Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Participant Access Control in IP Multicasting

778 views

Published on

Participant Access Control in IP Multicasting

Published in: Internet
  • Be the first to comment

  • Be the first to like this

Participant Access Control in IP Multicasting

  1. 1. Participant Access Control in IP Multicasting Salekul Islam (salekul@cse.uiu.ac.bd) United International University (UIU) Dhaka, Bangladesh
  2. 2. Outline of the presentation 24-May-14 Participant Access Control in IP Multicasting 2 Sender Access Control PANA, IKEv2 and IPsec SA Receiver Access Control IGMP with Access Control (IGMP-AC) PIM-SM Routers build the data distribution tree IGMP End hosts join/leave a multicast group IP Multicast Secure Multicast: Protects multicast data and control messages. Why it fails to provide access control? Access Control Architecture Access Control: Authentication, Authorization & Accounting Participant: Receivers & Sender(s)
  3. 3. Protocols Involved in IP Multicast •  Internet Group Management Protocol (IGMP) o  IGMPv3 has been standardized by the IETF o  End hosts inform the neighboring router(s) about the multicast group memberships using IGMP o  Two types of messages: Query and Report •  Protocol Independent Multicast - Sparse Mode (PIM-SM) o  Depends on underlying unicast routing information base o  Builds unidirectional shared trees o  Optionally creates shortest-path trees per source. 24-May-14 Participant Access Control in IP Multicasting 3
  4. 4. IGMP Query Message 24-May-14 Participant Access Control in IP Multicasting 4 Querier Query Message Directly connected Access Router (AR) AR AR CR
  5. 5. IGMP Report Message 24-May-14 Participant Access Control in IP Multicasting 5 Querier Directly connected Access Router (AR) AR AR CR Receiver 1 Receiver 2 Report Messages
  6. 6. IP Multicast Service Model 24-May-14 Participant Access Control in IP Multicasting 6 AR1 AR2 AR3CR3 Sender Receivers End Users Routing Protocol (PIM-SM) Builds DDT IGMP Messages User Joins/Leaves Sends multicast data Data forwarding using DDT CR1 CR2 CR3 DDT: Data Distribution Tree
  7. 7. Multicast-based Applications 24-May-14 Participant Access Control in IP Multicasting 7 Number of Participants Applications One-to-many (single sender multiple receivers) • Scheduled audio/video distribution • Push media: news headlines, weather updates • File distribution and caching • Announcements: multicast session, key updates • Monitoring: stock prices, sensor equipment Many-to-many (multiple senders multiple receivers) • Multimedia conferencing • Synchronized resources • Distance learning with input from receivers • Multi-player games Many-to-one (multiple senders single receivers) • Resource discovery • Auctions • Polling
  8. 8. Multicast Service Model: Vulnerabilities 24-May-14 Participant Access Control in IP Multicasting 8 AR1 AR2 AR3CR3 Sender Receivers End Users CR1 CR2 CR3 AR4 AR1 IGMP Join Routing Protocol Join Adversary Receiver Forged data Adversary Sender IP multicast model: • Multicast groups are open • Any one can join any one can send
  9. 9. Motivation: Revenue Generation Architecture •  Secure Multicasting is composed of o  Protecting control messages—routing protocol specific (secured IGMP and PIM-SM) o  Protecting multicast data—encryption and authentication (IETF standardized TESLA ) •  Significant progress of securing multicasting fails to happen in large scale commercial deployment •  A revenue generation architecture considers o  Participant access control—AAA for sender(s) and receivers o  Policy enforcement o  E-commerce communications 24-May-14 Participant Access Control in IP Multicasting 9
