Wireshark mailing list archives

Re: OSCORE dissector


From: Mališa Vučinić <malishav () gmail com>
Date: Wed, 20 Dec 2017 18:13:40 +0100

Thanks for your response Michael, that is helpful. I've just pushed some first CoAP-related changes that have been
tested and are ready for review (https://code.wireshark.org/review/#/c/24910/2). I will build the OSCORE dissector on
top of these and submit WIP changes as I progress.

Mališa


On 20 Dec 2017, at 04:30, Michael Mann via Wireshark-dev <wireshark-dev () wireshark org> wrote:

Mališa,
 
I think you are approaching this correctly in making OSCORE a separate protocol for now.  The deciding point may be
the overall size of "OSCORE only" code and how much of the CoAP dissector API you have to put in a header file.  Remember
dissectors don't always equal protocols, so you may need a few dissectors to get the proper layering that you desire.
You can always submit a patch for review even if it's just a "WIP" (work in progress).  Reviewers may be able to
better steer you in a direction by seeing the code itself (I know I work better that way, anyway).
 
Michael
 
 
-----Original Message-----
From: Mališa Vučinić <malishav () gmail com>
To: wireshark-dev <wireshark-dev () wireshark org>
Sent: Tue, Dec 19, 2017 10:48 am
Subject: [Wireshark-dev] OSCORE dissector

Hello all,

I am looking for advice on how to organize the dissector code for OSCORE
(https://tools.ietf.org/html/draft-ietf-core-object-security-07).

OSCORE is a mechanism to encrypt *part* of a CoAP (RFC 7252) message, leaving the CoAP header in the clear. Encryption is
signaled with a special CoAP option called Object-Security. The OSCORE plaintext contains the CoAP code, *some* CoAP
options and the CoAP payload. This means that once decryption has taken place, functions specific to the CoAP dissector
are needed to dissect it.

An OSCORE message can also be carried over HTTP, in order to support HTTP-to-CoAP proxies, and is signaled by the
presence of a special HTTP header.

Another data point is that IETF CORE has also standardized CoAP to be used over TCP and WebSockets
(https://tools.ietf.org/html/draft-ietf-core-coap-tcp-tls-11) with a different on-the-wire format from the CoAP over UDP
currently implemented in Wireshark. I do not intend to implement this now but would like to organize my OSCORE
dissection code in a way that will facilitate this extension of CoAP.

I started implementing OSCORE as a separate dissector, explicitly called from CoAP for now. To dissect OSCORE 
plaintext after decryption, I plan on exporting some CoAP functions and calling them from the OSCORE dissector. I 
will need to refactor the CoAP dissector code a bit to facilitate this. CoAP over TCP can then be implemented as a 
separate dissector using the same exported CoAP functions. 

I would like to check whether this is the right approach and if I should pursue it. Another option is to put
everything within the CoAP dissector, but I am not sure if that would cover the OSCORE over HTTP case.

Any feedback would be greatly appreciated.

Mališa


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
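The framing Mališa describes (CoAP header, token and Object-Security option in the clear; code, some options and payload inside the ciphertext), as an added C example that is not from the thread or from Wireshark's dissectors: a bounds-checked walk over the cleartext option list that flags an OSCORE-protected message and locates the ciphertext a decrypting dissector would hand back to the CoAP code. The option number is an assumption (9, the value RFC 8613 later assigned), and the sample message is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Assumed Object-Security option number; RFC 8613 assigns 9 to the OSCORE option. */
#define OPT_OBJECT_SECURITY 9
struct coap_view {
    uint8_t code;               /* outer code, stays in the clear */
    size_t token_len;
    bool has_object_security;   /* message is OSCORE-protected */
    size_t osc_off, osc_len;    /* Object-Security option value: flags, partial IV, kid */
    size_t payload_off;         /* ciphertext start (after 0xFF); == len if no payload */
};
/* Decode a delta/length nibble plus extension bytes (RFC 7252 3.1); -1 if reserved/truncated. */
static int opt_ext(uint8_t nib, const uint8_t *p, size_t rem, size_t *out) {
    if (nib < 13) { *out = nib; return 0; }
    if (nib == 13 && rem >= 1) { *out = 13 + p[0]; return 1; }
    if (nib == 14 && rem >= 2) { *out = 269 + ((size_t)p[0] << 8 | p[1]); return 2; }
    return -1;
}
/* Walk the cleartext part of a CoAP/UDP message; returns false on a format error. */
bool coap_scan(const uint8_t *m, size_t len, struct coap_view *v) {
    memset(v, 0, sizeof *v);
    if (len < 4 || (m[0] >> 6) != 1 || (m[0] & 0x0F) > 8) return false; /* version 1, TKL <= 8 */
    v->token_len = m[0] & 0x0F;
    v->code = m[1];
    size_t off = 4 + v->token_len, optnum = 0;
    if (off > len) return false;
    v->payload_off = len;
    while (off < len) {
        if (m[off] == 0xFF) {                 /* payload marker */
            if (off + 1 >= len) return false; /* marker with empty payload is a format error */
            v->payload_off = off + 1;
            return true;
        }
        uint8_t b = m[off++];
        size_t delta, olen; int n;
        if ((n = opt_ext(b >> 4, m + off, len - off, &delta)) < 0) return false; off += n;
        if ((n = opt_ext(b & 0x0F, m + off, len - off, &olen)) < 0) return false; off += n;
        if (olen > len - off) return false;
        optnum += delta;                      /* option numbers are delta-encoded */
        if (optnum == OPT_OBJECT_SECURITY) { v->has_object_security = true; v->osc_off = off; v->osc_len = olen; }
        off += olen;
    }
    return true;
}
/* Constructed sample: CON POST, 2-byte token, Uri-Port 5683, Object-Security {n=1,k}, 4 ciphertext bytes. */
static const uint8_t SAMPLE[] = { 0x42, 0x02, 0x12, 0x34, 0xAB, 0xCD, 0x72, 0x16, 0x33,
                                  0x23, 0x09, 0x05, 0x01, 0xFF, 0xDE, 0xAD, 0xBE, 0xEF };
```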
