Presentation is loading. Please wait.

Presentation is loading. Please wait.

L. Alchaal & al. Page 1 2002 Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment Lina ALCHAAL Netcelo S.A., Echirolles INRIA.

Published byYessenia Hammill Modified over 9 years ago

Similar presentations

Presentation on theme: "L. Alchaal & al. Page 1 2002 Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment Lina ALCHAAL Netcelo S.A., Echirolles INRIA."— Presentation transcript:

1 L. Alchaal & al. Page 1 2002 Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment Lina ALCHAAL Netcelo S.A., Echirolles INRIA Rhône-Alpes, Planète project, France lina.alchaal@inrialpes.fr Vincent ROCA INRIA Rhône-Alpes, Planète Project, France vincent.roca@inrialpes.fr Michel HABERT Netcelo S.A., Echirolles, France michel.habert@netcelo.com

2 L. Alchaal & al. Page 2 2002 Introduction: a centralized environment Internet Virtual Network Operation Center (VNOC) (e.g. Netcelo) Request of Configuration Policies Configuration Policies Request of Configuration Policies VPN edge devices include: IPSec, Firewall, Policy configuration and group communication services VPN Secure Tunnel VPN User ConfigurationPolicies

3 L. Alchaal & al. Page 3 2002 Introduction Goal of the work: offer a group communication service in this fully secure VPN environment Different from work at IETF MSEC opposite approach… in our case the environment is already secure! Different from work at IETF PPVPN (provider provisioned VPN) in our case we target a VPN service provider who doesn’t master the core IP network

4 L. Alchaal & al. Page 4 2002 Outline 1. Experiments with Multicast Routing Protocols in a VPN Environment 2. IVGMP in a VPN environment 3. Conclusions

5 L. Alchaal & al. Page 5 2002 1- PIM-SM in an IP VPN environment We tried to deploy PIM-SM on VPN edge devices pimd (University of Southern California/Information Sciences Institute) Free/SWAN IPSec implementation Linux / Lanner FW500-ME embedded PC Internet VPN edge devices with PIM-SM support

6 L. Alchaal & al. Page 6 2002 PIM within IP VPN Environment… cont’ Problems:  PIM-SM and IPSec ignore each other…  multicast flag not set for IPSec interfaces  two independent routing tables  PIM doesn’t register itself to IPSec and vice-versa  Free/SWAN IPSec implementation doesn’t support a security association (SA) with a multicast destination address  PIM is very complex compared to the simplicity of a VPN environment

7 L. Alchaal & al. Page 7 2002 2. IVGMP in a VPN environment  IVGMP benefits from the centralized VPN architecture around the VNOC  close integration of group communication & VPN management  Avoids the complexity of Multicast Routing Protocols  a VPN topology is much simpler than the Internet mbone  shares some similarities with overlay multicast solutions ! Internet VNOC VPN edge devices

8 L. Alchaal & al. Page 8 2002 IVGMP features IVGMP functions:   dynamic discovery of group members/sources located in local subnets   use IGMP queries / traffic listening   more or less easy, depending on the site configuration (single LAN vs.   add/remove a site dynamically to a group VPN   … with the help of the VNOC   depends on the presence or not of receivers/sources   send multicast packets to other sites belonging to the same group via IPSec tunnels

9 L. Alchaal & al. Page 9 2002 An example… Internet VNOC (3) Join group G (4) Send info of group G IVGMP (6) Mcast traffic (7) Join group G (8) Send info of group G (9) Create VPN entry for group G (2) IGMP Report for group G (1) IGMP Query Multicast application awaiting traffic for group G Group G Receiver Multicast application sending traffic for group G Group G Sender (5) Create VPN entry for group G IVGMP VPN edge device

10 L. Alchaal & al. Page 10 2002 The implementation VPN edge devices IVGMP IPIPSec UDP IVGMP IPIPSec UDP IPSec Ifr. Eth Ifr. 1. Mcast packet for group G 3. Encapsulate Mcast packet in a UDP packet 4. Decapsulate the UDP packet 2. Capture Mcast packet (with headers) for group G & check for group G entry 5. Inject Mcast packet for group G Libpcap Sock Raw

11 L. Alchaal & al. Page 11 2002 IVGMP advanced features IVGMP goes beyond these simple examples…

12 L. Alchaal & al. Page 12 2002 Handling multiple groups Classify according to Mcast @ IP Mcast Packet VPN group with Mcast @ 1 VPN group with Mcast @ 2 VPN group with Mcast @ 3 IVGMP can handle multiple groups simultaneously VPN groups entries are updated by IVGMP with the help of IGMP and VNOC Mcast G1 Mcast G1 Mcast G2 Mcast G2 Mcast G1 Mcast G1

13 L. Alchaal & al. Page 13 2002 Scalability Improvement Internet VPRN distribution tree level Meshed VPN level Physical network level Scalability problem can be addressed by provisioning some sites (or dedicated servers) as VPRN nodes that perform traffic forwarding

14 L. Alchaal & al. Page 14 2002 IVGMP and Mcast routing Protocols Interoperability When a site is composed of several subnets supporting a multicast routing protocol…  Receiver problem  Sender problem IVGMP PIM router Group G Receiver IGMP Query PIM router doesn’t forward IGMP queries to inner subnets IVGMP PIM router Group G Sender IGMP Query IVGMP doesn’t know the address of the new Mcast group  IVGMP can’t send IGMP report

