Participant Access Control in IP Multicasting
Salekul Islam ([email protected]) United International University (UIU)
Dhaka, Bangladesh
Outline of the presentation
24-May-14 Participant Access Control in IP Multicasting 2
• IP Multicast
  o IGMP: end hosts join/leave a multicast group
  o PIM-SM: routers build the data distribution tree
• Secure Multicast: protects multicast data and control messages. Why does it fail to provide access control?
• Access Control Architecture
  o Access Control: Authentication, Authorization & Accounting
  o Participants: receivers & sender(s)
• Receiver Access Control: IGMP with Access Control (IGMP-AC)
• Sender Access Control: PANA, IKEv2 and IPsec SA
Protocols Involved in IP Multicast
• Internet Group Management Protocol (IGMP)
  o IGMPv3 has been standardized by the IETF (RFC 3376)
  o End hosts inform the neighboring router(s) about their multicast group memberships using IGMP
  o Two types of messages: Query (sent by the querier router) and Report (sent by hosts)
• Protocol Independent Multicast - Sparse Mode (PIM-SM)
  o Depends on the underlying unicast routing information base
  o Builds unidirectional shared trees rooted at a rendezvous point
  o Optionally creates shortest-path trees per source
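The two IGMP message types described above, as an added example that is not part of the presentation: a Query builder for the querier side, a Report builder for the host side (group records as in RFC 3376), and a parser that verifies the Internet checksum. The addresses, group records and timer values are made up for illustration.

```python
"""IGMPv3 Membership Query / Membership Report encode, decode and checksum (RFC 3376).
Constructed example; not code from the presentation."""
import socket
import struct

IGMP_QUERY = 0x11          # Membership Query (v1/v2/v3 share the type)
IGMP_V3_REPORT = 0x22      # Version 3 Membership Report
# Group record types (RFC 3376 section 4.2.12)
MODE_IS_INCLUDE, MODE_IS_EXCLUDE = 1, 2
CHANGE_TO_INCLUDE, CHANGE_TO_EXCLUDE = 3, 4
ALLOW_NEW_SOURCES, BLOCK_OLD_SOURCES = 5, 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(body: bytes) -> bytes:
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def build_query(group="0.0.0.0", sources=(), max_resp_code=100, qrv=2, qqic=125, s_flag=False):
    """General Query when group is 0.0.0.0, Group-Specific otherwise,
    Group-and-Source-Specific when sources are given. Sent by the querier (AR)."""
    body = struct.pack("!BBH4sBBH", IGMP_QUERY, max_resp_code, 0, socket.inet_aton(group),
                       (int(s_flag) << 3) | (qrv & 0x7), qqic, len(sources))
    body += b"".join(socket.inet_aton(s) for s in sources)
    return _with_checksum(body)


def build_report(records):
    """records: iterable of (record_type, group, [source addresses]). Sent by hosts."""
    recs = b""
    for rtype, group, sources in records:
        recs += struct.pack("!BBH4s", rtype, 0, len(sources), socket.inet_aton(group))
        recs += b"".join(socket.inet_aton(s) for s in sources)
    body = struct.pack("!BBHHH", IGMP_V3_REPORT, 0, 0, 0, len(records)) + recs
    return _with_checksum(body)


def parse(msg: bytes) -> dict:
    """Decode a Query or v3 Report; ValueError on truncation, bad checksum or unknown type."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        raise ValueError("truncated message or bad checksum")
    if msg[0] == IGMP_QUERY:
        if len(msg) < 12:
            raise ValueError("IGMPv3 query is at least 12 bytes")
        _, mrc, _, group, flags, qqic, nsrc = struct.unpack("!BBH4sBBH", msg[:12])
        srcs = [socket.inet_ntoa(msg[12 + 4 * i:16 + 4 * i]) for i in range(nsrc)]
        return {"type": "query", "group": socket.inet_ntoa(group), "max_resp_code": mrc,
                "s": bool(flags & 0x8), "qrv": flags & 0x7, "qqic": qqic, "sources": srcs}
    if msg[0] == IGMP_V3_REPORT:
        nrec = struct.unpack("!H", msg[6:8])[0]
        off, records = 8, []
        for _ in range(nrec):
            rtype, auxlen, nsrc, group = struct.unpack("!BBH4s", msg[off:off + 8])
            off += 8
            srcs = [socket.inet_ntoa(msg[off + 4 * i:off + 4 * i + 4]) for i in range(nsrc)]
            off += 4 * nsrc + 4 * auxlen   # aux data length is in 32-bit words
            records.append((rtype, socket.inet_ntoa(group), srcs))
        return {"type": "report", "records": records}
    raise ValueError("unsupported IGMP type 0x%02x" % msg[0])


if __name__ == "__main__":
    # An ASM join to 239.1.1.1 (EXCLUDE {}) and an SSM join to 232.1.1.1 from 10.0.0.5
    report = build_report([(CHANGE_TO_EXCLUDE, "239.1.1.1", []),
                           (ALLOW_NEW_SOURCES, "232.1.1.1", ["10.0.0.5"])])
    print(parse(report))
    print(parse(build_query("239.1.1.1")))
```

Nothing in either message authenticates the host: a Report is accepted on its checksum alone, which is the gap the rest of the deck is about.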
IGMP Query Message
[Figure: the querier, a directly connected Access Router (AR), sends IGMP Query messages onto its subnet; the ARs connect upstream to a core router (CR).]
IGMP Report Message
[Figure: Receiver 1 and Receiver 2 on the AR's subnet answer with IGMP Report messages to the querier, the directly connected AR.]
IP Multicast Service Model
[Figure: a sender behind CR1; receivers (end users) behind AR1, AR2 and AR3, which connect through CR2 and CR3. IGMP messages carry user joins/leaves to the ARs; the routing protocol (PIM-SM) builds the data distribution tree (DDT); the sender sends multicast data, which is forwarded along the DDT.]
Multicast-based Applications
Number of participants: applications
• One-to-many (single sender, multiple receivers): scheduled audio/video distribution; push media (news headlines, weather updates); file distribution and caching; announcements (multicast session, key updates); monitoring (stock prices, sensor equipment)
• Many-to-many (multiple senders, multiple receivers): multimedia conferencing; synchronized resources; distance learning with input from receivers; multi-player games
• Many-to-one (multiple senders, single receiver): resource discovery; auctions; polling
Multicast Service Model: Vulnerabilities
[Figure: the service-model topology plus an adversary receiver behind AR4 and an adversary sender behind AR1. The adversary receiver's IGMP Join makes AR4 issue a routing-protocol Join, pulling the distribution tree towards it; the adversary sender injects forged data, which is forwarded along the tree.]
IP multicast model:
• Multicast groups are open
• Anyone can join, anyone can send
Motivation: Revenue Generation Architecture
• Secure Multicasting is composed of
  o Protecting control messages: routing-protocol specific (secured IGMP and PIM-SM)
  o Protecting multicast data: encryption and authentication (e.g., the IETF-standardized TESLA)
• Despite significant progress in securing multicast, large-scale commercial deployment has not happened
• A revenue generation architecture considers
  o Participant access control: AAA for sender(s) and receivers
  o Policy enforcement
  o E-commerce communications
Why Access Control?
• Effects of forged IGMP messages
  o A forged Join pulls the distribution tree towards the attacker and may create a DoS
  o A forged Leave prunes the distribution tree and prevents legitimate users from receiving
  o IGMP security only authenticates IGMP messages; it does not decide whether the host is entitled to the group
• Attacks by a forged sender
  o Replay attack
  o Sender address spoofing attack
  o May create a DoS
• Secure Multicast (group key management) does not prevent these attacks, because it never decides who may join or send
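The two forged-IGMP effects listed above, as an added example that is not part of the presentation: a simplified model of the router-side group state an AR keeps (RFC 3376 section 6, ASM only, no per-source lists), fed with Join and Leave group records. The timer values are the RFC 3376 defaults and the host names are invented. It shows that the AR keeps no per-host state, so an adversary's Join pulls the tree and an adversary's Leave starts the prune; the group survives only if a legitimate host answers the group-specific query before the Last Member Query Time runs out.

```python
"""Simplified IGMPv3 router-side group state on an Access Router (RFC 3376 section 6).
Constructed example; shows the effect of unauthenticated Join and Leave reports."""
from dataclasses import dataclass, field

CHANGE_TO_INCLUDE, CHANGE_TO_EXCLUDE = 3, 4   # group record types used below
GMI = 260.0    # Group Membership Interval: 2 * 125 s query interval + 10 s max response
LMQT = 2.0     # Last Member Query Time: 1 s interval * 2 queries


@dataclass
class GroupState:
    expires_at: float          # group timer; the group is dropped when it runs out
    pending_query: bool = False


@dataclass
class AccessRouter:
    """Per-interface state only: the router does not record which host reported."""
    groups: dict = field(default_factory=dict)
    events: list = field(default_factory=list)   # (time, action, group, reporting host)

    def on_report(self, now, rtype, group, sources, host):
        st = self.groups.get(group)
        if rtype == CHANGE_TO_EXCLUDE and not sources:        # ASM join
            if st is None:
                self.groups[group] = GroupState(expires_at=now + GMI)
                self.events.append((now, "PIM_JOIN", group, host))   # tree pulled to this AR
            else:
                st.expires_at, st.pending_query = now + GMI, False
        elif rtype == CHANGE_TO_INCLUDE and not sources and st and not st.pending_query:
            # Leave (RFC 3376 6.4.2): lower the timer to LMQT and send a group-specific query.
            # Nothing ties the Leave to the host that joined, so any host can trigger it.
            st.expires_at, st.pending_query = min(st.expires_at, now + LMQT), True
            self.events.append((now, "GROUP_SPECIFIC_QUERY", group, host))

    def tick(self, now):
        """Expire group timers; an expired group is pruned from the distribution tree."""
        for group, st in list(self.groups.items()):
            if now >= st.expires_at:
                del self.groups[group]
                self.events.append((now, "PIM_PRUNE", group, None))

    def forwards(self, group):
        return group in self.groups


def forged_leave_scenario(legit_answers_query):
    """receiver1 joins; an adversary sends a Leave it never earned; the group survives only
    if receiver1's answer to the group-specific query arrives before LMQT expires."""
    ar = AccessRouter()
    ar.on_report(0.0, CHANGE_TO_EXCLUDE, "239.1.1.1", [], "receiver1")
    ar.on_report(5.0, CHANGE_TO_INCLUDE, "239.1.1.1", [], "adversary")
    if legit_answers_query:
        ar.on_report(5.5, CHANGE_TO_EXCLUDE, "239.1.1.1", [], "receiver1")
    ar.tick(5.0 + LMQT)
    return ar


def forged_join_scenario():
    """No authorization at all: an adversary's Join alone makes the AR pull the tree."""
    ar = AccessRouter()
    ar.on_report(0.0, CHANGE_TO_EXCLUDE, "239.9.9.9", [], "adversary")
    return ar


if __name__ == "__main__":
    for answered in (False, True):
        ar = forged_leave_scenario(answered)
        print("legit host answered:", answered, "->", ar.events[-1][1],
              "| forwarding:", ar.forwards("239.1.1.1"))
    print(forged_join_scenario().events)
```

Repeating the forged Leave every second keeps the group in the lowered-timer state permanently, so even a responsive legitimate host is racing the attacker; authenticating the IGMP packet alone does not help, because the question is whether that host may change the group state at all.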
How to deploy access control?
• Receiver access control for a secured group
  o While joining/leaving
  o When changing reception state at the ARs
• Sender access control for a secured group
  o When sending data
Overview of Access Control Architecture
[Figure: sender, CR1-CR3, AR1-AR3 and receivers/EUs, annotated with the three components below.]
• Receiver Access Control: AAA for receivers/EUs; access control is coupled with IGMP
• Sender Access Control: AAA for sender(s); per-packet protection
• Data Distribution Control: per-packet cryptographic protection at the AR protects the distribution tree from a forged sender; this is not routing-protocol security
Unicast Access Control and Authentication
• Access control is achieved by the AAA framework
  o RADIUS: older protocol with limited functionality
  o Diameter: next-generation AAA protocol
    • Extensible
    • Large AVPs
    • Agent support
• For authentication the IETF has designed
  o Extensible Authentication Protocol (EAP)
  o Protocol for carrying Authentication for Network Access (PANA), an EAP lower layer
Authentication, Authorization and Accounting (AAA) Framework
[Figure: the end user requests network access from the NAS (Network Access Server), which acts as AAA client; the NAS forwards the EU credentials over the AAA protocol to the AAA server, which performs authentication, authorization and accounting against the end-user database; on Accept, the NAS grants access to the network.]
Extensible Authentication Protocol (EAP)
[Figure: EAP exchange between the End User (EAP peer), the NAS (EAP authenticator) and the AAA server (EAP server). Over the access link: EAP Request1 (authenticator to peer), EAP Response1 (peer to authenticator), EAP Request2, ..., EAP ResponseN, EAP Success. Between the NAS and the AAA server the same packets are encapsulated over Diameter: Diameter(EAP Response1), Diameter(EAP Request2), ..., Diameter(EAP ResponseN), Diameter(EAP Success).]
EAP summary
- Authentication framework
- Supports multiple authentication methods (EAP methods)
- Four EAP messages: Request, Response, Success, Failure
- Initiated by the peer or by the authenticator
Key Challenges for Access Control
• The most generic architecture
  o Deployable for multi-domain distributed groups
  o Supports a wide range of authentication methods
  o Independent of the routing protocol
  o Supports both ASM and SSM (Any-Source and Source-Specific Multicast)
• A scalable solution
  o Minimum workload for on-tree routers and end hosts
  o A distributed solution (e.g., using AAA)
• Reuse of standard frameworks/protocols
  o Fits easily into the existing Internet service model
  o Reduces the work of service providers
Access Control Architecture
[Figure: sender, CR1-CR3, AR1-AR3 (each acting as NAS) and end users. An AAAS (AAA server) with a Participants Database & Policy Server; GO/MR and FI exchange registration and updates with it (out of the scope of this work). The ARs/NAS talk Diameter to the AAAS; IGMP carries the EU authentication information to the AR.]
Receiver Access Control using IGMP-AC
[Figure: end users run IGMP-AC (carrying EAP) to their AR/NAS; the AR relays the EAP authentication to the AAA server over Diameter (EAP); the AAA server checks the Participants Database. Sender, CR1-CR3 and AR1-AR3 as before.]
IGMP with Access Control (IGMP-AC)
• Extended version of IGMPv3
• Encapsulates EAP packets
• Protocol model verified with the SPIN model checker and validated with AVISPA
End User Authentication using Extensible Authentication Protocol (EAP)
[Figure: EAP layering. EU/Peer: EAP method, EAP peer, EAP layer, IGMP-AC, lower layers. AR/Authenticator/NAS: pass-through, with the EAP layer over IGMP-AC and lower layers on the access side, and EAP authenticator and EAP layer over AAA/IP towards the server. AAA Server: EAP method, EAP authenticator, EAP layer, AAA/IP.]
EAP Encapsulation over IGMP-AC
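The EAP exchange on the earlier EAP slide and the pass-through role of the AR in the IGMP-AC layering above, as one added example that is not part of the presentation or of the IGMP-AC draft. EAP packets follow RFC 3748 and the AAA leg wraps them in a Diameter EAP-Payload AVP (RFC 4072, AVP layout from RFC 6733); EAP-MD5-Challenge is used as the method only because it is fully specified in RFC 3748. The IGMP-AC framing itself is not on the page, so the access-link side carries bare EAP packets; the user database and secrets are made up.

```python
"""EAP (RFC 3748) through a pass-through authenticator, with the AAA leg carried in a
Diameter EAP-Payload AVP (RFC 4072; AVP format RFC 6733). Constructed example."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4
AVP_EAP_PAYLOAD = 102          # Diameter EAP-Payload AVP code (RFC 4072)
AVP_FLAG_MANDATORY = 0x40      # 'M' bit


def eap_pack(code, ident, payload=b""):
    """EAP header: Code(1) Identifier(1) Length(2), then Type/Type-Data for Request/Response."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def eap_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length mismatch")
    return code, ident, pkt[4:]


def avp_pack(code, data, flags=AVP_FLAG_MANDATORY):
    """Diameter AVP: Code(4) Flags(1) Length(3) Data, padded to a 32-bit boundary."""
    hdr = struct.pack("!II", code, (flags << 24) | (8 + len(data)))
    return hdr + data + b"\x00" * (-len(data) % 4)


def avp_unpack(buf):
    code, flen = struct.unpack("!II", buf[:8])
    flags, length = flen >> 24, flen & 0xFFFFFF
    if flags & 0x80:
        raise ValueError("vendor-specific AVPs not handled here")
    return code, flags, buf[8:length]


class EapPeer:
    """End user (EAP peer)."""
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def handle(self, pkt):
        code, ident, data = eap_unpack(pkt)
        if code != EAP_REQUEST:
            return None                                    # Success/Failure: conversation over
        if data[0] == TYPE_IDENTITY:
            return eap_pack(EAP_RESPONSE, ident, bytes([TYPE_IDENTITY]) + self.identity.encode())
        chal = data[2:2 + data[1]]                         # MD5-Challenge: Value-Size, Value, Name
        value = hashlib.md5(bytes([ident]) + self.secret + chal).digest()
        return eap_pack(EAP_RESPONSE, ident,
                        bytes([TYPE_MD5_CHALLENGE, len(value)]) + value + self.identity.encode())


class EapServer:
    """AAA server (EAP server); users maps identity -> shared secret (made-up database)."""
    def __init__(self, users):
        self.users, self.identity, self.challenges = users, None, {}

    def handle(self, pkt):
        code, ident, data = eap_unpack(pkt)
        if code == EAP_RESPONSE and data[0] == TYPE_IDENTITY:
            self.identity = data[1:].decode()
            nxt = (ident + 1) & 0xFF
            self.challenges[nxt] = os.urandom(16)          # challenge even unknown users
            return eap_pack(EAP_REQUEST, nxt, bytes([TYPE_MD5_CHALLENGE, 16])
                            + self.challenges[nxt] + b"AAAS")
        if code == EAP_RESPONSE and data[0] == TYPE_MD5_CHALLENGE:
            chal, secret = self.challenges.pop(ident, None), self.users.get(self.identity)
            if chal is not None and secret is not None:
                expect = hashlib.md5(bytes([ident]) + secret + chal).digest()
                if hmac.compare_digest(data[2:2 + data[1]], expect):
                    return eap_pack(EAP_SUCCESS, ident)
        return eap_pack(EAP_FAILURE, ident)


def run_authentication(peer, server, transcript=None):
    """The AR/NAS as pass-through authenticator: it starts with an Identity request, relays
    every peer Response to the AAA server inside an EAP-Payload AVP, and relays every server
    Request back over the access link (IGMP-AC or PANA). Returns True on EAP Success."""
    log = transcript if transcript is not None else []
    req = eap_pack(EAP_REQUEST, 1, bytes([TYPE_IDENTITY]))
    while True:
        resp = peer.handle(req)
        log.append(("EU->AR EAP", resp))
        _, _, eap = avp_unpack(avp_pack(AVP_EAP_PAYLOAD, resp))   # AR->AAAS Diameter(EAP)
        reply = server.handle(eap)
        log.append(("AAAS->AR Diameter(EAP)", avp_pack(AVP_EAP_PAYLOAD, reply)))
        code, _, _ = eap_unpack(reply)
        if code in (EAP_SUCCESS, EAP_FAILURE):
            peer.handle(reply)
            return code == EAP_SUCCESS
        req = reply                                        # AR->EU EAP Request


if __name__ == "__main__":
    users = {"alice": b"correct horse"}
    print("alice:", run_authentication(EapPeer("alice", b"correct horse"), EapServer(users)))
    print("mallory:", run_authentication(EapPeer("mallory", b"guess"), EapServer(users)))
```

The authenticator never inspects the method: it only needs the EAP header to know when Success or Failure has arrived, which is what lets the AR stay method-agnostic and the AAA server own the Participants Database. EAP-MD5 provides no key material and no server authentication, so a deployment would use a key-deriving method.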
Protocol for carrying Authentication for Network Access (PANA)
[Figure: the PaC (EU) runs PANA to the PAA (NAS/AR); the PAA talks RADIUS/Diameter to the AS (AAAS) and configures the EP (AR) through SNMP/API; the PaC and the EP then run IKE.]
PaC: PANA Client; PAA: PANA Authentication Agent; AS: Authentication Server; EP: Enforcement Point
PANA summary
- Network access protocol
- Works as an EAP lower layer
- Four entities: PaC, PAA, AS, EP
Sender Access Control
[Figure: the sender (end user) runs PANA (EAP) to its AR/NAS; the AR relays the authentication to the AAA server; the sender and the AR then run IKEv2 and set up an IPsec SA. Key hierarchy: AAA-Key -> PaC-EP-Master-Key -> IKE-pre-shared-Key.]
The IPsec SA on the sender's first hop provides:
1. Anti-replay
2. Prevents source address spoofing
3. Minimizes DoS
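The per-packet protection the sender-side IPsec SA gives the AR, as an added example that is not part of the presentation: an inbound SA with an integrity check (ICV) and the sliding anti-replay window of RFC 4303 Appendix A, run over a constructed packet sequence that includes a replay, a too-old packet and a packet forged without the key. The derive() steps only illustrate the chain AAA-Key -> PaC-EP-Master-Key -> IKE-pre-shared-Key with a generic HMAC step; the real derivations are those of the PANA and IKEv2 specifications, and the SA key itself would come from the IKEv2 CHILD_SA exchange, which is replaced here by a labelled stand-in.

```python
"""Sender-side per-packet protection at the AR: illustrative key chain below the AAA result
and an ESP-style inbound SA with ICV check and anti-replay window (RFC 4303, Appendix A).
Constructed example; the derive() formulas are assumptions, not the PANA/IKEv2 PRFs."""
import hashlib
import hmac
import struct

ICV_LEN = 16


def derive(parent: bytes, label: bytes, context: bytes = b"") -> bytes:
    """One HMAC-SHA256 step; stand-in for the specified PRFs (assumption)."""
    return hmac.new(parent, label + context, hashlib.sha256).digest()


def key_hierarchy(aaa_key: bytes, session_id: bytes, sender_id: bytes):
    pemk = derive(aaa_key, b"PaC-EP-Master-Key", session_id + sender_id)
    ike_psk = derive(pemk, b"IKE-pre-shared-Key", sender_id)
    return pemk, ike_psk


class ReplayWindow:
    """Sliding window over 32-bit sequence numbers. Bit i of bitmap set = (top - i) seen."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                       # sequence number 0 is never valid
        if seq > self.top:                     # right of the window: slide it
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False                       # too old, or already seen (replay)
        self.bitmap |= 1 << diff
        return True


def protect(spi: int, seq: int, auth_key: bytes, payload: bytes) -> bytes:
    """Outbound: SPI | Seq | payload | truncated HMAC ICV (ESP layout, encryption omitted)."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


class InboundSA:
    """Inbound SA at the AR. The ICV is checked before the window is touched, so a packet
    forged without the key (spoofed sender) can neither pass nor move the window."""
    def __init__(self, spi: int, auth_key: bytes, window: int = 64):
        self.spi, self.key, self.window = spi, auth_key, ReplayWindow(window)
        self.stats = {"ok": 0, "bad_icv": 0, "replay": 0}

    def receive(self, pkt: bytes) -> bool:
        spi, seq = struct.unpack("!II", pkt[:8])
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        expect = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if spi != self.spi or not hmac.compare_digest(icv, expect):
            self.stats["bad_icv"] += 1
            return False
        if not self.window.check_and_update(seq):
            self.stats["replay"] += 1
            return False
        self.stats["ok"] += 1
        return True


def scenario():
    """Sequence 1,2,3,70 (window slides to 7..70), 10 (late but unseen), 3 (too old),
    10 (replay), a packet forged with a guessed key, then 8 (late but genuine)."""
    _, ike_psk = key_hierarchy(b"aaa-key-from-eap-success", b"session-42", b"sender-1")
    sa_key = derive(ike_psk, b"stand-in-for-IKEv2-CHILD_SA-KEYMAT")   # assumption
    sa = InboundSA(spi=0x1000, auth_key=sa_key)
    results = [sa.receive(protect(0x1000, s, sa_key, b"multicast data"))
               for s in (1, 2, 3, 70, 10, 3, 10)]
    results.append(sa.receive(protect(0x1000, 80, b"attacker-guess", b"forged")))
    results.append(sa.receive(protect(0x1000, 8, sa_key, b"late but genuine")))
    return results, sa.stats


if __name__ == "__main__":
    print(scenario())
```

The ordering matters for the DoS claim: checking the ICV first costs one HMAC per forged packet but keeps an attacker without the key from advancing the window and starving the real sender; a replayed genuine packet is then rejected by the bitmap without any further work.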
More about access control in multicast
• This is a brief description of our work in this area. What else have we done?
  o Policy framework
  o Inter-domain access control architecture based on Diameter agents
  o Data distribution control using a multicast SA
  o Mobile multicast: receiver access control & secured handoff
Conclusion: Present status
• A set of Internet Drafts has been written and presented to bring our ideas to the IETF
  o J. William Atwood, Salekul Islam and Bing Li, "Requirements for IP Multicast Receiver Access Control", IETF Internet Draft, draft-atwood-mboned-mrac-req-00, 2014.
  o J. William Atwood, Bing Li and Salekul Islam, "Architecture for IP Multicast Receiver Access Control", IETF Internet Draft, draft-atwood-mboned-mrac-arch-00, 2014.
Other Publications
1. Salekul Islam and J. William Atwood, "Sender Access and Data Distribution Control for Inter-domain Multicast Groups", Computer Networks, Vol. 54, No. 10, 2010, pp. 1646-1671.
2. Salekul Islam and J. William Atwood, "Multicast Receiver Access Control by IGMP-AC", Computer Networks, Vol. 53, No. 7, 2009, pp. 989-1013.
3. Salekul Islam and J. William Atwood, "Multicast Security", in Horizons in Computer Science Research Vol. 2, Thomas S. Clay (ed.), Nova Publishers, 2011, pp. 127-149.
4. Salekul Islam, "Participant Access Control in IP Multicasting", VDM Verlag, Nov. 2009.
5. S. Islam and J.W. Atwood, "Receiver Access Control and Secured Handoff in Mobile Multicast using IGMP-AC", submitted to the 33rd IEEE Conference on Local Computer Networks.
6. S. Islam and J.W. Atwood, "Sender Access Control in IP Multicast", in 32nd IEEE Conference on Local Computer Networks, Dublin, Ireland, 2007 October 15-18, pp. 79-86.
7. S. Islam and J.W. Atwood, "A Policy Framework for Multicast Group Control", in IEEE CCNC Workshop on Peer-to-Peer Multicasting, Las Vegas, NV, 2007 January 11, pp. 1103-1107.
8. S. Islam and J.W. Atwood, "The Internet Group Management Protocol with Access Control (IGMP-AC)", in 31st IEEE Conference on Local Computer Networks, Tampa, Florida, U.S.A., 2006 November 14-16, pp. 475-482.
9. S. Islam and J.W. Atwood, "A Framework to Add AAA Functionalities in IP Multicast", in Advanced International Conference on Telecommunications (AICT'06), Guadeloupe, French Caribbean, 2006 February 19-22.
Project Funding
• FQRNT (Quebec provincial government fund)
  o Doctoral Research Scholarship
• NSERC (Government of Canada fund)
  o Discovery Grant
• Concordia University
Contact
• Dr. Salekul Islam, UIU, Bangladesh. Email: [email protected]
• Dr. J. William Atwood, Concordia University, Canada. Email: [email protected]