Security Extension for the SatNEx Satellite Platform
Introduction
The SatNEx platform was created to facilitate easy interaction between the SatNEx partners distributed across Europe. Projects regarding the platform generally belong to WP 1300 (Platform) and JA-2420 (Application Layer Trials). It is hosted on the Eutelsat W3A satellite. The central up-link station, i.e. the station where the data is fed to the satellite, is maintained by the Fraunhofer FOKUS Institute (FhI) in Birlinghoven (near Bonn), Germany. The next figure shows a schematic of the SatNEx platform.
For meetings, the Polycom VSX 7000 video conferencing system is used. The inputs (video, audio, data) from the meeting participants converge at a multimedia conferencing bridge (Codian MCU 4200), also located at the premises of FhI. The data of the platform is transported using IP multicast. The total capacity allotted to the SatNEx platform is 1 Mbit.
It is also possible to use the platform for re-broadcasting other video/audio data (e.g. SatNEx Summer School). For this, a tunnel can be established to transfer the multimedia data to the up-link at FhI.
Every SatNEx partner receives a satellite dish along with the IPricot receiver device which is connected to the LNB of the dish. The IP data is transmitted using Multiprotocol Encapsulation (MPE). The IPricot device tunes to the transponder on Eutelsat W3A where the SatNEx platform is hosted, decodes the MPE data and outputs the extracted IP packets on the client LAN which is attached to its Ethernet port.
In the current configuration, everybody in Europe with a satellite dish and the necessary tuning information could (passively) join all meetings and view all broadcasts that take place on the SatNEx platform. Meetings, which most of the time involve SatNEx members only, are often confidential in nature, discussing strategic or technical issues. However, confidentiality is not guaranteed on the platform.
When (re-)broadcasting talks or lectures, the permission of every lecturer has to be obtained. Such permissions will certainly be granted more easily when there is only a closed group of potential receivers. This can be achieved by encrypting the broadcasts.
A Security Extension for the SatNEx Platform
The security extension devised for the SatNEx platform (SXPsec) and described here is a transparent solution for encrypting IP multicast using IPsec and consists of a sender and a receiver component. The following figure shows the software modules that comprise the sender and the receiver.
The sender-side part of the security extension is a Multicast Encryption Gateway (MEG) which is placed between the multimedia conferencing bridge and the satellite up-link. Basically, the MEG acts like an Ethernet bridge, passing everything from one Ethernet interface to the other. However, multicast Ethernet frames are treated in a special way: they are passed up the network stack where the multicast IP packets are routed through an IPsec tunnel and encrypted. The resulting IP packets carrying the Encapsulated Security Payload (ESP) are sent to a special multicast address, the Multicast Tunnel Endpoint (MTE) address.
At the receiver, a device is placed between the IPricot and the client LAN, to which, for example, the Polycom VSX 7000 is attached. This device is called the SXPsec client. It behaves similarly to the MEG in that it passes all non-multicast traffic it receives from the IPricot on to the client LAN. However, IP packets destined to the MTE address are routed via the IPsec tunnel and decrypted. The resulting clear-text IP multicast packets are then forwarded to the client LAN only if at least one host on that LAN has reported membership of the corresponding multicast group with an Internet Group Management Protocol (IGMP) Report message.
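The two forwarding decisions described above (the MEG diverting only IP multicast into the tunnel, and the SXPsec client decrypting only ESP packets sent to the MTE address and releasing clear-text multicast only to groups with an IGMP member on the LAN) are shown below as an added example. This is not SXPsec's own code: the MTE group address, the host addresses and all frames are constructed for the example, the IPsec encryption and decryption is assumed to happen in the kernel and is not modelled, and treating clear-text multicast arriving from the satellite as "drop" is an assumption, since the page only describes the bridge and tunnel cases.

```python
import struct
import ipaddress

# Assumed values for this example; the page does not give SXPsec's real MTE address.
MTE_GROUP = ipaddress.IPv4Address("239.255.0.1")
ETHERTYPE_IPV4, PROTO_IGMP, PROTO_ESP = 0x0800, 2, 50
IGMP_V2_REPORT, IGMP_V2_LEAVE, IGMP_V3_REPORT = 0x16, 0x17, 0x22
BROADCAST_MAC = b"\xff" * 6

def parse_frame(frame: bytes) -> dict:
    """Ethernet II header plus, for IPv4, the fields needed for classification."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    # The I/G bit (LSB of the first octet) marks a group MAC; broadcast is bridged like unicast.
    info = {"mcast_mac": bool(frame[0] & 1) and frame[:6] != BROADCAST_MAC, "ip": None}
    if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        info["ip"] = {"proto": frame[23], "src": ipaddress.IPv4Address(frame[26:30]),
                      "dst": ipaddress.IPv4Address(frame[30:34]), "payload": frame[14 + ihl:]}
    return info

def meg_classify(frame: bytes) -> str:
    """Sender side (MEG): bridge everything except IP multicast, which is handed
    up the stack and leaves through the IPsec tunnel as ESP to the MTE group."""
    info = parse_frame(frame)
    ip = info["ip"]
    if info["mcast_mac"] and ip is not None and ip["dst"].is_multicast:
        return "tunnel"
    return "bridge"

class SxpsecClient:
    """Receiver side: IGMP membership learned from the client LAN gates forwarding."""

    def __init__(self, mte_group=MTE_GROUP):
        self.mte_group = mte_group
        self.members = {}  # multicast group -> set of LAN hosts that reported it

    def on_lan_frame(self, frame: bytes) -> list:
        """Apply an IGMPv2 Report/Leave or IGMPv3 Report from a LAN host."""
        ip = parse_frame(frame)["ip"]
        if ip is None or ip["proto"] != PROTO_IGMP or len(ip["payload"]) < 8:
            return []
        igmp, events = ip["payload"], []  # events: (group, joined) pairs
        if igmp[0] in (IGMP_V2_REPORT, IGMP_V2_LEAVE):
            events.append((ipaddress.IPv4Address(igmp[4:8]), igmp[0] == IGMP_V2_REPORT))
        elif igmp[0] == IGMP_V3_REPORT:
            # v3: 8-byte header, then group records of
            # (record type, aux data len, number of sources, group, sources, aux data).
            nrec, off = struct.unpack("!H", igmp[6:8])[0], 8
            for _ in range(nrec):
                rtype, aux_len = igmp[off], igmp[off + 1]
                nsrc = struct.unpack("!H", igmp[off + 2:off + 4])[0]
                group = ipaddress.IPv4Address(igmp[off + 4:off + 8])
                if rtype in (2, 4):             # MODE_IS_EXCLUDE / CHANGE_TO_EXCLUDE: join
                    events.append((group, True))
                elif rtype == 3 and nsrc == 0:  # CHANGE_TO_INCLUDE with no sources: leave
                    events.append((group, False))
                off += 8 + 4 * nsrc + 4 * aux_len
        for group, joined in events:
            hosts = self.members.setdefault(group, set())
            (hosts.add if joined else hosts.discard)(ip["src"])
            if not hosts:
                del self.members[group]
        return events

    def classify_satellite_frame(self, frame: bytes) -> str:
        """Frame from the IPricot: 'bridge' non-multicast, 'tunnel' ESP addressed to the
        MTE group (passed to IPsec for decryption), 'drop' any other multicast (an
        assumption: the page describes only the first two cases)."""
        info = parse_frame(frame)
        ip = info["ip"]
        if not info["mcast_mac"]:
            return "bridge"
        if ip is not None and ip["dst"] == self.mte_group and ip["proto"] == PROTO_ESP:
            return "tunnel"
        return "drop"

    def should_forward(self, inner_packet: bytes) -> bool:
        """After decryption: forward the clear-text IP multicast packet to the LAN
        only if some host there has reported membership of its destination group."""
        if len(inner_packet) < 20:
            return False
        group = ipaddress.IPv4Address(inner_packet[16:20])
        return group.is_multicast and bool(self.members.get(group))

# Builders for the constructed frames used to exercise the example (checksums left zero).
def mcast_mac(group: str) -> bytes:
    """IPv4 multicast MAC: 01:00:5e plus the low 23 bits of the group address."""
    g = ipaddress.IPv4Address(group).packed
    return b"\x01\x00\x5e" + bytes([g[1] & 0x7F]) + g[2:4]

def build_frame(dst_mac: bytes, src: str, dst: str, proto: int, payload: bytes) -> bytes:
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return dst_mac + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload

def igmp_v2(msg_type: int, group: str) -> bytes:
    return struct.pack("!BBH4s", msg_type, 0, 0, ipaddress.IPv4Address(group).packed)
```

The membership table is the receiver's only access control: a decrypted group that nobody on the LAN has joined never leaves the SXPsec client, and a Leave (or an IGMPv3 INCLUDE record with no sources) removes that host again, so forwarding stops as soon as the last member is gone. The IPsec policy that turns "tunnel" into ESP on the MEG and back into clear text on the client is the kernel's job and is deliberately outside this example.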
Demonstration at the IWSSC 2007
We had a demonstration setup at the International Workshop on Satellite and Space Communications 2007 in Salzburg, Austria. Here are some pictures of this setup. You can also download the presentation poster (pdf).
| Cipher Algorithm | Max Throughput |
|---|---|
| 3des-cbc | 2 Mbit |
| des-cbc | 6.2 Mbit |
| blowfish-cbc | 12 Mbit |
This table shows performance results of the SXPsec client that were obtained from a setup similar to the demonstration setup but without the DVB-T link.