Title: Robust Congestion Control for IP Multicast
1 Robust Congestion Control for IP Multicast
- Sergey Gorinsky
- Applied Research Laboratory
- Department of Computer Science and Engineering
- Washington University in St. Louis
- November 3, 2003
2 The Internet Growth and Its Implications
- Evolution of the Internet
- Original design
- Small test bed. Close-knit scientific community
- Today's reality
- Global commercial network. Large number of selfish users
- Need to rethink assumptions in the Internet design
- Network bandwidth allocation
- Traditional assumption of universal trust
- Misbehavior incentives: unfairly high acquisition of bandwidth
- Misbehavior opportunities: open-source operating systems
Challenge: robust allocation of network bandwidth in distrusted environments
3 This Talk
- Focus
- Robust congestion control for multicast services
- Outline
- Background
- Congestion control and multicast services
-
- Trust model
- Self-beneficial attacks by a receiver
- Vulnerabilities of existing multicast protocols
- Robust mechanisms for multicast congestion control
- DELTA and SIGMA
- Conclusion and future work
4 Congestion Control
- Congestion
- Excessive transmission results in packet losses
- Uncontrolled retransmission leads to congestion collapse
- Congestion control
- Allocation of bandwidth along network paths
- Prevention of congestion collapse
- Responsiveness to congestion
- Efficient utilization
- Fair sharing
- Unicast: TCP congestion control [Jacobson 1988]
- Receiver acknowledges delivered packets
- Sender adjusts its transmission in response to feedback
5 One-to-Many Communications
- Dissemination of data to multiple receivers
- Example
- Video address by the CEO of an international company to employees
- Inefficient solutions
- Direct unicast from the sender to each receiver
- Broadcast
- Multicast
- Hierarchy for data duplication and forwarding
- Implementations
- IP multicast: router-based hierarchy [Deering 1991]
- End-system multicast: host-based hierarchy [Chu 2000]
6 Supporting Scalable IP Multicast
[Figure: a sender and three receivers]
- Receivers subscribe to a multicast group at their local edge routers
- Receivers provide the sender with limited feedback
- RMTP [Paul 1997], SAMM [Albuquerque 1998], pgmcc [Rizzo 2000], TFMCC [Widmer 2001]
7 Addressing Receiver Heterogeneity
[Figure: a sender, two 1 Mbps receivers and one 4 Mbps receiver]
- A multicast session is composed of multiple groups
- Layered multicast: RLM [McCanne 1996], FLID-DL [Byers 2000], WEBRC [Luby 2002]
- Replicated multicast: DSG [Cheung 1996]
8 Talk Outline
- Background
- Congestion control and multicast
-
- Trust model
- Self-beneficial attacks by a receiver
- Vulnerabilities of existing multicast protocols
- Robust mechanisms for multicast congestion control
- DELTA and SIGMA
- Conclusion and future work
9 Trust
Existing protocols
[Figure: a sender and three receivers]
10 Types of Bandwidth Attacks
- Denial-of-service attacks
- Disruption of network services
- Intentionally visible
- Self-beneficial attacks
- Acquisition of data at an unfairly high rate
- Intentionally keeping a low profile
- Easy to launch
- TCP Daytona [Savage 1999], throughput improvement tools
- Dangerous
Our focus: self-beneficial bandwidth attacks
11 Vulnerabilities of Multicast Protocols
12 Inflated Subscription in FLID-DL
One bottleneck link shared by six sessions: two FLID-DL and four TCP
Inflated subscription is a fundamental threat to fair bandwidth allocation
13 Protection against Inflated Subscription
- Source of inflated subscription: ability to join any group
- Solution: congestion-dependent group access control
- Access rights are a function of the congestion status
- Access keys change every time slot
- Requirements
- Minimal generic changes in the network
- Support of existing and future multicast protocols
- Preservation of congestion control properties
14 Linkage of Access Rights with the Congestion Status
[Figure labels: Packets, Sender]
15 Robust Group Subscription: DELTA and SIGMA
- DELTA (Distribution of ELigibility To Access)
- In-band distribution of keys from the sender to eligible receivers
- Transforms a vulnerable multicast protocol into its robust version
- Requires a protocol-specific instantiation dependent on
- Congestion notification
- Session structure
- Congested state
- Subscription rules
- SIGMA (Secure Internet Group Management Architecture)
- Generic distribution of keys from the sender to edge routers
- Key-based group access control at edge routers
16 Example of a Protected Protocol
- Session structure
- N cumulative subscription levels
- First level: group 1 (base layer of data)
- Second level: groups 1 and 2 (two lower layers of data)
-
- N-th level: all N groups of the session (all layers of data)
- Congested state of a receiver
- Single packet loss in any of the subscribed groups
- Subscription rules
- Rule 1: Congested receiver must drop its top group
- Rule 2: Receiver can preserve its lower groups
17 Rule 1: Congested Receiver Must Drop Its Top Group
[Figure: packets of groups 1 to 4 in a time slot]
- Problem: each packet of group 1 carries N components
- Reason: different keys use independent components
18 Rule 1: Congested Receiver Must Drop Its Top Group
[Figure: packets of groups 1 to 4 over time slots 1 to 5]
- Packets of a subscription level carry components of a key for its top group
- Problem: each packet of group 1 carries N components
- Reason: different keys use independent components
- Solution: keys reuse components from lower groups
19 Rule 2: Receiver Can Preserve Its Lower Groups
[Figure: packets of groups 1 to 4 in a time slot]
- Solution: decrease key and top key for each group are different
20 Rule 3: Authorized Uncongested Receiver Can Add Group
[Figure: packets of groups 1 to 4 in a time slot]
- Increase key for each authorized group
where is XOR, is a component in
packet p of group j
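An added sketch of Rules 1 and 2 from slides 16 to 19, not code from the talk or from the DELTA/SIGMA authors. The key formulas did not survive on this page, so the construction is an assumption: the top key of group g is the XOR of every component in groups 1..g, and the decrease key of group g is an independent value carried in each packet of group g+1. All function names are hypothetical, and Rule 3 (increase keys) is left out.

```python
import secrets
from functools import reduce

KEY_LEN = 8  # bytes per component/key (constructed value)

def xor_all(values):
    """XOR together an iterable of equal-length byte strings."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), values)

def make_slot(n_groups, pkts_per_group):
    """Sender: one fresh random component per packet, plus the keys
    that open each group in the next time slot."""
    comps = {(g, p): secrets.token_bytes(KEY_LEN)
             for g in range(1, n_groups + 1) for p in range(pkts_per_group)}
    # Assumption: top key of group g = XOR of all components in groups 1..g,
    # so higher keys reuse the components of lower groups.
    top = {g: xor_all(c for (j, _), c in comps.items() if j <= g)
           for g in range(1, n_groups + 1)}
    # Assumption: decrease key of group g is an independent value copied
    # into every packet of group g+1.
    dec = {g: secrets.token_bytes(KEY_LEN) for g in range(1, n_groups)}
    return comps, top, dec

def receiver_keys(comps, dec, level, lost):
    """Receiver subscribed to groups 1..level; `lost` is a set of
    (group, packet) pairs dropped by congestion. Returns {group: key}."""
    expected = {k for k in comps if k[0] <= level}
    received = expected - set(lost)
    keys = {}
    if received == expected:
        # Uncongested: every component arrived, so the top key can be rebuilt.
        keys[level] = xor_all(comps[k] for k in received)
    # Rule 2: any received packet of group g+1 yields the decrease key of g.
    for g in range(1, level):
        if any(j == g + 1 for j, _ in received):
            keys[g] = dec[g]
    return keys

def router_admits(top, dec, group, key):
    """Edge router: admit only a key that is valid for this group."""
    return key is not None and key in (top.get(group), dec.get(group))

if __name__ == "__main__":
    comps, top, dec = make_slot(n_groups=4, pkts_per_group=3)
    for lost in (set(), {(2, 1)}):
        held = receiver_keys(comps, dec, level=3, lost=lost)
        print(sorted(lost), {g: router_admits(top, dec, g, held.get(g)) for g in range(1, 5)})
```

A single lost packet in any subscribed group removes one XOR term, so the receiver keeps groups 1 and 2 through decrease keys but cannot present a valid key for group 3 or join group 4.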
21 Generalizing the Solution
- Above example of DELTA instantiation
- Protected protocol
- No support for reliable delivery
- Loss-driven detection of congestion
- Layered multicast
- Single-loss definition for the congested state
- Protection against individual attacks
- Extensions
- Protection against collusion attacks
- DELTA instantiations for other types of protocols
22 DELTA Instantiations for Different Types of Protocols
- Reliability
- Reliable protocols (vs. unreliable protocols)
- Sender distributes components among both original and additional packets
- Congestion notification
- ECN (vs. loss)
- Edge routers change the component in each marked packet
- Session structure
- Replicated multicast (vs. layered multicast)
- Keys consist of components from a single group
- Congested state
- Loss rate exceeding a threshold (vs. single packet loss)
- n packets are transmitted to a subscription level
23 SIGMA
- Distribution of keys from the sender to edge routers
- Challenge: generic network support
- DELTA-style reconstruction of keys from components is protocol-specific
- Solution: multicast of group addresses and keys to edge routers
- Special packets carry address-key tuples
- Edge routers intercept these packets
- Forward error correction provides reliable delivery
- Key-based group access control at edge routers
24 Group Access Control in SIGMA
- Operation timeline
- New challenges in group management
- Adding a group
- Unconditional access to the added group for two consecutive time slots
- Admitting a new receiver into the session
- Intermittently unrestricted access to the minimal group
25 Protection against Inflated Subscription
26 Preservation of Congestion Control Properties
Responsiveness
Efficiency
DELTA and SIGMA preserve congestion control properties
27 Research Summary
- Relaxed the traditional assumption of universal trust in multicast congestion control
- Focused on self-beneficial attacks of misbehaving receivers
- Classified and demonstrated vulnerabilities in multicast protocols
- Designed protection against inflated subscription
- DELTA and SIGMA: congestion-dependent group access control
- Generic network support
- Robustness to individual attacks (and extension for collusion attacks)
- Robust adaptation of FLID-DL (and RLM) protocols
28 Future Work
- Robust bandwidth allocation in peer-to-peer multicast
- Routing with misbehaving receivers
- New types of attacks
- Eliciting a self-beneficial multicast hierarchy
- Slow forwarding
[Figure: trusted base, a sender, two receivers and a misbehaving receiver]