Diameter Protocol Overview Maheshwar Haldar PGDipSci Telecommunication TELE 411 Presentation 1

Posted on 16-Dec-2015


TRANSCRIPT

Diameter Protocol Overview

Maheshwar Haldar, PGDipSci Telecommunication

TELE 411, Presentation 1

Introduction

AAA protocol providing authentication, authorization and accounting [2].

Initially developed by Pat R. Calhoun, Glen Zorn and Ping Pan in 1998.

Advantages over the previous protocol, RADIUS, in terms of reliability, security, scalability and flexibility.

Successor to RADIUS.

What is the RADIUS Protocol?

Remote Authentication Dial In User Service (RADIUS) is a networking protocol.

Provides AAA management for computers that connect to and use a network service.

Developed by Livingston Enterprises, Inc., in 1991.

An access server authentication and accounting protocol.

It is a client/server protocol.

Limited AAA functionality.

How did the Diameter Protocol come into the picture?

A number of IETF working groups (ROAMOPS, NASREQ, MOBILE IP) specified their AAA requirements.

These requirements were not satisfied by the RADIUS Protocol.

These requirements drove the design of the Diameter Protocol.

Continuation

Designed to meet the requirements indicated by these various groups.

Improved version of the RADIUS protocol.

Maximizes compatibility.

Migration from a RADIUS server to a Diameter server.

History

Developed to overcome the limitations of the RADIUS Protocol.

Limitations of the RADIUS Protocol in terms of: transport failure, confidentiality, reliability, agent support, server-initiated messages, auditability, capability negotiation, session control, peer configuration and discovery.

SECURITY in Diameter Protocol

Figure: hop-by-hop security (proxy server communication) versus end-to-end security (server-server communication), shown between Policy Server 1, Proxy Server 2 and Policy Server 3.

Diameter Protocol Architecture

Defined in terms of a base protocol and a set of applications.

Provides extensions to new access technologies.

Used in conjunction with Diameter Applications.

Three major Diameter applications: CMS Security application, Mobile IPv4 application, NASREQ application [8].

Figure: Diameter Protocol Architecture

Figure: Diameter Protocol Stack

Diameter in IMS

IMS (IP Multimedia Subsystem) is the service delivery environment for real-time multimedia services in 3rd Generation wireless networks.

3GPP standards have adopted Diameter as the primary signalling control for AAA and mobility management in IMS [3].

Figure: Illustration of Diameter in an IMS network

Diameter Interfaces:

Diameter Cx interface: used by the S-CSCF.

Diameter Dx interface: used by the CSCF.

Diameter Sh interface: used by the Application Servers or the OSA/Parlay Gateway.

Diameter Ro and Rf interfaces: forward Call Detail Records using the Diameter protocol interface [2–6].

Protocol Description

Figure: Diameter Packet Format

Figure: AVP Header

Diameter Messages

Base unit to send a command or deliver a notification to other Diameter nodes.

Message pairs share the same command code.

The command code identifies the intention of the message.

Actual data is carried by a set of Attribute Value Pairs (AVPs).

Supports server-initiated messages [7].

Messages in the Diameter Base Protocol:

Message Name                    Abbreviation    Command Code
Abort-Session-Request           ASR             274
Abort-Session-Answer            ASA             274
Accounting-Request              ACR             271
Accounting-Answer               ACA             271
Capabilities-Exchange-Request   CER             257
Capabilities-Exchange-Answer    CEA             257
Device-Watchdog-Request         DWR             280
Device-Watchdog-Answer          DWA             280
Disconnect-Peer-Request         DPR             282
Disconnect-Peer-Answer          DPA             282
Re-Auth-Request                 RAR             258
Re-Auth-Answer                  RAA             258
Session-Termination-Request     STR             275
Session-Termination-Answer      STA             275

Is transportation of Diameter messages robust to failure? If yes, then how?

Supports a transport failure detection feature.

Supports a transport failure algorithm.

Device-Watchdog-Request and Device-Watchdog-Answer messages proactively detect transport failures.

Performs a failover procedure.
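Added example, not from the presentation: a simplified rendering of the watchdog state machine behind transport failure detection and failover (the OKAY/SUSPECT/DOWN states of RFC 3539, which the slides do not cite), assuming a watchdog interval Tw of 30 seconds and constructed peer names. It shows how an unanswered DWR moves a peer to SUSPECT and reroutes new requests, and how a second unanswered DWR closes the connection.

```python
from dataclasses import dataclass

TW = 30.0   # watchdog interval Tw in seconds (assumed; RFC 3539 default)

@dataclass
class PeerWatchdog:
    """Simplified RFC 3539 watchdog for one peer connection.
    OKAY: traffic flowing; SUSPECT: one DWR unanswered; DOWN: a second one unanswered."""
    name: str
    state: str = "OKAY"
    last_traffic: float = 0.0      # time of the last message received from this peer
    dwr_pending: bool = False
    dwr_sent_at: float = 0.0

    def on_message(self, now, is_dwa=False):
        """Any inbound message (DWA or otherwise) proves the transport is alive."""
        self.last_traffic = now
        if is_dwa:
            self.dwr_pending = False
        if self.state == "SUSPECT":
            self.state = "OKAY"

    def timer(self, now):
        """Run on each Tw expiry; returns the actions the node must take."""
        if self.state == "DOWN":
            return []
        if self.dwr_pending and now - self.dwr_sent_at >= TW:       # DWR unanswered for Tw
            self.state = "SUSPECT" if self.state == "OKAY" else "DOWN"
            if self.state == "DOWN":
                return ["CLOSE"]
            self.dwr_sent_at = now                                    # one more probe while SUSPECT
            return ["FAILOVER", "DWR"]
        if not self.dwr_pending and now - self.last_traffic >= TW:   # idle link: probe it
            self.dwr_pending, self.dwr_sent_at = True, now
            return ["DWR"]
        return []

def select_peer(primary, secondary):
    """Failover: new requests only go to a peer whose transport is known to be OKAY."""
    return primary if primary.state == "OKAY" else secondary

def simulate_outage():
    """Constructed scenario: the primary goes silent at t=0 while the secondary keeps answering."""
    primary, secondary = PeerWatchdog("hss1.example.net"), PeerWatchdog("hss2.example.net")
    trace = []
    for t in range(0, 121, 30):
        trace.append((t, primary.timer(t), primary.state))
        if "DWR" in secondary.timer(t):
            secondary.on_message(t, is_dwa=True)                      # secondary answers at once
    return trace, select_peer(primary, secondary).name
```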

Diameter Nodes

"Diameter node" is used to refer to a Diameter client, Diameter server or Diameter agent.

The Network Access Server is the Diameter client in most cases.

A Diameter agent is a special Diameter node.

The Diameter server authenticates the user based on the user's credentials, i.e. username and password.

There are four kinds of Diameter agents:

Relay Agent
Proxy Agent
Redirect Agent
Translation Agent

Session and Connection in Diameter

Working involves three steps:

Session Initialization
Session Re-Authentication
Session Termination

AAA in Diameter

Authentication and Authorization:

Not bound to a specific application running on top of it.

It focuses on general message exchanging features.

The base protocol doesn't define command codes and AVPs specific to authentication and authorization.

Message definitions and corresponding attributes are based on the application's characteristics [3–7].

Example:

The AA-Request message is used to carry authentication and authorization information in the NAS application, while in the SIP application the message is called User-Authorization-Request.

Accounting:

Accounting behaviour is clearly defined.

Follows a server-directed model.

Expected accounting behaviour is requested [3–7].

Prevents duplication of accounting records.

Errors in the Diameter Protocol

There are two categories of Diameter errors: (1) Protocol error, (2) Application error.

(1) Protocol Error: Indicates something being wrong with the underlying protocol used to carry Diameter messages.

(2) Application Error: Results from the failure of the Diameter protocol itself.

How does Diameter provide effective error handling?

Uses the Result-Code AVP.

Easy identification of the return status of messages.

Use of the Error-Message AVP.

Use of the Error-Reporting-Host AVP.
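Added example, not code from the slides: a minimal codec for the packet format and base-protocol messages described earlier, combined with the error-handling step above. It assumes the RFC 3588 header and AVP layout, takes the command codes from the message table on this page, and assumes AVP codes 264, 268, 281 and 294 (Origin-Host, Result-Code, Error-Message, Error-Reporting-Host) from RFC 3588; the parser checks every length field before trusting it, which is the check a node exposed to untrusted peers needs.

```python
import struct
# Command codes from the base-protocol message table on this page
COMMANDS = {257: "Capabilities-Exchange", 258: "Re-Auth", 271: "Accounting", 274: "Abort-Session",
            275: "Session-Termination", 280: "Device-Watchdog", 282: "Disconnect-Peer"}
# AVP codes (Origin-Host, Result-Code, Error-Message, Error-Reporting-Host) assumed from RFC 3588
ORIGIN_HOST, RESULT_CODE, ERROR_MESSAGE, ERROR_REPORTING_HOST = 264, 268, 281, 294
R_BIT, E_BIT, M_BIT, V_BIT = 0x80, 0x20, 0x40, 0x80   # header R/E bits, AVP M/V bits

def encode_avp(code, data, mandatory=True):
    """AVP = code(4) flags(1) length(3) data, padded to 4 bytes; padding is not counted in length."""
    header = struct.pack("!IB", code, M_BIT if mandatory else 0) + (8 + len(data)).to_bytes(3, "big")
    return header + data + b"\0" * (-len(data) % 4)

def encode_message(cmd, avps, request=True, error=False, app_id=0, hbh=1, e2e=1):
    """Header = version(1) length(3) flags(1) command(3) app-id(4) hop-by-hop(4) end-to-end(4)."""
    body, flags = b"".join(avps), (R_BIT if request else 0) | (E_BIT if error else 0)
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e) + body)

def parse_message(buf):
    """Strict parse: every length field is checked before it is trusted."""
    if len(buf) < 20 or buf[0] != 1: raise ValueError("short header or unsupported version")
    length = int.from_bytes(buf[1:4], "big")
    if length != len(buf): raise ValueError("header length does not match buffer")
    flags, cmd = buf[4], int.from_bytes(buf[5:8], "big")
    app_id, hbh, e2e = struct.unpack("!III", buf[8:20])
    avps, pos = {}, 20
    while pos < length:                                   # walk the AVPs one by one
        if pos + 8 > length: raise ValueError("truncated AVP header")
        code, aflags = int.from_bytes(buf[pos:pos + 4], "big"), buf[pos + 4]
        alen, hdr = int.from_bytes(buf[pos + 5:pos + 8], "big"), 12 if aflags & V_BIT else 8
        if alen < hdr or pos + alen > length: raise ValueError("AVP length out of range")
        avps[code] = buf[pos + hdr:pos + alen]            # vendor-id (V bit) is skipped over
        pos += (alen + 3) & ~3                            # step over padding
    name = f"{COMMANDS.get(cmd, str(cmd))}-{'Request' if flags & R_BIT else 'Answer'}"
    return {"name": name, "code": cmd, "error_bit": bool(flags & E_BIT),
            "app_id": app_id, "hbh": hbh, "e2e": e2e, "avps": avps}

def classify_answer(msg):
    """Result-Code ranges (RFC 3588): 3xxx protocol errors, 4xxx/5xxx application errors."""
    code = struct.unpack("!I", msg["avps"][RESULT_CODE])[0]
    cat = ("informational", "success", "protocol error", "application error",
           "application error")[code // 1000 - 1] if 1000 <= code < 6000 else "unknown"
    return code, cat, msg["avps"].get(ERROR_MESSAGE, b"").decode()

# Constructed samples: a CER, and a DWA carrying a protocol error (E bit set).
cer = encode_message(257, [encode_avp(ORIGIN_HOST, b"nas.example.net")])
dwa = encode_message(280, request=False, error=True, avps=[
    encode_avp(RESULT_CODE, struct.pack("!I", 3002)), encode_avp(ERROR_MESSAGE, b"unable to deliver"),
    encode_avp(ERROR_REPORTING_HOST, b"relay.example.net")])
```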

Implementation

Circumference is an open-source implementation to showcase the Diameter WebAuth subprotocol, also called a Diameter application [2].

Open BiOX: An open source Java implementation of Diameter Protocol Stack [4].

Conclusion

The purpose of developing the Diameter Protocol has proved to be successful in overcoming the limitations of the RADIUS Protocol.

In addition to SIP, Diameter is the other core protocol used in the IP Multimedia Subsystem (IMS) architecture, both in the service plane and the control plane.

As IMS continues to evolve, we believe there will be more Diameter applications to come, as well as Diameter-related implementations.

References and Links

[1] Network Convergence – Services, Applications, Transport and Operations Support. By Hu Hanrahan.

[2] http://en.wikipedia.org/wiki/Diameter_Protocol

[3] http://www.ibm.com/developerworks/wireless/library/wi-diameter

[4] http://diameterprotocol.blogspot.com/search/label/Diameter%20protocol

[5] http://images.google.co.in

[6] http://www.rfc-editor.org/rfc/rfc3588.txt

[7] http://docs.hp.com/en/T1428-90011/

[8] http://tools.ietf.org/html/draft-calhoun-diameter-framework-01

[9] Aboba, Zorn, "Roaming Requirements", draft-ietf-roamops-roamreq-08.txt, March 1998.

Diameter Applications

Not a software application.

An application based on the Diameter Base Protocol (defined in RFC 3588).

Each application is defined by an Application Identifier.

Can add new command codes and/or new mandatory AVPs.

Adding a new optional AVP does not require a new application [9].

Why does LDAP not provide the functionality required by an AAA protocol?

A server may wish to access policies using LDAP, but the use of LDAP between the client and the server is not possible.

The use of LDAP in this case would require that all routers have write access to the directory.

In the case of roaming, customers would have to open up their directory so outside routers have writeable access.

Finally, LDAP does not provide server-initiated messages, which is a requirement for an AAA protocol.

Home Subscriber Server (HSS): Master database within the IMS. Maintains subscriber information including user identification, control information for user authentication and authorization, location information, and user profile data.

Call Session Control Function (CSCF): performs SIP session management for a user (or SIP client) requesting access to IMS services. SIP signaling is used to register with the Serving CSCF in the home network of the user.

Relay Agent

Used to forward a message to the appropriate destination depending on information contained in the message.

Aggregates requests from different regions to a specific region.

Eliminates burdensome configuration of network access servers for every Diameter server exchange [3].

Proxy Agent

Modifies the message content.

Provides value-added services.

Enforces rules on different messages or performs administrative tasks.

Figure [5] below shows how a Proxy Agent is used to forward a message to another domain.

Redirect Agent

Acts as a centralized configuration repository for other Diameter nodes.

On receiving a message, it checks its routing table and returns a response message along with redirection information to its original sender.

Determines the address of the node to contact.

Figure [5] below illustrates how a Redirect Agent works.

Translation Agent

Converts messages from one AAA protocol to another.

Useful for a company or service provider.

Figure [5] below illustrates how one agent translates the RADIUS protocol into the Diameter protocol.

Other kinds of protocol translation (for example, Diameter to RADIUS, Diameter to TACACS+) are also possible [3].