Diameter is an authentication, authorization, and accounting protocol for computer networks. It evolved from the earlier RADIUS protocol. It belongs to the application layer protocols in the internet protocol suite. Diameter Applications extend the base protocol by adding new commands. The Diameter base protocol is defined by RFC (Obsoletes: RFC ). Canonical URL: ; File formats: Plain Text, PDF; Status: PROPOSED STANDARD; Obsoleted by: RFC ; Updated by. Diameter is specified primarily as a base protocol by the IETF in RFC and then the DIAMETER base protocol must be used in conjunction with DIAMETER.
Published (Last): 2 August 2011
Auditability: RADIUS does not define data-object security mechanisms, and as a result, untrusted proxies may modify attributes or even packet headers without being detected.
This feature was implied in the peer state machine table of RFC , but it was not clearly defined anywhere else in that document. Since a new EAP authentication method can be supported within Diameter without requiring new AVPs, the addition of EAP methods does not require the creation of a new authentication application.
In order to provide well-defined failover behavior, Diameter supports application-layer acknowledgements, and defines failover algorithms and the associated state machine. However, the protocol's failover procedures require that agents maintain a copy of pending requests. The supported ICMP types are: If the M-bit is set by the sender and the receiver does not understand the AVP or the values carried within that AVP, then a failure is generated (see Section 7). Translation of messages can only occur if the agent recognizes the application of a particular request, and therefore translation agents MUST only advertise their locally supported applications.
As a result, proxies need to understand the semantics of the messages passing through them, and may not support all Diameter applications. Guttman Sun Microsystems, Inc.
Diameter sessions MUST be routed only through authorized nodes that have advertised support for the Diameter application required by the session. Description of the Document Set. Relaying of Diameter messages. The example provided in Figure 2 depicts a request issued from a NAS, which is an access device, for the user bob example. Relaying and Proxying Requests. Obsolete RFCs are indicated with strikethrough text.
The AVP can appear anywhere in the message. This MAY require that new AVP values be assigned to represent the new authentication transform, or any other scheme that produces similar results.
Diameter implementations are required to support all Mandatory AVPs which are allowed by the message's formal syntax and defined either in the base Diameter standard or in one of the Diameter Application specifications governing the message. Transaction state implies that upon forwarding a request, the Hop-by-Hop Identifier is saved; the field is replaced with a locally unique identifier, which is restored to its original value when the corresponding answer is received. Diameter connections and sessions: In the example provided in Figure 1, peer connection A is established between the Client and its local Relay.
A home realm may also wish to check that each accounting request message corresponds to a Diameter response authorizing the session.
In that sense, Diameter is a peer-to-peer protocol. Accounting Session State Machine. Creating New Diameter Applications. This field is only present if the respective bit-flag is enabled. When relays or proxies are involved, this hop-by-hop security does not protect the entire Diameter user session.
This routing decision is performed using a list of supported realms and known peers. If no rule matches, the packet is treated as best effort. See Section 13 for details. There are many other miscellaneous fixes that have been introduced in this document that may not be considered significant, but they have value nonetheless.
An access device that is unable to interpret or apply a deny rule MUST terminate the session.
It is suggested that IPsec can be used primarily at the edges and in intra-domain traffic, such as using pre-shared keys between a NAS and a local AAA proxy. Diameter includes support for error handling (Section 7) and capability negotiation (Section 5). The following Application Identifier values are defined: The default value is infinity. This limits the usefulness of IPsec in inter-domain AAA applications such as roaming, where it may be desirable to define a distinct certificate hierarchy for use in a AAA deployment.
The RFC defines an authorization and an accounting state machine.
It is important to note that although proxies MAY provide a Diameter function for NASes, they do not allow access devices to use end-to-end security, since modifying messages breaks authentication. A metalanguage with its own formal syntax and rules. Due to space constraints, the short form DiamIdent is used to represent DiameterIdentity. There is one kind of packet that the access device MUST always discard, that is an IP fragment with a fragment offset of one.