Securing Diameter Messages

Diameter security, as specified in the base protocol, is hop by hop rather than end to end: each connection between two directly connected peers is protected by TLS or IPsec, and a Diameter agent on the path terminates that protection and re-applies it on the next hop, so a message that crosses agents has no end-to-end protection. A Diameter connection MUST always be protected by one of these mechanisms. Under RFC 3588 a Diameter client (for example a NAS) MUST support IPsec and MAY support TLS, while a Diameter server MUST support both TLS and IPsec. The server-side requirement follows from the client-side one: a server cannot know in advance which of the two mechanisms a connecting client implements, so it has to be able to accept either.

IPsec is primarily used for intra-domain traffic, i.e. between peers in the same administrative domain, typically at the edge with pre-shared keys between a NAS and its local proxy. TLS is primarily used for inter-domain traffic, where the peers belong to different operators and certificate-based authentication is more practical (RFC 3588, Section 13).

Before going into the details of these mechanisms, consider the threats to a Diameter message. The three basic properties that need protecting are integrity (a message must not be modifiable on the wire without detection), confidentiality (AVPs such as subscriber identities and session keys must not be readable by anyone on the path) and replay protection. Replay deserves a closer look, because it needs no cryptographic break at all: a captured message is simply sent again.

Replay Attack
A replay attack occurs when somebody on the path (an untrusted proxy or Diameter agent, or anyone able to capture the traffic) records a series of packets and re-sends them later, either to flood the system and cause a denial of service (DoS) or to gain entry to the trusted network by reusing a previously successful authentication exchange.

Solution to Replay
To defeat replay, every packet must be uniquely identifiable. TLS, DTLS and IPsec all do this at the security layer: each protected record carries a sequence number that is covered by the integrity check, so it cannot be tampered with in transit, and a receiver that sees a sequence number it has already accepted (or one that has dropped out of its receive window) rejects the record immediately. Diameter itself also tags every request with a Hop-by-Hop Identifier and an End-to-End Identifier; the End-to-End Identifier combined with Origin-Host is what a receiver uses to detect a duplicate request (RFC 6733, Section 3). That is duplicate detection for reliability in the face of retransmissions, not a substitute for the sequence numbers of the security layer, which is the only check an on-path attacker cannot satisfy.
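The check described above, as an added example in Python (not code from the original post): the sliding-window anti-replay test that IPsec ESP applies to every received packet and that DTLS specifies for the same purpose. It assumes the sequence number has already passed the integrity check, so an attacker cannot rewrite it; the sequence numbers fed to it are constructed for the demo.

```python
"""Added example, not code from the original post: the sliding-window
anti-replay check that IPsec ESP performs on every received packet (DTLS
specifies the same scheme). Sequence numbers fed to it are constructed."""

WINDOW_SIZE = 64   # the minimum ESP anti-replay window width, in packets


class AntiReplayWindow:
    """Remembers the highest sequence number accepted and a bitmap of which
    of the WINDOW_SIZE numbers at or below it have been seen. Assumes the
    sequence number has already passed the integrity check, so an attacker
    cannot rewrite it to slip past the window."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0      # highest accepted sequence number, 0 = nothing yet
        self.bitmap = 0       # bit i set => sequence number (highest - i) seen

    def check_and_update(self, seq):
        """True and window updated if seq is fresh; False if it must be dropped."""
        if seq <= 0:
            return False                     # ESP sequence numbers start at 1
        if seq > self.highest:
            # Newer than anything seen so far: slide the window up to seq.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1              # everything older falls off the edge
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                     # too old: outside the window, drop
        if self.bitmap & (1 << offset):
            return False                     # replay: this number was already accepted
        self.bitmap |= 1 << offset           # late but legitimate (reordered packet)
        return True


def replay_filter(seqs, size=WINDOW_SIZE):
    """Run received sequence numbers through one window and report, per
    packet, whether it was accepted."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Reordered delivery (5 before 4) is tolerated; each replay is dropped.
    print(replay_filter([1, 2, 3, 2, 5, 4, 4, 3]))
    # After a jump to 100, 36 is outside the 64-packet window but 37 is not.
    print(replay_filter([100, 36, 37]))
```

The window is what lets a replayed flood be discarded at almost no cost: a duplicate costs one integrity check and a bit test, never a Diameter request being processed twice.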

Now we will see how these mechanisms protect a Diameter connection. Three are defined across the two revisions of the base protocol:
1) IPsec (within the same domain)  [mandatory in RFC 3588, optional since RFC 6733]
2) TLS
3) DTLS

RFC 6733, the current base protocol specification, says that TLS is used when two nodes communicate over a TCP transport connection and DTLS when they communicate over an SCTP transport connection. Every implementation MUST support TLS/TCP and DTLS/SCTP. Support for IPsec is no longer mandatory, but IPsec is still an acceptable alternative on either transport: the protocol MUST NOT be used without one of TLS, DTLS or IPsec (RFC 6733, Section 13).
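An added example (not code from the original post or from any Diameter stack): a minimal inbound-peer check in Python that enforces the RFC 6733 pairing just described (TLS on TCP, DTLS on SCTP, IPsec accepted on either, nothing else), parses the Diameter header and AVPs, and uses Origin-Host plus the End-to-End Identifier to recognise a duplicate request. The peer name hss.example.com, the identifier values and the security-layer labels are assumptions made for the demo.

```python
"""Added example (not code from the original post): the inbound side of a
Diameter peer connection that enforces the RFC 6733 transport/security
pairing, parses the Diameter header and AVPs, and detects duplicate requests
by (Origin-Host, End-to-End Identifier). The peer name hss.example.com and
the identifier values below are constructed for the demo."""
import struct

DIAMETER_VERSION = 1
CMD_CER = 257                 # Capabilities-Exchange-Request/Answer
AVP_ORIGIN_HOST = 264         # DiameterIdentity (RFC 6733 section 6.3)
AVP_FLAG_VENDOR = 0x80
AVP_FLAG_MANDATORY = 0x40
HDR_FLAG_REQUEST = 0x80

# RFC 6733 section 13: TLS protects TCP, DTLS protects SCTP, IPsec is still
# accepted on either, and a connection with none of them is not Diameter.
REQUIRED_SECURITY = {"tcp": "tls", "sctp": "dtls"}


def security_ok(transport, security):
    """True if this (transport, security layer) pairing may carry Diameter."""
    if security == "ipsec":
        return transport in REQUIRED_SECURITY
    return REQUIRED_SECURITY.get(transport) == security


def build_avp(code, data, flags=AVP_FLAG_MANDATORY):
    """AVP header: code(4) flags(1) length(3); data padded to a 4-byte boundary."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * ((-len(data)) % 4))


def build_message(command_code, app_id, hop_by_hop, end_to_end, avps, request=True):
    """20-byte Diameter header followed by the AVPs."""
    body = b"".join(avps)
    flags = HDR_FLAG_REQUEST if request else 0
    return (bytes([DIAMETER_VERSION]) + (20 + len(body)).to_bytes(3, "big")
            + bytes([flags]) + command_code.to_bytes(3, "big")
            + struct.pack("!III", app_id, hop_by_hop, end_to_end) + body)


def parse_message(raw):
    """Parse header and AVPs, rejecting inconsistent lengths outright."""
    if len(raw) < 20 or raw[0] != DIAMETER_VERSION:
        raise ValueError("not a Diameter v1 message")
    length = int.from_bytes(raw[1:4], "big")
    if length != len(raw):
        raise ValueError("Message Length does not match the bytes received")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", raw[8:20])
    avps = {}
    off = 20
    while off < length:
        if off + 8 > length:
            raise ValueError("truncated AVP header")
        code, aflags = struct.unpack("!IB", raw[off:off + 5])
        alen = int.from_bytes(raw[off + 5:off + 8], "big")
        hdr = 12 if aflags & AVP_FLAG_VENDOR else 8   # Vendor-ID field present?
        if alen < hdr or off + alen > length:
            raise ValueError("bad AVP length")
        avps[code] = raw[off + hdr:off + alen]        # keyed by code only (demo)
        off += alen + ((-alen) % 4)                   # skip the padding
    return {"request": bool(raw[4] & HDR_FLAG_REQUEST),
            "command_code": int.from_bytes(raw[5:8], "big"),
            "application_id": app_id, "hop_by_hop": hop_by_hop,
            "end_to_end": end_to_end, "avps": avps}


class InboundPeer:
    """One accepted peer connection. Refuses to exist without a security layer."""

    def __init__(self, transport, security):
        if not security_ok(transport, security):
            raise ValueError("Diameter MUST NOT be used without TLS, DTLS or IPsec")
        self.seen = set()   # (Origin-Host, End-to-End Identifier) of accepted requests

    def accept(self, raw):
        """Return the parsed message, or None for a duplicate request.
        A real server keeps this set for at least four minutes and answers a
        duplicate from its answer cache instead of re-executing the request."""
        msg = parse_message(raw)
        if msg["request"]:
            key = (msg["avps"].get(AVP_ORIGIN_HOST), msg["end_to_end"])
            if key in self.seen:
                return None
            self.seen.add(key)
        return msg


def demo():
    """Constructed CER from hss.example.com delivered twice over TLS/TCP."""
    cer = build_message(CMD_CER, 0, 0x1234, 0xABCD,
                        [build_avp(AVP_ORIGIN_HOST, b"hss.example.com")])
    peer = InboundPeer("tcp", "tls")
    first, second = peer.accept(cer), peer.accept(cer)
    return first["command_code"] == CMD_CER and second is None
```

Note the division of labour: security_ok is the transport-layer policy that RFC 6733 makes mandatory, while the (Origin-Host, End-to-End Identifier) set only catches a duplicate that the security layer has already authenticated; a forged Origin-Host from an unauthenticated peer would defeat the second check, which is why the first is not optional.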


Your comments, suggestions and questions are always welcome. I will try to clarify doubts to the best of my knowledge, so feel free to post questions.

11 comments:

  1. Is the use of IPsec for intra-domain and TLS for inter-domain described in the specs or is this from your experience?

    Replies
@Howard

      IPsec is deprecated in the latest release of Diameter. Two security mechanisms are defined, in every sense: either TLS or DTLS.

      Thanks for your query.

      Happy to help you again
      Team-Diameter

  2. You have mentioned that IPsec was removed in the latest release of Diameter. Where can I find the latest release of Diameter?

    Replies
    1. Hi Rasha,

      The following link should help you.
      http://diameter-protocol.blogspot.in/2013/02/blog-post.html

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

    2. Hello,

      Thank you for your reply. If you go to Section 13 of RFC 6733 at the following link, it says that TLS/DTLS should be used and that for additional security IPsec can be used. It did not discard the use of IPsec altogether. Do you have any information on this?

      https://tools.ietf.org/html/rfc6733#section-13

      Thank you.
      Rasha

    3. Hi Rasha,

      You are right. The idea of using MAY is to support BACKWARD compatibility, because there are so many systems already deployed in the network; if a new node is to be added, then it should have IPsec if required.

      " However, all Diameter base protocol implementations
      MUST support the use of TLS/TCP and DTLS/SCTP, and the Diameter
      protocol MUST NOT be used without one of TLS, DTLS, or IPsec."

      But in fresh deployment one should focus on TLS and DTLS.

      We hope our suggestion shall help you.

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

    4. Hi Team-Diameter,

      Thank you for your reply!
      If I want to cite information from this blog, who is the party responsible of this blog? Can you please provide more details on that.

      Thanks,
      Rasha

  3. Is it allowed by Diameter to exchange traffic without any security measures, i.e. to exchange Diameter traffic with neither IPsec nor TLS/DTLS?
    Please answer with RFC and credible references.

    Replies
    1. Hi

      Yes, there are many applications that do not require security information.

      The following link should help you, as S6a/S6d (3GPP TS 29.272) is an application:

      http://diameter-protocol.blogspot.in/2012/07/s6as6d.html


      Thanks for your query.
      Happy to help you again
      Team-Diameter

  4. We have a system where we currently support TCP connections for Diameter messages. Now we are planning to move over to TLS, and we have the Seagull simulator. Can you explain what changes are required to support this?

    Replies
    1. Hi Roshan Prasad,

      To change from TCP to TLS, the changes are to be made at the transport level instead of the application level.

      You can use the following to switch Seagull to TLS (snippet taken from the Seagull documentation):
      <define entity="transport"
              name="trans-ip-tls"
              file="libtrans_iptls.so"
              create_function="create_ciptlsio_instance"
              delete_function="delete_ciptlsio_instance"
              init-args="method=SSLv23;cert_chain_file=xxx;private_key_file=yyy;passwd=zzz">
      </define>

      <define entity="channel"
              name="channel-tls"
              protocol="Protocol"
              transport="trans-ip-tls"
              open-args="mode=client;dest=192.168.0.10:3868">
      </define>

      And at the Diameter application you need to check the Diameter stack configuration parameters.

      Thanks for your query.
      Happy to help you again
