Robust Congestion Control for IP Multicast

1
Robust Congestion Control for IP Multicast

• Sergey Gorinsky
• Applied Research Laboratory
• Department of Computer Science and Engineering
• Washington University in St. Louis
• November 3, 2003

2
The Internet Growth and Its Implications

• Evolution of the Internet
• Original design
• Small test bed. Close-knit scientific community
• Todays reality
• Global commercial network. Large number of
  selfish users
• Need to rethink assumptions in the Internet
  design
• Network bandwidth allocation
• Traditional assumption of universal trust
• Misbehavior incentives unfairly high acquisition
  of bandwidth
• Misbehavior opportunities open-source operating
  systems

Challenge robust allocation of network bandwidth
in distrusted environments
3
This Talk

• Focus
• Robust congestion control for multicast services
• Outline
• Background
• Congestion control and multicast services
• Trust model
• Self-beneficial attacks by a receiver
• Vulnerabilities of existing multicast protocols
• Robust mechanisms for multicast congestion
  control
• DELTA and SIGMA
• Conclusion and future work

4

Congestion Control

• Congestion
• Excessive transmission results in packet losses
• Uncontrolled retransmission leads to congestion
  collapse
• Congestion control
• Allocation of bandwidth along network paths
• Prevention of congestion collapse
• Responsiveness to congestion
• Efficient utilization
• Fair sharing
• Unicast TCP congestion control Jacobson 1988
• Receiver acknowledges delivered packets
• Sender adjusts its transmission in response to
  feedback

5
One-to-Many Communications

• Dissemination of data to multiple receivers
• Example
• Video address by the CEO of an international
  company to employees
• Inefficient solutions
• Direct unicast from the sender to each receiver
• Broadcast
• Multicast
• Hierarchy for data duplication and forwarding
• Implementations
• IP multicast router-based hierarchy Deering
  1991
• End-system multicast host-based hierarchy Chu
  2000

6
Supporting Scalable IP Multicast
Sender
Receiver
Receiver
Receiver

• Receivers subscribe to a multicast group at
  their local edge routers
• Receivers provide the sender with limited
  feedback
• RMTP Paul 1997, SAMM Albuquerque 1998, pgmcc
  Rizzo 2000, TFMCC Widmer 2001

7
Addressing Receiver Heterogeneity
Sender
1 Mbps receiver
1 Mbps receiver
4 Mbps receiver

• A multicast session is composed of multiple
  groups
• Layered multicast RLM McCanne 1996, FLID-DL
  Byers 2000, WEBRC Luby 2002
• Replicated multicast DSG Cheung 1996

8
Talk Outline

• Background
• Congestion control and multicast
• Trust model
• Self-beneficial attacks by a receiver
• Vulnerabilities of existing multicast protocols
• Robust mechanisms for multicast congestion
  control
• DELTA and SIGMA
• Conclusion and future work

9
Trust
Existing protocols
Sender
Receiver
Receiver
Receiver
10
Types of Bandwidth Attacks

• Denial-of-service attacks
• Disruption of network services
• Intentionally visible
• Self-beneficial attacks
• Acquisition of data at an unfairly high rate
• Intentionally keeping a low profile
• Easy to launch
• TCP Daytona Savage 1999, throughput
  improvement tools
• Dangerous

Our focus self-beneficial bandwidth attacks
11
Vulnerabilities of Multicast Protocols
12
Inflated Subscription in FLID-DL
One bottleneck link shared by six sessions two
FLID-DL and four TCP
Inflated subscription is a fundamental threat to
fair bandwidth allocation
13

Protection against Inflated Subscription

• Source of inflated subscription ability to join
  any group

• Solution congestion-dependent group access
  control
• Access rights are a function of the congestion
  status
• Access keys change every time slot
• Requirements
• Minimal generic changes in the network
• Support of existing and future multicast
  protocols
• Preservation of congestion control properties

14
Linkage of Access Rights with the Congestion
Status
Packets
Sender
15

Robust Group Subscription DELTA and SIGMA

• DELTA (Distribution of ELigibility To Access)
• In-band distribution of keys from the sender to
  eligible receivers
• Transforms a vulnerable multicast protocol into
  its robust version
• Requires a protocol-specific instantiation
  dependent on
• Congestion notification
• Session structure
• Congested state
• Subscription rules
• SIGMA (Secure Internet Group Management
  Architecture)
• Generic distribution of keys from the sender to
  edge routers
• Key-based group access control at edge routers

