AAA Working Group Pat R. Calhoun Internet-Draft Black Storm Networks Category: Standards Track Stephen Farrell Baltimore Technologies William Bulley Merit Network, Inc. March 2002 Diameter CMS Security Application Status of this Memo This document is an Internet-Draft and is subject to all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Abstract The Diameter base protocol leverages either IPsec or TLS for integrity and confidentiality between two Diameter peers, and allows the peers to communicate through relay and proxy agents. Relay agents perform message routing, and other than routing AVPs, do not modify Diameter messages. Proxy agents, on the other hand, implement policy enforcement, and actively modify Diameter messages. This Diameter application describes how a security association is established by two peers through agents, and how authentication, integrity, confidentiality and data origin authentication are achieved using a mixture of symmetric and asymmetric transforms, by Calhoun, Farrell, Bulley,expires September 2002 [Page 1] Internet-Draft March 2002 encapsulating Cryptographic Message Syntax (CMS) data within AVPs. CMS is also used to carry X.509 certificates. Table of Contents 1.0 Introduction 1.1 Requirements language 1.2 Establishing Security Relationship through relay agents 1.3 Establishing Security Relationship through proxy agents 1.4 Using Redirect agents in lieu of DSA 1.5 When to use DSAs 1.6 Advertising application support 1.7 CMS Processing of Grouped AVPs. 2.0 AVP Format 3.0 Key Management 3.1 Usage Scenario 3.2 Certificate Requirements 3.3 Algorithms 3.4 Reuse of CMS Content Encryption Keys 4.0 Command-Codes Values 4.1 Diameter-Security-Association-Request 4.2 Diameter-Security-Association-Answer 4.3 Proxy-Diameter-Security-Association-Request 4.4 Proxy-Diameter-Security-Association-Answer 5.0 Diameter Security Association Message Flow 6.0 Diameter Security AVPs 6.1 CMS-Signed-Data AVP 6.2 CMS-Encrypted-Data AVP 6.3 Example Encodings 6.4 Local-CA-Info AVP 6.4.1 CA-Name AVP 6.4.2 Key-Hash AVP 6.5 OCSP-Nonce AVP 6.6 AAA-Node-Cert AVP 6.7 OCSP-Responses AVP 6.8 CA-Chain AVP 6.9 OCSP-Request-Flags AVP 6.10 DSAR-Target-Realm AVP 6.11 DSA-TTL AVP 7.0 Result-Code AVP Values 7.1 Transient Failures 7.2 Permanent Failures 8.0 AVP Occurrence Tables 9.0 IANA Considerations 9.1 Command Codes 9.2 AVP Codes 9.3 Result-Code AVP Values Calhoun, Farrell, Bulley,expires September 2002 [Page 2] Internet-Draft March 2002 9.4 Application Identifier 9.5 OCSP-Request-Flags AVP Values 10.0 Security Considerations 11.0 References 12.0 Acknowledgements 13.0 Authors' Addresses 14.0 Full Copyright Statement 15.0 Expiration Date Calhoun, Farrell, Bulley,expires September 2002 [Page 3] Internet-Draft March 2002 1.0 Introduction The Diameter base protocol [BASE] leverages either IPsec or TLS for integrity and confidentiality between two Diameter peers. However, the Diameter protocol also allows peers to communicate through relay and proxy agents, and in such environments security information is lost at each agent. Relay agents perform message routing, and other than routing AVPs, do not modify Diameter messages. Proxy agents, on the other hand, implement policy enforcement, and actively modify Diameter messages. See [BASE] for a more comprehensive definition of the role of relay and proxy agents. There are two main techniques used in this specification. Digital signatures (along with digital certificates) provide authentication, integrity and data origin authentication. Encryption provides confidentiality (using asymmetric techniques to encrypt a content encryption key, which is then used for bulk encryption). Both techniques can be used simultaneously to provide all the specified security services. This Diameter application makes use of Cryptographic Message Syntax (CMS), which is the method used to secure MIME (S/MIME) messages. This application was designed to allow Diameter implementations to use existing S/MIME toolkits in order to comply with this specification. This specification contains two different set of messages. The Diameter Security Association (DSA) messages are used to establish a security assocation, while the Proxy Diameter Security (PDS) messages are used to request that a security association be established by a third party. The following details the necessary support for both types of messages based on the type of Diameter node: - Diameter servers: MUST support DSA messages; MAY support PDS messages - Proxy agents: MUST support DSA messages; MUST support PDS messages - Diameter clients: SHOULD support DSA messages; MUST support PDS messages - Relay agents: MAY support DSA messages; MAY support PDS messages - Redirector agents: MAY support DSA messages; MAY support PDS messages 1.1 Requirements language In this document, the key words "MAY", "MUST", "MUST NOT", "optional", "recommended", "SHOULD", and "SHOULD NOT", are to be Calhoun, Farrell, Bulley,expires September 2002 [Page 4] Internet-Draft March 2002 interpreted as described in [MUSTSHOULD]. 1.2 Establishing a Security Relationship through relay agents The AAA Working Group has defined a set of requirements in [AAAREQS] to allow for Diameter peers to communicate securely through Relay agents. This requirement calls for AVP integrity and confidentiality between two peers communicating through agents. The term agent is used in this specification for either a relay or a proxy agent. Figure 1 provides an example of two Diameter peers establishing a Diameter Security Association (DSA) through Relay agents. The participants of a DSA are the peers where the DSA setup messages terminate. In this example, the participants of the DSA would the NAS (access device), and the Home Server. mno.net mno.net xyz.net abc.com +------+ <----> +------+ <----> +------+ <----> +------+ | | TLS |Agent | IPSec |Agent | IPSec | Home | | NAS | | | | | | | | | | 1 | | 2 | |Server| +------+ +------+ +------+ +------+ <--------------------------------------------> Diameter Security Association Figure 1: Diameter Security Association When one or more agents are used between two communicating Diameter peers, the use of hop-by-hop security mechanisms (e.g. TLS, IPSec) is unsuitable, since Diameter messages are processed at the application layer at each agent. Therefore, an alternative mechanism is required to protect portions of the message at the application layer. Allowing for a security association to be established through Diameter relays allows the participants of the DSA to detect whether protected AVPs have been modified en-route, and hides sensitive data from intermediate agents. Furthermore, the Mobile IP and NASREQ Working Groups have stated in [CDMAREQ, MIPREQ] that data origin authentication of Diameter data, such as Accounting related AVPs, is necessary. Figure 2 provides an example of a message sent by an access device (NAS), through Diameter relay agents, to its intended destination, the home server. In this example, Proxy 2 modifies the contents of the foo AVP, perhaps due to mis-configuration, or maliciously. This specification would allow the participants of the DSA to detect such a problem, as long as the AVP being modified was protected. Calhoun, Farrell, Bulley,expires September 2002 [Page 5] Internet-Draft March 2002 (Request) (Request) (Request) [AVP(foo)=x] [AVP(foo)=x] [AVP(foo)=y] +------+ -----> +------+ -----> +------+ -----> +------+ | | |Relay | |Proxy | | Home | | NAS | | | | | | | | | | 1 | | 2 | |Server| +------+ <----- +------+ <----- +------+ <----- +------+ (Answer) (Answer) (Answer) [AVP(foo)=b] [AVP(foo)=b] [AVP(foo)=a] Figure 2: Diameter agent