| rfc3588.txt | | draft-ietf-dime-rfc3588bis-01.txt | |
| | | | |
| Network Working Group P. Calhoun | | DIME V. Fajardo, Ed. | |
| Request for Comments: 3588 Airespace, Inc. | | Internet-Draft Toshiba America Research | |
| Category: Standards Track J. Loughney | | Intended status: Standards Track J. Loughney | |
| Nokia | | Expires: August 2, 2007 Nokia Research Center | |
| E. Guttman | | January 29, 2007 | |
| Sun Microsystems, Inc. | | | |
| G. Zorn | | | |
| Cisco Systems, Inc. | | | |
| J. Arkko | | | |
| Ericsson | | | |
| September 2003 | | | |
| | | | |
| Diameter Base Protocol | | Diameter Base Protocol | |
| | | draft-ietf-dime-rfc3588bis-01.txt | |
| | | | |
| Status of this Memo | | Status of this Memo | |
| | | | |
| This document specifies an Internet standards track protocol for the | | By submitting this Internet-Draft, each author represents that any | |
| Internet community, and requests discussion and suggestions for | | applicable patent or other IPR claims of which he or she is aware | |
| improvements. Please refer to the current edition of the "Internet | | have been or will be disclosed, and any of which he or she becomes | |
| Official Protocol Standards" (STD 1) for the standardization state | | aware will be disclosed, in accordance with Section 6 of BCP 79. | |
| and status of this protocol. Distribution of this memo is unlimited. | | | |
| | | Internet-Drafts are working documents of the Internet Engineering | |
| | | Task Force (IETF), its areas, and its working groups. Note that | |
| | | other groups may also distribute working documents as Internet- | |
| | | Drafts. | |
| | | | |
| | | Internet-Drafts are draft documents valid for a maximum of six months | |
| | | and may be updated, replaced, or obsoleted by other documents at any | |
| | | time. It is inappropriate to use Internet-Drafts as reference | |
| | | material or to cite them other than as "work in progress." | |
| | | | |
| | | The list of current Internet-Drafts can be accessed at | |
| | | http://www.ietf.org/ietf/1id-abstracts.txt. | |
| | | | |
| | | The list of Internet-Draft Shadow Directories can be accessed at | |
| | | http://www.ietf.org/shadow.html. | |
| | | | |
| | | This Internet-Draft will expire on August 2, 2007. | |
| | | | |
| Copyright Notice | | Copyright Notice | |
| | | | |
| Copyright (C) The Internet Society (2003). All Rights Reserved. | | Copyright (C) The IETF Trust (2007). | |
| | | | |
| Abstract | | Abstract | |
| | | | |
| The Diameter base protocol is intended to provide an Authentication, | | The Diameter base protocol is intended to provide an Authentication, | |
| Authorization and Accounting (AAA) framework for applications such as | | Authorization and Accounting (AAA) framework for applications such as | |
| network access or IP mobility. Diameter is also intended to work in | | network access or IP mobility. Diameter is also intended to work in | |
| both local Authentication, Authorization & Accounting and roaming | | both local Authentication, Authorization & Accounting and roaming | |
| situations. This document specifies the message format, transport, | | situations. This document specifies the message format, transport, | |
| error reporting, accounting and security services to be used by all | | error reporting, accounting and security services to be used by all | |
| Diameter applications. The Diameter base application needs to be | | Diameter applications. The Diameter base application needs to be | |
| supported by all Diameter implementations. | | supported by all Diameter implementations. | |
| | | | |
| Conventions Used In This Document | | | |
| | | | |
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | | | |
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | | | |
| document are to be interpreted as described in BCP 14, RFC 2119 | | | |
| [KEYWORD]. | | | |
| | | | |
| Table of Contents | | Table of Contents | |
| | | | |
| 1. Introduction................................................. 6 | | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 7 | |
| 1.1. Diameter Protocol..................................... 9 | | 1.1. Diameter Protocol . . . . . . . . . . . . . . . . . . . . 10 | |
| 1.1.1. Description of the Document Set.............. 10 | | 1.1.1. Description of the Document Set . . . . . . . . . . 11 | |
| 1.2. Approach to Extensibility............................. 11 | | 1.1.2. Conventions Used in This Document . . . . . . . . . 12 | |
| 1.2.1. Defining New AVP Values...................... 11 | | 1.2. Approach to Extensibility . . . . . . . . . . . . . . . . 12 | |
| 1.2.2. Creating New AVPs............................ 11 | | 1.2.1. Defining New AVP Values . . . . . . . . . . . . . . 13 | |
| 1.2.3. Creating New Authentication Applications..... 11 | | 1.2.2. Creating New AVPs . . . . . . . . . . . . . . . . . 13 | |
| 1.2.4. Creating New Accounting Applications......... 12 | | 1.2.3. Creating New Authentication Applications . . . . . . 13 | |
| 1.2.5. Application Authentication Procedures........ 14 | | 1.2.4. Creating New Accounting Applications . . . . . . . . 14 | |
| 1.3. Terminology........................................... 14 | | 1.2.5. Application Authentication Procedures . . . . . . . 15 | |
| 2. Protocol Overview............................................ 18 | | 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 16 | |
| 2.1. Transport............................................. 20 | | 2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 23 | |
| 2.1.1. SCTP Guidelines.............................. 21 | | 2.1. Transport . . . . . . . . . . . . . . . . . . . . . . . . 24 | |
| 2.2. Securing Diameter Messages............................ 21 | | 2.1.1. SCTP Guidelines . . . . . . . . . . . . . . . . . . 25 | |
| 2.3. Diameter Application Compliance....................... 21 | | 2.2. Securing Diameter Messages . . . . . . . . . . . . . . . 25 | |
| 2.4. Application Identifiers............................... 22 | | 2.3. Diameter Application Compliance . . . . . . . . . . . . . 25 | |
| 2.5. Connections vs. Sessions.............................. 22 | | 2.4. Application Identifiers . . . . . . . . . . . . . . . . . 26 | |
| 2.6. Peer Table............................................ 23 | | 2.5. Connections vs. Sessions . . . . . . . . . . . . . . . . 26 | |
| 2.7. Realm-Based Routing Table............................. 24 | | 2.6. Peer Table . . . . . . . . . . . . . . . . . . . . . . . 27 | |
| 2.8. Role of Diameter Agents............................... 25 | | 2.7. Realm-Based Routing Table . . . . . . . . . . . . . . . . 28 | |
| 2.8.1. Relay Agents................................. 26 | | 2.8. Role of Diameter Agents . . . . . . . . . . . . . . . . . 30 | |
| 2.8.2. Proxy Agents................................. 27 | | 2.8.1. Relay Agents . . . . . . . . . . . . . . . . . . . . 31 | |
| 2.8.3. Redirect Agents.............................. 28 | | 2.8.2. Proxy Agents . . . . . . . . . . . . . . . . . . . . 32 | |
| 2.8.4. Translation Agents........................... 29 | | 2.8.3. Redirect Agents . . . . . . . . . . . . . . . . . . 32 | |
| 2.9. End-to-End Security Framework......................... 30 | | 2.8.4. Translation Agents . . . . . . . . . . . . . . . . . 33 | |
| 2.10. Diameter Path Authorization........................... 30 | | 2.9. End-to-End Security Framework . . . . . . . . . . . . . . 34 | |
| 3. Diameter Header.............................................. 32 | | 2.10. Diameter Path Authorization . . . . . . . . . . . . . . . 35 | |
| 3.1. Command Codes......................................... 35 | | 3. Diameter Header . . . . . . . . . . . . . . . . . . . . . . . 37 | |
| 3.2. Command Code ABNF specification....................... 36 | | 3.1. Command Codes . . . . . . . . . . . . . . . . . . . . . . 40 | |
| 3.3. Diameter Command Naming Conventions................... 38 | | 3.2. Command Code ABNF specification . . . . . . . . . . . . . 41 | |
| 4. Diameter AVPs................................................ 38 | | 3.3. Diameter Command Naming Conventions . . . . . . . . . . . 43 | |
| 4.1. AVP Header............................................ 39 | | 4. Diameter AVPs . . . . . . . . . . . . . . . . . . . . . . . . 44 | |
| 4.1.1. Optional Header Elements..................... 41 | | 4.1. AVP Header . . . . . . . . . . . . . . . . . . . . . . . 44 | |
| 4.2. Basic AVP Data Formats................................ 41 | | 4.1.1. Optional Header Elements . . . . . . . . . . . . . . 46 | |
| 4.3. Derived AVP Data Formats.............................. 42 | | 4.2. Basic AVP Data Formats . . . . . . . . . . . . . . . . . 46 | |
| 4.4. Grouped AVP Values.................................... 49 | | 4.3. Derived AVP Data Formats . . . . . . . . . . . . . . . . 48 | |
| 4.4.1. Example AVP with a Grouped Data Type......... 50 | | 4.4. Grouped AVP Values . . . . . . . . . . . . . . . . . . . 56 | |
| 4.5. Diameter Base Protocol AVPs........................... 53 | | 4.4.1. Example AVP with a Grouped Data type . . . . . . . . 57 | |
| 5. Diameter Peers............................................... 56 | | 4.5. Diameter Base Protocol AVPs . . . . . . . . . . . . . . . 60 | |
| 5.1. Peer Connections...................................... 56 | | 5. Diameter Peers . . . . . . . . . . . . . . . . . . . . . . . 63 | |
| 5.2. Diameter Peer Discovery............................... 56 | | 5.1. Peer Connections . . . . . . . . . . . . . . . . . . . . 63 | |
| 5.3. Capabilities Exchange................................. 59 | | 5.2. Diameter Peer Discovery . . . . . . . . . . . . . . . . . 63 | |
| 5.3.1. Capabilities-Exchange-Request................ 60 | | 5.3. Capabilities Exchange . . . . . . . . . . . . . . . . . . 66 | |
| 5.3.2. Capabilities-Exchange-Answer................. 60 | | 5.3.1. Capabilities-Exchange-Request . . . . . . . . . . . 67 | |
| 5.3.3. Vendor-Id AVP................................ 61 | | 5.3.2. Capabilities-Exchange-Answer . . . . . . . . . . . . 68 | |
| 5.3.4. Firmware-Revision AVP........................ 61 | | 5.3.3. Vendor-Id AVP . . . . . . . . . . . . . . . . . . . 68 | |
| 5.3.5. Host-IP-Address AVP.......................... 62 | | 5.3.4. Firmware-Revision AVP . . . . . . . . . . . . . . . 69 | |
| 5.3.6. Supported-Vendor-Id AVP...................... 62 | | 5.3.5. Host-IP-Address AVP . . . . . . . . . . . . . . . . 69 | |
| 5.3.7. Product-Name AVP............................. 62 | | 5.3.6. Supported-Vendor-Id AVP . . . . . . . . . . . . . . 69 | |
| 5.4. Disconnecting Peer Connections........................ 62 | | 5.3.7. Product-Name AVP . . . . . . . . . . . . . . . . . . 69 | |
| 5.4.1. Disconnect-Peer-Request...................... 63 | | 5.4. Disconnecting Peer connections . . . . . . . . . . . . . 69 | |
| 5.4.2. Disconnect-Peer-Answer....................... 63 | | 5.4.1. Disconnect-Peer-Request . . . . . . . . . . . . . . 70 | |
| 5.4.3. Disconnect-Cause AVP......................... 63 | | 5.4.2. Disconnect-Peer-Answer . . . . . . . . . . . . . . . 70 | |
| 5.5. Transport Failure Detection........................... 64 | | 5.4.3. Disconnect-Cause AVP . . . . . . . . . . . . . . . . 71 | |
| 5.5.1. Device-Watchdog-Request...................... 64 | | 5.5. Transport Failure Detection . . . . . . . . . . . . . . . 71 | |
| 5.5.2. Device-Watchdog-Answer....................... 64 | | 5.5.1. Device-Watchdog-Request . . . . . . . . . . . . . . 71 | |
| 5.5.3. Transport Failure Algorithm.................. 65 | | 5.5.2. Device-Watchdog-Answer . . . . . . . . . . . . . . . 72 | |
| 5.5.4. Failover and Failback Procedures............. 65 | | 5.5.3. Transport Failure Algorithm . . . . . . . . . . . . 72 | |
| 5.6. Peer State Machine.................................... 66 | | 5.5.4. Failover and Failback Procedures . . . . . . . . . . 72 | |
| 5.6.1. Incoming connections......................... 68 | | 5.6. Peer State Machine . . . . . . . . . . . . . . . . . . . 73 | |
| 5.6.2. Events....................................... 69 | | 5.6.1. Incoming connections . . . . . . . . . . . . . . . . 75 | |
| 5.6.3. Actions...................................... 70 | | 5.6.2. Events . . . . . . . . . . . . . . . . . . . . . . . 76 | |
| 5.6.4. The Election Process......................... 71 | | 5.6.3. Actions . . . . . . . . . . . . . . . . . . . . . . 77 | |
| 6. Diameter Message Processing.................................. 71 | | 5.6.4. The Election Process . . . . . . . . . . . . . . . . 79 | |
| 6.1. Diameter Request Routing Overview..................... 71 | | 5.6.5. Capabilities Update . . . . . . . . . . . . . . . . 79 | |
| 6.1.1. Originating a Request........................ 73 | | 6. Diameter message processing . . . . . . . . . . . . . . . . . 80 | |
| 6.1.2. Sending a Request............................ 73 | | 6.1. Diameter Request Routing Overview . . . . . . . . . . . . 80 | |
| 6.1.3. Receiving Requests........................... 73 | | 6.1.1. Originating a Request . . . . . . . . . . . . . . . 81 | |
| 6.1.4. Processing Local Requests.................... 73 | | 6.1.2. Sending a Request . . . . . . . . . . . . . . . . . 82 | |
| 6.1.5. Request Forwarding........................... 74 | | 6.1.3. Receiving Requests . . . . . . . . . . . . . . . . . 82 | |
| 6.1.6. Request Routing.............................. 74 | | 6.1.4. Processing Local Requests . . . . . . . . . . . . . 82 | |
| 6.1.7. Redirecting Requests......................... 74 | | 6.1.5. Request Forwarding . . . . . . . . . . . . . . . . . 82 | |
| 6.1.8. Relaying and Proxying Requests............... 75 | | 6.1.6. Request Routing . . . . . . . . . . . . . . . . . . 83 | |
| 6.2. Diameter Answer Processing............................ 76 | | 6.1.7. Predictive Loop Avoidance . . . . . . . . . . . . . 83 | |
| 6.2.1. Processing Received Answers.................. 77 | | 6.1.8. Redirecting requests . . . . . . . . . . . . . . . . 83 | |
| 6.2.2. Relaying and Proxying Answers................ 77 | | 6.1.9. Relaying and Proxying Requests . . . . . . . . . . . 84 | |
| 6.3. Origin-Host AVP....................................... 77 | | 6.2. Diameter Answer Processing . . . . . . . . . . . . . . . 85 | |
| 6.4. Origin-Realm AVP...................................... 78 | | 6.2.1. Processing received Answers . . . . . . . . . . . . 86 | |
| 6.5. Destination-Host AVP.................................. 78 | | 6.2.2. Relaying and Proxying Answers . . . . . . . . . . . 86 | |
| 6.6. Destination-Realm AVP................................. 78 | | 6.3. Origin-Host AVP . . . . . . . . . . . . . . . . . . . . . 86 | |
| 6.7. Routing AVPs.......................................... 78 | | 6.4. Origin-Realm AVP . . . . . . . . . . . . . . . . . . . . 87 | |
| 6.7.1. Route-Record AVP............................. 79 | | 6.5. Destination-Host AVP . . . . . . . . . . . . . . . . . . 87 | |
| 6.7.2. Proxy-Info AVP............................... 79 | | 6.6. Destination-Realm AVP . . . . . . . . . . . . . . . . . . 87 | |
| 6.7.3. Proxy-Host AVP............................... 79 | | 6.7. Routing AVPs . . . . . . . . . . . . . . . . . . . . . . 88 | |
| 6.7.4. Proxy-State AVP.............................. 79 | | 6.7.1. Route-Record AVP . . . . . . . . . . . . . . . . . . 88 | |
| 6.8. Auth-Application-Id AVP............................... 79 | | 6.7.2. Proxy-Info AVP . . . . . . . . . . . . . . . . . . . 88 | |
| 6.9. Acct-Application-Id AVP............................... 79 | | 6.7.3. Proxy-Host AVP . . . . . . . . . . . . . . . . . . . 88 | |
| 6.10. Inband-Security-Id AVP................................ 79 | | 6.7.4. Proxy-State AVP . . . . . . . . . . . . . . . . . . 88 | |
| 6.11. Vendor-Specific-Application-Id AVP.................... 80 | | 6.8. Auth-Application-Id AVP . . . . . . . . . . . . . . . . . 88 | |
| 6.12. Redirect-Host AVP..................................... 80 | | 6.9. Acct-Application-Id AVP . . . . . . . . . . . . . . . . . 89 | |
| 6.13. Redirect-Host-Usage AVP............................... 80 | | 6.10. Inband-Security-Id AVP . . . . . . . . . . . . . . . . . 89 | |
| 6.14. Redirect-Max-Cache-Time AVP........................... 81 | | 6.11. Vendor-Specific-Application-Id AVP . . . . . . . . . . . 89 | |
| 6.15. E2E-Sequence AVP...................................... 82 | | 6.12. Redirect-Host AVP . . . . . . . . . . . . . . . . . . . . 90 | |
| 7. Error Handling............................................... 82 | | 6.13. Redirect-Host-Usage AVP . . . . . . . . . . . . . . . . . 90 | |
| 7.1. Result-Code AVP....................................... 84 | | 6.14. Redirect-Max-Cache-Time AVP . . . . . . . . . . . . . . . 91 | |
| 7.1.1. Informational................................ 84 | | 6.15. E2E-Sequence AVP . . . . . . . . . . . . . . . . . . . . 91 | |
| 7.1.2. Success...................................... 84 | | 7. Error Handling . . . . . . . . . . . . . . . . . . . . . . . 93 | |
| 7.1.3. Protocol Errors.............................. 85 | | 7.1. Result-Code AVP . . . . . . . . . . . . . . . . . . . . . 95 | |
| 7.1.4. Transient Failures........................... 86 | | 7.1.1. Informational . . . . . . . . . . . . . . . . . . . 95 | |
| 7.1.5. Permanent Failures........................... 86 | | 7.1.2. Success . . . . . . . . . . . . . . . . . . . . . . 96 | |
| 7.2. Error Bit............................................. 88 | | 7.1.3. Protocol Errors . . . . . . . . . . . . . . . . . . 96 | |
| 7.3. Error-Message AVP..................................... 89 | | 7.1.4. Transient Failures . . . . . . . . . . . . . . . . . 97 | |
| 7.4. Error-Reporting-Host AVP.............................. 89 | | 7.1.5. Permanent Failures . . . . . . . . . . . . . . . . . 98 | |
| 7.5. Failed-AVP AVP........................................ 89 | | 7.2. Error Bit . . . . . . . . . . . . . . . . . . . . . . . . 101 | |
| 7.6. Experimental-Result AVP............................... 90 | | 7.3. Error-Message AVP . . . . . . . . . . . . . . . . . . . . 101 | |
| 7.7. Experimental-Result-Code AVP.......................... 90 | | 7.4. Error-Reporting-Host AVP . . . . . . . . . . . . . . . . 102 | |
| 8. Diameter User Sessions....................................... 90 | | 7.5. Failed-AVP AVP . . . . . . . . . . . . . . . . . . . . . 102 | |
| 8.1. Authorization Session State Machine................... 92 | | 7.6. Experimental-Result AVP . . . . . . . . . . . . . . . . . 103 | |
| 8.2. Accounting Session State Machine...................... 96 | | 7.7. Experimental-Result-Code AVP . . . . . . . . . . . . . . 103 | |
| 8.3. Server-Initiated Re-Auth.............................. 101 | | 8. Diameter User Sessions . . . . . . . . . . . . . . . . . . . 104 | |
| 8.3.1. Re-Auth-Request.............................. 102 | | 8.1. Authorization Session State Machine . . . . . . . . . . . 105 | |
| 8.3.2. Re-Auth-Answer............................... 102 | | 8.2. Accounting Session State Machine . . . . . . . . . . . . 109 | |
| 8.4. Session Termination................................... 103 | | 8.3. Server-Initiated Re-Auth . . . . . . . . . . . . . . . . 115 | |
| 8.4.1. Session-Termination-Request.................. 104 | | 8.3.1. Re-Auth-Request . . . . . . . . . . . . . . . . . . 115 | |
| 8.4.2. Session-Termination-Answer................... 105 | | 8.3.2. Re-Auth-Answer . . . . . . . . . . . . . . . . . . . 116 | |
| 8.5. Aborting a Session.................................... 105 | | 8.4. Session Termination . . . . . . . . . . . . . . . . . . . 117 | |
| 8.5.1. Abort-Session-Request........................ 106 | | 8.4.1. Session-Termination-Request . . . . . . . . . . . . 118 | |
| 8.5.2. Abort-Session-Answer......................... 106 | | 8.4.2. Session-Termination-Answer . . . . . . . . . . . . . 118 | |
| 8.6. Inferring Session Termination from Origin-State-Id.... 107 | | 8.5. Aborting a Session . . . . . . . . . . . . . . . . . . . 119 | |
| 8.7. Auth-Request-Type AVP................................. 108 | | 8.5.1. Abort-Session-Request . . . . . . . . . . . . . . . 120 | |
| 8.8. Session-Id AVP........................................ 108 | | 8.5.2. Abort-Session-Answer . . . . . . . . . . . . . . . . 120 | |
| 8.9. Authorization-Lifetime AVP............................ 109 | | 8.6. Inferring Session Termination from Origin-State-Id . . . 121 | |
| 8.10. Auth-Grace-Period AVP................................. 110 | | 8.7. Auth-Request-Type AVP . . . . . . . . . . . . . . . . . . 122 | |
| 8.11. Auth-Session-State AVP................................ 110 | | 8.8. Session-Id AVP . . . . . . . . . . . . . . . . . . . . . 122 | |
| 8.12. Re-Auth-Request-Type AVP.............................. 110 | | 8.9. Authorization-Lifetime AVP . . . . . . . . . . . . . . . 123 | |
| 8.13. Session-Timeout AVP................................... 111 | | 8.10. Auth-Grace-Period AVP . . . . . . . . . . . . . . . . . . 124 | |
| 8.14. User-Name AVP......................................... 111 | | 8.11. Auth-Session-State AVP . . . . . . . . . . . . . . . . . 124 | |
| 8.15. Termination-Cause AVP................................. 111 | | 8.12. Re-Auth-Request-Type AVP . . . . . . . . . . . . . . . . 125 | |
| 8.16. Origin-State-Id AVP................................... 112 | | 8.13. Session-Timeout AVP . . . . . . . . . . . . . . . . . . . 125 | |
| 8.17. Session-Binding AVP................................... 113 | | 8.14. User-Name AVP . . . . . . . . . . . . . . . . . . . . . . 126 | |
| 8.18. Session-Server-Failover AVP........................... 113 | | 8.15. Termination-Cause AVP . . . . . . . . . . . . . . . . . . 126 | |
| 8.19. Multi-Round-Time-Out AVP.............................. 114 | | 8.16. Origin-State-Id AVP . . . . . . . . . . . . . . . . . . . 127 | |
| 8.20. Class AVP............................................. 114 | | 8.17. Session-Binding AVP . . . . . . . . . . . . . . . . . . . 128 | |
| 8.21. Event-Timestamp AVP................................... 115 | | 8.18. Session-Server-Failover AVP . . . . . . . . . . . . . . . 128 | |
| 9. Accounting................................................... 115 | | 8.19. Multi-Round-Time-Out AVP . . . . . . . . . . . . . . . . 129 | |
| 9.1. Server Directed Model................................. 115 | | 8.20. Class AVP . . . . . . . . . . . . . . . . . . . . . . . . 129 | |
| 9.2. Protocol Messages..................................... 116 | | 8.21. Event-Timestamp AVP . . . . . . . . . . . . . . . . . . . 130 | |
| 9.3. Application Document Requirements..................... 116 | | 9. Accounting . . . . . . . . . . . . . . . . . . . . . . . . . 131 | |
| 9.4. Fault Resilience...................................... 116 | | 9.1. Server Directed Model . . . . . . . . . . . . . . . . . . 131 | |
| 9.5. Accounting Records.................................... 117 | | 9.2. Protocol Messages . . . . . . . . . . . . . . . . . . . . 132 | |
| 9.6. Correlation of Accounting Records..................... 118 | | 9.3. Application document requirements . . . . . . . . . . . . 132 | |
| 9.7. Accounting Command-Codes.............................. 119 | | 9.4. Fault Resilience . . . . . . . . . . . . . . . . . . . . 132 | |
| 9.7.1. Accounting-Request........................... 119 | | 9.5. Accounting Records . . . . . . . . . . . . . . . . . . . 133 | |
| 9.7.2. Accounting-Answer............................ 120 | | 9.6. Correlation of Accounting Records . . . . . . . . . . . . 134 | |
| 9.8. Accounting AVPs....................................... 121 | | 9.7. Accounting Command-Codes . . . . . . . . . . . . . . . . 135 | |
| 9.8.1. Accounting-Record-Type AVP................... 121 | | 9.7.1. Accounting-Request . . . . . . . . . . . . . . . . . 135 | |
| 9.8.2. Acct-Interim-Interval AVP.................... 122 | | 9.7.2. Accounting-Answer . . . . . . . . . . . . . . . . . 136 | |
| 9.8.3. Accounting-Record-Number AVP................. 123 | | 9.8. Accounting AVPs . . . . . . . . . . . . . . . . . . . . . 137 | |
| 9.8.4. Acct-Session-Id AVP.......................... 123 | | 9.8.1. Accounting-Record-Type AVP . . . . . . . . . . . . . 137 | |
| 9.8.5. Acct-Multi-Session-Id AVP.................... 123 | | 9.8.2. Acct-Interim-Interval . . . . . . . . . . . . . . . 138 | |
| 9.8.6. Accounting-Sub-Session-Id AVP................ 123 | | 9.8.3. Accounting-Record-Number AVP . . . . . . . . . . . . 138 | |
| 9.8.7. Accounting-Realtime-Required AVP............. 123 | | 9.8.4. Acct-Session-Id AVP . . . . . . . . . . . . . . . . 139 | |
| 10. AVP Occurrence Table......................................... 124 | | 9.8.5. Acct-Multi-Session-Id AVP . . . . . . . . . . . . . 139 | |
| 10.1. Base Protocol Command AVP Table....................... 124 | | 9.8.6. Accounting-Sub-Session-Id AVP . . . . . . . . . . . 139 | |
| 10.2. Accounting AVP Table.................................. 126 | | 9.8.7. Accounting-Realtime-Required AVP . . . . . . . . . . 139 | |
| 11. IANA Considerations.......................................... 127 | | 10. AVP Occurrence Table . . . . . . . . . . . . . . . . . . . . 141 | |
| 11.1. AVP Header............................................ 127 | | 10.1. Base Protocol Command AVP Table . . . . . . . . . . . . . 141 | |
| 11.1.1. AVP Code..................................... 127 | | 10.2. Accounting AVP Table . . . . . . . . . . . . . . . . . . 142 | |
| 11.1.2. AVP Flags.................................... 128 | | 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 144 | |
| 11.2. Diameter Header....................................... 128 | | 11.1. AVP Header . . . . . . . . . . . . . . . . . . . . . . . 144 | |
| 11.2.1. Command Codes................................ 128 | | 11.1.1. AVP Codes . . . . . . . . . . . . . . . . . . . . . 144 | |
| 11.2.2. Command Flags................................ 129 | | 11.1.2. AVP Flags . . . . . . . . . . . . . . . . . . . . . 145 | |
| 11.3. Application Identifiers............................... 129 | | 11.2. Diameter Header . . . . . . . . . . . . . . . . . . . . . 145 | |
| 11.4. AVP Values............................................ 129 | | 11.2.1. Command Codes . . . . . . . . . . . . . . . . . . . 145 | |
| 11.4.1. Result-Code AVP Values....................... 129 | | 11.2.2. Command Flags . . . . . . . . . . . . . . . . . . . 146 | |
| 11.4.2. Accounting-Record-Type AVP Values............ 130 | | 11.3. Application Identifiers . . . . . . . . . . . . . . . . . 146 | |
| 11.4.3. Termination-Cause AVP Values................. 130 | | 11.4. AVP Values . . . . . . . . . . . . . . . . . . . . . . . 146 | |
| 11.4.4. Redirect-Host-Usage AVP Values............... 130 | | 11.4.1. Result-Code AVP Values . . . . . . . . . . . . . . . 147 | |
| 11.4.5. Session-Server-Failover AVP Values........... 130 | | 11.4.2. Accounting-Record-Type AVP Values . . . . . . . . . 147 | |
| 11.4.6. Session-Binding AVP Values................... 130 | | 11.4.3. Termination-Cause AVP Values . . . . . . . . . . . . 147 | |
| 11.4.7. Disconnect-Cause AVP Values.................. 130 | | 11.4.4. Redirect-Host-Usage AVP Values . . . . . . . . . . . 147 | |
| 11.4.8. Auth-Request-Type AVP Values................. 130 | | 11.4.5. Session-Server-Failover AVP Values . . . . . . . . . 147 | |
| 11.4.9. Auth-Session-State AVP Values................ 130 | | 11.4.6. Session-Binding AVP Values . . . . . . . . . . . . . 147 | |
| 11.4.10. Re-Auth-Request-Type AVP Values.............. 131 | | 11.4.7. Disconnect-Cause AVP Values . . . . . . . . . . . . 147 | |
| 11.4.11. Accounting-Realtime-Required AVP Values...... 131 | | 11.4.8. Auth-Request-Type AVP Values . . . . . . . . . . . . 147 | |
| 11.5. Diameter TCP/SCTP Port Numbers........................ 131 | | 11.4.9. Auth-Session-State AVP Values . . . . . . . . . . . 148 | |
| 11.6. NAPTR Service Fields.................................. 131 | | 11.4.10. Re-Auth-Request-Type AVP Values . . . . . . . . . . 148 | |
| 12. Diameter Protocol Related Configurable Parameters............ 131 | | 11.4.11. Accounting-Realtime-Required AVP Values . . . . . . 148 | |
| 13. Security Considerations...................................... 132 | | 11.4.12. Inband-Security-Id AVP (code 299) . . . . . . . . . 148 | |
| 13.1. IPsec Usage........................................... 133 | | 11.5. Diameter TCP/SCTP Port Numbers . . . . . . . . . . . . . 148 | |
| 13.2. TLS Usage............................................. 134 | | 11.6. NAPTR Service Fields . . . . . . . . . . . . . . . . . . 148 | |
| 13.3. Peer-to-Peer Considerations........................... 134 | | 12. Diameter protocol related configurable parameters . . . . . . 150 | |
| 14. References................................................... 136 | | 13. Security Considerations . . . . . . . . . . . . . . . . . . . 151 | |
| 14.1. Normative References.................................. 136 | | 13.1. IPsec Usage . . . . . . . . . . . . . . . . . . . . . . . 151 | |
| 14.2. Informative References................................ 138 | | 13.2. TLS Usage . . . . . . . . . . . . . . . . . . . . . . . . 152 | |
| 15. Acknowledgements............................................. 140 | | 13.3. Peer-to-Peer Considerations . . . . . . . . . . . . . . . 153 | |
| Appendix A. Diameter Service Template........................... 141 | | 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 155 | |
| Appendix B. NAPTR Example....................................... 142 | | 14.1. Normative References . . . . . . . . . . . . . . . . . . 155 | |
| Appendix C. Duplicate Detection................................. 143 | | 14.2. Informational References . . . . . . . . . . . . . . . . 157 | |
| Appendix D. Intellectual Property Statement..................... 145 | | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 160 | |
| Authors' Addresses............................................... 146 | | Appendix B. Diameter Service Template . . . . . . . . . . . . . 161 | |
| Full Copyright Statement......................................... 147 | | Appendix C. NAPTR Example . . . . . . . . . . . . . . . . . . . 163 | |
| | | Appendix D. Duplicate Detection . . . . . . . . . . . . . . . . 164 | |
| | | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 166 | |
| | | Intellectual Property and Copyright Statements . . . . . . . . . 167 | |
| | | | |
| 1. Introduction | | 1. Introduction | |
| | | | |
| Authentication, Authorization and Accounting (AAA) protocols such as | | Authentication, Authorization and Accounting (AAA) protocols such as | |
| TACACS [TACACS] and RADIUS [RADIUS] were initially deployed to | | TACACS [RFC1492] and RADIUS [RFC2865] were initially deployed to | |
| provide dial-up PPP [PPP] and terminal server access. Over time, | | provide dial-up PPP [RFC1661] and terminal server access. Over time, | |
| with the growth of the Internet and the introduction of new access | | with the growth of the Internet and the introduction of new access | |
| technologies, including wireless, DSL, Mobile IP and Ethernet, | | technologies, including wireless, DSL, Mobile IP and Ethernet, | |
| routers and network access servers (NAS) have increased in complexity | | routers and network access servers (NAS) have increased in complexity | |
| and density, putting new demands on AAA protocols. | | and density, putting new demands on AAA protocols. | |
| | | | |
| Network access requirements for AAA protocols are summarized in | | Network access requirements for AAA protocols are summarized in | |
| [AAAREQ]. These include: | | [RFC2989]. These include: | |
| | | | |
| Failover | | Failover | |
| [RADIUS] does not define failover mechanisms, and as a result, | | | |
| | | [RFC2865] does not define failover mechanisms, and as a result, | |
| failover behavior differs between implementations. In order to | | failover behavior differs between implementations. In order to | |
| provide well defined failover behavior, Diameter supports | | provide well defined failover behavior, Diameter supports | |
| application-layer acknowledgements, and defines failover | | application-layer acknowledgements, and defines failover | |
| algorithms and the associated state machine. This is described in | | algorithms and the associated state machine. This is described in | |
|
| Section 5.5 and [AAATRANS]. | | Section 5.5 and [RFC3539]. | |
| | | | |
| Transmission-level security | | Transmission-level security | |
|
| [RADIUS] defines an application-layer authentication and integrity | | | |
| scheme that is required only for use with Response packets. While | | [RFC2865] defines an application-layer authentication and | |
| [RADEXT] defines an additional authentication and integrity | | integrity scheme that is required only for use with Response | |
| mechanism, use is only required during Extensible Authentication | | packets. While [RFC2869] defines an additional authentication and | |
| Protocol (EAP) sessions. While attribute-hiding is supported, | | integrity mechanism, use is only required during Extensible | |
| [RADIUS] does not provide support for per-packet confidentiality. | | Authentication Protocol (EAP) sessions. While attribute-hiding is | |
| In accounting, [RADACCT] assumes that replay protection is | | supported, [RFC2865] does not provide support for per-packet | |
| provided by the backend billing server, rather than within the | | confidentiality. In accounting, [RFC2866] assumes that replay | |
| protocol itself. | | protection is provided by the backend billing server, rather than | |
| | | within the protocol itself. | |
| | | | |
| While [RFC3162] defines the use of IPsec with RADIUS, support for | | While [RFC3162] defines the use of IPsec with RADIUS, support for | |
|
| IPsec is not required. Since within [IKE] authentication occurs | | IPsec is not required. Since within [RFC2409] authentication | |
| only within Phase 1 prior to the establishment of IPsec SAs in | | occurs only within Phase 1 prior to the establishment of IPsec SAs | |
| Phase 2, it is typically not possible to define separate trust or | | in Phase 2, it is typically not possible to define separate trust | |
| authorization schemes for each application. This limits the | | or authorization schemes for each application. This limits the | |
| usefulness of IPsec in inter-domain AAA applications (such as | | usefulness of IPsec in inter-domain AAA applications (such as | |
| roaming) where it may be desirable to define a distinct | | roaming) where it may be desirable to define a distinct | |
| certificate hierarchy for use in a AAA deployment. In order to | | certificate hierarchy for use in a AAA deployment. In order to | |
| provide universal support for transmission-level security, and | | provide universal support for transmission-level security, and | |
| enable both intra- and inter-domain AAA deployments, IPsec support | | enable both intra- and inter-domain AAA deployments, IPsec support | |
| is mandatory in Diameter, and TLS support is optional. Security | | is mandatory in Diameter, and TLS support is optional. Security | |
| is discussed in Section 13. | | is discussed in Section 13. | |
| | | | |
| Reliable transport | | Reliable transport | |
|
| | | | |
| RADIUS runs over UDP, and does not define retransmission behavior; | | RADIUS runs over UDP, and does not define retransmission behavior; | |
| as a result, reliability varies between implementations. As | | as a result, reliability varies between implementations. As | |
|
| described in [ACCMGMT], this is a major issue in accounting, where | | described in [RFC2975], this is a major issue in accounting, where | |
| packet loss may translate directly into revenue loss. In order to | | packet loss may translate directly into revenue loss. In order to | |
| provide well defined transport behavior, Diameter runs over | | provide well defined transport behavior, Diameter runs over | |
|
| reliable transport mechanisms (TCP, SCTP) as defined in | | reliable transport mechanisms (TCP, SCTP) as defined in [RFC3539]. | |
| [AAATRANS]. | | | |
| | | | |
| Agent support | | Agent support | |
|
| [RADIUS] does not provide for explicit support for agents, | | | |
| | | [RFC2865] does not provide for explicit support for agents, | |
| including Proxies, Redirects and Relays. Since the expected | | including Proxies, Redirects and Relays. Since the expected | |
| behavior is not defined, it varies between implementations. | | behavior is not defined, it varies between implementations. | |
| Diameter defines agent behavior explicitly; this is described in | | Diameter defines agent behavior explicitly; this is described in | |
| Section 2.8. | | Section 2.8. | |
| | | | |
| Server-initiated messages | | Server-initiated messages | |
|
| While RADIUS server-initiated messages are defined in [DYNAUTH], | | | |
| | | While RADIUS server-initiated messages are defined in [RFC3576], | |
| support is optional. This makes it difficult to implement | | support is optional. This makes it difficult to implement | |
|
| features such as unsolicited disconnect or | | features such as unsolicited disconnect or reauthentication/ | |
| reauthentication/reauthorization on demand across a heterogeneous | | reauthorization on demand across a heterogeneous deployment. | |
| deployment. Support for server-initiated messages is mandatory in | | Support for server-initiated messages is mandatory in Diameter, | |
| Diameter, and is described in Section 8. | | and is described in Section 8. | |
| | | | |
| Auditability | | Auditability | |
|
| | | | |
| RADIUS does not define data-object security mechanisms, and as a | | RADIUS does not define data-object security mechanisms, and as a | |
| result, untrusted proxies may modify attributes or even packet | | result, untrusted proxies may modify attributes or even packet | |
| headers without being detected. Combined with lack of support for | | headers without being detected. Combined with lack of support for | |
| capabilities negotiation, this makes it very difficult to | | capabilities negotiation, this makes it very difficult to | |
| determine what occurred in the event of a dispute. While | | determine what occurred in the event of a dispute. While | |
| implementation of data object security is not mandatory within | | implementation of data object security is not mandatory within | |
| Diameter, these capabilities are supported, and are described in | | Diameter, these capabilities are supported, and are described in | |
| [AAACMS]. | | [AAACMS]. | |
| | | | |
| Transition support | | Transition support | |
| | | | |
|
| | | | |
| While Diameter does not share a common protocol data unit (PDU) | | While Diameter does not share a common protocol data unit (PDU) | |
| with RADIUS, considerable effort has been expended in enabling | | with RADIUS, considerable effort has been expended in enabling | |
| backward compatibility with RADIUS, so that the two protocols may | | backward compatibility with RADIUS, so that the two protocols may | |
| be deployed in the same network. Initially, it is expected that | | be deployed in the same network. Initially, it is expected that | |
| Diameter will be deployed within new network devices, as well as | | Diameter will be deployed within new network devices, as well as | |
| within gateways enabling communication between legacy RADIUS | | within gateways enabling communication between legacy RADIUS | |
| devices and Diameter agents. This capability, described in | | devices and Diameter agents. This capability, described in | |
|
| [NASREQ], enables Diameter support to be added to legacy networks, | | [RFC4005], enables Diameter support to be added to legacy | |
| by addition of a gateway or server speaking both RADIUS and | | networks, by addition of a gateway or server speaking both RADIUS | |
| Diameter. | | and Diameter. | |
| | | | |
| In addition to addressing the above requirements, Diameter also | | In addition to addressing the above requirements, Diameter also | |
| provides support for the following: | | provides support for the following: | |
| | | | |
| Capability negotiation | | Capability negotiation | |
|
| | | | |
| RADIUS does not support error messages, capability negotiation, or | | RADIUS does not support error messages, capability negotiation, or | |
| a mandatory/non-mandatory flag for attributes. Since RADIUS | | a mandatory/non-mandatory flag for attributes. Since RADIUS | |
| clients and servers are not aware of each other's capabilities, | | clients and servers are not aware of each other's capabilities, | |
| they may not be able to successfully negotiate a mutually | | they may not be able to successfully negotiate a mutually | |
| acceptable service, or in some cases, even be aware of what | | acceptable service, or in some cases, even be aware of what | |
| service has been implemented. Diameter includes support for error | | service has been implemented. Diameter includes support for error | |
| handling (Section 7), capability negotiation (Section 5.3), and | | handling (Section 7), capability negotiation (Section 5.3), and | |
| mandatory/non-mandatory attribute-value pairs (AVPs) (Section | | mandatory/non-mandatory attribute-value pairs (AVPs) (Section | |
| 4.1). | | 4.1). | |
| | | | |
| Peer discovery and configuration | | Peer discovery and configuration | |
|
| | | | |
| RADIUS implementations typically require that the name or address | | RADIUS implementations typically require that the name or address | |
| of servers or clients be manually configured, along with the | | of servers or clients be manually configured, along with the | |
| corresponding shared secrets. This results in a large | | corresponding shared secrets. This results in a large | |
| administrative burden, and creates the temptation to reuse the | | administrative burden, and creates the temptation to reuse the | |
| RADIUS shared secret, which can result in major security | | RADIUS shared secret, which can result in major security | |
| vulnerabilities if the Request Authenticator is not globally and | | vulnerabilities if the Request Authenticator is not globally and | |
|
| temporally unique as required in [RADIUS]. Through DNS, Diameter | | temporally unique as required in [RFC2865]. Through DNS, Diameter | |
| enables dynamic discovery of peers. Derivation of dynamic session | | enables dynamic discovery of peers. Derivation of dynamic session | |
| keys is enabled via transmission-level security. | | keys is enabled via transmission-level security. | |
| | | | |
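The shared-secret concern described above, as an added example that is not part of either RFC text: a defender-side audit in Python that parses the RFC 2865 packet header and flags any Request Authenticator value that appears in more than one Access-Request, since RADIUS derives its attribute hiding from the shared secret and that authenticator, so a repeated value is exactly the condition the paragraph warns about. The NAS names and packet bytes are constructed for the example.

```python
import struct
from collections import defaultdict

# RADIUS packet header, RFC 2865 section 3:
# Code (1 byte) | Identifier (1 byte) | Length (2 bytes) | Authenticator (16 bytes)
HEADER = struct.Struct("!BBH16s")
ACCESS_REQUEST = 1

def parse_header(packet: bytes):
    """Return (code, identifier, length, authenticator); reject malformed packets."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(packet)
    # RFC 2865: octets beyond Length are padding; a Length larger than the
    # received data or smaller than the header means the packet is invalid.
    if length < HEADER.size or length > len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    return code, ident, length, auth

def find_reused_authenticators(packets):
    """Map each Request Authenticator seen in more than one Access-Request to the
    (client, identifier) pairs that used it. Any entry violates the RFC 2865
    uniqueness requirement; the risk is highest when those clients also share
    one RADIUS secret."""
    seen = defaultdict(list)
    for client, raw in packets:
        code, ident, _length, auth = parse_header(raw)
        if code != ACCESS_REQUEST:
            continue
        seen[auth].append((client, ident))
    return {auth.hex(): uses for auth, uses in seen.items() if len(uses) > 1}

def make_request(ident: int, authenticator: bytes) -> bytes:
    """Build a header-only Access-Request for the constructed sample below."""
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size, authenticator)

# Constructed sample traffic (not a real capture): nas-a repeats its Request
# Authenticator on a second request, nas-b generates a fresh one each time.
SAMPLE = [
    ("nas-a", make_request(1, bytes(range(16)))),
    ("nas-a", make_request(2, bytes(range(16)))),
    ("nas-b", make_request(1, bytes(range(16, 32)))),
    ("nas-b", make_request(2, bytes(range(32, 48)))),
]

if __name__ == "__main__":
    for auth_hex, uses in find_reused_authenticators(SAMPLE).items():
        print(f"Request Authenticator {auth_hex} reused by {uses}")
```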
| Roaming support | | Roaming support | |
|
| | | | |
| The ROAMOPS WG provided a survey of roaming implementations | | The ROAMOPS WG provided a survey of roaming implementations | |
|
| [ROAMREV], detailed roaming requirements [ROAMCRIT], defined the | | [RFC2194], detailed roaming requirements [RFC2477], defined the | |
| Network Access Identifier (NAI) [NAI], and documented existing | | Network Access Identifier (NAI) [RFC4282], and documented existing | |
| implementations (and limitations) of RADIUS-based roaming | | implementations (and limitations) of RADIUS-based roaming | |
|
| [PROXYCHAIN]. In order to improve scalability, [PROXYCHAIN] | | [RFC2607]. In order to improve scalability, [RFC2607] introduced | |
| introduced the concept of proxy chaining via an intermediate | | the concept of proxy chaining via an intermediate server, | |
| server, facilitating roaming between providers. However, since | | facilitating roaming between providers. However, since RADIUS | |
| RADIUS does not provide explicit support for proxies, and lacks | | does not provide explicit support for proxies, and lacks | |
| auditability and transmission-level security features, RADIUS- | | auditability and transmission-level security features, RADIUS- | |
| based roaming is vulnerable to attack from external parties as | | based roaming is vulnerable to attack from external parties as | |
| well as susceptible to fraud perpetrated by the roaming partners | | well as susceptible to fraud perpetrated by the roaming partners | |
| themselves. As a result, it is not suitable for wide-scale | | themselves. As a result, it is not suitable for wide-scale | |
|
| deployment on the Internet [PROXYCHAIN]. By providing explicit | | deployment on the Internet [RFC2607]. By providing explicit | |
| support for inter-domain roaming and message routing (Sections 2.7 | | support for inter-domain roaming and message routing (Sections 2.7 | |
| and 6), auditability [AAACMS], and transmission-layer security | | and 6), auditability [AAACMS], and transmission-layer security | |
| (Section 13) features, Diameter addresses these limitations and | | (Section 13) features, Diameter addresses these limitations and | |
| provides for secure and scalable roaming. | | provides for secure and scalable roaming. | |
| | | | |