The necessity of integrating multicast routing and QoS routing is clarified, and the mechanism of realizing both multicasting and QoS guarantee is outlined. It is also shown that receiver-initiated signaling is the only signaling function in practice and that resource reservation security is realized through the receiver-initiated signaling.
Two technologies are currently in demand on the Internet. One is Quality of Service (QoS) guarantee, which is a necessity for realizing applications that have strict QoS requirements for telephone and video transmissions. The other is multicasting, for transmitting data to multiple receivers simultaneously.
Obviously, QoS guarantee requires QoS routing and multicasting requires multicast routing. But QoS routing is also necessary for multicasting and multicast routing is necessary for QoS guarantee. Protocols that realize only one of the two are of little use in practice. It is necessary to have protocols that are designed for both. We propose such a protocol.
Resource Reservation Protocol (RSVP)[RSVP1993,1997] is proposed as a method for guaranteeing QoS, and Protocol Independent Multicast (PIM)[PIM1994,1997] is proposed as a method for multicasting. However, since neither can facilitate both QoS routing and multicast routing at the same time, they cannot be used in practice.
In this article, we first explain that a routing mechanism is divided into three functions, and describe what weak security is. In Section 3, we show that both resource reservation and multicasting can be implemented using signaling. In section 4, we clarify how QoS guarantee and multicasting are closely related, and in Section 5 we propose integrated protocols that implement both QoS guarantee and multicasting at the same time, paying special attention to the important role of receiver-initiated signaling. Resource reservation security is discussed in Section 6.
The term "routing" and two types of weak security are defined here.
The term "routing" has various meanings. It sometimes means forwarding IP packets and sometimes means advertising information required for actual data transmission. In this article, the routing mechanism is divided into the following three functions:
The meaning of multicast routing therefore includes advertisement of topology information, signaling, and actual packet forwarding for multicasting.
Resource reservation security is defined in Section 6 below as a type of weak security. Here we describe two types of weak security -- routing security and cookie security -- and the necessity for weak security.
Weak security can be implemented by the routing mechanism on the Internet. This kind of security ensures only that packets actually reach a receiver. It is called routing security.
Unicast routing enables transmitted packets to reach a receiver (if they are not lost during the transmission). Here we assume the routers on the transmission path are working correctly. However, since a sender can freely change the source address of the packets, it cannot be guaranteed that the packets received by the receiver are actually the ones sent from the source address.
There are many kinds of denial of service attacks that transmit packets whose source address has been incorrectly changed.
A cookie, whose value is known only to the end hosts, is exchanged by routing security between the ends before communication. Packets from an unauthorized sender can be distinguished from those from an authorized sender by placing the cookie in every packet. Examples of a cookie are the sequence number and the client's port number for the communication between a client and a server in TCP. Cookie security is another type of weak security, but is stronger than routing security.
It is generally difficult for the third party to obtain the value of a cookie. However, once cookie security is violated -- for example, by tapping -- an unauthorized sender can send data to the receiver.
Weak security is necessary even when strong security is available.
For strong security, a key is exchanged between the end hosts for authentication and/or encryption before communication is established. Authentication and encryption require considerable time for calculation. For hosts that can use only strong security, the possibility exists for an attack in which packets requiring authentication and/or decryption are continuously sent to the host in order to induce heavy loading on the host.
The effective use of strong security includes the use of weak (low overhead) security to ensure a proper transmission before using the strong security.
Here we explain the basic mechanisms of resource reservations and multicasting, and demonstrate that this can be accomplished using signaling.
A QoS requested by a user can be guaranteed by making a resource reservation to the network. Here we first define what resources on the network are and the types of QoS that can be guaranteed by a resource reservation. We then describe the procedure of making a resource reservation.
Entry of routing table and bandwidth are considered as resources on the network. Then bandwidth, delay, jitter, and loss ratio are considered as the types of QoS that should be guaranteed during actual data transmission. Charging is also required as long as resources are reserved on the routers on the transmission path, and so it should be treated as a type of QoS.
