Table of Contents
Introduction
Diameter Security
Transport Security
Transport Security: How does it work
Application Security: Topology Hiding
Topology Hiding: How does it work
Application Security: Admission Control
Admission Control: How does it work
Conclusion
The Sonus Diameter Signaling Controller (DSC) Advantage
About Sonus
Appendix A. Differences between RFC 6733 and RFC 3588
Introduction
The Diameter protocol is closely linked with the evolution of IP Multimedia Subsystem (IMS) and mobile broadband network
architectures. Diameter was first introduced for communication over the interfaces between the IMS core and application servers,
charging systems and HSS databases. It was also specified by GSMA for Long Term Evolution (LTE) and Evolved Packet Core (EPC)
network interworking.
Diameter is the base protocol for authentication, authorization and accounting (AAA), enabling network access and IP mobility in
both home and roaming mobile LTE networks.
To simplify the roaming interface between peer networks, a functional entity, the Diameter Edge Agent (DEA), has been defined in
the LTE Roaming Guidelines (GSMA PRD IR.88). The DEA is the entry point to the network and provides both efficient connection
methods and network security. The DEA hides the topology of the network behind it and advertises itself to roaming partners as a
Diameter relay, serving all Diameter applications in the network.
The DEA should be considered as a signaling firewall that protects the internal network from malformed messages, unauthorized
senders, and exposure of internal information to external networks. Figure 1 below shows this architecture.
As the use of Diameter is increasing exponentially and as mobile operators implement Diameter Edge Agent (DEA) functionality, it is
also important to consider how the DEA will scale while providing this important level of security.
This paper is focused on the security aspects of Diameter, why they exist and how they work.
Diameter Security
Any discussion of Diameter security needs to address three aspects:
Transport Security
To address transport security, RFC 6733 clearly states that "all Diameter base protocol implementations MUST support the
use of TLS/TCP and DTLS/SCTP" and that "the Diameter protocol MUST NOT be used without one of TLS, DTLS, or IPsec."
IP Security (IPsec)
The original Diameter Base Protocol specification (RFC 3588) stated: "In order to provide universal support for transmission-level
security, and enable both intra- and inter-domain AAA deployments, IPsec support is mandatory in Diameter, and TLS support is
optional." However, one of the key updates in RFC 6733 reversed this position. RFC 6733 states: "The use of a secured transport
for exchanging Diameter messages remains mandatory." TLS/TCP and DTLS/SCTP have become the primary methods of securing
Diameter, with IPsec as a secondary alternative.
Port Numbers
As per RFC 6733, the base Diameter protocol is run on port 3868 for both TCP [RFC 0793] and SCTP [RFC 4960]. For TLS and DTLS,
a Diameter node that initiates a connection prior to any message exchanges MUST run on port 5658. It is assumed that TLS is run
on top of TCP when it is used, and DTLS is run on top of SCTP when it is used.
If the Diameter peer does not support receiving TLS/TCP and DTLS/SCTP connections on port 5658 (i.e., the peer complies only
with RFC 3588), then the initiator MAY revert to using TCP or SCTP on port 3868. Note that this scheme is kept only for the
purpose of backward compatibility, and that there are inherent security vulnerabilities when the initial CER/CEA messages are sent
unprotected.
A Diameter node MAY initiate connections from a source port other than the one that it declares it accepts incoming connections
on, and it MUST always be prepared to receive connections on port 3868 for TCP or SCTP and port 5658 for TLS/TCP and
DTLS/SCTP connections.
Peer Discovery
During the session establishment process, there are two possible mechanisms to discover the next hop, each of which has
advantages and disadvantages:
An amplification and/or reflection attack can overload (DoS) a victim DEA with a huge number of unsolicited DNS answers;
a DNS poisoning attack corrupts the name/IP association (e.g., the Kaminsky attack). Once corrupted, the entry persists for a long
time (its TTL value), resulting in the DEA's routing table being improperly altered.
If dynamic discovery is used, the DEA performs a Straightforward-Naming Authority Pointer (S-NAPTR) query for a server in a
particular realm. Diameter Straightforward-Naming Authority Pointer (S-NAPTR) Usage [RFC 6408] defines an extended format
for the S-NAPTR application service tag that allows for discovery of the supported applications without doing Diameter capability
exchange beforehand.
If no S-NAPTR records are found, the requester may directly query for an SRV record. Note, when DNS-based peer discovery is used,
the port numbers received from SRV records take precedence over the default ports (3868 and 5658).
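The peer selection described in the two sections above, as an added example (not code from the paper or from Sonus): S-NAPTR records are filtered by the RFC 6408 service tag for the wanted application, secured transports are preferred, and a port from an SRV record overrides the defaults 3868/5658. The realm, the DNS records and the `Naptr`/`Srv` classes are constructed for the example; 16777251 is the 3GPP S6a application id.

```python
from dataclasses import dataclass

DEFAULT_PORT = 3868      # TCP and SCTP (RFC 6733)
SECURE_PORT = 5658       # TLS/TCP and DTLS/SCTP (RFC 6733)
SECURED = ("diameter.dtls.sctp", "diameter.tls.tcp")   # RFC 6408 protocol tags
UNSECURED = ("diameter.sctp", "diameter.tcp")

@dataclass
class Naptr:
    order: int
    preference: int
    flags: str        # "S": replacement is an SRV owner name, "A": a host name
    service: str      # "aaa+ap<application id>:<protocol tag>"
    replacement: str

@dataclass
class Srv:
    priority: int
    weight: int
    port: int
    target: str

REALM = "epc.mnc002.mcc262.3gppnetwork.org"   # constructed partner realm and DNS data
NAPTR_DB = {REALM: [
    Naptr(100, 10, "A", "aaa+ap16777251:diameter.tcp", f"legacy-dea.{REALM}"),
    Naptr(50, 10, "S", "aaa+ap16777251:diameter.dtls.sctp", f"_diameters._sctp.{REALM}"),
]}
SRV_DB = {f"_diameters._sctp.{REALM}": [Srv(10, 20, 6868, f"dea1.{REALM}")]}

def select_peer(realm, app_id, naptr_db, srv_db, allow_unsecured=False):
    """Return (transport, host, port, secured) for a peer serving app_id in realm, or None.
    Secured transports first; unsecured ones only for RFC 3588 compatibility."""
    tag = f"aaa+ap{app_id}:"
    records = sorted((r for r in naptr_db.get(realm, []) if r.service.startswith(tag)),
                     key=lambda r: (r.order, r.preference))
    for transport in SECURED + (UNSECURED if allow_unsecured else ()):
        secured = transport in SECURED
        for rec in records:
            if rec.service != tag + transport:
                continue
            if rec.flags == "S":
                srv = sorted(srv_db.get(rec.replacement, []), key=lambda s: (s.priority, -s.weight))
                if not srv:
                    continue
                # The port carried in the SRV record takes precedence over the defaults
                return transport, srv[0].target, srv[0].port, secured
            # "A" flag: host known, use the well-known port for this transport
            return transport, rec.replacement, SECURE_PORT if secured else DEFAULT_PORT, secured
    return None
```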
Topology hiding is used to ensure that internal information of a Public Mobile Network (PMN), which is not required outside the
PMN, is not disclosed: such information is changed or removed in all egress messages.
Hiding Diameter names in Route-Record AVP and using generic names in their place;
Re-inserting the correct names if the request reenters the home network;
Hiding Diameter host names in other base Diameter AVPs, such as Session-ID and Proxy-Info.
To prevent other networks from discovering the number and identity of the HSSs in the network, topology hiding should:
Hide the Diameter name in the Origin-Host AVP in requests from the MME to a foreign HSS;
Re-insert the Host ID (Diameter name) in the Destination-Host AVP in requests from a foreign HSS to the MME;
Hide the Diameter name in Origin-Host in answer messages from the MME to a foreign HSS.
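The hiding and re-insertion steps above, as an added example (not the paper's or Sonus' code) on a simplified message represented as an AVP-name to value dictionary. It assumes the DEA assigns each internal host a stable pseudonym so that a partner-initiated request carrying that pseudonym in Destination-Host can be routed back to the real host; the home realm and host names are constructed.

```python
import itertools

HOME_REALM = "epc.mnc001.mcc262.3gppnetwork.org"   # constructed home PMN realm

class TopologyHider:
    """DEA-side topology hiding. Internal hosts are replaced by stable
    pseudonyms on egress and restored on ingress; identities outside the
    home realm pass through unchanged."""

    def __init__(self, realm=HOME_REALM):
        self.realm = realm
        self._alias = {}                 # real host -> pseudonym
        self._real = {}                  # pseudonym -> real host
        self._seq = itertools.count(1)

    def hide(self, host):
        if not host.endswith("." + self.realm):
            return host                  # foreign identity, leave as-is
        if host not in self._alias:
            alias = f"dea-h{next(self._seq)}.{self.realm}"
            self._alias[host], self._real[alias] = alias, host
        return self._alias[host]

    def reveal(self, name):
        return self._real.get(name, name)

    def _rewrite(self, msg, fn):
        out = dict(msg)
        for avp in ("Origin-Host", "Destination-Host"):
            if avp in msg:
                out[avp] = fn(msg[avp])
        if "Session-Id" in msg:          # "<DiameterIdentity>;<high32>;<low32>[;<optional>]"
            host, rest = msg["Session-Id"].split(";", 1)
            out["Session-Id"] = fn(host) + ";" + rest
        if "Route-Record" in msg:
            out["Route-Record"] = [fn(h) for h in msg["Route-Record"]]
        if "Proxy-Info" in msg:          # grouped AVP carrying Proxy-Host and Proxy-State
            out["Proxy-Info"] = [dict(p, **{"Proxy-Host": fn(p["Proxy-Host"])})
                                 for p in msg["Proxy-Info"]]
        return out

    def egress(self, msg):
        """Message leaving the home PMN towards a roaming partner."""
        return self._rewrite(msg, self.hide)

    def ingress(self, msg):
        """Message entering the home PMN (answer or partner-initiated request)."""
        return self._rewrite(msg, self.reveal)
```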
Compare all AVPs that identify the origin and the destination (that is, Origin/Destination Realm/Host and Visited PMN ID) to
determine consistency between them;
Verify CER/CEA Diameter messages against the Diameter servers and capabilities declared in the IR.21 RAEX DB;
Check whether the Origin Realm/Host and/or Visited PMN ID is from a PMN which has a roaming agreement with one's own PMN.
Information related to this PMN is taken from the IR.21 RAEX DB during provisioning of the ACLs in the DEA;
Check whether the Route-Record AVPs (if they exist) are sound, in that the documented route is possible for the source and
destination given in the message;
Egress Diameter messages are received by the DEA from an internal network element. They are only sent to their destination if
all the AVPs which determine the origin are addressing a network element within the sending (i.e., one's own) PMN;
Ingress Diameter messages are received by the DEA from an external network element. They are only sent to their destination
if all the AVPs which determine the destination are addressing a recipient which is inside one's own PMN.
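The admission-control checks listed above, as an added example (not the paper's or Sonus' code): a screening function over a simplified message dictionary that applies the direction rule, the Host/Realm consistency check, the Visited-PLMN-Id check (decoded from its 3-octet TBCD form), the roaming-agreement ACL and the Route-Record plausibility check. The own realm, partner list (standing in for IR.21 RAEX data) and IPX realm are constructed; the CER/CEA capability check is left out.

```python
HOME_REALM = "epc.mnc001.mcc262.3gppnetwork.org"          # constructed own PMN
# Constructed stand-ins for data provisioned from the IR.21 RAEX DB
PARTNER_REALMS = {"epc.mnc002.mcc262.3gppnetwork.org"}    # PMNs with a roaming agreement
IPX_REALMS = {"ipx.example.net"}                           # carriers allowed on the route

def decode_plmn(octets: bytes) -> str:
    """Visited-PLMN-Id (3 TBCD octets, TS 24.008 layout) -> 3GPP realm name."""
    o1, o2, o3 = octets
    mcc = f"{o1 & 0xF}{o1 >> 4}{o2 & 0xF}"
    mnc = f"{o3 & 0xF}{o3 >> 4}" + ("" if o2 >> 4 == 0xF else str(o2 >> 4))
    return f"epc.mnc{int(mnc):03d}.mcc{mcc}.3gppnetwork.org"

def in_realm(host: str, realm: str) -> bool:
    return host.endswith("." + realm)

def screen(msg: dict, direction: str):
    """Admission-control decision for one message; direction is 'egress' (from an
    internal element) or 'ingress' (from an external one). Returns (accepted, reason)."""
    orig, dest = msg["Origin-Realm"], msg["Destination-Realm"]
    own, foreign = (orig, dest) if direction == "egress" else (dest, orig)
    # Egress must originate inside, ingress must terminate inside the own PMN
    if own != HOME_REALM:
        return False, f"{direction}: own-side realm is {own}, not {HOME_REALM}"
    # Host and Realm AVPs naming the same endpoint must agree
    for host_avp, realm_avp in (("Origin-Host", "Origin-Realm"),
                                ("Destination-Host", "Destination-Realm")):
        if host_avp in msg and not in_realm(msg[host_avp], msg[realm_avp]):
            return False, f"{host_avp} {msg[host_avp]} is outside {realm_avp}"
    # Visited-PLMN-Id (S6a) must name the network the request came from
    if "Visited-PLMN-Id" in msg and decode_plmn(msg["Visited-PLMN-Id"]) != orig:
        return False, "Visited-PLMN-Id disagrees with Origin-Realm"
    # Only partners present in the provisioned ACL may exchange messages
    if foreign not in PARTNER_REALMS:
        return False, f"no roaming agreement with {foreign}"
    # Route-Record hops must be plausible for this source/destination pair
    allowed = {orig, dest} | IPX_REALMS
    for hop in msg.get("Route-Record", []):
        if not any(in_realm(hop, r) for r in allowed):
            return False, f"implausible Route-Record hop {hop}"
    return True, "accepted"
```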
Conclusion
Diameter signaling is the lynchpin for successful 4G/LTE interconnection and roaming. IETF and GSMA have highlighted the
importance of Diameter security via their respective (RFC 6733 and IR.88) specifications.
Therefore Mobile Operators (MNO, GRX and IPX) must have the utmost confidence in their deployment decisions for Diameter
Edge Agent functionality in order to absolutely know their Diameter message exchange is secure at both the transport and
application level.
While this paper has shown how Diameter security is done at the transport and application level, it is still incumbent upon a
Mobile Operator to test and verify the compliance of their DEA suppliers to these two key specifications in real world conditions.
Specifically, Diameter message use is exponentially increasing, but many Diameter architectures cannot scale to perform securely at
high message rates.
Deprecated the use of the Inband-Security AVP for negotiating Transport Layer Security (TLS) [RFC 5246].
It has been generally considered that bootstrapping TLS via the Inband-Security AVP creates certain security risks because it does
not completely protect the information carried in the CER/CEA (Capabilities-Exchange-Request/Capabilities-Exchange-Answer). RFC
6733 adopts the common approach of defining a well-known secured port that peers should use when communicating via TLS/TCP
and DTLS/SCTP. This new approach augments the existing in-band security negotiation, but it does not completely replace it. The
old method is kept for backward compatibility reasons.
Sonus Networks
DS-1501 6/3