Fact Sheet SEN-214

Simple Secure Multicast Transmission

Copyright Senetas Corporation 2012 - All rights reserved. Permission to reproduce and distribute this document is granted provided this copyright notice is included and that no modifications are made to the original. Revisions to this document may be issued, without notice, from time to time.

Simple Secure Multicast Transmission

Introduction
Senetas Ethernet encryptors are layer 2 (data link) devices that can secure traffic at wire speeds across wide area Ethernet services to provide confidentiality of transmitted information. Encryption of multicast traffic is conventionally difficult because of the one to many nature of the data flow. This paper describes how multicast traffic can be transmitted simply and securely when encrypting at layer 2 in the OSI model.

Multicast applications
Multicast transmission is a means of simultaneously sending information to a group of interested receivers in a single transmission and is considered a bandwidth saving technology as it provides an efficient way of delivering the same information to a group rather than copying it individually to each of the group members. Multicast traffic volumes have been increasing rapidly mainly due to the growth of video-based applications but also from other uses such as real-time information feeds and content delivery systems.

Figure 1 - Types of transmission

Multicast delivery across layer 2 networks

Figure 1 shows data transmission for the unicast, broadcast and multicast cases. Whereas traditional unicast delivery requires that a source transmits just one copy of the data to one receiver and broadcast delivery requires one copy of the data to be sent to all members of a group; multicast delivery requires that traffic be delivered to only selected members of a group. Efficient multicast delivery therefore requires all network devices in the path between transmitter and receivers to have knowledge of the selected group members as well as the ability to intelligently deliver those packets only where they are needed.

__________________________________________________________________________________ Page 1

Simple Secure Multicast Transmission

Multicast transmission uses various protocols and reserved network addresses to allow this efficient distribution. At layer 3 the class D range of IP addresses is reserved for multicast protocols and at layer 2 the low order bit of the high-order byte in the destination MAC address is used to distinguish unicast addresses from multicast addresses. For example: 00:80:C8:F9:76:EF is a Unicast address as indicated by the 00 in the first octet of the MAC address 01:00:5E:00:00:05 is a Multicast address since the first octet of the MAC address is set to 01.

Multicast group membership is normally implemented using the Internet Group Management Protocol (IGMP) for IPv4 networks or Multicast Listener Discovery (MLD) Messages for IPv6 networks. Both protocols provide a mechanism to dynamically register individual hosts in a particular multicast group with a multicast router. The default behaviour of a layer 2 switch is to broadcast multicast traffic out all destination ports. To prevent this and allow efficient delivery of multicast traffic layer 2 switches need to learn which ports are associated with each multicast group. This process is normally achieved by IGMP/MLD snooping which is the process of listening in on IGMP network traffic as it passes through the switch.

Figure 2 - IGMP Snooping

__________________________________________________________________________________ Page 2

Simple Secure Multicast Transmission

Figure 2 shows a layer 2 switch in the path between a multicast router and the participating hosts. IGMP snooping requires the switch to eavesdrop on the information in the IGMP packets that are sent between the hosts and the multicast router. This allows the switch to learn when hosts join a group (using IGMP join) or leave the group (using IGMP leave) and therefore intelligently transmit multicast data only out the relevant ports. The encryption of IGMP/MLD packets will prevent snooping and cause multicast traffic to be broadcast everywhere. For this reason Senetas encryptors have a policy control that permits them to selectively encrypt OR bypass IGMP/MLD packets through the encryptor thus allowing switch snooping and efficient network delivery.

Security of multicast traffic

The risk to multicast communication is similar to or greater than that for unicast transmission and includes the threat of eavesdropping as well as unauthorised modification or destruction of data. The nature of multicast distribution introduces some particular vulnerabilities that are not present for unicast traffic; for example because multicast group membership is open and not authenticated it means that anyone is able to easily join a multicast group so that they can receive the traffic stream or alternately insert data for malicious purposes into the group (even senders need not be members). Increasingly businesses are using multicast technologies to reduce the number and frequency of face-to-face meetings by using widely available webinar and video conferencing tools. Recent research has shown that insecure video conferencing systems can be the bug in the boardroom and allow hackers to listen in to a companys confidential discussions. To prevent this encrypted multicast sessions should be used to ensure the confidentiality of network traffic. Encryption of multicast traffic encryption is challenging because a single sender must synchronise encryption state with multiple receivers. Each receiver must securely have knowledge of the encryption key, the encryption state and be able to both receive and send traffic to other members of the group. This problem can be solved using a group key system in which all members of the shared community (which could be the multicast group or a VLAN) share a common key that is used to encrypt and decrypt traffic. This is in contrast to unicast encryption in which a unique key per connection is used between a single sender and a single receiver. One approach to group key implementation is to use a dedicated key server (see Figure 3) that pushes encryption keys to all members.

