Ladder Diagrams » History » Version 8
laforge, 04/21/2022 05:36 PM
1 | 1 | laforge | h1. Ladder Diagrams |
---|---|---|---|
2 | |||
3 | 5 | laforge | Some ladder diagrams about the proposed OCTOI protocol. |
4 | |||
5 | 7 | laforge | h2. Initial connection setup (success without redirect) |
6 | |||
7 | 4 | laforge | Note: we might want to do something for DoS mitigation at the very initial step? |
8 | |||
9 | 1 | laforge | {{mscgen_link() |
10 | msc { |
||
11 | hscale=2; |
||
12 | 7 | laforge | client [label="Client"], server [label="Server (main port)"], hlr [label="HLR (database)"]; |
13 | |||; |
||
14 | --- [label="Initial connection attempt from client to well-known server/port"]; |
||
15 | |||; |
||
16 | client => server [label="SERVICE_REQ (user_id)"]; |
||
17 | server <=> hlr [label="Obtain auth vectors"]; |
||
18 | client <= server [label="AUTH_REQ (rand, autn)"]; |
||
19 | client => server [label="AUTH_RESP (res)"]; |
||
20 | server box server [label="Verify res == xres?"]; |
||
21 | client <= server [label="SERVICE_ACK"]; |
||
22 | ...; |
||
23 | client <=> server [label="TDMoIP"]; |
||
24 | ...; |
||
25 | } |
||
26 | }} |
||
27 | |||
28 | h2. Initial connection setup (success with redirect) |
||
29 | |||
30 | Note: we might want to do something for DoS mitigation at the very initial step? |
||
31 | |||
32 | {{mscgen_link() |
||
33 | msc { |
||
34 | hscale=2; |
||
35 | 1 | laforge | client [label="Client"], server [label="Server (main port)"], worker [label="Server (worker port)"], hlr [label="HLR (database)"]; |
36 | |||; |
||
37 | --- [label="Initial connection attempt from client to well-known server/port"]; |
||
38 | |||; |
||
39 | 6 | laforge | client => server [label="SERVICE_REQ (user_id)"]; |
40 | 1 | laforge | server <=> hlr [label="Obtain auth vectors"]; |
41 | client <= server [label="AUTH_REQ (rand, autn)"]; |
||
42 | client => server [label="AUTH_RESP (res)"]; |
||
43 | server box server [label="Verify res == xres?"]; |
||
44 | server => worker [label="Create worker socket"]; |
||
45 | server note server [label="Server accepts client + redirects to worker IP+Port"]; |
||
46 | 6 | laforge | client <= server [label="REDIR_CMD (worker IP:Port, token)"]; |
47 | 1 | laforge | ...; |
48 | 6 | laforge | client => worker [label="SERVICE_REQ (user_id, token)"]; |
49 | worker box worker [label="Verify user_id + token, or\nperform AUTH_REQ/AUTH_CMD again"]; |
||
50 | client <= worker [label="SERVICE_ACK"]; |
||
51 | 1 | laforge | ...; |
52 | client <=> worker [label="TDMoIP"]; |
||
53 | 2 | laforge | ...; |
54 | 3 | laforge | } |
55 | }} |
||
56 | |||
57 | 1 | laforge | Both sides operate timeouts, if those occur, the entire procedure is aborted. |
58 | 7 | laforge | |
59 | h2. Initial connection setup (failure) |
||
60 | |||
61 | Note: we might want to do something for DoS mitigation at the very initial step? |
||
62 | |||
63 | {{mscgen_link() |
||
64 | msc { |
||
65 | hscale=2; |
||
66 | client [label="Client"], server [label="Server (main port)"], hlr [label="HLR (database)"]; |
||
67 | |||; |
||
68 | --- [label="Initial connection attempt from client to well-known server/port"]; |
||
69 | |||; |
||
70 | client => server [label="SERVICE_REQ (user_id)"]; |
||
71 | server <=> hlr [label="Obtain auth vectors"]; |
||
72 | client <= server [label="AUTH_REQ (rand, autn)"]; |
||
73 | client => server [label="AUTH_RESP (res)"]; |
||
74 | server box server [label="Verify res == xres?"]; |
||
75 | client <= server [label="SERVICE_REJ"]; |
||
76 | ...; |
||
77 | } |
||
78 | }} |
||
79 | 4 | laforge | |
80 | 3 | laforge | h2. subsequent re-authentication |
81 | |||
82 | {{mscgen_link() |
||
83 | msc { |
||
84 | hscale=2; |
||
85 | client [label="Client"], server [label="Server (main port)"], worker [label="Server (worker port)"], hlr [label="HLR (database)"]; |
||
86 | |||; |
||
87 | 2 | laforge | --- [label="At any later point in time, whenever the server wants"]; |
88 | worker <=> hlr [label="Obtain auth vectors"]; |
||
89 | client <= worker [label="AUTH_REQ (rand, autn)"]; |
||
90 | client => worker [label="AUTH_RESP (res)"]; |
||
91 | 1 | laforge | worker box worker [label="Verify res == xres?"]; |
92 | } |
||
93 | }} |
||
94 | 4 | laforge | |
95 | If there is no response to the AUTH_REQ within a timeout, up to three re-transmissions are attempted, before declaring the link as dead. |
||
96 | |||
97 | h2. dead peer detection |
||
98 | |||
99 | Procedure operates on on both sides: |
||
100 | |||
101 | * Every time a packet is received, a timer is re-started. If the timer expires, the link is declared dead, and no further TDMoIP packets are transmitted. |
||
102 | ** On the server side, a dead link means the worker port is closed. |
||
103 | ** On the client side, a dead link means the client needs to start like in an initial connection attempt by contacting the well-known server port with a HELLO_REQ. |