Internet Engineering Task Force (IETF)                     H. Tschofenig
Request for Comments: 7966
Category: Informational                                 J. Korhonen, Ed.
ISSN: 2070-1721                                         Broadcom Limited
                                                                 G. Zorn
                                                             Network Zen
                                                               K. Pillay
                                                      Internet Solutions
                                                          September 2016
        
Internet Engineering Task Force (IETF)                     H. Tschofenig
Request for Comments: 7966
Category: Informational                                 J. Korhonen, Ed.
ISSN: 2070-1721                                         Broadcom Limited
                                                                 G. Zorn
                                                             Network Zen
                                                               K. Pillay
                                                      Internet Solutions
                                                          September 2016
        

Security at the Attribute-Value Pair (AVP) Level for Non-neighboring Diameter Nodes: Scenarios and Requirements

非相邻直径节点的属性值对(AVP)级别的安全性:场景和要求

Abstract

摘要

This specification specifies requirements for providing Diameter security at the level of individual Attribute-Value Pairs (AVPs).

本规范规定了在单个属性值对(AVP)级别提供直径安全性的要求。

Status of This Memo

关于下段备忘

This document is not an Internet Standards Track specification; it is published for informational purposes.

本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 7841.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 7841第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7966.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7966.

Copyright Notice

版权公告

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2016 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

Table of Contents

目录

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Security Threats  . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Scenarios for Diameter AVP-Level Protection . . . . . . . . .   7
   5.  Requirements  . . . . . . . . . . . . . . . . . . . . . . . .   8
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  10
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  10
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11
        
   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Security Threats  . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Scenarios for Diameter AVP-Level Protection . . . . . . . . .   7
   5.  Requirements  . . . . . . . . . . . . . . . . . . . . . . . .   8
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  10
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  10
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11
        
1. Introduction
1. 介绍

The Diameter base protocol specification [2] defines security protection between neighboring Diameter peers. Diameter mandates that peer connections must be protected by Transport Layer Security (TLS) [6] for TCP, by Datagram TLS (DTLS) [7] for the Stream Control Transmission Protocol (SCTP), or by security mechanisms that are independent of Diameter (such as IPsec [5]). These security protocols offer a wide range of security properties, including entity authentication, data-origin authentication, integrity protection, confidentiality protection, and replay protection. They also support a large number of cryptographic algorithms, algorithm negotiation, and different types of credentials. It should be understood that TLS/DTLS/IPsec in the Diameter context does not provide end-to-end security unless the Diameter nodes are direct peers, i.e., neighboring Diameter nodes. The current Diameter security is realized hop by hop.

Diameter基本协议规范[2]定义了相邻Diameter对等方之间的安全保护。Diameter要求对等连接必须通过TCP的传输层安全性(TLS)[6],流控制传输协议(SCTP)的数据报TLS(DTL)[7]或独立于Diameter的安全机制(如IPsec[5])进行保护。这些安全协议提供了广泛的安全属性,包括实体身份验证、数据源身份验证、完整性保护、机密性保护和重播保护。它们还支持大量加密算法、算法协商和不同类型的凭证。应当理解,Diameter上下文中的TLS/DTLS/IPsec不提供端到端安全性,除非Diameter节点是直接对等方,即相邻Diameter节点。当前的Diameter安全是逐跳实现的。

The need to also offer additional security protection of AVPs between non-neighboring Diameter nodes was recognized very early in the work on Diameter. This led to work on Diameter security using the Cryptographic Message Syntax (CMS) [3]. However, due to the lack of deployment interest at that time (and the complexity of the developed solution), the specification was never completed.

在有关Diameter的工作中,很早就认识到需要为非相邻Diameter节点之间的AVP提供额外的安全保护。这导致了使用加密消息语法(CMS)[3]研究Diameter安全性。然而,由于当时缺乏部署兴趣(以及开发的解决方案的复杂性),规范从未完成。

In the meanwhile, Diameter had received a lot of deployment interest from the cellular operator community, and because of the sophistication of those deployments, the need for protecting Diameter AVPs between non-neighboring nodes resurfaced. Since the early 2000s (when the work on [3] was discontinued), the Internet community has seen advances in cryptographic algorithms (for example, authenticated encryption algorithms), and new security building blocks have been developed.

