Before We Start
Housekeeping:
- Introductions
- Student Rosters
- Course Outline
- References / Manuals
Diameter Protocol
Steve DeVries, skd@telecomtrainers.com, 708-921-7972
Lesson Objectives
During this lesson, we will:
What is AAA?
- Authentication: verifying identity
- Authorization: what access is allowed
- Accounting: collecting usage information
[Figure: AAA before IP access: PSTN switch and MSC, LDAP protocol to the user store, central office, firewall and secure router]
AAA on an IP Network
Remote Authentication Dial In User Service (RADIUS)
- RFC 2058 (1997)
- RFC 2138 (mid 1997)
- RFC 2865 (2000)
[Figure: the user dials the internet provider through the PSTN switch; once the circuit-switched connection is established, the Network Access Server speaks the RADIUS protocol to the AAA server, which holds the user profile: first authentication & authorization, then accounting]
RADIUS Shortcomings
- Designed for small-scale configuration (like dial-up access)
- RADIUS runs over UDP: no congestion control
- Lacks functionality needed for today's internet access: in base RADIUS the AAA server cannot send an unsolicited message to the access server (RFC 5176 later added Disconnect and Change-of-Authorization messages, but only where both sides implement them)
[Figure: Network Access Servers speaking the RADIUS protocol to AAA servers and an MSC]
RADIUS vs Diameter
What Diameter adds over RADIUS:
- Server-initiated messages
- Auditing
- Support for transition (from RADIUS)
- Capability negotiation
- Peer discovery and configuration
- Support for roaming
[Figure: AAA servers and MSCs exchanging Diameter messages]
Diameter's Extensibility
Diameter Client <-> Diameter Server
- RFC 3588 (original base protocol, obsoleted by RFC 6733)
- RFC 6733 (current base protocol)
- Port 3868 for TCP & SCTP; port 5868 for TLS/TCP & DTLS/SCTP
Diameter Functionality
Basic Overview
A Diameter client and a Diameter server are built from the same layers, top to bottom:
- Diameter application (client side or server side)
- Session Management
- Routing Management
- Connection Management
- Base Protocol

Connection Management
- Peer discovery
- Transport
- Capabilities negotiation
- Keep alive & disconnect

Routing Management
- Decides where a request goes next (local processing, relay, proxy or redirect) and returns the answer along the same path

Session Management
- A session is related to a progression of events
- The application provides the guidelines
- Stateful or stateless

Base Protocol
- Basic functionality
- Implemented in all Diameter nodes
- Application independent
Transport layers below Diameter
TCP or SCTP
- Reliable transport
- Diameter messages are retransmitted
- Heartbeat monitors the status of the connection
IP
- Transmits datagrams
- No end-to-end reliability
Data link layer
- Interfaces the IP layer to the physical layer
- MAC address
Physical
- Electrical & functional characteristics
- Binary transmission

Protocol stack: 3GPP Apps | Credit Control Apps | NASREQ Apps | SIP Apps
                Diameter
                TCP or SCTP
                IP
                Physical
Diameter Addresses
DiameterIdentity & DiameterURI identify a Diameter Client, Diameter Server or agent
Diameter Transport
Clients must support either TCP or SCTP; agents and servers should support both (RFC 6733 section 2.1)
[Figure: Diameter Client -> Diameter Agent -> Diameter Agent -> Diameter Agent -> Diameter Server; the agents shown are a Redirect Agent, a Relay Agent and a Translation Agent]
Diameter Nodes
Clients & Servers: Diameter Client <-> Diameter Server
Agents: Relay, Proxy, Redirect and Translation agents sit between the Diameter Client and the Diameter Server
Diameter Agents
Stateless
1. Diameter Client -> Diameter Agent: Request, Hop-by-Hop Identifier = 1234
2. Diameter Agent -> Diameter Server: Request, Hop-by-Hop Identifier = 5678 (the agent's own identifier for the next hop)
3. Diameter Server -> Diameter Agent: Answer, Hop-by-Hop Identifier = 5678
4. Diameter Agent releases the transaction (the 5678 <-> 1234 mapping is no longer needed)
5. Diameter Agent -> Diameter Client: Answer, Hop-by-Hop Identifier = 1234
The agent keeps only the identifier mapping for the lifetime of one request/answer exchange; it keeps no session state.
Diameter Agents
Stateful
1. Diameter Client -> Diameter Agent: Request1 carrying a Session-ID AVP (AVP1) and a Session-Timeout AVP (AVP2)
2. Diameter Agent records Session 1 and forwards Request1 (Session-ID, Session-Timeout) to the Diameter Server
3. Diameter Server -> Diameter Agent: Answer1
4. Diameter Agent -> Diameter Client: Answer1
The agent keeps state for Session 1 until Session 1 expires (Session-Timeout) or it receives Answer1, depending on how much state the application needs it to hold.
Agent message flows
Relay Agent: Diameter Client/Server -> Request -> Relay Agent -> Request -> Diameter Client/Server; the Answer returns along the same path
Proxy Agent: Diameter Client -> Request -> Diameter Proxy Agent -> Request -> Diameter Server; Answer back the same way (a proxy may modify the messages it forwards)
Redirect Agent: Diameter Client -> Request -> Diameter Proxy Agent -> Request -> Diameter Redirect Agent; the Redirect Agent returns a Redirect Notification to the Proxy Agent, which then sends the Request directly to the Diameter Server and relays the Answer to the client
Translation Agent: RADIUS Client -> RADIUS Request -> Translation Agent -> Diameter Request -> Diameter Server; the Diameter Answer is translated back into a RADIUS Answer
Sessions and peer connections
Diameter Client -- peer connection X -- Relay Agent -- peer connection Y -- Diameter Server
User connection A: Request #1 (Session_ID = 1234), Request #2 (Session_ID = 1234), Answer #2 (Session_ID = 1234), ..., Session-Termination-Request (Session_ID = 1234)
A user session (identified by Session-Id) spans several requests and several peer connections; the peer connections are hop-by-hop transport connections between adjacent nodes.
Peer Table
Host Identity    | Status  | Static or Dynamic | Expiration Time | TLS/TCP, DTLS/SCTP Enabled
-----------------|---------|-------------------|-----------------|---------------------------
NodeB.realm1.com | Idle    | Dynamic           | 800             | False
NodeC.realm1.com | Closing | Static            | -               | False
NodeE.realm1.com | Idle    | Static            | -               | True
NodeG.realm2.com | Open    | Dynamic           | 600             | True
[Figure: Realm1.com contains Diameter Client A, Redirect Agent B, Proxy Agent C, Application Server D, Relay Agent E and Application Server F; Realm2.com contains Relay Agent G, Application Server H and Translation Agent I]
Realm-Based Routing
[Figure: a Request from a Diameter Client/Server reaches a Relay Agent, which forwards it to the Diameter Client/Server that serves the destination realm; the Answer returns the same way]
Realm Routing Table entries (RFC 6733 section 2.7):
- Realm Name
- Application Identifier
- Local Action
  - Local
  - Relay
  - Proxy
  - Redirect
- Server Identifier
- Static or Dynamic
- Expiration Time
Realm-Routing Example
Peer Table
Host Identity    | Status | Static or Dynamic | Expiration Time | TLS/TCP, DTLS/SCTP Enabled
-----------------|--------|-------------------|-----------------|---------------------------
NodeB.realm1.com | Open   | Dynamic           |                 | True
NodeC.realm2.com | Open   | Dynamic           |                 | True
NodeF.realm3.com | Open   | Dynamic           |                 | True

Realm-Routing Table
Realm / Host     | App-ID   | Server-ID | Local Action | Discovery | Expiration Time
-----------------|----------|-----------|--------------|-----------|----------------
NodeB.realm1.com | App-ID 1 | Node B    | Local        | Dynamic   |
NodeC.realm2.com | App-ID 2 | Node C    | Relay        | Dynamic   |
NodeF.realm3.com | App-ID 3 | Node F    | Proxy        | Dynamic   |
NodeF.realm3.com | App-ID 4 | Node F    | Proxy        | Dynamic   |

[Figure: Realm1.com: Diameter Client A (App-ID 1, 2, 3, 4) and Application Server B (App-ID 1, Local). Realm2.com: Relay Agent C, Application Server D (App-ID 5) and Application Server E (App-ID 2). Realm3.com: Proxy Agent F, Application Server G (App-ID 3) and Application Server H (App-ID 4)]
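The routing decision the Realm-Routing Example implies, written out as an added example (not code from the course or from any Diameter stack). The peer table and realm routing table are constructed from the slide (Node B/C/F, realm1 to realm3, App-IDs 1 to 4); the local identity NodeA.realm1.com and the Result-Code mapping for the two failure cases are assumptions based on RFC 6733 section 6.1 and 7.1.3.

```python
"""Realm-based routing decision for one Diameter request (RFC 6733 section 6.1).

Added example for the Realm-Routing Example slide; not code from the course
or from any Diameter stack.  Table contents follow the slide; the local
identity NodeA.realm1.com is an assumption.
"""

LOCAL_HOST = "NodeA.realm1.com"   # assumed identity of the node doing the routing

# Result-Code values from RFC 6733 section 7.1.3 (protocol errors, E bit set)
DIAMETER_UNABLE_TO_DELIVER = 3002
DIAMETER_REALM_NOT_SERVED = 3003
DIAMETER_REDIRECT_INDICATION = 3006

# Peer table: host identity -> state of the peer connection (slide values)
PEER_TABLE = {
    "NodeB.realm1.com": "Open",
    "NodeC.realm2.com": "Open",
    "NodeF.realm3.com": "Open",
}

# Realm routing table: (Realm Name, Application Identifier) -> Local Action, Server Identifier
REALM_ROUTING_TABLE = [
    {"realm": "realm1.com", "app_id": 1, "action": "Local", "server": "NodeB.realm1.com"},
    {"realm": "realm2.com", "app_id": 2, "action": "Relay", "server": "NodeC.realm2.com"},
    {"realm": "realm3.com", "app_id": 3, "action": "Proxy", "server": "NodeF.realm3.com"},
    {"realm": "realm3.com", "app_id": 4, "action": "Proxy", "server": "NodeF.realm3.com"},
]


def route_request(msg, peers=PEER_TABLE, routes=REALM_ROUTING_TABLE, local_host=LOCAL_HOST):
    """Decide what to do with a request.

    msg holds the request's routing AVPs: "Application-Id", "Destination-Realm"
    and optionally "Destination-Host".  Returns one of
      ("local", None)          process here
      ("forward", peer)        send to that open peer (relay or proxy action)
      ("redirect", server)     answer with DIAMETER_REDIRECT_INDICATION naming server
      ("error", result_code)   answer with that protocol error
    """
    dest_host = msg.get("Destination-Host")
    dest_realm = msg.get("Destination-Realm")
    app_id = msg["Application-Id"]

    # 6.1.1: a request addressed to this very node is processed locally.
    if dest_host == local_host:
        return ("local", None)

    # 6.1.4: a Destination-Host that is a directly connected open peer is
    # forwarded straight to that peer; the realm table is not consulted.
    if dest_host is not None and peers.get(dest_host) == "Open":
        return ("forward", dest_host)

    # A request with Destination-Host but no Destination-Realm cannot be routed.
    if dest_realm is None:
        return ("error", DIAMETER_UNABLE_TO_DELIVER)

    # 6.1.6: look the (realm, application) pair up in the realm routing table.
    realm = dest_realm.lower()
    entry = next((e for e in routes if e["realm"].lower() == realm and e["app_id"] == app_id), None)
    if entry is None:
        realm_known = any(e["realm"].lower() == realm for e in routes)
        # realm unknown -> 3003; realm known but no server for this app -> 3002
        return ("error", DIAMETER_UNABLE_TO_DELIVER if realm_known else DIAMETER_REALM_NOT_SERVED)

    if entry["action"] == "Local":
        return ("local", None)
    if entry["action"] == "Redirect":
        return ("redirect", entry["server"])
    # Relay and Proxy both forward to the server identity; a proxy may also
    # edit the message, which the caller handles.  Only an Open peer will do.
    if peers.get(entry["server"]) != "Open":
        return ("error", DIAMETER_UNABLE_TO_DELIVER)
    return ("forward", entry["server"])
```

A request for App-ID 5 in realm2.com (Application Server D is not in the routing table) gets DIAMETER_UNABLE_TO_DELIVER rather than being sent to Relay Agent C on the off chance; a request for a realm that has no entry at all gets DIAMETER_REALM_NOT_SERVED, which tells the sender not to retry through this node.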
[Figure: Network Access Servers (Diameter clients) reach the AAA server (Diameter server) through Redirect and Relay agents (Diameter agents)]
What an Answer can say
Diameter Client -> Request -> Diameter Server; the Answer's Result-Code says one of (classes per RFC 6733 section 7.1):
- "The request was a success!" (2xxx Success, e.g. DIAMETER_SUCCESS = 2001)
- "Sorry, the request has failed" (4xxx Transient Failure or 5xxx Permanent Failure)
- "I need some more information before I tell you whether it was successful or not" (1xxx Informational, DIAMETER_MULTI_ROUND_AUTH = 1001)
- "I don't have a clue what you want, but here is a peer's address who might be able to help you" (3xxx Protocol Error, DIAMETER_REDIRECT_INDICATION = 3006)
Authorizing a Path
Diameter Client -> Relay/Proxy Agent (Realm A) -> Relay/Proxy Agent (Realm B) -> Diameter Server
Request as sent by the client:
  Origin-Host = Client.com
  Origin-Realm = Client.Realm.com
  Destination-Realm = Server.Realm.com
Request after the Realm A agent:
  Origin-Host = Client.com
  Origin-Realm = Client.Realm.com
  Destination-Realm = Server.Realm.com
  Route-Record = Proxy.RealmA.com
Request after the Realm B agent:
  Origin-Host = Client.com
  Origin-Realm = Client.Realm.com
  Destination-Realm = Server.Realm.com
  Route-Record = Proxy.RealmA.com
  Route-Record = Proxy.RealmB.com
Answer at every hop:
  Origin-Host = Server.com
  Origin-Realm = Server.Realm.com
Each agent appends its own identity as a Route-Record AVP and leaves Origin-Host/Origin-Realm untouched; the answer retraces the path hop by hop. A node that finds its own identity already in the Route-Record list rejects the request with DIAMETER_LOOP_DETECTED (3005).
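The agent behaviour from the "Diameter Agents: Stateless" and "Authorizing a Path" slides, as an added example (not code from the course or from any Diameter stack): a relay rewrites the hop-by-hop identifier, appends its Route-Record, refuses a looped request, and releases its transaction state when the answer passes. Messages are plain dicts of AVP name -> value plus the header fields that matter here; identities and the identifier values 1234/5678 are the slides' sample values.

```python
"""Relay agent behaviour on the request and answer path: hop-by-hop identifier
rewrite, Route-Record insertion and loop detection (RFC 6733 sections 6.1.3,
6.1.7 to 6.1.9 and 6.2).

Added example, not code from the course or any Diameter stack.  Messages are
dicts; the binary encoding is a separate step.
"""
import itertools

DIAMETER_LOOP_DETECTED = 3005   # RFC 6733 section 7.1.3


class RelayAgent:
    """Keeps transaction state only: one (peer, original id) pair per in-flight request."""

    def __init__(self, identity, realm, first_hop_id=5678):
        self.identity = identity
        self.realm = realm
        self._hop_ids = itertools.count(first_hop_id)   # locally unique per connection
        self.pending = {}   # our Hop-by-Hop id -> (peer it came from, peer's Hop-by-Hop id)

    def forward_request(self, from_peer, req):
        """Return (request_to_send, error_answer); exactly one of them is not None."""
        route = list(req.get("Route-Record", []))
        # 6.1.3: our own identity already in Route-Record means the request has
        # looped back to us; answer with a protocol error instead of forwarding.
        if self.identity in route:
            return None, {
                "R": False, "E": True,
                "Hop-by-Hop": req["Hop-by-Hop"], "End-to-End": req["End-to-End"],
                "Result-Code": DIAMETER_LOOP_DETECTED,
                "Origin-Host": self.identity, "Origin-Realm": self.realm,
            }
        my_hop = next(self._hop_ids)
        self.pending[my_hop] = (from_peer, req["Hop-by-Hop"])
        out = dict(req)
        out["Hop-by-Hop"] = my_hop                      # 6.1.7: new id for the next hop
        out["Route-Record"] = route + [self.identity]   # 6.1.8: record that we saw it
        # End-to-End, Origin-Host and Origin-Realm stay exactly as the client set them.
        return out, None

    def forward_answer(self, ans):
        """Return (answer_to_send, peer) or (None, None) for an unmatched answer."""
        try:
            from_peer, their_hop = self.pending.pop(ans["Hop-by-Hop"])   # state released
        except KeyError:
            return None, None   # 6.2: no pending request with this id; discard
        out = dict(ans)
        out["Hop-by-Hop"] = their_hop   # restore the id the requester used
        return out, from_peer
```

The loop check is the security-relevant part: without it a misconfigured or hostile realm routing entry can bounce a request between agents until every one of them has exhausted its transaction table. Answers whose hop-by-hop identifier matches nothing pending are dropped rather than forwarded, so a peer cannot inject an answer into a conversation it is not part of.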
Diameter Message Layout
Header: Version | Length | Flags | Command Code | Application ID | Hop-by-Hop Identifier | End-to-End Identifier
Followed by AVPs; each AVP has its own header: Code | Flags | Length | Vendor ID (optional) | AVP Data
IP Packet Structure
[Figure: IPv4 header, 32 bits per row: Version | Header Length | Type of Service | Total Length; Identification | Flags | Fragment Offset; Time To Live | Protocol | Header Checksum; Source Address; Destination Address; Data]
The Protocol field selects the Diameter transport:
  0 0 0 0 0 1 1 0 (6)   = TCP
  1 0 0 0 0 1 0 0 (132) = SCTP
TCP Segment Structure
[Figure: TCP header: Source Port / Destination Port (3868 on the listening Diameter node); Data Offset | Reserved | Flags | Window; Checksum | Urgent Pointer; Options; Data]
SCTP Packets
SCTP Packet Structure
[Figure: IP header (see IP Packet Structure), then the SCTP Common Header followed by Chunk Number 1, Chunk Number 2, ..., Chunk Number n]
SCTP Common Header: Source Port Number / Destination Port Number (3868 on the listening Diameter node) | Verification Tag | Checksum
DATA chunk: Chunk Type = 0 | Reserved | U B E flags | Chunk Length, then the stream fields and the user data (one Diameter message)
Diameter Message Structure (RFC 6733 section 3)
Version (8 bits, = 1) | Message Length (24 bits, header included)
Command Flags (8 bits) | Command-Code (24 bits)
Application-ID (32 bits)
Hop-by-Hop Identifier (32 bits)
End-to-End Identifier (32 bits)
Attribute Value Pair (AVP) 1
Attribute Value Pair (AVP) 2
...
Attribute Value Pair (AVP) n
Command Flags:
- R: Request
- P: Proxiable
- E: Error
- T: Potentially re-transmitted
- remaining four bits reserved, set to 0
Base Protocol Commands
Command-Name                  | Abbreviation | Command-Code
------------------------------|--------------|-------------
Abort-Session-Request         | ASR          | 274
Abort-Session-Answer          | ASA          | 274
Accounting-Request            | ACR          | 271
Accounting-Answer             | ACA          | 271
Capabilities-Exchange-Request | CER          | 257
Capabilities-Exchange-Answer  | CEA          | 257
Device-Watchdog-Request       | DWR          | 280
Device-Watchdog-Answer        | DWA          | 280
Disconnect-Peer-Request       | DPR          | 282
Disconnect-Peer-Answer        | DPA          | 282
Re-Auth-Request               | RAR          | 258
Re-Auth-Answer                | RAA          | 258
Session-Termination-Request   | STR          | 275
Session-Termination-Answer    | STA          | 275
Application-ID values in the message header
0          Diameter common messages
1          NASREQ (RFC 3588)
2          Mobile IPv4 (RFC 3588)
3          Diameter base accounting
0xffffffff Relay
AVP Header
AVP Code (32 bits)
Flags (8 bits):
- V: Vendor-Specific (Vendor-ID field present)
- M: Mandatory (a receiver that does not understand the AVP must reject the message)
- P: in RFC 3588 "need for end-to-end encryption"; reserved in RFC 6733, set to 0
- remaining bits reserved, set to 0
AVP-Length (24 bits)
Vendor-ID (optional, present only when V is set)
Data (padded to a 32-bit boundary; the padding is not counted in AVP-Length)
Base Protocol AVP Codes (RFC 6733 section 4.5; the left-hand names are taken from that table)
AVP Code | Attribute Name               | AVP Code | Attribute Name
---------|------------------------------|----------|-------------------------------
85       | Acct-Interim-Interval        | 483      | Accounting-Realtime-Required
50       | Acct-Multi-Session-Id        | 485      | Accounting-Record-Number
480      | Accounting-Record-Type       | 44       | Accounting-Session-Id
287      | Accounting-Sub-Session-Id    | 259      | Acct-Application-Id
258      | Auth-Application-Id          | 274      | Auth-Request-Type
291      | Authorization-Lifetime       | 276      | Auth-Grace-Period
277      | Auth-Session-State           | 285      | Re-Auth-Request-Type
25       | Class                        | 293      | Destination-Host
283      | Destination-Realm            | 273      | Disconnect-Cause
300      | E2E-Sequence (RFC 3588 only) | 281      | Error-Message
294      | Error-Reporting-Host         | 55       | Event-Timestamp
297      | Experimental-Result          | 298      | Experimental-Result-Code
279      | Failed-AVP                   | 267      | Firmware-Revision
257      | Host-IP-Address              | 299      | Inband-Security-Id
272      | Multi-Round-Time-Out         | 264      | Origin-Host
296      | Origin-Realm                 | 278      | Origin-State-Id
269      | Product-Name                 | 280      | Proxy-Host
284      | Proxy-Info                   | 33       | Proxy-State
292      | Redirect-Host                | 261      | Redirect-Host-Usage
262      | Redirect-Max-Cache-Time      | 268      | Result-Code
282      | Route-Record                 | 263      | Session-Id
27       | Session-Timeout              | 270      | Session-Binding
271      | Session-Server-Failover      | 265      | Supported-Vendor-Id
295      | Termination-Cause            | 1        | User-Name
266      | Vendor-Id                    | 260      | Vendor-Specific-Application-Id
AVP Data Types
Basic types: OctetString, Integer32, Integer64, Unsigned32, Unsigned64, Float32, Float64, Grouped
Derived types: Address, Time, UTF8String, DiameterIdentity, DiameterURI, Enumerated, IPFilterRule, QoSFilterRule *
* QoSFilterRule is defined in RFC 3588 only; RFC 6733 dropped it
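The header, AVP and data-type layouts above, as an added example that encodes and decodes them (not code from the course or from any Diameter stack): it builds the Capabilities-Exchange-Request from the CER sample-data slide, parses it back, and shows the framing checks a receiver must make before it trusts a single AVP. Origin-Host, Origin-Realm, Host-IP-Address and the vendor number 98765 are the slide's sample values; the Product-Name and the application numbers are constructed for this example.

```python
"""Diameter header and AVP encoding/decoding (RFC 6733 sections 3, 4.1 and 4.2).

Added example; not code from the course or any Diameter stack.  Sample values
follow the CER slide where it gives them, everything else is constructed.
"""
import ipaddress
import struct

FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10   # Command Flags (section 3)
AVP_V, AVP_M = 0x80, 0x40   # AVP Flags (section 4.1); the old P bit 0x20 is reserved, sent as 0

DIAMETER_SUCCESS = 2001
DIAMETER_AVP_UNSUPPORTED = 5001
DIAMETER_UNSUPPORTED_VERSION = 5011
DIAMETER_INVALID_AVP_LENGTH = 5014
DIAMETER_INVALID_MESSAGE_LENGTH = 5015


class DiameterError(ValueError):
    def __init__(self, result_code, text):
        super().__init__(text)
        self.result_code = result_code


def encode_avp(code, data, mandatory=True, vendor_id=None):
    """One AVP: 4-byte code, 1-byte flags, 3-byte length, optional Vendor-Id, data, pad."""
    flags = AVP_M if mandatory else 0
    if vendor_id is not None:
        flags |= AVP_V
    length = (12 if vendor_id is not None else 8) + len(data)   # AVP-Length excludes padding
    header = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    if vendor_id is not None:
        header += struct.pack("!I", vendor_id)
    return header + data + b"\x00" * ((-len(data)) % 4)        # pad to a 32-bit boundary


def encode_message(command_code, application_id, hop_by_hop, end_to_end, avps, flags=FLAG_R):
    """20-byte header (version 1) followed by the already-encoded AVPs."""
    body = b"".join(avps)
    header = bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
    header += command_code.to_bytes(3, "big") + struct.pack("!III", application_id, hop_by_hop, end_to_end)
    return header + body


def decode_avps(buf):
    """Yield a dict per AVP in buf, refusing any AVP-Length that runs past the buffer."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise DiameterError(DIAMETER_INVALID_AVP_LENGTH, "truncated AVP header")
        code, flags = struct.unpack("!IB", buf[off:off + 5])
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr_len = 12 if flags & AVP_V else 8
        if length < hdr_len or off + length > len(buf):
            raise DiameterError(DIAMETER_INVALID_AVP_LENGTH, f"bad AVP-Length {length}")
        vendor = struct.unpack("!I", buf[off + 8:off + 12])[0] if flags & AVP_V else None
        yield {"code": code, "flags": flags, "vendor_id": vendor, "data": buf[off + hdr_len:off + length]}
        off += length + ((-length) % 4)   # step over the padding as well


def decode_message(buf):
    """Parse exactly one Diameter message held in buf."""
    if len(buf) < 20:
        raise DiameterError(DIAMETER_INVALID_MESSAGE_LENGTH, "short header")
    if buf[0] != 1:
        raise DiameterError(DIAMETER_UNSUPPORTED_VERSION, f"version {buf[0]}")
    length = int.from_bytes(buf[1:4], "big")
    if length % 4 or length != len(buf):
        raise DiameterError(DIAMETER_INVALID_MESSAGE_LENGTH, f"Message Length {length} vs {len(buf)} bytes")
    app_id, hbh, e2e = struct.unpack("!III", buf[8:20])
    return {"version": 1, "length": length, "flags": buf[4],
            "command_code": int.from_bytes(buf[5:8], "big"),
            "application_id": app_id, "hop_by_hop": hbh, "end_to_end": e2e,
            "avps": list(decode_avps(buf[20:length]))}


def validate_message(buf):
    """Result-Code a receiver would answer with for the framing alone."""
    try:
        decode_message(buf)
    except DiameterError as err:
        return err.result_code
    return DIAMETER_SUCCESS


def unsupported_mandatory(avps, known):
    """Codes of AVPs the receiver does not know but that carry the M bit (answer: 5001)."""
    return [a["code"] for a in avps if a["flags"] & AVP_M and (a["vendor_id"], a["code"]) not in known]


def build_cer(hop_by_hop=0x1000, end_to_end=0x2000):
    """CER with the AVPs of the sample-data slide (Command-Code 257, Application-ID 0)."""
    u32 = lambda v: struct.pack("!I", v)
    avps = [
        encode_avp(264, b"sdctor001-03.sdc.4g.tta.net"),                  # Origin-Host (DiameterIdentity)
        encode_avp(296, b"sdc.4g.tta.net"),                               # Origin-Realm
        encode_avp(257, b"\x00\x01" + ipaddress.IPv4Address("182.168.53.6").packed),  # Address: family 1 = IPv4
        encode_avp(266, u32(98765)),                                      # Vendor-Id
        encode_avp(269, b"example-node", mandatory=False),                # Product-Name: M bit MUST NOT be set
        encode_avp(258, u32(4)),                                          # Auth-Application-Id 4 = Credit-Control
        encode_avp(299, u32(0)),                                          # Inband-Security-Id = NO_INBAND_SECURITY
        encode_avp(260, encode_avp(266, u32(98765)) + encode_avp(258, u32(33))),  # Grouped: vendor app 33 (constructed)
    ]
    return encode_message(257, 0, hop_by_hop, end_to_end, avps)
```

Three details matter for a robust receiver: AVP-Length counts the header and data but not the padding, so a parser must advance by the padded length; an AVP-Length that runs past the message is an attack or a corrupt peer and is answered with DIAMETER_INVALID_AVP_LENGTH rather than read blindly; and an unknown AVP with the M bit set must fail the whole message with DIAMETER_AVP_UNSUPPORTED, while the same AVP without M is simply skipped.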
AVP Table
RFC 3588 - Section 4.5
Flag rules: M = Mandatory, P = Protected, V = Vendor-Specific; Encr = may be encrypted end to end
Attribute Name                 | AVP Code | Section Defined | Data Type  | MUST | MAY | MUST NOT | Encr
-------------------------------|----------|-----------------|------------|------|-----|----------|-----
Acct-Interim-Interval          | 85       | 9.8.2           | Unsigned32 | M    | P   | V        | Y
Accounting-Realtime-Required   | 483      | 9.8.7           | Enumerated | M    | P   | V        | Y
Acct-Multi-Session-Id          | 50       | 9.8.5           | UTF8String | M    | P   | V        | Y
Accounting-Record-Number       | 485      | 9.8.3           | Unsigned32 | M    | P   | V        | Y
Accounting-Record-Type         | 480      | 9.8.1           | Enumerated | M    | P   | V        | Y
Accounting-Session-Id          | 44       | 9.8.4           | OctetString| M    | P   | V        | Y
Accounting-Sub-Session-Id      | 287      | 9.8.6           | Unsigned64 | M    | P   | V        | Y
Destination-Host               | 293      | 6.5             | DiamIdent  | M    | P   | V        | N
Destination-Realm              | 283      | 6.6             | DiamIdent  | M    | P   | V        | N
Disconnect-Cause               | 273      | 5.4.3           | Enumerated | M    | P   | V        | N
Firmware-Revision              | 267      | 5.3.4           | Unsigned32 |      |     | P,V,M    | N
Host-IP-Address                | 257      | 5.3.5           | Address    | M    | P   | V        | N
Inband-Security-Id             | 299      | 6.10            | Unsigned32 | M    | P   | V        | N
Origin-Host                    | 264      | 6.3             | DiamIdent  | M    | P   | V        | N
Origin-Realm                   | 296      | 6.4             | DiamIdent  | M    | P   | V        | N
Vendor-Id                      | 266      | 5.3.3           | Unsigned32 | M    | P   | V        | N
Vendor-Specific-Application-Id | 260      | 6.11            | Grouped    | M    | P   | V        | N
AVP Table
RFC 6733 - Section 4.5 (the P flag and the Encr column are gone)
Flag rules: M = Mandatory, V = Vendor-Specific
Attribute Name                 | AVP Code | Section Defined | Data Type  | MUST | MUST NOT
-------------------------------|----------|-----------------|------------|------|---------
Acct-Interim-Interval          | 85       | 9.8.2           | Unsigned32 | M    | V
Accounting-Realtime-Required   | 483      | 9.8.7           | Enumerated | M    | V
Acct-Multi-Session-Id          | 50       | 9.8.5           | UTF8String | M    | V
Accounting-Record-Number       | 485      | 9.8.3           | Unsigned32 | M    | V
Accounting-Record-Type         | 480      | 9.8.1           | Enumerated | M    | V
Accounting-Session-Id          | 44       | 9.8.4           | OctetString| M    | V
Accounting-Sub-Session-Id      | 287      | 9.8.6           | Unsigned64 | M    | V
Destination-Host               | 293      | 6.5             | DiamIdent  | M    | V
Destination-Realm              | 283      | 6.6             | DiamIdent  | M    | V
Disconnect-Cause               | 273      | 5.4.3           | Enumerated | M    | V
Error-Message                  | 281      | 7.3             | UTF8String |      | V,M
Host-IP-Address                | 257      | 5.3.5           | Address    | M    | V
Inband-Security-Id             | 299      | 6.10            | Unsigned32 | M    | V
Origin-Host                    | 264      | 6.3             | DiamIdent  | M    | V
Origin-Realm                   | 296      | 6.4             | DiamIdent  | M    | V
Vendor-Id                      | 266      | 5.3.3           | Unsigned32 | M    | V
Vendor-Specific-Application-Id | 260      | 6.11            | Grouped    | M    | V
AVP occurrence in the base protocol commands (0 = not present, 1 = exactly one, 0-1 = optional, 0+ = zero or more, 1+ = one or more)
AVP                            | CER | CEA | DPR | DPA | DWR | DWA | RAR | RAA | ASR | ASA | STR | STA
-------------------------------|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|----
Acct-Interim-Interval          | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0
Accounting-Realtime-Required   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0
Acct-Application-Id            | 0+  | 0+  | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0
Destination-Host               | 0   | 0   | 0   | 0   | 0   | 0   | 1   | 0   | 1   | 0   | 0-1 | 0
Destination-Realm              | 0   | 0   | 0   | 0   | 0   | 0   | 1   | 0   | 1   | 0   | 1   | 0
Disconnect-Cause               | 0   | 0   | 1   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0
Error-Message                  | 0   | 0-1 | 0   | 0-1 | 0   | 0-1 | 0   | 0-1 | 0   | 0-1 | 0   | 0-1
Firmware-Revision              | 0-1 | 0-1 | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0
Host-IP-Address                | 1+  | 1+  | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0
Origin-Host                    | 1   | 1   | 1   | 1   | 1   | 1   | 1   | 1   | 1   | 1   | 1   | 1
Origin-Realm                   | 1   | 1   | 1   | 1   | 1   | 1   | 1   | 1   | 1   | 1   | 1   | 1
Origin-State-Id                | 0-1 | 0-1 | 0   | 0   | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1
Product-Name                   | 1   | 1   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0
Result-Code                    | 0   | 1   | 0   | 1   | 0   | 1   | 0   | 1   | 0   | 1   | 0   | 1
Re-Auth-Request-Type           | 0   | 0   | 0   | 0   | 0   | 0   | 1   | 0   | 0   | 0   | 0   | 0
Route-Record                   | 0   | 0   | 0   | 0   | 0   | 0   | 0+  | 0   | 0+  | 0   | 0+  | 0
Session-Binding                | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0
Session-Id                     | 0   | 0   | 0   | 0   | 0   | 0   | 1   | 1   | 1   | 1   | 1   | 1
Termination-Cause              | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 1   | 0
User-Name                      | 0   | 0   | 0   | 0   | 0   | 0   | 0-1 | 0-1 | 0-1 | 0-1 | 0-1 | 0-1
Vendor-Id                      | 1   | 1   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0
Vendor-Specific-Application-Id | 0+  | 0+  | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0
(The RAR column carries no accounting AVPs; RFC 6733 section 8.3.1 defines none for it.)
[Figure: encapsulation, outermost first: IP Packet Structure; SCTP Packet Structure (Source Port Number, Checksum, Chunk Number n with Chunk Type = 0, Flags, Chunk Length, Stream Identifier); Diameter header (Version, Message Length, Command Flags, Command-Code, Application-ID, Hop-by-Hop Identifier, End-to-End Identifier); AVPs (AVP Code, Flags, AVP Length, Vendor-ID (optional), Data)]
Negotiating Capabilities
A Diameter node supporting Application 33, 44 and 55 and Inband Security 1 and 2 (RFC 3588 values) connects to a Diameter node supporting Application 33 and 44 and Inband Security 1.
Capabilities-Exchange-Request (CER):
  Origin-Host, Origin-Realm, Host-IP-Address, Vendor-ID, Product-Name,
  Inband-Security-ID 1, Inband-Security-ID 2,
  Vendor-Specific-Application-ID 33, Vendor-Specific-Application-ID 44, Vendor-Specific-Application-ID 55
Capabilities-Exchange-Answer (CEA):
  Result-Code = SUCCESS,
  Origin-Host, Origin-Realm, Host-IP-Address, Vendor-ID, Product-Name,
  Inband-Security-ID 1,
  Vendor-Specific-Application-ID 33, Vendor-Specific-Application-ID 44
The connection may then carry Applications 33 and 44, the intersection of what the two sides advertised.
Transport setup before CER/CEA (TCP or SCTP, over IP over Physical):
  TCP:  SYN -> SYN ACK -> ACK
  SCTP: INIT -> INIT_ACK -> COOKIE_ECHO -> COOKIE_ACK
  then CER / CEA, then the application messages
Diameter Commands
Capabilities Exchange Request and Answer (CER, CEA)
Diameter Node -> Capabilities-Exchange-Request (CER) -> Diameter Node; Capabilities-Exchange-Answer (CEA) back
- Command-Code 257
- First messages that nodes exchange once the transport connection is established
- Messages carry the node's identity and capabilities (protocol version, supported Diameter applications, supported security mechanism, etc.)
- RFC 6733, sections 5.3.1 & 5.3.2
ABNF notation: { } = required, 1* { } = one or more required, [ ] = optional, * [ ] = zero or more
CER:
  { Origin-Host }
  { Origin-Realm }
  1* { Host-IP-Address }
  { Vendor-Id }
  { Product-Name }
  [ Origin-State-Id ]
  * [ Supported-Vendor-Id ]
  * [ Auth-Application-Id ]
  * [ Inband-Security-Id ]
  * [ Acct-Application-Id ]
  * [ Vendor-Specific-Application-Id ]
  [ Firmware-Revision ]
CEA carries the same AVPs preceded by { Result-Code }, plus optional Error-Message and Failed-AVP.
CER AVP Sample Data
Attribute Name                 | AVP Code | Data Type  | Sample Data
-------------------------------|----------|------------|----------------------------
Origin-Host                    | 264      | DiamIdent  | sdctor001-03.sdc.4g.tta.net
Origin-Realm                   | 296      | DiamIdent  | sdc.4g.tta.net
Host-IP-Address                | 257      | Address    | 182.168.53.6
Vendor-ID                      | 266      | Unsigned32 |
Product-Name                   | 269      | UTF8String |
Supported-Vendor-ID            | 265      | Unsigned32 | 98765
Auth-Application-ID            | 258      | Unsigned32 |
Inband-Security-ID             | 299      | Unsigned32 | NO_INBAND_SECURITY (0)
Acct-Application-ID            | 259      | Unsigned32 |
Vendor-Specific-Application-ID | 260      | Grouped    |
Firmware-Revision              | 267      | Unsigned32 |
The Flags column on the slide is the AVP flag byte as seen on the wire. The hex fragment 0000010a 4000000c 000.. is the start of the Vendor-ID AVP: code 0x0000010a (266), flags 0x40 (M bit set), length 0x00000c (12 octets).
Inband-Security-ID = NO_INBAND_SECURITY (0) means no protection is negotiated in-band. RFC 6733 marks this AVP NOT RECOMMENDED and expects TLS/TCP or DTLS/SCTP to be set up before CER/CEA (port 5868), or the link to be protected by IPsec; a CER that arrives on an unprotected connection with NO_INBAND_SECURITY should only be accepted where local policy explicitly allows it.
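The capabilities exchange from the "Negotiating Capabilities" and CER/CEA slides, as an added example (not the course's code or any Diameter stack's): the receiver refuses a CER from a host that is not in its peer table, checks for a common security mechanism, then computes the common applications, and the initiator learns what the connection may carry. Application numbers 33/44/55 and the vendor number 98765 are the slides' sample values; the host names and Product-Name are assumptions, and the Result-Code values are those of RFC 6733 section 7.1.

```python
"""Capabilities negotiation on a fresh peer connection (RFC 6733 section 5.3).

Added example; not code from the course or any Diameter stack.  Application
and vendor numbers follow the slides, host names are assumed.
"""
DIAMETER_SUCCESS = 2001
DIAMETER_UNKNOWN_PEER = 3010
DIAMETER_NO_COMMON_APPLICATION = 5010
DIAMETER_NO_COMMON_SECURITY = 5017
RELAY_APPLICATION_ID = 0xFFFFFFFF           # advertised by relays and redirect agents
NO_INBAND_SECURITY, TLS = 0, 1              # Inband-Security-Id values (RFC 3588)


def capabilities(host, realm, apps, inband=(NO_INBAND_SECURITY,)):
    """What a node puts in its CER or CEA.  apps is a set of (Vendor-Id, Application-Id)
    pairs, Vendor-Id 0 meaning an IETF application."""
    return {
        "Origin-Host": host,
        "Origin-Realm": realm,
        "Vendor-Id": 98765,
        "Product-Name": "example-node",
        "Vendor-Specific-Application-Id": frozenset(apps),
        "Inband-Security-Id": frozenset(inband),
    }


def common_applications(local, peer):
    """Applications both sides can use; a relay accepts every application."""
    mine = local["Vendor-Specific-Application-Id"]
    theirs = peer["Vendor-Specific-Application-Id"]
    if (0, RELAY_APPLICATION_ID) in mine or (0, RELAY_APPLICATION_ID) in theirs:
        return mine | theirs
    return mine & theirs


def process_cer(local, cer, peer_table):
    """Receiver side.  Returns (CEA, keep_connection).

    peer_table is the set of host identities this node is configured to peer
    with; a CER from anyone else gets DIAMETER_UNKNOWN_PEER and the transport
    connection is closed, so an unconfigured node cannot open a peering.
    """
    cea = dict(local)                 # a CEA advertises the receiver's own capabilities
    if cer["Origin-Host"] not in peer_table:
        cea["Result-Code"] = DIAMETER_UNKNOWN_PEER
        return cea, False
    if not (local["Inband-Security-Id"] & cer["Inband-Security-Id"]):
        cea["Result-Code"] = DIAMETER_NO_COMMON_SECURITY
        return cea, False
    if not common_applications(local, cer):
        cea["Result-Code"] = DIAMETER_NO_COMMON_APPLICATION
        return cea, False
    cea["Result-Code"] = DIAMETER_SUCCESS
    return cea, True


def process_cea(local, cea):
    """Initiator side: the applications that may now be sent on this connection."""
    if cea["Result-Code"] != DIAMETER_SUCCESS:
        return frozenset()            # 5.3: the initiator closes the connection
    return common_applications(local, cea)
```

Origin-Host in the CER is only a claim; the peer-table check is worth something only when the transport already authenticated the peer (TLS/DTLS with certificate checks, or IPsec), otherwise any host that can reach port 3868 can present a configured identity.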
Updating Capabilities
RFC 6737
Diameter Node -> Capabilities-Exchange-Request (CER) -> Diameter Node; Capabilities-Exchange-Answer (CEA) back
- In RFC 3588, once a connection is established there is no way for one node to tell its peer about updated features; the application has to be closed down and brought back up
- CER / CEA is the only mechanism to advertise which applications are supported, and it is only sent once: a second CER would tell the peer that this is a restart
- RFC 6733 allows exchanging capabilities in the Open state, but it references another specification, RFC 6737
- RFC 6737 introduces Capabilities-Update-Request (CUR) and Capabilities-Update-Answer (CUA); Command Code 328
- Advertising Application-ID 10 (Diameter Capabilities Update) in the original CER/CEA tells the peer that this node supports the feature
Diameter Node -> Capabilities-Update-Request (CUR) -> Diameter Node; Capabilities-Update-Answer (CUA) back
Message Processing
Diameter Request Message: Diameter Node -> Diameter Node
Transport Failure: a Diameter message on the primary route is lost when the transport connection between two Diameter nodes fails; the sender fails over and re-sends it on an alternate route through another Diameter node, with the T flag set so the far end can recognise a possible duplicate
Diameter Commands
Device Watchdog Request and Answer (DWR, DWA)
Diameter Node -> Device-Watchdog-Request (DWR) -> Diameter Node; Device-Watchdog-Answer (DWA) back
- Command-Code 280
- Sent by a Diameter node to its peer
- Used to detect transport & application layer failures
- Sent during periods of no regular traffic
- Not sent once a transport failure has been detected
- RFC 6733, sections 5.5.1 & 5.5.2
DWR AVPs: Origin-Host, Origin-Realm, Origin-State-ID
DWA AVPs: Result-Code, Origin-Host, Origin-Realm, Error-Message, Failed-AVP, Origin-State-ID
Diameter Commands
Disconnect Peer Request and Answer (DPR, DPA)
Diameter Node -> Disconnect-Peer-Request (DPR) -> Diameter Node; Disconnect-Peer-Answer (DPA) back
- Command-Code 282
- Used to shut down a transport connection once one has been established
- The DPR tells its peer not to re-establish a connection unless it is absolutely essential (Disconnect-Cause BUSY or DO_NOT_WANT_TO_TALK_TO_YOU; with REBOOTING the peer may reconnect once the node is back)
- Not sent once a transport failure has been detected
- RFC 6733, sections 5.4.1 & 5.4.2
DPR AVPs: Origin-Host, Origin-Realm, Disconnect-Cause
DPA AVPs: Result-Code, Origin-Host, Origin-Realm, Error-Message, Failed-AVP
Diameter Commands
Re-Auth Request and Answer (RAR, RAA)
Diameter Server -> Re-Auth-Request (RAR) -> Diameter Client; Re-Auth-Answer (RAA) back
- Command-Code 258
- Sent by any server to the access device providing session service
- Sent to re-authenticate the user
- Security reasons: make sure there is no fraud
- RFC 6733, sections 8.3.1 & 8.3.2
RAR AVPs: Origin-Host, Origin-Realm, Destination-Realm, Destination-Host, Auth-Application-ID, Re-Auth-Request-Type, User-Name, Origin-State-ID, Proxy-Info, Route-Record
RAA AVPs: Result-Code, Origin-Host, Origin-Realm, User-Name, Origin-State-ID, Error-Message, Error-Reporting-Host, Failed-AVP, Redirect-Host, Redirect-Host-Usage, Redirect-Host-Cache-Time, Proxy-Info
Diameter Commands
Session Termination Request and Answer (STR, STA)
Diameter Client or Proxy -> Session-Termination-Request (STR) -> Diameter Server; Session-Termination-Answer (STA) back
- Command-Code 275
- The client or proxy tells the server that it no longer needs the service
- Includes logoffs, administrative actions and timeouts
- RFC 6733, sections 8.4.1 & 8.4.2
STA AVPs: Result-Code, Origin-Host, Origin-Realm, User-Name, Origin-State-ID, Error-Message, Error-Reporting-Host, Failed-AVP, Redirect-Host, Redirect-Host-Usage, Redirect-Host-Cache-Time, Proxy-Info
Diameter Commands
Abort Session Request and Answer (ASR, ASA)
Diameter Server or Proxy -> Abort-Session-Request (ASR) -> Diameter Access Device; Abort-Session-Answer (ASA) back
- Command-Code 274
- Sent by any server or proxy to the access device providing the session service
- Requests that the session identified by Session-ID be stopped
- Could be for lack of credit, security reasons, or administrative order
- RFC 6733, sections 8.5.1 & 8.5.2
- The access device answers DIAMETER_SUCCESS (2001) once the session is stopped, DIAMETER_UNKNOWN_SESSION_ID (5002) when it has no such session, or DIAMETER_UNABLE_TO_COMPLY (5012) when it will not stop it; an ASR is only acted on for a Session-ID the device actually holds
ASA AVPs: Result-Code, Origin-Host, Origin-Realm, User-Name, Origin-State-ID, Error-Message, Error-Reporting-Host, Failed-AVP, Redirect-Host, Redirect-Host-Usage, Redirect-Host-Cache-Time, Proxy-Info
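The access-device side of the ASR/ASA exchange, as an added example (not the course's code or any Diameter stack's): the three ASA outcomes and the STR that follows a successful abort. Session identifiers, user and host names are constructed; treating only the server that authorized a session as allowed to abort it is a local policy assumed here, not an RFC rule, and the Termination-Cause value is the RFC 6733 DIAMETER_ADMINISTRATIVE code.

```python
"""Access-device handling of a server-initiated Abort-Session-Request
(RFC 6733 section 8.5) and the Session-Termination-Request that follows.

Added example; not code from the course or any Diameter stack.  All names
and session identifiers are constructed.  The ownership check is an assumed
local policy, reported with DIAMETER_UNABLE_TO_COMPLY as section 8.5.2 allows.
"""
DIAMETER_SUCCESS = 2001
DIAMETER_UNKNOWN_SESSION_ID = 5002
DIAMETER_UNABLE_TO_COMPLY = 5012
DIAMETER_ADMINISTRATIVE = 4            # Termination-Cause value (section 8.15)
ABORT_SESSION, SESSION_TERMINATION = 274, 275


class AccessDevice:
    def __init__(self, host, realm):
        self.host, self.realm = host, realm
        self.sessions = {}   # Session-Id -> {"user": ..., "server": Origin-Host that authorized it}

    def start_session(self, session_id, user, server):
        self.sessions[session_id] = {"user": user, "server": server}

    def handle_asr(self, asr):
        """Return (ASA, STR-or-None); the STR goes to the server after a successful abort."""
        sid = asr["Session-Id"]
        asa = {"Command-Code": ABORT_SESSION, "R": False, "Session-Id": sid,
               "Origin-Host": self.host, "Origin-Realm": self.realm}
        session = self.sessions.get(sid)
        if session is None:
            asa["Result-Code"] = DIAMETER_UNKNOWN_SESSION_ID    # 8.5.2: session not active here
            return asa, None
        if asr["Origin-Host"] != session["server"]:
            asa["Result-Code"] = DIAMETER_UNABLE_TO_COMPLY      # local policy: not the session's server
            return asa, None
        del self.sessions[sid]                                  # service is actually stopped first
        asa["Result-Code"] = DIAMETER_SUCCESS
        asa["User-Name"] = session["user"]
        str_msg = {"Command-Code": SESSION_TERMINATION, "R": True, "Session-Id": sid,
                   "Origin-Host": self.host, "Origin-Realm": self.realm,
                   "Destination-Realm": asr["Origin-Realm"], "Destination-Host": asr["Origin-Host"],
                   "Auth-Application-Id": asr["Auth-Application-Id"],
                   "Termination-Cause": DIAMETER_ADMINISTRATIVE, "User-Name": session["user"]}
        return asa, str_msg
```

A device that tore sessions down for any Session-Id it was handed would let one compromised or mis-addressed peer log out every user; looking the session up first, and answering 5002 for unknown ones, keeps an ASR from doing more than its sender is entitled to.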
Diameter Commands
Accounting Request and Answer (ACR, ACA)
Diameter Node (acting as a client) -> Accounting-Request (ACR) -> Diameter Peer; Accounting-Answer (ACA) back
- Command-Code 271
- Sent by a Diameter node acting as a client, to exchange accounting information with a peer
- The Diameter node reports an accounting event
- The ACR includes information that helps the server record the event
- RFC 6733, sections 9.7.1 & 9.7.2
ACR AVPs: Origin-Host, Origin-Realm, Destination-Realm, Accounting-Record-Type, Accounting-Record-Number, Acct-Application-ID, Vendor-Specific-Application-ID, User-Name, Accounting-Sub-Session-ID, Acct-Session-ID, Acct-Multi-Session-ID, Acct-Interim-Interval, Accounting-Realtime-Required, Origin-State-ID, Event-Timestamp, Proxy-Info, Route-Record
ACA AVPs: Result-Code, Origin-Host, Origin-Realm, Accounting-Record-Type, Accounting-Record-Number, Acct-Application-ID, Vendor-Specific-Application-ID, User-Name, Accounting-Sub-Session-ID, Acct-Session-ID, Acct-Multi-Session-ID, Error-Reporting-Host, Acct-Interim-Interval, Accounting-Realtime-Required, Origin-State-ID, Event-Timestamp, Proxy-Info
Diameter Errors
Protocol & Application Examples
[Figure: protocol error (RFC 6733 section 7.2): Access Device A sends a Request through Relay Agent A to Relay Agent B (1); Relay Agent B cannot reach the Home Server and returns an error Answer with the E bit set (2); Relay Agent A retries through Relay Agent C toward the Home Server / Server C (3). Application error (section 7.3): the Home Server's error Answer passes back through the relays unchanged to the Diameter Client]
[Figure: Realm1.com contains Diameter Client A, Redirect Agent B, Proxy Agent C, Application Server D, Relay Agent E and Application Server F; Realm2.com contains Relay Agent G, Application Server H and Translation Agent I]
Diameter Applications
Mobile IPv4
Protocol stack: Mobile IPv4 | 3GPP Apps | Credit Control Apps | NASREQ Apps | SIP Apps
                Diameter
                TCP or SCTP
                IP
                Physical
Mobile IPv4 flow: Mobile Node (MN) -> Mobile IPv4 Registration Request -> Foreign Agent; Foreign Agent -> AMR -> Foreign AAA Server -> AMR -> Home AAA Server -> HAR -> Home Agent; Home Agent -> HAA -> Home AAA Server -> AMA -> Foreign AAA Server -> AMA -> Foreign Agent -> Registration Reply -> Mobile Node (MN)
Mobile IP Commands
AA-Mobile-Node-Request and Answer (AMR & AMA)
Foreign Agent (FA) (Client) -> AA-Mobile-Node-Request (AMR) -> Foreign AAA Server (AAAF) -> AMR -> Home AAA Server (AAAH); AA-Mobile-Node-Answer (AMA) back along the same path; the AAAH uses HAR/HAA toward the Home Agent in between
- Command-Code 261
- Requests authentication & authorization for the mobile node
- The AAAF (or AAAH) uses the information in the mobile's registration request to construct the AVPs
- RFC 4004, sections 5.1 & 5.2
AMR AVPs: Auth-Application-ID, User-Name, Destination-Realm, Origin-Host, Origin-Realm, MIP-Reg-Request, MIP-MN-AAA-Auth, Acct-Multi-Session-ID, Destination-Host, Origin-State-ID, MIP-Mobile-Node-Address, MIP-Home-Agent-Address, MIP-Feature-Vector, MIP-Originating-Foreign-AAA, Authorization-Lifetime, Auth-Session-State, MIP-FA-Challenge, MIP-Candidate-Home-Agent-Host, MIP-Home-Agent-Host, MIP-HA-to-FA-SPI, Proxy-Info, Route-Record
AMA AVPs: Auth-Application-ID, Result-Code, Origin-Host, Origin-Realm, Acct-Multi-Session-ID, User-Name, Authorization-Lifetime, Auth-Session-State, Error-Message, Error-Reporting-Host, Re-Auth-Request-Type, MIP-Feature-Vector, MIP-Reg-Reply, MIP-MN-to-FA-MSA, MIP-MN-to-HA-MSA, MIP-FA-to-MN-MSA, MIP-FA-to-HA-MSA, MIP-HA-to-MN-MSA, MIP-MSA-Lifetime, MIP-Home-Agent-Address, MIP-Mobile-Node-Address, MIP-Filter-Rule
The MIP-*-MSA AVPs in the AMA carry the mobility security association keys; Diameter has no end-to-end AVP protection, so every agent on the AAAH-to-FA path sees them, and the hop-by-hop transport must be protected (TLS, DTLS or IPsec).
Mobile IP Commands
Home-Agent-MIP-Request and Answer (HAR & HAA)
Home AAA Server (AAAH) -> Home-Agent-MIP-Request (HAR) -> Home Agent (HA) (Client, in the Home Administrative Domain); Home-Agent-MIP-Answer (HAA) back; the AAAH then returns the AMA toward the AAAF and the Foreign Agent (FA) (Client)
- Command-Code 262
- Sent by the AAAH so the Home Agent can process the mobile node's Mobile IP registration and receive the keys it needs
- RFC 4004, sections 5.3 & 5.4
HAR AVPs: Auth-Application-ID, Authorization-Lifetime, Auth-Session-State, MIP-Reg-Request, Origin-Host, Origin-Realm, User-Name, Destination-Realm, MIP-Feature-Vector, Destination-Host, MIP-MN-to-HA-MSA, MIP-MN-to-FA-MSA, MIP-HA-to-MN-MSA, MIP-HA-to-FA-MSA, MIP-MSA-Lifetime, MIP-Originating-Foreign-AAA, MIP-Mobile-Node-Address, MIP-Home-Agent-Address, MIP-Filter-Rule, Origin-State-ID, Proxy-Info, Route-Record
HAA AVPs: Auth-Application-ID, Result-Code, Origin-Host, Origin-Realm, Acct-Multi-Session-ID, User-Name, Error-Reporting-Host, Error-Message, MIP-Reg-Reply, MIP-Home-Agent-Address, MIP-Mobile-Node-Address, MIP-FA-to-HA-SPI, MIP-FA-to-MN-SPI, Origin-State-ID, Proxy-Info
Diameter Applications
3GPP Applications
Protocol stack: Mobile IPv4 | 3GPP Apps | Credit Control Apps | NASREQ Apps | SIP Apps
                Diameter
                TCP or SCTP
                IP
                Physical
3GPP nodes that speak Diameter: HSS, HSS/AAA, S-CSCF, SIP-AS, OSA-SCS, AS, SGSN, MME, EIR, HPCRF, VPCRF, PCEF, Online Charging System, Offline Charging System
Diameter Applications
Credit Control
Protocol stack: Mobile IPv4 | 3GPP Apps | Credit Control Apps | NASREQ Apps | SIP Apps
                Diameter
                TCP or SCTP
                IP
                Physical
Diameter Credit Control Client (in the Service Element, a Diameter Client) -> Credit-Control-Request (CCR) -> Diameter Credit Control Server (the Diameter AAA Server); Credit-Control-Answer (CCA) back; the server is tied to the Business Support System
Diameter Applications
NASREQ
Protocol stack: Mobile IPv4 | 3GPP Apps | Credit Control Apps | NASREQ Apps | SIP Apps
                Diameter
                TCP or SCTP
                IP
                Physical
- Used in the Network Access Server (NAS) environment
- Initial deployments expected to be legacy systems
- Backward compatible with RADIUS
NAS Messages
Diameter header: Version | Message Length | Command Flags | Command-Code | Application-ID | Hop-by-Hop Identifier | End-to-End Identifier, then AVP 1 ... AVP n
Command-Name                | Abbreviation | Command-Code
----------------------------|--------------|-------------
AA-Request                  | AAR          | 265
AA-Answer                   | AAA          | 265
Abort-Session-Request       | ASR          | 274
Abort-Session-Answer        | ASA          | 274
Accounting-Request          | ACR          | 271
Accounting-Answer           | ACA          | 271
Re-Auth-Request             | RAR          | 258
Re-Auth-Answer              | RAA          | 258
Session-Termination-Request | STR          | 275
Session-Termination-Answer  | STA          | 275
Only AAR/AAA are new; the other commands are the base protocol's, reused with the NASREQ Application-ID.
IETF Summary
Diameter Base (RFC 6733): 274 Abort-Session, 271 Accounting, 257 Capabilities-Exchange, 280 Device-Watchdog, 282 Disconnect-Peer, 258 Re-Auth, 275 Session-Termination
Mobile IPv4 (RFC 4004): 261 AA-Mobile-Node, 262 Home-Agent-MIP
Credit Control (RFC 4006, since obsoleted by RFC 8506): 272 Credit-Control
NAS (RFC 4005, since obsoleted by RFC 7155): 265 AA-Request/Answer; 274*, 271*, 258*, 275* (* reused from the base protocol)
Diameter EAP (RFC 4072): 268 Diameter-EAP
Mobile IPv6 (RFC 5447): no new messages
SIP Application (RFC 4740): 283 User-Authorization, 284 Server-Assignment, 285 Location-Info, 286 Multimedia-Auth, 287 Registration-Termination, 288 Push-Profile
Capabilities Update (RFC 6737): 328 Capabilities-Update
Lesson Summary
In this lesson, we have: