Next-gen telco protocol Diameter has last-gen security – researchers

Some of the well-known weaknesses of SS7 Roaming Networks have been replicated in the next-gen telco protocol, Diameter. Diameter will be used for roaming connections of LTE/LTE-A mobile networks. The protocol is designed for trusted environments – roaming interconnection interfaces between providers – but the "walled garden" …

  1. Anonymous Coward

    Diameter

    ..with *twice* the number of security holes as RADIUS!

    More seriously, WTF is *anyone* designing a protocol for only "trusted network" use these days. The only advantage over untrusted networks is that the logfiles that need to be monitored will produce smaller amounts of output.

    1. TonyHoyle

      Re: Diameter

      Technically it wasn't designed 'these days'. Diameter (RFC3588) dates from 2003. Which probably makes it dangerously modern by telco standards..

      1. Anonymous Coward

        Re: Diameter

        Relax, its design started back in 1998, they just didn't rush into the RFC process with any sense of urgency. Perfectly reasonable for the Telco industry to deploy a 20 year old protocol that was obsolete a decade ago to replace one from 1991. One fun note is that Diameter appears to have started about a year after the RADIUS protocol's first big RFC (2058) dropped.

        I can only assume it took the original team 50 weeks to stop screaming and crying inconsolably and then spent the last 2 weeks trying to bang out a replacement.

        Something about early 90's protocols always made them turn out like CORBA. Say what you will about Diameter, it is WAY less CORBAish than RADIUS is. RADIUS and SNMP both cause a spastic twitch at the base of my spine whenever I think about them too hard.

        1. handleoclast

          Re: Diameter

          RADIUS and SNMP both cause a spastic twitch at the base of my spine whenever I think about them too hard.

          The thing I dislike about SNMP is that it seems to use anti-Huffman encoding. A query for a simple, common piece of functionality needs a byte string along the lines of 3.1.4.1.5.9.2.6.5.3.5.8.9.7.9.3.2.3.8.4.6.2.6.4.3.3.8.3.2.7. So much for efficiency. Security isn't much better than the efficiency, at least not until version 3.

          The only good thing about SNMP is that it relies on MIBs. Amusing films, those. Then again, it's rare to encounter any equipment that doesn't ignore the public MIB and define its own, even for stuff that's already in the public MIB. Gah!

          Anybody else notice that the last time the "S" in an internet protocol really meant simple was SMTP (the original, not the extended versions)? Or that the "L" in an internet protocol has never meant lightweight? LDAP, I'm looking at you. Sorta like the way "democratic" or "people's" in a country name meant that they were in no way republics. And if you ever got "democratic people's republic" it was a place to steer well clear of. I reckon if you see an internet protocol name starting "simple lightweight" you should run for the hills.

    2. Dave Pickles

      Re: Diameter

      "..with *twice* the number of security holes as RADIUS!"

      So the secure version will be called Circumference?

  2. Anonymous Coward

    The Only Secure Mobile Phone

    Is a mobile phone switched off.

    Telecom technology is by now wholly insecure from the backbone to the end user devices.

    Whoever likes to hack it can have a go. Not just your local state snoopers.

    1. John Smith 19

      "The Only Secure Mobile Phone..Is a mobile phone switched off."

      You wish.

      Now pull the battery out (if you can) and you're talking.

    2. Christian Berger

      Networks cannot provide "security"

      As obviously everyone can just sniff the lines, and the network provided encryption has encryption keys inside the network.

      The big problem is billing, you could be falsely billed for something.

  3. GnuTzu

    SS7 Needs A Filtering API

    When I first learned about SS7, it seemed that it was strictly internal to the telco infrastructure. Then came ISDN and wireless, and the translation from those technologies into SS7 is way too direct. Someone needs to start work on some manner of Proxy/Adapter to restrict and filter that translation--because there's always going to be a problem regulating what cell phone handsets send over the air. It should be filtered before it gets into the SS7 network--and bad actors should be detected and logged. And, if they think they're already doing this, then they're obviously not doing it right.

  4. EnviableOne

    So DIAMETER is not in the process of replacing RADIUS, most of the features have been back ported and no-one can be bothered to change, as RADIUS is a great AAA protocol, it's not really a signaling protocol.

    SS7 is more analogous to something like PPP and needs something on the top to handle the secure access and connections. The suite's hole between layer 4 and 6 should be what's handling this.

    Session and Presentation layer protocols tend to handle this in most networks, allowing the transport and network layers to efficiently move and route traffic.

    So basically they are trying to replace a routing protocol with an AAA protocol, so this is going to end well.

  5. Richard Conto

    Good grief. I was there for the original RADIUS hack (and added a few odd hacks of my own.)

    It was for Internet of Things like devices before there was an Internet of Things.

    I was there when Diameter was trying to get off the ground - but stayed out of it since I was stuck supporting legacy code - in 2003.

    The only good thing I could have said about Diameter before this is that it didn't have a large installed base.
