CME Market Data Platform Connectivity

The CME Market Data Platform (MDP) disseminates market data and provides the following benefits:

  • No API required to program to the new CME MDP

  • No third-party software required for connectivity

  • Reduced network bandwidth usage

  • Improved performance and scalability from streamlined architecture through multicast message distribution

CME MDP uses multicast technology to deliver market data and other information to customers worldwide. Multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information from a host to multiple recipients without physical or geographical boundaries. Multicast achieves this without adding any additional burden on the source or receivers while using the least network bandwidth of any competing technology.

Whether a customer requires only the receipt of quotes from certain markets or requires every market data message produced, the CME MDP provides flexibility and ease of management.

For details regarding messaging or the MDP application, see CME Globex Market Data and Streamlined Market Data Cold Storage.

Connecting to the CME Market Data Platform

CME MDP uses a VPN-based environment to provide connectivity over the Internet. To establish VPN connectivity, Internet Protocol Security (IPSec) and Generic Routing Encapsulation (GRE) must be configured to connect and review multicast traffic from CME MDP systems.

GRE is the tunneling protocol used to transport CME MDP multicast packets through a VPN tunnel. When GRE tunnels are configured, each endpoint of the GRE tunnel must have the IP addresses of all other endpoints. Therefore, the hub and all spoke routers in the network must have static, private IP addresses. After GRE “tunneling”, IPSec encrypts the GRE tunnel packet.

IPSec provides application-transparent encryption services for market data delivery. IPSec supports two encryption modes: transport and tunnel. CME MDP utilizes tunnel mode to encrypt both the message header and data portion (payload) of market data messages. On the client side, an IPSec-compliant device decrypts each packet.

The following diagram illustrates a CME multicast environment showing information flow from CME to multiple customers:

Figure: CME Multicast Environment

Unlike a direct Wide Area Network (WAN), VPN traffic is carried over the Internet using tunneling technology. The following figure illustrates a single VPN connection between CME and a remote customer site.

Figure: Single VPN Connection between CME and Customer Site

Protection and Transport Methods for Customer-CME Connectivity

The VPN connection implemented jointly by CME and participating customers meets the following protection and transport requirements:

  • Maintain the confidentiality and integrity of the packet contents (message data)

  • Transport multicast and broadcast packets

Protecting Connection Path

A VPN connection path is created using IPSec, the Internet standard protocol for tunneling, encryption, and authentication. It protects data traffic by addressing basic usage issues, including:

  • Access control

  • Connection integrity

  • Authentication of data origin

  • Protection against replay attacks (In the context of VPN, “replay” refers to the interception by a third-party of a response packet intended for the authenticated device on the initiating network.)

  • Traffic flow confidentiality

To build the IPSec tunnel to the CME Group environment, CME Group and the client system send each other their respective device IP addresses. CME Group and the client system then configure the peer IP address information so that each network can establish a VPN connection with the unique IP address of the peer device. To achieve this, the hub and all of the spoke routers in this network must have static, non-private, Internet-routable IP addresses.

Protecting Data Content

CME Group uses a pre-shared key (PSK) to authenticate the devices at each endpoint of the tunnel. The customer receives the PSK to authenticate the CME device and complete the tunnel. Once each network successfully authenticates the peer device, the tunnel is ready to transport packets.

Transporting Multicast and Broadcast Packets

Although the IPSec tunnel may be established and the data encryption is available through IPSec, a final step must occur before the actual physical transport of the data. IPSec, as supported by Cisco routers, does not support the transport of multicast packets.

To accommodate this limitation, the CME Group and customer networks use GRE, a protocol that encapsulates the multicast packets with IP unicast packets. The IP unicast packet surrounding the multicast packet creates a “tunnel” that the IPSec tunnel encrypts and transports to the authenticated device at the receiving end.

The resulting architecture is GRE over IP Security (IPSec), which is the most widely chosen VPN architecture for securely transporting multicast with advantages in convergence, path availability, ease of configuration, and troubleshooting.  The following diagram illustrates the relationship of the GRE tunnel to the IPSec tunnel.

Figure: GRE Tunnel within IPSec Tunnel

MDP Production and Replay Channel Definitions

CME Globex Market Data Platform Production and Replay channel definitions are provided in the market data configuration file. Refer to MDP 3.0 - FTP and SFTP Site Information for information on accessing the file via the FTP site.

 

 




How was your Client Systems Wiki Experience? Submit Feedback

Copyright © 2024 CME Group Inc. All rights reserved.