15 L. Alchaal & al. Page 15 2002 IVGMP and Mcast routing Protocols Interoperability… cont’ Possible solutions…  Use IGMP-proxying on inner subnets routers:  Solves only the « receiver problem »  Requires some administration work on clients sites   Predefine a small number of multicast groups  Solves only the « source problem »  Might be used with the first solution, but increases IGMP signaling  Use a dedicated application to inform the local IVGMP of new multicast groups  Doesn’t require any modification to the internal site  It’s the responsibility of users to announce new groups

16 L. Alchaal & al. Page 16 2002 3. Conclusions This approach :   gets out with a simple way to manage a communicating group sparsed over the Internet   offers a secure multicast delivery service over the Internet   is fully dynamic   is fully transparent to the end users/applications  No configuration burdens on group members

17 L. Alchaal & al. Page 17 2002 Many thanks for your attention!

18 L. Alchaal & al. Page 18 2002

19 L. Alchaal & al. Page 19 2002 VPRN Definition A VPRN consists of a mesh of IP tunnels between ISP routers, together with the routing capabilities needed to forward traffic received at each VPRN node to the appropriate destination site

Download ppt "L. Alchaal & al. Page 1 2002 Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment Lina ALCHAAL Netcelo S.A., Echirolles INRIA."

Similar presentations

All rights reserved © 2000, Alcatel 1 CPE-based VPNs Hans De Neve Alcatel Network Strategy Group.

All rights reserved © 2000, Alcatel 1 CPE-based VPNs Hans De Neve Alcatel Network Strategy Group.
All Rights Reserved © Alcatel-Lucent 2009 Enhancing Dynamic Cloud-based Services using Network Virtualization F. Hao, T.V. Lakshman, Sarit Mukherjee, H.

All Rights Reserved © Alcatel-Lucent 2009 Enhancing Dynamic Cloud-based Services using Network Virtualization F. Hao, T.V. Lakshman, Sarit Mukherjee, H.
Push Technology Humie Leung Annabelle Huo. Introduction Push technology is a set of technologies used to send information to a client without the client.

Push Technology Humie Leung Annabelle Huo. Introduction Push technology is a set of technologies used to send information to a client without the client.
Why do current IP semantics cause scaling issues? −Today, “addressing follows topology,” which limits route aggregation compactness −Overloaded IP address.

Why do current IP semantics cause scaling issues? −Today, “addressing follows topology,” which limits route aggregation compactness −Overloaded IP address.
1April 16, 2002 Layer 3 Multicast Addressing IP group addresses 224.0.0.0–239.255.255.255 “Class D” addresses = high order bits of “1110” Special reserved.

1April 16, 2002 Layer 3 Multicast Addressing IP group addresses – “Class D” addresses = high order bits of “1110” Special reserved.
IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.

IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
Project by: Palak Baid (pb2358) Gaurav Pandey (gip2103) Guided by: Jong Yul Kim.

Project by: Palak Baid (pb2358) Gaurav Pandey (gip2103) Guided by: Jong Yul Kim.
,< 資 管 Lee 附錄 A0 IGMP vs Multicast Listener Discovery.

,< 資 管 Lee 附錄 A0 IGMP vs Multicast Listener Discovery.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Ólafur Ragnar Helgason – Reykjavik University - Distance learning using IP multicast Ólafur Ragnar Helgason Network Systems and Services.

Ólafur Ragnar Helgason – Reykjavik University - Distance learning using IP multicast Ólafur Ragnar Helgason Network Systems and Services.
COS 420 Day 15. Agenda Assignment 3 Due Assignment 4 Posted Chap 16-20 Due April 6 Individual Project Presentations Due IEPREP - Jeff MANETS - Donnie.

COS 420 Day 15. Agenda Assignment 3 Due Assignment 4 Posted Chap Due April 6 Individual Project Presentations Due IEPREP - Jeff MANETS - Donnie.
CSCI 4550/8556 Computer Networks Comer, Chapter 25: Internet Routing.

CSCI 4550/8556 Computer Networks Comer, Chapter 25: Internet Routing.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
1 Internet Networking Spring 2004 Tutorial 7 Multicast Routing Protocols.

1 Internet Networking Spring 2004 Tutorial 7 Multicast Routing Protocols.
1 Version 3.0 Module 8 Virtual LANs. 2 Version 3.0.

1 Version 3.0 Module 8 Virtual LANs. 2 Version 3.0.
COS 420 Day 18. Agenda Group Project Discussion Program Requirements Rejected Resubmit by Friday Noon Protocol Definition Due April 12 Assignment 3 Due.

COS 420 Day 18. Agenda Group Project Discussion Program Requirements Rejected Resubmit by Friday Noon Protocol Definition Due April 12 Assignment 3 Due.
COS 420 Day 14. Agenda Assignment 3 Posted Covers chapters 11-15 Due March 23 Assignment 4 Posted Chap 16-20 Due April 6 Individual Project Papers due.

COS 420 Day 14. Agenda Assignment 3 Posted Covers chapters Due March 23 Assignment 4 Posted Chap Due April 6 Individual Project Papers due.
A Study of Mobile IP Kunal Ganguly Wichita State University CS843 – Distributed Computing.

A Study of Mobile IP Kunal Ganguly Wichita State University CS843 – Distributed Computing.
Slide Set 15: IP Multicast. In this set What is multicasting ? Issues related to IP Multicast Section 4.4.

Slide Set 15: IP Multicast. In this set What is multicasting ? Issues related to IP Multicast Section 4.4.

Similar presentations

Ads by Google