3GPP Policy and Charging Control for Wireline Provisioning and Accounting
3GPP Policy and Charging Control Overview for Wireline Provisioning and Accounting
The 3rd Generation Partnership Project (3GPP) Policy and Charging Control (PCC) provides the unification of wireline provisioning and accounting for customers. Figure 1 shows the components of an overall 3GPP PCC architecture.
The four major components of the PCC architecture are:
Policy and Charging Rules Function (PCRF)—A centralized policy decision point that deploys business policy and charging rules to allocate broadband network resources and manages flow-based charges for subscribers and services. PCRF pushes the rules down to the Policy and Charging Enforcement Function (PCEF) using the 3GPP Gx protocol and online policy interface.
Policy and Charging Enforcement Function (PCEF)—A function that provides user traffic handling and QoS at the gateway, provides service data flow detection, and applies the rules received from the PCRF. PCEF optionally interacts with the Online Charging Function (OCF) within the Online Charging System (OCS) using the 3GPP Gy protocol to retrieve policy and charging authorization for quotas and credit control.
Online Charging System (OCS)—The component responsible for interacting with the PCEF. The PCEF optionally reports usage and receives additional authorizations from the OCS using the 3GPP Gy protocol. Broadband PCEF (BPCEF) interactions with the OCS use online session charging with centralized unit determination and centralized rating.
Offline Charging System (OFCS)—A process where charging information for network resource usage is collected concurrently with that resource usage. If credit-based authorization is not required, the PCEF applies policies and report usage to the OFCS using the 3GPP Gz protocol. You can also use the OCS as the primary accounting destination and use the OFCS as a backup.
Table 1 lists the functionality differences between PCRF and PCEF.
Functionality |
PCRF |
PCEF |
|---|---|---|
Charging policing implementation |
Involved at different levels; aggregates information inside the hosting network and is considered part of the PCC architecture. |
Involved at different levels; located at the gateway. |
Functions included |
Includes mainly policy control decision and flow-based control functions. |
Includes policy enforcement and flow-based charging functions. |
Predefined PCC rules |
Activation or deactivation of predefined PCC rules can only be done by the PCRF. |
Preconfigured by the PCEF. |
Online and offline charging interactions |
Not supported |
Supported |
The three other components that make up the PCC architecture in Figure 1 are:
Application Function (AP)—The Application Function interacts with applications or services that require dynamic PCC. The Application Function extracts session information from the application signalling and provides application session-related information to the PCRF using the Rx protocol.
Subscription Profile Repository (SPR)—SPR contains subscriber and subscription information on a per-packet data network (PDN) basis. The Sp protocol enables the PCRF to request subscription information related to a subscriber's service or session.
Bearer Binding and Event Reporting Function (BBERF)—The PCC rule needs to be mapped to a particular IP bearer to ensure the packets receive the appropriate QoS treatment. The association between a PCC rule and a bearer is referred to as bearer binding. The BBERF location depends on the access technology. For 3GPP, the BBERF is located in the serving gateway and uses the Gxx protocol.
Benefits of 3GPP Policy and Charging Control Architecture
Provides a unified framework for wireline subscriber provisioning and accounting.
Policy and Charging Enforcement Function Overview for Broadband Wireline Subscribers
The Policy and Charging Enforcement Function (PCEF) is one of four major components of the 3rd Generation Partnership Project (3GPP) Policy and Charging Control (PCC) architecture in Figure 2.
PCEF provides user traffic handling and quality of service (QoS) at the gateway, provides service data flow detection, and applies the rules received from the Policy Control and Charging Rules Function (PCRF). 3GPP defines Gx as the online policy protocol between the PCRF and the PCEF to provide control over policy and flow-based charges for subscribers. The PCRF is a centralized policy decision point that deploys business policy rules to allocate broadband network resources and manages flow-based charges for subscribers and services. Optionally, the PCEF interacts with the Online Charging System (OCS) using the 3GPP Gy protocol to retrieve policy and charging authorization for quotas and credit control.
PCEF provides support for the following environments:
Wireline Access Environment
For mobile subscribers, the user equipment requests services; for broadband wireline subscribers, the PCRF requests services. In the wireline environment, PCRF functions as the service requester, and the PCEF functions as the service receiver and enforcer.
Adapting the PCC model in a wireline environment provides these benefits:
Convenience
Advanced technology
Already implemented by the wireless branch of the carrier that often provides a much bigger business than the wireline branch
The PCRF controls the PCEF by pushing charging rules. Charging rules are reused as service (policy) rules to push policies. Charging rules may also have an associated rating group, or charging key. As a result, the PCEF configuration must define charging rules and mapping between credit control services (cc-services) and rating groups.
In many instances, both OCS and Offline Charging System (OFCS) 3GPP accounting services require Mobile Station International Subscriber Directory Number (MSISDN) be used for subscriber identification. The MSISDN is passed as the subscription ID. While each mobile user equipment device has an associated MSISDN, this information is not available for wireline subscribers. To enable the PCRF to dynamically pass subscription-ID parameters, and support a variety of authentication, authorization, and provisioning configuration, the Juniper attribute-value pairs (AVPs) in Table 2 have been allocated from the Juniper Vendor-ID space (2636) vendor-specific attribute (VSA).
If no dynamic-subscription ID is received, then neither OCS or OFCS communications are initiated.
AVP Name |
Vendor-ID |
AVP Type |
Diameter Type |
Diameter Flag |
|---|---|---|---|---|
Juniper-Dyn-Subscription-Indicator |
2636 |
10001 |
Enum |
V |
Juniper-Dyn-Subscription-Id |
2636 |
10002 |
Grouped |
VM |
Juniper-Dyn-Subscription-Id-Type |
2636 |
10003 |
Integer32 |
VM |
Juniper-Dyn-Subscription-Id-Data |
2636 |
10004 |
UTF8String |
VM |
The client system (router) sends the Juniper-Dyn-Subscription-Id-Indicator AVP to indicate support of the dynamic assignment of the subscription ID. The Juniper-Dyn-Subscription-Id-Indicator attribute has two values:
DYN_SUBSCRIPtION_NOT_SUPPORTED (0)
DYN_SUBSCRIPTION_SUPPORTED (1)
The server then sends the Juniper-Dyn-Subscription-Id AVP to the client that indicated support. This is a grouped AVP that contains the values to be sent as Subscription-Id-Type and Subscription-Id-Data.
The PCRF server may use standard Subscription-Id AVP to communicate the dynamic-subscription ID to the router.
If both Juniper-Dyn-Subscription-Id and Subscription-Id are sent by the PCRF, the Subscription-Id value is used.
In many cases, wireline subscribers support only one IP family, which is required information for both AAA service and PCRF. To indicate this information, the Juniper-Network-Family-Indicator AVP has been allocated from the Juniper Vendor-ID space (2636) VSA in Table 3.
