DIAMETER

Protocol suite:	TCP/IP.
Protocol type:	Application layer protocol.
Port:	3868 (SCTP, TCP).
URI:	aaa:, aaas:
MIME subtype:
SNMP MIBs:
Working groups:	aaa, Authentication, Authorization and Accounting. dime, Diameter Maintanence and Extensions.
Links:	diameter.org IANA: AAA AVPs.

RFC 3588:

The Diameter base protocol is intended to provide an Authentication, Authorization and Accounting (AAA) framework for applications such as network access or IP mobility. Diameter is also intended to work in both local Authentication, Authorization & Accounting and roaming situations. This document specifies the message format, transport, error reporting, accounting and security services to be used by all Diameter applications. The Diameter base application needs to be supported by all Diameter implementations.

The Diameter protocol consists of the Diameter header followed by one or more AVP structures.

MAC header

IP header

SCTP | TCP header

Diameter header

Data :::

Diameter header:

00	01	02	03	04	05	06	07	08	09	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
Version								Message length
Flags								Code
Application ID
Hop by Hop ID
End to End ID
AVP[] :::

Version. 8 bits.
Diameter protocol version.

Message length. 24 bits.
Size of the Diameter message including the header fields.

Flags. 8 bits.

00	01	02	03	04	05	06	07
R	P	E	T	reserved

R, Request. 1 bit.
If set, the message is a request. Otherwise the message is an answer.

P, Proxiable. 1 bit.
If set, the message MAY be proxied, relayed or redirected. Otherwise the message MUST be locally processed.

E, Error. 1 bit.
If set, the message contains a protocol error, and the message will not conform to the ABNF described for this command. Messages with this bit set are commonly referred to as error messages. This bit MUST NOT be set in request messages.

T, Potentially retransmitted message. 1 bit.
This flag is set after a link failover procedure, to aid the removal of duplicate requests. It is set when resending requests not yet acknowledged, as an indication of a possible duplicate due to a link failure. This bit MUST be cleared when sending a request for the first time, otherwise the sender MUST set this flag. Diameter agents only need to be concerned about the number of requests they send based on a single received request. Retransmissions by other entities do not need to be tracked. Diameter agents that receive a request with the T flag set, MUST keep the T flag set in the forwarded request. This flag MUST NOT be set if an error answer message (e.g., a protocol error) has been received for the earlier message. It can be set only in cases where no answer has been received from the server for a request and the request is sent again. This flag MUST NOT be set in answer messages.

reserved. 4 bits.
Must be cleared to zero.

Code. 24 bits.

Code	Description	References
0 - 255	Radius command codes.
256
257	CER; CEA.
258	RAR, Re-Auth-Request; RAA, Re-Auth-Answer.	RFC 4005
259
260	AMR, AA-Mobile-Node-Request; AMA, AA-Mobile-Node-Answer.	RFC 4004
261
262	HAR, Home-Agent-MIP-Request; HAA, Home-Agent-MIP-Answer.	RFC 4004
263 264
265	AAR, AA-Request; AAA, AA-Answer.	RFC 4005
266 267
268	DER, Diameter-EAP-Request; DEA, Diameter-EAP-Answer.	RFC 4072
269 270
271	ACR, Accounting-Request; ACA, Accounting-Answer.	RFC 4005
272	CCR, Credit-Control-Request; CCA, Credit-Control-Answer.	RFC 4006
273
274	ASR, Abort-Session-Request; ASA, Abort-Session-Answer.	RFC 4005
275	STR, Session-Termination-Request; STA, Session-Termination-Answer.	RFC 4005
276 - 279
280	DWR; DWA.	RFC 3588
281
282	DPR; DPA.	RFC 3588
283	UAR; UAA.	RFC 4740
284	SAR; SAA.	RFC 4740
285	LIR; LIA.	RFC 4740
286	MAR; MAA.	RFC 4740
287	RTR; RTA.	RFC 4740
288	PPR; PPA.	RFC 4740
289 - 299

16777215	Experimental code.	RFC 3588

Application ID. 32 bits.
Used to identify to which application the message is applicable for. The application can be an authentication application, an accounting application or a vendor specific application. The application ID in the header MUST be the same as what is contained in any relevant AVPs contained in the message.

Hop by Hop ID. 32 bits, unsigned.
This field aids in matching requests and replies. The sender MUST ensure that the identifier in a request is unique on a given connection at any given time, and MAY attempt to ensure that the number is unique across reboots. The sender of an Answer message MUST ensure that this field contains the same value that was found in the corresponding request. The identifier is normally a monotonically increasing number, whose start value was randomly generated. An answer message that is received with an unknown identifier MUST be discarded.

