Firewalls

Firewalls are used to prevent traffic entering a site (and sometimes to prevent traffic leaving a site). They work on assuming that the services that people use are fixed and well-known and can be configured in a filtering table. However, multicast uses dynamically assigned addresses, and to allow users access to traffic requires a programmable filter.

The safest way of achieving dynamic programming is to use a pair of multicast relay machines either side of the firewall. The machine on the unfriendly side of the firewall receives all the multicast traffic, and only allows groups through which it has been programmed to accept. It then encapsulates the traffic and sends it through to the other side of the relay, which checks the origin of the traffic (to prevent spoofing), unwraps it and sends it out. The dynamic programming can be achieved through authenticated RPC control, and sensible policy in recognising which sessions should be allowed.