5.1 Introduction

In the design of Internet protocols, security is approached in a structured way by analyzing threats, which requires a high‐level understanding of the protocol's communication architecture 1 and has been described in earlier chapters, and then deriving security requirements. These security requirements can then be addressed by various security services, such as data integrity and confidentiality protection, authentication, authorization, etc. The IETF has developed building blocks offering such security services and offers guidance to specification authors on how to engineer security into protocols with RFC 3552 2. Guidance for considering privacy in protocol design is captured in RFC 6973 3.

We approach a description of Diameter security in this book similarly to RFC 3552, in addition we provide background information about information security in Section 5.2. We discuss threats in Section 5.3, followed by a description of security services applied to the Diameter protocol in Section 5.4, and conclude with an example in Section 5.5.

Recall that historically a user would connect to a network by contacting a Network Access Server (NAS) over a land line via a modem, then had to authenticate, probably using a login and password, before being granted access to the Internet or a company network. The NAS then communicated with a back‐end server and the AAA process took place. Since phone lines were not shared, the security of the network access was mainly provided by the AAA protocol, and in particular by the authentication interaction.

While dialup modems have disappeared, the basic principle of authenticating users before they are granted access to a network is still in widespread use. Mobile phones, for example, perform authentication via the subscriber identity module (SIM) and the authentication server checks whether the user is authorized before granting the user access to the mobile operator network. Another example is a remote access server (RAS) that enables company employees to access company internal resources from remote locations by establishing a virtual private network (VPN) connection, after the employee is successfully authenticated and authorized. In many deployments today, users access the network via wireless or cellular radio technology, and everyone within the transmission range can eavesdrop on the communication. Hence, there is not only the need to authenticate and authorize the access to the network, which is mainly of interest to the network operator, but also to secure the wireless link between the device and the NAS, such that unencrypted communication content is not available to an eavesdropper.¹

The AAA architecture has therefore been designed to offer authentication and authorization of the device and user requesting access to the network and also to facilitate the distribution of keying material to enable integrity and confidentiality protection of data transmitted over the wireless link.

The authorization policies stored at AAA servers typically support a range of deployment scenarios. For example, in an enterprise WLAN environment, only employees may be entitled to access to the network, while at an Internet cafe access to the network and to the Internet may only be granted to paying customers.

The incentives for hackers to circumvent access control systems are obvious – in parallel, the techniques to protect the access control systems evolve rapidly to match the attacks as soon as new threats are identified. For example, the trend today in enterprise networks is not only to control access of remote connections in the RAS, but also to control all connections to the internal network, with the assumption that the protection granted by the enterprise premise's physical isolation is insufficient to protect against unauthorized access. For this purpose, architectures such as IEEE 802.1X 4 enforce authentication of devices connecting to wireless or wired 5 networks, similar to the remote access scenario. Here again, the AAA protocol is one component of the complete solution that secures the access to the network.

Besides network access control, Diameter is used nowadays in a variety of deployments where the nature of Diameter's signaling behavior is convenient for other applications and services as well. It is therefore important to understand the security properties Diameter offers when making a design decision to reuse Diameter for a specific service.

5.2 Background

For a better understanding of Diameter security concepts we will review a few basics. We do not aim, however, to provide a detailed treatment of cryptography, which is the study of mathematical techniques related to information security. There are many good books about cryptography and Internet security. For a good introduction to cryptography we recommend Handbook of Applied Cryptography by Alfred Menezes, Paul van Oorschot, and Scott Vanstone, which is available as a free download at http://cacr.uwaterloo.ca/hac/. For a better understanding of TLS we recommend SSL and TLS: Designing and Building Secure Systems by Eric Rescorla 6. Eric Rescorla is co‐author of the TLS and DTLS specifications and has co‐chaired the IETF TLS working group for several years. For IPsec and IKEv2 we recommend the reader consults the original IETF specifications, namely 7 for IPsec ESP and 8 for IKEv2.

