User plane security alternatives in the 3G evolved Multimedia Broadcast Multicast Service (e-MBMS)

The multimedia broadcast multicast service (MBMS) has been included in the 3GPP architecture to provide broadcast/multicast services. In the 3GPP Long Term Evolution, the evolved MBMS (e-MBMS) architecture is currently being standardized. This position paper discusses the security issues currently being considered for the e-MBMS IP multicast user plane. Currently proposed security architectures "limit" themselves to including group security associations (GSA). In this paper we take the position that GSA might not be a sufficiently secure solution in the long run. In light of this, we propose adopting a secure multicast overlay approach as a possible short-term solution, thanks to its straightforward deployment. To support this latter point, we outline how to set up a proof-of-concept implementation over public-domain Linux routers. We functionally compare GSA with the proposed secure multicast overlay approach, showing that the overlay approach provides not only the same level of security but also a reduced risk of denial-of-service attacks. We preliminarily (qualitatively) discuss the pros and cons of the two solutions in terms of performance. Ongoing work is targeted at complementing these preliminary considerations with a quantitative investigation.
