idnits 2.17.1 

draft-calhoun-diameter-proxy-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date.  The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents. 

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  == The page length should not exceed 58 lines per page, but there was 20
     longer pages, the longest (page 2) being 60 lines

  == It seems as if not all pages are separated by form feeds - found 0 form
     feeds but 21 pages


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.

  ** There are 4 instances of too long lines in the document, the longest one
     being 1 character in excess of 72.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords. 

     RFC 2119 keyword, line 92: '...   MUST      This word, or the adjecti...'
     RFC 2119 keyword, line 96: '...   MUST NOT  This phrase means that th...'
     RFC 2119 keyword, line 99: '...   SHOULD    This word, or the adjecti...'
     RFC 2119 keyword, line 105: '...   MAY       This word, or the adjecti...'
     RFC 2119 keyword, line 107: '...hich does not include this option MUST...'
     (61 more instances...)


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- Couldn't find a document date in the document -- date freshness check
     skipped.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: '1' is defined on line 889, but no explicit reference
     was found in the text

  == Unused Reference: '3' is defined on line 892, but no explicit reference
     was found in the text

  == Unused Reference: '4' is defined on line 894, but no explicit reference
     was found in the text

  == Unused Reference: '5' is defined on line 897, but no explicit reference
     was found in the text

  == Unused Reference: '6' is defined on line 899, but no explicit reference
     was found in the text

  == Unused Reference: '7' is defined on line 901, but no explicit reference
     was found in the text

  == Unused Reference: '8' is defined on line 903, but no explicit reference
     was found in the text

  == Unused Reference: '10' is defined on line 907, but no explicit reference
     was found in the text

  ** Obsolete normative reference: RFC 2138 (ref. '1') (Obsoleted by RFC 2865)

  == Outdated reference: A later version (-18) exists of
     draft-calhoun-diameter-05

  -- Possible downref: Normative reference to a draft: ref. '2' 

  ** Downref: Normative reference to an Informational RFC: RFC 1321 (ref. '3')

  -- Possible downref: Non-RFC (?) normative reference: ref. '4'

  ** Downref: Normative reference to an Informational RFC: RFC 2104 (ref. '5')

  -- No information found for draft-calhoun-diameter-authen - is the name
     correct?

  -- Possible downref: Normative reference to a draft: ref. '6' 

  ** Obsolete normative reference: RFC 2486 (ref. '7') (Obsoleted by RFC 4282)

  ** Downref: Normative reference to an Informational RFC: RFC 2477 (ref. '8')

  -- Unexpected draft version: The latest known version of 
     draft-hoffman-pkcs-rsa-encrypt is -02, but you're referring to -03.
     (However, the state information for draft-calhoun-diameter-authen is not
     up-to-date.  The last update was unsuccessful)

  ** Downref: Normative reference to an Informational draft:
     draft-hoffman-pkcs-rsa-encrypt (ref. '9')

  == Outdated reference: A later version (-09) exists of
     draft-calhoun-diameter-framework-02

  -- Possible downref: Normative reference to a draft: ref. '10' 

  ** Downref: Normative reference to an Informational draft:
     draft-ietf-roamops-auth (ref. '11')


     Summary: 17 errors (**), 0 flaws (~~), 12 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	INTERNET DRAFT                                             Pat R. Calhoun
3	Category: Standards Track                          Sun Microsystems, Inc.
4	Title: draft-calhoun-diameter-proxy-01.txt                 William Bulley
5	Date: August 1998                                     Merit Network, Inc.

7	                               DIAMETER
8	                        Proxy Server Extensions

10	Status of this Memo

12	   This document is an individual contribution for consideration by the
13	   AAA Working Group of the Internet Engineering Task Force.  Comments
14	   should be submitted to the diameter@ipass.com mailing list.

16	   Distribution of this memo is unlimited.

18	   This document is an Internet-Draft and is in full conformance with
19	   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
20	   documents of the Internet Engineering Task Force (IETF), its areas,
21	   and its working groups.  Note that other groups may also distribute
22	   working documents as Internet-Drafts.

24	   Internet-Drafts are draft documents valid for a maximum of six months
25	   and may be updated, replaced, or obsoleted by other documents at any
26	   time.  It is inappropriate to use Internet-Drafts as reference
27	   material or to cite them other than as "work in progress."

29	   The list of current Internet-Drafts can be accessed at:

31	      http://www.ietf.org/ietf/1id-abstracts.txt

33	   The list of Internet-Draft Shadow Directories can be accessed at:

35	      http://www.ietf.org/shadow.html.

37	Abstract

39	   This DIAMETER Extension defines commands and AVPs that are used when
40	   DIAMETER messages must be proxied by DIAMETER Servers. This extension
41	   is intended to clearly define how proxying can be done with DIAMETER.