AVP Name |
Vendor-ID |
AVP Type |
Diameter Type |
Diameter Flag |
|---|---|---|---|---|
Juniper-Network-Family-Indicator |
2636 |
10010 |
Enum |
V |
The client system (router) sends the Juniper-Network-Family-Indicator AVP to indicate which network families are associated with the service request and supported by the subscriber. When you configure the Juniper-Network-Family-Indicator AVP to indicate the associated network family, the system sends the information to the PCRF. The Juniper-Network-Family-Indicator attribute has four values:
UNSPECIFIED (0)
IPV4_FAMILY (1)
IPV6_FAMILY (2)
IPV4_IPV6_FAMILY (3)
Wireline customers often control user services solely through
the PCRF and use the OCS as a convenient real-time usage monitoring
mechanism rather than as an enforcement unit. To decrease the number
of possible erroneous OCS configurations, include the force-continue statement at the [edit access ocs partition partition-name] hierarchy level to force the broadband
PCEF (BPCEF) to limit the impact of negative responses from the OCS
and quota expirations, and to prevent sending OCS notifications for
affected rating-groups. Whenever the PCEF receives a negative response
to any reported group, it stops reporting this group to the OCS.
Junos OS Environment
There are three categories of dynamic-profiles within the Junos OS environment:
client-dynamic-profiles
cos-service-dynamic-profiles
firewall-service-dynamic-profiles
Client-dynamic-profiles and cos-service-dynamic-profiles define bandwidth and other characteristics of the services provided to a subscriber; the firewall-service-profiles perform filtering and usage counting. For all of the dynamic-profiles’ categories, the service-dynamic-profile name is used as the value of a Charging-Rule-Name AVP.
When the service-dynamic-profile has no variables, or when defaults provided in service-dynamic-profile definition are requested, no additional elements are required. To provide custom values for a service-dynamic-profile, use the Charging-Rule-Definition AVP with additional VSAs.
The PCRF uses existing Juniper-Substitution VSAs (Vendor-ID 2636 and Type 2024) to supply attributes as a name-value pairs. The PCRF may also include parameters as positional notation for part of the rule name. The Redirect-Information AVP (Vendor-ID 10415 and Type 1085) supplies a value for the Redirect-URL parameter.
For every possible service-dynamic-profile parameter name requested by customers, a new Juniper-Parameter VSA is defined. Table 4 describes the initial set of fixed Juniper-Parameter VSAs.
Parameter |
VSA Name |
Vendor-ID |
Type |
Diameter Type |
|---|---|---|---|---|
Cos-Tcp |
Juniper-Param-Cos-Tcp |
2636 |
10005 |
UTF8String |
V4-Firewall-Input-Filter |
Juniper-Param-V4-Firewall-Input-Filter |
2636 |
10006 |
UTF8String |
V4-Firewall-Output-Filter |
Juniper-Param-V4-Firewall-Output-Filter |
2636 |
10007 |
UTF8String |
V6-Firewall-Input-Filter |
Juniper-Param-V6-Firewall-Input-Filter |
2636 |
10008 |
UTF8String |
V6-Firewall-Output-Filter |
Juniper-Param-V6-Firewall-Output-Filter |
2636 |
10009 |
UTF8String |
If parameters or the Service-Identifier and Rating-Group are required to be indicated by the PCRF, the Charging-Rule-Definition AVP is used; otherwise, the Charging-Rule-Name AVP is used.
Charging-Rule-Definition ::= < AVP Header: 1003 >
{ Charging-Rule-Name }
[ Service-Identifier ]
[ Rating-Group ]
[ Online ]
[ Precedence ]
[ Juniper-Param-VSA ]
[ AVPs ] – standard AVPs used as parameters
For instances when there is a Service-Identifier and Rating-Group combination, or when only the Service-Identifier or only the Rating-Group is specified, the combination must be unique among the rules installed for a subscriber. You configure the service-context-id on the router.
Understanding Gx Interactions Between the Router and the PCRF
The sequences of Diameter messages are exchanged by means of the 3rd Generation Partnership Project (3GPP) Gx protocol between the Policy Control and Rules Charging Function (PCRF) and the router acting as a Policy and Charging Enforcement Function (PCEF).
Starting in Junos OS Release 17.3R1, support for additional OCS and PCRF features are added using Gy and Gx protocols. The new statements:
accept-sdris added for PCRF partition at the hierarchy level[edit access pcrf partition partition-name].alternative-partition-nameis added for OCS partition at the hierarchy level[edit access ocs partition partition-name].
They interact to perform the following subscriber access tasks:
- Subscriber Login
- Subscriber Login Error Recovery
- Subscriber Update
- Subscriber Logout
- Subscriber Disconnect
- Connectivity Fault Recovery
Subscriber Login
The router sends a Diameter CCR request containing a fixed set
of required information to a policy manager (PCRF) and receives a
CCA response containing policies and other information. Gx provisioning
is enabled for subscribers when you include the provisioning-order pcrf statement at the [edit access profile profile-name] hierarchy level. When an application
requests AAA to activate the subscriber's session, the router sends
a CCR-GX-I (where I represents INITIAL_REQUEST) message to the PCRF
to request a fix set of provisioning information for the subscriber
session, and receives a CCA-GX-I response message containing policies
and other information, including the Result-Code AVP (AVP code 268).
When you configure the provisioning-order statement in
the access profile, the broadband PCEF (BPCEF) module sends a provisioning
request to the PCRF during the client activation. The following examples
show a CCR-GX-I and CCA-GX-I packet exchange:
CCR-GX-I Packet Example
CCR-GX-I ::= <Diameter Header: 272, REQ, PXY 16777238>
{ <Session-Id> }
{ Auth-Application-Id: 16777238 }
{ Origin-Host: <configurable-string> }
{ Origin-Realm: <configurable-string> }
{ Destination-Realm: <configurable-string> }
{ CC-Request-Type: INITIAL_REQUEST(1) }
{ CC-Request-Number: 0 }
{ Subscription-Id:
{ Subscription-Id-Type: <configurable-integer> }
{ Subscription-Id-Data: <configurable-string> }
}
}
[ Destination-Host: <configurable-string> ] -- if configured
[ Origin-State-Id: <u32> ] -- if configured to send
[ Framed-IP-Address: <ipv4-address-in-radius-encoding> ] -- if available
[ Framed-IPv6-Prefix: <ipv6-prefix-in-radius-encoding> ] -- if available
{ IP-CAN-Type: <configurable-integer> }
{ Online: ENABLE_ONLINE (1) }
[ User-Name: <string> ]
[ NAS-Port-Id: <string> ] -- if included by config
[ Juniper-Virtual-Router: <virtual-router-name> ] -- if included by config
[ Event-Timestamp: <timestamp> ] -- login timestamp, if included by config
{ Juniper-Dyn-Subscription-Indicator: DYN_SUBSCRIPTION_SUPPORTED(1) }
{ Juniper-Network-Family-Indicator: <subscriber-family> }The T (potentially retransmitted message) bit recalculates when the CCR-GX-I is resent. This flag is set after a link failover procedure to remove duplicate requests.
CCA-GX-I Packet Example
CCA-GX-I ::= <Diameter Header: 272, PXY, 16777238>
{ <Session-Id> }
{ Result-Code: <integer> }
{ Auth-Application-Id: 16777238 }
{ Origin-Host: <string> } -- should match destination-host if configured
{ Origin-Realm: <string> } -- should match destination-realm
{ Result-Code: <integer> }
{ CC-Request-Type: INITIAL_REQUEST(1) }
{ CC-Request-Number: 0 }
[ Juniper-Dyn-Subscription-Id:
{Juniper-Dyn-Subscription-Id-Type: <value-to-be-used-for-ocs-interactions> }
{Juniper-Dyn-Subscription-Id-Data: <value-to-be-used-for-ocs-interactions> }
]
*[ Supported-Features ] -- ignored
[ Origin-State-Id: <u32> ] -- Indicates restart PCRF side
*[ Downstream data units ] If no rule-install AVP is defined in the CCA-GX-I, then the default rule is installed.
