Wireshark mailing list archives

OSCORE dissector

From: Mališa Vučinić <malishav () gmail com>
Date: Tue, 19 Dec 2017 16:48:29 +0100

Hello all,

I am looking for an advice how to organize the dissector code of OSCORE
(https://tools.ietf.org/html/draft-ietf-core-object-security-07
<https://tools.ietf.org/html/draft-ietf-core-object-security-07>).

OSCORE is a mechanism to encrypt *part* of CoAP-RFC7252 message, leaving CoAP header in the clear. Encryption is
signaled with a special CoAP option called Object-Security. The plaintext of OSCORE contains CoAP code, *some* CoAP
options and CoAP payload. This means that once decryption has taken place, functions specific to CoAP dissector are
needed to dissect it.

OSCORE message can also be carried with HTTP, in order to support HTTP-to-CoAP proxies, and is signaled by the presence
of a special HTTP header.

Another data point is that IETF CORE has also standardized CoAP to be used over TCP and Websockets
(https://tools.ietf.org/html/draft-ietf-core-coap-tcp-tls-11
<https://tools.ietf.org/html/draft-ietf-core-coap-tcp-tls-11>) with a different on-the-wire format from CoAP over UDP
currently implemented in Wireshark. I do not intend to implement this now but would like to organize my OSCORE
dissection code in a way that will facilitate this extension of CoAP.

I started implementing OSCORE as a separate dissector, explicitly called from CoAP for now. To dissect OSCORE plaintext
after decryption, I plan on exporting some CoAP functions and calling them from the OSCORE dissector. I will need to
refactor the CoAP dissector code a bit to facilitate this. CoAP over TCP can then be implemented as a separate
dissector using the same exported CoAP functions.

I would like to check whether this is the right approach and if I should pursue it. Another option is to put everything
within the CoAP dissector but I am not sure if that would cover OSCORE over HTTP case.

Any feedback would be greatly appreciated.

Mališa

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

Current thread:

OSCORE dissector Mališa Vučinić (Dec 19)
- Re: OSCORE dissector Michael Mann via Wireshark-dev (Dec 19)
  - Re: OSCORE dissector Mališa Vučinić (Dec 20)