SHA2017-badge/Firmware

bpp: replay issues between ed25519 and FEC layer

pesco opened this issue · 0 comments

pesco commented

The authenticated message layer (ed25519) does not provide a proper secure channel. In particular, replay protection is left to the sequence numbering at the FEC layer. These sequence numbers, however, reset with the special "serial=0" packet which is used to change encoding parameters. This allows an attacker to replay older packets and confuse the update process in various ways.

For example, it implies that an erasure code is used on something that is not an erasure channel (where bits are only detectably dropped). Without further authentication, this allows an attacker to corrupt the firmware image during download by injecting an earlier packet with an appropriate sequence number.

In addition, since the code accepts any packet with a sequence number greater than the last, replaying an old high-numbered packet allows an attacker to cheaply block out the following legitimate packets.

Relatedly, a missed "serial=0" packet will leave a client decoder in a confused state until another "serial=0" is received.
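One way a receiver could close the replay gaps described in this issue, as an added example that is not code from the SHA2017-badge firmware or from the issue author. It assumes a hypothetical `epoch` counter that is signed together with the sequence number and increases with every "serial=0" packet; `MAX_SEQ`, the struct and the function names are likewise assumptions.

```c
#include <stdint.h>
#include <string.h>

#define MAX_SEQ 1024u   /* assumed upper bound on packets per epoch */

enum verdict { ACCEPT, REJECT_OLD_EPOCH, REJECT_DUPLICATE, REJECT_RANGE, NEED_RESYNC };

struct replay_guard {
    uint32_t epoch;              /* newest epoch opened by a serial=0 packet */
    int      synced;             /* 0 until a serial=0 packet was accepted */
    uint8_t  seen[MAX_SEQ / 8];  /* one bit per sequence number in this epoch */
};

/* stored_epoch: last epoch kept in persistent storage (assumption), so that a
 * power cycle does not make packets from older epochs acceptable again. */
void guard_init(struct replay_guard *g, uint32_t stored_epoch)
{
    memset(g, 0, sizeof *g);
    g->epoch = stored_epoch;
}

/* Call only after the signature over (epoch, seq, payload) has verified. */
enum verdict guard_check(struct replay_guard *g, uint32_t epoch, uint32_t seq)
{
    if (seq >= MAX_SEQ)
        return REJECT_RANGE;
    if (epoch < g->epoch)
        return REJECT_OLD_EPOCH;     /* replayed reset or replayed old data */
    if (epoch > g->epoch || !g->synced) {
        if (seq != 0)
            return NEED_RESYNC;      /* parameter packet was missed: wait for it */
        g->epoch = epoch;            /* caller persists the new epoch */
        g->synced = 1;
        memset(g->seen, 0, sizeof g->seen);
    }
    /* Per-packet bitmap instead of "greater than the last": out-of-order
     * packets stay usable for the FEC decoder, but each is accepted once. */
    if (g->seen[seq / 8] & (1u << (seq % 8)))
        return REJECT_DUPLICATE;
    g->seen[seq / 8] |= (uint8_t)(1u << (seq % 8));
    return ACCEPT;
}
```

A `NEED_RESYNC` result gives the client an explicit signal that it missed a parameter change, so it can discard its decoder state instead of decoding with stale parameters.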