与此同时,Diameter受到了蜂窝运营商社区的广泛关注,由于这些部署的复杂性,非相邻节点之间保护Diameter AVP的需求再次浮出水面。自21世纪初(关于[3]的工作停止后),互联网社区在加密算法(例如,认证加密算法)方面取得了进步,并开发了新的安全构建块。

This document specifies requirements for developing a solution to protect Diameter AVPs between non-neighboring Diameter nodes.

本文件规定了开发解决方案以保护非相邻Diameter节点之间的Diameter AVP的要求。

2. Terminology
2. 术语

The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in RFC 2119 [1].

本文件中的关键词‘必须’、‘不得’、‘必需’、‘应’、‘不应该’、‘建议’、‘可能’和‘可选’应按照RFC 2119[1]中的说明进行解释。

This document reuses terminology from the Diameter base specification [2].

本文件重复使用直径基准规范[2]中的术语。

In the figures below, AVP refers to an unprotected AVP, and {AVP}k refers to an AVP that experiences security protection (using key "k") without further distinguishing between integrity and confidentiality protection.

在下图中,AVP指未受保护的AVP,{AVP}k指经历安全保护(使用密钥“k”)而不进一步区分完整性和机密性保护的AVP。

The following terms are also used in this document:

本文件中还使用了以下术语:

AAA broker

AAA经纪人

An entity that manages Authentication, Authorization, and Accounting (AAA) traffic between roaming partner networks.

管理漫游伙伴网络之间的身份验证、授权和记帐(AAA)流量的实体。

AAA broker network

AAA代理网络

A network operated by a AAA broker, which consists of necessary AAA functions to provide AAA brokering services for its customer AAA networks.

由AAA代理运营的网络,由必要的AAA功能组成,为其客户AAA网络提供AAA代理服务。

Diameter firewall

直径防火墙

A Diameter firewall is a proxy (or a relay) agent that acts similarly to conventional IP traffic firewalls but only at the Diameter AVP and command level. A Diameter firewall may, for example, discard AVPs that violate security policy, thus preventing them from traversing the firewall. The Diameter firewall may even discard entire Diameter messages based on the security policy.

Diameter防火墙是一种代理(或中继)代理,其作用类似于传统IP流量防火墙,但仅在Diameter AVP和命令级别。例如,Diameter防火墙可以丢弃违反安全策略的AVP,从而防止它们穿越防火墙。Diameter防火墙甚至可以基于安全策略丢弃整个Diameter消息。

3. Security Threats
3. 安全威胁

This section describes various security threats that raise the need for protecting Diameter Attribute-Value Pairs (AVPs). Figure 1 illustrates an example of a Diameter-based roaming architecture in which Diameter clients within the visited networks need to interact with Diameter servers in the home domain. AAA domains are interconnected using a Diameter-based AAA interconnection network labeled as "AAA broker network".

本节介绍了各种安全威胁,这些威胁会增加保护直径属性值对(AVP)的需要。图1展示了一个基于Diameter的漫游架构示例,其中访问网络中的Diameter客户端需要与主域中的Diameter服务器交互。AAA域使用基于直径的AAA互连网络(标记为“AAA代理网络”)进行互连。