Many Internet communication protocols assume a very simple adversary model, which is shown in Figure 5.1. Two entities, a client and a server, interact with each other by exchanging messages over an unsecured communication channel. This communication channel is exposed to an adversary, which may eavesdrop, replay, reorder, delete, and inject messages.

Both the sender and the receiver want confidentiality of data communication so that an adversary cannot spy on the exchange and retrieve plaintext data. A receiver also wants authenticity of the exchanged data so that he has a guarantee that the data was sent by a certain sender and not injected or modified by an adversary. The obvious solution to this problem is to use a dedicated communication channel between the sender and the receiver that is physically isolated from any adversary. Needless to say, this is expensive and impractical for most purposes. Since it is more cost‐effective to share communication channels, cryptography techniques are used to protect the data in transit over non‐secure channels, such as Internet communications.

Well‐established cryptographic algorithms, which are used to build cryptographic protocols, are known as cryptographic primitives. These cryptographic primitives can be split into three families of techniques with different properties, as described in the subsequent sub‐sections.

5.3 Security Threats

Information conveyed in Diameter is sensitive. It consists of personal data, such as geographic location (defined in RFC 5580 19), user identifiers (such as the Network Access Identifier (NAI) 20), and account balance (specified in RFC 4006 21). It also includes security relevant information, such as keying material (e.g., RFC 7155 22, RFC 4072 23, RFC 6738 24), as well as authorization and service usage information (e.g., via accounting information). An adversary able to retrieve this data or inject new data will be able to gain information about end users (e.g., for surveillance purposes), interfere with services, reject access to services (as a denial‐of‐service attack), or commit fraud.

Since Diameter is versatile and usable in a variety of situations and applications with different security requirements, there are some intrinsic constants that help explain the security model of Diameter, starting with the actors involved in any Diameter deployment.

• End User:

  The end user of the service does not use the Diameter protocol directly, but utilizes a service provider. The authentication interactions may be transparent for the user, for example when it is performed by hardware security modules without the user's interaction, like a mobile phone's subscriber identity module, or they may require user involvement (e.g., by having the user enter a PIN or password). For our discussion, unless specified otherwise, we will not distinguish between the human end user and his or her device, such as a mobile phone or tablet.

• Service Provider:

  The service provider offers a specific service for users, such as Internet access, voice over IP (VoIP) services, or IPTV, and incurs costs in terms of bandwidth, service operation, hardware, etc. The service provider operates the client‐side of the AAA protocol as part of the service. Note that the service provider may offer network access as a service (which is the case of the classical use of network access authentication utilized by an Internet Service Provider (ISP)), or the service provider may offer application layer services, such as a VoIP service. It is also possible for an ISP to offer application layer services.

• Identity Provider:

  The identity provider operates the server side of the AAA protocol and of the Diameter application. The identity provider is responsible for providing the user with credentials, processing requests forwarded from the service provider, authenticating end users, making access control decisions and forwarding authorization information to the service provider, collecting accounting records, etc. For commercial services, the accounting records are used to determine the actual service usage and consequently the service charge.

• AAA Broker:

  The AAA broker is an intermediary that connects service providers and identity providers in larger eco‐systems. Not all deployments involve AAA brokers, but many large‐scale deployments utilize these intermediaries in order to scale their business relationships, i.e., to lower the number of contracts needed between identity providers and service providers. The functions of an AAA broker are to establish and maintain relationships between different parties (technically as well as business‐wise), to route Diameter messages, to offer security protection and privacy, to deal with fraud, to ensure that resource usage is correctly metered, and to perform financial settlement. While many AAA brokers do not publish a description of their architecture and processes, educational federations have been more transparent. An example of such an educational federation (using RADIUS) is Eduroam and a description of their infrastructure can be found in 25.

Each of these actors has different views on what is considered valuable data and how it should be protected. End users value the protection of their identity and privacy, and want to be charged correctly for their service usage. The service provider needs to keep accurate records of the service usage for billing and planning purposes. Keeping data about the service usage may also be a legal obligation for providing the service. The identity provider needs to protect the subscriber database against unauthorized access and data loss. AAA brokers are interested in ensuring the correct flow of accounting data to prevent fraud. It is worth noting that for a single end user service, several Diameter servers may be involved, with different Diameter applications, as is the case in an Long‐Term Evolution (LTE) network.

