Border Gateway Multicast Protocol (BGMP) - PowerPoint PPT Presentation

Slide 1

Border Gateway Multicast Protocol

Sicherheit im Internet (Security on the Internet), Patrick Lederer, 18.05.2004

Slide 2

Abstract

  • 1. Introduction
  • 2. Tasks and Rules of Border Routers
  • 3. Implementations
  • 4. Bidirectional Trees
    4.1 Third Party Dependency
    4.2 Method of choosing the root
    4.3 Establishing the bidirectional shared tree
    4.4 Data from external Domains
  • 5. Source Specific Branches/Trees
    5.1 Establishing Source Specific Branches/Trees
  • 6. Security

Slide 3

1. Introduction

(figure slide; title not recoverable)

Slide 4

1. Introduction

  • protocol for inter-domain multicast routing
  • run by the border routers of a domain
  • constructs inter-domain bidirectional shared trees
  • allows any existing multicast routing protocol to be used within individual domains

Figure: Domain A and Domain B, connected by their border routers over TCP port 264.

Slide 5

1. Introduction

BGMP uses TCP, so there is no need to implement:

  • message fragmentation
  • retransmission
  • acknowledgement
  • sequencing

Slide 6

3. Implementations

  • border routers build group specific bidirectional branches and source specific unidirectional branches where needed

Figure: Domains A, B and C.

Slide 7

3. Implementations

Figure: Domain A and Domain B, each with a border router. BGMP runs over the inter-domain connections between the border routers; the MIGP runs over the intra-domain connections inside each domain.

Slide 8

3. Implementations

Multicast Interior Gateway Protocol (MIGP):

A generic term for any multicast routing protocol used for tree construction within a domain. Typical examples are PIM-SM, PIM-DM, DVMRP, MOSPF and CBT.

Figure: a domain whose hosts are connected via the MIGP.

Slide 9

3. Implementations

Messages used by border routers:

  • open: first message sent by each side
  • keep alive: sent periodically to ensure the liveness of the connection and to confirm “open”
  • update: sent if group memberships change (via join/prune/source or group messages)
  • notification: response to errors or special conditions

Slide 10

3. Implementations

Messages used by border routers:

  • are processed only after they have been entirely received
  • maximum size: 4096 octets
  • all implementations are required to support this maximum message size

Slide 11

3. Implementations

Forwarding rules used by border routers:

  • if a packet arrives on an MIGP interface, it is accepted and forwarded according to the MIGP rules

Figure: a domain running the MIGP.

Slide 12

3. Implementations

Forwarding rules used by border routers:

If a packet arrives over a point-to-point BGMP interface (and the packet got accepted), it is forwarded to:

  • 1. the targets listed in the (S,G) entry (source specific)
  • 2. the targets listed in the (*,G) entry (bidirectional)
  • 3. the next hop towards the group

Figure: Domain A and Domain B.

Slide 13

3. Implementations

Forwarding rules used by border routers:

A packet will be dropped if:

  • it was not received from the next hop target towards the group or the source

After dropping the packet no further actions are taken.

Slide 14

4. Bidirectional Trees

What is this good for?

IP Multicast:

  • Multimedia teleconferencing
  • Distance learning
  • Data replication
  • Network games

Slide 15

4. Bidirectional Trees

Bidirectional Tree

Figure: Domains A, B and C.

Slide 16

4. Bidirectional Trees

Bidirectional Trees:

  • minimize third party dependencies
  • improve performance
  • more efficient

Slide 17

4.1 Third Party Dependency

Figure: Domains A (Root), B, C and D.

Slide 18

4.2 Method of choosing the root

Method of choosing the root for the shared tree:

Intra-domain shared tree protocols:

  • all routers are treated as equivalent candidates
  • it is a more or less random choice (depending on load sharing and stability)

Slide 19

4.2 Method of choosing the root

Method of choosing the root for the shared tree:

In BGMP:

  • the choice of a group's root is subject to administrative control (depending e.g. on poor locality)
  • the tree is usually rooted at the domain of the initiator of the group

Slide 20

4.3 Establishing the bidirectional shared tree

Figure: Domains A, B and C with border routers C1, A2, A3 and B1; Domain A is the root domain for 224.0.128.1. A host in Domain C joins the group via the MIGP; C1 asks "224.0.128.1 ?" and sends a join towards the root domain. C1's target list: child target = MIGP, parent target = A2.

Slide 21

4.3 Establishing the bidirectional shared tree

Target list (multicast-group forwarding entry) at C1: child target = MIGP, parent target = A2.

  • parent target: the BGMP peer that is the next hop towards the group’s root domain
  • child target: the BGMP peer or MIGP component from which a join request was received

Slide 22

4.3 Establishing the bidirectional shared tree

(*,G) entry at C1: child target = MIGP, parent target = A2.

Packets from any source (*) sent to the group and received by the border router are forwarded to all the targets in the list except to the sender itself.

Slide 23

4.3 Establishing the bidirectional shared tree

Figure: the join propagates towards the root domain A for 224.0.128.1. C1 (child target: MIGP, parent target: A2) asks "224.0.128.1 ?" and joins towards A2; A2 (child target: C1, parent target: A3) asks "224.0.128.1 ?" and joins towards A3 in the root domain. B1 in Domain B joins the same way (child target: MIGP, parent target: A3).

Slide 24

4.4 Data from external domains

Figure: Domains A (root domain for 224.0.128.1, border routers A1, A2, A3), B (B1), C (C1) and E (E1). A host in Domain E sends data via the MIGP through E1 into the shared tree established in 4.3.

Slide 25

5. Source Specific Branches/Trees

5.1 Establishing source specific Branches/Trees

Source specific trees are used:

  • to be compatible with source specific trees used by the MIGP (e.g. source rooted intra-domain trees built by DVMRP and PIM-DM)
  • or to construct trees for source specific groups

Slide 26

5.1 Establishing source specific Branches/Trees

Source specific branches/trees are built ONLY when:

  • it is needed to pull traffic down to a BGMP router that has source-specific (S,G) state
  • AND it is not yet in the shared tree
  • AND the router does not want to receive packets by encapsulation from a router in the shared tree

Slide 27

5.1 Establishing Source Specific Branches/Trees

RPF (Reverse Path Forwarding) check:

Data gets forwarded if it arrives on the interface which the router regards as part of the shortest path to the source (E2). Otherwise it is treated as duplicate data and dropped. Therefore data packets need to be encapsulated to be accepted by other routers (overhead!).

Figure: Domain E with border routers E1 and E2; the source sends encapsulated data.

Slide 28

5.1 Establishing source specific Branches/Trees

Otherwise not source specific because:

  • inter-domain connectivity is small, so shared distribution trees have acceptable path length and traffic concentration
  • by giving the shared tree state precedence over the source specific tree, ambiguities are avoided

Slide 29

5.1 Establishing Source Specific Branches/Trees

Figure: Domains A (root), B, C, D and E with border routers A2, A3, A4, B1, B2, C1, D1, E1 and E2.

Slide 30

5.1 Establishing Source Specific Branches/Trees

Figure: same topology; the source sends encapsulated data, and hosts in Domains D, A and B are shown as receivers.

Slide 31

5.1 Establishing Source Specific Branches/Trees

Figure: same topology; a source specific join is sent.

Slide 32

5.1 Establishing Source Specific Branches/Trees

Target list (multicast forwarding entry) at E2: child target = MIGP, parent target = A4.

  • parent target: the next hop towards the source S
  • child target: the BGMP peer or MIGP component from which a join request was received

Figure: Domains A and E with border routers E1, E2 and A4; the join goes from E2 to A4.

Slide 33

5.1 Establishing Source Specific Branches/Trees

(S,G) entry at E2: child target = MIGP, parent target = A4.

Packets that arrive from the parent target are accepted and forwarded to all the targets listed in the (S,G) entry (unidirectional).

Figure: Domains A and E with border routers E1, E2 and A4; the join goes from E2 to A4.

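The forwarding rules of slides 12, 13, 22 and 33 as a small Python model, added here as an example and not taken from the slides; the dictionary layout, the constructed source address 10.0.0.5 and the handling of packets that match no entry are this example's assumptions, not RFC 3913 behaviour.

```python
# Added example, not code from the slides: a model of the border-router
# forwarding rules on slides 12, 13, 22 and 33. Router names (C1, A2, E2, A4),
# target names and group 224.0.128.1 come from the slide figures; the dict
# layout, the source address and the no-entry drop rule are assumptions.

class BorderRouter:
    def __init__(self):
        self.sg = {}        # (S, G) -> {"parent": target, "children": [targets]}
        self.star_g = {}    # G -> {"parent": target, "children": [targets]}
        self.next_hop = {}  # G -> BGMP peer, the next hop towards the group

    def forward(self, src, group, arrived_from):
        """Targets a packet is forwarded to; [] means it is dropped."""
        # 1. (S,G) entry, unidirectional: accept only from the parent target
        #    (next hop towards the source) and forward to all children.
        sg = self.sg.get((src, group))
        if sg is not None:
            if arrived_from != sg["parent"]:
                return []
            return list(sg["children"])
        # 2. (*,G) entry, bidirectional: any target in the list may send;
        #    forward to every target except the sender itself.
        star = self.star_g.get(group)
        if star is not None:
            targets = [star["parent"]] + star["children"]
            if arrived_from not in targets:
                return []
            return [t for t in targets if t != arrived_from]
        # 3. no entry: forward to the next hop towards the group; a packet
        #    that already came from that hop has no onward target (assumption).
        nh = self.next_hop.get(group)
        return [nh] if nh is not None and nh != arrived_from else []

def demo():
    """C1 on the shared tree (parent A2, child MIGP); E2 on a source specific
    branch for a constructed source 10.0.0.5 (parent A4, child MIGP)."""
    g, s = "224.0.128.1", "10.0.0.5"
    c1 = BorderRouter()
    c1.star_g[g] = {"parent": "A2", "children": ["MIGP"]}
    e2 = BorderRouter()
    e2.sg[(s, g)] = {"parent": "A4", "children": ["MIGP"]}
    e2.next_hop[g] = "A4"
    return {
        "c1_from_migp": c1.forward(s, g, "MIGP"),      # ["A2"]
        "c1_from_a2": c1.forward(s, g, "A2"),          # ["MIGP"]
        "c1_from_stranger": c1.forward(s, g, "B1"),    # [] dropped
        "e2_from_parent": e2.forward(s, g, "A4"),      # ["MIGP"]
        "e2_from_child": e2.forward(s, g, "MIGP"),     # [] unidirectional
        "e2_other_source": e2.forward("10.0.0.9", g, "MIGP"),  # ["A4"]
    }
```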
Slide 34

5.1 Establishing Source Specific Branches/Trees

(S,G) entry

The source specific join propagates towards the source, setting up (S,G) entries in the border routers until it reaches a border router that is in the shared tree for the group.

Figure: Domains A, D and E with border routers E1, E2, A4 and D1; the join travels from E2 via A4 towards D1.

Slide 35

5.1 Establishing Source Specific Branches/Trees

Figure: same topology; the join is answered by data.

Slide 36

5.1 Establishing Source Specific Branches/Trees

Figure: same topology; data flows along the source specific branch and a source-specific-prune is sent.

Slide 37

6. Security

  • unauthorized or altered BGMP messages
  • denial of service
  • excess bandwidth consumption
  • lack of multicast connectivity

Slide 38

6. Security

Authentication of BGMP messages (against unauthorized or altered BGMP messages and denial of service)

Slide 39

6. Security

Messages: open, update, notification, keep alive

To secure control messages, keyed MD5 (RFC 2385) must be implemented.
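The keyed MD5 check that slide 39 requires, as an added Python example rather than anything from the slides; it follows RFC 2385's definition of what the digest covers and uses constructed addresses, ports, key and payload (only the TCP port 264 is from slide 4).

```python
# Added example, not from the slides: the keyed MD5 signature of RFC 2385
# ("TCP MD5 Signature Option") that slide 39 says BGMP must implement for
# its control connection. Addresses, ports, key and payload below are
# constructed sample values; only BGMP's TCP port 264 comes from slide 4.
import hashlib
import hmac
import socket
import struct

TCP_MD5SIG_KIND = 19  # RFC 2385 option kind; the option carries a 16-byte digest

def tcp_md5_signature(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest over: IPv4 pseudo-header, the fixed 20-byte TCP header
    with its checksum zeroed (options excluded), the segment data, the key."""
    if len(tcp_header) < 20:
        raise ValueError("need at least the 20-byte fixed TCP header")
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"                 # checksum field counts as zero
    seg_len = len(tcp_header) + len(payload)   # whole segment incl. options
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, seg_len)
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()

def verify_signature(src_ip, dst_ip, tcp_header, payload, key, received):
    """Receiver side: recompute and compare in constant time; a mismatch means
    the segment is silently discarded, which is what stops altered messages."""
    expected = tcp_md5_signature(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(expected, received)

def build_tcp_header(src_port, dst_port, seq, ack, flags, window):
    """Constructed 20-byte TCP header: data offset 5, checksum and urgent 0."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       5 << 4, flags, window, 0, 0)

def demo():
    """Sign a constructed segment from one border router to another on port 264,
    then verify the original, a tampered payload and a wrong key."""
    key = b"constructed-shared-key"
    hdr = build_tcp_header(40000, 264, 1000, 2000, 0x18, 65535)  # PSH|ACK
    msg = b"BGMP-OPEN-sample"                                   # constructed
    src, dst = "192.0.2.1", "192.0.2.2"
    sig = tcp_md5_signature(src, dst, hdr, msg, key)
    return (len(sig),
            verify_signature(src, dst, hdr, msg, key, sig),                  # True
            verify_signature(src, dst, hdr, b"BGMP-OPEN-sampl3", key, sig),  # False
            verify_signature(src, dst, hdr, msg, b"wrong-key", sig))         # False
```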

Slide 40

Thank you!