modifying AVP This document defines the Diameter commands that are used to establish a DSA through Diameter agents, and specifies how encapsulating CMS objects [CMS] in Diameter AVPs can provide authentication, integrity, confidentiality and data origin authentication. CMS objects MAY also be used to transport X.509 certificates and revocation lists. Establishing a DSA through relay agents requires that the initiator issues a Diameter Security Association Request (DSAR) message. In the example provided in figure 1, NAS would issue the DSAR with the Destination-Realm AVP set to abc.com. The Home Server would process the request, and respond by issuing a Diameter Security Association Answer (DSAA) message. If the DSAA message contains a Result-Code indicating success, the DSA is established between the NAS and the home server. Once the DSA is established, participants with private keys MAY apply digital signatures to protect one or more AVPs within a message. In the example provided in Figure 2, the Foo AVP would be protected by the digital signature, and any modification of the AVP by the relay agents, would be detected since the signature validation algorithm would fail. 1.3 Establishing Security Relationship through proxy agents As previously discussed, proxy agents typically modify Diameter messages to implement policy enforcement. An example of a proxy server would be an aggregating server, which typically sits one Diameter hop away from the access device, and enforces policy in order to protect the access device from receiving AVPs that could cause harm (e.g. excessive number of filters, unsupported tunneling protocol). Although in theory such checks could be performed on the access device, these devices are typically embedded systems, and not easily configurable. The proxy agent's behavior, on the other hand, is typically under control of the network operator. Calhoun, Farrell, Bulley,expires September 2002 [Page 6] Internet-Draft March 2002 Diameter messages between two participants of a DSA would fail verification if a proxy agent were to modify any protected AVPs. Therefore proxy agents that modify AVPs MAY prevent the establishment of DSAs based on local configuration. In this section, we discuss the capabilities provided by this Diameter application which allow proxy agents to secure AVPs on behalf of an access device. The following scenarios are envisioned: - The access device does not have the cryptographic ability to handle CMS functions locally, and therefore requests such services from the local agent, such an an aggregating relay or proxy agent. The NAS may have been configured to always issue a PDSR to its local agent for CMS services. In such cases, the agent MUST select the values for the DSA-TTL. - The access device has the cryptographic ability to perform CMS functions, but a proxy agent is in the route towards the home server, and it returned a failure to the DSAR messages stating that it was not willing to allow the DSA to traverse through it. Such agents MAY attempt to re-use the values from the initial DSAR sent by the access device. In such cases,the PDSR initiator SHOULD include the Destination-Host AVP to ensure that the PDSR is received by the same proxy agent. - The access device may have the cryptographic ability to perform CMS functions locally, but does not request a DSAR to request a DSA. The local agent, however, has been configured to establish DSAs with certain realms automatically, hiding the existence of the DSAs from the access device. In the above scenarios, the first two occur at the explicit request of the access device, while the last one occurs without any messaging from the access device. In the latter case, the proxy agent acts as an access device of sorts and the rules in section 1.2 should be used instead. When a local agent receives a DSAR, it has the following options: - The local agent rejects the DSAR by sending a DSAA message whose Result-Code AVP is set to DIAMETER_NO_CMS_THROUGH_PROXY. The DSAA SHOULD include the CMS-Signed-Data AVP, signed by the proxy agent, and include its certificate to allow the access device to validate the originator of the DSAA. The access device can then determine whether it is willing to provide service, based on its local policy. - The local agent rejects the DSAR by sending a DSAA message whose Result-Code AVP is set to DIAMETER_CAN_ACT_AS_CMS_PROXY, informing the access device that the agent is willing to Calhoun, Farrell, Bulley,expires September 2002 [Page 7] Internet-Draft March 2002 establish the DSA on its behalf. The DSAA MUST include the CMS- Signed-Data AVP, signed by the proxy agent, and include its certificate to allow the access device to validate the originator of the DSAA. If the access device is willing to use the agent's services, it issues a Proxy-Diameter-Security- Association-Request (PDSR) which MUST contain the target realm. The local agent MAY use any of the parameters provided by the access device in the previous DSAR attempt when establishing the DSA. Once the DSA is established, the agent MUST issue a Proxy- Diameter-Security-Association-Answer (PDSA). The PDSA MUST contain the TTL setting agreed by the proxy agent for its DSA. This information will allow the access device to re-issue a PDSR prior to the proxy's DSA expiry if it needs the DSA to remain active. Note that an access device MAY be configured to always issue a PDSR to its aggregating proxy, reducing the number of round trips. Similarly, an aggregating proxy MAY be configured to initiate an DSAR regardless of whether a PDSR was sent by the access device. mno.net mno.net xyz.net abc.com +------+ +------+ +------+ +------+ | | |Proxy | |Relay | | Home | | NAS | | | | | | | | | |Agent | |Agent | |Server| +------+ +------+ +------+ +------+ -------------> (DSAR) Destination-Realm = abc.com <------------- (DSAA) Result-Code = DIAMETER_CAN_ACT_AS_CMS_PROXY -------------> (PDSR) DSAR-Target-Realm = abc.com ----------------------------> (DSAR) Destination-Realm = abc.com <---------------------------- (DSAA) Result-Code = DIAMETER_SUCCESS <------------- (PDSA) Result-Code = DIAMETER_SUCCESS Figure 3: Establishing Security through Proxy Agent An optimized approach also allows the PDSR to be sent by the access Calhoun, Farrell, Bulley,expires September 2002 [Page 8] Internet-Draft March 2002 device without the DSAR-Target-Realm AVP. This message is used to inform the proxy that it MUST establish a DSA for all realms it will be communicating with on behalf of the access device. DSAs are typically established once the first request for a given realm has been recelived by the proxy agent, but it MAY establish certain DSAs with known realms in advance. If a DSA for a given realm cannot be established, the proxy agent MUST reject the access device's request, and set the Result-Code AVP to DIAMETER_NO_DSA_ESTABLISHED. Although the proxy agent MAY receive many PDSRs from access devices, only one DSA per realm need be established. Furthermore, the proxy is responsible for re- establishing the DSA prior to expiration without any involvement by the access device. It is important to note that proxy agents establishing DSA's on behalf of a client will most likely need to reorder AVPs during the encryption process, in order to fit the encrypted AVPs within a CMS- Encrypted-Data AVP. This is contrary to the rule established in the Diameter base protocol [BASE], which states that proxy agents SHOULD NOT reorder AVPs. Allowing the first hop agent to be used to establish the DSA with the home server may reduce the current concerns that the cryptographic operations resulting from this specification MAY overburden embedded access devices. 