diameter

最新推荐文章于 2024-08-22 10:05:52 发布

避趋之

最新推荐文章于 2024-08-22 10:05:52 发布

阅读量4.5k

点赞数

分类专栏：协议

协议专栏收录该内容

13 篇文章

订阅专栏

本文深入探讨了Diameter协议，作为计算机网络中的一种高级认证、授权和计费机制，它取代了功能有限的RADIUS协议。文章详细介绍了与RADIUS的比较、应用程序扩展、历史背景、协议描述、包格式、状态机和消息流等内容，旨在提供全面的技术指南。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

http://en.wikipedia.org/wiki/Diameter_(protocol)

Diameter (protocol)

From Wikipedia, the free encyclopedia

Internet protocol suite
Application layer
DHCP DHCPv6 DNS FTP HTTP IMAP IRC LDAP MGCP NNTP BGP NTP POP RPC RTP RTSP RIP SIP SMTP SNMP SOCKS SSH Telnet TLS/SSL XMPP more...
Transport layer
TCP UDP DCCP SCTP RSVP more...
Internet layer
IP IPv4 IPv6 OSPF ICMP ICMPv6 ECN IGMP IPsec more...
Link layer
ARP/InARP NDP Tunnels L2TP PPP Media access control Ethernet DSL ISDN FDDI more...
v t e

Diameter is an authentication, authorization, and accounting protocol for computer networks. It evolved from and replaces the much less capable RADIUS protocol that preceded it.

Diameter Applications extend the base protocol by adding new commands and/or attributes, such as those for use of the Extensible Authentication Protocol (EAP).

[hide]

Comparison with RADIUS[edit source | editbeta]

The name is a play on words, derived from the RADIUS protocol, which is the predecessor (a diameter is twice the radius). Diameter is not directly backwards compatible but provides an upgrade path for RADIUS. The main differences are the following:

Reliable transport protocols (TCP or SCTP, not UDP)----------- 客户端可以支持TCP或者SCTP；而服务端和中继必须二者都支持。
- The IETF is in the process of standardizing TCP Transport for RADIUS
Network or transport layer security (IPsec or TLS)---------- IPSec必须支持，TLS可选。
- The IETF is in the process of standardizing Transport Layer Security for RADIUS
Transition support for RADIUS, although Diameter is not fully compatible with RADIUS
Larger address space for attribute-value pairs (AVPs) and identifiers(32 bits instead of 8 bits)
Client–server protocol, with exception of supporting some server-initiated messages as well(服务器端主动发起消息，如RAR，DPR，DWR消息)
Both stateful and stateless models can be used
Dynamic discovery of peers (using DNS SRV and NAPTR)
Capability negotiation（即CER，CEA）
Supports application layer acknowledgements, defines failover methods and state machines (RFC 3539)
Error notification
Better roaming support
More easily extended; new commands and attributes can be defined
Aligned on 32-bit boundaries
Basic support for user-sessions and accounting
故障恢复就是failback；如果故障了，尝试使用另外一个，则是failover。

Applications[edit source | editbeta]

A Diameter Application is not a software application but is a protocol based on the Diameter base protocol defined in RFC 6733 (Obsoletes: RFC 3588). Each application is defined by an application identifier and can add new command codes and/or new mandatory AVPs. Adding a new optional AVP does not require a new application.

Examples of Diameter applications:

Diameter Mobile IPv4 Application (MobileIP, RFC 4004)
Diameter Network Access Server Application (NASREQ, RFC 4005)
Diameter Extensible Authentication Protocol Application (RFC 4072)
Diameter Credit-Control Application (DCCA, RFC 4006) --------------------- 用于3gpp 32.299的在线离线计费。
Diameter Session Initiation Protocol Application (RFC 4740)
Various applications in the 3GPP IP Multimedia Subsystem

Both the HSS and the SLF communicate using the Diameter protocol.

(Generic Bootstrapping Architecture): Bootstrapping Server Function

History[edit source | editbeta]

The Diameter protocol was initially developed by Pat R. Calhoun, Glen Zorn, and Ping Pan in 1998 to provide an Authentication, Authorization, and Accounting (AAA) framework that could overcome the limitations of RADIUS. RADIUS had issues with reliability, scalability, security and flexibility. RADIUS cannot effectively deal well with remote access, IP mobility, and policy control. The Diameter protocol defines a policy protocol used by clients to perform Policy, AAA, and Resource Control. This allows a single server to handle policies for many services.^[1]

Like RADIUS, Diameter provides AAA functionality but in addition it is made more reliable by using TCP and SCTP instead of UDP. The Diameter protocol is further enhanced by the development of the 3rd Generation Partnership Project (3GPP) IP Multimedia Subsystem (IMS). The Cx, Dh, Dx, Rf, Ro, and Shinterfaces are supported by Diameter applications.^[2] Through the use of extensions, the protocol was designed to be extensible to support Proxies, Brokers, Strong Security, Mobile-IP, Network Access Servers (NASREQ), Accounting, and Resource Management.