      +oooooooooooooooooo+              +====================+
      |   Example.net    |              |                    |
      |                  |              |                    |
   +--------+      +--------+        +--------+        +--------+
   |Diameter|      |Diameter+--------+Diameter|        |Diameter|
   |Client 1|      |Proxy A1|        |Proxy B |        |Proxy C |
   | (NAS)  +------+        | +------+        +--------+        |----+
   +--------+      +--------+ |      +--------+        +--------+    |
      |                  |    |         |                    |       |
      | Visited Domain 1 |    |         | AAA Broker Network |       |
      +oooooooooooooooooo+    |         +====================+       |
                              |                                      |
                              |                                      |
                              |                                      |
                              |            +\\\\\\\\\\\\\\\\\\\\+    |
                              |     +--------+  Example.com     |    |
                              |     |Diameter|                  |    |
      +oooooooooooooooooo+    |     |Server X+--+         +--------+ |
      |   Example.org    |    |     +--------+  |         |Diameter| |
      |                  |    |     +--------+  +---------+Proxy D |-+
   +--------+      +--------+ |     |Diameter|  |         +--------+
   |Diameter|      |Diameter| |     |Server Y+--+               |
   |Client 2+------+Proxy A2+-+     +--------+    Home Domain   |
   | (NAS)  |      |        |              +////////////////////+
   +--------+      +--------+
      |                  |
      | Visited Domain 2 |
      +oooooooooooooooooo+
        
      +oooooooooooooooooo+              +====================+
      |   Example.net    |              |                    |
      |                  |              |                    |
   +--------+      +--------+        +--------+        +--------+
   |Diameter|      |Diameter+--------+Diameter|        |Diameter|
   |Client 1|      |Proxy A1|        |Proxy B |        |Proxy C |
   | (NAS)  +------+        | +------+        +--------+        |----+
   +--------+      +--------+ |      +--------+        +--------+    |
      |                  |    |         |                    |       |
      | Visited Domain 1 |    |         | AAA Broker Network |       |
      +oooooooooooooooooo+    |         +====================+       |
                              |                                      |
                              |                                      |
                              |                                      |
                              |            +\\\\\\\\\\\\\\\\\\\\+    |
                              |     +--------+  Example.com     |    |
                              |     |Diameter|                  |    |
      +oooooooooooooooooo+    |     |Server X+--+         +--------+ |
      |   Example.org    |    |     +--------+  |         |Diameter| |
      |                  |    |     +--------+  +---------+Proxy D |-+
   +--------+      +--------+ |     |Diameter|  |         +--------+
   |Diameter|      |Diameter| |     |Server Y+--+               |
   |Client 2+------+Proxy A2+-+     +--------+    Home Domain   |
   | (NAS)  |      |        |              +////////////////////+
   +--------+      +--------+
      |                  |
      | Visited Domain 2 |
      +oooooooooooooooooo+
        

Figure 1: Example Diameter Deployment

图1:直径部署示例

Eavesdropping: Some Diameter applications carry information that is only intended for consumption by end points, either by the Diameter client or by the Diameter server but not by intermediaries. As an example, consider the Diameter Extensible Authentication Protocol (EAP) application [4] that allows the

窃听:某些Diameter应用程序所携带的信息只供端点使用,Diameter客户端或Diameter服务器使用,而中介机构不使用。作为一个例子,考虑直径可扩展认证协议(EAP)应用程序(4),它允许

transport of keying material between the Diameter server to the Diameter client (using the EAP-Master-Session-Key AVP) for the protection of the air interface (i.e., the wireless link) between the end device (such as a mobile phone; not shown in the figure) and the Network Access Server (NAS). The content of the EAP-Master-Session-Key AVP should benefit from protection against eavesdropping by intermediaries. Other AVPs (for example, those listed in Section 13.3 of [2]) might also carry sensitive personal data that, when collected by intermediaries, allow for traffic analysis.

在Diameter服务器与Diameter客户端之间传输密钥材料(使用EAP主会话密钥AVP),以保护终端设备(如移动电话;图中未显示)与网络访问服务器(NAS)之间的空中接口(即无线链路)。EAP主会话密钥AVP的内容应受益于防止中间人窃听的保护。其他AVP(例如,[2]第13.3节中列出的AVP)也可能携带敏感的个人数据,当由中介机构收集时,允许进行流量分析。

In the context of the deployment shown in Figure 1, the adversary could, for example, be in the AAA broker network.

例如,在图1所示的部署环境中,对手可能位于AAA代理网络中。

Injection and Manipulation: The Diameter base protocol specification mandates security protection between neighboring nodes, but Diameter agents may be compromised or misconfigured and inject or manipulate AVPs. To detect such actions, additional security protection needs to be applied at the Diameter layer.

