Media Distribution Management Platform and IPTV over Internet 2

Media Distribution Management Platform and IPTV over Internet 2 Tereza Cristina Melo de Brito Carvalho [email protected] Regina Melo Silveira [email protected] LARC- Laboratory of Computer Network Architecture EPUSP – Escola Politecnica University of Sao Paulo - Brazil


Page 1: Media Distribution Management Platform and IPTV over Internet 2

Media Distribution Management Platform and IPTV over Internet 2

Tereza Cristina Melo de Brito Carvalho [email protected]

Regina Melo Silveira [email protected]

LARC - Laboratory of Computer Network Architecture

EPUSP – Escola Politecnica

University of Sao Paulo - Brazil

Page 2: Media Distribution Management Platform and IPTV over Internet 2

IPTV over Internet 2

Tereza Cristina Melo de Brito Carvalho [email protected]

Regina Melo Silveira [email protected]

LARC – PCS/EP – University of São Paulo

Ericsson Research Sweden

Page 3: Media Distribution Management Platform and IPTV over Internet 2

4-7 December, 2006 Fall 2006 Internet 2 Member Meeting


Team

Marcio Augusto Lima e [email protected]

Flávio [email protected]

Daniel Pires [email protected]

Christiane Marie Schweitzer [email protected]

Diego Sanchez Gallo [email protected]

Regina Melo Silveira [email protected]

Tereza Cristina Melo de Brito Carvalho

[email protected]

Wilson Vicente Ruggiero [email protected]

Ayodele [email protected]

Page 4: Media Distribution Management Platform and IPTV over Internet 2


Agenda

Introduction; Scenario; Requirements; IPTV Architecture; IPTV over Internet2; Final Considerations; Acknowledgments

Page 5: Media Distribution Management Platform and IPTV over Internet 2


Introduction

What is IPTV?

TV channels over the Internet?

Video streams encapsulated in IP packets over a “service provider” network?

Will the Internet support a High Definition IPTV service?

“Internet not ready for its future roles” (Bill St. Arnaud)

Page 6: Media Distribution Management Platform and IPTV over Internet 2


Scenario

High Definition Streaming (HDTV): typically, 25 Mbps per TV channel for MPEG2 encoding.

Multiple different channels are sent simultaneously to multiple different receivers at the same location: a home with three TV sets would require at least 3 x 25 Mbps.

Page 7: Media Distribution Management Platform and IPTV over Internet 2


Scenario

IPTV requires high levels of Quality of Service (QoS) and Quality of Experience (QoE), at least on par with analog or digital TV broadcast systems.

Access network technologies like xDSL will not support high definition IPTV services: VDSL has bandwidth and distance limitations. It achieves 50 Mbps at 300 m.

Page 8: Media Distribution Management Platform and IPTV over Internet 2


Scenario

Currently, FTTH (Fiber-To-The-Home) services seem to be the only alternative for fulfilling IPTV (HDTV) needs.

PON (Passive Optical Network) presents itself as the most viable FTTH technology, from both an economic and an operational standpoint: WDM-PON can provide a 100 Mbps fiber connection far beyond 300 m (around tens of kilometers).

Page 9: Media Distribution Management Platform and IPTV over Internet 2


Requirements

Security

Content protection: protection of the intellectual property of the content owner, while allowing fair use for the final user.

Service protection: authentication, confidentiality and access control

Page 10: Media Distribution Management Platform and IPTV over Internet 2


Requirements

Quality of Experience (simple and convenient handling): Multi-channel Zapping

Infrastructure: Availability (at least on par with analog or digital TV broadcast system); Accessibility (diversity of devices, e.g. PCs, Set-Top-Boxes); Network/Application scalability

Page 11: Media Distribution Management Platform and IPTV over Internet 2


IPTV Architecture

Page 12: Media Distribution Management Platform and IPTV over Internet 2


Architecture Entities

Head-End: provides IPTV services (Broadcast TV and VoD)

Transport Network: delivers video streams to customers

Customer Premises: broadband network termination

Page 13: Media Distribution Management Platform and IPTV over Internet 2


IPTV Architecture: Head-End

Broadcast TV Head-End system:

Receives an analog or digital signal via satellite or other means, typically with multiple transport streams

Converts it to a series of single program streams

Encodes or transcodes the signals (e.g. to MPEG-4 format)

Encapsulates streams in IP packets for transmission

Sends streams to a specific IP multicast group

Page 14: Media Distribution Management Platform and IPTV over Internet 2


IPTV Architecture: Head-End

VoD (Video-On-Demand) Head-End System:

Encapsulates video streams in IP packets

Sends streams to users

Page 15: Media Distribution Management Platform and IPTV over Internet 2


IPTV Architecture: Transport Network

Core Network: high capacity optical network with technologies such as IP over DWDM and MPLS/GMPLS

Edge Network: multicast enabled network that connects the core network to the access network

Access Network: an FTTH-PON (Fiber-To-The-Home Passive Optical Network)

Page 16: Media Distribution Management Platform and IPTV over Internet 2


IPTV Architecture: Customer Premise

Provides broadband network termination functionalities

It is the IPTV service client

The heterogeneous technologies found in home network devices create the need for a robust Home Gateway to connect them and provide the necessary services

Page 17: Media Distribution Management Platform and IPTV over Internet 2


Multicast vs. Overlay

Overlay tries to provide multicast functionality at the application layer. It is still an immature solution for providing a reliable, QoE-enabled service for high-definition content with scalability.

Multicast is proven to be a more efficient distribution scheme with scalability.

This work proposes a self-contained, controlled private network: the Internet does not (yet) provide the required levels of availability, scalability, QoE and QoS.

Page 18: Media Distribution Management Platform and IPTV over Internet 2


Final Considerations

IPTV over Internet2: HDTV over the Internet with stringent QoS and QoE requirements is not possible on the current infrastructure.

Due to QoE requirements (e.g. zapping), a bandwidth of hundreds of Mbps per service user (per subscriber) is required.

Page 19: Media Distribution Management Platform and IPTV over Internet 2

A Platform for Media Distribution Management

Regina Melo [email protected]

LARC - Laboratory of Computer Network Architecture

EPUSP – Escola Politecnica

University of Sao Paulo - Brazil

Page 20: Media Distribution Management Platform and IPTV over Internet 2


Agenda

Introduction; Our Challenge; Related Work; Proposal (Conceptual Model, Physical Model); Main Functionalities; General View; Work in Progress; Final Considerations

Page 21: Media Distribution Management Platform and IPTV over Internet 2


Introduction

Huge number of multimedia applications (documentation, advertisement, entertainment …);

New multimedia services (broadcast, telecommunications, CATV);

Convergence - services integration with access network independence;

Growing demand for storage, distribution and consumption management, allowing wide media utilization and re-use.

Page 22: Media Distribution Management Platform and IPTV over Internet 2


Introduction

Multimedia services management includes:

(i) multimedia content storage, retrieval and search;

(ii) users and groups of users access control and authentication;

(iii) system distribution, adaptation, configuration and monitoring (server and clients) for multimedia content delivery and consumption;

(iv) network elements management.

Page 23: Media Distribution Management Platform and IPTV over Internet 2


Our Challenge

To develop a Platform for Media Distribution Management respecting the following requirements:

Use open standards (ISMA, MPEG-7, MPEG-21);

Define integrated interfaces for different multimedia services already deployed on the RNP network;

Prototype development and tests on the RNP network.

The prototype uses two multimedia distribution services developed by LAVID/UFPB: dvod (video on demand) and dlive (live video).

Page 24: Media Distribution Management Platform and IPTV over Internet 2


Related Work

MUFFINS - MUltimedia Framework For INteroperability in Secure – IST

PERSEO - Personalised Multichannel Services for Advanced Multimedia Stream Management – IST

CODAC - Modeling and Querying Content Description and Quality Adaptation Capabilities of Audio-Visual Data - Klagenfurt University – Austria

ADMITS - Adaptation in Distributed Multimedia IT Systems - Klagenfurt University – Austria

DANAE - Dynamic and distributed Adaptation of scalable multimedia coNtent in a context Aware Environment – IST

iTVP - Interactive TV Services over IP Networks - PSNC – PIONIER

Rich Content Infrastructure and Middleware for Media - IBM

Page 25: Media Distribution Management Platform and IPTV over Internet 2


Proposal

4 (four) user types: Client, Content Provider, Administrator, Manager.

4 (four) sub-systems: Portal; Access control, storage and retrieval; Manager (Coordinator and Monitor); Transmitter (Multimedia delivery service).

3 (three) management levels: Service, Server, Network.

Page 26: Media Distribution Management Platform and IPTV over Internet 2


Proposal – Conceptual Model

Page 27: Media Distribution Management Platform and IPTV over Internet 2


Proposal – Physical Model

Page 28: Media Distribution Management Platform and IPTV over Internet 2


Main Functionalities

Video Upload and Indexation

Live events Transmission registration

Media search

Media catalogue (Personalized)

Media Visualization (Personalized)

Users, groups and projects management

Applications/services (sections) management

Servers management

Network elements management

Page 29: Media Distribution Management Platform and IPTV over Internet 2


Page 30: Media Distribution Management Platform and IPTV over Internet 2


General View – Overlay Network

[Figure: overlay network in three layers: Services Layer, Server Layer, Network Layer]

Page 31: Media Distribution Management Platform and IPTV over Internet 2


Page 32: Media Distribution Management Platform and IPTV over Internet 2


Page 33: Media Distribution Management Platform and IPTV over Internet 2


Work in Progress

Testing prototype

New functionalities and optimization:

Video replication

Access control and distributed metadata

Multicast Overlay proposal adoption (for example, Overlay Multicast Control Protocol from IETF);

Adoption of management data models based on XML from Global Grid Forum

Use of components model for Manager dynamic configuration update

Integration with measurement infrastructure and new services.

Page 34: Media Distribution Management Platform and IPTV over Internet 2


Final Considerations

Our project proposed/implemented:

Common infrastructure for multimedia services;

Architecture based on open standards, allowing uniform interfaces for all the applications;

Web-based management system;

Resource optimization;

Flexibility and scalability.

Service will be personalized for different contexts: schools, hospitals, and community and educational TVs.

Page 35: Media Distribution Management Platform and IPTV over Internet 2


Acknowledgements

Financial Support: RNP (National Education and Research Network)

Collaboration: Prof. Guido Lemos de Souza Filho – LAVID/DI/UFPB; Prof. José Augusto Suruagy Monteiro – UNIFACS

Page 36: Media Distribution Management Platform and IPTV over Internet 2

Applying Security in IPTV Environment

Tereza Cristina Melo de Brito Carvalho [email protected]

LARC – PCS/EP – University of São Paulo

Ericsson Research Sweden

Page 37: Media Distribution Management Platform and IPTV over Internet 2


Team

Christiane Marie Schweitzer [email protected]

Daniel Pires [email protected]

Diego Sanchez Gallo [email protected]

Flávio [email protected]

Marcio Augusto Lima e [email protected]

Regina Melo Silveira [email protected]

Tereza Cristina Melo de Brito Carvalho

[email protected]

Wilson Vicente Ruggiero [email protected]

Ayodele [email protected]

Page 38: Media Distribution Management Platform and IPTV over Internet 2


Agenda

Security Context (Application Layer and Network Layer); Threats (Service and Content); IPTV Security; Countermeasures; IPTV Policies; Final Considerations

Page 39: Media Distribution Management Platform and IPTV over Internet 2


Security Context

Application Level Security

On the STB (Set-Top Box) video client, video services and content store.

Referred to as digital rights management (DRM) systems, encompassing conditional access, copy protection, encryption and watermarking.

Page 40: Media Distribution Management Platform and IPTV over Internet 2


Security Context

Network Level Security

On the content delivery architecture: confidentiality, integrity and availability of the data flows; prevention, detection and reaction.

Page 41: Media Distribution Management Platform and IPTV over Internet 2


Security Threats in Multimedia Communications [ITU-T 2003]

Page 42: Media Distribution Management Platform and IPTV over Internet 2


Threats

Service: illegal service usage; disruption of service

Content: an insider stealing content from the service core; a subscriber stealing content from the service core; a subscriber stealing content from the STB

Page 43: Media Distribution Management Platform and IPTV over Internet 2


Threats: Illegal service usage

Rogue subscription: An attacker gains access to broadband video services without a subscription.

Escalation of subscription: An attacker gains access to video services that are beyond the parameters of his/her subscription.

Page 44: Media Distribution Management Platform and IPTV over Internet 2


Threats: Disruption of service

Attack against other subscribers: the attacker attempts to disrupt the service for a specific subscriber or group of subscribers by directly acting on equipment that resides on the victim’s home network.

Attack against the access and transport infrastructure: the attacker attempts to disrupt the service by degrading the performance of one or several components of the architecture (access node, Broadband Service Aggregators, Broadband Service Routers, etc).

Attack against the video service core: the attacker directly targets the components that render the video services, such as the VoD servers.

Page 45: Media Distribution Management Platform and IPTV over Internet 2


Threats: Content

An insider stealing content from the service core: the thief is an insider, i.e., a service provider’s employee, who has easy access to the stored content.

A subscriber stealing content from the service core: weaknesses in the broadband TV architecture allow the attacker (from his/her home network) to compromise the servers that host the content.

A subscriber stealing content from the STB: the attacker is a subscriber who wants to use the content acquired beyond his/her fair right of usage.

Page 46: Media Distribution Management Platform and IPTV over Internet 2


IPTV Security

Privacy; Confidentiality; Integrity; Availability; Interoperability

Page 47: Media Distribution Management Platform and IPTV over Internet 2


IPTV Security: Privacy

The Service Provider must handle customer information without any personally identifiable information.

The Service Provider must manage CPEs (Customer Premises Equipment) and must not know whether a device belongs to a given customer, or how many devices this customer has at home.

Page 48: Media Distribution Management Platform and IPTV over Internet 2


IPTV Security: Confidentiality

Video Content

The video must be transported encrypted

The content must be recorded protected

Authentication and authorization guarantees

Page 49: Media Distribution Management Platform and IPTV over Internet 2


IPTV Security: Integrity

The content cannot be modified: multicast and unicast security; content source security

Billing system integrity: only authorized persons should have access to the billing system

Page 50: Media Distribution Management Platform and IPTV over Internet 2


IPTV Security: Availability

Can someone disrupt your IPTV service? To what scale?

Any of the IPTV devices could be vulnerable to: Denial-of-Service attack; buffer overflow; weak TCP/IP or protocol stack implementation

If another service is down (Voice and Data), would it take down IPTV too? System dependencies

Page 51: Media Distribution Management Platform and IPTV over Internet 2


IPTV Security: Interoperability

There is currently no common standard on IPTV, other than the use of multicast/unicast.

This may help security as a ‘diversity factor’: one vulnerability for one service provider may not work for another.

Standards in the works: ITU (ISO); ISMA.tv; others

Page 52: Media Distribution Management Platform and IPTV over Internet 2


Security Architecture [ITU-T/IPTV]

Page 53: Media Distribution Management Platform and IPTV over Internet 2


Countermeasures

Protection of content

Transport infrastructure protection

Home network protection

Secure operation of the infrastructure

Page 54: Media Distribution Management Platform and IPTV over Internet 2


Countermeasures: Protection of Content

DRM state-of-the-art mechanisms: to protect the content delivered to the subscriber; to apply appropriate content/service usage policy enforcement mechanisms in the STB.

Content stored on the service delivery must be encrypted

Page 55: Media Distribution Management Platform and IPTV over Internet 2


Transport Infrastructure Protection

Restrict traffic according to the user’s subscription

IGMP proxies on the access node must have some awareness of the user subscription and refuse to forward any channel outside of the user’s subscription

Subscriber traffic should be segregated to disable residential bridging

Page 56: Media Distribution Management Platform and IPTV over Internet 2


Transport Infrastructure Protection

Efficient traffic filtering mechanisms need to be provided to keep the communication flow between home network and service delivery platform to a strict minimum

The infrastructure must provide a way to enforce QoS parameters on a per subscriber basis in order to mitigate the effect on the infrastructure of abusive usage of bandwidth by a specific subscriber

The access node must provide a number of protection mechanisms against MAC and IGMP-based attacks.
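The two transport-protection slides ask for subscription-aware IGMP handling and for protection against IGMP-based attacks on the access node. The sketch below is an added example, not code from the presentation: the class `AccessNodeIgmpFilter`, the port names, the multicast groups and the rate limits are all hypothetical, and it assumes IGMPv2 messages already extracted from their IP packets.

```python
import ipaddress
import struct
from collections import defaultdict, deque

IGMP_V2_REPORT = 0x16  # IGMPv2 Membership Report ("join")
IGMP_V2_LEAVE = 0x17   # IGMPv2 Leave Group


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmp(group: str, msg_type: int = IGMP_V2_REPORT) -> bytes:
    """Build a constructed 8-byte IGMPv2 message (sample input only)."""
    addr = ipaddress.IPv4Address(group).packed
    csum = inet_checksum(struct.pack("!BBH4s", msg_type, 0, 0, addr))
    return struct.pack("!BBH4s", msg_type, 0, csum, addr)


class AccessNodeIgmpFilter:
    """Hypothetical per-port IGMP policy for an access node."""

    def __init__(self, subscriptions, max_joins=3, window=10.0):
        # subscriptions: subscriber port -> multicast groups (channels) paid for
        self.subs = {port: {ipaddress.IPv4Address(g) for g in groups}
                     for port, groups in subscriptions.items()}
        self.max_joins = max_joins        # joins accepted per port per window
        self.window = window              # window length in seconds
        self.recent = defaultdict(deque)  # port -> timestamps of counted joins

    def handle(self, port: str, payload: bytes, now: float) -> str:
        # 1. Structural checks: a valid message sums to zero with its checksum.
        if len(payload) < 8 or inet_checksum(payload) != 0:
            return "drop-malformed"
        msg_type, _, _, raw_group = struct.unpack("!BBH4s", payload[:8])
        if msg_type == IGMP_V2_LEAVE:
            return "forward"
        if msg_type != IGMP_V2_REPORT:
            return "drop-unsupported"
        # 2. Per-port join rate limit, so one subscriber cannot flood the proxy.
        #    Denied joins count too; the queue never exceeds max_joins entries.
        q = self.recent[port]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_joins:
            return "drop-rate-limit"
        q.append(now)
        # 3. Subscription check: never forward a channel the port did not buy.
        if ipaddress.IPv4Address(raw_group) not in self.subs.get(port, set()):
            return "drop-not-subscribed"
        return "forward"


def demo():
    """Run constructed joins through the filter and return the verdicts."""
    f = AccessNodeIgmpFilter({"port1": {"239.1.1.1", "239.1.1.2"}})
    good = build_igmp("239.1.1.1")
    corrupt = good[:-1] + bytes([good[-1] ^ 0x01])  # breaks the checksum
    return [
        f.handle("port1", good, 0.0),
        f.handle("port1", build_igmp("239.9.9.9"), 1.0),
        f.handle("port1", corrupt, 1.5),
        f.handle("port1", build_igmp("239.1.1.2"), 2.0),
        f.handle("port1", build_igmp("239.1.1.1"), 3.0),
        f.handle("port1", build_igmp("239.1.1.1"), 20.0),
        f.handle("port2", build_igmp("239.1.1.1"), 20.0),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The join limit has to be sized against legitimate zapping, which also produces bursts of joins from a single port.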

Page 57: Media Distribution Management Platform and IPTV over Internet 2


Home Network Protection

Secure storage for security sensitive information on the STB is required to avoid cloning and disclosure of this information

Secure provisioning mechanisms of the STB are needed for the service provider to be able to support these systems

Page 58: Media Distribution Management Platform and IPTV over Internet 2


Secure Operation of the Infrastructure

Appropriate patch and vulnerability management on the service delivery platform.

Adding IDS or IPS mechanisms in order to detect and prevent attempts by the subscriber or any other attacker to compromise the content delivery infrastructure.

Efficient revocation mechanisms are needed for authentication information and key material used in the STB to access services.

Page 59: Media Distribution Management Platform and IPTV over Internet 2


IPTV Policies

Security policies: DRM-specific ones and infrastructure.

QoS policies: adaptability and performance of both provided media and services.

Page 60: Media Distribution Management Platform and IPTV over Internet 2


IPTV Security Policies

Content owners are extremely reluctant to provide content to a distributor that doesn’t have an effective DRM system because of the chance that a perfect digital copy of the content could be used to create copies for illegal resale.

This control needs to prevent copying not only at the distributor facility, but also on any device that a user may use to play back the content, such as a set-top-box or a PC.

Page 61: Media Distribution Management Platform and IPTV over Internet 2


IPTV Security Policies - examples

DRM Specific Policies

Can be understood as content usage policies, regarding the content owner's media rights.

The content cannot be modified by the Service Provider

Samples from the content cannot be made by the Service Provider

The content cannot be replicated

The content can be replicated

The content can be displayed five times

The content cannot be saved

The content can be saved
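How usage rules like these could be enforced on the STB, together with the revocation requirement from the secure-operation slide, is sketched below. This is an added example, not code from the presentation: the license layout, field names, device identifiers and the `StbPolicyEnforcer` class are hypothetical. It assumes a shared HMAC key for brevity; a deployed DRM system would use asymmetric signatures and hardware-backed storage for the display counter.

```python
import hashlib
import hmac
import json


def _canonical(fields: dict) -> bytes:
    """Stable byte encoding of the license fields for tagging."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_license(key: bytes, fields: dict) -> dict:
    """Service-provider side: bind the usage rules to an integrity tag."""
    tag = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {"fields": fields, "tag": tag}


class StbPolicyEnforcer:
    """Hypothetical STB-side check of DRM usage policies (default deny)."""

    def __init__(self, key: bytes, revoked_devices=()):
        self.key = key                       # assumption: shared HMAC key
        self.revoked = set(revoked_devices)  # revocation list from the provider
        self.displays = {}                   # (device, content) -> displays used

    def request(self, device_id: str, lic: dict, action: str) -> str:
        # 1. Reject licenses whose rules were altered after issuance.
        expected = hmac.new(self.key, _canonical(lic["fields"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(lic.get("tag", ""))):
            return "deny: invalid license"
        rules = lic["fields"]
        # 2. Revoked or cloned devices get nothing, whatever the license says.
        if device_id in self.revoked:
            return "deny: device revoked"
        if rules["device_id"] != device_id:
            return "deny: license bound to another device"
        # 3. Evaluate the requested action against the usage rules.
        if action == "save":
            return "allow" if rules["can_save"] else "deny: save not permitted"
        if action == "replicate":
            if rules["can_replicate"]:
                return "allow"
            return "deny: replication not permitted"
        if action == "display":
            slot = (device_id, rules["content_id"])
            used = self.displays.get(slot, 0)
            if used >= rules["max_displays"]:
                return "deny: display limit reached"
            self.displays[slot] = used + 1
            return "allow"
        return "deny: unknown action"


def demo():
    """Constructed scenario: 'displayed five times, cannot be saved'."""
    key = b"constructed-demo-key-not-a-real-secret"
    rules = {"content_id": "movie-1", "device_id": "stb-A",
             "max_displays": 5, "can_save": False, "can_replicate": False}
    lic = issue_license(key, rules)
    stb = StbPolicyEnforcer(key, revoked_devices={"stb-R"})
    shown = [stb.request("stb-A", lic, "display") for _ in range(6)]
    tampered = {"fields": dict(rules, max_displays=500), "tag": lic["tag"]}
    revoked_lic = issue_license(key, dict(rules, device_id="stb-R"))
    return {
        "displays": shown,
        "save": stb.request("stb-A", lic, "save"),
        "tampered": stb.request("stb-A", tampered, "display"),
        "other_device": stb.request("stb-B", lic, "display"),
        "revoked": stb.request("stb-R", revoked_lic, "display"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```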

Page 62: Media Distribution Management Platform and IPTV over Internet 2


IPTV Security Policies - examples

Infrastructure Policies

Can be understood as service policies, regarding the security or QoS issues on the content delivery/transport architecture.

All content MUST BE encrypted.

All content MUST BE watermarked.

All content users MUST BE identified.

Page 63: Media Distribution Management Platform and IPTV over Internet 2


IPTV QoS Policies - examples

Interaction Policy

The service must provide a specified QoE level.

The service must adapt itself to the user device capabilities.

The service must adapt the provided content to the device resolution (e.g. HDTV 1920x1080 to low resolutions).

Page 64: Media Distribution Management Platform and IPTV over Internet 2


IPTV QoS Policies - examples

Infrastructure Policy

The network must have bandwidth guarantees.

The network must have delay guarantees.

The network must have jitter guarantees.

The network must have loss guarantees.

Page 65: Media Distribution Management Platform and IPTV over Internet 2


Final Considerations

IPTV Security = Content + Service + Transport Security

DRM System is not enough, but it is a good start

Encryption and Authentication must be a priority

Page 66: Media Distribution Management Platform and IPTV over Internet 2


Acknowledgments