
Re: "Flat Multicast Key Exchange (FMKE)"- Internet Draft



Dear Laurence,

Sorry for the delay in my reply.  I read your proposed Internet Draft "Flat
Multicast Key Exchange (FMKE)" and I have the following comments:

1. Fundamental question:  I remember your presentation at the ESTEC workshop "IP
networking over satellites" a few weeks ago.  I remember that you said that this
solution will be implemented at the link level (for example the DVB-S link level).  That
is something that is not clear in my mind yet, because your proposal is IPSEC-based.  One
more point: your Internet draft does not mention satellites.  Maybe you can clarify
this.  By the way, ALCATEL ASP has a project with ESA on DVB-RCS security for
multicast, and also University of Surrey and ALCATEL ASP have some documentation in
the GEOCAST project on how to modify the current DVB-RCS security to cater for
multicast.

2.  As I understand, you will present your draft at the MSEC group at the IETF
meeting in Vienna.  Your proposal looks fairly similar to the Group Domain of
Interpretation (GDOI); the latest draft is draft-ietf-msec-gdoi-08.txt  (see:
http://www.ietf.org/internet-drafts/draft-ietf-msec-gdoi-08.txt), which is well
established and going to be an RFC soon.  Your work is duplicating GDOI and adding a
phase 3 which does not exist in GDOI.  In fact, GDOI has flat key and LKH (tree
architecture) distribution mechanisms.  Can you clarify the differences between FMKE
and GDOI?

3. In section 8 (security consideration), you should state the remaining or
potential problems with your protocol.  One example is Denial of Service (DoS)
attacks, where you should state how your protocol and your security server can cope
with thousands of forged messages coming from false IP addresses. One common
practice is to use stateless COOKIES in order to minimize the memory and CPU burden
on the security server which is experiencing the DoS attack (for more details see:
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-07.txt).

Please consider these as constructive comments and I hope they will improve your
draft.

Regards
Haitham



Laurence.Duquerroy@space.alcatel.fr wrote:

> Hello,
>
> In  the context of the SatIP6 IST project, Alcatel Space studies a multicast
> security scheme optimised to protect large multicast groups. Such a scheme is
> designed for IP over Satellite, Wifi or DVB systems; it is a security solution
> for the satellite segment. An implementation over DVB-S/RCS is planned in the
> SatIP6 demonstrator.
> We have presented this security solution (called SatIPSec) during the ESA
> workshop at ESTEC, 13-14 May on "IP networking over satellite".
>
> We have started to write an Internet Draft detailing our key exchange protocol
> (called "Flat Multicast Key Exchange (FMKE)"), and we think that it could be
> submitted to the "IP over DVB" group, as IP over DVB systems are targeted
> systems. We would be ready to present it to the next IETF meeting (in Vienna).
> As it is very security-oriented, it will probably also be submitted to an IETF
> security group (i.e. MSEC (Multicast Security) WG).
>
> You will find in attachment a draft of the ID. Your comments, opinion, and
> feedback on it are welcome.
> (See attached file: draft-duquer-fmke-00.doc)
>
> This solution is very flexible. It is able to configure any security dataplane
> at layer 2 or 3 (IPv4/6 IPSec, L2 security dataplanes, ...).
> It is based on similar principles to the ones of the protocols currently defined
> in the IETF MSEC group. It also uses similar messages (based on the ISAKMP
> standard protocol). However it implements additional mechanisms and features in
> order to provide a security solution optimized for satellite systems:
>
>      -  It is defined to be low resource consuming in bandwidth
>      -  It provides a reliable key distribution ( unlike the GDOI and GSAKMP
> protocols)
>      -  It can be used in one-to-many and many-to-many scenarios, and is
> scalable in these scenarios (MIKEY cannot be used in many-to-many scenarios in
> large groups)
>      -  It provides a multicast re-keying (mandatory in large groups) (unlike
> MIKEY)
>      - etc
>
> We hope that you will find interest in it, and thank you in advance for your
> comments.
>
> Best regards,
>
> Laurence Duquerroy
>
> ALCATEL SPACE
> RT/ST
> Research Department / Advanced Telecom Satellite Systems
> Tel : 33 (0)5-34-35-63-06  /  Fax : 33 (0)5-34-35-55-60
> E-Mail : laurence.duquerroy@space.alcatel.fr
>
>   ------------------------------------------------------------------------
>                                   Name: draft-duquer-fmke-00.doc
>    draft-duquer-fmke-00.doc       Type: WINWORD File (application/msword)
>                               Encoding: base64
>                            Description: Mac Word 3.0

--
Dr. Haitham S. Cruickshank

Senior Research Fellow in Communications
Centre for Communication Systems Research (CCSR)
School of Electronics, Computing and Mathematics
University of Surrey
Guildford, Surrey GU2 7XH, UK

Tel: +44 1483 686007 (indirect 689844)
Fax: +44 1483 686011
e-mail: H.Cruickshank@surrey.ac.uk
http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/
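The stateless-cookie defence raised in comment 3 above, as an added example that is not part of either message or of the FMKE draft. It follows the cookie construction described in the IKEv2 draft (version byte followed by a keyed hash over the initiator's nonce, source address and SPI, under a responder-only secret); the class and function names, the message layout, the two-version secret ring and the constructed TEST-NET addresses are assumptions of this example, not anything FMKE or IKEv2 specifies. The point it demonstrates: while the responder is in cookie mode, a flood of first-contact requests from forged source addresses allocates no state at all, because a spoofed sender never receives the cookie and so can never echo it, whereas a genuine initiator completes the round trip at the cost of one extra message.

```python
"""Stateless cookies for a key-exchange responder under a spoofed-source flood.

Example code, not the FMKE draft's own: the cookie is
    version_id | HMAC-SHA256(secret[version_id], Ni | IPi | SPIi)[:16]
so the responder can verify it later without remembering having issued it.
"""

import hashlib
import hmac
import ipaddress
import secrets

COOKIE_MAC_LEN = 16  # truncated HMAC-SHA256 carried in the cookie (assumed size)


class CookieResponder:
    """Responder side of a first-contact exchange (IKE_SA_INIT-like; assumed layout).

    With cookie_mode on, a request without a cookie gets only a cookie back and no
    state is allocated; a request carrying a valid cookie (bound to the sender's IP,
    nonce and SPI) gets half-open state.  Forged-source floods never complete the
    round trip, so they cost one HMAC per packet and no memory.
    """

    def __init__(self, cookie_mode=False):
        self.cookie_mode = cookie_mode
        # ring of (version, secret): the current secret is last; the previous one is
        # still honoured so cookies in flight survive a rotation (assumed policy)
        self._secrets = [(0, secrets.token_bytes(32))]
        self.half_open = {}  # (src_ip, spi_i) -> per-peer state we are protecting

    def rotate_secret(self):
        version = (self._secrets[-1][0] + 1) & 0xFF
        self._secrets = self._secrets[-1:] + [(version, secrets.token_bytes(32))]

    def _mac(self, secret, src_ip, spi_i, nonce_i):
        ip_bytes = ipaddress.ip_address(src_ip).packed
        return hmac.new(secret, nonce_i + ip_bytes + spi_i, hashlib.sha256).digest()[:COOKIE_MAC_LEN]

    def make_cookie(self, src_ip, spi_i, nonce_i):
        version, secret = self._secrets[-1]
        return bytes([version]) + self._mac(secret, src_ip, spi_i, nonce_i)

    def cookie_valid(self, cookie, src_ip, spi_i, nonce_i):
        if len(cookie) != 1 + COOKIE_MAC_LEN:
            return False
        for version, secret in self._secrets:
            if version == cookie[0]:
                expected = self._mac(secret, src_ip, spi_i, nonce_i)
                return hmac.compare_digest(expected, cookie[1:])
        return False  # unknown or expired secret version

    def handle_init(self, src_ip, spi_i, nonce_i, cookie=None):
        """Returns (action, payload): ('COOKIE', cookie) asks the initiator to retry
        with the cookie; ('SA_INIT', spi_r) means state was allocated; ('DROP', None)
        means the packet was discarded without allocating anything."""
        if self.cookie_mode:
            if cookie is None:
                return "COOKIE", self.make_cookie(src_ip, spi_i, nonce_i)
            if not self.cookie_valid(cookie, src_ip, spi_i, nonce_i):
                return "DROP", None
        # Only now is memory spent on this peer.
        spi_r = secrets.token_bytes(8)
        self.half_open[(src_ip, spi_i)] = {"nonce_i": nonce_i, "spi_r": spi_r}
        return "SA_INIT", spi_r


def spoofed_flood(responder, count):
    """Send `count` first-contact requests from fabricated source addresses
    (constructed input, TEST-NET-3).  A spoofed sender never sees the reply, so it
    cannot present the cookie.  Returns how many half-open entries were allocated."""
    before = len(responder.half_open)
    for i in range(count):
        src_ip = f"203.0.113.{i % 254 + 1}"
        responder.handle_init(src_ip, secrets.token_bytes(8), secrets.token_bytes(32))
    return len(responder.half_open) - before


def legitimate_handshake(responder, src_ip):
    """A real initiator retries with the same SPI and nonce, echoing the cookie."""
    spi_i, nonce_i = secrets.token_bytes(8), secrets.token_bytes(32)
    action, payload = responder.handle_init(src_ip, spi_i, nonce_i)
    if action == "COOKIE":
        action, payload = responder.handle_init(src_ip, spi_i, nonce_i, cookie=payload)
    return action == "SA_INIT" and (src_ip, spi_i) in responder.half_open


if __name__ == "__main__":
    naive, guarded = CookieResponder(cookie_mode=False), CookieResponder(cookie_mode=True)
    print("states allocated by 500 spoofed requests, no cookies:", spoofed_flood(naive, 500))
    print("states allocated by 500 spoofed requests, cookie mode:", spoofed_flood(guarded, 500))
    print("legitimate initiator completes in cookie mode:", legitimate_handshake(guarded, "192.0.2.10"))
```

Because the cookie binds the source address, a cookie captured from one host cannot be replayed from another, and because the secret rotates, an old cookie stops being accepted after two rotations; a responder that wants the cheap path back simply turns cookie mode off once the half-open table drains.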