SlideShare una empresa de Scribd logo

Sen 214 simple secure multicast transmission

S
Senetas
Tecnología
1 de 9
Descargar para leer sin conexión
Fact Sheet SEN-214 Simple Secure Multicast Transmission Copyright Senetas Corporation 2012 - All rights reserved. Permission to reproduce and distribute this document is granted provided this copyright notice is included and that no modifications are made to the original. Revisions to this document may be issued, without notice, from time to time.
Simple Secure Multicast Transmission Introduction Senetas Ethernet encryptors are layer 2 (data link) devices that can secure traffic at wire speeds across wide area Ethernet services to provide confidentiality of transmitted information. Encryption of multicast traffic is conventionally difficult because of the one to many nature of the data flow. This paper describes how multicast traffic can be transmitted simply and securely when encrypting at layer 2 in the OSI model. Multicast applications Multicast transmission is a means of simultaneously sending information to a group of interested receivers in a single transmission and is considered a bandwidth saving technology as it provides an efficient way of delivering the same information to a group rather than copying it individually to each of the group members. Multicast traffic volumes have been increasing rapidly mainly due to the growth of video-based applications but also from other uses such as real-time information feeds and content delivery systems. Figure 1 - Types of transmission Multicast delivery across layer 2 networks Figure 1 shows data transmission for the unicast, broadcast and multicast cases. Whereas traditional unicast delivery requires that a source transmits just one copy of the data to one receiver and broadcast delivery requires one copy of the data to be sent to all members of a group; multicast delivery requires that traffic be delivered to only selected members of a group. Efficient multicast delivery therefore requires all network devices in the path between transmitter and receivers to have knowledge of the selected group members as well as the ability to intelligently deliver those packets only where they are needed. __________________________________________________________________________________ Page 1
Simple Secure Multicast Transmission Multicast transmission uses various protocols and reserved network addresses to allow this efficient distribution. At layer 3 the class D range of IP addresses is reserved for multicast protocols and at layer 2 the low order bit of the high-order byte in the destination MAC address is used to distinguish unicast addresses from multicast addresses. For example: 00:80:C8:F9:76:EF is a Unicast address –as indicated by the 00 in the first octet of the MAC address 01:00:5E:00:00:05 is a Multicast address since the first octet of the MAC address is set to 01. Multicast group membership is normally implemented using the Internet Group Management Protocol (IGMP) for IPv4 networks or Multicast Listener Discovery (MLD) Messages for IPv6 networks. Both protocols provide a mechanism to dynamically register individual hosts in a particular multicast group with a multicast router. The default behaviour of a layer 2 switch is to broadcast multicast traffic out all destination ports. To prevent this and allow efficient delivery of multicast traffic layer 2 switches need to learn which ports are associated with each multicast group. This process is normally achieved by IGMP/MLD snooping which is the process of “listening in” on IGMP network traffic as it passes through the switch. Figure 2 - IGMP Snooping __________________________________________________________________________________ Page 2
Simple Secure Multicast Transmission Figure 2 shows a layer 2 switch in the path between a multicast router and the participating hosts. IGMP snooping requires the switch to eavesdrop on the information in the IGMP packets that are sent between the hosts and the multicast router. This allows the switch to learn when hosts join a group (using IGMP join) or leave the group (using IGMP leave) and therefore intelligently transmit multicast data only out the relevant ports. The encryption of IGMP/MLD packets will prevent snooping and cause multicast traffic to be broadcast everywhere. For this reason Senetas encryptors have a policy control that permits them to selectively encrypt OR bypass IGMP/MLD packets through the encryptor thus allowing switch snooping and efficient network delivery. Security of multicast traffic The risk to multicast communication is similar to or greater than that for unicast transmission and includes the threat of eavesdropping as well as unauthorised modification or destruction of data. The nature of multicast distribution introduces some particular vulnerabilities that are not present for unicast traffic; for example because multicast group membership is open and not authenticated it means that anyone is able to easily join a multicast group so that they can receive the traffic stream or alternately insert data for malicious purposes into the group (even senders need not be members). Increasingly businesses are using multicast technologies to reduce the number and frequency of face-to-face meetings by using widely available webinar and video conferencing tools. Recent research has shown that insecure video conferencing systems can be ‘the bug in the boardroom’ and allow hackers to listen in to a company’s confidential discussions. To prevent this encrypted multicast sessions should be used to ensure the confidentiality of network traffic. Encryption of multicast traffic encryption is challenging because a single sender must synchronise encryption state with multiple receivers. Each receiver must securely have knowledge of the encryption key, the encryption state and be able to both receive and send traffic to other members of the group. This problem can be solved using a group key system in which all members of the shared community (which could be the multicast group or a VLAN) share a common key that is used to encrypt and decrypt traffic. This is in contrast to unicast encryption in which a unique key per connection is used between a single sender and a single receiver. One approach to group key implementation is to use a dedicated key server (see Figure 3) that pushes encryption keys to all members. __________________________________________________________________________________ Page 3
Simple Secure Multicast Transmission This approach is commonly used but does have some limitations: Requires purchase & maintenance of another server in the network (in practice more than one is required if load balancing / redundancy is needed) Server must be located where it is always reachable by all members of the group Server must be always online or the keys are not refreshed Presents a single point of compromise (redundant servers don’t necessarily mitigate this because a compromise to one server is a compromise to all with shared keys) Presents a single point of failure (redundant servers can reduce this to some degree at additional expense) Figure 3 - External Key server model Senetas group encryption Senetas uses an alternate approach to group key distribution, which avoids the need for a separate key server, by giving one encryptor in the group responsibility for generating and distributing keys to all other members as shown in Figure 4. __________________________________________________________________________________ Page 4
Simple Secure Multicast Transmission Figure 4 - Encryptor Key Master In this model an encryptor is delegated the role of key master from an automatic election process amongst the visible encryptors in the network. This mechanism has the following features: Automatic discovery of multicast encryption groups and secure connections (no manual configuration of MAC addresses or VLAN IDs is required) Secure distribution and automatic updates of keys to all members of the group New members can securely join or leave the group at any time Automatic aging/deletion of inactive groups Fault tolerant to network outages and topology changes In the event of a temporary isolation of network segments (caused for example by a network outage or reconfiguration as shown in Figure 5), the group key management scheme will automatically maintain/establish new group key managers within each visible network. When the network segments rejoin the network will transparently re-elect a single group key master. Importantly this ‘split-rejoin’ process can occur with no disruption to network traffic as long as the network is separated for less than two key update periods. If the key update period is for example one hour, then two split groups will have the same key to use for more than an hour, but less than 2 hours. Key updates effectively keep the encryptor with keys one key update period change ahead. __________________________________________________________________________________ Page 5
Simple Secure Multicast Transmission If two or more key updates occur while the networks are separate, the terminating group (i.e. the group controlled by the key master that terminates) will synchronise with the remaining Master, which results in less than three seconds of disruption. Figure 5 - Network split with 2 key masters Policy control Multicast encryption is supported in both MAC and VLAN modes of operation on Senetas encryption appliances. i. In MAC mode the encryptor will establish both unicast and multicast connections based on the MAC address in each received Ethernet frame. In this mode pairwise keys are used for encrypting frames with unicast destination addresses and dynamic multicast connections are established using group keys for frames with multicast destination addresses. Multicast connections can be automatically deleted when no traffic is present for a specified number of minutes ii. In VLAN mode the encryptor will establish an encrypted connection per VLAN using group keys only. The VLAN identifier in the frame is used to distinguish secure connections. VLAN connections are automatically discovered but do not age with inactivity. __________________________________________________________________________________ Page 6
Simple Secure Multicast Transmission Figure 6 - Multicast group that spans VLANs In architectures where one multicast group address spans multiple VLAN IDs (for example in Figure 6 where all hosts are part of the same multicast group) then VLAN mode must be used. This is to ensure that the encryptor’s key management traffic is always on the same VLAN for a given connection. Senetas provides a GUI management tool CypherManager to configure the encryptor policy. This tool provides fine-grained control of traffic processing and allows encryption policy to be set on a per ethertype / per address class level of resolution as shown in Figure 7. Figure 7 - Policy control __________________________________________________________________________________ Page 7
Simple Secure Multicast Transmission Performance The CN encryption platform uses dedicated silicon to perform cut-through forwarding of data plane traffic. This allows for wire speed processing of encrypted traffic at full line rate at up to 10Gbps. Latency on the CN1000 Ethernet encryptor for example is approximately 7uS and is independent of packet size. Encryption introduces little or no jitter regardless of the network application or traffic profile. Encryption is performed using the AES algorithm with 256 or 128 bit keys. In group encryption mode (VLAN or multicast MAC) the CTR mode of encryption is used which introduces an additional eight bytes of data to every encrypted frame. Summary There is a growing need to securely and efficiently deliver multicast traffic across networks for a variety of applications. Traditional approaches to this using layer 3 encryption can be problematic from both a complexity and performance perspective. Encryption at layer 2 can provide a simple, effective way to secure multicast traffic streams without compromising network performance. __________________________________________________________________________________ Page 8

