PhD thesis: "Performance/security trade-off for high-bandwidth Internet VPN gateways." [pdf,fr] [Slides,pdf,fr]

My PhD was part of the SHIVA project, which aims to design a high-bandwidth (10 Gb/s) secured IPsec gateway.

I mainly focused on network integration with regard to Internet protocols such as ICMP, and on parallel packet processing in software.

Research interests

Abstract

In this thesis, we explore the design of a high-bandwidth IPsec gateway to secure communications between local networks. We consider two gateway architectures: the first one, called "integrated gateway", is a purely software approach that uses a single server; the second one, called "split architecture", relies on a hardware security module and two servers.

The first contribution of this thesis is a performance evaluation of both architectures. We show that an off-the-shelf server lacks the processing capacity to sustain 10 Gb/s of networking and encryption at the same time. Moreover, although recent graphics card (GPU) architectures look promising, they are not well suited to encrypting network packets. We therefore designed and evaluated a prototype of the split architecture. In particular, we show that the 10 Gb/s target is hard to reach with standard packet sizes alone, without a software aggregation method, and that such aggregation in turn introduces jitter.

The second contribution of this thesis concerns the integration of the gateway into a network, mainly at the level of the ICMP/IPsec interaction. Given the importance of ICMP for Path Maximum Transmission Unit discovery (PMTUD), we developed IBTrack, a tool that characterizes the ICMP handling behavior of the routers along a path. We then show that ICMP can be used as an attack channel against IPsec gateways by exploiting a fundamental flaw in the IP and IPsec standards: the overhead added by IPsec tunnel mode conflicts with the minimum maximum IP packet size, that is, the packet size that the IP standards require every host or link to support.
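As an added illustration of that last point (example code written for this page, not the thesis's own software or IBTrack): the functions below compute the ESP tunnel-mode overhead for two common transforms from the field sizes given in RFC 4303, RFC 3602, RFC 2404 and RFC 4106, derive the largest inner packet a gateway can forward unfragmented over a given inter-gateway path MTU (which is the value the gateway would have to advertise in an ICMP Fragmentation Needed or Packet Too Big message), and flag the case where that value falls below the protocol minimum (576 bytes for IPv4 per RFC 791, 1280 bytes for IPv6 per RFC 8200). The function names, the transform table and the path MTU scenarios are this example's own assumptions.

```python
"""
Worked example (not from the thesis): ESP tunnel-mode overhead versus the
IP minimum packet sizes. Constants come from the RFCs named in the comments;
function names and the sample scenarios are this example's own.
"""

# Per-family constants. IPv4: every host must accept a 576-byte datagram
# (RFC 791); IPv6: every link must carry a 1280-byte packet (RFC 8200).
FAMILY = {
    "ipv4": {"outer_hdr": 20, "min_max_packet": 576},
    "ipv6": {"outer_hdr": 40, "min_max_packet": 1280},
}

# ESP (RFC 4303) fixed fields: SPI (4) + sequence number (4), then a
# cipher-dependent IV, a 2-byte trailer (pad length, next header) and an ICV.
ESP_HDR = 8
ESP_TRAILER = 2

# Transform parameters: (iv_len, pad_alignment, icv_len).
# AES-CBC (RFC 3602) pads the plaintext to the 16-byte block size;
# AES-GCM (RFC 4106) only needs ESP's own 4-byte alignment.
# ICV: HMAC-SHA1-96 (RFC 2404) = 12 bytes, AES-GCM-128 = 16 bytes.
TRANSFORM = {
    "aes-cbc-hmac-sha1-96": (16, 16, 12),
    "aes-gcm-128": (8, 4, 16),
}
UDP_ENCAP = 8  # optional UDP encapsulation for NAT traversal (RFC 3948)


def esp_pad_len(inner_len, transform):
    """Padding that brings inner packet + trailer up to the transform's alignment."""
    _, align, _ = TRANSFORM[transform]
    return (-(inner_len + ESP_TRAILER)) % align


def esp_tunnel_size(inner_len, family="ipv4", transform="aes-cbc-hmac-sha1-96",
                    nat_t=False):
    """Size on the wire of an inner IP packet after ESP tunnel-mode encapsulation."""
    iv_len, _, icv_len = TRANSFORM[transform]
    size = (FAMILY[family]["outer_hdr"] + ESP_HDR + iv_len + inner_len
            + esp_pad_len(inner_len, transform) + ESP_TRAILER + icv_len)
    if nat_t:
        size += UDP_ENCAP
    return size


def max_inner_len(path_mtu, family="ipv4", transform="aes-cbc-hmac-sha1-96",
                  nat_t=False):
    """Largest inner packet the gateway can forward unfragmented over path_mtu.

    This is the MTU an ICMP 'Fragmentation Needed' (IPv4) or 'Packet Too Big'
    (IPv6) message sent by the gateway would have to advertise to the inner host.
    A linear search is used because the padding term is not monotone in inner_len.
    """
    inner = path_mtu
    while inner > 0 and esp_tunnel_size(inner, family, transform, nat_t) > path_mtu:
        inner -= 1
    return inner


def pmtud_conflict(path_mtu, family="ipv4", transform="aes-cbc-hmac-sha1-96",
                   nat_t=False):
    """True when the gateway cannot satisfy both the tunnel path MTU and the
    minimum size the inner host is entitled to rely on: the MTU it would have
    to report is below the protocol minimum, so either the report is ignored
    or the gateway must fragment the encapsulated packet itself."""
    return max_inner_len(path_mtu, family, transform, nat_t) < FAMILY[family]["min_max_packet"]


if __name__ == "__main__":
    # Constructed scenarios: a 1500-byte Ethernet path between the gateways,
    # and the worst case where the inter-gateway path itself has the minimum MTU.
    for family, mtu in (("ipv4", 1500), ("ipv4", 576), ("ipv6", 1500), ("ipv6", 1280)):
        for transform in TRANSFORM:
            print(f"{family} path MTU {mtu:4d} {transform:22s} "
                  f"max inner {max_inner_len(mtu, family, transform):4d} "
                  f"conflict={pmtud_conflict(mtu, family, transform)}")
```

Run as a script it prints one line per scenario. Over a 1500-byte path the gateway can still advertise an inner MTU above both minima, but when the inter-gateway path is itself at the minimum, the advertised value necessarily drops below it (510 bytes for IPv4 with AES-CBC/HMAC-SHA1-96, 1206 bytes for IPv6 with AES-GCM-128): the inner host is entitled to send packets of the minimum size, the gateway cannot forward them unfragmented, and no ICMP message can resolve that, which is the conflict the abstract refers to.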