注入和操作:Diameter基本协议规范要求在相邻节点之间提供安全保护,但Diameter代理可能会受到损害或配置错误,从而注入或操作AVP。为了检测此类行为,需要在Diameter层应用额外的安全保护。

Nodes that could launch such an attack are any Diameter agents along the end-to-end communication path.

可能发起此类攻击的节点是端到端通信路径上的任意直径代理。

Impersonation: Imagine a case where a Diameter message from Example.net contains information claiming to be from Example.org. This would either require strict verification at the edge of the AAA broker network or cryptographic assurance at the Diameter layer to prevent a successful impersonation attack.

模拟:想象一个例子,来自Example.net的Diameter消息包含声称来自Example.org的信息。这需要在AAA代理网络边缘进行严格验证,或者在Diameter层进行加密保证,以防止成功的模拟攻击。

Any Diameter realm could launch such an attack aiming for financial benefits or to disrupt service availability.

任何Diameter领域都可能发起这样的攻击,目的是为了获得经济利益或破坏服务可用性。

4. Scenarios for Diameter AVP-Level Protection
4. 直径AVP级别保护的场景

This scenario outlines a number of cases for deploying security protection of individual Diameter AVPs.

此场景概述了部署单个Diameter AVP安全保护的一些案例。

In the first scenario, shown in Figure 2, end-to-end security protection is provided between the Diameter client and the Diameter server with any number of intermediate Diameter agents. Diameter AVPs exchanged between these two Diameter nodes may be protected end to end (notation '{AVP}k') or unprotected (notation 'AVP').

在第一个场景中,如图2所示,Diameter客户端和Diameter服务器之间提供了端到端的安全保护,其中包含任意数量的中间Diameter代理。这两个Diameter节点之间交换的Diameter AVP可以是端到端受保护的(符号“{AVP}k”)或不受保护的(符号“AVP”)。

   +--------+                                                +--------+
   |Diameter| AVP, {AVP}k                                    |Diameter|
   |Client  +-----------------........... -------------------+Server  |
   +--------+                                                +--------+
        
   +--------+                                                +--------+
   |Diameter| AVP, {AVP}k                                    |Diameter|
   |Client  +-----------------........... -------------------+Server  |
   +--------+                                                +--------+
        

Figure 2: End-to-End Diameter AVP Security Protection

图2:端到端直径AVP安全保护

In the second scenario, shown in Figure 3, a Diameter proxy acts on behalf of the Diameter client with regard to security protection. It applies security protection to outgoing Diameter AVPs and verifies incoming AVPs. Typically, the proxy enforcing the security protection belongs to the same domain as the Diameter client/server without end-to-end security features.

在第二个场景中,如图3所示,Diameter代理代表Diameter客户端进行安全保护。它对输出直径AVP应用安全保护,并验证输入AVP。通常,实施安全保护的代理与Diameter客户端/服务器属于同一个域,没有端到端安全功能。

   +--------+     +--------+                                 +--------+
   |Diameter| AVP |Diameter|   AVP, {AVP}k                   |Diameter|
   |Client  +-----+Proxy A +---------- .......... -----------+Server  |
   +--------+     +--------+                                 +--------+
        
   +--------+     +--------+                                 +--------+
   |Diameter| AVP |Diameter|   AVP, {AVP}k                   |Diameter|
   |Client  +-----+Proxy A +---------- .......... -----------+Server  |
   +--------+     +--------+                                 +--------+
        

Figure 3: Middle-to-End Diameter AVP Security Protection

图3:中端直径AVP安全保护

In the third scenario, shown in Figure 4, a Diameter proxy acts on behalf of the Diameter server.

