On May 30, 2025, at 3:52 AM, Ariel Burbaickij <ariel.burbaickij@xxxxxxxxx> wrote:
> Sent previously to community mailing list but no response there, so resending it here.
>
> Hello mailing list,
>
> I set up ESP deciphering/decoding preferences with the following relevant parameters in Wireshark 4.4.6:
>
> -- attempt to check ESP Authentication -- off
> -- attempt to detect/decode NULL encrypted ESP payload -- off
>
> Then I entered ESP SAs with relevant IPs, SPIs and deciphering key, leaving the authentication algorithm at NULL, and Wireshark did not decipher the ESP payload.
> I then set the authentication algorithm to HMAC-SHA1-96 (RFC 2404), without an authentication key, and Wireshark did decipher as expected.
>
> Question: why does Wireshark care so much about the authentication algorithm in this scenario? Shouldn't it just decipher with all the information available to it, or what goes on here, as in "potential bug"?

If decryption fails for any reason, we should - in *all* the places we decrypt (ESP, TLS, 802.11, etc.) - put in an expert info or other indication of the cause, so that this can be better debugged.
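
In the RFC 4303 packet layout the ICV trails the ciphertext, so the configured authentication algorithm fixes how many trailing bytes are excluded from decryption. The sketch below is an added example, not Wireshark's code and not part of either message; it assumes a CBC cipher with a 16-byte IV and block (the thread does not name the cipher), and `split_esp`, `ICV_LEN` and the sample packet are constructed for illustration. It returns a reason on failure, the kind of cause an expert info could carry.

```python
import struct

# ICV lengths in bytes for a few ESP integrity algorithms (RFC 2404, RFC 4868).
ICV_LEN = {"NULL": 0, "HMAC-SHA1-96": 12, "HMAC-SHA-256-128": 16}


def split_esp(esp: bytes, auth: str, iv_len: int = 16, block: int = 16):
    """Split an ESP packet (RFC 4303 layout) into its fields.

    Returns (fields, None) on success or (None, reason) on failure, so the
    caller can report why decryption cannot proceed instead of failing silently.
    iv_len and block default to assumed CBC values with a 16-byte block.
    """
    if auth not in ICV_LEN:
        return None, f"unknown authentication algorithm {auth!r}"
    icv_len = ICV_LEN[auth]
    if len(esp) < 8 + iv_len + block + icv_len:
        return None, "packet too short for header, IV, one block and ICV"
    spi, seq = struct.unpack("!II", esp[:8])
    iv = esp[8:8 + iv_len]
    end = len(esp) - icv_len          # ciphertext stops where the ICV starts
    ciphertext = esp[8 + iv_len:end]
    if len(ciphertext) % block:
        return None, (f"ciphertext length {len(ciphertext)} is not a multiple "
                      f"of the {block}-byte block; ICV length {icv_len} "
                      f"(auth {auth}) may not match the SA")
    return {"spi": spi, "seq": seq, "iv": iv,
            "ciphertext": ciphertext, "icv": esp[end:]}, None


# Constructed sample: SPI, sequence number, 16-byte IV, 32 bytes of stand-in
# ciphertext, and a 12-byte ICV (the HMAC-SHA1-96 size).
SAMPLE = (struct.pack("!II", 0x1000, 1) + bytes(16)
          + bytes(range(32)) + b"\xaa" * 12)

if __name__ == "__main__":
    for auth in ("NULL", "HMAC-SHA1-96"):
        fields, reason = split_esp(SAMPLE, auth)
        print(auth, "->", reason or f"{len(fields['ciphertext'])} ciphertext bytes")
```

An alignment check like this cannot catch every mismatch: a wrong ICV length that happens to equal a multiple of the block size still leaves the ciphertext block-aligned.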