1.4 Using Redirect agents in lieu of DSA When a redirect agent is used, allowing an access device, relay or proxy agent to communicate directly with the home server, the hop-by- hop security mechanisms specified in the base protocol may be sufficient. However, there are certain business models where signing of selected Diameter AVPs (e.g. accounting) MAY be desired, even when redirect agents are used. Figure 4 shows an example where the relay agent contacts the redirect agent to retrieve the necessary information for it to communicate directly with the home server, which MAY include the home server's certificates. The relay agent MAY then initiate a DSA with the home server, using the certificates provided by the redirect agents. Calhoun, Farrell, Bulley,expires September 2002 [Page 9] Internet-Draft March 2002 +------+ | | | DRD | | | +------+ ^ | 2. Request | | 3. Redirection | | Notification | v +------+ ---------> +------+ <--------> +------+ | | 1. Request | | 4. DSAR/DSAA | | | NAS | | DRL | | HMS | | | 6. Answer | | 5. Request/Answer | | +------+ <--------- +------+ <--------> +------+ mno.net mno.net abc.com Figure 4: DSA Setup following redirect The CMS specification allows for Diameter AVPs to be multiply-signed (see section 6.1), which may prove useful in business models that require both parties to sign accounting data in parallel. This scheme provides some assurance that both parties agreed to the accounting data, which MAY be used for settlement purposes. 1.5 When to use DSAs Given that asymmetric transform operations are expensive, access devices and/or Diameter agents MAY wish to restrict establishment of a DSA to cases where the participants belong to a different administrative domain. 1.6 Advertising application support Diameter nodes conforming to this specification MAY advertise support by including the value of two (2) in the Auth-Application-Id or the Acct-Application-Id AVP of the Capabilities-Exchange-Request and Capabilities-Exchange-Answer command [BASE]. 1.7 CMS Processing of Grouped AVPs. Grouped AVPs are processed as a whole, there is no partial signing or encryption mechanism defined. Only the P flag (resp. MAY Encr) setting for a Grouped AVP need be set to Y to allow the Grouped AVP to be signed (resp. encrypted). That is, the AVPs within the Grouped AVP need not have their "P" bit Calhoun, Farrell, Bulley,expires September 2002 [Page 10] Internet-Draft March 2002 set (resp. MAY Encr) in order to be part of a signed (resp. encrypted) Grouped AVP. Where a Grouped AVP is to be signed, implementations MAY set the "P" bit for each of the AVPs within the Grouped AVP. When verifying signatures over a Grouped AVP, implementations MUST NOT insist that the "P" bit has been set for AVPs within the group. Where a Grouped AVP is to be encrypted, implementations MUST NOT fail encryption due to one of the members of the group being defined so as to prevent encryption ("MAY Encr" set to "N"). Similarly following decryption, implementations MUST NOT produce an error if one of the group members is defined so as to prevent encryption. The Grouped AVP itself, of course, MUST be defined to allow encryption. Where a Grouped AVP is defined to disallow encryption then that Grouped AVP MUST NOT include any AVPs which are defined so as to allow encryption (since the member of the group might be erroneously sent in clear, if included in such a Grouped AVP). 2.0 AVP Format The Diameter base protocol [BASE] details the AVP header, which includes the 'P' bit, but does not specify how the 'P' bit is used. The 'P' bit, known as the protected AVP bit, is used to indicate whether the AVP is protected by a digital signature. When set, the AVP is protected and the contents cannot be changed by agents without detection. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AVP Code | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |V M P r r r r r| AVP Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Vendor-ID (opt) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data ... +-+-+-+-+-+-+-+-+ Figure 5: Diameter AVP Header All Diameter specifications MUST specify whether the 'P' bit can be set or not, as is done in section 4.6 of [BASE] and section 6 below. For AVPs that are designed to be changed at each hop (such as the Proxy-Info AVP) Diameter nodes MUST NOT allow the 'P' bit to be set. Diameter implementations MUST check whether AVPs with their 'P' bit Calhoun, Farrell, Bulley,expires September 2002 [Page 11] Internet-Draft March 2002 set are allowed to have that setting. If not, an appropriate error message MUST be issued containing DIAMETER_INVALID_AVP_BIT_COMBO result code. 3.0 Key Management For origin authentication, CMS itself already provides sufficient key management without the need for additional specification. Basically, the originating Diameter node signs and includes whatever certificates are necessary for validation of the digital signature. Section 3.1 provides an example of how the Diameter CMS Security application is used. In order to encrypt AVPs for a recipient, the originating Diameter node must have a copy of the recipient's public key. There are many well-known key retrieval schemes (e.g. LDAP [CERTLDAP]), but this specification also allows for the transportation of certificates within Diameter AVPs, which is expected to simplify implementations. Section 3.2 describes how Diameter node names are encoded within such certificates. Finally, it is anticipated that the overhead of asymmetric encryption for each Diameter message sent to a given peer could be significant. Section 3.4 specifies how CMS encryption keys MAY be reused for multiple Diameter messages. 3.1 Usage Scenario When a Diameter node is about to send a message, it must determine whether a DSA should be established or not. We assume the Diameter node knows the user's realm, perhaps through the User-Name AVP. Implementations MAY cache the information required to establish a DSA. However, they MUST honor time-to-live settings so that certificates MUST re-validated (possibly including revocation checks) once the DSA has expired. Revalidations SHOULD also occur before the DSA expires according to PKI policies. During the process of certificate path validation some implementations will calculate a duration for which the certificate path may be considered "safe". For example, if an implementation did not support certificate revocation checks, then the "safe" period would be from the time of initial validation until the earliest notAfter time in the set of certificates in the path. An implementation which does support certificate revocation checks will typically be able to calculate a "safe" period based additionally on Calhoun, Farrell, Bulley,expires September 2002 [Page 12] Internet-Draft March 2002 the earliest nextUpdate field in a CRL or OCSP response. Basically, the safe period is from the time of certificate validation to the earliest value from the set of notAfter and nextUpdate fields encountered during certificate validation. However, implemetors should note that CAs MAY issue additional CRLs before the nextUpdate period. Generally it is a matter of local PKI policy as to whether an implementation will make additional checks even during the calculated "safe" period. For the purposes of this specification implementations are not required to make such checks and MAY assume that no re-validation of certificates is required during the "safe" period defined above. We use Diameter Security Association Request (DSAR) and Diameter Security Association Answer (DSAA) messages to establish