This paper presents a method for communicating between machines without
doing so in a manner susceptible to traffic analysis. The assumption is
that an attacker may have access to the communication lines between
nodes, but not the data passing over the lines (we assume it to be
encrypted or otherwise secured).

If a traffic pattern can be determined that always satisfies the demands
of the nodes and remains constant at all times (padding is used to take
up slack when necessary), then it makes it much more difficult for an
attacker to determine relationships among the nodes.

Discussion points and remaining questions:

Several of the algorithms presented in this paper are based on
heuristics. What is the value of heuristics vs other methods that are
more 'hard'?

The strategy presented depends on the ability to constantly be sending
some amount of bogus data. What (if any) are the adverse effects of this
increased workload for the equipment? shorter work life, etc.

The protocol depends on some matrix calculations to determine the
correct traffic distribution. How is this information distributed
initially? The assumption is that the traffic requirements are known a
priori, but this may not always be a valid assumption. If not, this data
must somehow be exchanged before a steady state can be achieved - and in
doing so the participants must not reveal any potentially useful
information (chain of command, etc.).

The networks given as examples are military applications. Especially in
this case (but certainly in others as well) the possibility of the
destruction/loss of a node must be considered. There is no apparent
provision for this scenario, and it would appear that the whole
computation phase that was necessary at the beginning would once again
be necessary. This once again presents the problem of globally
determining the correct traffic distribution without sharing any useful
information with someone tapping the lines.

--------

summarized by Matt Schechtman <schechtm@uiuc.edu>