__________________________________________________________________________________ Page 3

Simple Secure Multicast Transmission

This approach is commonly used but does have some limitations: Requires purchase & maintenance of another server in the network (in practice more than one is required if load balancing / redundancy is needed) Server must be located where it is always reachable by all members of the group Server must be always online or the keys are not refreshed Presents a single point of compromise (redundant servers dont necessarily mitigate this because a compromise to one server is a compromise to all with shared keys) Presents a single point of failure (redundant servers can reduce this to some degree at additional expense)

Figure 3 - External Key server model

Senetas group encryption

Senetas uses an alternate approach to group key distribution, which avoids the need for a separate key server, by giving one encryptor in the group responsibility for generating and distributing keys to all other members as shown in Figure 4.

__________________________________________________________________________________ Page 4

Simple Secure Multicast Transmission

Figure 4 - Encryptor Key Master

In this model an encryptor is delegated the role of key master from an automatic election process amongst the visible encryptors in the network. This mechanism has the following features: Automatic discovery of multicast encryption groups and secure connections (no manual configuration of MAC addresses or VLAN IDs is required) Secure distribution and automatic updates of keys to all members of the group New members can securely join or leave the group at any time Automatic aging/deletion of inactive groups Fault tolerant to network outages and topology changes In the event of a temporary isolation of network segments (caused for example by a network outage or reconfiguration as shown in Figure 5), the group key management scheme will automatically maintain/establish new group key managers within each visible network. When the network segments rejoin the network will transparently re-elect a single group key master. Importantly this split-rejoin process can occur with no disruption to network traffic as long as the network is separated for less than two key update periods. If the key update period is for example one hour, then two split groups will have the same key to use for more than an hour, but less than 2 hours. Key updates effectively keep the encryptor with keys one key update period change ahead.

__________________________________________________________________________________ Page 5

Simple Secure Multicast Transmission

If two or more key updates occur while the networks are separate, the terminating group (i.e. the group controlled by the key master that terminates) will synchronise with the remaining Master, which results in less than three seconds of disruption.

Figure 5 - Network split with 2 key masters

Policy control
Multicast encryption is supported in both MAC and VLAN modes of operation on Senetas encryption appliances. i. In MAC mode the encryptor will establish both unicast and multicast connections based on the MAC address in each received Ethernet frame. In this mode pairwise keys are used for encrypting frames with unicast destination addresses and dynamic multicast connections are established using group keys for frames with multicast destination addresses. Multicast connections can be automatically deleted when no traffic is present for a specified number of minutes ii. In VLAN mode the encryptor will establish an encrypted connection per VLAN using group keys only. The VLAN identifier in the frame is used to distinguish secure connections. VLAN connections are automatically discovered but do not age with inactivity.

__________________________________________________________________________________ Page 6

Simple Secure Multicast Transmission

Figure 6 - Multicast group that spans VLANs

In architectures where one multicast group address spans multiple VLAN IDs (for example in Figure 6 where all hosts are part of the same multicast group) then VLAN mode must be used. This is to ensure that the encryptors key management traffic is always on the same VLAN for a given connection. Senetas provides a GUI management tool CypherManager to configure the encryptor policy. This tool provides fine-grained control of traffic processing and allows encryption policy to be set on a per ethertype / per address class level of resolution as shown in Figure 7.

Figure 7 - Policy control

__________________________________________________________________________________ Page 7

Simple Secure Multicast Transmission

Performance
The CN encryption platform uses dedicated silicon to perform cut-through forwarding of data plane traffic. This allows for wire speed processing of encrypted traffic at full line rate at up to 10Gbps. Latency on the CN1000 Ethernet encryptor for example is approximately 7uS and is independent of packet size. Encryption introduces little or no jitter regardless of the network application or traffic profile. Encryption is performed using the AES algorithm with 256 or 128 bit keys. In group encryption mode (VLAN or multicast MAC) the CTR mode of encryption is used which introduces an additional eight bytes of data to every encrypted frame.

Summary
There is a growing need to securely and efficiently deliver multicast traffic across networks for a variety of applications. Traditional approaches to this using layer 3 encryption can be problematic from both a complexity and performance perspective. Encryption at layer 2 can provide a simple, effective way to secure multicast traffic streams without compromising network performance.

__________________________________________________________________________________ Page 8