How do you put a TV station on the Mbone?
jra at baylink.com
Thu May 5 19:45:06 UTC 2011
----- Original Message -----
> From: "George Bonser" <gbonser at seven.com>
> So using multicast for things like software updates to computers over
> the general internet to the general public probably isn't going to
> Encryption is also an issue because it doesn't really work well over
> multicast. How do I encrypt something in a way that anyone can decrypt
> but nobody can duplicate? If I have a separate stream per user, that
> that's easy. If I have one stream for all users, that is harder. The answer
> is probably in some sort of digital signature but not really
Um, yeah; that'd be private key digital signature.
> Using public/private key encryption over multicast, I would have to
> distribute the private key so others could decrypt the content. If
> they have the private key, they can generate a public key to use to
> generate content.
> Encryption is probably overkill anyway. What is needed is a mechanism
> simply to say that the content is certified to have come from the
> source it claims to come from. So ... basically ... better not to use
> multicast for anything you really might have any security issues with.
> Fine for broadcasting a video, not so fine for a kernel update.
Nah; you're overthinking it. Signed updates solve the problem just fine.
Note that Linux (SuSE/YAST/YOU) does this already.
But you *are* expanding the attack surface, and the signature/PKI
infrastructure has to be correspondingly more robust.
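The signed-update mechanism discussed above, as an added example that is not part of the original thread: one keypair at the publisher, the public key distributed to every receiver, the same signed bytes sent to all of them (as over a multicast group). The names, payload and the `SignedUpdate` format are constructed for this illustration, using only Go's standard-library Ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedUpdate is a constructed wire format: the update payload together with
// the publisher's signature over it. Every receiver gets identical bytes and
// checks them against the one public key it already trusts.
type SignedUpdate struct {
	Payload   []byte
	Signature []byte
}

// NewPublisher generates the publisher's keypair. The private key never leaves
// the publisher; only the public key is handed out to receivers.
func NewPublisher() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Publish signs a payload. Anyone with the public key can verify the result,
// but nobody without the private key can produce a signature that verifies.
func Publish(priv ed25519.PrivateKey, payload []byte) SignedUpdate {
	return SignedUpdate{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Verify is the receiver-side check that runs before anything is installed:
// a modified payload or a signature from a different key both fail here.
func Verify(pub ed25519.PublicKey, u SignedUpdate) bool {
	return ed25519.Verify(pub, u.Payload, u.Signature)
}

func main() {
	pub, priv, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for an update image.
	update := Publish(priv, []byte("constructed kernel update payload v1"))
	fmt.Println("genuine update verifies:", Verify(pub, update))

	// A receiver that sees the payload altered in transit rejects it.
	altered := SignedUpdate{Payload: append([]byte{}, update.Payload...), Signature: update.Signature}
	altered.Payload[0] ^= 0xff
	fmt.Println("altered payload verifies:", Verify(pub, altered))
}
```

The private key is the only secret, and the receivers hold none, which is what makes a single shared stream workable; the cost, as the message above notes, is that the key and the path by which receivers obtained the public key now have to be protected as carefully as the update itself.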