Performance/security trade-off of very-high-bandwidth Internet gateways.

Ludovic Jacquin 1, 2
1 PRIVATICS - Privacy Models, Architectures and Tools for the Information Society
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services
2 MOAIS - PrograMming and scheduling design fOr Applications in Interactive Simulation
Inria Grenoble - Rhône-Alpes, LIG - Laboratoire d'Informatique de Grenoble
Abstract : In this thesis, we explore the design of a high-bandwidth IPsec gateway to secure communications between local networks. We consider two gateway architectures: the first, called the "integrated gateway", is a purely software approach that uses a single server; the second, called the "split architecture", relies on a hardware security module and two standard servers. The first contribution of this thesis is a performance evaluation of both architectures. We show that a standard server lacks the processing capacity to sustain both 10 Gb/s networking and ciphering. Moreover, although new graphics card architectures seem promising, they are not appropriate for ciphering network packets. We therefore designed and evaluated a prototype of the split architecture. In particular, we show that the 10 Gb/s goal is hard to reach when using only standard packet sizes and no software aggregation method, which creates jitter. The second contribution of this thesis concerns the integration of the gateway inside a network, mainly at the level of the ICMP/IPsec interaction. Given the importance of ICMP in Path Maximum Transmission Unit discovery (PMTUd), we developed IBTrack, a software tool that characterizes the behavior of the routers along a path with regard to their ICMP handling. We then show that ICMP can be used as an attack vector against IPsec gateways by exploiting a fundamental flaw in the IP and IPsec standards: the overhead of the IPsec tunnel mode conflicts with the minimum maximum size of IP packets.
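As an added illustration of the abstract's last point (this is example code, not the thesis's own software nor IBTrack), the following computes how much of a reported path MTU is left for the inner packet after ESP tunnel-mode encapsulation, and flags when that remainder drops below the size every IP host must accept. The cipher profiles, the IPv4/IPv6 floor constants and the function names are assumptions chosen for the example.

```python
# Added illustration (not from the thesis): ESP tunnel-mode overhead versus the
# minimum packet size every IP host must accept. ESP field sizes follow RFC 4303;
# the profiles and floor constants below are assumptions chosen for the example.
from dataclasses import dataclass

IPV4_MIN_REASSEMBLY = 576   # RFC 791: every host must accept datagrams up to this size
IPV6_MIN_MTU = 1280         # RFC 8200: minimum link MTU
ESP_HEADER = 8              # SPI (4) + sequence number (4)
ESP_TRAILER = 2             # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspProfile:
    outer_ip: int   # outer IP header: 20 (IPv4) or 40 (IPv6, no extension headers)
    iv_len: int     # IV carried at the start of the ESP payload
    icv_len: int    # integrity check value appended to the packet
    align: int      # (payload + trailer) is padded to a multiple of this


# Constructed profiles for the example (typical sizes for these suites)
AES_GCM_V4 = EspProfile(outer_ip=20, iv_len=8, icv_len=16, align=4)
AES_CBC_SHA1_V4 = EspProfile(outer_ip=20, iv_len=16, icv_len=12, align=16)
AES_GCM_V6 = EspProfile(outer_ip=40, iv_len=8, icv_len=16, align=4)


def esp_overhead(p: EspProfile, inner_len: int) -> int:
    """Bytes added when an inner packet of inner_len bytes is tunnelled."""
    pad = (-(inner_len + ESP_TRAILER)) % p.align
    return p.outer_ip + ESP_HEADER + p.iv_len + pad + ESP_TRAILER + p.icv_len


def max_inner_size(p: EspProfile, path_mtu: int) -> int:
    """Largest inner packet whose encapsulation still fits in path_mtu."""
    fixed = p.outer_ip + ESP_HEADER + p.iv_len + ESP_TRAILER + p.icv_len
    inner = path_mtu - fixed   # upper bound that ignores padding
    while inner > 0 and inner + esp_overhead(p, inner) > path_mtu:
        inner -= 1             # padding pushed it over the MTU; step down
    return max(inner, 0)


def check_pmtu(p: EspProfile, path_mtu: int, floor: int) -> tuple:
    """Inner MTU left by path_mtu, and whether it still reaches the IP floor.

    When the reported path MTU sits at the floor, the tunnel can no longer
    carry floor-sized inner packets: a gateway that applies such a value
    without a lower bound of its own must fragment or drop them."""
    inner = max_inner_size(p, path_mtu)
    return inner, inner >= floor
```

Feeding the IPv4 floor (576) or the IPv6 floor (1280) into `check_pmtu` returns `False` for every profile, which is the conflict the abstract describes: the overhead alone guarantees the inner MTU ends up below what hosts are entitled to send.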
Keywords : security

https://tel.archives-ouvertes.fr/tel-00911075
Contributor : Ludovic Jacquin
Submitted on : Thursday, November 28, 2013 - 4:40:02 PM
Last modification on : Saturday, October 27, 2018 - 1:19:10 AM
Long-term archiving on : Monday, March 3, 2014 - 6:25:39 PM

Identifiers

  • HAL Id : tel-00911075, version 1

Citation

Ludovic Jacquin. Compromis performance/sécurité des passerelles très haut débit pour Internet. Réseaux et télécommunications [cs.NI]. Université de Grenoble, 2013. Français. ⟨tel-00911075⟩
