Consider padding to preserve traffic flow confidentiality

[sebdeckers]

Defense against network traffic analysis attacks.

HTTP/2

• paddingStrategy in client & server https://nodejs.org/api/http2.html#http2_http2_createserver_options_onrequesthandler & https://nodejs.org/api/http2.html#http2_http2_connect_authority_options_listener

EDNS0

Padding for the DNS query.

• https://tools.ietf.org/html/rfc7830
• https://edns0-padding.org
• https://datatracker.ietf.org/meeting/105/materials/slides-105-pearg-encrypted-dns-privacy-a-traffic-analysis-perspective-01
• https://www.esat.kuleuven.be/cosic/does-doh-imply-privacy/
• https://datatracker.ietf.org/doc/rfc8467/

[sebdeckers]

COSIC CRYPTOGRAPHY BLOG, COUNTERMEASURES: PADDING

We also simulate constant padding, i.e., all TLS record packets are padded to have the size of the maximum TLS record observed in the dataset. This padding strategy, as shown on the table of Figure 7, defeats the classifier by reducing its success rate to less than 7%.

[sebdeckers]

https://github.com/nodejs/node/blob/5207dec0175de92116262e8382d6ac57def3a203/src/node_http2.cc#L802-L852

Padding strategy ideas:

• Padding based on random amount per packet
• Padding aligned to N-bytes. (Currently fixed at 8. Could use expensive JS callback to emulate.)
• Apply padding only to HEADERS or DATA frames.