Copyright Senetas Corporation 2012 - All rights reserved. Permission to reproduce and distribute this document is granted provided this copyright notice is included and that no modifications are made to the original. Revisions to this document may be issued, without notice, from time to time.
Multicast applications
Multicast transmission is a means of sending information to a group of interested receivers in a single transmission. It is considered a bandwidth-saving technology because it delivers the same information once to the group rather than copying it individually to each group member. Multicast traffic volumes have been increasing rapidly, mainly due to the growth of video-based applications but also from other uses such as real-time information feeds and content delivery systems.
Multicast group membership is normally managed using the Internet Group Management Protocol (IGMP) on IPv4 networks or Multicast Listener Discovery (MLD) on IPv6 networks. Both protocols let individual hosts dynamically register with a multicast router as members of a particular multicast group. The default behaviour of a layer 2 switch is to flood multicast frames out of every port other than the one on which they arrived. To prevent this and deliver multicast traffic efficiently, a layer 2 switch needs to learn which ports are associated with each multicast group. This is normally achieved by IGMP/MLD snooping: the switch listens in on the IGMP or MLD traffic passing through it and records which ports have reported membership of each group.
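The snooping process above, as an added example that is not part of the original paper: a model of a layer 2 switch that decodes IGMPv2 membership reports and leaves (RFC 2236 fixed header, RFC 1071 checksum) and builds its per-group port table from them, flooding only for groups it has not learned. The port numbers, group addresses and messages are constructed test data, and the leave handling is simplified (a real switch sends a group-specific query before pruning a port).

```python
import struct
import ipaddress
from collections import defaultdict

# IGMPv2 message types (RFC 2236). The fixed header is 8 bytes:
# type(1) | max response time(1) | checksum(2) | group address(4)
IGMP_MEMBERSHIP_QUERY = 0x11
IGMP_V1_MEMBERSHIP_REPORT = 0x12
IGMP_V2_MEMBERSHIP_REPORT = 0x16
IGMP_LEAVE_GROUP = 0x17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type: int, group: str, max_resp: int = 0) -> bytes:
    """Constructed test data only: an IGMPv2 message with a correct checksum."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmpv2(msg: bytes):
    """Validate and decode the 8-byte IGMPv2 header; returns (type, max_resp, group)."""
    if len(msg) < 8:
        raise ValueError("truncated IGMP message")
    if inet_checksum(msg[:8]) != 0:  # a message whose checksum is correct sums to zero
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp, _csum, group = struct.unpack("!BBH4s", msg[:8])
    return msg_type, max_resp, str(ipaddress.IPv4Address(group))


def is_valid_igmpv2(msg: bytes) -> bool:
    try:
        parse_igmpv2(msg)
        return True
    except ValueError:
        return False


class SnoopingSwitch:
    """Model of a layer 2 switch that learns its multicast forwarding table from IGMP."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.members = defaultdict(set)  # group address -> ports with a listener
        self.router_ports = set()        # ports on which a querier (multicast router) was seen

    def snoop(self, ingress_port: int, igmp: bytes) -> None:
        msg_type, _max_resp, group = parse_igmpv2(igmp)
        if msg_type == IGMP_MEMBERSHIP_QUERY:
            self.router_ports.add(ingress_port)
        elif msg_type in (IGMP_V1_MEMBERSHIP_REPORT, IGMP_V2_MEMBERSHIP_REPORT):
            if not ipaddress.IPv4Address(group).is_multicast:
                raise ValueError("report for non-multicast address %s" % group)
            self.members[group].add(ingress_port)
        elif msg_type == IGMP_LEAVE_GROUP:
            # Simplification: a real switch first sends a group-specific query and only
            # prunes the port if no other host behind it answers within the response time.
            self.members[group].discard(ingress_port)
            if not self.members[group]:
                del self.members[group]

    def egress(self, ingress_port: int, group: str) -> set:
        """Ports to which a multicast frame for `group` arriving on `ingress_port` is sent."""
        if group in self.members:
            out = self.members[group] | self.router_ports  # listeners plus the router
        else:
            out = self.ports  # unlearned group: flood, the default switch behaviour
        return out - {ingress_port}
```

Calling `snoop()` on each IGMP message the switch sees and `egress()` for each multicast frame reproduces the difference between a plain switch (every multicast frame to every port) and a snooping one (only to ports that reported membership, plus the router port).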
In this model one encryptor is delegated the role of key master by an automatic election amongst the encryptors visible in the network. This mechanism has the following features:
- Automatic discovery of multicast encryption groups and secure connections (no manual configuration of MAC addresses or VLAN IDs is required)
- Secure distribution and automatic updates of keys to all members of the group
- New members can securely join or leave the group at any time
- Automatic aging/deletion of inactive groups
- Fault tolerance to network outages and topology changes

In the event of a temporary isolation of network segments (caused, for example, by a network outage or reconfiguration as shown in Figure 5), the group key management scheme automatically establishes a group key master within each visible network segment. When the segments rejoin, the network transparently re-elects a single group key master. Importantly, this split-rejoin process causes no disruption to network traffic as long as the network is separated for less than two key update periods. Key updates keep every encryptor one key update period ahead: at each update the key for the following period is distributed as well, so at the moment of a split both segments already hold the same key for the next period. Two split groups therefore continue to share a usable key until the second key update after the split. If the key update period is, for example, one hour, the two split groups have the same key to use for more than an hour but less than two hours.
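The split-rejoin timing above, as an added simulation that is not Senetas code and does not describe the appliance's actual protocol: each encryptor holds the current group key and the pre-distributed key for the following period, key updates happen at whole multiples of the update period, and a partition's master (assumed here to be the member with the lowest identifier) generates and pushes the next key. The simulation shows that traffic across a former split still decrypts if the segments rejoin before the second key update after the split, and fails afterwards. Identifiers, key sizes and the election rule are assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Encryptor:
    ident: int
    current: bytes = b""   # group key for the present update period
    next_key: bytes = b""  # group key already distributed for the following period


class Partition:
    """Encryptors that can currently see each other. Assumption: the lowest ident wins
    the election and becomes the group key master for the partition."""

    def __init__(self, members):
        self.members = list(members)
        self.master = min(self.members, key=lambda e: e.ident)

    def distribute_next(self) -> None:
        # The master generates the key for the *following* period and pushes it to all
        # members now, so every member is always one key update period ahead.
        key = secrets.token_bytes(16)
        for m in self.members:
            m.next_key = key

    def key_update(self) -> None:
        # At the period boundary everyone switches to the pre-distributed key and the
        # master immediately distributes the one after that.
        for m in self.members:
            m.current = m.next_key
        self.distribute_next()


def simulate_split(split_at: float, rejoin_at: float, n: int = 4) -> dict:
    """Time is measured in key update periods; updates occur at t = 1, 2, 3, ...
    The network splits into two halves at `split_at` and rejoins at `rejoin_at`."""
    if not 0 <= split_at < rejoin_at or n < 2:
        raise ValueError("need 0 <= split_at < rejoin_at and at least two encryptors")
    encs = [Encryptor(i) for i in range(1, n + 1)]
    network = Partition(encs)
    network.distribute_next()
    network.key_update()          # every encryptor now holds K0 (current) and K1 (next)
    half = n // 2
    halves = None
    updates_while_split = 0
    for t in range(1, int(rejoin_at) + 1):   # every update that falls before the rejoin
        if t <= split_at:
            network.key_update()  # still a single network
            continue
        if halves is None:        # outage: each visible segment elects its own master
            halves = [Partition(encs[:half]), Partition(encs[half:])]
        for p in halves:
            p.key_update()
        updates_while_split += 1
    if halves is None:            # outage shorter than the time to the next update
        halves = [Partition(encs[:half]), Partition(encs[half:])]
    rejoined = Partition(encs)    # segments rejoin and a single master is re-elected
    return {
        "updates_while_split": updates_while_split,
        "masters_while_split": [p.master.ident for p in halves],
        "master_after_rejoin": rejoined.master.ident,
        # Traffic across the former split decrypts only while both sides still use the
        # same current key, i.e. until the second update after the split.
        "traffic_survives": encs[0].current == encs[-1].current,
    }
```

With a one-hour update period, `simulate_split(1.5, 2.9)` (a 1.4 hour outage beginning mid-period) keeps a shared key, while `simulate_split(0.5, 2.5)` (a 2 hour outage) spans two updates and the halves diverge.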
Policy control
Multicast encryption is supported in both MAC and VLAN modes of operation on Senetas encryption appliances.
i. In MAC mode the encryptor establishes both unicast and multicast connections based on the destination MAC address of each received Ethernet frame. Pairwise keys are used to encrypt frames with unicast destination addresses, and dynamic multicast connections using group keys are established for frames with multicast destination addresses. Multicast connections can be deleted automatically when no traffic has been seen for a specified number of minutes.
ii. In VLAN mode the encryptor establishes one encrypted connection per VLAN, using group keys only. The VLAN identifier in the frame distinguishes the secure connections. VLAN connections are discovered automatically but do not age with inactivity.
In architectures where one multicast group address spans multiple VLAN IDs (for example Figure 6, where all hosts are part of the same multicast group), VLAN mode must be used. This ensures that the encryptor's key management traffic for a given connection is always carried on the same VLAN. Senetas provides a GUI management tool, CypherManager, to configure the encryptor policy. It provides fine-grained control of traffic processing and allows encryption policy to be set per ethertype and per address class, as shown in Figure 7.
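The two policy modes and the multi-VLAN case above, as an added model that is not Senetas code: frames are parsed for destination MAC, optional 802.1Q tag (TPID 0x8100, VLAN ID in the low 12 bits of the TCI) and the I/G bit that marks a group address, then assigned to a connection the way each mode does it. In MAC mode a multicast group seen on VLAN 10 and VLAN 20 collapses into one group-keyed connection straddling both VLANs, which is the situation the text says requires VLAN mode; in VLAN mode each VLAN gets its own connection and nothing ages. The mode names, the five-minute idle timeout, the pairwise-key identifier and the handling of untagged frames in VLAN mode are assumptions, and the frames are constructed test data.

```python
import struct

ETH_P_8021Q = 0x8100  # TPID of an IEEE 802.1Q tag; the VLAN ID is the low 12 bits of the TCI


def build_frame(dst: str, src: str, ethertype: int, vlan=None, payload: bytes = b"") -> bytes:
    """Constructed test frames only: Ethernet header, optional 802.1Q tag, payload."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Returns (dst, src, vlan or None, ethertype, payload)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vlan, offset = None, 14
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return dst.hex(":"), src.hex(":"), vlan, ethertype, frame[offset:]


def is_multicast(mac: str) -> bool:
    """The I/G bit (least significant bit of the first octet) marks group addresses."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


class ConnectionTable:
    """Connection discovery in the two policy modes.
    MAC mode: pairwise key per unicast pair, group key per multicast destination,
    multicast connections aged out after `idle_minutes` without traffic.
    VLAN mode: one group-keyed connection per VLAN ID, never aged."""

    def __init__(self, mode: str, idle_minutes: int = 5):
        if mode not in ("MAC", "VLAN"):
            raise ValueError("mode must be MAC or VLAN")
        self.mode, self.idle_minutes = mode, idle_minutes
        self.connections = {}  # connection id -> {"key_type", "last_seen", "vlans"}

    def classify(self, frame: bytes, now_minute: int):
        dst, src, vlan, _ethertype, _payload = parse_frame(frame)
        if self.mode == "VLAN":
            if vlan is None:
                # The paper does not say how untagged frames are treated in VLAN mode;
                # this model simply refuses them (assumption).
                raise ValueError("untagged frame in VLAN mode")
            conn_id, key_type = ("vlan", vlan), "group"
        elif is_multicast(dst):
            conn_id, key_type = ("mcast", dst), "group"
        else:
            # Assumption: the pairwise connection is identified by the unordered MAC pair.
            conn_id, key_type = ("pair", tuple(sorted((src, dst)))), "pairwise"
        entry = self.connections.setdefault(conn_id, {"key_type": key_type, "vlans": set()})
        entry["last_seen"] = now_minute
        entry["vlans"].add(vlan)  # VLANs this connection has carried traffic on
        return conn_id, key_type

    def age(self, now_minute: int) -> list:
        """Delete MAC-mode multicast connections idle longer than the timeout."""
        if self.mode != "MAC":
            return []  # VLAN connections do not age with inactivity
        expired = [cid for cid, c in self.connections.items()
                   if c["key_type"] == "group" and now_minute - c["last_seen"] > self.idle_minutes]
        for cid in expired:
            del self.connections[cid]
        return expired
```

Inspecting `connections[("mcast", ...)]["vlans"]` on a MAC-mode table fed with the same group from two VLANs shows the single connection spanning both, which is why the text prescribes VLAN mode for that topology.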
Summary
There is a growing need to securely and efficiently deliver multicast traffic across networks for a variety of applications. Traditional approaches to this using layer 3 encryption can be problematic from both a complexity and performance perspective. Encryption at layer 2 can provide a simple, effective way to secure multicast traffic streams without compromising network performance.