6.1.9. Relaying and Proxying Requests
A relay or proxy agent MUST append a Route-Record AVP to all requests forwarded. The AVP contains the identity of the peer from which the request was received.
The Hop-by-Hop Identifier in the request is saved and replaced with a locally unique value. The source of the request is also saved, which includes the IP address, port, and protocol.
A relay or proxy agent MAY include the Proxy-Info AVP in requests if it requires access to any local state information when the corresponding response is received. The Proxy-Info AVP has security implications as state information is distributed to other entities. As such, it is RECOMMENDED that the content of the Proxy-Info AVP be protected with cryptographic mechanisms, for example, by using a keyed message digest such as HMAC-SHA1 [RFC2104]. Such a mechanism, however, requires the management of keys, although only locally at the Diameter server. Still, a full description of the management of the keys used to protect the Proxy-Info AVP is beyond the scope of this document. Below is a list of common recommendations:
- The keys should be generated securely following the randomness recommendations in [RFC4086].
- The keys and cryptographic protection algorithms should be at least 128 bits in strength.
- The keys should not be used for any other purpose than generating and verifying instances of the Proxy-Info AVP.
- The keys should be changed regularly.
- The keys should be changed if the AVP format or cryptographic protection algorithms change.
The message is then forwarded to the next hop, as identified in the routing table.
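The relay steps above (save and replace the Hop-by-Hop Identifier, record the source, append Route-Record, attach a MAC-protected Proxy-Info) as an added Python model; this is example code, not part of RFC 6733 or any Diameter implementation. The Proxy-State encoding (format byte, length, state, HMAC-SHA256 tag), the dict-based message representation and the identities are assumptions chosen for illustration.

```python
import hmac, hashlib, struct

PROXY_STATE_FORMAT = 1   # assumed format tag; bound into the MAC so a format change invalidates old state

def protect_proxy_state(key, state):
    """Build a Proxy-State value: format || length || state || HMAC-SHA256 tag."""
    header = struct.pack("!BH", PROXY_STATE_FORMAT, len(state))
    tag = hmac.new(key, header + state, hashlib.sha256).digest()
    return header + state + tag

def verify_proxy_state(key, value):
    """Return the protected state, or None if it was altered, truncated or uses another format."""
    fmt, length = struct.unpack("!BH", value[:3].ljust(3, b"\0"))  # pad so short input parses to a mismatch
    if fmt != PROXY_STATE_FORMAT or len(value) != 35 + length:
        return None
    body, tag = value[:3 + length], value[3 + length:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return body[3:] if hmac.compare_digest(tag, expected) else None  # constant-time comparison

class RelayAgent:
    def __init__(self, identity, proxy_state_key):
        self.identity = identity
        self.key = proxy_state_key   # dedicated to Proxy-State only, per the key recommendations above
        self.next_id = 0             # source of locally unique Hop-by-Hop Identifiers
        self.pending = {}            # local Hop-by-Hop Id -> (original Id, peer identity, transport source)

    def forward_request(self, request, peer_identity, source):
        """Rewrite Hop-by-Hop, append Route-Record, attach protected Proxy-Info; source is (ip, port, proto)."""
        local_id, self.next_id = self.next_id, (self.next_id + 1) % 2**32
        self.pending[local_id] = (request["Hop-by-Hop"], peer_identity, source)
        fwd = dict(request)
        fwd["Hop-by-Hop"] = local_id
        fwd["Route-Record"] = request.get("Route-Record", []) + [peer_identity]
        state = protect_proxy_state(self.key, peer_identity.encode())
        fwd["Proxy-Info"] = {"Proxy-Host": self.identity, "Proxy-State": state}
        return fwd

    def relay_answer(self, answer):
        """Match the answer to its request; drop it if our Proxy-Info does not verify."""
        saved = self.pending.pop(answer["Hop-by-Hop"], None)
        if saved is None:
            return None
        original_id, peer_identity, source = saved
        info = answer.get("Proxy-Info", {})
        state = verify_proxy_state(self.key, info.get("Proxy-State", b""))
        if info.get("Proxy-Host") != self.identity or state != peer_identity.encode():
            return None
        back = {k: v for k, v in answer.items() if k != "Proxy-Info"}  # strip our own Proxy-Info
        back["Hop-by-Hop"] = original_id
        return back, source
```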
Figure 6 provides an example of message routing using the procedures listed in these sections.
     (Origin-Host=nas.example.net)   (Origin-Host=nas.example.net)
     (Origin-Realm=example.net)      (Origin-Realm=example.net)
     (Destination-Realm=example.com) (Destination-Realm=example.com)
                                     (Route-Record=nas.example.net)
      +------+      ------>      +------+      ------>      +------+
      |      |     (Request)     |      |     (Request)     |      |
      | NAS  +-------------------+ DRL  +-------------------+ HMS  |
      |      |                   |      |                   |      |
      +------+     <------       +------+     <------       +------+
    example.net    (Answer)    example.net    (Answer)    example.com
     (Origin-Host=hms.example.com)  (Origin-Host=hms.example.com)
     (Origin-Realm=example.com)     (Origin-Realm=example.com)

             Figure 6: Routing of Diameter messages
Relay and proxy agents are not required to perform full inspection of incoming messages. At a minimum, the message header and the relevant routing AVPs have to be validated when relaying messages. Proxy agents may optionally perform more in-depth message validation for the applications in which they are interested.