There are different adversaries to the Diameter infrastructure that need to be considered. An adversary aims to gain unauthorized access to data or attempts to inject or forge data within the AAA system. We have to assume that the entities bound by contract for the delivery of the service are trusted to fulfill their functions, meaning they will not purposely exploit the data collected for purposes other than AAA functions. In the security context, the term “trust” often has a negative connotation since trusting parties requires more entities to behave appropriately, which typically increases the attack surface. Of course, not all data in Diameter is required to be known by every entity since some Diameter payloads have only end‐to‐end significance and do not need to be processed by routing agents. However, certain Diameter payloads must be visible to all Diameter entities along the path, as explained in earlier chapters.

• From the point of view of the end user, an adversary can:
  • Passively observe and collect data at any point along the entire communication chain (from the device to the network operator, during the service initialization and usage), in order to extract useful information such as identifiers, credentials, meta‐data about the user's communication partners, communication and mobility patterns, etc. or to replay this exchange to gain access to the service at a later time. In the context of government surveillance activities this is indeed a real threat.
  • Impersonate the service provider in order to trick the end user into sending any information that can be reused by this adversary, or at least allow this adversary to gain access to the service. This might lead to higher resource consumption, which may increase the service charge.
  • Impersonate end users to prevent them from accessing the service, or to cause the early termination of the service. This may, for example, allow the adversary to get faster Internet access or more bandwidth in a resource‐shared environment.
  • Impersonate end users in order to get access to the service, possibly after the legitimate user has ended using the service.
• From the point of view of a service provider, an adversary can:
  • Impersonate an end user or otherwise try to gain access to the service, for example by exploiting flaws in the access control system.
  • Eavesdrop on AAA message exchanges for surveillance purposes.
  • Inject itself as a Diameter node in order to gain access to Diameter messages. This gives an adversary full control over the Diameter protocol, including access to the Diameter message content, the ability to modify messages, to inject new messages, and to control Diameter clients.
  • Disrupt the normal operation of the service (e.g., via a denial‐of‐service attack) in order to blackmail a service provider or to damage their reputation.
  • Replay previous authentication exchanges with a backend server in order to re‐authenticate a device without involving the end user.
  • Compromise the equipment of the network operator in order to get remote access to this device and to change the behaviour of the software running on this equipment.
• From the point of view of an identity provider, an adversary can:
  • Disrupt the flow of the accounting records in order to use the service without being charged.
  • Compromise the AAA server to gain access to the subscriber data and other sensitive data stored in databases or in memory.
  • Mount a denial‐of‐service attack to make the server inaccessible.
• From the point of view of a AAA broker, an adversary can:
  • Disrupt the routing of Diameter messages and thereby impact the service of the broker.
  • Gain unauthorized access to data stored by the AAA broker, such as accounting records.
  • Compromise the security of the AAA broker to launch an attack against service and identity providers.
  • Inject Diameter messages to cause fraudulent transactions.

All the above‐described threats can be categorized into three categories:

1. (1) passive attacks, where an adversary simply collects and analyzes information without interfering;
2. (2) active attacks on a communication channel, where an attacker may change the content of the packets exchanged between two parties involved in the system; and
3. (3) active attacks on Diameter nodes participating in the system.

A short note about the threat of traffic analysis, which is a technique where an adversary is able to learn useful information of even encrypted communication interactions, for example by observing patterns in the exchange, the frequency of exchanges, unencrypted header information, or even the lack of communication. Diameter is less vulnerable to traffic analysis since Diameter links are typically encrypted and busy with messages pertaining to a large number of users and possibly many Diameter applications. Individual sessions belonging to a single user are therefore well hidden among the other Diameter messages when Diameter links are properly protected with channel security.

5.4 Security Services

In this section, we first present the security measures built into the Diameter protocol and how they address some of the threats described in the previous section. Subsequently, we discuss possible ways to mitigate generic security threats that are also applicable to Diameter deployments.

