On Wed, 2019-11-20 at 17:31 +0800, Christoph Paasch wrote:
> On Nov 20, 2019, at 5:15 PM, Paolo Abeni <pabeni(a)redhat.com>
>> To be 110% honest, I don't see why HMAC is needed here, assuming
>> ADD_ADDR comes after MP_JOIN/MP_CAPABLE, we already authenticated both
>> peers, and if an attacker can inject malicious TCP packets inside the
>> stream we are at a loss no matter what.
> The problem here is that an attacker that is off-path would be able
> to get himself on-path with an ADD_ADDR-attack (described at
> ) and thus can observe
> all traffic. Sure, he still needs to guess sequence-numbers and
> port-numbers, but with a TCP-window of 2MB it is not all that hard.
Thanks for the pointer, now I think I understood the problem, and I
can't see how to avoid it without HMAC :(
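
As an added illustration of the check this thread settles on (not code from the thread or from the MPTCP implementation): a receiver-side ADD_ADDR HMAC verification. It assumes the RFC 8684 construction, HMAC-SHA256 keyed with the sender's key followed by the receiver's key, over address ID, IP and port, truncated to the rightmost 64 bits. The keys, addresses and function names are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed 64-bit keys, standing in for the ones exchanged in MP_CAPABLE.
KEY_A = bytes.fromhex("0001020304050607")
KEY_B = bytes.fromhex("a0a1a2a3a4a5a6a7")


def add_addr_hmac(sender_key, receiver_key, addr_id, ip, port=0):
    """Truncated HMAC carried in ADD_ADDR (assumed RFC 8684 layout).

    Message = address ID (1 byte) || IP (4 or 16 bytes) || port (2 bytes,
    zero when the option carries no port). Key = sender key || receiver key.
    """
    msg = (bytes([addr_id])
           + ipaddress.ip_address(ip).packed
           + struct.pack("!H", port))
    digest = hmac.new(sender_key + receiver_key, msg, hashlib.sha256).digest()
    return digest[-8:]  # rightmost 64 bits


def accept_add_addr(local_key, remote_key, addr_id, ip, port, received):
    """Receiver check: recompute with the peer as sender, compare in constant time."""
    expected = add_addr_hmac(remote_key, local_key, addr_id, ip, port)
    return hmac.compare_digest(expected, received)


def demo():
    # Host A advertises a second address; host B verifies it.
    tag = add_addr_hmac(KEY_A, KEY_B, 2, "192.0.2.10", 0)
    return {
        "genuine": accept_add_addr(KEY_B, KEY_A, 2, "192.0.2.10", 0, tag),
        # Same tag replayed with a different address: rejected, because the
        # address is part of the authenticated message.
        "swapped_addr": accept_add_addr(KEY_B, KEY_A, 2, "198.51.100.7", 0, tag),
        # Sender that never saw the keys (the off-path case) has to guess the tag.
        "no_keys": accept_add_addr(KEY_B, KEY_A, 2, "198.51.100.7", 0, bytes(8)),
    }


if __name__ == "__main__":
    print(demo())
```

With the HMAC in place, guessing sequence and port numbers inside the window is no longer enough: the injected option also needs a valid 64-bit tag derived from keys the off-path sender never observed.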