All event triggers, including those not yet defined, are acceptable. However, only a few event triggers actually generate events when implemented.
The PCRF returns a CCA-GX-I message that includes the Result-Code AVP (AVP code 268) that maps to the result categories listed in Table 5.
Result-Code-AVP Value |
Result Category |
|---|---|
SUCCESS(2001), LIMITED_SUCCSS(2002), and valid message |
Grant |
AUTHENTICATION_REJECTED(4001), UNKNOWN_SESSION_ID(5002), AUTHORIZATION_REJECTED(5003), and USER_UNKNOWN(5030) |
Deny |
UNABLE_TO_DELIVER(3002), REALM_NOT_SERVED(3003), TOO_BUSY(3004), LOOP_DETECTED(3005), and REDIRECT_INDICATION(3006) |
Failure |
All other Diameter Permanent-failure Result-Code AVPs greater than and equal to 5000, and all Diameter protocol error Result-Code AVPs greater than and equal to 3000 and less than 4000 |
Permanent-failure |
Other Result-Code AVPs for invalid message or no-response |
Failure |
As shown in Table 6, the CCA-GX-I response processing depends on three factors:
Whether the local decision timeout has expired
The setting of the local decision
The result category
Table 6 also contains PCRF local decision timeout expiration actions.
PCRF Local Decision Timeout |
PCRF Local Decision |
Result Category |
Action |
|---|---|---|---|
Not-expired |
– |
Grant |
Clear the local decision timer, apply rules from the CCA-GX-I, notify the Online Charging System (OCS), and then acknowledge subscriber activation. |
Not-expired |
– |
Deny |
Clear the local decision timer and fail subscriber activation. |
Not-expired |
– |
Failure |
Retry the CCA-GX-I until the local decision time outs. |
Not-expired |
Grant |
Permanent-failure |
Clear the local decision timer, apply the default rule, acknowledge subscriber activation, and then keep retrying the CCA-GX-I. |
Not-expired |
Deny |
Permanent-failure |
Fail the subscriber activation and initiate the subscriber logout process. |
On-expiration |
Grant |
– |
Apply the default rule, keep retrying the CCA-GX-I indefinitely, and acknowledge subscriber activation. |
On-expiration |
Deny |
– |
Fail the subscriber activation and initiate the subscriber logout process. |
Expired |
Grant |
Grant |
If the CCA-GX-I contains rules, remove the default rules and install the received rules, and then notify the OCS and acknowledge subscriber activation. |
Expired |
Grant |
Deny |
Log out the client. |
Expired |
Grant |
Failure |
Keep retrying the CCA-GX-I indefinitely. |
Expired |
Grant |
Permanent-failure |
Take a long pause and then restart retrying the CCA-GX-I. |
Expired |
Deny |
Deny |
If subscriber still logging out, ignore subscriber; otherwise, no action required. |
A subscriber login initiates the following sequence of events:
A client application—such as DHCP, PPP, or static subscriber sessions—requests AAA to authenticate the subscriber.
Authentication begins if the subscriber access profile specifies RADIUS authentication. Login continues when the authentication is successful. Login fails when the
authentication-orderstatement in the profile does not specify RADIUS authentication or no authentication. Login also fails when authentication fails.Default services are activated for the subscriber. Any services that the authentication server includes in the authentication grant are activated. Additionally, a default service may have been configured for the client application.
If the subscriber access profile specifies Gx provisioning, the router initiates the Gx message exchange by sending a CCR-GX-I message to the PCRF. The router waits for the PCRF to respond with a CCA-GX-I message within a non-configurable timeout period.
When the PCRF responds within the timeout period and includes the Charging-Rule-Install AVP in the CCA-GX-I message, subscriber login is delayed while the router deactivates any default services and attempts to activate the specified services.
If all the specified services are activated, then the login completes.
If any of the services cannot be activated, the router sends the PCRF a CCR-GX-U (where U represents UPDATE_REQUEST) message with the status of the services (a rule report). The PCRF responds to this message with a CCA-GX-U that can contain a new set of services for activation.
The router ignores any default services, even If the CCA-GX-I message does not include any services. In this circumstance, no services are activated.
If the PCRF does not return a CCA-GX-I within the timeout period, subscriber login completes.
The router searches first for services returned from the authentication server and activates any it finds. If no such services are found, then the router activates any locally configured default services. Subscriber login completes when default service activation is successful, but fails when any default service fails to activate. Because default services are not required to be present, login also completes when no default services are found.
If login completes (with or without a default service), the router periodically resends the CCR-GX-I message to the PCRF. If the PCRF subsequently returns a CCA-GX-I, the router deactivates the default service, if any, and then activates any services included in the CCA-GX-I. If the message does not include any services, then no services are activated, not even a default service.
If any of the services contained in the CCA-GX-I cannot be activated, the router sends the PCRF a CCR-GX-U message with the status of the services (a rule report). The PCRF responds to this message with a CCA-GX-U that can contain a new set of services for activation.
Subscriber Login Error Recovery
Starting in Junos Release 20.1R1, you can configure the router to recover from certain PCRF server errors by reinitializing the subscriber session to resync the router and PCRF server states. Some PCRF servers might not properly handle a situation where the CCA-GX-I messages that it sent to the router are lost. When the router retries sending the CCR-GX-I to the PCRF, the server is out of sync with the router because it has already sent a reply and is not aware that the router did not receive the message. This mismatch in state can lead to either of the following errors:
The PCRF server responds to the retry with a CCA-GX-I that contains the Diameter Result Code AVP (Code 268) with a value of 5012 (DIAMETER UNABLE TO COMPLY). This is considered a permanent failure (Table 5).
The PCRF server sends a RAR. The server expects the session to be active because it sent the CCA-GX-I to the router and is unaware that the message was not received. The server might send any of the following RAR messages:
RAR-GX-D to disconnect the session because it considers the session to be bad
RAR-GX-A to read information about the bad session
RAR-GX-U to update the session because it considers the session to be operating normally.
You can use the PCRF local-decision configuration
to reinitialize the subscriber session in response to either or both
of those errors.
Include the
reinit-on-failureoption for the permanent failure error.Include
reinit-on-raroption for the RAR error.
The reinitialization operation has these additional configuration requirements:
You must configure the local decision
grantoption.You must configure the router to use an extended session ID so that it can maintain state for the original session and the new one tied to the same login event. To do so, configure the PCRF
use-session-stampoption.
The reinitialization operation consists of the following steps in both cases:
The router sends a session termination request, CCR-GX-T, to the PCRF to terminate the session. This is done in an attempt to get the router and PCRF server to have the same state for this session.
The router waits a reinitialization timeout period to receive a CCA-GX-T. You can use the
reinit-timeoutoption to specify a period different than the default.If the router either receives a CCA-GX-T within the timeout period or a CCA-GX-T does not arrive before the timeout expires, then the router sends a CCR-GX-I to the PCRF with a new, extended session ID. The extended session ID is conveyed in the Diameter Session-ID AVP (AVP code 263).
