Multimedia Networks Group
Networking Research at the University of Virginia
University of Virginia>Computer Science Dept.> Multimedia Networks Group> projects>firewalls 

      Introduction, Research Statement...

      Faculty, Postdocs, Students, Alumni...

      INDRA, QoSbox, HyperCast, RouteConfig, VintLab, Traffic Engineering...

      QoS Networks, Super-Scalable Multicasting, Hybrid Fiber Coax Networks...


 Private Links 
      For group members only.


MBONE through Internet Firewalls


Currently I am working on a research project with Jörg Liebeherr on safely routing MBONE traffic through internet firewalls. This will enable corporations and other institutions that have LANs behind firewalls to participate in the MBONE without compromising their security. This research is being done in the Multimedia Networks Group at UVA.

The setup will consist of a mbone gateway process running on the edge of the LAN. The way the system will work is that the mbone gateway process sets up "connections" (multicast groups that are allowed through the firewall) using socks. Any internal host on a multicast capable subnet will be able to join a multicast group just as he would if he were not behind the firewall. If the multicast TTL is high enough for the traffic to go outside the firewall, the mbone gateway will send a request for the group to be routed through the firewall.

Once the requested group has been allowed through the firewall, the mbone gateway can perform additional checks on traffic for more customizable security. These capabilities include:

  • Source host checking (for allowing only certain hosts to transmit through the firewall, or for denying specific hosts)
  • Destination port checking
  • Packet contents (unwrapping encapsulated IP)
  • Regulating bandwidth allocated to a multicast group's traffic

The mbone gateway will be a multicast routing daemon that has been changed in the following ways:

  • Only accepts incoming traffic that has passed through the socks server
  • Optionally keeps a list of what specific hosts are allowed to transmit through the firewall
  • Communicates with a daemon running on internal user's machines to send requests for new senders (when a new person wants to transmit through the firewall, the receiver optionally has to allow it)
  • Optionally regulates bandwidth allowed for multicast groups


© 1996-2003 Multimedia Networks Group. Please send feedback to Jörg Liebeherr.