Ethereal-dev: Re: [Ethereal-dev] IPsec dissecting

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Devin Heitmueller <dheitmueller@xxxxxxxxxxx>
Date: 25 Feb 2003 13:56:08 -0500
I think this would make a great addition to Ethereal.

A couple questions though:

You won't be able to decrypt the stream from within Ethereal if Perfect
Forward Secrecy (PFS) is used, even if you have the keying info.  Are
you looking to provide some sort of API to get the negotiated symmetric
key out of one of the peers?  Or are you just going to support only
sessions that use RSA for key negotiation?  Also, how commonplace is PFS
in IPSec implementations?  Is it the norm, or is it rarely used?  How
common PFS is could dictate how to approach the issue.  If it is rarely
used, you could probably get away with only decrypting RSA based
sessions.  If it is very common, then you will need some sort of
approach or else the feature will not have much practical application.

-Devin

On Tue, 2003-02-25 at 09:40, Dr. Uwe Girlich wrote:
> Hello list!
> 
> I'm currently working with IPsec and found that Ethereal can only decode the
> non-encrypted part of the IP packets. I'm willing to correct this, so when all
> the necessary keys are provided, I hope to decode the full packet and give it
> to the upper layers (TCP, UDP). A check of the authentication on the way will
> also be easy to implement.
> 
> How would it be best to define a Security Association (SA) inside Ethereal?
> Should I add IPsec preferences entries (there is no list element possible and
> I have no idea how many SAs I encounter in a network trace file) or should I
> better read the SA definitions in a self-made file format from a configuration
> file? For all the non-IPsec-users: SA is basically based on an integer number
> in every packet and the destination address. The resulting data contain the
> encryption method+key and the authentication method+key. So we have a table
> with something like
> 
> 123 1.2.3.4 ESP -> des 0xdeadbeefdeadbeef + md5 0xdeadbeefdeadbeef
> 124 1.2.3.5 ESP -> 3des 0xdeadbeefdeadbeef + md4 0xdeadbeefdeadbeef
> 125 1.2.3.6 AH -> md4 0xdeadbeefdeadbeef
> 126 1.2.3.7 ESP -> null + md5 0xdeadbeefdeadbeef
> ...
> 
> I don't intend to get the keys from an IKE (ISAKMP) scheme.
> 
> The first step is to implement the SA-finding process, and then comes the
> authentication checking. After this I can finally start to decrypt the ESP part
> of IPsec.
> 
> Bye, Uwe
> 
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
-- 
Devin Heitmueller
Senior Software Engineer
Netilla Networks Inc
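Added example, not Ethereal code and not from either poster: the SA table Uwe sketches above, keyed by (SPI, destination address, protocol) as he describes, applied in the order he gives (SA lookup, then authentication check, then the ESP payload). It is written in Python on the standard library so it runs as-is; Ethereal's own dissectors are C. Assumptions made here: "md5" in the table is read as HMAC-MD5-96 (RFC 2403), with the ICV in the last 12 bytes of the packet; only the NULL cipher (the "126" style entry) is handled, because DES/3DES would need a cipher library; the SA entries, keys, addresses and the packets are all constructed for the example, and the 16-byte keys replace the thread's 8-byte placeholders because HMAC-MD5-96 specifies a 128-bit key. The names parse_sa_table, build_esp_packet, dissect_esp and demo belong to this example, not to Ethereal. A packet whose ICV fails is not handed to the upper layers, and a packet with no matching SA is left opaque beyond SPI and sequence number.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

IPPROTO_ESP = 50
ICV_LEN = 12  # HMAC-MD5-96: the 16-byte MAC truncated to 96 bits (RFC 2403)

@dataclass(frozen=True)
class SA:
    spi: int
    dst: str
    proto: str      # "ESP" or "AH"
    enc: str        # "null", "des", "3des"; only "null" is handled below
    enc_key: bytes
    auth: str       # "md5" is taken to mean HMAC-MD5-96 (assumption)
    auth_key: bytes

def _alg(part):
    """'md5 0xdead...' -> ('md5', b'\\xde\\xad...'); 'null' -> ('null', b'')."""
    fields = part.split()
    return fields[0], (bytes.fromhex(fields[1][2:]) if len(fields) > 1 else b"")

def parse_sa_table(text):
    """Parse 'SPI dst proto -> enc [key] + auth key' lines into a dict keyed by (spi, dst, proto)."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        lhs, rhs = (s.strip() for s in line.split("->", 1))
        spi, dst, proto = lhs.split()
        parts = [p.strip() for p in rhs.split("+")]
        if proto == "ESP":
            (enc, enc_key), (auth, auth_key) = _alg(parts[0]), _alg(parts[1])
        else:                                   # AH carries an authenticator only
            (enc, enc_key), (auth, auth_key) = ("none", b""), _alg(parts[0])
        spi = int(spi, 0)
        table[(spi, dst, proto)] = SA(spi, dst, proto, enc, enc_key, auth, auth_key)
    return table

def _icv(sa, authenticated):
    return hmac.new(sa.auth_key, authenticated, hashlib.md5).digest()[:ICV_LEN]

def build_esp_packet(sa, inner, next_header, seq, src="10.0.0.1"):
    """Constructed input: IPv4 + ESP, NULL cipher, HMAC-MD5-96. IPv4 checksum left zero (not checked)."""
    pad_len = (-(len(inner) + 2)) % 4          # pad-len/next-hdr must end 4-byte aligned
    padding = bytes(range(1, pad_len + 1))     # default padding 1, 2, 3, ... (RFC 2406)
    esp = struct.pack("!II", sa.spi, seq) + inner + padding + bytes([pad_len, next_header])
    esp += _icv(sa, esp)                       # ICV covers SPI through next header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64, IPPROTO_ESP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(sa.dst).packed)
    return ip + esp

def dissect_esp(packet, table):
    """Always return the clear fields (SPI, seq, dst); verify the ICV and strip the trailer only with a known SA."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    esp = packet[ihl:]
    spi, seq = struct.unpack("!II", esp[:8])
    out = {"spi": spi, "seq": seq, "dst": dst, "sa_found": False, "auth_ok": None}
    sa = table.get((spi, dst, "ESP"))
    if sa is None:
        return out                             # no key material: stay opaque
    out["sa_found"] = True
    if sa.auth != "md5":
        raise NotImplementedError(f"auth {sa.auth}")
    authenticated, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    out["auth_ok"] = hmac.compare_digest(icv, _icv(sa, authenticated))
    if not out["auth_ok"]:
        return out                             # never hand a forged payload to TCP/UDP
    if sa.enc != "null":
        raise NotImplementedError(f"cipher {sa.enc}")  # des/3des need a cipher library
    body = authenticated[8:]                   # NULL cipher: plaintext follows SPI/seq
    pad_len, out["next_header"] = body[-2], body[-1]
    out["payload"] = body[: len(body) - 2 - pad_len]
    return out

# Constructed sample table in the thread's notation; keys are placeholders (16 bytes for HMAC-MD5-96).
SAMPLE_TABLE = parse_sa_table("""
123 1.2.3.4 ESP -> des 0xdeadbeefdeadbeef + md5 0x000102030405060708090a0b0c0d0e0f
125 1.2.3.6 AH -> md5 0x101112131415161718191a1b1c1d1e1f
126 1.2.3.7 ESP -> null + md5 0x202122232425262728292a2b2c2d2e2f
""")

def demo():
    """A valid packet, the same with one payload byte flipped, and one with an unknown SPI."""
    sa = SAMPLE_TABLE[(126, "1.2.3.7", "ESP")]
    inner = b"hello, esp!"                                   # 11 bytes -> 3 bytes of padding
    good = build_esp_packet(sa, inner, next_header=17, seq=1)
    forged = bytearray(good)
    forged[28] ^= 0x01                                       # first byte after the ESP header
    stranger = SA(999, sa.dst, "ESP", "null", b"", "md5", sa.auth_key)
    unknown = build_esp_packet(stranger, inner, next_header=17, seq=1)
    return (dissect_esp(good, SAMPLE_TABLE), dissect_esp(bytes(forged), SAMPLE_TABLE),
            dissect_esp(unknown, SAMPLE_TABLE))
```

demo() returns three dissection results: the valid packet yields next header 17 (UDP) and the inner payload; the packet with a flipped byte comes back with auth_ok False and no payload; the packet with SPI 999 has no SA and is reported only by SPI, sequence number and destination. Swapping in DES-CBC or 3DES-CBC would put the decryption step between the ICV check and the trailer parse, with the 8-byte IV read from just after the sequence number (RFC 2405).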