Receiver Access Control in IGMP

download report

Transcript Receiver Access Control in IGMP

Receiver Access Control in IGMP
Thomas Hardjono, Verisign
Haixiang He, Nortel Networks
Brad Cain, Cereva Networks
Motivation of Receiver Access Control
• Current Service Model
– Current multicast model allow any host to join a group
by issuing join message
– Data Encryption doesn’t prevent bogus join messages
• Problem: Hosts can pull the multicast tree to its
subnet when there is no other receivers.
– Waste bandwidths
– Waste router processing power
• Solution to DoS of Multicast.
• Maybe a simple solution to protect content on non
shared medium.
Solution Goals and Requirements
• Prevent a host from pulling the distribution
tree into the host's subnet when no other
members exists in that same subnet.
• Does not address the situation when there is
already a member in that subnet.
• Should be light-weight solution. Provide
enough benefits to be turned on.
Approach: Use Access Token
• Use current key management service to
distribute Access Tokens to hosts.
• Tokens are signed by GCKS. Only legitimate
routers posses the public key of GCKS.
• Hosts attach Access Token to the IGMP
control message.
• Routers only need the public key of GCKS.
Access Token
• Contains group address (source address for SSM),
host IP, expiration time, etc.
• Uploaded by hosts for their first IGMP reports and
requested by routers.
• Routers decrypt the tokens and decide whether to
grant access or not.
– Group/Source addresses prevent illegal hosts.
– Host IP prevents other hosts to use the same token.
– Expiration time prevents hosts to reuse the token.
IGMP Authentication APIs
• Authentication module and IGMP module
should be separated.
• Use Authentication APIs to communicate.
• Bool IGMPAllowed(Token, Group/Source,
Host IP, Time).
• Authentication module decrypt Token and
compare with arguments to make decision.
IGMP Authentication Extension
• Propose two new messages
– Authentication Membership Query
– Authentication Membership Report
• Access Tokens are attached in the
Authentication Membership Reports.
• Access Token is per multicast group based
and is per group-and-source based for SSM.
Host Behavior
• In addition to the normal IGMP behavior,
host will receive Authentication Query.
• Response with Authentication Report that
contains Access Token.
• For SSM, hosts have to use multicast group
records for different sources.
Router Behavior
• Send General Authentication Query periodically.
• When a group record is first created, send Group
Specific Authentication Query.
• When a source record is first added to the source list,
send Group-and-Source Authentication Query.
• When receiving State-Change records and need to send
Group Specific Query, send Group Specific
Authentication Query instead.
• When need to send Group-and-Source Specific Query,
send Group-and-Source Specific Authentication Query.
Router Behavior Cont.
• When receiving Current-State records
– Update related timers
– Send Group or Group-and Source Specific
Authentication Query
• When receiving State-Change records
– Follow the IGMPv3 behavior
– Send appropriate Authentication Queries instead of
normal queries when needed.
• When receiving Authentication Reports
– Authentication Reports only has Current-State records
– Trigger Authentication Module and updated related
timers according to the return values.