5.5 PKI Example Configuration in freeDiameter

In this section we explain how to secure freeDiameter using the guidance provided in this chapter. The freeDiameter implementation, similar to many commercial products, supports TLS protection of Diameter communication by using GnuTLS, an open source TLS implementation. Many TLS stacks are designed with the use of securing Web traffic in mind and hence they typically offer a wide range of features.⁵

The ability to protect SCTP using TLS, as specified in RFC 3588, is offered by freeDiameter. However, this approach requires a lot of resources when a large number of streams are used. The alternative, namely to protect SCTP with DTLS, is work in progress in freeDiameter and not available at the time of writing.

5.5.1 The Configuration File

The good news is that configuring TLS in freeDiameter is easy since there is only a handful of configuration parameters. For extra customization we describe the freeDiameter configuration file in detail in Section B.7.

• Certificate and Private Key:

  Each Diameter peer needs to possess a certificate along with the private key since we use asymmetric cryptography in our example. The most important configuration parameter is therefore the path to this X.509 certificate and to the corresponding private key. This key pair will be used to authenticate the Diameter peer. The path is specified with the TLS_Cred parameter. It is important to note that the CN (Common Name) field of the certificate must match the DiameterIdentity of the peer. Both files should be PEM‐encoded. Protecting the private key with a password is currently not supported in freeDiameter.

• Trust Anchors:

  The path to one or more trust anchor(s) is configured using the TLS_CA parameter. The trust anchor should be PEM‐encoded and by default the trust anchor store is empty. Only incoming TLS connections authenticated with a certificate anchored in one of the specified trust anchors will be accepted. Of course, other security checks may lead to a certificate verification failure, for example if the DiameterIdentity of a peer does not match the common name in the certificate, or if the certificate has expired.

• Certificate Revocation Lists:

  freeDiameter has support for certificate revocation lists (CRLs) that help protect the network when a certificate is revoked, for example when the private key is compromised. The TLS_CRL parameter specifies the path to the CRL.⁶ This configuration can be omitted if the CRL feature is not used.

• Ciphersuites:

  The TLS_Prio parameter enables fine control over the TLS ciphersuite selection. The TLS ciphersuites concept defines a combination of cryptographic algorithms, key sizes, and key exchange methods.

To display the configuration file, type the following command on server.example.net:

The configuration file has the following content:⁷

In this configuration we are not using the CRL feature. The ConnectPeer parameter serves three purposes:

• authorizes a peer with identity client.example.net to join the Diameter network,
• establishes a connection to this peer periodically, and
• uses TCP for connection attempts.

 Certificate:  Data:    Version: 3 (0x2)    Serial Number: 3 (0x3)  Signature Algorithm: sha1WithRSAEncryption    Issuer: CN=freediameter.example.net    Validity      Not Before: Feb 3 14:56:49 2014 GMT      Not After : Feb 1 14:56:49 2024 GMT    Subject: CN=server.example.net    Subject Public Key Info:      Public Key Algorithm: rsaEncryption        Public-Key: (1024 bit)        Modulus:          00:ac:48:db:a6:a7:2d:4f:86:fd:db:58:22:0d:b6:          33:d5:e6:80:f5:1f:c8:75:a6:98:c5:34:08:02:f1:          c9:23:d6:27:e5:f6:cf:87:7d:3c:b9:4a:cf:6f:88:          f1:2c:ed:bb:05:db:d9:ef:f9:e9:4f:41:5d:0e:4c:          97:14:93:e4:15:4e:95:1c:69:50:00:7d:21:70:dd:          ca:4a:6e:aa:a4:98:77:eb:0f:db:c8:aa:9c:92:50:          e3:c7:a1:fe:2c:3a:c7:f3:45:62:30:6b:47:25:e3:          6d:38:9b:87:7d:f8:e6:f5:ef:08:8c:fc:ee:46:19:          87:e6:58:42:d9:dd:8d:13:09        Exponent: 65537 (0x10001)    X509v3 extensions:      X509v3 Basic Constraints:        CA:FALSE      X509v3 Key Usage:        Digital Signature, Non Repudiation,        Key Encipherment      X509v3 Subject Key Identifier:        C7:AE:A0:EF:04:72:4A:8E:EB:47:A3:7A:9C:0E:51:        D3:2D:67:DF:BB      X509v3 Authority Key Identifier:        keyid:5F:86:3C:1D:7E:EC:13:9F:B1:E3:B8:B6:50:        6D:FB:47:EE:A3:9E:F5  Signature Algorithm: sha1WithRSAEncryption     aa:c6:0a:e9:81:52:1e:e4:5b:99:2b:ee:ac:2c:fc:d3:e8:0a:     f1:9f:6c:10:36:19:f0:d2:e3:bc:45:f5:82:93:18:f8:da:1a:     2c:71:1c:33:42:98:40:4a:cc:49:b2:df:36:e3:49:e0:cb:88:     f7:6d:d5:89:3f:5d:97:14:4b:6d:a1:fe:cf:9e:fc:4a:20:b8:     e6:a8:1a:27:55:a0:b3:00:26:0f:53:76:6c:3f:f6:82:e9:f5:     4a:1b:23:69:d8:f8:a5:86:f6:69:8e:42:e6:7b:92:57:85:dc:     d0:2f:7d:34:5d:f4:96:7e:4b:35:d6:3e:64:f3:d4:0e:aa:a1:     f8:d3 [ Another 128 bytes skipped ] 