43	Table of Contents

45	   1.0 Introduction
46	       1.1 Definitions
47	       1.2 Terminology
48	   2.0 Command Codes
49	       2.1 Domain-Discovery-Request (DDR)
50	       2.2 Domain-Discovery-Answer (DDA)
51	   3.0 DIAMETER AVPs
52	       3.1 Proxy-State
53	       3.2 Digital-Signature
54	       3.3 X509-Certificate
55	       3.4 X509-Certificate-URL
56	       3.5 Next-Hop
57	   4.0 Protocol Definition
58	       4.1 Data Integrity
59	           4.1.1 Using Digital Signatures
60	           4.1.1 Using Mixed Data Integrity AVPs
61	       4.2 AVP Data Encryption
62	           4.2.1 AVP Encryption with Public Keys
63	       4.3 Public Key Cryptography Support
64	           4.3.1 X509-Certificate
65	           4.3.2 X509-Certificate-URL
66	           4.3.3 Static Public Key Configuration
67	   5.0 References
68	   6.0 Acknowledgements
69	   7.0 Author's Address

71	1.0  Introduction

73	   Many services, including ROAMOPS and MobileIP, have a requirement for
74	   DIAMETER Server to proxy a request to another DIAMETER Server. The
75	   concept of proxying AAA requests was introduced by RADIUS and has
76	   been in use for many years.

78	   Unfortunately due to the fact that RADIUS only supports hop-by-hop
79	   security, where each node has a security association with the next
80	   hop, this does introduce some security flaws. Specifically a
81	   fraudulent proxy server can modify some portions of an AAA request in
82	   order to make the next hop improperly believe that some services were
83	   rendered. For example, a DIAMETER Proxy Server could modify an
84	   accounting request, such as the number of bytes that a user
85	   transfered, and the end system would have no way of determining that
86	   this change occured.

88	1.1  Definitions
89	   In this document, several words are used to signify the requirements
90	   of the specification.  These words are often capitalized.

92	   MUST      This word, or the adjective "required", means that the
93	             definition is an absolute requirement of the
94	             specification.

96	   MUST NOT  This phrase means that the definition is an absolute
97	             prohibition of the specification.

99	   SHOULD    This word, or the adjective "recommended", means that
100	             there may exist valid reasons in particular circumstances
101	             to ignore this item, but the full implications must be
102	             understood and carefully weighed before choosing a
103	             different course.

105	   MAY       This word, or the adjective "optional", means that this
106	             item is one of an allowed set of alternatives.  An
107	             implementation which does not include this option MUST
108	             be prepared to interoperate with another implementation
109	             which does include the option.

111	2.0  Command Codes

113	   This document defines the following DIAMETER Commands. All DIAMETER
114	   implementations supporting this extension MUST support all of the
115	   following commands:

117	      Command Name          Command Code
118	      -----------------------------------
119	      Domain-Discovery-Request  261
120	      Domain-Discovery-Answer   262

122	2.1  Domain-Discovery-Request (DDR)

124	   Description

126	      The Domain-Discovery-Request message is used by a DIAMETER device
127	      wishing to get contact information about a domain's home
128	      authentication server as well as to receive password policy
129	      information. This message MUST contain the User-Name attribute in
130	      order to pass along the user's domain information.

132	      It is not necessary for an implementation to issue a DDR in order
133	      to make use of a proxy server.

135	      The X509-Certificate or the X509-Certificate-URL [2] MUST be
136	      present in this message in order to inform the home authentication
137	      server of the issuing host's certificate.

139	      At least one Extension-Id AVP MUST be present in the DDR in order
140	      to inform the peer about the locally supported extensions.

142	   Message Format

144	      <Domain-Discovery-Req> ::= <DIAMETER Header>
145	                                 <Domain-Discovery-Req Command AVP>
146	                                 <Host-IP-Address AVP>
147	                                 [<Host-Name AVP>]
148	                                 <Extension-Id AVPs>
149	                                 <User-Name AVP>
150	                                 [<X509-Certificate AVP>]
151	                                 [<X509-Certificate-URL AVP>]
152	                                 <Timestamp AVP>
153	                                 <Nonce AVP>
154	                                 {<Integrity-Check-Vector AVP> ||
155	                                  <Digital-Signature AVP }

157	   AVP Format

159	      A summary of the Domain-Discovery-Request packet format is shown
160	      below. The fields are transmitted from left to right.

162	      0                   1                   2                   3
163	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
164	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
165	      |                           AVP Code                            |
166	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
167	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
168	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
169	      |                         Command Code                          |
170	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

172	      AVP Code

174	         256     DIAMETER Command

176	      AVP Length

178	         The length of this attribute MUST be 12.

180	      AVP Flags

182	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
183	         upon the security model used. The 'V', 'T' and the 'P' bits
184	         MUST NOT be set.

