ICMP: an Attack Vector against IPsec Gateways

In this work we show that the Internet Control Message Protocol (ICMP) can be used as an attack vector against IPsec gateways. The main contribution of this work is to demonstrate that an attacker having eavesdropping and traffic injection capabilities in the black untrusted network (he only sees ciphered packets), can force a gateway to reduce the Path MTU of an IPsec tunnel to a minimum, which in turn creates serious issues for devices on the trusted network behind this gateway: depending on the Path MTU discovery algorithm, it either prevents any new TCP connection (Denial of Service), or it creates major performance penalties (more than 6 seconds of delay in TCP connection establishment and ridiculously small TCP segment sizes). After detailing the attack and the behavior of the various nodes, we discuss some counter measures, with the goal to find a balance between ICMP benefits and the associated risks

ICMP: an Attack Vector against IPsec Gateways

In this work we show that the Internet Control Message Protocol (ICMP) can be used as an attack vector against IPsec gateways. The main contribution of this work is to demonstrate that an attacker having eavesdropping and traffic injection capabilities in the black untrusted network (he only sees ciphered packets), can force a gateway to reduce the Path MTU of an IPsec tunnel to a minimum, which in turn creates serious issues for devices on the trusted network behind this gateway: depending on the Path MTU discovery algorithm, it either prevents any new TCP connection (Denial of Service), or it creates major performance penalties (more than 6 seconds of delay in TCP connection establishment and ridiculously small TCP segment sizes). After detailing the attack and the behavior of the various nodes, we discuss some counter measures, with the goal to find a balance between ICMP benefits and the associated risks

Too Big or Too Small? The PTB-PTS ICMP-based Attack against IPsec Gateways

International audienceThis work introduces the "Packet Too Big"-"Packet Too Small" ICMP based attack against IPsec gateways. We explain how an attacker having eavesdropping and packet injection capabilities, from the insecure network where he only sees encrypted packets, can force a gateway to reduce the Path MTU of an IPsec tunnel to the minimum, which triggers severe issues for the hosts behind this gateway: depending on the Path MTU discovery algorithm in use, the attack either creates a Denial of Service or major performance penalties. This attack highlights two fundamental problems that we discuss, along with potential counter-measures to mitigate the attack while keeping ICMP benefits

Too Big or Too Small? The PTB-PTS ICMP-based Attack against IPsec Gateways

International audienceThis work introduces the "Packet Too Big"-"Packet Too Small" ICMP based attack against IPsec gateways. We explain how an attacker having eavesdropping and packet injection capabilities, from the insecure network where he only sees encrypted packets, can force a gateway to reduce the Path MTU of an IPsec tunnel to the minimum, which triggers severe issues for the hosts behind this gateway: depending on the Path MTU discovery algorithm in use, the attack either creates a Denial of Service or major performance penalties. This attack highlights two fundamental problems that we discuss, along with potential counter-measures to mitigate the attack while keeping ICMP benefits

A Layer 2 Protocol to Protect the IP Communication in a Wired Ethernet Network

The IP protocol is the preferred data communication mechanism used nowadays. Data encapsulated using IP can be compromised if it is sent in clear text or without integrity protection, and even using known protocols to protect the confidentiality, integrity and authenticity of this data, the EtherType field of the Ethernet frames and the header of the IP packets in a wired Ethernet network still remain exposed opening possibilities for an attacker to gain knowledge of the network, cause a denial of service attack or steal information. In this thesis, we propose a new protocol that protects the confidentiality, integrity and authenticity of the IP communication in a wired Ethernet network. This new protocol operates in the layer 2 of the OSI model, and for each Ethernet frame, it encapsulates the EtherType field and the entire IP packet into a new PDU structure that is partially encrypted. Integrity and authenticity are assured by an HMAC value or a digital signature calculated over the entire frame. We ran several tests to analyze the security characteristics and performance impact of our proposed solution; the results of these tests demonstrate that all traffic is effectively protected and that an attacker or eavesdropper wouldn\u27t know the type of protocols, IP addresses or any other data travelling across the network. It is also demonstrated that under certain conditions, performance is not highly impacted and is feasible to protect the network communication with our new protocol

A DoS Attack Against the Integrity-Less ESP (IPSec)

Abstract. This paper describes a new practical DoS attack that can be mounted against the “encryptiononly” configuration (i.e. without authenticated integrity) of ESP as allowed by IPSec. This finding can serve as a strong argument to convince those in charge of the IPSec standardization to improve it by banning the “encryption-only ” configuration from the standard

