Hi Mike,

> The hop-by-hop option proposal and SEAL suffer from a security hole:
> the L4 information is duplicated, thereby creating a security
> hole. An attacker could put one thing in the option or in the SEAL
> header (to be interpreted by a middlebox) and another thing in the
> actual transport header (to be interpreted by an end system). A new
> version of UDP would not have this problem, as the same header would
> be interpreted by both the middlebox and the end system.

For SEAL, that is a bug in the spec which is easily fixed. What it should say is that the initial segment does not carry the L4 information from the transport layer protocol, so the middlebox interprets only based on the actual transport header. It is only in non-initial segments that the transport layer information needs to appear in the header. I'll fix that.

Thanks - Fred
[email protected]

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
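As an added illustration (not code from the thread or from the SEAL specification), the following Python models the disagreement Mike describes and the fix Fred proposes. The outer header layout, the field names and the port values are all constructed for this example; SEAL's real wire format is not what is shown here.

```python
import struct

# Hypothetical simplified tunnel header (NOT SEAL's real wire format):
# flags (1 byte), segment index (1 byte), L4 src port (2), L4 dst port (2).
OUTER_FMT = "!BBHH"
OUTER_LEN = struct.calcsize(OUTER_FMT)  # 6
UDP_FMT = "!HHHH"                       # real UDP header: src, dst, length, checksum
UDP_LEN = struct.calcsize(UDP_FMT)      # 8
FLAG_HAS_L4 = 0x01                      # outer header carries a copy of the L4 ports


def build_packet(segment, inner_ports, outer_ports=None):
    """Build a constructed sample packet.  For the initial segment (index 0) the
    inner UDP header follows the outer header; passing outer_ports duplicates
    (possibly different) L4 information into the outer header."""
    flags = FLAG_HAS_L4 if outer_ports else 0
    osrc, odst = outer_ports or (0, 0)
    pkt = struct.pack(OUTER_FMT, flags, segment, osrc, odst)
    if segment == 0:
        src, dst = inner_ports
        pkt += struct.pack(UDP_FMT, src, dst, UDP_LEN, 0)
    return pkt


def ports_seen_by_endhost(pkt):
    """The end system decapsulates and trusts only the actual transport header."""
    _, segment, _, _ = struct.unpack(OUTER_FMT, pkt[:OUTER_LEN])
    if segment != 0:
        return None  # non-initial segment: no transport header present
    src, dst, _, _ = struct.unpack(UDP_FMT, pkt[OUTER_LEN:OUTER_LEN + UDP_LEN])
    return (src, dst)


def ports_seen_by_middlebox_naive(pkt):
    """Flawed design from the thread: the middlebox acts on the duplicated copy,
    so it can be shown one thing while the end system acts on another."""
    _, _, osrc, odst = struct.unpack(OUTER_FMT, pkt[:OUTER_LEN])
    return (osrc, odst)


def ports_seen_by_middlebox_fixed(pkt):
    """Fix described in the reply: the initial segment must not carry L4 info, so
    the middlebox reads the actual transport header; only non-initial segments
    (which have no transport header) are interpreted from the outer copy."""
    flags, segment, osrc, odst = struct.unpack(OUTER_FMT, pkt[:OUTER_LEN])
    if segment == 0:
        if flags & FLAG_HAS_L4:
            raise ValueError("initial segment carries duplicated L4 info; drop")
        return ports_seen_by_endhost(pkt)
    return (osrc, odst)
```

With the flawed design, an initial segment whose outer copy says one port pair and whose UDP header says another is classified differently by the middlebox and the end system; with the fix, such a packet is dropped and a compliant initial segment yields the same ports at both.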
