Diameter Session #1 1
Diameter Base Protocol (RFC 6733)
Session #1
Author: Victor I. Fajardo
Date: Sept. 25, 2013
Agenda
• History of the Diameter Protocol: how did it evolve; major features
• Protocol details: overview; base protocol; Diameter applications
• Protocol framing: header; AVPs
• Diameter peers: connection state machine; transport; capabilities exchange
• Message processing: request routing; answer processing
• User session state machines: stateful and stateless
• Error handling
• Questions
History of the Diameter Protocol
Evolution
• Developed in 1998 to overcome the limitations of RADIUS
• Evolution of a true AAA framework
• Diverged from RADIUS compatibility as the protocol was being developed
• RFC 3588 - initial version
• RFC 6733 - current version
Major Features
• Reliable transport protocols (TCP or SCTP, not UDP)
• Network or transport layer security (IPsec or TLS)
• Transition support for RADIUS, although Diameter is not fully compatible with RADIUS
• Larger address space for attribute-value pairs (AVPs) and identifiers (32 bits instead of 8 bits)
• Client-server protocol, although some server-initiated messages are also supported
• Both stateful and stateless models can be used
• Dynamic discovery of peers (using DNS SRV and NAPTR)
• Capability negotiation
Major Features - Continued
• Supports application layer acknowledgements, defines failover methods and state machines (RFC 3539)
• Error notification
• Better roaming support
• More easily extended; new commands and attributes can be defined
• Aligned on 32-bit boundaries
• Basic support for user sessions and accounting
Protocol Details: Base Protocol
Transport
• Transport profile in RFC 3539
• Mandatory support for TLS and TCP (port 3868) on server nodes; TCP for client nodes
• Connector MUST run on port 5658
• Security: TLS
• Guidelines on SCTP
Application ID
• Globally unique ID to identify applications and their associated messages
• MUST have an accompanying RFC
Connections vs. Sessions
• A connection is the establishment of transport
• A session is the exchange of Diameter messages
Peer Table
• List of known adjacent Diameter peers
• Maintains the connectivity state of each known peer
Table entry: Description
• Host Identity: FQDN (fully qualified domain name) of the Diameter peer/node
• Status: current state of the connection (peer state machine state)
• Static or Dynamic: whether the peer is dynamically (via DNS) or statically configured
• Expiration Time: for dynamically discovered peers, how long before refreshing the connection
• Connection type: TLS/TCP and DTLS/SCTP
Topology of Diameter Peers
(Diagram, not reproduced: ServerA, ServerB, ServerC, ServerD and ServerE spread across the realms companyA.com and companyB.com)
• Message request routing: Destination-Realm = companyB.com, Destination-Host = ServerD.companyB.com
• Red line: peer connectivity; blue line: session connectivity
Routing Table
Table entry: Description
• Realm Name: realm being serviced by this Diameter node; longest match during lookup
• Application ID: Application ID supported by this route
• Local Action: dictates how the request message will be handled by the node (LOCAL, PROXY, RELAY or REDIRECT)
• Server ID: FQDN of the server servicing the request
• Static or Dynamic: whether this route was dynamically discovered or not
• Expiration Time: for dynamically discovered routes, how long before refresh
Role of Diameter Agents
Agent functions:
• Relay Agent: general request routing
• Proxy Agent: stateful processing
• Redirect Agent: stateless processing
(Diagram, not reproduced: NAS -> Agent -> Home Server A / Home Server B; the agent performs relay and/or proxy functions, or the redirect function)
Diameter Header Format
(Header layout diagram not reproduced)
Key fields:
• Command Code: the specific command of this application
• Application ID: the Diameter application this message belongs to
• Hop-by-Hop ID: used to match replies to a previous request
Diameter Message
Diameter message format: a Diameter message is composed of
• a Diameter header
• followed by one or more Diameter AVPs
• defined by an ABNF
Layout: Header | Fixed AVP(s) | Mandatory AVP(s) | Optional AVP(s)
Diameter AVP Format
Definition of an AVP
• AVP: Attribute Value Pair
• Makes up the message body of a Diameter message
Key fields:
• AVP Code: unique AVP number
• Flags: tell whether this AVP is vendor specific or part of the standard; also indicate whether this is a mandatory AVP or not
• New AVPs can be derived from existing AVPs
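The header and AVP slides above describe the wire layout in words. The following encoder/decoder is an added example (not code from the deck or from any Diameter stack) that shows the 20-byte header, the AVP header with its V/M/P flags and optional Vendor-Id, and the 32-bit padding the "Aligned on 32-bit boundaries" slide refers to. It builds a constructed Capabilities-Exchange-Request (command code 257, application id 0) with made-up hop-by-hop/end-to-end ids and a hypothetical vendor-specific AVP (vendor id 99999 is invented), then parses it back, rejecting any AVP whose length field does not fit inside the message.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set

DIAMETER_VERSION = 1
# Command flag bits in the 20-byte header (RFC 6733 section 3):
# R = request, P = proxiable, E = error, T = potentially retransmitted
FLAG_REQUEST, FLAG_PROXIABLE, FLAG_ERROR, FLAG_RETRANSMIT = 0x80, 0x40, 0x20, 0x10
# AVP flag bits (RFC 6733 section 4.1): V = vendor specific, M = mandatory, P = protected
AVP_V, AVP_M, AVP_P = 0x80, 0x40, 0x20


@dataclass
class AVP:
    code: int
    flags: int
    data: bytes
    vendor_id: Optional[int] = None  # on the wire only when the V flag is set

    @property
    def mandatory(self) -> bool:
        return bool(self.flags & AVP_M)


@dataclass
class Message:
    command_code: int
    application_id: int
    hop_by_hop: int
    end_to_end: int
    flags: int
    avps: List[AVP] = field(default_factory=list)

    @property
    def is_request(self) -> bool:
        return bool(self.flags & FLAG_REQUEST)


def _pad(n: int) -> int:
    """Zero-padding bytes needed to bring n up to the next 32-bit boundary."""
    return (-n) % 4


def encode_avp(avp: AVP) -> bytes:
    # AVP header: code(4) | flags(1) | length(3) | [vendor-id(4)]; length excludes padding
    vendor = avp.vendor_id is not None
    flags = avp.flags | (AVP_V if vendor else 0)
    length = (12 if vendor else 8) + len(avp.data)
    out = struct.pack("!I", avp.code) + bytes([flags]) + length.to_bytes(3, "big")
    if vendor:
        out += struct.pack("!I", avp.vendor_id)
    return out + avp.data + b"\x00" * _pad(len(avp.data))


def encode_message(msg: Message) -> bytes:
    # Header: version(1) | length(3) | flags(1) | command code(3) | app id(4) | hop-by-hop(4) | end-to-end(4)
    body = b"".join(encode_avp(a) for a in msg.avps)
    hdr = bytes([DIAMETER_VERSION]) + (20 + len(body)).to_bytes(3, "big")
    hdr += bytes([msg.flags]) + msg.command_code.to_bytes(3, "big")
    hdr += struct.pack("!III", msg.application_id, msg.hop_by_hop, msg.end_to_end)
    return hdr + body


def decode_message(buf: bytes) -> Message:
    """Parse one Diameter message, refusing any length field that does not fit the buffer."""
    if len(buf) < 20:
        raise ValueError("buffer shorter than the Diameter header")
    length = int.from_bytes(buf[1:4], "big")
    if buf[0] != DIAMETER_VERSION or length != len(buf) or length % 4:
        raise ValueError("bad version or message length")
    command_code = int.from_bytes(buf[5:8], "big")
    app_id, hbh, e2e = struct.unpack("!III", buf[8:20])
    msg = Message(command_code, app_id, hbh, e2e, buf[4])
    off = 20
    while off < length:
        if length - off < 8:
            raise ValueError("truncated AVP header")
        code = struct.unpack("!I", buf[off:off + 4])[0]
        aflags = buf[off + 4]
        alen = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if aflags & AVP_V else 8
        # Bounds check before slicing: a forged length must never read past the message
        if alen < hdr or off + alen + _pad(alen) > length:
            raise ValueError(f"AVP {code}: length {alen} does not fit the message")
        vendor = struct.unpack("!I", buf[off + 8:off + 12])[0] if aflags & AVP_V else None
        msg.avps.append(AVP(code, aflags, buf[off + hdr:off + alen], vendor))
        off += alen + _pad(alen)
    return msg


def unknown_mandatory_avps(msg: Message, known_codes: Set[int]) -> List[int]:
    """Codes of M-flagged AVPs this receiver does not understand; such a message must be rejected."""
    return [a.code for a in msg.avps if a.mandatory and a.code not in known_codes]


CER_CODE = 257  # Capabilities-Exchange-Request, carried in application id 0 (base protocol)
ORIGIN_HOST, ORIGIN_REALM, VENDOR_ID, PRODUCT_NAME = 264, 296, 266, 269


def sample_cer() -> bytes:
    """Constructed CER; ids 0x1234/0x5678 and vendor id 99999 are made-up sample values."""
    avps = [
        AVP(ORIGIN_HOST, AVP_M, b"client.example.com"),
        AVP(ORIGIN_REALM, AVP_M, b"example.com"),
        AVP(VENDOR_ID, AVP_M, struct.pack("!I", 0)),
        AVP(PRODUCT_NAME, 0, b"demo"),
        AVP(1, AVP_M, b"x", vendor_id=99999),  # hypothetical vendor-specific AVP
    ]
    return encode_message(Message(CER_CODE, 0, 0x1234, 0x5678, FLAG_REQUEST, avps))
```

The decoder keeps the raw AVP flags, so a round trip through encode_message reproduces the original bytes. The length check is the part worth copying: every AVP length is validated against the remaining message before any slice is taken, which is what stops a truncated or oversized length field from reading outside the buffer.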
Diameter AVP Format (continued)
• Data formats for AVPs are defined by the base protocol
• All AVPs MUST conform to these formats
Important data formats:
• DiameterIdentity: used for identifying a Diameter node; the FQDN/realm of a node
• DiameterURI: also used for identifying a Diameter node, with extra information
    "aaa://" FQDN [ port ] [ transport ] [ protocol ]
    "aaas://" FQDN [ port ] [ transport ] [ protocol ]
    transport-protocol = ( "tcp" / "sctp" / "udp" )
    aaa-protocol = ( "diameter" / "radius" / "tacacs+" )
  Example: aaa://host.example.com:6666;transport=tcp
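A parser for the DiameterURI grammar above, as an added example (not part of the deck). The defaults applied when port, transport or protocol are absent are the RFC 6733 section 4.3.1 values (3868 for aaa://, 5868 for aaas://, SCTP, diameter); the regular expression is this example's own rendering of the grammar. The grammar admits "udp" because the same URI form can name RADIUS or TACACS+ servers, so the parser rejects udp only when the protocol is diameter, in line with the "not UDP" point on the Major Features slide.

```python
import re
from dataclasses import dataclass

# This example's rendering of the slide's grammar: scheme, FQDN, optional ":port",
# optional ";transport=...", optional ";protocol=..." in that order.
_URI_RE = re.compile(
    r"(?P<scheme>aaas?)://"
    r"(?P<fqdn>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?:;transport=(?P<transport>tcp|sctp|udp))?"
    r"(?:;protocol=(?P<protocol>diameter|radius|tacacs\+))?"
)

DEFAULT_PORT = {"aaa": 3868, "aaas": 5868}  # RFC 6733 section 4.3.1 defaults when port is absent


@dataclass(frozen=True)
class DiameterURI:
    secure: bool     # aaas:// means transport security (TLS/TCP or DTLS/SCTP)
    fqdn: str
    port: int
    transport: str
    protocol: str


def parse_diameter_uri(text: str) -> DiameterURI:
    """Parse a DiameterURI; raises ValueError on anything outside the grammar."""
    m = _URI_RE.fullmatch(text)
    if not m:
        raise ValueError(f"not a DiameterURI: {text!r}")
    port = int(m["port"]) if m["port"] else DEFAULT_PORT[m["scheme"]]
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    transport = m["transport"] or "sctp"    # RFC 6733: SCTP is assumed when transport is absent
    protocol = m["protocol"] or "diameter"  # RFC 6733: diameter is assumed when protocol is absent
    # Diameter itself runs only over TCP or SCTP; udp is valid only for the other AAA protocols
    if protocol == "diameter" and transport == "udp":
        raise ValueError("Diameter MUST NOT run over UDP")
    return DiameterURI(m["scheme"] == "aaas", m["fqdn"], port, transport, protocol)
```

Because fullmatch is used, trailing junk after the last optional field (for example a second ";transport=") is rejected rather than silently ignored, which matters when the URI comes from DNS NAPTR/SRV discovery rather than local configuration.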
Diameter AVP Format: Grouped AVPs (diagram not reproduced)
• Session-Id AVPs
• Other important AVPs: Destination-Host, Destination-Realm, Origin-Host, Origin-Realm
Base Protocol Command Codes
• Commands for peer connection maintenance
• Commands for user connection maintenance
Diameter Peer State Machine
Peer discovery
• Use of DNS and NAPTR records
Capabilities exchange
• Use CER/CEA to exchange node capabilities
• Negotiate security between Diameter nodes
• Negotiate common Diameter applications
• Announce the Firmware-Revision of a Diameter node
• Declare all Host-IP-Addresses to be used for SCTP multi-homing
Exchange of keep-alive tests
• Watchdog exchange
Allow for election
• Two (2) peers can negotiate who will initiate a connection between them
Diameter Peer State Machine (state machine diagram across two slides, not reproduced)
Diameter Request Routing
• Done via realms and Application IDs
• Requests that can be forwarded use Destination-Realm
• In the case of NASs, the realm can be retrieved from the User-Name AVP (NAI)
Predictive loop avoidance
• Each node that forwards a request adds its identity to a Route-Record AVP
Redirecting requests
• Built-in load balancer
• Stateless method to tell the sender of the request to forward the message to another node
Relaying and proxying
• Relay is basic request forwarding
• Proxy provides extra processing prior to forwarding; can keep state
Answer processing
• Route answers via the Hop-by-Hop identifier
• Validation of Session-Id
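The Routing Table slide and the request routing slide together describe what a relay or proxy does with an incoming request: a longest-match lookup on Realm Name filtered by Application ID, then one of LOCAL/PROXY/RELAY/REDIRECT, with Route-Record used for loop avoidance. This added example (not from the deck or any Diameter implementation) puts those steps together. The wildcard application id, the empty realm as default route, the sample table and the realm names are this example's own assumptions; Result-Code values 3002 (DIAMETER_UNABLE_TO_DELIVER) and 3005 (DIAMETER_LOOP_DETECTED) and application id 1 (NASREQ) are RFC 6733 / RFC 7155 values.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY_APPLICATION = 0xFFFFFFFF  # wildcard convention assumed for this example
DEFAULT_REALM = ""            # empty Realm Name acts as the default route (example convention)


@dataclass(frozen=True)
class Route:
    realm: str
    application_id: int
    local_action: str   # LOCAL, PROXY, RELAY or REDIRECT
    server_id: str      # FQDN of the server (or next hop) servicing the request


def realm_matches(destination_realm: str, realm: str) -> bool:
    """True when destination_realm equals realm or is a sub-realm of it, comparing whole labels."""
    d, r = destination_realm.lower().rstrip("."), realm.lower().rstrip(".")
    return d == r or d.endswith("." + r)


def lookup_route(table: List[Route], destination_realm: str, application_id: int) -> Optional[Route]:
    """Longest-match on Realm Name among routes for this Application ID; a specific id beats the wildcard."""
    best: Optional[Route] = None
    for route in table:
        if route.application_id not in (application_id, ANY_APPLICATION):
            continue
        if route.realm != DEFAULT_REALM and not realm_matches(destination_realm, route.realm):
            continue
        score = (len(route.realm), route.application_id != ANY_APPLICATION)
        if best is None or score > (len(best.realm), best.application_id != ANY_APPLICATION):
            best = route
    return best


class LoopDetected(Exception):
    """Our own identity is already in Route-Record; answer with DIAMETER_LOOP_DETECTED (3005)."""


def add_route_record(own_identity: str, route_record: List[str]) -> List[str]:
    """Predictive loop avoidance: refuse to forward a request that already passed through this node."""
    if own_identity.lower() in (h.lower() for h in route_record):
        raise LoopDetected(own_identity)
    return route_record + [own_identity]


def forward(table: List[Route], own_identity: str, destination_realm: str,
            application_id: int, route_record: List[str]) -> dict:
    """Decide what this node does with a request: local handling, redirect, or forward with Route-Record."""
    route = lookup_route(table, destination_realm, application_id)
    if route is None:
        return {"action": "reject", "result_code": 3002}  # DIAMETER_UNABLE_TO_DELIVER
    if route.local_action == "LOCAL":
        return {"action": "LOCAL", "server": route.server_id}
    if route.local_action == "REDIRECT":
        # Stateless: the sender is told to contact the server itself; nothing is forwarded
        return {"action": "REDIRECT", "redirect_host": route.server_id}
    return {"action": route.local_action, "next_hop": route.server_id,
            "route_record": add_route_record(own_identity, route_record)}


# Constructed sample table for an agent in companyA.com, modelled on the topology slide
SAMPLE_TABLE = [
    Route("companyB.com", 1, "LOCAL", "serverD.companyB.com"),            # NASREQ handled here
    Route("companyB.com", ANY_APPLICATION, "PROXY", "serverE.companyB.com"),
    Route("partner.net", ANY_APPLICATION, "REDIRECT", "redirect.partner.net"),
    Route(DEFAULT_REALM, ANY_APPLICATION, "RELAY", "relay.companyA.com"),
]
```

Two details matter for security here: the realm comparison is label-wise, so a Destination-Realm of evilcompanyB.com does not match the companyB.com route, and the Route-Record check runs before the request leaves the node, so a request that loops back through a misconfigured peer is rejected rather than relayed again.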
Diameter Request Routing Rules
• Requests that cannot be forwarded MUST NOT carry Destination-Realm or Destination-Host (requests used to establish connectivity)
• Requests sent to the home realm but not to a specific server: use Destination-Realm, no Destination-Host; can be re-routed by a redirect agent
• Requests sent to a specific home server: use Destination-Host
• Validation of shared keys, if any
Special Note on Relay and Redirection (diagram slide, not reproduced)
Diameter User State Machine
• Applications define the state machine
• The base protocol defines an authorization state machine and an accounting state machine; both are historical models for AAA frameworks
• Contemporary Diameter applications define stateless models with single request/response exchanges
Diameter Client Stateless Session (diagram slide, not reproduced)
Diameter Server Stateful Session (diagram across two slides, not reproduced)
Diameter Error Handling
Result-Code error types:
• Informational: can be used as a hint or warning of impending severe errors
• Protocol: indication of a problem with the implementation; message validation errors
• Transient and Permanent: indication of environmental/system issues; connection errors, routing errors, application-specific errors, message validation errors
Fail-over and fail-back
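The error handling slide lists the Result-Code classes and the request routing slide says answers are matched by Hop-by-Hop identifier with Session-Id validated. The following added example (not from the deck) combines the two into a small answer processor: it classifies a Result-Code by its thousands digit as RFC 6733 section 7.1 does (1xxx informational, 2xxx success, 3xxx protocol, 4xxx transient, 5xxx permanent), drops answers that match no outstanding request or carry the wrong Session-Id, and checks that protocol errors are the only answers carrying the E bit. The Session-Id strings and ids used in the test are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

RESULT_CODE_CLASSES = {1: "informational", 2: "success", 3: "protocol", 4: "transient", 5: "permanent"}


def result_code_class(result_code: int) -> str:
    """RFC 6733 section 7.1 groups Result-Code values by their thousands digit."""
    return RESULT_CODE_CLASSES.get(result_code // 1000, "unknown")


@dataclass
class PendingRequest:
    hop_by_hop: int   # locally unique id; the peer copies it unchanged into the answer
    session_id: str
    peer: str         # peer the request was sent to


@dataclass
class Answer:
    hop_by_hop: int
    session_id: Optional[str]
    result_code: int
    error_flag: bool  # the E bit in the Diameter header


class AnswerProcessor:
    """Matches incoming answers to outstanding requests and decides what to do with them."""

    def __init__(self) -> None:
        self.pending: Dict[int, PendingRequest] = {}

    def record_request(self, req: PendingRequest) -> None:
        self.pending[req.hop_by_hop] = req

    def on_answer(self, ans: Answer) -> Tuple[str, str]:
        """Return (outcome, reason); outcome is one of discard, deliver, retry_later, fail, reroute."""
        req = self.pending.get(ans.hop_by_hop)
        if req is None:
            return "discard", "no outstanding request with this Hop-by-Hop id"
        if ans.session_id != req.session_id:
            # An answer on the right hop-by-hop id but the wrong session is not trusted
            return "discard", "Session-Id does not match the request"
        cls = result_code_class(ans.result_code)
        if (cls == "protocol") != ans.error_flag:
            # RFC 6733: protocol errors are exactly the answers carrying the E bit
            return "discard", "E bit inconsistent with Result-Code class"
        del self.pending[ans.hop_by_hop]   # matched: the request is no longer outstanding
        if cls in ("success", "informational"):
            return "deliver", cls
        if cls == "transient":
            return "retry_later", f"transient error {ans.result_code} from {req.peer}"
        if cls == "permanent":
            return "fail", f"permanent error {ans.result_code}; do not retry"
        if cls == "protocol":
            return "reroute", f"protocol error {ans.result_code}; handled per hop, alternate route may be tried"
        return "fail", f"unknown Result-Code {ans.result_code}"
```

Only a matched, consistent answer removes the pending entry, so an unsolicited or forged answer cannot clear a legitimately outstanding request; the two discard paths are the ones worth logging during operations.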
Questions?