1 / 12

IGAP : IP Multicast Management Protocol that can collaborate with User Authentication

IGAP : IP Multicast Management Protocol that can collaborate with User Authentication. Akihiro Tanabe † , Daisuke Andou † , Kaori Izutsu † , Tsunemasa Hayashi ‡ and Hiroshi Tohjo ‡ † NTT Access Network Service Systems Laboratories Email: {atanabe, dandou, izutsu}@ansl.ntt.co.jp

astro
Download Presentation

IGAP : IP Multicast Management Protocol that can collaborate with User Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. IGAP : IP Multicast Management Protocolthat can collaborate with User Authentication Akihiro Tanabe†, Daisuke Andou†, Kaori Izutsu†, Tsunemasa Hayashi‡and Hiroshi Tohjo‡ †NTT Access Network Service Systems Laboratories Email: {atanabe, dandou, izutsu}@ansl.ntt.co.jp ‡NTT Network Innovation Laboratories Email: {hayashi.tsunemasa, tohjo.hiroshi}@lab.ntt.co.jp

  2. Introduction [What do we want to achieve?] Provide New Content Service for Broadband IP network (using xDSL, fiber optic network, …) • [Viewpoints] • Network should be able to transfer many broadband contents. • --> CDN with IP Multicast • Service providers should strictly manage the data of their users. • Per content accounting mechanism should refer to the access data of users. • --> No mechanism available IGAP (Internet Group membership Authentication Protocol)

  3. Multicast data, Authentication data, etc Internet content data Assumed Network Environment User management system Video Distribution Server to the Internet Authentication and Accounting Server Portal Server Content Delivery Network (CDN) Provider’s Network • Copy of Multicast Packets • Distribute IP packets toward CDN and the PPPoE frame toward the Internet <Distribution Table> PPPoE : 0x8863, 0x8864 IP : 0x0800 Distribution Switch Access Network • User client : PC or STB •       (Set-Top-Box) Customers Customers

  4. IGMPv2 Membership Report Multicast Packet Current Situation in IGAP development Any client sending IGMPv2 Membership Report can join a multicast group, even if an illegal user is behind the client. Client subscribing to the service Multicast Router Content Server non subscribing to the service (illegal user) should authenticate the user Filtering by IP address is not sufficient, because IP address of clients may be changed for every connecting to network. <ex.> Client change ? 192.168.0.1 192.168.10.1 <filter table> 192.168.0.1 : accept 192.168.0.2 : reject <filter table> 192.168.10.* : unknown (depends on default setting) ? 192.168.0.2 192.168.10.2

  5. Summary of IGAP • IGAP is based on IGMPv2, and works with user authentication and accounting mechanism. So users accepted by the multicast group can only receive the content data by IP multicast. • Router implementing IGAP sends user authentication (accounting) data to authentication (accounting) server, and sends message about result of authentication and accounting status (start or stop) to user-client joining multicast group. • IGAP can check whether the user is accepted for accessing the multicast group while receiving the multicast packets (re-authentication). • Leave process of IGAP differs from that of IGMP. IGAP leave process is designed to lower the delay upon changing multicast content (such as changing TV channel).

  6. Message (64bytes) User Account (16bytes) IGAP Header Format 0 1 2 3 4 (Byte) http://www.ietf.org/internet-drafts/draft-hayashi-igap-02.txt Type Max Resp Time Checksum IGMPv2 Compatible (8bytes) Group Address Version Subtype (Reserve-1) Challenge ID Account Size Message Size (Reserve-2) IGAP Original (88bytes) • Challenge ID : the parameter for encryption of password by Challenge-Response mechanism • User Account : the parameter to indicate the user name • Message : the parameter for authentication, e.g. password

  7. IGMPv2 Membership Report Multicast Packet RADIUS Packet IGAP Join Multicast Packet IGAP Join process • [Join multicast group using IGMPv2] • Send IGMPv2 Membership Report from user client to IGMP router • Start to send multicast packets from IGMP router to user client IGMP Router User Client Content Server 1 2 • [Join multicast group using IGAP] • Send IGAP Join from user client to IGAP router • Send RADIUS Access Request from IGAP router to RADIUS server • Send RADIUS Access Accept from RADIUS server to IGAP router • Start to send multicast packets from IGAP router to user client • Send RADIUS Accounting Request from IGAP router to RADIUS server • Send RADIUS Accounting Response (start) from RADIUS server to IGAP router Content Server Multicast Stream IGAP Router RADIUS Server User Client 1 2 / 3 4 5 / 6

  8. IGAP Query process and Re-authentication IGAP Query / IGAP Join (for replying to query) Re-authentication (access request / access accept or reject) IGAP Router [Query Interval (same as IGMPv2)]  This is interval for resending IGAP Query packet. When the timer of Query Interval expires, IGAP Router sends a Query and restarts the timer. [Validity-Period]  This is interval to re-authenticate user, RADIUS server tells the value to IGAP Router. When the timer of Validity Period expires, IGAP Router sends the packets for re-authentication after IGAP Join received in reply to next IGAP Query. User Client RADIUS Server [time schedule] time Count of “Query Interval” Count of “Validity Period” IGAP query process IGAP query and re-authentication process

  9. IGAP Leave process Sending multicast packets User Clients • [Leave using IGMPv2] • (the case of last member of multicast group) • Send IGMPv2 Leave from user client to IGMP router • 2. Send IGMPv2 Group Membership Query from IGMP router to clients of the multicast • 3. If no IGMP Membership Report received, multicast packets are stopped to all user clients. IGMP Router IGMPv2 Leave IGMPv2 Query Sending multicast packets User Clients • [Leave using IGAP (Fast Leave)] • Send IGAP Leave from user client to IGMP router • The user client leaves the multicast group • (independent of other user clients) IGAP Router User (client) management per user-ID IGAP Leave

  10. Experimental Network Environment MPEG2 multicast stream (6Mbps) Video Cable STB (Set Top Box) DistributionSwitch (IGAP Router) [experiment] Video streams encoded in MPEG2 are transferred by IP Multicast from encoders to IGAP Router. • Join : Validation by authentication mechanism after STB or PC sends IGAP Join • Query and Re-authentication : Validation by authentication mechanism after STB or PC sends IGAP Join in reply to IGAP Query, while the STB or PC is receiving multicast streams • Leave : Validation by “Fast Leave” mechanism after STB or PC sends IGAP Leave • Management system : Verification of accounting and watching log of users using this system IGAP MPEG2 encoder (6 commercial) units GigabitEthernet L3SW PC RADIUS server (commercial) PPPoE linkage L2SW portal Web server (PC) Ethernet Management System L3SW (Internet gateway) (to The Internet)

  11. IP Multicast Management System <Menu Image> <Program Information (reception time, etc)> <Program Guide> <User’s Account Information>

  12. [Reports] The development of new IP Multicast management protocol IGAP for user authentication and accounting in content delivery services. The IGAP implementation for user-client and router Validation of IGAP operation The Improvements Revision of IGAP header (concordance with IGMPv3, IPv6, etc) QoS mechanism and flow management for keeping content (video) quality (e.g. expedited forwarding) Brush up implementation detials Inspection for actual (commercial) service etc Conclusions

More Related