2006 6th International Conference on ITS Telecommunications Proceedings

MESP: A Modified IPSec for Secure Multicast Communication

Eng. Eman Ali, Ain Shams University, Faculty of Engineering, e-mail: imaneCaliOyahoc
Dr. Tarek El-fouly, University of Qatar, Faculty of Engineering, e-mail: tarekfouly@qu.edu.qa
Prof. Ahmed Badr, Senior Member, IEEE, Dean, Akhbar Alyoum Academy, e-mail: abadr@asunet.shams.eun.eg

Abstract - We propose the multicast encryption security protocol MESP. It is derived from the IPSec ESP. The specifications of the protocol are discussed and applied to the existing IPSec ESP. We use the existing implementation of the IPSec ESP and modify it to meet the MESP specifications in order to implement MESP. A multicast chat system is used as an application for this protocol.

I. INTRODUCTION

Nearly all the traffic on the Internet today is unicast: it is sent by a single host and is intended to be received by a single host. However, unicast has weaknesses in the case of data transfer from one sender to a group of receivers. In principle, such a type of communication is realizable via unicast by sending a copy of the datagram to each receiver. The cost of this method (in terms of bandwidth usage) is proportional to the number of receivers. The Internet does not support broadcast. There was early discussion of a global Internet broadcast address, but network engineers quickly decided that this was a bad idea. Somewhere between unicast and broadcast is multicast. For this article we are interested in "IP multicast", that is, multicasting that happens at the Internet Protocol network layer. Like broadcast, a single multicast data transmission can be received by many hosts. But unlike broadcast, the data is not sent to all corners of the Internet; rather, it only goes to those networks which have specifically requested it. This work mainly represents an implementation of a new protocol that supports secure multicasting over the IP network layer.
This protocol is an extension of the existing implementation of the IPSec ESP protocol (Encapsulating Security Protocol). This protocol is called the Multicast ESP (MESP). This work takes the differences in these specifications and maps them to an implementation point of view. It also modifies some of these specifications to conform to the ESP implementation already existing.

II. BACKGROUND

A. Multicasting

Multicast communication is the most efficient means of distributing data to a group of participants. In contrast to unicast communications, multicast routing permits a single IP datagram to be routed to multiple hosts simultaneously. The bandwidth usage of that operation is optimal since the datagram is only duplicated when necessary. Membership in a multicast group is dynamic, allowing hosts to enter and leave the multicast session without the permission or knowledge of other hosts. The inherent benefits of multicast routing may also present some vulnerability, making it susceptible to attack unless it is secured.

* IPSec and Multicast: IPSec is designed to handle any kind of IP traffic. Hence, it is in particular applicable to multicast traffic. However, the security mechanisms included in the IPSec standard so far are not suitable for group communication. The reason is that the requirements for multicast security are different from those for pairwise security. In particular, the usage of a message authentication code (MAC) for data origin authentication is impossible for multicast groups of three or more members. Since all members share the same symmetric authentication key, a MAC cannot be attached uniquely to a group member. One of the ways of solving this problem is the extension of the ESP header to support group secrecy, group authentication, and source authentication.

* Any Source Multicast: In the MBone's "Any Source Multicasting" (ASM) model, multicast traffic is divided into "groups" which are numbered like IP addresses.
When an application wants to "join" group G, it notifies its host operating system, which in turn communicates this request to routers on the local network with the Internet Group Management Protocol (IGMP). These routers, in turn, talk to other routers on the Internet and set up distribution trees for the desired group. Once a distribution tree is established, the application's host will receive every packet on the entire Internet sent to group G. One of the problems ASM faces is hooking senders up with receivers. Getting multicast data packets, which can appear anywhere on the Internet at any time, delivered to everyone who is interested in them is a complex problem. The solution currently in use involves what are called Rendezvous Points (RPs). RPs are spread throughout the Internet and each one is responsible for knowing all the active senders to all the groups on the entire Internet. Unfortunately, requiring a single machine to keep state information for every single multicast transmitter on the

0-7803-9586-7/06/$20.00 ©2006 IEEE.
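The "IPSec and Multicast" point in Section II (an ESP integrity check under a key shared by the whole group proves only that some key holder built the packet, so a receiver in a group of three or more cannot tell which member sent it) as an added Python example; this is not code from the paper or from the MESP implementation. The ESP-like packet layout, the member names A, B, C and the locally generated group key are constructed for the illustration.

```python
import hmac
import os
import struct
from typing import Optional, Set

ICV_LEN = 12  # ESP HMAC-SHA1-96 keeps the first 96 bits of the MAC (RFC 2404)


def build_esp_auth(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Simplified ESP authentication: SPI | seq | payload | ICV, where the
    ICV is an HMAC over SPI, sequence number and payload (no encryption)."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(key, body, "sha1").digest()[:ICV_LEN]


def verify_esp_auth(key: bytes, packet: bytes) -> Optional[bytes]:
    """Return the payload if the ICV verifies under `key`, else None."""
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, "sha1").digest()[:ICV_LEN]
    return body[8:] if hmac.compare_digest(icv, expected) else None


def possible_origins(receiver: str, key_holders: Set[str], key: bytes,
                     packet: bytes) -> Set[str]:
    """What a valid ICV proves to `receiver`: some holder of the key other
    than itself built the packet. The source is identified only when exactly
    one such holder exists, i.e. in a two-party (pairwise) association."""
    if verify_esp_auth(key, packet) is None:
        return set()
    return key_holders - {receiver}


def demo() -> dict:
    """Members A, B and C share one group authentication key (constructed)."""
    group_key = os.urandom(20)
    payload = b"hello group"
    # C, holding the group key, builds a packet that B verifies exactly as it
    # would one from A; the claimed origin lives only in the unprotected IP header.
    pkt_from_c = build_esp_auth(group_key, 0x1000, 7, payload)
    tampered = pkt_from_c[:-1] + bytes([pkt_from_c[-1] ^ 1])  # flip one ICV bit
    return {
        "verifies": verify_esp_auth(group_key, pkt_from_c) == payload,
        "origins_3_members": possible_origins("B", {"A", "B", "C"}, group_key, pkt_from_c),
        "origins_2_members": possible_origins("B", {"A", "B"}, group_key, pkt_from_c),
        "tampered_accepted": verify_esp_auth(group_key, tampered) is not None,
    }
```

With three members the receiver is left with two candidate origins, which is the ambiguity MESP's source authentication extension is meant to remove; the pairwise case resolves to a single origin.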