tcpdump mailing list archives

Re: tcpdump -E doesn't work for 3des-cbc/hmac-md5


From: Michael Mueller <m.mueller99 () kay-mueller de>
Date: Tue, 05 Oct 2004 12:49:40 +0200

authlen depends on the authentication algorithm used by esp. But on the command line we only have the encryption algorithm. Unfortunately the decryption at least for the *-cbc algorithms fails completely if authlen is wrong. The two algorithms can be chosen independently of each other in principle. This means with the current command line tcpdump doesn't know the authlen. But 12 would be a good default and 0 for 3des is definitely bad because authlen doesn't depend on any encryption algorithm.

I'd be willing to come up with a patch for optionally specifying authlen on the command line if we can agree on the syntax. This should solve all authlen issues.

How about the following syntax for tcpdump -E:

  tcpdump -E 'spi@ipaddr algo:secret[:authlen][,...]'

The new part is the optional :authlen. This new syntax should apply to the -E 'file filename' case too. If authlen is not given, it should default to 12.

I also would try and update the man page. The current description of -E is already kind of cryptic and an example would be helpful. (I learned the -E syntax from the sources.)

Michael


Guy Harris wrote:
> Michael Mueller wrote:
> 
> > Are there any positive or negative reactions to this? Will somebody fix it?
> 
> I'd check in the patch if somebody resolved the issue
> 
> > Tcpdump -E doesn't work for 3des-cbc encryption with hmac-md5 authentication (tested with tcpdump-2004.09.22 on Linux 2.6). The reason is that in esp_print_decode_onesecret() in print-esp.c, authlen is left 0 instead of setting it to 12 for *-cbc encryptions. The 12-byte authlen is required for
> > 
> >         hmac-md5        by rfc2403
> >         hmac-sha1       by rfc2404
> > 
> > and seems to have the same value for other authentication algorithms too. I don't think that authlen should depend on the encryption algorithm used. I append a patch that sets it to 12. I hope that this is good for all cases. Otherwise specifying authlen on the command line would be an alternative.
> 
> either by saying that 12 is the right authlen for all encryption algorithms, saying it's not and supplying a way (including a patch) to figure out what the right authlen is, or saying it's not, saying you can't determine it from the packet contents, and supplying a patch to add the authentication length on the command line (and if nobody on the list says "that won't work" or "here's a better way to do it" or something such as that).
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
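To make the failure discussed above concrete, here is an added Python example (not tcpdump's code and not from either poster): a hypothetical parser for the proposed `spi@ipaddr algo:secret[:authlen]` syntax with authlen defaulting to 12, plus an ESP carver that shows why a CBC decrypt cannot proceed when the 12-byte ICV is left inside the ciphertext (authlen 0). The sample packet is constructed, not a real capture.

```python
import struct

# ICV length of HMAC-MD5-96 (RFC 2403) and HMAC-SHA-1-96 (RFC 2404): the
# default the thread proposes when no :authlen is given.
DEFAULT_AUTHLEN = 12


def parse_esp_spec(spec):
    """Parse the proposed -E syntax 'spi@ipaddr algo:secret[:authlen][,...]'.

    Hypothetical parser for the thread's proposal; secrets must not contain ':'.
    """
    entries = []
    for item in spec.split(","):
        addr_part, key_part = item.strip().split(" ", 1)
        spi, ipaddr = addr_part.split("@", 1)
        fields = key_part.split(":")
        if len(fields) not in (2, 3):
            raise ValueError("expected algo:secret[:authlen], got %r" % key_part)
        authlen = int(fields[2]) if len(fields) == 3 else DEFAULT_AUTHLEN
        entries.append({"spi": int(spi, 0), "ipaddr": ipaddr, "algo": fields[0],
                        "secret": fields[1], "authlen": authlen})
    return entries


def carve_esp(esp, blocksize, authlen):
    """Split an ESP payload (RFC 2406: SPI, seq, IV, ciphertext, ICV) using authlen.

    A CBC decrypt only works when the ciphertext is a whole number of blocks,
    so 'block_aligned' is the check that fails when authlen is wrong.
    """
    spi, seq = struct.unpack("!II", esp[:8])
    iv = esp[8:8 + blocksize]
    ciphertext = esp[8 + blocksize:len(esp) - authlen]
    icv = esp[len(esp) - authlen:] if authlen else b""
    return {"spi": spi, "seq": seq, "iv": iv, "ciphertext": ciphertext,
            "icv": icv, "block_aligned": len(ciphertext) % blocksize == 0}


# Constructed sample, not a real capture: SPI 0x1000, seq 1, 8-byte IV,
# two 3DES blocks of dummy ciphertext, then a 12-byte HMAC-MD5-96 ICV.
SAMPLE_ESP = (struct.pack("!II", 0x1000, 1) + b"\x11" * 8
              + b"\x22" * 16 + b"\xaa" * 12)

if __name__ == "__main__":
    for authlen in (12, 0):
        f = carve_esp(SAMPLE_ESP, blocksize=8, authlen=authlen)
        print("authlen=%2d ciphertext=%2d bytes block_aligned=%s"
              % (authlen, len(f["ciphertext"]), f["block_aligned"]))
    print(parse_esp_spec("0x1000@10.0.0.1 3des-cbc:secret"))
```

With authlen 0 the 28-byte "ciphertext" is not a multiple of the 8-byte 3DES block, which is the symptom the thread reports; with authlen 12 the ICV is stripped and the 16 remaining bytes decrypt cleanly.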


-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.


Current thread: