The invention addresses routing of Diameter messages, for example for use in large Authentication, Authorization and Accounting (AAA) infrastructure deployments using overlay networks for dynamic agent discovery.
Large Diameter based AAA infrastructures are being deployed, for example, for 3GPP Rel-8 LTE (Long Term Evolution) roaming networks. Diameter based protocols are being used in the infrastructures, which are intended to provide an AAA framework for applications such as network access or IP mobility. Diameter node is also intended to work in local authentication, authorization & accounting and roaming situations. The detailed description of such protocol can be found from RFC 3588.
Large Diameter infrastructures normally consist of multiple Diameter nodes, providing various kinds of applications and spanning over multiple realms. They are hard to manage when using manual AAA routing configuration. Large manually administrated infrastructures are a big burden to maintain and are prone to configuration errors.
Prior art solution in RFC3588 already describes a Domain Name System (DNS) based solution for dynamic Diameter server discovery. However, such DNS-based approach has a few known issues:
The DNS-based discovery is not aware of applications, which makes the discovery inefficient if a queried realm has deployed multiple agents that have different sets of applications.
Geographical information of Diameter nodes can not be traced in the DNS-based agent discovery method. Such information may be useful when considering load balancing issues and optimizing routing path in view of billing scheme provided by operators. As stated before, maintaining up-to-date AAA routing information can be an issue for big operators, especially when the number of Diameter nodes and applications grow. Moreover, DNS-based server discovery method only works properly in inter-realm cases. It does not really work within one realm, for example, one Diameter node cannot find or even does not attempt to dynamically find another Diameter node located within the same realm.
An IETF draft (http://tools.ietf.org/html/draft-ietf-dime-extended-naptr-01#page-4) provides an extension to RFC3588 that allows embedding application information to the DNS-based agent discovery. The extended format of Name Authority Pointer (NAPTR) provides a mapping from a domain to the service (SRV) record for contacting a server supporting a specific transport protocol and Diameter application. The resource record will contain an empty regular expression and a replacement value, which points to a SRV record for that particular transport protocol. Alternatively the NAPTR points to a A/AAAA (A ==IPv4 address, AAAA ==IPv6 address) record naming specific agent. If a Diameter node supports multiple transport protocols, there will be multiple NAPTR records, each with a different service field value and potentially different list of supported Diameter applications. The pre-condition for this mechanism to work is that the DNS administrator of the queried domain has already provisioned the DNS with extended format NAPTR entries.
However this solution still requires the presence of DNS and also greatly increases the DNS administration tasks. Moreover, the said solution is still designed to work in inter-realm cases.
A solution to overcome these problems should ideally fulfill at least some of the following criteria. A Diameter based infrastructure should not be centrally managed; instead it should have the self-organizing capability. The solution should be independent of any existing or future Diameter application. It should be robust when infrastructure changes with minimum disruption in service and routing functionality. In particular, it is important that the network is resilient when constituent node dies or a new node joins the network.
Moreover, the network should not require bilateral updates between realms due to any update in a peer agent of other realm. The solution should function in both single realm and inter-realm situation.
It is an object of the invention to provide a solution to overcome the above-mentioned problems and also to fulfill the above requirements.
The present invention and its embodiments seek to address one or more of the above-described drawbacks and shortcomings.
According to a exemplary first aspect of the invention, there is provided a method for node discovery. The method comprises determining if an entry relating to a desired service is found in a table stored in a first node; performing a hash transform to a pair of data comprising a domain name and an application identifier relating to the desired service to obtain a key if the entry is not found in the table; sending a query comprising the obtained key to an overlay network, wherein the first node is either part of the overlay network or connected to the overlay network through a proxy or an agent; obtaining a data object associated with the key from the overlay network; and updating the table based on the data object.
According to further development or modification of the invention, said domain name in said pair of data comprises a realm of a second node that is able to provide the desired service, wherein the second node is either part of the overlay network or connected to the overlay network through a proxy or an agent and said data object comprises a fully qualified domain name of the second node.
According to one embodiment of the invention, said domain name in said pair of data comprises a fully qualified domain name of a second node that is able to provide the desired service, wherein the second node is either part of the overlay network or connected to the overlay network through a proxy or an agent and said data object comprises a realm of the second node.
Said data object may further comprises a list of application identifiers relating to the services the second node is able to provide, an IP address of the second node, geographical information of the second node and hop-by-hop security related information of the second node, wherein said list of application identifiers comprises at least one application identifier.
According to another aspect of the invention, there is provided a node for discovering another node. Said node comprises a table configured to store at least an entry relating to any service that any other node is able to provide;
a processor configured to determine if an entry relating to a desired service is found in said table, perform a hash transform to a pair of data comprising a domain name and an application identifier relating to the desired service to obtain a key if the entry is not found in the table; through a unit, send a query comprising the obtained key to an overlay network, through said unit, obtain a data object associated with the key from the overlay network; and update the table based on the data object; wherein said node being a first node and connected to the overlay network.
According to yet another aspect of the invention, there is provided a node for discovering another node. Said node comprises a table for storing at least an entry relating to any service that any other node is able to provide; a processing means for determining if an entry relating to a desired service is found in said table, performing a hash transform to a pair of data comprising a domain name and an application identifier relating to the desired service to obtain a key if the entry is not found in the table; through a unit, sending a query comprising the obtained key to an overlay network, through said unit, obtaining a data object associated with the key from the overlay network; and updating the table based on the data object; wherein said node being a first node and connected to the overlay network.
According to further development or modification of the invention, said domain name in said pair of data comprises a realm of a second node that is able to provide the desired service, wherein the second node is either part of the overlay network or connected to the overlay network through a proxy or an agent and said data object comprises a fully qualified domain name of the second node.
According to one embodiment of the invention, said domain name in said pair of data comprises a fully qualified domain name of a second node that is able to provide the desired service, wherein the second node is either part of the overlay network or connected to the overlay network through a proxy or an agent and said data object comprises a realm of the second node.
According to one embodiment of the invention, said data object further comprises a list of application identifiers relating to the services the second node is able to provide, an IP address of the second node, geographical information of the second node and hop-by-hop security related information of the second node, wherein said list of application identifiers comprises at least one application identifier.
The first node may further comprise said unit. Alternatively, the said unit may be located outside of the first node.
According to one aspect of the invention, there is provided an overlay network comprising a plurality of nodes described above, wherein each of said plurality of nodes is either a constituent node of said overlay network or connected to said overlay network through a proxy or an agent.
According to one aspect of the invention, there is provided a computer program comprising: code (or some other means) for determining if an entry relating to a desired service is found in a table stored in a first node; code (or some other means) for performing a hash transform to a pair of data comprising a domain name and an application identifier relating to the desired service to obtain a key if the entry is not found in the table; code (or some other means) for sending a query comprising the obtained key to an overlay network, wherein the first node is either part of the overlay network or connected to the overlay network through a proxy or an agent; code (or some other means) for obtaining a data object associated with the key from the overlay network; and code (or some other means) for updating the table based on the data object. The computer program may be a computer program product comprising a computer-readable medium bearing computer program code embodied therein for use with a computer.
The invention takes the advantage of overlay network which fulfils most of the requirements mentioned above.
An overlay network is a virtual network of nodes and logical links that is built on top of an existing network with the purpose to implement a network service that is not available in the existing network.
An overlay network is uniquely identified by an overlay identifier, called Overlay ID. Each overlay network is associated with a set of attributes which specify the properties of the node constituting the overlay network.
An overlay network is created by generating a unique overlay ID and by specifying the attributes of the overlay network that are associated with the overlay ID. To join an existing overlay network, a node must obtain the overlay ID and the attributes of the overlay network. The attributes of an overlay network must be known at the time when an overlay socket is created.
The overlay ID is a string that identifies an overlay network. It can be used as a key to look up the attributes of an overlay network. The overlay ID should be a globally unique identifier.
For example, many peer-to-peer networks are overlay networks because they run on top of the Internet. A peer-to-peer, commonly abbreviated to P2P, is any distributed network architecture composed of participants that make a portion of their resources (such as processing power, disk storage or network bandwidth) directly available to other network participants, without the need for central coordination instances (such as servers or stable hosts). Peers are both suppliers and consumers of resources, in contrast to the traditional client-server model where only servers supply, and clients consume.
Often, Distributed Hash Tables (DHTs) are used in an overlay network for routing messages. DHTs are a class of decentralized distributed systems that provide a lookup service similar to a hash table: (key, value) pairs are stored in the DHT, and any participating node can efficiently retrieve the value associated with a given key.
Responsibility for maintaining the mapping from keys to values is distributed among the nodes, in such a way that a change in the set of participants causes a minimal amount of disruption. This allows DHTs to scale to extremely large numbers of nodes and to handle continual node arrivals, departures, and failures. DHTs form an infrastructure that can be used to build peer-to-peer networks.
As depicted in step 21 in
According to one embodiment of the invention, the domain name in the pair of data is the realm of the node. In this case, the data object may comprise a list of application identifiers relating to the services the node is able to provide, the FQDN and the IP address of the node, the geographical information of the node and the hop-by-hop security related information of the node.