186	      Command Type

188	         The Command Type field MUST be set to 261 (Domain-Discovery-
189	         Request).

191	2.2  Domain-Discovery-Answer (DDA)

193	   Description

195	      The Domain-Discovery-Answer message is sent in response to the
196	      Domain-Discovery-Request message by the domain's Home
197	      authentication server. The message MUST contain either the Host-
198	      Name or Host-IP-Address and either the X509-Certificate or the
199	      X509-Certificate-URL attribute and SHOULD contain at least one
200	      Framed-Password-Policy AVP.

202	      At least one Extension-Id AVP MUST be present in the DDA in order
203	      to inform the requestor about the locally supported extensions.

205	      The Domain-Discovery-Answer message MUST include the Result-Code
206	      AVP to indicate whether the request was successful or not. The
207	      following Error Codes are defined for this command:

209	         DIAMETER_ERROR_UNKNOWN_DOMAIN       1
210	            This error code is used to indicate to the initiator of the
211	            request that the requested domain is unknown and cannot be
212	            resolved.

214	         DIAMETER_ERROR_BAD_CERT             2
215	            This error code is used to indicate that the X509-
216	            Certificate or the X509-Certificate-URL in the Domain-
217	            Discovery-Request was invalid.

219	         DIAMETER_ERROR_CANNOT_REPLY         3
220	            This error code is returned when either an intermediate
221	            DIAMETER node or the home authentication server cannot reply
222	            to DIAMETER messages directly.  This could be that the
223	            policy of an intermediate DIAMETER server does not permit
224	            direct contact and therefore requires proxying. It could
225	            also signify that the home authentication server does not
226	            have public key support.

228	   Message Format
229	      <Domain-Discovery-Answer> ::= <DIAMETER Header>
230	                                    <Domain-Disc-Answer Command AVP>
231	                                    <Result-Code AVP>
232	                                    [<Error-Code AVP>]
233	                                    <Host-IP-Address AVP>
234	                                    [<Host-Name AVP>]
235	                                    <Extension-Id AVPs>
236	                                    <Framed-Password-Policy AVP>
237	                                    [<X509-Certificate AVP>]
238	                                    [<X509-Certificate-URL AVP>]
239	                                    <Timestamp AVP>
240	                                    <Nonce AVP>
241	                                    {<Integrity-Check-Vector AVP> ||
242	                                     <Digital-Signature AVP }

244	   AVP Format

246	      A summary of the Domain-Discovery-Answer packet format is shown
247	      below. The fields are transmitted from left to right.

249	      0                   1                   2                   3
250	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
251	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
252	      |                           AVP Code                            |
253	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
254	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
255	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
256	      |                         Command Code                          |
257	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

259	      AVP Code

261	         256     DIAMETER Command

263	      AVP Length

265	         The length of this attribute MUST be 12.

267	      AVP Flags

269	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
270	         upon the security model used. The 'V', 'T' and the 'P' bits
271	         MUST NOT be set.

273	      Command Type

275	         The Command Type field MUST be set to 262 (Domain-Discovery-
276	         Answer).

278	3.0  DIAMETER AVPs

280	   This section will define the mandatory AVPs which MUST be supported
281	   by all DIAMETER implementations. Note the first 256 AVP numbers are
282	   reserved for RADIUS compatibility.

284	   The following AVPs are defined in this document:

286	      Attribute Name       Attribute Code
287	      -----------------------------------
288	      Proxy-State                33
289	      Digital-Signature         260
290	      X509-Certificate          264
291	      X509-Certificate-URL      265
292	      Next-Hop                  278

294	3.1  Proxy-State

296	   Description

298	      The Proxy-State AVP is used by proxy servers when forwarding
299	      requests and contains opaque data that is used by the proxy to
300	      further process the response.

302	      This attribute should be removed by the proxy server before the
303	      response is forwarded to the NAS, and SHOULD therefore not be
304	      protected by the Integrity-Check-Vector or the Digital-Signature.

306	   AVP Format

308	      A summary of the Proxy-State AVP format is shown below. The fields
309	      are transmitted from left to right.

311	      0                   1                   2                   3
312	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
313	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
314	      |                           AVP Code                            |
315	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
316	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
317	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
318	      |    Data ...
319	      +-+-+-+-+-+-+-+-+

321	      AVP Code

323	         33 for Proxy-State.

325	      AVP Length

327	         The length of this attribute MUST be at least 9.

329	      AVP Flags

331	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
332	         upon the security model used. The 'V', 'T' and the 'P' bits
333	         MUST NOT be set.

335	      String

337	         The String field is one or more octets. The actual format of
338	         the information is site or application specific, and a robust
339	         implementation SHOULD support the field as undistinguished
340	         octets.

342	3.2  Digital-Signature

344	   Description

346	      The Digital-Signature AVP is used for authentication, integrity as
347	      well as non-repudiation. A DIAMETER entity adding AVPs to a
348	      message MUST ensure that all AVPs appear prior to the Digital-
349	      Signature AVP (with the exception of the Integrity-Check-Vector
350	      AVP that MUST appear after the Digital-Signature AVP). The
351	      Timestamp AVP MUST be present to provide replay protection and the
352	      Nonce AVP must be present to add randomness to the packet.

354	      The DIAMETER header as well as all AVPs with the 'P' bit disabled
355	      are protected by the Digital-Signature.

357	      In order to support proxy DIAMETER servers, which forwards
358	      messages to next hop server, the proxy server MUST NOT modify any
359	      AVPs with the 'P' bit disabled. This ensures that end-to-end
360	      security is maintained even through proxy arrangements.

362	      The Digital-Signature is generated in the method described in
363	      section 4.5.2.

365	      All DIAMETER implementations supporting this extension MUST
366	      support this AVP.

368	   AVP Format

370	      A summary of the Digital-Signature AVP format is shown below. The
371	      fields are transmitted from left to right.

373	      0                   1                   2                   3
374	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
375	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
376	      |                           AVP Code                            |
377	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
378	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
379	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
380	      |                            Address                            |
381	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
382	      |                          Transform ID                         |
383	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
384	      |    Data ...
385	      +-+-+-+-+-+-+-+-+

387	      AVP Code

389	         260     Digital-Signature

391	      AVP Length

393	         The length of this attribute MUST be at least 17.

395	      AVP Flags

397	         The 'M' bit MUST be set. The 'H' MAY be set if the request is
398	         protected with an ICV AVP. The 'E', 'V', 'T' and the 'P' bits
399	         MUST NOT be set.

401	      Address

403	         The Address field contains the IP address of the DIAMETER host
404	         which generated the Digital-Signature.

406	      Transform ID

408	         The Transform ID field contains a value that identifies the
409	         transform that was used to compute the signature. The following
410	         values are defined in this document:

412	         RSA [9]          1

414	      Data

416	         The Data field contains the digital signature of the packet up
417	         to this AVP.

419	3.3  X509-Certificate
420	   Description

422	      The X509-Certificate is used in order to send a DIAMETER peer the
423	      local system's X.509 certificate chain, which is used in order to
424	      validate the Digital-Signature attribute.

426	      Section 4.3.1 contains more information about the use of
427	      certificates.

429	   AVP Format

431	      A summary of the X509-Certificate AVP format is shown below. The
432	      fields are transmitted from left to right.

434	      0                   1                   2                   3
435	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
436	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
437	      |                           AVP Code                            |
438	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
439	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
440	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
441	      |    Data ...
442	      +-+-+-+-+-+-+-+-+

444	      AVP Code

446	         264     X509-Certificate

448	      AVP Length

450	         The length of this attribute MUST be at least 9.

452	      AVP Flags

454	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
455	         upon the security model used. The 'V', 'T' and the 'P' bits
456	         MUST NOT be set.

458	      Data

460	         The Data field contains the X.509 Certificate Chain.

462	3.4  X509-Certificate-URL

464	   Description

466	      The X509-Certificate-URL is used in order to send a DIAMETER peer
467	      a URL to the local system's X.509 certificate chain, which is used
468	      in order to validate the Digital-Signature attribute.

470	      Section 4.3.1 contains more information about the use of
471	      certificates.

473	   AVP Format

475	      A summary of the X509-Certificate-URL AVP format is shown below.
476	      The fields are transmitted from left to right.

478	      0                   1                   2                   3
479	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
480	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
481	      |                           AVP Code                            |
482	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
483	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
484	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
485	      |   String ...
486	      +-+-+-+-+-+-+-+-+

488	      AVP Code

490	         265     X509-Certificate-URL

492	      AVP Length

494	         The length of this attribute MUST be at least 9.

496	      AVP Flags

498	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
499	         upon the security model used. The 'V', 'T' and the 'P' bits
500	         MUST NOT be set.

502	      String

504	         The String field contains the X.509 Certificate Chain URL.

506	3.5  Next-Hop

508	   Description

510	      The Next-Hop AVP MUST preceed a Digital-Signature AVP and is used
511	      to validate that a packet traversed the proxy chain that was
512	      intended. A DIAMETER message that includes a Host-IP-Address with
513	      a different Next-Hop AVP that preceeds it is considered invalid.

