L. Alchaal & al. Page Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment Lina ALCHAAL Netcelo S.A., Echirolles INRIA Rhône-Alpes, Planète project, France Vincent ROCA INRIA Rhône-Alpes, Planète Project, France Michel HABERT Netcelo S.A., Echirolles, France

L. Alchaal & al. Page Introduction: a centralized environment Internet Virtual Network Operation Center (VNOC) (e.g. Netcelo) Request of Configuration Policies Configuration Policies Request of Configuration Policies VPN edge devices include: IPSec, Firewall, Policy configuration and group communication services VPN Secure Tunnel VPN User ConfigurationPolicies

L. Alchaal & al. Page Introduction Goal of the work: offer a group communication service in this fully secure VPN environment Different from work at IETF MSEC opposite approach… in our case the environment is already secure! Different from work at IETF PPVPN (provider provisioned VPN) in our case we target a VPN service provider who doesn’t master the core IP network

L. Alchaal & al. Page Outline 1. Experiments with Multicast Routing Protocols in a VPN Environment 2. IVGMP in a VPN environment 3. Conclusions

L. Alchaal & al. Page PIM-SM in an IP VPN environment We tried to deploy PIM-SM on VPN edge devices pimd (University of Southern California/Information Sciences Institute) Free/SWAN IPSec implementation Linux / Lanner FW500-ME embedded PC Internet VPN edge devices with PIM-SM support

L. Alchaal & al. Page PIM within IP VPN Environment… cont’ Problems:  PIM-SM and IPSec ignore each other…  multicast flag not set for IPSec interfaces  two independent routing tables  PIM doesn’t register itself to IPSec and vice-versa  Free/SWAN IPSec implementation doesn’t support a security association (SA) with a multicast destination address  PIM is very complex compared to the simplicity of a VPN environment

L. Alchaal & al. Page IVGMP in a VPN environment  IVGMP benefits from the centralized VPN architecture around the VNOC  close integration of group communication & VPN management  Avoids the complexity of Multicast Routing Protocols  a VPN topology is much simpler than the Internet mbone  shares some similarities with overlay multicast solutions ! Internet VNOC VPN edge devices

L. Alchaal & al. Page IVGMP features IVGMP functions:   dynamic discovery of group members/sources located in local subnets   use IGMP queries / traffic listening   more or less easy, depending on the site configuration (single LAN vs.   add/remove a site dynamically to a group VPN   … with the help of the VNOC   depends on the presence or not of receivers/sources   send multicast packets to other sites belonging to the same group via IPSec tunnels

L. Alchaal & al. Page An example… Internet VNOC (3) Join group G (4) Send info of group G IVGMP (6) Mcast traffic (7) Join group G (8) Send info of group G (9) Create VPN entry for group G (2) IGMP Report for group G (1) IGMP Query Multicast application awaiting traffic for group G Group G Receiver Multicast application sending traffic for group G Group G Sender (5) Create VPN entry for group G IVGMP VPN edge device

L. Alchaal & al. Page The implementation VPN edge devices IVGMP IPIPSec UDP IVGMP IPIPSec UDP IPSec Ifr. Eth Ifr. 1. Mcast packet for group G 3. Encapsulate Mcast packet in a UDP packet 4. Decapsulate the UDP packet 2. Capture Mcast packet (with headers) for group G & check for group G entry 5. Inject Mcast packet for group G Libpcap Sock Raw

L. Alchaal & al. Page IVGMP advanced features IVGMP goes beyond these simple examples…

L. Alchaal & al. Page Handling multiple groups Classify according to IP Mcast Packet VPN group with 1 VPN group with 2 VPN group with 3 IVGMP can handle multiple groups simultaneously VPN groups entries are updated by IVGMP with the help of IGMP and VNOC Mcast G1 Mcast G1 Mcast G2 Mcast G2 Mcast G1 Mcast G1

L. Alchaal & al. Page Scalability Improvement Internet VPRN distribution tree level Meshed VPN level Physical network level Scalability problem can be addressed by provisioning some sites (or dedicated servers) as VPRN nodes that perform traffic forwarding

L. Alchaal & al. Page IVGMP and Mcast routing Protocols Interoperability When a site is composed of several subnets supporting a multicast routing protocol…  Receiver problem  Sender problem IVGMP PIM router Group G Receiver IGMP Query PIM router doesn’t forward IGMP queries to inner subnets IVGMP PIM router Group G Sender IGMP Query IVGMP doesn’t know the address of the new Mcast group  IVGMP can’t send IGMP report

L. Alchaal & al. Page IVGMP and Mcast routing Protocols Interoperability… cont’ Possible solutions…  Use IGMP-proxying on inner subnets routers:  Solves only the « receiver problem »  Requires some administration work on clients sites   Predefine a small number of multicast groups  Solves only the « source problem »  Might be used with the first solution, but increases IGMP signaling  Use a dedicated application to inform the local IVGMP of new multicast groups  Doesn’t require any modification to the internal site  It’s the responsibility of users to announce new groups

L. Alchaal & al. Page Conclusions This approach :   gets out with a simple way to manage a communicating group sparsed over the Internet   offers a secure multicast delivery service over the Internet   is fully dynamic   is fully transparent to the end users/applications  No configuration burdens on group members

L. Alchaal & al. Page Many thanks for your attention!

L. Alchaal & al. Page

L. Alchaal & al. Page VPRN Definition A VPRN consists of a mesh of IP tunnels between ISP routers, together with the routing capabilities needed to forward traffic received at each VPRN node to the appropriate destination site