Failure preventive mechanism for IPsec gateways - HAL open archive
Conference paper. ICCIT '13: The Third International Conference on Communications and Information Technology. Year: 2013

Failure preventive mechanism for IPsec gateways

Abstract

Operators mainly use IPsec Virtual Private Networks (VPNs) to extend a security domain over untrusted networks. A VPN is usually established when an End-User (EU) and a Security Gateway (SG) negotiate security associations (SA). For better QoS, the SGs are geographically distributed so that they are as close as possible to the EU. As such, the higher the level of responsibility of an SG, the higher the risk that it becomes overloaded and breaks down. This paper presents a mechanism for extracting and reinstalling security associations, as well as a mechanism to transfer given IPsec traffic from one SG to another. We also propose an additional mechanism for solving the mis-synchronization of IPsec anti-replay counters and IKEv2 Message ID counters. Finally, some performance measurements are provided in terms of delay and packet loss, and they prove the feasibility of the approach. Results obtained through a real implementation showed that the system time to extract an IKEv2/IPsec session ranges from 5 ms to 15 ms, whereas the system time to restore an IKEv2/IPsec session can take from 2 ms up to 22 ms.
Main file: 2013-ICCT-Failure-Preventive-Palomares.pdf (838.03 KB)
Origin: Files produced by the author(s)

Dates and versions

hal-00860251, version 1 (10-09-2013)

Cite

Daniel Palomares, Daniel Migault, Maryline Laurent. Failure preventive mechanism for IPsec gateways. ICCIT '13 : The Third International Conference on Communications and Information Technology, Jun 2013, Beirut, Lebanon. pp.167-172, ⟨10.1109/ICCITechnology.2013.6579543⟩. ⟨hal-00860251⟩