Recomendados

Gossip based reliable multicast protocol
Gossip based reliable multicast protocolGossip based reliable multicast protocol
Gossip based reliable multicast protocoleSAT Journals
 
A Comparative Study of Group Key Management in MANET
A Comparative Study of Group Key Management in MANETA Comparative Study of Group Key Management in MANET
A Comparative Study of Group Key Management in MANETIJERA Editor
 
Ccag gossip based reliable multicast protocol
Ccag gossip based reliable multicast protocolCcag gossip based reliable multicast protocol
Ccag gossip based reliable multicast protocoleSAT Publishing House
 
Secure key exchange and encryption mechanism for group communication in wirel...
Secure key exchange and encryption mechanism for group communication in wirel...Secure key exchange and encryption mechanism for group communication in wirel...
Secure key exchange and encryption mechanism for group communication in wirel...graphhoc
 
Attacks on mobile ad hoc networks
Attacks on mobile ad hoc networksAttacks on mobile ad hoc networks
Attacks on mobile ad hoc networksZdravko Danailov
 
A Novel Key Management Paradigm for Broadcasting to Remote Cooperative Groups
A Novel Key Management Paradigm for Broadcasting to Remote Cooperative GroupsA Novel Key Management Paradigm for Broadcasting to Remote Cooperative Groups
A Novel Key Management Paradigm for Broadcasting to Remote Cooperative GroupsIJMER
 
Lt2520382043
Lt2520382043Lt2520382043
Lt2520382043IJERA Editor
 
Vmware vsan-layer2-and-layer3-network-topologies
Vmware vsan-layer2-and-layer3-network-topologiesVmware vsan-layer2-and-layer3-network-topologies
Vmware vsan-layer2-and-layer3-network-topologiesCloudSyntrix
 