5.6 Security Evolution

Internet security is constantly evolving: new security threats arise, security solutions change, and cryptanalysis advances. The recommendations we give in this book are based on the state of the art in 2018, therefore the reader is strongly encouraged to consult the IETF DIME working group pages 35 for the latest specifications, information on our website at https://diameter‐book.info for updates, and new releases of the freeDiameter implementation.

For recommendations on the use of new ciphersuites in TLS consult the IETF working group. In addition, the Internet Engineering Research Task Force (IRTF) Crypto Forum Research Group (CFRG) at https://irtf.org/cfrg is a valuable resource for guidance on algorithms.

References

1. 1 E. Rescorla and IAB. Writing Protocol Models. RFC 4101, Internet Engineering Task Force, June 2005.
2. 2 E. Rescorla and B. Korver. Guidelines for Writing RFC Text on Security Considerations. RFC 3552, Internet Engineering Task Force, July 2003.
3. 3 A. Cooper, H. Tschofenig, B. Aboba, J. Peterson, J. Morris, M. Hansen, and R. Smith. Privacy Considerations for Internet Protocols. RFC 6973, Internet Engineering Task Force, July 2013.
4. 4 802.1X‐2010 – IEEE Standard for Local and Metropolitan Area Networks: Port‐Based Network Access Control, May 2010.
5. 5 802.1AE‐2006 – IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Security, June 2006.
6. 6 E. Rescorla. SSL and TLS: Designing and Building Secure Systems. Addison Wesley, 2001.
7. 7 S. Frankel and S. Krishnan. IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap. RFC 6071, Internet Engineering Task Force, Feb. 2011.
8. 8 C. Kaufman, P. Hoffman, Y. Nir, P. Eronen, and T. Kivinen. Internet Key Exchange Protocol Version 2 (IKEv2). RFC 7296, Internet Engineering Task Force, Oct. 2014.
9. 9 D. Eastlake 3rd and T. Hansen. US Secure Hash Algorithms (SHA and SHA‐based HMAC and HKDF). RFC 6234, Internet Engineering Task Force, May 2011.
10. 10 National Institute of Standards and Technology. FIPS 197, Advanced Encryption Standard (AES), pages 1–51, Nov. 2001.
11. 11 M. Dworkin. Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, National Institute of Standards and Technology SP 800‐ 38D, Nov. 2007.
12. 12 R. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public‐Key Cryptosystems. Communications of the ACM, 21:120–126, 1978.
13. 13 D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280, Internet Engineering Task Force, May 2008.
14. 14 R. Housley and T. Polk. Planning for PKI: Best Practices for Deploying Public Key Infrastructure. Wiley, 2001.
15. 15 S. Blake‐Wilson, N. Bolyard, V. Gupta, C. Hawk, and B. Moeller. Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS). RFC 4492, Internet Engineering Task Force, May 2006.
16. 16 D. Handerson, A. J. Menezes, and S. Vanstone. Guide to Elliptic Curve Cryptography. Springer, 2004.
17. 17 ENISA. Algorithms, Key Sizes and Parameters Report – 2013, Oct. 2013. http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/algorithms‐key‐sizes‐and‐parameters‐report.
