MAFIA - A Multicast Management Solution for Access Control and Traffic Filtering


Abstract

Recently, multicast has seen only marginal wide-scale deployment. One of the main reasons is the lack of support for security and traffic management. Although there has been some recent work, these efforts have not emphasized the critical need to deploy security features side-by-side with management solutions. In this paper, we propose MAFIA, a multicast management solution with the specific aim of strengthening multicast security through multicast access control, multicast traffic filtering, and DoS attack prevention. MAFIA achieves these tasks by making use of information about multicast group memberships available at different locations in a network. We have designed various deployment solutions for MAFIA. In choosing among them, several factors need to be considered. In particular, a solution should be able to handle high traffic rates, be easy to deploy, and be flexible in terms of functionality. We have also implemented one such solution on the GNU/Linux operating system.

Publications

K. Ramachandran and K. Almeroth, "MAFIA: A Multicast Management Solution for Access Control and Packet Filtering", IEEE/IFIP Conference on Management of Multimedia Networks and Services, Belfast, Ireland, September 2003.

Software

The software given below implements MAFIA's IGMP functionality and can be easily extended to filter PIM and MSDP packets. It is released under the GPL.

Requirements:
1) libipq: This is required to pass packets from within the kernel to the userspace module that implements MAFIA's functionality. To install libipq, download the latest version of iptables and follow the instructions given there.
2) perlipq: This can be downloaded from here.
3) NetPacket Perl module: This can be downloaded from here.

Finally, you will need to run the Perl file given here to filter IGMP packets. This file currently accepts all IGMP group membership reports by default. The file can be easily modified to filter IGMP packets based on source/group (S, G) pairs. I am currently working on a simple enhancement that will enable a user to specify (S, G) mappings in real-time instead of having to modify the file each time. Please check this site soon for the enhancement.
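One way the (S, G) check mentioned above could look, as an added example that is not taken from igmp_mafia.pl. It assumes S is the IP source address of the membership report and G is the group address in the IGMP message, handles IGMPv1/v2 reports only, and uses a constructed policy and sample packets; igmp_verdict, fold16 and sample_report are hypothetical names.

```perl
#!/usr/bin/perl
# Added example, not taken from igmp_mafia.pl.
use strict;
use warnings;
use Socket qw(inet_aton inet_ntoa);

# Constructed policy. Assumption: S is the IP source address of the report
# (the joining host) and G is the group address inside the IGMP message.
my %allowed = (
    '192.0.2.10' => { '239.1.1.1' => 1, '239.1.1.2' => 1 },
    '192.0.2.11' => { '239.1.1.1' => 1 },
);
my %is_report = (0x12 => 1, 0x16 => 1);   # IGMPv1 / IGMPv2 membership report

# 16-bit one's-complement sum, folded; 0xffff means the checksum verifies.
sub fold16 {
    my $sum = unpack('%32n*', $_[0]);
    $sum = ($sum & 0xffff) + ($sum >> 16) while $sum >> 16;
    return $sum;
}

# Returns 'ACCEPT' or 'DROP' for one raw IPv4 packet (hypothetical helper).
sub igmp_verdict {
    my ($pkt) = @_;
    return 'DROP' if length($pkt) < 20;                 # truncated IPv4 header
    my ($vhl, $proto, $src) = unpack('C x8 C x2 a4', $pkt);
    my $ihl = ($vhl & 0x0f) * 4;
    return 'DROP' if ($vhl >> 4) != 4 || $ihl < 20;     # not a valid IPv4 header
    return 'ACCEPT' if $proto != 2;                     # not IGMP, not our concern
    return 'DROP' if length($pkt) < $ihl + 8;           # truncated IGMP message
    my $igmp = substr($pkt, $ihl, 8);
    my ($type, $group) = unpack('C x3 a4', $igmp);
    return 'ACCEPT' unless $is_report{$type};           # queries and leaves pass
    return 'DROP' if fold16($igmp) != 0xffff;           # corrupted report
    my ($s, $g) = (inet_ntoa($src), inet_ntoa($group));
    return (exists $allowed{$s} && $allowed{$s}{$g}) ? 'ACCEPT' : 'DROP';
}

# Constructed IGMPv2 report from $src for $group (minimal IPv4 header, IHL 5).
sub sample_report {
    my ($src, $group) = @_;
    my $body = pack('C C n a4', 0x16, 0, 0, inet_aton($group));
    substr($body, 2, 2) = pack('n', 0xffff - fold16($body));
    return pack('C x8 C x2 a4 a4', 0x45, 2, inet_aton($src), inet_aton($group)) . $body;
}

for my $case (['192.0.2.10', '239.1.1.2'], ['192.0.2.11', '239.1.1.2'],
              ['198.51.100.7', '239.1.1.1']) {
    printf "%-13s -> %-10s %s\n", @$case, igmp_verdict(sample_report(@$case));
}
```

The returned string would be mapped to the queue's accept or drop verdict by whatever loop reads packets from ip_queue; hosts absent from the policy are denied by default.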

Executing MAFIA

Executing MAFIA is simple. Once you have installed all the packages given above, run the following commands to enable IGMP filtering:
modprobe ip_queue
perl igmp_mafia.pl

Contact

krishna @ cs.ucsb.edu.
Bug reports and comments are welcome.