515	   AVP Format

517	      A summary of the Next-Hop AVP format is shown below. The fields
518	      are transmitted from left to right.

520	      0                   1                   2                   3
521	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
522	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
523	      |                           AVP Code                            |
524	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
525	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
526	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
527	      |                            Address                            |
528	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

530	      AVP Code

532	         278     Next-Hop

534	      AVP Length

536	         The length of this attribute MUST be 12.

538	      AVP Flags

540	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
541	         upon the security model used. The 'V', 'T' and the 'P' bits
542	         MUST NOT be set.

544	      Address

546	         This field contains the IP Address of the next DIAMETER Server.

548	4.0  Protocol Definition

550	   This section will describe how the base protocol works (or is at
551	   least an attempt to).

553	4.1  DIAMETER Proxying

555	   The ROAMOPS specification [11] discusses how RADIUS servers can be
556	   arranged in a hierarchical manner, allowing message exchanges across
557	   domain boundaries. The specification also describes some security
558	   flaws encountered when RADIUS is used in a proxy environment. The
559	   DIAMETER extension described in this document introduces end-to-end
560	   security, which solves many of the problems encountered when RADIUS
561	   is used.

563	                   (Request)                   (Request)
564	      +------+       ----->       +------+      ------>       +------+
565	      |      |                    |      |                    |      |
566	      | NASB +--------------------+ DIA2 +--------------------+ DIA1 |
567	      |      |                    |      |                    |      |
568	      +------+       <-----       +------+      <------       +------+
569	                     (Answer)                   (Answer)

571	   In this example NASB generates a Request that is forwarded to DIA2.
572	   The Request contains a digital signature AVP which "protects" all
573	   mandatory (or non-editable) AVPs within the request. All AVPs which
574	   may be modified, or removed appear after the digital signature AVP.
575	   Once DIA2 receives the request, it MAY authenticate the request to
576	   ensure that it was originated by NASB (verifying the signature is not
577	   necessary if the link between NASB and DIA2 is secured using IPSEC).

579	   The DIA2 Server SHOULD add the Proxy-State AVP, which contains opaque
580	   data that MUST be present in the response and is used to identify
581	   state information related to the request or response. If the Proxy-
582	   State AVP is already present in the request, it MUST be replaced with
583	   DIA2's Proxy-State AVP. This means that the Proxy-State AVP cannot be
584	   protected end-to-end. The Server MAY also add other new AVPs to the
585	   request. All AVPs that are protected by the Digital-Signature MUST
586	   have the 'P' bit set, and all AVPs MUST preceed the Digital-Signature
587	   AVP. The message is then forwarded towards the DIA1 server.

589	   Since all packets between NASB and DIA1 must flow through DIA2, it is
590	   not possible to use IPSEC between them, therefore the digital
591	   signature must be present within the DIAMETER protocol itself. NASB
592	   and DIA1 do not need to validate the digital signature AVP if the
593	   link between themselves and DIA2 is secured using IP Security.

595	   This mechanism now provides a method for DIA1 to prove that NASB was
596	   the initiator of the request (note that DIAMETER also includes a
597	   timestap to prevent replay attacks). It also provides a method of
598	   ensuring that DIA2 cannot modify any protected AVPs (such as length
599	   of call, etc.).

601	   In addition, this same mechanism can be used for end-to-end
602	   encryption of AVPs. In the case where NASB needs to encrypt an AVP it
603	   is done using asymetric encryption using DIA1's public key. This
604	   ensures that only DIA1 can decrypt the AVP.

606	   An attack has been identified in this proposal which allows a
607	   malicous man in the middle attack as shown in the following diagram.

609	              (Request)         (Request)         (Request)
610	      +------+  ----->  +------+  ----->  +------+  ----->  +------+
611	      |      |          |      |          |      |          |      |
612	      | NASB +----------+ DIA2 +----------+ DIA3 +----------+ DIA1 |
613	      |      |          |      |          |      |          |      |
614	      +------+  <-----  +------+  <-----  +------+  <-----  +------+
615	                (Answer)         (Answer)          (Answer)

617	   In this example, DIA3 traps packets generated from DIA2 towards DIA1,
618	   removes the AVPs added by DIA2 and inserts its own AVPs (possibly by
619	   trying to convince DIA1 to pay DIA3 for the services). This attack
620	   can be prevented by supporting a new Next-Hop AVP. In this case when
621	   NASB prepares a request it inserts a non-editable Next-Hop AVP which
622	   contains DIA2's identitity. DIA2 also adds a Next-Hop AVP with DIA1
623	   as the next hop.

625	   This mechanism ensures that a man in the middle cannot alter the
626	   packet by overriding the previous hop's additions and signature. DIA1
627	   could easily validate the packet's path with the use of the Next-Hop
628	   AVPs.

