Metonymical Deflection

Loosely about daily life, occasionally about IT infrastructure

Building and installing freeDiameter

This article describes how to build and install freeDiameter on CentOS 6.
Both a PCEF and a PCRF are built so that the behaviour of the Gx interface between them can be observed.

1. Configuration

1-1. Environment
HostOS                           : Windows10pro Ver:1809 Build:17763.503
VMware                           : VMware(R) Workstation 15 Pro 15.1.0 build-13591040
GuestOS                          : CentOS6.10
Installed Environment Groups     : minimal
Kernel                           : 2.6.32-754

The PCEF and the PCRF run on guests of this type (c610diam01 and c610diam02 below, one for each role).*1

1-2. Overview of the setup

(Figure: overview of the setup; image f:id:metonymical:20190608140611p:plain not included in the text)

1-3. Overall flow

Preparation
Build & install
Building the CA
PCEF configuration
PCRF configuration
Operation check

2. Preparation

Install the required packages:

yum -y install gcc gcc-c++ cmake make flex bison lksctp-tools-devel gnutls-devel libidn-devel openssl libgcrypt-devel wget git

3. Build & install

Build and install freeDiameter.

mkdir -p /root/tmp
cd /root/tmp
wget http://www.freediameter.net/hg/freeDiameter/archive/1.2.0.tar.gz
tar zxvf 1.2.0.tar.gz
cd /root/tmp/freeDiameter-1.2.0
mkdir build
cd /root/tmp/freeDiameter-1.2.0/build

Download the freeDiameter source to any path you like (the archive is fetched over plain HTTP here, so check it against a checksum or signature obtained from a trusted source before building),
extract it, then create a build directory and cd into it.

cmake -D CMAKE_INSTALL_PREFIX:PATH=/opt/freeDiameter ..
make && make install

Once cmake has generated the Makefiles, build and install.

This takes a little while; if the end of the output looks like the following, the installation completed normally.

Example output after cmake:
-- Generating done
-- Build files have been written to: /root/tmp/freeDiameter-1.2.0/build

Example output after make install:
-- Installing: /opt/freeDiameter/lib/freeDiameter/dict_nasreq.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/dict_eap.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/dict_dcca.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/dict_dcca_3gpp.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/dict_dcca_starent.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/dict_sip.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/dict_mip6a.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/dict_mip6i.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/dict_nas_mipv6.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/dict_rfc5777.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/rt_default.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/rt_redirect.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/rt_busypeers.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/rt_ignore_dh.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/rt_load_balance.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/acl_wl.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/dbg_monitor.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/dbg_msg_timings.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/dbg_msg_dumps.fdx
-- Installing: /opt/freeDiameter/lib/freeDiameter/dbg_rt.fdx

4. Building the CA

freeDiameter peers authenticate each other with X.509 certificates over TLS, so a CA is built here to issue the peer certificates.

4-1. CA preparation 1
vi /etc/pki/tls/openssl.cnf

Change the following:
[ CA_default ]

#dir             = /etc/pki/CA           # Where everything is kept
dir             = .

With dir set to ".", openssl ca looks for its files (private/cakey.pem, serial, index.txt, newcerts/) relative to the current working directory, so it must always be run from /opt/CA; the steps below cd there first.
4-2. CA preparation 2
mkdir -p /opt/CA
cd /opt/CA
mkdir certs private newcerts
echo '01' > serial
touch index.txt

Create the directory and cd into it
Create the sub-directories
Create the serial file
Create the index file

4-3. Building the CA
openssl req -new -x509 -newkey rsa:512 -out cacert.pem -keyout private/cakey-pass.pem
openssl rsa < private/cakey-pass.pem > private/cakey.pem

Create the CA certificate
Strip the passphrase from the CA key

Two caveats for anything beyond a throwaway lab: rsa:512 produces a key that can be factored with modest computing resources and that current TLS libraries refuse outright, so use rsa:2048 or larger; and because the passphrase is removed, the key in private/ is protected only by file permissions, so keep /opt/CA/private readable by root alone (mode 700).

Example output:

[root@c610diam01 CA]# openssl req -new -x509 -newkey rsa:512 -out cacert.pem -keyout private/cakey-pass.pem
Generating a 512 bit RSA private key
.++++++++++++
..++++++++++++
writing new private key to 'private/cakey-pass.pem'
Enter PEM pass phrase: (enter a passphrase of your choice)
Verifying - Enter PEM pass phrase: (enter the same passphrase)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) :Tokyo
Locality Name (eg, city) [Default City]:Minato-ku
Organization Name (eg, company) [Default Company Ltd]:local.jp
Organizational Unit Name (eg, section) :  (leave blank, press Enter)
Common Name (eg, your name or your server's hostname) : ca.local.jp
Email Address :  (leave blank, press Enter)

[root@c610diam01 CA]# openssl rsa < private/cakey-pass.pem > private/cakey.pem
Enter pass phrase: (enter the passphrase from above)
writing RSA key

5. PCEF configuration

5-1. Issuing the PCEF certificate
cd /opt/CA
openssl req -new -newkey rsa:512 -keyout private/c610diam01-pass.key -out private/c610diam01.csr
openssl rsa < private/c610diam01-pass.key > private/c610diam01.key
openssl ca -in private/c610diam01.csr -out newcerts/c610diam01.crt

Create the PCEF key and CSR
Strip the passphrase from the key
Sign the PCEF CSR with the CA

Use the Diameter Identity that will go into freeDiameter.conf (c610diam01.local.jp) as the Common Name, so that the certificate names the peer by the same identity it announces in Origin-Host. The 512-bit and passphrase caveats from section 4-3 apply here too.

Example output:

[root@c610diam01 CA]# openssl req -new -newkey rsa:512 -keyout private/c610diam01-pass.key -out private/c610diam01.csr
Generating a 512 bit RSA private key
.++++++++++++
...........++++++++++++
writing new private key to 'private/c610diam01-pass.key'
Enter PEM pass phrase: (enter a passphrase of your choice)
Verifying - Enter PEM pass phrase: (enter the same passphrase)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) :Tokyo
Locality Name (eg, city) [Default City]:Minato-ku
Organization Name (eg, company) [Default Company Ltd]:local.jp
Organizational Unit Name (eg, section) :  (leave blank, press Enter)
Common Name (eg, your name or your server's hostname) :c610diam01.local.jp
Email Address :  (leave blank, press Enter)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :  (leave blank, press Enter)
An optional company name :  (leave blank, press Enter)

[root@c610diam01 CA]# openssl rsa < private/c610diam01-pass.key > private/c610diam01.key
Enter pass phrase: (enter the passphrase from above)
writing RSA key

[root@c610diam01 CA]# openssl ca -in private/c610diam01.csr -out newcerts/c610diam01.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  8 02:41:08 2019 GMT
            Not After : Jun  7 02:41:08 2020 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = local.jp
            commonName                = c610diam01.local.jp
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                60:37:2C:A4:B6:7F:49:1D:A6:4C:22:D3:BE:BC:7F:88:1D:D4:D6:0C
            X509v3 Authority Key Identifier:
                keyid:8F:0F:1D:B8:82:F6:9F:84:26:2B:95:56:C5:7C:16:EB:55:F6:4E:DF

Certificate is to be certified until Jun  7 02:41:08 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
5-2. Adding the PCEF extension module
cd /root/tmp
git clone https://github.com/kamome-e/fd_extensions.git
cd /root/tmp/fd_extensions/bin/
tar zxvf pcef.tar.gz
cd /root/tmp/fd_extensions/bin/pcef/
cp -p app_pcef.fdx dict_gx.fdx /opt/freeDiameter/lib/freeDiameter/
cp pcef-ctl.sh /opt/freeDiameter/bin/

Move to the working directory
git clone, then cd
Extract, then cd
Copy the fdx (extension module) files
Copy the shell script

These .fdx files are prebuilt shared objects from a third-party repository that get loaded into the freeDiameterd process (which runs as root here), so treat them like any unsigned binary: record the commit you cloned and the hashes of the files you copied, and review the source if the repository provides it.

5-3. Configuring freeDiameter.conf
mkdir /opt/freeDiameter/etc
cd /opt/freeDiameter/etc/
vi freeDiameter.conf

#freeDiameter.conf

Identity =              "c610diam01.local.jp";
Realm =                 "local.jp";
TcTimer =               30;
TwTimer =               30;
AppServThreads =        4;

Port =                  3868;
SecPort =               5868;
SCTP_streams =          30;
ListenOn =              "0.0.0.0";

TLS_Cred =              "/opt/CA/newcerts/c610diam01.crt", "/opt/CA/private/c610diam01.key";
TLS_CA =                "/opt/CA/cacert.pem";

LoadExtension =         "/opt/freeDiameter/lib/freeDiameter/dict_nasreq.fdx";
LoadExtension =         "/opt/freeDiameter/lib/freeDiameter/dict_gx.fdx";
LoadExtension =         "/opt/freeDiameter/lib/freeDiameter/app_pcef.fdx" : "/opt/freeDiameter/etc/app_pcef.conf";

ConnectPeer =           "c610diam02.local.jp"{NO_TLS; No_SCTP; };

<Supplement>
About

No_SCTP;

on the last line:
I actually wanted to capture the exchange running over SCTP with pcap, but errors were printed, apparently because linking against the SCTP library did not work, so I reluctantly added this setting.*2

The NO_TLS option on the same line matters more from a security standpoint: it tells freeDiameter to connect to this peer on the plain port (3868) without a TLS handshake, so the certificate and key in TLS_Cred and the CA in TLS_CA are not used for this peering at all, and the connection established in section 7 runs in the clear (freeDiameterd logs "No TLS protection negotiated" for it). Remove NO_TLS on both hosts to have the peers connect on SecPort (5868) and authenticate each other with the certificates issued in sections 5-1 and 6-1.

5-4. Configuring app_pcef.conf

Only destination_realm needs to be changed.

cd /root/tmp/fd_extensions/bin/pcef/
cp -p app_pcef.conf /opt/freeDiameter/etc/
vi /opt/freeDiameter/etc/app_pcef.conf

signal = 10;
work_dir = "/tmp/freeDiameter";
destination_realm = "local.jp";
imsi = "017635273633";
default_charging_rule_name = "default-policy";
5-5. Checking that the PCEF starts
export LD_LIBRARY_PATH=/opt/freeDiameter/lib
/opt/freeDiameter/bin/freeDiameterd -c /opt/freeDiameter/etc/freeDiameter.conf

Example output:

[root@c610diam01 pcef]# /opt/freeDiameter/bin/freeDiameterd -c /opt/freeDiameter/etc/freeDiameter.conf
06/08/19,11:52:45.172063  NOTI   libfdproto '1.2.0' initialized.
06/08/19,11:52:45.173929  NOTI   libgnutls '2.12.23' initialized.
06/08/19,11:52:45.174303  NOTI   libfdcore '1.2.0' initialized.
06/08/19,11:52:45.316111  NOTI   All extensions loaded.
06/08/19,11:52:45.316133  NOTI   freeDiameter configuration:
06/08/19,11:52:45.316136  NOTI     Default trace level .... : +3
06/08/19,11:52:45.316138  NOTI     Configuration file ..... : /opt/freeDiameter/etc/freeDiameter.conf
06/08/19,11:52:45.316140  NOTI     Diameter Identity ...... : c610diam01.local.jp (l:19)
06/08/19,11:52:45.316142  NOTI     Diameter Realm ......... : local.jp (l:8)
06/08/19,11:52:45.316144  NOTI     Tc Timer ............... : 30
06/08/19,11:52:45.316146  NOTI     Tw Timer ............... : 30
06/08/19,11:52:45.316148  NOTI     Local port ............. : 3868
06/08/19,11:52:45.316150  NOTI     Local secure port ...... : 5868
06/08/19,11:52:45.316152  NOTI     Number of SCTP streams . : 30
06/08/19,11:52:45.316154  NOTI     Number of clients thr .. : 5
06/08/19,11:52:45.316156  NOTI     Number of app threads .. : 4
06/08/19,11:52:45.316158  NOTI     Local endpoints ........ : Default (use all available)
06/08/19,11:52:45.316160  NOTI     Local applications ..... : App: 16777238,AuAc,Vnd:0
06/08/19,11:52:45.316162  NOTI     Flags : - IP ........... : Enabled
06/08/19,11:52:45.316164  NOTI             - IPv6 ......... : Enabled
06/08/19,11:52:45.316184  NOTI             - Relay app .... : Enabled
06/08/19,11:52:45.316187  NOTI             - TCP .......... : Enabled
06/08/19,11:52:45.316189  NOTI             - SCTP ......... : Enabled
06/08/19,11:52:45.316191  NOTI             - Pref. proto .. : SCTP
06/08/19,11:52:45.316193  NOTI             - TLS method ... : Separate port
06/08/19,11:52:45.316195  NOTI     TLS :   - Certificate .. : /opt/CA/newcerts/c610diam01.crt
06/08/19,11:52:45.316197  NOTI             - Private key .. : /opt/CA/private/c610diam01.key
06/08/19,11:52:45.316199  NOTI             - CA (trust) ... : /opt/CA/cacert.pem (1 certs)
06/08/19,11:52:45.316201  NOTI             - CRL .......... : (none)
06/08/19,11:52:45.316203  NOTI             - Priority ..... : (default: 'NORMAL')
06/08/19,11:52:45.316205  NOTI             - DH bits ...... : 1024
06/08/19,11:52:45.316207  NOTI     Origin-State-Id ........ : 1559962365
06/08/19,11:52:45.316211  NOTI   Loaded extensions: '/opt/freeDiameter/lib/freeDiameter/dict_nasreq.fdx'[(no config file)], loaded
06/08/19,11:52:45.316213  NOTI   Loaded extensions: '/opt/freeDiameter/lib/freeDiameter/dict_gx.fdx'[(no config file)], loaded
06/08/19,11:52:45.316215  NOTI   Loaded extensions: '/opt/freeDiameter/lib/freeDiameter/app_pcef.fdx'[/opt/freeDiameter/etc/app_pcef.conf], loaded
06/08/19,11:52:45.316219  NOTI   {signal:10}'app_pcef'->0x7f2921bcfa20
06/08/19,11:52:45.342450  NOTI   Local server address(es): 192.168.11.161{---L-}        192.168.30.161{---L-}
06/08/19,11:52:45.342506  NOTI   freeDiameterd daemon initialized.

6. PCRF configuration

6-1. Issuing the PCRF certificate
cd /opt/CA
openssl req -new -newkey rsa:512 -keyout private/c610diam02-pass.key -out private/c610diam02.csr
openssl rsa < private/c610diam02-pass.key > private/c610diam02.key
openssl ca -in private/c610diam02.csr -out newcerts/c610diam02.crt

Create the PCRF key and CSR
Strip the passphrase from the key
Sign the PCRF CSR with the CA

The prompts below show this being run on c610diam02, and the certificate gets serial number 2 from the same CA (same Authority Key Identifier), so the /opt/CA directory from c610diam01, including the CA private key, serial and index.txt, has to be present there as well (the post does not spell out how; cloning the VM after section 5-1 or copying the directory both work). Sharing the CA private key between peers like this is acceptable only in a lab; otherwise sign on the CA host and distribute only the peer certificates and cacert.pem.

Example output:

[root@c610diam02 CA]# openssl req -new -newkey rsa:512 -keyout private/c610diam02-pass.key -out private/c610diam02.csr
Generating a 512 bit RSA private key
.....++++++++++++
...............................++++++++++++
writing new private key to 'private/c610diam02-pass.key'
Enter PEM pass phrase: (enter a passphrase of your choice)
Verifying - Enter PEM pass phrase: (enter the same passphrase)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) :Tokyo
Locality Name (eg, city) [Default City]:Minato-ku
Organization Name (eg, company) [Default Company Ltd]:local.jp
Organizational Unit Name (eg, section) :  (leave blank, press Enter)
Common Name (eg, your name or your server's hostname) :c610diam02.local.jp
Email Address :  (leave blank, press Enter)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :  (leave blank, press Enter)
An optional company name :  (leave blank, press Enter)

[root@c610diam02 CA]# openssl rsa < private/c610diam02-pass.key > private/c610diam02.key
Enter pass phrase: (enter the passphrase from above)
writing RSA key

[root@c610diam02 CA]# openssl ca -in private/c610diam02.csr -out newcerts/c610diam02.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jun  8 02:58:22 2019 GMT
            Not After : Jun  7 02:58:22 2020 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = local.jp
            commonName                = c610diam02.local.jp
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                58:48:A9:29:C0:63:60:17:EA:79:49:ED:3C:62:71:69:3C:E1:9D:92
            X509v3 Authority Key Identifier:
                keyid:8F:0F:1D:B8:82:F6:9F:84:26:2B:95:56:C5:7C:16:EB:55:F6:4E:DF

Certificate is to be certified until Jun  7 02:58:22 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
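As an added example (not code from this post or from the freeDiameter project), the following Python script reproduces the CA and peer-certificate procedure of sections 4, 5-1 and 6-1 non-interactively with the openssl CLI, with two changes a practitioner would want: 2048-bit keys instead of rsa:512, and signing with `openssl x509 -req -CA ...` so that /etc/pki/tls/openssl.cnf does not need to be edited and no serial/index database is involved. It then verifies each peer certificate against the CA the way `openssl verify -CAfile` would and checks the key size and Common Name. The subject fields and peer identities are the ones used in the post; the directory layout, function names and the use of a temporary directory are this example's own assumptions.

```python
"""Lab PKI for two freeDiameter peers, built with the openssl CLI.

Added example, not part of the original post or of freeDiameter.
Assumes an `openssl` binary on PATH; every other name here is chosen
for this example.
"""
import os
import re
import shutil
import subprocess
import tempfile

# Subject fields and peer identities as used in the post.
CA_SUBJECT = "/C=JP/ST=Tokyo/L=Minato-ku/O=local.jp/CN=ca.local.jp"
PEERS = ("c610diam01.local.jp", "c610diam02.local.jp")


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def _openssl(*args: str) -> str:
    """Run one openssl subcommand; raise CalledProcessError on failure."""
    proc = subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True)
    return proc.stdout


def build_lab_pki(root: str, key_bits: int = 2048, days: int = 365) -> dict:
    """Create cacert.pem plus one key/cert per peer under root; return the paths."""
    private = os.path.join(root, "private")
    newcerts = os.path.join(root, "newcerts")
    os.makedirs(private, mode=0o700, exist_ok=True)   # keys below are unencrypted
    os.makedirs(newcerts, exist_ok=True)
    ca_key = os.path.join(private, "cakey.pem")
    ca_crt = os.path.join(root, "cacert.pem")
    # Self-signed CA. -nodes leaves the key unencrypted, which is what the post
    # achieves with its extra `openssl rsa` step; the 0700 directory is then the
    # only protection left, so the mode matters.
    _openssl("req", "-x509", "-new", "-newkey", f"rsa:{key_bits}", "-nodes",
             "-days", str(days), "-subj", CA_SUBJECT,
             "-keyout", ca_key, "-out", ca_crt)
    pki = {"ca_cert": ca_crt, "ca_key": ca_key, "peers": {}}
    for fqdn in PEERS:
        short = fqdn.split(".")[0]
        key = os.path.join(private, f"{short}.key")
        csr = os.path.join(private, f"{short}.csr")
        crt = os.path.join(newcerts, f"{short}.crt")
        # CN = the peer's Diameter Identity, as in the post.
        _openssl("req", "-new", "-newkey", f"rsa:{key_bits}", "-nodes",
                 "-subj", f"/C=JP/ST=Tokyo/L=Minato-ku/O=local.jp/CN={fqdn}",
                 "-keyout", key, "-out", csr)
        # Sign directly with the CA key: no openssl.cnf `dir` edit, no index/serial.
        _openssl("x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
                 "-CAcreateserial", "-days", str(days), "-out", crt)
        os.chmod(key, 0o600)
        pki["peers"][fqdn] = {"key": key, "cert": crt}
    return pki


def verify_chain(ca_crt: str, cert: str) -> bool:
    """Same check as `openssl verify -CAfile cacert.pem newcerts/<peer>.crt`."""
    proc = subprocess.run(["openssl", "verify", "-CAfile", ca_crt, cert],
                          capture_output=True, text=True)
    return proc.returncode == 0 and proc.stdout.strip().endswith(": OK")


def key_bits(cert: str) -> int:
    """RSA modulus size of the certificate's public key (512 in the post)."""
    text = _openssl("x509", "-in", cert, "-noout", "-text")
    match = re.search(r"Public-Key: \((\d+) bit\)", text)
    if not match:
        raise ValueError("no Public-Key line in certificate text")
    return int(match.group(1))


def subject_cn(cert: str) -> str:
    """CN of the subject; handles both the openssl 1.0 and 1.1+ print formats."""
    subj = _openssl("x509", "-in", cert, "-noout", "-subject")
    match = re.search(r"CN\s*=\s*([^,/\n]+)", subj)
    if not match:
        raise ValueError("no CN in subject")
    return match.group(1).strip()


def selftest() -> bool:
    """Build the PKI in a temp dir; True if every peer cert verifies against the
    CA, carries a 2048-bit key and has its own identity as CN."""
    with tempfile.TemporaryDirectory() as root:
        pki = build_lab_pki(root)
        return all(
            verify_chain(pki["ca_cert"], peer["cert"])
            and key_bits(peer["cert"]) == 2048
            and subject_cn(peer["cert"]) == fqdn
            for fqdn, peer in pki["peers"].items()
        )


if __name__ == "__main__":
    print("lab PKI ok" if selftest() else "lab PKI check failed")
```

To use it for the real setup, call build_lab_pki("/opt/CA") on the CA host only, then copy newcerts/<peer>.crt, private/<peer>.key and cacert.pem to each peer; the TLS_Cred and TLS_CA paths in freeDiameter.conf stay as in the post.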
6-2. Adding the PCRF extension module
cd /root/tmp/fd_extensions/bin/
tar zxvf pcrf.tar.gz
cd /root/tmp/fd_extensions/bin/pcrf/
cp -p app_pcrf.fdx dict_gx.fdx /opt/freeDiameter/lib/freeDiameter/

cd, then extract the pcrf tarball
cd, then copy*3

6-3. Configuring freeDiameter.conf
vi /opt/freeDiameter/etc/freeDiameter.conf

[root@c610diam02 ~]# vi /opt/freeDiameter/etc/freeDiameter.conf
#freeDiameter.conf

Identity =              "c610diam02.local.jp";
Realm =                 "local.jp";
TcTimer =               30;
TwTimer =               30;
AppServThreads =        4;

Port =                  3868;
SecPort =               5868;
SCTP_streams =          30;
ListenOn =              "0.0.0.0";

TLS_Cred =              "/opt/CA/newcerts/c610diam02.crt", "/opt/CA/private/c610diam02.key";
TLS_CA =                "/opt/CA/cacert.pem";

LoadExtension =         "/opt/freeDiameter/lib/freeDiameter/dict_nasreq.fdx";
LoadExtension =         "/opt/freeDiameter/lib/freeDiameter/dict_gx.fdx";
LoadExtension =         "/opt/freeDiameter/lib/freeDiameter/app_pcrf.fdx" : "/opt/freeDiameter/etc/app_pcrf.conf";

ConnectPeer =           "c610diam01.local.jp"{NO_TLS; No_SCTP; };
6-4. Configuring app_pcrf.conf

Nothing needs to be changed here.

cd /root/tmp/fd_extensions/bin/pcrf/
cp app_pcrf.conf /opt/freeDiameter/etc/
vi /opt/freeDiameter/etc/app_pcrf.conf

[root@c610diam02 pcrf]# vi /opt/freeDiameter/etc/app_pcrf.conf

monitoring_key = "test-monitoring-key";
initial_charging_rule_name = "high-speed-policy";
restricted_charging_rule_name = "low-speed-policy";
total_octets_threshold = 20;
input_octets_threshold = 10;
output_octets_threshold = 10;
6-5. Checking that the PCRF starts
export LD_LIBRARY_PATH=/opt/freeDiameter/lib
/opt/freeDiameter/bin/freeDiameterd -c /opt/freeDiameter/etc/freeDiameter.conf

Example output:

[root@c610diam02 pcrf]# /opt/freeDiameter/bin/freeDiameterd -c /opt/freeDiameter/etc/freeDiameter.conf
06/08/19,12:04:05.801044  NOTI   libfdproto '1.2.0' initialized.
06/08/19,12:04:05.801570  NOTI   libgnutls '2.12.23' initialized.
06/08/19,12:04:05.801772  NOTI   libfdcore '1.2.0' initialized.
06/08/19,12:04:05.911066  NOTI   All extensions loaded.
06/08/19,12:04:05.911114  NOTI   freeDiameter configuration:
06/08/19,12:04:05.911120  NOTI     Default trace level .... : +3
06/08/19,12:04:05.911122  NOTI     Configuration file ..... : /opt/freeDiameter/etc/freeDiameter.conf
06/08/19,12:04:05.911124  NOTI     Diameter Identity ...... : c610diam02.local.jp (l:19)
06/08/19,12:04:05.911126  NOTI     Diameter Realm ......... : local.jp (l:8)
06/08/19,12:04:05.911128  NOTI     Tc Timer ............... : 30
06/08/19,12:04:05.911130  NOTI     Tw Timer ............... : 30
06/08/19,12:04:05.911132  NOTI     Local port ............. : 3868
06/08/19,12:04:05.911134  NOTI     Local secure port ...... : 5868
06/08/19,12:04:05.911136  NOTI     Number of SCTP streams . : 30
06/08/19,12:04:05.911138  NOTI     Number of clients thr .. : 5
06/08/19,12:04:05.911140  NOTI     Number of app threads .. : 4
06/08/19,12:04:05.911142  NOTI     Local endpoints ........ : Default (use all available)
06/08/19,12:04:05.911144  NOTI     Local applications ..... : App: 16777238,AuAc,Vnd:0
06/08/19,12:04:05.911147  NOTI     Flags : - IP ........... : Enabled
06/08/19,12:04:05.911149  NOTI             - IPv6 ......... : Enabled
06/08/19,12:04:05.911151  NOTI             - Relay app .... : Enabled
06/08/19,12:04:05.911153  NOTI             - TCP .......... : Enabled
06/08/19,12:04:05.911155  NOTI             - SCTP ......... : Enabled
06/08/19,12:04:05.911157  NOTI             - Pref. proto .. : SCTP
06/08/19,12:04:05.911159  NOTI             - TLS method ... : Separate port
06/08/19,12:04:05.911161  NOTI     TLS :   - Certificate .. : /opt/CA/newcerts/c610diam02.crt
06/08/19,12:04:05.911163  NOTI             - Private key .. : /opt/CA/private/c610diam02.key
06/08/19,12:04:05.911165  NOTI             - CA (trust) ... : /opt/CA/cacert.pem (1 certs)
06/08/19,12:04:05.911168  NOTI             - CRL .......... : (none)
06/08/19,12:04:05.911170  NOTI             - Priority ..... : (default: 'NORMAL')
06/08/19,12:04:05.911172  NOTI             - DH bits ...... : 1024
06/08/19,12:04:05.911174  NOTI     Origin-State-Id ........ : 1559963045
06/08/19,12:04:05.911178  NOTI   Loaded extensions: '/opt/freeDiameter/lib/freeDiameter/dict_nasreq.fdx'[(no config file)], loaded
06/08/19,12:04:05.911180  NOTI   Loaded extensions: '/opt/freeDiameter/lib/freeDiameter/dict_gx.fdx'[(no config file)], loaded
06/08/19,12:04:05.911182  NOTI   Loaded extensions: '/opt/freeDiameter/lib/freeDiameter/app_pcrf.fdx'[/opt/freeDiameter/etc/app_pcrf.conf], loaded
06/08/19,12:04:05.938652  NOTI   Local server address(es): 192.168.11.162{---L-}        192.168.30.162{---L-}
06/08/19,12:04:05.938693  NOTI   freeDiameterd daemon initialized.

If the PCEF is already running, the connection starts right after this; the output above was taken with the PCEF not running.

7. Operation check

7-1. Starting the PCRF
[root@c610diam02 ~]# /opt/freeDiameter/bin/freeDiameterd -c /opt/freeDiameter/etc/freeDiameter.conf
06/08/19,12:08:49.011248  NOTI   libfdproto '1.2.0' initialized.
06/08/19,12:08:49.011937  NOTI   libgnutls '2.12.23' initialized.
06/08/19,12:08:49.012197  NOTI   libfdcore '1.2.0' initialized.
06/08/19,12:08:49.114938  NOTI   All extensions loaded.
06/08/19,12:08:49.114959  NOTI   freeDiameter configuration:
06/08/19,12:08:49.114963  NOTI     Default trace level .... : +3
06/08/19,12:08:49.114965  NOTI     Configuration file ..... : /opt/freeDiameter/etc/freeDiameter.conf
06/08/19,12:08:49.114967  NOTI     Diameter Identity ...... : c610diam02.local.jp (l:19)
06/08/19,12:08:49.114969  NOTI     Diameter Realm ......... : local.jp (l:8)
06/08/19,12:08:49.114971  NOTI     Tc Timer ............... : 30
06/08/19,12:08:49.114973  NOTI     Tw Timer ............... : 30
06/08/19,12:08:49.114975  NOTI     Local port ............. : 3868
06/08/19,12:08:49.114977  NOTI     Local secure port ...... : 5868
06/08/19,12:08:49.114979  NOTI     Number of SCTP streams . : 30
06/08/19,12:08:49.114981  NOTI     Number of clients thr .. : 5
06/08/19,12:08:49.114983  NOTI     Number of app threads .. : 4
06/08/19,12:08:49.114985  NOTI     Local endpoints ........ : Default (use all available)
06/08/19,12:08:49.114987  NOTI     Local applications ..... : App: 16777238,AuAc,Vnd:0
06/08/19,12:08:49.114989  NOTI     Flags : - IP ........... : Enabled
06/08/19,12:08:49.114991  NOTI             - IPv6 ......... : Enabled
06/08/19,12:08:49.114993  NOTI             - Relay app .... : Enabled
06/08/19,12:08:49.114995  NOTI             - TCP .......... : Enabled
06/08/19,12:08:49.114997  NOTI             - SCTP ......... : Enabled
06/08/19,12:08:49.114999  NOTI             - Pref. proto .. : SCTP
06/08/19,12:08:49.115001  NOTI             - TLS method ... : Separate port
06/08/19,12:08:49.115003  NOTI     TLS :   - Certificate .. : /opt/CA/newcerts/c610diam02.crt
06/08/19,12:08:49.115005  NOTI             - Private key .. : /opt/CA/private/c610diam02.key
06/08/19,12:08:49.115007  NOTI             - CA (trust) ... : /opt/CA/cacert.pem (1 certs)
06/08/19,12:08:49.115010  NOTI             - CRL .......... : (none)
06/08/19,12:08:49.115011  NOTI             - Priority ..... : (default: 'NORMAL')
06/08/19,12:08:49.115014  NOTI             - DH bits ...... : 1024
06/08/19,12:08:49.115016  NOTI     Origin-State-Id ........ : 1559963329
06/08/19,12:08:49.115019  NOTI   Loaded extensions: '/opt/freeDiameter/lib/freeDiameter/dict_nasreq.fdx'[(no config file)], loaded
06/08/19,12:08:49.115021  NOTI   Loaded extensions: '/opt/freeDiameter/lib/freeDiameter/dict_gx.fdx'[(no config file)], loaded
06/08/19,12:08:49.115023  NOTI   Loaded extensions: '/opt/freeDiameter/lib/freeDiameter/app_pcrf.fdx'[/opt/freeDiameter/etc/app_pcrf.conf], loaded
06/08/19,12:08:49.115728  NOTI   Local server address(es): 192.168.11.162{---L-}        192.168.30.162{---L-}
06/08/19,12:08:49.115774  NOTI   freeDiameterd daemon initialized.

7-2. Starting the PCEF
[root@c610diam01 ~]# /opt/freeDiameter/bin/freeDiameterd -c /opt/freeDiameter/etc/freeDiameter.conf
06/08/19,12:09:04.765012  NOTI   libfdproto '1.2.0' initialized.
06/08/19,12:09:04.765733  NOTI   libgnutls '2.12.23' initialized.
06/08/19,12:09:04.766007  NOTI   libfdcore '1.2.0' initialized.
06/08/19,12:09:04.949999  NOTI   All extensions loaded.
06/08/19,12:09:04.950020  NOTI   freeDiameter configuration:
06/08/19,12:09:04.950023  NOTI     Default trace level .... : +3
06/08/19,12:09:04.950026  NOTI     Configuration file ..... : /opt/freeDiameter/etc/freeDiameter.conf
06/08/19,12:09:04.950028  NOTI     Diameter Identity ...... : c610diam01.local.jp (l:19)
06/08/19,12:09:04.950030  NOTI     Diameter Realm ......... : local.jp (l:8)
06/08/19,12:09:04.950032  NOTI     Tc Timer ............... : 30
06/08/19,12:09:04.950034  NOTI     Tw Timer ............... : 30
06/08/19,12:09:04.950036  NOTI     Local port ............. : 3868
06/08/19,12:09:04.950038  NOTI     Local secure port ...... : 5868
06/08/19,12:09:04.950040  NOTI     Number of SCTP streams . : 30
06/08/19,12:09:04.950042  NOTI     Number of clients thr .. : 5
06/08/19,12:09:04.950044  NOTI     Number of app threads .. : 4
06/08/19,12:09:04.950046  NOTI     Local endpoints ........ : Default (use all available)
06/08/19,12:09:04.950048  NOTI     Local applications ..... : App: 16777238,AuAc,Vnd:0
06/08/19,12:09:04.950050  NOTI     Flags : - IP ........... : Enabled
06/08/19,12:09:04.950052  NOTI             - IPv6 ......... : Enabled
06/08/19,12:09:04.950055  NOTI             - Relay app .... : Enabled
06/08/19,12:09:04.950057  NOTI             - TCP .......... : Enabled
06/08/19,12:09:04.950058  NOTI             - SCTP ......... : Enabled
06/08/19,12:09:04.950061  NOTI             - Pref. proto .. : SCTP
06/08/19,12:09:04.950062  NOTI             - TLS method ... : Separate port
06/08/19,12:09:04.950065  NOTI     TLS :   - Certificate .. : /opt/CA/newcerts/c610diam01.crt
06/08/19,12:09:04.950067  NOTI             - Private key .. : /opt/CA/private/c610diam01.key
06/08/19,12:09:04.950069  NOTI             - CA (trust) ... : /opt/CA/cacert.pem (1 certs)
06/08/19,12:09:04.950071  NOTI             - CRL .......... : (none)
06/08/19,12:09:04.950073  NOTI             - Priority ..... : (default: 'NORMAL')
06/08/19,12:09:04.950075  NOTI             - DH bits ...... : 1024
06/08/19,12:09:04.950077  NOTI     Origin-State-Id ........ : 1559963344
06/08/19,12:09:04.950080  NOTI   Loaded extensions: '/opt/freeDiameter/lib/freeDiameter/dict_nasreq.fdx'[(no config file)], loaded
06/08/19,12:09:04.950083  NOTI   Loaded extensions: '/opt/freeDiameter/lib/freeDiameter/dict_gx.fdx'[(no config file)], loaded
06/08/19,12:09:04.950085  NOTI   Loaded extensions: '/opt/freeDiameter/lib/freeDiameter/app_pcef.fdx'[/opt/freeDiameter/etc/app_pcef.conf], loaded
06/08/19,12:09:04.950089  NOTI   {signal:10}'app_pcef'->0x7f641a9f5a20
06/08/19,12:09:04.950797  NOTI   Local server address(es): 192.168.11.161{---L-}        192.168.30.161{---L-}
06/08/19,12:09:04.950838  NOTI   freeDiameterd daemon initialized.
The following is printed when the connection to the PCRF is established:
06/08/19,12:09:04.953215  NOTI   Connected to 'c610diam02.local.jp' (TCP,soc#16), remote capabilities:
06/08/19,12:09:04.953224  NOTI      'Capabilities-Exchange-Answer'
06/08/19,12:09:04.953245  NOTI        Version: 0x01
06/08/19,12:09:04.953247  NOTI        Length: 236
06/08/19,12:09:04.953249  NOTI        Flags: 0x00 (----)
06/08/19,12:09:04.953251  NOTI        Command Code: 257
06/08/19,12:09:04.953253  NOTI        ApplicationId: 0
06/08/19,12:09:04.953255  NOTI        Hop-by-Hop Identifier: 0x40404F68
06/08/19,12:09:04.953257  NOTI        End-to-End Identifier: 0x6D04E4B6
06/08/19,12:09:04.953259  NOTI         {internal data}: src:c610diam02.local.jp(19) rwb:(nil) rt:2 cb:(nil),(nil)(nil) qry:0x7f6420000ba0 asso:0 sess:(nil)
06/08/19,12:09:04.953262  NOTI         AVP: 'Result-Code'(268) l=12 f=-M val='DIAMETER_SUCCESS' (2001 (0x7d1))
06/08/19,12:09:04.953264  NOTI         AVP: 'Origin-Host'(264) l=27 f=-M val="c610diam02.local.jp"
06/08/19,12:09:04.953266  NOTI         AVP: 'Origin-Realm'(296) l=16 f=-M val="local.jp"
06/08/19,12:09:04.953268  NOTI         AVP: 'Origin-State-Id'(278) l=12 f=-M val=1559963329 (0x5cfb26c1)
06/08/19,12:09:04.953271  NOTI         AVP: 'Host-IP-Address'(257) l=14 f=-M val=192.168.11.162
06/08/19,12:09:04.953273  NOTI         AVP: 'Host-IP-Address'(257) l=14 f=-M val=192.168.30.162
06/08/19,12:09:04.953275  NOTI         AVP: 'Vendor-Id'(266) l=12 f=-M val=0 (0x0)
06/08/19,12:09:04.953277  NOTI         AVP: 'Product-Name'(269) l=20 f=-- val="freeDiameter"
06/08/19,12:09:04.953279  NOTI         AVP: 'Firmware-Revision'(267) l=12 f=-- val=10200 (0x27d8)
06/08/19,12:09:04.953281  NOTI         AVP: 'Auth-Application-Id'(258) l=12 f=-M val=16777238 (0x1000016)
06/08/19,12:09:04.953284  NOTI         AVP: 'Acct-Application-Id'(259) l=12 f=-M val=16777238 (0x1000016)
06/08/19,12:09:04.953286  NOTI         AVP: 'Auth-Application-Id'(258) l=12 f=-M val=4294967295 (0xffffffff)
06/08/19,12:09:04.953288  NOTI         AVP: 'Supported-Vendor-Id'(265) l=12 f=-M val=5535 (0x159f)
06/08/19,12:09:04.953290  NOTI         AVP: 'Supported-Vendor-Id'(265) l=12 f=-M val=10415 (0x28af)
06/08/19,12:09:04.953292  NOTI         AVP: 'Supported-Vendor-Id'(265) l=12 f=-M val=13019 (0x32db)
06/08/19,12:09:04.953299  NOTI   No TLS protection negotiated with peer 'c610diam02.local.jp'.
06/08/19,12:09:04.953396  NOTI   'STATE_WAITCEA'        -> 'STATE_OPEN' 'c610diam02.local.jp'

7-3. Output on the PCRF side after the PCEF starts
06/08/19,12:09:05.045712  NOTI   Connected to 'c610diam01.local.jp' (TCP,soc#12), remote capabilities:
06/08/19,12:09:05.045726  NOTI      'Capabilities-Exchange-Request'
06/08/19,12:09:05.045729  NOTI        Version: 0x01
06/08/19,12:09:05.045731  NOTI        Length: 236
06/08/19,12:09:05.045733  NOTI        Flags: 0x80 (R---)
06/08/19,12:09:05.045735  NOTI        Command Code: 257
06/08/19,12:09:05.045737  NOTI        ApplicationId: 0
06/08/19,12:09:05.045739  NOTI        Hop-by-Hop Identifier: 0x40404F68
06/08/19,12:09:05.045741  NOTI        End-to-End Identifier: 0x6D04E4B6
06/08/19,12:09:05.045743  NOTI         {internal data}: src:(nil)(0) rwb:(nil) rt:0 cb:(nil),(nil)(nil) qry:(nil) asso:1 sess:(nil)
06/08/19,12:09:05.045746  NOTI         AVP: 'Origin-Host'(264) l=27 f=-M val="c610diam01.local.jp"
06/08/19,12:09:05.045748  NOTI         AVP: 'Origin-Realm'(296) l=16 f=-M val="local.jp"
06/08/19,12:09:05.045750  NOTI         AVP: 'Origin-State-Id'(278) l=12 f=-M val=1559963344 (0x5cfb26d0)
06/08/19,12:09:05.045752  NOTI         AVP: 'Host-IP-Address'(257) l=14 f=-M val=192.168.11.161
06/08/19,12:09:05.045754  NOTI         AVP: 'Host-IP-Address'(257) l=14 f=-M val=192.168.30.161
06/08/19,12:09:05.045756  NOTI         AVP: 'Vendor-Id'(266) l=12 f=-M val=0 (0x0)
06/08/19,12:09:05.045758  NOTI         AVP: 'Product-Name'(269) l=20 f=-- val="freeDiameter"
06/08/19,12:09:05.045761  NOTI         AVP: 'Firmware-Revision'(267) l=12 f=-- val=10200 (0x27d8)
06/08/19,12:09:05.045763  NOTI         AVP: 'Inband-Security-Id'(299) l=12 f=-M val='NO_INBAND_SECURITY' (0 (0x0))
06/08/19,12:09:05.045765  NOTI         AVP: 'Auth-Application-Id'(258) l=12 f=-M val=16777238 (0x1000016)
06/08/19,12:09:05.045767  NOTI         AVP: 'Acct-Application-Id'(259) l=12 f=-M val=16777238 (0x1000016)
06/08/19,12:09:05.045769  NOTI         AVP: 'Auth-Application-Id'(258) l=12 f=-M val=4294967295 (0xffffffff)
06/08/19,12:09:05.045771  NOTI         AVP: 'Supported-Vendor-Id'(265) l=12 f=-M val=5535 (0x159f)
06/08/19,12:09:05.045774  NOTI         AVP: 'Supported-Vendor-Id'(265) l=12 f=-M val=10415 (0x28af)
06/08/19,12:09:05.045776  NOTI         AVP: 'Supported-Vendor-Id'(265) l=12 f=-M val=13019 (0x32db)
06/08/19,12:09:05.045858  NOTI   No TLS protection negotiated with peer 'c610diam01.local.jp'.
06/08/19,12:09:05.046000  NOTI   'STATE_CLOSED' -> 'STATE_OPEN' 'c610diam01.local.jp'
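To tie the dump above to the bytes on the wire, here is an added example (not freeDiameter code) that encodes and decodes Diameter base-protocol messages per RFC 6733 for the vendor-less AVPs that appear in the log. It rebuilds the CER that c610diam01 sent, using the identities, addresses, Origin-State-Id and hop-by-hop/end-to-end identifiers from the log, so that the result can be checked against the 236-byte length and the per-AVP l= values freeDiameter printed, and it provides a check for whether a CER advertises TLS in Inband-Security-Id (the logged value is NO_INBAND_SECURITY). AVP codes and flag bits are the standard ones from RFC 6733; the function names are this example's own.

```python
"""Diameter CER encoder/decoder for the AVPs in the logged exchange.

Added example, not freeDiameter code. Wire format per RFC 6733:
20-byte message header, then AVPs with an 8-byte header (12 with the V bit)
and data padded to a 32-bit boundary. The values in build_cer() are taken
from the PCRF-side log in 7-3; nothing else here comes from the post.
"""
import socket
import struct

CMD_CE = 257            # Capabilities-Exchange (CER/CEA)
FLAG_REQUEST = 0x80     # R bit in the command flags
AVP_MANDATORY = 0x40    # M bit in the AVP flags
AVP_VENDOR = 0x80       # V bit: a 4-byte Vendor-Id follows the AVP header
NO_INBAND_SECURITY, INBAND_TLS = 0, 1   # Inband-Security-Id values

# code -> (name, type) for the base-protocol AVPs seen in the CER/CEA dumps.
AVP_DEFS = {
    264: ("Origin-Host", "id"),          296: ("Origin-Realm", "id"),
    278: ("Origin-State-Id", "u32"),     257: ("Host-IP-Address", "addr"),
    266: ("Vendor-Id", "u32"),           269: ("Product-Name", "utf8"),
    267: ("Firmware-Revision", "u32"),   299: ("Inband-Security-Id", "u32"),
    258: ("Auth-Application-Id", "u32"), 259: ("Acct-Application-Id", "u32"),
    265: ("Supported-Vendor-Id", "u32"), 268: ("Result-Code", "u32"),
}
CODE_OF = {name: code for code, (name, _) in AVP_DEFS.items()}


def _pack_data(kind: str, value) -> bytes:
    if kind == "u32":
        return struct.pack("!I", value)
    if kind == "addr":   # Address = 2-byte AddressType (1 = IPv4) + raw address
        return struct.pack("!H", 1) + socket.inet_aton(value)
    return value.encode("utf-8")   # DiameterIdentity / UTF8String


def _unpack_data(kind: str, data: bytes):
    if kind == "u32":
        return struct.unpack("!I", data)[0]
    if kind == "addr":
        family = struct.unpack("!H", data[:2])[0]
        return socket.inet_ntoa(data[2:]) if family == 1 else data[2:].hex()
    if kind == "raw":
        return data
    return data.decode("utf-8")


def encode_avp(name: str, value, mandatory: bool = True) -> bytes:
    code = CODE_OF[name]
    data = _pack_data(AVP_DEFS[code][1], value)
    length = 8 + len(data)                  # this is the l= value freeDiameter logs
    flags = AVP_MANDATORY if mandatory else 0
    padding = b"\x00" * (-len(data) % 4)    # padding is not counted in length
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + data + padding


def encode_message(cmd: int, flags: int, app_id: int, hbh: int, e2e: int, avps) -> bytes:
    body = b"".join(encode_avp(n, v, m) for n, v, m in avps)
    length = 20 + len(body)
    header = (bytes([1]) + length.to_bytes(3, "big") + bytes([flags])
              + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e))
    return header + body


def decode_message(buf: bytes) -> dict:
    """Parse one message; every length is bounds-checked so a bad AVP cannot desync the walk."""
    if len(buf) < 20 or buf[0] != 1:
        raise ValueError("not a Diameter v1 message")
    length = int.from_bytes(buf[1:4], "big")
    if length != len(buf) or length % 4:
        raise ValueError("bad message length")
    flags, cmd = buf[4], int.from_bytes(buf[5:8], "big")
    app_id, hbh, e2e = struct.unpack("!III", buf[8:20])
    avps, off = [], 20
    while off < length:
        code, aflags = struct.unpack("!IB", buf[off:off + 5])
        alen = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if aflags & AVP_VENDOR else 8
        if alen < hdr or off + alen > length:
            raise ValueError(f"bad AVP length {alen} at offset {off}")
        name, kind = AVP_DEFS.get(code, (f"AVP-{code}", "raw"))
        avps.append((name, _unpack_data(kind, buf[off + hdr:off + alen]), alen))
        off += alen + (-alen % 4)
    return {"cmd": cmd, "request": bool(flags & FLAG_REQUEST), "app_id": app_id,
            "hbh": hbh, "e2e": e2e, "length": length, "avps": avps}


def is_wellformed(buf: bytes) -> bool:
    try:
        decode_message(buf)
        return True
    except ValueError:
        return False


def build_cer(origin_host="c610diam01.local.jp", realm="local.jp", state_id=1559963344,
              addrs=("192.168.11.161", "192.168.30.161"), inband=NO_INBAND_SECURITY) -> bytes:
    """The CER from the PCRF-side log (7-3), AVP by AVP, in the logged order."""
    avps = [("Origin-Host", origin_host, True), ("Origin-Realm", realm, True),
            ("Origin-State-Id", state_id, True)]
    avps += [("Host-IP-Address", a, True) for a in addrs]
    avps += [("Vendor-Id", 0, True), ("Product-Name", "freeDiameter", False),
             ("Firmware-Revision", 10200, False), ("Inband-Security-Id", inband, True),
             ("Auth-Application-Id", 16777238, True),    # 3GPP Gx application id
             ("Acct-Application-Id", 16777238, True),
             ("Auth-Application-Id", 0xFFFFFFFF, True)]  # relay application
    avps += [("Supported-Vendor-Id", v, True) for v in (5535, 10415, 13019)]
    return encode_message(CMD_CE, FLAG_REQUEST, 0, 0x40404F68, 0x6D04E4B6, avps)


def tls_advertised(msg: dict) -> bool:
    """True only if the peer put Inband-Security-Id = TLS (1) in its CER."""
    return any(n == "Inband-Security-Id" and v == INBAND_TLS for n, v, _ in msg["avps"])


if __name__ == "__main__":
    cer = decode_message(build_cer())
    print(cer["length"], "bytes; TLS advertised:", tls_advertised(cer))
    for name, value, alen in cer["avps"]:
        print(f"  {name} l={alen} val={value!r}")
```

The decoded AVP list reproduces the l= values of the log (27 for Origin-Host, 14 for Host-IP-Address, and so on) because length counts the 8-byte header plus data but not the padding; the total of 236 matches the Length the log reports for both the CER and the CEA.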
Both sides log "No TLS protection negotiated", and the CER carries Inband-Security-Id = NO_INBAND_SECURITY: as configured with NO_TLS, the Gx session that follows runs over plain TCP on port 3868. That makes it easy to capture and read, but it is also unauthenticated beyond the identities the peers claim in Origin-Host. Remove NO_TLS from ConnectPeer on both hosts to make the peers use the certificates issued in sections 5 and 6.

7-4. Test commands on the PCEF side

All of the commands below are entered on the PCEF side.
Because freeDiameterd runs in the foreground, open a second terminal on the PCEF to enter them.

/opt/freeDiameter/bin/pcef-ctl.sh dump
/opt/freeDiameter/bin/pcef-ctl.sh init
/opt/freeDiameter/bin/pcef-ctl.sh update-input
/opt/freeDiameter/bin/pcef-ctl.sh update-output
7-5. Checking the state

When the command is entered, the terminal in which freeDiameterd is running in the foreground prints the following.
No policy has been applied yet.

/opt/freeDiameter/bin/pcef-ctl.sh dump


06/08/19,12:10:02.779425  NOTI   -------------- User session state dump --------------
06/08/19,12:10:02.779452  NOTI   IMSI:                      017635273633
06/08/19,12:10:02.779456  NOTI   Charging rule name:        default-policy
06/08/19,12:10:02.779458  NOTI   Used total octets:         0
06/08/19,12:10:02.779460  NOTI   Used input octets:         0
06/08/19,12:10:02.779480  NOTI   Used output octets:        0
06/08/19,12:10:02.779482  NOTI   =================== Dump complete ===================
7-6. Initialization

Apply the initial policy with the following command:

/opt/freeDiameter/bin/pcef-ctl.sh init
06/08/19,12:11:22.635425  NOTI   Sending initial request...
06/08/19,12:11:22.636343  NOTI   Received initial answer.

/opt/freeDiameter/bin/pcef-ctl.sh dump
06/08/19,12:11:57.275226  NOTI   -------------- User session state dump --------------
06/08/19,12:11:57.275234  NOTI   IMSI:                      017635273633
06/08/19,12:11:57.275236  NOTI   Charging rule name:        default-policy
06/08/19,12:11:57.275239  NOTI   Charging rule name:        high-speed-policy
06/08/19,12:11:57.275241  NOTI   Monitoring key:            test-monitoring-key
06/08/19,12:11:57.275243  NOTI     Total octets threshold:  20
06/08/19,12:11:57.275245  NOTI     Input octets threshold:  10
06/08/19,12:11:57.275246  NOTI     Output octets threshold: 10
06/08/19,12:11:57.275248  NOTI   Used total octets:         0
06/08/19,12:11:57.275250  NOTI   Used input octets:         0
06/08/19,12:11:57.275252  NOTI   Used output octets:        0
06/08/19,12:11:57.275254  NOTI   =================== Dump complete ===================
7-7. Update

Count usage upward with the following command.
Think of it as the data volume being counted as packets flow through the PGW or a DPI box.*4

/opt/freeDiameter/bin/pcef-ctl.sh update-input

06/08/19,12:12:24.735514  NOTI   Updated used input octets. [0->1]

Repeating the command brings the counter up to the threshold (Input octets threshold: 10):

06/08/19,12:12:24.735514  NOTI   Updated used input octets. [0->1]
06/08/19,12:12:48.084391  NOTI   Updated used input octets. [1->2]
06/08/19,12:12:48.668832  NOTI   Updated used input octets. [2->3]
06/08/19,12:12:49.141213  NOTI   Updated used input octets. [3->4]
06/08/19,12:12:49.624475  NOTI   Updated used input octets. [4->5]
06/08/19,12:12:50.142395  NOTI   Updated used input octets. [5->6]
06/08/19,12:12:50.669159  NOTI   Updated used input octets. [6->7]
06/08/19,12:12:51.189578  NOTI   Updated used input octets. [7->8]
06/08/19,12:12:51.743437  NOTI   Updated used input octets. [8->9]
06/08/19,12:12:52.278174  NOTI   Updated used input octets. [9->10]
06/08/19,12:12:52.278194  NOTI   Sending update request...
06/08/19,12:12:52.278843  NOTI   Received update answer.

After the threshold is reached, checking the state shows that the new rule has been applied:

/opt/freeDiameter/bin/pcef-ctl.sh dump

06/08/19,12:13:18.653228  NOTI   -------------- User session state dump --------------
06/08/19,12:13:18.653236  NOTI   IMSI:                      017635273633
06/08/19,12:13:18.653239  NOTI   Charging rule name:        default-policy
06/08/19,12:13:18.653241  NOTI   Charging rule name:        low-speed-policy
06/08/19,12:13:18.653243  NOTI   Used total octets:         10
06/08/19,12:13:18.653245  NOTI   Used input octets:         10
06/08/19,12:13:18.653247  NOTI   Used output octets:        0
06/08/19,12:13:18.653249  NOTI   =================== Dump complete ===================
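The sequence in 7-5 to 7-7 can be modelled in a few dozen lines. This is an added example, not the app_pcef/app_pcrf extension code: the messages are plain Python dicts standing in for the Gx CCR/CCA exchange, and the rule handling is inferred from the dumps above (the initial answer installs the high-speed rule together with the monitoring key and thresholds from app_pcrf.conf; when any threshold is reached the PCEF reports its usage, and the answer replaces the high-speed rule with the restricted one and drops the monitoring key). The PCRF side re-checks the reported counters against its own thresholds instead of trusting the PCEF's claim that a threshold was reached; that check is this example's design choice, not something the post shows.

```python
"""Model of the Gx usage-monitoring exchange from sections 7-5 to 7-7.

Added example; not the app_pcef/app_pcrf code. Messages are plain dicts that
stand in for CCR-I/CCA-I and CCR-U/CCA-U. Config values and the IMSI are the
ones from app_pcef.conf / app_pcrf.conf in the post.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Pcrf:
    """Policy side: holds the app_pcrf.conf values and answers CCRs."""
    monitoring_key: str = "test-monitoring-key"
    initial_rule: str = "high-speed-policy"
    restricted_rule: str = "low-speed-policy"
    thresholds: dict = field(default_factory=lambda: {"total": 20, "input": 10, "output": 10})

    def exceeded(self, used: dict) -> bool:
        return any(used[k] >= limit for k, limit in self.thresholds.items())

    def handle_ccr(self, ccr: dict) -> dict:
        if ccr["type"] == "initial":
            # CCA-I: install the monitored rule and hand out the thresholds.
            return {"install": [self.initial_rule], "remove": [],
                    "monitoring": {"key": self.monitoring_key, **self.thresholds}}
        used = ccr["used"]
        # CCA-U: act only on usage reported under our key and only if a
        # threshold really is reached; the PCRF does not take the PCEF's word.
        if used.get("key") != self.monitoring_key or not self.exceeded(used):
            return {"install": [], "remove": []}
        return {"install": [self.restricted_rule], "remove": [self.initial_rule],
                "monitoring": None}   # monitoring key dropped, as in the final dump


@dataclass
class Pcef:
    """Enforcement side: counters driven by pcef-ctl.sh update-input/update-output."""
    pcrf: Pcrf
    imsi: str = "017635273633"
    rules: list = field(default_factory=lambda: ["default-policy"])
    monitoring: Optional[dict] = None
    used: dict = field(default_factory=lambda: {"total": 0, "input": 0, "output": 0})
    log: list = field(default_factory=list)

    def init(self) -> None:                       # pcef-ctl.sh init
        self.log.append("Sending initial request...")
        self._apply(self.pcrf.handle_ccr({"imsi": self.imsi, "type": "initial"}))
        self.log.append("Received initial answer.")

    def update_input(self) -> None:               # pcef-ctl.sh update-input
        self._count("input")

    def update_output(self) -> None:              # pcef-ctl.sh update-output
        self._count("output")

    def _count(self, direction: str) -> None:
        before = self.used[direction]
        self.used[direction] += 1
        self.used["total"] += 1
        self.log.append(f"Updated used {direction} octets. [{before}->{before + 1}]")
        if self.monitoring and self._threshold_reached():
            self.log.append("Sending update request...")
            report = {"key": self.monitoring["key"], **self.used}
            self._apply(self.pcrf.handle_ccr({"imsi": self.imsi, "type": "update",
                                              "used": report}))
            self.log.append("Received update answer.")

    def _threshold_reached(self) -> bool:
        return any(self.used[k] >= self.monitoring[k] for k in ("total", "input", "output"))

    def _apply(self, cca: dict) -> None:
        for rule in cca["remove"]:
            self.rules.remove(rule)
        self.rules.extend(cca["install"])
        if "monitoring" in cca:                   # absent means "unchanged"
            self.monitoring = cca["monitoring"]

    def dump(self) -> dict:                        # pcef-ctl.sh dump
        return {"imsi": self.imsi, "rules": list(self.rules),
                "monitoring_key": self.monitoring["key"] if self.monitoring else None,
                "used": dict(self.used)}


def run_scenario(input_updates: int = 10, output_updates: int = 0) -> dict:
    """init, then the given number of update-input / update-output calls."""
    pcef = Pcef(Pcrf())
    before = pcef.dump()
    pcef.init()
    after_init = pcef.dump()
    for _ in range(input_updates):
        pcef.update_input()
    for _ in range(output_updates):
        pcef.update_output()
    return {"before_init": before, "after_init": after_init,
            "final": pcef.dump(), "log": pcef.log}


if __name__ == "__main__":
    result = run_scenario()
    print("\n".join(result["log"]))
    print(result["final"])
```

With the post's thresholds (total 20, input 10, output 10) the total threshold can never fire first, because reaching 20 in total requires one direction to have reached 10 already; run_scenario(9, 9) therefore stays on high-speed-policy, and either direction's tenth update triggers the swap.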

That is all.

8. Closing

The following book was used as a reference:
O'Reilly Japan - Diameterプロトコルガイド (Diameter Protocol Guide)
The following site was used as a reference:
freeDiameterdのインストール記録 第1回 (freeDiameterd installation notes, part 1): ITエンジニア兼きもの屋のフリーライフ: エンジニアライフ

The book above is very well organized for understanding the Diameter protocol and the architecture of its extensions, and I can really recommend it.

The following recently published book also looks interesting:
Diameter: New Generation AAA Protocol - Design, Practice and Applications

freeDiameter 1.3.2 was released just the other day (6/2), so I am thinking of catching up on it.

*1: CentOS 7 gave a Segmentation Fault when I tried it, so CentOS 6 is used here.

*2: SCTP itself is used between eNodeB and MME and for Cisco Box-to-Box NAT, among others, so it is not that niche a protocol.

*3: If you are asked whether to overwrite dict_gx.fdx, answering y is fine.

*4: Normally, traffic volume is managed by the OCS over the Gy interface, so treat this purely as an analogy. Traffic policy (applying rules and so on) is normally managed by the PCRF over the Gx interface.