
Overview

The GSMA PRD IR.88 – "LTE Roaming Guidelines", 3.1, 17 February 2011 describes the Diameter Edge Agent (DEA) roaming capabilities in the context of implementing the DEA on the boundary between two interconnected roaming partners.

Note

For more information about GSMA PRD IR.88 – "LTE Roaming Guidelines", 3.1, 17 February 2011, refer to Supported Standards.

When deployed as a DEA (see the following figure), the DSC adheres to GSMA specifications (as defined in IR.88) by providing the following capabilities:

  • a single point of contact into a mobile service provider's network
    • prevents the export of network topologies
    • provides a powerful set of routing and screening functions to protect the network
  • Topology Hiding
  • Diameter-level firewall to protect the network
  • route or screen on any message
  • route or screen on any Attribute-Value Pair (AVP)
  • operate as either a Diameter Relay or a Diameter Proxy

Diameter Edge Agent

Topology Hiding

GSMA PRD IR.88 – "LTE Roaming Guidelines", v15.0, 03 November 2016 recommends that a DEA should be able to perform Topology Hiding, that is, to remove Diameter Identity information that is not required outside the local realm. The DSC provides topology hiding according to these requirements as a configurable option.

For more information about topology hiding, refer to Topology Hiding.

Routing Messages in the DEA

The DSC contains powerful routing tables that can be used to make DEA message routing more efficient. For example, assume that a carrier has a direct connection to another carrier's DEA, along with connections to two different IPX providers, and that the carrier wants to direct traffic based on where each message is going. A message destined for the other carrier routes directly because the realm is known. For other destinations, the carrier can choose one IPX over the other. The following figure shows an example of these DEA routing choices. This scenario is a simple configuration in the DSC routing tables.

For information about configuring DSC routing tables, refer to Configuring Ribbon DSC Routing Tables.

Example of DEA Routing Choices

Diameter-level Screening in a DEA Environment

The DSC is equipped with an IP firewall. Most carriers choose to deploy a firewall between the internal and outside IP networks. This security measure lets the DSC examine the Diameter traffic more effectively and frees it from concerns about lower-level Denial-of-Service attacks.

Beyond the IP firewall, most carriers want to implement routing and screening at the Diameter-level to determine who can enter the network and from where.

The following figure depicts the use of Diameter screening in a DEA roaming environment. In this figure, assume that the DEA must allow all connections between dea.local.com and dea.adjacent.com, and all connections between dea.local.com and gw.ipx.com. However, even if traffic from gw.untrusted.com is sent through a trusted source such as gw.ipx.com, the DSC can reject this traffic. No direct connections from untrusted.com or from the inner network elements of other realms are allowed; such connections must therefore be made through the DEA. This restriction forces all external Diameter signaling traffic to local.com through dea.local.com, and limits the types of attacks on dea.local.com and other entities in local.com.

Use of Diameter Screening in a DEA Roaming Environment

For more information about configuring the DSC firewall, refer to Security and Firewall.
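The screening decision described above can be sketched as follows. This is an added example, not DSC code or DSC configuration syntax: it assumes the check is made on the connecting peer plus the Origin-Host, Origin-Realm and Route-Record AVPs (RFC 6733 codes), and `screen`, `parse_avps`, `in_realm` and `build` are hypothetical names.

```python
import struct

# Base-protocol AVP codes from RFC 6733.
ORIGIN_HOST, ROUTE_RECORD, ORIGIN_REALM = 264, 282, 296
# Assumed policy, taken from the scenario above: only these peers may connect
# to dea.local.com, and this realm is refused however its traffic arrives.
ALLOWED_PEERS = {"dea.adjacent.com", "gw.ipx.com"}
DENIED_REALMS = {"untrusted.com"}

def parse_avps(msg: bytes) -> list:
    """Return (code, data) for each top-level AVP after the 20-byte header."""
    avps, pos = [], 20
    while pos + 8 <= len(msg):
        code, flags_len = struct.unpack_from("!II", msg, pos)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8        # V bit adds a Vendor-Id field
        if length < hdr or pos + length > len(msg):
            raise ValueError("malformed AVP length")
        avps.append((code, msg[pos + hdr:pos + length]))
        pos += (length + 3) & ~3               # AVPs are padded to 4 bytes
    return avps

def in_realm(host: str, realm: str) -> bool:
    return host == realm or host.endswith("." + realm)

def screen(peer: str, msg: bytes) -> str:
    """Return 'ACCEPT' or a 'REJECT: reason' string for one message."""
    if peer not in ALLOWED_PEERS:
        return "REJECT: peer not allowed"
    try:
        avps = parse_avps(msg)
    except ValueError:
        return "REJECT: malformed message"
    for code, data in avps:
        if code in (ORIGIN_HOST, ORIGIN_REALM, ROUTE_RECORD):
            ident = data.decode("ascii", "replace").lower()
            if any(in_realm(ident, r) for r in DENIED_REALMS):
                return f"REJECT: {ident} seen in AVP {code}"
    return "ACCEPT"

def build(avps: list) -> bytes:
    """Encode (code, string) pairs as a sample S6a request (constructed input)."""
    body = b""
    for code, val in avps:
        data = val.encode()
        body += struct.pack("!II", code, (0x40 << 24) | (8 + len(data)))
        body += data + b"\0" * (-len(data) % 4)
    head = struct.pack("!II", (1 << 24) | (20 + len(body)), (0x80 << 24) | 316)
    return head + struct.pack("!III", 16777251, 1, 1) + body
```

Checking Route-Record as well as the Origin AVPs is what catches a message that a trusted peer relayed on behalf of the denied realm.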


