Re: Forward and reply messages
Dear All,
I have looked through David's design and I think that, given a few
issues addressed by Roger's comments, it generally works. It resembles
very much the initial design that we had during the MIT meeting (stream
ciphers, variable length headers, some padding at the end, ...) but with
the addition of MACs to protect against tagging. These MACs make the reply
mechanism distinguishable from the forward mechanism.
Some additional comments would be:
1) One has to be careful about the fact that the header length is variable and
that some nodes know it. It would be nice if the total length of the path
could not be deduced (so, for example, we require a minimum size of header
padded with junk).
2) If we require the message to be encrypted end-to-end we have to specify
how, and make sure that it looks like a normal encrypted message.
In general, while I find the proposal in itself OK, I am still not
convinced about dropping the requirement for indistinguishability of
reply and forward messages. If the objective is to avoid the remaining
tagging attacks that the swap-like approach leaves, I think it is a
disproportionate penalty.
Since I have been away for a while, it is possible that I am missing
something so please fill me in.
Yours,
George