Matthew Toseland wrote:
> The other problem with swapping - which may also be a fatal flaw, and may be
> another variant of the same bug - is that an attacker can send bogus swap
> requests, which can be catastrophic.
Currently an attacker can wait until it sees the other node's location and peer-locations, then reply with a location and peer-locations that will persuade the other node to swap, right?

I wonder if we can work out a way for the two swapping nodes to commit to their locations and peer-locations without revealing them until the swap has been agreed? (For example by sending the hash of the list instead of the list?) An attacker could still abort the swap after agreeing, but at least it would have to pick locations by trial and error instead of choosing them after seeing those of the other node. And the limit on the number of swap requests per link would limit the amount of trial and error...

Cheers,
Michael
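The commit-then-reveal exchange Michael sketches above, written out as an added example (this is not Freenet's code and not from the thread). It assumes a SHA-256 hash over a canonical encoding of (location, peer-locations, random nonce) as the commitment, a simplified swap metric (sum of log distances to peers, smaller is better) standing in for the real swap criterion, and a per-link cap of three swap requests; all node locations and the attacker's forged opening are constructed sample values.

```python
"""Commit-then-reveal location swap (constructed example, not Freenet's code)."""
from __future__ import annotations

import hashlib
import json
import math
import os
from dataclasses import dataclass, field


def circular_distance(a: float, b: float) -> float:
    """Distance between two keyspace locations on the unit circle [0, 1)."""
    d = abs(a - b) % 1.0
    return min(d, 1.0 - d)


def commitment(location: float, peer_locations: list[float], nonce: bytes) -> str:
    """Hash of a canonical encoding of (location, peer-locations, nonce).

    The random nonce stops the other side from recovering the values by
    hashing guesses; the hash binds the sender to them before anything is seen.
    """
    payload = json.dumps(
        {"loc": location, "peers": sorted(peer_locations), "nonce": nonce.hex()},
        separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class SwapNode:
    name: str
    location: float
    peer_locations: list[float]
    nonce: bytes = field(default_factory=lambda: os.urandom(16))
    max_requests_per_link: int = 3          # assumed cap, see lead-in
    requests_seen: dict = field(default_factory=dict)

    def commit(self) -> str:
        return commitment(self.location, self.peer_locations, self.nonce)

    def reveal(self) -> dict:
        """The opening: the real values plus the nonce used in the commitment."""
        return {"loc": self.location, "peers": list(self.peer_locations),
                "nonce": self.nonce.hex()}

    def accept_request(self, link: str) -> bool:
        """Per-link cap on swap requests, so trial and error gets a bounded number of tries."""
        n = self.requests_seen.get(link, 0) + 1
        self.requests_seen[link] = n
        return n <= self.max_requests_per_link


def verify_reveal(commit_hex: str, reveal: dict) -> bool:
    """Recompute the hash from the opening; any change to loc/peers/nonce fails."""
    return commitment(reveal["loc"], reveal["peers"], bytes.fromhex(reveal["nonce"])) == commit_hex


def swap_cost(loc: float, peers: list[float]) -> float:
    """Simplified stand-in for the swap metric: sum of log distances to peers."""
    return sum(math.log(max(circular_distance(loc, p), 1e-9)) for p in peers)


def swap_is_beneficial(a: dict, b: dict) -> bool:
    before = swap_cost(a["loc"], a["peers"]) + swap_cost(b["loc"], b["peers"])
    after = swap_cost(b["loc"], a["peers"]) + swap_cost(a["loc"], b["peers"])
    return after < before


def run_swap(a: SwapNode, b: SwapNode, b_reveal_override: dict | None = None) -> str:
    """Two-phase swap seen from node a. b_reveal_override simulates a peer that
    sends a tailored opening after it has already seen a's values."""
    if not a.accept_request(b.name):
        return "aborted:rate-limit"
    ca, cb = a.commit(), b.commit()                       # phase 1: hashes only
    ra = a.reveal()                                       # phase 2: openings
    rb = b_reveal_override if b_reveal_override is not None else b.reveal()
    if not verify_reveal(cb, rb) or not verify_reveal(ca, ra):
        return "aborted:bad-commitment"
    if not swap_is_beneficial(ra, rb):
        return "declined"
    a.location, b.location = b.location, a.location
    return "swapped"


def demo() -> dict:
    results = {}
    # Honest pair whose peers sit on the "wrong" side of the circle: swap helps.
    a = SwapNode("A", 0.80, [0.12, 0.15, 0.08])
    b = SwapNode("B", 0.10, [0.78, 0.85, 0.88])
    results["honest"] = run_swap(a, b)
    # Further requests on the same link: swapping back is worse, then the cap bites.
    results["after_swap"] = [run_swap(a, b) for _ in range(3)]
    # Attacker commits to its real values, then opens with values chosen after
    # seeing the victim's opening (constructed forgery).
    victim = SwapNode("V", 0.80, [0.12, 0.15, 0.08])
    attacker = SwapNode("M", 0.50, [0.40, 0.55, 0.60])
    forged = {"loc": 0.10, "peers": [0.78, 0.85, 0.88], "nonce": attacker.nonce.hex()}
    results["forged_persuades_without_commitment"] = swap_is_beneficial(victim.reveal(), forged)
    results["forged_with_commitment"] = run_swap(victim, attacker, b_reveal_override=forged)
    return results
```

Without the commitment step the forged opening passes the benefit check, which is exactly the "reply with values that persuade the other node" case in the thread; with it, the victim recomputes the hash and aborts, and the per-link counter bounds how many guesses a dishonest peer gets.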
