FRAMINGHAM (01/31/2000) - Authenticating remote users has always posed a challenge to network managers. The authentication mechanism should be as strong and simple as possible to minimize network overhead and the impact on overall response times.
The best-known authentication protocol for these qualities is Remote Authentication Dial-In User Service, or RADIUS.
But some users are finding RADIUS unable to cope with their more mobile work habits. The "Dial-In" piece gives a clue: RADIUS was designed to function only with Serial Line Internet Protocol (SLIP) and PPP for standard analog modems. It is not extensible and so cannot be used for access authentication of handheld or other wireless computing devices, cellular phones or Ethernet-based virtual private networks (VPN).
For most users, the solution will come in the form of an authentication protocol evolved from RADIUS, called Diameter.
Now in draft status at the Internet Engineering Task Force, Diameter is designed to authenticate more types of users than RADIUS while maintaining compatibility with RADIUS-based systems.
Like RADIUS, Diameter is a "triple-A" protocol - it authenticates and authorizes users and performs basic back-end accounting services for bookkeeping purposes.
Also like RADIUS, the basic Diameter transaction involves what are called attribute value pairs (AVP). For example, an AVP might be "user ID" and "Joe Smith," or "password" and "goldfish."
Upon receiving an authentication request, a RADIUS or Diameter server typically issues the user ID attribute as a challenge, to which the requesting user system responds with the user value - the ID. Then the server issues the password attribute. If the user value response is correct, the user is considered authentic.
But the AVP exchange goes beyond simple authentication, and this is where authorization comes in. Through its other value pairs, the server can further qualify the user to determine the specific resources to which the user will be granted access. For instance, access to a high-security application might require the user to supply a private-key code.
This is possible with RADIUS but easier to implement with Diameter because Diameter lets a remote server send unsolicited messages to a client. This way, if the user sends only the password, the Diameter-equipped server sends another message, requesting the private-key code.
Perhaps the most important difference between Diameter and RADIUS involves the scope of AVP use. The RADIUS address space is limited to 256 value pairs.
However, Diameter features a 32-bit AVP address space, enough for a million or more pairs. This AVP potential is what gives Diameter extensibility. The more powerful Diameter value pairs are also able to serve mobile, nondial-up users.
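To make the attribute value pair comparison concrete, here is an added example (not from the article and not 3Com's or any Diameter implementation's code) that encodes and parses a RADIUS attribute beside a Diameter AVP, using the wire layouts later fixed in RFC 2865 and RFC 6733: a one-byte attribute type on the RADIUS side against a 32-bit AVP code with an optional Vendor-ID on the Diameter side. User-Name is attribute type 1 in RADIUS and AVP code 1 in Diameter; the code 70000, the vendor ID 99999 and the "Joe Smith" value are constructed for the example.

```python
import struct

# RADIUS attribute (RFC 2865): Type (1 byte) | Length (1 byte) | Value.
# Length counts the two header bytes, so a value is at most 253 bytes.
RADIUS_MAX_TYPE = 0xFF

# Diameter AVP (RFC 6733): Code (4 bytes) | Flags (1 byte) | Length (3 bytes)
#                          | [Vendor-ID (4 bytes) when the V flag is set] | Data,
# with Data padded to a 4-byte boundary (padding is not counted in Length).
DIAMETER_MAX_CODE = 0xFFFFFFFF
AVP_FLAG_VENDOR = 0x80      # V bit
AVP_FLAG_MANDATORY = 0x40   # M bit


def radius_encode(attr_type, value):
    """Encode one RADIUS attribute; a type beyond one byte cannot be expressed."""
    if not 1 <= attr_type <= RADIUS_MAX_TYPE:
        raise ValueError("RADIUS attribute type must fit in one byte")
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def radius_parse(buf):
    """Parse a run of RADIUS attributes into (type, value) tuples, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated RADIUS attribute header")
        attr_type, length = struct.unpack("!BB", buf[i:i + 2])
        if length < 2 or i + length > len(buf):
            raise ValueError("bad RADIUS attribute length")
        attrs.append((attr_type, buf[i + 2:i + length]))
        i += length
    return attrs


def diameter_encode(code, data, mandatory=True, vendor_id=None):
    """Encode one Diameter AVP with a 32-bit code and an optional Vendor-ID."""
    if not 0 <= code <= DIAMETER_MAX_CODE:
        raise ValueError("AVP code must fit in 32 bits")
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    if vendor_id is not None:
        flags |= AVP_FLAG_VENDOR
    header_len = 12 if vendor_id is not None else 8
    length = header_len + len(data)
    header = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    if vendor_id is not None:
        header += struct.pack("!I", vendor_id)
    return header + data + b"\x00" * ((-len(data)) % 4)


def diameter_parse(buf):
    """Parse a run of AVPs into (code, vendor_id, mandatory, data) tuples."""
    avps, i = [], 0
    while i < len(buf):
        if i + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code = struct.unpack("!I", buf[i:i + 4])[0]
        flags = buf[i + 4]
        length = int.from_bytes(buf[i + 5:i + 8], "big")
        header_len = 12 if flags & AVP_FLAG_VENDOR else 8
        if length < header_len or i + length > len(buf):
            raise ValueError("bad AVP length")
        vendor_id = struct.unpack("!I", buf[i + 8:i + 12])[0] if flags & AVP_FLAG_VENDOR else None
        avps.append((code, vendor_id, bool(flags & AVP_FLAG_MANDATORY), buf[i + header_len:i + length]))
        i += length + ((-length) % 4)   # step over the padding as well
    return avps


def demo():
    # Constructed sample: the article's "user ID" / "Joe Smith" pair as User-Name (code 1
    # in both protocols), plus a vendor-specific AVP whose code has no RADIUS encoding.
    name = b"Joe Smith"
    radius_attrs = radius_parse(radius_encode(1, name))
    avps = diameter_parse(diameter_encode(1, name) + diameter_encode(70000, b"x", vendor_id=99999))
    try:
        radius_encode(70000, b"x")
        radius_fits = True
    except ValueError:
        radius_fits = False
    return radius_attrs, avps, radius_fits
```

The parsers check every length field against the remaining buffer before slicing, which is the check a practitioner wants in any AVP decoder: a length that overruns the packet is rejected rather than silently truncated.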
For instance, one Diameter value pair involves "home-agent-address" as the attribute and uses an IP address as the value. A mobile user calling from a cell phone might use this to pass through to the Diameter server of his or her home-agent ISP in order to authenticate the user ID and password value pairs.
This is how Diameter liberates users from the SLIP or PPP dial-up tethers.
Also like RADIUS, Diameter supports the two industry-standard challenge-response protocols - Password Authentication Protocol and Challenge Handshake Authentication Protocol - as the actual transport mechanisms for maintaining security while passing AVP information across the network.
But in order to allow for authentication through a third party - for instance, through a remote ISP to the user's home-agent ISP - Diameter also enhances the previously limited proxy capabilities of RADIUS. This way the remote ISP is allowed to create a proxy back to the user's home-agent ISP, and on to the home-agent Diameter server. From there, the home-agent ISP and the user can carry on their authentication transaction. Once that is complete, the home-agent ISP tells the remote ISP to give the user service.
Diameter also lets the two ISPs exchange the necessary billing information, so the home-agent ISP can bill the user and settle accounts with the remote ISP.
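The roaming exchange just described, together with the earlier point that a Diameter server can come back with another message asking for a further credential instead of failing, as an added simulation that is not part of the article and not any Diameter implementation's code. The remote ISP's node routes the request by the realm in a user@realm identity, the home-agent ISP's server authenticates and authorizes, and both sides keep an accounting record for settlement. Messages are plain dictionaries rather than wire-format AVPs; the Result-Code values and the AA-Request/AA-Answer names come from the later Diameter RFCs (6733 and 7155), while the realm names, user database, Extra-Credential AVP (standing in for the article's "private-key code") and the string value used for Service-Type are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field

# Result-Code values from the Diameter base protocol (RFC 6733).
DIAMETER_MULTI_ROUND_AUTH = 1001          # "send another round with more credentials"
DIAMETER_SUCCESS = 2001
DIAMETER_UNABLE_TO_DELIVER = 3002         # no route to the destination realm
DIAMETER_AUTHENTICATION_REJECTED = 4001

# Constructed for this example: a service that needs one extra credential, and the
# AVP name that carries it (not a standard AVP).
SECURE_SERVICE = "high-security-app"
EXTRA_AVP = "Extra-Credential"


def _same(a, b):
    """Constant-time comparison of two secrets."""
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class HomeServer:
    """Diameter server of the user's home-agent ISP."""
    realm: str
    passwords: dict                   # constructed user database: identity -> password
    extra_codes: dict                 # constructed: identity -> code for SECURE_SERVICE
    accounting: list = field(default_factory=list)

    def handle(self, request):
        avps = request["avps"]
        user = avps.get("User-Name", "")
        if user not in self.passwords or not _same(self.passwords[user], avps.get("User-Password", "")):
            return self._answer(avps, DIAMETER_AUTHENTICATION_REJECTED)
        # Authorization: the high-security service needs one more value pair. Rather than
        # rejecting, the server answers with a multi-round code that asks the client for it.
        if avps.get("Service-Type") == SECURE_SERVICE:
            if EXTRA_AVP not in avps:
                return self._answer(avps, DIAMETER_MULTI_ROUND_AUTH)
            if not _same(self.extra_codes.get(user, ""), avps[EXTRA_AVP]):
                return self._answer(avps, DIAMETER_AUTHENTICATION_REJECTED)
        # The home ISP records the session so it can bill the user and settle with the visited ISP.
        self.accounting.append({"Session-Id": avps["Session-Id"], "User-Name": user,
                                "Visited-Realm": avps["Origin-Realm"]})
        return self._answer(avps, DIAMETER_SUCCESS)

    def _answer(self, req_avps, result_code):
        return {"type": "AA-Answer", "avps": {"Session-Id": req_avps["Session-Id"],
                                             "Origin-Realm": self.realm,
                                             "Result-Code": result_code}}


@dataclass
class VisitedProxy:
    """Diameter node of the remote ISP the user connected through."""
    realm: str
    routes: dict                      # realm -> HomeServer (realm-based routing table)
    accounting: list = field(default_factory=list)

    def request_access(self, session_id, user_name, password, service=None, extra=None):
        # The realm part of a user@realm identity decides where the request is proxied.
        home_realm = user_name.rsplit("@", 1)[1] if "@" in user_name else self.realm
        avps = {"Session-Id": session_id, "User-Name": user_name, "User-Password": password,
                "Origin-Realm": self.realm, "Destination-Realm": home_realm}
        if service is not None:
            avps["Service-Type"] = service
        if extra is not None:
            avps[EXTRA_AVP] = extra
        home = self.routes.get(home_realm)
        if home is None:
            return {"type": "AA-Answer", "avps": {"Session-Id": session_id, "Origin-Realm": self.realm,
                                                 "Result-Code": DIAMETER_UNABLE_TO_DELIVER}}
        answer = home.handle({"type": "AA-Request", "avps": avps})
        if answer["avps"]["Result-Code"] == DIAMETER_SUCCESS:
            # The visited ISP keeps its own record of the service it delivered, for settlement.
            self.accounting.append({"Session-Id": session_id, "User-Name": user_name,
                                    "Home-Realm": home_realm})
        return answer


def demo():
    """Run the exchange for a roaming user; returns the result codes and record counts."""
    home = HomeServer("home.example", {"joe@home.example": "goldfish"},
                      {"joe@home.example": "code-1234"})
    visited = VisitedProxy("visited.example", {"home.example": home})
    first = visited.request_access("s1", "joe@home.example", "goldfish", service=SECURE_SERVICE)
    second = visited.request_access("s1", "joe@home.example", "goldfish",
                                    service=SECURE_SERVICE, extra="code-1234")
    wrong = visited.request_access("s2", "joe@home.example", "guppy")
    unknown = visited.request_access("s3", "ann@nowhere.example", "x")
    return ([m["avps"]["Result-Code"] for m in (first, second, wrong, unknown)],
            len(home.accounting), len(visited.accounting))
```

The first request for the high-security service comes back with a multi-round result rather than a rejection, the second round carrying the extra credential succeeds, and only a successful session produces an accounting record on each side; a user whose realm has no route is answered by the visited node itself with an unable-to-deliver code and never reaches a home server.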
By permitting this type of roaming, and by offering extensibility to handhelds, cell phones and other devices yet to be invented, Diameter redefines remote access for contemporary users.
Mark Roy is a product engineer in 3Com Corp.'s Network Management Division. He can be reached at Mark_Roy@3Com.com.