Introduction to DIAMETER
0 likes939 views
Diameter is an authentication, authorization, and accounting (AAA) protocol that was developed as a successor to RADIUS. Some key points: - Diameter was developed to address limitations in RADIUS such as reliability, security, failover support, and extensibility. - It uses TCP or SCTP for reliable transport and supports features like transport layer security, failover mechanisms, and more flexible extensions compared to RADIUS. - Diameter is composed of a base protocol and applications that allow it to be extended for different services. The base protocol specifies the message format, transport, and peer connections while applications define additional messages and service logic.
Introduction to DIAMETER
- 1. SENATELECOM www.senatelecom.com 1 Introduction to DIAMETER پروتکل معرفیDIAMETER
- 3. VoIP Solutions Provider Since 2005 3
- 4. Background • Why Diameter was developed? – Authentication, Authorization, Accounting • Authentication – Identify User • Authorization – What user is allowed to do • Accounting – Accounting, monitoring, limiting user’s usage 4
- 5. What did it replace? • Was founded in 1998 • A successor to RADIUS • RADIUS was most widely used to control dial-up modems • Limitation within RADIUS: – Reliability (UDP) – Security (transparent layer security) – Failover ( no indication of state of server) – Agent Support (assumes direct connection) 5
- 6. What did it replace? (cont.) • Protocol in contention: – SNMP – COPS (Common Open Policy Service) – RADIUS++ – DIAMETER, Then next generation AAA protocol 6
- 7. Protocol Overview • Protocol improvements over RADIUS: – Reliable transport (TCP/SCTP) – Transport layer security (TLS/DTLS) – Failover Mechanism – 32 bit protocol boundaries instead of 8 bit – Peer discovery and configuration – Session binding – Server / Client relationship – More easily extended 7
- 8. Protocol Overview (cont.) • Diameter is composed of a base protocol and set of applications. • Applications allow it to extend it services • Application specifications defined through RFC and 3GPP as well as proprietary • Specifications adds additional messages and parameters and define service logic above the base protocol 8
- 9. Specification• Base Protocol RFC 6733 specifies: – Protocol format – Transport – Peer connection (Connection is establishment of transport) – User sessions (Session is the exchange of diameter messages) – Accounting • Applications: – Identified by identifiers / application identifiers (ID) 9
- 10. Specification (cont.) • Application ID: – A peer identifies through the capability exchange mechanism the applications it can support either directly or through routing onto another node – A Diameter message contains the application ID that this message set belongs to 10
- 12. Message Format (cont.) 12 • Command Flags: The following bits are assigned: 0 1 2 3 4 5 6 7 +-+-+-+-+-+-+-+-+ |R P E T r r r r| +-+-+-+-+-+-+-+-+ R(Request): If set, the message is a request. If cleared, the message is an answer. P(Proxiable): If set, the message MAY be proxied, relayed or redirected. If cleared, the message MUST be locally processed. E(Error): If set, the message contains a protocol error, This bit MUST NOT be set in request messages. T(Potentially re-transmitted message): This flag is set after a link Failover procedures to aid the removal of duplicate requests. r(reserved): these flag bits are reserved for future use, and MUST be set to zero, and ignored by the receiver.
- 13. Message Format (cont.) 13 • Command-Code : To uniquely identify the each diameter message • Application-ID : to uniquely identify the each application • Hop-by-Hop Identifier : is an unsigned 32-bit integer field and aids in matching requests and replies • End-to-End Identifier : is an unsigned 32-bit integer field and is used to detect duplicate messages
- 14. Nodes • Diameter node is used to refer to a Diameter client, a Diameter server, or a Diameter agent – Clients (performs AAA access control) – Server (handles AAA requests) – a node acting as the Diameter server for some requests might actually act as a Diameter client in some situations • RFC specifies different agents: – RELAY (route a message without changing message) – PROXY (route a message and can change message, stateful) – REDIRECT (act as a redirect server, stateless) – Translation (converts to another protocol) 14
- 15. Nodes (cont.) 15 The Diameter Proxy Agent
- 16. Nodes (cont.) 16 The Diameter Redirect Agent
- 18. Nodes (cont.) • IMS specifies additional nodes: – DEA (Diameter Edge Agent) : sits on border of network for security – DRA (Diameter Routing Agent) : sits in core network and providing single routing and normalization point for Diameter network – IWF : converts to another protocol – DSC (Diameter Signaling Controller) : groups DEA/DRA/IWF into single product 18
- 19. Peer Connection Vs. Session • Connection: a physical link between two Diameter nodes • Session: – a logical connection between two Diameter nodes, and can cross multiple connections – Each session has a Session-Id 19
- 20. Peer Connection• Transport Layer – Client / Server connection – TCP / SCTP / TLS / DTLS • Transport client connection request – Connection to peer can be tried using different layers until one is successful – Use DNS to get available transport layers for peer connection – Only one transport connection is allowed for a peer to peer connection 20
- 21. Peer Connection (cont.) • Peer FSM (Finite State Machine) defined in base protocol • Base protocol defines basis of peer table resource for management of peers – Host identity: contains the node identity of the peer (node1.realm.com) – Status T: contains the state of peer FSM (Closed, I- Open, R-Open, etc) – Static or Dynamic: defines if a peer was discovered or misconfigured – Expiration Time: if dynamically discovered specifies the refresh time. – TLS enabled specifies if TLS is for connection. 21
- 22. Peer Table 22 Table Entry Host Identity Status Static or Dynamic Expiration Time Connection type
- 23. Peer Routing 23 • Base protocol specifies basis of realm based on routing table for requests realm name • Name of realm that the incoming message is targeted to • Contained in incoming messages Destination-Realm AVP • Application Identifier: contained in message header’s application ID • Local action: – Local, message processed on node – Relay, message routed to next hop without modifying any non- routing AVP’s – Proxy, message routed to next hop and may modify non-routing AVP – Redirect, return answer with routing information back to originating peer
- 24. Peer Routing (cont.) 24 • Server Identity: – Specifies peer that the message should be forwarded to • Static or Dynamic: – Specifies if route entry is statically or dynamically added (i.e. via redirect) • Expiration time: – Expiration time of dynamically added route entry
- 25. Peer Routing Table 25 Table Entry Realm Name Application ID Local Action Server ID Static or Dynamic Expiration Time
- 26. Session • Session Initiation: – starts by issuing a request message from the client to the server, an auth-request – containing a unique Session-Id – the AVPs to be used for authentication and authorization are application-specific – Diameter server may include an Authorization-Lifetime AVP in the response messaging – after the timeout and acceptable Auth-Grace-Period have passed, server will remove the session from its session list and release all resources allocated – a Diameter server might initiate a re-authentication or re- authorization request during the session 26
- 27. Session (cont.) • Session termination: – Session termination messages are only used in the context of authentication and authorization – only when the session state was maintained – Session can be terminated by either the client or the server – The Termination-Clause AVP is included in this request telling the Diameter server the reason why the session should be closed 27
- 28. Error Handling • Errors in the Diameter: protocol errors and application errors • Protocol errors: – refer to something being wrong with the underlying protocol used to carry Diameter messages, perhaps incorrect routing information or temporary network failure • Application errors: – result from the failure of the Diameter protocol itself, and plenty of sources that will cause application errors Fail-Over: forwards all pending messages to an alternative Diameter node Return-Code AVP The Error-Message AVP 28
- 29. Error Handling (cont.) 29 Client Relay Relay Server 1. Request 4. Answer 2. Request T-bit set 3. Request T-bit set 4. Answer 5. Answer 2. Request 3. AnswerRequest Queue Request Queue Request Queue