Ladder Diagrams » History » Version 7
laforge, 03/19/2022 11:24 AM
1 | 1 | laforge | h1. Ladder Diagrams |
---|---|---|---|
2 | |||
3 | 5 | laforge | Some ladder diagrams about the proposed OCTOI protocol. |
4 | |||
5 | 1 | laforge | |
6 | 7 | laforge | h2. Initial connection setup (success without redirect) |
7 | |||
8 | 4 | laforge | Note: we might want to do something for DoS mitigation at the very initial step? |
9 | |||
10 | 1 | laforge | {{mscgen_link() |
11 | msc { |
||
12 | hscale=2; |
||
13 | 7 | laforge | client [label="Client"], server [label="Server (main port)"], hlr [label="HLR (database)"]; |
14 | |||; |
||
15 | --- [label="Initial connection attempt from client to well-known server/port"]; |
||
16 | |||; |
||
17 | client => server [label="SERVICE_REQ (user_id)"]; |
||
18 | server <=> hlr [label="Obtain auth vectors"]; |
||
19 | client <= server [label="AUTH_REQ (rand, autn)"]; |
||
20 | client => server [label="AUTH_RESP (res)"]; |
||
21 | server box server [label="Verify res == xres?"]; |
||
22 | client <= server [label="SERVICE_ACK"]; |
||
23 | ...; |
||
24 | client <=> server [label="TDMoIP"]; |
||
25 | ...; |
||
26 | } |
||
27 | }} |
||
28 | |||
29 | h2. Initial connection setup (success with redirect) |
||
30 | |||
31 | Note: we might want to do something for DoS mitigation at the very initial step? |
||
32 | |||
33 | {{mscgen_link() |
||
34 | msc { |
||
35 | hscale=2; |
||
36 | 1 | laforge | client [label="Client"], server [label="Server (main port)"], worker [label="Server (worker port)"], hlr [label="HLR (database)"]; |
37 | |||; |
||
38 | --- [label="Initial connection attempt from client to well-known server/port"]; |
||
39 | |||; |
||
40 | 6 | laforge | client => server [label="SERVICE_REQ (user_id)"]; |
41 | 1 | laforge | server <=> hlr [label="Obtain auth vectors"]; |
42 | client <= server [label="AUTH_REQ (rand, autn)"]; |
||
43 | client => server [label="AUTH_RESP (res)"]; |
||
44 | server box server [label="Verify res == xres?"]; |
||
45 | server => worker [label="Create worker socket"]; |
||
46 | server note server [label="Server accepts client + redirects to worker IP+Port"]; |
||
47 | 6 | laforge | client <= server [label="REDIR_CMD (worker IP:Port, token)"]; |
48 | 1 | laforge | ...; |
49 | 6 | laforge | client => worker [label="SERVICE_REQ (user_id, token)"]; |
50 | worker box worker [label="Verify user_id + token, or\nperform AUTH_REQ/AUTH_CMD again"]; |
||
51 | client <= worker [label="SERVICE_ACK"]; |
||
52 | 1 | laforge | ...; |
53 | client <=> worker [label="TDMoIP"]; |
||
54 | 2 | laforge | ...; |
55 | 3 | laforge | } |
56 | }} |
||
57 | |||
58 | 1 | laforge | Both sides operate timeouts, if those occur, the entire procedure is aborted. |
59 | 7 | laforge | |
60 | h2. Initial connection setup (failure) |
||
61 | |||
62 | Note: we might want to do something for DoS mitigation at the very initial step? |
||
63 | |||
64 | {{mscgen_link() |
||
65 | msc { |
||
66 | hscale=2; |
||
67 | client [label="Client"], server [label="Server (main port)"], hlr [label="HLR (database)"]; |
||
68 | |||; |
||
69 | --- [label="Initial connection attempt from client to well-known server/port"]; |
||
70 | |||; |
||
71 | client => server [label="SERVICE_REQ (user_id)"]; |
||
72 | server <=> hlr [label="Obtain auth vectors"]; |
||
73 | client <= server [label="AUTH_REQ (rand, autn)"]; |
||
74 | client => server [label="AUTH_RESP (res)"]; |
||
75 | server box server [label="Verify res == xres?"]; |
||
76 | client <= server [label="SERVICE_REJ"]; |
||
77 | ...; |
||
78 | } |
||
79 | }} |
||
80 | 4 | laforge | |
81 | 3 | laforge | h2. subsequent re-authentication |
82 | |||
83 | {{mscgen_link() |
||
84 | msc { |
||
85 | hscale=2; |
||
86 | client [label="Client"], server [label="Server (main port)"], worker [label="Server (worker port)"], hlr [label="HLR (database)"]; |
||
87 | |||; |
||
88 | 2 | laforge | --- [label="At any later point in time, whenever the server wants"]; |
89 | worker <=> hlr [label="Obtain auth vectors"]; |
||
90 | client <= worker [label="AUTH_REQ (rand, autn)"]; |
||
91 | client => worker [label="AUTH_RESP (res)"]; |
||
92 | 1 | laforge | worker box worker [label="Verify res == xres?"]; |
93 | } |
||
94 | }} |
||
95 | 4 | laforge | |
96 | If there is no response to the AUTH_REQ within a timeout, up to three re-transmissions are attempted, before declaring the link as dead. |
||
97 | |||
98 | h2. dead peer detection |
||
99 | |||
100 | Procedure operates on on both sides: |
||
101 | |||
102 | * Every time a packet is received, a timer is re-started. If the timer expires, the link is declared dead, and no further TDMoIP packets are transmitted. |
||
103 | ** On the server side, a dead link means the worker port is closed. |
||
104 | ** On the client side, a dead link means the client needs to start like in an initial connection attempt by contacting the well-known server port with a HELLO_REQ. |