With the help of geographical information of a Diameter node, it is possible to identify the Diameter node(s) located within the same region (e.g. country, state, city, or even town). So a Diameter node may take the advantage of this information to optimize the choice of routing path based on the billing scheme provided by operators, for example.
According to another embodiment of the invention, the domain name in the pair of data is the FQDN of the node. In this case, the data object may comprise a list of application identifiers relating to the services the node is able to provide, the realm and the IP address of the node, the geographical information of the node and the hop-by-hop security related information of the node.
Normally the realm of a Diameter node can be derived from the FQDN (i.e. the DiameterIdentity of the Diameter node) of the Diameter node. Both are piggybacked on the administration of the DNS namespace. Diameter makes use of the realm, also loosely refers it to as its domain. However, there is no strict rule in Diameter based protocols that the domain part of the DiameterIdentity should be equal to the realm where the Diameter node is located. The only practical requirement is that both DiameterIdentity and realm are under the same DNS administration. In other words, sometimes, the realm of a Diameter node may not be derived from the FQDN. For example, a node with FQDN (server2.company.net) may be located in the realm (company.com)
The pair (i.e. key, data object) may be stored in one of the other Diameter nodes, which is also called peer node, constituting or connecting to the overlay network. As stated before, the peer node may communicate with the overlay network through a proxy/agent, it is not mandatory that the peer node itself has to be a part of overlay network.
In this way, the overlay network is aware of the existence of a Diameter node, no matter if it joins the overlay network by itself or via a proxy/agent, and its corresponding application identifiers relating to services that the node is able to provide.
Assuming a Diameter node wants to find another Diameter node in order to obtain a desired service,
In step 31 of
The overlay network takes care of the routing of the query message automatically. The query message may travel from one node to another until it reaches a peer node storing the data object associated with the key. A detailed explanation will be given in
However, the data object may not be obtained if the key and the associated data object pair have not been stored in any of the nodes constituting or connecting to the overlay network. In this case the query to the overlay network would fail to obtain the associated data object, instead, zero data object is returned to the node sending the request, which indicates that an data object corresponding to the key does not exist. An appropriate error code (such as DIAMETER_UNABLE_TO_DELIVER, DIAMETRE_REALM_NOT_SERVED or DIAMETER_APPLICATION_UNSUPPORTED) may also be propagated to Diameter node sending the query message.
Assuming that the pair (key, data object) have been stored in the overlay network (i.e. in some node(s) constituting or connecting to the overlay network), the node sending the query message may receive the data object as shown in step 35. The data object may comprise a list of application identifiers relating to the desired service a Diameter node is able to provide, the domain name and the IP address of the node, the geographical information of the node and the hop-by-hop security related information of the node. The domain name may be either the realm or FQDN of the Diameter node providing the desired service.
Based on the obtained data object, the Diameter node sending the query message may update its realm-based routing table and also the peer table. The realm name field in realm-based routing table may be updated by the realm, either known (from the pair of data being hashed) or obtained from the data object. The
Diameter application identifier field in realm-based routing table may be updated by the application identifier already known and also by the list of application identifiers from the data object. Host identity field in peer table may be updated by the FQDN, either already known (from the pair of data being hashed) or obtained from the data object. The additional security information field in peer table may be updated by the hop-by-hop security related information obtained from the data object. The IP address and geographical information may be added to the peer table. Then, an entry in the realm-based routing table may be set up to associate with the peer table. With the updated realm-based routing table and the peer table, the node sending the query message may request the desired service from the node providing such service.
According to one embodiment as depicted in
According to another embodiment as depicted in
Through the unit (43), the processor (42) may communicate to the overlay network, to which the node (A or B) is connected, so that the node performs as a constituent node of the overlay network no matter if the node itself is part of the overlay network. The processor (42) may inform the overlay that the obtained key is associated with a data object, i.e. (key, data object) (i.e. step 22 in
According to one embodiment of the invention, the domain name in the pair of data is the realm of the node (A or B) (40). In this case, the data object may comprise a list of application identifiers relating to the services the node is able to provide, the FQDN and the IP address of the node, the geographical information of the node and the hop-by-hop security related information of the node.
According to another embodiment of the invention, the domain name in the pair of data is the FQDN of the node (A or B) (40). In this case, the data object may comprise a list of application identifiers relating to the services the node is able to provide, the realm and the IP address of the node, the geographical information of the node and the hop-by-hop security related information of the node.
When the node, either A or B (40), in
If the requested data object is available from the overlay network, it may also be received by the processor (42) through the unit (43).
