Secure multicast

From Wikipedia, the free encyclopedia
Jump to: navigation, search

IP Multicast is an internet communication method where a single data packet can be transmitted from a sender and replicated to a set of receivers. The replication techniques are somewhat dependent upon the media used to transmit the data. Transmission of multicast on an inherent broadcast media such as Ethernet or a satellite link automatically allows the data packet to be received by all the receivers directly attached to the media. In contrast, transmission of multicast on media that is point-to-point or point-to-multipoint requires the packet to be replicated for each link. The replication process should occur in an optimal manner where a distribution tree is built within the network. The packet can be replicated at each of the branches in the tree. This mitigates the requirement for the sender to replicate the packet once for each recipient.

The use of IPsec as a communication link requires a point-to-point connection establishment. Usually, the security is required from sender to receiver which implies the sender must replicate the packet on each of the secure connections - one for each receiver. As the number of receivers grows, the sender must scale by replicating the packet to each of the receivers. The processing load placed on the sender can be high which limits the scalability of the sender. A new method was required to securely transmit multicast and this was referred to as Secure Multicast or Multicast Security.

The Internet Engineering Task Force (IETF) created a new Internet Protocol (IP) to securely transmit multicast traffic across a packet network. The protocol definition was developed in the Multicast Security Workgroup and led to several Request for Comments (RFC) that are now used as standards for securing IP multicast traffic. The protocol allowed a sender to encrypt the multicast packet and forward it into the packet network on the optimal distribution tree. The packet may be replicated at the optimal locations in the network and delivered to all the receivers. The receivers are capable of decrypting the packet and forwarding the packet in the secure network environment. The sender of a multicast packet does not know the potential receivers; therefore, the creation of pair-wise encryption keys (one for each receiver) is impossible. The sender must encrypt packets using a shared key that all the legitimate receivers use to decrypt the packets. The security of the system is based on the ability to control the distribution of the keys only to those legitimate receivers. For this, the IETF created the Group Domain of Interpretation (GDOI) protocol defined in RFC-6407. The protocol allows the sender and receiver to join a key server where policies and keys are encrypted and distributed to the members of the secure multicast group. The key server can authenticate and authorize senders and receivers into a specific group where the shared key is used to encrypt and decrypt traffic between members of the group.

External links[edit]