Analyse de sécurité et QoS dans les réseaux à contraintes temporelles

Dans le domaine des réseaux, deux précieux objectifs doivent être atteints, à savoir la QoS et la sécurité, plus particulièrement lorsqu’il s’agit des réseaux à caractère critique et à fortes contraintes temporelles. Malheureusement, un conflit existe : tandis que la QoS œuvre à réduire les temps de traitement, les mécanismes de sécurité quant à eux requièrent d’importants temps de traitement et causent, par conséquent, des délais et dégradent la QoS. Par ailleurs, les systèmes temps réel, la QoS et la sécurité ont très souvent été étudiés séparément, par des communautés différentes. Dans le contexte des réseaux avioniques de données, de nombreux domaines et applications, de criticités différentes, échangent mutuellement des informations, souvent à travers des passerelles. Il apparaît clairement que ces informations présentent différents niveaux de sensibilité en termes de sécurité et de QoS. Tenant compte de cela, le but de cette thèse est d’accroître la robustesse des futures générations de réseaux avioniques de données en contrant les menaces de sécurité et évitant les ruptures de trafic de données. A cet effet, nous avons réalisé un état de l’art des mécanismes de sécurité, de la QoS et des applications à contraintes temporelles. Nous avons, ensuite étudié la nouvelle génération des réseaux avioniques de données. Chose qui nous a permis de déterminer correctement les différentes menaces de sécurité. Sur la base de cette étude, nous avons identifié à la fois les exigences de sécurité et de QoS de cette nouvelle génération de réseaux avioniques. Afin de les satisfaire, nous avons proposé une architecture de passerelle de sécurité tenant compte de la QoS pour protéger ces réseaux avioniques et assurer une haute disponibilité en faveur des données critiques. Pour assurer l’intégration des différentes composantes de la passerelle, nous avons développé une table de session intégrée permettant de stocker toutes les informations nécessaires relatives aux sessions et d’accélérer les traitements appliqués aux paquets (filtrage à états, les traductions d’adresses NAT, la classification QoS et le routage). Cela a donc nécessité, en premier lieu, l'étude de la structure existante de la table de session puis, en second lieu, la proposition d'une toute nouvelle structure répondant à nos objectifs. Aussi, avons-nous présenté un algorithme permettant l’accès et l’exploitation de la nouvelle table de session intégrée. En ce qui concerne le composant VPN IPSec, nous avons détecté que le trafic chiffré par le protocole ESP d’IPSec ne peut pas être classé correctement par les routeurs de bordure. Afin de surmonter ce problème, nous avons développé un protocole, Q-ESP, permettant la classification des trafics chiffrés et offrant les services de sécurité fournis par les protocoles AH et ESP combinés. Plusieurs techniques de gestion de bande passante ont été développées en vue d’optimiser la gestion du trafic réseau. Pour évaluer les performances offertes par ces techniques et identifier laquelle serait la plus appropriée dans notre cas, nous avons effectué une comparaison basée sur le critère du délai, par le biais de tests expérimentaux. En dernière étape, nous avons évalué et comparé les performances de la passerelle de sécurité que nous proposons par rapport à trois produits commerciaux offrant les fonctions de passerelle de sécurité logicielle en vue de déterminer les points forts et faibles de notre implémentation pour la développer ultérieurement. Le manuscrit s’organise en deux parties : la première est rédigée en français et représente un résumé détaillé de la deuxième partie qui est, quant à elle, rédigée en anglais. ABSTRACT : QoS and security are two precious objectives for network systems to attain, especially for critical networks with temporal constraints. Unfortunately, they often conflict; while QoS tries to minimize the processing delay, strong security protection requires more processing time and causes traffic delay and QoS degradation. Moreover, real-time systems, QoS and security have often been studied separately and by different communities. In the context of the avionic data network various domains and heterogeneous applications with different levels of criticality cooperate for the mutual exchange of information, often through gateways. It is clear that this information has different levels of sensitivity in terms of security and QoS constraints. Given this context, the major goal of this thesis is then to increase the robustness of the next generation e-enabled avionic data network with respect to security threats and ruptures in traffic characteristics. From this perspective, we surveyed the literature to establish state of the art network security, QoS and applications with time constraints. Then, we studied the next generation e-enabled avionic data network. This allowed us to draw a map of the field, and to understand security threats. Based on this study we identified both security and QoS requirements of the next generation e-enabled avionic data network. In order to satisfy these requirements we proposed the architecture of QoS capable integrated security gateway to protect the next generation e-enabled avionic data network and ensure the availability of critical traffic. To provide for a true integration between the different gateway components we built an integrated session table to store all the needed session information and to speed up the packet processing (firewall stateful inspection, NAT mapping, QoS classification and routing). This necessitates the study of the existing session table structure and the proposition of a new structure to fulfill our objective. Also, we present the necessary processing algorithms to access the new integrated session table. In IPSec VPN component we identified the problem that IPSec ESP encrypted traffic cannot be classified appropriately by QoS edge routers. To overcome this problem, we developed a Q-ESP protocol which allows the classifications of encrypted traffic and combines the security services provided by IPSec ESP and AH. To manage the network traffic wisely, a variety of bandwidth management techniques have been developed. To assess their performance and identify which bandwidth management technique is the most suitable given our context we performed a delay-based comparison using experimental tests. In the final stage, we benchmarked our implemented security gateway against three commercially available software gateways. The goal of this benchmark test is to evaluate performance and identify problems for future research work. This dissertation is divided into two parts: in French and in English respectively. Both parts follow the same structure where the first is an extended summary of the second