The procedure of making a resource reservation is as follows:.
First, a sender or a receiver sends messages for a reservation to the other end. These messages include information about the flow and the required QoS. Routers on the transmission path forward these messages to the other end and maintain the resources for the reservation. This procedure is called signaling. Data are delivered to the receiver with guaranteed QoS.
Signaling is used in classical networks such as PSTN and X.25 network, and is also used in RSVP and PIM on the Internet.
PIM, as one of the multicast protocols, uses signaling for the Rendezvous Point (RVP) from a receiver and merges multiple signals at the routers on the transmission path to accomplish multicasting.
To perform multicasting, the following two functions are added to a resource reservation procedure when it is already established:
Using this method, each router maintains the multicast flows that pass through it. This method can be adopted for the whole Internet.
Thus, both resource reservation and multicasting can be achieved using signaling.
Note that multicast protocols such as DVMRP[DVMR1988,1988-2] and MOSPF[MOSP1994], which are not based on signaling, are neither scalable nor adaptable to the whole Internet.
A multicast mechanism requires QoS routing, a QoS guarantee mechanism requires multicast routing, and both multicasting and QoS guarantee can only be achieved using receiver-initiated signaling.
QoS routing is necessary for employing a multicast mechanism in the real world.
In multicasting, more resources of the routers on the path are consumed than in best-effort unicasting. For this reason, users of multicasting should be charged more than users of best-effort unicasting.
There has not been sufficient discussion of this point, nor has a valid protocol been proposed. However, providers that are going to support multicasting are in urgent need of an adequate charging system.
For multicast communications, it is necessary from an economic point of view to offer a structure that allows users to select a less expensive path. Otherwise, a provider may select a more expensive path and thus induce an unnecessary charge for the user. A method of selecting a path that matches the request of the user is inevitable. This can be achieved by signaling along the path that satisfies the QoS, that is, QoS routing. This topic is discussed further in [SRSV1999].
Here we clarify that multicasting is necessary for QoS guarantee.
As shown above, in multicasting, the merging function and the duplicating function are both needed, in addition to the resource reservation function. Here we consider a signaling method initiated by the receiver for QoS guarantee, that is, the receiver-initiated signaling.
Assume that an unauthorized receiver makes a QoS guarantee request to the sender. Since it is difficult for routers on the path to judge whether the request is authorized or not, the QoS guarantee is performed. As a result, QoS guarantee is performed on the path from the sender to the unauthorized receiver.
For example, consider the network shown in Figure 4.1. Assume sender S and receiver R are making a resource reservation, and R' is an unauthorized receiver. If R' performs signaling on the path R' -> T4 -> T3 -> T1 -> S, router T1 cannot determine whether the request from T3 is authorized or not. This is because, when considering QoS guarantee, it is possible that the authorized receiver R may also perform signaling on the path R -> T2 -> T4 -> T3 -> T1 -> S. T1 has to process this unauthorized signaling, and this causes an unauthorized resource reservation.
Figure 4.1: Signaling from an unauthorized receiver
In the case of signaling in PSTN, since the switch at the terminal access network (which corresponds to T4 in Figure 4.1) that performs signaling can ensure the legitimacy of the signaling, unauthorized resource reservations can be prevented. Terminals in PSTN have low functionality, while the switches, with high functionality, are reliable because they are under complete control of the carriers. However, this is not the case for the Internet. Terminals on the Internet have high functionality and the routers are placed not only by carriers but also by various other organizations.
The current routing protocols in the Internet only provide the routing security described above. When a data receiver initiates signaling, it is easy for signaling that changes the address information of the receiver (sender of the signaling) to occur. The sender who receives that signaling (receiver of the signaling) and the routers on the path cannot necessarily judge the legitimacy of the signaling.
Even if an unauthorized resource reservation has been established, a QoS request from an authorized receiver can be established by adding the multicast mechanism to the unicast resource reservation mechanism. In Figure 4.2, T1 forwards the data received as S -> T1 to both T2 and T3. Thus, authorized receiver R can make a resource reservation without disturbance, even when unauthorized receiver R' makes a reservation in advance. Similarly, R' cannot steal the resource reservation already established by R.
