IKEv2: improve dissection of IKEv2 redirect notifications #3779
Conversation
|
The isotp_packet test currently fails on my machine, not only on this pull branch, also on the master branch: The isakmp, ikev2, and ipsec tests succeed, however. |
Codecov Report
@@ Coverage Diff @@
## master #3779 +/- ##
===========================================
+ Coverage 49.97% 84.59% +34.61%
===========================================
Files 228 296 +68
Lines 53157 62179 +9022
===========================================
+ Hits 26565 52600 +26035
+ Misses 26592 9579 -17013
|
mspncp
force-pushed
the
dissect-ikev2-redirect
branch
from
4a0a902
to
e1d8c4a
Compare
|
@gpotter2 I have a general question to you (and/or the other maintainers): As you can see here the packet names in the ikev2 (and the isakmp) module tend to be terribly long, due to the redundand I would very much like to shorten the names by removing this useless infix ( What is your preferred choice?
(I probably already know your answer, but I had to ask nevertheless...) current names
shortened names
|
mspncp
force-pushed
the
dissect-ikev2-redirect
branch
2 times, most recently
from
733ba89
to
12aa0a0
Compare
|
Last force-push fixes the flake8 E501 errors. |
|
Current ikev2 layer is a mess, and really not up to what we do nowadays in Scapy. Another thing I would do for instance, is remove So feel free to rework the module, again, if it's in |
Strictly speeking, it will be in layers/ after #3766 is merged. But still unreleased as official layer.
Does your ok apply to isakmp.py as well? Or should I leave it untouched, even though that would be inconsistent? |
Now that you mention it: I hadn't noticed yet how broken the overloading of the I noticed it when I started removing the redundand (so I thought) |
|
However, there is also good nows: apart from this 'known bug', the test suite is now complete and succeeds: |
mspncp
force-pushed
the
dissect-ikev2-redirect
branch
from
12aa0a0
to
98fecd0
Compare
|
Last force-push was a pure rebase to remain on top of #3766. |
mspncp
force-pushed
the
dissect-ikev2-redirect
branch
from
98fecd0
to
f4eecaa
Compare
|
Rebased onto master. Still in draft mode, because tests are still missing. |
The IKE messages tend to have a lot of payloads and those unnecessary
eight characters per payload add a lot of redundancy and size to the
output of the dissected packets. Removing them improves readability of
the output and makes typing less tedious.
The removal was automated using the following find+sed script:
find * -type f -exec sed -i \
-e 's/IKEv2_payload_type/IKEv2_payloax_type/g' \
-e 's/IKEv2_payload_/IKEv2_/g' \
-e 's/IKEv2_payload/IKEv2_Payload/g' \
-e 's/IKEv2_payloax/IKEv2_payload/g' {} +
* IKEv2AttributeTypes Swap names and numbers in the IKEv2AttributeTypes dictionary and its nested algorithm dictionaries to get rid of the awkward code to invert the entries. With this change, the transform types and algorithms can now be extracted using a simple dictionary comprehension. * IKEv2PayloadTypes and IKEv2ExchangeTypes Instead of arrays, use dictionaries like everywhere else in the module. Also change their names to make them consistent with the names of the other dictionaries.
Replace the names of the 'Encrypted', 'Encrypted_Fragement, and
'VendorID' payload with their official IANA abbreviations 'SK',
'SKF, and 'V', to be more consistent with the other payload names.
The only remaining exceptions are the 'Nonce' and 'Notify' payloads
('N' resp. 'Ni'/'Nr'), because they would end up with the same
abbreviation (the dissector does not distinguish between the
initiator's and responder's nonce).
The previous bindings were incomplete: the payloads were only bound
to the main IKEv2 layer, but not to the other payloads. For example,
the lower binding between KE and Nonce payload is missing here:
>>> IKEv2() / IKEv2_KE() / IKEv2_Nonce()
<IKEv2 next_payload=KE |<IKEv2_KE |<IKEv2_Nonce |>>>
This commit removes the manually implemented bindings and replaces them
with bind_layers() calls:
For every entry (np, name) in the IKEv2PayloadTypes dictionary it is
now expected that there exists a corresponding 'IKEv2_<name>' class,
which is derived from IKEv2_Packet. The layers get bound as follows:
bind_layers(IKEv2_Packet, IKEv2_<name>, next_payload=np)
* CERT payload [RFC 7296, section 3.6] Previously, the IKEv2_CERT class used a dispatch hook to define three different classes IKEv2_CERT_CRT, IKEv2_CERT_CRL, and IKEv2_CERT_STR. This commit removes the three subclasses and uses a MultipleTypeField for the `cert_data` instead. * CERTREQ payload [RFC 7296, section 3.7] The field description was apparently copied from the vendor id payload and never updated. This commit adds the correct members, however the size and count of the SPIs are not updated automatically yet.
All the fields contain binary data, so it makes the output much more readable to show their value as hexadecimal string. It is also more consistent with the ipsec module, see for example the spi and data fields of the ESP packet.
This commit adds a dispatch hook for the IKEv2_payload_Notify class to support adding specialized classes for specific notifications for which the payload can be dissected further. As a first use-case, it adds two new notification classes - IKEv2_payload_Notify_Redirect - IKEv2_payload_Notify_Redirected_from See RFC 5685, sections 9.2 and 9.3
mspncp
force-pushed
the
dissect-ikev2-redirect
branch
from
f4eecaa
to
693de59
Compare
|
Last force-push was a rebase on master without further changes. |
|
Superseded by #3925 |
Commits in chronological order.
The first one is a preparation for the second, main commit.(update: squashed into one)Still a draft, because the pull request is based on the unmerged pull request #3766 and because tests are still missing.
commit 733ba89e4ec0f3fd2e0b19d9788afd27a7fdef46
Checklist:
cd test && ./run_testsortox)