On 1 feb 2008, at 16:12, Rahim Choudhary wrote:

> Now if the change is in the mutable fields (DSCP, TTL) then no
> IPSec measure seems to be able to detect that. This could be a
> vulnerability that either causes the packets to drop on the way (TTL
> manipulation) or assigns them to the wrong class (DSCP manipulation).
Who cares? If an attacker can flip your bits she can also flip the most significant bit in the destination address and you'll never receive that packet. The only thing a cryptographic hash over the header would give you there is the ability to drop the packet even sooner.

And how exactly are you going to have a HMAC or some such over header fields? That requires having secret keying material in EVERY ROUTER ALONG THE PATH.

Can we please stop this discussion?

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
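The point both messages circle around is the RFC 4302 rule that AH zeroes the mutable IPv6 header fields (DSCP/ECN, flow label, hop limit) before computing the ICV, so in-flight changes to those fields are invisible to the receiver while a change to the destination address is not. The following is an added illustration, not code from the thread; it covers only the 40-byte IPv6 header (real AH also covers the AH header and payload), and the key and addresses are constructed for the example.

```python
import hmac
import hashlib
import struct

KEY = b"constructed-example-key"  # constructed; a real SA key comes from IKE

def build_ipv6_header(dscp, hop_limit, src, dst, payload_len=0, next_header=51):
    """Build a 40-byte IPv6 header. DSCP occupies the top 6 bits of the traffic class."""
    traffic_class = (dscp & 0x3F) << 2
    first_word = (6 << 28) | (traffic_class << 20)  # version 6, flow label 0
    return struct.pack("!IHBB16s16s", first_word, payload_len, next_header,
                       hop_limit, src, dst)

def zero_mutable_fields(header):
    """RFC 4302 AH processing: DSCP, ECN, flow label and hop limit are mutable
    and are replaced with zero before the ICV is computed."""
    first_word = struct.unpack("!I", header[:4])[0]
    version_only = first_word & 0xF0000000
    # bytes 4-6: payload length + next header (immutable); byte 7: hop limit (zeroed)
    return struct.pack("!I", version_only) + header[4:7] + b"\x00" + header[8:]

def ah_icv(header, key=KEY):
    """Truncated HMAC-SHA256 (96-bit) over the header with mutable fields zeroed."""
    return hmac.new(key, zero_mutable_fields(header), hashlib.sha256).digest()[:12]

def icv_matches(sent_header, received_header, key=KEY):
    """Receiver-side check: recompute the ICV on what arrived and compare."""
    return hmac.compare_digest(ah_icv(sent_header, key), ah_icv(received_header, key))

def demo():
    """Which in-flight header changes does the AH ICV detect?"""
    src = bytes.fromhex("20010db8000000000000000000000001")  # constructed address
    dst = bytes.fromhex("20010db8000000000000000000000002")  # constructed address
    original = build_ipv6_header(dscp=46, hop_limit=64, src=src, dst=dst)
    ttl_changed = build_ipv6_header(dscp=46, hop_limit=7, src=src, dst=dst)
    dscp_changed = build_ipv6_header(dscp=0, hop_limit=64, src=src, dst=dst)
    flipped = bytearray(dst)
    flipped[0] ^= 0x80  # most significant bit of the destination address
    dst_changed = build_ipv6_header(dscp=46, hop_limit=64, src=src, dst=bytes(flipped))
    return {
        "ttl_change_passes": icv_matches(original, ttl_changed),    # True
        "dscp_change_passes": icv_matches(original, dscp_changed),  # True
        "dst_change_passes": icv_matches(original, dst_changed),    # False
    }

if __name__ == "__main__":
    print(demo())
```

The receiver cannot distinguish a hop limit or DSCP rewritten by an attacker from one rewritten by a legitimate router, which is exactly why those fields are excluded; the destination change fails the check, but as the reply notes, that packet would not have arrived anyway.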