Introduction To Diameter
Introduction To Diameter
to Diameter
www.interlinknetworks.com
Table of Contents
Introduction.............................................................................................................................. 2
The Case for Diameter ............................................................................................................. 3
Summary of Diameter advantages over RADIUS ................................................................... 5
Overview of Diameter.............................................................................................................. 6
A Brief Overview of SCTP...................................................................................................... 7
Types of Diameter Nodes ........................................................................................................ 8
Diameter Messages .................................................................................................................. 9
Diameter Peers ....................................................................................................................... 11
Accounting ............................................................................................................................. 12
The NASREQ Application..................................................................................................... 12
The Mobile IPv4 Application ................................................................................................ 13
The CMS Security Application.............................................................................................. 14
About Interlink Networks ...................................................................................................... 14
References.............................................................................................................................. 15
Introduction to the
Diameter Protocol
INTRODUCTION
The RADIUS protocol (Remote Access Dial In User Services) has been widely and
successfully deployed to provide authentication, authorization, and accounting (AAA)
services for dial-up PPP/IP and Mobile IP access. However, inherent shortcomings of
the RADIUS protocol have limited its ability to adapt to the ever-increasing
capabilities of routers and network access servers, and the ever-expanding set of
desired AAA services.
A number of working groups have specified their requirements for AAA protocols, and
these requirements drove the design of the Diameter protocol.
The Roaming Operations (ROAMOPS) Working Group of the IETF published a set of
requirements for roaming networks.
The NAS Requirements (NASREQ) Working Group of the IETF documented the next
generation NAS AAA requirements.
The Mobile IP Working Group of the IETF documented AAA requirements that
would help Mobile IP scale for Inter-Domain mobility.
The Telecommunication Industry Association (TIA) TR-45.6 Adjunct Wireless
Packet Data Technology working group documented the CDMA2000 Wireless Data
Requirements for AAA. Based on the work of TR-45.6, 3GPP2 has specified a twophased architecture for supporting Wireless IP networking based on IETF protocols;
the second phase requiring AAA functionality not supportable in RADIUS.
Diameter was specifically designed to meet the requirements indicated by these various
groups.
Diameter is currently focused on, and limited to, supporting access to IP networks.
The Diameter protocol was designed as an improved version of the RADIUS protocol.
A goal was to maximize compatibility and ease migration from RADIUS to Diameter.
For example, a Diameter message, like a RADIUS message, conveys a collection of
attribute value pairs.
Diameter is defined in terms of a base protocol and a set of applications. This design
allows the protocol to be extended to new access technologies. The base protocol
provides basic mechanisms for reliable transport, message delivery, and error handling.
2
The base protocol must be used in conjunction with a Diameter application. Each
application relies on the services of the base protocol to support a specific type of
network access. The two major applications are Mobile IPv4 and NASREQ (Network
Access Server REQuirements). The NASREQ application supports dial-in PPP/IP and
is the intended replacement for RADIUS.
RADIUS operates over UDP (User Datagram Protocol), a simple connectionless datagramdelivery transport protocol that lacks any mechanism for the receiving node to regulate the
data flow from the sending node.
Diameter operates over TCP (Transmission Control Protocol) or SCTP (Stream Control
Transmission Protocol). TCP and SCTP are connection-oriented transport protocols with
flow control and congestion avoidance mechanisms.
Limited server failure detection
There are many reasons why a NAS fails to receive a timely response to a given
RADIUS request. These include network congestion, a temporary network failure in
the path from the NAS to the home server, failure of the next-hop proxy server, failure
of the home server, etc. With RADIUS/UDP, the NAS cannot distinguish the cause of
3
the failure, assumes failure of the next-hop server and retransmits to an alternate nexthop server. This may be an inappropriate failover.
With a connection-oriented transport layer and Diameter keepalive messages, a
Diameter node can detect the local failure of a peer.
Silent discarding of packets
The RADIUS protocol specifies that messages are silently discarded for a variety of
error conditions. In such cases, the NAS will assume the home server did not receive
the message, and will engage in futile retransmissions before finally abandoning the
request.
The Diameter protocol returns a response for all but a few error conditions.
Inefficient Server Fail-Over
Most NAS implementations configure multiple RADIUS servers, a primary server and
a set of alternate servers. When failing over to an alternate, the NAS doesn't know if
the alternate server is even reachable. This can result in a lengthy delay of service to
users until a suitable alternate is found.
With a connection-oriented transport layer and Diameter keepalive messages, a
Diameter node can effectively failover. It can also fail back to the primary server
when it becomes available without having to time out real requests.
Inefficient use of RADIUS servers in proxy environments
Under RADIUS, all retransmissions are done by the NAS. Proxy servers do not
retransmit RADIUS requests. The NAS, not knowing whether the failure is local or
remote, may inappropriately retransmit to an alternate next-hop peer.
Under the Diameter protocol, each Diameter node that a message traverses on the path
from the origin node to the home server will detect a failure of his next-hop peer and
do failover and retransmission. Thus, failovers are locally performed at the place
where the failures occur.
No unsolicited server messages
The RADIUS protocol does not allow a server to send unsolicited messages to the
NAS. Where server initiated actions are needed, vendors are forced into solutions
outside of the RADIUS protocol (e.g. SNMP) or solutions involving proprietary
extensions to the RADIUS protocol in ways that often compromise interoperability.
Diameter, a peer-to-peer rather than a client/server protocol, allows server-initiated
messages. The base protocol defines two server-initiated messages, one requesting that
the Diameter client terminate a specific user session, another requesting that the
Diameter client re-authenticate and/or reauthorize a specific user.
Replay Attacks
The RADIUS protocol does not offer replay attack prevention. An old packet can be
replayed without detection by a malicious NAS impersonator. This can result in denial of
service if the server limits concurrent sessions for a user. Duplicate accounting messages can
also create havoc.
Only Hop-by-Hop security; no End-to-End security
The RADIUS protocol offers only hop-by-hop security and has no facility for securing
AVPs between the NAS and the home server. This offers proxy servers the opportunity
to collect confidential information or modify messages (e.g. accounting information)
without detection by the endpoints.
The Diameter protocol offers end-to-end security in addition to hop-by-hop security.
Digital signatures can ensure the integrity of selected AVPs, and the confidentiality of
selected AVPs can be ensured by encryption.
No support for vendor-specific commands
The RADIUS protocol requires that a shared secret exist between two peers, even if IP
Security is employed over a local communication.
The Diameter protocol can secure communications between peers with either IP
Security or Transport Layer Security (TLS).
Better Proxying
OVERVIEW OF DIAMETER
The Diameter model is a base protocol and a set of applications. The base protocol
provides common functionality to the supported applications. The following figure
depicts the Diameter architecture.
NASREQ
Application
Mobile IPv4
Application
CMS Security
SCTP provides multiple data streams between the two endpoints. Within each data
stream, messages are delivered in order without loss or duplication. Independent data
exchanges may be delivered over different streams; message loss in any one stream
does not affect data delivery within other streams. TCP provides a single stream of
data, where a message loss delays delivery of all subsequent messages. This is
sometimes referred to as the head-of-line blocking problem. Minimizing the head-ofline blocking problem is the SCTP feature of greatest benefit to Diameter.
SCTP is message oriented; that is, SCTP maintains message boundaries and delivers
complete messages (PDUs), which SCTP calls chunks, between the upper layer
protocols employing SCTP. TCP is byte oriented; that is, TCP does not preserve data
units within a transmitted byte stream, requiring the upper layer protocol to count and
accumulate the bytes of each message.
SCTP understands, and makes use of, the notion of multi-homed hosts. A multihomed host is one with more than one IP interface. At initialization time, SCTP peers
exchange lists of their IP interface addresses. An SCTP message requiring
retransmission can be sent to an alternate IP address, which increases the
survivability of an SCTP session in the event of network failures. SCTP uses multihoming for redundancy, not for load-sharing. In contrast, a TCP session involves a
single IP address at each endpoint, resulting in session failure should that single IP
interface become unreachable.
A Diameter Client is a device at the edge of the network that performs access control.
Examples of Diameter clients are Network Access Servers (NAS) and mobility agents
(Foreign Agent).
Server
A Relay Agent routes Diameter messages based on information found in the messages.
This routing decision is performed using a list of supported realms and known peers.
Relay agents are largely transparent. A Relay Agent may modify Diameter messages
only by inserting and/or removing routing information but may not modify any other
portion of a message.
Proxy Agent
A Proxy agent also routes Diameter messages. However, a proxy agent may modify
messages to implement policy decisions, such as controlling resource usage, providing
admission control, and provisioning.
Redirect Agent
A Translation Agent translates between two protocols, such as RADIUS and Diameter.
In this case, the translation agent supports a RADIUS to Diameter migration, allowing
server conversions to Diameter, for example, while permitting the NASes to be converted at
a slower pace.
DIAMETER MESSAGES
Diameter Message Format
The Diameter message header contains two 32-bit message identifiers, a Hop-by-Hop
Identifier and an End-to-End Identifier.
The Hop-by-Hop Identifier aids in matching requests and replies. In requests, the Hopby-Hop Identifier is replaced at each hop as the Diameter message is relayed to its final
destination. The sender of an Answer message returns the same value that was found in
the corresponding request
The End-to-End Identifier, in conjunction with the origin host's identity, is used to
detect duplicate request messages. The End-to-End Identifier is unmodified as a
request is forwarded to its final destination. The originator of an Answer message
returns the same value that was found in the corresponding request.
Diameter AVP Format
The AVP Code plus the Vendor-Id field uniquely identify the attribute. The first 256
AVP numbers, with the Vendor-Id set to zero, are reserved for backward compatibility with
RADIUS.
The AVP Data field is zero or more octets and contains information specific to the
Attribute. The AVP Code and AVP Length fields determine the format and length of
the Data field. Diameter defines data types of Integer32, Unsigned32, Integer64,
Unsigned64, Float32, Float64, Float128, OctetString, and Grouped.