a DSA, which specifies which AVPs should be encrypted, signed or both, as well as which public key(s) to use. The originating node sends the DSAR message to a server in the destination realm. The DSAR message contains: - TTL for this DSA (seconds) - the realm part of the user's NAI - the list of direct trust CA's that the originating Diameter node has configured into it for certificate validation. A "direct trust" CA is one that the node is willing to use as the "top" of a certificate chain, sometimes confusingly known as a "root CA." - a flag indicating whether the originating Diameter node wishes to receive certificate status information using OCSP messages. If this flag requires a fresh OCSP response, a nonce to be used by the destination Diameter node in OCSP requests MUST also be supplied. See [OCSP] for more details on the certificate status protocol and messages. The destination node MUST check that the provided elements of the DSAR are valid. It MUST check, at least, that: - Its local policy allows the given TTL, realm, AVP protection expectations, certification status, and other parameters. - A common "top" of the certificate chain can be found between the home and foreign domains. If these conditions can not be verified, the destination node MUST return a DSAA with the Result-Code AVP set to DIAMETER_NO_DSA_ESTABLISHED. In the event the DSAR requested OCSP validation, via the OCSP- Calhoun, Farrell, Bulley,expires September 2002 [Page 13] Internet-Draft March 2002 Request-Flags AVP, and OCSP is not locally supported, the DSAA MUST be returned with the Result-Code AVP set to DIAMETER_OCSP_NOT_SUPPORTED. Otherwise, the destination node returns the DSAA message which contains: - TTL for this DSA (seconds) - a chain of CA certificates (possibly empty) - public key certificates for the Diameter servers in the realm, all of which MUST validate up to one of the CA's contained in the DSAR message, via the chain of CA certificates above; - (optionally, if OCSP an response was requested in the DSAR and OCSP is supported) a list of OCSP responses for the certificates in question. If a fresh response was required and a nonce value was included, each response will contain the nonce from the DSAR message The originating Diameter node now has to check the response. Any failure results in error messages, auditing and not sending the Diameter message. DSAA Checks: - the certificate chain provided in the DSAA is cryptographically correct, passes the (relevant parts of the) path validation algorithm specified in [CERTPROF] and terminates at a CA mentioned in the DSAR message - the name in the certificate is consistent with the rules detailed in section 3.2. - the DSAA message MUST include the CMS-Signed-Data AVP, the signature MUST be validated and the signer's certificate chain MUST terminate as a CA mentioned in the DSAR message - the expiration of the TTL MUST be less or equal to the earliest expiration of all certificates in the message, encoded in the notAfter field. If the initiator's policy is such that certificate status is required, it MAY indicate that it requires an OCSP response from the DSA peer in the DSAA message, via the OCSP-Request-Flags AVP. Further, the initiator MAY request that the OCSP response be fresh (non-cached) via the OCSP-Request-Flags and OCSP-Nonce AVPs. Upon receipt of a DSAR message requesting an OCSP response, the receiver issues an OCSP request and returns the response within the DSAA message's OCSP-Responses AVP. The sender of the DSAA MAY included a cached OCSP response, unless the requestor specifically requested a fresh response. The nonce value is to be (the beginning of) the nonce in the OCSP response. The reason for this is that the responder MAY add Calhoun, Farrell, Bulley,expires September 2002 [Page 14] Internet-Draft March 2002 additional bits to the nonce, but the nonce provided in the OSCP- Nonce MUST be present at the beginning of the nonce of the OSCP response. The DSAR message MAY include the CMS-Signed-Data AVP. If the originating node has a private key, and it includes AVPs whose 'P' bit are set, the CMS-Signed-Data AVP MUST be present. The DSAA MUST include the CMS-Signed-Data, signed by a Diameter agent or server within the user's realm, to prevent an intermediate node from modifying the protection expectations for AVPs. Depending upon the security technique required (digital signature, encryption or both), then the originating node prepares the CMS related AVPs as required. If certificate revocation is enabled, anytime a certificate is used from the local certificate cache, a revocation check MUST be performed. Once the DSA is in place, any Diameter messages created by a DSA peer that has a private key MUST contain a signature over all AVPs whose definition states that their 'P' bit MAY be set. Furthermore, these peers MUST encrypt any AVPs whose definition states that they MAY be encrypted. Note: [BASE] includes the "MAY encr" column when describing AVPs. For the originator "MAY encr" as used in [BASE] means that if a message containing that AVP is to be sent via a proxy/agent (as opposed to directly) then the message MUST NOT be sent unless there is a DSA between the originator and the recipient OR the originator has locally trusted configuration that indicates that CMS need not be used. 3.2 Certificate Requirements Certificates used for the purposes of Diameter MUST conform to the PKIX profile [CERTPROF], and MUST also include a Diameter node's FQDN, which is typically added in the Origin-Host AVP [BASE], as one of the values of the subjectAltName extension of the Certificate. The FQDN is to be encoded as a dNSName within the subjectAltName. For Diameter nodes (capable of acting as recipients for confidentiality), the FQDN MUST be of the form "Diameter-.". Other Diameter nodes MAY use this naming scheme. Note that this naming constraint is for PKI purposes only, Calhoun, Farrell, Bulley,expires September 2002 [Page 15] Internet-Draft March 2002 and in no way restricts a Diameter's host name. The naming scheme presented here is intended to: - make it simple to use existing certification authorities (CAs) for Diameter CMS - allow CAs to ensure that only "proper" Diameter certificates are accepted by Diameter nodes - allow Diameter certificates to be used for other purposes where that meets a CA's practices. These names are used for two purposes: 1. Where a Diameter node is verifying a signature it needs to be able to compare the identity of the signer against the identity in the Origin-Host AVP. 2. Where a Diameter node is encrypting AVPs, it needs to be able to ensure that it uses a public key for the intended recipient. This requires comparing the identity in a Certificate against the FQDN of the intended recipient (which is assumed to be known). In either case, the presence of the required FQDN as a dNSName value in the subjectAltName extension of a verified public key certificate satisfies the matching requirement. Note that there MAY also be other values in the subjectAltName extension, (either using dNSName or other elements of the CHOICE), these can be safely ignored, but implementations MUST be able to handle their presence. Note also that the PKIX profile [CERTPROF], section 4.1.2.6, specifies the rules for the relationship between the subjectAltName extension and the subject field of public key certificates. For multiple Diameter servers within a realm that share a public key, each server's identity is encoded in the subjectAltName extension. This allows any server within a realm to decrypt AVPs intended for that realm. Note that once operational experience has been gained, a future document may specify a restricted profile of [CERTPROF] in order to simplify implementation. 