The router forms the extended session ID by appending a session stamp that consists of the UTC time when the router creates the CCR-GX-I. For example, consider the following Diameter Session-Id AVP. The session ID is 23 and
use-session-stampis not configured:test-host1;0000000000;0000000023;
With
use-session-stampconfigured, the session timestamp is appended to the AVP value:test-host1;0000000000;0000000023;1557788595;
Table 7 provides details about how the router reacts to these errors based on the current local PCRF state.
Local State |
Action When PCRF Error Occurs |
|
The router does the following:
|
|
When the default provisioning completes, the router does the following:
|
|
The router does the following when no default services are configured:
The router does the following when default services are configured:
When the default provisioning completes, the router does the following:
|
Subscriber Update
Whenever a trigger event occurs on the router, an update request is sent to the PCRF. The following examples show a CCR-GX-U (where U represents UPDATE_REQUEST) and CCA-GX-U packet exchange:
CCR-GX-U Packet Example
CCR-GX-U ::= <Diameter Header: 272, REQ, PXY 16777238>
{ <Session-Id> }
{ Auth-Application-Id: 16777238 }
{ Origin-Host: <configurable-string> }
{ Origin-Realm: <configurable-string> }
{ Destination-Realm: <configurable-string> }
{ CC-Request-Type: UPDATE_REQUEST(2) }
{ CC-Request-Number: <u32> }
[ Destination-Host: <configurable-string> ] -- if configured
[ Origin-State-Id: <u32> ] -- if configured to send
*[ Upstream data units ] The T bit recalculates when the CCR-GX-U is resent.
CCA-GX-U Packet Example
CCA-GX-U ::= <Diameter Header: 272, PXY, 16777238>
{ <Session-Id> }
{ Auth-Application-Id: 16777238 }
{ Origin-Host: <string> } -- should match destination-host if configured
{ Origin-Realm: <string> } -- should match destination-realm
{ Result-Code: <integer> }
{ CC-Request-Type: UPDATE_REQUEST(2) }
{ CC-Request-Number: <u32> }
[ Origin-State-Id: <u32> ] -- Indicates PCRF restart
*[ Downstream data units ] The PCRF returns a CCA-GX-U message that includes the Result-Code AVP (AVP code 268) that maps to the result categories listed in Table 8.
Result-Code-AVP Value |
Result Category |
|---|---|
SUCCESS(2001), LIMITED_SUCCSS(2002), and valid message |
Success |
UNABLE_TO_DELIVER(3002), REALM_NOT_SERVED(3003), TOO_BUSY(3004), LOOP_DETECTED(3005), and REDIRECT_INDICATION(3006) |
Failure |
All other Diameter Permanent-failure Result-Code AVPs greater than and equal to 5000, and all Diameter protocol error Result-Code AVPs greater than and equal to 3000 and less than 4000 |
Success |
Other Result-Code AVPs for invalid message or no-response |
Failure |
Subscriber Logout
When the client application sends a subscriber logout notice to AAA, Gx sends a CCR-GX-T (where T represents TERMINATION_REQUEST) message to notify the PCRF that the provisioned subscriber session is being terminated.
Whenever a trigger event occurs on the router, a terminate request is sent to the PCRF. The following examples show a CCR-GX-T and CCA-GX-T packet exchange:
CCR-GX-T Packet Example
CCR-GX-T ::= <Diameter Header: 272, REQ, PXY 16777238>
{ <Session-Id> }
{ Auth-Application-Id: 16777238 }
{ Origin-Host: <configurable-string> }
{ Origin-Realm: <configurable-string> }
{ Destination-Realm: <configurable-string> }
{ CC-Request-Type: TERMINATION_REQUEST(3) }
{ CC-Request-Number: <u32> }
[ Destination-Host: <configurable-string> ] -- if configured
{ Termination-Cause: DIAMETER_LOGOUT(1) }
[ Origin-State-Id: <u32> ] -- if configured to send
*[ Upstream data units ] The T bit recalculates when the CCR-GX-T is resent.
CCA-GX-T Packet Example
CCA-GX-T ::= <Diameter Header: 272, PXY, 16777238>
{ <Session-Id> }
{ Auth-Application-Id: 16777238 }
{ Origin-Host: <string> } -- should match destination-host if configured
{ Origin-Realm: <string> } -- should match destination-realm
{ Result-Code: <integer> }
{ CC-Request-Type: TERMINATION_REQUEST(3) }
{ CC-Request-Number: <u32> }
[ Origin-State-Id: <u32> ] -- Indicates PCRF restart
*[ Downstream data units ] The PCRF returns a CCA-GX-T message that includes the Result-Code AVP (AVP code 268) that maps to the result categories listed in Table 9.
Result-Code-AVP Value |
Result Category |
|---|---|
SUCCESS(2001), LIMITED_SUCCSS(2002), and valid message |
Success |
UNABLE_TO_DELIVER(3002), REALM_NOT_SERVED(3003), TOO_BUSY(3004), LOOP_DETECTED(3005), and REDIRECT_INDICATION(3006) |
Failure |
All other Diameter Permanent-failure Result-Code AVPs greater than and equal to 5000, and all Diameter protocol error Result-Code AVPs greater than and equal to 3000 and less than 4000 |
Success |
Other Result-Code AVPs for invalid message or no-response |
Failure |
If the Result-Code value is Success, Gx notifies AAA, and AAA notifies the application that the logout is complete. If Gx does not receive a CCA-GX-T message, or if the Result-Code AVP has any other value or is missing, then the termination request is retried until the CCA-GX-T message is returned with Success. The router notifies the PCRF about subscriber logouts by sending another CCR request to be acknowledged by a CCA response. The PCRF may also use RAR requests to force subscriber logout or to change applied services.
If the Result-Code value is Failure, then the request is retried.
Subscriber Disconnect
To perform subscriber disconnects, the PCRF sends a RAR-GX-D (where D represents DISCONNECT) and the BPCEF responds with a RAA-GX-D message.
The following examples show a RAR-GX-D and RAA-GX-D packet exchange:
RAR-GX-D Packet Example
RAR-GX-D ::= <Diameter Header: 258, PXY, 16777238>
{ <Session-Id> }
{ Auth-Application-Id: 16777238 }
{ Origin-Host: <string> } -- should match destination-host if configured
{ Origin-Realm: <string> } -- should match destination-realm
{ Destination-Realm: <string> } -- should match origin-realm
{ Destination-Host: <string> } -- should match origin-host
{ Re-Auth-Request-Type: AUTHORIZE_ONLY(0) }
[ Origin-State-Id: <u32> ] -- Indicates PCRF restart
{ Session-Release-Cause: <enum> }
*[ Downstream data units ] -- ignoredRAA-GX-D Packet Example
RAA-GX-D ::= <Diameter Header: 272, REQ, PXY, 16777238>
{ <Session-Id> }
{ Auth-Application-Id: 16777238 }
{ Origin-Host: <configurable-string> }
{ Origin-Realm: <configurable-string> }
{ Result-Code: <integer> }
[ Origin-State-Id: <u32> ]
*[ Upstream data units ] The PCRF returns a RAA-GX-T message that includes the Result-Code AVP (AVP code 268) that maps to the result categories listed in Table 10.
Result-Code-AVP Value |
Result Category |
|---|---|
DIAMETER_SUCCESS(2001) |
Subscriber disconnect is in progress or the subscriber is not found |
DIAMETER_UNABLE_TO_COMPLY(5012) |
Subscriber is not removable |
DIAMETER_TOO_BUSY(3004) |
Too many outstanding disconnect requests |
The BPCEF contains buffering space for at least 512 RAR-GX-D or RAA-GX-D messages.
