security
... AAA deployment. In order to
provide universal support for transmission-level security, and
enable both intra- and inter-domain AAA ...
... Auditability
RADIUS does not define data-object security mechanisms, and as a
result, untrusted proxies may modify attributes or even packet
headers ...
... determine what occurred in the event of a dispute. While
implementation of data object security is not mandatory within
Diameter, these capabilities are supported, and are described in
...
... RADIUS shared secret, which can result in major security
vulnerabilities if the Request Authenticator is not globally and
temporally unique as required in [RADIUS ...
... Diameter
enables dynamic discovery of peers. Derivation of dynamic session
keys is enabled via transmission-level security.
Roaming ...
... RADIUS does not provide explicit support for proxies, and lacks
auditability and transmission-level security features, RADIUS-
based roaming ...
... and 6), auditability [AAACMS], and transmission-layer security
(Section 13) features, Diameter addresses ...
... Security Exchange
A Diameter Security Exchange is a process through which two
Diameter nodes establish end-to-end security.
Diameter Server ...
Diameter Server ...
... TLS and IPsec provide hop-by-hop security, or security across a
transport connection. When relays or proxies are involved, this
hop-by-hop security does not protect the entire Diameter user
session. End-to-end security is security between two Diameter
nodes, possibly communicating through Diameter Agents. This
security protects the entire Diameter communications path from the
originating Diameter node ...
... port unreachable messages as explicit indications that the server is
not reachable, subject to security policy on trusting such messages.
Diameter implementations SHOULD also be able to interpret a reset
...
... IPsec. The Diameter protocol
MUST NOT be used without any security mechanism (TLS or IPsec).
...
... peer.
Additional security information, when needed (e.g., keys,
certificates)
...
...
- They can distribute administration of systems to a configurable
grouping, including the maintenance of security associations.
- They can be used for concentration of requests from a number of
...
... Relays is advantageous since it eliminates the need for NASes to be
configured with the necessary security information they would
otherwise require to communicate with Diameter servers in other
...
... function for NASes, they do not allow access devices to use end-to-
end security, since modifying messages breaks authentication.
...
... End-to-End Security Framework ...
... agents.
End-to-end security is provided via the End-to-End security
extension, described in [AAACMS]. The circumstances requiring the
use of end-to-end security are determined by policy on each of the
peers. Security policies, which are not the subject of
standardization, may be applied by next hop ...
... TLS or IPsec transmission-
level security is sufficient, there may be no need for end-to-end
security.
End-to-end security policies include:
- Never use end-to-end security.
- Use end-to-end security on messages containing sensitive AVPs.
Which AVPs ... sensitive.
- Always use end-to-end security.
It is strongly RECOMMENDED that all Diameter implementations support
end-to-end security.
...
... As noted in Section 2.2, Diameter requires transmission level
security to be used on each connection (TLS or IPsec ...
... authorization, routing and security information as well as
configuration details for the request and reply.
...
... agent (proxy, redirect or relay)
then the message MUST NOT be sent unless there is end-to-end security
between the originator and the recipient and integrity /
...
... AVP OR the originator
has locally trusted configuration that indicates that end-to-end
security is not needed. Similarly, for the originator of a Diameter
message, a "P" in the "MAY" column means that if a message containing
...
... agent (proxy, redirect or
relay) then the message MUST NOT be sent unless there is end-to-end
security between the originator and the recipient or the originator
has locally trusted configuration that indicates that end-to-end
security is not needed.
Due to space constraints ...
... IP-Address        257  5.3.5  Address     | M | P |   | V | N |
Inband-Security-Id    299  6.10   Unsigned32  | M | P |   | V | N |
...
...
It is recommended that SLPv2 security be deployed (this requires
distributing keys to SLPv2 agents ...
... agents). This is discussed further in
Appendix A. SLPv2 security SHOULD be used (requiring distribution
of keys to SLPv2 agents ...
... receiver of a Capabilities-Exchange-Req (CER) message
that does not have any security mechanisms in common with the sender
MUST return a Capabilities-Exchange-Answer (CEA) with the Result-Code ...
... AVP set to DIAMETER_NO_COMMON_SECURITY, and SHOULD disconnect the
transport layer connection ...
...
- A Diameter message that uses a security mechanism that makes use
of a pre-established session key shared between the source and the
...
... Proxy-Info AVP has certain
security implications and SHOULD contain an embedded HMAC with a
node ...
... Diameter messages are processed by
agents, and therefore MUST NOT be protected by end-to-end security.
...
... AVP Code 299) is of type Unsigned32 and
is used in order to advertise support of the Security portion of the
application.
...
...
Currently, the following values are supported, but there is ample
room to add new security Ids.
NO ...
... DIAMETER_NO_COMMON_SECURITY 5017
This error is returned when a CER message is received, and there
are no common security mechanisms supported between the peers. A
Capabilities-Exchange-Answer (CEA) MUST be returned with the
Result-Code ...
... authentication across agents is required, end-to-
end security may be used for authentication purposes.
...
... end-to-end fashion. If the Accounting-
Request was protected by end-to-end security, then the corresponding
ACA message MUST be protected by end-to-end security.
Only the target ...
... Host-IP-Address |1+ |1+ |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |
Inband-Security-Id |0+ |0+ |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |
Multi-Round-Time-Out|0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |
...
... Security Considerations ...
... either IPSec or TLS. This security mechanism is acceptable in
environments where there is no untrusted third party agent ...
... IPsec. Diameter
implementations MUST use transmission-level security of some kind
(IPsec or TLS ...
... IPsec, then the CER/CEA
exchange MUST include an Inband-Security-ID AVP with a value of TLS.
...
... authentication,
negotiation of security associations, and key management, using the
IPsec DOI ...
... IP Subnet or IP
Address Range formats. This allows the Phase 2 security association
to correspond to specific TCP and SCTP ...
... Diameter nodes
implementing TLS for security MUST mutually authenticate as part of
TLS session ...
... peer-to-peer protocol, proper configuration of the trust
model within a Diameter peer is essential to security. When
certificates are used, it is necessary to configure the root ...
... intra-domain
usage when pre-shared keys are used as a security mechanism.
When pre-shared key authentication ...
...
It is recommended that a Diameter peer implement the same security
mechanism (IPsec or TLS) across all its peer-to-peer connections.
Inconsistent use of security mechanisms can result in redundant
security mechanisms being used (e.g., TLS over IPsec) or worse,
potential security vulnerabilities. When IPsec is used with
Diameter, a typical security policy for outbound traffic is "Initiate
IPsec ...
... Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407(-> 4306prop), November 1998. ...
... Jungmaier, A., Rescorla, E. and M. Tuexen, "Transport Layer Security over Stream Control Transmission Protocol", RFC 3436prop, December 2002. ...
... Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401(-> 4301prop), November 1998. ...
... invaluable assistance in working out transport issues, and similarly
with Steven Bellovin in the security area.
Paul Funk and David Mitton were instrumental in getting the Peer
...
