Diameter Training Session - Nov 2013 - v01 PDF
Authors:
Lionel Morand FT/ OLNC/ OLN/ CNC/ NCA/ A2M
Carlos Pereira FT/ OLNC/ OLN/ CNC/ GPC/ FMA
1 Introduction
2 Diameter Overview
5 Diameter Routing
7 Diameter Accounting
3 FT Group Confidential
Intro

Note:
• New RADIUS extensions developed in the IETF now provide most of these functionalities, but they are foreseen only for legacy systems.
History

1997: RADIUS as RFC (RFC 2058)
  – Originally developed by Livingston Enterprises for their PortMaster series of Network Access Servers
2000: RADIUSv2 (RFC 2865)
  – Closed some issues of the first version, which was already widely implemented
  – Acknowledgement of issues when used in large-scale systems
  – Dedicated IETF AAA working group created to develop a successor
2000: Set of requirements for a generic AAA architecture
  – Main drivers: roaming, network access requirement enhancements, Mobile IP
2001 (February): first draft of the Diameter base protocol
  – Pushed by Sun Microsystems
2001 (June): Diameter selected as transport protocol
  – Preferred to COPS. Other candidates: RADIUS++ and SNMP
2003: Diameter Base Protocol as RFC (RFC 3588)
2005-2006: Feedback from the first operational deployments (IMS, CDMA2000, etc.)
  – and first interoperability testing (IOT) issues
2008: Diameter Extensibility and Diameter Routing design teams
  – Clarification of the rules for extensibility/routing
2012: new version of the Diameter base protocol RFC (RFC 6733)
Diameter Application Identifiers

IETF Diameter applications:

  Application Id   Application
  0                Diameter common message
  1                NASREQ
  3                Diameter base accounting
  4                Diameter Credit Control
  5                Diameter EAP
  7                Diameter Mobile IPv6 IKE (MIP6I)
  8                Diameter Mobile IPv6 Auth (MIP6A)
  4294967295       Relay

3GPP Diameter applications (sorted by identifier):

  Application Id   Application
  16777216         3GPP Cx/Px
  16777217         3GPP Sh/Ph
  16777218         3GPP Re
  16777219         3GPP Wx
  16777220         3GPP Zn
  16777221         3GPP Zh
  16777222         3GPP Gq
  16777223         3GPP Gmb
  16777224         3GPP Gx
  16777225         3GPP Gx over Gy
  16777226         3GPP MM10
  16777229         3GPP Rx
  16777230         3GPP Pr
  16777236         3GPP Rx
  16777238         3GPP Gx
  16777250         3GPP STa
  16777251         3GPP S6a
  16777252         3GPP S13/S13'
  16777255         3GPP SLg
  16777264         3GPP SWm
  16777265         3GPP SWx
  16777266         3GPP Gxx
  16777267         3GPP S9
  16777268         3GPP Zpn
  16777272         3GPP S6b
  16777291         3GPP SLh
  16777292         3GPP SGmb
  16777308         3GPP S7a/S7d
  16777309         3GPP Tsp
  16777310         3GPP S6m
  16777311         3GPP T4
  16777312         3GPP S6c
  16777313         3GPP SGd
Diameter Overview
Overview

• A Transport layer ...
  – Reliable (TCP or SCTP) and secure (IPsec, TLS, DTLS)
• A Base Protocol ...
  – Set of common commands and Attribute-Value Pairs (AVPs) supported by any Diameter peer
  – used for:
    • Dynamic peer discovery
    • Connectivity management
    • Basic request routing based on realm
    • Session creation and termination
    • Accounting management
    • Error handling management
• Diameter Applications

[Figure: Diameter protocol stack. Diameter Application; Base Protocol (a Command carrying AVPs, each AVP carrying Data); DTLS/TLS; TCP/SCTP; IPsec]
Diameter Extensibility
Diameter Agents

• In the path of the Diameter signaling between clients and servers
• Forward Request and Answer messages
• Add routing information to the messages
• Types: Relay, Proxy, Redirect
Relay Agents
• Provide basic routing functionality to forward requests to the next hop
• Do not inspect the content of the message other than Destination-Host and/or Destination-Realm and Application Ids
• Do not maintain session state
• By definition, a Relay supports all applications and advertises the Relay application id (0xffffffff)

Proxy Agents
• Same as a Relay, but...
• Inspects and possibly modifies the contents of the request/answer according to application rules and/or local policies
  – Useful in scenarios such as policy enforcement, admission control, provisioning, etc.
  – Can maintain session state, depending on requirements
• Advertises only the (set of) application(s) supported
[Figure: the Client (realmA.com) sends 1. Request to the Relay/Proxy Agent, which forwards it as 2. Request to the Server (realmB.com); the Server returns 3. Answer to the Agent, which relays it as 4. Answer to the Client]
Redirect Agents
• Do not forward messages but notify the previous hop of the new next hop to use
• Advertise the Relay application id (0xffffffff)
[Figure: Redirect Agent between the Client (realmA.com) and the Server (realmB.com); after the redirect indication the Client sends 3. Request directly to the Server and receives 4. Answer]
Translation Agents
• Provide translation between two protocols
  – (e.g., RADIUS<->Diameter, MAP<->Diameter)
• Mainly used as a gateway between the Diameter infrastructure and legacy systems
• Must be defined along with the application allowing this translation
  – e.g. the IWF between the S6a/S6d interfaces and the MAP Gr interface
[Figure: Translation Agent between a Diameter Client and a legacy Server: 1. Diameter Request from the Client towards the Agent; 4. MAP Operation from the Agent towards the Server]

[Figure: Client, Connection A, Relay/Proxy Agent, Connection B, Server]
All the Diameter nodes in a domain are peers, i.e. they share at least one connection.

Each Diameter node maintains two tables used for routing:
• A Peer table that lists the Diameter peers with which the node has a direct connection
• A Routing table that indicates which nodes to use for requests sent to a domain for a given Application Id

Routing between two Diameter nodes is based on a hop-by-hop approach:
• "if I cannot answer a message, I try to forward the request to someone that may know what to do with it"
• the Routing table is used to identify the next peer to which to forward the request
• the Peer table is used to select the connection to use to forward the request
• The answer follows the request path back, i.e. no routing look-up
As a summary: Diameter Framework

[Figure: two Diameter nodes, each with Connection Management on top of the Base Protocol]
AVP Format

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                           AVP Code                            |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |V M P r r r r r|                  AVP Length                   |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                        Vendor-ID (opt)                        |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |    Data ...
  +-+-+-+-+-+-+-+-+

The Vendor-ID field is present only if the 'V' bit is set in the AVP Flags field.

AVP Flags:
• The 'M' bit, known as the Mandatory bit, indicates whether the receiver of the AVP MUST parse and understand the semantics of the AVP, including its content.
• The 'V' bit, known as the Vendor-Specific bit, indicates whether the optional Vendor-ID field is present in the AVP header. When set, the AVP Code belongs to the specific vendor's code address space.
• The 'P' bit has been reserved in RFC 6733 for future usage of end-to-end security.
'M' bit

When set in an AVP, the receiver of the AVP MUST parse and understand the semantics of the AVP, including its content.
• The receiving entity MUST return an appropriate error message if it receives an AVP with the M-bit set that it does not support (Relay and Redirect Agents excepted, since they do not inspect AVPs)
When cleared in an AVP, the AVP is informational and the receiver can simply ignore it if not supported.
The setting of the 'M' bit is defined in the application specification that introduces or reuses this AVP, either for all command types or for each command type.

Data Type

The format of the Data field MUST be one of the following base data types:
• OctetString, Integer32 or Integer64, Unsigned32 or Unsigned64, Float32 or Float64
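The AVP header layout, the 4-octet alignment, the Vendor-ID rule and the M-bit handling described above, worked through in code. This is an added example written for this page, not code from the training deck or from Orange/France Telecom. Codes 263, 264 and 268 are the real base-protocol codes for Session-Id, Origin-Host and Result-Code; the code 9999, the vendor-specific entry, the sample values and the "known AVP" dictionary are constructed for illustration. The padding-not-counted-in-AVP-Length rule follows RFC 6733.

```python
"""Encode/decode Diameter AVPs and apply the M-bit rule (added example,
not from the training deck). All sample codes/values are constructed."""
import struct

FLAG_V, FLAG_M, FLAG_P = 0x80, 0x40, 0x20   # AVP Flags octet: V M P r r r r r

# Base data types listed on the slide, mapped to big-endian struct formats.
_FMT = {"Integer32": ">i", "Integer64": ">q", "Unsigned32": ">I",
        "Unsigned64": ">Q", "Float32": ">f", "Float64": ">d"}

# Constructed dictionary of AVPs this node understands: (code, vendor) -> (name, type).
# vendor None = IETF code space; 10415 is 3GPP's enterprise number, 9999 is a
# hypothetical application AVP used only for this example.
KNOWN_AVPS = {
    (263, None): ("Session-Id", "OctetString"),
    (264, None): ("Origin-Host", "OctetString"),
    (268, None): ("Result-Code", "Unsigned32"),
    (9999, 10415): ("Hypothetical-3GPP-AVP", "Unsigned64"),
}


def pad4(n):
    """Octets needed to bring n up to a multiple of 4."""
    return (4 - n % 4) % 4


def encode_avp(code, value, dtype="OctetString", mandatory=True, vendor_id=None):
    """Header (8 octets, or 12 with Vendor-ID when V is set) + data + zero padding.
    AVP Length covers header and data but NOT the padding (RFC 6733)."""
    data = value if dtype == "OctetString" else struct.pack(_FMT[dtype], value)
    flags = (FLAG_M if mandatory else 0) | (FLAG_V if vendor_id is not None else 0)
    length = (12 if vendor_id is not None else 8) + len(data)
    avp = struct.pack(">II", code, (flags << 24) | length)
    if vendor_id is not None:
        avp += struct.pack(">I", vendor_id)
    return avp + data + b"\x00" * pad4(len(data))


class UnsupportedMandatoryAvp(Exception):
    """Unknown AVP with the M-bit set: the node must answer with a 5xxx
    permanent failure and echo the offending AVP in Failed-AVP."""
    def __init__(self, raw_avp):
        super().__init__("unknown AVP with M-bit set")
        self.failed_avp = raw_avp


def decode_avps(buf, known=KNOWN_AVPS, is_relay=False):
    """Walk concatenated AVPs. Returns [(name, vendor_id, value)] for understood
    AVPs; unknown AVPs without the M-bit are skipped (informational); unknown
    AVPs with the M-bit raise, unless this node is a relay (relays forward
    without inspecting AVP contents, so the M-bit rule does not apply)."""
    out, off = [], 0
    while off + 8 <= len(buf):
        code, flags_len = struct.unpack(">II", buf[off:off + 8])
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr_len = 12 if flags & FLAG_V else 8
        if length < hdr_len or off + length > len(buf):
            raise ValueError("malformed AVP length")
        vendor_id = struct.unpack(">I", buf[off + 8:off + 12])[0] if flags & FLAG_V else None
        data = buf[off + hdr_len:off + length]
        key = (code, vendor_id)
        if key in known:
            name, dtype = known[key]
            value = data if dtype == "OctetString" else struct.unpack(_FMT[dtype], data)[0]
            out.append((name, vendor_id, value))
        elif flags & FLAG_M and not is_relay:
            raise UnsupportedMandatoryAvp(buf[off:off + length])
        off += length + pad4(length)          # skip the padding as well
    if off != len(buf):
        raise ValueError("trailing bytes after last AVP")
    return out


if __name__ == "__main__":
    msg = encode_avp(268, 2001, "Unsigned32") + encode_avp(264, b"client.realmA.com")
    print(decode_avps(msg))
```

`decode_avps` deliberately checks the length against the buffer before slicing: an AVP Length larger than the remaining buffer is the classic malformed-input case a Diameter stack must reject rather than read past the message.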
Request forwarding:
• done using the Diameter Realm routing table and the Diameter peer table.
• The Diameter peer table contains all of the peers with which the local node is able to communicate directly.
Answer Routing

Hop-By-Hop ID
Used for matching requests and answers. In requests, it is replaced at each hop as the Diameter message is relayed to its final destination.

End-To-End ID
In conjunction with the Origin-Host, it is used to detect duplicate request messages. It is left unmodified as a request is forwarded to its final destination; only the T flag is set in retransmitted requests.

For both identifiers, the originator of an Answer message returns the same value that was found in the corresponding request.
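The hop-by-hop forwarding and answer routing described above, as an added example that is not part of the original deck: a minimal relay in Python that replaces the Hop-by-Hop Identifier on each forwarded request, leaves the End-to-End Identifier untouched, appends a Route-Record, detects a retransmitted duplicate from (Origin-Host, End-to-End ID, T flag), and routes the answer back from its pending table without any routing-table look-up. Host names, realms, identifier values and the in-memory "connections" are constructed; 16777251 is the S6a application id from the table above.

```python
"""Relay agent forwarding model (added example, not from the training deck).
Peers, realms and identifiers below are constructed."""
import itertools
from dataclasses import dataclass, field


@dataclass
class Message:
    request: bool
    hop_by_hop: int
    end_to_end: int
    origin_host: str
    dest_realm: str = ""
    app_id: int = 0
    route_record: list = field(default_factory=list)
    retransmit: bool = False        # the 'T' flag of the Diameter header
    result_code: int = 0


class RelayAgent:
    def __init__(self, host, routing_table, peer_table):
        self.host = host
        # Routing table: (realm, app_id or "*") -> next-hop peer identity
        self.routing_table = routing_table
        # Peer table: peer identity -> connection (a list standing in for a wire)
        self.peer_table = peer_table
        self._hbh = itertools.count(1000)
        # Pending requests: our outbound HbH id -> (previous hop, its HbH id)
        self.pending = {}
        # (Origin-Host, End-to-End) already seen, for duplicate detection
        self.seen = set()

    def receive_request(self, msg, from_peer):
        key = (msg.origin_host, msg.end_to_end)
        if msg.retransmit and key in self.seen:
            return "duplicate"          # T flag + same Origin-Host/E2E: retransmission
        self.seen.add(key)
        next_hop = (self.routing_table.get((msg.dest_realm, msg.app_id))
                    or self.routing_table.get((msg.dest_realm, "*")))
        if next_hop is None:
            return "no-route"           # a real relay answers with a 3xxx protocol error
        new_hbh = next(self._hbh)       # HbH id is rewritten at every hop
        fwd = Message(True, new_hbh, msg.end_to_end, msg.origin_host,
                      msg.dest_realm, msg.app_id,
                      msg.route_record + [self.host], msg.retransmit)
        self.pending[new_hbh] = (from_peer, msg.hop_by_hop)
        self.peer_table[next_hop].append(fwd)
        return "forwarded"

    def receive_answer(self, ans):
        # No routing look-up: the HbH id alone says where the answer goes back to,
        # and the previous hop's own HbH id is restored before sending.
        from_peer, orig_hbh = self.pending.pop(ans.hop_by_hop)
        back = Message(False, orig_hbh, ans.end_to_end, ans.origin_host,
                       result_code=ans.result_code)
        self.peer_table[from_peer].append(back)
        return back


def demo():
    """Client -> relay -> server and back, then a retransmitted duplicate."""
    wires = {"client.realmA.com": [], "server.realmB.com": []}
    relay = RelayAgent("relay.realmA.com",
                       {("realmB.com", "*"): "server.realmB.com"}, wires)
    req = Message(True, 7, 0xAB12, "client.realmA.com", "realmB.com", 16777251)
    status = relay.receive_request(req, "client.realmA.com")
    fwd = wires["server.realmB.com"].pop()
    # The server copies both identifiers from the request it received.
    ans = Message(False, fwd.hop_by_hop, fwd.end_to_end, "server.realmB.com",
                  result_code=2001)
    back = relay.receive_answer(ans)
    dup = relay.receive_request(
        Message(True, 8, 0xAB12, "client.realmA.com", "realmB.com", 16777251,
                retransmit=True), "client.realmA.com")
    return status, fwd, back, dup, wires["client.realmA.com"]


if __name__ == "__main__":
    print(demo())
```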
Error Handling

Result-Code AVP

The Result-Code AVP indicates whether a particular request was completed successfully or an error occurred.
The Result-Code data field contains an IANA-managed 32-bit address space representing errors.
Diameter provides the following classes of errors, all identified by the thousands digit in the decimal notation:
• 1xxx (Informational)
• 2xxx (Success)
• 3xxx (Protocol Errors)
• 4xxx (Transient Failures)
• 5xxx (Permanent Failures)

Any application supports the result codes defined in the base protocol.
Any application can define its own set of result codes where more appropriate, using the Experimental-Result AVP instead of the Result-Code AVP when defined for a vendor-specific application.
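The result-code classes and the Result-Code versus Experimental-Result distinction above, as an added example that is not part of the deck: one function reads the outcome of an answer from either AVP and maps the class to what a client should do with it, and a second builds an error answer of the right shape (Result-Code for an IETF application, the grouped Experimental-Result for a vendor-specific one, plus Failed-AVP and Error-Reporting-Host). AVPs are modelled as plain dicts. The value 5001 is the real DIAMETER_AVP_UNSUPPORTED base-protocol code; 10415 is 3GPP's enterprise number; the vendor code 5999, the host names and the Session-Id are constructed.

```python
"""Result-code interpretation and error-answer construction
(added example, not from the training deck)."""

# Thousands digit of the Result-Code -> class, as listed on the slide.
CLASSES = {1: "Informational", 2: "Success", 3: "Protocol Error",
           4: "Transient Failure", 5: "Permanent Failure"}

# What a client does per class: 3xxx protocol errors are handled hop by hop
# by the agents (RFC 6733), 4xxx may be retried elsewhere, 5xxx must not be.
ACTIONS = {"Informational": "proceed", "Success": "proceed",
           "Protocol Error": "agent", "Transient Failure": "retry",
           "Permanent Failure": "fail"}

DIAMETER_AVP_UNSUPPORTED = 5001     # base-protocol permanent failure


def result_class(code):
    return CLASSES.get(code // 1000, "Unknown")


def extract_result(answer):
    """(code, vendor_id) from Result-Code, or from the grouped Experimental-Result
    AVP (Vendor-Id + Experimental-Result-Code); (None, None) if neither exists."""
    if "Result-Code" in answer:
        return answer["Result-Code"], None
    if "Experimental-Result" in answer:
        grp = answer["Experimental-Result"]
        return grp["Experimental-Result-Code"], grp["Vendor-Id"]
    return None, None


def interpret_answer(answer):
    """Return {'code', 'vendor_id', 'class', 'action'} for an answer (dict of AVPs)."""
    code, vendor = extract_result(answer)
    if code is None:
        # Design choice of this example: an answer carrying neither result AVP is
        # malformed and is treated as a permanent failure rather than guessed at.
        return {"code": None, "vendor_id": None,
                "class": "Permanent Failure", "action": "fail"}
    cls = result_class(code)
    return {"code": code, "vendor_id": vendor, "class": cls,
            "action": ACTIONS.get(cls, "fail")}


def build_error_answer(request, code, origin_host, origin_realm,
                       vendor_id=None, failed_avp=None, reporting_host=None):
    """Error answer for `request`: Session-Id copied from the request; Result-Code
    for an IETF application or Experimental-Result for a vendor-specific one;
    Failed-AVP echoes the offending AVP; Error-Reporting-Host is added only when
    the host that set the result differs from the Origin-Host."""
    answer = {"Session-Id": request["Session-Id"],
              "Origin-Host": origin_host, "Origin-Realm": origin_realm}
    if vendor_id is None:
        answer["Result-Code"] = code
    else:
        answer["Experimental-Result"] = {"Vendor-Id": vendor_id,
                                         "Experimental-Result-Code": code}
    if failed_avp is not None:
        answer["Failed-AVP"] = failed_avp
    if reporting_host is not None and reporting_host != origin_host:
        answer["Error-Reporting-Host"] = reporting_host
    return answer


if __name__ == "__main__":
    req = {"Session-Id": "client.realmA.com;1383300000;1", "Unknown-AVP": 42}
    err = build_error_answer(req, DIAMETER_AVP_UNSUPPORTED, "server.realmB.com",
                             "realmB.com", failed_avp={"Unknown-AVP": 42})
    print(err, interpret_answer(err))
```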
Server-Initiated Re-Auth

<RAR> ::= < Diameter Header: 258, REQ, PXY >
          < Session-Id >
          { Origin-Host }
          { Origin-Realm }
          { Destination-Realm }
          { Destination-Host }
          { Auth-Application-Id }
          { Re-Auth-Request-Type }
          [ User-Name ]
          [ Origin-State-Id ]
        * [ Proxy-Info ]
        * [ Route-Record ]
        * [ AVP ]

<RAA> ::= < Diameter Header: 258, PXY >
          < Session-Id >
          { Result-Code }
          { Origin-Host }
          { Origin-Realm }
          [ User-Name ]
          [ Origin-State-Id ]
          [ Error-Message ]
          [ Error-Reporting-Host ]
          [ Failed-AVP ]
        * [ Redirect-Host ]
          [ Redirect-Host-Usage ]
          [ Redirect-Max-Cache-Time ]
        * [ Proxy-Info ]
        * [ AVP ]
Session Termination

Client-initiated:
• When a user session that required Diameter authorization terminates, the client issues a Session-Termination-Request (STR) message to the Diameter server that authorized the service, to notify it that the session is no longer active.
• A Diameter server that receives an STR message cleans up the resources (e.g., session state) associated with the Session-Id specified in the STR and returns a Session-Termination-Answer (STA).

Server-initiated:
• A Diameter server may request that the access device stop providing service for a particular session by issuing an Abort-Session-Request (ASR).
• The client that receives the ASR may accept the termination request, answer back with an Abort-Session-Answer (ASA) and initiate an STR.
<ASR> ::= < Diameter Header: 274, REQ, PXY >
          < Session-Id >
          { Origin-Host }
          { Origin-Realm }
          { Destination-Realm }
          { Destination-Host }
          { Auth-Application-Id }
          [ User-Name ]
          [ Origin-State-Id ]
        * [ Proxy-Info ]
        * [ Route-Record ]
        * [ AVP ]

<ASA> ::= < Diameter Header: 274, PXY >
          < Session-Id >
          { Result-Code }
          { Origin-Host }
          { Origin-Realm }
          [ User-Name ]
          [ Origin-State-Id ]
          [ Error-Message ]
          [ Error-Reporting-Host ]
          [ Failed-AVP ]
        * [ Redirect-Host ]
          [ Redirect-Host-Usage ]
          [ Redirect-Max-Cache-Time ]
        * [ Proxy-Info ]
        * [ AVP ]
Accounting
Accounting Session

The Diameter base protocol provides basic functionality for offline accounting.
• Application-Id 3 is used for accounting messages (instead of 0).
• The Diameter Credit Control Application (RFC 4006) is used for online accounting.

The device generating the accounting data gets information from either the authorization server (if contacted) or the accounting server regarding the way accounting data shall be forwarded.
The Accounting-Request (ACR) message is used by the client to transmit the accounting information to the Diameter server, which replies with the Accounting-Answer (ACA) message to confirm reception.
The server (or agents) use the Acct-Interim-Interval and Accounting-Realtime-Required AVPs to control the operation of the Diameter peer operating as a client.
• The Acct-Interim-Interval AVP instructs the Diameter node acting as a client to produce accounting records continuously, even during a session.
• The Accounting-Realtime-Required AVP is used to control the behavior of the client when the transfer of accounting records from the Diameter client is delayed or unsuccessful.
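The control loop those two AVPs impose on an accounting client, as an added example that is not part of the deck: a client that emits START, INTERIM (every Acct-Interim-Interval seconds) and STOP records with an increasing Accounting-Record-Number, and that applies the Accounting-Realtime-Required policy when an ACR gets no ACA. The Accounting-Record-Type and Accounting-Realtime-Required enumeration values are those of RFC 6733 (sections 9.8.1 and 9.8.7); the Session-Id, the timings and the "flaky server" transport are constructed.

```python
"""Accounting client driven by Acct-Interim-Interval and
Accounting-Realtime-Required (added example, not from the training deck)."""

# Accounting-Record-Type values (RFC 6733 section 9.8.1)
EVENT_RECORD, START_RECORD, INTERIM_RECORD, STOP_RECORD = 1, 2, 3, 4
# Accounting-Realtime-Required values (RFC 6733 section 9.8.7)
DELIVER_AND_GRANT, GRANT_AND_STORE, GRANT_AND_LOSE = 1, 2, 3


class AccountingClient:
    def __init__(self, session_id, send, interim_interval=0,
                 realtime_required=GRANT_AND_STORE):
        self.session_id = session_id
        self.send = send                  # callable(acr) -> True when an ACA came back
        self.interim_interval = interim_interval   # seconds; 0 or absent = no INTERIM
        self.realtime_required = realtime_required
        self.record_number = 0            # Accounting-Record-Number, per session
        self.stored = []                  # records kept locally for later delivery
        self.service_granted = True

    def _acr(self, record_type, t):
        acr = {"Session-Id": self.session_id,
               "Accounting-Record-Type": record_type,
               "Accounting-Record-Number": self.record_number,
               "Event-Timestamp": t}
        self.record_number += 1
        return acr

    def _deliver(self, acr):
        if self.send(acr):
            return "delivered"
        # No ACA: what happens next is dictated by Accounting-Realtime-Required.
        if self.realtime_required == DELIVER_AND_GRANT:
            self.service_granted = False  # service only while records can be delivered
            self.stored.append(acr)
            return "service-interrupted"
        if self.realtime_required == GRANT_AND_STORE:
            self.stored.append(acr)       # keep serving, buffer the record
            return "stored"
        return "lost"                     # GRANT_AND_LOSE: keep serving, drop it

    def run_session(self, start_t, stop_t):
        """Drive one session; returns [(record_type, record_number, outcome)]."""
        log = []
        acr = self._acr(START_RECORD, start_t)
        log.append((START_RECORD, acr["Accounting-Record-Number"], self._deliver(acr)))
        if self.interim_interval > 0:
            t = start_t + self.interim_interval
            while t < stop_t and self.service_granted:
                acr = self._acr(INTERIM_RECORD, t)
                log.append((INTERIM_RECORD, acr["Accounting-Record-Number"],
                            self._deliver(acr)))
                t += self.interim_interval
        acr = self._acr(STOP_RECORD, stop_t)
        log.append((STOP_RECORD, acr["Accounting-Record-Number"], self._deliver(acr)))
        return log


def demo(realtime_required):
    """Constructed scenario: a 1000 s session, 300 s interim interval, and a
    server that fails to answer exactly the second ACR it receives."""
    calls = []

    def flaky_send(acr):
        calls.append(acr["Accounting-Record-Number"])
        return len(calls) != 2

    client = AccountingClient("client.realmA.com;1383300000;1", flaky_send,
                              interim_interval=300,
                              realtime_required=realtime_required)
    log = client.run_session(0, 1000)
    return log, client.stored, client.service_granted


if __name__ == "__main__":
    for policy in (DELIVER_AND_GRANT, GRANT_AND_STORE, GRANT_AND_LOSE):
        print(policy, demo(policy))
```

Under GRANT_AND_STORE the client keeps serving and buffers the undelivered INTERIM record; under DELIVER_AND_GRANT the same failure stops the service (no further interims) until records can be delivered again; under GRANT_AND_LOSE the record is simply discarded.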
Accounting-Record-Type AVP:
• type of accounting record
Acct-Interim-Interval AVP:
• how/when to generate accounting records
Accounting-Record-Number AVP:
• identifies an accounting record
Acct-Session-Id AVP:
• used for RADIUS/Diameter translation
Acct-Multi-Session-Id AVP:
• correlates multiple accounting sessions
Acct-Sub-Session-Id AVP:
• sub-divides an accounting session
Accounting-Realtime-Required AVP:
• specifies the real-time accounting behavior
Ongoing Works