Connectivity Fault Recovery
Gx does not rely on the connection state between devices to detect router or PCRF outages, because some events do not affect the connection state and others are not detected when there is a Diameter relay or proxy between the devices.
To mitigate connectivity faults with the PCRF, the router uses the following fault recovery procedures:
If the PCRF is not available, and if you installed and configured a default service, the subscriber login proceeds accordingly.
Unacknowledged provisioning requests replay indefinitely or until the subscriber logs out.
Logout requests wait for the final OCS interrogation to complete, and then any unacknowledged logout requests replay for 24 hours.
The router uses standard Diameter transport redundancy to communicate with redundant PCRFs.
An important aspect of Gx fault tolerance is that subscriber
login and termination requests are retried (replayed) 24 hours until
a satisfactory response is received from the PCRF. You can issue the clear network-access pcrf subscribers command to clear all
PCRF subscribers.
Understanding Gy Interactions Between the Router and the OCS
Information or interrogations are exchanged by means of the 3rd Generation Partnership Project (3GPP) Gy protocol between the Online Charging System (OCS), and the router acting as a Policy and Charging Enforcement Function (PCEF). Broadband PCEF (BPCEF) interactions with the OCS use online session charging with centralized unit determination and centralized rating. PCEF optionally reports usage and receives additional authorizations from the OCS using the Gy protocol.
Starting in Junos OS Release 17.3R1, support for additional OCS and PCRF features are added using Gy and Gx protocols. The new statements:
accept-sdris added for PCRF partition at the hierarchy level[edit access pcrf partition partition-name].alternative-partition-nameis added for OCS partition at the hierarchy level[edit access ocs partition partition-name].
Starting in Junos OS Release 18.1R1, broadband PCEF provides
the file backup for OCS data when both primary and alternative paths
to the OCS are not available. The CCR-GY-T frames are stored in the
files on remote location. The backup is supported at the hierarchy [edit access ocs partition partition-name].
After subscriber provisioning has been completed between the Policy Control and Rules Charging Function (PCRF) and PCEF, the router begins sending the following interrogations between the OCS and PCEF:
- First Interrogation to the OCS
- Intermediate Interrogation to the OCS
- Final Interrogation to the OCS
- Connectivity Fault Recovery
- Abort Session Requests
First Interrogation to the OCS
During the first interrogation, the router sends a Diameter CCR request containing a fixed set of required information to the OCS charging server. The OCS charging server then replies with validity-time, rating groups, and usage-quotas.
For this implementation phase, the router allows subscriber access without waiting for the OCS to respond, and the OCS always grants necessary quotas.
To configure a list of charging services to communicate information
with the OCS over the Gy protocol, configure the charging-service-list ocs statement at the [edit access profile profile-name] hierarchy level. The following examples show a CCR-GY-I and
CCA-GY-I packet exchange:
The T (potentially retransmitted message) bit recalculates when the CCR-GY-I is resent. This flag is set after a link failover procedure to aid the removal of duplicate requests.
CCR-GY-I Packet Example
CCR-GY-I ::= <Diameter Header: 272, REQ, PXY 16777238>
{ <Session-Id> }
{ Origin-Host: <configurable-string> }
{ Origin-Realm: <configurable-string> }
{ Destination-Realm: <configurable-string> }
{ Auth-Application-Id: 4 }
{ Service-Context-Id: 98924@customer.com }
{ CC-Request-Type: INITIAL_REQUEST(1) }
{ CC-Request-Number: 0 }
[ Destination-Host: <configurable-string> ] -- if configured
[ User-Name: <string> ]
[ Origin-State-Id: <u32> ] -- if configured to send
[ Event-Timestamp: <timestamp> ] -- login timestamp, if included by config
{ Subscription-Id:
{ Subscription-Id-Type: <received-from-pcrf> }
{ Subscription-Id-Data: <received-from-pcrf> }
}
{ Multiple-Services-Indicator: MULTIPLE_SERVICES_SUPPORTED(1) }
{ Multiple-Services-CC:
{ Service-Identifier: 7 }
{ Rating-group: 292 }
}
{ Multiple-Services-CC:
{ Service-Identifier: 7 }
{ Rating-group: 293 }
}
{ Multiple-Services-CC:
{ Service-Identifier: 7 }
{ Rating-group: 292 }
}
{ Multiple-Services-CC:
{ Service-Identifier: 1 }
{ Rating-group: 17 }
}
CCA-GY-I Packet Example
CCA-GY-I ::= <Diameter Header: 272, REQ, PXY 16777238>
{ <Session-Id> }
{ Result-Code: DIAMETER_SUCCESS(2001) }
{ Origin-Host: <string> } -- should match dest-host if configured
{ Origin-Realm: <string> } -- should match dest-realm
{ Auth-Application-Id: 4 }
{ CC-Request-Type: INITIAL_REQUEST(1) }
{ CC-Request-Number: 0 }
{ CC-Session-Failover: FAILOVER_NOT_SUPPORTED(0) } -– ignored
}
{ Multiple-Services-CC:
{ Granted-Service-Unit:
{ CC-Time: 123456 }
{ CC-Total-Octets: 123455999000 }
}
{ Service-Identifier: 7 }
{ Rating-group: 292 }
{ Validity-Time: 7200 }
{ Result-Code: DIAMETER_SUCCESS(2001) }
}
{ Multiple-Services-CC:
{ Service-Identifier: 7 }
{ Rating-group: 293 }
{ Result-Code: DIAMETER_CREDIT_CONTROL_NOT_APPLICABLE(4011) }
}
{ Multiple-Services-CC:
{ Service-Identifier: 7 }
{ Rating-group: 292 }
{ Result-Code: DIAMETER_CREDIT_CONTROL_NOT_APPLICABLE(4011) }
}
{ Multiple-Services-CC:
{ Granted-Service-Unit:
{ CC-Time: 123456 }
{ CC-Total-Octets: 123455999000 }
}
{ Service-Identifier: 1 }
{ Rating-group: 17 }
{ Result-Code: DIAMETER_SUCCESS(2001) }
}
{ CC-Failure-Handling: TERMINATE(0) }Intermediate Interrogation to the OCS
After the router has sent a fixed set of required information to the OCS charging server, the OCS charging server replies with validity-time, rating groups, and usage-quotas. Validity-time and quota expirations trigger intermediate interrogation events.
Whenever a trigger event occurs on the router, an update request is sent to the OCS. The following examples show a CCR-GY-U (where U represents UPDATE_REQUEST) and CCA-GY-U packet exchange:
CCR-GY-U Packet Example
CCR-GY-U ::= <Diameter Header: 272, REQ, PXY 16777238>
{ <Session-Id> }
{ Origin-Host: <configurable-string> }
{ Origin-Realm: <configurable-string> }
{ Destination-Realm: <configurable-string> }
{ Auth-Application-Id: 4 }
{ Service-Context-Id: 98924@customer.com }
{ CC-Request-Type: UPDATE_REQUEST(2) }
{ CC-Request-Number: <integer> }
[ Destination-Host: <configurable-string> ] -- if configured
[ User-Name: <string> ]
[ Origin-State-Id: <u32> ] -- if configured to send
[ Event-Timestamp: <timestamp> ] -- change timestamp, if included by config
{ Multiple-Services-Indicator: MULTIPLE_SERVICES_SUPPORTED(1) }
{ Multiple-Services-CC:
{ Used-Service-Unit:
{ Reporting-Reason: VALIDITY_TIME(4) }
{ CC-Time: 7200 }
{ CC-Total-Octets: 12345 }
{ CC-Input-Octets: 10000 }
{ CC-Output-Octets: 2345 }
}
{ Service-Identifier: 7 }
{ Rating-group: 292 }
}
{ Multiple-Services-CC:
{ Used-Service-Unit:
{ Reporting-Reason: FINAL(2) }
{ CC-Time: 334556 }
{ CC-Total-Octets: 12345 }
{ CC-Input-Octets: 10000 }
{ CC-Output-Octets: 2345 }
}
{ Service-Identifier: 1 }
{ Rating-group: 17 }
}
*[ More Multiple-Services-CC]
CCA-GY-U Packet Example
CCA-GY-U ::= <Diameter Header: 272, REQ, PXY 16777238>
{ <Session-Id> }
{ Result-Code: DIAMETER_SUCCESS(2001) }
{ Origin-Host: <string> } -- should match dest-host if configured
{ Origin-Realm: <string> } -- should match dest-realm
{ Auth-Application-Id: 4 }
{ CC-Request-Type: UPDATE_REQUEST(1) }
{ CC-Request-Number: <integer> }
{ Multiple-Services-CC:
{ Granted-Service-Unit:
{ CC-Time: 123456 }
{ CC-Total-Octets: 123455999000 }
}
{ Service-Identifier: 7 }
{ Rating-group: 292 }
{ Validity-Time: 7200 }
{ Result-Code: DIAMETER_SUCCESS(2001) }
}
*[ More Multiple-Services-CC]
Final Interrogation to the OCS
When the client application sends a subscriber logout notice to AAA, Gy sends a CCR-GY-T (where T represents TERMINATION_REQUEST) message to notify the OCS that the provisioned subscriber is being terminated.
Whenever a trigger event occurs on the router, a terminate request is sent to the OCS. The following examples show a CCR-GY-T and CCA-GY-T packet exchange:
CCR-GY-T Packet Example
CCR-GY-T ::= <Diameter Header: 272, REQ, PXY 16777238>
{ <Session-Id> }
{ Origin-Host: <configurable-string> }
{ Origin-Realm: <configurable-string> }
{ Destination-Realm: <configurable-string> }
{ Auth-Application-Id: 4 }
{ Service-Context-Id: 98924@customer.com }
{ CC-Request-Type: TERMINATE_REQUEST(2) }
{ CC-Request-Number: <integer> }
[ Destination-Host: <configurable-string> ] -- if configured
[ User-Name: <string> ]
[ Origin-State-Id: <u32> ] -- if configured to send
[ Event-Timestamp: <timestamp> ] -- logout timestamp, if included by config
{ Termination-Cause: DIAMETER_LOGOUT(1) }
{ Multiple-Services-CC:
{ Used-Service-Unit:
{ Reporting-Reason: FINAL(2) }
{ CC-Total-Octets: 12345 }
{ CC-Input-Octets: 10000 }
{ CC-Output-Octets: 2345 }
}
{ Service-Identifier: 7 }
{ Rating-group: 292 }
}
*[ More Multiple-Services-CC]
CCA-GY-T Packet Example
CCA-GY-T ::= <Diameter Header: 272, REQ, PXY 16777238>
{ <Session-Id> }
{ Result-Code: DIAMETER_SUCCESS(2001) }
{ Origin-Host: <string> } -- should match dest-host if configured
{ Origin-Realm: <string> } -- should match dest-realm
{ Auth-Application-Id: 4 }
{ CC-Request-Type: TERMINATE_REQUEST(1) }
{ CC-Request-Number: <integer> }
Connectivity Fault Recovery
Gy does not rely on the connection state between devices to detect router or OCS outages, because some events do not affect the connection state and others are not detected when there is a Diameter relay or proxy between the devices.
To mitigate connectivity faults with the OCS, the router uses the following fault recovery procedures:
If the OCS is not available, you can configure to allow subscriber traffic by setting the
force-continuestatement at the[edit access ocs partition partition-name]hierarchy level.Note:The
force-continuestatement is a required configuration statement.Unacknowledged first and intermediate interrogations replay indefinitely or until the subscriber logs out.
Unacknowledged final interrogations replay for up to 24 hours.
The router uses standard Diameter transport redundancy to communicate with redundant OCSs.
You can configure transport redundancy events to trigger failures in application traffic.
An important aspect of Gy fault tolerance is that subscriber
login and termination requests are retried (replayed) 24 hours until
a satisfactory response is received from the OCS. You can issue the clear network-access ocs statistics command to clear all OCS
statistics.
Abort Session Requests
The OCS may issue an ASR (Abort-Session-Request) when the receiving MX Series router collects final data and posts the final interrogation. After the MX Series router receives the response, it stops updating the OCS for the session involved.
Gy File Backup Overview
The Gy protocol, also known as OCS, is based on incremental usage reporting while retaining the intermediate data. Therefore, the OCS server includes multiple failure protection mechanisms such as diameter transport redundancy, alternative path to OCS, and file backup. Starting in Junos OS Release 18.1R1, broadband PCEF provides the file backup when neither primary nor alternative paths are available. The CCR-GY-T frames are stored in the files on remote location.
The OCS backup comes into effect when the OCS final-response-timeout expires. The data is queued for backup process and subscriber logout proceeds to pcrf session termination. In all cases, the backup operations are controlled by the following configuration parameters:
backup-limit—limit on the total number of backup entries. After the limit is reached, new subscriber’s login fails or oldest backup entries are dropped depending upon backup-overflow settings.
backup-timeout— timeout for backup operation.
backup-overflow—controls action when number of backup entries exceeds backup-limit.
OCS SFTP-Backup
The stfp-backup is the first backup mechanism implemented. The operations are controlled by the following parameters:
accumulation-timeout – The files are written after the file accumulation time of the first CCR-GY-T submission.
accumulation-count – The files are written after the number of requests are fulfilled for the file-account-count.
accumulation-size – The files are written after its size is reaches the accumulation size limit.
retry-interval – Every failed write operation is retried after this interval until backup-timeout is accumulated.
response-timeout – The timeout on individual sftp command response.
The OCS SFTP-Backup server is configured by its address, login, password, directory and file-prefix. A target directory exists by default, if not, the directory is created. If a target file with the same name already exists it will be overwritten.
Benefits of Gy File Backup
Provides yet another way to deal with instability of internal network.
Understanding Interactions Between the PCRF, PCEF, and OCS
The Policy and Charging Rules Function (PCRF), Policy and Charging Enforcement Function (PCEF), and Online Charging System (OCS) interact to provide and charge for subscriber services. These interactions include subscriber login, service updates to existing sessions, connection and monitoring, and subscriber termination and logout.
Figure 3 shows the components of an overall 3rd Generation Partnership Project (3GPP) Policy and Charging Control (PCC) architecture. The PCRF pushes the rules down to the PCEF on the MX Series router using the 3GPP Gx protocol. The PCEF provides service data flow detection, and applies the rules received from the PCRF. Optionally, the PCEF interacts with the OCS using the 3GPP Gy protocol to retrieve policy and charging authorization for quotas and credit control. Broadband PCEF (BPCEF) interactions with the OCS use online session charging with centralized unit determination and centralized rating.
The PCRF can also push changes to rules applied to an existing
session. However, modifications to rating groups is not supported.
You are also required to set the force-continue statement
at the [edit access ocs partition partition-name] hierarchy level.
- Login Interactions
- Update Interactions
- Quota Expiration and Validity-Time Interactions
- Connection and Monitoring Interactions
- Logout Interactions
Login Interactions
This login sequence of events is triggered by detection of service data flow on the PCEF. This is typically a DHCP DISCOVER or PPPoE PADI packet sent by the subscriber (the CPE):
The PCEF sends a CCR-GX-I to the PCRF with information identifying the subscriber.
The PCRF replies with a CCA-GX-I to the PCEF with instructions on which rules to apply for the subscriber.
The PCEF installs the requested services/rules for the subscriber.
If OCS is being used, the PCEF sends the first interrogation to the OCS using a CCR-GY-I message, and the OCS sends applicable reports to the PCRF using a CCA-GY-I message.
If configured, the PCEF sends a notification by means of a CCR-GX-U message to the PCRF after the requested services/rules are processed.
The rule is reported to the PCRF as inactive when both of the following are true:
The service-dynamic-profile instantiation fails.
Resource-Allocation-Notification (ENABLE_NOTIFICATION) is set for the charging rule.
When the rule is reported as inactive, it does not affect subscriber login or other rules.
The rule is reported to the PCRF as active when all of the following are true:
The service-dynamic-profile instantiation succeeds.
Resource-Allocation-Notification (ENABLE_NOTIFICATION) is set for the charging rule.
The SUCCESSFUL_RESOURCE_ALLOCATION event trigger is set in the request.
The report is not sent when there are no rules to report.
The PCRF replies back with a CCA-GX-U message.
The PCEF activates the services for the subscriber.
Update Interactions
This update sequence of events is triggered by an RAR-GX-U message received by the PCEF from the PCRF.
If the update request contains any installation or modification of rules with rating groups, then the PCEF rejects the request; otherwise, it acknowledges the request by sending an RAA-GX-U message to the PCRF.
The PCEF starts the service removal and installation process.
The PCEF waits for the service removal and installation process to complete, and if applicable, starts the final data collection process for reporting to the OCS. When the final statistics are collected, the PCEF sends a CCR-GY-U request to notify the OCS. This is a part of the removal process for an existing service in each of the following cases:
When the service being removed has a rating group.
When a new rule with a rating group was added.
When rules with a rating group were both removed and added.
The PCEF sends applicable reports to the PCRF using a CCR-GX-U message.
The rule is reported to the PCRF as inactive when both of the following are true:
The service-dynamic-profile instantiation fails.
Resource-Allocation-Notification (ENABLE_NOTIFICATION) is set for the charging rule.
When the rule is reported as inactive, it does not affect the update or other rules.
The rule is reported to the PCRF as active when all of the following are true:
The service-dynamic-profile instantiation succeeds.
Resource-Allocation-Notification (ENABLE_NOTIFICATION) is set for the charging rule.
The SUCCESSFUL_RESOURCE_ALLOCATION event trigger is set in the request.
The report is not sent when there are no rules to report.
Quota Expiration and Validity-Time Interactions
For quota expirations and validity-time interactions, the router sends an intermediate interrogation to the OCS using a CCR-GY-U message and processes the OCS response.
Connection and Monitoring Interactions
When establishing a connection with the PCRF, OCS, or Diameter Relay/Proxy server, the Diameter daemon performs a standard Capability Exchange Request (CER)/Capability Exchange Answer (CEA) transaction. You use existing Junos OS Diameter infrastructure to configure an appropriate topology with the necessary redundancy features. Additionally, you can use the same Diameter connection for both PCRF and OCS communications, and other applications.
The following examples show two different communication connection scenarios:
CER Example with a Dedicated Connection Used to Communicate with the PCRF
CER ::= <Diameter Header: 257, REQ>
{ Origin-Realm: CSim.PCRF.net }
{ Origin-Host: MX-GWR3 }
{ Host-IP-Address: 10.8.52.91 }
{ Vendor-Id: 2636 }
{ Product-Name: JUNOS }
[ Origin-State-Id: 7777 ] -- if configured
{ Supported-Vendor-Id: 10415 }
{ Supported-Vendor-Id: 2636 } -- have Juniper VSAs
{ Auth-Application-Id: 16777238 }
{ Vendor-Specific-Application-Id {
{ Vendor-Id: 10415 }
{ Auth-Application-Id: 16777238 }
{ Acct-Application-Id: 16777238 }
}If you set the send-origin-state-id statement
for the router at either the [edit access pcrf partition partition-name] or [edit access ocs partition partition-name] hierarchy level, then the Origin-State-Id
is included in Diameter level messages such as: CER, Device Watchdog
Request (DWR)/Device Watchdog Answer (DWA), and Disconnect Peer Request
(DPR)/Disconnect Peer Answer (DPA).
CER Example with a Dedicated Connection Used to Communicate with Both PCRF and OCS
CER ::= <Diameter Header: 257, REQ>
{ Origin-Realm: CSim.PCRF.net }
{ Origin-Host: MX-GWR3 }
{ Host-IP-Address: 10.8.52.91 }
{ Vendor-Id: 2636 }
{ Product-Name: JUNOS }
[ Origin-State-Id: 7777 ] -- if configured
{ Supported-Vendor-Id: 10415 }
{ Supported-Vendor-Id: 2636 } -- have Juniper VSAs
{ Auth-Application-Id: 4 } -- this is the difference with previous
{ Auth-Application-Id: 16777238 }
{ Vendor-Specific-Application-Id {
{ Vendor-Id: 10415 }
{ Auth-Application-Id: 16777238 }
{ Acct-Application-Id: 16777238 }
}The Auth-Application-Id: 4 field and value is the authentication application ID for the OCS. This is the difference between the first and second examples.
You monitor and manage connections using standard DWR/DWA and DPR/DPA messages.
Logout Interactions
This logout sequence of events is triggered by either of the following:
A subscriber logout request, such as a DHCP RELEASE or PPPoE PADT packet.
The PCEF receives a RAR from the PCRF with a request to terminate a subscriber session.
The following sequence occurs when the logout is triggered:
The system infrastructure notifies the OCS that the subscriber logout has started.
If applicable, the OCS starts the final data collection process.
If the service being removed has a rating group, final data for this service is required to be reported. The OCS starts final data collection as necessary.
Both the PCRF and the PCEF wait for the final interrogation process to complete.
The PCEF sends a termination request (CCR-GX-T message) to the PCRF and then waits for the answer (CCA-GX-T message) from the PCRF.
The PCEF completes the subscriber logout process.
Understanding Upstream and Downstream Messages for the PCRF
The MX Series router implements a number of measures to protect against data overload for both downstream and upstream transactions. Downstream transactions are protected by throttling input from the network under overload conditions. The upstream transactions are protected by limiting both the number of outstanding requests and using slow retries of the first unacknowledged message for a reliable recovery.
Built-in features of the Policy and Charging Enforcement Function (PCEF) environment provide protection from overload resulting from an excessive subscriber login rate. If there are too many rule changes and disconnect operations due to Reauthorization Request (RAR-GX) messages, the router sends a Reauthorization Answer (RAA-GX) response with the result-code: DIAMETER_TOO_BUSY (3004).
