> On May 30, 2022, at 8:00 AM, Christian Huitema <huit...@huitema.net> wrote:
>
> The bar against TCP injection attacks might be lower than you think. An
> attacker that sees the traffic can easily inject TCP packets with sequence
> numbers that fit in the flow control window and are ahead of what the actual
> sender produced.
It might be useful to be more specific about the issue. Data injection attacks on TCP connections interfere with the IPsec stream in a similar way to IP or UDP fragment attacks on IP or UDP tunnels that use fragmentation. In all three cases, attackers can corrupt in-transit packets via IP packet attacks, which is not possible with an unfragmented IPsec message. In all three cases, this happens when an injection can overwrite a portion of an IPsec message. Data isn't injected to the user, though.

Joe
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
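The failure mode the two messages describe, as an added illustration that is not from the list discussion: a toy model of a TCP-encapsulated IPsec stream (RFC 8229-style length-prefixed frames, a truncated HMAC standing in for the ESP ICV, a constructed key and sample messages, and a receiver in which the first copy of a byte to arrive wins, all assumptions of this model) in which an in-window segment that arrives ahead of the sender's copy displaces the genuine bytes. The forged message fails the integrity check and is never handed to the user, but the genuine message is lost with it; the second demo contrasts this with unfragmented per-datagram encapsulation, where the same forgery only adds one rejected datagram.

```python
import hmac, hashlib, struct

KEY = b"constructed-demo-key"  # constructed; stands in for the SA's integrity key
TAG_LEN = 16                   # truncated HMAC tag, standing in for the ESP ICV
MSGS = [b"ESP message A", b"ESP message B", b"ESP message C"]  # constructed sample traffic

def frame(payload: bytes) -> bytes:
    """RFC 8229-style TCP encapsulation: 2-byte length, then the authenticated message."""
    tag = hmac.new(KEY, payload, hashlib.sha256).digest()[:TAG_LEN]
    return struct.pack("!H", len(payload) + TAG_LEN) + payload + tag

def verify(body: bytes) -> str:
    """Check the ICV the way an ESP receiver would; forged bytes fail here."""
    payload, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(KEY, payload, hashlib.sha256).digest()[:TAG_LEN]
    return "ok" if hmac.compare_digest(tag, expected) else "auth_fail"

def tcp_reassemble(segments, window=65535):
    """Toy receiver (assumption: the first copy of a byte wins). Any in-window
    segment is buffered; bytes already buffered count as a retransmission."""
    buf = {}
    for seq, data in segments:
        if not 0 <= seq < window:
            continue  # outside the receive window: dropped, as a real stack would
        for i, b in enumerate(data):
            buf.setdefault(seq + i, b)
    return bytes(buf[i] for i in range(len(buf)))  # the demo stream has no holes

def parse_stream(stream: bytes):
    """Split the reassembled byte stream into messages and verify each one."""
    results, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        results.append(verify(stream[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return results

def stream_injection_demo():
    frames = [frame(m) for m in MSGS]
    seqs = [0, len(frames[0]), len(frames[0]) + len(frames[1])]
    # Forged in-window segment overlapping frame B's body, arriving before genuine B.
    forged = (seqs[1] + 2, b"X" * (len(frames[1]) - 2))
    arrival = [(seqs[0], frames[0]), forged, (seqs[1], frames[1]), (seqs[2], frames[2])]
    return parse_stream(tcp_reassemble(arrival))

def datagram_injection_demo():
    # Same forgery against unfragmented per-datagram encapsulation (ESP-in-UDP style):
    # each datagram is verified on its own, so the genuine B still gets through.
    forged = b"X" * (len(MSGS[1]) + TAG_LEN)
    return [verify(d) for d in (frame(MSGS[0])[2:], forged, frame(MSGS[1])[2:], frame(MSGS[2])[2:])]
```

In the stream case the genuine copy of B is discarded as a duplicate, so the receiver sees one authentication failure and one missing message rather than any injected plaintext; in the datagram case every genuine message still verifies.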