L. Alchaal & al. Page 1 2002 Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment Lina ALCHAAL Netcelo S.A., Echirolles INRIA.

L. Alchaal & al.Page 12002

Offering a Multicast Delivery Service Offering a Multicast Delivery Service in a Programmable Secure IP VPN in a Programmable Secure IP VPN

EnvironmentEnvironment

Lina ALCHAALLina ALCHAAL

Netcelo S.A., EchirollesNetcelo S.A., EchirollesINRIA Rhône-Alpes, INRIA Rhône-Alpes,

Planète project, FrancePlanète project, [email protected]@inrialpes.fr

Vincent ROCAVincent ROCA

INRIA Rhône-Alpes, Planète INRIA Rhône-Alpes, Planète Project, FranceProject, France

[email protected]@inrialpes.fr

Michel HABERTMichel HABERT

Netcelo S.A., Netcelo S.A., Echirolles, FranceEchirolles, France

[email protected]@netcelo.com


Introduction: a centralized environmentIntroduction: a centralized environment

InternetInternet

Virtual Network Virtual Network Operation Center Operation Center

(VNOC) (e.g. Netcelo)(VNOC) (e.g. Netcelo)

Request of Request of ConfigurationConfiguration

PoliciesPolicies

Configuration Configuration PoliciesPolicies

Request of Request of ConfigurationConfiguration

PoliciesPolicies

VPN edge devices include: IPSec, Firewall, Policy

configuration and group communication services

VPN Secure TunnelVPN Secure Tunnel

VPN UserVPN User

ConfigurationConfiguration

PoliciesPolicies


IntroductionIntroduction

Goal of the work:offer a group communication service in this fully secure VPN environment

Different from work at IETF MSECopposite approach… in our case the environment is already secure!

Different from work at IETF PPVPN (provider provisioned VPN)in our case we target a VPN service provider who doesn’t master the core IP network


OutlineOutline

1. Experiments with Multicast Routing Protocols in a VPN Environment

2. IVGMP in a VPN environment

3. Conclusions


1- PIM-SM in an IP VPN environment1- PIM-SM in an IP VPN environment

We tried to deploy PIM-SM on VPN edge devices pimd (University of Southern California/Information Sciences Institute)

Free/SWAN IPSec implementation

Linux / Lanner FW500-ME embedded PC

InternetInternet

VPN edge devices with PIM-SM support


PIM within IP VPN Environment… cont’PIM within IP VPN Environment… cont’

Problems: PIM-SM and IPSec ignore each other…

multicast flag not set for IPSec interfaces two independent routing tables PIM doesn’t register itself to IPSec and vice-versa

Free/SWAN IPSec implementation doesn’t support a security association (SA) with a multicast destination address

PIM is very complex compared to the simplicity of a VPN environment


2. IVGMP in a VPN environment2. IVGMP in a VPN environment

IVGMP benefits from the centralized VPN architecture around the VNOC close integration of group communication & VPN management

Avoids the complexity of Multicast Routing Protocols a VPN topology is much simpler than the Internet mbone shares some similarities with overlay multicast solutions !

InternetInternet

VNOCVNOC

VPN edge devices


IVGMP featuresIVGMP features

IVGMP functions: dynamic discovery of group members/sources located in local subnets

use IGMP queries / traffic listening more or less easy, depending on the site configuration (single LAN vs.

add/remove a site dynamically to a group VPN … with the help of the VNOC depends on the presence or not of receivers/sources

send multicast packets to other sites belonging to the same group via IPSec tunnels


An example…An example…

InternetInternet

VNOC

(3) Join group G

(4) Send info of group G

IVGMP

(6) Mcast traffic

(7) Join group G

(8) Send info of group G

(9) Create VPN entry for group G

(2) IGMP Report for group G

(1) IGMP Query

Multicast application awaiting traffic for group G

Group G Receiver

Multicast application sending traffic for group G

Group G Sender

(5) Create VPN entry for group G

IVGMP

VPN edge

device


2002

The implementationThe implementation

VPN edge

devices

IVGMPIVGMP

IPIP IPSecIPSec

UDPUDP

IVGMPIVGMP

IPIPIPSecIPSec

UDPUDP

IPSec Ifr.IPSec Ifr. IPSec Ifr.IPSec Ifr.Eth Ifr.Eth Ifr. Eth Ifr.Eth Ifr.