A Grouped AVP is an AVP whose data is a sequence of AVPs. The other types are
self-explanatory. Derived data formats are also defined, including enumerated
(derived from integer32), DiameterIdentity (derived from octetstring), and time
(derived from unsigned32), and UTF8String (derived from octetstring), IPFilterRule
(derived from octetstring), and QosFilterRule (derived from octetstring).
The Diameter Identity
Since the identity carries the host's FQDN, and since multiple Diameter processes on a
single host cannot listen for incoming connections on the same port on a given
protocol, the DiameterIdentity of any process is guaranteed to be unique.
Diameter Message Content and Routing
DIAMETER PEERS
Diameter peers the set of Diameter nodes with which a given Diameter node will directly
communicate may be statically configured or may be dynamically discovered using
SLPv2 or DNS SRV RRs.
Capabilities Exchange
The first Diameter messages exchanged between two Diameter peers, after establishing
the transport connection, are Capabilities Exchange messages. A Capabilities
Exchange message carries a peer's identity and its capabilities (protocol version
number, supported Diameter applications, etc.). A Diameter node only transmits
commands to peers that have advertised support for the Diameter application
associated with the given command.
11
In the event that a transport failure is detected with a peer, a Diameter node attempts to
failover to an alternate peer, which means that all pending request messages sent to the
failed peer will be forwarded to the alternate peer.
A Diameter node periodically attempts to re-establish the transport connection with a
failed peer. Should connection be re-established, a node can failback to this peer, i.e.
messages can once again be forwarded to this peer.
A failover to an alternate proxy agent may result in the reception of duplicate request
messages by the home server.
ACCOUNTING
Accounting support and accounting messages are defined as part of the base protocol.
The accounting protocol is based on a server directed model that supports real-time
delivery of accounting information. The server directed model means that the Diameter
client generating the accounting data receives direction from the (authorization or
accounting) server regarding accounting record timeliness requirements.
Batch accounting is not a requirement and is currently not supported by Diameter.
CMS security may be applied to Diameter accounting messages, providing strong
authentication and integrity protection for accounting data.
The base protocol defines some AVPs that must be present in accounting request
messages, such as the Session-Id AVP and the User-Name AVP. Each Diameter
application (e.g. NASREQ, Mobile IPv4), additionally defines application-specific
AVPs required in the Accounting-Request.
The Session-Id AVP can be used to correlate multiple accounting messages for a user
session. Additionally, for applications that require multiple accounting sub-sessions, an
Accounting-Sub-Session-Id AVP has been defined. Furthermore, for applications
where a user receives service from different access devices (each with distinct SessionIds), such as Mobile IPv4, the Accounting-Multi-Session-Id AVP, carried over from
RADIUS, can be used for correlation.
RADIUS servers to Diameter. This also reduces the protocol conversion work required
for a server that acts as a RADIUS/Diameter gateway.
RFC 3169, Criteria for Evaluating Network Access Server Protocols, defines a number
of requirements for AAA protocols used by Network Access Servers (NASes),
addressing transport requirements, scalability, server failover, AVP requirements,
security, authentication, authorization, policy, resource management, accounting, and
more. RFC 2477, Criteria for Evaluating Roaming Protocols, similarly addresses the
needs of AAA protocols supporting a roaming environment. The Diameter NASREQ
application (combined with the base protocol) satisfies the requirements of both
specifications.
The NASREQ application, with native Extensible Authentication Protocol (EAP),
offers secure authentication. The NASREQ application defines the Diameter-EAPRequest and Diameter-EAP-Answer messages, which allow the EAP payload to be
encapsulated within the Diameter protocol.
The NASREQ application's AA-Request message corresponds to the RADIUS AccessRequest. The AA-Answer message corresponds to the RADIUS Access-Accept and
Access-Reject messages.
The NASREQ application also suggests some basic guidelines to be used by a server
that acts as a RADIUSDiameter protocol gateway, i.e. a server that receives a
RADIUS message that is to be translated and transmitted as a Diameter message, and
vice versa.
13
For more information on Interlink Networks and our products and services, please visit
http://www.interlinknetworks.com, email [email protected] or call (734)
821-1228.
REFERENCES
Diameter Protocol Drafts.
15
Wireless IP Network Standard, 3GPP2 P.S0001-A, Version 3.0.0, July 16, 2001.
http://www.3gpp2.org/Public_html/specs/P.S0001-A_v3.0.pdf .
Stream Control Transmission Protocol, http://www.ietf.org/rfc/rfc2960.txt, Stewart,
Xie, et al, RFC 2960, October 2000.
Authentication, Authorization and Accounting (AAA) Transport Profile, Internet draftietf-aaa-transport-05.txt, B. Aboba, J. Wood, IETF Work in Progress, June 2001.
Service Location Protocol, Version 2, http://www.ietf.org/rfc/rfc2165.txt, E. Guttman,
C. Perkins, J. Veizades, M. Day. RFC 2165, June 1999.
A DNS RR for specifying the location of services (DNS SRV), http:
//www.ietf.org/rfc/rfc2782.txt, A. Gulbrandsen, P. Vixie, L. Esibov, RFC 2782,
February 2000.
16