CDR: Re: PipeNet protocol

[Adam Back]

Tom Vogt writes:
> > This is to defend against active attacks delaying packets to observe
> > the effect on the network and hence trace routes.
> 
> I don't understand the necessity of this. if the amount of traffic is a
> constant anyway, a delay would vanish at the first node.
> 
> e.g. my upstreams provider sends out x bytes every time unit, no matter
> whether or not he gets anything from me. when I stop sending, nothing in
> his traffic pattern changes.

You're presuming hop-by-hop padding, Wei is presuming end-to-end
padding.

His threat model is that some fixed set of switches is compromised:

| The adversary may control a fixed subset of the nodes.

Also you'll note in the scheduling description that there is 
nothing about switches adding or removing padding.  I think 
Wei is implicitly considering that this is done by the 
caller and receiver (who open links and keep the full until 
they close them).  Even closing links is mixed to prevent 
closure leaking too much:

| The process of making and breaking connections must also not leak
| information.  This can be done by using a protocol analogous to
mix-net.
| Link forming/destroying requests are queued and performed in batches
in a
| way similar to queuing and mixing of e-mail in a mix-net.

Adam