Media Distribution Management Platform and IPTV over Internet 2
Tereza Cristina Melo de Brito Carvalho [email protected]
Regina Melo Silveira [email protected]
Christiane Marie Schweitzer [email protected]
LARC - Laboratory of Computer Network Architecture, EPUSP – Escola Politécnica, University of São Paulo - Brazil
IPTV over Internet 2
Tereza Cristina Melo de Brito Carvalho [email protected]
Regina Melo Silveira [email protected]
LARC – PCS/EP – University of São Paulo; Ericsson Research Sweden; Kyatera Project – TIDIA Program - FAPESP
4-7 December, 2006 Fall 2006 Internet 2 Member Meeting
Team
Ayodele [email protected]
Christiane Marie Schweitzer [email protected]
Daniel Pires [email protected]
Diego Sanchez Gallo [email protected]
Flávio [email protected]
Marcio Augusto Lima e [email protected]
Regina Melo Silveira [email protected]
Tereza Cristina Melo de Brito Carvalho
Wilson Vicente Ruggiero [email protected]
Agenda
Introduction
Scenario
Requirements
IPTV Architecture
IPTV over Internet2
Final Considerations
Acknowledgments
Introduction
What is IPTV?
TV channels over the Internet?
Video streams encapsulated in IP packets over a "service provider" network?
Will the Internet support a High Definition IPTV service?
"Internet not ready for its future roles" (Bill St. Arnaud)
Scenario
High Definition Streaming (HDTV): typically 25 Mbps per TV channel with MPEG-2 encoding.
Multiple channels are sent simultaneously to multiple receivers at the same location: a home with three TV sets would require at least 3 x 25 Mbps.
Scenario
IPTV requires high levels of:
Quality of Service (QoS)
Quality of Experience (QoE)
... at least on par with analog or digital TV broadcast systems.
Access network technologies like xDSL do not support high definition IPTV services: VDSL has bandwidth and distance limitations; it achieves 50 Mbps at 300 m.
Scenario
Currently, FTTH (Fiber-To-The-Home) services seem to be the only alternative that fulfills the needs of IPTV (HDTV).
PON (Passive Optical Network) presents itself as the most viable FTTH technology, from both the economic and the operational standpoint. WDM-PON can provide a 100 Mbps fiber connection far beyond 300 m (around tens of kilometers).
Requirements
Security:
Content protection: protection of the intellectual property of the content owner, while allowing fair use for the end user.
Service protection: authentication, confidentiality and access control.
Requirements
Quality of Experience (simple and convenient handling): multi-channel; zapping.
Infrastructure:
Availability (at least on par with analog or digital TV broadcast systems).
Accessibility (diversity of devices, e.g. PCs, set-top boxes).
Network/application scalability.
IPTV Architecture
Architecture Entities
Head-End: provides IPTV services (Broadcast TV and VoD).
Transport Network: delivers video streams to the customers.
Customer Premises: broadband network termination.
IPTV Architecture: Head-End
Broadcast TV Head-End system:
Receives an analog or digital signal via satellite or other means, typically with multiple transport streams.
Converts it to a series of single program streams.
Encodes or transcodes the signals (e.g. to MPEG-4 format).
Encapsulates the streams in IP packets for transmission.
Sends the streams to a specific IP multicast group.
IPTV Architecture: Head-End
VoD (Video-On-Demand) Head-End system: encapsulates video streams in IP packets and sends the streams to the users.
IPTV Architecture: Transport Network
Core Network: high capacity optical network with technologies such as IP over DWDM and MPLS/GMPLS.
Edge Network: multicast enabled network that connects the core network to the access network.
Access Network: an FTTH-PON (Fiber-To-The-Home Passive Optical Network).
IPTV Architecture: Customer Premise
Provides broadband network termination functionalities.
It is the IPTV service client.
The heterogeneous technologies of home network devices call for a robust Home Gateway that connects them and provides the necessary services.
Multicast vs. Overlay
Overlay tries to provide multicast functionality at the application layer: it is still an immature solution for providing a reliable, QoE-enabled and scalable service for high-definition content.
Multicast is proven to be a more efficient and scalable distribution scheme.
This work proposes a self-contained, controlled private network: the Internet does not (yet) provide the required levels of availability, scalability, QoE and QoS.
IPTV over Internet 2 Demonstration
Creation of an infrastructure supporting High Definition Streaming (HDTV).
Specification and performance evaluation of high definition video distribution experiments.
IPTV over Internet 2 Demonstration
Infrastructure
Comprised of three sites:
LARC – Ericsson IPTV Infrastructure: content generation, multicast distribution.
III Workshop TIDIA – KyaTera: content consumption.
International partners: content generation, multicast distribution and/or content consumption.
Content Distribution
Content Distribution
A hybrid topology:
Physical routers: 2 Juniper routers with 2 x 1 Gbps interfaces.
Emulated routers: 6 emulated routers with XORP (eXtensible Open Router Platform – http://www.xorp.org).
This topology will be set up on a server with Linux virtual machines (VMware) and XORP.
All routers will be multicast enabled (PIM-SM – Protocol Independent Multicast – Sparse Mode).
Minimum of 100 to 200 Mbps bandwidth links interconnecting the three sites.
Minimum of 1 Gbps bandwidth links interconnecting the routers in the multicast network.
Content Consumption
Content Consumption
Three clients with a Front End application over a VLC client:
Two clients connected to TVs.
One client with a Media Player (through the EPG – Electronic Program Guide).
Basic functionality of the Front End application: zapping among multicast groups.
A supervisor station that monitors the network to demonstrate some behaviors (link bandwidth, routing tables, multicast protocols, and so on).
EPG (Electronic Program Guide)
IPTV over Internet 2 Demonstration: EPG (Electronic Program Guide)
Final Considerations
IPTV over Internet2: HDTV over the Internet with stringent QoS and QoE requirements is not possible in the current infrastructure.
Due to QoE requirements (e.g. zapping), a bandwidth of hundreds of Mbps per service user (per subscriber) is required.
A Platform for Media Distribution Management
Regina Melo [email protected]
LARC - Laboratory of Computer Network Architecture, EPUSP – Escola Politécnica, University of São Paulo - Brazil
Agenda
Introduction
Our Challenge
Related Work
Proposal: Conceptual Model, Physical Model
Main Functionalities
General View
Work in Progress
Final Considerations
Introduction
Huge number of multimedia applications (documentation, advertisement, entertainment, ...);
New multimedia services (broadcast, telecommunications, CATV);
Convergence: service integration with access network independence;
Growing demand for storage, distribution and consumption management, allowing broad media utilization and re-use.
Introduction
Multimedia services management includes:
(i) multimedia content storage, retrieval and search;
(ii) access control and authentication of users and groups of users;
(iii) distribution, adaptation, configuration and monitoring of the system (server and clients) for multimedia content delivery and consumption;
(iv) network element management.
Our Challenge
To develop a Platform for Media Distribution Management respecting the following requirements:
Use open standards (ISMA, MPEG-7, MPEG-21);
Define integrated interfaces for the different multimedia services already deployed on the RNP network;
Prototype development and tests on the RNP network.
The prototype uses two multimedia distribution services developed by LAVID/UFPB: dvod (video on demand) and dlive (live video).
Related Work
MUFFINS - MUltimedia Framework For INteroperability in Secure – IST
PERSEO - Personalised Multichannel Services for Advanced Multimedia Stream Management – IST
CODAC - Modeling and Querying Content Description and Quality Adaptation Capabilities of Audio-Visual Data - Klagenfurt University – Austria
ADMITS - Adaptation in Distributed Multimedia IT Systems - Klagenfurt University – Austria
DANAE - Dynamic and distributed Adaptation of scalable multimedia coNtent in a context Aware Environment – IST
iTVP - Interactive TV Services over IP Networks - PSNC – PIONNER
Rich Content Infrastructure and Middleware for Media - IBM
Proposal
4 (four) user types: Client, Content Provider, Administrator, Manager.
4 (four) sub-systems: Portal; Access control, storage and retrieval; Manager (Coordinator and Monitor); Transmitter (multimedia delivery service).
3 (three) management levels: Service, Server, Network.
Proposal – Conceptual Model
Proposal – Physical Model
Main Functionalities
Video upload and indexing
Live event transmission registration
Media search
Media catalogue (personalized)
Media visualization (personalized)
Users, groups and projects management
Applications/services (sections) management
Servers management
Network elements management
General View – Overlay Network
Figure: overlay network organized in three layers (Services Layer, Server Layer, Network Layer).
Work in Progress
Testing the prototype.
New functionalities and optimization:
Video replication;
Access control and distributed metadata;
Adoption of a multicast overlay proposal (for example, the Overlay Multicast Control Protocol from the IETF);
Adoption of management data models based on XML from the Global Grid Forum;
Use of a component model for dynamic Manager configuration updates;
Integration with the measurement infrastructure and new services.
Final Considerations
Our project proposed/implemented:
Common infrastructure for multimedia services;
Architecture based on open standards, allowing uniform interfaces for all the applications;
Web-based management system;
Resource optimization;
Flexibility and scalability.
The service will be personalized for different contexts: schools, hospitals, and community and educational TVs.
Acknowledgements
Financial Support: RNP (National Education and Research Network)
Collaboration:
Prof. Guido Lemos de Souza Filho – LAVID/DI/UFPB
Prof. José Augusto Suruagy Monteiro – UNIFACS
Applying Security in IPTV Environment
Tereza Cristina Melo de Brito Carvalho [email protected]
LARC – PCS/EP – University of São Paulo; Ericsson Research Sweden
Agenda
Security Context (Application Layer and Network Layer)
Threats (Service and Content)
IPTV Security
Countermeasures
IPTV Policies
Final Considerations
Security Context
Application Level Security: on the STB (Set-Top Box) video client, the video services and the content store.
Referred to as Digital Rights Management (DRM) systems, enclosing conditional access, copy protection, encryption and watermarking.
Security Context
Network Level Security: on the content delivery architecture; confidentiality, integrity and availability of the data flows.
Prevention, detection and reaction.
Security Threats in Multimedia Communications [ITU-T 2003]
Threats
Service: illegal service usage; disruption of service.
Content: an insider stealing content from the service core; a subscriber stealing content from the service core; a subscriber stealing content from the STB.
Threats: Illegal service usage
Rogue subscription: An attacker gains access to broadband video services without a subscription.
Escalation of subscription: An attacker gains access to video services that are beyond the parameters of his/her subscription.
Threats: Disruption of service
Attack against other subscribers: the attacker attempts to disrupt the service for a specific subscriber or group of subscribers by directly acting on equipment that resides on the victim's home network.
Attack against the access and transport infrastructure: the attacker attempts to disrupt the service by degrading the performance of one or several components of the architecture (access node, Broadband Service Aggregators, Broadband Service Routers, etc.).
Attack against the video service core: the attacker directly targets the components that render the video services, such as the VoD servers.
Threats: Content
An insider stealing content from the service core: the thief is an insider, i.e., a service provider's employee, who has easy access to the stored content.
A subscriber stealing content from the service core: weaknesses in the broadband TV architecture allow the attacker (from his/her home network) to compromise the servers that host the content.
A subscriber stealing content from the STB: the attacker is a subscriber who wants to use the acquired content beyond his/her fair right of usage.
IPTV Security
Privacy
Confidentiality
Integrity
Availability
Interoperability
IPTV Security: Privacy
The Service Provider must handle customer information without any personally identifiable information.
The Service Provider must manage CPEs (Customer Premises Equipment) without knowing whether a given CPE belongs to a customer, or how many pieces of equipment this customer has at home.
IPTV Security: Confidentiality
Video content:
The video must be transported encrypted.
The content must be stored protected.
Authentication and authorization guarantees.
IPTV Security: Integrity
The content cannot be modified: multicast and unicast security; content source security.
Billing system integrity: only authorized persons should have access to the billing system.
IPTV Security: Availability
Can someone disrupt your IPTV service? To what scale?
Any of the IPTV devices could be vulnerable to: denial-of-service attacks; buffer overflows; weak TCP/IP or protocol stack implementations.
If another service is down (voice and data), would it take down IPTV too? System dependencies.
IPTV Security: Interoperability
There is currently no common standard on IPTV other than the use of multicast/unicast.
This may help security as a 'diversity factor': one vulnerability for one service provider may not work for another.
Standards in the works: ITU (ISO); ISMA.tv; others.
Security Architecture [ITU-T/IPTV]
Countermeasures
Protection of content.
Transport infrastructure protection.
Home network protection.
Secure operation of the infrastructure.
Countermeasures: Protection of Content
DRM state-of-the-art mechanisms:
To protect the content delivered to the subscriber.
To apply appropriate content/service usage policy enforcement mechanisms in the STB.
Content stored on the service delivery platform must be encrypted.
Transport Infrastructure Protection
Restrict traffic according to the user's subscription.
IGMP proxies on the access node must have some awareness of the user's subscription and refuse to forward any channel outside of it.
Subscriber traffic should be segregated to disable residential bridging.
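The following is an added model of the subscription-aware IGMP gating described above, not code from the demonstration or from any access-node product. The channel line-up, tiers, per-home stream cap, subscriber ports and event lines are constructed sample data; it also counts repeated out-of-subscription joins per port as a detection signal for the "escalation of subscription" threat listed earlier.

```python
"""Subscription-aware IGMP join gating on an IPTV access node (constructed model)."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed channel line-up: multicast group -> (channel, minimum tier required).
CHANNEL_LINEUP = {
    "239.1.1.10": ("News HD", "basic"),
    "239.1.1.11": ("Sports HD", "basic"),
    "239.1.1.20": ("Movies HD", "premium"),
}
TIER_ORDER = ["basic", "premium"]  # a tier includes every tier listed before it


@dataclass
class Subscription:
    tier: str
    max_streams: int  # concurrent channels the home may pull (e.g. three TV sets)
    joined: set = field(default_factory=set)


def entitled(sub: Subscription, group: str) -> bool:
    """True if the channel's required tier is covered by the subscriber's tier."""
    _, needed = CHANNEL_LINEUP[group]
    return TIER_ORDER.index(needed) <= TIER_ORDER.index(sub.tier)


def decide(subs: dict, port: str, op: str, group: str) -> str:
    """Gate one IGMP membership report by the access port it arrived on."""
    sub = subs.get(port)
    if sub is None:
        return "DROP-UNKNOWN-PORT"  # no provisioned subscriber on this port
    if op == "leave":
        sub.joined.discard(group)
        return "PRUNE"
    if group not in CHANNEL_LINEUP:
        return "DROP-UNKNOWN-GROUP"  # not a service group: never forwarded upstream
    if not entitled(sub, group):
        return "DROP-ENTITLEMENT"  # channel outside the subscription
    if group not in sub.joined and len(sub.joined) >= sub.max_streams:
        return "DROP-LIMIT"  # per-subscriber concurrent-stream cap
    sub.joined.add(group)
    return "FORWARD"


def parse(line: str):
    """Constructed event format: "port=<id> <join|leave> <group>"."""
    port, op, group = line.split()
    return port.split("=", 1)[1], op, group


def escalation_alerts(lines, decisions, threshold: int = 2) -> dict:
    """Ports with repeated out-of-subscription joins: worth raising to the SOC."""
    hits = Counter(parse(l)[0] for l, d in zip(lines, decisions) if d == "DROP-ENTITLEMENT")
    return {port: n for port, n in hits.items() if n >= threshold}


def run(lines):
    """Fresh provisioning state per run: p1 basic home with 3 sets, p2 premium with 1."""
    subs = {"p1": Subscription("basic", 3), "p2": Subscription("premium", 1)}
    decisions = [decide(subs, *parse(line)) for line in lines]
    return decisions, escalation_alerts(lines, decisions)


SAMPLE_EVENTS = [  # constructed IGMP event log seen by the access node
    "port=p1 join 239.1.1.10", "port=p1 join 239.1.1.20", "port=p1 join 239.1.1.20",
    "port=p2 join 239.1.1.20", "port=p2 join 239.1.1.11", "port=p2 leave 239.1.1.20",
    "port=p2 join 239.1.1.11", "port=p1 join 239.9.9.9", "port=p9 join 239.1.1.10",
]

if __name__ == "__main__":
    for line, d in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)[0]):
        print(f"{line:28} -> {d}")
```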
Transport Infrastructure Protection
Efficient traffic filtering mechanisms need to be provided to keep the communication flow between home network and service delivery platform to a strict minimum.
The infrastructure must provide a way to enforce QoS parameters on a per-subscriber basis, in order to mitigate the effect on the infrastructure of abusive bandwidth usage by a specific subscriber.
The access node must provide a number of protection mechanisms against MAC and IGMP-based attacks.
Home Network Protection
Secure storage for security sensitive information on the STB is required to avoid cloning and disclosure of this information.
Secure provisioning mechanisms of the STB are needed for the service provider to be able to support these systems.
Secure Operation of the Infrastructure
Appropriate patch and vulnerability management on the service delivery platform.
Adding IDS or IPS mechanisms in order to detect and prevent attempts by the subscriber or any other attacker to compromise the content delivery infrastructure.
Efficient revocation mechanisms are needed for authentication information and key material used in the STB to access services.
IPTV Policies
Security policies: DRM-specific ones and infrastructure ones.
QoS policies: adaptability and performance of both the provided media and the services.
IPTV Security Policies
Content owners are extremely reluctant to provide content to a distributor that doesn't have an effective DRM system, because a perfect digital copy of the content could be used to create copies for illegal resale.
This control needs to prevent copying not only at the distributor facility, but also on any device that a user may use to play back the content, such as a set-top-box or a PC.
IPTV Security Policies - example
DRM Specific Policies can be intended as content usage policies regarding the content owner's media rights:
The content can not be modified by the Service Provider.
Samples from the content can not be taken by the Service Provider.
The content can/cannot be replicated.
The content can/cannot be saved.
The content can be displayed five times.
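The following is an added example (not code from the presentation or from any DRM product) of how an STB or service platform could enforce the usage policy listed above as a fail-closed, stateful check: owner rights restrict what the Service Provider may do, subscriber rights restrict replicate/save, and the display limit is counted against license state that the STB would keep in secure storage. The actor names, content id and request sequence are assumptions.

```python
"""Stateful enforcement of a DRM content usage policy (constructed illustration)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class UsagePolicy:
    """Rights granted by the content owner for one piece of content."""
    content_id: str
    provider_may_modify: bool = False      # content can not be modified by the Service Provider
    provider_may_sample: bool = False      # samples can not be taken by the Service Provider
    subscriber_may_replicate: bool = False # content can/cannot be replicated
    subscriber_may_save: bool = False      # content can/cannot be saved
    display_limit: Optional[int] = None    # e.g. 5 displays; None means unlimited


@dataclass
class LicenseState:
    """Per-content counter the STB keeps in secure storage; only ever increases."""
    displays_used: int = 0


# Which actor may request which action; any other combination is denied (fail closed).
_PROVIDER_ACTIONS = {"modify": "provider_may_modify", "sample": "provider_may_sample"}
_SUBSCRIBER_ACTIONS = {"replicate": "subscriber_may_replicate", "save": "subscriber_may_save"}


def evaluate(policy: UsagePolicy, state: LicenseState, actor: str, action: str) -> str:
    """Return 'ALLOW' or 'DENY:<reason>' for one request; a granted display is counted first."""
    if actor == "service-provider" and action in _PROVIDER_ACTIONS:
        granted = getattr(policy, _PROVIDER_ACTIONS[action])
        return "ALLOW" if granted else f"DENY:{action}-forbidden-by-owner"
    if actor == "subscriber" and action in _SUBSCRIBER_ACTIONS:
        granted = getattr(policy, _SUBSCRIBER_ACTIONS[action])
        return "ALLOW" if granted else f"DENY:{action}-forbidden-by-owner"
    if actor == "subscriber" and action == "display":
        if policy.display_limit is not None and state.displays_used >= policy.display_limit:
            return "DENY:display-limit-reached"
        state.displays_used += 1  # commit the count before rendering, never after
        return "ALLOW"
    return "DENY:unknown-actor-or-action"


def run(policy: UsagePolicy, requests) -> list:
    """Evaluate a sequence of (actor, action) requests against a fresh license state."""
    state = LicenseState()
    return [evaluate(policy, state, actor, action) for actor, action in requests]


# Constructed policy: replicable, not savable, five displays, owner forbids edits/samples.
SAMPLE_POLICY = UsagePolicy("movie-0001", subscriber_may_replicate=True, display_limit=5)
SAMPLE_REQUESTS = [("subscriber", "display")] * 6 + [
    ("subscriber", "save"), ("subscriber", "replicate"),
    ("service-provider", "modify"), ("service-provider", "display"),
]

if __name__ == "__main__":
    for req, d in zip(SAMPLE_REQUESTS, run(SAMPLE_POLICY, SAMPLE_REQUESTS)):
        print(f"{req[0]:17} {req[1]:10} -> {d}")
```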
IPTV Security Policies - example
Infrastructure Policies can be intended as service policies regarding the security or QoS issues on the content delivery/transport architecture:
All content MUST BE encrypted.
All content MUST BE watermarked.
All content users MUST BE identified.
IPTV QoS Policies - example
Interaction Policy:
The service must provide a specified QoE level.
The service must adapt itself to the user device capabilities.
The service must adapt the provided content to the device resolution (e.g. HDTV 1920x1080 to low resolutions).
IPTV QoS Policies - examples
Infrastructure Policy:
The network must have bandwidth guarantees.
The network must have delay guarantees.
The network must have jitter guarantees.
The network must have loss guarantees.
Final Considerations
IPTV Security = Content + Service + Transport Security
DRM System is not enough, but it is a good start.
Encryption and authentication must be a priority.
Acknowledgments