Feature #7986
openprotocol decoder: l2tpv3
Description
This feature would implement a protocol decoder similar to GENEVE or VXLAN and allow packets encapsulated with L2TPv3 to be decoded further within Suricata.
The Linux kernel supports L2TPv3, and a few network vendors use L2TPv3 tunnels within their deployments such as Juniper's MIST line of Wireless APs for tunnelling of data between the APs and the controllers or Mikrotik's "l2tp-ether" implementation.
I've got a pull request ready for an l2tpv3 decoder against Suricata v7 and I'm happy to send a pull request on GitHub for the v9 development branch but opened this issue on the advice of @Jamie Lavigne to discuss beforehand.
L2TPv3 RFC: https://datatracker.ietf.org/doc/html/rfc3931
Updated by Victor Julien about 5 hours ago · Edited
- Status changed from New to Assigned
- Target version changed from TBD to 9.0.0-beta1
Hi @Damian Poole, this would certainly be a welcome addition. I didn't see a PR for Suricata 7, but indeed let's work against the main branch and then we can go through the backport steps after it is merged there. Assuming it's not too intrusive we'd probably accept it for backports towards 7 and 8.
(btw I gave you the developer role here in redmine)