The data object may comprise a list of application identifiers relating to the desired services another node is able to provide, the domain name and the IP address of the node, the geographical information of the node, and the hop-by-hop security related information of the node. The domain name may be either the realm or FQDN of the node.
According to one embodiment of the invention, the domain name in the pair of data is the realm of the node that is able to provide the desired service. In this case, the data object may comprise a list of application identifiers relating to the services the node is able to provide, the FQDN and the IP address of the node, the geographical information of the node and the hop-by-hop security related information of the node.
According to another embodiment of the invention, the domain name in the pair of data is the FQDN of the node that is able to provide the desired service. In this case, the data object may comprise a list of application identifiers relating to the services the node is able to provide, the realm and the IP address of the node, the geographical information of the node and the hop-by-hop security related information of the node.
Based on the obtained data object, the processor (42) may update its realm-based routing table (411) and peer table (412).
The realm name field in realm-based routing table may be updated by the realm, either known (from the pair of data being hashed) or obtained from the data object. The Diameter application identifier field in realm-based routing table may be updated by the application identifier already known and also the list of application identifiers from the data object. Host identity field in peer table may be updated by the FQDN, either already known (from the pair of data being hashed) or obtained from the data object. The additional security information field in peer table may be updated by the hop-by-hop security related information obtained from the data object. The IP address and geographical information may be added to the peer table.
Then, the processor (42) may set up an entry in the realm-based routing table so as to associate with the peer table. With the updated realm-based routing table and the peer table, the processor may request the desired service from the node that is able to provide such service.
However, as stated before, it is not mandatory that every Diameter node has to join the overlay network. Some Diameter nodes, especially those that act as “clients” or “servers” deep in operator's core network may just use the information available in the overlay network through some local relay/proxy agent which is part of the overlay. The intention is that not all Diameter nodes have to be upgraded to be aware of overlay network. The nodes A and B illustrate these two arrangements.
Yet, according to another embodiment of the invention, Realm H (51) does not have an edge node. A Diameter node Ag in Realm H (51) may also be part of the overlay, and thus it is also called P9.
Upon joining the overlay network (50), each Diameter node may advertise service it may provide and the corresponding Diameter application identifier if any as being described in
Let's assume, P9 wants to request a desired service from a Diameter node in Realm E (54). If the Ag/P9 can find an entry in its realm-based routing table regarding the desired service, it may contact the node Ag in Realm E (54) via P5 directly as indicated by the dotted line.
However, if no entry is found, Ag/P9 may perform Hash transform to a pair of data comprising a domain name (in this case, it can be the realm of Realm E (54)) and an application identifier associated with the desired service (i.e. step 32 in
The overlay network takes care of the query message automatically. In the example illustrated in
Through the edge node P4 in Realm D (53), the Diameter node Ag in Realm D (53) may receive the forwarded query message. Assuming the Diameter node Ag in Realm D (53) is aware of the key, it may provide the data object associated with the key and send it back to the Diameter node Ag in Realm A (52). Upon receiving the data object, the Diameter node Ag in Realm A may forward it to the node Ag/P9 in Realm H (51).
Based on the received data object, Ag/P9 in Realm H (51) may update its realm-based routing table (411) and peer table (412). Then it may contact in the node Ag in Realm E (54) via P5 directly as indicated by the dotted line to request the desired service.
Only the servers directly connected to the overlay network need to be upgraded to be overlay compatible. Others may still be legacy Diameter nodes and communicate with overlay network via proxy/agent.
As the matter of fact, the realm/ FQDN+application is the fundamental information where the Diameter AAA routing is based. The invention fulfils the requirements for Diameter servers mentioned above and with the advantages that there is no need to rely on centralized DNS infrastructure for discovering Diameter peers. The overlay network is typically resilient to changes (e.g. nodes joining and leaving the network) and does not need centralized management. Thus it is much easier to implement and administrate than any DNS-based system.
Moreover, the invention also provides other useful information such as geographical location that can be used to select a closer peer server if several responses are received.
Another advantage of overlay network is that it can be deployed internally within a realm and that network does not need to be visible to the global roaming infrastructure.
For the purpose of the present invention as described above, it should be noted that
It is to be understood that the above description is illustrative of the invention and is not to be construed as limiting the invention. Various modifications and applications may occur to those skilled in the art without departing from the true spirit and scope of the invention as defined by the appended claims.
Number | Date | Country | Kind |
---|---|---|---|
PCT/EP2010/059909 | Jul 2010 | EP | regional |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP2011/059322 | 6/7/2011 | WO | 00 | 1/9/2013 |