3.3 Algorithms For all uses of CMS in this specification the mandatory to implement Calhoun, Farrell, Bulley,expires September 2002 [Page 16] Internet-Draft March 2002 algorithms are as follows: - Hashing: sha-1 (see [CMS] section 12.1.1) - Signature (the hash algorithm is specified separately): rsaEncryption (see [CMS] section 12.2.2) - Content Encryption: des-ede3-cbc (see [CMS] section 12.4.1) - Asymmetric key transport: rsaEncryption (see [CMS] 12.3.2.1) - Symmetric key encryption (only needed in conjunction with [RCEK]): id-alg-CMS3DESwrap (see [CMS] section 12.3.3.1) At some point in future, AES will replace 3DES. 3.4 Reuse of CMS Content Encryption Keys This section describes an efficiency improvement which MAY be supported by Diameter nodes. If a node doesn't support this feature, then it MUST (and naturally will), treat all packets with re-used content encryption keys as a cryptographic failure. The originating node MAY then attempt to re-send the packets using asymmetric key transport. If a node does support this feature, then the MUST/SHOULD statements in this section apply, otherwise not. Once a CMS-Encrypted-Data AVP has been exchanged between two Diameter peers, then they share a symmetric cryptographic key (the content encryption key) which can be used to encrypt further Diameter AVPs between the peers by using the scheme specified in [RCEK]. The peers MUST first take part in an DSAR/DSAA exchange in order to distribute the required asymmetric keys. Although the use of symmetric encryption might be used to provide integrity or confidentiality, it does not provide data origin authentication with proof of origin. [RCEK] leaves open some issues, namely how to handle loss of a shared secret (say following a peer re-boot) and for how long to continue to use a shared secret (the maximum number of decryptions required). Where a Diameter node receives a CMS-Encrypted-Data AVP, but doesn't have the required shared secret, that node SHOULD return the DIAMETER_KEY_UNKNOWN error message. The peer MAY then use the DSAR/DSAA exchange to rebuild their Diameter security association. In [RCEK], the default value for the maximum number of decryptions Calhoun, Farrell, Bulley,expires September 2002 [Page 17] Internet-Draft March 2002 allowed (CEKMaxDecrypts) when re-using a content encryption key is 1. In general this default SHOULD be used, but if a Diameter node "knows" that more than one CMS-Encrypted-Data AVP will be exchanged between the nodes, then the CEKMaxDecrypts setting MAY be set higher. Diameter nodes MUST be able to support a maxDecrypts setting of 1000. Note that the CEKMaxDecrypts value used does not affect that DSA-TTL. The DSA-TTL dictates the lifetime of the DSA, while the CEKMaxDecrypts dictates how often rekeying will occur within the CMS protocol. A content encryption key MUST NOT be reused once the DSA has expired. Implementations MUST be able to support a DSA-TTL of one day, and nodes which support certificate checking (e.g. CRLs, OCSP) that are re-establishing a DSA due to expiration of the TTL MUST re-validate the certificate. 4.0 Command-Codes Values This section defines new Command-Code [BASE] values that MUST be supported by all Diameter implementations that conform to this specification. The following Command Codes are currently defined in this document: Command-Name Abbrev. Code Reference -------------------------------------------------------- Diameter-Security- DSAR 304 4.1 Association-Request Diameter-Security- DSAA 304 4.2 Association-Answer Proxy-Diameter-Security- PDSR 305 4.3 Association-Request Proxy-Diameter-Security- PDSA 305 4.4 Association-Answer 4.1 Diameter-Security-Association-Request The Diameter-Security-Association-Request command, indicated by the Command-Code field set to 304 and the 'R' bit set in the message flags field, is sent by a Diameter node to establish a Diameter Security Association. The DSAR message MUST NOT be used simply as a convenient certificate distribution protocol without establishing a DSA. The CMS-Signed-Data AVP MUST be present if any AVP in the message has the 'P' bit set. Message Format Calhoun, Farrell, Bulley,expires September 2002 [Page 18] Internet-Draft March 2002 ::= < Diameter-Header: 304, REQ, PXY > { Origin-Host } { Origin-Realm } { Destination-Realm } { Auth-Application-Id } { OCSP-Request-Flags } { DSA-TTL } * { Local-CA-info } 0*1[ CA-Chain ] * [ AAA-Node-Cert ] 0*1[ OCSP-Nonce ] 0*1[ Origin-State-Id ] 0*1[ Destination-Host ] 0*1[ CMS-Signed-Data ] * [ AVP ] * [ Proxy-Info ] * [ Route-Record ] 4.2 Diameter-Security-Association-Answer The Diameter-Security-Association-Answer command, indicated by the Command-Code field set to 304, with the 'R' bit in the Command Flags cleared, in response to a DSAR. The CMS-Signed-Data AVP MUST be present if any AVP in the message has the 'P' bit set. If the Result- Code AVP indicates success, the CA-Chain, AAA-Node-Cert, DSA-TTL and CMS-Signed-Data AVPs MUST be present. Message Format ::= < Diameter-Header: 304, PXY > { Result-Code } { Origin-Host } { Auth-Application-Id } { DSA-TTL } * { Local-CA-info } 0*1[ CA-Chain ] * [ AAA-Node-Cert ] 0*1[ Origin-Realm ] 0*1[ Error-Message ] 0*1[ Error-Reporting-Host ] * [ OCSP-Responses ] 0*1[ CMS-Signed-Data ] 0*1[ Origin-State-Id ] * [ AVP ] * [ Proxy-Info ] Calhoun, Farrell, Bulley,expires September 2002 [Page 19] Internet-Draft March 2002 4.3 Proxy-Diameter-Security-Association-Request The Proxy-Diameter-Security-Association-Request command, indicated by the Command-Code field set to 305 and the 'R' bit set in the Command Flags field, is sent by a Diameter node to request that a downstream proxy establishes a Diameter Security Association with a server in a given realm on its behalf. Message Format ::= < Diameter-Header: 305, REQ, PXY > { Origin-Host } { Origin-Realm } { Destination-Realm } { Auth-Application-Id } 0*1[ DSAR-Target-Realm ] 0*1[ Origin-State-Id ] 0*1[ Destination-Host ] * [ AVP ] * [ Proxy-Info ] * [ Route-Record ] 4.4 Proxy-Diameter-Security-Association-Answer The Proxy-Diameter-Security-Association-Answer command, indicated by the Command-Code field set to 305 and the 'R' bit cleared in the Command Flags field, is sent by a Diameter node in response to an PDSR message. Message Format ::= < Diameter-Header: 305, PXY > { Result-Code } { Origin-Host } { Origin-Realm } { Auth-Application-Id } { DSA-TTL } 0*1[ Error-Message ] 0*1[ Error-Reporting-Host ] 0*1[ Origin-State-Id ] * [ Redirect-Host ] 0*1[ Redirect-Host-Usage ] 0*1[ Redirect-Max-Cache-Time ] * [ AVP ] * [ Proxy-Info ] Calhoun, Farrell, Bulley,expires September 2002 [Page 20] Internet-Draft March 2002 5.0 Diameter Security Association Message Flow This section contains an example of a NAS in realm xyz.com, communicating with its local relay agent, which in turn communicates with a server in ABC.COM's network. In the following example, once the initial capabilities exchange is complete, the NAS receives a request for access from alice@abc.com, which causes the DSA setup to be initiated, followed by the application-specific authentication request. Although the example doesn't specifically use bi-directional digital signature and encryption, this feature is supported. +-------+ +-------+ +---------+ | NAS | | Relay | | abc.com | | | | Agent | |Home Srv | +-------+ +-------+ +---------+ | | | |CER apps 1, 2 | | (a) |------------------->| | |CAA apps -1 | | (b) |<-------------------| | | . |CER apps 1, 2 | (c) | |<-------------------| | |CEA apps -1 | (d) | |------------------->| ->| User