diameter.pptx
TRANSCRIPT
Intro
The Diameter protocol is a next-generation RADIUS protocol. It addresses the known RADIUS deficiencies and is intended for use with NASREQ, ROAMOPS and Mobile IP. The Mobile-IP WG has recently changed its focus to inter-administrative-domain mobility. The basic concept behind Diameter is to provide a base protocol that can be extended in order to provide AAA services to new access technologies such as Internet access.
Diameter Protocol Overview
Diameter Architecture
Base protocol: functionality common to all supported services. Defines message format, primitives, transport, error reporting and security services.
Protocol extensions: application-specific functionality, e.g. Strong Security, Mobile IP, NASREQ (commands for use in CHAP, PAP and EAP) and Accounting.
Diameter Protocol Overview
Diameter Base Protocol
Diameter is a peer-to-peer protocol: any node can initiate a request. The base Diameter protocol is never used on its own; it is always extended for a particular application, which defines the Diameter command codes: NASREQ, Mobile IP, Strong Security, Accounting.
Diameter Protocol Overview
[Diagram: the Mobile-IP Extension, NASREQ Extension and Accounting Extension layered on the Diameter Base Protocol with Strong Security.]
Diameter Header
Flags: 13 bits; the E, I and R flag combinations denote the command type (request, reply, indication). Hop-by-Hop Identifier. End-to-End Identifier. Command Code. AVPs encapsulate the information relevant to the message.
Diameter Protocol Overview
Diameter AVP
The AVP Code uniquely identifies the attribute. The AVP Flags indicate how the AVP should be handled: r (reserved), P (protected), M (mandatory), V (vendor-specific).
Diameter Protocol Overview
Diameter Base Protocol
The base protocol simply provides a secure transport for the messages defined in the various application-specific extensions.
All data objects are encapsulated within Attribute-Value Pairs (AVPs).
A large AVP space ensures that future protocol extensibility is not limited by the size of the namespace, as it is in the RADIUS protocol.
Support for vendor-specific AVPs and Commands for extensions.
Diameter Protocol Overview
Diameter Base Protocol
A peer initiates communication by sending a message; the AVPs sent in messages are determined by the Diameter extension. The initial message includes a unique Session-Id AVP, and a Session-Termination-Request frees the session. Peer-to-peer operation allows unsolicited messages to be sent to NASes, e.g. on-demand retrieval of accounting data or server-initiated session termination.
Diameter Protocol Overview
Message Forwarding
Diameter messages must include:
Origin-FQDN AVP: identifies the endpoint that originated the Diameter message, i.e. the NAS, home server, or broker. Proxy servers do not modify this AVP.
Origin-Realm AVP: contains the realm of the originator of any Diameter message.
Destination-FQDN AVP: MUST be used when the destination of the message is fixed.
Diameter Base Protocol
Capabilities Exchange
When two Diameter peers establish a transport connection, they MUST send the Device-Reboot-Ind message. It carries the peer's identity and a capabilities exchange, e.g. the supported protocol version number and the locally supported extensions, which the peers need in order to communicate compatible application-specific Diameter commands.
Device-Reboot-Ind MUST NOT be proxied or redirected. Device-Status-Ind is used to notify the sending node of an unrecognized Command Code.
Diameter Base Protocol
Transport
Operates over SCTP (Stream Control Transmission Protocol).
Provides reliability and a well-defined retransmission and timeout mechanism, allowing clients and servers to detect the reachability and state of peers for quick transmission to backup servers.
Provides a windowing scheme allowing AAA servers to limit the flow of incoming packets and distribute traffic load to other servers.
Fail-over strategy.
Diameter Base Protocol
Transport Failure Detection
Early detection of transport failures minimizes the sending of messages to unavailable servers and improves failover performance. Diameter Watchdog Requests are sent after a period of idle communication between peers, with exponential back-off. When a Diameter Watchdog Answer is obtained, the peer resumes activity.
Failover/Failback Procedures: when a transport failure is detected, pending messages are sent to an alternative server. There is a pending-message queue for each peer, in which messages are identified by the Hop-by-Hop Identifier. If the message cannot be sent to another server, a DIAMETER_UNABLE_TO_DELIVER message is sent back to the original sender.
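The failover and watchdog behaviour described above, as an added Python example that is not part of the slides or of any Diameter implementation: one pending-message queue per peer keyed by the Hop-by-Hop Identifier, exponential back-off of the watchdog interval, and DIAMETER_UNABLE_TO_DELIVER when no alternative peer is left. The back-off bounds, the misses-until-failure rule and the peer names are assumptions.

```python
DIAMETER_UNABLE_TO_DELIVER = "DIAMETER_UNABLE_TO_DELIVER"   # error named on the slide; numeric code not given

class PeerTable:
    """Per-peer pending queues with failover/failback; peers are listed in preference order."""
    def __init__(self, peers, base_watchdog=30.0, max_watchdog=480.0):
        self.peers = list(peers)                          # primary first, then alternates
        self.up = {p: True for p in self.peers}
        self.pending = {p: {} for p in self.peers}        # queue per peer: Hop-by-Hop id -> (origin, message)
        self.watchdog = {p: base_watchdog for p in self.peers}   # current DWR interval per peer (seconds)
        self.base, self.max = base_watchdog, max_watchdog  # back-off bounds: assumed values, not from the slide
        self.next_hbh = 1

    def available_peer(self):
        return next((p for p in self.peers if self.up[p]), None)

    def send(self, origin, message):
        """Queue a request to the first reachable peer; return (hop_by_hop_id, peer) or the error."""
        peer = self.available_peer()
        if peer is None:
            return None, DIAMETER_UNABLE_TO_DELIVER
        hbh, self.next_hbh = self.next_hbh, self.next_hbh + 1
        self.pending[peer][hbh] = (origin, message)
        return hbh, peer

    def answer_received(self, peer, hbh):
        """Traffic from the peer resets the watchdog back-off; the answer clears its pending entry."""
        self.watchdog[peer] = self.base
        return self.pending[peer].pop(hbh, None)

    def watchdog_missed(self, peer):
        """A Watchdog Request went unanswered: back off exponentially; at the cap, treat the transport as failed."""
        self.watchdog[peer] = min(self.watchdog[peer] * 2, self.max)
        return self.transport_failure(peer) if self.watchdog[peer] >= self.max else []

    def transport_failure(self, peer):
        """Failover: re-queue every pending message to an alternative peer, keeping its Hop-by-Hop id.
        Returns (origin, hbh, DIAMETER_UNABLE_TO_DELIVER) for messages that no peer can take."""
        self.up[peer] = False
        undeliverable = []
        for hbh, (origin, message) in self.pending[peer].items():
            alt = self.available_peer()
            if alt is None:
                undeliverable.append((origin, hbh, DIAMETER_UNABLE_TO_DELIVER))
            else:
                self.pending[alt][hbh] = (origin, message)
        self.pending[peer].clear()
        return undeliverable

    def peer_recovered(self, peer):
        """Failback: a Watchdog Answer from the peer puts it back in rotation."""
        self.up[peer] = True
        self.watchdog[peer] = self.base
```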
Diameter Base Protocol
Error Signaling
Error Notification: all messages are acknowledged, either with a successful response or with one that contains an error code.
Per-Hop Error Signaling: there are many instances where an error condition occurs on a Diameter node that needs to be signaled to the downstream server, and not necessarily to the Diameter client.
End-to-End Error Signaling.
Diameter Base Protocol
[Diagram: a Diameter client or server sends a request along a chain of Diameter servers. The link to the last server is broken, so the server that cannot forward the request returns a DSI (Unable To Forward) to the previous hop.]
Example of Per-Hop Error Condition
Diameter Base Protocol
Session Oriented
Diameter is session-oriented: one session per authentication/authorization flow. Sessions are identified through a session identifier, which is globally unique at any given time.
A session termination message exists in order to end a Diameter session, and all sessions have a timeout value in order to ensure that they can be cleaned up properly.
Diameter Base Protocol
User Session
The user asks the NAS for service. The NAS issues an AA-Request to the local Diameter server, containing the user's authentication information and a unique Session-Id AVP (Sender-FQDN, port, and an increasing 32-bit number).
After the Diameter server authorizes the user it SHOULD add an Authorization-Lifetime AVP to the response. The base protocol does not contain Authorization Request messages, as these are application-specific.
Diameter Base Protocol
Proxy Support
Every node in the network is responsible for its own retransmissions.
This allows each node to know a priori the reachability state of each peer.
Latency is reduced.
Reliability is increased.
Diameter Base Protocol
[Diagram: a NAS connected to a LOCAL primary proxy server and a LOCAL 2nd proxy server, which in turn connect to a HOME primary proxy server and a HOME 2nd proxy server.]
Before forwarding a message, a proxy checks for a forwarding loop using the Route-Record AVP: it checks that the sender is the last entry, and that its own address does not appear.
A proxy that applies policy must not allow end-to-end security, and sends a message to the sender.
A proxy server MUST only process messages of type Response whose last Route-Record AVP matches one of its addresses. The last Route-Record AVP is removed, and the next hop is identified by the second-to-last Route-Record AVP.
Diameter Base Protocol
Message Routing
Routing is done using the realm portion of the NAI or a realm-encoded AVP (e.g. Origin-Realm, Destination-Realm).
Local Action: LOCAL – process the authentication locally. PROXY – forward to the next-hop server identified by the Server Identifier. REDIRECT – return to the sender with a DSI, DSI-Event = Redirect and Redirect-Host AVP = server identifier.
Routing table columns: Domain Name, Extension ID, Local Action, Server Identifier.
Diameter Base Protocol
[Diagram: realm-based routing between DIA 1 (mno.net), DIA 2 (xyz.com) and DIA 3 (abc.com).]
request, DIA 1 -> DIA 2: Origin-FQDN=dia1.mno.net, Origin-Realm=mno.net, Destination-Realm=abc.com, Route-Record=dia1.mno.net
request, DIA 2 -> DIA 3: Origin-FQDN=dia1.mno.net, Origin-Realm=mno.net, Destination-Realm=abc.com, Route-Record=dia1.mno.net, Route-Record=dia2.xyz.com
response, DIA 3 -> DIA 2: Origin-Realm=abc.com, Destination-FQDN=dia1.mno.net, Route-Record=dia2.xyz.com
response, DIA 2 -> DIA 1: Origin-Realm=abc.com, Destination-FQDN=dia1.mno.net
Realm Based Routing
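The Route-Record loop checks from the Proxy Support slide and the LOCAL/PROXY/REDIRECT routing table from the Message Routing slide, walked through the diagram above as an added Python example (not code from the slides). The reading that the answering server omits the originator's own Route-Record, and the redirect server's names, are assumptions.

```python
LOCAL, PROXY, REDIRECT = "LOCAL", "PROXY", "REDIRECT"   # the slide's Local Action values

class DiameterNode:
    def __init__(self, fqdn, realm, table):
        # table: Destination-Realm -> (Local Action, Server Identifier), one routing-table row per realm
        self.fqdn, self.realm, self.table = fqdn, realm, table

    def check_loop(self, req, sender):
        """Before forwarding: the sender must be the last Route-Record, and we must not appear in it."""
        rr = req.get("Route-Record", [])
        if not rr or rr[-1] != sender:
            raise ValueError(f"{self.fqdn}: {sender} is not the last Route-Record")
        if self.fqdn in rr:
            raise ValueError(f"{self.fqdn}: forwarding loop, own address already in Route-Record")

    def handle_request(self, req, sender):
        """Return (action, next_hop, message_to_send) for a request received from `sender`."""
        self.check_loop(req, sender)
        action, server = self.table[req["Destination-Realm"]]
        if action == PROXY:
            fwd = {**req, "Route-Record": req["Route-Record"] + [self.fqdn]}
            return PROXY, server, fwd
        if action == REDIRECT:
            dsi = {"DSI-Event": "Redirect", "Redirect-Host": server}
            return REDIRECT, sender, dsi
        # LOCAL: answer. The diagram shows the answer carrying the request's Route-Records minus the
        # originator's own entry, which is already in Destination-FQDN (assumed reading of the slide).
        answer = {"Origin-Realm": self.realm, "Destination-FQDN": req["Origin-FQDN"],
                  "Route-Record": req["Route-Record"][1:]}
        return LOCAL, sender, answer

    def handle_response(self, resp):
        """A proxy only processes a response whose last Route-Record is its own address; it strips that
        entry and forwards to the second-to-last one, or to Destination-FQDN when none is left."""
        rr = list(resp.get("Route-Record", []))
        if not rr or rr[-1] != self.fqdn:
            raise ValueError(f"{self.fqdn}: response's last Route-Record is not this proxy")
        rr.pop()
        next_hop = rr[-1] if rr else resp["Destination-FQDN"]
        return next_hop, {**resp, "Route-Record": rr}

def trace_example():
    """Walk the slide's scenario: dia1.mno.net -> dia2.xyz.com -> dia3.abc.com and back."""
    dia2 = DiameterNode("dia2.xyz.com", "xyz.com", {"abc.com": (PROXY, "dia3.abc.com")})
    dia3 = DiameterNode("dia3.abc.com", "abc.com", {"abc.com": (LOCAL, None)})
    req = {"Origin-FQDN": "dia1.mno.net", "Origin-Realm": "mno.net",
           "Destination-Realm": "abc.com", "Route-Record": ["dia1.mno.net"]}
    _, hop1, fwd = dia2.handle_request(req, "dia1.mno.net")
    _, hop2, ans = dia3.handle_request(fwd, "dia2.xyz.com")
    hop3, out = dia2.handle_response(ans)
    return hop1, fwd["Route-Record"], hop2, ans["Route-Record"], hop3, out["Route-Record"]
```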
Diameter Base Protocol
Redirect Support
Reduces the configuration information that would otherwise be necessary on all servers owned by members of a roaming consortium. When a request is received by a redirect server, a redirect response is returned to the initiator of the request with the information necessary to communicate directly with servers in the home domain. The redirect server may also provide Certificate Authority services. No long-lived shared secrets. Enables IPSEC.
Diameter Base Protocol
[Diagram: a Diameter server in abc.net sends a request to a Diameter Redirect Server and receives a DSI response with DSI-Event = Redirect and Redirect-Host AVP(s) pointing it to the Diameter server in xyz.net.]
Diameter Redirect Server
Diameter Base Protocol
Security
The Diameter Strong Security Extension provides authentication, integrity and confidentiality at the AVP level. It is possible to secure portions of a Diameter message while other parts of the message are not secured; using Diameter, proxies can add, delete or modify unprotected AVPs in a message.
Hop-by-hop security: client-to-server communication using IPSEC; server-to-server communication using SSL.
The Diameter NASREQ extension defines commands for use in CHAP, PAP and EAP. The first 256 AVPs are reserved for RADIUS compatibility.
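The AVP flag semantics from the Diameter AVP slide and the unprotected-AVP rule from this Security slide, as an added in-memory Python model (not code from the slides): the receiver rejects an unrecognized mandatory AVP, and a proxy may change only AVPs whose P flag is clear. Bit positions and AVP codes are constructed for the example; the draft's wire layout is not on the slides.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed flag bit positions for this in-memory model; the draft's wire layout is not on the slides.
FLAG_P, FLAG_M, FLAG_V = 0x20, 0x40, 0x80   # P protected, M mandatory, V vendor-specific

@dataclass(frozen=True)
class AVP:
    code: int                         # constructed codes below, not registry values
    flags: int
    value: object
    vendor_id: Optional[int] = None   # required when V is set

    def has(self, flag: int) -> bool:
        return bool(self.flags & flag)

# Constructed (vendor_id, code) table for the receiver; anything absent is "unrecognized".
KNOWN = {(None, 1): "Session-Id", (None, 2): "Origin-FQDN", (None, 3): "Origin-Realm",
         (None, 4): "User-Name", (9999, 1): "Example-Vendor-AVP"}

def validate_incoming(avps: List[AVP]) -> Tuple[List[AVP], Optional[str]]:
    """Receiver rule: V set without a Vendor-ID is malformed; an unrecognized AVP with M set fails
    the whole message, while an unrecognized AVP without M is simply skipped."""
    accepted = []
    for avp in avps:
        if avp.has(FLAG_V) and avp.vendor_id is None:
            return [], f"AVP {avp.code}: V flag set but no Vendor-ID"
        if (avp.vendor_id, avp.code) not in KNOWN:
            if avp.has(FLAG_M):
                return [], f"AVP {avp.code}: unrecognized mandatory AVP"
            continue
        accepted.append(avp)
    return accepted, None

def proxy_modify(avps: List[AVP], code: int, new_value: object) -> List[AVP]:
    """Proxy rule from the Security slide: only unprotected AVPs may be changed in transit.
    Raises if the target base AVP is protected (P) by the Strong Security extension."""
    out = []
    for avp in avps:
        if avp.code == code and avp.vendor_id is None:
            if avp.has(FLAG_P):
                raise PermissionError(f"AVP {code} is protected; a proxy must not modify it")
            avp = AVP(avp.code, avp.flags, new_value, avp.vendor_id)
        out.append(avp)
    return out
```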
Diameter Base Protocol
Summary of Diameter Key Features
Lightweight and simple-to-implement protocol
Large AVP space
Efficient encoding of attributes, similar to RADIUS
Support for vendor-specific AVPs and Commands
Support for a large number of simultaneous pending requests
Reliability provided by the underlying SCTP
Well-defined fail-over scheme
Summary of Diameter Key Features (cont.)
Ability to quickly detect unreachable peers
No silent message discards
Support of unsolicited messages to "clients"
Integrity and confidentiality at the AVP level
Hop-by-hop security
One session per authentication/authorization flow
Redirect (referral) services, to allow bypassing of brokers
Mobile IP
The Mobile Node issues a Registration Request to the Foreign Agent.
The Foreign Agent creates an AA-Mobile-Node-Request (AMR) message and forwards it to the AAAF, extracting the Home Address, Home Agent Address and Mobile Node NAI into AVPs.
The AAAF receives the AMR and determines whether to forward it or process it locally.
Mobile-IP Extension
Mobile IP (cont.)
Note that the foreign agent is not required to invoke AAA services every time a Registration Request is received from the mobile, but only when the prior authorization from the AAAH expires, as indicated in the Authorization-Lifetime AVP of the AA-Mobile-Node-Answer. The foreign agent MAY provide a challenge, giving it protection against replay attacks. The mobile node includes the Challenge and the MN-AAA authentication extension to enable authorization by the AAAH. If the authentication data supplied in the MN-AAA extension is invalid, the AAAH returns the response (AMA) with the Result-Code AVP set to DIAMETER_ERROR_AUTH_FAILURE.
Mobile-IP Extension
Mobile IP (cont.)
AAAH: MN authenticated.
Check for the MIP-Home-Agent-Address AVP. If authorized, send a Home-Agent-MIP-Request (HAR).
If the MIP-Home-Agent-Address is not recognized, do not send a MIP-Reg-Reply AVP.
If the MIP-Home-Agent-Address AVP is not specified, the MIP-Feature-Vector has the Home-Agent-Requested flag set, and policy allows, allocate one with load balancing in mind.
Mobile-IP Extension
Mobile IP (cont.)
Home Agent: receives the HAR; if it is invalid, sends an HAA with the Result-Code AVP set to DIAMETER_ERROR_BAD_HAR.
Otherwise it processes the MIP-Reg-Request AVP and creates a Registration Reply, encapsulating it within the MIP-Reg-Reply AVP. If a home address is needed, the Home Agent MUST assign one and include the address both in the Registration Reply and in the MIP-Mobile-Node-Address AVP. The Diameter response is then forwarded to the AAAH.
Mobile-IP Extension
Mobile IP (cont.)
AAAH: after receiving the HAA, sets the Command Code to AA-Mobile-Node-Answer (AMA) and forwards the message to the AAAF.
Mobile-IP Extension
[Diagram: Inter-Domain Mobility message flow between MN, FA, AAAF, AAAH and HA.]
MN -> FA: Registration Request
FA -> AAAF: AMR (includes MN Home Address, HA address, MN NAI)
AAAF: determines to send the AMR to the AAAH
AAAF -> AAAH: AMR
AAAH: authenticates the MN and forwards a HAR to the HA
AAAH -> HA: HAR
HA: processes the HAR and creates the Registration Reply, including the home address
HA -> AAAH: HAA
AAAH -> AAAF: AMA
AAAF -> FA: AMA
FA -> MN: Registration Reply
Inter-Domain Mobility
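The AAAH and Home Agent steps of the flow above, as an added Python example (not code from the slides): MN-AAA verification, home-agent validation or load-balanced allocation, HAR construction, the HA's BAD_HAR check and home-address assignment, and the HAA-to-AMA conversion. The keys, the home-agent pool, the HMAC stand-in for the MN-AAA extension, the lifetime value and the DIAMETER_SUCCESS name are constructed or assumed.

```python
import hmac, hashlib

# Constructed sample data, not from the slides.
MN_AAA_KEYS = {"mn1@mno.net": b"constructed-shared-key"}     # MN NAI -> key shared with the AAAH
HOME_AGENT_POOL = {"ha1.mno.net": 12, "ha2.mno.net": 3}      # home agent -> current load
AUTH_FAILURE, BAD_HAR = "DIAMETER_ERROR_AUTH_FAILURE", "DIAMETER_ERROR_BAD_HAR"   # named on the slides
SUCCESS = "DIAMETER_SUCCESS"                                  # assumed name for the success Result-Code

def mn_aaa_auth(nai, challenge, key):
    """Stand-in for the MN-AAA authentication extension: a MAC over the NAI and the FA's challenge."""
    return hmac.new(key, nai.encode() + challenge, hashlib.sha256).hexdigest()

def aaah_process_amr(amr):
    """AAAH: verify the MN-AAA data, then validate or allocate the home agent.
    Returns ('HAR', har) to forward to the HA, or ('AMA', ama) to return to the AAAF at once."""
    nai, key = amr["User-Name"], MN_AAA_KEYS.get(amr["User-Name"])
    expected = mn_aaa_auth(nai, amr["MIP-FA-Challenge"], key) if key else ""
    if not key or not hmac.compare_digest(expected, amr["MIP-MN-AAA-Auth"]):
        return "AMA", {"Result-Code": AUTH_FAILURE}
    ha = amr.get("MIP-Home-Agent-Address")
    if ha is None and "Home-Agent-Requested" in amr.get("MIP-Feature-Vector", ()):
        ha = min(HOME_AGENT_POOL, key=HOME_AGENT_POOL.get)    # allocate with load balance in mind
    if ha not in HOME_AGENT_POOL:
        # Unrecognized home agent: the slide says only that no MIP-Reg-Reply AVP is returned.
        return "AMA", {"Result-Code": "<error code not given on the slide>"}
    har = {"User-Name": nai, "MIP-Reg-Request": amr["MIP-Reg-Request"],
           "MIP-Home-Agent-Address": ha, "Authorization-Lifetime": 3600}   # lifetime: constructed value
    if "MIP-Mobile-Node-Address" in amr:
        har["MIP-Mobile-Node-Address"] = amr["MIP-Mobile-Node-Address"]
    return "HAR", har

def home_agent_process_har(har):
    """HA: an invalid HAR gets DIAMETER_ERROR_BAD_HAR; otherwise build the Registration Reply,
    assigning a home address if the MN has none, and return it inside MIP-Reg-Reply."""
    if "MIP-Reg-Request" not in har or har.get("MIP-Home-Agent-Address") not in HOME_AGENT_POOL:
        return {"Result-Code": BAD_HAR}
    home_addr = har.get("MIP-Mobile-Node-Address") or "10.0.0.7"   # constructed assigned address
    reg_reply = b"RegistrationReply home=" + home_addr.encode()    # stand-in for the Mobile IP reply bytes
    return {"Result-Code": SUCCESS, "MIP-Reg-Reply": reg_reply, "MIP-Mobile-Node-Address": home_addr,
            "MIP-Home-Agent-Address": har["MIP-Home-Agent-Address"],
            "Authorization-Lifetime": har["Authorization-Lifetime"]}

def aaah_haa_to_ama(haa):
    """AAAH: the HAA becomes the AMA for the AAAF; only the command changes, the AVPs are carried through."""
    return {"Command": "AA-Mobile-Node-Answer", **haa}
```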
AA-Mobile-Node-Request (AMR) Command
Extension-Id
User-Name
Destination-Realm
Origin-FQDN
Origin-Realm
MIP-Reg-Request
MIP-MN-AAA-Auth
* MIP-Mobile-Node-Address
* MIP-Home-Agent-Address
* MIP-Feature-Vector
* Authorization-Lifetime
* MIP-FA-MN-Preferred-SPI
* MIP-FA-HA-Preferred-SPI
* MIP-Previous-FA-FQDN
* MIP-Previous-FA-Addr
* MIP-FA-Challenge
* Route-Record
AA-Mobile-Node-Answer (AMA) Command
Session-Id
Extension-Id
Session-Timeout
Authorization-Lifetime
Result-Code
Origin-FQDN
Origin-Realm
* Error-Reporting-FQDN
* MIP-Reg-Reply
* Route-Record
* MIP-FA-to-MN-Key
* MIP-FA-to-HA-Key
* MIP-MN-to-HA-Key
* MIP-HA-to-MN-Key
* MIP-Home-Agent-Address
* MIP-Mobile-Node-Address
* Original-Session-Id
* Filter-Rule
Home-Agent-MIP-Request (HAR) Command
Session-Id
Extension-Id
Session-Timeout
Authorization-Lifetime
MIP-Reg-Request
Origin-FQDN
Origin-Realm
User-Name
Destination-Realm
* Route-Record
* MIP-MN-to-HA-Key
* MIP-MN-to-FA-Key
* MIP-HA-to-MN-Key
* MIP-HA-to-FA-Key
* MIP-FA-to-MN-Key
* MIP-FA-to-HA-Key
* MIP-Mobile-Node-Address
* MIP-Home-Agent-Address
* Filter-Rule
Home-Agent-MIP-Answer (HAA) Command
Session-Id
Extension-Id
Session-Timeout
Authorization-Lifetime
Result-Code
Origin-FQDN
Origin-Realm
* Route-Record
* Error-Reporting-FQDN
* MIP-Reg-Reply
* MIP-Home-Agent-Address
* MIP-Mobile-Node-Address
* MIP-FA-to-MN-Key
* MIP-FA-to-HA-Key
* Filter-Rule