Secure receiver access control for IP multicast at the network level: Design and validation

The classical service model of IP multicast is open; anyone can receive multicast data. When using this model, it is impossible to ensure that receivers are authorized to receive the data, or (if appropriate) to generate any revenue from a service based on open multicast. This has resulted in restricted deployment of IP multicast.We have developed a secure IP multicast architecture to enforce receiver access control at two levels: application level and network level. This paper addresses the design and validation of the solution at the network level. The design starts from four assumptions, which express the independence of the network-level solution from the previous work at the application level. At the network level, receiver access control is achieved using two proposed protocols: Secure Internet Group Management Protocol (SIGMP) and Group Security Association Management (GSAM) protocol.SIGMP is an extension to IGMP, in which the messages that are related to secure groups are protected by IPsec Group Security Associations (GSAs). GSAM manages the IPsec GSAs used in SIGMP and couples the network-level access control with the application-level access control.The design requirements for SIGMP and for GSAM are expressed in terms of Design Criteria and Security Goals. These design requirements are then used to justify the final design. Several security properties of GSAM have been formally validated using AVISPA and the remaining security properties of our proposal have been analyzed.