Distance Vector Multicast Routing Protocol
(DVMRP) [2, 5]. Some properties of these routing
topologies may prove beneficial in multicast key
distribution architectures. For example, in [7],
Ballardie describes a key distribution architecture
centered around a core router defined for the Core
Based Tree (CBT) multicast routing protocol [4].
The scope of a multicast group can be limited by
restricting the routing of its IP datagrams. By
manipulating the time-to-live field in each IP
datagram [6], hosts can limit the scope of their
traffic by controlling the number of hops a
datagram travels before routers discard it. By
restricting the time-to-live field of a datagram, we
create basic form of confidentiality for the group
by limiting the potential audience of the data. This
may be considered at best a very weak form of
confidentiality that is difficult to enforce.
Therefore, stronger mechanisms are required if we
want greater assurance.
Multicast application layer data is typically
encapsulated by the transport layer UDP protocol.
The combination of UDP and IP protocols create
an unreliable datagram service without error
correction capabilities. Protocols such as the Real-
Time Transport (RTP) protocol are designed to
correct some of these deficiencies [8]. RTP runs
on top of UDP and the underlying network protocol
to provide end-to-end network transport functions
for multicast audio and video conferences or
sessions. A session is defined as the exchange of
multimedia data (e.g., an audio conference) within
a multicast group [9]. Several sessions may be
active within a single multicast group (e.g., one for
audio and another for video). The type of host
participation in a multicast session can further
define the nature of the session. In a many-to-
many type application, multiple group members
may receive and transmit data simultaneously
during the session. In contrast, a one-to-many or
push application typically has only one transmitter
and many receivers for the session. The type of
application may influence the design of a security
architecture. For example, a one-to-many
application is inherently centralized and may
benefit from a security architecture centered around
a single trusted host. Distributed many-to-many
applications may benefit from distributed security
architectures with multiple trusted hosts performing
registration and key distribution functions.
Multicast sessions may also be described in terms
of their membership. In general, a session is
defined as either public or private. Both types are
defined by the level of access control required to
join the multicast group [10]. Public sessions are
typically encountered on the MBONE and are
supported by the dynamic nature of multicast
communications (i.e., knowledge of the multicast
address is the only requirement for membership).
We can further restrict public sessions by requiring
users to register and pass an authentication check
in order to participate. In order to limit the scope
of a private multicast session, both registration and
authentication are required for participation [10].
To limit the visibility of the secure session, the
session traffic is usually encrypted. In this paper,
we define a secure multicast session as a private
session with encryption.
Multicast applications can benefit from the addition
of security services. Commercial applications that
use public networks can limit user access to
services and control user participation. Without
these security features, user participation cannot be
tightly controlled. Access control mechanisms
applied during registration can limit participation to
only paying customers. Military applications such
as command and control have obvious benefits
from the application of security. By tightly
controlling access during registration, only users
with the proper credentials can join the session. In
both arenas, access control is the important initial
step in defining the multicast group. Once the
group is established, we can argue that most of our
security concerns can be abstracted into a key
management problem.
APPLYING SECURITY TO MULTICAST
Threats to IP multicast communications are similar
to those for unicast IP transmissions. In general,
threats include eavesdropping, the unauthorized
creation of data, the unauthorized alteration of
data, the unauthorized destruction of data, denial
of service, and illegitimate use of data [11]. In the