I'm looking for a way to better dissect ESP (RFC2406) packets in transport
mode with NULL encryption (RFC2410 ESP_NULL). Currently, packet-ipsec.c
only dissects SPI and sequence number and leaves the remaining bytes as "Data".
Now, if I know
- it's NULL encryption
- the authentication algorithm (RFC2404 HMAC-SHA-1-96 or RFC2403 HMAC-MD5-96)
- the dissector for the (encapsulated) protocol
I *should* be able to fully dissect the packet easily. What's the proper way
to do this?
A few considerations:
- Store a list of (IP address, SPI) and negotiated ciphersuite if the initial
key management is part of the capture and use that?
- Offer preference settings to set a default ciphersuite and use that?
- How to best find/call the dissector for the (encapsulated) protocol?
- The chosen approach should possibly allow decryption of non-NULL encrypted
packets later (once we finally have a crypto framework in place ;)).
Your feedback is highly appreciated.
+Thomas
--
Thomas Anders (thomas.anders at blue-cable.de)
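The dissection the post describes, worked through as an added example in Python (this is not code from the post, and not from packet-ipsec.c or any Ethereal/Wireshark dissector). It assumes a hypothetical SA table keyed by (destination IP, SPI) that carries the negotiated authentication algorithm and key, in the spirit of the first consideration above; the key, the table entry and the UDP payload are constructed for the example. The ESP layout follows RFC 2406 (SPI, sequence number, payload, padding, Pad Length, Next Header, ICV), the 12-byte truncated ICV follows RFC 2404 / RFC 2403, and the Next Header field is used to dispatch to an inner dissector the way an IP protocol dissector table would.

```python
import hashlib
import hmac
import struct

# RFC 2404 / RFC 2403: HMAC truncated to 96 bits, i.e. a 12-byte ICV.
AUTH_ALGS = {
    "hmac-sha1-96": (hashlib.sha1, 12),
    "hmac-md5-96": (hashlib.md5, 12),
}

# Hypothetical SA table: (destination IP, SPI) -> (auth algorithm, key).
# In a real capture this would be filled from the IKE exchange or from a
# user preference; the key and entry below are constructed for this example.
EXAMPLE_KEY = b"\x0b" * 20
SA_TABLE = {("10.0.0.2", 0x12345678): ("hmac-sha1-96", EXAMPLE_KEY)}


def dissect_udp(data):
    """Minimal dissector for the encapsulated protocol (IP protocol 17)."""
    src, dst, length, csum = struct.unpack("!HHHH", data[:8])
    return {"src_port": src, "dst_port": dst, "length": length, "data": data[8:]}


# Dispatch on the ESP Next Header field, like an "ip.proto" dissector table.
NEXT_HEADER_DISSECTORS = {17: dissect_udp}


def build_esp_null(spi, seq, next_header, payload, key, auth_alg="hmac-sha1-96"):
    """Build a transport-mode ESP_NULL packet (constructed test input)."""
    digest, icv_len = AUTH_ALGS[auth_alg]
    # RFC 2406: Pad Length and Next Header must end on a 4-byte boundary;
    # NULL has a 1-byte block size, so only this alignment rule applies.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # default padding 1, 2, 3, ...
    authenticated = (struct.pack("!II", spi, seq) + payload + padding
                     + bytes([pad_len, next_header]))
    icv = hmac.new(key, authenticated, digest).digest()[:icv_len]
    return authenticated + icv


def dissect_esp_null(packet, auth_alg, key=None):
    """Split an ESP_NULL packet into its fields; verify the ICV if a key is known."""
    digest, icv_len = AUTH_ALGS[auth_alg]
    if len(packet) < 8 + 2 + icv_len:
        raise ValueError("ESP packet too short")
    spi, seq = struct.unpack("!II", packet[:8])
    # The ICV covers everything that precedes it (RFC 2406 section 2.7).
    authenticated, icv = packet[:-icv_len], packet[-icv_len:]
    pad_len, next_header = authenticated[-2], authenticated[-1]
    body = authenticated[8:-2]
    if pad_len > len(body):
        raise ValueError("Pad Length exceeds available data")
    payload, padding = body[:len(body) - pad_len], body[len(body) - pad_len:]
    icv_ok = None  # unknown key: fields are shown but the ICV is not checked
    if key is not None:
        expected = hmac.new(key, authenticated, digest).digest()[:icv_len]
        icv_ok = hmac.compare_digest(expected, icv)
    result = {
        "spi": spi, "seq": seq, "next_header": next_header, "pad_len": pad_len,
        "padding_ok": padding == bytes(range(1, pad_len + 1)),
        "payload": payload, "icv_ok": icv_ok, "inner": None,
    }
    inner = NEXT_HEADER_DISSECTORS.get(next_header)
    if inner is not None:
        result["inner"] = inner(payload)
    return result


def dissect_with_sa(dst_ip, packet):
    """Look the SA up by (destination IP, SPI), then dissect with its parameters."""
    spi = struct.unpack("!I", packet[:4])[0]
    sa = SA_TABLE.get((dst_ip, spi))
    if sa is None:
        return {"spi": spi, "error": "no SA known for this (address, SPI)"}
    auth_alg, key = sa
    return dissect_esp_null(packet, auth_alg, key)


if __name__ == "__main__":
    udp = struct.pack("!HHHH", 1234, 5678, 13, 0) + b"hello"
    pkt = build_esp_null(0x12345678, 1, 17, udp, EXAMPLE_KEY)
    print(dissect_with_sa("10.0.0.2", pkt))
```

Two points worth noting for a real dissector: the payload and padding can only be separated from the end of the packet once the ICV length is known, so the authentication algorithm (or a preference) is needed before even the NULL-encrypted payload can be handed to the inner dissector; and when no SA matches, the SPI and sequence number are still shown while the rest stays opaque, which is the current packet-ipsec.c behaviour and a sensible fallback.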