Adding quic.rst and a QUIC section to ssl.rst #232
Conversation
logs/ssl.rst
Outdated
| The QUIC protocol integrates encryption, stream multiplexing and flow control | ||
| at the transport layer. QUIC uses TLS 1.3 by default. The QUIC analyzer outputs | ||
| logs to :file:`ssl.log`. The QUIC analyzer attempts to handle the INITIAL packet | ||
| payload to provide greater observability. |
There was a problem hiding this comment.
Thanks for the PR - I'd think a small logs/quic.rst file, noting that ssl.log entries are created as well would better fitting.
There's a separate quic.log. Anything showing in ssl.log is because the QUIC analyzer forwards data to the SSL analyzer, not because it explicitly writes to the ssl.log.
|
This needs some squashing and line wrapping...I wanted to check my understanding of the SCID field. In RFC 9000 the ID fields can change to adapt to new conditions but the analyzer will continue to use the same SCID seen in the initial packet. Is that correct? |
mbispham
changed the title
The analyzer should send the actual SCID for a given packet to the script layer. On the script side we simply log the latest one seen for a given connection. Reality and corner-cases likely aren't as straightforward. If you have pcap/scenario and an idea how the behavior should be (maybe a new log entry when the SCID), this could certainly be changed. For RETRY packets, a new log entry should already be created here, even if the connection is the same. |
mbispham
force-pushed
the
topic/matti/add-quic-to-ssl-log
branch
3 times, most recently
from
7e1cf6a
to
96c10cd
Compare
logs/ssl.rst
Outdated
| issues are greatly appreciated, and can be reported via Zeek github, slack or | ||
| discourse - https://zeek.org/community/. | ||
|
|
||
|
|
There was a problem hiding this comment.
Drop this all from ssl.log now that there's a dedicated QUIC section?
There was a problem hiding this comment.
Yeah - it's gone. One to ponder is whether ssl.log has a field identifying the underlying transport protocol.
mbispham
force-pushed
the
topic/matti/add-quic-to-ssl-log
branch
from
96c10cd
to
1969a87
Compare
Align code block with indenting in this section Add bold typeface to emphasize server name in TLS 1.3 Modified conclusion for ldap.log Add quic.rst Add quic.log to TOC Add missing char to ssl.log Add Arne's feedback Remove whitespace
mbispham
force-pushed
the
topic/matti/add-quic-to-ssl-log
branch
from
1969a87
to
cbdaa82
Compare
Added a QUIC section. Trying to emphasize the presence of a server name in TLS 1.3.