
royce | 1 year ago

The paper (https://www.blastradius.fail/pdf/radius.pdf) explicitly states DIAMETER "never replaced RADIUS for many common use cases" and "the protocol itself offers no security when used over TCP". So unless the DIAMETER traffic is isolated or tunneled, it's arguably less secure than RADIUS/TLS.


rcarmo | 1 year ago

That paper is completely outdated (newest references are from 2016) or just badly researched.

3GPP references several RFCs for Diameter security (including TLS), and every single 5G network on the planet uses it (I work in telco).

Even Wikipedia is more accurate: https://en.wikipedia.org/wiki/Diameter_(protocol)

royce | 1 year ago

I work in telco, too - by my read, they're not disagreeing:

  Although Diameter was intended to replace RADIUS, the
  protocol itself offers no security when used over TCP. As a
  result, RFC 6733 suggests that Diameter messages should
  be secured using TLS or DTLS; 5G has replaced Diameter
  with signaling over HTTP/2 [30].

Edit: here's ref [30]: https://mailarchive.ietf.org/arch/msg/radext/Zcuud3GyG221DXn...

"5G completely replaced DIAMETER with signaling over HTTP/2. DIAMETER is only used in legacy systems that have not yet been updated. Early 5G can be deployed as Non-standalone (NSA) or standalone (SA). NSA means a 4G core with 5G radio while SA means both 5G core and 5G radio. NSA has a lot of severe limitations. Many networks are already SA and the rest are working on rolling out SA."
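The point both commenters circle around is that Diameter itself carries no protection, so the only question for a peering link is whether TLS was actually negotiated. Added example, not from the thread or from any Diameter implementation: a small RFC 6733 header/AVP parser that classifies a peer's Capabilities-Exchange-Request as TLS-before-CER (the RFC 6733 model), TLS negotiated in-band after the CER via Inband-Security-Id (RFC 3588 style), or plain cleartext. It assumes the caller already knows whether the underlying TCP/SCTP connection was TLS-wrapped; the CER bytes are constructed here, not captured.

```python
import struct

# Codes from RFC 6733 (base Diameter); Inband-Security-Id: 0 = NO_INBAND_SECURITY, 1 = TLS
ORIGIN_HOST, ORIGIN_REALM, INBAND_SECURITY_ID, CER_COMMAND_CODE = 264, 296, 299, 257
NO_INBAND_SECURITY, TLS = 0, 1

def avp(code, data, mandatory=True):
    """Encode one AVP without Vendor-Id: code, flags, 3-byte length, data padded to 4."""
    length = 8 + len(data)
    return (struct.pack("!IB", code, 0x40 if mandatory else 0) + length.to_bytes(3, "big")
            + data + b"\x00" * ((-len(data)) % 4))

def build_cer(origin_host, origin_realm, inband=None):
    """Build a minimal Capabilities-Exchange-Request (constructed sample, not a capture)."""
    body = avp(ORIGIN_HOST, origin_host) + avp(ORIGIN_REALM, origin_realm)
    if inband is not None:
        body += avp(INBAND_SECURITY_ID, struct.pack("!I", inband))
    header = (bytes([1]) + (20 + len(body)).to_bytes(3, "big")      # version, length
              + bytes([0x80]) + CER_COMMAND_CODE.to_bytes(3, "big")  # R flag, command code
              + struct.pack("!III", 0, 0x1234, 0x5678))              # app id, hop-by-hop, end-to-end
    return header + body

def parse_diameter(msg):
    """Return (command code, {avp code: data}) for one message, with bounds checks."""
    total = int.from_bytes(msg[1:4], "big") if len(msg) >= 20 else 0
    if len(msg) < 20 or msg[0] != 1 or total > len(msg):
        raise ValueError("not a complete Diameter v1 message")
    command, avps, off = int.from_bytes(msg[5:8], "big"), {}, 20
    while off + 8 <= total:
        code, flags = struct.unpack_from("!IB", msg, off)
        length = int.from_bytes(msg[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8  # V flag adds a 4-byte Vendor-Id
        if length < hdr or off + length > total:
            raise ValueError("malformed AVP length")
        avps[code] = msg[off + hdr:off + length]
        off += length + ((-length) % 4)  # AVP length excludes padding
    return command, avps

def assess_cer(msg, transport_is_tls):
    """'tls-before-cer' (RFC 6733 model), 'tls-after-cer' (RFC 3588 in-band negotiation),
    or 'cleartext' (no protection at all, the case the quoted paper describes)."""
    command, avps = parse_diameter(msg)
    if command != CER_COMMAND_CODE:
        return "not-a-cer"
    if transport_is_tls:
        return "tls-before-cer"
    raw = avps.get(INBAND_SECURITY_ID)
    inband = struct.unpack("!I", raw)[0] if raw and len(raw) == 4 else NO_INBAND_SECURITY
    return "tls-after-cer" if inband == TLS else "cleartext"
```

A peer whose CER is classified as "cleartext" is exactly the case where isolation or tunnelling is doing all the work.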