1. RMTP-II Security Considerations Brian Whetten GlobalCast Communications

2. Types of Security Concerns Security Level Highest Lowest Mis-Configuration Denial of Service Authentication Access Control Privacy Non-Repudiation Multicast IPSec RMTP-II IP Multicast

3. RMTP-II Roles  Sender - Sends reliable IP multicast traffic  Top Node (TN) - Provides central control point  Designated Receiver (DR) - ACK Aggregation, Local Retransmission  Receiver - Receives traffic, does not necessarily source multicast packets  Assume: DR’s and TN’s are trusted, others aren’t

4. Denial of Service Attacks  Denial of Service to a Specific Receiver or Sender  Corruption of Control State  Network Overload  Spurious Retransmission Requests  Sender Transmitting Too Fast  Improperly Scoped Multicast Packets  CPU Exhaustion  Group Membership Change Request Flooding  Memory Exhaustion  Refusal to ACK Packets  Others?

5. Strong Defense for Denial of Service  Extend Multicast IPSec to provide light-weight group authentication  One key for all DR’s and TN’s in the same trust domain  One key for each sender  One key for all receivers  Otherwise as per Canetti Draft  Still allows valid senders/receivers access to DoS attacks, if they are malicious  Network manager can likely remove or punish user  Still allows brute force DoS attacks  Solved at the IP Level (SEP)

6. Light Weight Authentication New York Sender Tokyo London ISP Top Node DR Receivers  Different keys, depending on roles  Options: multiple keys for each network trust domain, for each sender  Implemented as part of security architecture Group Controller Server

7. Weak Defenses for Denial of Service  Check IP Addresses of Control Packet Author Against Local Group List (spoofable)  Helps: Corruption of Control State  Helps: Spurious Retransmission Requests  Helps: Group Membership Change Request Flooding  Bandwidth Limits on Local Retransmissions  Part of Local Recovery Pathology Management  Helps: Spurious Retransmission Requests  Forced Removal of Slow Receivers  Helps: Refusal to ACK Packets  Helps: Spurious Retransmission Requests

8. Weak Defenses (cont.)  Manual Network Manager Controls  Allows Network Manager to Control Transmission Rates  Could be Extended to Rejecting Senders and Receivers  Helps: Sender Transmitting Too Fast  Helps: Spurious Retransmission Requests  Congestion Control Works With Worst Report  Helps: Sender Transmitting Too Fast  IP Multicast Defenses (pruning, etc.)  Helps: Improperly Scoped Multicast Packets (SEP)  Helps: Sender Transmitting Too Fast

9.  Top node controls the tree  Gives manager control  App requests QoS  Manager can override  Congestion control works to meet QoS  Top node reports group performance to manager  Manager can adjust parameters on the fly TN Manageability TN The Network Sender Manager DR Receivers

10. Mis-Configuration  RMTP-II Presently Requires Manual Configuration  Performance Parameters  Tree Topology Configuration  Both Are Topics for Further Research  Concern: Minimize Scope of Configuration Errors  Ideally to the network controlled by that administrator  Tree topology errors typically affect all downstream nodes  Performance parameters are primarily specified per-tree, at the top node, or per-group, specified at the sender  Topic requires further study