On Nov 4, 2003, at 12:57 PM, Brian Buesker wrote:
> In doing some testing of IKE daemons for Linux, I have run into the
> following problem. Occasionally, ethereal and tethereal will
> incorrectly decode an ISAKMP packet (Identity Protection Mode, Quick
> Mode, or Aggressive Mode). The protocol is correct. However, the
> information field says "UDP Encapsulated IPSec - NAT Keepalive".
There was a bunch of stuff in the ISAKMP dissector to handle
draft-ietf-ipsec-udp-encaps-06 UDP-encapsulated IPsec traffic.
draft-ietf-ipsec-udp-encaps-06 says "The UDP port numbers are the same
as used by IKE traffic, as defined in [Kiv05]", and "[Kiv05]" is
draft-ietf-ipsec-nat-t-ike-05, which has presumably been superseded by
draft-ietf-ipsec-nat-t-ike-07; the latter appears to imply that it goes
over port 4500, not port 500.
We already have a draft-ietf-ipsec-udp-encaps-06 dissector for port
4500 (packet-ipsec-udp.c), and it's not entirely clear to me how, if
draft-ietf-ipsec-udp-encaps-06 traffic *did* go over port 500, you'd
distinguish it from regular ISAKMP traffic.
I therefore have checked in a change to CVS to remove all the
draft-ietf-ipsec-udp-encaps-06 stuff from the ISAKMP dissector. If
that traffic *can* go over port 500, *and* somebody can figure out how
to distinguish it from regular ISAKMP traffic (and also remembers that
if there's a "non-ESP header", the traffic isn't ESP - the code that
was there before was treating it as ESP traffic if there was a "non-ESP
header"), they should submit a patch (and make sure it does *NOT*
misdissect your sample).
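To make the port-4500 demultiplexing the thread is arguing about concrete, here is a small classifier written for this page; it is an added example, not code from either message, from Ethereal's packet-ipsec-udp.c, or from the ISAKMP dissector. It follows the rules of draft-ietf-ipsec-udp-encaps as later published in RFC 3948 (a lone 0xff octet is a NAT keepalive, four zero octets are the non-ESP marker followed by an IKE header, anything else is ESP whose first four bytes are a non-zero SPI) and the fixed 28-byte ISAKMP header of RFC 2408. The sample packets are constructed for the example, not taken from the reporter's capture; the function and field names are this example's own.

```python
import struct

# Constants from draft-ietf-ipsec-udp-encaps / RFC 3948 (UDP-encapsulated
# ESP and IKE on port 4500).
NAT_KEEPALIVE = b"\xff"               # single octet, RFC 3948 section 2.3
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # four zero octets before an IKE header, section 2.2
ISAKMP_HDR_LEN = 28                   # fixed ISAKMP header, RFC 2408 section 3.1

# IKEv1 exchange types (RFC 2408 section 3.1; Quick Mode from RFC 2409).
EXCHANGE_TYPES = {
    2: "Identity Protection",
    4: "Aggressive",
    5: "Informational",
    32: "Quick Mode",
}


def parse_isakmp_header(data):
    """Decode the fixed 28-byte ISAKMP header; raise ValueError if it does not fit."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header: %d bytes" % len(data))
    (icookie, rcookie, next_payload, version, exchange,
     flags, message_id, length) = struct.unpack("!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "next_payload": next_payload,
        "version": "%d.%d" % (version >> 4, version & 0x0F),
        "exchange": EXCHANGE_TYPES.get(exchange, "unknown (%d)" % exchange),
        "flags": flags,
        "message_id": message_id,
        "length": length,
        # A length field that disagrees with the bytes on the wire is a
        # strong hint that we are looking at the wrong protocol.
        "length_ok": length == len(data),
    }


def classify_udp4500(payload):
    """Return (kind, details) for one UDP/4500 payload.

    Order matters: test for the keepalive first (a lone 0xff is too short to
    be anything else), then for the non-ESP marker, and only then treat the
    packet as ESP, whose SPI occupies the first four bytes and is never zero.
    """
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive", None
    if len(payload) < 4:
        return "malformed", {"reason": "shorter than an SPI"}
    if payload[:4] == NON_ESP_MARKER:
        # Marker present: what follows is ISAKMP, not ESP.
        return "isakmp", parse_isakmp_header(payload[4:])
    if len(payload) < 8:
        return "malformed", {"reason": "ESP needs an SPI and a sequence number"}
    spi, seq = struct.unpack("!II", payload[:8])
    return "esp", {"spi": spi, "seq": seq}


def classify_udp500(payload):
    """Port 500 carries plain ISAKMP; there is no marker to look for."""
    return "isakmp", parse_isakmp_header(payload)


# Constructed sample packets for this example (not from any real capture).
SAMPLE_KEEPALIVE = b"\xff"
SAMPLE_ESP = struct.pack("!II", 0xDEADBEEF, 1) + b"\x11" * 16  # SPI, seq, opaque data
SAMPLE_IKE_AGGRESSIVE = NON_ESP_MARKER + struct.pack(
    "!8s8sBBBBII",
    bytes.fromhex("0123456789abcdef"),  # initiator cookie
    bytes(8),                           # responder cookie, zero in the first message
    0,                                  # next payload: none (header only, for brevity)
    0x10,                               # version 1.0
    4,                                  # exchange type: Aggressive
    0, 0,                               # flags, message ID
    ISAKMP_HDR_LEN,                     # length covers just the header
)

if __name__ == "__main__":
    for pkt in (SAMPLE_KEEPALIVE, SAMPLE_ESP, SAMPLE_IKE_AGGRESSIVE):
        print(classify_udp4500(pkt))
```

Feeding the marked packet to classify_udp500 (that is, pretending the marker scheme were in use on port 500) parses the four zero octets as the start of the initiator cookie and yields version 0.0 with a length field of 0, which is the kind of misdissection the thread describes; on port 500 there is no in-band signal, so the dissector has to take the packet as ISAKMP.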