Status: PROPOSED STANDARD; Obsoleted by: RFC ; File formats: Plain Text, PDF.

Diameter is an authentication, authorization, and accounting (AAA) protocol for computer networks; it is the AAA protocol used within EPS/IMS architectures. Diameter is specified primarily as a base protocol by the IETF in RFC . The Diameter base protocol (Obsoletes: RFC ) defines the minimum requirements for an AAA protocol.
Published (last): 12 October 2010
Role of Diameter Agents

In addition to clients and servers, the Diameter protocol introduces relay, proxy, redirect, and translation agents, each of which is defined in Section 1. These Diameter agents are useful for several reasons. The Diameter protocol requires that agents maintain transaction state, which is used for failover purposes.
Transaction state implies that upon forwarding a request, its Hop-by-Hop identifier is saved; the field is replaced with a locally unique identifier, which is restored to its original value when the corresponding answer is received. The request’s state is released upon receipt of the answer.
A stateless agent is one that only maintains transaction state. The Proxy-Info AVP allows stateless agents to add local state to a Diameter request, with the guarantee that the same state will be present in the answer. However, the protocol’s failover procedures require that agents maintain a copy of pending requests.
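The transaction-state behaviour described above (save the Hop-by-Hop Identifier, substitute a locally unique one, restore it on the answer, release the entry, and keep a copy of each pending request so it can be resent with the T bit after a link failure) is easy to get subtly wrong, so here it is as an added example. This is illustrative code written for this page, not code from the base protocol specification or any Diameter implementation; the Message and PendingRequest shapes are assumptions that stand in for a real header plus AVPs, and the start value 1000 in the usage is just a fixed seed for readability.

```python
import itertools
import random
from dataclasses import dataclass, replace


@dataclass
class Message:
    """Constructed, minimal view of a Diameter message: only the header fields a
    relay touches. Real messages carry a full 20-octet header plus AVPs."""
    hop_by_hop: int          # Hop-by-Hop Identifier, 32-bit, unique per connection
    is_request: bool         # R bit
    retransmitted: bool      # T bit, set when resending after a link failover
    body: str                # stands in for the command and its AVPs


@dataclass
class PendingRequest:
    original_hop_by_hop: int   # value the upstream peer used; restored on the answer
    upstream_peer: str         # connection the request arrived on; the answer goes back here
    forwarded: Message         # copy kept so the request can be resent if the downstream link fails


class RelayAgent:
    """Transaction-state bookkeeping of a stateless Diameter agent (relay or proxy)."""

    def __init__(self, first_id=None):
        # Hop-by-Hop Identifiers are normally monotonically increasing from a random start.
        start = random.getrandbits(32) if first_id is None else first_id
        self._ids = itertools.count(start)
        self._pending = {}   # our Hop-by-Hop Identifier -> PendingRequest

    def _next_hop_by_hop(self):
        # Wrap at 32 bits; what matters is uniqueness on the connection "at any given time".
        while True:
            candidate = next(self._ids) & 0xFFFFFFFF
            if candidate not in self._pending:
                return candidate

    def forward_request(self, msg, from_peer):
        """Rewrite the Hop-by-Hop Identifier and remember how to route the answer back."""
        if not msg.is_request:
            raise ValueError("only requests are forwarded this way")
        local_id = self._next_hop_by_hop()
        forwarded = replace(msg, hop_by_hop=local_id)
        self._pending[local_id] = PendingRequest(msg.hop_by_hop, from_peer, forwarded)
        return forwarded

    def forward_answer(self, answer):
        """Map an answer back to the peer that sent the request; release the state."""
        state = self._pending.pop(answer.hop_by_hop, None)
        if state is None:
            return None   # unknown Hop-by-Hop Identifier: late duplicate or bogus answer
        return replace(answer, hop_by_hop=state.original_hop_by_hop), state.upstream_peer

    def failover(self):
        """On a link failure, resend every still-pending request with the T bit set."""
        resent = []
        for state in self._pending.values():
            state.forwarded = replace(state.forwarded, retransmitted=True)
            resent.append(state.forwarded)
        return resent

    def pending_count(self):
        return len(self._pending)


if __name__ == "__main__":
    relay = RelayAgent(first_id=1000)
    req = Message(hop_by_hop=42, is_request=True, retransmitted=False, body="ACR")
    out = relay.forward_request(req, "nas.example.com")
    print("forwarded with Hop-by-Hop", out.hop_by_hop, "pending", relay.pending_count())
    back, peer = relay.forward_answer(Message(out.hop_by_hop, False, False, "ACA"))
    print("answer back to", peer, "with Hop-by-Hop", back.hop_by_hop)
```

The point to notice is that the agent never needs the answer's content to route it: the locally chosen Hop-by-Hop Identifier is the only key, and an answer carrying an identifier that is not pending is dropped rather than guessed at.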
A stateful agent is one that maintains session state information by keeping track of all authorized active sessions. Each authorized session is bound to a particular service, and its state is considered active until the agent is notified otherwise or the session expires.
Maintaining session state MAY be useful in certain applications, such as: A Diameter implementation MAY act as one type of agent for some requests, and as another type of agent for others.
Relay Agents

Relay agents are Diameter agents that accept requests and route messages to other Diameter nodes based on information found in the messages (e.g., the Destination-Realm AVP). This routing decision is performed using a list of supported realms and known peers.
This is known as the Realm Routing Table, as defined further in Section 2. The use of relays is advantageous since it eliminates the need for NASes to be configured with the security information they would otherwise require to communicate with Diameter servers in other realms. Likewise, this reduces the configuration load on Diameter servers that would otherwise be necessary when NASes are added, changed or deleted.
Relays modify Diameter messages by inserting and removing routing information, but do not modify any other portion of a message. Figure 2 (Relaying of Diameter messages) depicts a request issued from NAS, which is an access device, for the user bob example.
Prior to issuing the request, NAS performs a Diameter route lookup using “example. Since relays do not perform any application-level processing, they provide relaying services for all Diameter applications, and therefore MUST advertise the Relay Application Identifier.

Proxy Agents

Like relays, proxy agents route Diameter messages using the Diameter Routing Table. However, they differ from relays in that they modify messages to implement policy enforcement.
This requires that proxies maintain the state of their downstream peers (e.g., access devices). It is important to note that although proxies MAY provide a value-add function for NASes, they do not allow access devices to use end-to-end security, since modifying messages breaks authentication. Proxies MAY be used in call control centers or access ISPs that provide outsourced connections; they can monitor the number and types of ports in use, and make allocation and admission decisions according to their configuration.
Proxies that wish to limit resources MUST maintain session state.
All proxies MUST maintain transaction state. Since enforcing policies requires an understanding of the service being provided, proxies MUST only advertise the Diameter applications they support.

Redirect Agents

Redirect agents are useful in scenarios where the Diameter routing configuration needs to be centralized. An example is a redirect agent that provides services to all members of a consortium, but does not wish to be burdened with relaying all messages between realms.
This scenario is advantageous since it does not require that the consortium provide routing updates to its members when changes are made to a member’s infrastructure. Since redirect agents do not relay messages, and only return an answer with the information necessary for Diameter agents to communicate directly, they do not modify messages. Since redirect agents do not receive answer messages, they cannot maintain session state.
Further, since redirect agents never relay requests, they are not required to maintain transaction state. Figure 3 depicts a request issued from the access device, NAS, for the user bob example. Upon receipt of the redirect notification, DRL establishes a transport connection with HMS, if one doesn’t already exist, and forwards the request to it.
Figure 3: Redirecting a Diameter Message

Since redirect agents do not perform any application-level processing, they provide relaying services for all Diameter applications, and therefore MUST advertise the Relay Application Identifier.

Translation Agents

A translation agent is a device that provides translation between two protocols (e.g., RADIUS/Diameter, TACACS+/Diameter). Translation agents are likely to be used as aggregation servers to communicate with a Diameter infrastructure, while allowing for the embedded systems to be migrated at a slower pace.
Given that the Diameter protocol introduces the concept of long-lived authorized sessions, translation agents MUST be session stateful and MUST maintain transaction state. Translation of messages can only occur if the agent recognizes the application of a particular request, and therefore translation agents MUST only advertise their locally supported applications.

End-to-End Security Framework

End-to-end security services include confidentiality and message origin authentication.
These services are provided by supporting AVP integrity and confidentiality between two peers communicating through agents. The circumstances requiring the use of end-to-end security are determined by policy on each of the peers. Security policies, which are not the subject of standardization, may be specified by next-hop Diameter peer or by destination realm.
For example, where TLS or IPsec transmission-level security is sufficient, there may be no need for end-to-end security. End-to-end security policies include:

Which AVPs are sensitive is determined by service provider policy. AVPs containing keys and passwords should be considered sensitive.
Accounting AVPs may be considered sensitive. Any AVP for which the P bit may be set, or which may be encrypted, may be considered sensitive.

Diameter Path Authorization

As noted in Section 2., Diameter requires transmission-level security (TLS or IPsec) on each connection; therefore, each connection is authenticated, replay and integrity protected, and confidential on a per-packet basis. In addition to authenticating each connection, each connection as well as the entire session MUST also be authorized. For example, a Diameter peer may be authentic, but that does not mean that it is authorized to act as a Diameter server advertising a set of Diameter applications.
Prior to bringing up a connection, authorization checks are performed at each connection along the path. Diameter sessions MUST be routed only through authorized nodes that have advertised support for the Diameter application required by the session.
As noted in Section 6., a relay or proxy agent MUST append a Route-Record AVP to every request it forwards. The AVP contains the identity of the peer the request was received from. For example, administrators within the home realm may not wish to honor requests that have been routed through an untrusted realm. By authorizing a request, the home Diameter server is implicitly indicating its willingness to engage in the business transaction as specified by the contractual relationship between the server and the previous hop. A home realm may also wish to check that each accounting request message corresponds to a Diameter response authorizing the session.
Accounting requests without corresponding authorization responses SHOULD be subjected to further scrutiny, as should accounting requests indicating a difference between the requested and provided service.
At each step, forwarding of an authorization response is considered evidence of a willingness to take on financial risk relative to the session. A local realm may wish to limit this exposure, for example, by establishing credit limits for intermediate realms and refusing to accept responses which would violate those limits. By issuing an accounting request corresponding to the authorization response, the local realm implicitly indicates its agreement to provide the service indicated in the authorization response.
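The three checks described in this section (refuse paths through untrusted realms using the Route-Record trail, flag accounting requests with no matching authorization or a service mismatch, and cap the financial exposure a local realm takes on per intermediate realm) are shown below as an added example. It is illustrative code written for this page, not part of the base protocol specification or of any Diameter product. The realm policy, the host-to-realm mapping, the credit units and the session identifiers are all assumptions constructed for the example; the Result-Code values DIAMETER_SUCCESS (2001) and DIAMETER_AUTHORIZATION_REJECTED (5003) are the base protocol's.

```python
from dataclasses import dataclass

# Assumed policy for this example: realms through which this home server accepts routed
# requests, and the realm each known peer host belongs to. Route-Record carries host
# identities, so mapping host -> realm is local configuration, not something in the message.
TRUSTED_REALMS = {"example.com", "partner.example.net"}
PEER_REALM = {
    "nas.example.com": "example.com",
    "relay.partner.example.net": "partner.example.net",
    "proxy.shady.example.org": "shady.example.org",
}

DIAMETER_SUCCESS = 2001                 # Result-Code values from the base protocol
DIAMETER_AUTHORIZATION_REJECTED = 5003


@dataclass
class Request:
    session_id: str      # Session-Id AVP (constructed values in the usage below)
    route_record: list   # Route-Record AVPs, one per relay/proxy hop, in the order appended
    service: str         # service requested (authorization) or reported (accounting)


@dataclass
class AuthorizedSession:
    service: str
    path: tuple


class HomeServer:
    """Path authorization plus the accounting cross-checks the text recommends."""

    def __init__(self, trusted_realms, peer_realm):
        self.trusted_realms = trusted_realms
        self.peer_realm = peer_realm
        self.sessions = {}   # Session-Id -> AuthorizedSession

    def path_is_authorized(self, route_record):
        # Every hop recorded on the way here must belong to a trusted realm; an unknown
        # host maps to None, which is not trusted, so the check fails closed.
        return all(self.peer_realm.get(host) in self.trusted_realms for host in route_record)

    def authorize(self, req):
        """Return the Result-Code for an authorization request and record what was granted."""
        if not self.path_is_authorized(req.route_record):
            return DIAMETER_AUTHORIZATION_REJECTED
        self.sessions[req.session_id] = AuthorizedSession(req.service, tuple(req.route_record))
        return DIAMETER_SUCCESS

    def scrutinize_accounting(self, acr):
        """Classify an accounting request against the authorization state for its session."""
        granted = self.sessions.get(acr.session_id)
        if granted is None:
            return "no_matching_authorization"
        if acr.service != granted.service:
            return "service_mismatch"
        return "ok"


class LocalRealm:
    """Forwarding an authorization answer means taking on financial risk for the session;
    cap that exposure per intermediate realm with an assumed credit ledger."""

    def __init__(self, credit_limits):
        self.remaining = dict(credit_limits)   # realm -> remaining credit (assumed units)

    def forward_answer(self, via_realm, exposure):
        """True if the answer may be forwarded without exceeding the realm's credit limit."""
        left = self.remaining.get(via_realm, 0)   # unknown realm: no credit at all
        if exposure > left:
            return False
        self.remaining[via_realm] = left - exposure
        return True


if __name__ == "__main__":
    hs = HomeServer(TRUSTED_REALMS, PEER_REALM)
    auth = Request("nas.example.com;1;1", ["nas.example.com", "relay.partner.example.net"], "dialup")
    print("authorize via trusted path:", hs.authorize(auth))
    shady = Request("nas.example.com;1;2", ["nas.example.com", "proxy.shady.example.org"], "dialup")
    print("authorize via untrusted path:", hs.authorize(shady))
    print("ACR for the rejected session:",
          hs.scrutinize_accounting(Request("nas.example.com;1;2", ["nas.example.com"], "dialup")))
```

The unknown-host case is the one worth keeping: a Route-Record entry the home server cannot map to a realm is treated as untrusted, because the alternative (skipping hops you do not recognise) lets an intermediary hide behind a fresh hostname.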
Diameter Header

A summary of the Diameter header format is shown below. The fields are transmitted in network byte order.

Message Length

The Message Length field is three octets and indicates the length of the Diameter message including the header fields.

Command Flags

The Command Flags field is eight bits.
The following bits are assigned:

R(equest) – If set, the message is a request. If cleared, the message is an answer.

P(roxiable) – If set, the message MAY be proxied, relayed or redirected. If cleared, the message MUST be locally processed.

E(rror) – If set, the message contains a protocol error, and the message will not conform to the ABNF described for this command. Messages with the ‘E’ bit set are commonly referred to as error messages.

T(Potentially re-transmitted message) – This flag is set after a link failover procedure, to aid the removal of duplicate requests. It is set when resending requests not yet acknowledged, as an indication of a possible duplicate due to a link failure. It can be set only in cases where no answer has been received from the server for a request and the request is sent again. Diameter agents only need to be concerned about the number of requests they send based on a single received request; retransmissions by other entities need not be tracked.

Command-Code

The Command-Code field is three octets, and is used in order to communicate the command associated with the message.
Application-ID

Application-ID is four octets and is used to identify the application to which the message applies. The application can be an authentication application, an accounting application or a vendor-specific application.

Hop-by-Hop Identifier

The Hop-by-Hop Identifier is an unsigned 32-bit integer field in network byte order and aids in matching requests and replies. The sender MUST ensure that the Hop-by-Hop Identifier in a request is unique on a given connection at any given time, and MAY attempt to ensure that the number is unique across reboots.
The Hop-by-Hop identifier is normally a monotonically increasing number, whose start value was randomly generated.
End-to-End Identifier

The End-to-End Identifier is an unsigned 32-bit integer field in network byte order and is used to detect duplicate messages. Upon reboot, implementations MAY set the high-order 12 bits to contain the low-order 12 bits of the current time, and the low-order 20 bits to a random value.
Senders of request messages MUST insert a unique identifier on each message. The identifier MUST remain locally unique for a period of at least 4 minutes, even across reboots. The originator of an Answer message MUST ensure that the End-to-End Identifier field contains the same value that was found in the corresponding request.
The combination of the Origin-Host (see Section 6.) and the End-to-End Identifier is used to detect duplicates. Duplicate answer messages that are to be locally consumed (see Section 6.) SHOULD be silently discarded. See Section 4 for more information on AVPs.
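The header layout and identifier rules above, as an added example: a parser and builder for the 20-octet header (version, 3-octet Message Length, flags, 3-octet Command-Code, Application-ID, Hop-by-Hop and End-to-End Identifiers, all big-endian), the post-reboot End-to-End seeding rule (high 12 bits from the low 12 bits of the time, low 20 bits random), and a duplicate detector keyed on (Origin-Host, End-to-End Identifier) over the 4-minute uniqueness window. This is illustrative code written for this page, not code from the base protocol specification or from any Diameter stack. The sample bytes are constructed (a Capabilities-Exchange-Request header with only the R bit set and no AVPs, so the length is just 20; a real CER carries Origin-Host and other AVPs after it); the multiple-of-4 length check relies on AVPs being padded to 32-bit boundaries, and the rejection of a request with the E bit set is a base protocol rule not restated on this page.

```python
import os
import struct
import time
from dataclasses import dataclass

HEADER_LEN = 20          # version(1) + length(3) + flags(1) + code(3) + app-id(4) + hbh(4) + e2e(4)
FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10
CMD_CAPABILITIES_EXCHANGE = 257   # Command-Code of CER/CEA in the base protocol


@dataclass
class DiameterHeader:
    version: int
    length: int           # whole message, header included
    flags: int
    command_code: int
    application_id: int
    hop_by_hop: int
    end_to_end: int

    @property
    def is_request(self):
        return bool(self.flags & FLAG_R)

    @property
    def proxiable(self):
        return bool(self.flags & FLAG_P)

    @property
    def is_error(self):
        return bool(self.flags & FLAG_E)

    @property
    def retransmitted(self):
        return bool(self.flags & FLAG_T)


def parse_header(buf):
    """Decode the 20-octet header (network byte order) with receiver-side sanity checks."""
    if len(buf) < HEADER_LEN:
        raise ValueError("need at least 20 octets for a Diameter header")
    version = buf[0]
    length = int.from_bytes(buf[1:4], "big")        # 3-octet Message Length
    flags = buf[4]
    code = int.from_bytes(buf[5:8], "big")           # 3-octet Command-Code
    app_id, hbh, e2e = struct.unpack("!III", buf[8:HEADER_LEN])
    if version != 1:
        raise ValueError(f"unsupported Diameter version {version}")
    if length < HEADER_LEN or length % 4:
        # AVPs are padded to 32-bit boundaries, so a valid total length is a multiple of 4
        raise ValueError(f"implausible Message Length {length}")
    if flags & FLAG_E and flags & FLAG_R:
        raise ValueError("E bit set on a request")  # the error flag is only valid on answers
    # The four low flag bits are reserved: ignored on receipt, not treated as an error.
    return DiameterHeader(version, length, flags, code, app_id, hbh, e2e)


def build_header(code, app_id, hbh, e2e, *, request, proxiable=False,
                 error=False, retransmit=False, avps_len=0):
    """Encode a header; avps_len is the padded length of the AVPs that will follow it."""
    if request and error:
        raise ValueError("E bit set on a request")
    flags = ((FLAG_R if request else 0) | (FLAG_P if proxiable else 0)
             | (FLAG_E if error else 0) | (FLAG_T if retransmit else 0))
    length = HEADER_LEN + avps_len
    return (bytes([1]) + length.to_bytes(3, "big") + bytes([flags])
            + code.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e))


def initial_end_to_end(now=None):
    """Post-reboot seed for the End-to-End Identifier: high 12 bits from the low 12 bits
    of the current time, low 20 bits random, so values stay unique across reboots."""
    secs = int(time.time() if now is None else now)
    return ((secs & 0xFFF) << 20) | (int.from_bytes(os.urandom(3), "big") & 0xFFFFF)


class DuplicateDetector:
    """A request is a duplicate when (Origin-Host, End-to-End Identifier) was already seen
    inside the 4-minute window over which the sender must keep the identifier unique."""
    WINDOW = 240.0   # seconds

    def __init__(self):
        self._seen = {}   # (origin_host, end_to_end) -> time first seen

    def is_duplicate(self, origin_host, hdr, now):
        self._seen = {k: t for k, t in self._seen.items() if now - t < self.WINDOW}
        key = (origin_host, hdr.end_to_end)
        if key in self._seen:
            return True
        self._seen[key] = now
        return False


# Constructed sample: CER header, R bit only, no AVPs (length 0x14 = 20), base
# application 0, Hop-by-Hop 0x2a, End-to-End 0x0abcdef0.
SAMPLE_CER = bytes.fromhex("01000014" "80000101" "00000000" "0000002a" "0abcdef0")

if __name__ == "__main__":
    hdr = parse_header(SAMPLE_CER)
    print(hdr, "request" if hdr.is_request else "answer")
    print("round trip ok:", build_header(hdr.command_code, hdr.application_id, hdr.hop_by_hop,
                                         hdr.end_to_end, request=True) == SAMPLE_CER)
```

Note that the detector is keyed on the End-to-End Identifier and Origin-Host only; the Hop-by-Hop Identifier is rewritten at every agent and so says nothing about whether two requests are the same one.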
Every Diameter message MUST contain a command code in its header’s Command-Code field, which is used to determine the action that is to be taken for a particular message. The following Command Codes are defined in the Diameter base protocol:

The following format is used in the definition:

    ; The AVP can appear anywhere in the message.
    ; If an optional rule has no qualifier, then 0 or 1 such AVP may be present.