Diameter addresses RADIUS flaws

www.nwfusion.com |  Security, Network access control

You've heard of RADIUS, but what is Diameter?

RADIUS is a protocol to authenticate users who dial in to private networks, hence its full name: Remote Authentication Dial-in User Service.

Dial-in network access servers challenge callers for user name and password, which are checked against a RADIUS server. But RADIUS has been used in ways in which it was never intended, and some say it is time for a new protocol.

One proposal is Diameter. "[The name] Diameter is really a joke that means RADIUS times two," says Pat Calhoun, a Sun engineer and the main author of the Diameter draft under consideration by the Internet Engineering Task Force (IETF).

Diameter can offer more secure authentication, authorization and accounting than RADIUS in some cases, Calhoun says. For instance, ISPs share dial-up points of presence with other ISPs. That way, an ISP's customers can travel from country to country and access the 'Net via local calls. But in this case, RADIUS has a shortcoming that makes Diameter attractive.

The cooperating ISPs use RADIUS checks to ensure that customers are authorized to use the distant POPs. Because the local network access server issues the challenge to customers, the local ISP that takes the call can capture valid challenge and response exchanges. Later, that ISP could use those valid exchanges to make it appear that customers are making calls when they are not. Dishonest ISPs could alter accounting that affects the bills charged for roaming Internet access.

Diameter sets up a challenge and response between a customer and the customer's home Diameter server. Intervening devices don't know that the packets include authentication data. Such a Diameter server could reside in a corporate net to handle authentication challenges for traveling employees.
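The difference the two paragraphs above describe, as an added toy model that is not part of the original article and not real RADIUS or Diameter code: when the visited network issues the challenge, the home server can only check the pair it is handed and will accept the same pair again; when the home server issues each challenge itself and honours it once, a resubmitted exchange is rejected. The HMAC-based response, the `alice` account and the sixteen-byte challenges are assumptions of the model.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of the roaming scenario in the article; it is not the
# real RADIUS/CHAP or Diameter message format and implements neither.
USERS = {"alice": b"correct horse battery staple"}  # constructed test account

def respond(password: bytes, challenge: bytes) -> bytes:
    """The user's keyed reply to a challenge (HMAC is an assumption of the model)."""
    return hmac.new(password, challenge, hashlib.sha256).digest()

class VisitedIssuesChallenge:
    """RADIUS-style roaming: the visited NAS picks the challenge and the home
    server only checks whatever (challenge, response) pair is forwarded to it."""

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        pw = USERS.get(user)
        return pw is not None and hmac.compare_digest(respond(pw, challenge), response)

class HomeIssuesChallenge:
    """Diameter-style roaming as the article describes it: the home server
    issues every challenge itself and honours each one at most once."""

    def __init__(self) -> None:
        self.outstanding = set()

    def issue_challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self.outstanding.add(c)
        return c

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        pw = USERS.get(user)
        if pw is None or challenge not in self.outstanding:
            return False  # unknown, forged or already-used challenge
        self.outstanding.discard(challenge)  # single use: a repeat is rejected
        return hmac.compare_digest(respond(pw, challenge), response)

def roaming_login(home, user: str, visited_issues: bool):
    """One login via a visited ISP; returns (accepted, the exchange the visited ISP saw)."""
    challenge = secrets.token_bytes(16) if visited_issues else home.issue_challenge()
    response = respond(USERS[user], challenge)  # only the genuine user can compute this
    exchange = (user, challenge, response)
    return home.verify(*exchange), exchange

def resubmitted_exchange_accepted(home, exchange) -> bool:
    """Would the home server count a previously seen exchange if it arrived again?"""
    return home.verify(*exchange)
```

The home-issued design only helps if the challenge is unpredictable and tracked as single-use; a home server that issues challenges but forgets which ones it handed out is back to the first model.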

Diameter can also be used to authenticate and authorize users of Code Division Multiple Access (CDMA) wireless data services. Employees using portable CDMA devices would seek authorization to use a carrier's CDMA net. The request would be forwarded to a Diameter server within the net of the firm paying for the service. The server would accept or reject the request.
