Protection from statistical traffic analysis attacks calls for effective design of
Traffic Flow Confidentiality (TFC) mechanisms. These are devised to alter the traffic
pattern in order to hide information about the transmitted content, which, despite encryption,
can be revealed by malicious users through statistical analysis. Widespread diffusion
of these mechanisms requires embedding them in widely deployed protocols. This paper
proposes an IPsec-based framework aimed at enforcing TFC. The framework is characterized by
two key components: i) a module designed to enforce packet padding, fragmentation,
dummy packet generation, and artificial alteration of the packet forwarding delay,
and ii) a TFC header devised to carry information across the IPsec tunnel to allow
packet handling at the receiver side. The proposed approach has been implemented in
a Linux 2.6 kernel, and preliminary experimental results are reported to show its
operation.
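
The sketch below is an added example, not code from the paper or its Linux implementation. It shows why padding, fragmentation and dummy packets need a header that travels through the tunnel: without it the receiver cannot strip padding, reorder fragments or discard dummies. The header layout, field names and the 64-byte wire size are assumptions made for illustration, and delay alteration is not modelled.

```python
import os
import struct

# Hypothetical TFC header (NOT the paper's layout): flags, real data length,
# message id, fragment index. In a tunnel it would sit inside the encrypted payload.
TFC_HDR = struct.Struct("!BHHB")
FLAG_DUMMY, FLAG_LAST = 0x01, 0x02
WIRE_SIZE = 64                       # assumed: every packet leaves at this size
MAX_DATA = WIRE_SIZE - TFC_HDR.size


def tfc_send(msg_id, payload):
    """Fragment payload and pad each fragment so all packets are WIRE_SIZE bytes."""
    chunks = [payload[i:i + MAX_DATA] for i in range(0, len(payload), MAX_DATA)] or [b""]
    packets = []
    for idx, chunk in enumerate(chunks):
        flags = FLAG_LAST if idx == len(chunks) - 1 else 0
        hdr = TFC_HDR.pack(flags, len(chunk), msg_id, idx)
        packets.append(hdr + chunk + os.urandom(MAX_DATA - len(chunk)))
    return packets


def tfc_dummy():
    """Dummy packet: same size as real traffic, flagged so the receiver drops it."""
    return TFC_HDR.pack(FLAG_DUMMY, 0, 0, 0) + os.urandom(MAX_DATA)


def tfc_receive(packets):
    """Drop dummies, strip padding, and reassemble fragments per message id."""
    frags, last = {}, {}
    for pkt in packets:
        if len(pkt) != WIRE_SIZE:
            continue                 # malformed: not a TFC packet
        flags, length, msg_id, idx = TFC_HDR.unpack_from(pkt)
        if flags & FLAG_DUMMY or length > MAX_DATA:
            continue
        frags.setdefault(msg_id, {})[idx] = pkt[TFC_HDR.size:TFC_HDR.size + length]
        if flags & FLAG_LAST:
            last[msg_id] = idx
    out = {}
    for msg_id, end in last.items():
        parts = frags[msg_id]
        if all(i in parts for i in range(end + 1)):   # deliver only complete messages
            out[msg_id] = b"".join(parts[i] for i in range(end + 1))
    return out
```

An observer of the output of `tfc_send` and `tfc_dummy` sees only equal-sized packets, while `tfc_receive` recovers the original messages from the header fields alone.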