The invention generally relates to networks and, more particularly, the invention relates to message transmissions across multicast domains in a computer network.
Multicasting is a well known method of transmitting messages to selected groups of users across a network, such as the Internet. One simple example of multicasting entails transmitting an E-mail message to a plurality of users that each are on a mailing list. Video conferencing and teleconferencing also use multicasting principles and thus, often are referred to as "multiconferencing."
Messages transmitted during a multicast often include multicast control parameters that control the execution of the multicast ("control messages"). One exemplary type of control message enables nodes to end an ongoing multicast. Problems arise when an unauthorized network device transmits a control message to a multicast session. For example, an unauthorized network device undesirably may transmit a control message that prematurely ends a multicast session. One solution to this problem (recently proposed by the PIM Working Group of the Internet Engineering Task Force) utilizes well known key encryption techniques to authenticate control messages transmitted between routers within a single multicast domain. To that end, a symmetrical authentication key is provided to each router in the multicast to encrypt and decrypt control messages transmitted in the multicast. Accordingly, upon receipt of a control message from another router, a receiving router can confirm that the control message was transmitted from an authorized router in the multicast by decrypting the received control message with the authentication key.
As is known in the art, a group of network devices (e.g., routers) in a multicast that are administered as a unit with common rules and procedures (e.g., each router utilizing a common authentication key) are considered to be a single multicast domain. Problems therefore arise when members of one multicast domain attempt to communicate with members of another multicast domain. Specifically, network devices in a first multicast domain do not have the second multicast domain authentication key for authenticating messages received from second domain devices. Consequently, multicast messages transmitted from the second multicast domain to the first multicast domain are considered (by receiving devices in the first domain) to originate from devices not authorized to participate in the first domain multicast and thus, are dropped.
In accordance with one aspect of the invention, a border network device for transmitting messages between a first multicast domain and a second multicast domain includes a first interface that receives a first domain message from the first domain for delivery to the second domain, a first message converter that converts the received first domain message into a first intermediate message, and an output that forwards the first intermediate message to a receiving second network device in the second domain. The first multicast domain and second multicast domain each respectively have first network devices and second network devices. In preferred embodiments, the first domain message has first domain origin data. Messages with first domain origin data originate from at least one of the first network devices. In a similar manner, the intermediate message includes intermediate data indicating that the intermediate message originated from the border network device. A similar method also may be utilized to effectuate this aspect of the invention.
In preferred embodiments, the first intermediate message includes data that causes the receiving second network device to convert the first intermediate message into a second message. The second message includes data indicating that the second message originated from the receiving second network device. In other embodiments, the border network device further includes an intermediate interface that receives a second intermediate message from a given second network device, and a second message converter that converts the received second intermediate message into a converted first domain message with first domain data. The second intermediate message has origination data indicating that it originated from the given second network device. The output may forward the converted first domain message to at least one of the first network devices.
In other embodiments, the first multicast domain has an associated key for authenticating messages transmitted between first network devices. Accordingly, the first origin data may be associated with the first key. The first multicast domain may require that each message authorized to be forwarded to first network devices in a multicast include first domain origin data. In some embodiments, the border network device is one of the first network devices. The border network device also may include memory for storing an intermediate key. The first message converter may retrieve the intermediate key from memory to convert the received first domain message into the first intermediate message. The border network device also may include an authenticator operatively coupled with the first message converter. The authenticator may confirm that the first domain message includes the first domain origin data. In other embodiments, the receiving second network device is a border network device that converts the first intermediate message into a second domain message having data indicating that the message originated from one of the second network devices.
In accordance with another aspect of the invention, a border network device for transmitting messages between a first multicast domain and a second multicast domain includes an intermediate interface that receives a second intermediate message from the second domain, a first message converter that converts the received second intermediate message into a converted first domain message with first domain data, and a first output that forwards the converted first domain message to at least one of the first network devices. The received second intermediate message includes intermediate data indicating that the second intermediate message originated from at least one of the second network devices. In a manner similar to other embodiments, messages with first domain data originate from one of the first network devices. A similar method also may be utilized to effectuate this aspect of the invention.
In other embodiments, the border network device further includes a first interface that receives a first domain message (with first domain data) from at least one of the first network devices, a second message converter that converts the received first domain message into a first intermediate message, and a second output that forwards the first intermediate message to at least one of the second network devices. The first intermediate message has data indicating that it originated from the border router. In another embodiment, the first multicast domain has an associated first key for authenticating messages transmitted between first network devices, where the first domain data is associated with the first key. The first multicast domain may require that each first domain message authorized to participate in the multicast in the first domain include first domain origin data. The border network device also may include an authenticator operatively coupled with the first message converter. The authenticator may check the second intermediate message to determine if the intermediate message includes the second intermediate data.
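The following is an added illustration, not code from the patent or from the PIM Working Group, of the border-device conversion described above: a per-domain symmetric key authenticates messages inside each domain (as in the single-domain scheme), a separate intermediate key is shared only by the two border routers, and each border router acts as first and second message converter by verifying one tag and re-issuing another under the next key with itself as the stated origin. The keys, router names and the sample control message are constructed for the example; HMAC-SHA256 stands in for whatever keyed authentication a deployment would actually use.

```python
import copy
import hashlib
import hmac
import json

# Constructed keys (assumptions, not values from the patent): every router in a
# domain shares that domain's key; the two border routers share an intermediate key.
KEY_DOMAIN_A = b"domain-A-shared-key"
KEY_DOMAIN_B = b"domain-B-shared-key"
KEY_INTERMEDIATE = b"border-to-border-key"


def _canonical(body: dict) -> bytes:
    """Serialise the body deterministically so sender and receiver tag identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_message(key: bytes, origin: str, payload: dict) -> dict:
    """Origin data = the origin field plus an HMAC over the body under `key`.

    Only a holder of `key` can produce a verifying tag, so a valid tag shows the
    message came from a member of that key's domain (or from a border router,
    when the intermediate key is used).
    """
    body = {"origin": origin, "payload": payload}
    return {"body": body, "auth": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify(key: bytes, msg: dict) -> bool:
    """Authenticator: True only if the tag was produced under `key` over this exact body."""
    expected = hmac.new(key, _canonical(msg["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["auth"])


class Router:
    """An ordinary router accepts only messages authenticated under its own domain key."""

    def __init__(self, name: str, domain_key: bytes):
        self.name = name
        self.domain_key = domain_key

    def accept(self, msg: dict):
        """Return the payload if the message verifies, otherwise None (message dropped)."""
        if not verify(self.domain_key, msg):
            return None
        return msg["body"]["payload"]


class BorderRouter(Router):
    """A border router holds its domain key plus the intermediate key shared with its peer."""

    def __init__(self, name: str, domain_key: bytes, intermediate_key: bytes):
        super().__init__(name, domain_key)
        self.intermediate_key = intermediate_key

    def export(self, msg: dict):
        """First message converter: domain message -> intermediate message.

        The domain-key tag is checked and replaced by an intermediate-key tag, and
        the origin now names this border router rather than the inner sender.
        """
        if not verify(self.domain_key, msg):
            return None
        return make_message(self.intermediate_key, self.name, msg["body"]["payload"])

    def import_(self, inter_msg: dict):
        """Second message converter: intermediate message -> this domain's message."""
        if not verify(self.intermediate_key, inter_msg):
            return None
        return make_message(self.domain_key, self.name, inter_msg["body"]["payload"])


def run_example() -> dict:
    """Carry one control message from router a1 (domain A) to router b1 (domain B)."""
    a1 = Router("a1", KEY_DOMAIN_A)
    border_a = BorderRouter("border-a", KEY_DOMAIN_A, KEY_INTERMEDIATE)
    border_b = BorderRouter("border-b", KEY_DOMAIN_B, KEY_INTERMEDIATE)
    b1 = Router("b1", KEY_DOMAIN_B)

    control = {"type": "end-session", "group": "239.1.2.3"}  # constructed sample control message
    domain_a_msg = make_message(a1.domain_key, a1.name, control)

    # Without conversion, a domain-B router cannot authenticate a domain-A-tagged message.
    direct = b1.accept(domain_a_msg)

    # With conversion: A message -> intermediate message -> B message.
    intermediate = border_a.export(domain_a_msg)
    domain_b_msg = border_b.import_(intermediate)
    delivered = b1.accept(domain_b_msg)

    # An intermediate message altered in transit fails the intermediate-key check.
    tampered = copy.deepcopy(intermediate)
    tampered["body"]["payload"]["group"] = "239.9.9.9"

    return {
        "direct_dropped": direct is None,
        "intermediate_origin": intermediate["body"]["origin"],
        "domain_b_origin": domain_b_msg["body"]["origin"],
        "delivered": delivered,
        "tampered_rejected": border_b.import_(tampered) is None,
    }


if __name__ == "__main__":
    print(run_example())
```

Note that the inner routers never learn the intermediate key or the other domain's key; only the two border routers can bridge the domains, which is exactly the trust boundary the patent describes.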
In accordance with other aspects of the invention, an apparatus and method of transmitting messages between a first multicast domain and a second multicast domain receives a first message with first identification data from a first network device in the first domain, controls a confirming network device to analyze the first identification data to determine that the first message originated from the first network device, adds second identification data to the first message to form an authenticated message, and forwards the authenticated message to a second network device in the second domain. The first identification data indicates that the first message originated from the first network device. The second identification data indicates that the first message was authenticated by the confirming network device.
In a preferred embodiment, the first identification data includes a digital signature of the first network device, while the second identification data includes a digital signature of the confirming network device. Once authenticated, the first identification data may be removed from the first message.
In accordance with yet another aspect of the invention, an apparatus and method of transmitting messages between a first network device in a first multicast domain, and a second network device in a second multicast domain adds first identification data to a first message to form a preliminary message. The first identification data indicates that the first message originated from the first network device. The preliminary message then is forwarded to a confirming network device in the first multicast domain. The confirming network device then is controlled to determine if the preliminary message includes the first identification data. If determined to include the first identification data, the confirming network device then adds second identification data to the message to form an authenticated message. The second identification data indicates that the first message was authenticated by the confirming network device. The authenticated message then is forwarded to the second network device in the second domain.
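The following is an added example, not code from the patent, of the confirming-device flow in the two preceding aspects: the originating device forms a preliminary message carrying its own identification data, the confirming device checks that data before adding its own, the first identification data may then be stripped, and a receiver in the second domain accepts only messages vouched for by a confirming device it trusts. The patent names digital signatures; this example substitutes per-device HMAC keys that the checking parties are assumed to know (a constructed stand-in, since the Python standard library has no asymmetric signing), so the device names and keys are assumptions.

```python
import copy
import hashlib
import hmac
import json

# Constructed per-device keys (assumption): stand-ins for each device's signing key.
# In a real deployment the checker would hold public keys; here it holds these.
DEVICE_KEYS = {
    "a1": b"a1-device-key",
    "confirmer-a": b"confirmer-a-device-key",
}


def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(device: str, payload: dict) -> str:
    """Identification data of `device` over the control payload (HMAC stand-in for a signature)."""
    return hmac.new(DEVICE_KEYS[device], _canonical(payload), hashlib.sha256).hexdigest()


def _check(device: str, payload: dict, tag: str) -> bool:
    """Return True only if `tag` is valid identification data of a known `device`."""
    if device not in DEVICE_KEYS:
        return False
    return hmac.compare_digest(_sign(device, payload), tag)


def make_preliminary(origin: str, control: dict) -> dict:
    """Originating device: add first identification data to form the preliminary message."""
    return {"payload": control, "ids": {origin: _sign(origin, control)}}


def confirm(confirmer: str, prelim: dict, expected_origin: str, strip_first: bool = False):
    """Confirming device: verify the first identification data, then add its own.

    Returns None when the preliminary message lacks valid identification data
    from `expected_origin`; otherwise returns the authenticated message.
    """
    tag = prelim["ids"].get(expected_origin)
    if tag is None or not _check(expected_origin, prelim["payload"], tag):
        return None
    authenticated = copy.deepcopy(prelim)
    authenticated["ids"][confirmer] = _sign(confirmer, prelim["payload"])
    if strip_first:  # the patent allows removing the first identification data once confirmed
        del authenticated["ids"][expected_origin]
    return authenticated


def receive_in_second_domain(msg: dict, trusted_confirmer: str):
    """Second-domain device: accept the payload only if the trusted confirmer vouched for it."""
    tag = msg["ids"].get(trusted_confirmer)
    if tag is None or not _check(trusted_confirmer, msg["payload"], tag):
        return None
    return msg["payload"]


def run_example() -> dict:
    control = {"type": "end-session", "group": "239.1.2.3"}  # constructed sample control message

    # Genuine path: a1 -> confirmer-a -> second domain, with and without stripping a1's data.
    prelim = make_preliminary("a1", control)
    authenticated = confirm("confirmer-a", prelim, "a1")
    stripped = confirm("confirmer-a", prelim, "a1", strip_first=True)

    # A message claiming to be from a1 but carrying bogus identification data.
    forged = {"payload": control, "ids": {"a1": "00" * 32}}

    return {
        "confirmed_ids": sorted(authenticated["ids"]),
        "stripped_ids": sorted(stripped["ids"]),
        "accepted": receive_in_second_domain(authenticated, "confirmer-a"),
        "accepted_after_strip": receive_in_second_domain(stripped, "confirmer-a"),
        "forged_rejected_by_confirmer": confirm("confirmer-a", forged, "a1") is None,
        "unconfirmed_rejected_by_receiver": receive_in_second_domain(prelim, "confirmer-a") is None,
    }


if __name__ == "__main__":
    print(run_example())
```

The second-domain receiver never needs the originating device's key: it relies entirely on the confirming device's identification data, which is why the first identification data can be dropped after confirmation without affecting delivery.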
Preferred embodiments of the invention are implemented as a computer program product having a computer usable medium with computer readable program code thereon. The computer readable code may be read and utilized by the computer system in accordance with conventional processes.