  10. 10. Why Access Control? •  Effects of forged IGMP messages o  Join message pulls distribution tree, may create DoS o  Leave message prunes distribution tree, prevents legitimate users from receiving o  IGMP security—only authenticates IGMP messages •  Attacks by a forged sender o  Replay attack o  Sender address spoofing attack o  May create DoS •  Secure Multicast (Group Key Management) fails to prevent these attacks 24-May-14 Participant Access Control in IP Multicasting 10
  11. 11. How to deploy access control? •  Receiver access control for a secured group o  While joining/leaving o  Changing reception state at ARs •  Sender access control for a secured group o  Sending data 24-May-14 Participant Access Control in IP Multicasting 11 Coupling access control with IGMP Per-packet cryptographic protection at AR
  12. 12. Sender Access Control •  AAA for sender(s) •  Per-packet protection Data Distribution Control •  Protects distribution tree from forged sender •  Not routing protocol security Receiver Access Control •  AAA for receivers/EUs Overview of Access Control Architecture 24-May-14 Participant Access Control in IP Multicasting 12 AR1 AR2 AR3CR3 CR1 CR2 Sender Receivers EUs
  13. 13. Unicast Access Control and Authentication •  Access Control is achieved by AAA framework o  RADIUS—older version, with limited functionalities o  Diameter—next generation AAA protocol •  Extensible •  Large AVP •  Agent support •  For authentication IETF has designed o  Extensible Authentication Protocol (EAP) o  Protocol for carrying Authentication for Network Access (PANA)—EAP lower layer 24-May-14 Participant Access Control in IP Multicasting 13
  14. 14. Authentication, Authorization and Accounting (AAA) Framework 24-May-14 Participant Access Control in IP Multicasting 14 AAA protocol AAA Server Authentication Authorization Accounting NAS AAA Client End User Network End User Database Requesting access to network EU credentials Accept Access is granted NAS: Network Access Server
  15. 15. Extensible Authentication Protocol (EAP) 24-May-14 Participant Access Control in IP Multicasting 15 EAP Request1 EAP Response1 EAP Request2 EAP ResponseN Diameter (EAP ResponseN) Diameter (EAP Success) EAP Success NAS/ EAP Authenticator AAA Server EAP Server EAP Diameter (EAP) End User EAP Peer §  EAP summary -  Authentication framework -  Multiple authentication -  EAP methods -  Four EAP messages Request, Response Success, Failure (Initiate EAP) By peer or authenticator Authenticator to peer Peer to authenticator Diameter (EAP Response1) Diameter (EAP Request2) Encapsulated over Diameter
  16. 16. Key Challenges for Access Control •  The most generic architecture o  Deployable for multi-domain distributed groups o  Supports wide range of authentication o  Independent of routing protocol o  Supports both ASM and SSM •  A scalable solution o  Minimum workload for on-tree routers and end hosts o  A distributed solution (e.g., using AAA) •  Reuse standard frameworks/protocols o  Fits easily in the existing Internet service model o  Will reduce the work of service providers 24-May-14 Participant Access Control in IP Multicasting 16
  17. 17. Out of the scope NAS NAS Access Control Architecture 24-May-14 Participant Access Control in IP Multicasting 17 AR1 AR2 AR3CR3 CR1 CR2 Sender End Users AAAS Participants Database & Policy Server Updates Registration GO/MR FI Diameter IGMP Carrying EU auth. info
  18. 18. NAS Receiver Access Control using IGMP-AC 24-May-14 Participant Access Control in IP Multicasting 18 AR1 AR2 AR3 CR1 CR2 CR3 End Users Sender IGMP-AC (EAP) IGMP with Access Control (IGMP-AC) •  Extended version of IGMPv3 •  Encapsulates EAP packets •  Verification using SPIN •  Validation using AVISPA AAA ServerParticipants Database Diameter (EAP)
  19. 19. EAP auth End User Authentication using Extensible Authentication Protocol (EAP) 24-May-14 Participant Access Control in IP Multicasting 19 EAP method EAP peer EAP layer IGMP-AC Lower layers EAP peer IGMP-AC EAP layer Lower layers EAP auth EAP layer AAA/IP EAP method EAP auth EAP layer AAA/IP EU/ Peer AR/Authenticator/NAS AAA Server EAP Encapsulation over IGMP-AC
