Re: OSCORE dissector

[Michael Mann via Wireshark-dev <wireshark-dev () wireshark org>]

Mališa,

I think you are approaching this correctly in making OSCORE a separate protocol for now.  The deciding point may be 
overall size of "OSCORE only" code and how much of the CoAP dissector API you have to put in a header file.  Remember 
dissectors don't always equal protocols, so you may need a few dissectors to get the proper layering that you desire.
You can always submit a patch for review even if it's just a "WIP" (work in progress).  Reviewers may be able to better 
steer you in a direction by seeing the code itself (I know I work better that way, anyway).

Michael

 
 
-----Original Message-----
From: Mališa Vučinić <malishav () gmail com>
To: wireshark-dev <wireshark-dev () wireshark org>
Sent: Tue, Dec 19, 2017 10:48 am
Subject: [Wireshark-dev] OSCORE dissector


Hello all,


I am looking for an advice how to organize the dissector code of OSCORE 
(https://tools.ietf.org/html/draft-ietf-core-object-security-07).


OSCORE is a mechanism to encrypt *part* of CoAP-RFC7252 message, leaving CoAP header in the clear. Encryption is 
signaled with a special CoAP option called Object-Security. The plaintext of OSCORE contains CoAP code, *some* CoAP 
options and CoAP payload. This means that once decryption has taken place, functions specific to CoAP dissector are 
needed to dissect it.


OSCORE message can also be carried with HTTP, in order to support HTTP-to-CoAP proxies, and is signaled by the presence 
of a special HTTP header.


Another data point is that IETF CORE has also standardized CoAP to be used over TCP and Websockets 
(https://tools.ietf.org/html/draft-ietf-core-coap-tcp-tls-11) with a different on-the-wire format from CoAP over UDP 
currently implemented in Wireshark. I do not intend to implement this now but would like to organize my OSCORE 
dissection code in a way that will facilitate this extension of CoAP.


I started implementing OSCORE as a separate dissector, explicitly called from CoAP for now. To dissect OSCORE plaintext 
after decryption, I plan on exporting some CoAP functions and calling them from the OSCORE dissector. I will need to 
refactor the CoAP dissector code a bit to facilitate this. CoAP over TCP can then be implemented as a separate 
dissector using the same exported CoAP functions. 


I would like to check whether this is the right approach and if I should pursue it. Another option is to put everything 
within the CoAP dissector but I am not sure if that would cover OSCORE over HTTP case.


Any feedback would be greatly appreciated.


Mališa





___________________________________________________________________________Sent via:    Wireshark-dev mailing list 
<wireshark-dev () wireshark org>Archives:    https://www.wireshark.org/lists/wireshark-devUnsubscribe: 
https://www.wireshark.org/mailman/options/wireshark-dev             mailto:wireshark-dev-request () wireshark 
org?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe