A. Field of the Invention
The present invention relates to secure network communications.
B. Description of Related Art
Network computing applications involving groups of computers may require simultaneous communication. There are three conventional ways to design a network application for simultaneous group communication: unicast, broadcast, and multicast. Conventional unicast systems require the transmission of a copy of each data packet to one specific recipient. In order to transmit to multiple recipients, a separate connection is made with each recipient. Making multiple direct connections requires a large amount of bandwidth as the number of recipients increases and may result in delays since the same packet must be repeatedly copied and then transmitted to each recipient. In a conventional broadcast system, one copy of each packet is sent to a broadcast address. The broadcast transmission is sent to a large number of people when only a small number actually wish or need to receive the broadcast.
With a conventional multicast system, a network application may send one copy of a packet or packets addressed toward a group of recipients instead of just one recipient as in unicast systems. A network or networks are then responsible for forwarding the packet(s) on toward the necessary recipients. Multicast typically uses a standardized range of destination Internet Protocol (IP) addresses (e.g., 224.0.0.0-239.255.255.255). A multicast source signals the rest of a network to a multicast transmission by setting the destination IP address for a packet within the range of multicast destination IP addresses. The multicast destination IP address used is the multicast group address.
Protocol Independent Multicast—Sparse Mode (PIM-SM) is a control paradigm for multicast transmission. In a PIM-SM system, a multicast recipient requests participation in a group transmission by signaling to a closest router, a “last-hop router,” using the Internet Group Management Protocol (IGMP). The last-hop router uses PIM-SM to request the particular multicast stream from the next-hop routers. Therefore, under a PIM-SM system, multicast packets only go where requested. In order to draw the multicast from the source toward the last-hop router, a type of router, referred to here as a rendezvous point, may be necessary. This is because multicast sources and last-hop routers initially do not know of each other's presence. FIG. 1 illustrates an example of a conventional PIM-SM system including a rendezvous point 130. Referring to FIG. 1, multicast recipients 140a-140d (collectively, “140”) may signal the last-hop routers that they would like a particular transmission. The last-hop routers 125a-125c (collectively “125”) then send out a join request for multicast transmission to the rendezvous point 130 through intermediary routers 120. Different rendezvous points may exist for different multicast group transmissions. Last-hop routers 125 may determine which rendezvous point to send the join request to for a particular multicast transmission. Last-hop routers 125 make a connection to rendezvous point 130 for access to the source multicast stream instead of transmitting the join request directly to multicast source 110 when, for example, they do not know where the source is. The rendezvous point 130 receives the multicast transmission from multicast source 110 through first-hop router 115 and one or more intermediary nodes such as multicast routers 120, and distributes the multicast transmission toward all multicast recipients 140 subscribed to the multicast.
A conventional multicast router 120 is shown in FIG. 2. Multicast router 120 includes an interface 210 for receiving data, and access control list 220, a router 230 for determining the next path for data to follow in the network, and a forwarding module 240 for forwarding data to the next destination. Access control list 220 determines whether or not to allow access to the multicast router. Access control may be based on IP address information including the multicast group, the router the data came from, or a list of accepted users.