Upload File

diameter basics

19
Diameter is an authentication, authorization, and accounting protocol for computer networks. It evolved from and replaces the much less capable RADIUS protocol that preceded it. Diameter Applications extend the base protocol by adding new commands and/or attributes, such as those for use of the Extensible Authentication Protocol (EAP). Comparison with RADIUS[edit ] The name is a play on words, derived from the RADIUS protocol, which is the predecessor (a diameter is twice the radius). Diameter is not directly backwards compatible but provides an upgrade path for RADIUS. The main features provided by Diameter but lacking in RADIUS are: Reliable transport protocols (TCP or SCTP , not UDP ) o The IETF is in the process of standardizing TCP Transport for RADIUS Network or transport layer security (IPsec or TLS ) o The IETF is in the process of standardizing Transport Layer Security for RADIUS Transition support for RADIUS , although Diameter is not fully compatible with RADIUS Larger address space for attribute-value pairs (AVPs) and identifiers (32 bits instead of 8 bits) Client–server protocol, with exception of supporting some server-initiated messages as well Both stateful and stateless models can be used Dynamic discovery of peers (using DNS SRV and NAPTR ) Capability negotiation Supports application layer acknowledgements, defines failover methods and state machines (RFC 3539 ) Error notification Better roaming support More easily extended; new commands and attributes can be defined Aligned on 32-bit boundaries Basic support for user-sessions and accounting

Upload: vinay-goyal

Post on 05-Sep-2015

222 views

Category:

Documents


0 download

Report

DESCRIPTION

Diameter Introduction

TRANSCRIPT

Diameter is an authentication, authorization, and accounting protocol for computer networks. It evolved from and replaces the much less capable RADIUS protocol that preceded it.Diameter Applications extend the base protocol by adding new commands and/or attributes, such as those for use of the Extensible Authentication Protocol (EAP).Comparison with RADIUS[edit]The name is a play on words, derived from the RADIUS protocol, which is the predecessor (a diameter is twice the radius). Diameter is not directly backwards compatible but provides an upgrade path for RADIUS. The main features provided by Diameter but lacking in RADIUS are: Reliable transport protocols (TCP or SCTP, not UDP) The IETF is in the process of standardizing TCP Transport for RADIUS Network or transport layer security (IPsec or TLS) The IETF is in the process of standardizing Transport Layer Security for RADIUS Transition support for RADIUS, although Diameter is not fully compatible with RADIUS Larger address space for attribute-value pairs (AVPs) and identifiers (32 bits instead of 8 bits) Clientserver protocol, with exception of supporting some server-initiated messages as well Both stateful and stateless models can be used Dynamic discovery of peers (using DNS SRV and NAPTR) Capability negotiation Supports application layer acknowledgements, defines failover methods and state machines (RFC 3539) Error notification Better roaming support More easily extended; new commands and attributes can be defined Aligned on 32-bit boundaries Basic support for user-sessions and accountingApplications[edit]A Diameter Application is not a software application but is a protocol based on the Diameter base protocol defined in RFC 6733 (Obsoletes: RFC 3588). Each application is defined by an application identifier and can add new command codes and/or new mandatory AVPs. Adding a new optional AVP does not require a new application.Examples of Diameter applications: Diameter Mobile IPv4 Application (MobileIP, RFC 4004) Diameter Network Access Server Application (NASREQ, RFC 4005) Diameter Extensible Authentication Protocol Application (RFC 4072) Diameter Credit-Control Application (DCCA, RFC 4006) Diameter Session Initiation Protocol Application (RFC 4740) Various applications in the 3GPP IP Multimedia SubsystemBoth the HSS and the SLF communicate using the Diameter protocol.(Generic Bootstrapping Architecture): Bootstrapping Server FunctionHistory[edit]The Diameter protocol was initially developed by Pat R. Calhoun, Glen Zorn, and Ping Pan in 1998 to provide a framework for authentication, authorization and accounting (AAA) that could overcome the limitations of RADIUS. RADIUS had issues with reliability, scalability, security and flexibility. RADIUS cannot deal effectively with remote access, IP mobility and policy control. The Diameter protocol defines a policy protocol used by clients to perform policy, AAA, and resource control. This allows a single server to handle policies for many services.[1]Like RADIUS, Diameter provides AAA functionality, but it is using TCP and SCTP instead of UDP, therefore logic for detection of communication problems is not included in the Diameter protocol itself. The Diameter protocol is enhanced further by the development of the 3rd Generation Partnership Project (3GPP) IP Multimedia Subsystem (IMS). The Cx, Dh, Dx, Rf, Ro, and Sh interfaces are supported by Diameter applications.[2] Through the use of extensions, the protocol was designed to be extensible to support proxies, brokers, strong security, mobile IP, network-access servers (NASREQ), accounting and resource management.Protocol description[edit]The Diameter base protocol is defined by RFC 6733 (Obsoletes: RFC 3588) and defines the minimum requirements for an AAA protocol. Diameter Applications can extend the base protocol by adding new commands, attributes, or both. Diameter security is provided by IPsec or TLS. The IANA has assigned TCP and SCTP port number 3868 to Diameter.Packet format[edit]The packet consists of a Diameter header and a variable number of Attribute-Value Pairs, or AVPs, for encapsulating information relevant to the Diameter message.Diameter Header

Bit offset012345678910111213141516171819202122232425262728293031

0versionmessage length

32RPETcommand code

64application ID

96hop-by-hop ID

128end-to-end ID

160...AVPs...

The "R" (Request) bit If set, the message is a request. If cleared, the message is an answer.The "P" (Proxiable) bit If set, the message MAY be proxied, relayed or redirected. If cleared, the message MUST be locally processed.The "E" (Error) bit If set, the message contains a protocol error, and the message will not conform to the ABNF described for this command. Messages with the "E" bit set are commonly referred to as error messages. This bit MUST NOT be set in request messages.The "T" (Potentially re-transmitted message) bit This flag is set after a link failover procedure, to aid the removal of duplicate requests. It is set when resending requests not yet acknowledged as an indication of a possible duplicate due to a link failure.Commands[edit]Each command is assigned a command code, which is used for both Requests and Answers.The values 0-255 are reserved for RADIUS backward compatibility. The values 256-16777213 are for permanent, standard commands allocated by IANA. The values 16777214 and 16777215 (hex 0xFFFFFE and 0xFFFFFF) are reserved for experimental and testing purposes.Some common Diameter commands are:Command-NameAbbr.Code

AA-RequestAAR265

AA-AnswerAAA265

Diameter-EAP-RequestDER268

Diameter-EAP-AnswerDEA268

Abort-Session-RequestASR274

Abort-Session-AnswerASA274

Accounting-RequestACR271

Accounting-AnswerACA271

Credit-Control-RequestCCR272

Credit-Control-AnswerCCA272

Capabilities-Exchange-RequestCER257

Capabilities-Exchange-AnswerCEA257

Device-Watchdog-RequestDWR280

Device-Watchdog-AnswerDWA280

Disconnect-Peer-RequestDPR282

Disconnect-Peer-AnswerDPA282

Re-Auth-RequestRAR258

Re-Auth-AnswerRAA258

Session-Termination-RequestSTR275

Session-Termination-AnswerSTA275

User-Authorization-RequestUAR300

User-Authorization-AnswerUAA300

Server-Assignment-RequestSAR301

Server-Assignment-AnswerSAA301

Location-Info-RequestLIR302

Location-Info-AnswerLIA302

Multimedia-Auth-RequestMAR303

Multimedia-Auth-AnswerMAA303

Registration-Termination-RequestRTR304

Registration-Termination-AnswerRTA304

Push-Profile-RequestPPR305

Push-Profile-AnswerPPA305

User-Data-RequestUDR306

User-Data-AnswerUDA306

Profile-Update-RequestPUR307

Profile-Update-AnswerPUA307

Subscribe-Notifications-RequestSNR308

Subscribe-Notifications-AnswerSNA308

Push-Notification-RequestPNR309

Push-Notification-AnswerPNA309

Bootstrapping-Info-RequestBIR310

Bootstrapping-Info-AnswerBIA310

Message-Process-RequestMPR311

Message-Process-AnswerMPA311

Update-Location-RequestULR316

Update-Location-AnswerULA316

Authentication-Information-RequestAIR318

Authentication-Information-AnswerAIA318

Notify-RequestNR323

Notify-AnswerNA323

This section requires expansion. (December 2009)

Attribute-Value Pairs (AVP)[edit]AVP Header

Bit offset012345678910111213141516171819202122232425262728293031

0AVP code

32VMPAVP length

64vendor ID (optional)

96...data...

For simplicity, "V" bit Means Vendor Specific; "M" bit means Mandatory; "P" bit means Protected.The "V" bit, known as the Vendor-Specific bit, indicates whether the optional Vendor-ID field is present in the AVP header. When set the AVP Code belongs to the specific vendor code address space.The "M" bit, known as the Mandatory bit, indicates whether support of the AVP is required. If an AVP with the "M" bit set is received by a Diameter client, server, proxy, or translation agent and either the AVP or its value is unrecognized, the message MUST be rejected. Diameter Relay and redirect agents MUST NOT reject messages with unrecognized AVPs.The "P" bit indicates the need for encryption for end-to-end security.Attribute-NameCodeData Type

Acct-Interim-Interval85Unsigned32

Accounting-Realtime-Required483Enumerated

Acct-Multi-Session-Id50UTF8String

Accounting-Record-Number485Unsigned32

Accounting-Record-Type480Enumerated

Accounting-Session-Id44OctetString

Accounting-Sub-Session-Id287Unsigned64

Acct-Application-Id259Unsigned32

Auth-Application-Id258Unsigned32

Auth-Request-Type274Enumerated

Authorization-Lifetime291Unsigned32

Auth-Grace-Period276Unsigned32

Auth-Session-State277Enumerated

Re-Auth-Request-Type285Enumerated

Class25OctetString

Destination-Host293DiamIdent

Destination-Realm283DiamIdent

Disconnect-Cause273Enumerated

E2E-Sequence300Grouped

Error-Message281UTF8String

Error-Reporting-Host294DiamIdent

Event-Timestamp55Time

Experimental-Result297Grouped

Experimental-Result-Code298Unsigned32

Failed-AVP279Grouped

Firmware-Revision267Unsigned32

Host-IP-Address257Address

Inband-Security-Id299Unsigned32

Multi-Round-Time-Out272Unsigned32

Origin-Host264DiamIdent

Origin-Realm296DiamIdent

Origin-State-Id278Unsigned32

Product-Name269UTF8String

Proxy-Host280DiamIdent

Proxy-Info284Grouped

Proxy-State33OctetString

Redirect-Host292DiamURI

Redirect-Host-Usage261Enumerated

Redirect-Max-Cache-Time262Unsigned32

Result-Code268Unsigned32

Route-Record282DiamIdent

Session-Id263UTF8String

Session-Timeout27Unsigned32

Session-Binding270Unsigned32

Session-Server-Failover271Enumerated

Supported-Vendor-Id265Unsigned32

Termination-Cause295Enumerated

User-Name1UTF8String

Vendor-Id266Unsigned32

Vendor-Specific-Application-Id260Grouped

Message flows[edit]

The communication between two diameter peers starts with the establishment of a transport connection (TCP or SCTP). The initiator then sends a Capabilities-Exchange-Request (CER) to the other peer, which responds with a Capabilities-Exchange-Answer (CEA). For RFC3588 compliant peers TLS (Transport Layer Security) may optionally be negotiated. For RFC6733 compliant peers TLS negotiation may optionally happen before the CER/CEA.The connection is then ready for exchanging application messages.If no messages have been exchanged for some time either side may send a Device-Watchdog-Request (DWR) and the other peer must respond with Device-Watchdog-Answer.Either side may terminate the communication by sending a Disconnect-Peer-Request (DPR) which the other peer must respond to with Disconnect-Peer-Answer. After that the transport connection can be disconnected.RFCs[edit]The Diameter protocol is currently defined in the following IETF RFCs: Obsolete RFCs are indicated with strikethrough text.Diameter Credit-Control Application, is a networking protocol for Diameter application used to implement real-time credit-control for a variety of end user services.It is an IETF standard defined in RFC 4006.Purpose[edit]The purpose of the diameter credit control application is to provide a framework for real-time charging, primarily meant for the communication between gateways/control-points and the back-end account/balance systems (typically an Online Charging System).The application specifies methods for: Quota management (Reserve, Reauthorize, Abandon) Simple Debit/Credit Balance checks Price inquiriesThe diameter credit control application does not specify which type units are bought/used and which items are charged. This is left to the service context that have to be specified separately, as is some of the semantics.Examples of units used/bought: Time Upload/Download bytes SMS (Text Messages)Examples of items charged: Money Points Units (e.g. if the balance is kept in the same units as what is being used)Diameter credit control also specifies how to handle the fairly complex issue of multiple unit types used/charged against a single user balance. For instance, a user may pay for both online time and download bytes but has only a single account balance.Session-based charging[edit]A session-based credit control process uses several interrogations which may include first, intermediate and last interrogation. During interrogation money is reserved from the user account. Session-based charging is typically used for scenarios where the charged units are continuously consumed, e.g. charging for bytes upload/download.Event-based charging[edit]An event-based credit control process uses events as charging mechanism. Event-based charging is typically used when units are not continuously consumed, e.g. a user sending an MMS.Command Codes[edit]In order to support Credit Control via Diameter, there are two Diameter messages, the CCR (Credit Control Request) and the CCA (Credit Control Answer). Command Code for CCR/CCA is 272, as defined in RFC 4006For quota management the client sends CCR to the server requesting units and reporting consumption. The server grants units and charges the user. For simple debit/credit the client sends a CCR asking the server to credit/debit the user's account. For price inquiries the client ask the server what the price for a unit is, and the server responds with the price.Message flows[edit]The message flows are in general driven by the control-point asking for units and the server granting them. The message may also be generated by other diameter applications, such as NASREQ (RFC4005) for sessions that are time/usage-limited.The following diagram shows a simplified message flow for a session using quota grants.

