
Trying to find words to describe how PIDs are used.....




Repost: My last posting to the list seemed to have gone astray, so I shall try an updated repost.

I was trying to use some of the email from others to propose some text that answered the second set of questions.

> 2) Can we determine precisely what we mean by a "Stream"?
> Does a Stream always only have ONE originating source?
> That is, does the PID imply a specific intended source?

Here is some draft text, that could perhaps be placed at the end of section 3.2. I'd be very pleased to receive comments/corrections so we converge on some good description of this, since I think this relates directly to the need for authentication.

THOUGHTS??? Comments and corrections please...

Best wishes,

Gorry


----

In an MPEG-2 Transmission network, the originating source of MPEG-2 TS Packets is either an L2 interface device (media encoder, encapsulation gateway, etc.) or an L2 network device (TS multiplexor, etc.). These devices may, but do not necessarily, have an associated IP address. In the case of an encapsulation gateway (e.g. ULE sender), the device may operate at L2 or L3, and is not normally the originator of an IP traffic flow, and usually the IP source address of the packets that it forwards does not correspond to an IP address associated with the device. When authentication of the IP source is required this must be provided by IPsec, TLS, etc. operating at a higher layer.

The TS Packets are carried to the Receiver over a physical layer that usually includes Forward Error Correction and synchronisation processing that makes injection of single TS Packets very difficult. Replacement of a sequence of packets is difficult, but possible.

Each Receiver needs to identify a TS Logical Channel (or MPEG-2 Stream) to reassemble the fragments of PDUs sent by an L2 source [RFC4259]. In an MPEG-2 TS, this association is made via the Packet Identifier, PID [ISO-MPEG]. At the sender, each source associates a locally unique set of PID values with each stream it originates. However, there is no required relationship between the PID value used at the sender and that received at the Receiver. Network devices may re-number the PID values associated with one or more TS Logical Channels (Streams) to prevent clashes at a multiplexor between input Streams with the same PID carried on different input multiplexes. A device may also modify and/or insert new SI data into the control plane (also sent as TS Packets identified by PID value).

The Stream of TS Packets carried in a multiplex is usually received by many Receivers. One method is to secure the entire Stream at the MPEG-2 TS level. This approach is well-suited to TV-transmission, data-push, etc., where the PID carries one or a set of flows with similar security requirements. Where the Stream carries a set of IP traffic flows to different destinations with a range of properties (multicast, unicast, etc.) it is often not appropriate to provide IP confidentiality services for the entire Stream. A finer-grain control is required that at least allows control to the level of a single MAC/NPA address. However, there is only one valid source of data for each MPEG-2 Stream (i.e. PID), although an attacker that is able to modify the content of the received multiplex (e.g. replay data) could inject data locally with an arbitrary PID value.

---
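
The PID re-numbering described in the draft text above, as an added example that is not part of the original post: a minimal re-multiplexor merges two input multiplexes whose Streams use the same PID, showing that the PID seen at the Receiver need not match the sender's and that nothing in the 4-byte TS header identifies the originating device. The mux names, payloads and the "next free PID" allocation policy are constructed assumptions; SI rewriting and reserved PID ranges are not handled.

```python
TS_PACKET_SIZE, SYNC_BYTE = 188, 0x47

def make_ts_packet(pid, payload, cc=0):
    """Build a constructed 188-byte TS packet (payload only, no adaptation field)."""
    if not 0 <= pid <= 0x1FFF:
        raise ValueError("PID is a 13-bit field")
    # Byte 3: adaptation_field_control = 01 (payload only) + continuity counter.
    header = bytes([SYNC_BYTE, pid >> 8, pid & 0xFF, 0x10 | (cc & 0x0F)])
    return header + payload[:184].ljust(184, b"\xff")

def parse_pid(pkt):
    """Return the 13-bit PID from bytes 1-2 of the TS header."""
    if len(pkt) != TS_PACKET_SIZE or pkt[0] != SYNC_BYTE:
        raise ValueError("not a TS packet")
    return ((pkt[1] & 0x1F) << 8) | pkt[2]

def renumber_pid(pkt, new_pid):
    """Rewrite only the PID; the flag bits, counter and payload are untouched."""
    parse_pid(pkt)  # validates size and sync byte
    return bytes([pkt[0], (pkt[1] & 0xE0) | (new_pid >> 8), new_pid & 0xFF]) + pkt[3:]

def remultiplex(inputs):
    """Merge {mux_name: [packets]} into one output multiplex.

    Returns (output_packets, mapping) where mapping is
    {(mux_name, input_pid): output_pid}. A clash between input Streams
    with the same PID is resolved by taking the next free PID value
    (hypothetical policy chosen for this example).
    """
    mapping, used, out = {}, set(), []
    for mux, pkts in inputs.items():
        for pkt in pkts:
            key = (mux, parse_pid(pkt))
            if key not in mapping:
                pid = key[1]
                while pid in used:
                    pid = (pid + 1) & 0x1FFF
                used.add(pid)
                mapping[key] = pid
            out.append(renumber_pid(pkt, mapping[key]))
    return out, mapping

if __name__ == "__main__":
    # Constructed sample: two sources that each picked PID 0x0100 locally.
    feeds = {"mux-A": [make_ts_packet(0x100, b"PDU fragment from A")],
             "mux-B": [make_ts_packet(0x100, b"PDU fragment from B")]}
    packets, table = remultiplex(feeds)
    for (mux, in_pid), out_pid in table.items():
        print(f"{mux}: sender PID 0x{in_pid:04x} -> receiver PID 0x{out_pid:04x}")
```

Because the mapping table lives only in the network device, a Receiver filtering on PID alone cannot tell which device produced a packet; source authentication has to come from a separate mechanism, as the draft text argues.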