diameter.pptx

Upload: kishore-rajput

Post on 10-Dec-2015

Page 1: Diameter.pptx

Intro

The Diameter protocol is a next generation RADIUS protocol. It addresses the known RADIUS deficiencies and is intended for use with NASREQ, ROAMOPS and Mobile IP. The Mobile-IP WG has recently changed its focus to inter-administrative-domain mobility. The basic concept behind Diameter is to provide a base protocol that can be extended in order to provide AAA services to new access technologies such as Internet access.

Diameter Protocol Overview

Page 2: Diameter.pptx

Diameter Architecture

- Base protocol: functionality common to all supported services. Defines message format, primitives, transport, error reporting and security services.
- Protocol extensions: application-specific functionality, e.g. strong security, Mobile IP, NASREQ (commands for use in CHAP, PAP and EAP) and accounting.

Page 3: Diameter.pptx

Diameter Base Protocol

Diameter is a peer-to-peer protocol: any node can initiate a request. The base Diameter protocol is never used on its own. It is always extended for a particular application, which defines the Diameter command codes: NASREQ, Mobile IP, Strong Security, Accounting.

Figure: the Mobile-IP, NASREQ and Accounting extensions sit on top of the Diameter Base Protocol with Strong Security.

Page 4: Diameter.pptx

Diameter Header

- Flags: 13 bits; the E, I and R bit sequence denotes the command type (request, reply, indication).
- Hop-by-Hop Identifier
- End-to-End Identifier
- Command Code
- AVPs encapsulate the information relevant to the message.

Page 5: Diameter.pptx

Diameter AVP

- AVP Code: uniquely identifies the attribute.
- AVP Flags: indicate how the AVP should be handled: r (reserved), P (protected), M (mandatory), V (vendor-specific).
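As an added example (not from the slide deck), here is a Python encoder and parser for the AVP format just described. The slides give the flag names but not their bit positions or field widths, so the layout assumed here is the one RFC 3588 later standardized (32-bit code, 8-bit flags, 24-bit length, optional Vendor-Id, data padded to 4 bytes); the AVP codes 263, 296 and 283 are RFC 3588's registered values, while the vendor id 99001, the vendor AVP code 7 and all sample data are constructed. The parser shows the two behaviours a receiver needs for the M bit: unknown optional AVPs are skipped, an unknown AVP carrying the M bit rejects the message, and every length is bounds-checked before it is used.

```python
import struct

# AVP flag bits. The slide names the flags (r, P, M, V) but not their bit
# positions; the positions below are the ones RFC 3588 later standardized.
AVP_FLAG_V = 0x80  # vendor-specific: a Vendor-Id field follows the header
AVP_FLAG_M = 0x40  # mandatory: receiver must support the AVP or reject the message
AVP_FLAG_P = 0x20  # protected: end-to-end security applies to this AVP

# Assumed layout (RFC 3588): Code (32 bits), Flags (8), Length (24, header plus
# data, excluding padding), Vendor-Id (32, only if V is set), Data, pad to 4 bytes.

# 263/296/283 are RFC 3588's registered codes; vendor 99001 / code 7 are constructed.
KNOWN_AVPS = {
    (None, 263): "Session-Id",
    (None, 296): "Origin-Realm",
    (None, 283): "Destination-Realm",
    (99001, 7): "Example-Vendor-Attr",
}


class UnknownMandatoryAVP(Exception):
    """An AVP with the M bit set has a code the receiver does not support."""


def encode_avp(code, data, mandatory=False, protected=False, vendor_id=None):
    """Serialize one AVP, padding the data to a 4-byte boundary."""
    flags = (AVP_FLAG_M if mandatory else 0) | (AVP_FLAG_P if protected else 0)
    vendor = b""
    if vendor_id is not None:
        flags |= AVP_FLAG_V
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)          # length field excludes padding
    header = struct.pack("!II", code, (flags << 24) | length)
    return header + vendor + data + b"\x00" * ((-len(data)) % 4)


def decode_avps(buf, known=KNOWN_AVPS):
    """Parse a run of AVPs. Unknown optional AVPs are skipped, unknown mandatory
    AVPs abort the message, and lengths are bounds-checked before any slice."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header at offset %d" % off)
        code, word = struct.unpack_from("!II", buf, off)
        flags, length = word >> 24, word & 0x00FFFFFF
        hdr_len = 12 if flags & AVP_FLAG_V else 8
        if length < hdr_len or off + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, off))
        vendor_id = struct.unpack_from("!I", buf, off + 8)[0] if hdr_len == 12 else None
        data = bytes(buf[off + hdr_len:off + length])
        key = (vendor_id, code)
        if key in known:
            avps.append((known[key], flags, data))
        elif flags & AVP_FLAG_M:
            raise UnknownMandatoryAVP("unsupported AVP %r carries the M bit" % (key,))
        off += length + ((-length) % 4)   # step over the padding as well
    return avps


def demo():
    """Build a small message from constructed values and parse it back."""
    msg = (encode_avp(263, b"dia1.mno.net;1;42", mandatory=True)
           + encode_avp(296, b"mno.net", mandatory=True)
           + encode_avp(7, b"\x01", vendor_id=99001)
           + encode_avp(4242, b"ignored", vendor_id=99001))   # unknown and optional
    return [(name, data) for name, _flags, data in decode_avps(msg)]


if __name__ == "__main__":
    print(demo())
```

Rejecting on an unsupported mandatory AVP instead of ignoring it is what lets the large AVP namespace grow safely: a sender that marks an AVP mandatory learns at once that the peer cannot honour it, rather than receiving a silently degraded answer.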

Page 6: Diameter.pptx

Diameter Base Protocol

- Simply provides a secure transport for the messages defined in the various application-specific extensions.
- Data objects are encapsulated within the Attribute Value Pair (AVP).
- Large AVP space, to ensure that future protocol extensibility is not limited by the size of the namespace, as in the RADIUS protocol.
- Support for vendor-specific AVPs and commands for extensions.

Page 7: Diameter.pptx

Diameter Base Protocol

- A peer initiates communication by sending a message. The AVPs sent in messages are determined by the Diameter extension.
- The initial message includes a unique Session-Id AVP. A Session-Termination-Request frees the session.
- Peer-to-peer operation allows unsolicited messages to be sent to NASes, e.g. on-demand retrieval of accounting data, or server-initiated session termination.

Page 8: Diameter.pptx

Message Forwarding

Diameter messages must include:

- Origin-FQDN AVP: identifies the endpoint which originated the Diameter message, i.e. the NAS, home server or broker. Proxy servers do not modify this AVP.
- Origin-Realm AVP: contains the realm of the originator of any Diameter message.
- Destination-FQDN AVP: MUST be used when the destination of the message is fixed.

Diameter Base Protocol

Page 9: Diameter.pptx

Capabilities Exchange

- When two Diameter peers establish a transport connection, they MUST send the Device-Reboot-Ind message. It carries the peer's identity and its capabilities, e.g. the supported protocol version number and the locally supported extensions. Peers need to communicate compatible application-specific Diameter commands.
- Device-Reboot-Ind MUST NOT be proxied or redirected.
- Device-Status-Ind is used to notify the sending node of an unrecognized Command Code.

Page 10: Diameter.pptx

Transport

- Operates over SCTP (Stream Control Transmission Protocol).
- SCTP provides reliability and a well-defined retransmission and timeout mechanism, allowing clients and servers to detect the reachability and state of peers for quick transmission to backup servers.
- Provides a windowing scheme allowing AAA servers to limit the flow of incoming packets and distribute traffic load to other servers.
- Fail-over strategy.

Page 11: Diameter.pptx

Transport Failure Detection

- Early detection of transport failures minimizes sending messages to unavailable servers and improves failover performance.
- Diameter Watchdog Requests are sent after a period of idle communication between peers, with exponential back-off. When a Diameter Watchdog Answer is obtained, the peer resumes activity.
- Failover/Failback procedures: when a transport failure is detected, pending messages are sent to an alternative server. There is a pending message queue for each peer, where messages are identified by the Hop-by-Hop identifier. If the message cannot be sent to another server, a DIAMETER_UNABLE_TO_DELIVER message is sent back to the original sender.
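The watchdog and failover procedure above, as an added Python model that is not part of the slide deck: one pending queue per peer keyed by Hop-by-Hop identifier, a watchdog timer whose idle interval doubles per unanswered request, and a failover that re-sends stranded requests to the next live peer or hands DIAMETER_UNABLE_TO_DELIVER back to the original sender. The peer names, the 1-second base interval, the 16x cap, the three-missed-watchdogs threshold and the Peer/DiameterNode classes are all constructed for the example; the slides specify none of them.

```python
import itertools

# Result name taken from the slide; the numeric code is not on the page.
DIAMETER_UNABLE_TO_DELIVER = "DIAMETER_UNABLE_TO_DELIVER"


def watchdog_interval(base_seconds, missed):
    """Idle time before the next Diameter Watchdog Request. The slide says the
    back-off is exponential; the base, the doubling and the 16x cap are assumptions."""
    return min(base_seconds * 2 ** missed, 16 * base_seconds)


class Peer:
    """Stand-in for a transport connection to one Diameter peer (constructed)."""

    def __init__(self, name):
        self.name = name
        self.up = True
        self.missed_watchdogs = 0
        self.received = []   # (hop_by_hop_id, request) delivered over this connection


class DiameterNode:
    """A node with one pending-message queue per peer, keyed by Hop-by-Hop id."""

    def __init__(self, peers):
        self.peers = peers
        self.pending = {p.name: {} for p in peers}
        self.hop_ids = itertools.count(1)
        self.undeliverable = []   # (request, result) handed back to the original sender

    def first_live_peer(self):
        return next((p for p in self.peers if p.up), None)

    def send(self, request):
        peer = self.first_live_peer()
        if peer is None:
            self.undeliverable.append((request, DIAMETER_UNABLE_TO_DELIVER))
            return None
        hop = next(self.hop_ids)
        self.pending[peer.name][hop] = request
        peer.received.append((hop, request))
        return hop

    def on_answer(self, peer, hop):
        """Any answer, including a Watchdog Answer, proves the peer is alive."""
        peer.missed_watchdogs = 0
        return self.pending[peer.name].pop(hop, None)

    def on_watchdog_timeout(self, peer, max_missed=3):
        """No Watchdog Answer arrived: back off, and after max_missed declare failure."""
        peer.missed_watchdogs += 1
        if peer.up and peer.missed_watchdogs >= max_missed:
            self.failover(peer)
        return watchdog_interval(1.0, peer.missed_watchdogs)

    def failover(self, dead_peer):
        """Transport failure: move the peer's pending requests to another server."""
        dead_peer.up = False
        stranded = self.pending[dead_peer.name]
        self.pending[dead_peer.name] = {}
        for request in stranded.values():
            self.send(request)   # next live peer, or DIAMETER_UNABLE_TO_DELIVER

    def failback(self, peer):
        """A Watchdog Answer after a failure: the peer may carry new traffic again."""
        peer.up = True
        peer.missed_watchdogs = 0


def demo():
    """Two requests queued on the primary, then both peers fail in turn."""
    primary, secondary = Peer("dia1.mno.net"), Peer("dia2.mno.net")
    node = DiameterNode([primary, secondary])
    node.send("AMR for user-a")
    node.send("AMR for user-b")
    node.failover(primary)      # both requests move to the secondary
    node.failover(secondary)    # nowhere left to send them
    return [r for _, r in secondary.received], node.undeliverable


if __name__ == "__main__":
    print(demo())
```

The point of keying the queue by Hop-by-Hop identifier is that the identifier is meaningful only on one connection: when a request is re-sent to the alternative peer it gets a fresh identifier there, and the old entry is dropped so a late answer from the dead connection cannot be matched to a request that has since been answered elsewhere.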

Page 12: Diameter.pptx

Error Signaling

- Error Notification: all messages are acknowledged, either with a successful response or with one that contains an error code.
- Per-Hop Error Signaling: there are many instances where error conditions occur on a Diameter node that need to be signaled to the downstream server, and not necessarily to the Diameter client.
- End-to-End Error Signaling.

Page 13: Diameter.pptx

Example of Per-Hop Error Condition

Figure: a Diameter client or server sends a request through a chain of Diameter servers. The link to the last Diameter server is broken, so the server that cannot forward the request answers the previous hop with a DSI (Unable To Forward) instead of passing the request on.

Page 14: Diameter.pptx

Session Oriented

- Session-oriented: one session per authentication/authorization flow.
- Sessions are identified through a session identifier, which is globally unique at any given time.
- A session termination message exists in order to end a Diameter session, and all sessions have a timeout value in order to ensure that they can be cleaned up properly.

Page 15: Diameter.pptx

User Session

- The user asks the NAS for service.
- The NAS issues an AA-Request to the local Diameter server, containing the user's authentication information and a unique Session-Id AVP (Sender-FQDN, port, and an increasing 32-bit number).
- After the Diameter server authorizes the user, it SHOULD add an Authorization-Lifetime AVP to the response.
- The base protocol does not contain authorization request messages, as these are application-specific.

Page 16: Diameter.pptx

Proxy Support

- Every node in the network is responsible for its own retransmissions.
- Allows each node to know a priori the reachability state of each peer.
- Latency reduced.
- Reliability increased.

Figure: a NAS connected to a LOCAL primary proxy server and a LOCAL 2nd proxy server, which in turn connect to the HOME primary proxy server and the HOME 2nd proxy server.

Page 17: Diameter.pptx

Proxy Server

- Before forwarding a message, check for a forwarding loop using the Route-Record AVP: check that the sender is the last Route-Record entry, and check that the proxy's own address does not appear.
- If the proxy applies policy, it must not allow end-to-end security, and it sends a message to the sender.
- A proxy server MUST only process messages of type Response whose last Route-Record AVP matches one of its addresses. The last Route-Record AVP is removed, and the next hop is identified by the second-to-last Route-Record AVP.

Page 18: Diameter.pptx

Message Routing

- Routing is done using the realm portion of the NAI or a realm-encoded AVP (e.g. Origin-Realm, Destination-Realm).
- Local Action: LOCAL – process authentication. PROXY – forward to the next-hop server ID. REDIRECT – return to the sender with DSI + DSI-Event = Redirect + Redirect-Host AVP = server ID.
- Routing table columns: Domain Name, Extension ID, Local Action, Server Identifier.

Page 19: Diameter.pptx

Realm Based Routing

Figure (message flow between DIA 1 in mno.net, DIA 2 in xyz.com and DIA 3 in abc.com):

1. Request, DIA 1 to DIA 2: Origin-FQDN=dia1.mno.net, Origin-Realm=mno.net, Destination-Realm=abc.com, Route-Record=dia1.mno.net
2. Request, DIA 2 to DIA 3: Origin-FQDN=dia1.mno.net, Origin-Realm=mno.net, Destination-Realm=abc.com, Route-Record=dia1.mno.net, Route-Record=dia2.xyz.com
3. Response, DIA 3 to DIA 2: Origin-Realm=abc.com, Destination-FQDN=dia1.mno.net, Route-Record=dia2.xyz.com
4. Response, DIA 2 to DIA 1: Origin-Realm=abc.com, Destination-FQDN=dia1.mno.net
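The proxy loop checks (Proxy Server slide), the LOCAL/PROXY/REDIRECT local-action table (Message Routing slide) and the realm-based flow in the figure above, as one added Python example that is not part of the slide deck. Messages are plain dicts keyed by AVP name; the routing-table entries, the hostname dia9.example.org and the RoutingError class are constructed, and the example assumes that a response carries the same Route-Record list the request accumulated (the slides show only the last entry). The demo replays the dia1.mno.net to dia2.xyz.com to dia3.abc.com exchange and routes the response back along the Route-Record trail.

```python
# Local-action table in the shape of the "Message Routing" slide (Domain Name,
# Local Action, Server Identifier). Entries are constructed; Extension ID omitted.
ROUTING_TABLE_DIA2 = {
    "xyz.com": ("LOCAL", None),
    "abc.com": ("PROXY", "dia3.abc.com"),
    "example.org": ("REDIRECT", "dia9.example.org"),
}


class RoutingError(Exception):
    pass


def route_request(own_host, table, request, sender):
    """Loop checks from the Proxy Server slide, then the realm lookup."""
    route_record = request.get("Route-Record", [])
    if route_record and route_record[-1] != sender:
        raise RoutingError("last Route-Record %s is not the sending peer %s"
                           % (route_record[-1], sender))
    if own_host in route_record:
        raise RoutingError("forwarding loop: %s already in Route-Record" % own_host)
    entry = table.get(request["Destination-Realm"])
    if entry is None:
        return "ERROR", sender, {"Result-Code": "DIAMETER_UNABLE_TO_DELIVER"}
    action, server = entry
    if action == "LOCAL":
        return "LOCAL", None, request
    if action == "PROXY":
        forwarded = dict(request)
        forwarded["Route-Record"] = route_record + [own_host]
        return "PROXY", server, forwarded
    # REDIRECT: answer the sender with a DSI naming the server to contact directly
    return "REDIRECT", sender, {"DSI-Event": "Redirect", "Redirect-Host": server}


def route_response(own_host, response):
    """A response is only processed if the last Route-Record is our own address;
    that entry is removed and the next hop is the entry before it."""
    route_record = response.get("Route-Record", [])
    if not route_record or route_record[-1] != own_host:
        raise RoutingError("response's last Route-Record is not one of our addresses")
    out = dict(response)
    out["Route-Record"] = route_record[:-1]
    if out["Route-Record"]:
        return "FORWARD", out["Route-Record"][-1], out
    return "LOCAL", None, out   # back at the originator named in Destination-FQDN


def demo():
    """Replay the Realm Based Routing figure and return the per-hop decisions."""
    trace = []
    request = {"Origin-FQDN": "dia1.mno.net", "Origin-Realm": "mno.net",
               "Destination-Realm": "abc.com", "Route-Record": ["dia1.mno.net"]}
    action, nxt, fwd = route_request("dia2.xyz.com", ROUTING_TABLE_DIA2, request, "dia1.mno.net")
    trace.append((action, nxt))
    action, nxt, served = route_request("dia3.abc.com", {"abc.com": ("LOCAL", None)},
                                        fwd, "dia2.xyz.com")
    trace.append((action, nxt))
    # Assumption: the response echoes the Route-Record list the request accumulated.
    response = {"Origin-Realm": "abc.com", "Destination-FQDN": "dia1.mno.net",
                "Route-Record": served["Route-Record"]}
    action, nxt, response = route_response("dia2.xyz.com", response)
    trace.append((action, nxt))
    action, nxt, response = route_response("dia1.mno.net", response)
    trace.append((action, nxt))
    return trace


if __name__ == "__main__":
    print(demo())
```

Both checks in route_request matter for a proxy exposed to other administrative domains: the "sender is last" check stops a peer from injecting a forged trail, and the "own address absent" check is what actually breaks a routing loop between misconfigured proxies before it consumes the pending-request capacity of every node on the cycle.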

Page 20: Diameter.pptx

Redirect Support

- Reduces the configuration information that would otherwise be necessary on all servers owned by members of a roaming consortium.
- When a request is received by a redirect server, a redirect response is returned to the initiator of the request with the information necessary to communicate directly with servers in the home domain.
- May also provide Certificate Authority services.
- No long-lived shared secrets. Enables IPSEC.

Page 21: Diameter.pptx

Diameter Redirect Server

Figure: a Diameter server in xyz.net sends a request for [email protected] to the Diameter redirect server. The redirect server responds with a DSI whose DSI-Event = Redirect and which carries Redirect-Host AVP(s); the xyz.net server then sends its request directly to the Diameter server in abc.net.

Page 22: Diameter.pptx

Security

- The Diameter Strong Security Extension provides authentication, integrity and confidentiality at the AVP level. It is possible to secure portions of a Diameter message while other parts of the message are not secured. Using Diameter, proxies can add, delete or modify unprotected AVPs in a message.
- Hop-by-hop security: client-to-server communication uses IPSEC; server-to-server communication uses SSL.
- The Diameter NASREQ extension defines commands for use in CHAP, PAP and EAP. The first 256 AVPs are reserved for RADIUS compatibility.
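The AVP-level protection model above, as an added Python example that is not from the slide deck: an integrity tag computed only over the AVPs whose P flag is set, so that a proxy may append or rewrite unprotected AVPs (Route-Record, Destination-Realm) without invalidating the message, while any change to a protected AVP is detected at the destination. HMAC-SHA256 stands in for the Strong Security Extension's actual mechanism, which the slides do not specify; the key, the "Integrity-Tag (constructed)" AVP name and the message contents are all constructed.

```python
import hashlib
import hmac
import json

# A message is a list of (AVP name, value, P flag). HMAC-SHA256 over the
# P-flagged AVPs stands in for the Strong Security Extension's mechanism.
TAG_AVP = "Integrity-Tag (constructed)"


def protected_view(avps):
    """Canonical bytes of the protected AVPs, in order; unprotected AVPs are excluded."""
    return json.dumps([[name, value] for name, value, p in avps if p],
                      separators=(",", ":")).encode()


def sign_message(avps, key):
    """Originator: append an integrity tag that covers only the P-flagged AVPs."""
    tag = hmac.new(key, protected_view(avps), hashlib.sha256).hexdigest()
    return avps + [(TAG_AVP, tag, False)]


def verify_message(avps, key):
    """Destination: recompute the tag over the protected AVPs and compare."""
    body = [a for a in avps if a[0] != TAG_AVP]
    tags = [value for name, value, _p in avps if name == TAG_AVP]
    if len(tags) != 1:
        return False
    expected = hmac.new(key, protected_view(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tags[0])


def proxy_add_route_record(avps, proxy_host):
    """Proxy behaviour the slide allows: add an unprotected AVP in transit."""
    return avps + [("Route-Record", proxy_host, False)]


def proxy_modify(avps, name, new_value):
    """Proxy rewrites the value of an existing AVP, keeping its P flag."""
    return [(n, new_value if n == name else v, p) for n, v, p in avps]


def demo():
    """Constructed AMR-like message: identity AVPs protected, routing AVPs not."""
    key = b"constructed-end-to-end-key"
    msg = sign_message([("Session-Id", "dia1.mno.net;1;42", True),
                        ("User-Name", "mn1@mno.net", True),
                        ("Destination-Realm", "abc.com", False),
                        ("Route-Record", "dia1.mno.net", False)], key)
    after_proxy = verify_message(proxy_add_route_record(msg, "dia2.xyz.com"), key)
    realm_rewritten = verify_message(proxy_modify(msg, "Destination-Realm", "xyz.com"), key)
    identity_rewritten = verify_message(proxy_modify(msg, "User-Name", "other@mno.net"), key)
    return after_proxy, realm_rewritten, identity_rewritten


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The design consequence is the one the slide hints at: which AVPs carry the P flag is a policy decision, and anything left unprotected (here the routing AVPs) is trusted only to the hop-by-hop IPSEC or SSL link, not end to end.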

Page 23: Diameter.pptx

Summary of Diameter Key Features

- Lightweight and simple-to-implement protocol
- Large AVP space
- Efficient encoding of attributes, similar to RADIUS
- Support for vendor-specific AVPs and commands
- Support for a large number of simultaneous pending requests
- Reliability provided by underlying SCTP
- Well-defined fail-over scheme

Page 24: Diameter.pptx

Summary of Diameter Key Features

- Ability to quickly detect unreachable peers
- No silent message discards
- Support of unsolicited messages to "clients"
- Integrity and confidentiality at the AVP level
- Hop-by-hop security
- One session per authentication/authorization flow
- Provides redirect (referral) services, to allow bypassing of brokers

Page 25: Diameter.pptx

Mobile IP

- The Mobile Node issues a Registration Request to the Foreign Agent.
- The Foreign Agent creates an AA-Mobile-Node-Request (AMR) message and forwards it to the AAAF. It extracts the Home Address, Home Agent Address and Mobile Node NAI into AVPs.
- The AAAF receives the AMR and determines whether to forward it or process it locally.

Mobile-IP Extension

Page 26: Diameter.pptx

Mobile IP …

Note that it is not required that the foreign agent invoke AAA services every time a Registration Request is received from the mobile, but rather only when the prior authorization from the AAAH expires, as indicated in the Authorization-Lifetime AVP in the AA-Mobile-Node-Answer. The foreign agent MAY provide a challenge, giving it protection against replay attacks. The mobile node includes the Challenge and the MN-AAA authentication extension to enable authorization by the AAAH. If the authentication data supplied in the MN-AAA extension is invalid, the AAAH returns the response (AMA) with the Result-Code AVP set to DIAMETER_ERROR_AUTH_FAILURE.

Page 27: Diameter.pptx

Mobile IP …

AAAH: MN authenticated.

- Check for the MIP-Home-Agent-Address AVP. If authorized, send a Home-Agent-MIP-Request (HAR).
- If the MIP-Home-Agent-Address is not recognized, then do not send a MIP-Reg-Reply AVP.
- If the MIP-Home-Agent-Address AVP is not specified, then allocate one with load balancing in mind, provided the MIP-Feature-Vector has the Home-Agent-Requested flag set and policy allows.

Page 28: Diameter.pptx

Mobile IP …

Home Agent:

- Receives the HAR; if it is invalid, sends an HAA with the Result-Code AVP set to DIAMETER_ERROR_BAD_HAR.
- Processes the MIP-Reg-Request AVP and creates a Registration Reply, encapsulating it within the MIP-Reg-Reply AVP. If a home address is needed, the Home Agent MUST assign one and include the address both in the Registration Reply and within the MIP-Mobile-Node-Address AVP. The Diameter response is then forwarded to the AAAH.

Page 29: Diameter.pptx

Mobile IP …

AAAH: after receiving the HAA, sets the Command Code to AA-Mobile-Node-Answer (AMA) and forwards the message to the AAAF.

Page 30: Diameter.pptx

Inter-Domain Mobility

Figure (message sequence between MN, FA, AAAF, AAAH and HA):

1. MN → FA: Registration Request.
2. FA → AAAF: AMR. Includes: MN Home Address, HA address, MN NAI.
3. AAAF determines to send the AMR to the AAAH. AAAF → AAAH: AMR.
4. AAAH authenticates the MN and forwards an HAR to the HA. AAAH → HA: HAR.
5. HA processes the HAR and creates the Registration Reply, including the home address. HA → AAAH: HAA.
6. AAAH → AAAF: AMA.
7. AAAF → FA: AMA.
8. FA → MN: Registration Reply.
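The AMR/HAR/HAA/AMA exchange of the preceding slides and the figure above, as one added Python model that is not part of the slide deck. It covers the points the slides make: the FA invokes AAA only when the prior Authorization-Lifetime has expired, the FA challenge is single-use so a replayed registration is refused, the AAAH answers a bad MN-AAA authenticator with DIAMETER_ERROR_AUTH_FAILURE, allocates a Home Agent by load when none is requested and omits MIP-Reg-Reply when the requested one is unrecognized, and the HA answers an invalid HAR with DIAMETER_ERROR_BAD_HAR or assigns a home address and returns it in both MIP-Reg-Reply and MIP-Mobile-Node-Address. HMAC-SHA256 over challenge and registration request stands in for the MN-AAA authentication extension, whose algorithm the slides leave open; DIAMETER_SUCCESS is RFC 3588's name and is assumed; all keys, NAIs, addresses, the FA hostname in the Session-Id, the HA's address pool and the "UNRECOGNIZED-HA (placeholder)" result are constructed.

```python
import hashlib
import hmac
import os

# Result names from the slides; numeric codes are not on the page.
DIAMETER_ERROR_AUTH_FAILURE = "DIAMETER_ERROR_AUTH_FAILURE"
DIAMETER_ERROR_BAD_HAR = "DIAMETER_ERROR_BAD_HAR"
DIAMETER_SUCCESS = "DIAMETER_SUCCESS"   # RFC 3588 name, assumed for the success case


def mn_aaa_auth(key, challenge, reg_request):
    """Authenticator for the MN-AAA extension (HMAC-SHA256 is an assumption)."""
    return hmac.new(key, challenge + reg_request, hashlib.sha256).digest()


class HomeAgent:
    def __init__(self, address, pool):
        self.address, self.pool, self.load = address, list(pool), 0

    def handle_har(self, har):
        if not har.get("MIP-Reg-Request"):                     # constructed validity rule
            return {"Result-Code": DIAMETER_ERROR_BAD_HAR}
        home = har.get("MIP-Mobile-Node-Address") or self.pool.pop(0)   # assign if needed
        self.load += 1
        return {"Result-Code": DIAMETER_SUCCESS,
                "MIP-Reg-Reply": b"REG-REPLY " + home.encode(),  # reply carries the address
                "MIP-Mobile-Node-Address": home,
                "MIP-Home-Agent-Address": self.address}


class AAAH:
    def __init__(self, mn_keys, home_agents, lifetime=600):
        self.mn_keys, self.home_agents, self.lifetime = mn_keys, home_agents, lifetime

    def handle_amr(self, amr):
        key = self.mn_keys.get(amr["User-Name"])
        if key is None or not hmac.compare_digest(
                mn_aaa_auth(key, amr["MIP-FA-Challenge"], amr["MIP-Reg-Request"]),
                amr["MIP-MN-AAA-Auth"]):
            return {"Result-Code": DIAMETER_ERROR_AUTH_FAILURE}
        ha_addr = amr.get("MIP-Home-Agent-Address")
        if ha_addr is None:        # allocate with load balancing in mind: least-loaded HA
            ha_addr = min(self.home_agents, key=lambda a: self.home_agents[a].load)
        elif ha_addr not in self.home_agents:
            return {"Result-Code": "UNRECOGNIZED-HA (placeholder)"}   # no MIP-Reg-Reply
        har = {k: amr.get(k) for k in ("Session-Id", "User-Name", "MIP-Reg-Request",
                                       "MIP-Mobile-Node-Address")}
        har["MIP-Home-Agent-Address"] = ha_addr
        ama = dict(self.home_agents[ha_addr].handle_har(har))   # HAA re-labelled as AMA
        ama["Authorization-Lifetime"] = self.lifetime
        return ama


class AAAF:
    def __init__(self, aaah_by_realm):
        self.aaah_by_realm = aaah_by_realm

    def handle_amr(self, amr):
        realm = amr["User-Name"].rsplit("@", 1)[1]   # route on the realm part of the NAI
        return self.aaah_by_realm[realm].handle_amr(amr)


class ForeignAgent:
    def __init__(self, aaaf):
        self.aaaf, self.issued, self.authorized_until, self.aaa_calls = aaaf, set(), {}, 0
        self.session_counter = 0

    def issue_challenge(self):
        challenge = os.urandom(16)
        self.issued.add(challenge)
        return challenge

    def registration_request(self, nai, reg_request, challenge, auth, now, ha_addr=None):
        if challenge not in self.issued:                 # unknown or already-used challenge
            return {"Result-Code": "REPLAYED-CHALLENGE (placeholder)"}
        self.issued.discard(challenge)
        if self.authorized_until.get(nai, 0) > now:      # prior AAAH authorization still valid
            return {"Result-Code": DIAMETER_SUCCESS,
                    "MIP-Reg-Reply": b"REG-REPLY (cached authorization)"}
        self.session_counter += 1                         # Session-Id: FQDN, port, counter
        amr = {"Session-Id": "fa.xyz.com;1812;%d" % self.session_counter, "User-Name": nai,
               "MIP-Reg-Request": reg_request, "MIP-FA-Challenge": challenge,
               "MIP-MN-AAA-Auth": auth, "MIP-Home-Agent-Address": ha_addr}
        self.aaa_calls += 1
        ama = self.aaaf.handle_amr(amr)
        if ama["Result-Code"] == DIAMETER_SUCCESS:
            self.authorized_until[nai] = now + ama["Authorization-Lifetime"]
        return ama


def demo():
    """Constructed scenario: first registration via AAA, renewal inside the lifetime
    without AAA, then a registration with a wrong MN-AAA key after expiry."""
    key = b"constructed-mn-aaa-key"
    aaah = AAAH({"mn1@mno.net": key}, {"10.0.0.1": HomeAgent("10.0.0.1", ["10.0.1.5"])})
    fa = ForeignAgent(AAAF({"mno.net": aaah}))
    reg = b"MIP-REGISTRATION-REQUEST"
    c1 = fa.issue_challenge()
    first = fa.registration_request("mn1@mno.net", reg, c1, mn_aaa_auth(key, c1, reg), now=1000)
    c2 = fa.issue_challenge()
    renew = fa.registration_request("mn1@mno.net", reg, c2, mn_aaa_auth(key, c2, reg), now=1300)
    c3 = fa.issue_challenge()
    bad = fa.registration_request("mn1@mno.net", reg, c3, mn_aaa_auth(b"wrong", c3, reg), now=1700)
    return first, renew, bad, fa.aaa_calls


if __name__ == "__main__":
    print(demo())
```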

Page 31: Diameter.pptx

AA-Mobile-Node-Request (AMR) Command

Extension-Id

User-Name

Destination-Realm

Origin-FQDN

Origin-Realm

MIP-Reg-Request

MIP-MN-AAA-Auth

* MIP-Mobile-Node-Address

* MIP-Home-Agent-Address

* MIP-Feature-Vector

* Authorization-Lifetime

* MIP-FA-MN-Preferred-SPI

* MIP-FA-HA-Preferred-SPI

* MIP-Previous-FA-FQDN

* MIP-Previous-FA-Addr

* MIP-FA-Challenge

* Route-Record

Page 32: Diameter.pptx

AA-Mobile-Node-Answer (AMA) Command

Session-Id

Extension-Id

Session-Timeout

Authorization-Lifetime

Result-Code

Origin-FQDN

Origin-Realm

* Error-Reporting-FQDN

* MIP-Reg-Reply

* Route-Record

* MIP-FA-to-MN-Key

* MIP-FA-to-HA-Key

* MIP-MN-to-HA-Key

* MIP-HA-to-MN-Key

* MIP-Home-Agent-Address

* MIP-Mobile-Node-Address

* Original-Session-Id

* Filter-Rule

Page 33: Diameter.pptx

Home-Agent-MIP-Request (HAR) Command

Session-Id

Extension-Id

Session-Timeout

Authorization-Lifetime

MIP-Reg-Request

Origin-FQDN

Origin-Realm

User-Name

Destination-Realm

* Route-Record

* MIP-MN-to-HA-Key

* MIP-MN-to-FA-Key

* MIP-HA-to-MN-Key

* MIP-HA-to-FA-Key

* MIP-FA-to-MN-Key

* MIP-FA-to-HA-Key

* MIP-Mobile-Node-Address

* MIP-Home-Agent-Address

* Filter-Rule

Page 34: Diameter.pptx

Home-Agent-MIP-Answer (HAA) Command

Session-Id

Extension-Id

Session-Timeout

Authorization-Lifetime

Result-Code

Origin-FQDN

Origin-Realm

* Route-Record

* Error-Reporting-FQDN

* MIP-Reg-Reply

* MIP-Home-Agent-Address

* MIP-Mobile-Node-Address

* MIP-FA-to-MN-Key

* MIP-FA-to-HA-Key

* Filter-Rule