1. Mcast 1. Mcast packet packet

for group for group GG

3. 3. EncapsulaEncapsulate Mcast te Mcast packet in packet in

a UDP a UDP packetpacket

4. 4. DecapsulaDecapsula

te the te the UDP UDP

packet packet

2. Capture Mcast 2. Capture Mcast packet (with packet (with

headers) for group headers) for group GG

& check for group G & check for group G entryentry

5. Inject Mcast 5. Inject Mcast packet for packet for group Ggroup G

Lib

pcap

Lib

pcap

Sock R

aw

Sock R

aw


2002

IVGMP advanced featuresIVGMP advanced features

IVGMP goes beyond these simple examples…


2002

Handling multiple groups Handling multiple groups

Classify Classify according to according to

Mcast @Mcast @

IP Mcast IP Mcast PacketPacket

VPN group VPN group with Mcast with Mcast

@ 1@ 1


@ 2@ 2


@ 3@ 3

IVGMP can handle multiple groups simultaneouslyVPN groups entries are updated by IVGMP with

the help of IGMP and VNOC

Mcast Mcast G1G1

Mcast Mcast G1G1

Mcast Mcast G2G2

Mcast Mcast G2G2

Mcast Mcast G1G1


2002

Scalability ImprovementScalability Improvement

InternetInternet

VPRN VPRN

distribution tree leveldistribution tree level

Meshed Meshed

VPN levelVPN level

Physical network Physical network levellevel

Scalability problem can be addressed by provisioning some sites (or dedicated servers) as VPRN nodes that perform traffic forwarding


2002

IVGMP and Mcast routing Protocols IVGMP and Mcast routing Protocols InteroperabilityInteroperability

When a site is composed of several subnets supporting a multicast routing protocol…

Receiver problem

Sender problem

IVGMP

PIM router

Group G

Receiver

IGMP QueryIGMP Query

PIM router doesn’t forward IGMP

queries to inner subnets

IVGMP

PIM router

Group G

Sender

IGMP QueryIGMP Query

IVGMP doesn’t know the

address of the new Mcast

group IVGMP can’t send

IGMP report


2002

IVGMP and Mcast routing Protocols IVGMP and Mcast routing Protocols Interoperability… cont’Interoperability… cont’

Possible solutions… Use IGMP-proxying on inner subnets routers:

Solves only the « receiver problem » Requires some administration work on clients sites

Predefine a small number of multicast groups Solves only the « source problem » Might be used with the first solution , but increases IGMP

signaling

Use a dedicated application to inform the local IVGMP of new multicast groups Doesn’t require any modification to the internal site It’s the responsibility of users to announce new groups


2002

3. Conclusions3. Conclusions

This approach : gets out with a simple way to manage a

communicating group sparsed over the Internet

offers a secure multicast delivery service over the Internet

is fully dynamic is fully transparent to the end

users/applications

No configuration burdens on group members


2002

Many thanks for your attention!


2002


2002

VPRN DefinitionVPRN Definition

A VPRN consists of a mesh of IP tunnels between ISP routers, together with the routing capabilities needed to forward traffic received

at each VPRN node to the appropriate destination site

L. Alchaal & al. Page 1 2002 Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment Lina ALCHAAL Netcelo S.A., Echirolles INRIA.

Documents

group vpn

vpn environment slide

vpn entry

vpn topology

group g group g sender

vpn environment ivgmp

join group g

vpn service provider