  20. 20. Protocol for carrying Authentication for Network Access (PANA) 24-May-14 Participant Access Control in IP Multicasting 20 PaC (EU) PAA (NAS/AR) AS (AAAS) EP (AR) SNMP/ API PANA RADIUS/ Diameter IKE PaC : PANA Client AS : Authentication Server EP : Enforcement Point PAA : PANA Authentication Agent §  PANA summary -  Network access protocol -  Works as EAP lower layer -  Four entities: PaC, PAA, AS, EP
  21. 21. Sender Access Control 24-May-14 Participant Access Control in IP Multicasting 21 AR1 AR2 AR3 CR1 CR2 CR3 PANA (EAP) AAA Server End User Sender IKEv2 IPsec SA NAS IKE-pre- shared-Key 1. Anti-replay 2. Prevents source address spoofing 3. Minimizes DoS AAA-Key PaC-EP- Master-Key IKE-pre- Shared-Key
  22. 22. More about access control in multicast •  This is a brief description of our work in this area •  What else we have done? o  Policy framework o  Inter-domain access control architecture based on Diameter agents o  Data distribution control using multicast SA o  Mobile multicast: receiver access control & secured handoff 24-May-14 Participant Access Control in IP Multicasting 22
  23. 23. Conclusion: Present status •  A set of Internet Drafts have been written and presented to bring our ideas at the IETF o  J. William Atwood, Salekul Islam and Bing Li “Requirements for IP Multicast Receiver Access Control”, IETF Internet Draft, draft-atwood-mboned-mrac-req-00, 2014. o  J. William Atwood, Bing Li and Salekul Islam “Architecture for IP Multicast Receiver Access Control”, IETF Internet Draft, draft-atwood-mboned-mrac-arch-00, 2014. 24-May-14 Participant Access Control in IP Multicasting 23
  24. 24. Other Publications 1.  Salekul Islam and J. William Atwood, "Sender Access and Data Distribution Control for Inter-domain Multicast Groups", Computer Networks, Vol. 54, No. 10, 2010, pp. 1646-1671. 2.  Salekul Islam and J. William Atwood, "Multicast Receiver Access Control by IGMP-AC", Computer Networks, Vol. 53, No. 7, 2009, pp. 989-1013. 3.  Salekul Islam and J. William Atwood, "Multicast Security", in Horizons in Computer Science Research Vol. 2. Thomas S. Clay (ed.), Nova Publishers. 2011, pp. 127-149. 4.  Salekul Islam, "Participant Access Control in IP Multicasting", VDM Verlag, Nov. 2009. 5.  S. Islam and J.W. Atwood, "Receiver Access Control and Secured Handoff in Mobile Multicast using IGMP-AC", submitted to 33rd IEEE Conference on Local Computer Networks. 6.  S. Islam and J.W. Atwood, "Sender Access Control in IP Multicast", in 32nd IEEE Conference on Local Computer Networks, Dublin, Ireland, 2007 October 15-18, pp. 79-86. 7.  S. Islam and J.W. Atwood, "A Policy Framework for Multicast Group Control", in IEEE CCNC--Workshop on Peer-to-Peer Multicasting, Las Vegas, NV, 2007 January 11, pp. 1103-1107. 8.  S. Islam and J.W. Atwood, "The Internet Group Management Protocol with Access Control (IGMP-AC) ", in 31st IEEE Conference on Local Computer Networks, Tampa, Florida, U.S.A., 2006 November 14-16, pp. 475-482. 9.  S. Islam and J.W. Atwood, "A Framework to Add AAA Functionalities in IP Multicast'', in Advanced International Conference on Telecommunications (AICT'06), Guadeloupe, French Caribbean, 2006 February 19-22. 24-May-14 Participant Access Control in IP Multicasting 24
  25. 25. Project Funding •  FQRNT (Quebec Provincial Govt’s fund) o  Doctoral Research Scholarship •  NSERC (Canada Govt’s fund) o  Discovery Grant •  Concordia University 24-May-14 Participant Access Control in IP Multicasting 25
  26. 26. Contact •  Dr. Salekul Islam UIU, Bangladesh Email: salekul@cse.uiu.ac.bd •  Dr. J. William Atwood Concordia University, Canada Email: william.atwood@concordia.ca 24-May-14 Participant Access Control in IP Multicasting 26

×