16
Example of a Protected Protocol

• Session structure
• N cumulative subscription levels
• First level group 1 (base layer of data)
• Second level groups 1 and 2 (two lower layers
  of data)
• N-th level all N groups of the session (all
  layers of data)
• Congested state of a receiver
• Single packet loss in any of the subscribed
  groups
• Subscription rules
• Rule 1 Congested receiver must drop its top
  group
• Rule 2 Receiver can preserve its lower groups

17
Rule 1 Congested Receiver Must Drop Its Top Group
Packets of group 4

Packets of group 3
Packets of group 2
Packets of group 1
Time slot

• Problem each packet of group 1 carries N
  components
• Reason different keys use independent
  components

18
Rule 1 Congested Receiver Must Drop Its Top Group
Packets of group 4

Packets of group 3
Packets of group 2
Packets of group 1
1
2
3
4
5
Time slot

• Packets of a subscription level carry
  components of a key for its top group

• Problem each packet of group 1 carries N
  components
• Reason different keys use independent
  components

• Solution keys reuse components from lower
  groups

19
Rule 2 Receiver Can Preserve Its Lower Groups
Packets of group 4

Packets of group 3
Packets of group 2
Packets of group 1
Time slot

• Top key for each group g

• Solution decrease key and top key for each
  group are different

20
Rule 3 Authorized Uncongested Receiver Can Add
Group
Packets of group 4

Packets of group 3
Packets of group 2
Packets of group 1
Time slot

• Increase key for each authorized group

where is XOR, is a component in
packet p of group j
21
Generalizing the Solution

• Above example of DELTA instantiation
• Protected protocol
• No support for reliable delivery
• Loss-driven detection of congestion
• Layered multicast
• Single-loss definition for the congested state
• Protection against individual attacks
• Extensions
• Protection against collusion attacks
• DELTA instantiations for other types of protocols

22
DELTA Instantiations for Different Types of
Protocols

• Reliability
• Reliable protocols (vs. unreliable protocols)
• Sender distributes components among both original
  and additional packets
• Congestion notification
• ECN (vs. loss)
• Edge routers change the component in each marked
  packet
• Session structure
• Replicated multicast (vs. layered multicast)
• Keys consist of components from a single group
• Congested state
• Loss rate exceeding a threshold (vs. single
  packet loss)
• n packets are transmitted to a subscription level

23

SIGMA

• Distribution of keys from the sender to edge
  routers
• Challenge generic network support
• DELTA-style reconstruction of keys from
  components is protocol-specific
• Solution multicast of group addresses and keys
  to edge routers
• Special packets carry address-key tuples
• Edge routers intercept these packets
• Forward error correction provides reliable
  delivery
• Key-based group access control at edge routers

24

Group Access Control in SIGMA

• Operation timeline
• New challenges in group management
• Adding a group
• Unconditional access to the added group for two
  consecutive time slots
• Admitting a new receiver into the session
• Intermittently unrestricted access to the minimal
  group

25
Protection against Inflated Subscription
26
Preservation of Congestion Control Properties
Responsiveness
Efficiency
DELTA and SIGMA preserve congestion control
properties
27
Research Summary

• Relaxed the traditional assumption of universal
  trust in multicast congestion control
• Focused on self-beneficial attacks of misbehaving
  receivers
• Classified and demonstrated vulnerabilities in
  multicast protocols
• Designed protection against inflated subscription
• DELTA and SIGMA congestion-dependent group
  access control
• Generic network support
• Robustness to individual attacks (and extension
  for collusion attacks)
• Robust adaptation of FLID-DL (and RLM) protocols

28
Future Work

• Robust bandwidth allocation in peer-to-peer
  multicast
• Routing with misbehaving receivers
• New types of attacks
• Eliciting a self-beneficial multicast hierarchy
• Slow forwarding

Trusted base
Sender
Receiver
Receiver
Misbehaving receiver