Securing the Migration
Problem: Increased vulnerability to hijacking
- Ingress filtering doesn’t help
- Attacker only needs token and sequence space
Solution: Keep the token secret
- Negotiate it using Diffie-Hellman exchange
- Use sequence numbers to prevent replay
Resulting connections are as secure as standard TCP (not very)
- Use IPsec or SSH for real security
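
The "Solution" bullets above, as an added sketch that is not code from the original slides or from the protocol's implementation: both ends derive the token from a Diffie-Hellman exchange, and the receiver rejects any migrate request that lacks proof of the token or reuses a sequence number. The toy group, the HMAC-based request layout, and all names here are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption): far too small for real use.
P = 2**127 - 1  # a Mersenne prime
G = 3

def dh_keypair():
    """Return (private, public) for one endpoint."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def derive_token(priv, peer_pub):
    """Both ends compute the same token; it never crosses the wire."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def make_request(token, seq, new_addr):
    """Hypothetical migrate request: sequence number, new address, MAC."""
    msg = f"{seq}|{new_addr}".encode()
    return seq, new_addr, hmac.new(token, msg, hashlib.sha256).digest()

class Endpoint:
    def __init__(self, token):
        self.token = token
        self.last_seq = 0  # highest request sequence number accepted

    def accept(self, request):
        seq, new_addr, tag = request
        msg = f"{seq}|{new_addr}".encode()
        expected = hmac.new(self.token, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # sender does not know the token
        if seq <= self.last_seq:
            return False  # replayed or stale request
        self.last_seq = seq
        return True

def demo():
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    mobile_token = derive_token(a_priv, b_pub)
    server = Endpoint(derive_token(b_priv, a_pub))
    req = make_request(mobile_token, 1, "198.51.100.7:4000")  # constructed
    forged = make_request(secrets.token_bytes(32), 2, "203.0.113.9:4000")
    return server.accept(req), server.accept(req), server.accept(forged)
```

`demo()` returns the outcome of a genuine request, a replay of that same request, and a request built without the negotiated token.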