End to End ID. 32 bits, unsigned.
This field is used to detect duplicate messages. Upon reboot implementations MAY set the high order 12 bits to contain the low order 12 bits of current time, and the low order 20 bits to a random value. Senders of request messages MUST insert a unique identifier on each message. The identifier MUST remain locally unique for a period of at least 4 minutes, even across reboots. The originator of an Answer message MUST ensure that the field contains the same value that was found in the corresponding request. This field MUST NOT be modified by Diameter agents of any kind. The combination of the Origin-Host and this field is used to detect duplicates. Duplicate requests SHOULD cause the same answer to be transmitted (modulo the Hop by Hop ID field and any routing AVPs that may be present), and MUST NOT affect any state that was set when the original request was processed. Duplicate answer messages that are to be locally consumed SHOULD be silently discarded.

AVP, Attribute Value Pair.
A structure used to encapsulate protocol specific data as well as authentication, authorization and accounting information.

00	01	02	03	04	05	06	07	08	09	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
AVP code
AVP flags								AVP length
Vendor ID
Data :::

AVP code. 32 bits.
When combined with the Vendor ID the attribute is uniquely identified. AVP numbers 1 through 255 are reserved for backward compatibility with RADIUS, without setting the Vendor ID field. AVP numbers 256 and above are used for Diameter, which are allocated by IANA.

Code	Description	References
1 - 255	Radius attributes.
256
257	Host-IP-Address.	RFC 3588
258	Auth-Application-Id.	RFC 3588
259	Acct-Application-Id.	RFC 3588
260	Vendor-Specific-Application-Id.	RFC 3588
261	Redirect-Host-Usage.	RFC 3588
262	Redirect-Max-Cache-Time.	RFC 3588
263	Session-Id.	RFC 3588
264	Origin-Host.
265	Supported-Vendor-Id.
266	Vendor-Id.
267	Firmware-Version.
268	Result-Code.
269	Product-Name.
270	Session-Binding.
271	Session-Server-Failover.
272	Multi-Round-Time-Out.
273	Disconnect-Cause.
274	Auth-Request-Type.
275
276	Auth-Grace-Period.
277	Auth-Session-State.
278	Origin-State-Id.
279	Failed-AVP.
280	Proxy-Host.
281	Error-Message.
282	Route-Record.
283	Destination-Realm.
284	Proxy-Info.
285	Re-Auth-Request-Type.
286
287	Accounting-Sub-Session-Id.	RFC 3588
288 - 290
291	Authorization-Lifetime.
292	Redirect-Host.
293	Destination-Host.
294	Error-Reporting-Host.
295	Termination-Cause.	RFC 4005
296	Origin-Realm.
297	Experimental-Result.
298	Experimental-Result-Code.
299	Inband-Security-Id.
300	E2E-Sequence.
301 - 317
318	MIP-FA-to-HA-SPI.	RFC 4004
319	MIP-FA-to-MN-SPI.	RFC 4004
320	MIP-Reg-Request.	RFC 4004
321	MIP-Reg-Reply.	RFC 4004
322	MIP-MN-AAA-Auth.	RFC 4004
323	MIP-HA-to-FA-SPI.	RFC 4004
324
325	MIP-MN-to-FA-MSA.	RFC 4004
326	MIP-FA-to-MN-MSA.	RFC 4004
327
328	MIP-FA-to-HA-MSA.	RFC 4004
329	MIP-HA-to-FA-MSA.	RFC 4004
330
331	MIP-MN-to-HA-MSA.	RFC 4004
332	MIP-HA-to-MN-MSA.	RFC 4004
333	MIP-Mobile-Node-Address.	RFC 4004
334	MIP-Home-Agent-Address.	RFC 4004
335	MIP-Nonce.	RFC 4004
336	MIP-Candidate-Home-Agent-Host.	RFC 4004
337	MIP-Feature-Vector.	RFC 4004
338	MIP-Auth-Input-Data-Length.	RFC 4004
339	MIP-Authenticator-Length.	RFC 4004
340	MIP-Authenticator-Offset.	RFC 4004
341	MIP-MN-AAA-SPI.	RFC 4004
342	MIP-Filter-Rule.	RFC 4004
343	MIP-Session-Key.	RFC 4004
344	MIP-FA-Challenge.	RFC 4004
345	MIP-Algorithm-Type.	RFC 4004
346	MIP-Replay-Mode.	RFC 4004
347	MIP-Originating-Foreign-AAA.	RFC 4004
348	MIP-Home-Agent-Host.	RFC 4004
349 - 362
363	Accounting-Input-Octets.	RFC 4005
364	Accounting-Output-Octets.	RFC 4005
365	Accounting-Input-Packets.	RFC 4005
366	Accounting-Output-Packets.	RFC 4005
367	MIP-MSA-Lifetime.	RFC 4004
368	SIP-Accounting-Information.	RFC4740
369	SIP-Accounting-Server-URI.	RFC4740
370	SIP-Credit-Control-Server-URI.	RFC4740
371	SIP-Server-URI.	RFC4740
372	SIP-Server-Capabilities.	RFC4740
373	SIP-Mandatory-Capability.	RFC4740
374	SIP-Optional-Capability.	RFC4740
375	SIP-Server-Assignment-Type.	RFC4740
376	SIP-Auth-Data-Item.	RFC4740
377	SIP-Authentication-Scheme.	RFC4740
378	SIP-Item-Number.	RFC4740
379	SIP-Authenticate.	RFC4740
380	SIP-Authorization.	RFC4740
381	SIP-Authentication-Info.	RFC4740
382	SIP-Number-Auth-Items.	RFC4740
383	SIP-Deregistration-Reason.	RFC4740
384	SIP-Reason-Code.	RFC4740
385	SIP-Reason-Info.	RFC4740
386	SIP-Visited-Network-Id.	RFC4740
387	SIP-User-Authorization-Type.	RFC4740
388	SIP-Supported-User-Data-Type.	RFC4740
389	SIP-User-Data.	RFC4740
390	SIP-User-Data-Type.	RFC4740
391	SIP-User-Data-Contents.	RFC4740
392	SIP-User-Data-Already-Available.	RFC4740
393	SIP-Method.	RFC4740
394 - 399
400	NAS-Filter-Rule.	RFC 4005
401	Tunneling.	RFC 4005
402	CHAP-Auth.	RFC 4005
403	CHAP-Algorithm.	RFC 4005
404	CHAP-Ident.	RFC 4005
405	CHAP-Response.	RFC 4005
406	Acounting-Auth-Method.	RFC 4005
407	QoS-Filter-Rule.	RFC 4005
408	Origin-AAA-Protocol.	RFC 4005
409
410
411	CC-Correlation-Id.	RFC 4006
412	CC-Input-Octets.	RFC 4006
413	CC-Money.	RFC 4006
414	CC-Output-Octets.	RFC 4006
415	CC-Request-Number.	RFC 4006
416	CC-Request-Type.	RFC 4006
417	CC-Service-Specific-Units.	RFC 4006
418	CC-Session-Failover.	RFC 4006
419	CC-Sub-Session-Id.	RFC 4006
420	CC-Time.	RFC 4006
421	CC-Total-Octets.	RFC 4006
422	Check-Balance-Result.	RFC 4006
423	Cost-Information.	RFC 4006
424	Cost-Unit.	RFC 4006
425	Currency-Code.	RFC 4006
426	Credit-Control.	RFC 4006
427	Credit-Control-Failure-Handling.	RFC 4006
428	Direct-Debiting-Failure-Handling.	RFC 4006
429	Exponent.	RFC 4006
430	Final-Unit-Indication.	RFC 4006
431	Granted-Service-Unit.	RFC 4006
432	Rating-Group.	RFC 4006
433	Redirect-Address-Type.	RFC 4006
434	Redirect-Server.	RFC 4006
435	Redirect-Server-Address.	RFC 4006
436	Requested-Action.	RFC 4006
437	Requested-Service-Unit.	RFC 4006
438	Restriction-Filter-Rule.	RFC 4006
439	Service-Identifier.	RFC 4006
440	Service-Parameter-Info.	RFC 4006
441	Service-Parameter-Type.	RFC 4006
442	Service-Parameter-Value.	RFC 4006
443	Subscription-Id.	RFC 4006
444	Subscription-Id-Data.	RFC 4006
445	Unit-Value.	RFC 4006
446	Used-Service-Unit.	RFC 4006
447	Value-Digits.	RFC 4006
448	Validity-Time.	RFC 4006
449	Final-Unit-Action.	RFC 4006
450	Subscription-Id-Type.	RFC 4006
451	Tariff-Time-Change.	RFC 4006
452	Tariff-Change-Usage.	RFC 4006
453	G-S-U-Pool-Identifier.	RFC 4006
454	CC-Unit-Type.	RFC 4006
455	Multiple-Services-Indicator.	RFC 4006
456	Multiple-Services-Credit-Control.	RFC 4006
457	G-S-U-Pool-Reference.	RFC 4006
458	User-Equipment-Info.	RFC 4006
459	User-Equipment-Info-Type.	RFC 4006
460	User-Equipment-Info-Value.	RFC 4006
461	Service-Context-Id.	RFC 4006
462	EAP-Payload.	RFC 4072
463	EAP-Reissued-Payload.	RFC 4072
464	EAP-Master-Session-Key.	RFC 4072
465	Accounting-EAP-Auth-Method.	RFC 4072
466 - 479
480	Accounting-Record-Type.	RFC 3588
481 482
483	Accounting-Realtime-Required.	RFC 3588
484
485	Accounting-Record-Number.	RFC 3588
486	MIP6-Agent-Info.	RFC 5447
487	Accounting-Sub-Session-Id.	RFC 3588
488 - 0xFFFFFF

AVP flags. 8 bits.

00	01	02	03	04	05	06	07
V	M	P	reserved

V, Vendor specific. 1 bit.
If set, the Vendor ID field is present.

M, Mandatory. 1 bit.
If set, support of this AVP is required.

P. 1 bit.
If set, encryption for end to end security is needed.

reserved. 5 bits.
Must be cleared to zero.

AVP length. 24 bits.
Total size of the AVP header and data in bytes.

Vendor ID. 32 bits.
This field is present if the V bit is set in the AVP Flags field. This field contains the IANA assigned "SMI Network Management Private Enterprise Codes" value, encoded in network byte order. Any vendor wishing to implement a vendor-specific Diameter AVP MUST use their own Vendor ID along with their privately managed AVP address space, guaranteeing that they will not collide with any other vendor's vendor-specific AVP(s), nor with future IETF applications. A value of zero corresponds to the IETF adopted AVP values, as managed by the IANA. Since the absence of this field implies that the AVP in question is not vendor specific, implementations MUST NOT use the zero value.

Glossary:

Diameter Agent.
A Diameter node that provides either relay, proxy, redirect or translation services.

Diameter Client.
A device at the edge of the network that performs access control. An example of a Diameter client is a Network Access Server (NAS) or a Foreign Agent (FA).

Diameter Node.
A host process that implements the Diameter protocol, and acts either as a Client, Agent or Server.

Diameter Peer.
A Diameter Node to which a given Diameter Node has a direct transport connection.

Diameter Security Exchange.
A process through which two Diameter nodes establish end-to-end security.

Diameter Server.
A Diameter Server is one that handles authentication, authorization and accounting requests for a particular realm. By its very nature, a Diameter Server MUST support Diameter applications in addition to the base protocol.

Home Realm.
The administrative domain with which the user maintains an account relationship.

Local Realm.
The administrative domain providing services to a user. An administrative domain MAY act as a local realm for certain users, while being a home realm for others.

NAI, Network Access Identifier.
Used to extract the identity and realm of a user. The identity is used to recognize the user during authentication and/or authorization, while the realm is used for message routing purposes.

Realm.
The string in the NAI that immediately follows the '@' character. NAI realm names are required to be unique, and are piggybacked on the administration of the DNS namespace. Diameter makes use of the realm, also loosely referred to as domain, to determine whether messages can be satisfied locally, or whether they must be routed or redirected. In RADIUS, realm names are not necessarily piggybacked on the DNS namespace but may be independent of it.

RFCs:

[RFC 2924] Accounting Attributes and Record Formats.

Category: Informational.

[RFC 3127] Authentication, Authorization, and Accounting: Protocol Evaluation.

Category: Informational.

[RFC 3588] Diameter Base Protocol.

Category: Standards Track.
Defines Diameter version 1.
Defines URI schemes aaa:, aaas:.

[RFC 3589] Diameter Command Codes for Third Generation Partnership Project (3GPP) Release 5.

Category: Informational.

[RFC 3955] Evaluation of Candidate Protocols for IP Flow Information Export (IPFIX).

Category: Informational.

[RFC 4004] Diameter Mobile IPv4 Application.

Category: Standards Track.
Defines Diameter command codes 260 and 262.
Defines Diameter AVP codes 318 - 323, 325, 326, 328, 329, 331 - 348, 367.

[RFC 4005] Diameter Network Access Server Application.

Category: Standards Track.
Defines Diameter command codes 258, 265, 271, 274, 275.
Defines Diameter AVP codes 295, 363 - 366, 400 - 408.

[RFC 4006] Diameter Credit-Control Application.

Category: Standards Track.
Defines Diameter command code 272 (Credit-Control-Request, Credit-Control-Answer).
Defines Diameter AVP codes 411 - 461.

[RFC 4072] Diameter Extensible Authentication Protocol (EAP) Application.

Category: Standards Track.
Defines Diameter command code 268.
Defines Diameter AVP codes 462 - 465.
Defines RADIUS AVP code 102 (EAP-Key-Name).

Publications:

Obsolete RFCs: