Diameter is an authentication, authorization, and accounting (AAA) protocol for computer networks. It evolved from the earlier RADIUS protocol and belongs to the application layer protocols in the Internet protocol suite. Diameter applications extend the base protocol by adding new commands. The Diameter base protocol is defined by RFC (Obsoletes: RFC ). Canonical URL: ; File formats: Plain Text, PDF; Status: PROPOSED STANDARD; Obsoleted by: RFC ; Updated by: . Diameter is specified primarily as a base protocol by the IETF in RFC ; the Diameter base protocol must be used in conjunction with a Diameter application.
Published (Last): 11 December 2008
Loughney Nokia Research Center G. This document specifies the message format, transport, error reporting, accounting, and security services used by all Diameter applications. It represents the consensus of the IETF community.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http: Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Table of Contents 1.
RFC – part 2 of 5
Description of the Document Set; Conventions Used in This Document; Changes from RFC ; Creating New Diameter Applications; Diameter Agents; Command Code Format Specification; Diameter Command Naming Conventions; Failover and Failback Procedures; Diameter Request Routing Overview; Relaying and Proxying Requests; Relaying and Proxying Answers; Authorization Session State Machine; Accounting Session State Machine; Accounting Application Extension and Requirements; Correlation of Accounting Records; Diameter Protocol-Related Configurable Parameters.

This led to new demands on AAA protocols.
Network access requirements for AAA protocols are summarized in Aboba, et al. Failover: [RFC ] does not define failover mechanisms and, as a result, failover behavior differs between implementations. In order to provide well-defined failover behavior, Diameter supports application-layer acknowledgements and defines failover algorithms and the associated state machine. While attribute hiding is supported, [RFC ] does not provide support for per-packet confidentiality.
In accounting, [RFC ] assumes that replay protection is provided by the backend billing server rather than within the protocol itself. Security is discussed in Section . As described in [RFC ], this is a major issue in accounting, where packet loss may translate directly into revenue loss.
Since the expected behavior is not defined, it varies between implementations. Diameter defines agent behavior explicitly; this is described in Section 2. To address this issue, support for server-initiated messages is mandatory in Diameter. Initially, it is expected that Diameter will be deployed within new network devices, as well as within gateways enabling communication between legacy RADIUS devices and Diameter agents.
In addition to addressing the above requirements, Diameter also provides support for the following: Since RADIUS clients and servers are not aware of each other's capabilities, they may not be able to successfully negotiate a mutually acceptable service or, in some cases, even be aware of what service has been implemented. Diameter includes support for error handling (Section 7) and capability negotiation (Section 5).
Peer discovery and configuration RADIUS implementations typically require that the name or address of servers or clients be manually configured, along with the corresponding shared secrets.
This results in a large administrative burden and creates the temptation to reuse the RADIUS shared secret, which can result in major security vulnerabilities if the Request Authenticator is not globally and temporally unique as required in [ RFC ]. Derivation of dynamic session keys is enabled via transmission-level security. As a result, while Diameter is a considerably more sophisticated protocol than RADIUS, it remains feasible to implement it within embedded devices.
Diameter Protocol The Diameter base protocol provides the following facilities: Some of these AVP values are used by the Diameter protocol itself, while others deliver data associated with particular applications that employ Diameter.
AVPs are used by the base Diameter protocol to support the following required features: It is also possible for the base protocol to be extended for use in new applications, via the addition of new commands or AVPs. The initial focus of Diameter was network access and accounting applications. A truly generic AAA protocol used by many applications might provide functionality not provided by Diameter. Therefore, it is imperative that the designers of new applications understand their requirements before using Diameter.
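As an added example (not code from RFC 6733 or from this page), the following Python codec implements the Diameter message header and AVP layout of the base protocol: a 20-byte header (version, 3-byte length, command flags, 3-byte command code, Application-Id, Hop-by-Hop and End-to-End identifiers) followed by AVPs whose header carries code, flags, a 3-byte length and an optional Vendor-Id, with data padded to a 32-bit boundary. The decoder performs the length and padding checks a receiving node needs before it acts on a message, and reports mandatory (M-bit) AVPs it does not recognise, which the base protocol requires a node to reject rather than ignore. The sample message, its Origin-Host/Origin-Realm values, the vendor-specific AVP and the KNOWN_AVPS table are constructed for this example.

```python
"""Minimal Diameter (RFC 6733) header/AVP codec with receive-side validation.

Added example; the sample message and the KNOWN_AVPS table are constructed.
"""
import struct

# Command flag bits in the Diameter message header.
FLAG_REQUEST, FLAG_PROXIABLE, FLAG_ERROR, FLAG_RETRANSMIT = 0x80, 0x40, 0x20, 0x10
# AVP flag bits: Vendor-Specific, Mandatory, Protected.
AVP_V, AVP_M, AVP_P = 0x80, 0x40, 0x20
HEADER_LEN = 20

# Assumption for the example: the (vendor_id, code) pairs this node understands.
# Origin-Host (264) and Origin-Realm (296) are base-protocol AVP codes.
KNOWN_AVPS = {(None, 264), (None, 296)}


class DiameterError(ValueError):
    """Raised when a message fails structural validation."""


def encode_avp(code, data, mandatory=True, vendor_id=None):
    """Encode one AVP; length covers header + data, padding is not counted."""
    flags = AVP_M if mandatory else 0
    if vendor_id is not None:
        flags |= AVP_V
    length = (12 if vendor_id is not None else 8) + len(data)
    out = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * ((-len(data)) % 4)   # pad to 32-bit boundary


def encode_message(command_code, app_id, hop_by_hop, end_to_end, avps, flags=FLAG_REQUEST):
    """Build a Diameter message: version 1, total length, flags, code, three 32-bit ids."""
    body = b"".join(avps)
    length = HEADER_LEN + len(body)   # body is already padded, so a multiple of 4
    header = bytes([1]) + length.to_bytes(3, "big") + bytes([flags]) + command_code.to_bytes(3, "big")
    return header + struct.pack("!III", app_id, hop_by_hop, end_to_end) + body


def decode_avps(body):
    """Walk the AVP list, refusing lengths that are too small, run past the body, or loop."""
    avps, offset = [], 0
    while offset < len(body):
        if len(body) - offset < 8:
            raise DiameterError("truncated AVP header at offset %d" % offset)
        code = struct.unpack_from("!I", body, offset)[0]
        flags = body[offset + 4]
        length = int.from_bytes(body[offset + 5:offset + 8], "big")
        hdr = 12 if flags & AVP_V else 8
        if length < hdr:                       # also blocks a zero length that would never advance
            raise DiameterError("AVP %d length %d smaller than its header" % (code, length))
        padded = length + ((-length) % 4)
        if offset + padded > len(body):
            raise DiameterError("AVP %d length %d runs past end of message" % (code, length))
        vendor_id = struct.unpack_from("!I", body, offset + 8)[0] if flags & AVP_V else None
        avps.append({"code": code, "flags": flags, "vendor_id": vendor_id,
                     "data": body[offset + hdr:offset + length]})
        offset += padded
    return avps


def decode_message(raw):
    """Parse and validate the header, then the AVPs it frames."""
    if len(raw) < HEADER_LEN:
        raise DiameterError("message shorter than the 20-byte header")
    version, length, flags = raw[0], int.from_bytes(raw[1:4], "big"), raw[4]
    command_code = int.from_bytes(raw[5:8], "big")
    app_id, hbh, e2e = struct.unpack_from("!III", raw, 8)
    if version != 1:
        raise DiameterError("unsupported version %d" % version)
    if length != len(raw) or length % 4:
        raise DiameterError("header length %d does not match %d bytes received" % (length, len(raw)))
    return {"flags": flags, "command_code": command_code, "app_id": app_id,
            "hop_by_hop": hbh, "end_to_end": e2e, "avps": decode_avps(raw[HEADER_LEN:])}


def unsupported_mandatory_avps(msg, known=KNOWN_AVPS):
    """Codes of M-bit AVPs this node does not understand; such a message must be rejected
    (the answer carries Failed-AVP and an appropriate Result-Code) rather than processed."""
    return [a["code"] for a in msg["avps"]
            if a["flags"] & AVP_M and (a["vendor_id"], a["code"]) not in known]


def demo():
    """Constructed sample: a Capabilities-Exchange-Request (code 257) with Origin-Host,
    Origin-Realm, and a vendor-specific mandatory AVP the receiver does not know."""
    avps = [encode_avp(264, b"client.example.net"),
            encode_avp(296, b"example.net"),
            encode_avp(9999, b"\x01\x02", mandatory=True, vendor_id=10415)]
    raw = encode_message(257, 0, 0x1234, 0x5678, avps)
    msg = decode_message(raw)
    return raw, msg, unsupported_mandatory_avps(msg)


if __name__ == "__main__":
    raw, msg, bad = demo()
    print(len(raw), "bytes;", len(msg["avps"]), "AVPs; unknown mandatory:", bad)
```

The length checks matter because every AVP length is attacker-controlled input: a receiver that trusts it can be pushed into reading past the buffer or into an infinite loop on a zero-length AVP, so both cases are rejected before any AVP data is interpreted.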
Any node can initiate a request. In that sense, Diameter is a peer- to-peer protocol. A Diameter client generates Diameter messages to request authentication, authorization, and accounting services for the user.
A Diameter agent is a node that does not provide local user authentication or authorization services; agents include proxies, redirects, and relay agents. A Diameter node may act as an agent for certain requests while acting as a server for others. The Diameter protocol also supports server-initiated messages, such as a request to abort service to a particular user. Description of the Document Set: The Diameter specification consists of an updated version of the base protocol specification (this document) and the Transport Profile [RFC ].
A summary of the base protocol updates included in this document can be found in Section 1. This document defines the base protocol specification for AAA, which includes support for accounting.
There is also a myriad of application documents describing applications that use this base specification for authentication, authorization, and accounting. These application documents specify how to use the Diameter protocol within the context of their application. The Transport Profile document [RFC ] discusses transport layer issues that arise with AAA protocols and recommendations on how to overcome these issues.
This document also defines the Diameter failover algorithm and state machine. The changes introduced in this document focus on fixing issues that have surfaced during the implementation of Diameter (RFC ). An overview of some of the major changes is given below.
This new approach augments the existing in-band security negotiation, but it does not completely replace it. The old method is kept for backward compatibility reasons. This feature was implied in the peer state machine table of RFC , but it was not clearly defined anywhere else in that document.
Capabilities exchange in the open state has been re-introduced in a separate specification [RFC ], which clearly defines new commands for this feature. The use of a secured transport for exchanging Diameter messages remains mandatory. See Section 13 for details. This includes fixes to the Diameter extensibility description (Section 1).
Clarify the proper use of Application Id information, which can be found in multiple places within a Diameter message. This document more clearly specifies what information (AVPs and Application Ids) can be used for making general routing decisions. A rule for the prioritization of redirect routing criteria when multiple route entries are found via redirects has also been added (see Section 6).
The Diameter discovery process now supports only widely used discovery schemes; the rest have been deprecated (see Section 5). There are many other miscellaneous fixes that have been introduced in this document that may not be considered significant, but they have value nonetheless.
Examples are removal of obsolete types, fixes to the state machine, clarification of the election process, message validation, fixes to Failed-AVP and Result-Code AVP values, etc. All of the errata filed against RFC prior to the publication of this document have been addressed.
A comprehensive list of changes is not shown here for practical reasons.

ABNF: A metalanguage with its own formal syntax and rules. It is based on the Backus-Naur Form and is used to define message exchanges in a bi-directional communications protocol.

Accounting: The act of collecting information on resource usage for the purpose of capacity planning, auditing, billing, or cost allocation.

Accounting Record: An accounting record represents a summary of the resource consumption of a user over the entire session. Accounting servers creating the accounting record may do so by processing interim accounting events or accounting events from several devices serving the same user.

Authentication: The act of verifying the identity of an entity (subject).

Authorization: The act of determining whether a requesting entity (subject) will be allowed access to a resource (object).

AVP: An AVP includes a header and is used to encapsulate protocol-specific data, e.g.

Diameter Agent: A Diameter Agent is a Diameter node that provides relay, proxy, redirect, or translation services.

Diameter Client: A Diameter client is a Diameter node that supports Diameter client applications as well as the base protocol. Diameter clients are often implemented in devices situated at the edge of a network and provide access control services for that network.

Diameter Node: A Diameter node is a host process that implements the Diameter protocol and acts as either a client, an agent, or a server.

Diameter Server: A Diameter server is a Diameter node that handles authentication, authorization, and accounting requests for a particular realm. By its very nature, a Diameter server must support Diameter server applications in addition to the base protocol.

Downstream: Downstream is used to identify the direction of a particular Diameter message from the home server towards the Diameter client.

Home Realm: A Home Realm is the administrative domain with which the user maintains an account relationship.

Interim Accounting: An interim accounting message provides a snapshot of usage during a user's session. Typically, it is implemented in order to provide for partial accounting of a user's session in case a device reboot or other network problem prevents the delivery of a session summary message or session record.

Local Realm: A local realm is the administrative domain providing services to a user. An administrative domain may act as a local realm for certain users while being a home realm for others.