630	4.2  Domain Discovery

632	   The Domain Discovery message set is very useful in determining the
633	   Home authentication server, the password policies for the domain, as
634	   a mechanism to retrieve a certificate (or a pointer to a
635	   certificate).

637	   Note that it is not necessary for a host to issue a Domain Discovery
638	   in order to make use of a proxy. A DIAMETER Request MAY be proxied by
639	   an intermediate server without the knowledge of the client, however
640	   the client will be unable to validate any Digital-Signatures if the
641	   home authentication server's certificate or public key is not known.

643	   The following example shows a case where DIA1 needs to communicate
644	   with DIA3. In this example it is necessary to use DIA2 as a proxy in
645	   order for both ISPs to communicate. Although this MAY be desireable
646	   in some business models, there are cases where it is beneficial to
647	   remove the proxy altogether and allow both DIA3 and DIA1 to
648	   communicate in a secure fashion.

650	                  (DD-Request)               (DD-Request)
651	      +------+       ----->       +------+      ------>       +------+
652	      |      |                    |      |                    |      |
653	      | DIA1 +--------------------+ DIA2 +--------------------+ DIA3 |
654	      |      |                    |      |                    |      |
655	      +------+       <-----       +------+      <------       +------+
656	                  (DD-Response)              (DD-Response)

658	   The way the Domain Discovery works is that prior to sending out an
659	   authentication request DIA1 would issue a Domain Discovery message
660	   towards DIA2. This message is protected with the digital signature as
661	   well as the Next-Hop AVP. DIA2 would then forward the request to DIA3
662	   including the Next-Hop and the digital signature AVP.

664	   When DIA3 receives the request, it MUST save the certificate (or the
665	   pointer to the certificate) and respond back including the local
666	   password policy, DIA3's certificate, its contact information (i.e. IP
667	   address) and protect the response with the digital signature.

669	   Note that in all cases the TimeStamp AVP is also present to ensure no
670	   replay packets are accepted.

672	   When DIA2 receives the packet, it must add the Next-Hop AVP as well
673	   as the digital signature AVP. When DIA1 receives the packet it then
674	   knows a direct route to communicate with DIA3 since the contact
675	   information is present in the response. The fact that both DIA1 and
676	   DIA3 can now communicate directly allows both peers to use IPSEC to
677	   protect the message exchange (it may be desirable to use the
678	   Digital-Signature AVP in instances where records of digitally signed
679	   packets must be kept).

681	                                  (Request)
682	                     +------+       ----->       +------+
683	                     |      |                    |      |
684	                     | DIA1 +--------------------+ DIA3 |
685	                     |      |                    |      |
686	                     +------+       <-----       +------+
687	                                   (Answer)

689	   In addition, the password policy is also present which can indicate
690	   whether DIA3 is willing to accept CHAP, PAP or EAP authentication.

692	   Note that the Domain-Discovery-Request/Answer MUST include at least
693	   one Extension-Id AVP [2].

695	4.3  Data Integrity
696	   This section will describe how data integrity and non-repudiation is
697	   achieved using the Digital-Signature AVP.

699	   Note that the Timestamp and Nonce AVPs MUST be present in the message
700	   PRIOR to the Digital-Signature AVPs discussed in this section. The
701	   Timestamp AVP provides replay protection and the Nonce AVP provides
702	   randomness.

704	   Any AVPs in a message that is not followed by either the ICV or the
705	   Digital-Signature AVPs MUST be ignored.

707	4.3.1  Using Digital Signatures

709	   In the case of a simple peer to peer relationship the use of IPSEC is
710	   sufficient for data integrity and non-repudiation. However there are
711	   instances where a peer must communicate with another peer through the
712	   use of a proxy server. IPSEC does not provide a mechanism to protect
713	   traffic when two peers must use an intermediary node to communicate
714	   at the application layer therefore the Digital-Signature AVP MUST be
715	   used.

717	   The following diagram shows an example of a router initiating a
718	   DIAMETER message to DIA1. Once DIA1 has finished processing the
719	   message it adds its signature and forwards the message to the non-
720	   trusted DIA2 proxy server. If DIA2 needs to add or change any
721	   protected AVPs it SHOULD add its digital signature before forwarding
722	   the message to DIA3.

724	      +------+  ----->  +------+  ----->  +------+  ----->  +------+
725	      |      |          |      |          | non- |          |      |
726	      |router+----------+ DIA1 +----------+trustd+----------+ DIA3 |
727	      |      |          |      |          | DIA2 |          |      |
728	      +------+  <-----  +------+  <-----  +------+  <-----  +------+

730	   Since some fields within the DIAMETER header will change "en route"
731	   towards the final DIAMETER destination, it is necessary to set the
732	   unprotected fields to zero (0) prior to calculating the signature.
733	   The two unprotected fields are the identifier and the length in the
734	   DIAMETER header.

