
Diameter Protocol Overview

Intro
The Diameter protocol is a next-generation RADIUS protocol. It addresses the known RADIUS deficiencies and is intended for use with NASREQ, ROAMOPS and Mobile IP.
The Mobile-IP WG has recently changed its focus to inter-administrative-domain mobility.
The basic concept behind Diameter is to provide a base protocol that can be extended in order to provide AAA services to new access technologies such as Internet access.


Diameter Architecture
Base protocol
Functionality common to all supported services. Defines message format, primitives, transport, error reporting and security services.
Protocol Extensions
Application-specific functionality:
Strong Security
Mobile IP
NASREQ (commands for use in CHAP, PAP and EAP)
Accounting


Diameter Base Protocol
Any node can initiate a request: Diameter is a peer-to-peer protocol.
The base Diameter protocol is never used on its own. It is always extended for a particular application, which defines its Diameter command codes.
Layering (figure): the Mobile-IP Extension, NASREQ Extension and Accounting Extension sit on top of the Diameter Base Protocol and Strong Security.


Diameter Header
Flags: 13 bits; the E, I and R bits denote the command type (request, reply, indication).
Hop-by-Hop Identifier
End-To-End Identifier
Command Code
AVPs encapsulate the information relevant to the message.


Diameter AVP
AVP Code uniquely identifies the attribute.
AVP Flags indicate how the AVP should be handled:
r (reserved), P (protected), M (mandatory), V (vendor-specific).


Diameter Base Protocol
The base protocol simply provides a secure transport for the messages defined in the various application-specific extensions.
Data objects are encapsulated within the Attribute Value Pair (AVP).
Large AVP space, so that future protocol extensibility is not limited by the size of the namespace, as it is in the RADIUS protocol.
Support for vendor-specific AVPs and Commands for extensions.
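Added example (not from the deck): an encoder/decoder for the header and AVP slides above. The wire layout is the one standardized later in RFC 6733 (one command-flags byte R/P/E/T and a 32-bit Application-Id; AVP = Code, Flags, 24-bit Length, optional Vendor-ID, data padded to 4 bytes), not the draft's 13-bit flags field described on this deck, so the field offsets are an assumption for illustration. The AVP codes for Session-Id, Origin-Host (the draft's Origin-FQDN) and Origin-Realm are the standard ones; the vendor AVP, the NAS name and the Session-Id string are constructed. Two checks a practitioner wants are shown: every AVP Length from the wire is bounded against the buffer before it is used, and an unknown AVP carrying the M bit is reported so the message can be rejected rather than silently accepted.

```python
import struct

# Header command flags in the RFC 6733 layout (assumption: the deck describes a
# draft with a 13-bit flags field; the later standard uses one flags byte).
FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10   # Request, Proxiable, Error, reTransmit
AVP_V, AVP_M, AVP_P = 0x80, 0x40, 0x20                    # Vendor-specific, Mandatory, Protected
HEADER_LEN = 20

# Standard AVP codes for the three AVPs used below; the vendor AVP is hypothetical.
SESSION_ID, ORIGIN_HOST, ORIGIN_REALM = 263, 264, 296
KNOWN_AVPS = {(SESSION_ID, None), (ORIGIN_HOST, None), (ORIGIN_REALM, None)}
DEMO_VENDOR_ID, DEMO_VENDOR_AVP = 99999, 1                # constructed, not a registered vendor


def encode_avp(code, data, mandatory=True, vendor_id=None, protected=False):
    """Code(32) | Flags(8) | Length(24) | [Vendor-ID(32)] | Data, padded to 4 bytes."""
    if isinstance(data, str):
        data = data.encode()
    flags = (AVP_M if mandatory else 0) | (AVP_P if protected else 0)
    vendor = b""
    if vendor_id is not None:
        flags |= AVP_V
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)          # AVP Length excludes the padding
    avp = struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + vendor + data
    return avp + b"\x00" * (-len(data) % 4)


def decode_avps(buf):
    """Walk the AVP list. The AVP Length comes from the wire, so it is bounded
    against the remaining buffer before any slice is taken (over-read guard)."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & AVP_V else 8
        if length < hdr or off + length > len(buf):
            raise ValueError(f"AVP {code}: length {length} exceeds message")
        vendor_id = struct.unpack_from("!I", buf, off + 8)[0] if flags & AVP_V else None
        avps.append((code, flags, vendor_id, bytes(buf[off + hdr:off + length])))
        off += length + (-length % 4)              # skip padding
    return avps


def encode_message(command_code, application_id, hop_by_hop, end_to_end, avps,
                   request=True, proxiable=True):
    body = b"".join(avps)
    flags = (FLAG_R if request else 0) | (FLAG_P if proxiable else 0)
    return (bytes([1]) + (HEADER_LEN + len(body)).to_bytes(3, "big") + bytes([flags])
            + command_code.to_bytes(3, "big")
            + struct.pack("!III", application_id, hop_by_hop, end_to_end) + body)


def decode_message(buf, known=KNOWN_AVPS):
    if len(buf) < HEADER_LEN or buf[0] != 1:
        raise ValueError("not a Diameter v1 message")
    if int.from_bytes(buf[1:4], "big") != len(buf):
        raise ValueError("Message Length does not match bytes received")
    flags = buf[4]
    application_id, hop_by_hop, end_to_end = struct.unpack_from("!III", buf, 8)
    avps = decode_avps(buf[HEADER_LEN:])
    # Unknown AVP with the M bit set: the receiver must reject the message, not ignore it.
    unsupported = [(c, v) for c, f, v, _ in avps if f & AVP_M and (c, v) not in known]
    return {"request": bool(flags & FLAG_R), "proxiable": bool(flags & FLAG_P),
            "code": int.from_bytes(buf[5:8], "big"), "application_id": application_id,
            "hop_by_hop": hop_by_hop, "end_to_end": end_to_end,
            "avps": avps, "unsupported_mandatory": unsupported}


def is_well_formed(buf):
    try:
        decode_message(buf)
        return True
    except ValueError:
        return False


def example_request(with_unknown_mandatory=False):
    """Constructed AA-Request (command code 265 as in the later RFCs). Session-Id is
    built the way the deck describes: sender FQDN, port and an increasing 32-bit counter."""
    avps = [encode_avp(SESSION_ID, "nas1.mno.net:3868:00000001"),
            encode_avp(ORIGIN_HOST, "nas1.mno.net"),     # Origin-FQDN in the draft's naming
            encode_avp(ORIGIN_REALM, "mno.net")]
    if with_unknown_mandatory:
        avps.append(encode_avp(DEMO_VENDOR_AVP, b"\x01\x02\x03", vendor_id=DEMO_VENDOR_ID))
    return encode_message(265, 1, hop_by_hop=0x1000, end_to_end=0x2000, avps=avps)


if __name__ == "__main__":
    print(decode_message(example_request(True))["unsupported_mandatory"])
```

The length checks are the point: a proxy that trusts the AVP Length field reads past the message on a malformed packet, and a server that skips unknown mandatory AVPs instead of rejecting the message will happily authorize a request it did not understand.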


Diameter Base Protocol
A peer initiates communication by sending a message. The AVPs sent in messages are determined by the Diameter extension.
The initial message includes a unique Session-Id AVP. A Session-Termination-Request frees the session.
Peer-to-peer, allowing unsolicited messages to be sent to NASes: for example on-demand retrieval of accounting data, or server-initiated session termination.

Diameter Base Protocol

Message Forwarding
Diameter messages must include:
Origin-FQDN AVP: identifies the endpoint which originated the Diameter message, i.e. the NAS, home server or broker. Proxy servers do not modify this AVP.
Origin-Realm AVP: contains the Realm of the originator of any Diameter message.
Destination-FQDN AVP: MUST be used when the destination of the message is fixed.


Capabilities Exchange
When two Diameter peers establish a transport connection, they MUST send the Device-Reboot-Ind message.
It carries the peer's identity and its capabilities, e.g. the supported protocol version number and the locally supported extensions.
Peers need this to know which application-specific Diameter commands they have in common.
Device-Reboot-Ind MUST NOT be proxied or redirected.
Device-Status-Ind is used to notify the sending node of an unrecognized Command Code.


Transport
Operates over SCTP (Stream Control Transmission Protocol).
Provides reliability and a well-defined retransmission and timeout mechanism, allowing clients and servers to detect the reachability and state of peers, for quick transmission to backup servers.
Provides a windowing scheme allowing AAA servers to limit the flow of incoming packets and distribute traffic load to other servers.
Underpins the fail-over strategy.


Transport Failure
Detection
Early detection of transport failures minimizes sending messages to unavailable servers and improves fail-over performance.
Diameter Watchdog Requests are sent after a period of idle communication between peers, with exponential back-off.
When a Diameter Watchdog Answer is received the peer resumes activity.
Failover/Failback Procedures
When a transport failure is detected, pending messages are sent to an alternative server.
There is a pending message queue for each peer, where messages are identified by the Hop-by-Hop Identifier.
If the message cannot be sent to another server, a DIAMETER_UNABLE_TO_DELIVER error is sent back to the original sender.
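Added example (not from the deck) of the detection, failover and failback procedure above: a per-peer pending queue keyed by Hop-by-Hop Identifier, a watchdog whose interval doubles on every unanswered round, failover of the queue to a live alternate when the back-off passes a limit, and DIAMETER_UNABLE_TO_DELIVER for the original sender when no alternate is left. The back-off limit, peer names and message strings are constructed; the deck gives no numeric values for them.

```python
UNABLE_TO_DELIVER = "DIAMETER_UNABLE_TO_DELIVER"


class PeerTable:
    """Per-peer pending queue keyed by Hop-by-Hop Identifier, watchdog-driven
    failure detection with exponential back-off, failover and failback."""

    def __init__(self, peers, max_backoff=8):
        self.peers = {p: {"pending": {}, "backoff": 1, "failed": False} for p in peers}
        self.max_backoff = max_backoff        # declare failure once back-off passes this (assumed policy)
        self.next_hbh = 1                     # Hop-by-Hop Identifiers are unique per sending node
        self.undeliverable = []               # (hop_by_hop, message, error) reported to the sender

    def send_request(self, peer, message):
        state = self.peers[peer]
        if state["failed"]:
            raise ValueError(f"{peer} is marked down")
        hbh, self.next_hbh = self.next_hbh, self.next_hbh + 1
        state["pending"][hbh] = message       # stays queued until the matching answer arrives
        return hbh

    def answer_received(self, peer, hbh):
        """An answer clears the matching pending entry; traffic proves the peer alive."""
        state = self.peers[peer]
        state["backoff"] = 1
        return state["pending"].pop(hbh, None)

    def watchdog_interval(self, peer):
        """Seconds to wait before the next Diameter Watchdog Request to this peer."""
        return self.peers[peer]["backoff"]

    def watchdog(self, peer, answered):
        """One watchdog round for an idle peer. Returns True when a transport
        failure is declared (and the pending queue has been failed over)."""
        state = self.peers[peer]
        if answered:
            state["failed"], state["backoff"] = False, 1    # failback: peer takes traffic again
            return False
        state["backoff"] = min(state["backoff"] * 2, 2 * self.max_backoff)
        if state["backoff"] > self.max_backoff and not state["failed"]:
            state["failed"] = True
            self._failover(peer)
            return True
        return False

    def _failover(self, dead):
        alternates = [p for p, s in self.peers.items() if p != dead and not s["failed"]]
        for hbh, message in list(self.peers[dead]["pending"].items()):
            if alternates:
                self.send_request(alternates[0], message)   # re-sent under a fresh Hop-by-Hop id
            else:
                self.undeliverable.append((hbh, message, UNABLE_TO_DELIVER))
        self.peers[dead]["pending"].clear()


def demo():
    """Constructed run: primary dies with one request outstanding, then the secondary dies too."""
    table = PeerTable(["primary", "secondary"], max_backoff=4)
    table.send_request("primary", "AAR-1")
    table.send_request("primary", "AAR-2")
    table.answer_received("primary", 1)
    rounds = [table.watchdog("primary", answered=False) for _ in range(3)]
    rounds += [table.watchdog("secondary", answered=False) for _ in range(3)]
    return rounds, dict(table.peers["secondary"]["pending"]), list(table.undeliverable)


if __name__ == "__main__":
    print(demo())
```

Requests are never silently dropped: a request either gets its own answer, is re-queued against another peer, or comes back to the sender as DIAMETER_UNABLE_TO_DELIVER, which is the "no silent message discards" property the deck lists as a key feature.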


Error Signaling
Error Notification
All messages are acknowledged, either with a successful response or with one that contains an error code.
Per-Hop Error Signaling
There are many instances where error conditions occur on a Diameter node that need to be signaled to the downstream server, and not necessarily to the Diameter client.
End-to-End Error Signaling.


Example of Per-Hop Error Condition (figure): a Request is sent from a Diameter Client or Server through a Diameter Server towards a further Diameter Server. When the link to that next server is broken, the intermediate server returns a DSI (Unable To Forward) to the previous hop instead of forwarding the Request.


Session Oriented
One session per authentication/authorization flow.
Sessions are identified through a session identifier, which is globally unique at any given time.
A session termination message exists in order to end a Diameter session, and all sessions have a timeout value in order to ensure that they can be cleaned up properly.


User Session
User asks the NAS for service.
NAS issues an AA-Request to the local DIAMETER server, containing the user authentication info and a unique Session-Id AVP.
The Session-Id is built from the Sender-FQDN, port and an increasing 32-bit number.
After the Diameter server authorizes the user it SHOULD add an Authorization-Lifetime AVP to the response.
The Base Protocol does not contain Authorization Request messages, as these are application-specific.


Proxy Support
Every node in the network is responsible for its own retransmissions.
Allows each node to know a priori the reachability state of each peer.
Latency reduced.
Reliability increased.
Figure: NAS -> LOCAL Primary Proxy Server (backed by a LOCAL 2nd Proxy Server) -> HOME Primary Proxy Server (backed by a HOME 2nd Proxy Server).


Proxy Server
Before forwarding a message, check for a forwarding loop using the Route-Record AVP:
Check that the sender is the last one.
Check that its own address does not appear.
If the proxy applies policy, it must not allow end-to-end security and must send a message to the sender.
A proxy server MUST only process messages of type Response whose last Route-Record AVP matches one of its addresses. The last Route-Record AVP is removed, and the next hop is identified by


Message Routing
Routing is done using the realm portion of the NAI or a realm-encoded AVP (e.g. Origin-Realm, Destination-Realm).
Routing table columns: Domain Name | Extension ID | Local Action | Server Identifier
Local Action
LOCAL: process the authentication locally.
PROXY: forward to the next-hop server identified by the Server ID.
REDIRECT: return to the sender a DSI with DSI-Event = Redirect and Redirect-Host AVP = Server ID.


Realm-Based Routing (figure): request from DIA 1 (mno.net) via DIA 2 (xyz.com) to DIA 3 (abc.com), and the response back.
Request DIA 1 -> DIA 2:
Origin-FQDN=dia1.mno.net
Origin-Realm=mno.net
Destination-Realm=abc.com
Route-Record=dia1.mno.net
Request DIA 2 -> DIA 3:
Origin-FQDN=dia1.mno.net
Origin-Realm=mno.net
Destination-Realm=abc.com
Route-Record=dia1.mno.net
Route-Record=dia2.xyz.com
Response DIA 3 -> DIA 2:
Origin-Realm=abc.com
Destination-FQDN=dia1.mno.net
Route-Record=dia2.xyz.com
Response DIA 2 -> DIA 1:
Origin-Realm=abc.com
Destination-FQDN=dia1.mno.net
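Added example (not from the deck) covering the Proxy Server loop checks, the Message Routing local actions and the three-node figure above. Requests are routed on Destination-Realm (falling back to the realm part of the NAI), the two Route-Record loop checks run before any forwarding, a PROXY hop appends its own identity, a REDIRECT returns the DSI with Redirect-Host, and answers are passed back by stripping the last Route-Record. Result names such as DIAMETER_LOOP_DETECTED, DIAMETER_REALM_NOT_SERVED and DIAMETER_SUCCESS are the RFC 6733 names (the deck does not give them), the routing tables are constructed, and the walk-through reproduces the AVPs shown in the figure; the loop and redirect cases go beyond it.

```python
LOCAL, PROXY, REDIRECT = "LOCAL", "PROXY", "REDIRECT"


class DiameterNode:
    """Realm-based routing for one node. Messages are plain dicts; the multi-valued
    Route-Record AVP is a list in hop order."""

    def __init__(self, fqdn, realm, table):
        self.fqdn, self.realm = fqdn, realm
        self.table = table          # realm -> (Local Action, Server Identifier)

    def handle_request(self, msg, from_peer):
        route = msg.get("Route-Record", [])
        # Loop checks before anything else: the last Route-Record must be the peer
        # that handed us the message, and our own identity must not appear at all.
        if route and route[-1] != from_peer:
            return "reject", "last Route-Record is not the sending peer"
        if self.fqdn in route:
            return "reject", "DIAMETER_LOOP_DETECTED"
        realm = msg.get("Destination-Realm") or msg["User-Name"].split("@", 1)[1]
        default = (LOCAL, None) if realm == self.realm else (None, None)
        action, server = self.table.get(realm, default)
        if action == LOCAL:
            return "local", self.build_answer(msg)
        if action == REDIRECT:
            return "redirect", {"Command": "DSI", "DSI-Event": "Redirect", "Redirect-Host": server}
        if action == PROXY:
            return "forward", (server, {**msg, "Route-Record": route + [self.fqdn]})
        return "reject", "DIAMETER_REALM_NOT_SERVED"

    def build_answer(self, request, result="DIAMETER_SUCCESS"):
        """Answer from the home server: Route-Record keeps only the proxies; the
        originator is addressed through Destination-FQDN, as in the figure."""
        proxies = [r for r in request.get("Route-Record", []) if r != request["Origin-FQDN"]]
        return {"Result-Code": result, "Origin-FQDN": self.fqdn, "Origin-Realm": self.realm,
                "Destination-FQDN": request["Origin-FQDN"], "Route-Record": proxies}

    def handle_answer(self, msg):
        route = msg.get("Route-Record", [])
        if not route:
            if msg["Destination-FQDN"] == self.fqdn:
                return "deliver", msg
            return "reject", "answer not for this node"
        if route[-1] != self.fqdn:
            return "reject", "last Route-Record is not this proxy"
        remaining = route[:-1]
        next_hop = remaining[-1] if remaining else msg["Destination-FQDN"]
        return "forward", (next_hop, {**msg, "Route-Record": remaining})


def run_example():
    """Constructed walk-through of the deck's three-node figure; returns the trace."""
    dia1 = DiameterNode("dia1.mno.net", "mno.net", {"abc.com": (PROXY, "dia2.xyz.com")})
    dia2 = DiameterNode("dia2.xyz.com", "xyz.com", {"abc.com": (PROXY, "dia3.abc.com")})
    dia3 = DiameterNode("dia3.abc.com", "abc.com", {})
    req = {"User-Name": "joe@abc.com", "Origin-FQDN": "dia1.mno.net",
           "Origin-Realm": "mno.net", "Destination-Realm": "abc.com"}
    trace = []
    act, (hop, m1) = dia1.handle_request(req, from_peer=None)   # originator records itself
    trace.append(("dia1", act, hop, m1["Route-Record"]))
    act, (hop, m2) = dia2.handle_request(m1, from_peer="dia1.mno.net")
    trace.append(("dia2", act, hop, m2["Route-Record"]))
    act, ans = dia3.handle_request(m2, from_peer="dia2.xyz.com")
    trace.append(("dia3", act, None, ans["Route-Record"]))
    act, (hop, a2) = dia2.handle_answer(ans)
    trace.append(("dia2", act, hop, a2["Route-Record"]))
    act, a1 = dia1.handle_answer(a2)
    trace.append(("dia1", act, None, a1["Route-Record"]))
    return trace


if __name__ == "__main__":
    for step in run_example():
        print(step)
```

The order of the checks matters: a proxy that looked up the realm first and only then inspected Route-Record would still forward a looping request through a misconfigured PROXY entry; with the loop checks first, a request that has already passed through this node is rejected whatever the table says.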


Redirect Support
Reduces the configuration information that would otherwise be necessary on all servers owned by members of a roaming consortium.
When a request is received by a redirect server, a redirect response is returned to the initiator of the request with the information necessary to communicate directly with servers in the home domain.
May also provide Certificate Authority services.
No long-lived shared secrets.
Enables IPSEC.


Diameter Redirect Server (figure): the abc.net Diameter Server sends a Request for Joe@xyz.com to the Diameter Redirect Server, which answers with a DSI (DSI-Event = Redirect, Redirect-Host AVP(s)); the abc.net server then exchanges the request and response directly with the xyz.net Diameter Server.


Security
Integrity and confidentiality at the AVP level.
The Diameter Strong Security Extension provides authentication and confidentiality. It is possible to secure portions of a Diameter message while other parts of the message are not secured. Using Diameter, proxies can add, delete or modify unprotected AVPs in a message.
Hop-By-Hop security
Client and server communication using IPSEC.
Server-to-server communication using SSL.
The DIAMETER NASREQ extension defines commands for use in CHAP, PAP and EAP.
The first 256 AVPs are reserved for RADIUS compatibility.

Summary of Diameter Key Features
Lightweight protocol, simple to implement
Large AVP space
Efficient encoding of attributes, similar to RADIUS
Support for vendor-specific AVPs and Commands
Support for a large number of simultaneous pending requests
Reliability provided by underlying SCTP
Well-defined fail-over scheme

Summary of Diameter Key Features
Ability to quickly detect unreachable peers
No silent message discards
Support of unsolicited messages to "clients"
Integrity and confidentiality at the AVP level
Hop-by-Hop security
One session per authentication/authorization flow

Mobile-IP Extension

Mobile IP
Mobile Node issues a Registration Request to the Foreign Agent.
Foreign Agent creates an AA-Mobile-Node-Request (AMR) message and forwards it to the AAAF.
It extracts the Home Address, Home Agent Address and Mobile Node NAI into AVPs.
AAAF receives the AMR and determines whether to forward it or process it locally.


Mobile IP
Note that it is not required that the foreign agent invoke AAA services every time a Registration Request is received from the mobile, but rather only when the prior authorization from the AAAH expires, as indicated in the Authorization-Lifetime AVP in the AA-Mobile-Node-Answer.
The Foreign Agent MAY provide a challenge, giving it protection against replay attacks.
The mobile node includes the Challenge and the MN-AAA authentication extension to enable authorization by the AAAH. If the authentication data supplied in the MN-AAA extension is invalid, the AAAH returns the response (AMA) with the Result-Code AVP set to DIAMETER_ERROR_AUTH_FAILURE.


Mobile IP
AAAH
MN is authenticated.
Check for the MIP-Home-Agent-Address AVP. If authorized, send a Home-Agent-MIP-Request (HAR).
If the MIP-Home-Agent-Address is not recognized then do not send a MIP-Reg-Reply AVP.
If the MIP-Home-Agent-Address AVP is not specified then allocate one with load balancing in mind, provided the MIP-Feature-Vector has the Home-Agent-Requested flag set and policy allows.


Mobile IP
Home Agent
Receives the HAR; if it is invalid, sends a HAA with the Result-Code AVP set to DIAMETER_ERROR_BAD_HAR.
Processes the MIP-Reg-Request AVP and creates a Registration Reply, encapsulating it within the MIP-Reg-Reply AVP. If a home address is needed, the Home Agent MUST assign one and include the address in both the Registration Reply and the MIP-Mobile-Node-Address AVP. The Diameter response is then forwarded to the AAAH.


Mobile IP
AAAH
After receiving the HAA, sets the Command Code to AA-Mobile-Node-Answer (AMA) and forwards the message to the AAAF.
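Added example (not from the deck) of the Mobile IP procedure laid out across the slides above: FA builds the AMR with the challenge and MN-AAA authenticator, the AAAF routes it to the home realm's AAAH, the AAAH verifies the MN and issues the HAR, the Home Agent assigns a home address and returns the HAA, the AAAH turns it into the AMA, and the FA caches the Authorization-Lifetime so that later Registration Requests do not invoke AAA until it expires. Assumptions: the MN-AAA authenticator is HMAC-SHA256 over the registration request and the FA challenge (the deck names no algorithm), replay protection is implemented as the AAAH refusing a challenge it has already accepted, the success code uses the RFC 6733 name DIAMETER_SUCCESS, and the NAI, key, node names and addresses are constructed.

```python
import hashlib
import hmac
import os

SUCCESS = "DIAMETER_SUCCESS"                 # RFC 6733 name; the deck gives no success code
AUTH_FAILURE = "DIAMETER_ERROR_AUTH_FAILURE"
BAD_HAR = "DIAMETER_ERROR_BAD_HAR"


def mn_aaa_auth(key, reg_request, challenge):
    # Assumption: HMAC-SHA256 over the registration request and the FA challenge;
    # the deck only says the MN-AAA authentication extension covers the challenge.
    return hmac.new(key, reg_request + challenge, hashlib.sha256).digest()


class HomeAgent:
    def __init__(self, address, free_addresses):
        self.address, self.free = address, list(free_addresses)

    def handle_har(self, har):
        if har.get("Command") != "HAR" or "MIP-Reg-Request" not in har:
            return {"Command": "HAA", "Result-Code": BAD_HAR}
        home = har.get("MIP-Mobile-Node-Address") or self.free.pop(0)   # assign one if needed
        return {"Command": "HAA", "Result-Code": SUCCESS, "MIP-Home-Agent-Address": self.address,
                "MIP-Mobile-Node-Address": home, "MIP-Reg-Reply": b"RRP:" + home.encode()}


class AAAH:
    def __init__(self, mn_keys, home_agent, lifetime=600):
        self.keys, self.ha, self.lifetime = mn_keys, home_agent, lifetime
        self.used_challenges = set()          # replay protection for the FA challenge (assumed design)

    def handle_amr(self, amr):
        key = self.keys.get(amr["User-Name"])
        ok = (key is not None
              and amr["MIP-FA-Challenge"] not in self.used_challenges
              and hmac.compare_digest(mn_aaa_auth(key, amr["MIP-Reg-Request"], amr["MIP-FA-Challenge"]),
                                      amr["MIP-MN-AAA-Auth"]))
        if not ok:
            return {"Command": "AMA", "Result-Code": AUTH_FAILURE}
        self.used_challenges.add(amr["MIP-FA-Challenge"])
        har = {"Command": "HAR", "User-Name": amr["User-Name"], "MIP-Reg-Request": amr["MIP-Reg-Request"],
               "MIP-Mobile-Node-Address": amr.get("MIP-Mobile-Node-Address"),
               "Authorization-Lifetime": self.lifetime}
        haa = self.ha.handle_har(har)
        ama = {**haa, "Command": "AMA"}       # the HAA becomes the AMA sent back towards the FA
        if ama["Result-Code"] == SUCCESS:
            ama["Authorization-Lifetime"] = self.lifetime
        return ama


class ForeignAgent:
    def __init__(self, fqdn, aaaf_route):
        self.fqdn, self.route, self.authorized = fqdn, aaaf_route, {}   # NAI -> expiry time

    def challenge(self):
        return os.urandom(16)

    def registration_request(self, nai, reg_request, challenge, auth, now, home_address=None):
        if self.authorized.get(nai, -1) > now:
            return "AUTHORIZED_LOCALLY"      # prior AAAH authorization still valid: no AMR needed
        amr = {"Command": "AMR", "User-Name": nai, "Origin-FQDN": self.fqdn,
               "Destination-Realm": nai.split("@", 1)[1], "MIP-Reg-Request": reg_request,
               "MIP-MN-AAA-Auth": auth, "MIP-FA-Challenge": challenge,
               "MIP-Mobile-Node-Address": home_address}
        ama = self.route(amr)                 # AAAF: forwards to the home realm's AAAH
        if ama["Result-Code"] == SUCCESS:
            self.authorized[nai] = now + ama["Authorization-Lifetime"]
        return ama["Result-Code"]


def run_flow():
    """Constructed walk-through: first registration, cached re-registration, replay, wrong key."""
    nai, key = "joe@xyz.net", b"constructed-mn-aaa-key"
    ha = HomeAgent("10.0.0.1", ["10.0.0.50"])
    aaah = AAAH({nai: key}, ha, lifetime=600)
    aaaf = {"xyz.net": aaah}                  # AAAF routing table: realm -> home server
    fa = ForeignAgent("fa.visited.net", lambda amr: aaaf[amr["Destination-Realm"]].handle_amr(amr))
    reg = b"RRQ:" + nai.encode()
    c1 = fa.challenge()
    r1 = fa.registration_request(nai, reg, c1, mn_aaa_auth(key, reg, c1), now=0)
    r2 = fa.registration_request(nai, reg, fa.challenge(), b"", now=100)          # within lifetime
    r3 = fa.registration_request(nai, reg, c1, mn_aaa_auth(key, reg, c1), now=700)  # replayed challenge
    c4 = fa.challenge()
    r4 = fa.registration_request(nai, reg, c4, mn_aaa_auth(b"wrong-key", reg, c4), now=700)
    return r1, r2, r3, r4, ha.free


if __name__ == "__main__":
    print(run_flow())
```

The third registration is the case the challenge exists for: the authenticator is cryptographically valid, because it was captured from a real exchange, but the AAAH still answers DIAMETER_ERROR_AUTH_FAILURE because the challenge has already been consumed.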

Inter-Domain Mobility (figure)
MN -> FA: Registration Request
FA -> AAAF: AMR (includes MN Home Address, HA address, MN NAI)
AAAF: determines to send the AMR to the AAAH
AAAH: authenticates the MN and forwards a HAR to the HA
HA: processes the HAR and creates the Registration Reply, including the home address
HA -> AAAH: HAA
AAAH -> AAAF: AMA
AAAF -> FA: AMA
FA -> MN: Registration Reply

AA-Mobile-Node-Request (AMR) Command
Extension-Id
User-Name
Destination-Realm
Origin-FQDN
Origin-Realm
MIP-Reg-Request
MIP-MN-AAA-Auth
* MIP-Mobile-Node-Address
* MIP-Home-Agent-Address
* MIP-Feature-Vector
* Authorization-Lifetime
* MIP-FA-MN-Preferred-SPI
* MIP-FA-HA-Preferred-SPI
* MIP-Previous-FA-FQDN
* MIP-Previous-FA-Addr
* MIP-FA-Challenge
* Route-Record

AA-Mobile-Node-Answer (AMA) Command
Session-Id
Extension-Id
Session-Timeout
Authorization-Lifetime
Result-Code
Origin-FQDN
Origin-Realm
* Error-Reporting-FQDN
* MIP-Reg-Reply
* Route-Record
* MIP-FA-to-MN-Key
* MIP-FA-to-HA-Key
* MIP-MN-to-HA-Key
* MIP-HA-to-MN-Key
* MIP-Home-Agent-Address
* MIP-Mobile-Node-Address
* Original-Session-Id
* Filter-Rule

Home-Agent-MIP-Request (HAR) Command
Session-Id
Extension-Id
Session-Timeout
Authorization-Lifetime
MIP-Reg-Request
Origin-FQDN
Origin-Realm
User-Name
Destination-Realm
* Route-Record
* MIP-MN-to-HA-Key
* MIP-MN-to-FA-Key
* MIP-HA-to-MN-Key
* MIP-HA-to-FA-Key
* MIP-FA-to-MN-Key
* MIP-FA-to-HA-Key
* MIP-Mobile-Node-Address
* MIP-Home-Agent-Address
* Filter-Rule

Home-Agent-MIP-Answer (HAA) Command
Session-Id
Extension-Id
Session-Timeout
Authorization-Lifetime
Result-Code
Origin-FQDN
Origin-Realm
* Route-Record
* Error-Reporting-FQDN
* MIP-Reg-Reply
* MIP-Home-Agent-Address
* MIP-Mobile-Node-Address
* MIP-FA-to-MN-Key
* MIP-FA-to-HA-Key
* Filter-Rule
