Diameter is an end-to-end secure protocol. The Diameter protocol MUST provide a security mechanism, either TLS or IPsec. In a Diameter deployment a Diameter client MUST support IPsec and MAY support TLS, while Diameter servers MUST support both TLS and IPsec. Both are mandatory on the server because any client may send a request regardless of whether it supports IPsec or TLS, so the server must support both.
The IPsec mechanism is primarily used for intra-domain traffic, i.e. within the same administrative domain, while TLS is primarily used for inter-domain traffic.
Before going into the details of these security mechanisms we will first look at the threats to Diameter messages. The basic issues for which security is needed are integrity, confidentiality and replay; replay is the major one.
A replay attack occurs when somebody (an untrusted proxy or Diameter agent) intercepts a series of packets and uses them later, either to flood the system and cause a denial of service (DoS), or to gain entry to the trusted network.
Solution of Replay
To overcome the problem of replay it is necessary to identify each packet uniquely. In some implementations a unique number from a given range is allotted to each message, and it is ensured that this number cannot be tampered with during transmission. Once a node receives a message carrying a number it has already received, the message is rejected immediately.
Now we will see how these security mechanisms work to secure the whole Diameter message end-to-end.
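The following is an added example, not code from the original post or from any Diameter implementation, showing the replay defence described above in working form: a receiver that accepts each sequence number at most once, keeps a sliding window so it can discard very old numbers without unbounded state, and checks an integrity tag before trusting the number. The 32-bit sequence field, the 64-entry window and the HMAC-SHA256 tag with a constructed shared key are assumptions of this example; in a real deployment the integrity protection comes from TLS, DTLS or IPsec rather than from an application-level HMAC.

```python
import hashlib
import hmac
import struct

# Constructed sample key (assumption of this example, not a real deployment value).
KEY = b"constructed-demo-key"
SEQ_BITS = 32                # assumed width of the per-message sequence number
SEQ_RANGE = 1 << SEQ_BITS
WINDOW = 64                  # assumed: how far behind the newest number we still accept
TAG_LEN = 32                 # HMAC-SHA256 digest length


def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: 4-byte sequence number || payload || HMAC-SHA256 tag."""
    header = struct.pack("!I", seq % SEQ_RANGE)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class ReplayFilter:
    """Receiver side: sliding-window anti-replay check (same idea as the IPsec ESP window)."""

    def __init__(self, key: bytes = KEY, window: int = WINDOW):
        self.key = key
        self.window = window
        self.highest = -1      # highest sequence number accepted so far
        self.seen = set()      # accepted numbers still inside the window

    def accept(self, message: bytes):
        """Return (ok, reason, payload). payload is None when the message is rejected."""
        if len(message) < 4 + TAG_LEN:
            return False, "too short", None
        header, body, tag = message[:4], message[4:-TAG_LEN], message[-TAG_LEN:]

        # Verify integrity first, so a tampered sequence number is never trusted.
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad integrity tag", None

        seq = struct.unpack("!I", header)[0]
        if seq in self.seen:
            return False, "replay", None           # already received: reject immediately
        if seq <= self.highest - self.window:
            return False, "too old", None          # fell out of the window long ago

        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            # Drop numbers that have now left the window so state stays bounded.
            self.seen = {s for s in self.seen if s > self.highest - self.window}
        return True, "ok", body


def demo():
    """Constructed exchange: fresh messages pass; a replayed capture and a tampered copy fail."""
    f = ReplayFilter()
    m1 = protect(1, b"CER")
    m2 = protect(2, b"CEA")
    results = [f.accept(m1)[1], f.accept(m2)[1], f.accept(m1)[1]]
    # A copy whose sequence number was rewritten in transit fails the integrity check,
    # so it can never be used to slip a re-sent message past the duplicate check.
    tampered = struct.pack("!I", 3) + m2[4:]
    results.append(f.accept(tampered)[1])
    return results


if __name__ == "__main__":
    print(demo())
```

The window is what keeps the receiver's memory bounded: it only remembers numbers within the last 64 of the highest one accepted, and anything older than that is rejected outright, so an attacker cannot replay an ancient capture once the window has moved on. This simple version does not handle the 32-bit counter wrapping around; a production receiver would rekey or use an extended sequence number before that happens.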
IPsec (Within same domain) [Obsoleted]
RFC 6733 (the latest Diameter base specification) now says that TLS is to be used when two nodes communicate over a TCP transport connection, and DTLS when they communicate over an SCTP transport connection. Support for IPsec is no longer required.
Your comments, suggestions and questions are always welcome. I will try to clarify doubts to the best of my knowledge, so feel free to post questions.