RMTP-II Security Considerations
Brian Whetten
GlobalCast Communications
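
Types of Security Concerns
[Figure: security concerns arranged by security level, from Highest to Lowest. Concerns shown: Non-Repudiation, Privacy, Access Control, Authentication, Denial of Service, Mis-Configuration. Other labels in the figure: Multicast IPSec, RMTP-II, IP Multicast.]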

RMTP-II Roles
• Sender - Sends reliable IP multicast traffic
• Top Node (TN) - Provides central control point
• Designated Receiver (DR) - ACK Aggregation, Local Retransmission
• Receiver - Receives traffic, does not necessarily source multicast packets
• Assume: DR’s and TN’s are trusted, others aren’t

Denial of Service Attacks
• Denial of Service to a Specific Receiver or Sender
  - Corruption of Control State
• Network Overload
  - Spurious Retransmission Requests
  - Sender Transmitting Too Fast
  - Improperly Scoped Multicast Packets
• CPU Exhaustion
  - Group Membership Change Request Flooding
• Memory Exhaustion
  - Refusal to ACK Packets
• Others?

Strong Defense for Denial of Service
• Extend Multicast IPSec to provide light-weight group authentication
  - One key for all DR’s and TN’s in the same trust domain
  - One key for each sender
  - One key for all receivers
  - Otherwise as per Canetti Draft
• Still allows valid senders/receivers access to DoS attacks, if they are malicious
  - Network manager can likely remove or punish user
• Still allows brute force DoS attacks
  - Solved at the IP Level (SEP)

Light Weight Authentication
• Different keys, depending on roles
• Options: multiple keys for each network trust domain, for each sender
• Implemented as part of security architecture
[Figure: network diagram with labels Sender, Top Node, Group Controller, Server, DR (three), Receivers (two), ISP, Tokyo, New York, London.]

Weak Defenses for Denial of Service
• Check IP Addresses of Control Packet Author Against Local Group List (spoofable)
  - Helps: Corruption of Control State
  - Helps: Spurious Retransmission Requests
  - Helps: Group Membership Change Request Flooding
• Bandwidth Limits on Local Retransmissions
  - Part of Local Recovery Pathology Management
  - Helps: Spurious Retransmission Requests
• Forced Removal of Slow Receivers
  - Helps: Refusal to ACK Packets
  - Helps: Spurious Retransmission Requests
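
The address check from this slide next to the per-role keys from the "Strong Defense" and "Light Weight Authentication" slides, as an added example that is not part of the original presentation. HMAC-SHA256, the key values, addresses and message names are assumptions chosen for illustration; they are not RMTP-II wire formats or the Multicast IPSec mechanism itself.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed placeholder keys, one per role as on the slides.
KEYS = {
    "tree": b"k-tree-constructed",      # all DRs and TNs in one trust domain
    "sender:S1": b"k-s1-constructed",   # one key for each sender
    "receivers": b"k-rcv-constructed",  # one key for all receivers
}
# Hypothetical message names, and which role key may authenticate each.
ALLOWED = {"tree": {"AGG_ACK", "RETRANS"}, "sender:S1": {"DATA"},
           "receivers": {"ACK", "NACK", "JOIN", "LEAVE"}}
GROUP = {"10.0.0.5", "10.0.0.6"}        # constructed local group list

@dataclass
class Packet:
    src_ip: str
    key_id: str
    msg_type: str
    body: bytes
    tag: bytes = b""

def mac(key: bytes, p: Packet) -> bytes:
    # Length-prefix every field so field boundaries cannot be shifted.
    fields = (p.src_ip.encode(), p.key_id.encode(), p.msg_type.encode(), p.body)
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

def seal(key: bytes, p: Packet) -> Packet:
    p.tag = mac(key, p)
    return p

def weak_check(p: Packet) -> bool:
    # The slide's weak defense: author address is on the local group list.
    return p.src_ip in GROUP

def strong_check(p: Packet) -> bool:
    # Role-keyed defense: known key, message type allowed for it, MAC verifies.
    key = KEYS.get(p.key_id)
    if key is None or p.msg_type not in ALLOWED[p.key_id]:
        return False
    return hmac.compare_digest(p.tag, mac(key, p))

# Constructed packets. Outsider with no key, using a member's address:
spoofed = seal(b"guess", Packet("10.0.0.5", "receivers", "NACK", b"seq=41"))
# Receiver-key holder claiming the DR/TN key for a DR message:
escalate = seal(KEYS["receivers"], Packet("10.0.0.6", "tree", "AGG_ACK", b"seq=41"))
# Receiver-key holder using another member's address (the residual risk):
insider = seal(KEYS["receivers"], Packet("10.0.0.5", "receivers", "NACK", b"seq=41"))
```

`spoofed` passes `weak_check` but fails `strong_check`, and `escalate` fails because the receivers key cannot produce a MAC under the DR/TN key. `insider` passes both checks, which is the case the slides leave to the network manager.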

Weak Defenses (cont.)
• Manual Network Manager Controls
  - Allows Network Manager to Control Transmission Rates
  - Could be Extended to Rejecting Senders and Receivers
  - Helps: Sender Transmitting Too Fast
  - Helps: Spurious Retransmission Requests
• Congestion Control Works With Worst Report
  - Helps: Sender Transmitting Too Fast
• IP Multicast Defenses (pruning, etc.)
  - Helps: Improperly Scoped Multicast Packets (SEP)
  - Helps: Sender Transmitting Too Fast

Manageability
• Top node controls the tree
• Gives manager control
• App requests QoS
  - Manager can override Sender
• Congestion control works to meet QoS
• Top node reports group performance to manager
• Manager can adjust parameters on the fly
[Figure: management diagram with labels The Network, TN (two), DR (two), Manager, Receivers.]

Mis-Configuration
• RMTP-II Presently Requires Manual Configuration
  - Performance Parameters
  - Tree Topology Configuration
• Both Are Topics for Further Research
• Concern: Minimize Scope of Configuration Errors
  - Ideally to the network controlled by that administrator
  - Tree topology errors typically affect all downstream nodes
  - Performance parameters are primarily specified per-tree, at the top node, or per-group, specified at the sender
  - Topic requires further study