Hi Goran,

Please post your patch in Gerrit, and it is also possible to attach a sample/example capture to the bugtracker ( https://bugs.wireshark.org ).
Regards,

On Fri, Feb 21, 2014 at 2:50 PM, Goran Macut <[email protected]> wrote:
> Hello,
>
> I'm working at Ericsson's R&D in Croatia. During the work on one of
> our projects we've noticed that IPsec IKEv2 packets, encapsulated in
> UDP for NAT traversal, sometimes aren't properly dissected.
>
> I have analysed the problem:
>
> To enable NAT traversal, IPsec ESP and IKE traffic can
> be encapsulated into UDP, on port 4500. Even though the UDP
> encapsulated packets should be sent with source and destination
> ports set to 4500, the NAT box can change the source port in
> this situation:
>
> *------------*  *-----*                        *------------*
> | Endpoint 1 |--| NAT |-----public network-----| Endpoint 2 |
> *------------*  *-----*                        *------------*
>
> Endpoint 1 sends packets with source and destination ports 4500.
> NAT then changes the source port of the message to P1. Endpoint
> 2 receives the message and responds to the port P1, with source
> port set to 4500. NAT changes the destination port P1 of the
> response to port 4500, and Endpoint 1 receives packets on 4500.
>
> If we dump packets on Endpoint 1, they will have source and
> destination ports 4500, and Wireshark will be able to dissect
> these messages well. However, Endpoint 2 will see ports P1 and
> 4500, and Wireshark will have problems with correct dissection.
> Currently, if the port P1 is lower than 4500, and Wireshark
> recognizes it, the message won't be recognized as UDP
> encapsulated.
>
> RFC5996 states:
> "2.23. NAT Traversal
> It is a common practice of NATs to translate TCP and UDP
> port numbers as well as addresses and use the port numbers
> of inbound packets to decide which internal node should get
> a given packet. For this reason, even though IKE packets
> MUST be sent to and from UDP port 500 or 4500, they MUST be
> accepted coming from any port and responses MUST be sent to
> the port from whence they came. This is because the ports
> may be modified as the packets pass through NATs."
>
> I have inspected your code and tried to devise a solution. It seems
> to me that the least destructive way to try to solve this problem in
> a clean way is to add a heuristic dissector for UDP which will
> detect packets that have at least one of the UDP ports set to 4500.
> Of course, I don't know your architecture well, there might be a
> better way.
>
> I have implemented that change, tested it with my examples and it
> works, but only after enabling UDP heuristic dissectors in preferences.
> I have a commit prepared, would you be willing to accept it on
> your Gerrit to check it out?
>
> Best regards,
> Goran Macut
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
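The NAT-translated case Goran describes, modelled as an added example (not Wireshark's code and not his patch): a "lower port first" port-table lookup that misclassifies a P1 -> 4500 datagram, beside the proposed heuristic that claims any datagram with 4500 on either side and then separates IKE from ESP using the RFC 3948 non-ESP marker. The port table, P1 = 1025 and the packet bytes are constructed for the example.

```python
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: precedes IKE in UDP-encap

# Constructed stand-in for a port-based dissector table; 1025 is a made-up
# port P1 that some other dissector happens to claim.
PORT_TABLE = {500: "isakmp", 4500: "udpencap", 1025: "other-protocol"}

def port_based_lookup(sport, dport, table=PORT_TABLE):
    """Lookup that tries the lower-numbered port first, then the higher one."""
    for port in sorted((sport, dport)):
        if port in table:
            return table[port]
    return "data"

def build_udp(sport, dport, payload):
    """Constructed UDP datagram: 8-byte header (checksum left 0) + payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def heuristic_nat_t(datagram):
    """The proposed heuristic: either port == 4500 means NAT-T encapsulation.
    Returns None when it declines, so the caller can fall back to the table."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("bad UDP length field")
    payload = datagram[8:length]
    if NAT_T_PORT not in (sport, dport):
        return None
    if payload == b"\xff":          # RFC 3948 2.3: one-byte NAT-keepalive
        return "nat-keepalive"
    if len(payload) < 4:
        return None                 # too short to carry a marker or an SPI
    if payload[:4] == NON_ESP_MARKER:
        return "isakmp"             # IKE follows the four zero bytes
    return "esp"                    # otherwise those bytes are a non-zero ESP SPI

def classify(datagram):
    """Heuristic first (as with UDP heuristics enabled), port table otherwise."""
    result = heuristic_nat_t(datagram)
    if result is not None:
        return result
    sport, dport = struct.unpack("!HH", datagram[:4])
    return port_based_lookup(sport, dport)

# Constructed IKE_SA_INIT response as seen on Endpoint 2's side: P1=1025 -> 4500.
IKE_HDR = bytes.fromhex("0011223344556677" "8899aabbccddeeff" "21202220" "00000000" "0000001c")
PKT_NAT_T_IKE = build_udp(1025, 4500, NON_ESP_MARKER + IKE_HDR)
PKT_NAT_T_ESP = build_udp(1025, 4500, bytes.fromhex("00000123") + b"\x00\x00\x00\x01" + b"\x00" * 16)
```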