736	   The following is an example of a message that include end-to-end
737	   security:

739	      <DIAMETER Message> ::= <DIAMETER Header>
740	                             <Command AVP>
741	                             [<Additional AVPs>]
742	                             <Next-Hop AVP>
743	                             <Timestamp AVP>
744	                             <Nonce AVP>
745	                             <Digital-Signature AVP>

747	   The AVP Header's 'P' bit is used to identify which AVPs are
748	   considered protected when applying a digital signature to a DIAMETER
749	   message. Protected AVPs cannot be changed "en route" since they are
750	   protected by the Digital Signature AVP. All AVPs added by a DIAMETER
751	   entity MUST appear prior to the Digital Signature AVP that is added
752	   (with the exception of the Integrity-Check-Vector AVP). However, only
753	   AVPs with the 'P' bit set are used in the digital signature
754	   calculation.

756	   The Next-Hop AVP indicates the intended recipient of the DIAMETER
757	   message.  When a DIAMETER message is received with a Next-Hop AVP
758	   that does not correspond with the Host-IP-Address that follows, the
759	   message MUST be considered invalid and MUST be rejected.

761	   The Data field of the Digital-Signature AVP contains the RSA/MD5
762	   signature algorithm as defined in [9].

764	4.3.2  Using Mixed Data Integrity AVPs

766	   The previous sections described the Integrity-Check-Vector and the
767	   Digital-Signature AVP. Since the ICV offers hop-by-hop integrity and
768	   the digital signature offers end to end integrity, it is possible to
769	   use both AVPs within a single DIAMETER message.

771	   The following diagram provides an example where DIAMETER Server 1
772	   (DIA1) communicates with DIA3 using Digital-Signatures through DIA2.
773	   In this example ICVs are used between DIA1 and DIA2 as well as
774	   between DIA2 and DIA3.

776	                      <Public-Key>
777	             ----------------------------->
778	            <Shared-Secret>   <Shared-Secret>
779	      +------+  ----->  +------+  ----->  +------+
780	      |      |          |      |          |      |
781	      | DIA1 +----------+ DIA2 +----------+ DIA3 |
782	      |      |          |      |          |      |
783	      +------+          +------+          +------+

785	   Using the previous diagram, the following message would be sent
786	   between DIA1 and DIA2:

788	      <DIAMETER Message> ::= <DIAMETER Header>
789	                             <Command AVP>
790	                             [<Additional AVPs>]
791	                             <Timestamp AVP>
792	                             <Nonce AVP>
793	                             <Digital-Signature AVP>
794	                             <Integrity-Check-Vector AVP (DIA1->DIA2)>

796	   The following message would be sent between DIA2 and DIA3:

798	      <DIAMETER Message> ::= <DIAMETER Header>
799	                             <Command AVP>
800	                             [<Additional AVPs>]
801	                             <Timestamp AVP>
802	                             <Nonce AVP>
803	                             <Digital-Signature AVP>
804	                             <Timestamp AVP>
805	                             <Nonce AVP>
806	                             <Integrity-Check-Vector AVP (DIA2->DIA3)>

808	   Note that in the above example messages the ICV AVP appear after the
809	   Digital-Signature AVP. This is necessary since DIA2 above removes the
810	   ICV AVP (DIA1->DIA2) and adds its own ICV AVP (DIA2->DIA3). The ICVs
811	   provide hop-by-hop security while the Digital-Signature provides
812	   integrity of the message between DIA1 and DIA3.

814	            <Shared-Secret>    <Public-Key>
815	      +------+  ----->  +------+  ----->  +------+
816	      |      |          |      |          |      |
817	      |router+----------+ DIA1 +----------+ DIA2 |
818	      |      |          |      |          |      |
819	      +------+  <-----  +------+  <-----  +------+

821	   There are cases, such as in remote access, where the device
822	   initiating the DIAMETER request does not have the processing power to
823	   generate Digital-Signatures as required by the protocol. In such an
824	   arrangement, there normally exists a first hop DIAMETER Server (DIA1)
825	   which acts as a proxy to relay the request to the final
826	   authenticating DIAMETER server (DIA2). It is valid for the first hop
827	   server to remove the Integrity-Check-Vector AVP inserted by the
828	   router and replace it with a Digital-Signature AVP.

830	4.4  AVP Encryption with Public Keys

832	   AVP encryption using public keys is much more complex than the
833	   previously decribed method, yet it is desirable to use it in cases
834	   where the DIAMETER message will be processed by an untrusted
835	   intermediate node (proxy).

837	   Public Key encryption SHOULD be supported, however it is permissible
838	   for a low powered device initiating the DIAMETER message to use
839	   shared secret encryption with the first hop (proxy) DIAMETER server,
840	   which would decrypt and encrypt using the Public Key method.

