The CME Market Data Platform (MDP) disseminates market data and provides the following benefits:
- No API required to program to the new CME MDP
- No third-party software required for connectivity
- Reduced network bandwidth usage
- Improved performance and scalability from streamlined architecture through multicast message distribution
CME MDP uses multicast technology to deliver market data and other information to customers worldwide. Multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information from a host to multiple recipients without physical or geographical boundaries. Multicast achieves this without adding burden on the source or receivers, while using the least network bandwidth of any competing technology.
Whether a customer requires only the receipt of quotes from certain markets or requires every market data message produced, the CME MDP provides flexibility and ease of management.
For details regarding messaging or the MDP application, see Streamlined Market Data Cold Storage.
Connecting to the CME Market Data Platform
CME MDP uses a VPN-based environment to provide connectivity over the Internet. To establish VPN connectivity, Internet Protocol Security (IPSec) and Generic Routing Encapsulation (GRE) must be configured to connect and receive multicast traffic from CME MDP systems.
GRE is the tunneling protocol used to transport CME MDP multicast packets through a VPN tunnel. When GRE tunnels are configured, each endpoint of the GRE tunnel must have the IP addresses of all other endpoints. Therefore, the hub and all spoke routers in the network must have static, private IP addresses. After GRE “tunneling”, IPSec encrypts the GRE tunnel packet.
IPSec provides application-transparent encryption services for market data delivery. IPSec supports two encryption modes: transport and tunnel. CME MDP utilizes tunnel mode to encrypt both the message header and data portion (payload) of market data messages. On the client side, an IPSec-compliant device decrypts each packet.
The following diagram illustrates a CME multicast environment showing information flow from CME to multiple customers:
Figure: CME Multicast Environment
Unlike a direct Wide Area Network (WAN), VPN traffic is carried over the Internet using tunneling technology. The following figure illustrates a single VPN connection between CME and a remote customer site.
Figure: Single VPN Connection between CME and Customer Site
Protection and Transport Methods for Customer-CME Connectivity
The VPN connection implemented jointly by CME and participating customers meets the following protection and transport requirements:
- Maintain the confidentiality and integrity of the packet contents (message data)
- Transport multicast and broadcast packets
Protecting Connection Path
A VPN connection path is created using IPSec, the Internet standard protocol for tunneling, encryption, and authentication. It protects data traffic by addressing basic usage issues, including:
- Access control
- Connection integrity
- Authentication of data origin
- Protection against replay attacks (in the context of VPN, “replay” refers to the interception by a third party of a response packet intended for the authenticated device on the initiating network)
- Traffic flow confidentiality
To build the IPSec tunnel to the CME Group environment, CME Group and the client system send each other their respective device IP addresses. CME Group and the client system then configure the peer IP address information so that each network can establish a VPN connection with the unique IP address of the peer device. To achieve this, the hub and all of the spoke routers in this network must have static, non-private, Internet-routable IP addresses.
Protecting Data Content
CME Group uses a pre-shared key (PSK) to authenticate the devices at each endpoint of the tunnel. The customer receives the PSK to authenticate the CME device and complete the tunnel. Once each network successfully authenticates the peer device, the tunnel is ready to transport packets.
Transporting Multicast and Broadcast Packets
Although the IPSec tunnel may be established and the data encryption is available through IPSec, a final step must occur before the actual physical transport of the data. IPSec, as supported by Cisco routers, does not support the transport of multicast packets.
To accommodate this limitation, the CME Group and customer networks use GRE, a protocol that encapsulates the multicast packets with IP unicast packets. The IP unicast packet surrounding the multicast packet creates a “tunnel” that the IPSec tunnel encrypts and transports to the authenticated device at the receiving end.
The resulting architecture is GRE over IP Security (IPSec), the most widely chosen VPN architecture for securely transporting multicast, with advantages in convergence, path availability, ease of configuration, and troubleshooting. The following diagram illustrates the relationship of the GRE tunnel to the IPSec tunnel.
Figure: GRE Tunnel within IPSec Tunnel
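The layering described above, as an added Python example that is not CME or Cisco code: it wraps a multicast UDP packet in GRE with a unicast outer header, then labels what a capture on the Internet-facing interface contains, so a cleartext GRE or raw multicast packet (IPSec not applied) stands out from ESP. All addresses, ports and payload bytes are constructed, and the ESP body is an opaque placeholder rather than real ciphertext.

```python
import socket
import struct

IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 17, 47, 50
GRE_PROTO_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 payload

def ip_checksum(header: bytes) -> int:
    """Ones'-complement checksum over an IPv4 header (RFC 1071)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an IPv4 packet in a basic GRE header and a unicast outer header."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)  # no checksum/key/sequence
    return ipv4_packet(tunnel_src, tunnel_dst, IPPROTO_GRE, gre + inner)

def parse_ipv4(packet: bytes):
    """Return (protocol, src, dst, payload) for an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = (socket.inet_ntoa(packet[i:i + 4]) for i in (12, 16))
    return packet[9], src, dst, packet[ihl:]

def is_multicast(addr: str) -> bool:
    return 224 <= int(addr.split(".")[0]) <= 239

def classify_wan_packet(packet: bytes) -> str:
    """Label a packet captured on the Internet-facing interface."""
    proto, _, dst, _ = parse_ipv4(packet)
    if proto == IPPROTO_ESP:
        return "esp-protected"   # GRE packet is inside the encrypted payload
    if proto == IPPROTO_GRE:
        return "cleartext-gre"   # tunneled but left the router unencrypted
    return "raw-multicast" if is_multicast(dst) else "other"

def sample_packets() -> dict:
    """Constructed samples; all addresses and payload bytes are made up."""
    udp = struct.pack("!HHHH", 30001, 30001, 8 + 4, 0) + b"tick"
    inner = ipv4_packet("10.0.0.1", "239.1.1.1", IPPROTO_UDP, udp)
    outer = gre_encapsulate(inner, "192.0.2.1", "198.51.100.1")
    esp = ipv4_packet("192.0.2.1", "198.51.100.1", IPPROTO_ESP,
                      struct.pack("!II", 0x1001, 1) + bytes(32))  # opaque body
    return {"inner": inner, "outer": outer, "esp": esp}
```

On a correctly configured spoke, only the "esp-protected" label should appear for CME-bound traffic on the Internet-facing side.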
MDP Production and Replay Channel Definitions
CME Globex Market Data Platform Production and Replay channel definitions are provided in the market data configuration file. Refer to MDP 3.0 - FTP and SFTP Site Information for information on accessing the file via the FTP site.