Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] OSCORE dissector

From: Michael Mann <mmann78@xxxxxxxxxxxx>
Date: Tue, 19 Dec 2017 22:30:26 -0500
Mališa,
 
I think you are approaching this correctly in making OSCORE a separate protocol for now.  The deciding point may be overall size of "OSCORE only" code and how much of the CoAP dissector API you have to put in a header file.  Remember dissectors don't always equal protocols, so you may need a few dissectors to get the proper layering that you desire.
You can always submit a patch for review even if it's just a "WIP" (work in progress).  Reviewers may be able to better steer you in a direction by seeing the code itself (I know I work better that way, anyway).
 
Michael
 
 
-----Original Message-----
From: Mališa Vučinić <malishav@xxxxxxxxx>
To: wireshark-dev <wireshark-dev@xxxxxxxxxxxxx>
Sent: Tue, Dec 19, 2017 10:48 am
Subject: [Wireshark-dev] OSCORE dissector

Hello all,

I am looking for an advice how to organize the dissector code of OSCORE (https://tools.ietf.org/html/draft-ietf-core-object-security-07).

OSCORE is a mechanism to encrypt *part* of CoAP-RFC7252 message, leaving CoAP header in the clear. Encryption is signaled with a special CoAP option called Object-Security. The plaintext of OSCORE contains CoAP code, *some* CoAP options and CoAP payload. This means that once decryption has taken place, functions specific to CoAP dissector are needed to dissect it.

OSCORE message can also be carried with HTTP, in order to support HTTP-to-CoAP proxies, and is signaled by the presence of a special HTTP header.

Another data point is that IETF CORE has also standardized CoAP to be used over TCP and Websockets (https://tools.ietf.org/html/draft-ietf-core-coap-tcp-tls-11) with a different on-the-wire format from CoAP over UDP currently implemented in Wireshark. I do not intend to implement this now but would like to organize my OSCORE dissection code in a way that will facilitate this extension of CoAP.

I started implementing OSCORE as a separate dissector, explicitly called from CoAP for now. To dissect OSCORE plaintext after decryption, I plan on exporting some CoAP functions and calling them from the OSCORE dissector. I will need to refactor the CoAP dissector code a bit to facilitate this. CoAP over TCP can then be implemented as a separate dissector using the same exported CoAP functions. 

I would like to check whether this is the right approach and if I should pursue it. Another option is to put everything within the CoAP dissector but I am not sure if that would cover OSCORE over HTTP case.

Any feedback would be greatly appreciated.

Mališa


___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe