed and realm-routed requests, as A has a direct transport connection to S. The way an agent handles this in practice is implementation specific. Depending on the algorithm, an agent might be able to treat requests from all non-supporting clients as a pool. More complex implementations might maintain (and certain algorithms might require) the agent to maintain an overload control state machine for each known non-supporting client. If there were an upstream DOIC agent between A and S then A would no longer have a direct transport connection and would not be able to do abatement of realm-routed requests. It would become the responsibility of the upstream DOIC agent with the transport connection to handle abatement of realm-routed requests. Donovan & Campbell Expires January 4, 2015 [Page 22] Internet-Draft Abbreviated Title July 2014 +--+ **** +-+ +-+ |C1| *C2* |A| |S| +--+ **** +-+ +-+ | | | | 1> |-- xxR OC-S-F:C--------------------------->|-- xxR OC-S-F:C----->| | | | | 2> |<---------------------------xxA OC-S-F:S---|<-----xxA OC-S-F:S---| | | OLR | OLR | | | | | |HR abatement handled by C1 |RR abatement handled by A | | | | 3> | |-- xxR ------------->|-- xxR OC-S-F:A----->| | | | | 4> | |<------------- xxA---|<-----xxA OC-S-F:S---| | | | OLR | | | | | | | | HR and RR abatement | | | | handled by A | | | | | 5> | |-- xxR ------------->|-- xxR OC-S-F:A----->| | | | | 6> | |<------------- xxA---|<-----xxA OC-S-F:S---| | | | OLR | | | | | 7> | |-- xxR ------------->| | | | | | 8> | |<------------- xxA---| | | | Diameter-Throttled | | | | | Figure 11 1. Request from C1, a supporting TC. 2. Response indicating S is requesting a reduction in traffic sent due to an overload condition. C1 becomes responsible for abatement of host-routed requests and A becomes responsible for abatement of realm-routed requests. 3. Request from C2, a non-supporting TC. A inserts an OC-S-F AVP. 4. Response indicating that S is overloaded. A stores overload state based on the content of the overload report. A also removed the OC-S-F and OC-OLR AVPs from the answer message. A becomes responsible for abatement handling of all requests originated by C2. Donovan & Campbell Expires January 4, 2015 [Page 23] Internet-Draft Abbreviated Title July 2014 5. Request from non-supporting node originated after the overload report is received. This request survives abatement by A. 6. Response for message that survived abatement by A. 7. Request from non-supporting node originated after the overload report is received. This request does not survive abatement and is rejected by A. 8. Response for request that did not survive abatement by A, with an appropriate error code to indicate the request was throttled and should not be retried. 5.3.2. Non-supporting Transaction Server This section shows the case where there is a mix of transaction servers that support DOIC and those that do not support DOIC. In this case, it becomes the responsibility of a DOIC agent to become the reporting node for the non-supporting transaction server. The method the agent uses to determine if abatement of traffic is required for the non-supporting node is implementation specific. (For example, an agent may infer that a TS is overloaded by observing Diameter or transport errors, or it may have some proprietary, out- of-band mechanism for learning about TS overload.) +--+ +--+ |C1|----- -----|S1| +--+ \+--+/ +--+ |A1| +--+ /+--+\ **** |C2|----- -----*S2* +--+ **** Figure 12 Donovan & Campbell Expires January 4, 2015 [Page 24] Internet-Draft Abbreviated Title July 2014 +-+ --- +--+ **** |C| |A| |S1| *S2* +-+ --- +--+ **** | | | | 1> |-- xxR OC-S-F:C----->|-- xxR OC-S-F:C----->| | | | | | 2> |<-----xxA OC-S-F:S---|<-----xxA OC-S-F:S---| | | | OLR | | | | | | 3> |-- xxR OC-S-F:C----->| | | | | | | 4> | |-- xxR OC-S-F:C--------------------------->| | | | | 5> | |<-----------------------------------xxA ---| | | | | 6> |<-----xxA OC-S-F:A---| | | | OLR | | | | | | | Figure 13 1. Normal DOIC processing resulting in the request being routed to S1. 2. Normal DOIC processing. 3. Normal DOIC processing 4. Normal DOIC processing resulting in the request being routed to S2. The agent doesn't know yet that S2 doesn't support DOIC. 5. S2 does not support DOIC and, as a result, does not insert the OC-S-F AVP in the answer message. 6. A takes on responsibility for becoming the reporting node for S2, and inserts an OC-S-F AVP. In this case A has determined that S2 is in an overload condition and inserts an OC-OLR AVP in the answer message. C handles the OC-OLR overload report in the same way it handles all OC-OLR reports. Donovan & Campbell Expires January 4, 2015 [Page 25] Internet-Draft Abbreviated Title July 2014 5.3.3. Non-Supporting Agent There are two sub-cases for non-supporting agents. Figure 14 illustrates the first non-supporting agent case, where the first agent in a chain of agents does not support DOIC. In this case, A2 picks up the responsibility of handling overload abatement in the case that either C1 or C2 do not support DOIC. A2 is also responsible for abating realm-routed requests for host reports received from S1 or S2. +--+ +--+ |C1|----- -----|S1| +--+ \**** +--+/ +--+ *A1*------|A2| +--+ /**** +--+\ +--+ |C2|----- -----|S2| +--+ +--+ Figure 14 Figure 15 illustrates the second non-supporting agent case, where the last agent in the chain does not support DOIC. In this scenario, there is no DOIC node that has a direct transport connection with S1 and S2. As a result, there is no DOIC node that can correctly handle abatement of realm-routed requests resulting. In the example, A1 cannot perform diversion, because it cannot control whether any given request goes to S1 or S2. And it cannot correctly determine how much to throttle unless it has advance knowledge of the topology behind A2, which is currently out of scope for DOIC. As a result, this deployment scenario should be avoided. Donovan & Campbell Expires January 4, 2015 [Page 26] Internet-Draft Abbreviated Title July 2014 +--+ +--+ |C1|----- -----|S1| +--+ \+--+ ****/ +--+ |A1|------*A2* +--+ /+--+ ****\ +--+ |C2|----- -----|S2| +--+ +--+ Figure 15 5.3.4. DOIC Specification Impacts o Agents must be allowed to insert OC-S-F AVPs into request and answer messages. o Agents must be allowed to remove OC-S-F AVPs from request and answer messages. o Agents must be able to insert OC-OLR AVPs of type "Host Report" into answer messages. (The ability to insert OC-ORL AVPs of type "Realm Report" is already assumed.) o Agents must be allowed to remove OC-OLR AVPs from answer messages. o Agents must be allowed to abate host-routed requests. 5.4. Inter Domain Authentication Figure 16 shows three administrative domains, Dom 1, Dom 2, and Dom 3. Dom 3 does not wish information about the condition of it's network to be shared with Dom 1, but is willing to share overload information with Dom 2 in order to optimize inter-domain traffic. Donovan & Campbell Expires January 4, 2015 [Page 27] Internet-Draft Abbreviated Title July 2014 +--------------------+ +-----------+ +--------------------+ | Dom 1 | | Dom 2 | | Dom 3 | | +--+ | | | | +--+ | | |C1|----- | | +---+ | | -----|S1| | | +--+ \+--+--------|A2A|---------+--+/ +--+ | | |A1| | | +---+ | | |A3| | | +--+ /| | | | ***** | | | |\ +--+ | | |C2|----- +--+--------*A2B*---------+--+ -----|S2| | | +--+ | | ***** | | +--+ | | | | | | | +--------------------+ +-----------+ +--------------------+ Figure 16 Dom 2 in in the process of incremental deployment of DOIC. Agent A2A supports DOIC, but A2B does not. A1 and A3 are configured so that Diameter requests between them may traverse either A2A or A2B. Figure 17 shows a Diameter message exchange for each potential route. The originating TC and selected TS are not relevant for the example, so they are omitted from the diagram. +--+ +---+ ***** +--+ |A1| |A2A| *A2B* |A3| +--+ +---+ ***** +--+ | | | | 1> |-- xxR OC-S-F:A1---->|------xxR OC-S-F:A1----------------------->| | | | | 2> |<---------------xxA--|<---------------------------xxA OC-S-F:A3--| | | | | 3> |---xxR OC-S-F:A1-------------------------->|-xxR OC-S-F:A1------>| | | | | 4> |<---------------------------xxA OC-S-F:A3--|<-----xxA OC-S-F:A3--| | | | | Figure 17 1. A1 sends a request that contains OC-S-F:A1 to A2A. A2A supports the same DOIC capabilities, so it forwards the request with OC- S-F:A1 unchanged. 2. A3 receives the answer from the TC. It forwards the response to A2A, including it's capabilities in OC-S-F:A3. A2A is configured to enforce Dom 3's wishes that it's overload information not be Donovan & Campbell Expires January 4, 2015 [Page 28] Internet-Draft Abbreviated Title July 2014 sent to Dom 1, so it strips the AVP before forwarding the response back to A1. 3. A1 again sends a request including OC-S-F:A1, but this one traverses A2B. Since A2B does not support DOIC at all, it treats the AVP as an unknown AVP and forwards it unchanged to A3. Note that the OC-S-F AVP observed by A3 is identical to that from step 1. 4. A3 receives the answer from the TC. It mistakenly believes A2B supports DOIC, and therefore forwards the response with it's DOIC capabilities in OC-S-F:A3. Since A2B does not recognize the AVP, it forwards it back to A1 without change. This is a somewhat contrived example, but it shows a case where Dom 3 leaked information to an untrusted domain, because it could not tell the difference between an OC-S-F AVP received from a trusted peer that supports DOIC, or one forwarded from downstream by a non- supporting peer. 5.4.1. DOIC Specification Impacts A DOIC supporting node must be able to distinguish between an OC-S-F AVP sent by a peer that supports DOIC, and one sent by a non-adjacent node and forwarded by a non-supporting peer. That is not possible in DOIC at the time of this writing. The ability to limit overload information to nodes that are authorized to receive it may require the ability to fully attribute a given OC-S-F AVP to the node that included the AVP. Whether this is required, and how an AVP that is forwarded by a DOIC supporting relay is for further study. 6. Recommendations This section summarizes the recommendations made in previous sections. These recommendations are presented without normative language, but the authors expect that some of the recommendations will require new normative language in [I-D.ietf-dime-ovli]. Others may result in non-normative guidance. As noted earlier, nothing in this draft should imply that relays are required to deploy DOIC. The majority of these recommendations should be interpreted to allow certain relay behaviors, but not to require them, and to offer architectural guidance on how an operator can best utilize relays in a DOIC deployment if they choose to do so. Donovan & Campbell Expires January 4, 2015 [Page 29] Internet-Draft Abbreviated Title July 2014 6.1. General Recommendations This section describes recommendations that apply to the DOIC mechanism in general: The working group should define a "Diameter-Throttled" error code, that indicates a request has failed due to overload, and should not be retried.[Section 5.1.3] TCs need to recognize the Diameter- Throttled error code, and interpret it as a final failure for the transaction. The OC-OLR AVP syntax must allow multiple occurrences in the same Diameter answer message. [Section 5.1.3] 6.2. Agent Behavior Recommendations The discussion in Section 4, Section 3, and Section 5 suggest certain recommendations for DOIC supporting Diameter relay behavior. The authors recommend that language be added to [I-D.ietf-dime-ovli] to the general effect of the following sections: 6.2.1. Capabilites Exchange Behaviors This section describes recommended Agent behaviors with respect to the OC-Supported-Features AVP. A DOIC supporting agent may act as a reporting-node, a reacting-node, or both. An agent may act as a reporting node on behalf of a non-supporting TS, an abating node on behalf of a non-supporting TC.[Section 5.3] An agent that acts as a reacting node must include an OC-Supported- Features in each Diameter request that it forwards in that role. If the inbound request included an OC-Supported-Features AVP, the relay may copy its content to the one in the outbound request, or may replace the contents if it wishes to indicate different DOIC capabilities to upstream nodes. If an inbound request does not contain an OC-Supported-Features AVP, the agent must insert one into the outbound request, indicating the DOIC capabilities of the agent itself. An agent that acts as a reporting node must include an OC-Supported- Features AVP in each Diameter answer that it forwards in that role. If the agent modified the OC-Supported-Features AVP in the associated request, it must perform a reciprocal modification of the OC- Supported-Features AVP in the response. Donovan & Campbell Expires January 4, 2015 [Page 30] Internet-Draft Abbreviated Title July 2014 An agent that does not support the DOIC mechanism is likely to forward an OC-Supported-Features AVP without modification. A DOIC node must be able to tell between an OC-Supported-Features AVP that was forwarded by such a non-supporting agent, and one inserted or copied by a DOIC-supporting node.[Section 5.4] 6.2.2. Overload Report Behaviors When a DOIC-supporting relay inserts an OC-Supported-Features AVP (or passes through one received from downstream), it becomes responsible for ensuring that any OLRs it receives from upstream nodes are honored. It can honor an OLR by locally performing overload abatement, delegating abatement to downstream nodes, or a combination of both. If a relay can honor the OLR by locally diverting traffic, it should do so before resorting to throttling. For example, if a relay receives a realm report from its upstream peer, and has other less- overloaded peers that are valid for the realm and application, it diverts traffic to the less overloaded peers as needed. The relay should apply any knowledge it has of the peers' relative load and capacity in determining how to divert traffic. Note that only a relay that has a direct peer relationship with the servers in question can effectively perform diversion, since a Diameter node cannot directly control how upstream relays will route requests.[Section 5.1] When an overload condition requires throttling of traffic, an agent should delegate that throttling to downstream nodes if at all possible. Depending on local policy and the nature of the overload condition, this means the agent either originates a new OLR to send downstream, or forwards an OLR received from upstream. For example, if a relay receives a host report (which usually requires traffic throttling), the relay typically forwards that report downstream. The relay may modify the report based on local policy. If an agent needs to perform local throttling, it must explicitly reject each throttled request with a "Diameter-Throttled" error code.[Section 5.1] There may be circumstances where an agent must perform local throttling. An obvious example is when downstream nodes do not support DOIC, that is, requests from downstream nodes do not contain OC-Supported-Features AVPs. Mismatched upstream and downstream capabilities may require local throttling. For example, if a relay uses a rate-limiting abatement algorithm upstream, but downstream devices do not support rate-limiting, it may have to locally throttle traffic to meet its upstream Donovan & Campbell Expires January 4, 2015 [Page 31] Internet-Draft Abbreviated Title July 2014 abatement commitment. It might still invoke the "loss" algorithm downstream in order to reduce the amount of traffic that must be locally throttled.[Section 5.2, Section 5.3] A relay should apply all the information at hand to determine upstream overload. For example, if a relay receives a host-report from a directly attached TS, that relay can reasonable infer that the overload condition applies to all traffic for the realm, and perform local abatement by diverting realm-routed traffic to other servers. If there is insufficient capacity to do so, then it can generate realm-reports downstream. A relay might also have knowledge of the overload or load state of other nodes through some non-DOIC mechanism.[Section 5.1] Finally, a relay should not generate or forward OLRs in a way likely to cause redundant abatement. For example, if a relay locally throttles traffic due to a "loss" algorithm OLR, it should not forward the OLR downstream where other nodes will also apply abatement to the same traffic. [Section 5.3] The idea of redundant abatement is at least somewhat specific to the algorithm. For example, a rate-limiting algorithm might allow both local and delegated abatement, since the algorithm creates a maximum rate limit. On the other hand, the "loss" algorithm requests a percentage reduction. If a relay receives an OLR for a 10 percentage reduction, applies local throttling, and also forwards the OLR downstream, the 10% reduction may be applied twice. 7. Security Considerations Several use cases in this document involve Agents inserting, removing, or modifying DOIC related AVPs. [RFC6733] does not allow "relay" agents to modify any part of a Diameter message except for routing information. This has one of two implications; either relay agents cannot take an active role in DOIC, or the DOIC AVPs should be designated as "routing AVPs". The authors recommend the second. But regardless of whether a relay is allowed to modify DOIC AVPs, proxy agents will almost certainly need to do so. Diameter currently only offers hop-by-hop integrity protection of message contents, but the DIME working group is considering requirements for end-to-end protection [I-D.ietf-dime-e2e-sec-req] at the time of this writing. Those requirements currently recognize that different AVPs may require different security treatments. The working group should carefully consider how DOIC will interact with end-to-end security when it is completed. Donovan & Campbell Expires January 4, 2015 [Page 32] Internet-Draft Abbreviated Title July 2014 Until such end-to-end protection is deployed, Diameter follows a fundamentally transitive trust model. Adjacent nodes can authenticate each other's identity, and protect exchanged messages from tampering or eavesdropping. But Diameter nodes have no way of authenticating message content received from non-adjacent nodes, other than trusting the immediate peer to do the right thing. DOIC related information may be sensitive, and could be destructive if forged or modified by unauthorized parties. DOIC nodes must trust DOIC supporting peers to ensure that no unauthorized parties insert overload reports, and to ensure that reports are not delivered to unauthorized parties. Peers that do not support DOIC cannot be expected to enforce such policies. At the time of this writing, DOIC provides no way for a supporting node to distinguish between a DOIC AVP from a immediate peer that supports DOIC, and one forwarded by a non-supporting peer. This issue needs to be addressed before DOIC can meet requirements 27, 28, and 29 of [RFC7068] 8. References 8.1. Normative References [DOIC-rate] Donovan, S. and E. Noel, "Diameter Agent Overload", February 2014. [I-D.ietf-dime-ovli] Korhonen, J., Donovan, S., Campbell, B., and L. Morand, "Diameter Overload Indication Conveyance", draft-ietf- dime-ovli-02 (work in progress), March 2014. [RFC4006] Hakala, H., Mattila, L., Koskinen, J-P., Stura, M., and J. Loughney, "Diameter Credit-Control Application", RFC 4006, August 2005. [RFC6733] Fajardo, V., Arkko, J., Loughney, J., and G. Zorn, "Diameter Base Protocol", RFC 6733, October 2012. [agent-overload] Donovan, S., "Diameter Agent Overload", March 2014. 8.2. Informative References Donovan & Campbell Expires January 4, 2015 [Page 33] Internet-Draft Abbreviated Title July 2014 [I-D.ietf-dime-e2e-sec-req] Tschofenig, H., Korhonen, J., Zorn, G., and K. Pillay, "Diameter AVP Level Security: Scenarios and Requirements", draft-ietf-dime-e2e-sec-req-01 (work in progress), October 2013. [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, June 1999. [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, July 2003. [RFC7068] McMurry, E. and B. Campbell, "Diameter Overload Control Requirements", RFC 7068, November 2013. Authors' Addresses Steve Donovan Oracle Frisco, Texas USA Phone: +1 Email: srdonovan@usdonovans.com Ben Campbell Oracle Frisco, Texas USA Phone: +1 Email: ben@nostrum.com Donovan & Campbell Expires January 4, 2015 [Page 34]