Protocol description[edit source | editbeta]

This section requires expansion. (June 2008)

The Diameter base protocol is defined by RFC 6733 (Obsoletes: RFC 3588) and defines the minimum requirements for an AAA protocol. Diameter Applications can extend the base protocol by adding new commands, attributes, or both. Diameter security is provided by IPsec or TLS.The IANA has assigned TCP and SCTP port number 3868 to Diameter.

----- TLS/TCP and Datagram Transport Layer Security，DTLS/SCTP缺省使用5658，为了兼容rfc3588，也可以支持3868。

Packet format[edit source | editbeta]

The packet consists of a Diameter header and a variable number of Attribute-Value Pairs, or AVPs, for encapsulating information relevant to the Diameter message.

Diameter Header
Bit offset	`0`	`1`	`2`	`3`	`8`
0	version				message length
32	`R`	`P`	`E`	`T`	command code
64	application ID ------ Diameter common message(0),NASreq(1),MOBILE-IP（2），diameter base accounting（3）；DCCA(4) 即使在同一个应用中的不同报文中此字段也可能不同，需要参考对应的RFC文档。举例： NASreq：在CER，CEA，AA-Request (AAR)，AA-Answer (AAA)中都是1。其他消息都是0。??? DCCA：在CER，CEA，CCR，CCA，RAR，RAA中都是4。??? 。。。。 The Gx application is defined as a vendorspecific Diameter application, where the vendor is 3GPP and the Application-IDfor the Gx Application in the present release is 16777238. The vendoridentifier assigned by IANA to 3GPP (http://www.iana.org/assignments/enterprise-numbers)is 10415. The application can be an authentication application, an accounting application, or a vendor-specific application. The value of the Application-ID field in the header MUST be the same as any relevant Application-Id AVPs contained in the message. 此值必须和AVP里面的Application-Id相同。
96	hop-by-hop ID 逐跳标识用于判断请求与应答的对应关系，尽可能保证重启后仍然唯一。不认识此值的应答消息要丢弃。为了支持failover，需要缓存所有没有应答的消息；当收到应答消息，通过hop-by-hop ID找到并删除缓存的请求消息。
128	end-to-end ID 端到端标识主要用于重复消息的检查网络字节序；高12位为当前时间的低12位；低20位为随机值；要求保证至少4min只能本地唯一；和 Origin-Host AVP结合起来检查重复消息；因为出现failover，所以会重复发送消息，带T标记，需要对端检查重复。
160 ...	AVPs ...

The "R" (Request) bit – If set, the message is a request. If cleared, the message is an answer.

The "P" (Proxiable) bit – If set, the message MAY be proxied, relayed or redirected. If cleared, the message MUST be locally processed.

The "E" (Error) bit – If set, the message contains a protocol error, and the message will not conform to the ABNF described for this command. Messages with the "E" bit set are commonly referred to as error messages. This bit MUST NOT be set in request messages.

The "T" (Potentially re-transmitted message) bit – This flag is set after a link failover procedure, to aid the removal of duplicate requests. It is set when resending requests not yet acknowledged as an indication of a possible duplicate due to a link failure.一定不能出现在应答消息里。

Commands[edit source | editbeta]

Each command is assigned a command code, which is used for both Requests and Answers.

The values 0-255 are reserved for RADIUS backward compatibility. The values 256-16777213 are for permanent, standard commands allocated by IANA. The values 16777214 and 16777215 (hex 0xFFFFFE and 0xFFFFFF) are reserved for experimental and testing purposes.