alice@abc.com | | (e) | Requests Access | | | | | | DSAR | | | Dest-Realm=abc.com | | (f) |--------------------+------------------->| | | DSAA | | | Origin-Host=foo | (g) |<-------------------+--------------------| | Auth-Request + | | | CMS-Signed-Data | | | Dest-Host=foo | | (h) |--------------------+------------------->| | | Auth-Answer + | | | CMS-Encrypted-Data | (i) |<-------------------+--------------------| Figure 6: Example of a DSA Setup (a) NAS sends a CER message to its relay agent indicating that it supports applications 1 (NASREQ) and 2 (CMS Security). (b) The relay agent sends a CEA message to the NAS indicating that Calhoun, Farrell, Bulley,expires September 2002 [Page 21] Internet-Draft March 2002 it is a relay supporting all Diameter applications. (c) ABC.COM's Home Server sends a CER message to a relay agent indicating that it supports applications 1 (NASREQ) and 2 (CMS Security). (d) The relay agent sends a CEA message to ABC.COM's Home Server indicating that it is a relay supporting all Diameter applications. (e) The NAS receives a request for access from a user (alice@abc.com). (f) The NAS issues an DSAR message, with the Destination-Realm AVP set to abc.com. (g) ABC.COM's Home Server processes the DSAR message, and replies with the DSAA message. (h) The NAS issues an authentication request with the Destination- Host AVP set to the value of the Origin-Host AVP in the DSAA. The message includes the CMS-Signed-AVP, which authenticates the AVPs that were requested by the Home Server in the DSAA. (i) The Home Server successfully authenticates the user, and returns a reply, which includes the CMS-Encrypted-Data AVP, whose contents include the AVPs that require encryption. 6.0 CMS Security AVPs This section contains AVPs that are used to establish a Diameter Security Association, and to transport CMS objects. Except as specifically constrained, the profile of CMS algorithm and structure usage is as specified in the S/MIME v3 message specification [MSG]. Calhoun, Farrell, Bulley,expires September 2002 [Page 22] Internet-Draft March 2002 +---------------------+ | AVP Flag rules | |----+-----+----+-----|----+ AVP Section | | |SHLD| MUST|MAY | Attribute Name Code Defined Value Type |MUST| MAY | NOT| NOT|Encr| -----------------------------------------|----+-----+----+-----|----| AAA-Node-Cert 351 6.6 OctetString|M,P | | | V | N | CA-Chain 353 6.8 OctetString| M | P | | V | N | CA-Name 349 6.4.1 UTF8String | M | P | | V | N | CMS-Encrypted- 355 6.2 OctetString| M | P | | V | N | Data | | | | | | CMS-Signed-Data 310 6.1 OctetString| M | | | P,V | N | DSA-TTL 362 6.11 Unsigned32 | M | P | | V | N | DSAR-Target- 360 6.10 UTF8String | M | P | | V | N | Realm | | | | | | Key-Hash 350 6.4.2 OctetString| M | P | | V | N | Local-CA-Info 348 6.4 Grouped | M | P | | V | N | OCSP-Nonce 358 6.5 OctetString| M | P | | V | N | OCSP-Request- 361 6.9 Enumerated | M | P | | V | N | Flags | | | | | | OCSP-Responses 359 6.7 OctetString| M | P | | V | N | The profile of CMS algorithm and structure usage is conformant to that specified in the S/MIME v3 message specification [MSG]. This makes is simpler to base an implementation of this specification upon an existing S/MIME toolkit. No MIME encoding of binary data is required for this specification. This is different from the use of CMS in S/MIME, but is acceptable since Diameter is a binary protocol and investigation has not shown this to cause problems when using existing CMS & S/MIME toolkits. 6.1 CMS-Signed-Data AVP The CMS-Signed-Data AVP (AVP Code 310) is of type OctetString and contains the Basic Encoding Rules (BER) encoding of a CMS object [CMS] of type ContentInfo. This means that where a set of AVPs is to be signed, the set of AVPs with the 'P' bit set MUST first be catenated together in the order in which they occur in the Diameter message. The result of this encoding is used as input into the signing process. Note that the AVPs themselves are not encapsulated within the CMS- Signed-Data AVP. Instead, the digest value of the AVPs produced in the signature process MUST be included in the CMS-Signed-Data AVP, as a message-digest attribute (defined in section 11.2 of [CMS]) in the Calhoun, Farrell, Bulley,expires September 2002 [Page 23] Internet-Draft March 2002 SignerInfo value. Multiple Diameter entities MAY add their signatures to an existing CMS-Signed-Data AVP. Multiple signatures are added within the countersignature attribute (defined in section 11.4 of [CMS]) and not as additional SignerInfo values. The countersignature attribute requires that the signatures occur sequentially, meaning that each signature covers the existing signatures in the CMS object. The initial signature, and any additional countersignatures, MUST cover the exact same set of AVPs, in the order they are present in the message. Note that the CMS-Signed-Data AVP itself MUST NOT be used in the generation of the signature, and therefore MUST NOT have its 'P' bit set. The eContent field of the EncapsulatedContentInfo structure MUST be absent since the digital signature covers data outside of the object. If a receiver cannot verify correctly the signature carried by the CMS-Signed-Data AVP, it SHOULD return the DIAMETER_INVALID_AUTH Result-Code AVP value defined in section 7.1. When AVPs are to be both encrypted and signed, the CMS-Encrypted-Data AVP MUST be created first. This AVP MUST then have the 'P' bit set and be one of the inputs to the signing process as described above. (Any other processing resulting in the same output can be used.) This means that signing is "outside" encryption. No more than one CMS-Signed-Data AVP MUST be present in any given Diameter message. 6.2 CMS-Encrypted-Data AVP The CMS-Encrypted-Data AVP (AVP Code 355) is of type OctetString with the OctetString containing the Basic Encoding Rules (BER) encoding of a CMS object [CMS] of type ContentInfo. All AVPs to be encrypted are concatenated. This value is then: - encrypted according to normal CMS rules, - used as the value of the EncryptedContent field within EnvelopedData. The contentType of the EncryptedContentInfo value MUST be id- data [MSG]. Calhoun, Farrell, Bulley,expires September 2002 [Page 24] Internet-Draft March 2002 A CMS-Encrypted-Data AVP contains exactly one EnvelopedData. Where one or more AVP would be encrypted within separate EnvelopedData structures, then separate CMS-Encrypted-Data AVPs MUST be used. Thus, implementations MUST be able to support the presence of multiple CMS-Encrypted-Data AVPs and MUST be able to decrypt any EnvelopedData for which it is a recipient, as indicated in the EnvelopedData's RecipientInfos field [CMS]. If the recipient is not specified in a RecipientInfo, it MAY choose to process the message or return an answer with the Result-Code AVP set to DIAMETER_NO_DSA_RECIPIENT. If the recipient is in the RecipientInfos and an error occurs during decryption, then the recipient MUST answer with the Result-Code set to DIAMETER_INVALID_AVP_VALUE. Diameter nodes SHOULD implement content encryption key reuse (see section 3.4 above). If a receiver detects that the contents of the CMS-Encrypted- Data AVP are invalid, it SHOULD answer with the Result-Code set to DIAMETER_INVALID_CMS_DATA. Zero or more CMS-Encrypted-Data AVP MAY be present in any Diameter message. 