Performance/security trade-offs for very-high-bandwidth Internet gateways (Compromis performance/sécurité des passerelles très haut débit pour Internet)

Abstract : In this thesis we explore the design of a high-bandwidth IPsec gateway for securing communications between local networks. Two gateway architectures are considered: the first, called the "integrated gateway", is a purely software approach running on a single server; the second, called the "split architecture", relies on a hardware security module and two servers. The first contribution of the thesis is a performance evaluation of both architectures. We show that an off-the-shelf server lacks the processing capacity to sustain 10 Gb/s of networking and encryption at once. Moreover, although new graphics card (GPU) architectures look promising, they are not well suited to encrypting network packets. We therefore designed and evaluated a prototype of the split architecture. In particular, we show that the 10 Gb/s target is hard to reach when only standard packet sizes are used and no software aggregation is applied, aggregation being a method that itself introduces jitter. The second contribution concerns the integration of the gateway into a network, mainly at the level of the ICMP/IPsec interaction. Given the importance of ICMP in Path MTU discovery (PMTUD), we developed IBTrack, a tool that characterizes the behavior of the routers along a path with respect to their handling of ICMP. We then show that ICMP can be used as an attack channel against IPsec gateways by exploiting a fundamental flaw in the IP and IPsec standards: the overhead of IPsec tunnel mode conflicts with the minimum maximum packet size (the minimum MTU) that the IP standards guarantee to end hosts.
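The size conflict named in the last sentence of the abstract can be made concrete with a little arithmetic. The following is an added example, not code from the thesis or from IBTrack: it computes the ESP tunnel-mode overhead (RFC 4303 framing plus the outer IP header) for two assumed cipher suites, the outer packet produced from an inner packet at the IP minimum MTU (576 bytes for IPv4, 1280 for IPv6), and the largest inner packet that still fits a Path MTU reported by an ICMP "fragmentation needed" / "packet too big" message. The cipher profiles, the helper names and the assumption that the tunnel uses ESP rather than AH are this example's, not the thesis's.

```python
"""ESP tunnel-mode size arithmetic (added example; not from the thesis or IBTrack).

Wire layout per RFC 4303:
[outer IP][SPI | Seq][IV][inner IP packet][pad][pad len | next hdr][ICV]
"""
from dataclasses import dataclass

ESP_HEADER_LEN = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_FIXED = 2    # pad length (1 byte) + next header (1 byte)

OUTER_IP_HEADER = {4: 20, 6: 40}     # outer header added by tunnel mode (no options/extensions)
MIN_MAX_PACKET = {4: 576, 6: 1280}   # smallest maximum packet size IP guarantees (RFC 791 / RFC 8200)


@dataclass(frozen=True)
class EspProfile:
    """Per-suite sizes that drive the overhead (values assumed for this example)."""
    name: str
    iv_len: int        # explicit IV/nonce carried at the start of the ESP payload
    block_align: int   # inner + pad + trailer must be a multiple of this
    icv_len: int       # integrity check value appended after the trailer


# Assumed suites; the thesis does not state which ones its prototype used.
AES_GCM_16 = EspProfile("AES-GCM-16", iv_len=8, block_align=4, icv_len=16)
AES_CBC_HMAC_SHA1_96 = EspProfile("AES-CBC/HMAC-SHA1-96", iv_len=16, block_align=16, icv_len=12)


def esp_padding(inner_len: int, profile: EspProfile) -> int:
    """Padding bytes needed so that inner + pad + trailer aligns to the suite's block size."""
    return (-(inner_len + ESP_TRAILER_FIXED)) % profile.block_align


def esp_tunnel_overhead(inner_len: int, ip_version: int, profile: EspProfile) -> int:
    """Total bytes ESP tunnel mode adds to an inner packet of inner_len bytes."""
    return (OUTER_IP_HEADER[ip_version] + ESP_HEADER_LEN + profile.iv_len
            + esp_padding(inner_len, profile) + ESP_TRAILER_FIXED + profile.icv_len)


def outer_packet_len(inner_len: int, ip_version: int, profile: EspProfile) -> int:
    """Size of the packet the gateway actually puts on the wire."""
    return inner_len + esp_tunnel_overhead(inner_len, ip_version, profile)


def max_inner_len(pmtu: int, ip_version: int, profile: EspProfile) -> int:
    """Largest inner packet whose encapsulated form does not exceed pmtu (0 if none fits).

    Padding makes the overhead depend on the inner length, so search downward
    instead of subtracting a constant.
    """
    for inner_len in range(pmtu, 0, -1):
        if outer_packet_len(inner_len, ip_version, profile) <= pmtu:
            return inner_len
    return 0


def inner_mtu_after_ptb(reported_pmtu: int, ip_version: int, profile: EspProfile) -> tuple[int, bool]:
    """Inner MTU the gateway must propagate to hosts after an ICMP "fragmentation needed" /
    "packet too big" message carrying reported_pmtu, plus a flag that is True when that
    value is below the minimum IP guarantees hosts. True is the conflict: hosts may
    legitimately send packets the tunnel can no longer carry without fragmenting.
    """
    inner_mtu = max_inner_len(reported_pmtu, ip_version, profile)
    return inner_mtu, inner_mtu < MIN_MAX_PACKET[ip_version]


if __name__ == "__main__":
    for version in (4, 6):
        floor = MIN_MAX_PACKET[version]
        for profile in (AES_GCM_16, AES_CBC_HMAC_SHA1_96):
            print(f"IPv{version} {profile.name}: inner {floor} -> outer "
                  f"{outer_packet_len(floor, version, profile)}; "
                  f"a PMTU of {floor} leaves room for an inner packet of "
                  f"{max_inner_len(floor, version, profile)}")
```

Run it directly to see the numbers for both IP versions; the practitioner's check is the flag returned by inner_mtu_after_ptb: whenever the reported PMTU sits at or near the IP minimum, the inner MTU the gateway would have to enforce is already below what the standards let hosts assume, which is the gap the abstract says ICMP lets an attacker reach.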
Document type : Thesis

Cited literature : 74 references
Contributor : Abes Star
Submitted on : Tuesday, March 24, 2015 - 7:02:05 PM
Last modification on : Thursday, October 29, 2020 - 3:26:32 AM


Version validated by the jury (STAR)


  • HAL Id : tel-01135182, version 1



Ludovic Jacquin. Compromis performance/sécurité des passerelles très haut débit pour Internet. Other [cs.OH]. Université de Grenoble, 2013. French. ⟨NNT : 2013GRENM041⟩. ⟨tel-01135182⟩