在第三个场景中,如图4所示,Diameter代理代表Diameter服务器。

   +--------+                                 +--------+     +--------+
   |Diameter| AVP, {AVP}k                     |Diameter| AVP |Diameter|
   |Client  +-----------------........... ----+Proxy D +-----+Server  |
   +--------+                                 +--------+     +--------+
        
   +--------+                                 +--------+     +--------+
   |Diameter| AVP, {AVP}k                     |Diameter| AVP |Diameter|
   |Client  +-----------------........... ----+Proxy D +-----+Server  |
   +--------+                                 +--------+     +--------+
        

Figure 4: End-to-Middle Diameter AVP Security Protection

图4:端到中直径AVP安全保护

The fourth and the final scenario (see Figure 5) is a combination of the middle-to-end and the end-to-middle scenarios shown in Figures 3 and 4. From a deployment point of view, this scenario is easier to accomplish for two reasons. First, Diameter clients and Diameter servers remain unmodified. This ensures that no modifications are needed to the installed Diameter infrastructure, except for the

第四个也是最后一个场景(见图5)是图3和图4所示的中间到端和端到中间场景的组合。从部署的角度来看,此场景更容易实现,原因有二。首先,Diameter客户端和Diameter服务器保持不变。这可确保不需要对已安装的Diameter基础结构进行任何修改,但

security-enabled proxies, obviously. Second, the key management is also simplified since a fewer number of keys need to be negotiated and provisioned. The assumption here is that the number of security-enabled proxies would be significantly less than unprotected Diameter nodes in the installed base.

显然,支持安全的代理。其次,由于需要协商和提供的密钥数量较少,因此密钥管理也得到了简化。这里的假设是,启用安全性的代理的数量将大大少于已安装基础中未受保护的Diameter节点的数量。

   +--------+     +--------+                  +--------+     +--------+
   |Diameter| AVP |Diameter|   AVP, {AVP}k    |Diameter| AVP |Diameter|
   |Client  +-----+Proxy A +-- .......... ----+Proxy D +-----+Server  |
   +--------+     +--------+                  +--------+     +--------+
        
   +--------+     +--------+                  +--------+     +--------+
   |Diameter| AVP |Diameter|   AVP, {AVP}k    |Diameter| AVP |Diameter|
   |Client  +-----+Proxy A +-- .......... ----+Proxy D +-----+Server  |
   +--------+     +--------+                  +--------+     +--------+
        

Figure 5: Middle-to-Middle Diameter AVP Security Protection

图5:中直径AVP安全保护

5. Requirements
5. 要求

Requirement #1: The solution MUST support an extensible set of cryptographic algorithms.

要求#1:解决方案必须支持一组可扩展的加密算法。

Motivation: Solutions MUST be able to evolve to adapt to evolving cryptographic algorithms and security requirements. This may include the provision of a modular mechanism to allow cryptographic algorithms to be updated without substantial disruption to deployed implementations.

动机:解决方案必须能够不断发展,以适应不断发展的密码算法和安全要求。这可能包括提供模块化机制,以允许在不严重中断已部署实现的情况下更新加密算法。

Requirement #2: The solution MUST support confidentiality, integrity, and data-origin authentication. Solutions for integrity protection MUST work in a backwards-compatible way with existing Diameter applications and therefore be able to traverse legacy proxy and relay agents.

要求#2:解决方案必须支持机密性、完整性和数据源身份验证。完整性保护解决方案必须以与现有Diameter应用程序向后兼容的方式工作,因此能够遍历遗留代理和中继代理。

Requirement #3: The solution MUST support replay protection.

要求#3:解决方案必须支持重播保护。

Requirement #4: The solution MUST support the ability to delegate security functionality to another entity.

要求#4:解决方案必须支持将安全功能委托给其他实体的能力。

Motivation: As described in Section 4, the ability to let a Diameter proxy perform security services on behalf of all clients within the same administrative domain is important for incremental deployability. The same applies to the other communication side where a load balancer terminates security services for the servers it interfaces.

动机:如第4节所述,让Diameter代理代表同一管理域内的所有客户端执行安全服务的能力对于增量部署非常重要。这同样适用于另一个通信端,其中负载平衡器终止其接口服务器的安全服务。

Requirement #5: The solution MUST be able to selectively apply its cryptographic protection to certain Diameter AVPs.

