Proceedings of IEEE IC-BNMT2013

DESIGN AND IMPLEMENTATION OF SECURE MULTICAST BASED ON SDN
Jianfeng ZOU, Guochu SHOU, Zhigang GUO, Yihong HU
School of Information and Communication Engineering,
Beijing Laboratory of Network System Architecture and Convergence,
Beijing University of Posts and Telecommunications,
Beijing 100876, P. R. China
{jianfengzou, gcshou, gzgang, yhhu}@bupt.edu.cn

Abstract: Multicast communication is an important requirement for many types of applications such as IPTV and video conferencing. In the current IP multicast architecture, any host can join a multicast group without authentication because no host identification information is maintained by routers, which leads to security risks. In addition, the routers need to be involved in both forwarding packets and maintaining route states, which results in massive complexity of the devices and produces a lot of control overhead. This paper proposes a clean-slate multicast scheme based on Software-Defined Networking (SDN), aiming to improve the security and controllability of multicast networks. A logically centralized multicast controller is designed to be responsible for handling multicast events, calculating the multicast tree and authenticating the identity of hosts. A prototype is implemented on our SDN platform. The results show that our scheme is superior to traditional IP multicast in two aspects: firstly, illegal users are effectively prevented from joining a multicast group; secondly, the delay of joining a group is lower than in traditional IP multicast.

Keywords: Software-Defined Networking (SDN); Multicast; Controller; Security

978-1-4799-0094-7/13/$31.00 2013 IEEE

1 Introduction
Multicast communication is an important requirement for many types of applications such as IPTV and video conferencing. Network multicast transfers large data from one point to one or more points simultaneously, which can improve bandwidth utilization efficiently. Although multicast is considered a useful technology, the practical application of IP multicast still faces the following problems.

1) Membership in a multicast group is dynamically changing, allowing any host to join and leave the multicast session without the permission of other hosts. This way of routing and protocol design may present vulnerabilities, making it susceptible to attacks and threats. Firstly, there is no authentication mechanism in the multicast protocol. A user may join or leave a group freely, and an illegal user can get multicast packets without obstacles. Secondly, the multicast protocol cannot assure the safety of the data source, because any client may become a multicast source and send packets without control [1-3].

2) The routers in a multicast network need to be responsible for both forwarding packets and maintaining route states, which results in massive complexity of the devices and produces a lot of control overhead. Users joining and leaving a multicast group dynamically also increase the complexity of management in routers. Moreover, it may be impossible to construct the multicast tree and handle control events efficiently, because exchanging a flood of messages among the distributed routers and updating routing tables to obtain route or topology information are slow processes [4-5].

In order to resolve the problems mentioned above, secure and logically centralized multicast approaches attract more and more attention. This paper focuses on a multicast scheme based on the new network architecture named Software Defined Networking (SDN), which is proposed by the Open Networking Foundation (ONF). As a candidate for the future network, SDN has several typical characteristics. Firstly, network control is decoupled from forwarding, and the switches only need to forward packets. This greatly simplifies the network devices themselves, since they no longer need to understand and process thousands of protocol standards but merely accept instructions from the SDN controllers. Secondly, an SDN network is programmable and centrally controlled. OpenFlow is the first standard communications interface defined between the control and forwarding layers of the SDN architecture. OpenFlow switches (OFS) are capable of forwarding packets using flow entries defined in so-called flow tables [6-8].

In this paper, we propose a secure and controllable multicast scheme on the basis of SDN and design the multicast controller, which is located in the control plane of the SDN architecture. The multicast controller is responsible for routing, multicast tree computing, handling join and leave events, user authentication, and multicast group management. The user authentication module of the multicast controller authenticates the user's identity and prevents illegal clients from joining a multicast group. The switch devices forward packets according to the actions of flow entries managed by the controller, so clients cannot turn into a multicast source without the permission of the controller. This approach assures the reliability of the source.

We structure the remainder of the paper as follows. Section 2 introduces related work. We discuss how to use the SDN architecture to implement the new multicast scheme in Section 3. The new multicast scheme and the design of the multicast controller are presented in Section 4. Section 5 outlines the experimental environment and verifies the effectiveness of the scheme. Finally, the paper is concluded in Section 6.

2 Related works
Recently, the research on controllable and secure multicast mechanisms can be classified into two major categories. One is to add related modules to the IP multicast protocol to enhance controllability and management. Reference [3] proposed a scheme of adding a user management module and a source management module on the basis of an IGMP (Internet Group Management Protocol) [9] proxy to improve multicast controllability. But since such schemes depend on the traditional IP multicast architecture, they are difficult to deploy in real networks due to the limitations and ossification of the IP architecture.

Other researchers have started paying attention to controllable multicast mechanisms on the basis of new network architectures. A novel multicast mechanism based on OpenFlow, called OFM, was proposed in reference [10], which mainly discusses the multicast tree algorithm. Ref. [11] presented a scheme to approach unified multicast in IP-over-OBS networks by introducing OpenFlow in terms of network architecture, without considering the design of the controller. Ref. [12] gave a design of an OpenFlow controller handling IP multicast and a method to switch from one multicast tree to another with little packet loss. Ref. [13] proposed a logically centralized multicast approach based on programmable networks with anticipated processing of all routes from each possible source, aiming to reduce event delays. These schemes and approaches have resolved part of the problems of multicast; however, there is currently no secure and controllable multicast mechanism which can be deployed in real networks.

3 Rebuild multicast mechanism with SDN
With the programming flexibility provided by the controller of SDN networks, we can rebuild the multicast mechanism to improve security and management. Our proposed multicast scheme has the following characteristics.

3.1 Control is decoupled from forwarding
In traditional IP multicast, routers are responsible for both forwarding packets and the exchange of routing messages. This creates additional expense in terms of bandwidth utilization when control messages are transmitted along with data packets on the same link. We can resolve this problem with the idea of decoupling control from forwarding. Control messages are transmitted between the multicast controller and the switch devices, while data packets are transmitted on the links built between switches. The secure channel is the interface that connects each switch to a multicast controller. The controller configures and manages the switch, receives events from the switch, and sends command packets to the switch through this interface. The secure channel assures the safety of control messages by building a TLS (Transport Layer Security) connection.

3.2 Centralized calculation of the multicast tree
Users join and leave multicast groups dynamically, so it is difficult to calculate the multicast tree quickly and accurately in traditional IP networks. It is essential to create a mechanism for calculating routes and the multicast tree with the full topology of the network. In the SDN architecture, network intelligence is centralized in software-based SDN controllers, which maintain a global view and topology of the network. We can add an API to the SDN controller to compute the multicast tree and routes. When the controller receives a join request from a user, it calculates the route quickly according to the topology information.

3.3 User authentication
In traditional IP multicast, users can join or leave a group freely without limitations, which may cause safety threats. Authentication is an essential part of providing access control to a multicast group. Applying authentication mechanisms to the joining process ensures that only authorized clients are permitted to join the group. Switch devices have no flow entries initially, so IGMP requests from clients are forwarded to the controller, which inspects the request packet to obtain information about the user's identity and configures flow entries for the switch devices depending on the result of authentication. If the result indicates that the user is illegal, the controller does not configure the flow table, so the user cannot join the multicast group.

3.4 Multicast source management
The IP multicast protocol cannot assure the safety of the multicast source, because any user may be a multicast source and send packets. In the new mechanism, the switch devices will not forward packets without the permission of the controller, which prevents any client from becoming a multicast source arbitrarily.

4 Multicast schemes
In this section, we focus on the implementation of clean-slate multicast based on SDN at a technical level.

4.1 Architecture
According to the description above, we can conclude the new multicast architecture (shown in Figure 1), in which the routers are separated into two independent levels: the control plane, which plays the role of the intelligent center for management, and the forwarding plane. The SDN controller, which provides routing decisions and user authentication, is located in the control plane. The OpenFlow switches (OFS) located in the forwarding plane only forward the data packets from a source node to the group members according to the commands of the controller. The procedure of a user joining a multicast group is as below.

Figure 1 Multicast architecture based on SDN (Hosts A, B, C and the multicast source are attached to OFS; the SDN controller holds the user AUC, group management, route, topology, database and flow configuration modules; steps: 1. IGMP request, 2. request packet-in, 3. add_flow, 4. source packet transport)

1) The user sends IGMP packets to the edge OFS, which has no flow table initially. The OFS forwards the request packet to the multicast controller, which is responsible for processing join and leave events.
2) The multicast controller inspects this request packet to obtain the user's identity. It decides whether the user is allowed to join the group depending on the result of querying the database in which user authority information is stored. In this way the multicast network can reject illegal user requests and improve network security.
3) The multicast controller quickly calculates a multicast tree according to the topology information of the full network and finds the optimal route from the source to the users.
4) The multicast controller configures flow entries on the OFS, so that data packets can be transmitted from the source to the group members.
When a user leaves the multicast group, the controller deletes the corresponding flow entries and updates the multicast group membership. As the group members change, multicast trees are recomputed dynamically to ensure the best network performance.

4.2 Design of a multicast controller
In this section we present the design and implementation of a controller to accomplish IP multicast. The multicast controller is the core component of the multicast network and is responsible for routing, multicast tree computing, handling join and leave events, user authentication and multicast group management. An overview of our designed controller is shown in Figure 2; it consists of five kinds of modules: connection daemon, packet classifier, user authentication, group management and multicast tree computing.

Figure 2 An overview of the multicast controller (connection daemon and packet-in classifier over the security channel to the OpenFlow switch; IGMP, LLDP and flow-mod paths; user AUC with mac_src and ip_dst inspection backed by the user DB and source DB; group management, route computing, topology/discovery and pyswitch modules)

The connection daemon module accepts and maintains TLS connections over TCP with the OpenFlow switches (OFS). It provides the interface and secure channel to send and receive OpenFlow messages.
The packet classifier is in charge of forwarding the received messages to the different application modules. For example, LLDP (Link Layer Discovery Protocol) packets are forwarded to the topology module to build a full view of the network. IGMP packets, which can be identified by their class D destination address, are passed on to the user authentication module.
The topology and discovery modules keep track of the links between switches to acquire the topology information, which is used to build the graph for calculating a multicast tree and to provide a stored record of the links currently in the network. The role of the route computing module is calculating the multicast tree. Once the controller has full knowledge of the network, it can obtain the multicast tree accurately and quickly. The pyswitch module acts as a MAC-learning controller which can be used to handle general IP packets and configure flow entries for the switches.
The user AUC module inspects the IGMP request to get the user's IP address, MAC address and port information, and authenticates the identity of the user. The group management module stores and updates the information of multicast members, providing full knowledge of the group members to a network administrator. The following sections describe the functions of the multicast controller in detail.

4.2.1 Calculating multicast trees
The route computing module uses Kruskal's algorithm to calculate a minimum spanning tree (MST) centered on the multicast source. Kruskal's algorithm is a greedy algorithm in graph theory that finds a minimum spanning tree for a connected weighted graph. This means it finds a subset of the edges that forms a tree including every vertex, where the total weight of all the edges in the tree is minimized. It is easy to calculate the path and route lists from the source to the group members with the MST and the client information.

4.2.2 Processing join and leave events
When the controller receives a join event, the user authentication module recognizes the identity of the user and updates the group membership. If a user leaves the multicast group, the controller deletes the corresponding flow entries of the switches and updates the memberships in the group management database.

4.2.3 User authentication
Figure 3 shows the procedure of user authentication. The source MAC-address inspection and destination IP-address inspection modules are in charge of inspecting the request packets to acquire the multicast source address and the user identity information, including MAC address, IP address and UDP port. The multicast controller decides whether the user is allowed to join the group depending on the result of querying the database. It is necessary to establish the user authority database in advance.

Figure 3 The flowchart of user authentication (packet-in classify; IGMP join-group message; source MAC address inspecting; authentication flag? if no, the user is illegal; destination IP address inspecting; multicast source in network? if no, the requested source does not exist; otherwise authentication ends by updating the group database and adding flow entries)

4.2.4 Group management
The group management module learns and stores receiver information by watching and monitoring the result of authentication. The source IP address and the multicast address are taken as the unique identifier of a group. When a client leaves a group, the IGMP leave message is forwarded to the controller. The topology module and the group management module work together to update the membership in the database.

5 Prototype experiment and results
A prototype experiment is implemented on our SDN platform, shown in Figure 4. A multicast controller installed on a Linux computer is connected with five OpenFlow switches (product model: V330T) provided by Centec Networks Corporation. We design the controller based on the open-source software NOX [14-16].

Figure 4 Experiment environment (SDN controller, OFS, video server and clients)

5.1 Experiment 1: user authentication
The video server acts as the multicast source, while clients try to join the multicast group through the SDN network. We test the effectiveness of the new multicast scheme in terms of multiple flow configuration and user authentication. The user authority database stored in the controller is shown in Figure 5.

Figure 5 User authority database

Firstly, client1 (MAC address f0:de:f1:7a:ac:f7) requests to join the multicast group 239.0.0.1. The result of the controller's authentication indicates that this is an illegal user. Secondly, client 2 joins the same multicast group, and the multicast controller also performs authentication. As shown in Figure 6, the action segment of a flow entry can be configured with multiple output port IDs.

Figure 6 The flow entries inserted in the OpenFlow node

In order to verify the effectiveness of user authentication, a laptop (MAC address 14:DA:E9:62:57:B7) tries to join group 239.0.0.1, but it cannot succeed. The multicast controller prints the information shown in Figure 7.

Figure 7 The result of authentication

The reason for failing to join is that the user is illegal (the authority flag is 0 in the user authority database). The result of this experiment indicates that the multicast controller we designed can prevent illegal hosts from getting access to multicast resources.
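The join procedure of Section 4.1, the Kruskal-based tree computation of Section 4.2.1 and the authority-flag check of Sections 4.2.3 and 5.1 can be exercised end to end in the following added Python model. It is written for this edit and is not the paper's NOX controller; the topology, port numbers, source address and the two authorized MAC addresses are constructed, while the two rejected MAC addresses are the ones reported in Experiment 1.

```python
"""Constructed model of the multicast controller: auth-DB check, Kruskal MST, flows."""
from collections import defaultdict

# Constructed user authority database: MAC -> authority flag (1 = allowed).
AUTH_DB = {
    "f0:de:f1:7a:ac:f7": 0,  # client1, rejected in the paper's Experiment 1
    "14:da:e9:62:57:b7": 0,  # laptop that cannot join 239.0.0.1 in the paper
    "00:11:22:33:44:02": 1,  # client2 (constructed MAC), authorized
    "00:11:22:33:44:03": 1,  # client3 (constructed MAC), authorized
}
# Constructed topology of five OFS: weighted links, and the port each switch
# uses towards each neighbour. The MST is the chain s1-s2-s3-s4-s5.
LINKS = [("s1", "s2", 1), ("s2", "s3", 1), ("s3", "s4", 1),
         ("s4", "s5", 1), ("s1", "s5", 10), ("s1", "s3", 5)]
PORT = {("s1", "s2"): 1, ("s2", "s1"): 1, ("s2", "s3"): 2, ("s3", "s2"): 1,
        ("s3", "s4"): 2, ("s4", "s3"): 1, ("s4", "s5"): 2, ("s5", "s4"): 1,
        ("s1", "s5"): 2, ("s5", "s1"): 2, ("s1", "s3"): 3, ("s3", "s1"): 3}
SOURCE = {"ip": "10.0.0.1", "switch": "s1", "port": 10}  # constructed video server

def kruskal(links):
    """Kruskal MST: take edges by rising weight; union-find rejects cycles."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    tree = defaultdict(list)
    for a, b, _w in sorted(links, key=lambda e: e[2]):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb
            tree[a].append(b)
            tree[b].append(a)
    return tree

def root_tree(tree, root):
    """Parent pointer of every switch when the MST is rooted at the source."""
    up, queue = {root: None}, [root]
    for n in queue:  # BFS; the list grows while being iterated
        for m in tree[n]:
            if m not in up:
                up[m] = n
                queue.append(m)
    return up

def build_flows(members, group):
    """Per-switch flow entry: match (source IP, group) -> output port list.
    A switch on the path to several members gets several output ports."""
    up, out = root_tree(kruskal(LINKS), SOURCE["switch"]), defaultdict(set)
    for sw, port in members.values():
        out[sw].add(port)  # edge port towards the member host
        while up[sw] is not None:  # walk up the tree to the source switch
            out[up[sw]].add(PORT[(up[sw], sw)])
            sw = up[sw]
    return {sw: {"match": (SOURCE["ip"], group), "output": sorted(p)}
            for sw, p in out.items()}

class MulticastController:
    def __init__(self):
        self.groups = defaultdict(dict)  # group -> {mac: (switch, port)}
    def join(self, mac, group, switch, port):
        """Authenticate an IGMP join; only flag == 1 users get flow entries."""
        if AUTH_DB.get(mac.lower(), 0) != 1:
            return None  # illegal user: no flow table configured
        self.groups[group][mac.lower()] = (switch, port)
        return build_flows(self.groups[group], group)
    def leave(self, mac, group):  # drop the member, recompute tree and flows
        self.groups[group].pop(mac.lower(), None)
        return build_flows(self.groups[group], group)
```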

5.2 Experiment 2: Delay of joining a multicast group
The delay of joining a group is an important QoS parameter for evaluating performance. In this test the joining delay is defined as the interval from the client's join request to the reception of the first multicast packet. We use traditional routers which support the IP multicast protocol to build the same topology and compare the joining delays of the new scheme and of traditional IP multicast. Many clients try to join the same group in sequence. The comparison of joining delays is shown in Figure 8.

Figure 8 The comparison of joining delay

From the results, we can conclude that our new scheme based on SDN is superior to the traditional IP scheme. The difference between the two scenarios is due to the SDN controller, which is responsible for calculating the multicast tree and determining the route of the flow, thus saving the time consumed by the routing protocol to build a multicast tree.

6 Conclusions
In this paper, we propose a secure multicast scheme based on SDN and design the multicast controller, which is responsible for routing, multicast tree computing, handling join and leave events, user authentication and multicast group management. Our new multicast scheme improves the safety of the network in the following aspects. The user authentication module of the multicast controller authenticates the join request of a user, preventing illegal clients from joining the multicast group and obtaining multicast data packets, thus improving the safety of the multicast network. Switch devices forward packets according to flow entries configured by the controller, so a client cannot become a multicast source that sends packets without permission. This approach assures the reliability of the source. In addition, control commands between the OFS and the multicast controller are transmitted in the secure channel. The test results indicate that our new multicast scheme is superior to traditional IP multicast.

Acknowledgements
This work is supported by the National Natural Science Foundation of China (Grant No. 61240040). We would like to express our thanks to Centec Networks Corporation for providing the OpenFlow switches used in our platform.
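The packet classifier of Section 4.2 and the source-MAC and destination-IP inspection modules of Section 4.2.3 work on the raw packet-in. The following added Python example, not code from the paper or from NOX, builds a constructed IGMPv2 membership report for 239.0.0.1 and classifies it the way those modules would; the checksum validation and the drop of malformed frames are assumptions added here.

```python
"""Constructed packet classifier for the multicast controller (not NOX code)."""
import struct

def _csum(data):
    """RFC 1071 one's-complement checksum; returns 0 for a block that verifies."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_igmp_report(src_mac, src_ip, group):
    """Constructed Ethernet/IPv4/IGMPv2 membership report (type 0x16) for group."""
    g = bytes(map(int, group.split(".")))
    igmp = struct.pack("!BBH4s", 0x16, 0, 0, g)
    igmp = igmp[:2] + struct.pack("!H", _csum(igmp)) + igmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(igmp), 0, 0, 1, 2, 0,
                     bytes(map(int, src_ip.split("."))), g)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    dst_mac = bytes([0x01, 0x00, 0x5E, g[1] & 0x7F, g[2], g[3]])  # RFC 1112 map
    return dst_mac + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip + igmp

def classify(frame):
    """Dispatch a packet-in: LLDP -> topology, IGMP to class D -> user_auth,
    anything else -> pyswitch. Malformed frames are dropped (added check)."""
    if len(frame) < 14:
        return {"module": "drop", "reason": "runt frame"}
    src_mac = ":".join("%02x" % b for b in frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x88CC:
        return {"module": "topology", "src_mac": src_mac}
    if ethertype != 0x0800 or len(frame) < 34:
        return {"module": "pyswitch", "src_mac": src_mac}
    ihl = (frame[14] & 0x0F) * 4
    src_ip = ".".join(map(str, frame[26:30]))
    dst_ip = ".".join(map(str, frame[30:34]))
    if frame[23] == 2 and 224 <= frame[30] <= 239:  # IP proto 2 = IGMP, class D
        igmp = frame[14 + ihl:]
        if len(igmp) < 8 or _csum(igmp) != 0:
            return {"module": "drop", "reason": "bad IGMP checksum"}
        return {"module": "user_auth", "src_mac": src_mac, "src_ip": src_ip,
                "group": ".".join(map(str, igmp[4:8])), "igmp_type": igmp[0]}
    return {"module": "pyswitch", "src_mac": src_mac, "dst_ip": dst_ip}
```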

References
[1] Matthew J. Moyer, Josyula R. Rao, Pankaj Rohatgi, A Survey of Security Issues in Multicast Communications, IEEE Network, Volume 13, Issue 6, pp.12-23, 1999.
[2] S. Deering, Host extensions for IP multicasting, RFC 1112, Internet Engineering Task Force, 1989.
[3] Wang Li, Liu Dong, A Survey of Multicast Control in Mobile Internet, International Conference on Wireless Communications, Networking and Mobile Computing, pp.1-4, 2006.
[4] Pragyansmita Paul, S.V. Raghavan, Survey of multicast routing algorithms and protocols, in Proceedings of the 15th International Conference on Computer Communication, pp.902-926, 2002.
[5] Christophe Diot, Brian Niel Levine, Bryan Lyles, Hassan Kassem, Deployment issues for the IP multicast service and architecture, IEEE Network, Volume 14, Issue 1, pp.78-88, 2000.
[6] Nick McKeown, Tom Anderson, Hari Balakrishnan, Guru Parulkar, OpenFlow: Enabling Innovation in Campus Networks, ACM SIGCOMM Computer Communication Review, Volume 38, pp.69-74, 2008.
[7] Vijay K. Gurbani, Michael Scharf, T.V. Lakshman, Abstracting network state in Software Defined Networks (SDN) for rendezvous services, IEEE International Conference on Communications, pp.6627-6632, 2012.
[8] SDN, https://www.opennetworking.org/.
[9] W. Fenner, Internet Group Management Protocol, Version 2, RFC 2236, Internet Engineering Task Force, 1997.
[10] Yang Yu, Qin Zhen, OFM: A Novel Multicast Mechanism Based on OpenFlow, Advances in Information Sciences and Service Sciences, Volume 4, Issue 9, pp.278-286, 2012.
[11] Linfeng Hong, Dongxu Zhang, Hongxiang Guo, OpenFlow-based Multicast in IP-over-LOBS Networks: a Proof-of-Concept Demonstration, 17th Opto-Electronics and Communications Conference (OECC), pp.435-536, 2012.
[12] Daisuke Kotani, Kazuya Suzuki, Hideyuki Shimonishi, A design and implementation of OpenFlow Controller handling IP multicast with Fast Tree Switching, IEEE/IPSJ 12th International Symposium on Applications and the Internet, SAINT 2012, pp.60-67.
[13] Cesar A. C. Marcondes, Tiago P. C. Santos, Arthur P. Godoy, CastFlow: Clean-slate multicast approach using in-advance path processing in programmable networks, IEEE Symposium on Computers and Communications (ISCC), pp.000094-000101, 2012.
[14] Natasha Gude, Teemu Koponen, NOX: towards an operating system for networks, ACM SIGCOMM Computer Communication Review, Volume 38, pp.105-110, 2008.
[15] OpenFlow Specification, online, available at http://www.OpenFlow.org/wk/index.php/Main_Page.
[16] NOX, https://github.com/noxrepo/.
