IPTV Access Methods with RADIUS-Server Authorization

Document Type : Research Paper

Authors

1 Bonch-Bruevich Saint-Petersburg State, University of Telecommunications, St. Petersburg, 193232, Russian Federation

2 Biomedical Engineering Department, Al-Mustaqbal University College, 51001 Hillah, Babil, Iraq.

3 Bonch-Bruevich Saint-Petersburg State, University of Telecommunications, St. Petersburg, 193232, Russian Federation.

10.22059/jitm.2022.86929

Abstract

Security is one of the most important aspects of data transmission. To provide controlled access to the network, user authorization and authentication are often used with the help of an AAA server. RADIUS servers provide users with access to data, user authentication, and configuration information. When designing networks that implement this access control method, it is necessary to understand how the characteristics of the communication channel affect the switching time of IP-TV channels, and therefore the overall quality of IP-TV services. The principles of the main protocols for IP-TV using a RADIUS server are described. The main parameters of the communication channel were identified. The mathematical model and the graphs demonstrate how IP-TV service access time depends on telecommunication channel parameters. The results of a practical experiment are presented to prove the formed mathematical model. The results of a practical experiment and theoretical calculation are compared.

Keywords


Introduction

IP-TV is a technology (standard) of digital television in IP data transmission networks, a new generation of television. As a rule, when organizing IP-TV broadcasting over packet-switched networks, multicast transmission is used. Multicast traffic (multicast packets) is used for video streaming. Multicast delivers video content to an unlimited number of subscribers without network overload (Kovtsur and Polyanicheva, 2019; Kovtsur, 2019). Service is provided in such a way that each channel appears as a separate multicast group. To watch the content, the user must subscribe to a group and leave the group at the end of the viewing session.

IGMP (Internet Group Management Protocol) (Krasov, 2020; RFC, 2019) is used to join or leave a group. The network model is shown in Figure 1.

 

Figure 1. Network model.

The basic rules for the IGMP protocol are as follows:

  • IP-TV client sends a "report" type IGMP packet to start the process of connecting to a distribution group;
  • The node sends a "Leave" packet when disconnected from a distribution group;
  • A router or a switch with multicast support sends IGMP general queries to the network at specified time intervals. These queries make it possible to determine the current status of distribution groups;
  • IP-TV client responds to IGMP general query indicating the addresses of the channels being viewed.

One of the important aspects in the organization of IP-TV is user authorization during a channel request. IGMP access lists can be used for this task, but this approach requires updating the lists on the equipment when the customer's tariff plan changes. The most popular approaches are either using media encryption and provider portals, or using RADIUS authorization for multicast. When using portals, the provider loads specialized software on the client's equipment, but this approach reduces the amount of supported equipment (RFC, 2020). In the case of RADIUS authorization, the user can use almost any software for watching IP-TV.

Methodology

When IP-TV RADIUS authorization is implemented, additional time is incurred because the switch must request permission to connect to the group for each individual client. The RADIUS Timeout parameter can also affect the time of access to the service. It specifies how long the switch waits for a RADIUS Response from the RADIUS server before deeming an authorization attempt unsuccessful. Some delays in the communication channel are introduced by periodic polling of clients with IGMP General query packets. All these delays affect the channel switching time. The study is devoted to assessing the influence of the parameters of the communication channel on the speed of providing access to the IP-TV service (Podgornov, 2020).

Let’s take the communication channel with the following parameters: delay Ddist, bit error probability P0 and bandwidth Cdist.

The model of the user authorization process is shown in Figure 2. The following model parameters are used to estimate the time characteristics:

  • Transmission time of the service access request from the client to the provider's switch port - T12 (s);
  • Time needed for the switch to process a user's request, depending on the equipment – T23 (s);
  • Amount of time the switch waits for a RADIUS Response from the RADIUS server - Ttimeout (s);
  • Timeout for client response to IGMP request - TtimeoutIGMP (s);
  • Time between repeated sending of requests from the switch to the RADIUS server - Trepeat (s);
  • Processing time for a multicast packet, depends on the equipment - Tcash (s);
  • Processing time of the RADIUS server - TRADIUS (s);
  • The number of repetitions of the RADIUS Request message by the switch - nrepeat
  • Delay in the communication channel between the authenticator and the RADIUS server - Ddist (ms);
  • Delay in the communication channel between the user and the authenticator - Ddist_success (ms);
  • Transmission time of multicast packet from the switch port to the user - T56 (s);
  • Time of multicast stream caching on user's IP-TV client - Tcash (s);
  • Size of the Access Request packet - Nrqr (bits);
  • IGMP packet size - Nrqi (bit);
  • Access Response packet size - Nrs (bits);
  • Multicast packet size - Nm (bit);
  • Communication channel speed - Cdist (bit / s).

 

 

Figure 2. Model of the client authorization process.

Let's compose a probabilistic graphical model which describes the process of user authorization for the IP-TV service access (Kovtsur, 2019). The graph is shown in Figure 3, where each branch corresponds to a transition from one state to another according to the model of the client authorization process.

 

Figure 3. Graphical model of the client authorization process.

The numbering of the vertices of the graphical model corresponds to the numbering of the nodes in Figure 3. The transition 1-6 corresponds to the successful completion of the authorization process, and the transition 1-7 describes the process of unsuccessful authorization (Goldstein, 2014; Nikitin, 2010). The transition 1-9 corresponds to the user's access to the IP-TV service.

The formula for calculating the probability of a successful transmission of an authorization request from the switch to the RADIUS server is as follows:

, where Nrqr is the size of the RADIUS Request message in bits, P0 is the probability of a bit error in the communication channel (Nikitin, 2012).

The generating function of the branch H36 is defined by the formula:

, where: (1)

The probability of an unsuccessful transmission of an authorization request as an opposite event is defined by the formula:

(2)

Then, the generating function of the branch H34 is as follows:

(3)

Other intermediate generating functions are defined in a similar way.

The branch for unsuccessful completion of the authorization process is:

(4)

The branch for successful completion of the authorization process Tsuccess is:

(5)

Let's calculate the generating function of full protocol completion. The completion time T is determined by the formula [5].

(6)

The probability of successful user authorization to access the IP-TV service is defined by the formula:

(7)

Next, we will compose graphs showing dependencies between the time of successful access to IP-TV service and the main parameters of the communication channel.

The graph showing the dependence of the service access time with a bit error P0 = 10⁻⁷ on the delay in the communication channel is as follows:

 

Figure 4. Graph of dependence of service access time on channel delay.

 

Graphs showing the dependence of service access time on the bit error in the channel at several different delay values:

 

Figure 5. Graph of dependence of service access time on bit error in the channel.

The resulting graphs allow predicting the value of the service access time with known parameters of the bit error and delay in the communication channel. Next, we will confirm the obtained dependences using a practical experiment.
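The way access time reacts to channel delay and bit error probability can be reproduced numerically with a plain retry model. The following Python code is an added example, not the authors' model or their equations (1)-(7): it assumes independent bit errors, an attempt that fails whenever the Access Request or the response is corrupted, and a cost of Ttimeout + Trepeat per failed attempt. The timer values and packet sizes in the demo are constructed.

```python
# Added illustration: simplified retry model, not the paper's generating functions.
from dataclasses import dataclass

@dataclass
class Link:
    d_dist: float  # one-way delay switch <-> RADIUS server, s (Ddist)
    p0: float      # bit error probability (P0)
    c_dist: float  # channel speed, bit/s (Cdist)

@dataclass
class Timers:
    t_timeout: float  # wait for a RADIUS response, s (Ttimeout)
    t_repeat: float   # pause before resending, s (Trepeat)
    n_repeat: int     # maximum Access Request transmissions (nrepeat)
    t_radius: float   # RADIUS server processing time, s (TRADIUS)

def attempt_success_prob(link, n_rqr, n_rs):
    """Request and response both arrive intact (assumes independent bit errors)."""
    return (1.0 - link.p0) ** (n_rqr + n_rs)

def authorization_stats(link, timers, n_rqr, n_rs):
    """Return (P_success, mean RADIUS exchange time in s given success)."""
    p = attempt_success_prob(link, n_rqr, n_rs)
    # One clean exchange: round trip + serialization of both packets + server time.
    t_ok = 2 * link.d_dist + (n_rqr + n_rs) / link.c_dist + timers.t_radius
    t_fail = timers.t_timeout + timers.t_repeat  # assumed cost of one lost attempt
    p_success = weighted = 0.0
    for k in range(timers.n_repeat):  # k failed attempts, then one success
        pk = (1.0 - p) ** k * p
        p_success += pk
        weighted += pk * (k * t_fail + t_ok)
    if p_success == 0.0:
        return 0.0, float("inf")  # authorization can never complete
    return p_success, weighted / p_success

if __name__ == "__main__":
    # Constructed timer values and packet sizes, for illustration only.
    timers = Timers(t_timeout=2.0, t_repeat=0.0, n_repeat=3, t_radius=0.04)
    for p0 in (1e-7, 1e-5, 1e-4):
        for delay_ms in (0, 50, 150):
            link = Link(delay_ms / 1000, p0, 100e6)
            ps, t = authorization_stats(link, timers, n_rqr=1600, n_rs=800)
            print(f"P0={p0:g} delay={delay_ms:3d} ms "
                  f"P_success={ps:.6f} mean={t * 1000:.1f} ms")
```

In this model the delay adds a fixed round trip to every exchange, while a higher bit error probability adds whole timeout periods, which is why errors dominate once they are frequent enough to trigger retransmissions.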

Results

To study this method, a test stand was assembled; its diagram is shown in Figure 5. The equipment was configured to provide IP-TV services using RADIUS authorization. The experiment showed that implementing IP-TV RADIUS authorization introduces additional time costs caused by the need for the switch to request permission to connect to the group for each individual client (Krasov, 2017a; Krasov 2017b).

 

Figure 6. Test stand diagram.

The switch has been configured to process subscriptions to the channel with the IP address 239.1.1.2, with the multicast traffic source connected to switch port 3. RADIUS authorization has been configured for channel subscriptions on switch port 2, which is the port the client computer is connected to. When a subscription to a channel is requested, the switch sends a request to a RADIUS server located in the 10.0.10.0 network behind a software router in the form of the FreeBSD m0n0wall distribution, which can be used to introduce a delay in the communication channel (Krasov, 2017a; Krasov 2017b).

m0n0wall is a software firewall that can perform various manipulations with packets passing through it using special rules. One of its features is the creation of rules for delaying packets for a specified time, so that you can emulate the presence of any delays in the communication channel (Vitkova, 2018). In the test stand, m0n0wall acts as a router between networks 10.0.10.0 and 192.168.4.0, and all packets passing from one network to another through it are delayed. This study examines the effect of the delay in the communication channel between the switch and the RADIUS server on the access time to the IP-TV service; the delay in the communication channel between the user and the switch is assumed to be zero (Gerasimova, 2016).

To calculate the access time to the IP-TV service, the time difference between the IGMP request packet and the first UDP packet with multicast traffic was calculated; an example is shown in Figure 7.

 

 

Figure 7. Test stand diagram.

Table 1 summarizes the results of the experiment, which are reflected in the graph (Figure 8).

Table 1. Measurement result.

| Delay (ms) | Number of tests | Service access time (ms) | Delay of RADIUS (ms) |
|---|---|---|---|
| 0 | 3 | 80 | 47 |
| 5 | 3 | 92 | 53 |
| 25 | 3 | 130 | 91 |
| 50 | 10 | 182 | 141 |
| 75 | 3 | 223 | 192 |
| 100 | 10 | 283 | 242 |
| 150 | 3 | 419 | 342 |

 

Figure 8. Comparison of theoretical and experimental dependence of the time of access to the service.
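The measurements in Table 1 can be checked against the expectation that every millisecond of injected delay is paid twice, once by the request and once by the response crossing the delaying router. The following Python code is an added analysis, not the authors' code: it fits a least-squares line to the table values copied from the page, and the interpretation of the slope is an assumption of this example.

```python
# Added analysis of Table 1 (values copied from the page); not the authors' code.
# Columns: injected delay (ms), number of tests,
#          service access time (ms), delay of RADIUS (ms)
TABLE_1 = [
    (0, 3, 80, 47),
    (5, 3, 92, 53),
    (25, 3, 130, 91),
    (50, 10, 182, 141),
    (75, 3, 223, 192),
    (100, 10, 283, 242),
    (150, 3, 419, 342),
]

def least_squares(xs, ys):
    """Ordinary least-squares line y = a + b*x; returns (a, b)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    return my - b * mx, b

def fit_table(rows=TABLE_1):
    """Fit both measured columns against the injected delay."""
    delay = [r[0] for r in rows]
    access = least_squares(delay, [r[2] for r in rows])
    radius = least_squares(delay, [r[3] for r in rows])
    # Share of the access time that is not the RADIUS exchange
    # (IGMP handling, forwarding of the first multicast packet).
    non_radius_ms = [r[2] - r[3] for r in rows]
    return {"access": access, "radius": radius, "non_radius_ms": non_radius_ms}

if __name__ == "__main__":
    result = fit_table()
    for name in ("access", "radius"):
        a, b = result[name]
        print(f"{name:7s}: {a:6.1f} ms + {b:.3f} * delay")
    print("non-RADIUS share (ms):", result["non_radius_ms"])
```

On the page's data the RADIUS column grows by about 1.98 ms per millisecond of injected delay, which matches a request and a response each crossing the delayed link once. The remaining part of the access time stays between 31 and 41 ms except for the 150 ms row, where it is 77 ms.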

 

Conclusion

The results of the experiment confirmed the theoretical calculations. This makes it possible to apply the developed mathematical model to determine service access time when using RADIUS authorization in IP-TV solutions. Errors in the communication channel most strongly affect the service access time.

One possible way to improve service access time is to cache the previous RADIUS responses on the switch, which reduces the load on the RADIUS server and saves the time it usually takes to process authorization requests.

Future challenges include investigating the impact of load on RADIUS server response times.

The article shows that the use of RADIUS authorization provides a flexible approach, but it introduces additional time costs.

Conflict of interest

The authors declare no potential conflict of interest regarding the publication of this work. In addition, the ethical issues including plagiarism, informed consent, misconduct, data fabrication and, or falsification, double publication and, or submission, and redundancy have been completely witnessed by the authors.

Funding

The author(s) received no financial support for the research, authorship, and/or publication of this article

References

Kovtsur, M., and Polyanicheva, A. (2019). Method for IPTV Service Authentication with RADIUS-server. Apino., vol. 1, pp. 466-471, 2018.
Kovtsur, M., Kozmyan, A., and Tverdohlebova, Y. (2019). Research of RADIUS Authorization of Users for the IP-TV Service in the Collection. Digital region., pp. 351-354.
Krasov, A., Pestov, I., Gelfand, A., Kazantsev, A., & Polyanicheva, A. (2020). Using Mathematical Forecasting Methods to Estimate the Load on the Computing Power of the IoT Network. In The 4th International Conference on Future Networks and Distributed Systems (ICFNDS) (pp. 1-6).
RFC 2865: Remote Authentication Dial In User Service (RADIUS) [Web resource] – access mode http://www.rfc-base.org/rfc-2865.html/. Accessed on 21-July-2019.
RFC 3376: Internet Group Management Protocol, Version 3 [Web resource] – access mode https://tools.ietf.org/html/rfc3376/. Accessed on 21-September-2020.
Podgornov, N., Davydov, R., Zotov, D., Antonov, V., Maslikov, V., & Maslikova, E. (2020). Mathematical Modelling of The Operation of A Multistage Flood Control System Using Parallel Computations. In The 4th International Conference on Future Networks and Distributed Systems (ICFNDS) (pp. 1-7).
Kovtsur, M., Kozmyan, A., and Tverdohlebova, Y. (2019). Investigation of the Mechanism for Providing Access to the IP-TV Service Using the Radius Server. Apino., vol. 1, pp. 528-532, 2019.
Goldstein, B., Elagin, V., and Senchenko, Y. (2014). AAA Protocols: RADIUS and DIAMETER. BHV-Petersburg Vol. 9, 2014.
Nikitin, V., and Yurkin, D. (2010). Improving Authentication Methods for Failed Communication Channels. MIS., vol. 6, pp. 42-46.
Nikitin, V., Kovtsur, M., and Yurkin, D. (2012). Assessment of the Probabilistic-Temporal Characteristics of the IP-Telephony Security. Insider., vol. 4, pp. 64.
Krasov, A., Losin, E., and Ushakov, I. (2017). Security Issue of Multicast Transmission in IP Networks. Apino., vol. 1, pp. 295-301.
Krasov, A., Saharov, D., Ushakov, I., and Losin, E. (2017). Securing the Transmission of Multicast Traffic in IP Networks. Inside., vol. 3, pp. 34-42.
Vitkova, L., Dudnikova, M., and Petrova, A. (2018). Information Security Management Issues. Apino., vol. 1, pp. 143-146, 2018.
Gerasimova, V. (2016). TV Programs Transmission Over IP Networks. Compos., vol. 7, pp. 96-100.