
Authentication, Authorization and Accounting (AAA)

In document A new security extension for SCTP (Page 35-37)

2.2 SCTP application scenarios and their security requirements

2.2.3 Authentication, Authorization and Accounting (AAA)

The AAA working group of the IETF originally focused on the development of requirements for authentication, authorisation and accounting, as applied to network access. The AAA working group solicited submissions of protocols meeting these requirements and evaluated the submissions. The AAA working group is now developing an IETF standards track protocol, based on the Diameter submission [14]. The working group has defined, and is still working on, a number of RFC standards and Internet-Drafts related to Diameter. A candidate protocol must meet the security requirements documented in [15][16][24][29][31], and must be properly engineered and reviewed as it is developed and deployed. In the next section, I describe the Diameter Base Protocol, which is the most representative protocol of AAA.

Diameter Base Protocol

The Diameter Base Protocol is essentially an extension of the Remote Authentication Dial-in User Service (RADIUS) [60], which the AAA working group defined in RFC3588 [14]. The name "Diameter" is really a joke: it means RADIUS times two, i.e. the protocol's functionality is better than that of RADIUS. Diameter can also be used to authenticate and authorise users of Code Division Multiple Access (CDMA) wireless data services. Diameter is a more sophisticated protocol than RADIUS. Its base protocol is intended to provide an AAA framework for applications such as network access or IP mobility. Diameter is also intended to work both in local authentication, authorisation and accounting situations and in roaming situations.

In the decade since AAA protocols were first introduced, the capabilities of Network Access Server (NAS) devices have increased substantially. As a result, while Diameter is a considerably more sophisticated protocol than RADIUS, it remains feasible to implement it within embedded devices, given improvements in processor speeds and the widespread availability of embedded IPsec and TLS implementations. The Diameter base protocol provides the minimum requirements needed for an AAA protocol, as required by [10]. The base protocol focuses on network access and accounting applications.

Diameter over SCTP

The Diameter base protocol requires reliable transport. The base Diameter protocol runs over the TCP [58] or SCTP [75] transport protocols. Diameter clients must support either TCP or SCTP, and servers must support both. In future versions of the protocol specification, clients may have to support SCTP as well. When the client supports both TCP and SCTP, it will first try to establish an SCTP association. If this fails, it may fall back to TCP. AAA transport usage has several issues for which SCTP is a better solution than TCP. Head-of-line blocking, for example, is one such issue: it is avoided in SCTP but not in TCP.

More details about AAA transport profiles are defined in [11]. The following are guidelines for Diameter implementations that support SCTP:

• For interoperability: All Diameter nodes MUST be prepared to receive Diameter messages on any SCTP stream in the association.

• To prevent blocking: All Diameter nodes SHOULD utilise all SCTP streams available to the association to prevent head-of-line blocking.

In several scenarios the Diameter protocol uses agents. Agents are used, for example, in a complex network with multiple authentication sources. In this case the agents can sort requests and forward them towards the correct destination, or they can distribute the administration of systems to a configurable group. More details about the role of Diameter agents are described in section 2.8 of [14]. The Diameter base protocol introduces the following four agents:

Relay Agent: Relay Agents relay messages between Diameter nodes. Every message carries routing information, which includes the Diameter application identifier and a server identifier. Relay Agents insert routing information into messages and remove it from them.

Proxy Agent: Proxy Agents route messages like the Relay Agents mentioned above, but they use the Diameter Routing Table and decide based on predefined policies. Proxy Agents don't need to support all Diameter applications.

Redirect Agent: Redirect Agents allow servers and clients to communicate directly by returning the information the Diameter nodes need in order to contact each other directly. Redirect agents do not modify messages and never relay requests.

Translation Agent: Translation Agents provide translation between Diameter and another AAA protocol, such as RADIUS.
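The routing behaviour of the four agent types, as an added example that is not code from the thesis or from any Diameter implementation. A node looks up the request's Destination-Realm in a realm-based routing table and either serves it locally, relays it (any application, adding itself to the Route-Record trail), proxies it (only for the applications it supports and only if its policy allows), answers with a redirect (request left untouched, never forwarded), or hands it to a translation gateway. The routing table, node identities, application ids and the policy callback are constructed for the example; the Route-Record and Redirect-Host AVPs and the Result-Code values 3002, 3003, 3005 and 3007 are the ones defined in RFC 3588.

```python
"""Routing decisions of the four Diameter agent types (added example).

Assumptions: realm table, identities, application ids and policy are constructed;
AVP names and Result-Code values are from RFC 3588.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional

DIAMETER_UNABLE_TO_DELIVER = 3002
DIAMETER_REALM_NOT_SERVED = 3003
DIAMETER_LOOP_DETECTED = 3005
DIAMETER_APPLICATION_UNSUPPORTED = 3007


class Kind(Enum):
    LOCAL = "local"          # served by this node itself
    RELAY = "relay"          # Relay Agent entry: any application, no policy
    PROXY = "proxy"          # Proxy Agent entry: policy applied, limited applications
    REDIRECT = "redirect"    # Redirect Agent entry: tell the sender whom to contact
    TRANSLATE = "translate"  # Translation Agent entry: hand over to a RADIUS gateway


@dataclass
class RouteEntry:
    realm: str
    kind: Kind
    next_hop: Optional[str] = None
    applications: Optional[frozenset] = None   # None = every application (relay)


@dataclass
class Request:
    origin_host: str
    destination_realm: str
    application_id: int
    route_record: List[str] = field(default_factory=list)   # Route-Record AVPs


@dataclass
class Decision:
    kind: Kind
    next_hop: Optional[str] = None         # set when the request is forwarded
    redirect_host: Optional[str] = None    # set for a redirect answer
    result_code: Optional[int] = None      # set when an error answer is sent instead


class DiameterAgent:
    def __init__(self, identity: str, table: List[RouteEntry],
                 policy: Optional[Callable[[Request], bool]] = None):
        self.identity = identity
        self.table = table
        self.policy = policy or (lambda req: True)

    def route(self, req: Request) -> Decision:
        entry = next((e for e in self.table if e.realm == req.destination_realm), None)
        if entry is None:
            return Decision(Kind.LOCAL, result_code=DIAMETER_REALM_NOT_SERVED)
        if entry.kind == Kind.LOCAL:
            return Decision(Kind.LOCAL)
        if entry.kind == Kind.REDIRECT:
            # Redirect agents never relay and never modify the request:
            # they answer with the host the sender should contact directly.
            return Decision(Kind.REDIRECT, redirect_host=entry.next_hop)
        if entry.kind == Kind.PROXY:
            # A proxy need not support every application, and applies local policy.
            if entry.applications is not None and req.application_id not in entry.applications:
                return Decision(Kind.PROXY, result_code=DIAMETER_APPLICATION_UNSUPPORTED)
            if not self.policy(req):
                return Decision(Kind.PROXY, result_code=DIAMETER_UNABLE_TO_DELIVER)
        # Relay, proxy (policy passed) and translation entries forward the request.
        # A forwarding node records itself in Route-Record so routing loops are caught.
        if self.identity in req.route_record:
            return Decision(entry.kind, result_code=DIAMETER_LOOP_DETECTED)
        req.route_record.append(self.identity)
        return Decision(entry.kind, next_hop=entry.next_hop)


def build_sample_agent() -> DiameterAgent:
    """Constructed routing table for a home-realm agent (example data only)."""
    table = [
        RouteEntry("home.example", Kind.LOCAL),
        RouteEntry("partner.example", Kind.RELAY, "relay.partner.example"),
        RouteEntry("roaming.example", Kind.PROXY, "aaa.roaming.example", frozenset({1})),
        RouteEntry("visited.example", Kind.REDIRECT, "aaa.visited.example"),
        RouteEntry("legacy.example", Kind.TRANSLATE, "radius-gw.legacy.example"),
    ]
    # Policy: refuse to proxy for hosts in a realm this agent does not trust.
    policy = lambda req: not req.origin_host.endswith(".untrusted.example")
    return DiameterAgent("agent.home.example", table, policy)


if __name__ == "__main__":
    agent = build_sample_agent()
    for realm, app in [("home.example", 1), ("partner.example", 99), ("roaming.example", 1),
                       ("roaming.example", 4), ("visited.example", 1), ("nowhere.example", 1)]:
        print(realm, app, agent.route(Request("nas1.home.example", realm, app)))
```

The decision object separates the three outcomes a node can produce (serve locally, forward to a next hop, or answer, either with a redirect or an error), which mirrors the distinction the text draws between agents that modify and forward messages and the redirect agent that does neither.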

Security considerations

The authentication of each connection and the authorisation of sessions are very important parts of the Diameter protocol. Also, because Diameter requires confidentiality, transmission-level security must be used on each connection (TLS, IPsec or some other kind of transmission-level security). Therefore, each connection is authenticated, replay- and integrity-protected and confidential on a per-packet basis. Diameter clients have to support IPsec, and may support TLS. Diameter servers have to support both TLS and IPsec. The Diameter protocol must not be used without a security mechanism (TLS or IPsec). In RFC3588 [14] it is suggested that IPsec be used primarily at the edges and in intra-domain traffic. Pre-shared keys are used between a Network Access Server (NAS) and a local AAA proxy when the NAS devices don't support certificates. It is also suggested that inter-domain traffic would primarily use TLS. See section 13 of [14] for a more detailed explanation of the Diameter protocol security mechanism.
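The transport rules from "Diameter over SCTP" and the security rules above together determine whether, and how, a Diameter client may connect to a server. The following added example (not code from the thesis or any Diameter implementation) turns them into a connection-setup check: it lists which mandatory-support rules a peer's declared capabilities break, prefers SCTP and falls back to TCP, refuses any pairing that would run without TLS or IPsec, and picks IPsec intra-domain (pre-shared keys when the NAS has no certificate) and TLS inter-domain as RFC3588 suggests. The peer descriptions, realm names and the "ipsec-psk" label are constructed for the example.

```python
"""Connection-setup policy for a Diameter peer (added example).

Assumptions: peers declare capabilities as simple sets; the names of the sample
hosts and realms and the label "ipsec-psk" are constructed here.
"""
from dataclasses import dataclass
from typing import List

SCTP, TCP = "sctp", "tcp"
TLS, IPSEC = "tls", "ipsec"


class DiameterPolicyError(Exception):
    """Raised when a connection would violate the transport or security rules."""


@dataclass(frozen=True)
class Peer:
    identity: str
    realm: str
    role: str                 # "client" (e.g. a NAS) or "server"
    transports: frozenset     # subset of {SCTP, TCP}
    security: frozenset       # subset of {TLS, IPSEC}
    has_certificate: bool = True


def capability_problems(peer: Peer) -> List[str]:
    """Return the mandatory-support rules that this peer's declared capabilities break."""
    problems = []
    if not peer.transports & {SCTP, TCP}:
        problems.append("must support SCTP or TCP")
    if not peer.security & {TLS, IPSEC}:
        problems.append("must run over TLS or IPsec")
    if peer.role == "client" and IPSEC not in peer.security:
        problems.append("clients MUST support IPsec")
    if peer.role == "server":
        for name in (SCTP, TCP):
            if name not in peer.transports:
                problems.append(f"servers MUST support {name}")
        for name in (TLS, IPSEC):
            if name not in peer.security:
                problems.append(f"servers MUST support {name}")
    return problems


def plan_connection(client: Peer, server: Peer) -> dict:
    """Decide transport and security for client -> server, or refuse the connection."""
    for peer in (client, server):
        problems = capability_problems(peer)
        if problems:
            raise DiameterPolicyError(f"{peer.identity}: " + "; ".join(problems))

    # Transport: try SCTP first, fall back to TCP if no SCTP association is possible.
    if SCTP in client.transports and SCTP in server.transports:
        transport = SCTP
    elif TCP in client.transports and TCP in server.transports:
        transport = TCP
    else:
        raise DiameterPolicyError("no common transport between the peers")

    # Security: never without TLS or IPsec; IPsec intra-domain, TLS inter-domain.
    common = client.security & server.security
    if not common:
        raise DiameterPolicyError("Diameter MUST NOT be used without TLS or IPsec")
    intra_domain = client.realm == server.realm
    if intra_domain and IPSEC in common:
        # A NAS without certificates uses pre-shared keys towards its local proxy.
        security = "ipsec-psk" if not client.has_certificate else IPSEC
    elif not intra_domain and TLS in common:
        security = TLS
    else:
        security = IPSEC if IPSEC in common else TLS
    return {"transport": transport, "security": security}


# Constructed sample peers: a weak NAS configuration beside its corrected form.
NAS_WEAK = Peer("nas1.home.example", "home.example", "client",
                frozenset({TCP}), frozenset(), has_certificate=False)
NAS_OK = Peer("nas1.home.example", "home.example", "client",
              frozenset({TCP}), frozenset({IPSEC}), has_certificate=False)
LOCAL_PROXY = Peer("proxy.home.example", "home.example", "server",
                   frozenset({SCTP, TCP}), frozenset({TLS, IPSEC}))
PARTNER_SERVER = Peer("aaa.partner.example", "partner.example", "server",
                      frozenset({SCTP, TCP}), frozenset({TLS, IPSEC}))
HOME_PROXY_AS_CLIENT = Peer("proxy.home.example", "home.example", "client",
                            frozenset({SCTP, TCP}), frozenset({TLS, IPSEC}))

if __name__ == "__main__":
    print("weak NAS:", capability_problems(NAS_WEAK))
    print("NAS -> local proxy:", plan_connection(NAS_OK, LOCAL_PROXY))
    print("home proxy -> partner:", plan_connection(HOME_PROXY_AS_CLIENT, PARTNER_SERVER))
```

The weak NAS is rejected on two counts before any transport is chosen; once it declares IPsec it is connected over TCP with pre-shared-key IPsec, while the home proxy reaching the partner realm gets SCTP and TLS, the inter-domain choice the text describes.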
