
Diameter Base Protocol

diameter \di-am-t-r\ - Any straight line segment that passes through the center of the circle and whose endpoints are on the circle.

[Figure: circle with its diameter and radius labeled]

For further information please contact:


Telecom Training Associates, Inc
21200 South LaGrange Road
Suite 317
Frankfort, IL 60423
Phone: 877-474-6951
Fax:
815-469-5747
www.telecomtrainers.com

Before We Start

Housekeeping

Introductions

Student Rosters

Overall Course Objectives

Course Outline

References / Manuals

Start / End Times

Cell Phones / Pagers

Diameter Protocol

Steve DeVries
skd@telecomtrainers.com
708-921-7972

Overall Course Objectives


During this course we will:
Describe Diameter base protocol
Explain the IETF applications
Examine how Diameter can be used in both the IP Multimedia Subsystem (IMS) and LTE networks
Show how Diameter is used in Policy and Charging Control (PCC)
Review how Diameter is transported using Stream Control Transmission Protocol (SCTP)

Diameter Base Protocol


Lesson Objectives
During this lesson, we will:
Explain how Authentication, Authorization & Accounting (AAA) is done on an IP network
Understand the Diameter protocol stack
Describe Diameter clients, servers and agents
Define Attribute Value Pairs (AVP)
Show Diameter messages and their structure
Understand Diameter applications

What is AAA?
Authentication - verifying identity
Authorization - allowed access
Accounting - collecting information

MSC

PSTN
Switch

AAA Overview Example


Lightweight Directory Access Protocol (LDAP)

LD
AP

Pr
ot
oc
ol

4
Central
Office

Firewall
3
Secure
Router

AAA on an IP Network
Remote Authentication Dial In User Service (RADIUS)
RFC 2058 (1997)
RFC 2138 (mid 1997)
RFC 2865 (2000)
Network
Access
Servers

User has
internet
provider

PSTN
Switch

User
Profile

RADIUS protocol

AAA
Server

Circuit-switched
connection
2
established

3
4

Accounting

Authentication &
Authorization

RADIUS Shortcomings
Designed for small-scale configuration (like dial-up access)
RADIUS is over UDP - no congestion control
Lacks functionality needed in today's internet access - the AAA server cannot send an unsolicited message to the access server

Network
Access
Servers

RADIUS protocol

AAA
Server

Newer Access More Demands on AAA


Need failover mechanism
Need reliable transport
Need agent support
Need server-initiated messages
Need capability negotiation
Need peer discovery & configuration
Need support for roaming

AAA
Server

MSC

From RADIUS to Diameter

RFC 2058 - RADIUS


RFC 2138 - RADIUS
RFC 2865 - RADIUS
RFC 3588 - Diameter Base (2003)
RFC 6733 - Diameter Base (2012)

Improvements over RADIUS


Failover Mechanism
Transmission Layer Security
Reliable Transport
Agent Support

RADIUS

Server-Initiated Messages
Diameter

Auditing
Support for Transition
Capability Negotiation
Peer Discovery and Configuration
Support for Roaming

Diameter Base Protocol Highlights

Peer-to-Peer protocol rather than client / server


Any peer can send a request to the other peer
Diameter messages are either requests or answers
Requests are always answered
Diameter is a binary-encoded protocol

AAA
Server
MSC

What Diameter Provides


It delivers Attribute Value Pairs (AVP)
It can negotiate capabilities
It can provide error notification
It is extensible through new commands & AVPs
It allows any node to initiate a request

AAA
Server
MSC

Diameters Extensibility

Diameter
Client

Define new Attribute Value Pairs (AVP)


Create new AVP values
Create new authentication applications
create new authorization applications
Create new accounting applications

Diameter
Server

RFC 3588 RFC 6733


Improvements

RFC 3588: IPSec required for intra-Realm
RFC 6733: TLS (TCP) & DTLS (SCTP)

RFC 3588: Port 3868
RFC 6733: 3868 for TCP & SCTP; 5868 for TLS & DTLS

RFC 3588: CER/CEA used Inband-Security AVP to establish TLS
RFC 6733: If security is applied, it is set up before the CER/CEA.

RFC 3588: Not clear about the use of Application-ID AVPs within a session for application & base messages
RFC 6733: Diameter messages (application & base) related to a session must carry the Application-ID AVPs

RFC 3588: No capability update without taking a session down
RFC 6733: Capabilities-Update-Request/Answer (RFC 6737)

RFC 3588: E2E-Sequence AVP used for end-to-end protection
RFC 6733: E2E-Sequence AVP is deprecated

RFC 3588: Loop Detection explained
RFC 6733: Loop detection and recovery explained

Inband-Security AVP defined

Diameter Functionality
Basic Overview
Diameter Client

Diameter Server

Diameter
Client Application

Diameter
Client Application

Session Management

Session Management

Routing Management

Routing Management

Connection
Management

Connection
Management

Base Protocol

Base Protocol

Diameter Functionality
Connection Management
Diameter Client
Diameter
Client Application

Diameter Server
Diameter
Client Application

Peer discovery
Session Management
Session Management
Transport
Capabilities negotiation
Keep alive & disconnect
Routing Management
Routing Management

Connection
Management

Connection
Management

Base Protocol

Base Protocol

Diameter Functionality
Routing Management
Diameter Client
Diameter
Client Application

Diameter Server

Determined by node type


Loop detection
Failover & failback
Duplicate detection

Diameter
Client Application

Session Management

Session Management

Routing Management

Routing Management

Connection
Management

Connection
Management

Base Protocol

Base Protocol

Diameter Functionality
Session Management
Diameter Client

Diameter Server

Diameter
Client Application

Diameter
Client Application

Session Management

Session Management

Routing Management

Connection
Management
Base Protocol

Session is related to
Routing Management
progression of events
Application provides
guidelines
Connection
Stateful or stateless
Management
Base Protocol

Diameter Base Protocol Stack


Applications
Diameter Base Protocol
TCP or SCTP
IP
Network Access
Protocol
Physical

Credit Control Application


Network Access Server Application
Mobile IPv4 Application
SIP Application

Basic functionality
Implemented in all Diameter nodes
Application Independent
Reliable transport
Diameter messages are retransmitted
Heartbeat monitors the status of connection
Transmits datagrams
No end-to-end reliability
Interface IP layer to physical
Data link layer
MAC address
Electrical & functional characteristics
Binary transmission

What is Diameter Used For?


Applications

Can be used with applications


Can define new applications

Diameter Base Protocol


Can be used for accounting only
TCP or SCTP

IP

Network Access Protocol

Physical

Diameter Example Applications


Mobile
IPv4
Apps

3GPP
Apps

Credit
Control
Apps

NASREQ
Apps

Diameter Base Protocol


TCP or SCTP

IP

Network Access Protocol

Physical

SIP
Apps

Diameter Addresses
DiameterIdentity & DiameterURI

Diameter
Client

DiameterIdentity used to identify a node or a realm


DiameterIdentity = FQDN / Realm
DiameterURI follows URI (RFC 3986)
Has the form aaa[s]:// FQDN [port] [transport] [protocol]

Diameter
Server

Diameter Transport
Must support either
TCP or SCTP

Diameter
Client

Diameter
Agent
Diameter
Agent

Diameter
Agent

Must support both
TCP and SCTP

Diameter
Server

Diameter Functional Entities


Clients, Servers & Agents
Diameter
Client
Diameter
Server
Proxy
Agent
Diameter
Nodes

Redirect
Agent
Relay
Agent
Translation
Agent

Diameter Nodes
Clients & Servers

Diameter
Client

Diameter
Server

Request and answer originators


Where applications normally reside
Must support base protocol (accounting)
Referred to as Diameter NASREQ if it supports NASREQ
Referred to As Diameter DIAMMIP if it supports IPv4
Referred to as Diameter Client (or Server) if it supports both

Diameter Nodes
Agents
Diameter
Agent
(Relay)

Diameter
Client

Diameter
Agent
(Proxy)
Diameter
Agent
(Redirect)

Diameter
Agent
(Translation)

Diameter
Server

Forward requests and answers


Add routing information to the message

Diameter Agents
Stateless
Diameter Client - Diameter Agent - Diameter Server

1 Client to Agent: Request, Identifier = 1234
Agent: Keep Identifier (Hop-by-Hop) 1234
Agent: Replace Identifier (Hop-by-Hop) with 5678
4 Agent to Server: Request, Identifier = 5678
5 Server to Agent: Answer, Identifier = 5678
Agent: Replace 5678 with 1234
8 Agent to Client: Answer, Identifier = 1234
Agent: Release transaction
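
The identifier swap on the stateless-agent slide, written out as a transaction table. This is an added example, not code from the course material: the class and method names, the peer labels, the 30-second timeout and the choice to require an answer to arrive from the peer the request was sent to are assumptions of the example.

```python
import itertools


class RelayAgent:
    """Keeps transaction state only: one entry per request awaiting its answer."""

    def __init__(self, first_hop_by_hop=5678, timeout=30.0):
        self._ids = itertools.count(first_hop_by_hop)
        # assigned hop-by-hop id -> (upstream peer, original id, downstream peer, deadline)
        self._pending = {}
        self.timeout = timeout

    def forward_request(self, request, from_peer, to_peer, now):
        """Keep the received Hop-by-Hop Identifier and replace it with a local one."""
        assigned = next(self._ids) & 0xFFFFFFFF      # the field is 32 bits wide
        self._pending[assigned] = (from_peer, request["hop_by_hop"],
                                   to_peer, now + self.timeout)
        # The End-to-End Identifier is left untouched.
        return to_peer, dict(request, hop_by_hop=assigned)

    def forward_answer(self, answer, from_peer, now):
        """Restore the original identifier and release the transaction.

        Returns None when the answer matches no pending request, or arrives
        from a peer other than the one the request was sent to; such an
        answer is discarded instead of being forwarded upstream.
        """
        self.expire(now)
        entry = self._pending.get(answer["hop_by_hop"])
        if entry is None or entry[2] != from_peer:
            return None
        del self._pending[answer["hop_by_hop"]]      # release transaction
        upstream, original_id = entry[0], entry[1]
        return upstream, dict(answer, hop_by_hop=original_id)

    def expire(self, now):
        """Drop transactions whose answer never came, so the table cannot grow forever."""
        stale = [key for key, entry in self._pending.items() if entry[3] <= now]
        for key in stale:
            del self._pending[key]
        return len(stale)

    def pending(self):
        return len(self._pending)


if __name__ == "__main__":
    agent = RelayAgent()
    # Constructed messages: only the two identifiers matter for this example.
    request = {"hop_by_hop": 1234, "end_to_end": 42}
    peer, forwarded = agent.forward_request(request, "client", "server", now=0.0)
    print(peer, forwarded)
    print(agent.forward_answer({"hop_by_hop": 5678, "end_to_end": 42}, "server", now=1.0))
```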

Diameter Agents
Stateful

Diameter Client - Diameter Agent - Diameter Server

1 Client to Agent: Request1 (Session-Timeout AVP1, Session-ID AVP2)
Agent: Keep Track of Session-ID AVP2
3 Agent to Server: Request1 (Session-Timeout AVP1, Session-ID AVP2)
4 Server to Agent: Answer1
6 Agent to Client: Answer1
Agent: Session 1 Expires or Receives Answer1

Diameter Nodes and Agents


Relay Agent
[Figure: Diameter clients/servers exchanging requests and answers through a Relay Agent]

Route based on information within messages
May be used to combine requests within a common geographical area
Cannot modify message content
Can modify routing information
Should not maintain session state (not stateful)
Must maintain transaction state (be stateless)

Diameter Nodes and Agents


Proxy Agent

Lookup for example.com


Proxy Agent
1

Diameter
Client

Request
Answer
4

Lookup for example.com


Local Process

Lookup for example.com


Diameter Server

Diameter
Proxy
Agent

Request

Answer

Diameter
Server

Can modify message and AVP content


May maintain session state (may be stateful)
Must maintain transaction state (be stateless)
Must maintain the state of downstream peers
Must only advertise the Diameter applications they support

Diameter Nodes and Agents


Redirect Agent
Lookup for example.com
Proxy Agent
1

Diameter
Client

Diameter
Proxy
Agent

Request

Answer

Redirect
Notification

Useful for centralized routing


They do not relay messages
Do not modify messages
They cannot maintain session
state (not stateful)
Not required to maintain
transaction state (not stateless)

Request

Diameter
Redirect
Agent

Request

Answer
5

Lookup for example.com


Local Process

Lookup for example.com


Diameter Server

Diameter
Server

Diameter Nodes and Agents


Translation Agent

RADIUS
Client

RADIUS Request
RADIUS Answer
4

Translation
Agent

Diameter Request
Diameter Answer

Diameter
Server

Provides translation between two protocols


Must maintain session state (be stateful)
Must maintain transaction state (be stateless)
Must only advertise the Diameter applications they support

Diameter Connections & Sessions

Diameter
Client

Relay
Agent

peer connection X

Diameter
Server

peer connection Y

user connection A

Session State & Transaction State


(Session_ID = 1234),

Request #1

(Session_ID = 1234),

Request #2

Answer #1 (Session_ID = 1234)

Diameter
Client
Answer #2 (Session_ID = 1234)

(Session_ID = 1234),

Session-Termination-Request

Session-Termination-Answer (Session_ID = 1234)


Transaction State lasts one message - request & answer
Session state can last one or more messages
Session states are stateful and they include the same
Session_ID AVP value

Diameter
Server

Peer Table

Realm2.com
Translation
Agent I

Host
Identity

StatusT

Static or
Dynamic

NodeB.realm1.com
NodeC.realm1.com
NodeE.realm1.com
NodeG.realm2.com

Idle
Closing
Idle
Open

Dynamic
Static
Static
Dynamic

TLS/TCP
Expiration
DTLS/SCTP
Time
Enabled

800

600

False
False
True
True

Relay
Agent G

Application
Server H

Realm1.com
Diameter
Client A
Relay
Agent E
Application
Server F

Redirect
Agent B

Proxy
Agent C
Application
Server D

Realm-Based Routing
1
Diameter
Client/
Server

Relay
Agent

t
Reques

Diameter
Client/
Server
3

Diameter
Client/
Server

es
qu
t

Realm Name
Application Identifier
Local Action
- Local
- Relay
- Proxy
- Redirect
Server Identifier
Static or Dynamic
Expiration Time

4
Re

Diameter
Client/
Server

Diameter
Client/
Server

Diameter
Client/
Server

Realm-Routing Example
Host
Identity

StatusT

Static or
Dynamic

NodeB.realm1.com
NodeC.realm2.com
NodeF.realm3.com

Open
Open
Open

Dynamic
Dynamic
Dynamic

Expiration
Time

TLS/TCP
DTLS/SCTP
Enabled

True
True
True

Realm1.com
Diameter
Client A
App-ID 1, 2, 3, 4

Realm2.com
Application
Server D
App-ID 5
Relay
Agent C

Peer Table

Application
Server E
App-ID 2

Realm3.com
Application
Server B
App-ID 1 (Local)
Host
Identity

App-ID

Server-ID

Local
Action

Discovery

NodeB.realm1.com
NodeC.realm2.com
NodeF.realm3.com
NodeF.realm3.com

App-ID 1
App-ID 2
App-ID 3
App-ID 4

Node B
Node C
Node F
Node F

Local
Relay
Proxy
Proxy

Dynamic
Dynamic
Dynamic
Dynamic

Realm-Routing Table

Expiration
Time

Application
Server G
App-ID 3
Proxy
Agent F

Application
Server H
App-ID 4

Initiating a Diameter Message


Generates Diameter messages
to request AAA for the user

Proxy

Performs Authentication and


Authorization of the user
Can act as client or server
Supports some server-initiated
messages

Network
Access
Servers
Redirect

AAA
Server

(Diameter
Client)
Relay

(Diameter
Agents)

(Diameter
Server)

Diameter Requests & Answers

Request

Answer (containing a Result Code)

Diameter
Client

Diameter
Server
The request was a success!
Sorry, the request has failed
I need some more information before I tell you whether it was successful or not
I don't have a clue what you want, but here is a peer's address who might be able to help you

Authorizing a Path
Diameter
Client

Realm A

Realm B

Relay/
Proxy
Agent

Relay/
Proxy
Agent

Diameter
Server

Request
Origin-Host = Client.com
Origin-Realm = Client.Realm.com
Destination-Realm = Server.Realm.com

Request
Origin-Host = Client.com
Origin-Realm = Client.Realm.com
Destination-Realm = Server.Realm.com
Route-Record = Proxy.RealmA.com

Request
Origin-Host = Client.com
Origin-Realm = Client.Realm.com
Destination-Realm = Server.Realm.com
Route-Record = Proxy.RealmA.com
Route-Record = Proxy.RealmB.com

Answer
Origin-Host = Server.com
Origin-Realm = Server.Realm.com

Answer
Origin-Host = Server.com
Origin-Realm = Server.Realm.com

Answer
Origin-Host = Server.com
Origin-Realm = Server.Realm.com

Diameter Basic Message Format


Diameter Header

AVP

Version
Length
Flags
Command Code
Application ID
Hop-by-Hop Identifier
End-to-End Identifier

AVP Header

Code
Flag
Length
Vendor ID (optional)

AVP Data

AVP

AVP

AVP

IP Packet Structure
1
2
3
01234567890123456789012345678901
Version

Length

Type of Service
Flags

Identification
Time To Live

Total Length
Fragment Offset
Header Checksum

Protocol
Source Address
Destination Address

Data

0 0 0 0 0 1 1 0 - TCP
1 0 0 0 0 1 0 0 - SCTP

User (e.g. Diameter)

TCP Packet Structure

IP Packet Structure

1
2
3
01234567890123456789012345678901
Source Port (3868)

Destination Port (3868)


Sequence Number
Acknowledgement Number

Data
Offset

Reserved

Window

Flags

Checksum

Urgent Pointer
Options

Data

SCTP Packets
IP Packet Structure (see IP Packet Structure Page)
Data

1
2
3
01234567890123456789012345678901
SCTP Common Header
Chunk Number 1
Chunk Number 2

Chunk Number n

SCTP Common Header Format


SCTP Common Header
Chunk Number 1
Chunk Number 2
Data

Chunk Number n
SCTP Packet Structure

IP Packet Structure

1
2
3
01234567890123456789012345678901
Source Port Number (3868)

Destination Port Number (3868)

Verification Tag
Checksum

SCTP - Payload Data (DATA)


SCTP Common Header
Chunk Number 1
Chunk Number 2
Data

Chunk Number n
SCTP Packet Structure

IP Packet Structure

1
2
3
01234567890123456789012345678901
Source Port Number

Destination Port Number


Verification Tag
Checksum

Chunk Type = 0

Reserved U B E

Chunk Length

Transmission Sequence Number (TSN)


Stream Identifier S

Stream Sequence Number n

Payload Protocol Identifier (46 or 47)


User Data (Diameter Message)

Diameter Protocol Format

1
2
3
01234567890123456789012345678901
Version
Command Flags

Message Length
Command-Code
Application-ID
Hop-by-Hop Identifier
End-to-End Identifier
Attribute Value Pair (AVP) 1

Attribute Value Pair (AVP) 2

Attribute Value Pair (AVP) n

Diameter Base Protocol


Command Flags

Version

Message Length

Command Flags

Command-Code
Application-ID

Hop-by-Hop Identifier

reserved

End-to-End Identifier
Attribute Value Pair (AVP) 1
Attribute Value Pair (AVP) 2
Attribute Value Pair (AVP) n

Request
Proxiable
Error
Potentially re-transmitted

Diameter Base Protocol


Command-Code
Version

Message Length

Command Flags

Command-Code
Application-ID

Hop-by-Hop Identifier
End-to-End Identifier
Attribute Value Pair (AVP) 1
Attribute Value Pair (AVP) 2
Attribute Value Pair (AVP) n

Command-Name                    Abbreviation  Command-Code
Abort-Session-Request           ASR           274
Abort-Session-Answer            ASA           274
Accounting-Request              ACR           271
Accounting-Answer               ACA           271
Capabilities-Exchange-Request   CER           257
Capabilities-Exchange-Answer    CEA           257
Device-Watchdog-Request         DWR           280
Device-Watchdog-Answer          DWA           280
Disconnect-Peer-Request         DPR           282
Disconnect-Peer-Answer          DPA           282
Re-Auth-Request                 RAR           258
Re-Auth-Answer                  RAA           258
Session-Termination-Request     STR           275
Session-Termination-Answer      STA           275

Diameter Base Protocol


Application-ID
Version

Message Length

Command Flags

Command-Code

Application-ID
Hop-by-Hop Identifier
End-to-End Identifier
Attribute Value Pair (AVP) 1
Attribute Value Pair (AVP) 2
Attribute Value Pair (AVP) n

Diameter Common Messages    0
NASREQ                      1 (RFC 3588)
Mobile-IP                   2 (RFC 3588)
Diameter Base Accounting    3
Relay                       0xffffffff

Diameter Base Protocol


Identifiers
Version

Message Length

Command Flags

Command-Code
Application-ID

Hop-by-Hop Identifier
End-to-End Identifier
Attribute Value Pair (AVP) 1
Attribute Value Pair (AVP) 2
Attribute Value Pair (AVP) n

Hop-by-Hop Identifier - unique across peer-to-peer connections


End-to-End Identifier - Unique across end-to-end connection

Attribute Value Pairs (AVP)


Version

Message Length

Command Flags

Command-Code
Application-ID

Hop-by-Hop Identifier
End-to-End Identifier

Attribute Value Pair (AVP) 1


Attribute Value Pair (AVP) 2
Attribute Value Pair (AVP) n

AVP Code
M - Mandatory
P - Need for Encryption
V - Vendor-Specific

Flags

AVP-Length
Vendor-ID (optional)
Data

AVP Flags
Version

Message Length

Command Flags

Command-Code
Application-ID

AVP Code

Hop-by-Hop Identifier

Flags

End-to-End Identifier

AVP-Length
Vendor-ID (optional)

Attribute Value Pair (AVP) 1


Attribute Value Pair (AVP) 2

Data

Attribute Value Pair (AVP) n

Reserved (set to 0)
Need for end-to-end security (future)
Mandatory (receiver needs to understand it)
Vendor-Specific (Vendor-ID in header is present)
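
The header and AVP layout from the slides above, as a parser that refuses to trust the length fields. This is an added example, not code from the course material: the function names are hypothetical, the flag bit values (R/P/E/T = 0x80/0x40/0x20/0x10 and AVP V/M/P = 0x80/0x40/0x20) and the 4-byte AVP padding come from RFC 6733, and the sample CER is constructed from the values on the CER AVP Sample Data slide, with "TTA Control Plane Function" assumed to be the Product-Name.

```python
import socket
import struct

HEADER_LEN = 20                                   # fixed Diameter header size
CMD_FLAGS = ((0x80, "R"), (0x40, "P"), (0x20, "E"), (0x10, "T"))
AVP_V, AVP_M, AVP_P = 0x80, 0x40, 0x20            # Vendor-Specific, Mandatory, Protected


class DiameterParseError(ValueError):
    """A version or length field that cannot be trusted."""


def encode_avp(code, data, flags=AVP_M, vendor_id=None):
    """AVP Code(4) Flags(1) AVP-Length(3) [Vendor-ID(4)] Data, zero-padded to 4 bytes."""
    body = data
    if vendor_id is not None:
        flags |= AVP_V
        body = struct.pack("!I", vendor_id) + data
    length = 8 + len(body)                        # covers the header, not the padding
    head = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return head + body + b"\x00" * (-length % 4)


def encode_message(command_code, app_id, hop_by_hop, end_to_end, avps, flags=0x80):
    """Version(1) Length(3) Flags(1) Command-Code(3) App-ID(4) HbH(4) E2E(4) AVPs."""
    body = b"".join(avps)
    length = HEADER_LEN + len(body)
    return (b"\x01" + length.to_bytes(3, "big") + bytes([flags])
            + command_code.to_bytes(3, "big")
            + struct.pack("!III", app_id, hop_by_hop, end_to_end) + body)


def parse_avps(body):
    avps, off = [], 0
    while off < len(body):
        if len(body) - off < 8:
            raise DiameterParseError("truncated AVP header at offset %d" % off)
        code, flags = struct.unpack_from("!IB", body, off)
        length = int.from_bytes(body[off + 5:off + 8], "big")
        header = 12 if flags & AVP_V else 8
        padded = length + (-length % 4)
        # A length below the header size would stall the loop (length 0) or
        # restart parsing inside this AVP; a length past the end of the
        # message would read bytes that were never received.
        if length < header or off + padded > len(body):
            raise DiameterParseError("AVP %d: bad AVP-Length %d" % (code, length))
        vendor_id = struct.unpack_from("!I", body, off + 8)[0] if flags & AVP_V else None
        avps.append({"code": code, "vendor_id": vendor_id,
                     "mandatory": bool(flags & AVP_M),
                     "data": body[off + header:off + length]})
        off += padded
    return avps


def parse_message(buf):
    if len(buf) < HEADER_LEN:
        raise DiameterParseError("shorter than the 20-byte header")
    version, flags = buf[0], buf[4]
    length = int.from_bytes(buf[1:4], "big")
    if version != 1:
        raise DiameterParseError("unsupported version %d" % version)
    if length != len(buf) or length % 4:
        raise DiameterParseError("Message Length %d does not match %d bytes"
                                 % (length, len(buf)))
    app_id, hop_by_hop, end_to_end = struct.unpack_from("!III", buf, 8)
    return {"length": length,
            "flags": "".join(name for bit, name in CMD_FLAGS if flags & bit),
            "command_code": int.from_bytes(buf[5:8], "big"),
            "application_id": app_id,
            "hop_by_hop": hop_by_hop,
            "end_to_end": end_to_end,
            "avps": parse_avps(buf[HEADER_LEN:])}


def build_sample_cer():
    """Constructed CER; identifiers 0x1234 / 0xABCD0001 are made up for the example."""
    host_ip = struct.pack("!H", 1) + socket.inet_aton("182.168.53.6")  # family 1 = IPv4
    avps = [
        encode_avp(264, b"sdctor001-03.sdc.4g.tta.net"),          # Origin-Host
        encode_avp(296, b"sdc.4g.tta.net"),                       # Origin-Realm
        encode_avp(257, host_ip),                                 # Host-IP-Address
        encode_avp(266, struct.pack("!I", 12345)),                # Vendor-Id
        encode_avp(269, b"TTA Control Plane Function", flags=0),  # Product-Name (assumed)
        encode_avp(258, struct.pack("!I", 16777251)),             # Auth-Application-Id
        encode_avp(299, struct.pack("!I", 0)),                    # Inband-Security-Id
    ]
    return encode_message(257, 0, 0x00001234, 0xABCD0001, avps)


if __name__ == "__main__":
    for avp in parse_message(build_sample_cer())["avps"]:
        print(avp["code"], avp["data"])
```

The encoded Vendor-Id AVP begins with the same bytes as the `0000010a4000000c000..` fragment on the sample-data slide: code 266, M flag set, AVP-Length 12.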

Diameter Base Protocol AVPs


Attribute Name                   AVP Code
Acct-Interim-Interval            85
Acct-Multi-Session-Id            50
Accounting-Record-Type           480
Accounting-Sub-Session-Id        287
Auth-Application-Id              258
Authorization-Lifetime           291
Auth-Session-State               277
Class                            25
Destination-Realm                283
E2E-Sequence AVP                 300
Error-Reporting-Host             294
Experimental-Result              297
Failed-AVP                       279
Host-IP-Address                  257
Multi-Round-Time-Out             272
Origin-Realm                     296
Product-Name                     269
Proxy-Info                       284
Redirect-Host                    292
Redirect-Max-Cache-Time          262
Route-Record                     282
Session-Timeout                  27
Session-Server-Failover          271
Termination-Cause                295
Vendor-Id                        266
Accounting-Realtime-Required     483
Accounting-Record-Number         485
Accounting-Session-Id            44
Acct-Application-Id              259
Auth-Request-Type                274
Auth-Grace-Period                276
Re-Auth-Request-Type             285
Destination-Host                 293
Disconnect-Cause                 273
Error-Message                    281
Event-Timestamp                  55
Experimental-Result-Code         298
Firmware-Revision                267
Inband-Security-Id               299
Origin-Host                      264
Origin-State-Id                  278
Proxy-Host                       280
Proxy-State                      33
Redirect-Host-Usage              261
Result-Code                      268
Session-Id                       263
Session-Binding                  270
Supported-Vendor-Id              265
User-Name                        1
Vendor-Specific-Application-Id   260

* Defined in RFC 3588, deprecated in RFC 6733

AVP Basic Data Formats


Version

Message Length

Command Flags

Command-Code

AVP Code

Application-ID

AVP Length

Flags

Hop-by-Hop Identifier

Vendor-ID (optional)

End-to-End Identifier

Data

Attribute Value Pair (AVP) 1


Attribute Value Pair (AVP) 2
Attribute Value Pair (AVP) n

octetstring
integer32
integer64
unsigned32
unsigned64
float32
float64
grouped
derived

AVP Derived Data Formats


Version

Message Length

Command Flags

Command-Code
Application-ID

AVP Code
AVP Length

Flags

Hop-by-Hop Identifier

Vendor-ID (optional)

End-to-End Identifier

Data

Attribute Value Pair (AVP) 1


Attribute Value Pair (AVP) 2
Attribute Value Pair (AVP) n

Address
Time
UTF8String
DiameterIdentity
DiameterURI
Enumerated
IPFilterRule
QOSFilterRule *

octetstring
integer32
integer64
unsigned32
unsigned64
float32
float64
grouped
derived

Basic Data Formats

Derived Data Formats

* Defined in RFC 3588, not in RFC 6733

AVP Table
RFC 3588 - Section 4.5

                                 AVP   Section               AVP Flag Rules
Attribute Name                   Code  Defined  Data Type    MUST  MAY  SHLD NOT  MUST NOT  MAY Encr
Acct-Interim-Interval            85    9.8.2    Unsigned32   M     P              V         Y
Accounting-Realtime-Required     483   9.8.7    Enumerated   M     P              V         Y
Acct-Multi-Session-Id            50    9.8.5    UTF8String   M     P              V         Y
Accounting-Record-Number         485   9.8.3    Unsigned32   M     P              V         Y
Accounting-Record-Type           480   9.8.1    Enumerated   M     P              V         Y
Accounting-Session-Id            44    9.8.4    OctetString  M     P              V         Y
Accounting-Sub-Session-Id        287   9.8.6    Unsigned64   M     P              V         Y
Destination-Host                 293   6.5      DiamIdent    M     P              V         N
Destination-Realm                283   6.6      DiamIdent    M     P              V         N
Disconnect-Cause                 273   5.4.3    Enumerated   M     P              V         N
Firmware-Revision                267   5.3.4    Unsigned32                        P,V,M     N
Host-IP-Address                  257   5.3.5    Address      M     P              V         N
Inband-Security-Id               299   6.10     Unsigned32   M     P              V         N
Origin-Host                      264   6.3      DiamIdent    M     P              V         N
Origin-Realm                     296   6.4      DiamIdent    M     P              V         N
Vendor-Id                        266   5.3.3    Unsigned32   M     P              V         N
Vendor-Specific-Application-Id   260   6.11     Grouped      M     P              V         N

M - Mandatory
P - Protected
V - Vendor-Specific

AVP Table
RFC 6733 - Section 4.5

                                 AVP   Section               AVP Flag Rules
Attribute Name                   Code  Defined  Data Type    MUST  MUST NOT
Acct-Interim-Interval            85    9.8.2    Unsigned32   M     V
Accounting-Realtime-Required     483   9.8.7    Enumerated   M     V
Acct-Multi-Session-Id            50    9.8.5    UTF8String   M     V
Accounting-Record-Number         485   9.8.3    Unsigned32   M     V
Accounting-Record-Type           480   9.8.1    Enumerated   M     V
Accounting-Session-Id            44    9.8.4    OctetString  M     V
Accounting-Sub-Session-Id        287   9.8.6    Unsigned64   M     V
Destination-Host                 293   6.5      DiamIdent    M     V
Destination-Realm                283   6.6      DiamIdent    M     V
Disconnect-Cause                 273   5.4.3    Enumerated   M     V
Error-Message                    281   7.3      UTF8String         V,M
Host-IP-Address                  257   5.3.5    Address      M     V
Inband-Security-Id               299   6.10     Unsigned32   M     V
Origin-Host                      264   6.3      DiamIdent    M     V
Origin-Realm                     296   6.4      DiamIdent    M     V
Vendor-Id                        266   5.3.3    Unsigned32   M     V
Vendor-Specific-Application-Id   260   6.11     Grouped      M     V

M - Ma
V - Ve

AVP Occurrence Table


Attribute Name                CER  CEA  DPR  DPA  DWR  DWA  RAR  RAA  ASR  ASA  STR  STA
Accounting-Interim-Interval   0    0    0    0    0    0    0-1  0    0    0    0    0
Acct-Realtime-Required        0    0    0    0    0    0    0-1  0    0    0    0    0
Acct-Application-ID           0+   0+   0    0    0    0    0    0    0    0    0    0
Destination-Host              0    0    0    0    0    0    1    0    1    0    0-1  0
Destination-Realm             0    0    0    0    0    0    1    0    1    0    1    0
Destination-Cause             0    0    1    0    0    0    0    0    0    0    0    0
Error-Message                 0    0-1  0    0-1  0    0-1  0    0-1  0    0-1  0    0-1
Firmware-Revision             0-1  0-1  0    0    0    0    0    0    0    0    0    0
Host-IP-Address               1+   1+   0    0    0    0    0    0    0    0    0    0
Origin-Host                   1    1    1    1    1    1    1    1    1    1    1    1
Origin-Realm                  1    1    1    1    1    1    1    1    1    1    1    1
Origin-State-ID               0-1  0-1  0    0    0-1  0-1  0-1  0-1  0-1  0-1  0-1  0-1
Product-Name                  1    1    0    0    0    0    0    0    0    0    0    0
Result-Code                   0    1    0    1    0    1    0    1    0    1    0    1
Re-Auth-Request-Type          0    0    0    0    0    0    1    0    0    0    0    0
Route-Record                  0    0    0    0    0    0    0+   0    0+   0    0+   0
Session-Binding               0    0    0    0    0    0    0    0    0    0    0    0
Session-ID                    0    0    0    0    0    0    1    1    1    1    1    1
Termination-Cause             0    0    0    0    0    0    0    0    0    0    1    0
User-Name                     0    0    0    0    0    0    0-1  0-1  0-1  0-1  0-1  0-1
Vendor-ID                     1    1    0    0    0    0    0    0    0    0    0    0
Vendor-Specific-Appl-ID       0+   0+   0    0    0    0    0    0    0    0    0    0

Protocol Structure Review

[Figure: nested structure review. IP Packet Structure carries the SCTP Packet Structure (SCTP Common Header: Source Port Number, Destination Port Number, Verification Tag, Checksum; Chunk Number 1 to n). The Payload Data Chunk (Chunk Type = 0, Flags, Chunk Length, Transmission Sequence Number, Stream Identifier, Stream Sequence Number, Payload Protocol Identifier) carries the User Data Diameter Message. The Diameter Base Protocol message (Version, Message Length, Command Flags, Command-Code, Application-ID, Hop-by-Hop Identifier, End-to-End Identifier) carries Attribute Value Pairs (AVP) 1 to n, each with AVP Code, Flags, AVP Length, Vendor-ID (optional) and Data.]

Negotiating Capabilities
Capabilities-Exchange-Request (CER)

Diameter
Node

Application 33
Application 44
Application 55
Inband Security 1 (3588)
Inband Security 2 (3588)

Origin-Host
Origin-Realm
Host-IP-Address
Vendor-ID
Product-Name
Inband Security-ID 1
Inband-Security-ID 2
Vendor-Specific-Application-ID 33
Vendor-Specific-Application-ID 44
Vendor-Specific-Application-ID 55

Capabilities-Exchange-Answer (CEA)

Result-Code = SUCCESS
Origin-Host
Origin-Realm
Host-IP-Address
Vendor-ID
Product-Name
Inband Security-ID 1
Vendor-Specific-Application-ID 33
Vendor-Specific-Application-ID 44

Diameter
Node
Application 33
Application 44
Inband Security 1 (3588)
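
The capabilities exchange on this slide, from the side of the node that receives the CER. This is an added example, not code from the course material: the function names and the dict-of-lists message model are hypothetical, the occurrence limits are the CER column of the AVP Occurrence Table above, the Result-Code values are those defined in RFC 6733, and the in-band security comparison follows the RFC 3588 flow the slide shows.

```python
DIAMETER_SUCCESS = 2001
DIAMETER_MISSING_AVP = 5005
DIAMETER_AVP_OCCURS_TOO_MANY_TIMES = 5009
DIAMETER_NO_COMMON_APPLICATION = 5010
DIAMETER_NO_COMMON_SECURITY = 5017

RELAY_APP_ID = 0xFFFFFFFF        # "Relay" in the Application-ID table
NO_INBAND_SECURITY = 0

# (minimum, maximum) occurrences in a CER; None means no upper bound.
CER_OCCURRENCE = {
    "Origin-Host": (1, 1),
    "Origin-Realm": (1, 1),
    "Host-IP-Address": (1, None),
    "Vendor-Id": (1, 1),
    "Product-Name": (1, 1),
    "Origin-State-Id": (0, 1),
    "Firmware-Revision": (0, 1),
}
# Assumption: each Vendor-Specific-Application-Id is flattened to its application id.
APPLICATION_AVPS = ("Auth-Application-Id", "Acct-Application-Id",
                    "Vendor-Specific-Application-Id")


def check_occurrence(cer):
    """Return (result_code, avp_name) for the first rule broken, else None."""
    for name, (low, high) in CER_OCCURRENCE.items():
        count = len(cer.get(name, []))
        if count < low:
            return DIAMETER_MISSING_AVP, name
        if high is not None and count > high:
            return DIAMETER_AVP_OCCURS_TOO_MANY_TIMES, name
    return None


def advertised_applications(message):
    apps = set()
    for name in APPLICATION_AVPS:
        apps.update(message.get(name, []))
    return apps


def answer_cer(cer, local_applications, local_security):
    """Decide the Result-Code of the CEA and what both peers have in common."""
    broken = check_occurrence(cer)
    if broken:
        return {"Result-Code": broken[0], "Failed-AVP": broken[1]}

    peer_apps = advertised_applications(cer)
    local_apps = set(local_applications)
    if RELAY_APP_ID in peer_apps:          # a relay accepts every application
        common_apps = local_apps
    elif RELAY_APP_ID in local_apps:
        common_apps = peer_apps
    else:
        common_apps = peer_apps & local_apps
    if not common_apps:
        return {"Result-Code": DIAMETER_NO_COMMON_APPLICATION}

    # An absent Inband-Security-Id is treated as NO_INBAND_SECURITY.
    peer_security = set(cer.get("Inband-Security-Id") or [NO_INBAND_SECURITY])
    common_security = peer_security & set(local_security)
    if not common_security:
        return {"Result-Code": DIAMETER_NO_COMMON_SECURITY}

    return {"Result-Code": DIAMETER_SUCCESS,
            "applications": sorted(common_apps),
            "security": sorted(common_security)}


# Constructed CER matching the slide: applications 33, 44, 55 and security 1, 2.
SLIDE_CER = {
    "Origin-Host": ["node-a.example.com"],       # placeholder identity
    "Origin-Realm": ["example.com"],
    "Host-IP-Address": ["192.0.2.1"],            # documentation address
    "Vendor-Id": [12345],
    "Product-Name": ["constructed-sample"],
    "Inband-Security-Id": [1, 2],
    "Vendor-Specific-Application-Id": [33, 44, 55],
}

if __name__ == "__main__":
    print(answer_cer(SLIDE_CER, local_applications={33, 44}, local_security={1}))
```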

Establishing the Connection


Transport & Application
Applications

Applications
CER/CEA

Diameter Base Protocol

Diameter Base Protocol

TCP or SCTP

TCP or SCTP
SYN

IP

TCP

INIT_ACK

SCTP

Diameter Node

ACK
INIT

Network Access Protocol

Physical

SYN ACK

IP

Network Access Protocol

COOKIE_ECHO
COOKIE_ACK

Physical

Diameter Node

Diameter Commands
Capabilities Exchange Request and Answer (CER , CEA)
Diameter
Node

Capabilities-Exchange-Request (CER)
Capabilities-Exchange-Answer (CEA)
Diameter
Node

Command-Code 257
First messages that nodes exchange once the transport connection is established
Messages carry the node's identity and capability (protocol version, supported Diameter applications, supported security mechanism, etc.)
RFC 6733, section 5.3.1 & 5.3.2

CER & CEA AVPs


Result-Code
Origin-Host
Origin-Realm
Host-IP-Address
Vendor-ID
Product-Name
Origin-State-ID
Error-Message
Failed-AVP
Supported-Vendor-ID
Auth-Application-ID
Inband-Security-ID
Acct-Application-ID
Vendor-Specific-Application-ID
Firmware-Revision

{ } - required AVP, occurrence 1
1* { } - required AVP, occurrence 1 +
[ ] - optional AVP, occurrence 0 or 1
*[ ] - optional AVP, occurrence 0 +

Origin-Host
Origin-Realm
Host-IP-Address
Vendor-ID
Product-Name
Origin-State-ID
Supported-Vendor-ID
Auth-Application-ID
Inband-Security-ID
Acct-Application-ID
Vendor-Specific-Application-ID
Firmware-Revision

Capabilities-Exchange-Request (CER)

Diameter
Node

Capabilities-Exchange-Answer (CEA)
Diameter
Node

CER AVP

Attribute Name                   AVP Code  Data Type    Sample Data
Origin-Host                      264       DiamIdent    sdctor001-03.sdc.4g.tta.net
Origin-Realm                     296       DiamIdent    sdc.4g.tta.net
Host-IP-Address                  257       Address      182.168.53.6
Vendor-ID                        266       Unsigned32   Telecom Training Associates (12345)
Product-Name                     269       UTF8String   TTA Control Plane Function
Supported-Vendor-ID              265       Unsigned32   98765
Auth-Application-ID              258       Unsigned32   3GPP S6a (16777251)
Inband-Security-ID               299       Unsigned32   NO_INBAND_SECURITY (0)
Acct-Application-ID              259       Unsigned32
Vendor-Specific-Application-ID   260       Grouped      0000010a4000000c000..
Firmware-Revision                267       Unsigned32
1

Capabilities-Exchange-Request (CER)
Diameter
Node
Diameter
Node

Updating Capabilities
RFC 6737
Capabilities-Exchange-Request (CER)
Capabilities-Exchange-Answer (CEA)
Diameter
Node

In RFC 3588, once a connection is established, there is no way for one node to tell its peer about updated features
Need to close the application down and bring it back up
CER / CEA is the only mechanism to advertise which applications are supported and it is only sent once
A second CER would tell the peer that this is a restart.

Diameter
Node

(Application ID 10) Capabilities-Exchange-Request (CER)


Capabilities-Exchange-Answer (CEA) (Application ID 10)
Diameter
Node

Capabilities-Update-Request (CUR)
Capabilities-Update-Answer (CUA)
RFC 6733 allows for exchanging capabilities in the open state, but it references another specification - RFC 6737
RFC 6737 introduces Capabilities-Exchange-Update (CUR) and Capabilities-Exchange-Answer (CUA); Command Code is 328
In the original CER/CEA, Application-ID 10 tells the peers that they support this feature

Diameter
Node

Message Processing
Diameter Request Message
Diameter
Node

Diameter
Node

Message contains neither the Destination-Host nor the Destination-Realm AVP


Message contains a Destination-Realm but not a Destination-Host AVP
Message contains both the Destination-Host and the Destination-Realm AVP

Transport Failure
Diameter Message (primary route)
Diameter
Node

How long should it wait for an answer?


Should it retry?
How many times should it retry?
Use DWR & DWA to detect transport failure
RFC 3539 specifies transport failure mechanisms
Pending messages are sent on a secondary path

Diameter
Node

(alternate route)

Diameter
Node

Diameter Commands
Device Watchdog Request and Answer (DWR, DWA)

Diameter
Node

Device-Watchdog-Request (DWR)
Device-Watchdog-Answer (DWA)
Diameter
Node

Command-Code 280
Sent by a Diameter node to its peer
Used to detect transport & application layer failures
Sent during periods of no regular traffic
Not sent if transport failure is detected
RFC 6733, section 5.5.1 & 5.5.2

DWR & DWA AVPs

Origin-Host
Origin-Realm
Origin-State-ID

Device-Watchdog-Request (DWR)

Diameter
Node

Device-Watchdog-Answer (DWA)
Diameter
Node

Result-Code
Origin-Host
Origin-Realm
Error-Message
Failed-AVP
Origin-State-ID

Diameter Commands
Disconnect Peer Request and Answer (DPR, DPA)
Diameter
Node

Disconnect-Peer-Request (DPR)
Disconnect-Peer-Answer (DPA)
Diameter
Node

Command-Code 282
Used to shutdown a transport connection once one
has been established
The DPR tells its peer not to re-establish a
connection unless it is absolutely essential
Not sent if transport failure is detected
RFC 6733, section 5.4.1 & 5.4.2

DPR & DPA AVPs

Origin-Host
Origin-Realm
Disconnect-Cause

Disconnect-Peer-Request (DPR)

Diameter
Node

Disconnect-Peer-Answer (DPA)
Diameter
Node

Result-Code
Origin-Host
Origin-Realm
Error-Message
Failed-AVP

Diameter Commands
Re-Auth Request and Answer (RAR, RAA)
Diameter
Server

Re-Auth-Request (RAR)
Re-Auth-Answer (RAA)
Diameter
Client

Command-Code 258
Sent by any server to access device providing session
service
Sent to re-authenticate the user
Security reasons; make sure there is no fraud
RFC 6733, section 8.3.1 & 8.3.2

RAR & RAA AVPs

Origin-Host
Origin-Realm
Destination-Realm
Destination-Host
Auth-Application-ID
Re-Auth-Request-Type
User-Name
Origin-State-ID
Proxy-Info
Route-Record

Re-Auth-Request (RAR)

Diameter
Client

Re-Auth-Answer (RAA)
Diameter
Server
Result-Code
Origin-Host
Origin-Realm
User-Name
Origin-State-ID
Error-Message
Error-Reporting-Host
Failed-AVP
Redirect-Host
Redirect-Host-Usage
Redirect-Host-Cache-Time
Proxy-Info

Diameter Commands
Session Termination Request and Answer (STR, STA)
Diameter
Client or Proxy

Session-Termination-Request (STR)
Session-Termination-Answer (STA)
Diameter
Server

Command-Code 275
Client or proxy telling server that it no longer needs
the service
Includes
Logoffs
Administrative actions
Timeouts
RFC 6733, section 8.4.1 & 8.4.2

STR & STA AVPs


Origin-Host
Origin-Realm
Destination-Realm
Destination-Host
Auth-Application-ID
Termination-Causes
Class
Origin-State-ID
Proxy-Info
Route-Record

Session-Termination-Request (STR)
Session-Termination-Answer (STA)
Diameter
Client or Proxy
Result-Code
Origin-Host
Origin-Realm
User-Name
Origin-State-ID
Error-Message
Error-Reporting-Host
Failed-AVP
Redirect-Host
Redirect-Host-Usage
Redirect-Host-Cache-Time
Proxy-Info

Diameter
Node

Diameter Commands
Abort Session Request and Answer (ASR, ASA)

[Figure: Diameter Server or Proxy sends Abort-Session-Request (ASR) to Diameter Access Device; Access Device returns Abort-Session-Answer (ASA)]

Command-Code 274
Sent by any server or proxy to the access device providing the session service
Requests that the session identified by Session-ID be stopped
Could be for lack of credit, security reasons, or administrative order
RFC 6733, section 8.5.1 & 8.5.2

ASR & ASA AVPs

Abort-Session-Request (ASR):
    Origin-Host
    Origin-Realm
    Destination-Realm
    Destination-Host
    Auth-Application-ID
    User-Name
    Origin-State-ID
    Proxy-Info
    Route-Record

Abort-Session-Answer (ASA):
    Result-Code
    Origin-Host
    Origin-Realm
    User-Name
    Origin-State-ID
    Error-Message
    Error-Reporting-Host
    Failed-AVP
    Redirect-Host
    Redirect-Host-Usage
    Redirect-Host-Cache-Time
    Proxy-Info

Diameter Commands
Accounting Request and Answer (ACR, ACA)

[Figure: Diameter Node (acting as a client) sends Accounting-Request (ACR) to Diameter Peer; Diameter Peer returns Accounting-Answer (ACA)]

Command-Code 271
Sent by a Diameter node acting as a client, to exchange accounting information with a peer
Diameter node reports an accounting event
ACR includes information that helps the server record the event
RFC 6733, section 9.7.1 & 9.7.2

ACR & ACA AVPs

Accounting-Request (ACR):
    Origin-Host
    Origin-Realm
    Destination-Realm
    Accounting-Record-Type
    Accounting-Record-Number
    Acct-Application-ID
    Vendor-Specific-Application-ID
    User-Name
    Accounting-Sub-Session-ID
    Acct-Session-ID
    Acct-Multi-Session-ID
    Acct-Interim-Interval
    Accounting-Realtime-Required
    Origin-State-ID
    Event-Timestamp
    Proxy-Info
    Route-Record

Accounting-Answer (ACA):
    Result-Code
    Origin-Host
    Origin-Realm
    Accounting-Record-Type
    Accounting-Record-Number
    Acct-Application-ID
    Vendor-Specific-Application-ID
    User-Name
    Accounting-Sub-Session-ID
    Acct-Session-ID
    Acct-Multi-Session-ID
    Error-Reporting-Host
    Acct-Interim-Interval
    Accounting-Realtime-Required
    Origin-State-ID
    Event-Timestamp
    Proxy-Info

Diameter Errors
Protocol & Application Examples

[Figure: numbered Request and Answer exchanges between Access Device A, Relay Agents A, B and C, and the Home Server]

Result Code AVPs

[Figure: Client A and Server C exchanging Request and Answer messages through Relay Agent B]

All Answer messages must contain one Result-Code AVP
Successful Result-Code AVPs are:
    2xxx value
    3006 DIAMETER_REDIRECT_INDICATION
A non-successful Result-Code AVP must include the Error-Reporting-Host AVP
Result-Code AVPs are:
    1xxx - Informational
    2xxx - Success
    3xxx - Protocol Errors
    4xxx - Transient Failures
    5xxx - Permanent Failure
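
The Result-Code rules above can be checked mechanically on a received answer. The following is an added example, not part of the course material: it walks the AVP section of an answer, classifies the Result-Code family, and reports an answer that breaks the rules as the slide states them. AVP codes 268 (Result-Code) and 294 (Error-Reporting-Host) and the AVP layout come from RFC 6733; the function names, the host name and the sample answers are constructed for illustration.

```python
import struct

# AVP codes from RFC 6733
RESULT_CODE, ERROR_REPORTING_HOST = 268, 294
FAMILIES = {1: "Informational", 2: "Success", 3: "Protocol Error",
            4: "Transient Failure", 5: "Permanent Failure"}
REDIRECT_INDICATION = 3006  # counted as successful on the slide

def avp(code, data, flags=0x40):
    """Encode one AVP without Vendor-ID: code, flags, 24-bit length, data, padding."""
    length = 8 + len(data)
    return (struct.pack("!IB3s", code, flags, length.to_bytes(3, "big"))
            + data + b"\x00" * (-length % 4))

def walk_avps(buf):
    """Yield (code, data) for each AVP, rejecting malformed lengths."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8      # V bit adds a 4-byte Vendor-ID
        if length < hdr or off + length > len(buf):
            raise ValueError("AVP length out of bounds")
        yield code, buf[off + hdr:off + length]
        off += length + (-length % 4)        # skip padding to a 32-bit boundary

def check_answer(avp_bytes):
    """Return (family, successful, problems) for an answer's AVP section."""
    avps = list(walk_avps(avp_bytes))
    results = [d for c, d in avps if c == RESULT_CODE]
    if len(results) != 1 or len(results[0]) != 4:
        return None, False, ["answer must carry exactly one Result-Code AVP"]
    value = struct.unpack("!I", results[0])[0]
    family = FAMILIES.get(value // 1000, "Unknown")
    ok = value // 1000 == 2 or value == REDIRECT_INDICATION
    problems = []
    if not ok and not any(c == ERROR_REPORTING_HOST for c, _ in avps):
        problems.append("non-successful answer lacks Error-Reporting-Host")
    return family, ok, problems

# Constructed sample answers (AVP section only, not captured traffic)
GOOD = avp(RESULT_CODE, struct.pack("!I", 2001))
BAD = avp(RESULT_CODE, struct.pack("!I", 5012))
FIXED = BAD + avp(ERROR_REPORTING_HOST, b"relay.example.net")
```

RFC 6733 makes Error-Reporting-Host mandatory only when the host that set the Result-Code differs from Origin-Host, so a monitoring rule built on this check should compare the two before alerting.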

Diameter Security Overview
RFC 3588

[Figure: Diameter Client and Diameter Server]

Diameter Client MUST support Internet Protocol Security (IPSec)
Diameter Client MAY support Transport Layer Security (TLS)
Diameter Servers MUST support IPSec
Diameter Servers MUST support TLS
IPSec is used primarily for intra-domain traffic
TLS is used primarily for inter-domain traffic

Diameter Security Overview
RFC 6733

[Figure: Diameter Client and Diameter Server]

Diameter protocol MUST be secured by TLS or DTLS
Diameter protocol MAY support IPSec
TLS / DTLS / IPSec should begin before any Diameter message exchange
TLS / DTLS / IPSec parameters are exchanged independent of the Diameter protocol

Diameter Security - IPSec

Defined in RFC 3588 but not in RFC 6733
Primarily used for intra-domain traffic
Encrypts & authenticates at the IP level
Transport Mode - only payload is authenticated and/or encrypted
Tunnel Mode - entire IP packet is authenticated and/or encrypted
All Diameter deployments must support Transport Mode.

[Figure: two realms, Realm1.com and Realm2.com, containing Diameter Client A, Redirect Agent B, Proxy Agent C, Application Servers D, F and H, Relay Agents E and G, and Translation Agent I]

Diameter Security - TLS

Primarily used for inter-domain traffic
Originator is TLS Client
Receiver is TLS Server
Both client and server exchange information and agree on a common cipher suite
Successor to Secure Socket Layer (SSL).

[Figure: two realms, Realm1.com and Realm2.com, containing Diameter Client A, Redirect Agent B, Proxy Agent C, Application Servers D, F and H, Relay Agents E and G, and Translation Agent I]

Diameter Applications - (MOBILEIP)
Mobile IPv4

[Figure: Diameter protocol stack. Applications (Mobile IPv4, 3GPP Apps, Credit Control Apps, NASREQ Apps, SIP Apps) over Diameter Base Protocol, TCP or SCTP, IP, Network Access Protocol, Physical]

Allows Mobile Node to change a point of attachment while maintaining a fixed home address.
Uses Home Agent or Foreign Agent
Supports Mobile Security Association (MSA)
Supports Handoff
Not used for IPv6

Mobile IPv4 Entities

[Figure: Mobile Node (MN) attached over Mobile IPv4; Foreign Agent (FA) (Client) and Foreign AAA Server (AAAF) in the Visited Administrative Domain; Home Agent (HA) (Client) and Home AAA Server (AAAH) in the Home Administrative Domain; links labelled Diameter]

Inter-Realm Mobile IPv4

[Figure: inter-realm message flow. Mobile Node (MN) sends a Mobile IPv4 Registration Request; AMR and AMA are exchanged among the Foreign Agent (FA), Foreign AAA Server (AAAF) and Home AAA Server (AAAH); HAR and HAA are exchanged with the Home Agent (HA); Visited and Home Administrative Domains shown]

Mobile IP Commands
AA-Mobile-Node-Request and Answer (AMR & AMA)

[Figure: AMR/AMA and HAR/HAA flow among Foreign Agent (FA) (Client), Foreign AAA Server (AAAF), Home AAA Server (AAAH) and Home Agent (HA) (Client), across the Visited and Home Administrative Domains]

Command-Code 261
Requesting Authentication & Authorization
AAAF (or AAAH) uses info in the mobile's request to construct the AVPs
RFC 4004, section 5.1 & 5.2

AMR & AMA AVPs

AA-Mobile-Node-Request (AMR):
    Auth-Application-ID
    User-Name
    Destination-Realm
    Origin-Host
    Origin-Realm
    MIP-Reg-Request
    MIP-MN-AAA-Auth
    Acct-Multi-Session-ID
    Destination-Host
    Origin-State-ID
    MIP-Mobile-Node-Address
    MIP-Home-Agent-Address
    MIP-Feature-Vector
    MIP-Originating-Foreign-AAA
    Authorization-Lifetime
    Auth-Session-State
    MIP-FA-Challenge
    MIP-Candidate-Home-Agent-Host
    MIP-Home-Agent-Host
    MIP-HA-to-FA-SPI
    Proxy-Info
    Route-Record

AA-Mobile-Node-Answer (AMA):
    Auth-Application-ID
    Result-Code
    Origin-Host
    Origin-Realm
    Acct-Multi-Session-ID
    User-Name
    Authorization-Lifetime
    Auth-Session-State
    Error-Message
    Error-Reporting-Host
    Re-Auth-Request-Type
    MIP-Feature-Vector
    MIP-Reg-Reply
    MIP-MN-to-FA-MSA
    MIP-MN-to-HA-MSA
    MIP-FA-to-MN-MSA
    MIP-FA-to-HA-MSA
    MIP-HA-to-MN-MSA
    MIP-MSA-Lifetime
    MIP-Home-Agent-Address
    MIP-Mobile-Node-Address
    MIP-Filter-Rule

Mobile IP Commands
Home-Agent-MIP-Request and Answer (HAR & HAA)

[Figure: AMR/AMA and HAR/HAA flow among Foreign Agent (FA) (Client), Foreign AAA Server (AAAF), Home AAA Server (AAAH) and Home Agent (HA) (Client), across the Visited and Home Administrative Domains]

Command-Code 262
Requesting Authentication & Authorization
AAAF (or AAAH) uses info in the mobile's request to construct the AVPs
RFC 4004, section 5.1 & 5.2

HAR & HAA AVPs

Home-Agent-MIP-Request (HAR):
    Auth-Application-ID
    Authorization-Lifetime
    Auth-Session-State
    MIP-Reg-Request
    Origin-Host
    Origin-Realm
    User-Name
    Destination-Realm
    MIP-Feature-Vector
    Destination-Host
    MIP-MN-to-HA-MSA
    MIP-MN-to-FA-MSA
    MIP-HA-to-MN-MSA
    MIP-HA-to-FA-MSA
    MIP-MSA-Lifetime
    MIP-Originating-Foreign-AAA
    MIP-Mobile-Node-Address
    MIP-Home-Agent-Address
    MIP-Filter-Rule
    Origin-State-ID
    Proxy-Info
    Route-Record

Home-Agent-MIP-Answer (HAA):
    Auth-Application-ID
    Result-Code
    Origin-Host
    Origin-Realm
    Acct-Multi-Session-ID
    User-Name
    Error-Reporting-Host
    Error-Message
    MIP-Reg-Reply
    MIP-Home-Agent-Address
    MIP-Mobile-Node-Address
    MIP-FA-to-HA-SPI
    MIP-FA-to-MN-SPI
    Origin-State-ID
    Proxy-Info

Diameter Applications
3GPP Applications

[Figure: Diameter protocol stack (Mobile IPv4, 3GPP Apps, Credit Control Apps, NASREQ Apps, SIP Apps over Diameter Base Protocol, TCP or SCTP, IP, Network Access Protocol, Physical) shown with 3GPP network elements: SIP-AS, OSA-SCS, S-CSCF, I-CSCF, HSS, SLF, HSS/AAA, HPCRF, VPCRF, PCEF, EIR, SGSN, MME, AS, Online Charging System, Offline Charging System]

Diameter Applications
Credit Control

[Figure: Diameter protocol stack (Mobile IPv4, 3GPP Apps, Credit Control, NASREQ Apps, SIP Apps over Diameter Base Protocol, TCP or SCTP, IP, Network Access Protocol, Physical) with a Diameter Client and a Diameter Node]

Implement real-time credit control
Builds on the success of GSM Pre-Paid services
Checks balances prior to allowing service
Can inform user of charges to be levied
Need to credit and debit

Credit Control Architecture

[Figure: Service Element, Diameter Credit Control Client, Diameter AAA Server, Diameter Credit Control Server and Business Support System. The client sends Credit-Control-Request (CCR) and receives Credit-Control-Answer (CCA). Annotation: "Can be one host"]

Diameter Applications - (NASREQ)
Network Access Server

[Figure: Diameter protocol stack (Mobile IPv4, 3GPP Apps, Credit Control Apps, NASREQ Apps, SIP Apps over Diameter Base Protocol, TCP or SCTP, IP, Network Access Protocol, Physical) with a NAS and Diameter Sessions]

AAA in the Network Access Server (NAS) environment.
Initial deployments expected to be legacy systems
Backward compatible with RADIUS

NAS Messages

Diameter message layout:
    Version | Message Length
    Command Flags | Command-Code
    Application-ID
    Hop-by-Hop Identifier
    End-to-End Identifier
    Attribute Value Pair (AVP) 1
    Attribute Value Pair (AVP) 2
    Attribute Value Pair (AVP) n

Command-Name                   Abbreviation   Command-Code
AA-Request                     AAR            265
AA-Answer                      AAA            265
Abort-Session-Request          ASR            258
Abort-Session-Answer           ASA            258
Accounting-Request             ACR            271
Accounting-Answer              ACA            271
Re-Auth-Request                RAR            258
Re-Auth-Answer                 RAA            258
Session-Termination-Request    STR            275
Session-Termination-Answer     STA            275
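
The header fields listed above occupy a fixed 20 bytes at the start of every Diameter message, and a receiver should validate them before touching any AVP. The following is an added example, not part of the course material: it parses the header, applies the RFC 6733 sanity checks, and names base-protocol commands from their code and R (request) flag. The function names and sample messages are constructed, and the parser assumes the caller passes exactly one framed message.

```python
import struct

# Base-protocol command codes (RFC 6733); R flag selects Request or Answer
BASE_COMMANDS = {257: "CE", 258: "RA", 271: "AC", 274: "AS",
                 275: "ST", 280: "DW", 282: "DP"}
FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10

def parse_header(msg):
    """Parse and sanity-check the fixed 20-byte Diameter header."""
    if len(msg) < 20:
        raise ValueError("shorter than the 20-byte Diameter header")
    ver_len, flags_code, app_id, hbh, e2e = struct.unpack_from("!IIIII", msg)
    version, length = ver_len >> 24, ver_len & 0xFFFFFF
    flags, code = flags_code >> 24, flags_code & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version %d" % version)
    # Message Length covers header plus padded AVPs, so it is a multiple of 4
    if length < 20 or length % 4 or length != len(msg):
        raise ValueError("Message Length does not match the data received")
    if flags & FLAG_E and flags & FLAG_R:
        raise ValueError("E (error) bit is not valid in a request")
    stem = BASE_COMMANDS.get(code)
    name = stem + ("R" if flags & FLAG_R else "A") if stem else "unknown"
    return {"command": name, "code": code, "request": bool(flags & FLAG_R),
            "application_id": app_id, "hop_by_hop": hbh, "end_to_end": e2e}

def build_header(code, flags, app_id, hbh, e2e, body=b""):
    """Build a message for the constructed samples below."""
    length = 20 + len(body)
    return struct.pack("!IIIII", (1 << 24) | length, (flags << 24) | code,
                       app_id, hbh, e2e) + body

# Constructed samples: a Device-Watchdog-Request and a Re-Auth-Answer
DWR = build_header(280, FLAG_R, 0, 0x11111111, 0x22222222)
RAA = build_header(258, 0, 1, 0x33333333, 0x44444444)
```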

IETF Summary

Diameter Base (RFC 6733)
    ASR & ASA    274     Abort-Session
    ACR & ACA    271     Accounting
    CER & CEA    257     Capabilities-Exchange
    DWR & DWA    280     Device-Watchdog
    DPR & DPA    282     Disconnect-Peer
    RAR & RAA    258     Re-Auth
    STR & STA    275     Session-Termination

Mobile IPv4 (RFC 4004)
    AMR & AMA    261     AA-Mobile-Node
    HAR & HAA    262     Home-Agent-MIP

Credit Control (RFC 4006)
    CCR & CCA    272     Credit-Control

Network Access Server (NAS) (RFC 4005)
    AAR & AAA    265     Authentication Authorization (AA)
    ASR & ASA    274*    Same as Diameter Base
    ACR & ACA    271*    Same as Diameter Base
    RAR & RAA    258*    Same as Diameter Base
    STR & STA    275*    Same as Diameter Base

Extensible Authentication Protocol (RFC 4072)
    DER & DEA    268     Diameter EAP

Mobile IPv6 (RFC 5447)
    No New Messages

SIP Application (RFC 4740)
    UAR & UAA    283     User-Authorization
    SAR & SAA    284     Server-Assignment
    LIR & LIA    285     Location-Info
    MAR & MAA    286     Multimedia-Auth
    RTR & RTA    287     Registration-Termination
    PPR & PPA    288     Push-Profile

Diameter Capabilities Update (RFC 6737)
    CUR & CUA    328     Capabilities-Update

Lesson Summary
In this lesson, we have:

Explained how Authentication, Authorization & Accounting (AAA) is done on an IP network

Understood the Diameter protocol stack

Described Diameter clients, servers and agents

Defined Attribute Value Pairs (AVP)

Shown Diameter messages and their structure

Understood Diameter applications
