AoIP III: Management and security
In the first part of this AoIP series we reviewed the advantages of using this technology in our production environments and its main differences compared with traditional audio, whether analogue or digital. In the second part, we addressed its practical applications and the features AoIP systems need in order to deliver those distinct functionalities. In this third part, we will focus on how to securely control and maintain our AoIP network, concepts so far unheard of in linear digital or analogue audio environments but commonplace in IT environments for more than 30 years now.
In traditional linear systems, be they SDI, AES or MADI, tracking where the signals went was fairly easy. After all, they were point-to-point connections. The problem inherent to these systems was scalability. Introducing redundancy into a linear system is ‘as simple’ as duplicating equipment, signals and connections. But what happens if our array is full, if we have no additional equipment, or if simply no more cables fit? Then we have a problem.
This complexity in growing a system led to two extremes: a static, rather rigid system designed for a specific use and a given size; or an oversized, expensive system that gains flexibility at the cost of growing disproportionately. Neither situation was desirable.
IP and redundancy are almost synonymous
In IT environments, redundancy is part of the design and intrinsic to the features of the equipment. Achieving it does not involve duplicating cabling or equipment, since the connectivity itself carries signals of any kind bidirectionally, and in greater numbers than linear systems can: IP is data-agnostic.
Whether it is a video signal, an audio signal, an Ethernet frame or any other data packet to be transferred, the IP infrastructure carries it and offers the same features, including redundancy. In fact, increasing the capacity of a network, whether in number of signals or in bandwidth, does not usually require duplicating equipment or cabling: trunk connections are established between devices and their capacity is shared, as simple as that.
The ‘issue’ is that one additional layer of abstraction is added compared with linear systems. In the latter, following the cable was enough to know how a system was connected; in IP it is not. A single cable carries multiple signals, multiplexed and bidirectional, between several devices, so ‘following the cable’ no longer works. In exchange, the redundancy we have just gained is, in practice, almost unattainable in linear systems.
Beyond redundancy, sharing the same equipment, cable or simply the overall capacity of the system between different productions, be they studios, mobile units or similar, is natural and intrinsic to the system. There is no need to worry about signals crossing each other; the system takes care of that for us.
And this is one of the great benefits of IP systems, audio or otherwise: doing more with the same, or even with less. It is no longer necessary to size the equipment exactly, or to oversize it according to a guess at future use; it is not only that scaling up and sharing resources between productions is easy, it is simply the right way to go.
With all this maelstrom of shared resources, one question always comes to mind: what if an operator uses a resource that belongs to another production, thus impacting it? In linear systems this would be nearly impossible, unless someone pulled the wrong cable or got into someone else’s control panel; in IP environments it is enough to choose the wrong crosspoint in the software to wreak havoc.
That is why user authentication, beyond security, is essential in order to properly control these shared resources and establish strict rights and limits on their use. As you can see, the issue is not someone unauthorized accessing our resources, but rather that a person with operational capacity makes a mistake and creates chaos, not only in their own production but in productions running in parallel. And, on top of the impact of the incident itself, detecting the source of the problem and correcting it is usually neither quick nor effective.
Attention, unauthorized access
Before dealing with security, let us delve a little further into access control. This requires two things: authentication and rights control. The former is provided by the standard corporate IT environment, typically through the LDAP protocol. Put very simply, it is a centralized directory in which all the credentials used throughout the corporate environment are stored, and to which every subsystem can connect to look up the credentials of a particular user.
This makes adding or removing users from one system, or from several at once, much easier. Normally a user does not only access one specific system to operate it, but also needs access to a microphone, an audio processor, a mixer, or a recording and encoding system, for example. Having to recreate the same credentials in every one of them is very tedious, not to mention updating, maintaining and eventually deleting them. Practically unfeasible.
Once authentication is dealt with, let us move on to rights control. This part must be addressed system by system. In LDAP we define the user's credentials and which systems they may access, but the rights within each system are so specific to it that they must be set on a case-by-case basis.
This solves user management, maintenance and access control in a simple and practical way, so that sharing resources is neither a headache nor a risk.
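The split described in this section, authentication by the central directory and rights control by each system, together with the ‘wrong crosspoint’ scenario from the previous section, can be made concrete. The following is an added example, not code from the article or from any AoIP vendor: the LDAP step is simulated by a lookup returning the groups an already-authenticated user belongs to, and the routing matrix then enforces its own ownership rules and records every decision, allowed or denied, so that the source of a mistake can be found quickly. All user, group and stream names are constructed.

```python
"""Added example: directory authentication separated from per-system rights
control in an AoIP routing matrix. The LDAP lookup is simulated; every name
below is constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed stand-in for the group memberships an LDAP lookup would return
# for a user the directory has already authenticated.
DIRECTORY_GROUPS: Dict[str, Set[str]] = {
    "ana":  {"aoip-operators", "prod-studio-a"},
    "luis": {"aoip-operators", "prod-obvan-1"},
    "eva":  {"aoip-admins"},
}

def groups_for(user: str) -> Set[str]:
    """Result of the (simulated) central directory lookup for a user."""
    return DIRECTORY_GROUPS.get(user, set())

# Rights specific to this system: which production owns each stream or
# receiver. Shared house sources may be subscribed to by any production.
SHARED = "shared"
STREAM_OWNER: Dict[str, str] = {
    "mic-1":        "prod-studio-a",
    "mixer-a-out":  "prod-studio-a",
    "codec-a-rx":   "prod-studio-a",
    "mic-2":        "prod-obvan-1",
    "codec-ob1-rx": "prod-obvan-1",
    "timecode":     SHARED,
}

@dataclass
class RoutingMatrix:
    routes: Dict[str, str] = field(default_factory=dict)   # receiver -> source
    audit: List[str] = field(default_factory=list)         # every decision taken

    def authorize(self, user: str, source: str, receiver: str) -> Tuple[bool, str]:
        """Decide whether `user` may patch `source` into `receiver`."""
        groups = groups_for(user)
        if not groups:
            return False, "unknown user"
        if "aoip-admins" in groups:
            return True, "admin override"
        if "aoip-operators" not in groups:
            return False, "not an operator"
        if source not in STREAM_OWNER or receiver not in STREAM_OWNER:
            return False, "unknown stream"
        rx_owner, src_owner = STREAM_OWNER[receiver], STREAM_OWNER[source]
        # The receiver must belong to one of the caller's own productions ...
        if rx_owner == SHARED or rx_owner not in groups:
            return False, f"receiver belongs to {rx_owner}"
        # ... and the source must be the caller's own or a shared house feed.
        if src_owner != SHARED and src_owner not in groups:
            return False, f"source belongs to {src_owner}"
        return True, "ok"

    def set_route(self, user: str, source: str, receiver: str) -> bool:
        """Apply the change only if authorized; record the decision either way."""
        allowed, reason = self.authorize(user, source, receiver)
        self.audit.append(f"{'ALLOW' if allowed else 'DENY'} user={user} "
                          f"{source}->{receiver} ({reason})")
        if allowed:
            self.routes[receiver] = source
        return allowed

def demo() -> RoutingMatrix:
    """Walk through the 'wrong crosspoint' scenario from the text."""
    m = RoutingMatrix()
    m.set_route("ana", "mic-1", "codec-a-rx")        # own production: allowed
    m.set_route("ana", "mic-1", "codec-ob1-rx")      # someone else's receiver: denied
    m.set_route("luis", "timecode", "codec-ob1-rx")  # shared source: allowed
    m.set_route("luis", "mic-1", "codec-ob1-rx")     # another production's mic: denied
    m.set_route("mallory", "mic-2", "codec-a-rx")    # not in the directory: denied
    m.set_route("eva", "mic-2", "codec-a-rx")        # admin: allowed
    return m

if __name__ == "__main__":
    for line in demo().audit:
        print(line)
```

The point of the design is that the directory knows who the user is and which productions they belong to, while only the routing matrix knows which receivers and sources belong to which production; neither piece of knowledge is duplicated into the other system, and the audit trail is written for denials as well as for applied changes.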
More IP… I mean, IT
In addition to integration with user control systems such as LDAP, there are many more things that AoIP systems can borrow from IT. Monitoring, for example.
Given the typically high complexity of IT systems, it is standard practice to use tools such as Nagios, PRTG, Grafana or Datadog to discover and monitor the entire network in real time. Alarms of almost any kind can be set, and trends established to predict when a system will fail or exceed a certain capacity threshold, making it possible to foresee when to expand or replace part of the network.
Another very practical protocol is SNMP, which allows new systems connected to the network to be discovered and ‘auto-configured’, making it even more scalable and easier to expand.
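The threshold alarms and capacity prediction mentioned above reduce to a small amount of arithmetic on polled interface counters. The following is an added example, not code from the article or from any of the tools it names: it takes cumulative octet counters of the kind SNMP exposes per interface (the samples here are constructed), converts them to per-interval link utilization, raises an alarm when a threshold is exceeded, and fits a linear trend to forecast when the threshold would be reached. The link speed, polling interval and threshold are assumptions chosen for the example.

```python
"""Added example: link utilization alarms and a capacity forecast from polled
interface counters. Samples, link speed and threshold are constructed."""
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed samples: (timestamp in seconds, cumulative octets) as polled
# every 60 s from a 64-bit interface byte counter.
SAMPLES: List[Tuple[int, int]] = [
    (0,   0),
    (60,  3_750_000_000),
    (120, 7_875_000_000),
    (180, 12_375_000_000),
    (240, 17_250_000_000),
]
LINK_BPS = 1_000_000_000   # assumed 1 Gbit/s link
ALARM_UTIL = 0.80          # assumed alarm threshold: 80 % utilization

def utilizations(samples: Sequence[Tuple[int, int]], link_bps: float,
                 counter_bits: int = 64) -> List[Tuple[int, float]]:
    """Turn cumulative counter samples into (interval end, utilization).
    Counters only increase, so a negative delta means the counter wrapped."""
    out = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        delta = c1 - c0
        if delta < 0:
            delta += 1 << counter_bits
        bps = delta * 8 / (t1 - t0)
        out.append((t1, bps / link_bps))
    return out

def fit_line(points: Sequence[Tuple[float, float]]) -> Tuple[float, float]:
    """Least-squares slope and intercept of utilization over time."""
    n = len(points)
    mt = sum(t for t, _ in points) / n
    mu = sum(u for _, u in points) / n
    sxx = sum((t - mt) ** 2 for t, _ in points)
    if sxx == 0:
        return 0.0, mu
    slope = sum((t - mt) * (u - mu) for t, u in points) / sxx
    return slope, mu - slope * mt

def forecast_crossing(points: Sequence[Tuple[float, float]],
                      threshold: float) -> Optional[float]:
    """Time (s) at which the fitted trend reaches the threshold; None if
    utilization is flat or falling."""
    slope, intercept = fit_line(points)
    if slope <= 0:
        return None
    return (threshold - intercept) / slope

def evaluate(samples: Sequence[Tuple[int, int]], link_bps: float,
             threshold: float) -> Dict[str, object]:
    """Alarms for intervals over the threshold plus the predicted crossing."""
    utils = utilizations(samples, link_bps)
    return {
        "utilization": utils,
        "alarms": [t for t, u in utils if u > threshold],
        "crossing_at": forecast_crossing(utils, threshold),
    }

if __name__ == "__main__":
    result = evaluate(SAMPLES, LINK_BPS, ALARM_UTIL)
    for t, u in result["utilization"]:
        print(f"t={t:4d}s utilization={u:.0%}")
    print("alarms:", result["alarms"])
    print("threshold reached at about", result["crossing_at"], "s")
```

With the constructed samples the link climbs from 50 % to 65 % utilization over four minutes, so no alarm has fired yet, but the trend reaches the 80 % threshold at 420 s, which is exactly the kind of early warning the monitoring tools above are used for. The counter-wrap handling matters in practice for 32-bit counters on fast links, which roll over in well under a minute at gigabit rates.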
What if we make it even more virtual?
Finally, we introduce another concept that is disruptive in broadcast environments but widespread in the IT world: virtualization. We are not referring to cloud environments (although that too) but to virtual environments. Let us go a little deeper.
A virtual IT environment is one in which computing resources do not exist discretely in the form in which they are used. That is, there is no dedicated processor, RAM, hard disk and motherboard for each running machine, but a pool of these that is split or combined to virtualize as many machines, small or large, as needed within the total limit of available resources.
More pragmatically: there are a number of computers, usually powerful and interconnected, with a management system that allows them to be split and combined in order to provide users with a certain number of configurable computers. For those of us who come from a pure broadcast environment, in which machines did what they did and could be physically operated, this takes a second or third reflection.
However, combined with everything seen so far, virtualization gives us a level of flexibility, capacity, resource sharing and security unheard of in linear environments, together with an optimization of equipment costs that was simply unthinkable a few years ago.
AoIP is not only about taking our signals from a balanced cable to an Ethernet one, but also about breaking with the traditional concepts of signal processing in order to embrace the great benefits offered by IT environments. It is not easy, especially at a logical and conceptual level, but if we manage to break away from the established paths and adopt these ‘new technologies’, which have been around for 30 years, we will realize the great advantages they provide.
Special care must be taken with security and planning: since these are distributed systems, more abstract than traditional ones, any error can be far more costly and far more difficult to correct. However, our IT colleagues can offer us great expertise and good practices so that this does not become overwhelming.
Let us not be overwhelmed by everything that is new; let us go step by step. But if we stay in wonderland, we will discover how far the rabbit hole goes.
Author: Yeray Alfageme