non igmp specific security
play

Non-IGMP-specific security or Why not to do security at the IGMP - PDF document

Non-IGMP-specific security or Why not to do security at the IGMP level Dave Thaler dthaler@microsoft.com General Internet Case Group Receiver Group key Content Group Group Key acquisition Node Provider Key Key Server Server


  1. Non-IGMP-specific security or “Why not to do security at the IGMP level” Dave Thaler dthaler@microsoft.com

  2. General Internet Case Group Receiver Group key Content Group Group Key acquisition Node Provider Key Key Server Server Server App App End-to-end data session Stack Stack Hop-by-hop path setup ? ISP 1 ISP 2 ISP n . . .

  3. Reasonable Security Relationships Group Receiver Content Group Group Key Node Provider Key Key Server Server Server App App Stack Stack ISP 1 ISP 2 ISP n . . .

  4. NOT reasonable in general Group Receiver Content Group Group Key Node Provider Key Key Server Server Server App App X Stack Stack X . . . ISP 1 ISP 2 ISP n . . .

  5. Observations In general, there is no security relationship between receiver’s ISP/network and a content provider If the content provider and receiver are connected to the same ISP/network, there may be a security relationship Both problems are interesting If you solve #1, you also solve #2

  6. General case needs ISP/network needs to be able to – Do accounting per client (port flat rate, per time, per amount of data, whatever) – Use ACLs (ingress filtering, whatever) Content provider needs to be able to – Control who can view content These are not multicast-specific.

  7. A solution that matches security relationships Receiver-edge IP/Link layer: – ACLs placed on ports based on customer- provider relationship at “connect” time – Hop-by-hop messages on LANs secured with same relationship – Port ACLs may change over time based on ISP/network policy/protocol/whatever

  8. A solution (cont.) End-to-end app layer: – Per-group security/keys done between apps and group key server(s) – Data can be encrypted in general Internet case • If it’s not, then it’s no different from LAN case where other receivers benefit from a legit one

  9. Protecting bandwidth General case – Can just charge requesters – Same problem occurs with unicast datagrams and this is not protected today When receiver and content provider are on same network – Content authorizer (e.g. group key server) can cause port ACL to be updated

  10. Summary Solutions need to match practical security relationships Group-specific security in IGMP is not reasonable in general Other solutions exist which appear to meet the goals In the special case, other solutions can do everything IGMP group security does Conclusion: don’t do IGMP group security

Recommend


More recommend