Some common Diameter commands are:

Command-Name	Abbr.	Code
AA-Request	AAR	265
AA-Answer	AAA	265
Diameter-EAP-Request	DER	268
Diameter-EAP-Answer	DEA	268
Abort-Session-Request，必须包含< Session-Id >字段，和DPR不是一个级别的。	ASR	274
Abort-Session-Answer	ASA	274
Accounting-Request	ACR	271
Accounting-Answer	ACA	271
Credit-Control-Request，必须包含< Session-Id >字段	CCR	272
Credit-Control-Answer	CCA	272
Capabilities-Exchange-Request	CER	257
Capabilities-Exchange-Answer	CEA	257
Device-Watchdog-Request	DWR	280
Device-Watchdog-Answer	DWA	280
Disconnect-Peer-Request	DPR	282
Disconnect-Peer-Answer	DPA	282
Re-Auth-Request，必须包含< Session-Id >字段	RAR	258
Re-Auth-Answer	RAA	258
Session-Termination-Request	STR	275
Session-Termination-Answer	STA	275
User-Authorization-Request	UAR	300
User-Authorization-Answer	UAA	300
Server-Assignment-Request	SAR	301
Server-Assignment-Answer	SAA	301
Location-Info-Request	LIR	302
Location-Info-Answer	LIA	302
Multimedia-Auth-Request	MAR	303
Multimedia-Auth-Answer	MAA	303
Registration-Termination-Request	RTR	304
Registration-Termination-Answer	RTA	304
Push-Profile-Request	PPR	305
Push-Profile-Answer	PPA	305
User-Data-Request	UDR	306
User-Data-Answer	UDA	306
Profile-Update-Request	PUR	307
Profile-Update-Answer	PUA	307
Subscribe-Notifications-Request	SNR	308
Subscribe-Notifications-Answer	SNA	308
Push-Notification-Request	PNR	309
Push-Notification-Answer	PNA	309
Bootstrapping-Info-Request	BIR	310
Bootstrapping-Info-Answer	BIA	310
Message-Process-Request	MPR	311
Message-Process-Answer	MPA	311
Update-Location-Request	ULR	316
Update-Location-Answer	ULA	316
Authentication-Information-Request	AIR	318
Authentication-Information-Answer	AIA	318
Notify-Request	NR	323
Notify-Answer	NA	323

This section requires expansion.(December 2009)

Attribute-Value Pairs (AVP)[edit source | editbeta]

AVP Header
Bit offset	`0`	`1`	`2`	`8`
0	AVP code-----32位长度，而radius只有255个。
32	`V`	`M`	`P`	AVP length
64	vendor ID (optional)
96 ...	data ...

For simplicity, "V" bit Means Vendor Specific; "M" bit means Mandatory;"P" bit means Protected.

The "V" bit, known as the Vendor-Specific bit, indicates whether the optional Vendor-ID field is present in the AVP header. When set the AVP Code belongs to the specific vendor code address space.

The "M" bit, known as the Mandatory bit, indicates whether support of the AVP is required. If an AVP with the "M" bit set is received by a Diameter client, server, proxy, or translation agent and either the AVP or its value is unrecognized, the message MUST be rejected. Diameter Relay and redirect agents MUST NOT reject messages with unrecognized AVPs.

The "P" bit indicates the need for encryption for end-to-end security.

Attribute-Name	Code	Data Type
Acct-Interim-Interval	85	Unsigned32
Accounting-Realtime-Required	483	Enumerated
Acct-Multi-Session-Id	50	UTF8String
Accounting-Record-Number	485	Unsigned32
Accounting-Record-Type	480	Enumerated
Accounting-Session-Id	44	OctetString
Accounting-Sub-Session-Id	287	Unsigned64
Acct-Application-Id	259	Unsigned32
Auth-Application-Id	258	Unsigned32
Auth-Request-Type	274	Enumerated
Authorization-Lifetime	291	Unsigned32
Auth-Grace-Period	276	Unsigned32
Auth-Session-State	277	Enumerated
Re-Auth-Request-Type	285	Enumerated
Class	25	OctetString
Destination-Host	293	DiamIdent
Destination-Realm	283	DiamIdent
Disconnect-Cause	273	Enumerated
E2E-Sequence	300	Grouped
Error-Message	281	UTF8String
Error-Reporting-Host	294	DiamIdent
Event-Timestamp	55	Time
Experimental-Result	297	Grouped
Experimental-Result-Code	298	Unsigned32
Failed-AVP	279	Grouped
Firmware-Revision	267	Unsigned32
Host-IP-Address	257	Address
Inband-Security-Id	299	Unsigned32
Multi-Round-Time-Out	272	Unsigned32
Origin-Host	264	DiamIdent
Origin-Realm	296	DiamIdent
Origin-State-Id	278	Unsigned32
Product-Name	269	UTF8String
Proxy-Host	280	DiamIdent
Proxy-Info	284	Grouped
Proxy-State	33	OctetString
Redirect-Host	292	DiamURI
Redirect-Host-Usage	261	Enumerated
Redirect-Max-Cache-Time	262	Unsigned32
Result-Code	268	Unsigned32
Route-Record	282	DiamIdent
Session-Id	263	UTF8String
Session-Timeout	27	Unsigned32
Session-Binding	270	Unsigned32
Session-Server-Failover	271	Enumerated
Supported-Vendor-Id	265	Unsigned32
Termination-Cause	295	Enumerated
User-Name	1	UTF8String
Vendor-Id	266	Unsigned32
Vendor-Specific-Application-Id	260	Grouped

