Media Distribution Management Platform and IPTV over Internet 2

Tereza Cristina Melo de Brito Carvalho (carvalho@larc.usp.br)
Regina Melo Silveira
Christiane Marie Schweitzer

LARC - Laboratory of Computer Network Architecture
EPUSP – Escola Politecnica, University of São Paulo - Brazil



IPTV over Internet 2

Tereza Cristina Melo de Brito Carvalho
Regina Melo Silveira

LARC – PCS/EP – University of São Paulo
Ericsson Research Sweden
Kyatera Project – TIDIA Program - FAPESP


4-7 December, 2006 Fall 2006 Internet 2 Member Meeting


Team

- Ayodele
- Christiane Marie Schweitzer
- Daniel Pires
- Diego Sanchez Gallo
- Flávio
- Marcio Augusto Lima e
- Regina Melo Silveira
- Tereza Cristina Melo de Brito Carvalho
- Wilson Vicente Ruggiero


Agenda

- Introduction
- Scenario
- Requirements
- IPTV Architecture
- IPTV over Internet2
- Final Considerations
- Acknowledgments


Introduction

- What is IPTV?
  - TV channels over the Internet?
  - Video streams encapsulated in IP packets over a “service provider” network?
- Will the Internet support a High Definition IPTV service?
  - “Internet not ready for its future roles” (Bill St. Arnaud)


Scenario

- High Definition streams (HDTV)
  - Typically, 25 Mbps per TV channel for MPEG-2 encoding.
- Multiple channels sent simultaneously to multiple receivers at the same location.
  - A home with three TV sets would require at least 3 x 25 Mbps.


Scenario

- IPTV requires high levels of:
  - Quality of Service (QoS)
  - Quality of Experience (QoE)
  - … at least on par with analog or digital TV broadcast systems.
- Access network technologies like xDSL do not support high definition IPTV services:
  - VDSL has bandwidth and distance limitations. It achieves 50 Mbps at 300 m.


Scenario

- Currently, FTTH (Fiber-To-The-Home) service seems to be the only alternative for fulfilling IPTV (HDTV) needs.
- PON (Passive Optical Network) presents itself as the most viable FTTH technology, from both the economic and the operational standpoint.
  - WDM-PON can provide a 100 Mbps fiber connection far beyond 300 m (around tens of kilometers).


Requirements

- Security
  - Content protection: protection of the intellectual property of the content owner, while allowing fair use for the final user.
  - Service protection: authentication, confidentiality and access control.


Requirements

- Quality of Experience (simple and convenient handling):
  - Multi-channel.
  - Zapping.
- Infrastructure:
  - Availability (at least on par with analog or digital TV broadcast system).
  - Accessibility (diversity of devices – e.g. PCs, Set-Top-Boxes).
  - Network/Application scalability.


IPTV Architecture


Architecture Entities

Head-End: provides IPTV services (Broadcast TV and VoD).

Transport Network: delivers video streams to the customers.

Customer Premises: broadband network termination.


IPTV Architecture: Head-End

- Broadcast TV Head-End system:
  - Receives an analog or digital signal via satellite or other means, typically with multiple transport streams.
  - Converts it to a series of single program streams.
  - Encodes or transcodes the signals (e.g. to MPEG-4 format).
  - Encapsulates streams in IP packets for transmission.
  - Sends streams to a specific IP multicast group.


IPTV Architecture: Head-End

- VoD (Video-On-Demand) Head-End System:
  - Encapsulates video streams in IP packets.
  - Sends streams to the users.


IPTV Architecture: Transport Network

- Core Network:
  - High capacity optical network with technologies such as IP over DWDM and MPLS/GMPLS.
- Edge Network:
  - Multicast enabled network that connects the core network to the access network.
- Access Network:
  - It is an FTTH-PON (Fiber-To-The-Home Passive Optical Network).


IPTV Architecture: Customer Premise

Provides broadband network termination functionalities.

It is the IPTV service client.

The heterogeneous technologies found in home network devices create the need for a robust Home Gateway to connect them and provide the necessary services.


Multicast X Overlay

- Overlay tries to provide multicast functionality at the application layer:
  - It is still an immature solution for providing a reliable, QoE-enabled service for high-definition content with scalability.
- Multicast is proven to be a more efficient distribution scheme with scalability.
- This work proposes a self-contained, controlled private network:
  - The Internet does not (yet) provide the required levels of availability, scalability, QoE and QoS.


IPTV over Internet 2 Demonstration

Creation of an infrastructure to support High Definition (HDTV) streams

Specification and performance evaluation of high definition video distribution experiments


IPTV over Internet 2 Demonstration


Infrastructure

Comprised of three sites:
- LARC – Ericsson IPTV Infrastructure
  - Content generation
  - Multicast distribution
- III Workshop TIDIA – KyaTera
  - Content consumption
- International partners
  - Content generation, multicast distribution and/or content consumption


Content Distribution


Content Distribution

- A hybrid topology
  - Physical routers
    - 2 Juniper routers with 2 x 1 Gbps interfaces
  - Emulated routers
    - 6 emulated routers with XORP (eXtensible Open Router Platform – http://www.xorp.org)
- This topology will be set up on a server with Linux virtual machines (VMware) and XORP
- All routers will be multicast enabled (PIM-SM – Protocol Independent Multicast – Sparse Mode)
- Minimum of 100 – 200 Mbps bandwidth links interconnecting the three sites
- Minimum of 1 Gbps bandwidth links interconnecting the routers in the multicast network


Content Consumption


Content Consumption

- Three clients with a Front End application over a VLC client
  - Two clients connected to TVs
  - One client with a Media Player (through EPG – Electronic Program Guide)
  - Basic functionality of the Front End application: zapping among multicast groups
- A supervisor station that monitors the network to demonstrate some behaviors (link bandwidth, routing tables, multicast protocols, and so on)


EPG (Electronic Program Guide)


IPTV over Internet 2 Demonstration: EPG (Electronic Program Guide)


Final Considerations

- IPTV over Internet2
  - HDTV over the Internet with stringent QoS and QoE requirements is not possible on the current infrastructure.
  - Due to QoE requirements (e.g. zapping), a bandwidth of hundreds of Mbps per service user (per subscriber) is required.


A Platform for Media Distribution Management

Regina Melo

LARC - Laboratory of Computer Network Architecture
EPUSP – Escola Politecnica, University of Sao Paulo - Brazil


Agenda

- Introduction
- Our Challenge
- Related Work
- Proposal
  - Conceptual Model
  - Physical Model
- Main Functionalities
- General View
- Work in Progress
- Final Considerations


Introduction

Huge number of multimedia applications (documentation, advertisement, entertainment …);

New multimedia services (broadcast, telecommunications, CATV);

Convergence - services integration with access network independence;

Growing demand for storage, distribution and consumption management, allowing wide media use and re-use.


Introduction

Multimedia services management includes:
- (i) multimedia content storage, retrieval and search;
- (ii) access control and authentication for users and groups of users;
- (iii) system distribution, adaptation, configuration and monitoring (server and clients) for multimedia content delivery and consumption;
- (iv) network elements management.


Our Challenge

To develop a Platform for Media Distribution Management respecting the following requirements:
- Use open standards (ISMA, MPEG-7, MPEG-21);
- Define integrated interfaces for the different multimedia services already deployed on the RNP network;
- Prototype development and tests on the RNP network.

The prototype uses two multimedia distribution services developed by LAVID/UFPB:
- dvod – video on demand
- dlive – live video


Related Work

- MUFFINS - MUltimedia Framework For INteroperability in Secure – IST
- PERSEO - Personalised Multichannel Services for Advanced Multimedia Stream Management – IST
- CODAC - Modeling and Querying Content Description and Quality Adaptation Capabilities of Audio-Visual Data - Klagenfurt University – Austria
- ADMITS - Adaptation in Distributed Multimedia IT Systems - Klagenfurt University – Austria
- DANAE - Dynamic and distributed Adaptation of scalable multimedia coNtent in a context Aware Environment – IST
- iTVP - Interactive TV Services over IP Networks - PSNC – PIONIER
- Rich Content Infrastructure and Middleware for Media - IBM


Proposal

- 4 (four) user types
  - Client,
  - Content Provider,
  - Administrator,
  - Manager.
- 4 (four) sub-systems
  - Portal;
  - Access control, storage and retrieval;
  - Manager (Coordinator and Monitor);
  - Transmitter (Multimedia delivery service).
- 3 (three) management levels
  - Service,
  - Server,
  - Network.


Proposal – Conceptual Model


Proposal – Physical Model


Main Functionalities

- Video Upload and Indexing
- Live events Transmission registration
- Media search
- Media catalogue (Personalized)
- Media Visualization (Personalized)
- Users, groups and projects management
- Applications/services (sections) management
- Servers management
- Network elements management


General View – Overlay Network

[Figure: overlay network drawn in three layers: Services Layer, Server Layer, Network Layer]


Work in Progress

- Testing prototype
- New functionalities and optimization
  - Video replication
  - Access control and distributed metadata
  - Multicast Overlay proposal adoption (for example, Overlay Multicast Control Protocol from IETF);
  - Adoption of management data models based on XML from Global Grid Forum
  - Use of components model for Manager dynamic configuration update
- Integration with measurement infrastructure and new services.


Final Considerations

- Our project proposed/implemented:
  - Common infrastructure for multimedia services;
  - Architecture based on open standards, allowing uniform interfaces for all the applications;
  - Web-based management system;
  - Resource optimization;
  - Flexibility and scalability.
- Service will be personalized for different contexts:
  - schools, hospitals, and community and educational TVs.


Acknowledgements

- Financial Support
  - RNP (National Education and Research Network)
- Collaboration
  - Prof. Guido Lemos de Souza Filho – LAVID/DI/UFPB
  - Prof. José Augusto Suruagy Monteiro – UNIFACS


Applying Security in IPTV Environment

Tereza Cristina Melo de Brito Carvalho

LARC – PCS/EP – University of São Paulo
Ericsson Research Sweden


Team

- Ayodele
- Christiane Marie Schweitzer
- Daniel Pires
- Diego Sanchez Gallo
- Flávio
- Marcio Augusto Lima e
- Regina Melo Silveira
- Tereza Cristina Melo de Brito Carvalho
- Wilson Vicente Ruggiero


Agenda

- Security Context (Application Layer and Network Layer)
- Threats (Service and Content)
- IPTV Security
- Countermeasures
- IPTV Policies
- Final Considerations


Security Context

- Application Level Security
  - On STB (Set-Top Box) video client, video services and content store.
  - Referred to as Digital Rights Management (DRM) systems, encompassing conditional access, copy protection, encryption and watermarking.


Security Context

- Network Level Security
  - On the content delivery architecture
  - Confidentiality, integrity and availability of the data flows
  - Prevention, Detection, and Reaction.


Security Threats in Multimedia Communications [ITU-T 2003]


Threats

- Service
  - Illegal service usage.
  - Disruption of service.
- Content
  - An insider stealing content from the service core.
  - A subscriber stealing content from the service core.
  - A subscriber stealing content from the STB.


Threats: Illegal service usage

Rogue subscription: An attacker gains access to broadband video services without a subscription.

Escalation of subscription: An attacker gains access to video services that are beyond the parameters of his/her subscription.


Threats: Disruption of service

- Attack against other subscribers
  - The attacker attempts to disrupt the service for a specific subscriber or group of subscribers by directly acting on equipment that resides on the victim’s home network.
- Attack against the access and transport infrastructure
  - The attacker attempts to disrupt the service by degrading the performance of one or several components of the architecture (access node, Broadband Service Aggregators, Broadband Service Routers, etc).
- Attack against the video service core
  - The attacker directly targets the components that render the video services, such as the VoD servers.


Threats: Content

- An insider stealing content from the service core
  - The thief is an insider, i.e., a service provider’s employee, who has easy access to the stored content.
- A subscriber stealing content from the service core
  - Weaknesses in the broadband TV architecture allow the attacker (from his/her home network) to compromise the servers that host the content.
- A subscriber stealing content from the STB
  - The attacker is a subscriber who wants to use the content acquired beyond his/her fair right of usage.


IPTV Security

- Privacy
- Confidentiality
- Integrity
- Availability
- Interoperability


IPTV Security: Privacy

The Service Provider must handle customer information without any personally identifiable information.

The Service Provider must manage CPEs (Customer Premise Equipment), but it must not know whether a device belongs to a given customer, or how many devices that customer has at home.


IPTV Security: Confidentiality

- Video Content
  - The video must be transported encrypted.
  - The content must be recorded protected.
  - Authentication and authorization guarantees.


IPTV Security: Integrity

- The content cannot be modified:
  - Multicast and unicast security.
  - Content source security.
- Billing system integrity:
  - Only authorized persons should have access to the billing system.


IPTV Security: Availability

- Can someone disrupt your IPTV service? To what scale?
  - Any of the IPTV devices could be vulnerable to a Denial-of-Service attack.
  - Buffer overflow.
  - Weak TCP/IP or protocol stack implementation.
- If another service (Voice and Data) is down, would it take down IPTV too?
  - System dependencies.


IPTV Security: Interoperability

- There is currently no common standard for IPTV
  - Other than the use of multicast/unicast.
  - This may help security as a ‘diversity factor’.
  - One vulnerability for one service provider may not work for another.
- Standards in the works:
  - ITU (ISO)
  - ISMA.tv
  - Others


Security Architecture [ITU-T/IPTV]


Countermeasures

- Protection of content.
- Transport infrastructure protection.
- Home network protection.
- Secure operation of the infrastructure.


Countermeasures: Protection of Content

- DRM state-of-the-art mechanisms
  - To protect the content delivered to the subscriber.
  - To apply appropriate enforcement mechanisms for content/service usage policies in the STB.
- Content stored on the service delivery platform must be encrypted.


Transport Infrastructure Protection

Restrict traffic depending on the user’s subscription.

IGMP proxies on the access node must have some awareness of the user subscription and refuse to forward any channel outside of the user’s subscription.

Subscriber traffic should be segregated to disable residential bridging.


Transport Infrastructure Protection

Efficient traffic filtering mechanisms need to be provided to keep the communication flow between home network and service delivery platform to a strict minimum.

The infrastructure must provide a way to enforce QoS parameters on a per subscriber basis in order to mitigate the effect on the infrastructure of abusive usage of bandwidth by a specific subscriber.

The access node must provide a number of protection mechanisms against MAC and IGMP-based attacks.
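
The subscription-aware IGMP proxy and the protection against IGMP-based attacks named on the two Transport Infrastructure Protection slides can be expressed as one admission check on the access node. The Python below is an added example, not code from the presentation; it handles IGMPv2 messages only, and the port names, group addresses and rate limits are constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict, deque

IGMP_QUERY = 0x11      # membership query (expected from the router side only)
IGMP_V2_REPORT = 0x16  # IGMPv2 membership report ("join")
IGMP_LEAVE = 0x17      # IGMPv2 leave group


def inet_checksum(data: bytes) -> int:
    """16-bit ones' complement Internet checksum, as used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmpv2(msg_type: int, group: str) -> bytes:
    """Build an 8-byte IGMPv2 message (used here to construct sample input)."""
    addr = ipaddress.IPv4Address(group).packed
    unsigned = struct.pack("!BBH4s", msg_type, 0, 0, addr)
    return struct.pack("!BBH4s", msg_type, 0, inet_checksum(unsigned), addr)


class IgmpAdmission:
    """Per-subscriber-port IGMP filter for an access node.

    entitlements maps a subscriber port to the multicast groups (channels)
    that the subscription covers. max_msgs/window_s bound how many IGMP
    messages a port may send per time window (flood protection).
    """

    def __init__(self, entitlements, max_msgs=5, window_s=1.0):
        self.entitlements = {
            port: {ipaddress.IPv4Address(g) for g in groups}
            for port, groups in entitlements.items()
        }
        self.max_msgs = max_msgs
        self.window_s = window_s
        self._seen = defaultdict(deque)  # port -> arrival times in the window

    def decide(self, port, payload: bytes, now: float):
        """Return (action, reason) for one IGMP message received on a port."""
        # 1. Rate limit first, so malformed floods are bounded too.
        times = self._seen[port]
        while times and now - times[0] >= self.window_s:
            times.popleft()
        times.append(now)
        if len(times) > self.max_msgs:
            return ("drop", "rate-limit")

        # 2. Structural checks: fixed IGMPv2 length and a valid checksum.
        if len(payload) != 8:
            return ("drop", "malformed")
        if inet_checksum(payload) != 0:
            return ("drop", "bad-checksum")

        msg_type, _, _, raw_group = struct.unpack("!BBH4s", payload)
        group = ipaddress.IPv4Address(raw_group)

        # 3. Leaves only reduce traffic, so they are passed upstream.
        if msg_type == IGMP_LEAVE:
            return ("forward", "leave")
        # 4. Subscribers must not act as queriers or send other types.
        if msg_type != IGMP_V2_REPORT:
            return ("drop", "unexpected-type")
        if not group.is_multicast:
            return ("drop", "not-multicast")
        # 5. The subscription check: refuse channels outside the entitlement.
        if group not in self.entitlements.get(port, set()):
            return ("drop", "not-subscribed")
        return ("forward", "join")


if __name__ == "__main__":
    # Constructed sample: one subscriber port entitled to two channels.
    gate = IgmpAdmission({"port1": ["239.1.1.1", "239.1.1.2"]}, max_msgs=3)
    samples = [
        ("port1", build_igmpv2(IGMP_V2_REPORT, "239.1.1.1")),  # subscribed
        ("port1", build_igmpv2(IGMP_V2_REPORT, "239.1.1.9")),  # not subscribed
        ("port2", build_igmpv2(IGMP_V2_REPORT, "239.1.1.1")),  # unknown port
        ("port2", build_igmpv2(IGMP_QUERY, "0.0.0.0")),        # spoofed query
    ]
    for i, (port, msg) in enumerate(samples):
        print(port, msg.hex(), gate.decide(port, msg, now=i * 0.1))
```
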


Home Network Protection

Secure storage for security sensitive information on the STB is required to avoid cloning and disclosure of this information.

Secure provisioning mechanisms of the STB are needed for the service provider to be able to support these systems.


Secure Operation of the Infrastructure

Appropriate patch and vulnerability management on the service delivery platform.

Adding IDS or IPS mechanisms in order to detect and prevent attempts by the subscriber or any other attacker to compromise the content delivery infrastructure.

Efficient revocation mechanisms are needed for authentication information and key material used in the STB to access services.


IPTV Policies

- Security policies
  - DRM-specific ones and infrastructure.
- QoS policies
  - Adaptability and performance of both provided media and services.


IPTV Security Policies

Content owners are extremely reluctant to provide content to a distributor that doesn’t have an effective DRM system, because a perfect digital copy of the content could be used to create copies for illegal resale.

This control needs to prevent copying not only at the distributor facility, but also on any device that a user may use to play back the content, such as a set-top-box or a PC.


IPTV Security Policies - example

- DRM Specific Policies
  - Can be understood as content usage policies, regarding the content owner's media rights.
    - The content cannot be modified by the Service Provider.
    - Samples from the content cannot be made by the Service Provider.
    - The content can/cannot be replicated.
    - The content can/cannot be saved.
    - The content can be displayed five times.


IPTV Security Policies - example

- Infrastructure Policies
  - Can be understood as service policies, regarding the security or QoS issues on the content delivery/transport architecture:
    - All content MUST BE encrypted.
    - All content MUST BE watermarked.
    - All content users MUST BE identified.


IPTV QoS Policies - example

- Interaction Policy
  - The service must provide a specified QoE level.
  - The service must adapt itself to the user device capabilities.
  - The service must adapt the provided content to the device resolution (e.g. HDTV 1920x1080 to low resolutions).


IPTV QoS Policies - examples

- Infrastructure Policy
  - The network must have bandwidth guarantees.
  - The network must have delay guarantees.
  - The network must have jitter guarantees.
  - The network must have loss guarantees.


Final Considerations

IPTV Security = Content + Service + Transport Security

DRM System is not enough, but it is a good start.

Encryption and Authentication must be a priority.


Acknowledgments