Diameter Protocol Overview
Intro
The Diameter protocol is a next-generation successor to the RADIUS protocol. It addresses the known RADIUS deficiencies and is intended for use with NASREQ, ROAMOPS and Mobile IP.
The Mobile-IP WG has recently changed its focus to inter-administrative-domain mobility.
The basic concept behind Diameter is to provide a base protocol that can be extended in order to provide AAA services to new access technologies such as Internet access.
Diameter Architecture
Base protocol
Functionality common to all supported services.
Defines message format, primitives, transport, error reporting and security services.
Protocol Extensions
Diameter Header
Diameter AVP
Diameter Base Protocol
Message Forwarding
Diameter messages must include:
Origin-FQDN AVP
Origin-Realm AVP
Destination-FQDN AVP
Capabilities Exchange
When two Diameter peers establish a transport connection, they MUST send the Device-Reboot-Ind message. It carries:
Peer identity.
Capabilities exchange, e.g. supported protocol version number and locally supported extensions.
Needed in order to communicate compatible application-specific Diameter commands.
Device-Reboot-Ind MUST NOT be proxied or redirected.
Device-Status-Ind is used to notify the sending node of an unrecognized Command Code.
Transport
Operates over SCTP (Stream Control Transmission Protocol).
SCTP provides reliability and a well-defined retransmission and timeout mechanism, allowing clients and servers to detect the reachability and state of peers for quick transmission to backup servers.
It provides a windowing scheme allowing AAA servers to limit the flow of incoming packets and distribute traffic load to other servers.
Fail-over strategy.
Transport Failure Detection
Early detection of transport failures minimizes sending messages to unavailable servers and improves performance under failure.
Diameter Watchdog Requests are sent after a period of idle communication between peers, with exponential back-off.
When a Diameter Watchdog Answer is received, the peer resumes normal activity.
Failover/Failback Procedures
When a transport failure is detected, pending messages are sent to an alternative server.
There is a pending message queue for each peer pair, where messages are identified by the Hop-by-Hop identifier.
If the message cannot be sent to another server, a DIAMETER_UNABLE_TO_DELIVER message is sent back to the original sender.
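A model of the watchdog, pending-queue and fail-over rules above, added here as an example and not code from the slides: Peer, FailoverClient and the limit of unanswered watchdogs are assumptions, while the Hop-by-Hop identifier and the DIAMETER_UNABLE_TO_DELIVER result come from the slide.

```python
from dataclasses import dataclass, field

DIAMETER_UNABLE_TO_DELIVER = "DIAMETER_UNABLE_TO_DELIVER"   # result code from the slide

@dataclass
class Peer:
    fqdn: str
    up: bool = True
    unanswered_watchdogs: int = 0
    pending: dict = field(default_factory=dict)   # Hop-by-Hop id -> request

class FailoverClient:
    def __init__(self, peers, max_unanswered=3, base_interval=1.0):
        self.peers = list(peers)                  # primary first, then alternatives
        self.max_unanswered, self.base_interval = max_unanswered, base_interval
        self.next_hbh, self.undeliverable = 1, []  # undeliverable: (request, Result-Code)

    def send(self, request):
        """Queue on the first reachable peer; returns (peer fqdn, Hop-by-Hop id)."""
        for peer in self.peers:
            if peer.up:
                hbh, self.next_hbh = self.next_hbh, self.next_hbh + 1
                peer.pending[hbh] = request
                return peer.fqdn, hbh
        self.undeliverable.append((request, DIAMETER_UNABLE_TO_DELIVER))
        return None, None

    def watchdog_interval(self, peer):
        """Exponential back-off between Watchdog Requests to a silent peer."""
        return self.base_interval * 2 ** peer.unanswered_watchdogs

    def watchdog_timeout(self, peer):
        """An unanswered Watchdog Request; past the limit the transport is failed."""
        peer.unanswered_watchdogs += 1
        if peer.unanswered_watchdogs >= self.max_unanswered:
            self.failover(peer)

    def watchdog_answered(self, peer):
        peer.unanswered_watchdogs, peer.up = 0, True   # Watchdog Answer: peer resumes activity

    def failover(self, failed):
        """Move pending messages to an alternative peer, or report back to the sender."""
        failed.up = False
        alternative = next((p for p in self.peers if p.up), None)
        for hbh, request in failed.pending.items():
            if alternative is not None:
                alternative.pending[hbh] = request   # re-queued under its identifier
            else:
                self.undeliverable.append((request, DIAMETER_UNABLE_TO_DELIVER))
        failed.pending.clear()
```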
Error Signaling
Error Notification
[Figure: Example of Per-Hop Error Condition. A Diameter client or server sends a Request that is relayed through a chain of Diameter servers; when the link to the next server is broken, the relaying server returns a DSI (Unable To Forward) towards the Diameter client or server that sent the Request.]
Session Oriented
One session per authentication/authorization flow
Sessions are identified through a session
identifier, which is globally unique at any given
time.
A Session termination message exists in order to
end a Diameter session, and all sessions have a
timeout value in order to ensure that they can be
cleaned up properly.
User Session
User asks NAS for service.
NAS issues AA-Request to local DIAMETER
server, containing user authentication info
and a unique Session-Id AVP.
Proxy Support
Every node in the network is responsible for its own retransmissions.
Allows each node to know a priori the reachability state of each peer.
Latency reduced.
Reliability increased.
[Figure: a NAS connected to a Primary Proxy Server and a 2nd Proxy Server in the LOCAL domain, each of which connects to a Primary Proxy Server and a 2nd Proxy Server in the HOME domain.]
Proxy Server
Before forwarding a message, check for a forwarding loop using the Route-Record AVP:
Check that the sender is the last Route-Record entry.
Check that its own address does not appear.
If the proxy applies policy, it must not allow end-to-end security and must send a message to the sender.
A proxy server MUST only process messages of type Response whose last Route-Record AVP matches one of its addresses. The last Route-Record AVP is removed, and the next hop is identified by
Message Routing
Routing is done using the realm portion of the NAI or a realm-encoded AVP (e.g. Origin-Realm, Destination-Realm).
Routing table columns: Domain Name | Extension ID | Local Action | Server Identifier
Local Action values:
LOCAL: process authentication locally.
PROXY: forward to the next-hop server identified by Server Identifier.
REDIRECT: return to sender with a DSI, DSI-Event = Redirect and Redirect-Host AVP = Server Identifier.
Realm Based Routing
Example: DIA 1 (mno.net) -> DIA 2 (xyz.com) -> DIA 3 (abc.com)
Request, DIA 1 to DIA 2:
Origin-FQDN=dia1.mno.net
Origin-Realm=mno.net
Destination-Realm=abc.com
Route-Record=dia1.mno.net
Response, DIA 2 to DIA 1:
Origin-Realm=abc.com
Destination-FQDN=dia1.mno.net
Request, DIA 2 to DIA 3:
Origin-FQDN=dia1.mno.net
Origin-Realm=mno.net
Destination-Realm=abc.com
Route-Record=dia1.mno.net
Route-Record=dia2.xyz.com
Response, DIA 3 to DIA 2:
Origin-Realm=abc.com
Destination-FQDN=dia1.mno.net
Route-Record=dia2.xyz.com
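The Route-Record loop checks from the Proxy Server slide and the realm table above, applied to the DIA 1 / DIA 2 / DIA 3 exchange, as an added example rather than code from the slides: ProxyNode, walk_chain, the dict message shape and the realm-table layout are assumptions, while the AVP names, Local Action values and host names are the slides' own.

```python
LOCAL, PROXY, REDIRECT = "LOCAL", "PROXY", "REDIRECT"   # Local Action values from the slide

class ProxyNode:
    """One Diameter node; realm_table maps Destination-Realm -> (Local Action, Server Identifier)."""
    def __init__(self, fqdn, realm_table):
        self.fqdn, self.realm_table = fqdn, realm_table

    def loop_check(self, msg, sender):
        """Checks from the Proxy Server slide; returns a reason to reject, or None."""
        records = msg.get("Route-Record", [])
        if not records or records[-1] != sender:
            return "sender is not the last Route-Record"
        if self.fqdn in records:
            return "own address already in Route-Record (forwarding loop)"
        return None

    def handle_request(self, msg, sender):
        """Apply the realm table to a request; returns (action, detail)."""
        problem = self.loop_check(msg, sender)
        if problem:
            return "REJECT", problem
        action, server = self.realm_table.get(msg.get("Destination-Realm"), (None, None))
        if action == LOCAL:
            return LOCAL, "process authentication at " + self.fqdn
        if action == PROXY:   # record this hop, then forward to the next-hop server ID
            fwd = dict(msg, **{"Route-Record": msg["Route-Record"] + [self.fqdn]})
            return PROXY, (server, fwd)
        if action == REDIRECT:   # send the request back with a DSI naming the home server
            return REDIRECT, {"DSI-Event": "Redirect", "Redirect-Host": server}
        return "REJECT", "no realm table entry for " + str(msg.get("Destination-Realm"))

    def handle_response(self, msg):
        """Only process a response whose last Route-Record is our own; strip it for the previous hop."""
        records = list(msg.get("Route-Record", []))
        if not records or records[-1] != self.fqdn:
            return None
        records.pop()
        return dict(msg, **{"Route-Record": records})

def walk_chain(nodes, msg, first_hop):
    """Drive a request hop by hop through nodes (fqdn -> ProxyNode); constructed driver."""
    sender, hop, path = msg["Origin-FQDN"], first_hop, [msg["Origin-FQDN"]]
    while hop in nodes:
        path.append(hop)
        action, detail = nodes[hop].handle_request(msg, sender)
        if action != PROXY:
            return action, detail, path
        sender, (hop, msg) = hop, detail
    return "UNDELIVERED", hop, path
```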
Redirect Support
Reduces the configuration information that would otherwise be necessary on all servers owned by members of a roaming consortium.
When a request is received by a redirect server, a redirect response is returned to the initiator of the request with the information necessary to communicate directly with servers in the home domain.
May also provide Certificate Authority services.
No long-lived shared secrets.
Enables IPsec.
[Figure: Redirect example. The abc.net Diameter Server sends a Request for Joe@xyz.com to the Diameter Redirect Server, which answers with a DSI carrying DSI-Event = Redirect and Redirect-Host AVP(s); the abc.net server then exchanges the request and response directly with the xyz.net Diameter Server.]
Security
Integrity and confidentiality at the AVP level.
The Diameter Strong Security Extension provides authentication and confidentiality. It is possible to secure portions of a Diameter message while other parts of the message are not secured. Using Diameter, proxies can add, delete or modify unprotected AVPs in a message.
Hop-by-Hop security:
Client and server communication using IPsec.
Server-to-server communication using SSL.
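An illustration, added here and not taken from the slides, of protecting only some AVPs so that proxies can still add or change unprotected ones while any change to a protected AVP is detected. The slide does not name the Strong Security Extension's mechanism, so an HMAC over the selected AVPs stands in for it; the key, the AVP selection and the message shape are constructed for this example.

```python
import hmac, hashlib, json

def _tag(protected_codes, avps, key):
    """MAC over the protected code list and the protected AVPs, in message order.
    Covering the code list itself stops a proxy from shrinking the protected set."""
    covered = [[c, v] for c, v in avps if c in protected_codes]
    material = json.dumps([sorted(protected_codes), covered]).encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()

def protect(avps, protected_codes, key):
    """Return the message with a tag covering only the named AVPs."""
    protected = sorted(protected_codes)
    return {"avps": list(avps), "protected": protected, "tag": _tag(protected, avps, key)}

def verify(msg, key):
    """True only if the protected AVPs (and the protected list itself) are unchanged."""
    return hmac.compare_digest(_tag(msg["protected"], msg["avps"], key), msg["tag"])

def proxy_append_route_record(msg, proxy_fqdn):
    """A proxy adding its own Route-Record, an unprotected AVP, as the slide allows."""
    return dict(msg, avps=msg["avps"] + [("Route-Record", proxy_fqdn)])

def proxy_rewrite(msg, code, new_value):
    """A proxy changing an AVP; the change is detectable only if that AVP is protected."""
    return dict(msg, avps=[(c, new_value if c == code else v) for c, v in msg["avps"]])
```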
Summary of Diameter Key Features
Lightweight protocol that is simple to implement.
Large AVP space.
Efficient encoding of attributes, similar to RADIUS.
Support for vendor-specific AVPs and Commands.
Support for a large number of simultaneous pending requests.
Reliability provided by the underlying SCTP.
Well-defined fail-over scheme.
Ability to quickly detect unreachable peers.
No silent message discards.
Support for unsolicited messages to "clients".
Integrity and confidentiality at the AVP level.
Hop-by-Hop security.
One session per authentication/authorization flow.
Mobile-IP Extension
Mobile IP
The Mobile Node issues a Registration Request to the Foreign Agent.
The Foreign Agent creates an AA-Mobile-Node-Request (AMR) message and forwards it to the AAAF.
Note that it is not required that the foreign agent invoke AAA services every time a Registration Request is received from the mobile, but rather only when the prior authorization from the AAAH expires, as indicated in the Authorization-Lifetime AVP in the AA-Mobile-Node-Answer.
The foreign agent MAY provide a challenge, giving it protection against replay attacks.
The mobile node includes the Challenge and the MN-AAA authentication extension to enable authorization by the AAAH. If the authentication data supplied in the MN-AAA extension is invalid, the AAAH returns the response (AMA) with the Result-Code AVP set to DIAMETER_ERROR_AUTH_FAILURE.
[Figure: MN authenticated by the AAAH.]
Home Agent
Receives the HAR; if it is invalid, sends an HAA with the Result-Code AVP set to DIAMETER_ERROR_BAD_HAR.
Processes the MIP-Reg-Request AVP and creates a Registration Reply, encapsulating it within the MIP-Reg-Reply AVP. If a home address is needed, the Home Agent MUST assign one and include the address in both the Registration Reply and the MIP-Mobile-Node-Address AVP. The Diameter response is then forwarded to the AAAH.
Inter-Domain Mobility
[Figure: message sequence between MN, FA, AAAF, AAAH and HA]
MN -> FA: Registration Request
FA determines to send an AMR to the AAAH.
FA -> AAAF: AMR
AAAF -> AAAH: AMR
AAAH authenticates the MN and forwards a HAR to the HA.
AAAH -> HA: HAR
HA processes the HAR and creates the Reply, including the home address.
HA -> AAAH: HAA
AAAH -> AAAF: AMA (includes MN Home Address, HA address, MN NAI)
AAAF -> FA: AMA
FA -> MN: Registration Reply
AA-Mobile-Node-Request (AMR) Command
Extension-Id
User-Name
Destination-Realm
Origin-FQDN
Origin-Realm
MIP-Reg-Request
MIP-MN-AAA-Auth
* MIP-Mobile-Node-Address
* MIP-Home-Agent-Address
* MIP-Feature-Vector
* Authorization-Lifetime
* MIP-FA-MN-Preferred-SPI
* MIP-FA-HA-Preferred-SPI
* MIP-Previous-FA-FQDN
* MIP-Previous-FA-Addr
* MIP-FA-Challenge
* Route-Record
AA-Mobile-Node-Answer (AMA) Command
Session-Id
Extension-Id
Session-Timeout
Authorization-Lifetime
Result-Code
Origin-FQDN
Origin-Realm
* Error-Reporting-FQDN
* MIP-Reg-Reply
* Route-Record
* MIP-FA-to-MN-Key
* MIP-FA-to-HA-Key
* MIP-MN-to-HA-Key
* MIP-HA-to-MN-Key
* MIP-Home-Agent-Address
* MIP-Mobile-Node-Address
* Original-Session-Id
* Filter-Rule
Home-Agent-MIP-Request (HAR) Command
Session-Id
Extension-Id
Session-Timeout
Authorization-Lifetime
MIP-Reg-Request
Origin-FQDN
Origin-Realm
User-Name
Destination-Realm
* Route-Record
* MIP-MN-to-HA-Key
* MIP-MN-to-FA-Key
* MIP-HA-to-MN-Key
* MIP-HA-to-FA-Key
* MIP-FA-to-MN-Key
* MIP-FA-to-HA-Key
* MIP-Mobile-Node-Address
* MIP-Home-Agent-Address
* Filter-Rule
Home-Agent-MIP-Answer (HAA) Command
Session-Id
Extension-Id
Session-Timeout
Authorization-Lifetime
Result-Code
Origin-FQDN
Origin-Realm
* Route-Record
* Error-Reporting-FQDN
* MIP-Reg-Reply
* MIP-Home-Agent-Address
* MIP-Mobile-Node-Address
* MIP-FA-to-MN-Key
* MIP-FA-to-HA-Key
* Filter-Rule
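A model of the AAAH and Home Agent behaviour described in the Mobile IP slides above, added as an example and not code from the slides, using the AVP names from the AMR, HAR and HAA lists. The MN-AAA authentication algorithm and the challenge format are not on the slides, so an HMAC over the challenge and registration request stands in; DIAMETER_SUCCESS is the standard Diameter success Result-Code, and the key, address pool, Session-Id fallback and host names are constructed.

```python
import hmac, hashlib

HAR_MANDATORY = ("Session-Id", "Extension-Id", "Session-Timeout", "Authorization-Lifetime",
                 "MIP-Reg-Request", "Origin-FQDN", "Origin-Realm", "User-Name", "Destination-Realm")

def mn_aaa_auth(mn_key, challenge, reg_request):
    """Stand-in for the MN-AAA authentication extension (not the real algorithm)."""
    return hmac.new(mn_key, challenge + reg_request, hashlib.sha256).hexdigest()

class HomeAgent:
    def __init__(self, address, pool):
        self.address, self.pool, self.bindings = address, list(pool), {}   # pool: free home addresses

    def handle_har(self, har):
        """Reject a malformed HAR; otherwise build the Registration Reply and the HAA."""
        if any(avp not in har for avp in HAR_MANDATORY):
            return {"Result-Code": "DIAMETER_ERROR_BAD_HAR"}
        mn = har["User-Name"]
        # assign a home address only when none is supplied or already bound (pool assumed non-empty)
        home = har.get("MIP-Mobile-Node-Address") or self.bindings.get(mn) or self.pool.pop(0)
        self.bindings[mn] = home
        return {"Result-Code": "DIAMETER_SUCCESS", "MIP-Reg-Reply": b"RegReply:" + home.encode(),
                "MIP-Home-Agent-Address": self.address, "MIP-Mobile-Node-Address": home}

class AAAH:
    def __init__(self, mn_keys, home_agent, lifetime=300):
        self.mn_keys, self.ha, self.lifetime = mn_keys, home_agent, lifetime   # mn_keys: User-Name -> key
        self.used_challenges = set()     # each FA challenge is accepted once (replay protection)

    def handle_amr(self, amr):
        """Authenticate the MN from the AMR; on success run HAR/HAA and return the AMA."""
        key, challenge = self.mn_keys.get(amr["User-Name"]), amr.get("MIP-FA-Challenge")
        if key is None or challenge is None or challenge in self.used_challenges or \
                not hmac.compare_digest(mn_aaa_auth(key, challenge, amr["MIP-Reg-Request"]),
                                        amr["MIP-MN-AAA-Auth"]):
            return {"Result-Code": "DIAMETER_ERROR_AUTH_FAILURE"}
        self.used_challenges.add(challenge)
        har = {k: amr[k] for k in ("Extension-Id", "User-Name", "Destination-Realm",
                                   "MIP-Reg-Request", "MIP-Mobile-Node-Address") if k in amr}
        har.update({"Session-Id": amr.get("Session-Id", "sess-" + amr["User-Name"]),  # constructed
                    "Session-Timeout": 2 * self.lifetime, "Authorization-Lifetime": self.lifetime,
                    "Origin-FQDN": "aaah.home.example", "Origin-Realm": "home.example"})
        haa = self.ha.handle_har(har)
        if haa["Result-Code"] != "DIAMETER_SUCCESS":
            return {"Result-Code": haa["Result-Code"]}
        return {"Result-Code": "DIAMETER_SUCCESS", "Authorization-Lifetime": self.lifetime,
                "MIP-Reg-Reply": haa["MIP-Reg-Reply"], "MIP-Home-Agent-Address": haa["MIP-Home-Agent-Address"],
                "MIP-Mobile-Node-Address": haa["MIP-Mobile-Node-Address"]}
```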