Diameter is an authentication, authorization, and accounting (AAA) protocol for computer networks. It evolved from and replaces the much less capable RADIUS protocol that preceded it. In this presentation I will try to familiarize you with the new AAA protocol and dive deep into the Diameter protocol details, the Credit Control Application (Gx, Gy and Gz), a sample use case for peering a Sandvine PTS (working as the PCEF) with freePCRF.server, and finally introduce you to Seagull, a popular test tool for testing different Diameter-based scenarios. Hope you like it.
basim.alyy@gmail.com
basimaly.wordpress.com
https://eg.linkedin.com/pub/basim-aly/38/774/228
2. What’s Diameter
• Diameter is an authentication, authorization, and accounting protocol
• Works within the AAA framework
• Provides an upgrade path for RADIUS
• Dynamic discovery of peers (using DNS SRV and NAPTR)
• Capability negotiation
• Error notification
• RFC 6733
3. Why use Diameter over RADIUS?
• Reliable transport: depends on TCP to transport the messages
• More secure: depends on the IPsec and SCTP protocols
• Wider: AVPs are twice the width of RADIUS attributes!
• Application-based, extensible: you can extend the core code by building your own application over the top
4. One more reason
Once a subscriber reaches the purchased quota, the Diameter client triggers an event to inform the server. In a RADIUS-based network, however, you have to wait for the next incoming Accounting-Interim to trigger this action, which is considered revenue leakage.
7. Diameter Elements
MME (Mobility Management Entity)
HSS (Home Subscriber Server)
EIR (Equipment Identity Register)
CSCF (Call Session Control Function)
PCRF (Policy and Charging Rules Function)
PCEF (Policy and Charging Enforcement Function)
SGSN (Serving GPRS Support Node)
PDN GW (Packet Data Network Gateway)
8. CCA
We will discuss this scenario later! Roaming (Inter-PLMN) is supported by passing the CGI (Cell Global Identifier) and RAI (Routing Area Identifier) from the PCEF (GGSN) to the PCRF in the Event-Trigger AVP.
9. Diameter Core Protocol and Diameter Applications
[Figure: Application1 (Gx) and Application2 (SIP) stacked on top of the Diameter core protocol]
• Diameter allows you to write a new application as an extension to the base code. These applications are not software applications but new protocols that use the original Diameter code.
• The Diameter protocol will replace SS7 and SIGTRAN by introducing new interfaces (applications!) that connect to the HSS.
10. Comparison between RADIUS and Diameter
Feature                     | Diameter                                                    | RADIUS
Transport protocol          | Connection-oriented protocols (TCP and SCTP)                | Connectionless protocol (UDP)
Security                    | Hop-to-hop, end-to-end                                      | Hop-to-hop
Agent support               | Relay, proxy, redirect, translation                         | Implicit support, which means the agent behaviours might be implemented in a RADIUS server
Capabilities negotiation    | Negotiates supported applications and security level        | Not supported
Peer discovery              | Static configuration and dynamic lookup                     | Static configuration
Server-initiated messages   | Supported, for example re-authentication, session termination | Not supported
Maximum attribute data size | 16,777,215 octets                                           | 255 octets
Vendor-specific support     | Supports both vendor-specific messages and attributes       |
15. New Definitions (1 of 3): IP-CAN (IP Connectivity Access Network)
• An access network that provides Internet Protocol (IP) connectivity.
• The term is usually used in a cellular context.
16. New Definitions (2 of 3): IP-CAN
The IP-CAN domain ends at the GGSN (or P-GW) node, and it is created after the PCRF installs the rules in the PCEF.
17. New Definitions (3 of 3): IP-CAN Types
• 3GPP-GPRS (0): This value shall be used to indicate that the IP-CAN is associated with a 3GPP GPRS access that is connected to the GGSN based on the Gn/Gp interfaces and is further detailed by the RAT-Type AVP. The RAT-Type AVP will include applicable 3GPP values, except EUTRAN.
• DOCSIS (1): This value shall be used to indicate that the IP-CAN is associated with a DOCSIS access.
• xDSL (2): This value shall be used to indicate that the IP-CAN is associated with an xDSL access.
• WiMAX (3): This value shall be used to indicate that the IP-CAN is associated with a WiMAX access (IEEE 802.16).
18. New Definitions (3 of 3): IP-CAN Types (continued)
• 3GPP2 (4): This value shall be used to indicate that the IP-CAN is associated with a 3GPP2 access connected to the 3GPP2 packet core as specified in 3GPP2 X.S0011 [20] and is further detailed by the RAT-Type AVP.
• 3GPP-EPS (5): This value shall be used to indicate that the IP-CAN is associated with a 3GPP EPS access and is further detailed by the RAT-Type AVP.
• Non-3GPP-EPS (6): This value shall be used to indicate that the IP-CAN is associated with an EPC-based non-3GPP access and is further detailed by the RAT-Type AVP.
19. New Definitions (1 of 2): Bearer
[Figure: a UE with two bearers inside one IP-CAN; Bearer 1 has Capacity 1, Delay 1 and Bit-Error Rate 1, Bearer 2 has Capacity 2, Delay 2 and Bit-Error Rate 2]
The bearer is created inside the IP-CAN according to the service requirement. If you have a VoLTE service that needs high bandwidth with low latency, and a browsing service that works on best effort, then you need two bearers for the same IP-CAN with different QoS.
20. New Definitions (2 of 2): Bearer AVP
Default bearer and dedicated bearer (for VoIP, for example), described by the Default-EPS-Bearer-QoS AVP and the QoS-Information AVP. Example values:
APN-Aggregate-Max-Bitrate-UL=1M
APN-Aggregate-Max-Bitrate-DL=2M
Max-Requested-Bandwidth-UL=10M
Max-Requested-Bandwidth-DL=10M
Bearer-Identifier=999
21. New Definitions (1 of 1): PCC
PCC is Policy and Charging Control. It could be either dynamic (rules are pushed from the PCRF to the PCEF) or static (the PCRF just activates or deactivates the pre-defined rules in the PCEF).
24. Command Code
• Each command, whether a request or an answer, is assigned a command code.
• The request or answer is identified via the 'R' bit in the Command Flags field of the header.
27. Command Code 1: Capabilities-Exchange (CER / CEA)
• A negotiation message between Diameter peers to agree on the supported applications
• Command Code Number: 257
• Diameter peers use it to create the peer table
• The message exchange advertises the following:
  • Peer identity
  • Whether to use secure transport or not
  • SCTP host addresses
28. Command Code 2: Device-Watchdog-Request (DWR / DWA)
• A keep-alive message between Diameter peers to watch their status and availability
• Command Code Number: 280
Keep alive, we need you JIM!
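What the two commands above decide, modelled as an added example (Python written for this page, not code from the presentation or from any Diameter stack). It keeps a peer table the way the CER/CEA slide describes: the common application set is the intersection of what both peers advertise (a relay's 0xffffffff accepts everything), no overlap gives Result-Code 5010 (DIAMETER_NO_COMMON_APPLICATION) and no common Inband-Security-Id gives 5017; DWR/DWA refresh a per-peer timer, and a DWR left unanswered for Tw closes the peer, a simplified form of the RFC 3539 watchdog. The host names, the application sets and the 3010 answer to a watchdog from an unknown host are assumptions of this example; the Result-Code values are the RFC 6733 ones.

```python
# Result-Code and Inband-Security-Id values are the RFC 6733 ones; Tw is the RFC 3539 default.
DIAMETER_SUCCESS, DIAMETER_UNKNOWN_PEER = 2001, 3010
DIAMETER_NO_COMMON_APPLICATION, DIAMETER_NO_COMMON_SECURITY = 5010, 5017
RELAY_APPLICATION_ID = 0xFFFFFFFF        # a relay agent advertises this: "any application"
NO_INBAND_SECURITY, TLS = 0, 1
TW_SECONDS = 30.0


class DiameterPeerTable:
    """Peer table populated by CER/CEA (command 257) and kept alive by DWR/DWA (command 280)."""

    def __init__(self, local_host, local_apps, local_security):
        self.local_host = local_host
        self.local_apps = set(local_apps)
        self.local_security = set(local_security)
        self.peers = {}                  # Origin-Host -> peer entry

    def handle_cer(self, cer, now):
        """Negotiate capabilities from a received CER and return the CEA to send back.
        cer: dict with origin_host, origin_realm, host_ips, vendor_id, product_name,
        auth_apps (Auth-Application-Id set) and inband_security (Inband-Security-Id set)."""
        peer_apps = set(cer["auth_apps"])
        if RELAY_APPLICATION_ID in peer_apps:          # the peer relays anything we offer
            common_apps = set(self.local_apps)
        elif RELAY_APPLICATION_ID in self.local_apps:  # we relay anything the peer offers
            common_apps = peer_apps
        else:
            common_apps = peer_apps & self.local_apps
        common_security = set(cer["inband_security"]) & self.local_security
        cea = {"origin_host": self.local_host, "auth_apps": sorted(self.local_apps),
               "inband_security": sorted(self.local_security)}
        if not common_apps:
            cea["result_code"] = DIAMETER_NO_COMMON_APPLICATION
        elif not common_security:
            cea["result_code"] = DIAMETER_NO_COMMON_SECURITY
        else:
            cea["result_code"] = DIAMETER_SUCCESS
            self.peers[cer["origin_host"]] = {
                "realm": cer["origin_realm"], "host_ips": list(cer["host_ips"]),
                "vendor_id": cer["vendor_id"], "product_name": cer["product_name"],
                "apps": common_apps, "security": common_security, "state": "OPEN",
                "last_seen": now, "dwr_sent_at": None}
        return cea

    def handle_dwr(self, origin_host, now):
        """Answer a peer's DWR; a watchdog from a host with no open peer entry is refused
        (this example's policy, answering with DIAMETER_UNKNOWN_PEER)."""
        peer = self.peers.get(origin_host)
        if peer is None:
            return {"origin_host": self.local_host, "result_code": DIAMETER_UNKNOWN_PEER}
        peer["last_seen"] = now
        return {"origin_host": self.local_host, "result_code": DIAMETER_SUCCESS}

    def handle_dwa(self, origin_host, now):
        """Record the answer to a DWR we sent, clearing the outstanding-watchdog marker."""
        peer = self.peers.get(origin_host)
        if peer is not None:
            peer["last_seen"], peer["dwr_sent_at"] = now, None

    def tick(self, now):
        """Run the Tw timer. Returns (hosts to send a DWR to, hosts declared down).
        Idle for Tw -> send a DWR; DWR unanswered for another Tw -> close the peer.
        This is the simplified shape of the RFC 3539 watchdog, without its jitter."""
        send_dwr, closed = [], []
        for host, peer in list(self.peers.items()):
            if peer["dwr_sent_at"] is not None:
                if now - peer["dwr_sent_at"] >= TW_SECONDS:
                    peer["state"] = "CLOSED"
                    closed.append(host)
                    del self.peers[host]
            elif now - peer["last_seen"] >= TW_SECONDS:
                peer["dwr_sent_at"] = now
                send_dwr.append(host)
        return send_dwr, closed


# Constructed CER as a PCEF would send it; host names and application sets are assumptions.
SAMPLE_PCEF_CER = {"origin_host": "pcef1.example.net", "origin_realm": "example.net",
                   "host_ips": ["10.0.0.2"], "vendor_id": 0, "product_name": "sample-pcef",
                   "auth_apps": {16777238, 16777224},   # new and old 3GPP Gx ids from the slides
                   "inband_security": {NO_INBAND_SECURITY}}

if __name__ == "__main__":
    table = DiameterPeerTable("pcrf1.example.net", {4, 16777238}, {NO_INBAND_SECURITY})
    print(table.handle_cer(SAMPLE_PCEF_CER, now=100.0))
    print(table.tick(now=141.0))
```

The negotiated entry keeps only the applications both sides share, so a later request for an application that was not in the CEA can be refused from the peer table instead of being parsed at all; the watchdog removes a silent peer after two Tw periods, which is what lets the server side notice a dead PCEF rather than holding its sessions open.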
33. AVPairs 1: Session-Id
AVP: Session-Id(263) l=47 f=-M- val=qps.tedata.net;4FD78691;5458;3B9ACA00;0
• The session identifier for the subscriber
• Never changes as long as the subscriber session is up
• Consists of the Diameter peer name followed by a unique number
34. AVPairs 2: Vendor-Id
• Each vendor that creates an application should have a unique vendor ID
35. AVPairs 3: Origin-Host
• Identifies the advertised Diameter origin peer name
• Example: Origin-Host: pcef1.tedata.net.eg
39. AVPairs 7: Host-IP-Address
• The source IP address that initiated the Diameter message
• Sent in hex format, prefixed with 0x0001 (shown on the slide as padding; it is the IANA address family number for IPv4), e.g. 0x00010A8347AC
• Example: Host-IP-Address: 1.1.1.7
• Use the website below to obtain the hex value from an IP address:
http://ncalculators.com/digital-computation/ip-address-hex-decimal-binary.htm
40. AVPairs 8: Event-Trigger
Sent from the PCEF to the PCRF to inform it that a specific event occurred.
Example values:
• Event-Trigger: LOSS_OF_BEARER
• Event-Trigger: SGSN_CHANGE
• Event-Trigger: RAI_CHANGE
41. Application ID
Uniquely identifies the supported application (Gx, Gy, Vodafone Gx, E///, etc.).
3GPP Gx Application ID = 16777238; the old one was 16777224.
Check this link: http://www.iana.org/assignments/aaa-parameters/aaa-parameters.xhtml
42. Application ID 1: Credit Control Application
• Used to identify the credit control application
• Associated with CC-Request-Type:
  • INITIAL_REQUEST (CCR-I) or (CCA-I)
  • UPDATE_REQUEST (CCR-U) or (CCA-U)
  • TERMINATION_REQUEST (CCR-T) or (CCA-T)
43. AVPairs: Auth-Application-Id and Acct-Application-Id
Auth-Application-Id
The Auth-Application-Id AVP (AVP Code 258) is used in order to advertise support of the Authentication and Authorization portion of an application. The Auth-Application-Id MUST also be present in all Authentication and/or Authorization messages that are defined in a separate Diameter specification and have an Application ID assigned.
Acct-Application-Id
The Acct-Application-Id AVP (AVP Code 259) is used in order to advertise support of the Accounting portion of an application. The Acct-Application-Id MUST also be present in all Accounting messages. Exactly one of the Auth-Application-Id and Acct-Application-Id AVPs MAY be present.
44. AVPairs Summary
[Figure: a developed application with an authentication portion, an authorization portion and an accounting portion sitting on the Diameter core; the Auth-Application-Id AVP covers the authentication and authorization portions, the Acct-Application-Id AVP covers the accounting portion]
Application-Id, Vendor-Id
47. Credit Control
• Built over the Diameter core protocol
• Provides a framework for real-time charging
• The application specifies methods for:
  • Quota management (reserve, reauthorize, abandon)
  • Simple debit/credit
  • Balance checks
  • Price inquiries
• Does not specify which type of units are bought/used
• Messages: CCR/CCA
49. Credit Control
The purpose of the Diameter credit control application is to provide a framework for real-time charging, primarily meant for the communication between gateways/control points and the back-end account/balance systems (typically an Online Charging System).
Command Code = 272, Auth-Application-Id = 4
50. Credit-Control-Request (CCR) Command
The Credit-Control-Request message (CCR) is indicated by the command-code field being set to 272 and the 'R' bit being set in the Command Flags field. It is used between the Diameter credit-control client and the credit-control server to request credit authorization for a given service. The Auth-Application-Id MUST be set to the value 4, indicating the Diameter credit-control application.
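How a CCR-I looks on the wire, as an added example written for this page (Python; not the presentation's code, not Seagull's and not any vendor's stack). It encodes the 20-byte Diameter header with the 'R' bit and command code 272, Auth-Application-Id 4, the Session-Id string from the capture slide, Host-IP-Address in the Address format whose 0x0001 prefix is the IPv4 address family, a grouped Subscription-Id of type NAI and the vendor-specific 3GPP IP-CAN-Type AVP (vendor 10415) set to xDSL as on the Sandvine configuration slide, then parses the bytes back and validates every length field. The destination realm, origin realm and NAI are assumptions; the AVP codes are the RFC 6733, RFC 4006 and 3GPP TS 29.212 values.

```python
import struct
import ipaddress

# AVP codes: RFC 6733 (base), RFC 4006 (credit control), 3GPP TS 29.212 (Gx, vendor 10415)
SESSION_ID, ORIGIN_HOST, ORIGIN_REALM, DESTINATION_REALM = 263, 264, 296, 283
HOST_IP_ADDRESS, AUTH_APPLICATION_ID, CC_REQUEST_TYPE, CC_REQUEST_NUMBER = 257, 258, 416, 415
SUBSCRIPTION_ID, SUBSCRIPTION_ID_TYPE, SUBSCRIPTION_ID_DATA = 443, 450, 444
IP_CAN_TYPE, VENDOR_3GPP = 1027, 10415
CC_APPLICATION_ID, CCR_COMMAND_CODE = 4, 272
INITIAL_REQUEST, END_USER_NAI, IPCAN_XDSL = 1, 3, 2  # CC-Request-Type, Subscription-Id-Type, IP-CAN-Type
FLAG_R, FLAG_P = 0x80, 0x40                          # command flags: Request, Proxiable
AVP_V, AVP_M = 0x80, 0x40                            # AVP flags: Vendor-specific, Mandatory

def pad4(data):
    return data + b"\x00" * (-len(data) % 4)

def avp(code, data, vendor=None):
    """AVP = code(4) flags(1) length(3) [Vendor-Id(4)] data, padded to 4 bytes.
    The length field excludes the padding; every AVP here carries the M flag."""
    flags, body = AVP_M, data
    if vendor is not None:
        flags, body = flags | AVP_V, struct.pack("!I", vendor) + data
    return struct.pack("!II", code, (flags << 24) | (8 + len(body))) + pad4(body)

def u32(code, value, vendor=None): return avp(code, struct.pack("!I", value), vendor)
def utf8(code, text, vendor=None): return avp(code, text.encode("utf-8"), vendor)
def grouped(code, *members): return avp(code, b"".join(members))

def address(code, ip):
    """Address type: 2-byte IANA address family (1 = IPv4, 2 = IPv6) then the raw address;
    that family field is the 0x0001 prefix the Host-IP-Address slide calls padding."""
    addr = ipaddress.ip_address(ip)
    return avp(code, struct.pack("!H", 1 if addr.version == 4 else 2) + addr.packed)

def diameter_message(command_code, app_id, hop_by_hop, end_to_end, avps, request=True):
    """20-byte header: version(1) length(3) flags(1) code(3) app-id(4) HbH(4) EtE(4)."""
    body = b"".join(avps)
    flags = (FLAG_R if request else 0) | FLAG_P
    return struct.pack("!IIIII", (1 << 24) | (20 + len(body)), (flags << 24) | command_code,
                       app_id, hop_by_hop, end_to_end) + body

def build_ccr_initial(session_id, origin_host, origin_realm, dest_realm, host_ip, nai,
                      ipcan_type=IPCAN_XDSL, hop_by_hop=1, end_to_end=1):
    """CCR-I carrying the fields the Sandvine PCEF slide lists: realms, NAI subscription, IP-CAN-Type."""
    avps = [utf8(SESSION_ID, session_id), utf8(ORIGIN_HOST, origin_host),
            utf8(ORIGIN_REALM, origin_realm), utf8(DESTINATION_REALM, dest_realm),
            u32(AUTH_APPLICATION_ID, CC_APPLICATION_ID), u32(CC_REQUEST_TYPE, INITIAL_REQUEST),
            u32(CC_REQUEST_NUMBER, 0), address(HOST_IP_ADDRESS, host_ip),
            grouped(SUBSCRIPTION_ID, u32(SUBSCRIPTION_ID_TYPE, END_USER_NAI),
                    utf8(SUBSCRIPTION_ID_DATA, nai)),
            u32(IP_CAN_TYPE, ipcan_type, vendor=VENDOR_3GPP)]   # V flag + Vendor-Id 10415
    return diameter_message(CCR_COMMAND_CODE, CC_APPLICATION_ID, hop_by_hop, end_to_end, avps)

def parse_header(msg):
    ver_len, flags_code, app_id, hbh, ete = struct.unpack("!IIIII", msg[:20])
    return {"version": ver_len >> 24, "length": ver_len & 0xFFFFFF,
            "request": bool((flags_code >> 24) & FLAG_R), "command_code": flags_code & 0xFFFFFF,
            "application_id": app_id, "hop_by_hop": hbh, "end_to_end": ete}

def parse_avps(data):
    """Walk a run of AVPs; grouped payloads come back raw so the caller can recurse.
    A length field that overruns the buffer is rejected before any slice trusts it."""
    avps, pos = [], 0
    while pos + 8 <= len(data):
        code, flags_len = struct.unpack("!II", data[pos:pos + 8])
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        if length < 8 or pos + length > len(data):
            raise ValueError("malformed AVP length at offset %d" % pos)
        off, vendor = pos + 8, None
        if flags & AVP_V:
            vendor, off = struct.unpack("!I", data[off:off + 4])[0], off + 4
        avps.append({"code": code, "vendor": vendor, "length": length, "payload": data[off:pos + length]})
        pos += length + (-length % 4)   # step over the padding too
    return avps

def decode_u32(payload): return struct.unpack("!I", payload)[0]

def ccr_from_wire(msg):
    """Decode the fields the PCAP slide says to look at first, after validating the header."""
    hdr = parse_header(msg)
    if hdr["version"] != 1 or hdr["length"] != len(msg):
        raise ValueError("bad version or header length")
    by_key = {(a["code"], a["vendor"]): a["payload"] for a in parse_avps(msg[20:])}
    sub = {a["code"]: a["payload"] for a in parse_avps(by_key[(SUBSCRIPTION_ID, None)])}
    host_ip = by_key[(HOST_IP_ADDRESS, None)]
    return {"command_code": hdr["command_code"], "request": hdr["request"],
            "application_id": hdr["application_id"],
            "cc_request_type": decode_u32(by_key[(CC_REQUEST_TYPE, None)]),
            "host_ip": str(ipaddress.ip_address(host_ip[2:])), "host_ip_hex": host_ip.hex(),
            "ipcan_type": decode_u32(by_key[(IP_CAN_TYPE, VENDOR_3GPP)]),
            "subscription": (decode_u32(sub[SUBSCRIPTION_ID_TYPE]), sub[SUBSCRIPTION_ID_DATA].decode())}

# Constructed sample: the Session-Id is the string on the capture slide; realms and NAI are assumptions.
SAMPLE_CCR = build_ccr_initial("qps.tedata.net;4FD78691;5458;3B9ACA00;0", "pcef1.tedata.net.eg",
                               "tedata.net.eg", "example.net", "10.131.71.172", "user@example.net")

if __name__ == "__main__":
    print(ccr_from_wire(SAMPLE_CCR))
```

Running the file prints the decoded CCR. Two things are worth checking against the slides: the Session-Id AVP comes out with length 47, exactly as the capture shows for that 39-character string, and the Host-IP-Address payload is 00010a8347ac, which is the hex form the slide works out by hand. The parser refuses any AVP whose length field runs past the end of the message, which is the check every decoder must make before it trusts a length taken from the wire.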
51. Credit-Control-Answer (CCA)
The CCA command is sent from the PCRF to the PCEF as a response to the CCR. It provides the PCEF with the following information:
• PCC rules
• Event triggers (when to report an event back to the PCRF)
• The selected bearer control mode for the IP-CAN session
53. Attach to Network (1)
[Figure: the PCEF/DPI sends a Credit Control Request with CC-Request-Type=Initial and receives a Credit Control Answer, followed later by a Re-Authorization Request and Re-Authorization Answer. Note that the request is sent using the subscriber name and IP address received from RADIUS accounting; this is called an IP-CAN session.]
1- The subscriber connects to the BNG, which sends an accounting start to the AAA.
2- The AAA proxies the accounting, containing the username and IP address, to the DPI.
3- The user starts to browse the Internet and sends traffic through the DPI.
4- The DPI stops the traffic and sends a CCR-I with the IP address to the PCRF, something like a query to get the username.
5- The PCRF consults the SPR and returns the policies in the CCA.
54. Calculate Tariff in Real Time (2)
1- The PGW sends a CCR-I with the Subscription-Id (IMSI, MSISDN, etc.) and Framed-IP (the IP address the network gave this device) to the PCRF.
2- The PCRF calculates the user tariff and responds with the policy or bearer settings.
55. Gx Interface
Interface between the PCEF (BNG/DPI/GGSN) and the PCRF.
The PCRF sends PCC rules to be installed on the PCEF.
Upon receipt of an Event-Trigger, the PCRF can push a new PCC rule over Gx for new bearer creation.
56. Gy Interface
Interface between the PCEF (BNG/DPI/GGSN) and the OCS.
Used for online charging (pre-paid).
Used to take real-time decisions on tiered services.
57. Gz Interface
Interface between the PCEF (BNG/DPI/GGSN) and the OFCS.
Used for offline charging (post-paid).
Offline charging is a mechanism where charging information does not affect, in real time, the service rendered.
59. Username Identifier
• The subscriber username is sent in the Subscription-Id AVP
• Subscription-Id consists of two AVPs:
  – Subscription-Id type: the type of connected subscriber (mobile, ADSL, etc.)
  – Subscription-Id value (the Subscription-Id-Data AVP)
63. Credit Control PCEF Sample Configuration (3/3): Sandvine DPI PTS
• Identify the Destination-Realm
• Identify the Origin-Realm
• Identify the IP-CAN-Type = ADSL
• Identify the Subscription-Id type = NAI
• Identify the Subscription-Id value
65. Credit Control PCAP: CCR-I
[Figure: packet capture of a Credit Control Request with CC-Request-Type = Initial]
The first thing you should notice inside the Diameter protocol packets is the Command Code and the CC-Request-Type AVP, which indicates the type of request, whether it is INITIAL (CCR-I), UPDATE or TERMINATE, etc.
67. Seagull
• Seagull is a free, open source (GPL) multi-protocol traffic generator test tool.
• Powerful traffic generator
• Used for stress testing
• Developed by HP
• Coded in C++
• Simulation tool developed by HP to simulate different protocols:
  • SIP
  • Diameter
  • RADIUS
• Supports Linux (CentOS/Debian) and Windows (through Cygwin)
http://gull.sourceforge.net/
70. Seagull
3. Define the correct client configuration:
#vim /opt/seagull/diameter/config/conf.client.xml
4. Define the correct dictionary file to be used for both client and server:
#vim /opt/seagull/diameter/config/base_cc.xml
5. Define the scenario:
#vim /opt/seagull/diameter/scenario/ccr-cca.client.xml
71. Seagull
6. Create a run script that uses the files you created before:
#cd /opt/seagull/diameter/run
#vim start_client_gx_ccr_cca.ksh
#!/bin/ksh
export LD_LIBRARY_PATH=/usr/local/bin
seagull -conf /opt/seagull/diameter/config/conf.client.xml \
        -dico /opt/seagull/diameter/config/base_cc.xml \
        -scen /opt/seagull/diameter/scenario/ccr-cca.client.xml \
        -log /opt/seagull/diameter/logs/ccr-cca.client.log \
        -llevel ET
7. Run the test:
cd /opt/seagull/diameter/run
./start_client_gx_ccr_cca.ksh
72. Seagull: Configure Client (PCEF)
#vim /opt/seagull/diameter/config/conf.client.xml
• Create the channel (Diameter version, ...)
• Whom to open the channel with (PCRF IP)
• Call ch (rate/timeout/max number, ...)
• Load external data
• Where to log the events
73. Seagull: Configure Dictionary
#vim /opt/seagull/diameter/config/base_cc.xml
• Diameter header (CMD, HbH, EtE, ...)
• Diameter base AVPs with their values
• Define the Diameter command structures (CER, CCR, RAR, ...)
• Here you should define any vendor-specific attributes (next slide)
75. Seagull: Configure Scenario
#vim /opt/seagull/diameter/scenario/ccr-cca.client.xml
• Configure the init section (configure both the Send and Receive tags that negotiate the CER)
• Configure the traffic section (configure both the Send and Receive tags that send the actual traffic)
76. Seagull: Run, connecting the dots
#vim /opt/seagull/diameter/run/start_client_cc.ksh
#export LD_LIBRARY_PATH=/usr/local/bin
#seagull -conf ../config/conf.client.xml -dico ../config/base_cc.xml -scen ../scenario/ccr-cca.client.xml -log ../logs/ccr-cca.client.log -llevel ET
• Identify the config location
• Identify the dictionary location
• Identify the scenario
• Identify where to store the log
• Identify the debug level
If you can't find the seagull command, then copy the contents of the seagull bin folder of the package to the /usr/bin directory.
You may need to install the ksh package from yum/apt-get.