Recomendados

Gossip based reliable multicast protocol
Gossip based reliable multicast protocolGossip based reliable multicast protocol
Gossip based reliable multicast protocoleSAT Journals
 
A Comparative Study of Group Key Management in MANET
A Comparative Study of Group Key Management in MANETA Comparative Study of Group Key Management in MANET
A Comparative Study of Group Key Management in MANETIJERA Editor
 
Ccag gossip based reliable multicast protocol
Ccag gossip based reliable multicast protocolCcag gossip based reliable multicast protocol
Ccag gossip based reliable multicast protocoleSAT Publishing House
 
Secure key exchange and encryption mechanism for group communication in wirel...
Secure key exchange and encryption mechanism for group communication in wirel...Secure key exchange and encryption mechanism for group communication in wirel...
Secure key exchange and encryption mechanism for group communication in wirel...graphhoc
 
Attacks on mobile ad hoc networks
Attacks on mobile ad hoc networksAttacks on mobile ad hoc networks
Attacks on mobile ad hoc networksZdravko Danailov
 
A Novel Key Management Paradigm for Broadcasting to Remote Cooperative Groups
A Novel Key Management Paradigm for Broadcasting to Remote Cooperative GroupsA Novel Key Management Paradigm for Broadcasting to Remote Cooperative Groups
A Novel Key Management Paradigm for Broadcasting to Remote Cooperative GroupsIJMER
 
Lt2520382043
Lt2520382043Lt2520382043
Lt2520382043IJERA Editor
 
Vmware vsan-layer2-and-layer3-network-topologies
Vmware vsan-layer2-and-layer3-network-topologiesVmware vsan-layer2-and-layer3-network-topologies
Vmware vsan-layer2-and-layer3-network-topologiesCloudSyntrix
 
Enhancing msf for mobile ad hoc network security though active handshaking &a...
Enhancing msf for mobile ad hoc network security though active handshaking &a...Enhancing msf for mobile ad hoc network security though active handshaking &a...
Enhancing msf for mobile ad hoc network security though active handshaking &a...ijctet
 
A comparative study on different trust based routing schemes in manet
A comparative study on different trust based routing schemes in manetA comparative study on different trust based routing schemes in manet
A comparative study on different trust based routing schemes in manetijwmn
 
A depth detail about vpn security
A depth detail about vpn securityA depth detail about vpn security
A depth detail about vpn securityEric Fedewa
 
TAM new report
TAM new reportTAM new report
TAM new reportSuzit Punk
 
call for papers, research paper publishing, where to publish research paper, ...
call for papers, research paper publishing, where to publish research paper, ...call for papers, research paper publishing, where to publish research paper, ...
call for papers, research paper publishing, where to publish research paper, ...International Journal of Engineering Inventions www.ijeijournal.com
 
Wireless networks security
Wireless networks securityWireless networks security
Wireless networks securityMohammed Abdalhakam Taha
 
Hiding message from hacker using novel network techniques
Hiding message from hacker using novel network techniquesHiding message from hacker using novel network techniques
Hiding message from hacker using novel network techniquesPriyangaRajaram
 
Securing cloud computing environment against d do s attacks
Securing cloud computing environment against d do s attacksSecuring cloud computing environment against d do s attacks
Securing cloud computing environment against d do s attacksSampatkumar Satyamurti
 
muti path encrypted data security architecture for mobile adhoc networks
muti path encrypted data security architecture for mobile adhoc networksmuti path encrypted data security architecture for mobile adhoc networks
muti path encrypted data security architecture for mobile adhoc networksPraveen Yadav
 
Wireless Deauth and Disassociation Attacks explained
Wireless Deauth and Disassociation Attacks explainedWireless Deauth and Disassociation Attacks explained
Wireless Deauth and Disassociation Attacks explainedDavid Sweigert
 
231 236
231 236231 236
231 236Editor IJARCET
 
How MQTT work ?
How MQTT work ?How MQTT work ?
How MQTT work ?Niket Chandrawanshi
 
Wireless Disassociation and Deauthentication Attacks
Wireless Disassociation and Deauthentication AttacksWireless Disassociation and Deauthentication Attacks
Wireless Disassociation and Deauthentication AttacksDavid Sweigert
 
Accelerated broadcast authentication with signature amortization for wsns
Accelerated broadcast authentication with signature amortization for wsnsAccelerated broadcast authentication with signature amortization for wsns
Accelerated broadcast authentication with signature amortization for wsnseSAT Publishing House
 
DSSS with ISAKMP Key Management Protocol to Secure Physical Layer for Mobile ...
DSSS with ISAKMP Key Management Protocol to Secure Physical Layer for Mobile ...DSSS with ISAKMP Key Management Protocol to Secure Physical Layer for Mobile ...
DSSS with ISAKMP Key Management Protocol to Secure Physical Layer for Mobile ...IJNSA Journal
 
Protecting Global Records Sharing with Identity Based Access Control List
Protecting Global Records Sharing with Identity Based Access Control ListProtecting Global Records Sharing with Identity Based Access Control List
Protecting Global Records Sharing with Identity Based Access Control ListEditor IJCATR
 
17 18
17 1817 18
17 18INTERNATIONAL INDEXED,REFERRED,MULTILINGUAL,INTERDISCIPLINARY, MONTHLY RESEARCH JOURNAL
 
Iaetsd a framework for secure data
Iaetsd a framework for secure dataIaetsd a framework for secure data
Iaetsd a framework for secure dataIaetsd Iaetsd
 