Figure 4.2: Multicast as a countermeasure to an unauthorized receiver
Note that introducing this mechanism does not prevent an unauthorized receiver from tapping the data. However, this should be prevented by encryption of the data and is more allowable than disturbance or stealing of the authorized resource reservations.
It is well known that only multicast protocols based on receiver-initiated signaling such as PIM scales over the whole Internet. This paper shows that receiver-initiated signaling is inevitable even for unicast resource reservations. In other words, sender-initiated signaling is not adaptable in the real world.
Consider sender-initiated signaling in the network shown in Figure 4.3, where S is the authorized sender, S' is the unauthorized sender, and R is the receiver. When S and S' simultaneously perform signaling, T1 has to validate signals from both T2 and T3, and forward the data from them to R. Therefore, a double bandwidth is needed to guarantee the requested bandwidth at link T1 -> R; in the worst case, the bandwidth guarantee becomes impossible.
Figure 4.3: Sender-initiated signaling
This problem does not occur in receiver-initiated signaling, since a node forwards data to multiple downstream nodes with a duplicating function.
For these reasons, receiver-initiated signaling is a unique solution for both multicasting and unicast resource reservation.
It is necessary to have protocols that have both QoS and multicast routing mechanisms for use in the real world, in order to ensure either multicast or unicast QoS guarantee. We describe briefly the procedure of the integrated protocols for each function described in Section 2.1 and give simple examples.
We are also proposing and implementing Hierarchical QoS Information Protocol (HQLIP) for advertisement and Simple Resource ReserVation Protocol (SRSVP)[SRSV1999] for signaling. However, the details are not described in this paper.
Each node on the network advertises topology information with QoS information that can be guaranteed at each link. Since a multicast route is determined by signaling, there is no need to advertise the locations of the sender and the participants of the multicasting; however, such advertisement is performed in MOSPF.
The integrated protocols should be layered for adapting to the whole Internet. The layering of information can be easily performed because only topology information of unicast addressing is used.
Unicast addressing information, link information, and bandwidth of each link as one of the QoS information for each node are shown in Figure 5.1. Other QoS information, such as delay and charging information, should be advertised, however, it is omitted here. The advertisement is done by means of flooding. The traffic each node receives becomes O(n), where n is the number of nodes.
Figure 5.1: Advertising function
Signaling must be receiver-initiated.
The requested QoS is included in the messages and the receiver performs signaling. Each node merges signaling messages from multiple downstream nodes, selects a path that satisfies the QoS, and forwards the merged signaling message to the upstream node. At the same time, it makes a resource reservation and makes sure that the requested QoS is guaranteed.
In Figure 5.2, R1 and R2 perform signaling with a bandwidth of two in the network. Each router forwards signaling messages according to the topology information. For example, T2 forwards the signaling message to T4, because in the shortest path P -> T1 -> T2 the bandwidth does not satisfy the requirement at link T1 -> T2. T4 merges signals from R1 and R2 and forwards the merged signal to T3.
Figure 5.2: Signaling function
The following capabilities are required for a forwarding function: the capability to guarantee bandwidth and delay, and the capability to duplicate packets from an upstream node and forward them to multiple downstream nodes when the signaling is performed by multiple downstream nodes.
Figure 5.3 shows a data forwarding path resulting from the signaling. For example, T4 uses the duplicating function to forward data to both R2 and T2.
Figure 5.3: Forwarding function
This section describes resource reservation security yielded from the above-mentioned procedure of resource reservation. A multicast model preventing an unauthorized sender from sending data is proposed as an application of it.
Based on the procedure of the receiver-initiated resource reservation, resource reservation security, which is a weak security but stronger than routing and cookie security, can be realized. This more strongly ensures that the received packets are sent from an authorized sender.
A receiver makes a resource reservation by signaling. The receiver's signaling messages are guaranteed to be reaching the sender by routing security. Since the data from the sender are sent along the opposite direction of the signaling, data received by the receiver can be guaranteed to be the data that were sent by the sender.
For the purpose of ensuring this security, each node on the path has to discard data packets that come from directions different from those of the signaling. In Figure 6.1, based on the fact that receiver R makes a resource reservation, router T forwards packets from authorized sender S, but discards packets from unauthorized sender S'.
Figure 6.1: Resource Reservation Security
It is difficult to prevent an unauthorized sender from sending unauthorized data in PIM, a multicast protocol that is currently becoming a de facto standard. When a multicast session is open, the bandwidth for it can easily be consumed illegally by an unauthorized sender. This is a very big problem considering the implementation of multicast protocols for commercial use.
In RVP, it is possible to filter unauthorized packets sent by unauthorized senders according to the sender information in the headers of the packets. However, as explained before, if routing security is the only security, an unauthorized sender can easily fake the information provided. Cookie security does have some effect. However, it is then unavoidable for the unauthorized sender to consume the bandwidth if it obtains the value of the cookie.
The resource reservation security may solve this problem. The procedure is shown below.
First, an RVP is given address information of authorized senders. Then, when a sender tries to transmit data packets to RVP, a resource reservation is made only if the sender is authorized. RVP discards packets other than the ones whose resources have been reserved.
In Figure 6.2, both authorized sender S and unauthorized sender S' send data packets with sender information of S in the packets' header to an RVP. Initially, all these packets are discarded at the RVP. Then, as shown in Figure 6.3, the signaling message from RVP is sent to S, the resource reservation is made, and router T only forwards the data packets from S to which the signaling message were sent. Since the RVP only forwards data packets from T to the multicast receivers, they only receive the data packets from an authorized sender.
Figure 6.2: Nonreserved data packets
Figure 6.3: Reserved data packet
As shown above, employment of resource reservation security, realized through receiver-initiated resource reservation, makes it possible to perform multicasting that prevents transmissions from unauthorized senders. This mechanism is currently implemented in our proposed resource reservation protocol, the SRSVP protocol.
In this article, we described resource reservation and QoS guarantee, and multicasting achieved through signaling. We clarified the necessity for integrating multicast routing and QoS routing, and showed the outline of the mechanism of achieving both multicasting and QoS guarantee. We showed that receiver-initiated signaling is the only solution for a signaling mechanism. We also explained resource reservation security by means of receiver-initiated signaling.
We are developing protocols based on the proposed methods and will verify their effectiveness by putting them into practice soon.
[RSVP1993] Zhang, L., Deering, S., Estrin, D., Shenker, S., and Zappala, D., "RSVP: A New Resource ReSerVation Protocol," IEEE Network, September 1993.
[RSVP1997] Braden, R., Zhang, L., Berson, S., Herzog, S., and Jamin, S., "Resource ReSerVation Protocol (RSVP) -- Version 1 Functional Specification," RFC 2205, September 1997.
[PIM1994] Deering, S., Estrin, D., Farinacci, D., Jacobson, V., Liu, C., and Wei, L., "An Architecture for Wide-Area Multicast Routing," ACM SIGCOMM'94, August 1994.
[PIM1997] Estrin, D., Farinacci, D., Helmy, A., Thaler, D., Deering, S., Handley, M., Jacobson, V., Liu, C., Sharma, P., and Wei, L., "Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification," RFC 2117, June 1997.
[DVMR1988] Deering, S., "Multicast Routing in Internetworks and Extended LANs," SIGCOMM Summer 1988 Proceedings, August 1988.
[DVMR1988-2] Waitzman, D., Partridge, C., and Deering, S., "Distance Vector Multicast Routing Protocol," RFC 1075, November 1988.
[MOSP1994] Moy, J. "Multicast Extensions to OSPF" RFC 1584, March 1994.
[SRSV1999] Fujikawa, K., and Ikeda, K., "RSVP Integrated Multicast (RIM)," "4b/4b_3.htm", INET'99, June 1999.