Overview
Diameter is the signalling protocol that underpins authentication, mobility management, and policy enforcement in 4G LTE networks, and remains present in hybrid 4G/5G deployments. Defined at its base by IETF RFC 6733 and extended by a family of 3GPP application specifications, it was purpose-built as the successor to both RADIUS and the SS7/MAP stack that had served 2G and 3G core networks since the 1980s.
Where SS7 relied on point codes and Global Titles routed through Signal Transfer Points, Diameter operates as a peer-to-peer protocol over SCTP or TCP, carrying structured messages between named nodes. It introduces a proper session layer, retry semantics, and the concept of application IDs that allow multiple logical protocols (authentication, policy, charging) to share the same transport. These were genuine improvements over the MAP/TCAP model.
Despite its more modern design, Diameter inherited the same fundamental problem as SS7: it was not designed with hostile interconnect in mind. The roaming architecture requires operators to exchange Diameter messages across the IPX/GRX network with potentially dozens of partner operators. A node that can send messages on the interconnect can impersonate any Diameter peer, and the base protocol provides no mechanism for the receiving node to verify the claim.
The result is a protocol that is structurally more robust than SS7 for domestic deployments but carries comparable risk in the roaming scenario, which is precisely the scenario most relevant to a mobile operator's attack surface.
How it works
Diameter messages are built from a fixed header followed by a sequence of Attribute-Value Pairs (AVPs). The header carries a command code that identifies the message type, an application ID that identifies the Diameter application (base, 3GPP S6a, 3GPP Gx, etc.), flags, and hop-by-hop and end-to-end identifiers for routing and deduplication.
The protocol structure:
- Header: 20 bytes. Command code, application ID, flags (request/answer, proxiable, error), hop-by-hop ID, end-to-end ID.
- AVPs: Variable-length attribute-value pairs carrying all message content. Each AVP has a code, vendor ID (for vendor-specific AVPs), flags (mandatory, protected), and a value. AVPs can be grouped (a Grouped AVP contains other AVPs), enabling complex nested structures.
- Application IDs: Each Diameter application (base auth, 3GPP S6a, 3GPP Gx) has a registered application ID. Nodes advertise supported applications during capability exchange.
- Command codes: Each request/answer pair has a dedicated command code. For example, Update-Location-Request/Answer uses command code 316 and Credit-Control-Request/Answer uses command code 272.
- Sessions: Diameter maintains session state. A session begins with a request and persists until explicitly terminated, enabling stateful interactions like the Gx policy session between the PCEF and PCRF.
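As an added example (not code from the original page), the header and AVP layout above encoded and decoded in Python, with the parser rejecting lengths that do not match the bytes actually received. The S6a application ID 16777251 and the AVP codes 264, 296, 283 and 1407 (vendor 10415) are the registered values from RFC 6733 and 3GPP TS 29.272; the host, realm and PLMN values are constructed.

```python
import struct

# RFC 6733 section 4 layout (added example, not from the page). Header: version(1) length(3) |
# flags(1) command code(3) | application id(4) | hop-by-hop(4) | end-to-end(4).
# AVP: code(4) | flags(1) length(3) | [vendor id(4) if the V flag is set] | data padded to 4 bytes.

def encode_avp(code, data, vendor_id=None, mandatory=True):
    """Serialise one AVP; a Grouped AVP is just the concatenation of its member AVPs as data."""
    flags, header_len = (0x40 if mandatory else 0), 8
    if vendor_id is not None:
        flags, header_len = flags | 0x80, 12
    out = struct.pack("!II", code, (flags << 24) | (header_len + len(data)))
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * (-len(data) % 4)  # AVP length excludes padding, message length includes it

def encode_message(command_code, app_id, avps, request=True, proxiable=True, hbh=1, e2e=1):
    body = b"".join(avps)
    flags = (0x80 if request else 0) | (0x40 if proxiable else 0)
    return struct.pack("!IIIII", (1 << 24) | (20 + len(body)), (flags << 24) | command_code,
                       app_id, hbh, e2e) + body

def decode_avps(data):
    """Return a list of (code, vendor_id, flags, raw value); grouped values are left for the caller."""
    avps, pos = [], 0
    while pos < len(data):
        code, fl_len = struct.unpack_from("!II", data, pos)
        flags, length = fl_len >> 24, fl_len & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8
        if length < hdr or pos + length > len(data):
            raise ValueError("malformed AVP length")  # never trust a peer-supplied length
        vendor = struct.unpack_from("!I", data, pos + 8)[0] if flags & 0x80 else None
        avps.append((code, vendor, flags, data[pos + hdr:pos + length]))
        pos += length + (-length % 4)
    return avps

def decode_message(msg):
    ver_len, fl_cmd, app_id, hbh, e2e = struct.unpack_from("!IIIII", msg, 0)
    if ver_len >> 24 != 1 or (ver_len & 0xFFFFFF) != len(msg):
        raise ValueError("bad version or message length")
    return {"command_code": fl_cmd & 0xFFFFFF, "request": bool(fl_cmd & 0x80000000),
            "app_id": app_id, "hop_by_hop": hbh, "end_to_end": e2e, "avps": decode_avps(msg[20:])}

# Constructed S6a ULR: command code 316, 3GPP S6a application id 16777251; hosts, realms and PLMN are made up.
SAMPLE_ULR = encode_message(316, 16777251, [
    encode_avp(264, b"mme01.epc.mnc001.mcc001.3gppnetwork.org"),  # Origin-Host
    encode_avp(296, b"epc.mnc001.mcc001.3gppnetwork.org"),        # Origin-Realm
    encode_avp(283, b"epc.mnc002.mcc262.3gppnetwork.org"),        # Destination-Realm
    encode_avp(1407, b"\x62\xf2\x20", vendor_id=10415),           # Visited-PLMN-Id, 3GPP vendor AVP
])
```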
Peer discovery and routing
Diameter nodes maintain a peer table populated via static configuration or DNS-based discovery (S-NAPTR). Routing uses the Destination-Realm and Destination-Host AVPs. A Diameter Routing Agent (DRA) acts as an intermediary, forwarding messages between nodes that do not have direct peering relationships, an essential function in large operator networks and across the IPX for roaming.
The Update-Location procedure (S6a)
The S6a interface between the MME and HSS carries the subscriber's initial attach and all subsequent location updates. The core procedure:
- When a UE attaches, the MME sends an Update-Location-Request (ULR) to the HSS, identified by the subscriber's IMSI. The ULR includes the MME's identity, the visited PLMN ID, and capability flags.
- The HSS validates the IMSI, checks for roaming restrictions, and returns an Update-Location-Answer (ULA) containing the subscription data: APN configurations, QoS profiles, and the subscriber's authentication vectors.
- The MME stores the subscription data and proceeds with authentication using the vectors provided.
- On detach or handover, the MME sends the equivalent of a Cancel-Location-Request (CLR), a Purge-UE-Request (PUR), to inform the HSS that the subscriber has left.
This is the Diameter equivalent of MAP's Update-Location and Insert-Subscriber-Data procedures.
Architecture role
In 4G EPC, Diameter is what SS7 was to 2G/3G: the signalling layer that holds the core together. Every significant control-plane interaction between core nodes runs over a Diameter interface.
The MME is the central Diameter client in the mobility domain, connecting to the HSS via S6a for subscriber authentication and profile delivery and to the EIR via S13 for IMEI validation; its S10 interface to other MMEs runs over GTPv2 rather than Diameter.
The HSS is the Diameter server for subscriber identity and profile. It also speaks the Sh interface to application servers in the IMS domain and the Cx interface to the I-CSCF and S-CSCF for IMS registration.
The PCRF anchors policy and charging control. The Gx interface connects the PCRF to the PCEF (typically the P-GW), carrying policy decisions (QoS rules, charging rules) in both directions. The Gy interface carries online charging between the PCEF and the Online Charging System (OCS).
The DRA is not a signalling node in the functional sense: it does not generate or terminate Diameter sessions. It routes Diameter messages between nodes that lack direct peering, and is the critical intermediary for roaming Diameter traffic crossing the IPX.
In 4G EPC: The S6a interface is the primary authentication and mobility path. Every LTE subscriber attach generates ULR/ULA traffic on S6a. Compromise of this interface is equivalent to compromise of the HSS.
In 5G SA, the Diameter interfaces are replaced by HTTP/2-based Service Based Interface (SBI) calls between network functions. However, operators running non-standalone 5G (NSA) or maintaining 4G coverage alongside 5G retain full Diameter exposure. In hybrid networks, the HSS and UDM may coexist, with an HSS-to-UDM proxy bridging the two signalling worlds.
Key interfaces
| Interface | Between | Direction | Purpose |
|---|---|---|---|
| S6a | MME – HSS | Bidirectional | Auth, location update, subscription delivery |
| S6d | SGSN – HSS | Bidirectional | Same as S6a for 3G/GPRS attach via EPC HSS |
| S13 | MME – EIR | Request/response | IMEI equipment identity check |
| Gx | PCEF – PCRF | Bidirectional | Policy and charging rules |
| Gy | PCEF – OCS | Bidirectional | Online charging (credit control) |
| Sh | AS – HSS | Bidirectional | IMS application server subscriber data |
| Cx | CSCF – HSS | Bidirectional | IMS registration, auth, routing |
Security posture
Diameter's security model assumes that all peers are trusted nodes operated by cooperative operators. In a domestic network this assumption is reasonable: peering relationships are configured manually, and transport-layer protection via IPsec or TLS is achievable between known endpoints. In the roaming scenario it breaks down.
The IPX/GRX interconnect network connects hundreds of operators globally. Diameter messages for roaming subscribers must traverse this network, passing through DRAs operated by intermediate carriers. The base protocol does not authenticate message content: it trusts the Origin-Host and Origin-Realm AVPs as identity claims, with no cryptographic verification. A node on the interconnect can assert any Origin-Host identity and any realm.
This is structurally identical to the SS7 Global Title spoofing problem: the identity in the message is asserted by the sender and believed by the receiver. GSMA FS.19 attempts to address this with a category-based filtering framework analogous to FS.11 for SS7, but deployment is uneven across the industry.
The attack surface is narrower than SS7 in one respect: Diameter requires a session to be established before most operations can proceed, and the command codes are more granular than MAP operations. But the most damaging operations (location update, subscriber data retrieval, policy manipulation) are exactly the ones that legitimate roaming requires, making it difficult to distinguish attack traffic from normal roaming flows without deep contextual inspection.
Attack surface
Location disclosure via spoofed ULR
The Update-Location-Request command is the most abused Diameter message in the interconnect context. An attacker with access to the IPX sends a ULR to the target subscriber's HSS, asserting a plausible Origin-Realm and a foreign MME as Origin-Host. If the HSS does not validate the origin against IR.21 data, it returns a ULA containing the subscriber's serving MME identity.
The serving MME address maps directly to a geographic location: at minimum a city, often a specific cell site cluster.
Impact: Subscriber location disclosed to cell-level precision, without the subscriber's knowledge.
Difficulty: Medium. Requires IPX access and knowledge of the target subscriber's IMSI or MSISDN.
Subscriber data harvesting via SAR
Server-Assignment-Request (SAR) is used by the S-CSCF to register a subscriber with the HSS during IMS registration and to retrieve their IMS service profile. An attacker sending a spoofed SAR can retrieve the subscriber's full IMS profile: service triggers, filter criteria, and associated identities.
Impact: IMS service profile exposed, enabling targeted service disruption and identity correlation.
Difficulty: Medium. Requires familiarity with the Cx/Sh interface command set.
Subscriber denial of service via Cancel-Location
The Cancel-Location-Request (CLR) is sent by the HSS to the current serving MME when a subscriber registers with a new MME. A spoofed CLR causes the serving MME to deregister the subscriber, forcing a detach. The subscriber loses service until the UE re-attaches and triggers a new authentication cycle.
Impact: Targeted denial of service. Repeated CLRs prevent any sustained service.
Difficulty: Low. A single correctly formatted CLR is sufficient; no session state is required.
Policy manipulation via rogue PCRF impersonation
The Gx interface carries policy decisions from the PCRF to the PCEF. An attacker positioned as a rogue PCRF, or able to inject Gx messages via a compromised DRA, can install arbitrary QoS and charging rules on active PDP contexts. This enables targeted throttling, traffic redirection, or free-data exploitation.
Impact: Subscriber traffic manipulated; operator charging bypassed or corrupted.
Difficulty: High. Requires a position within the operator's internal Diameter mesh or compromise of a DRA.
Origin-Host spoofing to bypass realm-based routing
Diameter routers make forwarding decisions based on Destination-Realm. Origin-Host and Origin-Realm are asserted values with no cryptographic backing. An attacker can craft messages that appear to originate from any node in any realm, bypassing realm-based access controls on the receiving HSS or PCRF.
Impact: Enables all other attack classes. Realm validation is the primary control gate.
Difficulty: Low given IPX access. No additional capability required beyond the ability to send Diameter messages.
Mitigations
The primary defence is a Diameter Edge Agent (DEA) deployed at the boundary where the operator's Diameter network connects to the IPX. The DEA inspects and filters all inbound roaming Diameter traffic before it reaches internal nodes.
- GSMA FS.19 category filtering: FS.19 defines categories of Diameter messages by risk in the roaming context. A correctly configured DEA blocks Category 1 messages unconditionally and applies contextual validation to higher-numbered categories. Annex A maps specific command codes and application IDs to categories.
- Origin-Host and Origin-Realm validation: For messages arriving from roaming partners, validate the Origin-Realm against the expected realm for the originating network, and verify that Origin-Host is a plausible node identity for that operator. Cross-reference against IR.21 data maintained for each interconnect partner. GT-to-realm mapping is the Diameter equivalent of SS7's GT whitelist.
- Realm-based routing controls: Reject any message that claims the home realm as its Origin-Realm when arriving from an interconnect peer. Home realm assertions from foreign peers are always illegitimate and indicate either misconfiguration or an active attack.
- Mutual TLS or IPsec: Between directly peered Diameter nodes, enforce transport-layer mutual authentication. This does not solve the IPX transit problem (messages traverse third-party DRAs) but limits lateral movement within the operator's network if a peer is compromised.
- Anomaly detection on ULR and CLR volumes: A roaming partner generating ULR queries for subscribers who are not roaming to their network is performing subscriber surveillance. Establish per-realm baselines and alert on deviation. CLR messages from a realm that has not recently sent a ULR for the same subscriber are a reliable indicator of a denial-of-service attempt.
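An added example, not part of this page or of any vendor's DEA, of the Origin-Realm, Origin-Host and ULR/CLR correlation rules above expressed as a small inbound filter over decoded messages. HOME_REALM, PARTNERS (a stand-in for IR.21 data) and the sample traffic are constructed; the Cancel-Location command code 317 is the value registered in 3GPP TS 29.272.

```python
HOME_REALM = "epc.mnc001.mcc001.3gppnetwork.org"  # constructed home realm, not a real operator
# Constructed stand-in for IR.21 data: partner realm -> host-name suffixes the partner's nodes use.
PARTNERS = {"epc.mnc002.mcc262.3gppnetwork.org": ("epc.mnc002.mcc262.3gppnetwork.org",)}
ULR, CLR = 316, 317  # Update-Location-Request and Cancel-Location-Request command codes (3GPP TS 29.272)

class DiameterEdgeAgent:
    """Inbound interconnect filter for the realm, host and ULR/CLR correlation rules listed above."""

    def __init__(self, home_realm, partners, window=300):
        self.home_realm, self.partners, self.window = home_realm, partners, window
        self.seen_ulr = {}  # (origin realm, IMSI) -> timestamp of the last ULR seen from that realm

    def check(self, msg):
        """msg is a decoded message as a dict; returns (verdict, reason), verdict in accept/alert/reject."""
        realm, host, imsi = msg["origin_realm"], msg["origin_host"], msg.get("user_name", "")
        if realm == self.home_realm:
            return "reject", "home realm asserted by an interconnect peer"
        if realm not in self.partners:
            return "reject", "origin realm is not a known roaming partner"
        if not any(host == s or host.endswith("." + s) for s in self.partners[realm]):
            return "reject", "origin host is not a plausible node for this realm"
        key = (realm, imsi)
        if msg["command_code"] == ULR:
            self.seen_ulr[key] = msg["ts"]
        elif msg["command_code"] == CLR:
            last = self.seen_ulr.get(key)
            if last is None or msg["ts"] - last > self.window:
                return "alert", "CLR with no recent ULR for this subscriber from this realm"
        return "accept", ""

# Constructed sample traffic: a legitimate ULR then CLR, a CLR for a subscriber with no prior ULR,
# a foreign peer claiming the home realm, and an Origin-Host that does not belong to the partner realm.
P = "epc.mnc002.mcc262.3gppnetwork.org"

def message(ts, cmd, host, imsi, realm=P):
    return {"ts": ts, "command_code": cmd, "origin_realm": realm, "origin_host": host, "user_name": imsi}

SAMPLE = [
    message(100, ULR, "mme1." + P, "262020123456789"),
    message(130, CLR, "hss1." + P, "262020123456789"),
    message(140, CLR, "hss1." + P, "262029999999999"),
    message(150, ULR, "mme1." + HOME_REALM, "262020123456789", realm=HOME_REALM),
    message(160, ULR, "mme1.example.net", "262020123456789"),
]

def run(messages):
    """Run the messages through one DEA instance in order and return the verdicts."""
    dea = DiameterEdgeAgent(HOME_REALM, PARTNERS)
    return [dea.check(m)[0] for m in messages]
```

The correlation state is per DEA instance, so in a real deployment the (realm, IMSI) table would need to be shared across DEA nodes and aged out with the same window.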
Spec references
- RFC 6733 – The IETF Diameter base protocol specification. Section 4 defines the message format and AVP encoding. Section 6 defines the peer state machine. Section 8 defines the routing architecture. Essential foundation before reading any 3GPP Diameter application spec.
- 3GPP TS 29.272 – The normative spec for Diameter on the S6a, S6d, and S13 interfaces. Section 5 defines the command codes; Section 7 defines the AVPs. The primary reference for MME-HSS and MME-EIR signalling.
- 3GPP TS 29.212 – Policy and Charging Control reference points. Defines the Gx and Gy interfaces between PCEF, PCRF, and OCS. Section 4 defines the architecture; Section 5 defines the procedures and command codes.
- GSMA FS.19 – The GSMA's Diameter interconnect security guidelines. The operational reference for DEA configuration and category-based filtering. Section 3 defines the threat model; Section 5 defines the countermeasures; Annex A maps command codes to risk categories.
Related topics
Diameter is the direct successor to MAP for subscriber management: the S6a interface replicates the mobility and authentication functions that MAP carried over SS7. For the signalling transport layer, Diameter shares the same SCTP underpinnings as SIGTRAN and operates in the same interconnect environment as SS7.
In the 4G core, Diameter is inseparable from the 4G EPC architecture. The MME and HSS are its primary nodes; the DRA is its routing backbone. In the IMS domain, the Cx and Sh interfaces connect Diameter to the IMS service layer alongside SIP.
For the security dimension, see Diameter attacks for the full attack taxonomy, and Signalling firewall for the primary defence; the DEA is the Diameter equivalent of the SS7 firewall.