Entry Point of NGN access control security
-- Diameter protocol and its application in the SIP network environment
Xie Wei
I. Introduction
The Diameter family of protocols is a new generation of AAA technology that is gaining more and more attention because of its strong scalability and security guarantees. International standards organizations such as ITU, 3GPP and 3GPP2 have formally adopted Diameter as the preferred AAA protocol for future communication networks such as NGN, WCDMA and CDMA. User access control is an important part of Next Generation Network (NGN) security, and the application of Diameter in the SIP environment discussed in this article is an important entry point to that problem.
II. Design purpose of the Diameter protocol
RADIUS and TACACS+ have been widely deployed in many ISP and enterprise networks. In fact, both protocols were designed for small networks of a few devices that needed only simple server-side authentication. Today's access providers deliver AAA services to thousands of concurrent end users over different access technologies (including wireless, DSL, Mobile IP and Ethernet), and the security and scalability of RADIUS and TACACS+ are not satisfactory for such AAA services.
The existing AAA protocols therefore cannot meet the growing requirements of AAA services in current and future IP networks, especially in the NGN era. For this reason the IETF began to develop the next-generation AAA protocol, Diameter, to solve a number of problems in AAA services.
Diameter is designed to be an AAA protocol that fully meets the user access control requirements of current and future IP networks (including NGN and 3G). The specific design requirements include:
(1) Good network adaptability and scalability;
(2) A unified and sound failure control and detection mechanism;
(3) Complete transport-layer security assurance (both intra-domain and inter-domain);
(4) A mechanism guaranteeing reliable data transmission;
(5) Support for various types of agents, including proxy, redirect and relay agents;
(6) Support for server-initiated messages, that is, allowing the server to actively send messages to its clients;
(7) Good interoperability with existing network protocols;
(8) Support for capability negotiation between nodes;
(9) Support for dynamic peer discovery and configuration;
(10) Support for secure and scalable roaming.
III. Features and advantages of the Diameter protocol
The Diameter protocol has many excellent features, which give it great advantages over the existing AAA protocols in real network deployments.
(1) To ensure that the next-generation AAA protocol can meet the needs of diverse network environments over a long period, Diameter adopts a new protocol definition model: first, a lightweight, easy-to-implement base protocol provides the AAA framework, covering the most basic requirements for implementing AAA functions; specific application extensions are then developed according to different network conditions and business needs.
(2) So that the next-generation AAA protocol can keep pace with the growth of IP network construction and services for a long time to come, Diameter greatly improves network scalability and service scalability through several technical means. One is lengthening the request identifier: in Diameter this is the End-to-End Identifier field, 4 bytes long (2^32 values), whereas RADIUS uses a 1-byte identifier (255 values); this greatly increases the number of pending requests that can be outstanding at the same time. The number of attribute-value pairs (AVPs) is likewise extended from 255 in RADIUS to 2^32. Diameter also supports vendor-defined commands, which RADIUS lacks.
To ensure more reliable transmission, Diameter must run over a transport layer that provides retransmission, so that it can effectively fail over to another host when a peer fails. Unlike RADIUS, Diameter requires every node on the proxy chain to acknowledge each request or answer at the transport layer. Because Diameter runs over SCTP, which provides reliable transport, each node on the proxy chain is responsible for retransmitting unacknowledged messages; SCTP also provides flow control toward the server. Diameter has many other outstanding features:
(1) A good failure-handling mechanism, supporting failover and failback;
(2) The ability to quickly detect remote connection failures;
(3) A better mechanism for handling discarded packets: Diameter requires every message to be acknowledged;
(4) Support for messages initiated by the server toward clients, usable for special billing services (such as prepaid);
(5) Integrity and confidentiality of the data body can be ensured;
(6) Support for end-to-end security as well as TLS and IPsec;
(7) Authentication/authorization of each session to ensure security;
(8) Compatibility with RADIUS as far as possible.
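As an added illustration (written for this page, not code from the article or any Diameter stack), the following Python packs and parses messages in the RFC 3588 wire format to show the 32-bit End-to-End Identifier discussed above and the Vendor-ID that a vendor-defined AVP carries. The UAR command code 283 and application id 6 are taken from RFC 4740; the AVP code 999 and vendor id 10415 used in the comments are constructed sample values.

```python
import struct

CMD_USER_AUTHORIZATION = 283   # UAR command code (RFC 4740)
APP_ID_DIAMETER_SIP = 6        # Diameter SIP application id (RFC 4740)

def pack_avp(code, data, vendor_id=None, mandatory=True):
    """AVP: Code(4) Flags(1: V M P) Length(3) [Vendor-ID(4)] Data, padded to 4 bytes."""
    vendor = vendor_id is not None
    flags = (0x80 if vendor else 0) | (0x40 if mandatory else 0)
    length = (12 if vendor else 8) + len(data)       # AVP Length excludes padding
    out = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor:
        out += struct.pack("!I", vendor_id)          # vendor-defined AVP carries its Vendor-ID
    return out + data + b"\0" * (-len(data) % 4)

def pack_message(cmd, app_id, hop_by_hop, end_to_end, avps, request=True):
    """Header: Version(1) Length(3) Flags(1: R P E T) Code(3) App-ID(4) HbH(4) E2E(4)."""
    body = b"".join(avps)
    hdr = bytes([1]) + (20 + len(body)).to_bytes(3, "big")
    hdr += bytes([0x80 if request else 0]) + cmd.to_bytes(3, "big")
    hdr += struct.pack("!III", app_id, hop_by_hop, end_to_end)   # both identifiers are 32-bit
    return hdr + body

def parse_header(msg):
    """Return the header fields of a packed message; rejects a bad version or length."""
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("not a Diameter v1 message")
    length = int.from_bytes(msg[1:4], "big")
    if length != len(msg):
        raise ValueError("Message Length does not match the bytes received")
    app_id, hbh, e2e = struct.unpack("!III", msg[8:20])
    return {"length": length, "request": bool(msg[4] & 0x80),
            "command_code": int.from_bytes(msg[5:8], "big"),
            "app_id": app_id, "hop_by_hop": hbh, "end_to_end": e2e}

def identifiers_collide(ids, bits):
    """True if two outstanding request identifiers become indistinguishable once
    truncated to `bits` bits (8 for a RADIUS Identifier, 32 for Diameter End-to-End)."""
    seen = set()
    for i in ids:
        t = i & ((1 << bits) - 1)
        if t in seen:
            return True
        seen.add(t)
    return False
```

A receiver that checks Message Length against the bytes actually received, as parse_header does, avoids treating a truncated or concatenated stream as a valid message.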
IV. Diameter framework structure
Diameter consists of the base protocol, the transport profile, and different application extensions such as NASREQ and Mobile IP. The basic functions shared by all applications and services are implemented in the base protocol, while application-specific functions are implemented in the individual applications.
The Diameter base protocol is designed to provide an AAA framework for various applications. The base protocol also defines the message format, transport, error reporting and security services that every Diameter node must support.
Figure 1 shows the structure of the Diameter protocol. The transport mechanism in the figure defines the problems and solutions of the Diameter transport layer, including failure-detection algorithms and state machines; the other applications, whatever their function, must all support the base protocol. The SIP application in the figure is what the application of Diameter in the IP environment requires.
Figure 1 Architecture of the Diameter protocol
V. Overview of the Diameter Session Initiation Protocol (SIP) application
The Diameter Session Initiation Protocol (SIP) application is used together with SIP to provide the Diameter client function on a SIP server: the SIP server must be able to ask the Diameter server to authenticate the user and to authorize the use of SIP resources.
The Diameter SIP application extension allows a Diameter client to request authentication and authorization information from a Diameter server for IP multimedia services based on the Session Initiation Protocol (SIP). Assuming the SIP server and the Diameter client are on the same node, the SIP server can receive and process SIP requests and responses within an AAA architecture that authenticates SIP requests and authorizes specific SIP services. Whether SIP is used to initiate and terminate multimedia sessions or for applications not tied to a session, the Diameter SIP application extension provides the Diameter procedures for those specific functions.
The Diameter SIP application extension assumes a general architecture in which the home domain is composed of one or more nodes implementing Diameter or SIP functions. At least one such node implements the Diameter server function. The Diameter server has access to the user database, in which the data of each specific user is stored. There can be more than one Diameter server in the network, and all Diameter servers have access to the user database.
In the SIP network environment, several configurations of the home domain are possible. In either case, a SIP server is assigned to the user for triggering and executing services; the SIP server is allocated dynamically when the user registers in the network. In one configuration, a SIP server located at the edge of the network is needed to support the routing of SIP requests and responses, and that SIP server node implements the Diameter client function. In the other configuration, a SIP outbound proxy is configured at the SIP endpoint; the Diameter client in the SIP outbound proxy node authenticates the user, requests authorization and completes accounting for the SIP request.
VI. General structure of the Diameter application in the SIP environment
Figure 2 shows a simple structure of the SIP environment with an AAA architecture; it is only one possible structure for a Diameter SIP application. In the figure, the SIP user agent (UA) initiates or terminates the SIP service flow through one or more SIP servers. Both SIP servers can act as Diameter clients supporting the Diameter application.
Figure 2 General structure of the Diameter application in the SIP environment
As shown in Figure 2, the two servers exchange different Diameter commands with the Diameter server. This is because in Figure 2, SIP Server 1 is located at the edge of the network and its main task is to locate (address) SIP Server 2, whereas SIP Server 2 is not at the edge of the network and requests and receives authentication and authorization data from the Diameter server. The Diameter SL (Subscriber Locator) is used to locate the Diameter server that holds the user-related data.
VII. Simple process example of the Diameter application in the SIP environment
The example is a simple process in which a SIP server in a network domain asks the Diameter server to authenticate a user request. The Diameter server stores the user records and authenticates SIP requests in a medium-sized network. Only a SIP REGISTER request is used as the example here; in fact, the SIP server can request authentication of any other SIP request.
As shown in Figure 3, a SIP user agent client (UAC) sends a SIP REGISTER request to its own domain (step 1). SIP Server 1 receives the SIP request; we assume this SIP server is located, for example, at the edge of the administrative domain. The Diameter client in SIP Server 1 sends a Diameter User-Authorization-Request (UAR) message (step 2) to its Diameter server to determine whether the user is allowed to receive service and, if so, to obtain the address of the user's home SIP server. The Diameter server responds with a Diameter User-Authorization-Answer (UAA) message (step 3), which carries either a list of SIP servers suitable for SIP Server 1 to use (here SIP Server 2) or one or more SIP URIs pointing to SIP Server 2.
SIP Server 1 then forwards the SIP REGISTER request to a suitable SIP server, SIP Server 2 (step 4). The Diameter client in SIP Server 2 sends a Diameter Multimedia-Auth-Request (MAR) to the Diameter server to authenticate the user (step 5). This request also lets the Diameter server record the SIP URI of SIP Server 2, so that subsequent requests from the same user can be routed to the same SIP Server 2. The Diameter server responds with a Diameter Multimedia-Auth-Answer (MAA) message whose Result-Code AVP is set to DIAMETER_MULTI_ROUND_AUTH (step 6). The Diameter server also includes a challenge, which SIP Server 2 maps to the WWW-Authenticate header of a SIP 401 (Unauthorized) response (step 7); the response is sent back to SIP Server 1 and then returned to the SIP UAC (step 8).
SIP Server 1 receives a SIP REGISTER request containing the user's authentication information (step 9). Note that SIP Server 1 need not keep state, and this SIP request is not necessarily sent to the same SIP Server 1: in a redundant configuration there may be a group of SIP Server 1 instances. The Diameter client in SIP Server 1 sends a Diameter UAR message to a Diameter server (step 10) to determine which SIP server is assigned to the user. The Diameter server returns the SIP URI of SIP Server 2 in a Diameter UAA message (step 11).
SIP Server 1 forwards the SIP REGISTER request to SIP Server 2 (step 12). SIP Server 2 extracts the authentication information from the SIP REGISTER request; the Diameter client in SIP Server 2 places it in a Diameter MAR message and sends the message to the Diameter server (step 13). The Diameter server can now authenticate the user. After successful authentication, a Diameter MAA message is returned (step 14) with its Result-Code AVP set to DIAMETER_SUCCESS. This MAA message also carries the user's customized information for the services of SIP Server 2.
SIP Server 2 then generates a SIP 200 (OK) response (step 15), which is forwarded to SIP Server 1 and finally returned to the SIP UAC (step 16).
Figure 3 Authentication process on the Diameter server
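As an added example (written for this page, not from the article or any Diameter implementation), the Python below models the registration flow of Figure 3: the Diameter server answers UAR with the SIP server to route to, answers the first MAR with DIAMETER_MULTI_ROUND_AUTH and a challenge, and answers the second MAR with DIAMETER_SUCCESS only when the credentials verify. The DiameterServer and register names, the Digest challenge scheme, the rejection codes and the example.com realm are assumptions.

```python
import hashlib, hmac, secrets

DIAMETER_SUCCESS = 2001                 # base-protocol Result-Code values (RFC 3588)
DIAMETER_MULTI_ROUND_AUTH = 1001
DIAMETER_AUTHORIZATION_REJECTED = 5003

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()
def digest_response(ha1, nonce, method, uri):
    """SIP Digest response the UAC puts in its second REGISTER (RFC 2617 scheme)."""
    return md5hex(f"{ha1}:{nonce}:{md5hex(f'{method}:{uri}')}")

class DiameterServer:
    """Holds subscriber records and answers UAR and MAR from the SIP servers."""
    def __init__(self, subscribers, sip_server2):
        self.subscribers = subscribers   # user -> HA1 = md5(user:realm:password)
        self.sip_server2 = sip_server2   # URI handed out in UAA while the user is unassigned
        self.assigned, self.nonces = {}, {}
    def uar(self, user):                 # User-Authorization-Request (steps 2 and 10)
        if user not in self.subscribers:
            return {"Result-Code": DIAMETER_AUTHORIZATION_REJECTED}
        return {"Result-Code": DIAMETER_SUCCESS,
                "SIP-Server-URI": self.assigned.get(user, self.sip_server2)}
    def mar(self, user, server_uri, uri, response=None):   # Multimedia-Auth-Request (steps 5 and 13)
        if user not in self.subscribers:
            return {"Result-Code": DIAMETER_AUTHORIZATION_REJECTED}
        self.assigned[user] = server_uri # later UARs route this user to the same SIP Server 2
        if response is None:             # first round: answer with a challenge
            self.nonces[user] = secrets.token_hex(8)
            return {"Result-Code": DIAMETER_MULTI_ROUND_AUTH, "nonce": self.nonces[user]}
        nonce = self.nonces.pop(user, None)   # second round: the nonce is single use
        ok = nonce is not None and hmac.compare_digest(
            digest_response(self.subscribers[user], nonce, "REGISTER", uri), response)
        if not ok:
            return {"Result-Code": DIAMETER_AUTHORIZATION_REJECTED}
        return {"Result-Code": DIAMETER_SUCCESS, "SIP-User-Data": f"profile:{user}"}

def register(user, password, hss, realm="example.com"):
    """Both REGISTER passes of Figure 3 seen from the UAC; returns the final SIP status."""
    uri = f"sip:{realm}"
    uaa = hss.uar(user)                  # steps 2-3: SIP Server 1 learns where to route
    if uaa["Result-Code"] != DIAMETER_SUCCESS:
        return 403
    maa = hss.mar(user, uaa["SIP-Server-URI"], uri)    # steps 5-6: challenge comes back
    if maa["Result-Code"] != DIAMETER_MULTI_ROUND_AUTH:
        return 500
    # the nonce reaches the UAC in WWW-Authenticate of the SIP 401 (steps 7-8)
    response = digest_response(md5hex(f"{user}:{realm}:{password}"), maa["nonce"], "REGISTER", uri)
    uaa = hss.uar(user)                  # steps 10-11: UAA now names the assigned SIP Server 2
    maa = hss.mar(user, uaa["SIP-Server-URI"], uri, response)   # steps 13-14
    return 200 if maa["Result-Code"] == DIAMETER_SUCCESS else 401
```

Because the nonce is removed when the second MAR is checked, a replayed credential is rejected, and the assignment recorded at step 5 is what lets a stateless SIP Server 1 route the second REGISTER to the same SIP Server 2.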