The client starts by requesting 10 units from the server. The server verifies that the user/subscriber has enough balance for it. In this example the server grants the client all the units it requested. if the subscriber had insufficient balance it could have granted less units or rejected it completely.When or before the subscriber session has used the granted units the client sends an update to the server telling it how many units have been used and how many it would like granted this time. The client is allowed to request units before the previous grant is completely used, in order to avoid suspending the subscriber session while talking to the server. In this example the client sends the request when 7 units of the 10 previously granted units have been used; and ask for 10 more units, which the server grants. The server can use the used-units count for debiting the subscriber balance (granting units does not indicate that they will be used. The Used-Units AVP contains the actual usage). It is also possible for the server to tell the client how long the grant is valid, in which case the client is expected to send an update when the grant timer expires.There can be many update messages during a session.Finally, the subscriber has ended the session, and the client sends a termination message to the server containing the last Used-Units. The server can use the termination message to clear any related reservations made in the back-end balance management system. If the subscriber did not terminate the session himself but instead depleted his balance then the server would have responded earlier with reject to an update message, possibly telling the client/control-point to redirect traffic (this normally only makes sense for HTTP/WAP traffic).AVP matrix[edit]AVPs for new command codes[edit]The new Command codes, CCA and CCR, may require some AVPs as indicated below. Bold AVPs are new to DCCA.Command Code

Attribute NameCCRCCA

Acct-Multi-Session-Id0-10-1

Auth-Application-Id11

CC-Correlation-Id0-10

CC-Session-Failover00-1

CC-Request-Number11

CC-Request-Type11

CC-Sub-Session-Id0-10-1

Check-Balance-Result00-1

Cost-Information00-1

Credit-Control-Failure-Handling00-1

Destination-Host0-10

Destination-Realm10

Direct-Debiting-Failure-Handling00-1

Event-Timestamp0-10-1

Failed-AVP00+

Final-Unit-Indication00-1

Granted-Service-Unit00-1

Multiple-Services-Credit-Control0+0+

Multiple-Services-Indicator0-10

Origin-Host11

Origin-Realm11

Origin-State-Id0-10-1

Proxy-Info0+0+

Redirect-Host00+

Redirect-Host-Usage00-1

Redirect-Max-Cache-Time00-1

Requested-Action0-10

Requested-Service-Unit0-10

Route-Record0+0+

Result-Code01

Service-Context-Id10

Service-Identifier0-10

Service-Parameter-Info0+0

Session-Id11

Subscription-Id0+0

Termination-Cause0-10

User-Equipment-Info0-10

Used-Service-Unit0+0

User-Name0-10-1

Validity-Time00-1

New AVPs for base protocol command codes[edit]Command Code

Attribute NameRARRAA

CC-Sub-Session-Id0-10-1

G-S-U-Pool-Identifier0-10-1

Service-Identifier0-10-1

Rating-Group0-10-1

The table uses the following symbols: 0 The AVP MUST NOT be present in the message 0+ Zero or more instances of the AVP MAY be present in the message 0-1 Zero or one instance of the AVP MAY be present in the message. It is considered an error if there is more than one instance of the AVP 1 One instance of the AVP MUST be present in the message 1+ At least one instance of the AVP MUST be present in the message


Diameter - cisco.com · Diameter EAP application is based on the Diameter Network Access Server Application [NASREQ] and is intended for environments similar to NASREQ. In the Diameter

Diameter Transaction Rate KPIs · Diameter Transaction Rate KPIs ThischapterdescribestheoverviewandimplementationofTransactionRateKPIfeatureonperDiameter interfacesconfiguredintheStarOSsoftware

Ratio between stone diameter and nominal diameter - TU Delft

Diameter protocol

TekelecWP1557 - Diameter

code inside diameter outside diameter working pressure ... · code inside diameter outside diameter working pressure burst pressure weight nominal bending radius vacuum length max

Deploying the BIG-IP System for Diameter Traffic … Deployment Guide 3 Diameter Traffic Management About Diameter The Diameter base protocol is intended to provide an Authentication,

Diameter Rfc4006

Gaging Basics - AMI - Automation and · PDF file-Gaging Basics – ... The 6-step plain taper pipe plug gage, consisting of one member, checks the minor diameter of an internally threaded

Diameter Distributions

Oven with generator on the left middle (vessels in the center) 11mm diameter 11mm diameter 33mm diameter 33mm diameter

Temper: Hard Diameter Thickness Tolerance: +15% Diameter

Diameter User's Guide · Validating Diameter Connection Capacity2-23. Using Application IDs to Identify Diameter Applications2-26. Diameter Application IDs Elements2-27. Adding an

Understanding Centrifugal Pumping...Book 1: Understanding Centrifugal Pumping - Classroom Basics We have a centrifugal pump that is spinning at 1800 RPM. What impeller diameter would

Diameter Overview

Algebra Basics ALGEBRA BASICS ALGEBRA BASICS ALGEBRA BASICS

Robot Control Basics - cs.gmu.edukosecka/cs485/lec04-control.pdf · Mobile robot kinematics • Differential drive mobile robot • Two wheels, with diameter , point P centered •

Diameter Conceps

Esbee Machinery Pvt. Ltd. - Conveyor ChainsANSI Roller Chain Sprocket Diameters (ANSI B29.1-1975) Outside Diameter Pitch Diameter Caliper Factor No. Teeth* Outside Diameter Pitch Diameter

Wind Power - CMU · Wind Turbine basics. 2 Contemporary wind turbines NEG Micon 2MW 72m diameter rotor, 68m tower Vestas V39 500kW 39m diameter rotor, 43m tower ... gas, transmission,

Module 5 PCB Fabrication Process and Layout Basics 5 PCB Fabrication Process and Layout Basics. Outline ... Typical PCB fabrication tolerances Drills: +5/-3 mils diameter, ... and

Major Diameter: The largest diameter of the thread Minor Diameter: The smallest diameter of the thread Pitch: Distance between two threads (mm) or no

Diameter - erlang.org

PROPELLER BASICS - Homepage // Michigan Wheel · PDF filePROPELLER BASICS Diameter ... propeller, and has implications with respect to boat performance. ... design pitch. The amount

code inside diameter outside diameter working pressure

Circles diameter

Diameter RFC3588

Global importance of large-diameter treesMartínez, 2009; Das, Stephenson, & Davis, 2016). Large-diameter trees (and large-diameter snags and large-diameter fallen woody debris) make

The Fluid Structure Interaction of a Peristaltic Pump: Basics and …12)/S05120155166.pdf · 2016-12-13 · performance are pump speed, inner tube diameter, tube material, degree

Diameter - Erlang

The Eliminator - Tank Cribbing Home Page...90’ Diameter 139,000 100’ Diameter 174,000 110’ Diameter 217,000 120’ Diameter 246,000 ... Adjustable 4.0 – 7.0 Risers 50,000 Pounds

Degree Diameter

Diameter - Erlangerlang.org/doc/apps/diameter/diameter.pdf · 1.1 Introduction 2 | Ericsson AB. All Rights Reserved.: Diameter 1 Diameter Users Guide The diameter application is a

A HEIGHT-DIAMETER MODEL FOR BRUTIAN PINE … · in the plots: stand basal area, quadratic mean diameter, maximum diameter, dominant diameter, dominant height, stand mean height, stand

OUTSIDE DIAMETER ROPE DIAMETER BORE RIM WIDTH HUB …sheavesource.com/wp-content/themes/sheavesource/_img/data-shee… · outside diameter rope diameter bore rim width hub width hub