« Study of Mechanisms Ensuring Service Continuity for IKEv2 and IPsec Protocols ».

Published: 2013-11-08 (https://samovar.telecom-sudparis.eu/index.php/2013/11/08/study-of-mechanisms-ensuring-service-continuity-for-ikev2-and-ipsec-protocols/)

PhD thesis defense
By Mr Daniel PALOMARES
RST Department, Télécom SudParis – EDITE

Thursday 14 November 2013 at 10:00, room G09

Jury:

– Mr BONNIN Jean-Marie, Professor (HDR), Telecom Bretagne, Reviewer.
– Mr CARLE Georg, Professor, Department of Computer Science, University of Tübingen, Reviewer.
– Mr MIGAULT Daniel, Research Engineer, Orange Labs, Examiner.
– Mr PUJOLLE Guy, Professor (HDR), Université Pierre et Marie Curie – Paris 6, LIP6, Examiner.
– Mr COMBES Jean-Michel, Research Engineer, Orange Labs, Examiner.
– Ms LAURENT Maryline, Professor (HDR), Télécom SudParis – RST Department, Thesis Supervisor.

Abstract:

During 2012, global mobile traffic was 70% higher than in 2011. The arrival of 4G technology introduced 19 times more traffic than non-4G sessions, and in 2013 the number of mobile devices connected to the Internet exceeded the number of human beings on earth. This scenario puts great pressure on Internet service providers (ISPs), which are required to ensure access to the network and maintain QoS. In the short/medium term, operators will rely on alternative access networks to maintain the same performance characteristics. Thus, client traffic may be offloaded from RANs to other available access networks. However, those wireless access networks do not ensure the same security level: femtocells, WiFi or WiMAX (among other wireless technologies) must rely on some mechanism to secure the communications.

Operators mainly use IPsec to extend a security domain over untrusted networks. This introduces new challenges for IPsec in terms of performance and connectivity. This thesis concentrates on the study of the mechanisms that improve the IPsec protocol in terms of continuity of service.

Continuity of service, also known as resilience, becomes crucial when offloading traffic from RANs to other access networks. This is why we first concentrate our effort on defining the protocols that protect an IP communication: IKEv2 and IPsec. Then, we present a detailed study of the parameters needed to keep a VPN session alive, and we demonstrate that it is possible to dynamically manage a VPN session between different gateways. Some of the reasons that justify the management of VPN sessions are to provide high availability, load sharing or load balancing features for IPsec connections. These mechanisms increase the continuity of service of IPsec-based communication. For example, if for some reason a security gateway fails, the ISP should be able to overcome this situation and provide mechanisms that ensure continuity of service to its clients.

Some new mechanisms have recently been implemented to provide high availability over IPsec. The open source VPN project StrongSwan implemented a mechanism called ClusterIP in order to create a cluster of IPsec gateways. We merged ClusterIP with our own developments in order to define two architectures, High Availability and Context Management, over Mono-LAN and Multi-LAN environments. We call Mono-LAN those architectures where the cluster of security gateways is configured under a single IP address, whereas Multi-LAN concerns those architectures where the different security gateways are configured with different IP addresses.

Performance measurements throughout the thesis show that transferring a VPN session between different gateways avoids re-authentication delays and reduces CPU consumption and the computational effort spent on cryptographic material. From an ISP's point of view, this could be used to avoid overloaded gateways and to enable load redistribution, better network performance, improvements in QoS, etc. The idea is to allow a peer to enjoy service continuity while maintaining the same security level that was initially proposed.

Summary (translated from French):

In 2012, global mobile traffic was 70% higher than in 2011. The arrival of 4G technology multiplied the traffic volume by 19 compared with non-4G, and in 2013 the number of mobile devices connected to the Internet exceeded the number of human beings on the planet. Internet service providers (ISPs) are under strong pressure, since they are obliged to guarantee their clients access to the network and to maintain quality of service. In the short/medium term, operators must offload part of their traffic to alternative access networks in order to maintain the same performance characteristics. Thus, to relieve the radio access networks (RANs), client traffic may preferentially be carried by other available access networks. Note, however, that wireless access networks offer very different security levels. For femtocells, WiFi or WiMAX (among other wireless technologies), mechanisms must be provided to secure the communications.

Operators can rely on protocols (such as IPsec) to extend a security domain over unsecured networks. This introduces new challenges for IPsec in terms of performance and connectivity. This thesis concentrates on the study of mechanisms that guarantee and improve the performance of the IPsec protocol in terms of continuity of service.

Continuity of service, also known as resilience, becomes crucial when mobile traffic is diverted from a RAN access network to other alternative access networks. This is why we first concentrate on the set of protocols that provide an IP communication: IKEv2 and IPsec. Then, we present a detailed study of the parameters needed to maintain a VPN session, and we demonstrate that it is possible to dynamically manage a VPN session between different security gateways. One of the reasons that justify the management of VPN sessions is to offer high availability, load sharing or load balancing for IPsec connections. The purpose of these mechanisms is to increase the continuity of service of IPsec sessions.

Some new mechanisms have recently been implemented to ensure high availability over IPsec. The open source VPN project StrongSwan set up a mechanism called ClusterIP in order to create a cluster of IPsec gateways. We merged this ClusterIP-based solution with our own developments in order to define two architectures: an architecture providing High Availability, and a second architecture presenting the dynamic management of an IPsec context. We defined two environments: Mono-LAN, where a cluster of nodes is configured under a single IP address, and Multi-LAN, where each security gateway has a different IP address.

Performance measurements throughout the thesis show that transferring a VPN session between different gateways avoids the additional delays of re-authentication and reduces CPU consumption as well as the computation performed on cryptographic material. From an ISP's point of view, IPsec/IKEv2 context transfer could be used to avoid overloading gateways and to enable load redistribution, better network performance and improved quality of service. The idea is to allow a user to enjoy service continuity while keeping the same security level as the one initially proposed.