Overview
The DRA β Diameter Routing Agent β is the central signalling hub in a 4G EPC Diameter network, analogous to the STP in an SS7 network. Rather than requiring every core node to maintain direct Diameter peerings with every other node β an unmanageable mesh as the number of nodes grows β each node peers with the DRA, which routes messages to the appropriate destination based on message content, subscriber identity, and routing policy.
Diameter defines three routing agent roles: Relay Agent (forwards messages without modification), Proxy Agent (may modify messages and enforce policy), and Redirect Agent (returns the destination address and instructs the sender to connect directly). The DRA most commonly operates in proxy or relay mode for intra-PLMN traffic, handling the S6a interface between MMEs and the HSS, the Gx interface between Policy and Charging Enforcement Functions and the PCRF, and the Gy interface to the Online Charging System.
For roaming, the DRA is the anchor of the inter-PLMN Diameter interconnect. The S9 interface connects a visited network's PCRF to the home network's PCRF for policy coordination. This interface transits the IPX/GRX network via DRA-to-DRA peerings β the direct Diameter equivalent of the international STP in SS7. A Diameter Edge Agent (DEA), typically a hardened DRA variant, sits at this boundary to apply security policy.
The DRA has no 5G-native equivalent β in 5G SA networks, the Service-Based Interface uses HTTP/2 with TLS and mutual authentication, routing handled by the NRF service discovery mechanism. However, hybrid 4G/5G deployments maintain DRA infrastructure to serve ongoing 4G EPC signalling.
How it works
The DRA operates as a Diameter proxy or relay: it receives Diameter requests, selects an appropriate destination, and forwards the message. The selection logic is the DRA's core value β and its complexity.
Intra-PLMN routing
For traffic within the operator's network (e.g., MME to HSS on S6a), the DRA receives an Authentication-Information-Request from an MME, identifies the target HSS based on the IMSI in the User-Name AVP, selects the least-loaded HSS in the pool, and forwards the request. It appends a Route-Record AVP to the message identifying itself, ensuring that the HSS response can be routed back through the same DRA. This stateless routing approach avoids the need for the DRA to maintain per-session state.
For session-bearing interfaces like Gx (policy), the DRA must perform session binding β ensuring that all Diameter messages for a given subscriber's PDP context/bearer reach the same PCRF instance. The DRA maintains a session binding table keyed on Session-Id, mapping each active subscriber session to its designated PCRF. Without this, a Credit-Control-Request for an existing session could be misrouted to a different PCRF instance that has no session context.
Inter-PLMN routing (S9 and roaming)
When a roaming subscriber's visited PCRF (vPCRF) needs to communicate with the home PCRF (hPCRF) for policy decisions, it sends a Diameter message over the S9 interface. This message must traverse the IPX/GRX network from the visited network's DRA to the home network's DRA. The visited DRA resolves the home network based on the Destination-Realm AVP (containing the home PLMN's Diameter realm), looks up the appropriate IPX peering, and forwards the message. The home DRA receives it, validates the origin, and routes it to the hPCRF.
A Diameter Edge Agent (DEA) at this boundary additionally inspects the message content, applies GSMA FS.19 security categories, and rejects messages that violate the policy β for example, blocking a request that claims to originate from the home network but arrived from a foreign interconnect peer.
Redirect mode
In some deployments, the DRA operates in redirect mode: rather than forwarding the message, it returns a Redirect-Host AVP instructing the originating node to connect directly to the target. This reduces DRA load by eliminating the DRA from the ongoing message exchange after the initial discovery step. It is appropriate for long-lived sessions but not for inter-PLMN traffic where the DRA must remain in the path for security enforcement.
Architecture role
The DRA occupies the same topological position in 4G Diameter signalling that the STP occupies in 2G/3G SS7 signalling. Its deployment scale reflects the growth of LTE: a national 4G network may have millions of active subscribers each with multiple Diameter sessions (authentication, policy, charging), requiring a high-capacity DRA cluster at the core.
S6a (MME β HSS): The most critical DRA-mediated interface. Every LTE subscriber attach, location update, and authentication request passes over S6a. The DRA pools these requests across multiple HSS nodes for load distribution and failover.
Gx (PCEF β PCRF): Policy interface used by the P-GW to obtain per-bearer QoS rules and charging policies. The DRA performs session binding to ensure that all Gx messages for a subscriber's active session reach the same PCRF. Failure here can result in policy inconsistency or bearer drops.
Gy (P-GW β OCS): Online charging interface. Real-time credit control requests pass through the DRA to the Online Charging System. High throughput and low latency requirements make this interface particularly sensitive to DRA processing overhead.
S9 (vPCRF β hPCRF): The inter-PLMN policy interface for LTE roaming. The DRA with DEA function at the PLMN boundary is the security enforcement point for all inbound and outbound S9 traffic.
