Project Title: Supporting Internet Multicast Multimedia.

Organization: University College London

AO Number: D079

Contract Number: F49620-99-1-0291

Contract Start Date: 15 JUL 1999

Contract End Date: 14 OCT 2001

Funding Received to Date: Sent as of June 30, 2000 - $124,990; Obligated in Contract - $199,984

Funds Expended to Date: $90,893

Unexpended Funds On Hand: $34,107

Date Unexpended Funds will be Depleted: October 15, 2000

Funding Requirement 10/01/00 - 12/31/01: $74,994

Additional Information Required:

Since, according to our contract, the first annual fiscal status report is due September 15, 2000, no such report is yet provided.

 

 

Technical Report Input Fields

Principal Investigator:

Firstname: Peter

Lastname: Kirstein

Address 1: Department of Computer Science, University College London

Address 2: Gower St

City: London

State: United Kingdom

Zip: WC1E 6BT

Phone: +44-20-7679-7286

Fax: +44-20-7387-1397

Email: p.kirsein@cs.ucl.ac.uk

Level Of Participation - Billed: 15%

Level Of Participation - Unbilled: 10%

Principal Investigator:

Firstname: John

Lastname: Crowcroft

Address 1: Department of Computer Science, University College London

Address 2: Gower St

City: London

State: United Kingdom

Zip: WC1E 6BT

Phone: +44-20-7679-7296

Fax: +44-20-7387-1397

Email: j.crowcroft@cs.ucl.ac.uk

Level Of Participation - Billed: 0%

Level Of Participation - Unbilled: 10%

URL: http://www.cs.ucl.ac.uk/research/scampi/

 

Objective:

The over-riding objective of this proposal is to establish mechanisms for Secure Distributed Conferencing (audio, video, shared W/S) scalable to large groups. The conferences are to be usable by people with variable speed access - e.g. mobile or weakly connected, to provide optimal quality for multicast applications within the given bandwidth constraints, and to provide safe and predictable performance for multicast applications. In order to achieve the main objective, we have a number of sub-objectives. One is to establish mechanisms for secure distributed conferences, which are scalable. A second is to investigate mechanisms for QoS with high-bandwidth islands connected by lower-speed regions - with full QoS in place across the regions. A third is to establish mechanisms for accommodating speed differences across boundaries between domains of different performance. A fourth is to establish secure VPNs, which can be used for conferencing between islands of users.

 

Approach:

 

Both this project and RADIOACTIVE are of small size. To allow the maximum impact of both projects, they will be closely aligned – with similar basic functional components. The RADIOACTIVE project will concentrate on their deployment in an Active Application Service environment; the SCAMPI project will concentrate on the Security of the components and their operation.

 

Secured Conferencing is of considerable importance to the Defence community. Many planning and logistics activities must be done in a multi-person environment; multicast is one of the most efficient mechanisms for achieving this. In the project of which this is an extension, we already provided application-level encryption in a number of multicast conferencing tools (VIC for video, RAT for audio and NTE for shared editing). A mechanism for secured announcement (Secure SAP) was also piloted. In the current project, we are completing the secure SAP, and also investigating secure invitations and secure web-based announcements. We are also trying to establish methods for using IPSEC and its associated key-management technology. In this context we wish to explore only mechanisms which will not require too specific a security PKI or other features, so that they can be deployed widely. In all our work we are aiming to move towards IPv6, to be able to take advantage of its features as they become more widely available.

In order to investigate the QoS mechanisms, the approach is to set up a testbed with two links between UCL and the CAIRN; on the UCL side, we are also connecting in another high-bandwidth network, LEANET. This allows the investigation of mechanisms for QoS with two high-bandwidth islands connected by a pair of lower-speed connections - with full QoS in place on the links.

In order to ensure that we can use a variety of network performances, we are investigating filtering and transcoding mechanisms at the boundaries between different domains. The devices at these boundaries should be controlled securely. Whether they must participate in the decryption/re-encryption of secure streams is one of the questions that will be studied.

We will be siting recording/replay caches at different places in the network. Again both their functionality and their security will be investigated.

We expect to use approved IETF procedures where these exist – and to influence the IETF procedures based on our results.

Finally, we will set up a Secured Virtual Private Network between the members of the ICB. This will include working through how to deal with the differing security policies of the ICB-member networks. While UCL will be one of the parties to this Coalition System, an important role will be to act as a facilitator to the other partners - in the provision of secured applications, infrastructure, and practical assistance. Our participation in the above-mentioned CAIRN will ensure that this will provide an additional collaborator in the VPN.

Recent Accomplishments:

QoS enabled links have been tested with a variety of QoS mechanisms between both UCL and LEANET, and between UCL and CAIRN. These tests have shown that it is possible to establish the links in such a way that conferencing can be carried through in the presence of other less urgent traffic with pre-designed performance.

During the current period, the conferencing tools RAT, VIC and NTE were made IPv6 capable, when linked with the relevant IPv6 stacks. The tools listed in the developers’ versions on the UCL Web page have this capability. The latest version of the Session Announcement has been modified to be IPv6 capable (based on some ISI work) – but without the security routines; in addition an alternative web-based mechanism has been developed, called SPAR, which provides security, and has been extended easily to IPv6. In the SPAR server, groups of users can be created for access control to the information and group managers can add/remove users, create/delete sessions, change session keys. Users only have access to the information for the groups to which they belong. The server is accessed securely from a normal Web browser, and Applets allow automatic initiation of the conferences. These developments should make secure IPv6 conferencing much easier to deploy.

Both the UCL MMCR storage/replay server and their UTG transcoding gateway have been rewritten in pure Java. Both are also being made into Proxylets under the DARPA RADIOACTIVE project. These will become a movable proxy cache recorder, a movable player, and a movable transcoding gateway. The development of these components as proxylets is being done in RADIOACTIVE, but their security aspects are under SCAMPI. As a result of this activity, the components will be deployable in the IPv6 environment, as soon as Java becomes IPv6-aware.

Under the aegis of the International Collaboration Board (ICB), one part of the SCAMPI project has been to participate with other NATO members in the development of a Virtual Private Network (VPN) connecting the relevant sites. In collaboration with the Canadian HIRNS, and helped by both Cisco and Entrust, we have set up manual configurations for an IPSEC-based VPN between NIRNS and UCL. We have been working also with Touch of ISI, and have installed his Xbone software at UCL.

 

Current Plan:

We will make our QoS links between UCL and both CAIRN and LEANET IPv6-capable. This should allow our QoS environment to be compatible with that intended for the rest of this project – and the next generation of Internet deployment.

 

 

We will move our existing application-level secure conferencing to IPSEC level security where this seems appropriate. This would allow it to be compatible with the current direction of other security activity in the Internet, and allow maximum use of outside development of new security implementations.

 

Both the UCL MMCR storage/replay server and their UTG transcoding gateway will be made into signed proxylets capable of secured operation in an IPv6 environment.

 

 

Mechanisms will be added to allow replication of the MMCR cache recorder, MMCR replay server, and UTG transcoding gateway. These will allow more rugged operation of these components.

 

 

The ICB Secure VPN will be set up between interested ICB members running the secured conferencing tools in an IPv6 mode. This will be of considerable importance to allow the tools to be used in a realistic setting. This VPN will include also the Xbone technology of ISI.

 

Technology Transition:

For the use of the UCL secure conference announcement store, users must currently be registered for the group facilities; some 50 persons are now so registered. The software has been downloaded by many more sites, but it is not clear how many have loaded it onto their own servers. The main software is being used in earnest by many groups; we do not know, however, who is using the secure variants. It is being made the key application in several other on-going projects (RADIOACTIVE, ANDROID, TITRE). The industrial partners in those projects have enough faith in them to have made them the basis of the applications being pursued there.

 

 

 

Amongst the defence-related sites which have been working with the software are NATO C3A, the Canadian DND, the British DERA, and the Dutch TNO. While AFRL has expressed interest, it is not known if they have used the software in earnest.