Matthew Toseland wrote: > If the internal MAC is invalid on a packet, the endpoint silently drops > the packet.
I think I can get round it. All attacker-controlled nodes share a symmetric key. When an attacker-controlled node is asked to participate in a tunnel and it's not the endpoint, it injects a single packet into the tunnel, replacing a bogus packet if possible, otherwise replacing a non-bogus packet. The injected packet contains its predecessor's identity, and is encrypted and MACed with the attacker's key. When an attacker-controlled node is selected to be the endpoint of a tunnel, it looks for packets MACed with the attacker's key and decrypts them to collect predecessor samples. If a tunnel contains two non-adjacent attackers, one of which is the endpoint, the nodes between the attackers can't distinguish the injected packet from a genuine packet, so they pass it on. Cheers, Michael
