Post on 04-Jan-2016
1
Integrating security in a quality aware multimedia delivery platform
Paul Koster
21 november 2001
2
Contents
Introduction Research question Technology overview Design Demonstrator Evaluation Conclusions & recommendations Questions
3
Internet
Introduction
Trends in multimedia delivery Increase in available multimedia
content on the Internet: multimedia streaming
Commercial multimedia services Quality cannot be guaranteed
on the Internet: best-effort service
Increasing interest in security▬► Quality of Service
??
Context QuAM (Quality Aware Middleware)
Assignment Integrate security
4
Research question
How can security be integrated in a quality aware multimedia delivery platform that supports performance guarantees?
What types of security?
How to extend QuAM?
5
Technology overview (1/4)- Quality of service
best-effort quality cannot be
guaranteed for overloaded network
performance QoS bandwidth
reservation guarantees quality
security QoS
QoS is the run-time non-functional characteristics of a distributed system
QoS mechanisms realize performance and security aspects
6
Technology overview (2/4) - Performance
Performance QoS aspects: Bandwidth
Latency
Jitter QoS mechanism: RSVP
Admission control
Claim of resources
reservation
no reservation
7
Technology overview (3/4) - Security
Security types Confidentiality Integrity Authenticity Authorization Visibility (anonimity) Availability
Secure network protocol needed Proprietary protocols IPsec
• Currently mainly used for VPNs (static configuration)• But we need dynamic created secure links, because
# Changing relationships# Control of resources
8
Technology overview (4/4) - Security & performance interactions
Security and performance conflict: RSVP cannot reserve bandwidth for IPsec flows
Encryption costs computing capacity
However, solutions exist: RSVP support for IPsec data flows
Resource management
IPsec + reservation
no reservation
9
Design (1/2) - Layers
QoS support for multimedia delivery
MM Applications
Middleware
Network & hosts
ObjectObject
RSVPIPsec
QuAM
10
Client
Design (2/2) - QuAM Architecture
MediaConsumer Media
Producer
Server
Coordinator
IPsec RSVPRSVP IPsec + RSVP support for
IPsec data flows
Resource agent
11
Demonstrator
The demonstrator is an example application created on top of the implementation.
The middleware is able to setup a secure path with resource reservations.
The user can select his quality of service without being aware of the underlying technologies.
Routers have been extended to support the combination of IPsec and RSVP.
12
Evaluation (1/3)
Requirements Confidentiality and integrity protection with authentication have to
be supported for the multimedia data on the network. Performance (bandwidth) guarantees have to be supported. Performance enforcement may not be affected by security.
Evaluation Performance
• Network# RSVP
• Server CPU load # Admission function
Security analysis• CC (Common Criteria for Information Technology Security
Evaluation)
13
CPU load caused by a different number of jobs
0
20
40
60
80
100
120
0 50 100 150 200 250 300 350 400 450
Inserted number of jobs (128kbps)
CP
U l
oad
(%
) (C
use
d, j
ob
-typ
e)
Sender (AH)AH
Evaluation (2/3) - Performance
First step to model CPU usage CPU load is propertional to bandwidth requirements
Different encryption algorithms have different requirements Admission function
• ∑ bwtype·ctype ≤ Cap
Maximum number of jobs per job type
0,00
2,00
4,00
6,00
8,00
10,00
12,00
14,00
16,00
18,00
20,00
0 50 100 150 200 250 300 350 400 450
Inserted number of jobs (128kbps)
Me
as
ure
d n
etw
ork
ba
nd
wid
th
(Mb
ps
)
AH (SHA1)
14
Evaluation (3/3) - Security
ClientRouter
QuAM server running e.g.: middleware / webserver
MM Server
12345
55
1 MM data (e.g. RTP protocol)2 MM control (e.g. RTSP)3 MM delivery quality feedback (e.g. RTCP)4 Resource reservation protocol (e.g. RSVP)5 Middleware communication (e.g. CORBA)
CC: Protection Profile TOE (Target of Evaluation)
Assumptions
Threats
Objectives
15
Conclusions
Some security types can be succesfully offered to applications.
Low-level mechanisms are required to enforce QoS. These may interact however. The design and implementation take this into account.
Achievements Implementation of RFC 2247 (RSVP support for IPsec data flows)
Reported and fixed various bugs for the RSVP daemon and the FreeBSD IPsec implementation.
16
Recommendations
Use of open standards and protocols Security analysis: towards overall security Support for authentication, authorization and billing Resource modelling
17
Questions