Here we have noted down some of the major points of the Diameter protocol that will help you walk through it in just a few minutes.
1) Diameter is an AAA (Authentication, Authorization and Accounting) protocol. In OSI terms it works at the application layer, over TCP or SCTP, with TLS (over TCP) or DTLS (over SCTP) when the connection must be secured. Diameter is the successor of RADIUS (Remote Authentication Dial In User Service), which runs over UDP.
2) Diameter has the following improvements over RADIUS:
a) Reliable transport (TCP/SCTP instead of UDP)
b) Transport layer security (TLS/DTLS)
c) Fail-over mechanism
d) Server-initiated messages
e) Agent support (relay, proxy, redirect, translation)
f) Auditability
g) Transition support (RADIUS/Diameter translation agents)
h) Capability negotiation
i) Roaming support
j) Peer discovery and configuration
3) The default Diameter port is 3868 for TCP/SCTP and 5868 for TLS/DTLS (RFC 6733).
4) Diameter is a message-based protocol: information is exchanged as Request and Answer messages. Each message has a 20-byte header followed by the data (AVPs). The header contains the following fields, in this order on the wire:
a) Version - Diameter version, always 1.
b) Message Length - total length of the message in bytes, header plus all AVPs (24-bit field).
c) Command Flags - R (Request), P (Proxiable), E (Error), T (Potentially re-transmitted request). The remaining four bits are reserved and must be zero.
d) Command Code - identifies the command (e.g. 257 = Capabilities-Exchange, 280 = Device-Watchdog, 272 = Credit-Control). A request and its answer share the command code and differ only in the R bit.
e) Application-ID - identifies the Diameter application the message belongs to (0 = base protocol).
f) Hop-by-Hop Identifier - matches an answer to its request between two directly connected nodes; an agent replaces it when forwarding and restores it on the way back.
g) End-to-End Identifier - set by the originator and never changed by agents; used to detect duplicate messages.
The data section contains AVPs (Attribute-Value Pairs), each encoded as a code, flags, length and value.
Command Codes and Application-IDs are assigned by IANA; vendor-specific Application-IDs for bodies such as 3GPP are registered with IANA as well.
5) AVPs carry the data that is meaningful to the application. An AVP also has a header and a data section. The AVP header contains:
a) AVP Code (32 bits) - identifies the AVP; together with the Vendor-ID it is unique (codes are assigned by IANA, or by a vendor such as 3GPP within its own vendor space).
b) AVP Flags - V (Vendor-specific), M (Mandatory: a receiver that does not understand the AVP must reject the message), P (was 'Protected' in RFC 3588 and is reserved in RFC 6733). The remaining five bits are reserved and must be zero.
c) AVP Length (24 bits) - header length plus data length, excluding padding.
d) Vendor-ID (32 bits) - present only when the V bit is set; the IANA-assigned enterprise number (10415 for 3GPP).
The data section carries the actual value and is padded to a multiple of 4 bytes; the padding is not counted in AVP Length. The data section can itself contain AVPs; an AVP whose data is a sequence of AVPs is called a Grouped AVP.
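As an added example (not code from the original post), here is a small Python codec for the header and AVP layouts described in points 4 and 5: it encodes a CER with a grouped Vendor-Specific-Application-Id AVP, decodes it back, and applies the header checks that yield DIAMETER_INVALID_BIT_IN_HEADER (5013), which a reader asks about in the comments below. The host names and the product name are constructed sample values; the AVP codes, command code and IDs are the standard ones from RFC 6733 and IANA.

```python
"""Minimal Diameter (RFC 6733) codec: 20-byte header, AVPs and Grouped AVPs.
Added example, not code from the original post. Codes used: Origin-Host 264,
Origin-Realm 296, Vendor-Id 266, Product-Name 269, Auth-Application-Id 258,
Vendor-Specific-Application-Id 260 (grouped); Gx Application-Id 16777238; 3GPP
vendor id 10415. Host names and product name below are constructed samples."""
import struct
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Union

# Command Flags (RFC 6733 section 3); the low four bits are reserved
FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10
HDR_RESERVED_BITS = 0x0F
# AVP Flags (section 4.1); P and the low five bits are reserved in RFC 6733
AVP_V, AVP_M, AVP_P = 0x80, 0x40, 0x20

DIAMETER_UNSUPPORTED_VERSION = 5011
DIAMETER_INVALID_BIT_IN_HEADER = 5013


@dataclass
class AVP:
    code: int
    flags: int                           # M/P bits; V is derived from vendor_id
    data: Union[bytes, List["AVP"]]      # a list of AVPs makes this a Grouped AVP
    vendor_id: Optional[int] = None

    def encode(self) -> bytes:
        payload = (b"".join(a.encode() for a in self.data)
                   if isinstance(self.data, list) else self.data)
        vendor = b"" if self.vendor_id is None else struct.pack("!I", self.vendor_id)
        flags = (self.flags & ~AVP_V) | (AVP_V if vendor else 0)
        length = 8 + len(vendor) + len(payload)           # padding is not counted
        out = (struct.pack("!I", self.code) + bytes([flags])
               + length.to_bytes(3, "big") + vendor + payload)
        return out + b"\x00" * (-len(payload) % 4)        # pad data to a 32-bit boundary


@dataclass
class Message:
    command_code: int
    flags: int
    application_id: int
    hop_by_hop: int
    end_to_end: int
    avps: List[AVP] = field(default_factory=list)
    version: int = 1

    def encode(self) -> bytes:
        body = b"".join(a.encode() for a in self.avps)
        length = 20 + len(body)                           # Message Length covers header + AVPs
        return (bytes([self.version]) + length.to_bytes(3, "big")
                + bytes([self.flags]) + self.command_code.to_bytes(3, "big")
                + struct.pack("!III", self.application_id, self.hop_by_hop, self.end_to_end)
                + body)


def check_header(version: int, flags: int) -> Optional[int]:
    """Result-Code a receiver should answer with for a bad header, or None if it is fine.
    5013 covers a reserved bit set, E set on a request, and T set on an answer."""
    if version != 1:
        return DIAMETER_UNSUPPORTED_VERSION
    is_request = bool(flags & FLAG_R)
    if (flags & HDR_RESERVED_BITS) or (is_request and flags & FLAG_E) \
            or (not is_request and flags & FLAG_T):
        return DIAMETER_INVALID_BIT_IN_HEADER
    return None


def decode_avps(buf: bytes, grouped: FrozenSet[int] = frozenset()) -> List[AVP]:
    """Parse consecutive AVPs; codes listed in `grouped` are parsed recursively."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code = struct.unpack_from("!I", buf, off)[0]
        flags = buf[off + 4]
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr_len = 12 if flags & AVP_V else 8
        if length < hdr_len or off + length > len(buf):
            raise ValueError(f"bad AVP Length {length} for AVP code {code}")
        vendor_id = struct.unpack_from("!I", buf, off + 8)[0] if flags & AVP_V else None
        data: Union[bytes, List[AVP]] = buf[off + hdr_len:off + length]
        if code in grouped:
            data = decode_avps(data, grouped)
        avps.append(AVP(code, flags & ~AVP_V, data, vendor_id))
        off += length + (-length % 4)                     # step over the padding too
    return avps


def decode_message(buf: bytes, grouped: FrozenSet[int] = frozenset()) -> Message:
    if len(buf) < 20:
        raise ValueError("truncated Diameter header")
    version, length, flags = buf[0], int.from_bytes(buf[1:4], "big"), buf[4]
    command_code = int.from_bytes(buf[5:8], "big")
    app_id, h2h, e2e = struct.unpack_from("!III", buf, 8)
    if length != len(buf):
        raise ValueError(f"Message Length {length} does not match {len(buf)} bytes read")
    err = check_header(version, flags)
    if err is not None:
        raise ValueError(f"invalid header, answer with Result-Code {err}")
    return Message(command_code, flags, app_id, h2h, e2e, decode_avps(buf[20:], grouped), version)


def build_cer(origin_host: bytes, origin_realm: bytes) -> Message:
    """CER (command 257, base application 0) advertising the 3GPP Gx application."""
    vsai = AVP(260, AVP_M, [AVP(266, AVP_M, struct.pack("!I", 10415)),
                            AVP(258, AVP_M, struct.pack("!I", 16777238))])
    return Message(257, FLAG_R, 0, hop_by_hop=0x1001, end_to_end=0x2001, avps=[
        AVP(264, AVP_M, origin_host), AVP(296, AVP_M, origin_realm),
        AVP(266, AVP_M, struct.pack("!I", 0)), AVP(269, AVP_M, b"example-stack"), vsai])


if __name__ == "__main__":
    wire = build_cer(b"pcef.example.com", b"example.com").encode()
    msg = decode_message(wire, frozenset({260}))
    print(len(wire), msg.command_code, msg.avps[0].data, msg.avps[4].data[1].data.hex())
```

Note that the decoder only descends into AVPs whose codes you declare as grouped; in a real stack that list comes from the dictionary, which is why a wrong dictionary entry shows up as an opaque blob rather than a parse error.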
6) Peer discovery is one of the improvements Diameter has over RADIUS: a Diameter node can learn which Diameter nodes serve a realm. Discovery is either static or dynamic. In static discovery the operator configures the surrounding nodes when the Diameter node is deployed. In dynamic discovery the node queries DNS (NAPTR records for the realm, then SRV and address records) to find peers; RFC 3588 also allowed SLP (SRVLOC), but RFC 6733 keeps only DNS-based discovery.
7) A Diameter node that wants to talk to another Diameter node first opens a transport connection (TCP or SCTP) and then establishes the Diameter connection by performing capability negotiation. Capability negotiation is the process in which the two nodes decide whether they have any application in common to talk about. The Capabilities-Exchange-Request/Answer (CER/CEA) pair is used for this, and CER/CEA is always the first Diameter message exchanged between two nodes. When the connection is to be protected, TLS (over TCP) or DTLS (over SCTP) is set up first on port 5868, so even CER/CEA travels over the secured channel.
8) In capability exchange the two nodes tell each other, via CER/CEA, which applications they support; applications are identified by the Application-IDs assigned by IANA, and the Origin-Host and Origin-Realm AVPs identify the peer. Either of the two nodes can send the CER, and the other responds with a CEA. If both nodes send a CER at the same time (each has accepted the other's transport connection), an election chooses which of the two connections survives: the two Origin-Host values are compared as fully qualified domain names, octet by octet (RFC 6733 section 5.6.4), the node with the higher Origin-Host wins, and the winner must close the connection it initiated and answer the peer's CER on the connection the peer initiated.
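The election outcome is easy to get backwards when implementing a stack, so here is an added example (not code from the original post) that works it out for both sides at once: the comparison rule from RFC 6733 section 5.6.4 and the resulting state-machine actions for the winner and the loser. The host names are constructed.

```python
"""Election when both peers send a CER at the same time (RFC 6733 section 5.6.4).
Added example, not from the original post; the host names are constructed."""
from typing import Tuple


def origin_host_is_higher(local: bytes, peer: bytes) -> bool:
    """Compare the two Origin-Host values as FQDNs: octet-by-octet unsigned comparison,
    first octet most significant, the shorter name padded so both have the same length."""
    width = max(len(local), len(peer))
    return local.ljust(width, b"\x00") > peer.ljust(width, b"\x00")


def resolve_election(local_host: bytes, peer_host: bytes) -> Tuple[str, str]:
    """Both nodes are in Wait-Returns: each sent a CER on the connection it initiated and
    received the peer's CER on the connection it accepted. Returns, from the local node's
    point of view, (connection to close, connection to keep), each 'initiator' or 'responder'."""
    if local_host == peer_host:
        # the comparison yields no winner for identical names: the peer claims our identity
        raise ValueError("peer uses our own Origin-Host; treat as a configuration error")
    if origin_host_is_higher(local_host, peer_host):
        # Win-Election: I-Disc, R-Snd-CEA -> R-Open (drop our connection, answer the peer's CER)
        return "initiator", "responder"
    # Loser: the winner closes the connection we accepted (R-Peer-Disc -> Wait-I-CEA) and
    # then answers our CER on the connection we initiated (I-Rcv-CEA -> I-Open)
    return "responder", "initiator"


def surviving_initiator(host_a: bytes, host_b: bytes) -> bytes:
    """The connection that survives is the one initiated by the election loser."""
    return host_b if origin_host_is_higher(host_a, host_b) else host_a


if __name__ == "__main__":
    a, b = b"pcrf.example.com", b"pcef.example.com"
    print(resolve_election(a, b), resolve_election(b, a), surviving_initiator(a, b))
```

Running the two calls side by side is the useful check: the decisions must mirror each other, otherwise both connections get closed or both stay open.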
9) RFC 6733 recommends that a Diameter node keep at least two transport connections to peers, a primary and a secondary. If the primary connection fails, pending requests are failed over to the secondary (with the T flag set on the retransmissions so the receiver can detect duplicates) and the application keeps getting service.
10) Device-Watchdog-Request/Answer (DWR/DWA) messages are exchanged on an established Diameter connection whenever it has been idle for the watchdog interval (Tw, by default about 30 seconds, see RFC 3539). They act as health-check messages: if no DWA (or any other traffic) arrives within the timeout, the connection is considered failed and fail-over is triggered.
11) A Diameter node closes a Diameter connection gracefully by sending a Disconnect-Peer-Request (DPR) carrying a Disconnect-Cause AVP with one of the following values: REBOOTING (0), BUSY (1) or DO_NOT_WANT_TO_TALK_TO_YOU (2). The peer replies with a Disconnect-Peer-Answer (DPA), after which the transport connection is torn down.
12) Diameter defines agents, which are Diameter nodes that forward messages rather than terminate them. Each agent type has a specific role:
a) Relay - routes a message on Destination-Realm/Destination-Host without changing its content (other than appending a Route-Record AVP and rewriting the Hop-by-Hop Identifier). A relay advertises the Relay Application-ID (0xffffffff) and can forward any application.
b) Proxy - routes a message and may modify it, for example to enforce policy; it must understand the application.
c) Redirect - does not route the message but returns routing information (Redirect-Host AVPs) in the answer so the sender can contact the right peer directly.
d) Translation - converts Diameter messages to RADIUS messages and vice versa.
An agent is not a separate application; it is a role of a Diameter node, visible during capability exchange through the applications (or the Relay Application-ID) it advertises.
13) To send or forward request messages over its established Diameter connections, every Diameter node maintains two tables:
a) Peer Table - one entry per directly connected peer: its Host Identity (Origin-Host), connection state (Open, Closed, ...), whether it was statically configured or dynamically discovered, an expiry time for discovered peers, and whether TLS/DTLS is used.
b) Realm Routing Table - indexed by (Realm Name, Application-ID): the local action (LOCAL, RELAY, PROXY or REDIRECT) and, for forwarding, the peer(s) from the peer table to send to, usually a primary and a secondary. A default entry can catch realms not listed explicitly.
Both tables are used when a message is processed: the node first checks whether the request is for itself, then honours a Destination-Host AVP that names a peer in the peer table, and otherwise looks up Destination-Realm and Application-ID in the realm routing table.
14) Every request message must be answered with an answer message (same command code, R bit cleared). The answer follows the request's path in reverse: each agent matches the answer to the pending request by Hop-by-Hop Identifier, restores the identifier it received from the previous hop and sends the answer back on that connection. The Result-Code AVP in the answer indicates success (2xxx), a protocol error (3xxx, E bit set), a transient failure (4xxx) or a permanent failure (5xxx); an error answer is a legitimate answer and completes the request.
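Points 9, 13 and 14 together describe what a relay actually does with a request, so here is an added example (not code from the original post) of a relay's peer table, realm routing table, primary/secondary fail-over and answer routing by Hop-by-Hop Identifier. Peer names and realms are constructed; the Result-Codes 3002 (DIAMETER_UNABLE_TO_DELIVER) and 3003 (DIAMETER_REALM_NOT_SERVED) are the RFC 6733 values.

```python
"""Request routing in a Diameter relay: peer table, realm routing table,
primary/secondary fail-over and answer routing by Hop-by-Hop Identifier.
Added example; peer and realm names are constructed, not from the post."""
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

RELAY_APPLICATION_ID = 0xFFFFFFFF        # advertised by relays; wildcard in the realm table
DIAMETER_UNABLE_TO_DELIVER, DIAMETER_REALM_NOT_SERVED = 3002, 3003


@dataclass
class Peer:                      # peer table entry (RFC 6733 section 2.6)
    host: str                    # Origin-Host the peer sent in CER/CEA
    applications: Set[int]       # Application-Ids it advertised
    status: str = "Open"         # Open or Closed, driven by CER/CEA, DWR/DWA and DPR


@dataclass
class RealmRoute:                # realm routing table entry (section 2.7)
    realm: str
    application_id: int
    action: str                  # LOCAL, RELAY, PROXY or REDIRECT
    primary: Optional[str] = None
    secondary: Optional[str] = None


@dataclass
class Request:
    hop_by_hop: int
    end_to_end: int
    application_id: int
    destination_realm: str
    destination_host: Optional[str] = None
    retransmitted: bool = False  # the T flag
    route_record: List[str] = field(default_factory=list)


class Relay:
    def __init__(self) -> None:
        self.peers: Dict[str, Peer] = {}
        self.routes: List[RealmRoute] = []
        # our Hop-by-Hop Id -> (Hop-by-Hop Id received, peer it came from, forwarded request, next hop)
        self.pending: Dict[int, Tuple[int, str, Request, str]] = {}
        self._h2h = itertools.count(0x5A000001)

    def _open(self, host: Optional[str]) -> bool:
        return host is not None and host in self.peers and self.peers[host].status == "Open"

    def select(self, req: Request) -> Tuple[str, object]:
        """RFC 6733 section 6.1: a Destination-Host naming a known peer wins; otherwise
        look up (Destination-Realm, Application-Id) and fail over from primary to secondary."""
        if req.destination_host in self.peers:
            if self._open(req.destination_host):
                return "RELAY", req.destination_host
            return "ERROR", DIAMETER_UNABLE_TO_DELIVER
        for r in self.routes:
            if r.realm != req.destination_realm:
                continue
            if r.application_id not in (req.application_id, RELAY_APPLICATION_ID):
                continue
            if r.action in ("LOCAL", "REDIRECT"):
                return r.action, r.primary           # for REDIRECT, primary is the Redirect-Host to return
            for host in (r.primary, r.secondary):
                if self._open(host):
                    return r.action, host
            return "ERROR", DIAMETER_UNABLE_TO_DELIVER   # every server for this realm is down
        return "ERROR", DIAMETER_REALM_NOT_SERVED

    def forward(self, req: Request, from_peer: str) -> Tuple[str, Optional[Request]]:
        """Forward a request: new Hop-by-Hop Id, unchanged End-to-End Id, Route-Record
        appended with the peer we got it from; remember the mapping for the answer."""
        action, target = self.select(req)
        if action not in ("RELAY", "PROXY"):
            return action, None                      # LOCAL, REDIRECT or ERROR: the caller answers
        out = Request(next(self._h2h), req.end_to_end, req.application_id, req.destination_realm,
                      req.destination_host, req.retransmitted, req.route_record + [from_peer])
        self.pending[out.hop_by_hop] = (req.hop_by_hop, from_peer, out, target)
        return target, out

    def route_answer(self, hop_by_hop: int) -> Tuple[int, str]:
        """An answer retraces the request's path: restore the Hop-by-Hop Id we were
        given and send the answer back on the connection the request arrived on."""
        received_h2h, from_peer, _, _ = self.pending.pop(hop_by_hop)
        return received_h2h, from_peer

    def peer_down(self, host: str) -> List[Tuple[str, Request]]:
        """Fail over every request pending on a lost peer to the secondary, with the
        T flag set so the new server can spot a duplicate of a request it already processed."""
        self.peers[host].status = "Closed"
        resent = []
        for h2h, (received_h2h, from_peer, out, next_hop) in list(self.pending.items()):
            if next_hop != host:
                continue
            del self.pending[h2h]
            action, target = self.select(out)
            if action in ("RELAY", "PROXY"):
                retry = Request(next(self._h2h), out.end_to_end, out.application_id,
                                out.destination_realm, out.destination_host, True, out.route_record)
                self.pending[retry.hop_by_hop] = (received_h2h, from_peer, retry, target)
                resent.append((target, retry))
        return resent
```

The two identifiers behave differently on purpose: the Hop-by-Hop Id is rewritten at every hop and is what the pending table is keyed on, while the End-to-End Id is copied untouched so the far end can recognise the failed-over retransmission as the same request.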
15) Diameter also has the concept of a session, which is different from a connection. A connection is a transport-layer entity between two peers; a session is an application-layer entity identified by the Session-Id AVP, which is globally unique and carried in every message of the session. Resources assigned to a session stay associated with it until the session terminates. Two nodes can carry many sessions over one connection (and applications such as credit control add sub-sessions within a session). Session state is maintained for the life of the session, and Diameter provides messages and AVPs such as Session-Termination-Request/Answer, Abort-Session-Request/Answer, Re-Auth-Request/Answer, Auth-Session-State and Authorization-Lifetime to control it.
Your comments, suggestions and questions are always welcome. We will try to clarify doubts to the best of our knowledge, so feel free to post questions.
Best explained. Very useful and informative...
Hi Friend,
Can anyone explain Diameter error code 5013 Diameter_Invalid_Bit_in_Header?
If the CCA result code is 5013, from where is this missing, the client end or the server end?
AVP: Result-Code(268) l=12 f=-M- val=DIAMETER_INVALID_BIT_IN_HEADER (5013)
Hi Jadhav,
As far as we understand your issue, the CCR header bits are not proper. So the entity originating the CCR should be checked; a Wireshark trace will help you understand it better.
According to RFC-6733,
DIAMETER_INVALID_BIT_IN_HEADER 5013
This error is returned when a reserved bit in the Diameter header
is set to one (1) or the bits in the Diameter header are set
incorrectly.
Therefore this issue could be due to one of the following reasons:
1) Reserved bits: any of the reserved bits is set to one, and the receiver of the CCR message is developed in such a way that it does not ignore reserved bits. It is up to the receiver whether it ignores reserved bits or returns an error to highlight that the header format is incorrect.
2) The bit combination in the Command Flags is invalid, such as setting the error bit in a request message, or a re-transmitted message (T bit set) without the R bit set, etc. This can easily be observed with the help of a Wireshark trace.
Thanks for your query.
Happy to help you again.
Team-Diameter
Please give a complete error description. I faced this in a live environment.
Excellent Article !!!
I have a query related to application-id: why is application-id used in two places in Diameter messages, for example in the CCR message on the Gx interface?
1. Application-ID in the message header.
2. Auth-Application-Id in the message data.
Can you also explain diameter dictionary?
Especially WHY there are commented AVPs in the Wireshark dictionary.
Diameter dictionary means the definition of AVPs and messages as per the Diameter standards.
e.g. each interface defines its AVPs with the following parameters:
AVP Flag rules
Attribute Name
AVP Code
Value Type
Must
May
Should not
Must not
As you have seen, Wireshark uses a dictionary in XML format. It is up to the tool how it wants to read the above values.
Commented AVPs means either they are obsoleted or not required.
I think you have got your answers.
Hi,
First of all, excellent article.
I have a few doubts on the transport connection.
1. Is it mandatory that the SCTP connection is tried first before trying TCP?
2. What happens when the port only accepts TCP packets?
Hi
There are no such priorities defined in RFC-6733 that one should try SCTP first and then TCP.
A node acting as a client shall support either SCTP, TCP or both. A node acting as a SERVER must support both SCTP and TCP, because the server does not know on what transport the client is going to connect. One client can connect on TCP while another on SCTP.
Thanks for your query.
Happy to help you again.
Team-Diameter
Hi Team Diameter,
I have a doubt about the introduction line "Diameter is a AAA (Authorization, Authentication and Accounting ) protocol works at application layer in OSI model", as it is mentioned that it works at the application layer of the OSI model. My query is: how does CAP3 GPRS charging happen? Basically for GSM networks we use the SS7 model, which uses CAP3 GPRS, and charging means use of an AAA protocol (Diameter). Even when I read RFC-6733, in the introduction they nowhere mention explicitly that Diameter can be used only in the OSI model.
Please correct me if it's wrong.
Appreciate your help.
Hi Chinmoy,
Your point of view is right. Here we mentioned the Diameter protocol as an application layer protocol only in the context of the OSI model. In another model it might fall in other layers.
Thanks for your query.
Happy to help you again.
Team Diameter
Hi,
I am trying to create a simple base Diameter protocol. I have diameter.xml; now I am confused where I should place this XML.
Do I need to place this XML in some WebLogic config folder or can I place it in my project folder?
And how/where can I set the actual port, host, realm and other values?
Thanks in advance
Dear Ram,
It's your design choice; wherever you want to put the Diameter configuration file, you can put it. You can create a config or diaconfig folder. Simple base Diameter protocol means you want limited functionality, but the major basics of RFC 6733 you need to implement.
All these must be part of the configuration, so you can get it from XML or some other database. It's totally design specific. In your case, you should do it via XML.
Hi team,
Can anyone explain what are the mandatory and optional AVPs in CCR and RAR messages?
Thanks,
Satish
Can anyone send some documents related to NFV?
Thanks, very good post and it helped me a lot. I would like to share a very good Diameter protocol stack development API/SDK, available as a free evaluation version at http://www.packetforce.in/diameter-stack-java-api.htm
I have multiple Diameter servers (AAA-1 & AAA-12 servers) behind a Diameter routing agent. The client app (mobile device) sends a request (DER - EAP) to the AAA-1 server via the DRA. AAA-1 throws the challenge response (DEA). The device does some calculations and sends another DER (with payload) to the AAA server via the DRA. What should be done so that the DRA invokes the same AAA server (AAA-1) which posted the challenge? One way is to copy the origin-host value from the previous response (DEA) into destination-host for the subsequent DER; is this the standard way? Is there any other way? Please reply ASAP. Thank you.
Hi Vivek
Does the client app maintain a session?
If yes then the session can be maintained.
Your option is also good.
Most of the solution depends on the architecture.
Here are some other possible solutions as well that can be applied at the DRA:
1) One can use unique identification to divide traffic, e.g. unique-id A11 messages should go to AAA-1
2) If your back end database is common then it doesn't matter which AAA it is going to.
Thanks for your query.
Happy to help you again
Team-Diameter
Thank you for the response.
For both of the requests the Session-Id AVP value is the same.
1. Dividing traffic is the customer's decision; we cannot rely on this.
2. This information is not getting stored in the database, which is the reason to route the request to the same AAA as previously.
Thanks,
Vivek
Hi Vivek.
If you have the same Session-Id AVP in both messages then it becomes very easy. Just maintain the session; all messages with the same session id should go to the single/one (or selected) server. The DRA can do it very easily.
Thanks for your query.
Happy to help you again.
Team-Diameter
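To make the session-affinity approach from the reply above concrete, here is an added example (not code from the thread or from any DRA product) of a DRA that pins a session to the AAA server that answered its first round, honours an explicit Destination-Host as the asker proposed, and releases the binding when the session ends. Server names are constructed; Result-Code 1001 (DIAMETER_MULTI_ROUND_AUTH, RFC 6733 section 7.1.1) is the value a server returns in a DEA when another EAP round is needed.

```python
"""Session affinity in a Diameter routing agent for multi-round EAP (DER/DEA).
Added example, not code from the thread; server names are constructed."""
import itertools
from typing import Dict, List, Optional, Set

DIAMETER_MULTI_ROUND_AUTH = 1001         # DEA: send the next DER for the same session
DIAMETER_UNABLE_TO_DELIVER = 3002


class StickyDra:
    def __init__(self, servers: List[str]) -> None:
        self.servers = servers                      # Origin-Hosts of the AAA servers behind the DRA
        self.down: Set[str] = set()                 # servers whose connection is lost
        self.binding: Dict[str, str] = {}           # Session-Id -> chosen AAA Origin-Host
        self._rr = itertools.cycle(range(len(servers)))

    def route_request(self, session_id: str, destination_host: Optional[str] = None) -> str:
        """Pick the server for a DER: an explicit Destination-Host first (the asker's option,
        copied from the previous DEA's Origin-Host), then the existing session binding,
        otherwise round-robin over the servers that are up, remembering the choice."""
        if destination_host and destination_host not in self.down:
            self.binding[session_id] = destination_host
            return destination_host
        bound = self.binding.get(session_id)
        if bound and bound not in self.down:
            return bound
        for _ in range(len(self.servers)):
            host = self.servers[next(self._rr)]
            if host not in self.down:
                self.binding[session_id] = host
                return host
        raise RuntimeError(f"no AAA server available, answer Result-Code {DIAMETER_UNABLE_TO_DELIVER}")

    def on_answer(self, session_id: str, origin_host: str, result_code: int) -> bool:
        """Confirm the binding from the DEA's Origin-Host. Keep it while more rounds follow
        (1001) or the session was authorised (2xxx); drop it on a failure so a retry is
        free to land elsewhere. Returns True while the binding is still held."""
        if result_code == DIAMETER_MULTI_ROUND_AUTH or 2000 <= result_code < 3000:
            self.binding[session_id] = origin_host
            return True
        self.binding.pop(session_id, None)
        return False

    def on_session_end(self, session_id: str) -> None:
        """STR/STA or ASR/ASA for the session: release the binding so the table cannot
        grow without bound."""
        self.binding.pop(session_id, None)
```

The binding table is the piece that needs attention in production: it must be shared or replicated between DRA instances if more than one DRA can see the same session, and it must be bounded by session termination or a timeout, otherwise abandoned EAP exchanges leak entries.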
Please give an example of a proxy changing a message.
Can anyone tell me what are the mandatory AVPs in CEA/CER messages?
Hi Vishwajeet
{Mandatory}
[Optional]
Following Link shall help you.
https://diameter-protocol.blogspot.com/2011/03/capability-negotiation.html
Happy to help you again.
Thanks for your query.
Team-Diameter