要求#5:解决方案必须能够选择性地将其加密保护应用于特定直径的AVP。

Motivation: Some Diameter applications assume that certain AVPs are added, removed, or modified by intermediaries. As such, it must be possible to apply security protection selectively.

动机:一些Diameter应用程序假定某些AVP是由中介添加、删除或修改的。因此,必须能够有选择地应用安全保护。

Furthermore, there are AVPs that must not be confidentiality protected but may still be integrity protected, such as those required for Diameter message routing.

此外,有些AVP必须不受机密性保护,但仍可能受到完整性保护,例如Diameter消息路由所需的AVP。

Requirement #6: The solution MUST define a mandatory-to-implement cryptographic algorithm.

要求#6:解决方案必须定义一个强制密码来实现加密算法。

Motivation: For interoperability purposes, it is beneficial to have a mandatory-to-implement cryptographic algorithm specified (unless profiles for specific usage environments specify otherwise).

动机:出于互操作性的目的,指定一个强制实现加密算法是有益的(除非特定使用环境的概要文件另有规定)。

Requirement #7: The solution MUST support symmetric keys and asymmetric keys.

需求#7:解决方案必须支持对称密钥和非对称密钥。

Motivation: Symmetric and asymmetric cryptographic algorithms provide different security services. Asymmetric algorithms, for example, allow non-repudiation services to be offered.

动机:对称和非对称加密算法提供不同的安全服务。例如,不对称算法允许提供不可否认性服务。

Requirement #8: A solution for dynamic key management MUST be included in the overall solution framework.

需求#8:动态密钥管理解决方案必须包含在总体解决方案框架中。

However, it is assumed that no "new" key management protocol needs to be developed; instead, existing ones are reused, if at all possible. Rekeying could be triggered by (a) management actions and (b) expiring keying material.

然而,假设不需要开发“新的”密钥管理协议;相反,如果可能的话,可以重用现有的。重新键入可能由(a)管理措施和(b)过期键入材料触发。

6. Security Considerations
6. 安全考虑

This entire document focuses on the discussion of new functionality for securing Diameter AVPs selectively between non-neighboring nodes.

整个文档重点讨论在非相邻节点之间选择性地保护Diameter AVP的新功能。

Various security threats are mitigated by selectively applying security protection for individual Diameter AVPs. Without protection, there is the possibility for password sniffing, confidentiality violation, and AVP insertion, deletion, or modification. Additionally, applying a digital signature offers non-repudiation capabilities, a feature not yet available in today's Diameter deployment. Modification of certain Diameter AVPs may not necessarily be the act of malicious behavior but could also be the result of misconfiguration. An over-aggressively configured firewalling Diameter proxy may also remove certain AVPs. In most cases, data-origin authentication and integrity protection of AVPs will provide the most benefits for existing deployments with minimal overhead and (potentially) operate in a full-backwards compatible manner.

通过选择性地对单个直径AVP应用安全保护,缓解了各种安全威胁。在没有保护的情况下,可能会进行密码嗅探、违反保密性以及AVP插入、删除或修改。此外,应用数字签名还提供了不可否认性功能,这在今天的Diameter部署中尚不可用。修改某些直径的AVP不一定是恶意行为,也可能是错误配置的结果。过度配置的防火墙直径代理也可能删除某些AVP。在大多数情况下,AVP的数据源身份验证和完整性保护将以最小的开销为现有部署提供最大的好处,并且(可能)以完全向后兼容的方式运行。

7. References
7. 工具书类
7.1. Normative References
7.1. 规范性引用文件

[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.

[1] Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<http://www.rfc-editor.org/info/rfc2119>.

[2] Fajardo, V., Ed., Arkko, J., Loughney, J., and G. Zorn, Ed., "Diameter Base Protocol", RFC 6733, DOI 10.17487/RFC6733, October 2012, <http://www.rfc-editor.org/info/rfc6733>.

[2] Fajardo,V.,Ed.,Arkko,J.,Loughney,J.,和G.Zorn,Ed.,“直径基准协议”,RFC 6733,DOI 10.17487/RFC6733,2012年10月<http://www.rfc-editor.org/info/rfc6733>.

