bypassing an SF attack

[boucadair]

Hi Tiru,

I think it would be helpful to have such discussion in the draft.

With regards to the SF bypass, this may be detected without PoT if the SI isn’t decremented. The next SFF will detect such misbehavior and react accordingly.

If SFFs are not involved in the integrity checks, a misbehaving SFF which decrements SI on behalf of an SF will be detected by an SF upstream because the integrity check will fail.

[TR] Good points, we should update the Security Considerations Section.