August 2007 | Volume 2 / Number 4
Editor's Note
The DIAMETER of IMS Security
Richard “Zippy” Grigonis

Just before we went to press I found myself talking with Ben Volkow, the COO of Traffix Systems (www.traffixsystems.com), whose company provides Authentication, Authorization and Accounting (AAA) products and solutions for network equipment providers and operators moving to NGN and IMS. One of their specialties is working with DIAMETER, an AAA computer networking protocol devised by the IETF that’s the successor to RADIUS.

“When a network operator migrates to IMS, it actually must manage and support two networks,” says Volkow. “Their legacy network is still functional with millions of users, and then there’s the new IMS network. Problems start when operators find themselves with RADIUS running in the old network and DIAMETER in the new one. This means that those two networks cannot communicate; they cannot share functionality. So when operators launch their IMS networks, they need to build the entirety of their network functionality from scratch, because it’s not easy to share functionalities from the existing legacy network; the two networks talk in different languages. A Tier-1 operator can have many HLRs [Home Location Registers] where the subscriber information is kept. So when the operator moves to IMS, it can’t use the existing HLRs; it must buy the new version of HLR, called HSS [Home Subscriber Server]. So we’re talking about duplicating network functionality and components and the OSS and BSS for the new IMS network.”

“Furthermore, more network functionalities lead to more security risk,” says Volkow. “There’s a risk associated with one database. Having 10 databases leads to a risk greater than 10 times, because if an attacker takes down any one database the other 10 won’t work. Today’s networks have HSS and SLF [Subscription Location Function], needed to map user addresses when multiple HSSs are used, and so in IMS you do have many more new databases. Thus, your security risks become extremely high.”

“Additionally, IMS is an open architecture,” says Volkow. “It’s open to MVNOs and third party applications and Skype and things like AOL. Thus, it’s subject to high risk, especially in the AAA area, which ties into online charging, and knowing how much credit you have, and whether you’re authorized to use a service, what your password is, and so forth.”

“AAA in IMS is more important than it was in IP Centrex or other legacy network services,” says Volkow. “DIAMETER is used here, but it’s not just about security. It deals with QoS too, as well as bandwidth, rating and policies. Every ‘W’ question [who, what, where, when, why] in the network is communicated using DIAMETER. It’s much more complex than RADIUS and involves more infrastructure. RADIUS was something that was used with billing and OSS, but DIAMETER is appearing everywhere. It’s in softswitches, application servers, policies, GGSNs [Gateway GPRS Support Nodes], everywhere. Almost every network component needs to know about and communicate using DIAMETER.”

Among other things, Traffix Systems offers an AAA NG Gateway that helps network operators migrate to IMS cost efficiently, using some of the existing functionality embedded in their operational legacy network, allowing for a unified network instead of multiple cases of reinventing the wheel. The NG Gateway also enables the operator to offer advanced IMS AAA DIAMETER-based functionality.

Richard Grigonis is Executive Editor of TMC’s IP Communications Group.