[prev in list] [next in list] [prev in thread] [next in thread]
List: wireshark-dev
Subject: Re: [Wireshark-dev] re-load IKEv2 / ESP UAT during wireshark gui runtime
From: "Dr. Matthias St. Pierre" <Matthias.St.Pierre () ncp-e ! com>
Date: 2021-08-20 19:28:17
Message-ID: 71e3a3a403684ac1b978e278279618f5 () ncp-e ! com
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
[Attachment #4 (text/plain)]
> > If there is a good reason to use UATs for this kind of encryption
> > keys, I'd wonder why the TLS and SSH dissectors don't use them ;)
I guess the only reason why UATs are used for ISAKMP and ESP, whereas keylog files \
are used for TLS is because the respective dissectors where implemented by different \
people at different times.
Personally, I find the keylog approach much more elegant and easier to use. Apart \
from having to save the pcap and restart Wireshark, the UAT approach has some other \
drawbacks:
- There is no command line option to specify the UAT file paths. So you end up having \
to copy files in the Wireshark config directory or create symbolic links, and it is \
difficult to run several copies of Wireshark with different secrets.
- The UAT files are not reloaded automatically.
- Having an editable dialog is not a useful feature, because nobody nowadays would \
edit the secrets manually. As you said in general the secrets are the result of some \
ephemeral key exchange.
So the keylog file approach would be a cool feature to have. (PR welcome 😉 ) A \
good start would be to look at how the TLS dissector implements the monitoring and \
reloading. (Maybe the UAT files should remain for as a legacy feature a while, for \
compatibility reasons)
> I have nothing against a text keylog file approach, but FWIW with ESP UAT (or the \
> run-time function I mentioned), you can configure the key in hex prefixed with 0x.
I can confirm that binary secrets can be added using 0x<hexvalue>. The VPN client of \
my company autogenerates the 'ikev2_decryption_table' and 'esp_sa' UATs with binary \
secrets, see the second IPsec example \
https://gitlab.com/wireshark/wireshark/-/wikis/SampleCaptures#ipsec).
Matthias
["smime.p7s" (application/pkcs7-signature)]
[Attachment #6 (text/plain)]
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic