Vilhelm Jutvik writes: > ESP doesn't protect the immutable parts of the IPv6 header nor those > of any extension header. Both source as well as IP destination field > can be verified by comparing them to the information found in the > associated SA's traffic selector, but extension headers can be added, > removed and altered at will. It's clear that this security hole can be > used in malicious ways, the only question is how much trouble an > attacker could cause. Is there anyone who could come up with an > example of a nasty attack?
Note, that you can protect the IPv6 extension headers by putting them after the ESP header. Hop-by-Hop options are not issue, as the intermediate hops do not have keys to verify the message authentication code so they cannot really be protected anyways. -- [email protected] _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