18. 18 Y. Sheffer, R. Holz, and P. Saint‐Andre. Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). RFC 7525, Internet Engineering Task Force, May 2015.
19. 19 H. Tschofenig, F. Adrangi, M. Jones, A. Lior, and B. Aboba. Carrying Location Objects in RADIUS and Diameter. RFC 5580, Internet Engineering Task Force, Aug. 2009.
20. 20 B. Aboba, M. Beadles, J. Arkko, and P. Eronen. The Network Access Identifier. RFC 4282, Internet Engineering Task Force, Dec. 2005.
21. 21 H. Hakala, L. Mattila, J.‐P. Koskinen, M. Stura, and J. Loughney. Diameter Credit‐Control Application. RFC 4006, Internet Engineering Task Force, Aug. 2005.
22. 22 G. Zorn. Diameter Network Access Server Application. RFC 7155, Internet Engineering Task Force, Apr. 2014.
23. 23 P. Eronen, T. Hiller, and G. Zorn. Diameter Extensible Authentication Protocol (EAP) Application. RFC 4072, Internet Engineering Task Force, Aug. 2005.
24. 24 V. Cakulev, A. Lior, and S. Mizikovsky. Diameter IKEv2 SK: Using Shared Keys to Support Interaction between IKEv2 Servers and Diameter Servers. RFC 6738, Internet Engineering Task Force, Oct. 2012.
25. 25 K. Wierenga, S. Winter, and T. Wolniewicz. The eduroam Architecture for Network Roaming. RFC 7593, Internet Engineering Task Force, Sept. 2015.
26. 26 P. Calhoun, J. Loughney, E. Guttman, G. Zorn, and J. Arkko. Diameter Base Protocol. RFC 3588, Internet Engineering Task Force, Sept. 2003.
27. 27 H. Tschofenig, J. Korhonen, G. Zorn, and K. Pillay. Security at the Attribute‐Value Pair (AVP) Level for Non‐neighboring Diameter Nodes: Scenarios and Requirements. RFC 7966, Internet Engineering Task Force, Sept. 2016.
28. 28 P. Saint‐Andre and J. Hodges. Representation and Verification of Domain‐Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS). RFC 6125, Internet Engineering Task Force, Mar. 2011.
29. 29 V. Fajardo, J. Arkko, J. Loughney, and G. Zorn. Diameter Base Protocol. RFC 6733, Internet Engineering Task Force, Oct. 2012.
30. 30 S. Santesson, M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP. RFC 6960, Internet Engineering Task Force, June 2013.
31. 31 D. Eastlake 3rd, J. Schiller, and S. Crocker. Randomness Requirements for Security. RFC 4086, Internet Engineering Task Force, June 2005.
32. 32 IEEE. 802.11i‐2004 – IEEE Standard for Information Technology – Telecommunications and Information Exchange Between Systems – Local and Metropolitan Area Networks – Specific Requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications Amendment 6: Medium Access Control (MAC) Security Enhancements, July 2004.
33. 33 R. Housley and B. Aboba. Guidance for Authentication, Authorization, and Accounting (AAA) Key Management. RFC 4962, Internet Engineering Task Force, July 2007.
34. 34 R. Housley, S. Ashmore, and C. Wallace. Trust Anchor Management Protocol (TAMP). RFC 5934, Internet Engineering Task Force, Aug. 2010.
35. 35 IETF. Diameter Maintenance and Extensions (DIME), Mar. 2014. http://datatracker.ietf.org/wg/dime/charter/.