that's a *great* summary.

the attack summary leaves me thinking, tho: if you take the pipenet model (w/ end-to-end padding replaced by link padding), and layer on top of that a virtual circuit that is a composite of multiple routes through the pipenet, then are you not resistant to traffic analysis w/o being burdened by the risk of DoS? rather than having a circuit being a single route that can be easily analyzed, you utilize multiple routes, and distribute traffic over those routes both in a fashion meant to guard against passive latency attacks and route tracing, but also capable (given cooperation between the end nodes) of responding to active attacks on any sub-set of the routes?

this seems similar to the mix-net mentioned on page 4, but i haven't read much on those. could somebody point to some material?

hmmmm, also, w/ multiple channels, you have more room to randomly tear-down channels (rather than all at once). if incoming traffic can be queued at the end node (which i'm trying to do, so that even if somebody has lost all channels, they have a small period of time to reconnect to the end node and revive a session), you can reduce the benefit of manipulating latency within some fixed local time period (at least for semi-realtime applications like http). iow, how long is an attacker willing to wait for his manipulations to manifest? it buys time for the network to react.

i guess the basic idea i have is to move away from a static, synchronous network, and to utilize synchronous routes w/ an intelligent asynchronous layer on top.

thanx,
Bill

On Wed, Nov 28, 2001 at 04:49:53PM -0800, Anton Stiglic wrote:
You might be interested in this paper:
http://crypto.cs.mcgill.ca/~stiglic/Papers/traffic.pdf
In case you have not seen it...
--Anton