I will assume that the IV for each packet is unknown to the attacker. Perhaps the IV is the simple block encryption of the serial number of the packet. I assume that the encryptor demands the entire packet before it reveals any of the ciphertext. Let X be the set of values that can be fed to the block cipher. In the cases of interest X is either [0, 264−1] or [0, 2128−1]. Consider an abelian group whose elements are X, such as add or XOR. The group is chosen independently of the key and known to the attacker. Let f be the operator of the group. A good packet is one whose sum (using f) over each plaintext block is 0 (the group identity). The task for the attacker is to choose a good packet which when encrypted with the key=k and IV=i yields the encrypted packet. The attacker may then see that packet and then choose an alternative encrypted packet which when decrypted with k and i produces a good packet different from the original.
The attacker does not know k or i but has a large collection of plaintext-ciphertext pairs for k.
To set notation, the blocks of the plaintext are Pj for 0 ≤ j ≤ n. That the plaintext packet is good is the requirement that csn = O where cs−1 = O and for 0 ≤ j ≤ n; csj = csj−1 • Pj where “•” is the group operator and “O” is the group identity. E(x) is the encryption of text x and D(E(x)) = x. Block j of the encrypted packet is Cj. C0 = E(E(sn) xor P0) and for 0 < j ≤ n; Cj = E(Cj−1 xor Pj). “sn” is the packet serial number and E(sn) serves as the initial vector.
The attacker may attempt to find a substitute encrypted packet for delivery as follows. He chooses some encrypted block in some packet and searches for substitute encrypted blocks for that and the following blocks of the encrypted packet. The modified encrypted packet need not be the same length but it must decrypt to a good packet. The attacker can consult his PCB and consider alternate encrypted blocks for which he knows the block decryption.
Suppose that the attacker chooses ciphertext block Cj. He considers substituting C'j for Cj because he knows D(C'j) from his PCB. He already knows Cj−1. He can thus predict the decryption of the corrupted plaintext block P'j = Cj−1 xor D(C'j). Next he checks to see of the abelian checksum is zero and in the likely case that it not he must either try another value for C'j or try propagating the ruse further into the packet. Each step of this process has a probability of success of 2−J in case of a block cipher of J bits. If he does not succeed he must eventually pass the uncorrupted encrypted packet thru lest the time-out of the communications protocols call attention to his efforts. He can restart his efforts with the arrival of the next encrypted packet. All of the combinatorial work or the attacker must be done while these timeouts are running. These work can be done in parallel.
I define a “good packet” rather than committing where the checksum is. I found that I was spending too much time wondering whether there were advantages of putting it first or last.