On Thu, Mar 22, 2018 at 1:13 PM, Mike Perry mikeperry@torproject.org wrote:
I strongly disagree. Dumping more traffic onto an already existing, otherwise in-use connection is not the same as the ability to force a new connection that is only used for a single request at a very specific time. These are completely different data retention resolutions, and if the netflow padding works as intended, dumping traffic onto an existing connection will be rolled up into all other traffic during that hour, or longer. At large scale, routers will likely be recording flows at just the connection level only, if that.
What this means in practice is the ability for an adversary to go to large ISPs and say "Hey, give me connection logs you already have/can easily generate for these IPs during this specific time period" instead of "Hey, install this custom black box monitoring equipment for me and let me get arbitrary reports from it whenever I want". I know ISPs that have received and refused the black box request case because it was too intrusive. I also know ISPs that have given records over in the connection-level case.
Yes it's important to distinguish specific "netflow" style of records analysis, from more general statistical traffic analysis of packets flowing through a network, even if only from a limited to degenerate number (2) of observation / targeting points. Even the simplest of overlay networks could be considered at least a start against the former. While the latter is a hard problem for nearly all of todays networks and why few if any can claim to have resistance to anything resembling GPA / GAA. Listing proposed solutions to the latter, and why adoption of any of them into any overlay (or base layer) network be it existing or new, doesn't seem to really be happening yet... a fine topic for another thread.