Performance/security trade-offs of very-high-bandwidth Internet gateways (Compromis performance/sécurité des passerelles très haut débit pour Internet)

Abstract: In this thesis, we explore the design of a high-bandwidth IPsec gateway to secure communications between local networks. We consider two gateway architectures: the first one, called the "integrated gateway", is a purely software approach that uses a single server; the second one, called the "split architecture", relies on a hardware security module and two servers. The first contribution of this thesis is an evaluation of both architectures on the performance side. We show that an off-the-shelf server lacks the processing capacity to sustain 10 Gb/s networking and ciphering. Moreover, although new graphics card architectures seem promising, they are not appropriate for ciphering network packets. Therefore we have designed and evaluated a prototype for the split architecture. In particular, we show that the 10 Gb/s goal is hard to reach when using only the standard packet sizes and no software aggregation method, which creates jitter. The second contribution of this thesis concerns the gateway's integration inside a network, mainly at the level of the ICMP/IPsec interaction. Given the importance of ICMP in Path Maximum Transmission Unit discovery (PMTUd), we developed IBTrack, a software tool which aims at characterizing routers' behavior along a path with regard to their ICMP handling. Afterwards, we show that ICMP can be used as an attack channel on IPsec gateways by exploiting a fundamental flaw in the IP and IPsec standards: the IPsec tunnel mode overhead conflicts with the minimum maximal size of IP packets.
Document type: Theses

Cited literature: 74 references

https://tel.archives-ouvertes.fr/tel-01135182
Contributor: Abes Star
Submitted on: Tuesday, March 24, 2015 - 7:02:05 PM
Last modification on: Thursday, June 21, 2018 - 2:48:16 PM

File: pdf2star-1389174759-32533_JACQ... (Version validated by the jury (STAR))

Identifiers

  • HAL Id: tel-01135182, version 1
Citation

Ludovic Jacquin. Compromis performance/sécurité des passerelles très haut débit pour Internet. Autre [cs.OH]. Université de Grenoble, 2013. Français. ⟨NNT : 2013GRENM041⟩. ⟨tel-01135182⟩

Metrics: 251 record views, 404 file downloads