842	   The PK-Encrypted-Data bit MUST only be set if the final DIAMETER host
843	   is aware of the sender's public key. This information can be relayed
844	   in three different methods as described in section 4.3.

846	   The AVP is encrypted in the method described in [9].

848	4.5  Public Key Cryptography Support

850	   A DIAMETER peer's public key is required in order to validate a
851	   message which includes the the Digital-Signature AVP. There are three
852	   possibilities on retrieving public keys:

854	4.5.1  X509-Certificate

856	   A message which includes a Digital-Signature MAY include the X509-
857	   Certificate AVP. Given the size of a typical certificate, this is
858	   very wasteful and in most cases DIAMETER peers would cache such
859	   information in order to minimize per packet processing overhead.

861	   It is however valid for a DIAMETER host to provide its X509-
862	   Certificate in certain cases, such as when issuing the Device-
863	   Reboot-Indication. It is envisioned that the peer would validate and
864	   cache the certificate at that time.

866	4.5.2  X509-Certificate-URL

868	   The X509-Certificate-URL is a method for a DIAMETER host sending a
869	   message that includes the Digital-Signature to provide a pointer to
870	   its certificate.

872	   Upon receiving such a message a DIAMETER host MAY choose to retrieve
873	   the certificate if it is not locally cached. Of course the process of
874	   retrieving and validating a certificate is lengthy and will require
875	   the initiator of the message to retransmit the request. However once
876	   cached the certificate can be used until it expires.

878	4.5.3  Static Public Key Configuration

880	   Given that using certificates requires a PKI infrastructure which is
881	   very costly, it is also possible to use this technology by locally
882	   configuring DIAMETER peers' public keys.

884	   Note that in a network involving many DIAMETER proxies this may not
885	   scale well.

887	5.0  References

889	    [1] Rigney, et alia, "RADIUS", RFC-2138, April 1997
890	    [2] Calhoun, Rubens, "DIAMETER Base Protocol", Internet-Draft,
891	        draft-calhoun-diameter-05.txt, August 1998.
892	    [3] Rivest, Dusse, "The MD5 Message-Digest Algorithm",
893	        RFC 1321, April 1992.
894	    [4] Kaufman, Perlman, Speciner, "Network Security: Private
895	        Communications in a Public World", Prentice Hall,
896	        March 1995, ISBN 0-13-061466-1.
897	    [5] Krawczyk, Bellare, Canetti, "HMAC: Keyed-Hashing for Message
898	        Authentication", RFC 2104, January 1997.
899	    [6] Calhoun, Bulley, "DIAMETER User Authentication Extensions",
900	        draft-calhoun-diameter-authen-03.txt, May 1998.
901	    [7] Aboba, Beadles "The Network Access Identifier." RFC 2486.
902	        January 1999.
903	    [8] Aboba, Zorn, "Criteria for Evaluating Roaming Protocols",
904	        RFC 2477, January 1999.
905	    [9] Kaliski, "PKCS #1: RSA Encryption Version 1.5", Internet-
906	        Draft, draft-hoffman-pkcs-rsa-encrypt-03.txt, October 1997.
907	    [10] Calhoun, Zorn, Pan, "DIAMETER Framework",
908	         draft-calhoun-diameter-framework-02.txt, Work in Progress,
909	         December 1998
910	    [11] Aboba, Vollbrecht, "Proxy Chaining and Policy Implementation in
911	         Roaming", draft-ietf-roamops-auth-10.txt, Work in Progress,
912	         February 1999.

914	6.0  Acknowledgements

916	   The Authors would like to acknowledge the following people for their
917	   contribution in the development of the DIAMETER protocol:

919	   Bernard Aboba, Jari Arkko, , Daniel C. Fox, Lol Grant, Nancy Greene,
920	   Peter Heitman, Ryan Moats, Victor Muslin, Kenneth Peirce, Allan
921	   Rubens, Sumit Vakil, John R. Vollbrecht, Jeff Weisberg and Glen Zorn

923	7.0  Author's Address
924	   Questions about this memo can be directed to:

926	      Pat R. Calhoun
927	      Technology Development
928	      Sun Microsystems, Inc.
929	      15 Network Circle
930	      Menlo Park, California, 94025
931	      USA

933	       Phone:  1-650-786-7733
934	         Fax:  1-650-786-6445
935	      E-mail:  pcalhoun@eng.sun.com

937	      William Bulley
938	      Merit Network, Inc.
939	      4251 Plymouth Road, Suite C
940	      Ann Arbor, Michigan, 48105-2785
941	      USA

943	       Phone:  1-734-764-9993
944	         Fax:  1-734-647-3185
945	      E-mail:  web@merit.edu