PhD thesis: "Performance/security trade-off for high-bandwidth Internet VPN gateways." [pdf,fr] [Slides,pdf,fr]

My PhD was part of the SHIVA project, which aims to design a high-bandwidth (10 Gb/s) secured IPsec gateway.

I mainly focused on network integration with regards to the Internet protocols such as ICMP and the software parallel packet processing.

Research interests


In this thesis, we explore the design of a high-bandwidth IPsec gateway to secure communications between local networks. We consider two gateway architectures: the first one, called "integrated gateway", is a purely software approach that uses a single server; the second one, called "split architecture", relies on a hardware security module and two servers.

The first contribution of this thesis consists in an evaluation o both architectures on the performance side. We show that an off-the-shell server lacks processing capacities to sustain 10 Gb/s networking and ciphering. Moreover, although new graphic card architectures seem promising, they are not appropriate to cipher network packets. Therefore we have designed and evaluatef a prototype for the split architecture. Particularly, we show that the 10 Gb/s goal is hard to reach when using only the standards sizes and no software aggregation method, which creates jitter.

The second contribution of this thesis concerns the gateway integration inside a network, mainly on the ICMP/IPsec interaction level. Given the importance of ICMP in the Path Maximum Transmission Unit discovery (PMTUd), we developed IBTrack, a software which aims at characterizing router's behavior, with regards to their ICMP handling, along a path. Afterwards, we show that ICMP can be used as an attack channel on IPsec gateways by exploiting a fundamental flaw in the IP and IPsec standards: the IPsec tunnel mode overhead conflicts with the minimum maximal size of IP packets.