Open huitema opened 4 months ago
I currently have text in the draft that says that you only accept signals that have the modified version when there is a packet in the same datagram that is accepted. This does not prevent an off-path attacker that is able to observe a valid packet from trying to race a modified packet toward the receiver, but I think that this is the best we can manage.
(oops, wrong window)
We have a risk that some "man on the side" will inject spoofed packets for fun and profit. We need to consider that in the security section. We have basically two levels of protection:
1) The attacker needs to see the original traffic in order to learn connection IDs, etc.
2) The receiver can verify that the packet decrypts correctly after resetting the version ID.
The combination of the two is probably OK: it proves that the network element was able to receive a packet and change it. But in the case of packets sent after the handshake completes, the keys have been discarded and there is no way to do any verification. The only security is the check of the CIDs. Is that sufficient?