Diameter vs RADIUS
Diameter and RADIUS (Remote Authentication Dial In User Service) are two protocols used for AAA (Authentication, Authorization and Accounting) services. The basic operation of RADIUS and Diameter is similar, since both carry authentication, authorization and configuration information between a Network Access Server (NAS) and a shared authentication server. Diameter shares many of RADIUS's features because it evolved from RADIUS. In Diameter, however, the packet format has been significantly improved, the transport mechanism has been improved, and the overall design has moved from a client-server to a peer-to-peer architecture.
What is Diameter?
Diameter is a protocol that provides a basic framework for any kind of service that requires Access, Authorization, and Accounting (AAA) or policy support across many IP based networks. It was originally derived from the RADIUS protocol, which is also a protocol that provides AAA services to computers so that they can connect to and use a network. Diameter brings a number of improvements over RADIUS in different areas, including error handling and reliable message delivery. It therefore aims to become the next generation Authentication, Authorization, and Accounting (AAA) protocol.
Diameter delivers data in the form of AVPs (Attribute Value Pairs). Most of these AVPs are associated with the specific applications that use Diameter, while the Diameter protocol itself uses some of them. AVPs can be added to Diameter messages arbitrarily, so the protocol restricts the inclusion of any unwanted AVPs: as long as the required AVPs are present, unnecessary ones are deliberately blocked. The AVPs used by the base Diameter protocol support the many features it requires.
Generally, with the Diameter protocol any host can be configured as either a client or a server, depending on the network infrastructure, since Diameter is designed for a peer-to-peer architecture. By adding new commands or AVPs, the base protocol can also be extended for use in new applications. A legacy AAA protocol used by many applications might provide functionality that Diameter does not, so designers who use Diameter for new applications have to be very careful about their requirements.
What is RADIUS?
Similar to Diameter, RADIUS is a protocol designed for carrying authentication, authorization, and configuration information between a Network Access Server (NAS) and a shared Authentication Server. The NAS operates as a client of RADIUS and is responsible for passing user information to/from the designated RADIUS servers. On the other hand, RADIUS servers receive user connection requests, and they perform user authentication and return all the configuration information necessary for the client to deliver service to the user.
For example, when a client is configured to use RADIUS, the users of the client have to present authentication information (username and password). The user may use a link framing protocol such as the Point to Point Protocol (PPP) to carry this information. Once the client has received this information, it sends an “Access-Request” to the RADIUS server with the user’s username and password. RADIUS uses UDP port 1812 for authentication and port 1813 for RADIUS accounting, as assigned by the Internet Assigned Numbers Authority (IANA). RADIUS mainly uses PAP, CHAP or EAP for user authentication.
The RADIUS packet structure consists of a fixed size header followed by a variable number of attributes referred to as AVPs (Attribute Value Pairs). Each AVP consists of an attribute code, a length, and a value. The RADIUS header consists of the fields code, identifier, length, and authenticator. The code field contains the message type and length. The identifier field is used to match requests and replies. The length field gives the length of the entire RADIUS packet including all the relevant fields. The authenticator field authenticates the reply messages from the RADIUS server and encrypts the passwords.
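As an added example (not code from the original article), the following Python serialises and parses the header and AVP layout described above, and checks the Response Authenticator of a server reply, which is what lets a NAS detect a forged or tampered Access-Accept. The shared secret, Request Authenticator and attribute values are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from any real deployment).
SECRET = b"example-shared-secret"   # assumed NAS/server shared secret
REQUEST_AUTH = bytes(range(16))     # assumed Request Authenticator from the Access-Request

def build_packet(code, ident, authenticator, attrs):
    """Serialise header (code, identifier, length, authenticator) followed by AVPs (type, length, value)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    """Parse the header and AVPs, enforcing the Length field and per-AVP bounds (one length byte, so <= 255)."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("Length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs

def make_access_accept(ident, request_auth, secret, attrs):
    """Server side: Access-Accept (code 2) whose authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    tmp = build_packet(2, ident, request_auth, attrs)   # RequestAuth sits in the authenticator slot
    resp_auth = hashlib.md5(tmp + secret).digest()
    return tmp[:4] + resp_auth + tmp[20:]

def verify_response(pkt, request_auth, secret):
    """Client side: recompute the Response Authenticator and compare it in constant time."""
    _, _, resp_auth, _ = parse_packet(pkt)
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def demo():
    """A genuine reply verifies; one with a flipped Reply-Message (18) byte or checked with the wrong secret does not."""
    accept = make_access_accept(7, REQUEST_AUTH, SECRET, [(18, b"Welcome"), (6, b"\x00\x00\x00\x02")])
    tampered = accept[:22] + b"Wolcome" + accept[29:]   # same length, one byte changed in the first AVP value
    return (verify_response(accept, REQUEST_AUTH, SECRET),
            verify_response(tampered, REQUEST_AUTH, SECRET),
            verify_response(accept, REQUEST_AUTH, b"wrong-secret"))
```

Note that this only authenticates the reply; it does not show the MD5-based User-Password hiding the request side uses, and MD5 here is what the protocol mandates rather than a choice.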
Diameter vs RADIUS

| Feature | Diameter | RADIUS |
| --- | --- | --- |
| Communication ports | 3868 for the base protocol | 1812 (UDP) for authentication, 1813 for accounting |
| Message handling | Server initiated messages are not supported | Server initiated messages are supported |
| Error reporting scheme | Supported | Not supported |
| Security | Diameter clients support IPsec and may support TLS (Transport Layer Security) | RADIUS defines the use of IPsec, but supporting it is not mandatory |
| Transport methods | Uses SCTP (Stream Control Transmission Protocol) or TCP (Transmission Control Protocol) | Uses UDP (User Datagram Protocol) |
| Proxies and agents | Diameter defines four kinds of agents, which support relay, proxy, redirect or translation services | RADIUS does not define proxy behaviour precisely, so it may differ between implementations |
| Authentication | Uses NAIs (Network Access Identifier), CHAP (Challenge Handshake Authentication Protocol), EAP (Extensible Authentication Protocol), and PAP (Password Authentication Protocol) | Uses NAIs (Network Access Identifier), CHAP (Challenge Handshake Authentication Protocol), EAP (Extensible Authentication Protocol), and PAP (Password Authentication Protocol) |
| Discovering node capabilities | Supported | Not supported |
| Maximum size of attributes | 16 MB | 255 bytes |
| Scalability | Good | Very poor |
| Reliability | Reliable transmission | Unreliable transmission |