Wireshark-dev: [Wireshark-dev] OSCORE dissector

From: Mališa Vučinić <malishav@xxxxxxxxx>
Date: Tue, 19 Dec 2017 16:48:29 +0100
Hello all,

I am looking for an advice how to organize the dissector code of OSCORE (https://tools.ietf.org/html/draft-ietf-core-object-security-07).

OSCORE is a mechanism to encrypt *part* of CoAP-RFC7252 message, leaving CoAP header in the clear. Encryption is signaled with a special CoAP option called Object-Security. The plaintext of OSCORE contains CoAP code, *some* CoAP options and CoAP payload. This means that once decryption has taken place, functions specific to CoAP dissector are needed to dissect it.

OSCORE message can also be carried with HTTP, in order to support HTTP-to-CoAP proxies, and is signaled by the presence of a special HTTP header.

Another data point is that IETF CORE has also standardized CoAP to be used over TCP and Websockets (https://tools.ietf.org/html/draft-ietf-core-coap-tcp-tls-11) with a different on-the-wire format from CoAP over UDP currently implemented in Wireshark. I do not intend to implement this now but would like to organize my OSCORE dissection code in a way that will facilitate this extension of CoAP.

I started implementing OSCORE as a separate dissector, explicitly called from CoAP for now. To dissect OSCORE plaintext after decryption, I plan on exporting some CoAP functions and calling them from the OSCORE dissector. I will need to refactor the CoAP dissector code a bit to facilitate this. CoAP over TCP can then be implemented as a separate dissector using the same exported CoAP functions. 

I would like to check whether this is the right approach and if I should pursue it. Another option is to put everything within the CoAP dissector but I am not sure if that would cover OSCORE over HTTP case.

Any feedback would be greatly appreciated.

Mališa