Cisco Support Community

DIAMETER Protocol


    Introduction

    Mobile network traffic is growing exponentially, and service providers must manage their networks efficiently to meet consumer demand. The technology evolution of radio access networks is limited by the laws of physics, and significant growth in radio frequency (RF) efficiency can no longer be expected. Long-Term Evolution (LTE) radio access is reaching the limits of Shannon's law, the spectrum available for mobile data applications is limited, and the only solution for increasing overall mobile network capacity is to increase the carrier-to-interference ratio while decreasing cell size and deploying small cell technologies.

    The most efficient way to use small cells is to position them in locations where significant amounts of data are generated (shopping malls, stadiums, university campuses, public transportation hubs, etc.) and where subscribers spend most of their time and therefore consume significant amounts of data (homes, offices, etc.).

    In this context, we will discuss the latest AAA protocol being deployed by service providers worldwide for managing mobile traffic in both licensed and unlicensed spectrum.

    DIAMETER is a new framework in the Internet Engineering Task Force (IETF) for the next-generation AAA server.

    New RFC-6733 (Diameter Base Protocol)

    • The Diameter base protocol is intended to provide an Authentication, Authorization and Accounting (AAA) framework for applications such as network access or IP mobility.
    • Diameter is also intended to work in both local Authentication, Authorization & Accounting and roaming situations.
    • It evolved from and replaces the much less capable RADIUS protocol that preceded it.
    • Diameter is a message-based protocol, where AAA nodes exchange messages and receive a positive or negative acknowledgment for each message exchanged between nodes.
    • The name is a play on words, derived from the RADIUS protocol, which is its predecessor (a diameter is twice the radius).
    • Diameter is not directly backwards compatible but provides an upgrade path for RADIUS.
    • Diameter is a message (packet) based protocol. There are two types of messages: Request messages and Answer messages.

    The message structure is shown in the accompanying figure.

    Let's quickly go through a few major differences between RADIUS and DIAMETER in a nutshell.

    Feature                      RADIUS                                            DIAMETER
    Communication ports          1812 (UDP), 1813 (accounting)                     3686 for the base protocol
    Error reporting scheme       Not supported                                     Supported
    Transport method             UDP                                               SCTP or TCP; UDP may optionally be used as well
    Maximum size of attributes   255 bytes                                         16 MB
    Scalability                  Poor                                              Good
    Reliability                  Not reliable; packets that do not contain the     Acknowledgement for packets; the server can
                                 expected information, or that have errors, are    notify the client of a problem by sending an
                                 silently discarded.                               error message.

    Benefits of DIAMETER

    In this section we will discuss some of the benefits of DIAMETER, organised by the characteristics required in AAA operations; for each characteristic, the DIAMETER support is described.

    Failover Mechanism

    RADIUS does not have any kind of failover mechanism; it cannot have one, because it is UDP based. DIAMETER defines application-layer acknowledgements and failover methods, which we will define later.

    Transmission Layer Security

    RADIUS does not provide per-packet confidentiality. RFC-3162 provides for IPsec, but it is not mandatory, while in Diameter it is mandatory to apply per-packet confidentiality with the help of IPsec (IP Security) and TLS (Transport Layer Security).

    Peer-to-peer bidirectional

    • Framework enables push and pull application models or architectures (RADIUS is unidirectional)

    Agent Support

    • RADIUS does not provide explicit support for agents, including proxies, redirects and relays.

    • Diameter defines agent behaviour explicitly, i.e. which agent may alter which part of a Diameter message. For example, a redirect agent will not alter any part of the Diameter message/packet. Each agent's behaviour is defined later.

    Server-initiated messages

    • Server-initiated messages are messages that the server itself initiates towards the client. For example, if the established connection or session between server and client is lost due to some undesirable event, the server sends a message asking the client to reconnect or re-authenticate itself.

    • RADIUS server-initiated messages are defined in [DYNAUTH]

    Auditability

    • RADIUS does not define data-object security mechanisms, and as a result, untrusted proxies may modify attributes or even packet headers without being detected. Combined with the lack of support for capabilities negotiation, this makes it very difficult to determine what occurred in the event of a dispute.

    • In DIAMETER, the implementation of data-object security is not mandatory but is supported.

    Transition support

    • Diameter does not share a common protocol data unit (PDU) with RADIUS, considerable

    • But currently it can be deployed in the same network as RADIUS.

    Capability negotiation

    • RADIUS does not support error messages, capability negotiation, or a mandatory/non-mandatory flag for attributes.

    • Two Diameter peers exchange their identities and capabilities (such as protocol version number, supported Diameter applications, security mechanisms, etc.).

    Peer discovery and Configuration

    • RADIUS deployment requires that the name or address of servers or clients be manually configured, along with the corresponding shared secrets.

    • Through DNS SRV and NAPTR records, Diameter enables dynamic discovery of peers.
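    The discovery step can be shown concretely. The following Python is an added example, not code from the original article or from any Cisco product: it applies the NAPTR-then-SRV peer selection of RFC 6733 section 5.2 to constructed DNS records (the realm names, host names and record values are sample data, so it runs offline), preferring SCTP over TCP when both are offered and falling back to a direct SRV lookup when a realm publishes no NAPTR record.

```python
"""Added example: pick a Diameter peer for a realm from DNS NAPTR and SRV data.

Selection order follows RFC 6733 section 5.2; every record below is constructed
sample data rather than a real DNS answer, so the code runs offline.
"""
from dataclasses import dataclass
from typing import Collection, Dict, List, Optional, Tuple

# NAPTR service tags for Diameter (RFC 6733 section 5.2) and the SRV names they lead to
TRANSPORT_BY_SERVICE = {"aaa+d2t": "tcp", "aaa+d2s": "sctp"}
SRV_NAME = {"tcp": "_diameter._tcp.{realm}", "sctp": "_diameter._sctp.{realm}"}


@dataclass(frozen=True)
class NAPTR:
    order: int
    preference: int
    flags: str          # "S": the replacement is the owner name of an SRV record set
    service: str
    replacement: str


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def usable_naptr(records: List[NAPTR], supported: Collection[str]) -> List[NAPTR]:
    """Keep only 'S' records whose transport we speak, lowest order then lowest preference first."""
    keep = [r for r in records
            if r.flags.upper() == "S" and TRANSPORT_BY_SERVICE.get(r.service.lower()) in supported]
    return sorted(keep, key=lambda r: (r.order, r.preference))


def pick_srv(records: List[SRV]) -> SRV:
    """Lowest priority wins; among equal priorities take the highest weight
    (a deterministic stand-in for the weighted random choice of RFC 2782)."""
    return min(records, key=lambda s: (s.priority, -s.weight))


def discover_peer(realm: str, naptr: Dict[str, List[NAPTR]], srv: Dict[str, List[SRV]],
                  supported: Collection[str] = ("sctp", "tcp")) -> Optional[Tuple[str, str, int]]:
    """Return (transport, host, port) for the realm, or None if DNS holds no usable peer."""
    for n in usable_naptr(naptr.get(realm, []), supported):
        candidates = srv.get(n.replacement.rstrip("."))
        if candidates:
            s = pick_srv(candidates)
            return TRANSPORT_BY_SERVICE[n.service.lower()], s.target.rstrip("."), s.port
    # No usable NAPTR: RFC 6733 falls back to direct SRV queries, SCTP before TCP
    for transport in ("sctp", "tcp"):
        candidates = srv.get(SRV_NAME[transport].format(realm=realm)) if transport in supported else None
        if candidates:
            s = pick_srv(candidates)
            return transport, s.target.rstrip("."), s.port
    return None


# Constructed sample zone data. 3868 is the port RFC 6733 registers for Diameter.
SAMPLE_NAPTR = {"example.net": [
    NAPTR(100, 50, "S", "aaa+d2t", "_diameter._tcp.example.net."),
    NAPTR(50, 50, "S", "aaa+d2s", "_diameter._sctp.example.net."),
    NAPTR(10, 10, "S", "sip+d2t", "_sip._tcp.example.net."),      # unrelated service, must be ignored
]}
SAMPLE_SRV = {
    "_diameter._sctp.example.net": [SRV(10, 5, 3868, "dra1.example.net."), SRV(10, 10, 3868, "dra2.example.net.")],
    "_diameter._tcp.example.net": [SRV(10, 10, 3868, "dra3.example.net.")],
    "_diameter._tcp.legacy.example": [SRV(0, 0, 3868, "aaa.legacy.example.")],   # realm with SRV only
}

if __name__ == "__main__":
    for realm, transports in (("example.net", {"sctp", "tcp"}), ("example.net", {"tcp"}),
                              ("legacy.example", {"sctp", "tcp"}), ("nowhere.example", {"tcp"})):
        # The discovered host name is what the peer's TLS certificate must be checked against
        # before its CER is trusted; DNS alone does not authenticate the peer.
        print(realm, sorted(transports), discover_peer(realm, SAMPLE_NAPTR, SAMPLE_SRV, transports))
```

    The order and preference fields decide between transports, and the SRV priority and weight decide between hosts within one transport; the unrelated `sip+d2t` record shows why the service tag must be filtered before sorting.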

    Roaming Support

    • To improve scalability, the concept of proxy chaining is used via an intermediate server, facilitating roaming between providers. RADIUS does not provide explicit support for proxies, and lacks auditability and transmission-level security.

    • Diameter deals with this problem by providing secure and scalable roaming.

    Very efficient

    • Can support 32-bit VSAs, which translates to efficiency (RADIUS = 8 bits).

    • Handles many more pending AAA requests.

    • 32-bit alignment takes advantage of new hardware processor technologies.

    Secure

    Authentication replay attack prevention through encryption

    DIAMETER AVP Structure

    Diameter AVPs are the basic unit inside the Diameter message that carries the data (authentication data, security data, data pertaining to the application, etc.). There must be at least one AVP inside a Diameter message.

    The AVP Code, combined with the Vendor-Id field, identifies the attribute uniquely. AVP numbers 1 through 255 are reserved for backward compatibility with RADIUS, without setting the Vendor-Id field. AVP numbers 256 and above are used for Diameter and are allocated by IANA.

    1. All data is delivered in the form of AVPs.
    2. Some of these AVP values are used by the Diameter protocol itself, while others deliver data.
    3. Ability to add new commands and AVPs.
    4. AVPs have a mandatory/non-mandatory bit.
    5. Support for vendor-specific Attribute-Value Pairs (AVPs) and commands.
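    As an added example (not code from the original article or from any vendor's Diameter stack), the following Python ties together the message structure, the capability exchange and the AVP rules described above: it builds the Capabilities-Exchange-Request two peers use to announce their identity, encodes it into the RFC 6733 header-plus-AVPs layout, parses it back with length checks, and applies the mandatory bit, so that an M-flagged AVP the receiver does not recognise is answered with DIAMETER_AVP_UNSUPPORTED (5001) rather than DIAMETER_SUCCESS (2001). The host names, the hop-by-hop and end-to-end identifiers, the product name and the vendor-specific AVP code 999 are constructed sample values; the command code, AVP codes and result codes are those of RFC 6733.

```python
"""Added example: build, encode and parse a Diameter message and its AVPs (RFC 6733 sections 3-4).
Host names, identifiers and the vendor AVP code 999 are constructed sample values."""
import struct
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple

# Command flags (RFC 6733 section 3): R = request, P = proxiable, E = error, T = retransmitted
FLAG_REQUEST, FLAG_PROXIABLE, FLAG_ERROR, FLAG_RETRANS = 0x80, 0x40, 0x20, 0x10
# AVP flags (RFC 6733 section 4.1): V = Vendor-Id present, M = receiver must understand or reject
AVP_VENDOR, AVP_MANDATORY = 0x80, 0x40
# Base-protocol codes used below (RFC 6733)
CMD_CAPABILITIES_EXCHANGE = 257                    # CER / CEA
AVP_ORIGIN_HOST, AVP_VENDOR_ID, AVP_RESULT_CODE, AVP_PRODUCT_NAME, AVP_ORIGIN_REALM = 264, 266, 268, 269, 296
DIAMETER_SUCCESS, DIAMETER_AVP_UNSUPPORTED = 2001, 5001
# (code, vendor_id) pairs this receiver understands; any other AVP carrying the M bit is rejected
KNOWN_BASE_AVPS: Set[Tuple[int, Optional[int]]] = {
    (c, None) for c in (AVP_ORIGIN_HOST, AVP_VENDOR_ID, AVP_RESULT_CODE, AVP_PRODUCT_NAME, AVP_ORIGIN_REALM)}


@dataclass
class AVP:
    code: int
    data: bytes
    mandatory: bool = True
    vendor_id: Optional[int] = None               # present only for vendor-specific AVPs (V bit)

    def encode(self) -> bytes:
        flags = (AVP_MANDATORY if self.mandatory else 0) | (AVP_VENDOR if self.vendor_id is not None else 0)
        vendor = struct.pack("!I", self.vendor_id) if self.vendor_id is not None else b""
        length = 8 + len(vendor) + len(self.data)  # AVP Length covers header and data but not padding
        pad = b"\x00" * (-len(self.data) % 4)      # data is padded to the next 32-bit boundary
        return struct.pack("!II", self.code, (flags << 24) | length) + vendor + self.data + pad


@dataclass
class DiameterMessage:
    command_code: int
    application_id: int
    flags: int
    hop_by_hop: int
    end_to_end: int
    avps: List[AVP] = field(default_factory=list)

    def encode(self) -> bytes:
        body = b"".join(a.encode() for a in self.avps)
        # Version (1 octet, always 1) shares the first word with the 3-octet Message Length
        hdr = struct.pack("!II", (1 << 24) | (20 + len(body)), (self.flags << 24) | self.command_code)
        return hdr + struct.pack("!III", self.application_id, self.hop_by_hop, self.end_to_end) + body


def parse_avps(buf: bytes) -> List[AVP]:
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", buf, off)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        if length < 8 or off + length > len(buf):   # never trust AVP Length beyond the message
            raise ValueError("AVP length exceeds message")
        pos, vendor_id = off + 8, None
        if flags & AVP_VENDOR:
            if length < 12:
                raise ValueError("vendor AVP too short for Vendor-Id")
            vendor_id, pos = struct.unpack_from("!I", buf, pos)[0], pos + 4
        avps.append(AVP(code, buf[pos:off + length], bool(flags & AVP_MANDATORY), vendor_id))
        off += (length + 3) & ~3                    # step over the padding too
    return avps


def parse_message(buf: bytes) -> DiameterMessage:
    if len(buf) < 20:
        raise ValueError("truncated Diameter header")
    w0, w1, app, hbh, e2e = struct.unpack_from("!IIIII", buf, 0)
    version, length = w0 >> 24, w0 & 0xFFFFFF
    if version != 1:
        raise ValueError(f"unsupported Diameter version {version}")
    if length != len(buf) or length % 4:          # check the length field before touching any AVP
        raise ValueError("Message Length does not match the received data")
    return DiameterMessage(w1 & 0xFFFFFF, app, w1 >> 24, hbh, e2e, parse_avps(buf[20:length]))


def check_mandatory(msg: DiameterMessage, known: Set[Tuple[int, Optional[int]]]) -> int:
    """Result-Code a receiver answers with: 5001 if any M-flagged AVP is unknown to it, else 2001."""
    for a in msg.avps:
        if a.mandatory and (a.code, a.vendor_id) not in known:
            return DIAMETER_AVP_UNSUPPORTED
    return DIAMETER_SUCCESS


def build_cer(origin_host: str, origin_realm: str, extra: Iterable[AVP] = ()) -> DiameterMessage:
    """Capabilities-Exchange-Request carrying the sender's identity and vendor/product (sample values)."""
    avps = [AVP(AVP_ORIGIN_HOST, origin_host.encode()), AVP(AVP_ORIGIN_REALM, origin_realm.encode()),
            AVP(AVP_VENDOR_ID, struct.pack("!I", 10415)),   # 10415 = 3GPP enterprise number, sample only
            AVP(AVP_PRODUCT_NAME, b"example-dra")]
    return DiameterMessage(CMD_CAPABILITIES_EXCHANGE, 0, FLAG_REQUEST, 0x1000, 0x2000, avps + list(extra))


def build_answer(req: DiameterMessage, result_code: int, origin_host: str, origin_realm: str) -> DiameterMessage:
    """Answer keeps the command code and both identifiers; R is cleared, E is set for 3xxx protocol errors."""
    flags = req.flags & ~(FLAG_REQUEST | FLAG_RETRANS)
    if 3000 <= result_code < 4000:
        flags |= FLAG_ERROR
    avps = [AVP(AVP_RESULT_CODE, struct.pack("!I", result_code)),
            AVP(AVP_ORIGIN_HOST, origin_host.encode()), AVP(AVP_ORIGIN_REALM, origin_realm.encode())]
    return DiameterMessage(req.command_code, req.application_id, flags, req.hop_by_hop, req.end_to_end, avps)


if __name__ == "__main__":
    req = parse_message(build_cer("peer1.example.net", "example.net").encode())
    cea = build_answer(req, check_mandatory(req, KNOWN_BASE_AVPS), "dra1.example.net", "example.net")
    print(hex(req.flags), [a.code for a in req.avps], struct.unpack("!I", cea.avps[0].data)[0])
```

    Two design points matter for anyone putting a parser like this in front of a Diameter stack: the Message Length is compared with the bytes actually received, and each AVP Length is bounded by the message, before any payload is read; and the answer reuses the request's hop-by-hop and end-to-end identifiers, which is how the acknowledgement described in the comparison table is matched back to the message it answers.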

    Reference

    http://en.wikipedia.org/wiki/Diameter_%28protocol%29

    http://tools.ietf.org/html/rfc6733

    Version history: revision 2 of 2, last updated 08-28-2017 12:46 AM
     