Key interfaces
| Interface | Between | Protocol | Purpose |
|---|---|---|---|
| S6a | MME β HSS (via DRA) | Diameter/SCTP | Authentication, location update, subscription download |
| S6d | SGSN β HSS (via DRA) | Diameter/SCTP | 3G to 4G HSS for UMTS subscribers using Diameter |
| S9 | vPCRF β hPCRF (via DRA) | Diameter/SCTP | Inter-PLMN policy coordination for roaming subscribers |
| Gx | PCEF/P-GW β PCRF | Diameter/SCTP | Policy and charging rules download and enforcement |
| Gy | P-GW β OCS | Diameter/SCTP | Online charging; real-time credit control |
| Sh | AS β HSS | Diameter/SCTP | User profile access for IMS application servers |
| Cx | CSCF β HSS | Diameter/SCTP | IMS registration and authentication via HSS |
Security posture
The DRA has a high threat level for the same structural reason as the STP: it is the transit node through which all Diameter signalling flows, and Diameter offers only weak inter-node authentication. Diameter's TLS and IPsec transport security protects individual peering links, but does not authenticate the content of messages that originate from a remote realm and arrive via an intermediate DRA.
The trust model of the inter-PLMN Diameter interconnect assumes that each DRA correctly identifies the source realm of messages it forwards. A malicious DRA that lies about the Origin-Realm of a message it forwards can cause the receiving node to apply incorrect trust decisions β for example, accepting a subscriber management message that claims to be from the home realm when it actually originates from a foreign interconnect partner.
GSMA FS.19 addresses this problem through category-based filtering at the DEA: messages are classified by type and origin, and those that claim to be intra-PLMN traffic but arrive on an inter-PLMN link are blocked.
Attack surface
Subscriber data harvesting via spoofed ULR
The Update-Location-Request (ULR) on S6a updates the HSS with the subscriber's current serving MME. A DRA that proxies a spoofed ULR can redirect the HSS to deliver subscriber profile data (including authentication vectors) to an attacker-controlled MME address.
Impact: Subscriber identity and authentication material disclosure. Difficulty: Medium. Requires access to the Diameter interconnect and knowledge of IMSI.
Policy bypass via forged Gx messages
If an attacker can inject a forged Credit-Control-Answer (CCA) on the Gx interface with a modified Policy and Charging Control (PCC) rule set, the P-GW may apply permissive QoS or charging rules β for example, granting unlimited bandwidth or suppressing charging for a subscriber.
Impact: Revenue loss; policy enforcement bypass; potential for targeted service manipulation. Difficulty: Medium. Requires access to the Gx path.
DRA as attack transit
An interconnect DRA that does not apply FS.19 category filtering passes inter-PLMN Diameter attacks transparently. A foreign DRA that allows a connected operator to send arbitrary ULR messages into the home network's DRA is the Diameter equivalent of a misconfigured international STP.
Impact: All S6a-facing HSS operations are reachable from the foreign interconnect. Difficulty: Low if the interconnect DRA is permissive.
Mitigations
-
Diameter Edge Agent (DEA) at the PLMN boundary: The DEA is a DRA with security enforcement functions. It applies GSMA FS.19 category-based filtering to all inter-PLMN Diameter traffic, blocking message types that cannot legitimately originate from a roaming partner (e.g., Insert-Subscriber-Data from a foreign realm).
-
Origin-Host and Origin-Realm validation: Validate that the Origin-Host and Origin-Realm AVPs in inter-PLMN messages match a known peer from IR.21. Messages claiming to originate from the home realm that arrive on an inter-PLMN link should be rejected.
-
S9 peering whitelisting: Restrict inter-PLMN DRA peerings to known roaming partners. Unrecognised Diameter peers attempting to establish a connection to the DRA on the inter-PLMN interface should be rejected at the TLS/SCTP level.
-
Session binding validation: Ensure the DRA's session binding table is reconciled with active bearer state. Orphaned session entries should time out and be removed to prevent exploitation via stale session hijacking.
-
Anomaly detection on S6a volumes: Monitor ULR and Authentication-Information-Request volumes per interconnect partner. Spikes outside normal roaming patterns indicate a mass harvesting or attack campaign.
Spec references
-
RFC 6733 β Diameter Base Protocol. Sections 6 and 13 define the routing agent model (relay, proxy, redirect) and the Diameter routing AVPs (Route-Record, Proxy-Info, Destination-Host, Destination-Realm) that the DRA processes.
-
3GPP TS 29.272 β EPS Diameter interfaces. Defines S6a and S6d command codes and AVPs β the primary DRA-mediated interfaces for subscriber management.
-
3GPP TS 29.215 β Policy and Charging Control over S9. Defines the inter-PLMN PCRF-to-PCRF interface that the DRA routes for roaming subscribers.
-
GSMA FS.19 β Diameter Interconnect Security. The primary operational reference for DRA/DEA security configuration. Sections 3 and 5 define the Diameter threat categories; Annex A maps message types to risk categories for firewall configuration.
Related topics
The DRA routes Diameter messages between MME, HSS, PCRF, and other 4G core nodes. It is the 4G architectural successor to the STP for signalling routing, and supersedes the STP's role at the international interconnect boundary.
For roaming Diameter traffic, the DRA interfaces with the GRX/IPX roaming architecture. The security framework governing inter-PLMN Diameter is GSMA FS.19, and the primary threat taxonomy is the Diameter equivalent of SS7 attacks.