Access control & multicast (was RE: [AG-TECH] AG Security)

Markus Buchhorn Markus.Buchhorn at anu.edu.au
Wed Jul 24 21:52:07 CDT 2002


At 09:33 AM 23/07/2002 +0100, Robert Olson wrote:
>SSM helps this a bit; you at least aren't told by the routing infrastructure who the active senders are. However, I bet you could still go to the I2 router proxies and look at the active mroutes to find them.

True on both counts. If we agree that putting packets on the network is handing them to your attacker, then keeping the group/source address a secret is only of limited value (from a security view).

>>It's an access issue, which has AAA overtones, so it overlaps with security in some aspects.
>
>Ah, good point. I'm trying to remember enough PIM to see where the decision would have to be made to allow a join; seems like all the routers along the distribution tree would have to know about the allowed access to the traffic.

That's what I initially thought. Now though I wonder (and I'm sure somebody's already considered it) if it can be done totally at the edge, where your IGMP join request goes to your first hop router. If that first router can somehow check your AAA details (how are they best provided? - S-IGMP?) against some profile or standard (in-band information in the session, or an ldap lookup, or ...?), it could just drop the request and never forward it up the tree. Hence no other routers need to make a decision - since they won't be asked in the first place. That'd scale linearly with the number of requesting receivers, and be distributed across the number of sites. It can also be revoked, so you can kick off problem sites in real time - which then also turns the AAA issue around to the revoking site.

>Would ratelimiting at the router ahead of a slow link be an acceptable solution this particular problem? (Need the tools to recognize the RTCP feedback and do appropriate throttling of streams that report lots of loss). 

I don't know what the vendors allow you to do now (Bill?). My impression was that all multicast could be throttled together, but not on a per-group/source basis. What's more of an issue for your 100Mb/s wide-area link: having 1000 users accessing 1000 different 1Mb/s streams, or having 1 user accessing a 1 Gb/s stream? In the middle ground you might have 5 users at 10Mb/s and 51 users at 1Mb/s - what's the fair thing to do? I think there's different policy issues involved, where rate-limiting (specific or general) may not be a kind/fair thing to do. 

>This becomes fairly important when we start playing with things like 10Mbps per stream MJPEG video (which we've been working on again, btw; looks really nice).

Which card are you using? We're aiming to put some in our nodes here. The LML and Targa cards are the only ones I've found so far.

>If anyone has any insights on how to do proper deinterlacing in either the DirectDraw or Linux environments we'd be interested :-).

Ditto (presumably)! :-)

Cheers,
        Markus


Markus Buchhorn, ANU Internet Futures Project,        | Ph: +61 2 61258810
Markus.Buchhorn at anu.edu.au, mail: Bldg #108 - CS&IT   |Fax: +61 2 61259805
Australian National University, Canberra 0200, Aust.  |Mobile: 0417 281429
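The edge-enforced join check Markus sketches above (first-hop router validates the receiver's AAA details against a profile, drops the IGMP join locally so no upstream router is ever asked, and can revoke a whole site in real time) is easy to model. The following is an added toy simulation, not code from the ag-tech thread or from any router vendor, and it does not speak real IGMP/PIM or S-IGMP: the names AccessProfile, EdgeRouter and Upstream, the (source, group) pairs and the site ids are all constructed for illustration. It shows the two properties claimed in the post: only the first permitted receiver at a site triggers a join toward the source, and revoking a site prunes every tree it was on.

```python
"""Toy model of edge-enforced (S,G) join access control with revocation.

Added illustration; hypothetical names throughout. The 'upstream' router
only ever sees joins/prunes that the edge has already authorised, so the
decision cost stays at the edge and scales with the number of receivers.
"""
from dataclasses import dataclass, field


@dataclass
class AccessProfile:
    # (source, group) -> set of site ids allowed to receive it (constructed sample policy)
    allowed: dict = field(default_factory=dict)
    # sites kicked off in real time; checked before the per-group rule
    revoked_sites: set = field(default_factory=set)

    def permits(self, site, source, group):
        if site in self.revoked_sites:
            return False
        return site in self.allowed.get((source, group), set())


class Upstream:
    """Stand-in for the next-hop router toward the source: records what it was asked."""

    def __init__(self):
        self.joins = []   # (source, group) joins actually forwarded up the tree
        self.prunes = []  # (source, group) prunes sent when the last receiver leaves


class EdgeRouter:
    def __init__(self, site, profile, upstream):
        self.site = site
        self.profile = profile
        self.upstream = upstream
        self.members = {}  # (source, group) -> set of receiver ids at this site

    def igmp_join(self, receiver, source, group):
        """Return True if the join is accepted; a rejected join is dropped at the edge."""
        key = (source, group)
        if not self.profile.permits(self.site, source, group):
            return False  # nothing is forwarded; no other router makes a decision
        first = not self.members.get(key)
        self.members.setdefault(key, set()).add(receiver)
        if first:
            self.upstream.joins.append(key)  # only the first receiver grows the tree
        return True

    def igmp_leave(self, receiver, source, group):
        key = (source, group)
        if key in self.members:
            self.members[key].discard(receiver)
            if not self.members[key]:
                del self.members[key]
                self.upstream.prunes.append(key)

    def revoke(self):
        """Kick this site off: mark it revoked and prune every tree it is on."""
        self.profile.revoked_sites.add(self.site)
        for key in list(self.members):
            del self.members[key]
            self.upstream.prunes.append(key)


def demo():
    """Run the scenario from the post and return the observable results."""
    src, grp = "10.0.0.1", "232.1.1.1"  # constructed SSM channel
    profile = AccessProfile(allowed={(src, grp): {"anu"}})
    upstream = Upstream()
    anu = EdgeRouter("anu", profile, upstream)
    other = EdgeRouter("other", profile, upstream)
    r = {}
    r["anu_join"] = anu.igmp_join("h1", src, grp)      # permitted, tree join sent
    r["anu_join2"] = anu.igmp_join("h2", src, grp)     # permitted, no second tree join
    r["other_join"] = other.igmp_join("h9", src, grp)  # not in profile, dropped at edge
    r["upstream_joins"] = list(upstream.joins)
    anu.revoke()                                       # real-time kick-off of the site
    r["after_revoke"] = anu.igmp_join("h3", src, grp)
    r["upstream_prunes"] = list(upstream.prunes)
    return r


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the check lives: the upstream list receives exactly one join for the whole site no matter how many local receivers ask, and the unauthorised site's request never leaves its first hop. A real deployment would still have to settle how the receiver's AAA details reach that first hop, which the post leaves open.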



