Intro
The Diameter protocol is a next generation
RADIUS protocol. It addresses the known
RADIUS deficiencies, and is intended for use
with NASREQ, ROAMOPS and Mobile IP.
The Mobile-IP WG has recently changed its
focus to inter-administrative-domain mobility.
The basic concept behind Diameter is to
provide a base protocol that can be extended
in order to provide AAA services to new
access technologies such as Internet access.
Diameter Architecture
Base protocol
Protocol Extensions
strong security
Mobile IP
NASREQ (commands for use with CHAP, PAP and EAP)
accounting.
Diameter Header
Diameter AVP
Message Forwarding
Diameter messages must include:
Origin-FQDN AVP
Origin-Realm AVP
Destination-FQDN AVP
Capabilities Exchange
When two Diameter peers establish a
transport connection, they MUST send the
Device-Reboot-Ind message.
Peers' identity.
Capabilities exchange, e.g. supported protocol
version number and locally supported extensions.
Needed to communicate compatible application-specific
Diameter commands.
MUST NOT be proxied or redirected.
Device-Status-Ind is used to notify the sending node of
an unrecognized Command Code.
Transport
Operates over SCTP (Stream Control Transmission
Protocol).
Provides reliability and a well-defined
retransmission and timeout mechanism, allowing
clients and servers to detect the reachability and
state of peers for quick transmission to backup
servers.
Provides a windowing scheme allowing AAA
servers to limit the flow of incoming packets and
distribute traffic load to other servers.
Fail-over strategy.
Transport Failure
Detection
Early detection of transport failures minimizes sending messages
to unavailable servers and improves failure performance.
Diameter Watchdog Requests are sent after a period of idle
communication between peers, with exponential back-off.
When a Diameter Watchdog Answer is obtained, the peer resumes
activity.
Failover/Failback Procedures
When a transport failure is detected, pending messages are
sent to an alternative server.
There is a pending message queue for each peer, where
messages are identified by the Hop-by-Hop identifier.
If it cannot send to another server, then a
DIAMETER_UNABLE_TO_DELIVER message is sent back
to the original sender.
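An added Python model of the watchdog back-off and per-peer pending-queue failover described above; this is not code from the slides, and the peer state names, the back-off cap and the server names are assumptions made for the example.

```python
# Added example: transport failure detection and failover, as on the slides.
WATCHDOG_MAX_BACKOFF = 8        # assumed: declare the peer failed once the interval passes this
DIAMETER_UNABLE_TO_DELIVER = "DIAMETER_UNABLE_TO_DELIVER"


class Peer:
    """A Diameter peer with its own pending-message queue keyed by Hop-by-Hop id."""

    def __init__(self, name):
        self.name = name
        self.state = "open"
        self.backoff = 1            # idle interval before the next Watchdog Request
        self.pending = {}           # Hop-by-Hop identifier -> request AVPs

    def queue_request(self, hbh_id, request):
        self.pending[hbh_id] = request

    def watchdog(self, answer_received):
        """One Diameter Watchdog Request after an idle period. A missed answer doubles
        the interval (exponential back-off); an answer resets it and resumes activity."""
        if answer_received:
            self.backoff, self.state = 1, "open"
        else:
            self.backoff *= 2
            self.state = "failed" if self.backoff > WATCHDOG_MAX_BACKOFF else "suspect"
        return self.state


def failover(failed, alternates):
    """Move every pending request of a failed peer to the first open alternate.
    Returns a list of (hbh_id, outcome): the alternate's name, or
    DIAMETER_UNABLE_TO_DELIVER when no alternative server is available."""
    target = next((p for p in alternates if p.state == "open"), None)
    outcome = []
    for hbh_id, request in list(failed.pending.items()):
        del failed.pending[hbh_id]
        if target is None:
            outcome.append((hbh_id, DIAMETER_UNABLE_TO_DELIVER))
        else:
            target.queue_request(hbh_id, request)
            outcome.append((hbh_id, target.name))
    return outcome


def demo():
    """Constructed scenario: the primary stops answering watchdogs, so its
    pending requests are re-sent to the backup server."""
    primary, backup = Peer("aaa1.example.net"), Peer("aaa2.example.net")
    primary.queue_request(1001, {"Session-Id": "nas1;1"})
    primary.queue_request(1002, {"Session-Id": "nas1;2"})
    states = [primary.watchdog(False) for _ in range(4)]
    return states, failover(primary, [backup]), sorted(backup.pending)
```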
Error Signaling
Error Notification
Figure: Error Notification. A request is forwarded across Diameter servers; when the link to the next server is broken, the server that cannot forward it returns a DSI (Unable To Forward) to the Diameter client or server that sent the request.
Session Oriented
User Session
User asks NAS for service.
NAS issues AA-Request to local DIAMETER
server, containing user authentication info
and a unique Session-Id AVP.
Proxy Support
Every node in the network is responsible for its own
retransmissions.
Allows each node to know a priori the reachability state of
each peer.
Latency reduced.
Reliability increased.
Figure: a NAS connects to a Primary Proxy Server and a 2nd Proxy Server in the LOCAL domain, each of which connects to the Primary Proxy Server and the 2nd Proxy Server in the HOME domain.
Proxy Server
Before forwarding a message, check for a
forwarding loop using the Route-Record AVP.
If it applies policy, then it must not allow end-to-end security
and must send a message to the sender.
A proxy server MUST only process messages
of type Response whose last Route-Record
AVP matches one of its addresses. The last
Route-Record AVP is removed, and the next hop
is identified by the second-to-last Route-Record AVP.
Message Routing
Routing is done using the realm portion of the NAI or
a realm-encoded AVP (e.g. Origin-Realm,
Destination-Realm).
Realm routing table columns: Domain Name, Extension ID, Local Action, Server Identifier.
Figure: DIA 1 (mno.net) sends a request with Origin-FQDN=dia1.mno.net, Origin-Realm=mno.net, Destination-Realm=abc.com and Route-Record=dia1.mno.net to DIA 2 (xyz.com).
DIA 2 adds Route-Record=dia2.xyz.com and forwards the request to DIA 3 (abc.com).
DIA 3 returns the response with Origin-Realm=abc.com, Destination-FQDN=dia1.mno.net and Route-Record=dia2.xyz.com.
DIA 2 removes its own Route-Record AVP and forwards the response to DIA 1 with Origin-Realm=abc.com and Destination-FQDN=dia1.mno.net.
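An added Python replay of the DIA 1 via DIA 2 to DIA 3 exchange above, not code from the slides: it applies the proxy loop check, the Route-Record append on requests and the response-unwinding rule from the Proxy Server slide; the routing table's Local Action values, the server identifiers and the dictionary message layout are assumptions.

```python
# Added example: realm-based routing and Route-Record handling at a proxy.
ROUTING_TABLE = {                 # Destination-Realm -> (Local Action, Server Identifier)
    "abc.com": ("proxy", "dia3.abc.com"),
    "mno.net": ("proxy", "dia1.mno.net"),
}

class LoopDetected(Exception):
    """Our own FQDN is already in Route-Record: the message has looped."""

def forward_request(own_fqdn, msg, table=ROUTING_TABLE):
    """Check for a forwarding loop, append our Route-Record, route on the realm."""
    if own_fqdn in msg.get("Route-Record", []):
        raise LoopDetected(own_fqdn)
    _action, next_hop = table[msg["Destination-Realm"]]
    fwd = dict(msg, **{"Route-Record": msg.get("Route-Record", []) + [own_fqdn]})
    return next_hop, fwd

def forward_answer(own_fqdn, msg):
    """Process a Response only if its last Route-Record is one of our addresses:
    remove it and send to the new last entry, or to Destination-FQDN if none is left."""
    route = list(msg.get("Route-Record", []))
    if not route or route[-1] != own_fqdn:
        return None, msg          # not addressed to this proxy: leave it untouched
    route.pop()
    next_hop = route[-1] if route else msg["Destination-FQDN"]
    return next_hop, dict(msg, **{"Route-Record": route})

def build_answer(server_fqdn, realm, request):
    """Home server answer: the originator is addressed by Destination-FQDN, so
    (as on the slide) only the proxies in between stay in Route-Record."""
    origin = request["Origin-FQDN"]
    return {"Origin-FQDN": server_fqdn, "Origin-Realm": realm,
            "Destination-FQDN": origin,
            "Route-Record": [h for h in request["Route-Record"] if h != origin]}

def run_flow():
    """Constructed replay of the slide: DIA1 (mno.net) -> DIA2 (xyz.com) -> DIA3 (abc.com)."""
    request = {"Origin-FQDN": "dia1.mno.net", "Origin-Realm": "mno.net",
               "Destination-Realm": "abc.com", "Route-Record": ["dia1.mno.net"]}
    hop, at_dia3 = forward_request("dia2.xyz.com", request)      # DIA2 forwards to DIA3
    answer = build_answer(hop, "abc.com", at_dia3)                # DIA3 answers
    back_hop, at_dia1 = forward_answer("dia2.xyz.com", answer)    # DIA2 unwinds the path
    return at_dia3["Route-Record"], answer["Route-Record"], back_hop, at_dia1["Route-Record"]
```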
Realm Based Routing
Redirect Support
Reduces the configuration information that
would otherwise be necessary on all servers
owned by members of a roaming consortium.
When a request is received by a redirect
server, a redirect response is returned to the
initiator of the request with the information
necessary to communicate directly with
servers in the home domain.
May also provide Certificate Authority
services.
Figure: Redirect Support. A request for Joe@xyz.com reaches the Diameter Redirect Server in abc.net, which returns a DSI with DSI-Event = Redirect and Redirect-Host AVP(s); the request and response are then exchanged directly with the xyz.net Diameter Server.
Security
Integrity and confidentiality at the AVP level.
The Diameter Strong Security Extension provides
authentication and confidentiality. It is possible to secure portions of
a Diameter message, while other parts of the message are not
secured. Using Diameter, proxies can add, delete or modify
unprotected AVPs in a message.
Hop-by-Hop security.
Summary of Diameter
Key Features
Lightweight and simple-to-implement protocol
Large AVP space
Efficient encoding of attributes, similar to
RADIUS
Support for vendor specific AVPs and
Commands
Support for large number of simultaneous
pending requests
Reliability provided by underlying SCTP
Well-defined fail-over scheme
Ability to quickly detect unreachable peers
No silent message discards
Support of unsolicited messages to "clients"
integrity and confidentiality at the AVP level
Hop-by-Hop security
One session per authentication/authorization
flow
Provides redirect (referral) services, to allow
bypassing of the broker
Mobile-IP Extension
Mobile IP
Mobile Node issues a Registration Request to the
Foreign Agent.
Foreign Agent creates an AA-Mobile-Node-Request (AMR) message and forwards it to the
AAAF.
Note that it is not required that the foreign agent invoke AAA
services every time a Registration Request is received from the
mobile, but rather only when the prior authorization from the
AAAH expires, as indicated in the Authorization-Lifetime AVP in the
AA-Mobile-Node-Answer.
Foreign agent MAY provide a challenge, giving it protection against
replay attacks.
The mobile node includes the Challenge and MN-AAA
authentication extension to enable authorization by the AAAH. If the
authentication data supplied in the MN-AAA extension is invalid,
the AAAH returns the response (AMA) with the Result-Code AVP
set to DIAMETER_ERROR_AUTH_FAILURE.
AAAH
MN authenticated.
Check for the MIP-Home-Agent-Address AVP. If
authorized, send a Home-Agent-MIP-Request (HAR).
If the MIP-Home-Agent-Address is not recognized,
then don't send a MIP-Reg-Reply AVP.
If the MIP-Home-Agent-Address AVP is not specified,
then allocate one with load balancing in mind, provided the
MIP-Feature-Vector has the Home-Agent-Requested flag set and policy allows.
Home Agent
Receive HAR; if invalid, send HAA with the Result-Code AVP set to DIAMETER_ERROR_BAD_HAR.
Process MIP-Reg-Request AVP and create
Registration Reply, encapsulating it within the
MIP-Reg-Reply AVP. If a home address is
needed, the Home Agent MUST assign one and
include the address in both the Registration Reply
and within the MIP-Mobile-Node-Address AVP.
The Diameter response is then forwarded to the
AAAH.
Figure: Inter-Domain Mobility. The MN sends a Registration Request to the FA. The FA sends an AMR to the AAAF, which determines to send the AMR on to the AAAH. The AAAH authenticates the MN and forwards a HAR to the HA. The HA processes the HAR and creates the Registration Reply, including the home address, returned in the HAA. The AAAH answers with an AMA that includes the MN Home Address, HA address and MN NAI; the AAAF forwards the AMA to the FA, which sends the Registration Reply to the MN.
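An added Python sketch of the AAAH and Home Agent steps on the preceding slides, not code from the slides: the MN-AAA credential check, the HA pool with load figures, the Home-Agent-Requested bit value, the success code and the AVP dictionary layout are all assumptions made for the example.

```python
# Added example: AAAH handling of an AMR and Home Agent handling of a HAR.
# Constructed values; the real AVP encodings and result codes are not on the slides.
DIAMETER_SUCCESS = "DIAMETER_SUCCESS"                      # assumed success code
DIAMETER_ERROR_AUTH_FAILURE = "DIAMETER_ERROR_AUTH_FAILURE"
DIAMETER_ERROR_BAD_HAR = "DIAMETER_ERROR_BAD_HAR"
HOME_AGENT_REQUESTED = 0x01                                 # assumed MIP-Feature-Vector bit
HA_LOAD = {"10.1.0.1": 40, "10.1.0.2": 12}                  # constructed: HA address -> load
VALID_MN_AAA = {("mn1@abc.com", "chal-1"): "auth-ok"}       # constructed credential store

def aaah_handle_amr(amr, policy_allows_allocation=True):
    """AAAH: return ('AMA', answer) for the AAAF, or ('HAR', request) for the HA."""
    ama = {"Session-Id": amr["Session-Id"], "Origin-Realm": amr["Destination-Realm"]}
    key = (amr["User-Name"], amr.get("MIP-FA-Challenge"))
    if VALID_MN_AAA.get(key) != amr["MIP-MN-AAA-Auth"]:    # MN-AAA extension invalid
        return "AMA", dict(ama, **{"Result-Code": DIAMETER_ERROR_AUTH_FAILURE})
    ha = amr.get("MIP-Home-Agent-Address")
    if (ha is None and amr["MIP-Feature-Vector"] & HOME_AGENT_REQUESTED
            and policy_allows_allocation):
        ha = min(HA_LOAD, key=HA_LOAD.get)                 # allocate the least-loaded HA
    if ha not in HA_LOAD:
        # HA address unrecognized (or none allocated): answer without a MIP-Reg-Reply
        # AVP; the slides give no Result-Code for this case, so use a placeholder
        return "AMA", dict(ama, **{"Result-Code": "RESULT_CODE_NOT_ON_SLIDES"})
    har = {k: amr[k] for k in ("Session-Id", "User-Name", "Destination-Realm",
                               "MIP-Reg-Request")}
    har.update({"MIP-Home-Agent-Address": ha, "Authorization-Lifetime": 3600})
    return "HAR", har

def ha_handle_har(har, assign_home_address=lambda: "10.1.5.7"):
    """Home Agent: reject a malformed HAR, else build the Registration Reply in
    MIP-Reg-Reply, assigning a home address (echoed in MIP-Mobile-Node-Address)."""
    haa = {"Session-Id": har.get("Session-Id")}
    if "MIP-Reg-Request" not in har or "MIP-Home-Agent-Address" not in har:
        return dict(haa, **{"Result-Code": DIAMETER_ERROR_BAD_HAR})
    home = har.get("MIP-Mobile-Node-Address") or assign_home_address()
    reply = dict(har["MIP-Reg-Request"], home_address=home, code=0)  # 0 = accepted
    return dict(haa, **{"Result-Code": DIAMETER_SUCCESS, "MIP-Reg-Reply": reply,
                        "MIP-Mobile-Node-Address": home})
```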
AA-Mobile-Node-Request
(AMR) Command
Extension-Id
User-Name
Destination-Realm
Origin-FQDN
Origin-Realm
MIP-Reg-Request
MIP-MN-AAA-Auth
* MIP-Mobile-Node-Address
* MIP-Home-Agent-Address
* MIP-Feature-Vector
* Authorization-Lifetime
* MIP-FA-MN-Preferred-SPI
* MIP-FA-HA-Preferred-SPI
* MIP-Previous-FA-FQDN
* MIP-Previous-FA-Addr
* MIP-FA-Challenge
* Route-Record
AA-Mobile-Node-Answer
(AMA) Command
Session-Id
Extension-Id
Session-Timeout
Authorization-Lifetime
Result-Code
Origin-FQDN
Origin-Realm
* Error-Reporting-FQDN
* MIP-Reg-Reply
* Route-Record
* MIP-FA-to-MN-Key
* MIP-FA-to-HA-Key
* MIP-MN-to-HA-Key
* MIP-HA-to-MN-Key
* MIP-Home-Agent-Address
* MIP-Mobile-Node-Address
* Original-Session-Id
* Filter-Rule
Home-Agent-MIP-Request
(HAR) Command
Session-Id
Extension-Id
Session-Timeout
Authorization-Lifetime
MIP-Reg-Request
Origin-FQDN
Origin-Realm
User-Name
Destination-Realm
* Route-Record
* MIP-MN-to-HA-Key
* MIP-MN-to-FA-Key
* MIP-HA-to-MN-Key
* MIP-HA-to-FA-Key
* MIP-FA-to-MN-Key
* MIP-FA-to-HA-Key
* MIP-Mobile-Node-Address
* MIP-Home-Agent-Address
* Filter-Rule
Home-Agent-MIP-Answer
(HAA) Command
Session-Id
Extension-Id
Session-Timeout
Authorization-Lifetime
Result-Code
Origin-FQDN
Origin-Realm
* Route-Record
* Error-Reporting-FQDN
* MIP-Reg-Reply
* MIP-Home-Agent-Address
* MIP-Mobile-Node-Address
* MIP-FA-to-MN-Key
* MIP-FA-to-HA-Key
* Filter-Rule