Within the router’s AAA component, a session represents a subscriber (client) session entry in the Session Database (SDB).
This is a representation of subscriber session only; it is not a connection-independent permanent identifier similar to a phone number. If subscriber disconnects and reconnects, and it receives a different session ID for the second connection.
The session ID is conveyed in the Session-Id (AVP Code 263). There is a one-to-one correspondence between a session and the Session-Id value. The session ID is globally and eternally unique because it is bound to the unique router identity and used to identify a user session without any reference to other information. The same subscriber could be mapped to several sessions, such as one from a disconnect and reconnect event. However, the session is always associated with a single subscriber. The Session-Id AVP has the following default format:
Session-Id AVP ::=<DiameterIdentity>;
<upper 32 bits of the AAA COMPONENT session-id>;
<lower 32 bits of the AAA COMPONENT session-id>;
The DiameterIdentity field is the value you configure for the Diameter origin-host. Internal Session-Ids are 64-bit integers assigned in ascending order. Both numeric parts of the Session-Id string are generated using %010u format, which guarantees that Session-Id AVP values are in the same order lexicographically as internal 64-bit sessions.
You can also configure the router to use an extended session ID, where it appends a session stamp to the ID. The session stamp consists of the UTC time when the router creates the CCR-GX-I. In this case, the Session-Id AVP has the following format:
Session-Id AVP ::=<DiameterIdentity>;
<upper 32 bits of the AAA COMPONENT session-id>;
<lower 32 bits of the AAA COMPONENT session-id>;
<32 bits of UTC time>;
The first 64 bits of the AVP remain unchanged, enabling the PCRF to trace reinitializations.
You always configure the router to use the extended session ID when it reinitializes the session in response to PCRF server errors. See Understanding Gx Interactions Between the Router and the PCRF for more information.
The Policy and Charging Rules Function (PCRF) pushes rules and messages down to the PCEF using the 3GPP Gx protocol and online policy interface. The PCRF and Gx protocol include the following messages:
Common Upstream Messages
The upstream messages for Credit Control Response for Initiation, Update, and Termination (CCR-GX-I, CCR-GX-U, and CCR-GX-T) and RAA-GX may include the following rules, parameters and data:
Event-Timestamp AVP
The following shows an AVP for CCR-GX-I, CCR-GX-U, and CCR-GX-T, and RAA-GX messages between the PCRF and Gx:
{ Event-Timestamp: <timestamp> }If you configure the Event-Timestamp AVP, it is included in the downstream message. The message definition in Table 11 varies depending on the transaction.
Message |
Definition |
|---|---|
CCR-GX-I |
Subscriber login timestamp |
Charging Rules Installation Notifications
The following notifications show a failed installation example and a successful installation example of charging rules installation for CCR-GX-U messages between the PCRF and Gx:
If unacknowledged reports are still pending at the time of the client logout, these charging rules are included in CCR-GX-T messages.
Notification Reporting a Rule Installation Failure
{ Charging-Rule-Report
{ Charging-Rule-Name: <string> }
{ Charging-Rule-Name: <string> }
{ PCC-Rule-Status: INACTIVE(1) }
{ Rule-Failure-Code: UNKNOWN_RULE_NAME(1) }
}Notification Reporting a Rule Installation Success
{ Charging-Rule-Report
{ Charging-Rule-Name: <string> }
{ Charging-Rule-Name: <string> }
{ PCC-Rule-Status: ACTIVE(0) }
}Event Trigger Commands
The following shows a predefined event trigger command for CCR-GX and RAA-GX messages between the PCRF and Gx:
{ Event-Trigger: SUCCESSFUL_RESOURCE_ALLOCATION(22) }Common Downstream Messages
The downstream messages for Credit Control Answer for Initiation and Update (CCA-GX-I and CCA-GX-U) and RAR-GX may include the following predefined rules with parameters and data:
The CCA-GX-T (Termination) message is not included as a downstream message.
Charging Rule Installation Commands
The following example shows predefined rule installation commands for CCA-GX and RAR-GX messages between the PCRF and Gx:
{ Charging-Rule-Install
{ Charging-Rule-Name: “fixed-cos” }
{ Charging-Rule-Definition:
{ Charging-Rule-Name: “firewall” }
{ Service-Identifier: 10 }
{ Rating-Group: 292 }
{ Juniper-Param-V4-Input-Filter: “my_input_filter” }
{ Juniper-Param-V4-Output-Filter: “my_output_filter” }
}
[ Resource-Allocation-Notification: ENABLE_NOTIFICATION(0) ]
}Some PCRFs may be unable to generate a Resource-Allocation-Notification
AVP. As a result, the report-resource-allocation statement
at the [edit access pcrf partition partition-name] hierarchy level provides generated reports by default.
Charging Rule Removal Commands
The following example shows predefined rule removal commands for CCA-GX and RAR-GX messages between the PCRF and Gx:
{ Charging-Rule-Remove
{ Charging-Rule-Name: “predefined-ftp” }
{ Charging-Rule-Name: “firewall” }
}The router processes all rule removal operations before any rule installation operations enabling you to simultaneously request both removal of an existing rule and installation of a rule having the same base name in a single transaction.
Event Trigger Commands
The following shows a predefined event trigger command for CCA-GX and RAR-GX messages between the PCRF and Gx:
{ Event-Trigger: SUCCESSFUL_RESOURCE_ALLOCATION(22) }If the SUCCESSFUL_RESOURCE_ALLOCATION (22) trigger value exists in the downstream data, the Broadband PCEF reports successful installations of rules marked with Resource-Allocation-Notification AVP in the Charging-Rule-Install AVP.
Some PCRFs may be unable to generate this event trigger. As
a result, the report-successful-resource-allocation statement
at the [edit access pcrf partition partition-name] hierarchy level provides generated reports by default.
Configuring the OCS Partition
The Online Charging System (OCS) works within a specific logical system:routing instance context, called a partition.
Currently, only a single partition is supported; you must configure it within the default logical system:routing instance context.
Before you configure the OCS partition, perform the following task:
Configure the Diameter instance at the
[edit diameter]hierarchy level. See Configuring Diameter.
Configuration for the OCS partition consists of naming the partition and then defining or associating a numerous parameters to define the characteristics of the partition.
To configure the OCS partition:
Configuring the PCRF Partition
The Policy Control and Rules Charging Function (PCRF) works within a specific logical system:routing instance context, called a partition.
Currently, only a single partition is supported; you must configure it within the default logical system:routing instance context.
Before you configure the PCRF partition, perform the following task:
Configure the Diameter instance at the
[edit diameter]hierarchy level. See Configuring Diameter.
Configuration for the PCRF partition consists of naming the partition and then defining or associating numerous parameters to define the characteristics of the partition.
To configure the PCRF partition:
Configuring OCS Global Parameters
You can configure global attributes of the 3rd Generation Partnership Project (3GPP) Diameter credit control service charging system for the Online Charging System (OCS), which interacts with the Policy and Charging Enforcement Function (PCEF).
Currently, the only configurable global attribute is the service context identifier allocated by the service provider or operator. This value corresponds to the Service-Context-Id AVP, which together with the Service-Identifier-AVP uniquely and globally identifies the Diameter credit control service.
To configure the OCS global parameters:
Configure the service context identifier.
[edit access ocs global] user@host# set service-context-id service-context