
Diameter Protocol Overview

Intro
The Diameter protocol is a next-generation
RADIUS protocol. It addresses the known
RADIUS deficiencies and is intended for use
with the NASREQ, ROAMOPS and Mobile IP work.
The Mobile IP WG has recently changed its
focus to inter-administrative-domain mobility.
The basic concept behind Diameter is to
provide a base protocol that can be extended
in order to provide AAA services to new
access technologies such as Internet access.


Diameter Architecture
Base protocol
  Functionality common to all supported services.
  Defines message format, primitives, transport,
  error reporting and security services.
Protocol Extensions
  Application-specific functionality:
  strong security
  Mobile IP
  NASREQ (commands for use in CHAP, PAP and EAP)
  accounting


Diameter Base Protocol

Any node can initiate a request: Diameter is a peer-to-peer
protocol.
The base Diameter protocol is never used on its own.
It is always extended for a particular application,
which defines the Diameter command codes.

[Figure: the Diameter Base Protocol with the Mobile-IP,
NASREQ, Accounting and Strong Security extensions layered
on top of it.]


Diameter Header

Flags: 13 bits; the E, I and R bits denote the
command type (request, reply, indication).
Hop-by-Hop Identifier
End-To-End Identifier
Command Code
AVPs encapsulate the information relevant to the message.


Diameter AVP

AVP Code uniquely identifies the attribute.
AVP Flags indicate how the AVP should be handled:
  r (reserved), P (protected), M (mandatory),
  V (vendor-specific).


Diameter Base Protocol

The base protocol simply provides a secure transport for the
messages defined in the various application-specific extensions.
Data objects are encapsulated within Attribute Value Pairs (AVPs).
A large AVP space ensures that future protocol extensibility
is not limited by the size of the namespace, as it is in
the RADIUS protocol.
Support for vendor-specific AVPs and Commands for extensions.


Diameter Base Protocol

A peer initiates communication by sending a
message. The AVPs sent in messages are
determined by the Diameter extension.
The initial message includes a unique Session-Id
AVP. A Session-Termination-Request frees
the session.
Peer-to-peer, allowing unsolicited messages
to be sent to NASes, for example:
  on-demand retrieval of accounting data;
  server-initiated session termination.

Diameter Base Protocol

Message Forwarding
Diameter messages must include:

Origin-FQDN AVP
  identifies the endpoint which originated the Diameter
  message, i.e. the NAS, home server or broker. Proxy
  servers do not modify this AVP.

Origin-Realm AVP
  contains the realm of the originator of any Diameter
  message.

Destination-FQDN AVP
  MUST be used when the destination of the message is
  fixed.


Capabilities Exchange
When two Diameter peers establish a
transport connection, they MUST send the
Device-Reboot-Ind message, which carries:

  the peer's identity;
  a capabilities exchange, e.g. the supported protocol
  version number and the locally supported extensions
  (the peers need to agree on compatible application-
  specific Diameter commands).
Device-Reboot-Ind MUST NOT be proxied or redirected.
Device-Status-Ind is used to notify the sending node of
an unrecognized Command Code.


Transport
Operates over SCTP (Stream Control Transmission
Protocol), which:
  provides reliability and a well-defined
  retransmission and timeout mechanism, allowing
  clients and servers to detect the reachability and
  state of peers, for quick transmission to backup
  servers;
  provides a windowing scheme allowing AAA
  servers to limit the flow of incoming packets and
  distribute traffic load to other servers;
  supports the fail-over strategy.


Transport Failure Detection
Early detection of transport failures minimizes the sending of messages
to unavailable servers and improves failover performance.
Diameter Watchdog Requests are sent after a period of idle
communication between peers, with exponential back-off.
When a Diameter Watchdog Answer is obtained the peer resumes
activity.
Failover/Failback Procedures
When a transport failure is detected, pending messages are
sent to an alternative server.
There is a pending message queue for each peer, in which
messages are identified by the Hop-by-Hop Identifier.
If a message cannot be sent to another server either, a
DIAMETER_UNABLE_TO_DELIVER error is returned
to the original sender.
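The watchdog back-off and the per-peer pending queue from the two slides above, as an added Python example (not code from the deck or from any Diameter implementation). The 30-second base interval, the three unanswered watchdogs before the transport is declared failed, and the numeric value 3002 for DIAMETER_UNABLE_TO_DELIVER are all assumptions; the deck names the code but gives no numbers. What the example makes concrete is that the Hop-by-Hop Identifier is meaningful only on the link it was sent over, so failed-over requests get new identifiers on the alternate link, and that a request with no alternate is answered with an error rather than dropped silently.

```python
# Assumed numeric value; the deck names the code but not its number.
DIAMETER_UNABLE_TO_DELIVER = 3002


class Watchdog:
    """Per-peer idle timer with exponential back-off: a watchdog request goes out
    after `base` seconds of silence, each unanswered request doubles the wait, and
    `max_failures` unanswered requests in a row mark the transport as failed."""

    def __init__(self, base=30.0, max_failures=3):
        self.base = base
        self.max_failures = max_failures
        self.interval = base
        self.failures = 0
        self.last_activity = 0.0

    def note_traffic(self, now):
        """Any message from the peer, a Watchdog Answer included, resets the timer."""
        self.last_activity = now
        self.interval = self.base
        self.failures = 0

    def watchdog_due(self, now):
        return now - self.last_activity >= self.interval

    def on_unanswered(self, now):
        """A watchdog request timed out; returns True once the peer counts as down."""
        self.failures += 1
        self.interval *= 2
        self.last_activity = now
        return self.failures >= self.max_failures


class PeerTable:
    """Open peers plus, for each one, the requests awaiting an answer on that link,
    keyed by the Hop-by-Hop Identifier this node assigned when it sent them."""

    def __init__(self, peers):
        self.peers = {p: {"open": True, "pending": {}, "watchdog": Watchdog()} for p in peers}
        self.next_hbh = 1

    def send(self, peer, request):
        """Queue `request` toward `peer`; returns the Hop-by-Hop id the answer must carry."""
        if not self.peers[peer]["open"]:
            raise RuntimeError("peer %s is down" % peer)
        hbh = self.next_hbh
        self.next_hbh += 1
        self.peers[peer]["pending"][hbh] = request
        return hbh

    def on_answer(self, peer, hbh):
        """Match an answer to its request. An unknown id is stale or forged and is dropped."""
        return self.peers[peer]["pending"].pop(hbh, None)

    def on_transport_failure(self, failed, alternates):
        """Failover: move everything pending on `failed` to the first open alternate.
        Returns (resent, undeliverable); `undeliverable` pairs each orphaned request with
        DIAMETER_UNABLE_TO_DELIVER so the original sender gets an error, not silence."""
        entry = self.peers[failed]
        entry["open"] = False
        orphans = list(entry["pending"].values())
        entry["pending"].clear()
        for alt in alternates:
            if self.peers.get(alt, {}).get("open"):
                # Fresh ids: a Hop-by-Hop Identifier is only meaningful on the link it was sent on.
                return [(alt, self.send(alt, req)) for req in orphans], []
        return [], [(req, DIAMETER_UNABLE_TO_DELIVER) for req in orphans]
```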


Error Signaling
Error Notification
  All messages are acknowledged, either with a
  successful response or with one that contains an error
  code.

Per-Hop Error Signaling
  There are many instances where error conditions
  occur on a Diameter node that need to be
  signaled to the downstream server, and not
  necessarily to the Diameter client.

End-to-End Error Signaling.


[Figure: Example of a Per-Hop Error Condition. A request
from a Diameter client or server is forwarded through a chain
of Diameter servers; where the link to the next server is
broken, the server that detects it returns a DSI (Unable To
Forward) to the previous hop instead of forwarding the request.]


Session Oriented

One session per authentication/authorization flow.
Sessions are identified through a session
identifier, which is globally unique at any given
time.
A session termination message exists in order to
end a Diameter session, and all sessions have a
timeout value in order to ensure that they can be
cleaned up properly.


User Session
The user asks the NAS for service.
The NAS issues an AA-Request to the local Diameter
server, containing the user authentication info
and a unique Session-Id AVP
(Sender-FQDN, port, increasing 32-bit number).
After the Diameter server authorizes the user,
it SHOULD add an Authorization-Lifetime AVP
to the response.
The base protocol does not contain Authorization
Request messages, as these are application-specific.


Proxy Support
Every node in the network is responsible for its own
retransmissions.
This allows each node to know a priori the reachability state of
each peer:
  latency reduced;
  reliability increased.

[Figure: a NAS connected to a primary and a secondary LOCAL
proxy server; each LOCAL proxy connected to a primary and a
secondary HOME proxy server.]


Proxy Server
Before forwarding a message, check for a
forwarding loop using the Route-Record AVP:
  check that the sender is the last entry;
  check that the proxy's own address does not appear.
If the proxy applies policy, it must not allow end-to-end
security and must send a message to the sender.
A proxy server MUST only process messages
of type Response whose last Route-Record
AVP matches one of its addresses. The last
Route-Record AVP is removed, and the next hop
is identified by the second-to-last Route-Record.

Message Routing
Routing is done using the realm portion of the NAI or
a realm-encoded AVP (e.g. Origin-Realm,
Destination-Realm).
Routing table entry: Domain Name, Extension ID, Local Action, Server Identifier.

Local Action
  LOCAL: process the authentication locally.
  PROXY: forward to the next-hop server identified by Server Identifier.
  REDIRECT: return to the sender a DSI with DSI-Event
  = Redirect and Redirect-Host AVP = Server Identifier.


Realm Based Routing (example)

DIA 1 (mno.net) -> DIA 2 (xyz.com), request:
  Origin-FQDN=dia1.mno.net
  Origin-Realm=mno.net
  Destination-Realm=abc.com
  Route-Record=dia1.mno.net

DIA 2 (xyz.com) -> DIA 3 (abc.com), request:
  Origin-FQDN=dia1.mno.net
  Origin-Realm=mno.net
  Destination-Realm=abc.com
  Route-Record=dia1.mno.net
  Route-Record=dia2.xyz.com

DIA 3 (abc.com) -> DIA 2 (xyz.com), response:
  Origin-Realm=abc.com
  Destination-FQDN=dia1.mno.net
  Route-Record=dia2.xyz.com

DIA 2 (xyz.com) -> DIA 1 (mno.net), response:
  Origin-Realm=abc.com
  Destination-FQDN=dia1.mno.net
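The proxy loop check, the realm routing table and the three-server exchange above, as an added Python example (not code from the deck or from any Diameter implementation); it also covers the REDIRECT action of the routing table, which the next slides describe. Messages are plain dictionaries keyed by AVP name, with Route-Record as a list in insertion order. Two details are assumptions made to match the diagram: the home server copies the request's Route-Records into its response minus the originator's own entry, and a proxy that finds no Route-Record left after removing its own falls back to Destination-FQDN. The server names and realms are the diagram's.

```python
import copy


class RoutingError(Exception):
    pass


class DiameterNode:
    """A Diameter server with a realm routing table of the shape the deck shows:
    realm -> (Local Action, Server Identifier)."""

    def __init__(self, fqdn, realm, table):
        self.fqdn = fqdn
        self.realm = realm
        self.table = table  # e.g. {"abc.com": ("PROXY", "dia3.abc.com")}

    @staticmethod
    def realm_of(msg):
        """Destination-Realm AVP if present, else the realm part of the NAI in User-Name."""
        if "Destination-Realm" in msg:
            return msg["Destination-Realm"]
        user = msg.get("User-Name", "")
        if "@" not in user:
            raise RoutingError("no Destination-Realm and no realm in NAI")
        return user.rsplit("@", 1)[1]

    def check_loop(self, msg, sender):
        """The Route-Record list must end with the peer that sent us the message,
        and must not already contain this node."""
        records = msg.get("Route-Record", [])
        if records and records[-1] != sender:
            raise RoutingError("Route-Record tail %s is not the sender %s" % (records[-1], sender))
        if self.fqdn in records:
            raise RoutingError("forwarding loop: %s already in Route-Record" % self.fqdn)

    def handle_request(self, msg, sender):
        """Apply the routing table; returns (action, next hop, message to send)."""
        self.check_loop(msg, sender)
        realm = self.realm_of(msg)
        if realm == self.realm:
            return ("LOCAL", None, msg)
        if realm not in self.table:
            raise RoutingError("no route for realm %s" % realm)
        action, server = self.table[realm]
        if action == "REDIRECT":
            # Tell the sender whom to contact directly instead of forwarding on its behalf.
            return ("REDIRECT", sender, {"DSI-Event": "Redirect", "Redirect-Host": server})
        if action == "PROXY":
            forwarded = copy.deepcopy(msg)
            forwarded.setdefault("Route-Record", []).append(self.fqdn)
            return ("PROXY", server, forwarded)
        return ("LOCAL", None, msg)

    def handle_response(self, msg):
        """Only a response whose last Route-Record is this node is processed: that entry
        is removed and the previous one (or Destination-FQDN) names the next hop back."""
        records = msg.get("Route-Record", [])
        if not records or records[-1] != self.fqdn:
            raise RoutingError("response not addressed to %s" % self.fqdn)
        back = copy.deepcopy(msg)
        back["Route-Record"].pop()
        if back["Route-Record"]:
            return back["Route-Record"][-1], back
        del back["Route-Record"]
        return back["Destination-FQDN"], back


def answer_for(node, request):
    """Home server's response: Route-Records copied back, minus the originator's own entry,
    so each proxy on the path can unwind the list (assumed behaviour, matching the diagram)."""
    records = [r for r in request.get("Route-Record", []) if r != request["Origin-FQDN"]]
    return {"Origin-Realm": node.realm,
            "Destination-FQDN": request["Origin-FQDN"],
            "Route-Record": records}
```

The sender check matters as much as the self check: a peer that could hand a proxy a Route-Record list ending in someone else's name could make the proxy attribute the message to a third party, so both conditions are rejected before the realm lookup runs.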


Redirect Support
Reduces the configuration information that
would otherwise be necessary on all servers
owned by members of a roaming consortium.
When a request is received by a redirect
server, a redirect response is returned to the
initiator of the request with the information
necessary to communicate directly with
servers in the home domain.
The redirect server may also provide Certificate Authority
services:
  no long-lived shared secrets;
  enables IPsec.


[Figure: the abc.net Diameter server sends a request for
Joe@xyz.com to the Diameter Redirect Server, which returns a
DSI with DSI-Event = Redirect and Redirect-Host AVP(s); the
abc.net server then exchanges the request and response
directly with the xyz.net Diameter server.]


Security
Integrity and confidentiality at the AVP level.
The Diameter Strong Security Extension provides
authentication and confidentiality. It is possible to secure portions of
a Diameter message while other parts of the message are not
secured. Using Diameter, proxies can add, delete or modify
unprotected AVPs in a message; only AVPs protected by the
extension are guaranteed to reach the far end unmodified.

Hop-by-hop security
  Client and server communication using IPsec.
  Server-to-server communication using SSL.

The Diameter NASREQ extension defines commands for use in
CHAP, PAP and EAP.
The first 256 AVPs are reserved for RADIUS compatibility.

Summary of Diameter Key Features
Lightweight and simple to implement protocol
Large AVP space
Efficient encoding of attributes, similar to RADIUS
Support for vendor-specific AVPs and Commands
Support for a large number of simultaneous pending requests
Reliability provided by the underlying SCTP
Well-defined fail-over scheme
Ability to quickly detect unreachable peers
No silent message discards
Support for unsolicited messages to "clients"
Integrity and confidentiality at the AVP level
Hop-by-hop security
One session per authentication/authorization flow
Redirect (referral) services, allowing the broker to be bypassed

Mobile-IP Extension

Mobile IP
The Mobile Node issues a Registration Request to the
Foreign Agent.
The Foreign Agent creates an AA-Mobile-Node-Request (AMR)
message and forwards it to the AAAF, extracting the
Home Address, Home Agent Address and Mobile Node NAI
into AVPs.
The AAAF receives the AMR and determines whether
to forward it or process it locally.


Mobile IP
Note that it is not required that the foreign agent invoke AAA
services every time a Registration Request is received from the
mobile, but rather only when the prior authorization from the
AAAH expires, as indicated in the Authorization-Lifetime AVP in the
AA-Mobile-Node-Answer.
The foreign agent MAY provide a challenge, giving it protection
against replay attacks.
The mobile node includes the Challenge and the MN-AAA
authentication extension to enable authorization by the AAAH. If the
authentication data supplied in the MN-AAA extension is invalid,
the AAAH returns the response (AMA) with the Result-Code AVP
set to DIAMETER_ERROR_AUTH_FAILURE.


Mobile IP
AAAH

MN authenticated.
Check for the MIP-Home-Agent-Address AVP; if
authorized, send a Home-Agent-MIP-Request (HAR).
If the MIP-Home-Agent-Address is not recognized,
do not send a MIP-Reg-Reply AVP.
If the MIP-Home-Agent-Address AVP is not specified,
allocate one with load balancing in mind, provided the
MIP-Feature-Vector has the Home-Agent-Requested flag set
and policy allows.


Mobile IP
Home Agent
Receives the HAR; if it is invalid, sends an HAA with the
Result-Code AVP set to DIAMETER_ERROR_BAD_HAR.
Processes the MIP-Reg-Request AVP and creates a
Registration Reply, encapsulating it within the
MIP-Reg-Reply AVP. If a home address is
needed, the Home Agent MUST assign one and
include the address both in the Registration Reply
and within the MIP-Mobile-Node-Address AVP.
The Diameter response is then forwarded to the
AAAH.


Mobile IP
AAAH

After receiving the HAA, sets the Command Code to
AA-Mobile-Node-Answer (AMA) and
forwards the message to the AAAF.

[Figure: Inter-Domain Mobility. MN sends a Registration
Request to the FA. The FA sends an AMR (including the MN Home
Address, HA address and MN NAI) to the AAAF, which determines
to send the AMR to the AAAH. The AAAH authenticates the MN and
forwards a HAR to the HA. The HA processes the HAR and creates
the Registration Reply, including the home address, and returns
an HAA. The AAAH returns an AMA to the AAAF, the AAAF passes it
to the FA, and the FA delivers the Registration Reply to the MN.]
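The foreign-agent side of the flow above, as an added Python example (not code from the deck or from any Mobile IP or Diameter implementation): the FA challenge that protects against replay, the AAAH verifying the MN-AAA authentication data and answering DIAMETER_ERROR_AUTH_FAILURE when it is wrong, and the FA honouring Authorization-Lifetime so that it does not go back to AAA while a prior authorization is still valid. The HAR/HAA leg to the Home Agent is left out; the AAAH answers directly. Assumptions: HMAC-SHA256 stands in for whatever algorithm the real MN-AAA extension's SPI selects, Result-Codes are kept as symbolic strings rather than numbers, the 600-second lifetime and the eight-challenge window are arbitrary, and the NAIs and key are constructed for the test.

```python
import hashlib
import hmac
import os

# Result-Codes kept symbolic; the deck names them but gives no numeric values.
DIAMETER_SUCCESS = "DIAMETER_SUCCESS"
DIAMETER_ERROR_AUTH_FAILURE = "DIAMETER_ERROR_AUTH_FAILURE"


def mn_aaa_authenticator(key, reg_request, challenge):
    """MN-AAA authentication data over the Registration Request and the FA challenge.
    HMAC-SHA256 is a stand-in: the real extension's algorithm is chosen by its SPI."""
    return hmac.new(key, reg_request + challenge, hashlib.sha256).digest()


class ForeignAgent:
    def __init__(self, aaaf, window=8):
        self.aaaf = aaaf
        self.window = window
        self.recent = []        # challenges issued and not yet consumed
        self.authorized = {}    # NAI -> time until which the AAAH authorization is valid

    def issue_challenge(self):
        challenge = os.urandom(16)
        self.recent.append(challenge)
        self.recent = self.recent[-self.window:]
        return challenge

    def registration_request(self, nai, reg_request, challenge, auth, now):
        """Returns (Result-Code, how it was decided)."""
        # Prior AAAH authorization still within Authorization-Lifetime: no AAA round trip.
        if self.authorized.get(nai, -1) > now:
            return DIAMETER_SUCCESS, "cached"
        # A challenge we never issued, or one already used, is a replay: reject locally.
        if challenge not in self.recent:
            return DIAMETER_ERROR_AUTH_FAILURE, "replayed or unknown challenge"
        self.recent.remove(challenge)
        amr = {"User-Name": nai, "MIP-Reg-Request": reg_request,
               "MIP-FA-Challenge": challenge, "MIP-MN-AAA-Auth": auth}
        ama = self.aaaf.forward(amr)
        if ama["Result-Code"] == DIAMETER_SUCCESS:
            self.authorized[nai] = now + ama["Authorization-Lifetime"]
        return ama["Result-Code"], "aaa"


class AAAF:
    """Foreign AAA server: routes the AMR to the home realm taken from the NAI."""

    def __init__(self, homes):
        self.homes = homes  # realm -> AAAH

    def forward(self, amr):
        realm = amr["User-Name"].rsplit("@", 1)[1]
        return self.homes[realm].handle_amr(amr)


class AAAH:
    """Home AAA server holding the MN-AAA shared keys."""

    def __init__(self, keys, lifetime=600):
        self.keys = keys        # NAI -> key shared with the mobile node
        self.lifetime = lifetime

    def handle_amr(self, amr):
        key = self.keys.get(amr["User-Name"])
        expected = key and mn_aaa_authenticator(key, amr["MIP-Reg-Request"], amr["MIP-FA-Challenge"])
        # Constant-time compare; an unknown NAI fails the same way as a bad authenticator.
        if not key or not hmac.compare_digest(expected, amr["MIP-MN-AAA-Auth"]):
            return {"Result-Code": DIAMETER_ERROR_AUTH_FAILURE}
        return {"Result-Code": DIAMETER_SUCCESS, "Authorization-Lifetime": self.lifetime}
```

The challenge is consumed at the FA before the AMR is sent, so a captured Registration Request cannot be replayed even if the AAAH would accept its authenticator; the cached-authorization branch is the only path that skips AAA, and it is bounded by the lifetime the AAAH itself returned.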

AA-Mobile-Node-Request (AMR) Command
Extension-Id
User-Name
Destination-Realm
Origin-FQDN
Origin-Realm
MIP-Reg-Request
MIP-MN-AAA-Auth
* MIP-Mobile-Node-Address
* MIP-Home-Agent-Address
* MIP-Feature-Vector
* Authorization-Lifetime
* MIP-FA-MN-Preferred-SPI
* MIP-FA-HA-Preferred-SPI
* MIP-Previous-FA-FQDN
* MIP-Previous-FA-Addr
* MIP-FA-Challenge
* Route-Record

AA-Mobile-Node-Answer (AMA) Command
Session-Id
Extension-Id
Session-Timeout
Authorization-Lifetime
Result-Code
Origin-FQDN
Origin-Realm
* Error-Reporting-FQDN
* MIP-Reg-Reply
* Route-Record
* MIP-FA-to-MN-Key
* MIP-FA-to-HA-Key
* MIP-MN-to-HA-Key
* MIP-HA-to-MN-Key
* MIP-Home-Agent-Address
* MIP-Mobile-Node-Address
* Original-Session-Id
* Filter-Rule

Home-Agent-MIP-Request (HAR) Command
Session-Id
Extension-Id
Session-Timeout
Authorization-Lifetime
MIP-Reg-Request
Origin-FQDN
Origin-Realm
User-Name
Destination-Realm
* Route-Record
* MIP-MN-to-HA-Key
* MIP-MN-to-FA-Key
* MIP-HA-to-MN-Key
* MIP-HA-to-FA-Key
* MIP-FA-to-MN-Key
* MIP-FA-to-HA-Key
* MIP-Mobile-Node-Address
* MIP-Home-Agent-Address
* Filter-Rule

Home-Agent-MIP-Answer (HAA) Command
Session-Id
Extension-Id
Session-Timeout
Authorization-Lifetime
Result-Code
Origin-FQDN
Origin-Realm
* Route-Record
* Error-Reporting-FQDN
* MIP-Reg-Reply
* MIP-Home-Agent-Address
* MIP-Mobile-Node-Address
* MIP-FA-to-MN-Key
* MIP-FA-to-HA-Key
* Filter-Rule