Understanding senetas layer 2 encryption
Understanding senetas layer 2 encryptionUnderstanding senetas layer 2 encryption
Understanding senetas layer 2 encryptionSenetas
 
Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)maditabalnco
 
What's Next in Growth? 2016
What's Next in Growth? 2016What's Next in Growth? 2016
What's Next in Growth? 2016Andrew Chen
 
The Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post FormatsThe Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post FormatsBarry Feldman
 

Más contenido relacionado

La actualidad más candente

Enhancing msf for mobile ad hoc network security though active handshaking &a...
Enhancing msf for mobile ad hoc network security though active handshaking &a...Enhancing msf for mobile ad hoc network security though active handshaking &a...
Enhancing msf for mobile ad hoc network security though active handshaking &a...ijctet
 
A comparative study on different trust based routing schemes in manet
A comparative study on different trust based routing schemes in manetA comparative study on different trust based routing schemes in manet
A comparative study on different trust based routing schemes in manetijwmn
 
A depth detail about vpn security
A depth detail about vpn securityA depth detail about vpn security
A depth detail about vpn securityEric Fedewa
 
TAM new report
TAM new reportTAM new report
TAM new reportSuzit Punk
 
Hiding message from hacker using novel network techniques
Hiding message from hacker using novel network techniquesHiding message from hacker using novel network techniques
Hiding message from hacker using novel network techniquesPriyangaRajaram
 
Securing cloud computing environment against d do s attacks
Securing cloud computing environment against d do s attacksSecuring cloud computing environment against d do s attacks
Securing cloud computing environment against d do s attacksSampatkumar Satyamurti
 
muti path encrypted data security architecture for mobile adhoc networks
muti path encrypted data security architecture for mobile adhoc networksmuti path encrypted data security architecture for mobile adhoc networks
muti path encrypted data security architecture for mobile adhoc networksPraveen Yadav
 
Wireless Deauth and Disassociation Attacks explained
Wireless Deauth and Disassociation Attacks explainedWireless Deauth and Disassociation Attacks explained
Wireless Deauth and Disassociation Attacks explainedDavid Sweigert
 
Wireless Disassociation and Deauthentication Attacks
Wireless Disassociation and Deauthentication AttacksWireless Disassociation and Deauthentication Attacks
Wireless Disassociation and Deauthentication AttacksDavid Sweigert
 
Accelerated broadcast authentication with signature amortization for wsns
Accelerated broadcast authentication with signature amortization for wsnsAccelerated broadcast authentication with signature amortization for wsns
Accelerated broadcast authentication with signature amortization for wsnseSAT Publishing House
 
DSSS with ISAKMP Key Management Protocol to Secure Physical Layer for Mobile ...
DSSS with ISAKMP Key Management Protocol to Secure Physical Layer for Mobile ...DSSS with ISAKMP Key Management Protocol to Secure Physical Layer for Mobile ...
DSSS with ISAKMP Key Management Protocol to Secure Physical Layer for Mobile ...IJNSA Journal
 
Protecting Global Records Sharing with Identity Based Access Control List
Protecting Global Records Sharing with Identity Based Access Control ListProtecting Global Records Sharing with Identity Based Access Control List
Protecting Global Records Sharing with Identity Based Access Control ListEditor IJCATR
 
Iaetsd a framework for secure data
Iaetsd a framework for secure dataIaetsd a framework for secure data
Iaetsd a framework for secure dataIaetsd Iaetsd
 

La actualidad más candente (18)

Enhancing msf for mobile ad hoc network security though active handshaking &a...
Enhancing msf for mobile ad hoc network security though active handshaking &a...Enhancing msf for mobile ad hoc network security though active handshaking &a...
Enhancing msf for mobile ad hoc network security though active handshaking &a...
 
A comparative study on different trust based routing schemes in manet
A comparative study on different trust based routing schemes in manetA comparative study on different trust based routing schemes in manet
A comparative study on different trust based routing schemes in manet
 
A depth detail about vpn security
A depth detail about vpn securityA depth detail about vpn security
A depth detail about vpn security
 
TAM new report
TAM new reportTAM new report
TAM new report
 
call for papers, research paper publishing, where to publish research paper, ...
call for papers, research paper publishing, where to publish research paper, ...call for papers, research paper publishing, where to publish research paper, ...
call for papers, research paper publishing, where to publish research paper, ...
 
Wireless networks security
Wireless networks securityWireless networks security
Wireless networks security
 
Hiding message from hacker using novel network techniques
Hiding message from hacker using novel network techniquesHiding message from hacker using novel network techniques
Hiding message from hacker using novel network techniques
 
Securing cloud computing environment against d do s attacks
Securing cloud computing environment against d do s attacksSecuring cloud computing environment against d do s attacks
Securing cloud computing environment against d do s attacks
 
muti path encrypted data security architecture for mobile adhoc networks
muti path encrypted data security architecture for mobile adhoc networksmuti path encrypted data security architecture for mobile adhoc networks
muti path encrypted data security architecture for mobile adhoc networks
 
Wireless Deauth and Disassociation Attacks explained
Wireless Deauth and Disassociation Attacks explainedWireless Deauth and Disassociation Attacks explained
Wireless Deauth and Disassociation Attacks explained
 
231 236
231 236231 236
231 236
 
How MQTT work ?
How MQTT work ?How MQTT work ?
How MQTT work ?
 
Wireless Disassociation and Deauthentication Attacks
Wireless Disassociation and Deauthentication AttacksWireless Disassociation and Deauthentication Attacks
Wireless Disassociation and Deauthentication Attacks
 
Accelerated broadcast authentication with signature amortization for wsns
Accelerated broadcast authentication with signature amortization for wsnsAccelerated broadcast authentication with signature amortization for wsns
Accelerated broadcast authentication with signature amortization for wsns
 
DSSS with ISAKMP Key Management Protocol to Secure Physical Layer for Mobile ...
DSSS with ISAKMP Key Management Protocol to Secure Physical Layer for Mobile ...DSSS with ISAKMP Key Management Protocol to Secure Physical Layer for Mobile ...
DSSS with ISAKMP Key Management Protocol to Secure Physical Layer for Mobile ...
 
Protecting Global Records Sharing with Identity Based Access Control List
Protecting Global Records Sharing with Identity Based Access Control ListProtecting Global Records Sharing with Identity Based Access Control List
Protecting Global Records Sharing with Identity Based Access Control List
 
17 18
17 1817 18
17 18
 
Iaetsd a framework for secure data
Iaetsd a framework for secure dataIaetsd a framework for secure data
Iaetsd a framework for secure data
 

Destacado

Understanding senetas layer 2 encryption
Understanding senetas layer 2 encryptionUnderstanding senetas layer 2 encryption
Understanding senetas layer 2 encryptionSenetas
 
Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)maditabalnco
 
What's Next in Growth? 2016
What's Next in Growth? 2016What's Next in Growth? 2016
What's Next in Growth? 2016Andrew Chen
 
The Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post FormatsThe Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post FormatsBarry Feldman
 
The Outcome Economy
The Outcome EconomyThe Outcome Economy
The Outcome EconomyHelge Tennø
 
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
32 Ways a Digital Marketing Consultant Can Help Grow Your Business32 Ways a Digital Marketing Consultant Can Help Grow Your Business
32 Ways a Digital Marketing Consultant Can Help Grow Your BusinessBarry Feldman
 

Destacado (6)

Understanding senetas layer 2 encryption
Understanding senetas layer 2 encryptionUnderstanding senetas layer 2 encryption
Understanding senetas layer 2 encryption
 
Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)Reuters: Pictures of the Year 2016 (Part 2)
Reuters: Pictures of the Year 2016 (Part 2)
 
What's Next in Growth? 2016
What's Next in Growth? 2016What's Next in Growth? 2016
What's Next in Growth? 2016
 
The Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post FormatsThe Six Highest Performing B2B Blog Post Formats
The Six Highest Performing B2B Blog Post Formats
 
The Outcome Economy
The Outcome EconomyThe Outcome Economy
The Outcome Economy
 
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
32 Ways a Digital Marketing Consultant Can Help Grow Your Business32 Ways a Digital Marketing Consultant Can Help Grow Your Business
32 Ways a Digital Marketing Consultant Can Help Grow Your Business
 

Similar a Sen 214 simple secure multicast transmission

A Novel High Order Tree for Securing Key Management for Multicast Services
A Novel High Order Tree for Securing Key Management for Multicast ServicesA Novel High Order Tree for Securing Key Management for Multicast Services
A Novel High Order Tree for Securing Key Management for Multicast ServicesIOSR Journals
 
PERFORMANCE AND REKEYING ANALYSIS OF MULTICAST SECURITY IN LTE
PERFORMANCE AND REKEYING ANALYSIS OF MULTICAST SECURITY IN LTEPERFORMANCE AND REKEYING ANALYSIS OF MULTICAST SECURITY IN LTE
PERFORMANCE AND REKEYING ANALYSIS OF MULTICAST SECURITY IN LTEIJCNCJournal
 
Efficient Secure Multi-Neuron Attack Defensive and Routing Security Technique...
Efficient Secure Multi-Neuron Attack Defensive and Routing Security Technique...Efficient Secure Multi-Neuron Attack Defensive and Routing Security Technique...
Efficient Secure Multi-Neuron Attack Defensive and Routing Security Technique...IRJET Journal
 
Fast transmission to remote cooperative groups a new key management paradigm
Fast transmission to remote cooperative groups a new key management paradigmFast transmission to remote cooperative groups a new key management paradigm
Fast transmission to remote cooperative groups a new key management paradigmJPINFOTECH JAYAPRAKASH
 
Switching and multicast schemes in asynchronous transfer mode networks
Switching and multicast schemes in asynchronous transfer mode networksSwitching and multicast schemes in asynchronous transfer mode networks
Switching and multicast schemes in asynchronous transfer mode networksEditor Jacotech
 
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...Editor IJCATR
 
Vmware vsan-layer2-and-layer3-network-topologies
Vmware vsan-layer2-and-layer3-network-topologiesVmware vsan-layer2-and-layer3-network-topologies
Vmware vsan-layer2-and-layer3-network-topologiesUdressme1
 
EFFECTIVE KEY GENERATION FOR MULTIMEDIA AND WEB APPLICATION
EFFECTIVE KEY GENERATION FOR MULTIMEDIA AND WEB APPLICATIONEFFECTIVE KEY GENERATION FOR MULTIMEDIA AND WEB APPLICATION
EFFECTIVE KEY GENERATION FOR MULTIMEDIA AND WEB APPLICATIONijiert bestjournal
 
Elliptic Curve for Secure Group Key Management in Distributed Network
Elliptic Curve for Secure Group Key Management in Distributed NetworkElliptic Curve for Secure Group Key Management in Distributed Network
Elliptic Curve for Secure Group Key Management in Distributed Networkijceronline
 
