How To Do Rate Limiting of Diameter Messages Using NetScaler

Article ID: CTX205487

Description

Diameter is an AAA (Authentication, Authorization and Accounting) protocol for network access and IP mobility applications. It is widely used across all-IP networks and in next-generation telecom networks such as IMS. It is a base protocol on which AAA services for new access technologies are built, providing delivery of AVPs (attribute-value pairs), capability negotiation, routing capabilities and error handling.

Many organizations are opening up their networks to support new ways of doing business enabled by information and communications technology. Supporting these business scenarios without compromising security requires critical networking controls. Rate limiting is one such control: it monitors the rate of traffic associated with a network entity and takes preventive action, in real time, based on that rate. Rate limiting is particularly useful when the network is under attack from a hostile client that is sending the appliance a flood of requests. As the Diameter protocol is widely used in today's networks, it is critical to secure and prioritize Diameter traffic. This can be done using the stream selector and limit identifier settings in NetScaler.

A DIAMETER traffic stream selector is the filter that identifies the DIAMETER traffic to be throttled. The selector is applied to a request or a response and selects the data points that a rate limit identifier analyses. These data points can be based on almost any characteristic of the traffic, including IP addresses, subnets and domain names. A stream selector consists of individual default syntax expressions called selectlets; each selectlet is in an AND relationship with the other expressions.

A rate limit identifier measures the rate of incoming traffic and drops packets that exceed the maximum allowed rate within a particular time interval.
Instructions

To configure rate limiting for Diameter messages:

  1. Configure a Diameter traffic selector.
  2. Configure a limit identifier to be applied to the Diameter traffic.

 

  1. Go to AppExpert > Rate Limiting > Selectors.

  2. Click “Add” to start creating a new selector.

  3. Give the selector a name and click Insert to create the selector expression.

  4. Click “Expression Editor” to add the selectlets.
    Note: You can also type the whole expression manually in the text box below “Expression”.

  5. Select DIAMETER to create an expression (a combination of selectlets) for DIAMETER traffic.

  6. Select the next selectlet from the drop-down and continue adding the selectlets that will be used to analyse the traffic.

  7. Click Done to complete the creation of the expression.

  8. Click “Insert” to insert the expression into the selector.

  9. Click “Create” to create the selector.

  10. Go to Rate Limiting > Limit Identifiers.

  11. Click “Add” to start creating a limit identifier.

  12. Select the Diameter selector created in the earlier steps, fill in the other required information (Name, Mode, Limit Type, etc.) and click Create to create the limit identifier that will be applied to the selector.

Modes:

REQUEST_RATE - Tracks requests/timeslice.
CONNECTION - Tracks active transactions.

Limit Type:

SMOOTH - When you want the permitted number of requests in a given interval of time to be spread evenly across the timeslice.
BURSTY - When you want the permitted number of requests to be able to exhaust the quota at any time within the timeslice. This argument is needed only when the mode is set to REQUEST_RATE.

Threshold:

Maximum number of requests that are allowed in the given timeslice when requests are tracked per timeslice (mode set to REQUEST_RATE). When connections are tracked (mode set to CONNECTION), it is the total number of connections that are let through.

Time Slice (msec):

Time interval, in milliseconds, specified in multiples of 10, during which requests are tracked to check whether they cross the threshold. This argument is needed only when the mode is set to REQUEST_RATE.

Traps:
Number of traps to be sent in the timeslice configured. A value of 0 indicates that traps are disabled.
Example:

To permit 20 requests in 10 ms and 2 traps in 10 ms (the same rates expressed over a 1000 ms timeslice are a threshold of 2000 requests and 200 traps):
add limitidentifier limit_req -mode request_rate -limitType smooth -timeslice 1000 -Threshold 2000 -trapsInTimeSlice 200
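As an added illustration of the SMOOTH and BURSTY semantics defined above (this is example code, not NetScaler's implementation or the article's own configuration), the following Python models a REQUEST_RATE limit identifier with the example's threshold of 2000 per 1000 ms timeslice, keyed on a selector of source IP plus the Diameter command code parsed from the 20-byte RFC 6733 header. The flood, the host address 10.0.0.5 and the use of Credit-Control-Request (command 272, application id 4) are constructed for the example.

```python
import struct
# Diameter header (RFC 6733, section 3): version(1) length(3) flags(1) command(3)
# application-id(4) hop-by-hop(4) end-to-end(4); 20 bytes, big-endian.
def parse_diameter_header(msg: bytes) -> dict:
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("not a Diameter v1 message")
    flags, command = msg[4], int.from_bytes(msg[5:8], "big")
    app_id = struct.unpack("!I", msg[8:12])[0]
    return {"is_request": bool(flags & 0x80), "command": command, "app_id": app_id}
def build_diameter_header(command: int, app_id: int, request: bool = True) -> bytes:
    """Constructed test message: header only, so the length field is 20."""
    flags = 0x80 if request else 0x00
    return (bytes([1]) + (20).to_bytes(3, "big") + bytes([flags])
            + command.to_bytes(3, "big") + struct.pack("!III", app_id, 1, 1))

class LimitIdentifier:
    """REQUEST_RATE limit identifier model ('threshold' requests per timeslice in ms): BURSTY
    spends the quota anywhere in the slice; SMOOTH admits one request per timeslice/threshold ms."""
    def __init__(self, threshold: int, timeslice_ms: int, limit_type: str = "BURSTY"):
        self.threshold, self.timeslice, self.limit_type = threshold, timeslice_ms, limit_type
        self.state: dict = {}  # selector key -> per-key tracking data

    def allow(self, key, now_ms: float) -> bool:
        if self.limit_type == "BURSTY":
            start, count = self.state.get(key, (now_ms, 0))
            if now_ms - start >= self.timeslice:  # new timeslice, quota resets
                start, count = now_ms, 0
            allowed = count < self.threshold
            self.state[key] = (start, count + int(allowed))
            return allowed
        interval = self.timeslice / self.threshold  # SMOOTH: even spacing
        last = self.state.get(key)
        if last is None or now_ms - last >= interval:
            self.state[key] = now_ms
            return True
        return False
def run_flood(limit_type: str, n: int = 3000, gap_ms: float = 0.25) -> dict:
    """Constructed flood: n Credit-Control-Requests (command 272, app 4) from one host."""
    limiter = LimitIdentifier(threshold=2000, timeslice_ms=1000, limit_type=limit_type)
    msg, allowed, dropped = build_diameter_header(272, 4), 0, 0
    for i in range(n):
        hdr = parse_diameter_header(msg)
        if not hdr["is_request"]:  # only requests count towards REQUEST_RATE here
            continue
        # Selector key models CLIENT.IP.SRC plus the Diameter command code.
        if limiter.allow(("10.0.0.5", hdr["command"]), i * gap_ms):
            allowed += 1
        else:
            dropped += 1
    return {"allowed": allowed, "dropped": dropped}
```

Both modes cap the source at 2000 requests per second, but BURSTY admits the first 2000 requests of the 750 ms burst and then drops the rest, while SMOOTH admits only every second request throughout, so the two limit types drop different requests from the same flood.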

Note: For information on the parameters, click the icon that appears when the pointer is moved over a field.

To create a stream selector and a limit identifier using the command line interface

At the command prompt, type:

  • add stream selector <name> <rule>….

  • add ns limitIdentifier <limitIdentifiername> -threshold <positive_integer> -timeSlice <positive_integer> -mode <mode> -limitType ( BURSTY | SMOOTH ) -selectorName <string> -maxBandwidth <positive_integer> -trapsInTimeSlice <positive_integer>


References

Citrix Documentation - Examples of Rate-Based Policies.

Issue/Introduction

How To Do Rate Limiting of Diameter Messages Using NetScaler?

Additional Information

Refer to the "NetScaler: How Do I?" page for more easy-to-implement articles on commonly used features of NetScaler.