Diameter is an end-to-end secure protocol. The Diameter protocol MUST provide a security mechanism, either TLS or IPsec. In a Diameter deployment a Diameter client MUST support IPsec and MAY support TLS, while Diameter servers MUST support both TLS and IPsec. This is mandatory because any client can send a request regardless of whether it supports IPsec or TLS, so the server must support both.
IPsec is primarily used for intra-domain traffic, i.e. within the same domain, while TLS is primarily used for inter-domain traffic.
Before going into the details of these security mechanisms we will first look at the threats to Diameter messages. The basic issues for which security is needed are integrity, confidentiality and replay. Replay is the major issue.
Replay Attack
A replay attack occurs when somebody (an untrusted proxy or Diameter agent) intercepts a series of packets and uses them later, either to flood the system and cause a denial of service (DoS), or to gain entry to the trusted network.
Solution to Replay
To overcome the problem of replay it is necessary to identify each packet uniquely. In some implementations a unique number from a given range is allotted to each message, and it is ensured that the number cannot be tampered with during transmission. Once a node receives a message carrying a number it has already received, that message is rejected immediately.
Now we will see how these security mechanisms work to secure the whole Diameter message end-to-end.
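As an added example (not part of the original post), the duplicate-number check described above implemented against the Diameter wire format: it parses the 20-byte header and the Origin-Host AVP (code 264) and rejects any message whose (Origin-Host, End-to-End Identifier) pair has already been seen, which is the combination RFC 6733 uses for duplicate detection. The bounded table standing in for the RFC's uniqueness window and the sample message builder are assumptions made for the demo; the tamper-protection of the identifier itself comes from TLS/DTLS, not from this check.

```python
import struct
from collections import OrderedDict
ORIGIN_HOST = 264  # AVP code of Origin-Host (RFC 6733)

def parse_header(msg):
    """Return (command_code, hop_by_hop_id, end_to_end_id) from the 20-byte header."""
    length = int.from_bytes(msg[1:4], "big")
    if msg[0] != 1 or length != len(msg) or length < 20:
        raise ValueError("malformed Diameter header")
    hop_by_hop, end_to_end = struct.unpack("!II", msg[12:20])
    return int.from_bytes(msg[5:8], "big"), hop_by_hop, end_to_end

def find_avp(msg, code):
    """Walk the AVPs after the header; return the data of the first AVP with `code`."""
    offset = 20
    while offset + 8 <= len(msg):
        avp_code, flags = struct.unpack("!IB", msg[offset:offset + 5])
        avp_len = int.from_bytes(msg[offset + 5:offset + 8], "big")
        hdr = 12 if flags & 0x80 else 8  # V bit set: a 4-byte Vendor-ID follows
        if avp_len < hdr or offset + avp_len > len(msg):
            raise ValueError("malformed AVP")
        if avp_code == code:
            return msg[offset + hdr:offset + avp_len]
        offset += (avp_len + 3) & ~3  # AVPs are padded to a 4-byte boundary
    return None

class ReplayFilter:
    """Drop a message whose (Origin-Host, End-to-End Identifier) pair was already seen."""
    def __init__(self, capacity=100_000):  # bounded LRU stands in for the 4-minute window (assumption)
        self.capacity, self.seen = capacity, OrderedDict()
    def accept(self, msg):
        _, _, end_to_end = parse_header(msg)
        origin = find_avp(msg, ORIGIN_HOST)
        if origin is None:  # Origin-Host is mandatory; refuse to track without it
            return False
        key = (bytes(origin), end_to_end)
        if key in self.seen:
            return False  # replayed or duplicated message
        self.seen[key] = True
        if len(self.seen) > self.capacity:
            self.seen.popitem(last=False)
        return True

def build_message(command_code, hop_by_hop, end_to_end, origin_host):
    """Constructed sample request: header plus one Origin-Host AVP (M flag set)."""
    data = origin_host.encode()
    avp = struct.pack("!IB", ORIGIN_HOST, 0x40) + (8 + len(data)).to_bytes(3, "big") + data
    avp += b"\x00" * (-len(avp) % 4)
    hdr = b"\x01" + (20 + len(avp)).to_bytes(3, "big") + b"\x80" + command_code.to_bytes(3, "big")
    return hdr + struct.pack("!III", 0, hop_by_hop, end_to_end) + avp
```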
1) IPsec (Within same domain) [Obsoleted]
RFC 6733 (the latest) now says that TLS is to be used when two nodes communicate over a TCP transport connection and DTLS when two nodes communicate over an SCTP transport connection. Support for IPsec is no longer needed.
Your comments, suggestions and questions are always welcome. I will try to clarify doubts to the best of my knowledge, so feel free to post questions.
Is the use of IPsec for intra-domain and TLS for inter-domain described in the specs or is this from your experience?
@ Howard
IPsec is deprecated in the latest release of Diameter. Two security mechanisms are defined in all senses, either TLS or DTLS.
Thanks for your query.
Happy to help you again
Team-Diameter
You have mentioned that IPsec was removed in the latest release of Diameter. Where can I find the latest release of Diameter?
Hi Rasha,
The following link shall help you.
http://diameter-protocol.blogspot.in/2013/02/blog-post.html
Thanks for your query.
Happy to help you again.
Team-Diameter
Hello,
Thank you for your reply. If you go to section 13 of RFC 6733 at the following link, it says that TLS/DTLS should be used and that for additional security IPsec can be used. It did not discard the use of IPsec entirely. Do you have any information on this?
https://tools.ietf.org/html/rfc6733#section-13
Thank you.
Rasha
Hi Rasha,
You are right. The idea of using MAY is to support backward compatibility, because there are so many systems already deployed in the network; if a new node is to be added then it should have IPsec if required.
"However, all Diameter base protocol implementations MUST support the use of TLS/TCP and DTLS/SCTP, and the Diameter protocol MUST NOT be used without one of TLS, DTLS, or IPsec."
But in fresh deployment one should focus on TLS and DTLS.
We hope our suggestion shall help you.
Thanks for your query.
Happy to help you again.
Team-Diameter
Hi Team-Diameter,
Thank you for your reply!
If I want to cite information from this blog, who is the party responsible for this blog? Can you please provide more details on that?
Thanks,
Rasha
Is it allowed by Diameter to exchange traffic without any security measures, i.e. to exchange Diameter traffic with neither IPsec nor TLS or DTLS?
Please answer with RFC and credible references.
Hi,
Yes, there are many applications that do not require security information.
The following link shall help you, as S6a/S6d (3gpp-29272) is such an application.
http://diameter-protocol.blogspot.in/2012/07/s6as6d.html
Thanks for your query.
Happy to help you again
Team-Diameter
We have a system where we currently support TCP connections for Diameter messages. Now we are planning to move over to TLS, and we have the Seagull simulator. Can you explain what changes are required to support this?
Hi Roshan Prasad,
To change from TCP to TLS, the changes are to be made at the transport level instead of the application level.
You can use the following to convert Seagull to TLS (snippet taken from the Seagull documentation):
<define entity="transport"
        name="trans-ip-tls"
        file="libtrans_iptls.so"
        create_function="create_ciptlsio_instance"
        delete_function="delete_ciptlsio_instance"
        init-args="method=SSLv23;cert_chain_file=xxx;private_key_file=yyy;passwd=zzz">
</define>
<define entity="channel"
        name="channel-tls"
        protocol="Protocol"
        transport="trans-ip-tls"
        open-args="mode=client;dest=192.168.0.10:3868">
</define>
And at the Diameter application level you need to check the Diameter stack configuration parameters.
Thanks for your query.
Happy to help you again