Effectual Routine for Trilateral Authentication in Ad-hoc Networks using Mult...
Effectual Routine for Trilateral Authentication in Ad-hoc Networks using Mult...Effectual Routine for Trilateral Authentication in Ad-hoc Networks using Mult...
Effectual Routine for Trilateral Authentication in Ad-hoc Networks using Mult...IOSR Journals
 
Advanced Data Protection and Key Organization Framework for Mobile Ad-Hoc Net...
Advanced Data Protection and Key Organization Framework for Mobile Ad-Hoc Net...Advanced Data Protection and Key Organization Framework for Mobile Ad-Hoc Net...
Advanced Data Protection and Key Organization Framework for Mobile Ad-Hoc Net...AM Publications,India
 
Secured key distribution techniques in wireless sensor networks 150429171406
Secured key distribution techniques in wireless sensor networks 150429171406Secured key distribution techniques in wireless sensor networks 150429171406
Secured key distribution techniques in wireless sensor networks 150429171406pradip patel
 
Secured key distribution techniques in wireless sensor networks 150429171406
Secured key distribution techniques in wireless sensor networks 150429171406Secured key distribution techniques in wireless sensor networks 150429171406
Secured key distribution techniques in wireless sensor networks 150429171406pradip patel
 
IRJET- Coordinates based Keying Scheme for WSN Security
IRJET- Coordinates based Keying Scheme for WSN SecurityIRJET- Coordinates based Keying Scheme for WSN Security
IRJET- Coordinates based Keying Scheme for WSN SecurityIRJET Journal
 
Secure Anti-Collusion Data Sharing Scheme for Dynamic Groups in Cloud
Secure Anti-Collusion Data Sharing Scheme for Dynamic Groups in CloudSecure Anti-Collusion Data Sharing Scheme for Dynamic Groups in Cloud
Secure Anti-Collusion Data Sharing Scheme for Dynamic Groups in CloudIRJET Journal
 
SECURE ADHOC ROUTING PROTOCOL FOR PRIVACY RESERVATION
SECURE ADHOC ROUTING PROTOCOL FOR PRIVACY RESERVATIONSECURE ADHOC ROUTING PROTOCOL FOR PRIVACY RESERVATION
SECURE ADHOC ROUTING PROTOCOL FOR PRIVACY RESERVATIONEditor IJMTER
 

Similar a Sen 214 simple secure multicast transmission (20)

A Novel High Order Tree for Securing Key Management for Multicast Services
A Novel High Order Tree for Securing Key Management for Multicast ServicesA Novel High Order Tree for Securing Key Management for Multicast Services
A Novel High Order Tree for Securing Key Management for Multicast Services
 
B018140813
B018140813B018140813
B018140813
 
PERFORMANCE AND REKEYING ANALYSIS OF MULTICAST SECURITY IN LTE
PERFORMANCE AND REKEYING ANALYSIS OF MULTICAST SECURITY IN LTEPERFORMANCE AND REKEYING ANALYSIS OF MULTICAST SECURITY IN LTE
PERFORMANCE AND REKEYING ANALYSIS OF MULTICAST SECURITY IN LTE
 
H0362052056
H0362052056H0362052056
H0362052056
 
Efficient Secure Multi-Neuron Attack Defensive and Routing Security Technique...
Efficient Secure Multi-Neuron Attack Defensive and Routing Security Technique...Efficient Secure Multi-Neuron Attack Defensive and Routing Security Technique...
Efficient Secure Multi-Neuron Attack Defensive and Routing Security Technique...
 
G010425257
G010425257G010425257
G010425257
 
call for papers, research paper publishing, where to publish research paper, ...
call for papers, research paper publishing, where to publish research paper, ...call for papers, research paper publishing, where to publish research paper, ...
call for papers, research paper publishing, where to publish research paper, ...
 
Fast transmission to remote cooperative groups a new key management paradigm
Fast transmission to remote cooperative groups a new key management paradigmFast transmission to remote cooperative groups a new key management paradigm
Fast transmission to remote cooperative groups a new key management paradigm
 
Switching and multicast schemes in asynchronous transfer mode networks
Switching and multicast schemes in asynchronous transfer mode networksSwitching and multicast schemes in asynchronous transfer mode networks
Switching and multicast schemes in asynchronous transfer mode networks
 
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
 
Vmware vsan-layer2-and-layer3-network-topologies
Vmware vsan-layer2-and-layer3-network-topologiesVmware vsan-layer2-and-layer3-network-topologies
Vmware vsan-layer2-and-layer3-network-topologies
 
EFFECTIVE KEY GENERATION FOR MULTIMEDIA AND WEB APPLICATION
EFFECTIVE KEY GENERATION FOR MULTIMEDIA AND WEB APPLICATIONEFFECTIVE KEY GENERATION FOR MULTIMEDIA AND WEB APPLICATION
EFFECTIVE KEY GENERATION FOR MULTIMEDIA AND WEB APPLICATION
 
Elliptic Curve for Secure Group Key Management in Distributed Network
Elliptic Curve for Secure Group Key Management in Distributed NetworkElliptic Curve for Secure Group Key Management in Distributed Network
Elliptic Curve for Secure Group Key Management in Distributed Network
 
Effectual Routine for Trilateral Authentication in Ad-hoc Networks using Mult...
Effectual Routine for Trilateral Authentication in Ad-hoc Networks using Mult...Effectual Routine for Trilateral Authentication in Ad-hoc Networks using Mult...
Effectual Routine for Trilateral Authentication in Ad-hoc Networks using Mult...
 
Advanced Data Protection and Key Organization Framework for Mobile Ad-Hoc Net...
Advanced Data Protection and Key Organization Framework for Mobile Ad-Hoc Net...Advanced Data Protection and Key Organization Framework for Mobile Ad-Hoc Net...
Advanced Data Protection and Key Organization Framework for Mobile Ad-Hoc Net...
 
Secured key distribution techniques in wireless sensor networks 150429171406
Secured key distribution techniques in wireless sensor networks 150429171406Secured key distribution techniques in wireless sensor networks 150429171406
Secured key distribution techniques in wireless sensor networks 150429171406
 
Secured key distribution techniques in wireless sensor networks 150429171406
Secured key distribution techniques in wireless sensor networks 150429171406Secured key distribution techniques in wireless sensor networks 150429171406
Secured key distribution techniques in wireless sensor networks 150429171406
 
IRJET- Coordinates based Keying Scheme for WSN Security
IRJET- Coordinates based Keying Scheme for WSN SecurityIRJET- Coordinates based Keying Scheme for WSN Security
IRJET- Coordinates based Keying Scheme for WSN Security
 
Secure Anti-Collusion Data Sharing Scheme for Dynamic Groups in Cloud
Secure Anti-Collusion Data Sharing Scheme for Dynamic Groups in CloudSecure Anti-Collusion Data Sharing Scheme for Dynamic Groups in Cloud
Secure Anti-Collusion Data Sharing Scheme for Dynamic Groups in Cloud
 
SECURE ADHOC ROUTING PROTOCOL FOR PRIVACY RESERVATION
SECURE ADHOC ROUTING PROTOCOL FOR PRIVACY RESERVATIONSECURE ADHOC ROUTING PROTOCOL FOR PRIVACY RESERVATION
SECURE ADHOC ROUTING PROTOCOL FOR PRIVACY RESERVATION
 

Último

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 

Último (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 

Sen 214 simple secure multicast transmission

  • 1. Fact Sheet SEN-214 Simple Secure Multicast Transmission Copyright Senetas Corporation 2012 - All rights reserved. Permission to reproduce and distribute this document is granted provided this copyright notice is included and that no modifications are made to the original. Revisions to this document may be issued, without notice, from time to time.
  • 2. Simple Secure Multicast Transmission Introduction Senetas Ethernet encryptors are layer 2 (data link) devices that can secure traffic at wire speeds across wide area Ethernet services to provide confidentiality of transmitted information. Encryption of multicast traffic is conventionally difficult because of the one to many nature of the data flow. This paper describes how multicast traffic can be transmitted simply and securely when encrypting at layer 2 in the OSI model. Multicast applications Multicast transmission is a means of simultaneously sending information to a group of interested receivers in a single transmission and is considered a bandwidth saving technology as it provides an efficient way of delivering the same information to a group rather than copying it individually to each of the group members. Multicast traffic volumes have been increasing rapidly mainly due to the growth of video-based applications but also from other uses such as real-time information feeds and content delivery systems. Figure 1 - Types of transmission Multicast delivery across layer 2 networks Figure 1 shows data transmission for the unicast, broadcast and multicast cases. Whereas traditional unicast delivery requires that a source transmits just one copy of the data to one receiver and broadcast delivery requires one copy of the data to be sent to all members of a group; multicast delivery requires that traffic be delivered to only selected members of a group. Efficient multicast delivery therefore requires all network devices in the path between transmitter and receivers to have knowledge of the selected group members as well as the ability to intelligently deliver those packets only where they are needed. __________________________________________________________________________________ Page 1
  • 3. Simple Secure Multicast Transmission Multicast transmission uses various protocols and reserved network addresses to allow this efficient distribution. At layer 3 the class D range of IP addresses is reserved for multicast protocols and at layer 2 the low order bit of the high-order byte in the destination MAC address is used to distinguish unicast addresses from multicast addresses. For example: 00:80:C8:F9:76:EF is a Unicast address –as indicated by the 00 in the first octet of the MAC address 01:00:5E:00:00:05 is a Multicast address since the first octet of the MAC address is set to 01. Multicast group membership is normally implemented using the Internet Group Management Protocol (IGMP) for IPv4 networks or Multicast Listener Discovery (MLD) Messages for IPv6 networks. Both protocols provide a mechanism to dynamically register individual hosts in a particular multicast group with a multicast router. The default behaviour of a layer 2 switch is to broadcast multicast traffic out all destination ports. To prevent this and allow efficient delivery of multicast traffic layer 2 switches need to learn which ports are associated with each multicast group. This process is normally achieved by IGMP/MLD snooping which is the process of “listening in” on IGMP network traffic as it passes through the switch. Figure 2 - IGMP Snooping __________________________________________________________________________________ Page 2
  • 4. Simple Secure Multicast Transmission Figure 2 shows a layer 2 switch in the path between a multicast router and the participating hosts. IGMP snooping requires the switch to eavesdrop on the information in the IGMP packets that are sent between the hosts and the multicast router. This allows the switch to learn when hosts join a group (using IGMP join) or leave the group (using IGMP leave) and therefore intelligently transmit multicast data only out the relevant ports. The encryption of IGMP/MLD packets will prevent snooping and cause multicast traffic to be broadcast everywhere. For this reason Senetas encryptors have a policy control that permits them to selectively encrypt OR bypass IGMP/MLD packets through the encryptor thus allowing switch snooping and efficient network delivery. Security of multicast traffic The risk to multicast communication is similar to or greater than that for unicast transmission and includes the threat of eavesdropping as well as unauthorised modification or destruction of data. The nature of multicast distribution introduces some particular vulnerabilities that are not present for unicast traffic; for example because multicast group membership is open and not authenticated it means that anyone is able to easily join a multicast group so that they can receive the traffic stream or alternately insert data for malicious purposes into the group (even senders need not be members). Increasingly businesses are using multicast technologies to reduce the number and frequency of face-to-face meetings by using widely available webinar and video conferencing tools. Recent research has shown that insecure video conferencing systems can be ‘the bug in the boardroom’ and allow hackers to listen in to a company’s confidential discussions. To prevent this encrypted multicast sessions should be used to ensure the confidentiality of network traffic. Encryption of multicast traffic encryption is challenging because a single sender must synchronise encryption state with multiple receivers. Each receiver must securely have knowledge of the encryption key, the encryption state and be able to both receive and send traffic to other members of the group. This problem can be solved using a group key system in which all members of the shared community (which could be the multicast group or a VLAN) share a common key that is used to encrypt and decrypt traffic. This is in contrast to unicast encryption in which a unique key per connection is used between a single sender and a single receiver. One approach to group key implementation is to use a dedicated key server (see Figure 3) that pushes encryption keys to all members. __________________________________________________________________________________ Page 3
  • 5. Simple Secure Multicast Transmission This approach is commonly used but does have some limitations: Requires purchase & maintenance of another server in the network (in practice more than one is required if load balancing / redundancy is needed) Server must be located where it is always reachable by all members of the group Server must be always online or the keys are not refreshed Presents a single point of compromise (redundant servers don’t necessarily mitigate this because a compromise to one server is a compromise to all with shared keys) Presents a single point of failure (redundant servers can reduce this to some degree at additional expense) Figure 3 - External Key server model Senetas group encryption Senetas uses an alternate approach to group key distribution, which avoids the need for a separate key server, by giving one encryptor in the group responsibility for generating and distributing keys to all other members as shown in Figure 4. __________________________________________________________________________________ Page 4
  • 6. Simple Secure Multicast Transmission Figure 4 - Encryptor Key Master In this model an encryptor is delegated the role of key master from an automatic election process amongst the visible encryptors in the network. This mechanism has the following features: Automatic discovery of multicast encryption groups and secure connections (no manual configuration of MAC addresses or VLAN IDs is required) Secure distribution and automatic updates of keys to all members of the group New members can securely join or leave the group at any time Automatic aging/deletion of inactive groups Fault tolerant to network outages and topology changes In the event of a temporary isolation of network segments (caused for example by a network outage or reconfiguration as shown in Figure 5), the group key management scheme will automatically maintain/establish new group key managers within each visible network. When the network segments rejoin the network will transparently re-elect a single group key master. Importantly this ‘split-rejoin’ process can occur with no disruption to network traffic as long as the network is separated for less than two key update periods. If the key update period is for example one hour, then two split groups will have the same key to use for more than an hour, but less than 2 hours. Key updates effectively keep the encryptor with keys one key update period change ahead. __________________________________________________________________________________ Page 5
  • 7. Simple Secure Multicast Transmission If two or more key updates occur while the networks are separate, the terminating group (i.e. the group controlled by the key master that terminates) will synchronise with the remaining Master, which results in less than three seconds of disruption. Figure 5 - Network split with 2 key masters Policy control Multicast encryption is supported in both MAC and VLAN modes of operation on Senetas encryption appliances. i. In MAC mode the encryptor will establish both unicast and multicast connections based on the MAC address in each received Ethernet frame. In this mode pairwise keys are used for encrypting frames with unicast destination addresses and dynamic multicast connections are established using group keys for frames with multicast destination addresses. Multicast connections can be automatically deleted when no traffic is present for a specified number of minutes ii. In VLAN mode the encryptor will establish an encrypted connection per VLAN using group keys only. The VLAN identifier in the frame is used to distinguish secure connections. VLAN connections are automatically discovered but do not age with inactivity. __________________________________________________________________________________ Page 6
  • 8. Simple Secure Multicast Transmission Figure 6 - Multicast group that spans VLANs In architectures where one multicast group address spans multiple VLAN IDs (for example in Figure 6 where all hosts are part of the same multicast group) then VLAN mode must be used. This is to ensure that the encryptor’s key management traffic is always on the same VLAN for a given connection. Senetas provides a GUI management tool CypherManager to configure the encryptor policy. This tool provides fine-grained control of traffic processing and allows encryption policy to be set on a per ethertype / per address class level of resolution as shown in Figure 7. Figure 7 - Policy control __________________________________________________________________________________ Page 7
  • 9. Simple Secure Multicast Transmission Performance The CN encryption platform uses dedicated silicon to perform cut-through forwarding of data plane traffic. This allows for wire speed processing of encrypted traffic at full line rate at up to 10Gbps. Latency on the CN1000 Ethernet encryptor for example is approximately 7uS and is independent of packet size. Encryption introduces little or no jitter regardless of the network application or traffic profile. Encryption is performed using the AES algorithm with 256 or 128 bit keys. In group encryption mode (VLAN or multicast MAC) the CTR mode of encryption is used which introduces an additional eight bytes of data to every encrypted frame. Summary There is a growing need to securely and efficiently deliver multicast traffic across networks for a variety of applications. Traditional approaches to this using layer 3 encryption can be problematic from both a complexity and performance perspective. Encryption at layer 2 can provide a simple, effective way to secure multicast traffic streams without compromising network performance. __________________________________________________________________________________ Page 8