Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment

1
Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment
Lina ALCHAAL, Netcelo S.A., Echirolles / INRIA Rhône-Alpes, Planète project, France, lina.alchaal@inrialpes.fr
Michel HABERT, Netcelo S.A., Echirolles, France, michel.habert@netcelo.com
Vincent ROCA, INRIA Rhône-Alpes, Planète project, France, vincent.roca@inrialpes.fr
2
Introduction: a centralized environment
(figure: VPN users connected across the Internet through VPN secure tunnels, managed by a Virtual Network Operation Center (VNOC), e.g. Netcelo)
VPN edge devices include IPSec, firewall, policy configuration and group communication services
3
Introduction
  • Goal of the work
    • offer a group communication service in this fully secure VPN environment
  • Different from work at IETF MSEC
    • opposite approach: in our case the environment is already secure!
  • Different from work at IETF PPVPN (provider provisioned VPN)
    • in our case we target a VPN service provider who doesn't control the core IP network

4
Outline
  1. Experiments with Multicast Routing Protocols in a
    VPN Environment
  2. IVGMP in a VPN environment
  3. Conclusions

5
1. PIM-SM in an IP VPN environment
We tried to deploy PIM-SM on VPN edge devices
  • pimd (University of Southern California / Information Sciences Institute)
  • Free/SWAN IPSec implementation
  • Linux / Lanner FW500-ME embedded PC
(figure: VPN edge devices with PIM-SM support, interconnected over the Internet)
6
PIM within IP VPN environment (cont.)
  • Problems
    • PIM-SM and IPSec ignore each other
      • multicast flag not set for IPSec interfaces
      • two independent routing tables
      • PIM doesn't register itself with IPSec and vice-versa
    • Free/SWAN IPSec implementation doesn't support a security association (SA) with a multicast destination address
    • PIM is very complex compared to the simplicity of a VPN environment

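The first problem above (the IPSec interfaces lack the multicast flag, so a multicast routing daemon such as pimd never considers them) is something a practitioner can check before touching any routing configuration. The following is an added example, not code from the slides or from pimd or Free/SWAN: it parses the output of `ip -o link` and lists the interfaces that are up, not loopback, and lack `MULTICAST`. The sample output is constructed; the `ipsec0` line, with its `NOARP,UP,LOWER_UP` flags and no `MULTICAST`, is an assumption modelled on what the slide reports for Free/SWAN's virtual interfaces, not a captured device dump.

```python
"""Added example: find Linux interfaces that a multicast routing daemon will ignore.

Not part of the original presentation. Feed it the text of `ip -o link`
(one line per interface) and it reports the interfaces that are UP but lack
the MULTICAST flag, which is the condition that made pimd skip the IPSec
interfaces in the slides.
"""
import re

# Constructed sample of `ip -o link` output. The ipsec0 line is an assumption:
# a Free/SWAN-style virtual IPSec interface brought up without IFF_MULTICAST.
# ipsec1 is DOWN and is therefore not reported (pimd would not use it anyway).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT
3: ipsec0: <NOARP,UP,LOWER_UP> mtu 16260 qdisc pfifo_fast state UNKNOWN mode DEFAULT
4: ipsec1: <NOARP> mtu 16260 qdisc noop state DOWN mode DEFAULT
"""

# "<index>: <name>[@parent]: <FLAG,FLAG,...>" at the start of every `ip -o link` line
LINE_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")


def parse_ip_link(text: str) -> dict:
    """Map each interface name to the set of flags shown between < and >."""
    result = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            name, flags = match.group(1), match.group(2)
            result[name] = set(flags.split(",")) if flags else set()
    return result


def interfaces_missing_multicast(text: str) -> list:
    """Interfaces that are UP, not loopback, and lack MULTICAST.

    These are the ones a multicast routing daemon silently leaves out of its
    virtual interface table, so PIM never sends or receives on them.
    """
    return sorted(
        name
        for name, flags in parse_ip_link(text).items()
        if "UP" in flags and "LOOPBACK" not in flags and "MULTICAST" not in flags
    )


def remediation_commands(text: str) -> list:
    """The iproute2 command that sets IFF_MULTICAST on each offending interface."""
    return [f"ip link set dev {name} multicast on" for name in interfaces_missing_multicast(text)]


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_IP_LINK):
        print(cmd)
```

Setting the flag only clears the first obstacle. As the slide notes, the Free/SWAN stack of that era also refused a security association whose destination was a multicast address, so even an interface that now advertises `MULTICAST` could not carry PIM control traffic or multicast data through the tunnel; the flag check tells you where PIM is being ignored, not whether the IPSec implementation can encrypt the resulting packets.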
7
2. IVGMP in a VPN environment
  • IVGMP benefits from the centralized VPN architecture around the VNOC
    • close integration of group communication and VPN management
  • Avoids the complexity of multicast routing protocols
    • a VPN topology is much simpler than the Internet MBone
    • shares some similarities with overlay multicast solutions!
(figure: VNOC and VPN edge devices)
8
IVGMP features
  • IVGMP functions
    • dynamic discovery of group members/sources located in local subnets
      • uses IGMP queries / traffic listening
      • more or less easy, depending on the site configuration (single LAN vs.
    • add/remove a site dynamically to/from a group VPN
      • with the help of the VNOC
      • depends on the presence or absence of receivers/sources
    • send multicast packets to other sites belonging to the same group via IPSec tunnels

9
An example
(figure: message exchange between an IVGMP-enabled VPN edge device and the VNOC over the Internet; surviving step labels: (5) Create VPN entry for group G, (9) Create VPN entry for group G)
10
The implementation
(figure: protocol stack on each VPN edge device: IVGMP on top of libpcap and a raw socket (SOCK_RAW), over IP and IPSec, over the Ethernet interface and the IPSec interface)
11
IVGMP advanced features
  • IVGMP goes beyond these simple examples

12
Handling multiple groups
IVGMP can handle multiple groups simultaneously
VPN group entries are updated by IVGMP with the help of IGMP and the VNOC
(figure: incoming IP multicast packets are classified according to their multicast destination address)
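The three IVGMP functions listed on slide 8 (discover local members via IGMP, add or remove the site from a group VPN with the VNOC, forward multicast data into the right IPSec tunnels) and the per-group classification on slide 12 fit in a small state machine. The following is an added example, not the authors' IVGMP implementation: it parses constructed Ethernet/IPv4 frames of the kind a libpcap capture on the LAN interface would deliver, learns members from IGMPv2 reports and leaves, and classifies multicast data by destination group against a group-to-tunnel table. That table stands in for the VPN entries the VNOC creates; its shape, the tunnel names, the host addresses and every frame are assumptions made for the example. The join/leave results carry a flag marking the first member seen and the last member gone, which is the point at which the slides have the edge device ask the VNOC to add or remove the site.

```python
"""Added example: IVGMP-style member discovery and multicast classification.

Not the authors' code. Models what the slides describe, over constructed
frames: IGMPv2 reports/leaves seen on the LAN update a per-group member
table; multicast data packets are classified by destination group and mapped
to the IPSec tunnels (remote sites) of that group VPN. The group-to-tunnel
table is an assumed stand-in for the VPN entries provided by the VNOC.
"""
import ipaddress
import struct

ETH_P_IP = 0x0800
IPPROTO_IGMP = 2
IPPROTO_UDP = 17
IGMP_V2_REPORT = 0x16
IGMP_V2_LEAVE = 0x17
LINK_LOCAL_MCAST = ipaddress.IPv4Network("224.0.0.0/24")  # never forwarded off-link


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; 0 when a block's own checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type: int, group: str) -> bytes:
    """IGMPv2 message: type, max response time, checksum, group address."""
    msg = struct.pack("!BBH4s", msg_type, 0, 0, ipaddress.IPv4Address(group).packed)
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def build_frame(src: str, dst: str, proto: int, payload: bytes, ttl: int = 1) -> bytes:
    """Constructed Ethernet/IPv4 frame to a multicast destination (example input only)."""
    dst_packed = ipaddress.IPv4Address(dst).packed
    # RFC 1112 mapping of an IPv4 multicast address to its Ethernet MAC
    dst_mac = b"\x01\x00\x5e" + bytes([dst_packed[1] & 0x7F]) + dst_packed[2:4]
    eth = dst_mac + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ETH_P_IP)  # assumed source MAC
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                     ipaddress.IPv4Address(src).packed, dst_packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return eth + ip + payload


class IVGMP:
    """Per-edge-device state: local members per group and the VNOC-provided group table."""

    def __init__(self, vpn_group_table: dict):
        self.vpn_group_table = vpn_group_table  # group -> set of tunnel names (assumed shape)
        self.local_members = {}                 # group -> set of member host IPs

    def handle_frame(self, frame: bytes):
        """Process one captured frame and return the action IVGMP takes on it."""
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
            return None
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if inet_checksum(ip[:ihl]) != 0:
            return ("drop", "bad-ip-checksum")
        proto, src = ip[9], str(ipaddress.IPv4Address(ip[12:16]))
        dst = ipaddress.IPv4Address(ip[16:20])
        if proto == IPPROTO_IGMP:
            return self._handle_igmp(src, ip[ihl:])
        if dst.is_multicast and dst not in LINK_LOCAL_MCAST:
            group = str(dst)  # classify by multicast destination address (slide 12)
            tunnels = sorted(self.vpn_group_table.get(group, ()))
            return ("forward", group, tunnels) if tunnels else ("drop", group)
        return None

    def _handle_igmp(self, src: str, msg: bytes):
        if len(msg) < 8 or inet_checksum(msg[:8]) != 0:
            return ("drop", "bad-igmp")
        group = str(ipaddress.IPv4Address(msg[4:8]))
        if msg[0] == IGMP_V2_REPORT:
            first = group not in self.local_members
            self.local_members.setdefault(group, set()).add(src)
            return ("join", group, first)   # first member: ask the VNOC to add this site to G
        if msg[0] == IGMP_V2_LEAVE:
            members = self.local_members.get(group, set())
            members.discard(src)
            if members:
                return ("leave", group, False)
            self.local_members.pop(group, None)
            return ("leave", group, True)   # last member gone: VNOC removes this site from G
        return None


def demo():
    """Walk one group through join, data forwarding and leave; returns (events, members)."""
    ivgmp = IVGMP({"239.1.2.3": {"site-B", "site-C"}})  # assumed VNOC-provided table
    frames = [
        build_frame("10.0.0.5", "239.1.2.3", IPPROTO_IGMP, build_igmpv2(IGMP_V2_REPORT, "239.1.2.3")),
        build_frame("10.0.0.6", "239.1.2.3", IPPROTO_IGMP, build_igmpv2(IGMP_V2_REPORT, "239.1.2.3")),
        build_frame("10.0.0.5", "239.1.2.3", IPPROTO_UDP, bytes(12), ttl=16),
        build_frame("10.0.0.5", "239.9.9.9", IPPROTO_UDP, bytes(12), ttl=16),  # no VPN entry
        build_frame("10.0.0.5", "224.0.0.1", IPPROTO_UDP, bytes(12)),          # link-local scope
        build_frame("10.0.0.5", "224.0.0.2", IPPROTO_IGMP, build_igmpv2(IGMP_V2_LEAVE, "239.1.2.3")),
        build_frame("10.0.0.6", "224.0.0.2", IPPROTO_IGMP, build_igmpv2(IGMP_V2_LEAVE, "239.1.2.3")),
    ]
    return [ivgmp.handle_frame(f) for f in frames], ivgmp.local_members


if __name__ == "__main__":
    for event in demo()[0]:
        print(event)
```

Two simplifications matter if this is turned into a real edge-device daemon. A leave is treated as immediate; IGMPv2 requires the querier to send a group-specific query and wait for a report before concluding the last member is gone, which is the "IGMP queries" part of slide 8 that this listener-only example omits. And the link-local range is excluded from forwarding, which is correct, but the example does not verify the IP total length or handle IP options beyond reading the header length, both of which a daemon reading raw frames from libpcap must do before trusting the payload offsets.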
13
Scalability Improvement
The scalability problem can be addressed by provisioning some sites (or dedicated servers) as VPRN nodes that perform traffic forwarding
14
IVGMP and Mcast routing Protocols Interoperability
  • When a site is composed of several subnets supporting a multicast routing protocol
    • Receiver problem
    • Sender problem

15
IVGMP and Mcast routing Protocols Interoperability (cont.)
  • Possible solutions
    • Use IGMP proxying on inner subnet routers
      • Solves only the "receiver problem"
      • Requires some administration work on client sites
    • Predefine a small number of multicast groups
      • Solves only the "source problem"
      • Might be used with the first solution, but increases IGMP signaling
    • Use a dedicated application to inform the local IVGMP of new multicast groups
      • Doesn't require any modification to the internal site
      • It's the responsibility of users to announce new groups

16
3. Conclusions
  • This approach
    • provides a simple way to manage a communicating group spread over the Internet
    • offers a secure multicast delivery service over the Internet
    • is fully dynamic
    • is fully transparent to the end users/applications
      • no configuration burden on group members

17
  • Many thanks for your attention!

19
VPRN Definition
  • A VPRN consists of a mesh of IP tunnels between
    ISP routers, together with the routing
    capabilities needed to forward traffic received
    at each VPRN node to the appropriate destination
    site