[pcap-ng-format] Proposal for storing decryption secrets in a pcapng block

Michael Richardson mcr at sandelman.ca
Sun Sep 30 23:43:04 UTC 2018


Peter Wu <peter at lekensteyn.nl> wrote:
    > Requirements for block placement:
    > - No requirement. Producers are allowed to write the block anywhere.
    > Disadvantages for consumers: requires a two-pass scan to collect
    > secrets before they are used.

I prefer this, but I would support having a flag in the block that
says that no other blocks exist in the file until at least X-bytes.

So, a producer (or something downstream of it) could scan for the
blocks, move them to the front, and indicate how far into the file it covers.
Naturally, if X >= file size, then the work is done.

    > - Place secrets before the packet blocks that require them. Consumers
    > can read and decrypt in one pass. Disadvantage: producers cannot
    > always guarantee availability of secrets while writing the capture.

    > - Place a single secret block before the first packet block. Consumers
    > can read and decrypt in one pass. Disadvantage: requires producers to
    > post-process (rewrite) the capture file to insert secrets.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
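
The placement trade-off discussed in this message, as an added example that is not part of the original post or of any pcapng tool: a block walker that reports whether a consumer can decrypt in one pass (every secrets block precedes the first packet block of its section) or must pre-scan the file. Assumptions: the secrets block type code 0x0000000A is taken from the later pcapng specification, not from this message, and the sample files are constructed with placeholder bodies.

```python
import struct

SHB, PB, SPB, EPB = 0x0A0D0D0A, 0x00000002, 0x00000003, 0x00000006
DSB = 0x0000000A  # assumption: secrets block type code from the later pcapng spec
PACKET_TYPES = {PB, SPB, EPB}

def walk_blocks(data):
    """Yield (offset, block_type) for every block in a pcapng byte string."""
    off, endian = 0, "<"
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":  # SHB type reads the same in both byte orders
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        if struct.unpack_from(endian + "I", data, off + blen - 4)[0] != blen:
            raise ValueError(f"trailing length mismatch at offset {off}")
        yield off, btype
        off += blen

def secrets_placement(data):
    """Return 'none', 'one-pass' or 'two-pass' for the whole file."""
    seen_packet = seen_dsb = late_dsb = False
    for _, btype in walk_blocks(data):
        if btype == SHB:
            seen_packet = False          # each section starts fresh
        elif btype in PACKET_TYPES:
            seen_packet = True
        elif btype == DSB:
            seen_dsb = True
            late_dsb |= seen_packet      # secrets written after packets already in the file
    if not seen_dsb:
        return "none"
    return "two-pass" if late_dsb else "one-pass"

def make_block(btype, body=b""):
    """Build a little-endian block (constructed test data, body is a placeholder)."""
    body += b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

# Constructed sample files: section header, then secrets before or after one packet block.
SHB_BLOCK = make_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
SECRETS_FIRST = SHB_BLOCK + make_block(DSB, b"secret") + make_block(EPB, b"\0" * 20)
SECRETS_LATE = SHB_BLOCK + make_block(EPB, b"\0" * 20) + make_block(DSB, b"secret")

if __name__ == "__main__":
    print(secrets_placement(SECRETS_FIRST), secrets_placement(SECRETS_LATE))
```

A "two-pass" result is conservative: a secrets block that follows some packets may still precede the packets that need it, but a consumer cannot tell that without scanning ahead.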