6.3 Example Encodings In order to clarify the contents of and the relationships between CMS-Signed-Data and CMS-Encrypted-Data AVPs we present the following example of how these AVPs are calculated. First, some short-hand: - The "|" character represents concatenation - EnvelopedData-fnc(x,y) represents the EnvelopedData produced as output of a function with x as the to-be-encrypted-data and y as the parameters (e.g. recipient information). - SignedData (y) represents the SignedData produced as output of a function with the catenation of the 'P is set' AVPs as the to-be-digested-data (which is not part of the output!) and y as the parameters (e.g. signer information). The scenario calls for a message containing 7 AVPs s,t,e,p,h,e' and n to meet the following: AVPs s, t and e are to be encrypted for recipient P. Calhoun, Farrell, Bulley,expires September 2002 [Page 25] Internet-Draft March 2002 AVPs e, p and h are to be encrypted for recipient A. AVPs s, and e' are to be signed by originator T. AVP s is to be sent to recipient A. AVP n needs neither signing nor encryption. Note that though there is no explicit requirement that AVP s be encrypted for A, since it will be encrypted for P, we also have to encrypt it for A. Implementations SHOULD NOT send the same AVP both encrypted and in clear. The resulting message will look like: AVP1='P is set', EnvelopedData-fnc(s|t|e,P) AVP2='P is set', EnvelopedData-fnc(s|e|p|h,A) AVP3='P is set', e' AVP4='P is clear', n AVP5='P is clear', SignedData(T) The result of this is that all AVPs except n are actually signed even though signing of t and e wasn't explicitly required. However, this is no harm. 6.4 Local-CA-Info AVP The Local-CA-Info AVP (AVP Code 348) is of type Grouped. The Grouped Data field has the following ABNF grammar: Local-CA-Info ::= < AVP Header: 348 > { CA-Name } { Key-Hash } 6.4.1 CA-Name AVP The CA-Name AVP (AVP Code 349) is of type UTF8String. The AVP contains the DN (in LDAP string syntax [LDAPSTR]) of the Certificate Authority, e.g. "CN=CA;O=Baltimore Technologies;C=IE". 6.4.2 Key-Hash AVP The Key-Hash AVP (AVP Code 350) is of type OctetString, and contains the SHA-1 hash of a public key. The hash MUST be calculated over the representation of the CA public key which would be present in an X.509 public key certificate, specifically, the input for the hash algorithm MUST be the DER encoding of a SubjectPublicKeyInfo representation of the key. Note: This includes the AlgorithmIdentifier as well as the BIT STRING. The Calhoun, Farrell, Bulley,expires September 2002 [Page 26] Internet-Draft March 2002 rules given in [CERTPROF] for encoding keys MUST be followed. Since this AVP is used for indexing and not for security (since Diameter nodes SHOULD validate certificates), there is no need to support more than one hash algorithm here. 6.5 OCSP-Nonce AVP The OCSP-Nonce AVP (AVP Code 358) is of type OctetString, and contains a random value (RECOMMENDED to be at least 128 bits) generated by the Diameter node. 6.6 AAA-Node-Cert AVP The AAA-Node-Cert AVP (AVP Code 351) is of type OctetString and contains a public key certificate for the AAA node. Note: this AVP contains no CA certificates, just the end-entity certificate. Certificates MUST follow the naming conventions described in section 3.2. 6.7 OCSP-Responses AVP The OCSP-Responses AVP (AVP Code 359) is of type OctetString, and contains an OCSP response message from an OCSP responder. If the OCSP-Request-Flags AVP indicating a response was required in the corresponding request message, the OCSP-Responses AVP MUST be present. Furthermore, the OCSP-Request-Flags AVP MAY request a fresh OCSP response message, which MUST also include the OCSP-Nonce AVP. 6.8 CA-Chain AVP The CA-Chain AVP (AVP Code 353) is of type OctetString, and contains a certificate chain, from one of the nominated locally trusted CAs down to the (one and only) CA which has issued the end entity certificates in the AAA-Node-Cert AVP. The OctetString contains a CMS "certs-only" message. To produce this AVP in an DSAA message, one (and only one) of the Local-CA-info values from the corresponding DSAR message is selected (call this the "top" CA for the purposes of this description). This AVP then contains a certificate path (in order) from the "top" CA down to the (one and only) CA which has issued the end entity certificate in the AAA-Node-Cert AVP. The (typically self-signed), certificate of the "top" CA MUST NOT be included. Calhoun, Farrell, Bulley,expires September 2002 [Page 27] Internet-Draft March 2002 6.9 OCSP-Request-Flags AVP The OCSP-Request-Flags AVP (AVP Code 361) is of type Enumerated, and specifies whether the sender wishes to receive an OCSP response. The following values are defined: NO_OCSP_RESPONSE 0 The sender does not wish to receive an OCSP Response. OCSP_RESPONSE 1 The sender wishes to receive an OCSP Response, and is willing to accept a stale response. OCSP_FRESH_RESPONSE 2 The sender wishes to receive a fresh OCSP Response. When this value is set, the OCSP-Nonce AVP MUST be present. 6.10 DSAR-Target-Realm AVP The DSAR-Target-Realm AVP (AVP Code 360) is of type UTF8String, and contains the Destination-Realm of the resulting DSAR sent by a non- transparent proxy. 6.11 DSA-TTL AVP The DSA-TTL AVP (AVP Code 362) is of type Unsigned32, and contains the time to live (in seconds) of the Diameter Security Association. The expiration time (now+TTL) MUST NOT be greater than the earliest expiration time (NotAfter field) of all certificates included in this message accompanying this AVP. The DSA-TTL AVP in the DSAA MUST NOT be greater than the DSA-TTL AVP in the DSAR. A DSA-TTL AVP MUST also be included in the PDSA in order to provide information about the lenght of the DSA established by the proxy on behalf of the access device. Implementations MUST be able to support a DSL-TTL of one day. 7.0 Result-Code AVP Values This section defines new Result-Code [BASE] values that MUST be supported by all Diameter implementations that conform to this specification. 7.1 Transient Failures Errors that fall within the transient failures category are used to Calhoun, Farrell, Bulley,expires September 2002 [Page 28] Internet-Draft March 2002 inform a peer that the request could not be satisfied at the time it was received, but MAY be able to satisfy the request in the future. DIAMETER_KEY_UNKNOWN 4008 This error code is returned when a CMS-Signed-Data or CMS- Encrypted-Data AVP is received that was generated using a key that is not locally recognized. This error could be caused if one of the participants of a DSA lost a previously agreed upon key, perhaps as a result of a reboot. DIAMETER_NO_CMS_THROUGH_PROXY 4009 This error code is returned when a non-transparent proxy receives an DSAR message to state that it doesn't allow a DSA through it since it plans to modify AVPs. DIAMETER_CAN_ACT_AS_CMS_PROXY 4010 This error code is returned when a non-transparent proxy receives an DSAR message, and although it doesn't allow a DSA through it, it is willing to initiate a DSA on behalf of the access device. DIAMETER_OCSP_NOT_SUPPORTED 4011 This error code is returned when a DSAR message is received requesting OCSP validation, and the receiver does not support OCSP. DIAMETER_INVALID_AUTH 4012 The signature in the CMS-Signed-Data AVP is invalid. DIAMETER_MISSING_SIGNED_AVPS 4013 Some AVPs within a Diameter message were expected to be signed. 7.2 Permanent Failures Errors that fall within the permanent failures category are used to inform the peer that the request failed, and should not be attempted again. DIAMETER_INVALID_CMS_DATA 5019 This error code is returned when a CMS-Data AVP is received with an invalid ContentInfo object. DIAMETER_NO_COMMON_TRUST 5020 This error code is returned when a receiver receives a DSAR for which it has no common trust with the sender, which is required to establish the DSA. Calhoun, Farrell, Bulley,expires September 2002 [Page 29] Internet-Draft March 2002 DIAMETER_NO_DSA_ESTABLISHED 5021 A Diameter message refers to a Diameter Security Association which does not exist. DIAMETER_DSA_EXPIRED 5022 A Diameter message refers to a Diameter Security Association which has expired. DIAMETER_NO_DSA_RECIPIENT 5023 A Diameter message was received with encrypted data, and the local Diameter node is not a potential recipient of the EnvelopedData. 8.0 AVP Occurrence Tables The table in this section presents the AVPs defined in this document, and specifies in which Diameter messages they MAY, or MAY NOT be present. Note that AVPs that can only be present within a Grouped AVP are not represented in this table. The table uses the following symbols: 0 The AVP MUST NOT be present in the message. 0+ Zero or more instances of the AVP MAY be present in the message. 0-1 Zero or one instance of the AVP MAY be present in the message. 1 One instance of the AVP MUST be present in the message. 1+ At least one instance of the AVP MUST be present in the message. Calhoun, Farrell, Bulley,expires September 2002 [Page 30] Internet-Draft March 2002 +-----------------------+ | Command-Code | |-----+-----+-----+-----+ Attribute Name | DSAR| DSAA| PDSR| PDSA| ------------------------------|-----+-----+-----+-----+ Auth-Application-Id | 1 | 1 | 1 | 1 | Destination-Host | 0-1 | 0 | 0 | 0 | Destination-Realm | 1 | 0 | 1 | 0 | Error-Message | 0 | 0-1 | 0 | 0-1 | Error-Reporting-Host | 0 | 0-1 | 0 | 0-1 | AAA-Node-Cert | 0-1 | 0-1 | 0 | 0 | CA-Chain | 0-1 | 0-1 | 0 | 0 | CA-Name | 0 | 0 | 0 | 0 | CMS-Encrypted-Data | 0 | 0 | 0 | 0 | CMS-Signed-Data | 0-1 | 0-1 | 0 | 0 | DSA-TTL | 1 | 1 | 0 | 0 | DSAR-Target-Realm | 0 | 0 | 0-1 | 0 | Local-CA-Info | 0+ | 0+ | 0 | 0 | OCSP-Nonce | 0-1 | 0 | 0 | 0 | OCSP-Request-Flags | 1 | 0 | 0 | 0 | OCSP-Responses | 0 | 1+ | 0 | 0 | Origin-Host | 1 | 1 | 1 | 1 | Origin-Realm | 1 | 1 | 1 | 1 | Original-State-Id | 0-1 | 0-1 | 0-1 | 0-1 | Proxy-Info | 0+ | 0+ | 0+ | 0+ | Redirect-Host | 0 | 0+ | 0 | 0+ | Redirect-Host-Usage | 0 | 0-1 | 0 | 0-1 | Redirect-Max-Cache-Time | 0 | 0-1 | 0 | 0-1 | Result-Code | 0 | 1 | 0 | 1 | Route-Record | 0+ | 0 | 0+ | 0 | ------------------------------|-----+-----+-----+-----| 9.0 IANA Considerations This section contains the namespaces that have either been created in this specification, or the values assigned to existing namespaces managed by IANA. 9.1 Command Codes This specification assigns the value 304 and 305 from the Command Code namespace defined in [BASE]. See section 4.0 for the assignment of the namespace in this specification. 9.2 AVP Codes Calhoun, Farrell, Bulley,expires September 2002 [Page 31] Internet-Draft March 2002 This specification assigns the values 348-351, 353, 355, 358-362 from the AVP Code namespace defined in [BASE]. See section 6.0 for the assignment of the namespace in this specification. 9.3 Result-Code AVP Values This specification assigns the values 4008-4011, 5019-5023 from the Result-Code AVP (AVP Code 268) value namespace defined in [BASE]. See section 7.0 for the assignment of the namespace in this specification. 9.4 Application Identifier This specification assigns the value two (2) to the Application Identifier namespace defined in [BASE]. See section 1.6 for more information. 9.5 OCSP-Request-Flags AVP Values As defined in Section 6.9, the OCSP-Request-Flags AVP (AVP Code 361) defines the values 0-2. All remaining values are available for assignment via IETF Consensus [HUH???????]. 10.0 Security Considerations This document describes how CMS security can be achieved in the Diameter protocol by allowing S/MIME Cryptographic Message Syntax [CMS] objects to be carried as a Diameter AVP. This specification does not mandate certificate revocation, however not verifying whether a given certificate has been revoked has serious implications, and MAY create a security hole. The PDSR and PDSA messages (sections 4.3 and 4.4) allow a third party proxy to establish a Diameter security association with a Diameter server in a target realm. An access device MUST ensure that the server establishing the SA on its behalf is a trusted entity, since the proxy in question could modify Diameter messages, which would be very difficult to trace. 11.0 References Calhoun, Farrell, Bulley,expires September 2002 [Page 32] Internet-Draft March 2002 Normative References [BASE] P. Calhoun, J. Arkko, E. Guttman, G. Zorn, J. Loughney, "Diameter Base Protocol", draft-ietf-aaa-diameter-09.txt, IETF work in progress, March, 2002. [CERTLDAP] Boyen, Howes, Richard, "Internet X.509 Public Key Infrastructure Operational Protocols - LDAPv2", RFC 2559, April 1999. [CERTPROF] Housley, Ford, Polk, Solo, "Internet X.509 Public Key Infrastruc- ture Certificate and CRL Profile", RFC 2459, January 1999. [CMS] R. Housley, "Cryptographic Message Syntax", RFC 2630, June 1999. [LDAPSTR] M. Wahl, S. Kille, T. Howes, "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names", RFC 2253, December 1997. [MSG] B. Ramsdell, "S/MIME Version 3 Message Specification", RFC 2633, June 1999. [MUSTSHOULD] S. Bradner, "Key words for use in RFCs to Indicate Requirement Lev- els", BCP 14, RFC 2119, March 1997. [OCSP] Myers, Ankney, Malpani, Galperin, Adams, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol (OCSP)", RFC 2560, June 1999. [RCEK] Farrell, Turner, "Reuse of CMS Content Encryption Keys", RFC 3185, October 2001. Informative References [AAAREQS] Aboba et al., "Criteria for Evaluating AAA Protocols for Network Access", RFC 2989, November 2000. Calhoun, Farrell, Bulley,expires September 2002 [Page 33] Internet-Draft March 2002 [CDMAREQ] T. Hiller et al., "Cdma2000 Wireless Data Requirements for AAA", RFC 3141, June 2001. [MIPREQ] S. Glass, S. Jacobs, C. Perkins, "Mobile IP Authentication, Autho- rization, and Accounting Requirements". RFC 2977. October 2000. 12.0 Acknowledgements The authors would also like to acknowledge the following people for their contribution in the development of this specification: Bernard Aboba, Jari Arkko, Steven Bellovin and Miguel A. Monjas Finally, Pat Calhoun would like to thank Sun Microsystems since most of the effort put into this document was done while he was in their employ. 13.0 Authors' Addresses Questions about this memo can be directed to: Pat R. Calhoun Black Storm Networks 250 Cambridge Avenue, Suite 200 Palo Alto, California, 94306 USA Phone: +1 650-617-2932 Fax: +1 650-786-6445 E-mail: pcalhoun@diameter.org Stephen Farrell Baltimore Technologies 39 Parkgate Street, Dublin 8, IRELAND Phone: +353-1-881-6000 Fax: +353-1-881-7000 E-Mail: stephen.farrell@baltimore.ie William Bulley Calhoun, Farrell, Bulley,expires September 2002 [Page 34] Internet-Draft March 2002 Merit Network, Inc. Building One, Suite 2000 4251 Plymouth Road Ann Arbor, Michigan, 48105-2785 USA Phone: +1 734-764-9993 Fax: +1 734-647-5185 E-mail: web@merit.edu 14.0 Full Copyright Statement Copyright (C) The Internet Society (2001). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restric- tion of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this docu- ment itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Inter- net organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards pro- cess must be followed, or as required to translate it into languages other than English. The limited permis- sions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information con- tained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WAR- RANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WAR- RANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." 15.0 Expiration Date This memo is filed as and expires in September 2002. Calhoun, Farrell, Bulley,expires September 2002 [Page 35]