Media Distribution Management Platform and IPTV over Internet 2
Tereza Cristina Melo de Brito Carvalho
Regina Melo Silveira
LARC - Laboratory of Computer Network Architecture, EPUSP - Escola Politécnica, University of São Paulo, Brazil
IPTV over Internet 2
Tereza Cristina Melo de Brito Carvalho
Regina Melo Silveira
LARC - PCS/EP - University of São Paulo
Ericsson Research Sweden
4-7 December, 2006 Fall 2006 Internet 2 Member Meeting
Team
Marcio Augusto Lima e
Flávio
Daniel Pires
Christiane Marie Schweitzer
Diego Sanchez Gallo
Regina Melo Silveira
Tereza Cristina Melo de Brito Carvalho
Wilson Vicente Ruggiero
Ayodele
Agenda
Introduction
Scenario
Requirements
IPTV Architecture
IPTV over Internet2
Final Considerations
Acknowledgments
Introduction
What is IPTV? TV channels over the Internet? Video streams encapsulated in IP packets over a “service provider” network?
Will the Internet support a High Definition IPTV service?
“Internet not ready for its future roles” (Bill St. Arnaud)
Scenario
High Definition streams (HDTV): typically 25 Mbps per TV channel with MPEG-2 encoding.
Multiple different channels are sent simultaneously to multiple different receivers at the same location: a home with three TV sets would require at least 3 x 25 Mbps.
Scenario
IPTV requires high levels of Quality of Service (QoS) and Quality of Experience (QoE), at least on par with analog or digital TV broadcast systems.
Access network technologies like xDSL will not support high definition IPTV services: VDSL has bandwidth and distance limitations. It achieves 50 Mbps at 300 m.
Scenario
Currently, FTTH (Fiber-To-The-Home) services seem to be the only alternative for fulfilling IPTV (HDTV) needs.
PON (Passive Optical Network) presents itself as the most viable FTTH technology, from both an economic and an operational standpoint. WDM-PON can provide a 100 Mbps fiber connection far beyond 300 m (around tens of kilometers).
Requirements
Security
Content protection: protection of the intellectual property of the content owner, while allowing fair use for the final user.
Service protection: authentication, confidentiality and access control.
Requirements
Quality of Experience (simple and convenient handling): multi-channel zapping
Infrastructure:
Availability (at least on par with analog or digital TV broadcast systems)
Accessibility (diversity of devices, e.g. PCs, Set-Top-Boxes)
Network/application scalability
IPTV Architecture
Architecture Entities
Head-End: provides IPTV services (Broadcast TV and VoD)
Transport Network: delivers video streams to customers
Customer Premises: broadband network termination
IPTV Architecture: Head-End
Broadcast TV Head-End system:
Receives an analog or digital signal via satellite or other means, typically with multiple transport streams
Converts it to a series of single program streams
Encodes or transcodes the signals (e.g. to MPEG-4 format)
Encapsulates streams in IP packets for transmission
Sends streams to a specific IP multicast group
IPTV Architecture: Head-End
VoD (Video-On-Demand) Head-End System:
Encapsulates video streams in IP packets
Sends streams to users
IPTV Architecture: Transport Network
Core Network: high capacity optical network with technologies such as IP over DWDM and MPLS/GMPLS
Edge Network: multicast enabled network that connects the core network to the access network
Access Network: an FTTH-PON (Fiber-To-The-Home Passive Optical Network)
IPTV Architecture: Customer Premise
Provides broadband network termination functionalities
It is the IPTV service client
The heterogeneous technologies found in home network devices create the need for a robust Home Gateway that connects them and provides the necessary services
Multicast vs. Overlay
Overlay tries to provide multicast functionalities at the application layer. It is still an immature solution for providing a reliable, QoE-enabled service for high-definition content with scalability.
Multicast is proven to be a more efficient distribution scheme with scalability.
This work proposes a self-contained, controlled private network: the Internet does (still) not provide the required levels of availability, scalability, QoE and QoS.
Final Considerations
IPTV over Internet2: HDTV over the Internet with stringent QoS and QoE requirements is not possible on the current infrastructure.
Due to QoE requirements (e.g. zapping), a bandwidth of hundreds of Mbps per service user (per subscriber) is required.
A Platform for Media Distribution Management
Regina Melo Silveira
LARC - Laboratory of Computer Network Architecture, EPUSP - Escola Politécnica, University of São Paulo, Brazil
Agenda
Introduction
Our Challenge
Related Work
Proposal: Conceptual Model, Physical Model
Main Functionalities
General View
Work in Progress
Final Considerations
Introduction
Huge number of multimedia applications (documentation, advertisement, entertainment ...);
New multimedia services (broadcast, telecommunications, CATV);
Convergence: service integration with access network independence;
Growing demand for storage, distribution and consumption management, allowing broad media utilization and re-use.
Introduction
Multimedia services management includes:
(i) multimedia content storage, retrieval and search;
(ii) access control and authentication of users and groups of users;
(iii) distribution, adaptation, configuration and monitoring of the system (servers and clients) for multimedia content delivery and consumption;
(iv) network element management.
Our Challenge
To develop a Platform for Media Distribution Management respecting the following requirements:
Use open standards (ISMA, MPEG-7, MPEG-21);
Define integrated interfaces for the different multimedia services already deployed on the RNP network;
Prototype development and tests on the RNP network.
The prototype uses two multimedia distribution services developed by LAVID/UFPB: dvod (video on demand) and dlive (live video).
Related Work
MUFFINS - MUltimedia Framework For INteroperability in Secure - IST
PERSEO - Personalised Multichannel Services for Advanced Multimedia Stream Management - IST
CODAC - Modeling and Querying Content Description and Quality Adaptation Capabilities of Audio-Visual Data - Klagenfurt University, Austria
ADMITS - Adaptation in Distributed Multimedia IT Systems - Klagenfurt University, Austria
DANAE - Dynamic and distributed Adaptation of scalable multimedia coNtent in a context Aware Environment - IST
iTVP - Interactive TV Services over IP Networks - PSNC - PIONNER
Rich Content Infrastructure and Middleware for Media - IBM
Proposal
4 (four) user types: Client, Content Provider, Administrator, Manager.
4 (four) sub-systems: Portal; Access control, storage and retrieval; Manager (Coordinator and Monitor); Transmitter (Multimedia delivery service).
3 (three) management levels: Service, Server, Network.
Proposal – Conceptual Model
Proposal – Physical Model
Main Functionalities
Video upload and indexation
Live event transmission registration
Media search
Media catalogue (personalized)
Media visualization (personalized)
Users, groups and projects management
Applications/services (sections) management
Servers management
Network elements management
General View – Overlay Network
Figure: overlay network diagram with three layers, labelled in Portuguese and English: Camada de Serviços / Services Layer; Camada de Servidores / Server Layer; Camada de Rede / Network Layer.
Work in Progress
Testing the prototype
New functionalities and optimization:
Video replication
Access control and distributed metadata
Adoption of a multicast overlay proposal (for example, the Overlay Multicast Control Protocol from the IETF);
Adoption of management data models based on XML from the Global Grid Forum
Use of a component model for dynamic Manager configuration updates
Integration with the measurement infrastructure and new services.
Final Considerations
Our project proposed/implemented:
Common infrastructure for multimedia services;
Architecture based on open standards, allowing uniform interfaces for all the applications;
Web-based management system;
Resource optimization;
Flexibility and scalability.
The service will be personalized for different contexts: schools, hospitals, and community and educational TVs.
Acknowledgements
Financial Support: RNP (National Education and Research Network)
Collaboration: Prof. Guido Lemos de Souza Filho - LAVID/DI/UFPB; Prof. José Augusto Suruagy Monteiro - UNIFACS
Applying Security in IPTV Environment
Tereza Cristina Melo de Brito Carvalho
LARC - PCS/EP - University of São Paulo
Ericsson Research Sweden
Team
Christiane Marie Schweitzer
Daniel Pires
Diego Sanchez Gallo
Flávio
Marcio Augusto Lima e
Regina Melo Silveira
Tereza Cristina Melo de Brito Carvalho
Wilson Vicente Ruggiero
Ayodele
Agenda
Security Context (Application Layer and Network Layer)
Threats (Service and Content)
IPTV Security
Countermeasures
IPTV Policies
Final Considerations
Security Context
Application Level Security
On the STB (Set-Top Box) video client, video services and content store.
Referred to as digital rights management (DRM) systems, encompassing conditional access, copy protection, encryption and watermarking.
Security Context
Network Level Security
On the content delivery architecture:
confidentiality, integrity and availability of the data flows;
prevention, detection and reaction.
Security Threats in Multimedia Communications [ITU-T 2003]
Threats
Service: illegal service usage; disruption of service
Content: an insider stealing content from the service core; a subscriber stealing content from the service core; a subscriber stealing content from the STB
Threats: Illegal service usage
Rogue subscription: An attacker gains access to broadband video services without a subscription.
Escalation of subscription: An attacker gains access to video services that are beyond the parameters of his/her subscription.
Threats: Disruption of service
Attack against other subscribers: the attacker attempts to disrupt the service for a specific subscriber or group of subscribers by directly acting on equipment that resides on the victim’s home network.
Attack against the access and transport infrastructure: the attacker attempts to disrupt the service by degrading the performance of one or several components of the architecture (access node, Broadband Service Aggregators, Broadband Service Routers, etc).
Attack against the video service core: the attacker directly targets the components that render the video services, such as the VoD servers.
Threats: Content
An insider stealing content from the service core: the thief is an insider, i.e., a service provider’s employee, who has easy access to the stored content.
A subscriber stealing content from the service core: weaknesses in the broadband TV architecture allow the attacker (from his/her home network) to compromise the servers that host the content.
A subscriber stealing content from the STB: the attacker is a subscriber who wants to use the acquired content beyond his/her fair right of usage.
IPTV Security
Privacy, Confidentiality, Integrity, Availability, Interoperability
IPTV Security: Privacy
The Service Provider must handle customer information without any personally identifiable information.
The Service Provider must manage CPEs (Customer Premises Equipment), and it must not know whether a CPE belongs to a given customer, or how many pieces of equipment this customer has at home.
IPTV Security: Confidentiality
Video Content:
The video must be transported encrypted
The content must be recorded protected
Authentication and authorization guarantees
IPTV Security: Integrity
The content cannot be modified: multicast and unicast security; content source security
Billing system integrity: only authorized persons should have access to the billing system
IPTV Security: Availability
Can someone disrupt your IPTV service? To what scale?
Any IPTV device could be vulnerable to: Denial-of-Service attack; buffer overflow; weak TCP/IP or protocol stack implementation
If another service is down (Voice and Data), would it take down IPTV too? System dependencies
IPTV Security: Interoperability
There is currently no common standard on IPTV, other than the use of multicast/unicast
This may help security as a ‘diversity factor’: one vulnerability for one service provider may not work for another
Standards in the works: ITU (ISO), ISMA.tv, others
Security Architecture [ITU-T/IPTV]
Countermeasures
Protection of content
Transport infrastructure protection
Home network protection
Secure operation of the infrastructure
Countermeasures: Protection of Content
DRM state-of-the-art mechanisms:
To protect the content delivered to the subscriber
To apply appropriate content/service usage policy enforcement mechanisms in the STB.
Content stored on the service delivery platform must be encrypted
Transport Infrastructure Protection
To restrict traffic according to the user’s subscription
IGMP proxies on the access node must have some awareness of the user subscription and refuse to forward any channel outside of the user’s subscription
Subscriber traffic should be segregated to disable residential bridging
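The subscription-aware IGMP proxy described on this slide, as an added illustration that is not part of the original presentation: the access node parses each IGMPv2 membership report arriving from a subscriber port, verifies the message checksum, maps the requested multicast group back to a channel, and forwards the join only if that channel is in the port's package (the escalation-of-subscription case from the threats slides is refused and logged by reason). The channel line-up, subscriber packages, port names and multicast addresses are constructed for the example.

```python
import ipaddress
import struct

IGMPV2_MEMBERSHIP_REPORT = 0x16
IGMPV2_LEAVE_GROUP = 0x17

# Constructed channel line-up: channel name -> multicast group used by the head-end.
CHANNEL_GROUPS = {
    "basic-news": "239.1.1.10",
    "basic-sports": "239.1.1.11",
    "premium-hd": "239.1.2.20",
}
# Constructed subscription records: access-node port -> channels in the package.
SUBSCRIPTIONS = {
    "port-7": {"basic-news", "basic-sports"},
    "port-9": {"basic-news", "basic-sports", "premium-hd"},
}

def igmp_checksum(data: bytes) -> int:
    """Ones'-complement checksum (RFC 1071) over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_igmpv2(msg_type: int, group: str) -> bytes:
    """Build an 8-byte IGMPv2 message with a valid checksum (sample input)."""
    body = struct.pack("!BBH4s", msg_type, 0, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", igmp_checksum(body)) + body[4:]

def parse_igmpv2(pkt: bytes):
    """Return (type, group) from an IGMPv2 message; reject malformed ones."""
    if len(pkt) != 8:
        raise ValueError("not an IGMPv2 message")
    if igmp_checksum(pkt) != 0:  # a valid message checksums to zero
        raise ValueError("bad IGMP checksum")
    msg_type, _max_resp, _csum, group = struct.unpack("!BBH4s", pkt)
    return msg_type, str(ipaddress.IPv4Address(group))

def filter_join(port: str, pkt: bytes) -> str:
    """Proxy decision for one IGMP message from a subscriber port:
    "forward", or "refuse:<reason>" that the access node would log.
    """
    msg_type, group = parse_igmpv2(pkt)
    if msg_type == IGMPV2_LEAVE_GROUP:
        return "forward"  # a leave never widens what the port receives
    if msg_type != IGMPV2_MEMBERSHIP_REPORT:
        return "refuse:unexpected-type"  # queries come from the network side, not subscribers
    if not ipaddress.IPv4Address(group).is_multicast:
        return "refuse:not-multicast"
    channel = next((c for c, g in CHANNEL_GROUPS.items() if g == group), None)
    if channel is None:
        return "refuse:unknown-channel"  # not a channel the head-end serves
    if channel not in SUBSCRIPTIONS.get(port, set()):
        return "refuse:outside-subscription"
    return "forward"
```

Repeated "refuse:outside-subscription" decisions from one port are the detection signal for the escalation-of-subscription threat, so the reason string is what a real access node should export to its logging.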
Transport Infrastructure Protection
Efficient traffic filtering mechanisms need to be provided to keep the communication flow between home network and service delivery platform to a strict minimum
The infrastructure must provide a way to enforce QoS parameters on a per subscriber basis in order to mitigate the effect on the infrastructure of abusive usage of bandwidth by a specific subscriber
The access node must provide a number of protection mechanisms against MAC and IGMP-based attacks.
Home Network Protection
Secure storage for security sensitive information on the STB is required to avoid cloning and disclosure of this information
Secure provisioning mechanisms of the STB are needed for the service provider to be able to support these systems
Secure Operation of the Infrastructure
Appropriate patch and vulnerability management on the service delivery platform.
Adding IDS or IPS mechanisms in order to detect and prevent attempts by the subscriber or any other attacker to compromise the content delivery infrastructure.
Efficient revocation mechanisms are needed for authentication information and key material used in the STB to access services.
IPTV Policies
Security policies: DRM-specific policies and infrastructure policies.
QoS policies: adaptability and performance of both the provided media and the services.
IPTV Security Policies
Content owners are extremely reluctant to provide content to a distributor that doesn’t have an effective DRM system, because of the chance that a perfect digital copy of the content could be used to create copies for illegal resale.
This control needs to prevent copying not only at the distributor facility, but also on any device that a user may use to play back the content, such as a set-top-box or a PC.
IPTV Security Policies - examples
DRM Specific Policies: can be understood as content usage policies regarding the content owner’s media rights.
The content cannot be modified by the Service Provider
Samples of the content cannot be taken by the Service Provider
The content cannot be replicated / The content can be replicated
The content can be displayed five times
The content cannot be saved / The content can be saved
IPTV Security Policies - examples
Infrastructure Policies: can be understood as service policies regarding the security or QoS issues of the content delivery/transport architecture.
All content MUST BE encrypted.
All content MUST BE watermarked.
All content users MUST BE identified.
IPTV QoS Policies - examples
Interaction Policy
The service must provide a specified QoE level.
The service must adapt itself to the user device capabilities.
The service must adapt the provided content to the device resolution (e.g. HDTV 1920x1080 to low resolutions).
IPTV QoS Policies - examples
Infrastructure Policy
The network must have bandwidth guarantees.
The network must have delay guarantees.
The network must have jitter guarantees.
The network must have loss guarantees.
Final Considerations
IPTV Security = Content + Service + Transport Security
DRM System is not enough, but it is a good start
Encryption and Authentication must be priority
Acknowledgments