Security Essentials of NGN Access Control



-- The Diameter protocol and its application in the SIP network environment

Xie Wei

I. Introduction

The Diameter family of protocols is a new generation of AAA (authentication, authorization and accounting) technology that is attracting more and more attention because of its strong scalability and security guarantees. International standards bodies such as the ITU, 3GPP and 3GPP2 have formally adopted Diameter as the preferred AAA protocol for future communication networks such as NGN, WCDMA and CDMA2000. Access control for users is an important part of next-generation network (NGN) security, and the application discussed in this article is an important entry point into that problem in a SIP environment.

II. Design goals of the Diameter protocol

RADIUS and TACACS have been widely deployed in many ISP and enterprise networks. In fact, both protocols were designed for small network devices that only needed to support simple server-based end users. Today, access providers deliver AAA services to thousands of concurrent end users over different access technologies (wireless, DSL, Mobile IP, Ethernet and others), and the security that RADIUS and TACACS provide for these AAA services is far from satisfactory.

The existing AAA protocols cannot keep up with the growing AAA requirements of future IP networks, particularly in the NGN era. The IETF therefore began developing a next-generation AAA protocol, Diameter, to solve these problems in the AAA service.

Diameter was designed to be an AAA protocol that fully meets the user access control requirements of current and future IP networks (including NGN and 3G). Its design requirements include:

(1) Good network adaptability and scalability;

(2) A unified, well-defined failure control and detection mechanism;

(3) Complete transport layer security guarantees (both intra-domain and inter-domain);

(4) A mechanism guaranteeing reliable data transmission;

(5) Support for various types of agents, including proxy agents, redirect agents and relay agents;

(6) Support for server-initiated messages, that is, allowing the server to actively send a message to its client;

(7) Good interoperability with existing network protocols;

(8) Support for a capability negotiation mechanism between nodes;

(9) Support for dynamic peer discovery and configuration;

(10) Support for secure and scalable roaming.

III. Characteristics and advantages of the Diameter protocol

The Diameter protocol has many excellent features that give it a great advantage over the earlier AAA protocols when deployed in real networks.

(1) To ensure that a new-generation AAA protocol can meet the needs of diverse network environments over a long period, Diameter uses a new protocol definition model: a lightweight, easy-to-implement base protocol is released first, intended to provide an AAA framework that contains the most basic requirements of the AAA function, and corresponding application extensions are then developed for different network conditions and service needs.

(2) To keep pace with the growth of IP network construction and services over a longer period, Diameter greatly improves network scalability and service scalability through a range of technical means. These include lengthening the request identifier, which Diameter calls the End-to-End Identifier field: it is 4 bytes long (2^32 values), compared with 1 byte (255 values) in RADIUS, which greatly increases the number of outstanding requests that can be supported; the number of attribute-value pairs (AVPs) is extended from 255 in RADIUS to 2^32; and Diameter supports vendor-defined commands, which RADIUS does not.
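As an added example (not from the article), the message header and AVP layout behind the fields compared above, encoded and decoded in Python following the RFC 6733 wire format: the End-to-End Identifier and the AVP code are the 32-bit fields that give Diameter its 2^32 range. The command code and application id are the standard User-Authorization and Diameter SIP application values; the identifier values and AVP contents are constructed, and the decoder rejects any length field that disagrees with the buffer, the check a Diameter node needs before trusting a peer's message.

```python
import struct

# Field layout from RFC 6733 (Diameter base) and RFC 4740 (Diameter SIP application)
FLAG_REQUEST, AVP_MANDATORY, AVP_VENDOR = 0x80, 0x40, 0x80
CMD_USER_AUTHORIZATION, APP_DIAMETER_SIP = 283, 6
AVP_USER_NAME, AVP_RESULT_CODE = 1, 268
DIAMETER_SUCCESS, DIAMETER_MULTI_ROUND_AUTH = 2001, 1001

def encode_avp(code, data, flags=AVP_MANDATORY, vendor_id=None):
    """AVP = code(4) | flags(1) | length(3) | [vendor-id(4)] | data; length excludes the 4-byte padding."""
    if vendor_id is not None:
        flags |= AVP_VENDOR
    header = struct.pack("!II", code, (flags << 24) | (len(data) + (12 if vendor_id is not None else 8)))
    if vendor_id is not None:
        header += struct.pack("!I", vendor_id)
    return header + data + b"\x00" * (-len(data) % 4)

def encode_message(cmd_code, app_id, hop_by_hop, end_to_end, avps, request=True):
    """Header = version(1) | length(3) | flags(1) | command code(3) | app id(4) | hop-by-hop(4) | end-to-end(4)."""
    body = b"".join(avps)
    flags = FLAG_REQUEST if request else 0
    header = struct.pack("!IIIII", (1 << 24) | (20 + len(body)), (flags << 24) | cmd_code,
                         app_id, hop_by_hop, end_to_end)
    return header + body

def decode_message(raw):
    """Parse a Diameter message, refusing any length field that disagrees with the buffer."""
    if len(raw) < 20:
        raise ValueError("short header")
    w0, w1, app_id, hop_by_hop, end_to_end = struct.unpack("!IIIII", raw[:20])
    version, length = w0 >> 24, w0 & 0xFFFFFF
    if version != 1 or length != len(raw):
        raise ValueError("bad version or message length")
    avps, offset = [], 20
    while offset < length:
        if length - offset < 8:
            raise ValueError("truncated AVP header")
        code, w = struct.unpack("!II", raw[offset:offset + 8])
        aflags, alen = w >> 24, w & 0xFFFFFF
        hlen = 12 if aflags & AVP_VENDOR else 8
        if alen < hlen or offset + alen > length:
            raise ValueError("AVP length out of bounds")
        vendor = struct.unpack("!I", raw[offset + 8:offset + 12])[0] if hlen == 12 else None
        avps.append((code, vendor, raw[offset + hlen:offset + alen]))
        offset += alen + (-alen % 4)          # skip the padding the length field does not count
    return {"cmd": w1 & 0xFFFFFF, "request": bool((w1 >> 24) & FLAG_REQUEST), "app": app_id,
            "hop_by_hop": hop_by_hop, "end_to_end": end_to_end, "avps": avps}
```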

To obtain more reliable transport guarantees, Diameter must run over a transport layer that provides a retransmission strategy, so that it can effectively fail over to another host when a peer is unreachable. Unlike RADIUS, Diameter requires every node on the proxy chain to acknowledge requests and answers at the transport layer. Because Diameter runs over SCTP, which provides reliable delivery, every node on the proxy chain is responsible for retransmitting unacknowledged messages; SCTP also provides flow control towards the server. Diameter has many other excellent features:

(1) A good failure-handling mechanism, supporting failover and failback;

(2) The ability to detect peer failure quickly;

(3) A better packet-loss handling mechanism: Diameter requires acknowledgement of every message;

(4) Support for server-initiated messages to clients, which can be used for special billing services such as prepaid;

(5) Integrity and confidentiality of the message body can be guaranteed;

(6) Support for end-to-end security, and support for TLS and IPsec;

(7) Authentication and authorization performed for each session, ensuring security;

(8) Backward compatibility with the RADIUS protocol.

IV. Diameter's framework structure

Diameter comprises a base protocol, a transport profile, and different application extensions such as NASREQ and Mobile IP. The basic functions shared by all applications and services are implemented in the base protocol, while application-specific functions are implemented in the individual applications.

The Diameter base protocol is intended to provide an AAA framework for use by various applications. The base protocol also defines the message format, transport, error reporting and security services that all Diameter applications and all Diameter devices must support.

Figure 1 is a schematic of the Diameter protocol structure. The transport mechanism in the figure mainly defines the problems of the Diameter transport layer and their solutions, including failure detection algorithms and state machines; the other applications, each with its own functions, must all support the base protocol. The SIP application in the figure captures the requirements for applying the Diameter protocol in the IP environment.

Figure 1: Diameter protocol framework structure

V. Overview of the Diameter Session Initiation Protocol (SIP) application

The Diameter Session Initiation Protocol (SIP) application is used together with SIP. It provides Diameter client functionality in the SIP server, and the SIP server must be able to request that the Diameter server authenticate users and authorize SIP resources.

The Diameter SIP application extension allows a Diameter client to request authentication and authorization information from a Diameter server for the Session Initiation Protocol (SIP) used in IP multimedia services. Assuming the SIP server and the Diameter client are located in the same node, the SIP server can receive and process SIP requests and responses and, based on the AAA architecture, authenticate SIP requests and authorize specific SIP services. Whether SIP is used to initiate and terminate multimedia sessions or for non-session-related applications, the Diameter SIP application extension provides the Diameter procedures for the specific functions.

The Diameter SIP application extension assumes a general architecture in which the home domain consists of one or more nodes that implement Diameter or SIP functions. At least one of these nodes implements the Diameter server function. The Diameter server has access to the user database, in which the user data of a particular user is stored. There may be more than one Diameter server in the network, and all Diameter servers have access to the user database.

In the SIP network environment there are various configurations of the home domain. In one configuration, a SIP server is assigned to the user to trigger and execute services; the SIP server is assigned dynamically when the user registers in the network. In this configuration a SIP server located at the network edge supports a routing algorithm for SIP requests and responses, and this SIP server node implements the Diameter client. In another configuration, a SIP outbound proxy is configured as the SIP endpoint; the Diameter client in the SIP outbound proxy node authenticates the user, authorizes the SIP request and completes the accounting activity for it.

VI. General structure of a Diameter application in the SIP environment

Figure 2 is a simple schematic of a SIP environment with an AAA architecture; it is just one possible structure for a Diameter SIP application. The SIP user agent (UA) initiates or terminates SIP service flows through one or more SIP servers, and both SIP servers can support the Diameter application as Diameter clients.

Figure 2: General structure of a Diameter application in a SIP environment

As Figure 2 shows, SIP server 1 and SIP server 2 send and receive different Diameter commands to and from the Diameter server. This is because SIP server 1 in Figure 2 is located at the edge of the network, and its main task is to locate (address) SIP server 2. Server 2 is not at the network edge; it requests and receives authentication and authorization data from the Diameter server. The Diameter SL (Subscriber Locator) is used to locate the Diameter server that holds the data for a given user.

VII. A simple process for applying Diameter in the SIP environment

Figure 3 shows a simple process in which the Diameter server authenticates a user request in a SIP administrative network domain. Here the network is of medium size, and the Diameter server is responsible for storing user records and authenticating SIP requests. Only a SIP REGISTER request is chosen as the example; in fact the SIP server can request authentication for any other SIP request.

As Figure 3 shows, a SIP user agent client (UAC) sends a SIP REGISTER request to its home domain (step 1). SIP server 1 receives the SIP request; we assume that SIP server 1 can be located, for example because it sits at the edge of the administrative domain. The Diameter client in SIP server 1 contacts its Diameter server by sending a Diameter User-Authorization-Request (UAR) message (step 2) to determine whether the user is allowed to receive service and, if so, to request the address of the local SIP server that controls the user. The Diameter server responds with a Diameter User-Authorization-Answer (UAA) message (step 3), which indicates the list of suitable SIP servers (SIP server 2) that SIP server 1 may use, or one or more SIP URIs pointing to SIP server 2.

SIP server 1 forwards the SIP REGISTER request (step 4) to a suitable SIP server (SIP server 2). The Diameter client in SIP server 2 asks the Diameter server to authenticate the user by sending a Diameter Multimedia-Auth-Request (MAR) (step 5). The request is also used to let the Diameter server record the SIP URI(s) of SIP server 2, so that subsequent requests from the same user are forwarded accurately to the same SIP server 2. The Diameter server responds with a Diameter Multimedia-Auth-Answer (MAA) message (step 6) whose Result-Code AVP has the value DIAMETER_MULTI_ROUND_AUTH. The MAA also includes a challenge, which SIP server 2 maps into the WWW-Authenticate header of a SIP 401 (Unauthorized) response (step 7); this response is sent back to SIP server 1 and then returned to the SIP UAC (step 8).

SIP server 1 then receives a SIP REGISTER request containing the user's authentication credentials (step 9). Note that SIP server 1 does not need to keep state, and the SIP request is not necessarily sent to the same SIP server 1; in a redundant configuration there may well be a set of SIP server 1 instances. The Diameter client in SIP server 1 contacts a Diameter server by sending a Diameter UAR message (step 10) to determine which SIP server has been assigned to the user. The Diameter server returns the SIP URI(s) of SIP server 2 in a Diameter UAA message (step 11). SIP server 1 forwards the SIP REGISTER request to SIP server 2 (step 12). SIP server 2 extracts the authentication credentials from the SIP REGISTER request, and its Diameter client places them in a Diameter MAR message and sends the message to the Diameter server (step 13). At this point the Diameter server can authenticate the user. After successful authentication, a Diameter MAA message is returned (step 14), with the Result-Code AVP set to DIAMETER_SUCCESS. The Diameter MAA message also includes the user's profile information for SIP server 2 to use when serving the user.

SIP server 2 then generates a SIP 200 (OK) response (step 15), which is forwarded to SIP server 1 and finally returned to the SIP UAC (step 16).
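As an added example that is not part of the article, the sixteen steps above reduced to a runnable Python model: a Diameter server that answers UAR with the serving SIP server, and MAR first with DIAMETER_MULTI_ROUND_AUTH plus a challenge and then, once the UAC's credentials arrive, with DIAMETER_SUCCESS or DIAMETER_AUTHENTICATION_REJECTED. The subscriber record, URIs and the SIP status codes chosen for the failure paths are constructed; HTTP Digest is assumed as the SIP authentication scheme, and each nonce is single-use so a captured response cannot be replayed on a later REGISTER.

```python
import hashlib, hmac, secrets

# Constructed subscriber record held by the Diameter server (sample data, not real)
USER_DB = {"alice@example.com": {"password": "s3cret", "realm": "example.com",
                                 "sip_server": "sip:server2.example.com"}}
DIAMETER_SUCCESS, DIAMETER_MULTI_ROUND_AUTH = 2001, 1001              # RFC 6733 / RFC 4740
DIAMETER_AUTHENTICATION_REJECTED, DIAMETER_ERROR_USER_UNKNOWN = 4001, 5032

def digest_response(user, password, realm, nonce, method, uri):
    """HTTP Digest as SIP uses it (RFC 3261 / RFC 2617): H(H(A1) : nonce : H(A2))."""
    h = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1, ha2 = h(f"{user}:{realm}:{password}"), h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{ha2}")

class DiameterServer:
    def __init__(self):
        self.pending = {}        # outstanding challenge nonce per user, consumed on use

    def handle_uar(self, user):  # UAR/UAA: is the user known, and which SIP server serves it?
        rec = USER_DB.get(user)
        return (DIAMETER_ERROR_USER_UNKNOWN, None) if rec is None else (DIAMETER_SUCCESS, rec["sip_server"])

    def handle_mar(self, user, method, uri, auth=None):
        rec = USER_DB.get(user)
        if rec is None:
            return DIAMETER_ERROR_USER_UNKNOWN, None
        if auth is None:         # first round: no credentials yet, so answer with a challenge
            nonce = secrets.token_hex(16)
            self.pending[user] = nonce
            return DIAMETER_MULTI_ROUND_AUTH, {"realm": rec["realm"], "nonce": nonce}
        nonce = self.pending.pop(user, None)          # a nonce is valid for exactly one attempt
        if nonce is None or auth["nonce"] != nonce:
            return DIAMETER_AUTHENTICATION_REJECTED, None
        expected = digest_response(user, rec["password"], rec["realm"], nonce, method, uri)
        if not hmac.compare_digest(expected, auth["response"]):
            return DIAMETER_AUTHENTICATION_REJECTED, None
        return DIAMETER_SUCCESS, {"user": user, "profile": "default"}   # profile rides in the MAA

def register(dia, user, password, uri="sip:example.com"):
    """Steps 1-16 with SIP servers 1 and 2 folded into one driver; returns the final SIP status."""
    code, _server2 = dia.handle_uar(user)                              # steps 2-3 (UAR/UAA)
    if code != DIAMETER_SUCCESS:
        return 404                                                     # assumed mapping for unknown user
    code, challenge = dia.handle_mar(user, "REGISTER", uri)            # steps 5-6: MULTI_ROUND_AUTH
    auth = {"nonce": challenge["nonce"], "response": digest_response(  # UAC answers the 401 (step 9)
        user, password, challenge["realm"], challenge["nonce"], "REGISTER", uri)}
    dia.handle_uar(user)                                               # steps 10-11: re-locate server 2
    code, _profile = dia.handle_mar(user, "REGISTER", uri, auth)       # steps 13-14: the verdict
    return 200 if code == DIAMETER_SUCCESS else 403                    # steps 15-16 (403 assumed)
```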

Figure 3: Authentication process performed by the Diameter server

Please credit the original source when reposting: https://www.9cbs.com/read-57525.html
