What is the Diameter protocol?

I have 3 simple questions.

  1. What is the Diameter protocol in simple explanation?
  2. Why is it used?
  3. How can one use it?

I have searched the net for a practical explanation but couldn't find one. All there is, is some technical blabber.



Solution 1:[1]

I found this complete article on the Diameter protocol on the IBM website.

Introduction

The Diameter protocol was derived from the RADIUS protocol with a lot of improvements in different aspects, and is generally believed to be the next generation Authentication, Authorization, and Accounting (AAA) protocol. The Diameter protocol was widely used in the IMS architecture for IMS entities to exchange AAA-related information. Because the IMS system might be the next big thing in the telecom industry, we believe a clear understanding of the Diameter protocol is necessary for understanding the essence of the IMS architecture. This article offers an overview of Diameter and how it works. For developers interested in how AAA in IMS works, or who want to implement Diameter applications, this article is a good starting page.

With the emergence of new technologies and applications such as wireless networks and mobile IPs, the requirements for authentication and authorization have greatly increased, and access control mechanisms are more complex than ever. The existing RADIUS (Remote Authentication Dial-In User Service) protocol can be insufficient to cope with these new requirements; what's needed is a new protocol that is capable of fulfilling new access control features while keeping the flexibility for further extension. This is where the Diameter protocol comes into play.

Solution 2:[2]

Per the ITU, DIAMETER is the successor to RADIUS (twice as good). No, it's not a joke. RADIUS was, and is still used, in many telecommunications networks as the interface to the authorization, authentication and accounting protocol server (typically just called the AAA). The problem with RADIUS is that:

  1. It's built on UDP -- RADIUS packets can just drop off.
  2. It was never designed to handle much more than short, attribute/value pairs.
  3. While it is extendible, it's limited to vendor-specific attributes (VSAs).

These were all wonderful back when Livingston Incorporated made the Portmaster terminal/modem server. (Ah, back in the day... I can hear the Telebit Trailblazers now...) But that was when 19.2Kb UUCP was cool.

DIAMETER aims to address these issues for the modern world. First, it's based on TCP. This addresses the drop-out problem. We now know that packets don't get there "half way". We can also encrypt streams. It's also, courtesy of TCP, capable of having much larger attribute sets (we call them AVPs). Thus, it's much easier to convey value sets beyond the simple key/value pair.

As an example, in DIAMETER, you can do a login request, sending far more than a username/password. You can send the coarse location, for example, telling the AAA where the user is at login (maybe there are geo-location rules for access). And, because we have a more robust, richer language to say things in, the AAA can convey not only the yes/no, but the rules for a given yes, or the reasons for the no.

Does this help?

Solution 3:[3]

Diameter is an Authentication, Authorization and Accounting (AAA) protocol. It works on the Application Layer if we consider the OSI Layered model.

Example of AAA protocol:-

Any User trying to access a Network (Ex: Internet Service Provider) has to undergo the "AAA" procedure that is being implemented by that Network.

  1. Authentication: The network will validate that it's an Authenticated User.
  2. Authorization: The network will authorize the services requested by the User.
  3. Accounting: The network will keep track of usage made by the User.

While performing the above three steps, the Network may reject the User from using the service at any point and that is how security is maintained and hence the importance of AAA protocol.

So, Diameter basically is a message based protocol, where AAA procedure may occur and the AAA nodes exchange messages and receive Positive/Negative acknowledgment for each message exchanged between nodes.

Solution 4:[4]

In addition to IBM’s article “Introduction to Diameter” already mentioned by Hamed in a previous answer, Cisco’s article “Authentication, authorization, and accounting overview” also has some interesting information about Diameter, comparing it to RADIUS.

  1. “Authentication identifies a user; authorization determines what that user can do; and accounting monitors the network usage time for billing purposes.” “Diameter is the next-generation AAA protocol and overcomes (several) RADIUS deficiencies.”

  2. “The RADIUS protocol carries authentication, authorization and configuration information between a NAS and a RADIUS authentication server.” (In this context, a NAS is a network access server, a gateway providing access to a protected network.) … “Implemented by several vendors of network access servers, RADIUS has gained support among a wide customer base.” RADIUS has codes for a limited number of attributes (including user name and password, service type, login information, etc.), so developers took advantage of its “vendor-specific attribute” (VSA) to exchange custom data, extending (in a proprietary manner) the scope of RADIUS, yet staying within its restrictions (e.g., attribute value no longer than 253 bytes). So, why use Diameter? Diameter offers much greater flexibility (longer data field, expandability, capability negotiation), higher performance (“32-bit alignment”), greater reliability & availability (TCP and SCTP support, better acknowledgement mechanism and error messages, failover), increased security (“end-to-end security”), etc.

  3. Just like FreeRADIUS implements a FOSS RADIUS server that you can install on a server so that your other applications and devices (e.g., a Wi-Fi access point or wired switch performing 802.1X authentication) can interact with it, FreeDiameter is a FOSS Diameter framework that you can install on a server. However, while TMCNews’ article “The Role of Diameter in IMS” (2007) mentions that “Diameter has been heavily adopted by the 3GPP in the IMS standards set”, I haven’t seen any consumer- or small-business-grade application or device that makes use of Diameter. On the other hand, Diameter is reportedly “backward compatible with RADIUS to ease migration” (Cisco), through a “translation agent” (IBM). For example, FreeDiameter has an extension, the “RADIUS/Diameter extensible gateway” (app_radgw.fdx), whose “purpose is to allow a RADIUS client to work with a Diameter server”. However, the documentation also warns that the “translation of RADIUS messages to Diameter is quite a complex task. It is likely that the translation plug-ins need some fine-tuning to fit your particular needs.”
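
The framing difference the answers above describe (RADIUS values capped at 253 bytes, Diameter AVPs with a longer data field and 32-bit alignment), as an added example that is not part of any answer. It assumes the AVP header layout of RFC 6733; AVP code 9001 and Vendor-ID 32473 are constructed placeholder values, as is the sample data.

```python
import struct

RADIUS_MAX_VALUE = 253   # 1-byte length field covers the 2-byte header too
FLAG_VENDOR, FLAG_MANDATORY = 0x80, 0x40   # AVP flag bits V and M

def radius_attr(attr_type, value):
    """RADIUS attribute: 1-byte type, 1-byte length, value."""
    if len(value) > RADIUS_MAX_VALUE:
        raise ValueError("RADIUS value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def diameter_avp(code, value, flags=FLAG_MANDATORY, vendor_id=None):
    """Diameter AVP: 4-byte code, flags, 3-byte length, optional Vendor-ID,
    data, then zero padding to the next 32-bit boundary."""
    vendor = b""
    if vendor_id is not None:
        flags |= FLAG_VENDOR
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(value)   # padding is not counted
    if length > 0xFFFFFF:
        raise ValueError("AVP too large for 24-bit length field")
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + vendor + value + b"\x00" * (-length % 4))

def parse_avps(buf):
    """Split concatenated AVPs, rejecting lengths that do not fit the buffer."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & FLAG_VENDOR else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("AVP length out of bounds")
        vendor_id = struct.unpack_from("!I", buf, off + 8)[0] if hdr == 12 else None
        avps.append((code, vendor_id, buf[off + hdr:off + length]))
        off += length + (-length % 4)
    return avps

# Constructed sample: a user name plus a 300-byte policy blob.
POLICY = b"geo-rule;" * 33 + b"end"           # 300 bytes, constructed
USER_AVP = diameter_avp(1, b"alice")          # User-Name is AVP code 1
POLICY_AVP = diameter_avp(9001, POLICY, vendor_id=32473)  # placeholder code/vendor
```

The same 300-byte value that `radius_attr` refuses fits in a single AVP, and `parse_avps` shows the bounds check a receiver needs before trusting the length field.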

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 user500123
Solution 3 sama
Solution 4 Simon M?Kenzie