-
-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IKEv2: improve dissection of IKEv2 redirect notifications #3779
Conversation
The isotp_packet test currently fails on my machine, not only on this pull branch, also on the master branch:
The isakmp, ikev2, and ipsec tests succeed, however. |
Codecov Report
@@ Coverage Diff @@
## master #3779 +/- ##
===========================================
+ Coverage 49.97% 84.59% +34.61%
===========================================
Files 228 296 +68
Lines 53157 62179 +9022
===========================================
+ Hits 26565 52600 +26035
+ Misses 26592 9579 -17013
|
4a0a902
to
e1d8c4a
Compare
@gpotter2 I have a general question to you (and/or the other maintainers): As you can see here
the packet names in the ikev2 (and the isakmp) module tend to be terribly long, due to the redundand I would very much like to shorten the names by removing this useless infix ( What is your preferred choice?
(I probably already know your answer, but I had to ask nevertheless...) current names shortened names |
733ba89
to
12aa0a0
Compare
Last force-push fixes the flake8 E501 errors. |
Current ikev2 layer is a mess, and really not up to what we do nowadays in Scapy. Another thing I would do for instance, is remove So feel free to rework the module, again, if it's in |
Strictly speeking, it will be in layers/ after #3766 is merged. But still unreleased as official layer.
Does your ok apply to isakmp.py as well? Or should I leave it untouched, even though that would be inconsistent? |
Now that you mention it: I hadn't noticed yet how broken the overloading of the
I noticed it when I started removing the redundand (so I thought)
|
However, there is also good nows: apart from this 'known bug', the test suite is now complete and succeeds:
|
12aa0a0
to
98fecd0
Compare
Last force-push was a pure rebase to remain on top of #3766. |
98fecd0
to
f4eecaa
Compare
Rebased onto master. Still in draft mode, because tests are still missing. |
The IKE messages tend to have a lot of payloads and those unnecessary eight characters per payload add a lot of redundancy and size to the output of the dissected packets. Removing them improves readability of the output and makes typing less tedious. The removal was automated using the following find+sed script: find * -type f -exec sed -i \ -e 's/IKEv2_payload_type/IKEv2_payloax_type/g' \ -e 's/IKEv2_payload_/IKEv2_/g' \ -e 's/IKEv2_payload/IKEv2_Payload/g' \ -e 's/IKEv2_payloax/IKEv2_payload/g' {} +
* IKEv2AttributeTypes Swap names and numbers in the IKEv2AttributeTypes dictionary and its nested algorithm dictionaries to get rid of the awkward code to invert the entries. With this change, the transform types and algorithms can now be extracted using a simple dictionary comprehension. * IKEv2PayloadTypes and IKEv2ExchangeTypes Instead of arrays, use dictionaries like everywhere else in the module. Also change their names to make them consistent with the names of the other dictionaries.
Replace the names of the 'Encrypted', 'Encrypted_Fragement, and 'VendorID' payload with their official IANA abbreviations 'SK', 'SKF, and 'V', to be more consistent with the other payload names. The only remaining exceptions are the 'Nonce' and 'Notify' payloads ('N' resp. 'Ni'/'Nr'), because they would end up with the same abbreviation (the dissector does not distinguish between the initiator's and responder's nonce).
The previous bindings were incomplete: the payloads were only bound to the main IKEv2 layer, but not to the other payloads. For example, the lower binding between KE and Nonce payload is missing here: >>> IKEv2() / IKEv2_KE() / IKEv2_Nonce() <IKEv2 next_payload=KE |<IKEv2_KE |<IKEv2_Nonce |>>> This commit removes the manually implemented bindings and replaces them with bind_layers() calls: For every entry (np, name) in the IKEv2PayloadTypes dictionary it is now expected that there exists a corresponding 'IKEv2_<name>' class, which is derived from IKEv2_Packet. The layers get bound as follows: bind_layers(IKEv2_Packet, IKEv2_<name>, next_payload=np)
* CERT payload [RFC 7296, section 3.6] Previously, the IKEv2_CERT class used a dispatch hook to define three different classes IKEv2_CERT_CRT, IKEv2_CERT_CRL, and IKEv2_CERT_STR. This commit removes the three subclasses and uses a MultipleTypeField for the `cert_data` instead. * CERTREQ payload [RFC 7296, section 3.7] The field description was apparently copied from the vendor id payload and never updated. This commit adds the correct members, however the size and count of the SPIs are not updated automatically yet.
All the fields contain binary data, so it makes the output much more readable to show their value as hexadecimal string. It is also more consistent with the ipsec module, see for example the spi and data fields of the ESP packet.
This commit adds a dispatch hook for the IKEv2_payload_Notify class to support adding specialized classes for specific notifications for which the payload can be dissected further. As a first use-case, it adds two new notification classes - IKEv2_payload_Notify_Redirect - IKEv2_payload_Notify_Redirected_from See RFC 5685, sections 9.2 and 9.3
f4eecaa
to
693de59
Compare
Last force-push was a rebase on master without further changes. |
Superseded by #3925 |
Commits in chronological order.
The first one is a preparation for the second, main commit.(update: squashed into one)Still a draft, because the pull request is based on the unmerged pull request #3766 and because tests are still missing.
commit 733ba89e4ec0f3fd2e0b19d9788afd27a7fdef46
Checklist:
cd test && ./run_tests
ortox
)