Robin Jarry
2014-03-27 17:34:03 UTC
Hello all,
Some of you may already know the old
scapysec <http://roudaut.frederic.free.fr/Projects.Scapysec.php?js=2> implementation
by Frédéric Roudault. Unfortunately, this was for scapy 1.X
and it was never adapted from 2.X. After spending some time trying to
rebase it on the head of scapy, I decided to start from scratch.
While the old implementation works fine, I found some problems:
- Overly complex system with a SAD object hacked into scapy.conf.setkey.
Which does not cover the whole SP/SA mechanism of a real ipsec
implementation anyways (like linux).
- The user is forced to "know" the ipsec RFC when building ESP packets
- No support for AH
- And of course, does not work with scapy 2.X
I developed a re-implementation which has the following highlights:
- Support for both ESP and AH
- Simple SecurityAssociation object with 2 services "encrypt" and
"decrypt". One can give any IP(v6) packet to encrypt and get a valid ESP or
AH encrypted/authenticated packet in return. No complex "lookup" mechanism.
- Has unit tests
Attached to this message is a patch with my changes. Could you tell me what
you think of it? I'd like to have some input from "wise" guys before
creating an actual pull request on bb.
Cheers,
Robin
PS: I tried to add "ipsec" in scapy.config.Conf.load_layers but it seems to
break the startup imports. No layer classes are available except ESP AH and
SecurityAssociation. Maybe you can help?
*Robin Jarry*
*R&D Engineer*
*6WIND - http://www.6wind.com/ <http://www.6wind.com/>*
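
The "one object, two services" design described in the message can be modelled in a few lines. The following is an added example, not code from the attached patch or from scapy: `MiniSA` and `demo` are hypothetical names, it handles only the ESP portion (RFC 4303 layout) on raw payload bytes rather than whole IP packets, and it assumes NULL encryption with HMAC-SHA-256-128 so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import struct


class MiniSA:
    """Hypothetical model of an SA with two services (not the patch's class)."""
    ICV_LEN = 16  # HMAC-SHA-256 truncated to 128 bits (RFC 4868)

    def __init__(self, spi, auth_key):
        self.spi = spi
        self.auth_key = auth_key
        self.seq = 0  # outbound sequence number, incremented per packet

    def _icv(self, data):
        return hmac.new(self.auth_key, data, hashlib.sha256).digest()[:self.ICV_LEN]

    def encrypt(self, payload, next_header):
        """Wrap payload bytes in ESP (NULL cipher assumed) and append the ICV."""
        self.seq += 1
        # Pad so that payload + padding + 2 trailer bytes is 4-byte aligned.
        pad_len = -(len(payload) + 2) % 4
        padding = bytes(range(1, pad_len + 1))  # RFC 4303 default: 1, 2, 3, ...
        body = (struct.pack("!II", self.spi, self.seq) + payload + padding
                + struct.pack("!BB", pad_len, next_header))
        return body + self._icv(body)

    def decrypt(self, esp):
        """Verify the ICV, then strip the ESP header, trailer and padding."""
        if len(esp) < 8 + 2 + self.ICV_LEN:
            raise ValueError("truncated ESP packet")
        body, icv = esp[:-self.ICV_LEN], esp[-self.ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("SPI does not match this SA")
        # Constant-time comparison; authenticate before parsing the trailer.
        if not hmac.compare_digest(icv, self._icv(body)):
            raise ValueError("ICV check failed")
        pad_len, next_header = body[-2], body[-1]
        end = len(body) - 2 - pad_len
        if end < 8 or body[end:-2] != bytes(range(1, pad_len + 1)):
            raise ValueError("bad ESP padding")
        return seq, next_header, body[8:end]


def demo():
    # Constructed sample: the SPI, key and payload are made up for illustration.
    sa = MiniSA(0x1000, b"k" * 32)
    return sa.decrypt(sa.encrypt(b"hello", 6))
```

`decrypt` returns the sequence number so a caller can apply its own anti-replay check; the model itself keeps no receive window.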