KHIP—a scalable protocol for secure multicast routing
Proceedings of the conference on Applications, technologies, architectures, and protocols for computer communication
Multicast-specific security threats and counter-measures
SNDSS '95 Proceedings of the 1995 Symposium on Network and Distributed System Security (SNDSS'95)
The Ordered Core Based Tree Protocol
INFOCOM '97 Proceedings of the INFOCOM '97. Sixteenth Annual Joint Conference of the IEEE Computer and Communications Societies. Driving the Information Revolution
Scalable sender access control for bi-directional multicast routing
Computer Networks: The International Journal of Computer and Telecommunications Networking
Journal of Computer Security - Special issue on ACM conference on computer and communications security, 2001
A Framework to Add AAA Functionalities in IP Multicast
AICT-ICIW '06 Proceedings of the Advanced Int'l Conference on Telecommunications and Int'l Conference on Internet and Web Applications and Services
Scalable solutions for secure group communications
Computer Networks: The International Journal of Computer and Telecommunications Networking
Cross-layer verification of type flaw attacks on security protocols
ACSC '07 Proceedings of the thirtieth Australasian conference on Computer science - Volume 62
An Architecture for Secure and Accountable Multicasting
LCN '07 Proceedings of the 32nd IEEE Conference on Local Computer Networks
Sender Access Control in IP Multicast
LCN '07 Proceedings of the 32nd IEEE Conference on Local Computer Networks
Multicast receiver access control by IGMP-AC
Computer Networks: The International Journal of Computer and Telecommunications Networking
Participant access control in IP multicasting
IEEE Communications Surveys & Tutorials
Secure Border Gateway Protocol (S-BGP)
IEEE Journal on Selected Areas in Communications
Deployment issues for the IP multicast service and architecture
IEEE Network: The Magazine of Global Internetworking
The Journal of Supercomputing
The classical IP multicast model makes it impossible to restrict the forwarded data to that originated by an authorized sender. Without effective sender access control, an adversary can exploit the existing IP multicast model, in which a sender may transmit multicast data without prior authentication and authorization. Even a group key management protocol that efficiently distributes the encryption and authentication keys to the receivers cannot prevent an adversary from spoofing the sender address or replaying previously sent data and thereby flooding the Data Distribution Tree (DDT), which amounts to an efficient Denial of Service attack. In this paper, we propose an architecture for sender access control and data distribution control in inter-domain multicast groups. For sender access control, the Protocol for Carrying Authentication for Network Access (PANA), encapsulating Extensible Authentication Protocol (EAP) packets, is used to authenticate a sender and to establish an IPsec Security Association between the sender and the Access Router, so that each packet is cryptographically authenticated. This access control architecture is then extended to inter-domain multicast groups by means of Diameter agents. An inter-domain DDT spans several domains; hence, sender access control is meaningless unless the whole DDT is protected. We protect the DDT against several attacks mounted by a compromised network entity by carrying the multicast data in one or a series of Multicast Security Associations (MSAs). Two alternative solutions have been developed that detect and stop the forwarding of any forged packet by using multiple checkpoints in the DDT: the first uses a single centralized MSA for the whole DDT, while the second uses a number of small MSAs. The two methods are then compared with respect to features such as establishment and maintenance costs and delivery time.
The MSA method has also been compared with Keyed HIP (KHIP), and we have established that the MSA-based methods reasonably outperform KHIP. Finally, the security properties of MSA construction using the GDOI protocol have been validated with the AVISPA tool. AVISPA detected two attacks, which we have fixed by modifying the GDOI protocol. The security properties of the data transmission method through MSAs using the Authentication Header (AH) protocol have also been analyzed.