7.2. Informative References
7.2. 资料性引用

[3] Calhoun, P., Farrell, S., and W. Bulley, "Diameter CMS Security Application", Work in Progress, draft-ietf-aaa-diameter-cms-sec-04, March 2002.

[3] Calhoun,P.,Farrell,S.,和W.Bulley,“直径CMS安全应用”,正在进行的工作,草稿-ietf-aaa-DIAMER-CMS-sec-042002年3月。

[4] Eronen, P., Ed., Hiller, T., and G. Zorn, "Diameter Extensible Authentication Protocol (EAP) Application", RFC 4072, DOI 10.17487/RFC4072, August 2005, <http://www.rfc-editor.org/info/rfc4072>.

[4] Eronen,P.,Ed.,Hiller,T.,和G.Zorn,“直径可扩展认证协议(EAP)应用”,RFC 4072,DOI 10.17487/RFC4072,2005年8月<http://www.rfc-editor.org/info/rfc4072>.

[5] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005, <http://www.rfc-editor.org/info/rfc4301>.

[5] Kent,S.和K.Seo,“互联网协议的安全架构”,RFC 4301,DOI 10.17487/RFC4301,2005年12月<http://www.rfc-editor.org/info/rfc4301>.

[6] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, <http://www.rfc-editor.org/info/rfc5246>.

[6] Dierks,T.和E.Rescorla,“传输层安全(TLS)协议版本1.2”,RFC 5246,DOI 10.17487/RFC5246,2008年8月<http://www.rfc-editor.org/info/rfc5246>.

[7] Tuexen, M., Seggelmann, R., and E. Rescorla, "Datagram Transport Layer Security (DTLS) for Stream Control Transmission Protocol (SCTP)", RFC 6083, DOI 10.17487/RFC6083, January 2011, <http://www.rfc-editor.org/info/rfc6083>.

[7] Tuexen,M.,Seggelmann,R.,和E.Rescorla,“流控制传输协议(SCTP)的数据报传输层安全性(DTLS)”,RFC 6083,DOI 10.17487/RFC6083,2011年1月<http://www.rfc-editor.org/info/rfc6083>.

Acknowledgments

致谢

We would like to thank Guenther Horn, Martin Dolly, Steve Donovan, Lionel Morand, and Tom Taylor (rest in peace, Tom) for their review comments.

我们要感谢根瑟·霍恩、马丁·多利、史蒂夫·多诺万、莱昂内尔·莫兰和汤姆·泰勒(汤姆,安息吧)的评论。

The authors also thank Qin Wu, Christer Holmberg, Ben Campbell, and Radia Perlman, who provided additional reviews during the Last Call.

作者还感谢秦武、克里斯特·霍姆伯格、本·坎贝尔和拉迪娅·帕尔曼,他们在上次通话中提供了额外的评论。

Authors' Addresses

作者地址

Hannes Tschofenig Hall in Tirol 6060 Austria

奥地利蒂罗尔的汉内斯·茨霍芬尼大厅6060

   Email: Hannes.tschofenig@gmx.net
   URI:   http://www.tschofenig.priv.at
        
   Email: Hannes.tschofenig@gmx.net
   URI:   http://www.tschofenig.priv.at
        

Jouni Korhonen (editor) Broadcom Limited 3151 Zanker Rd. San Jose, CA 95134 United States of America

Jouni Korhonen(编辑)Broadcom Limited美国加利福尼亚州圣何塞市赞克路3151号,邮编95134

   Email: jouni.nospam@gmail.com
        
   Email: jouni.nospam@gmail.com
        

Glen Zorn Network Zen 227/358 Thanon Sanphawut Bang Na, Bangkok 10260 Thailand

格伦佐恩网络禅宗227/358泰国曼谷Thanon Sanphawut Bang Na 10260

   Email: glenzorn@gmail.com
        
   Email: glenzorn@gmail.com
        

Kervin Pillay Internet Solutions South Africa

Kervin Pillay互联网解决方案南非

   Email: kervin.pillay@gmail.com
        
   Email: kervin.pillay@gmail.com