State machines[edit source | editbeta]

This section requires expansion.(December 2009)

The RFC 3588 defines a core state machine for maintaining connections between peers and processing messages. This is part of the basic protocol functionality and all stacks should support it and as such abstract from the connectivity related operations.

Peer State Machine Part 1
Peer State Machine Part 2

Additionally, application specific state machines can be introduced either later or at a higher abstraction layer. The RFC 3588 defines an authorization and an accounting state machine.

Diameter Authorization State Machines (Client)
Diameter Authorization State Machines (Server)
Diameter Accounting State Machines (Client)
Diameter Accounting State Machines (Server)

Message flows[edit source | editbeta]

The communication between two diameter peers starts with the establishment of a transport connection (TCP or SCTP). The initiator then sends a Capabilities-Exchange-Request (CER) to the other peer, which responds with a Capabilities-Exchange-Answer (CEA).For RFC3588 compliant peers TLS (Transport Layer Security) may optionally be negotiated. For RFC6733 compliant peers TLS negotiation may optionally happen before the CER/CEA.TLS功能是协商的。

The connection is then ready for exchanging application messages.

If no messages have been exchanged for some time either side may send a Device-Watchdog-Request (DWR) and the other peer must respond with Device-Watchdog-Answer. 如果一段时间没有消息，任何一端可以发送DWR。

Either side may terminate the communication by sending a Disconnect-Peer-Request (DPR) which the other peer must respond to with Disconnect-Peer-Answer. After that the transport connection can be disconnected. 任何一端可以主动通过DPR断开连接

RFCs[edit source | editbeta]

The Diameter protocol is currently defined in the following IETF RFCs: Obsolete RFCs are indicated with strikethrough text.

#	Title	Date published	Related article	Obsoleted by	Notes
~~RFC 3588~~	~~Diameter Base Protocol.~~	~~September 2003~~		RFC 6733
RFC 3589	Diameter Command Codes for Third Generation Partnership Project (3GPP) Release 5.	September 2003
RFC 4004	Diameter Mobile IPv4 Application.	August 2005
RFC 4005	Diameter Network Access Server Application	August 2005
RFC 4006	Diameter Credit-Control Application.	August 2005	Diameter Credit-Control Application
RFC 4072	Diameter Extensible Authentication Protocol (EAP) Application.	August 2005
RFC 4740	Diameter Session Initiation Protocol (SIP) Application. M.	November 2006
RFC 5224	Diameter Policy Processing Application.	March 2008
RFC 5431	Diameter ITU-T Rw Policy Enforcement Interface Application.	March 2009
RFC 5447	Diameter Mobile IPv6: Support for Network Access Server to Diameter Server Interaction.	February 2009
RFC 5516	Diameter Command Code Registration for the Third Generation Partnership Project (3GPP) Evolved Packet System (EPS).	April 2009			-
RFC 5624	Quality of Service Parameters for Usage with Diameter.	August 2009
RFC 6733	Diameter Base Protocol.	October 2012
RFC 6737	The Diameter Capabilities Update Application.	October 2012

 8. Diameter SIP Application Command Codes .........................22
      8.1. User-Authorization-Request (UAR) Command ..................22
      8.2. User-Authorization-Answer (UAA) Command ...................23
      8.3. Server-Assignment-Request (SAR) Command ...................27
      8.4. Server-Assignment-Answer (SAA) Command ....................29
      8.5. Location-Info-Request (LIR) Command .......................33
      8.6. Location-Info-Answer (LIA) Command ........................33
      8.7. Multimedia-Auth-Request (MAR) Command .....................35
      8.8. Multimedia-Auth-Answer (MAA) Command ......................36
      8.9. Registration-Termination-Request (RTR) Command ............39
      8.10. Registration-Termination-Answer (RTA) Command ............39
      8.11. Push-Profile-Request (PPR) Command .......................41
      8.12. Push-Profile-Answer (PPA) Command ........................42