@@ -225,8 +225,8 @@ The goal is to defend against a passive network Man-in-the-Middle, such as an IS
225225or a Tor exit node, observing the encrypted TLS stream, and making educated guesses
226226of the message contents based on TCP packet flow: timing, direction, and sizes of TCP packets.
227227
228- .. note :: Raw cleartext TCP as transport for the JSON-RPC payloads is clearly out-of-scope here.
229- Without encryption, a passive network observer could just see all the plaintext messages anyway .
228+ .. note :: When using raw cleartext TCP as transport for the JSON-RPC payloads, without encryption,
229+ a passive network observer can see all the plaintext messages.
230230
231231As a generic mitigation, implementations (both client and server) SHOULD
232232
@@ -273,6 +273,10 @@ and only add the padding into e.g. the last JSON-RPC message when emptying the b
273273 to round up the total length to 1 KB, or to the next power of 2.
274274 The buffer is flushed if it reaches 1 KB, plus there is extra logic that periodically polls
275275 if the oldest message in the buffer is older than 1 second, in which case it is also flushed.
276+ The worst-case 1 second delay is a performance hit that might in cases be felt by the user.
277+ This is a tradeoff to make the flow of packets harder to analyse for an observer.
278+
279+ Implementations COULD make the buffer size and the max time delay configurable.
276280
277281.. note :: Many protocol requests are <100 bytes. Contrast that with broadcasting a transaction,
278282 which could potentially be several megabytes of data.
@@ -281,23 +285,36 @@ and only add the padding into e.g. the last JSON-RPC message when emptying the b
281285 Instead it is recommended to pad to bucketed lengths, e.g. to powers of 2.
282286
283287The specific details of the size of the buffer, how often it is flushed, and how the padding
284- is done is not specified by the protocol at the moment.
288+ is done is not specified by the protocol at the moment. Consequently, neither the client nor
289+ the server can enforce the other to pad and much less to delay messages.
285290
286291.. note :: Some server implementations do not deal with TLS at all,
287292 they only implement the raw cleartext TCP protocol, and just recommend operators
288293 to put a reverse proxy in front that does TLS termination.
289- Such protocol implementations (both client and server) are nevertheless still
294+ Such protocol implementations (both client and server) nevertheless still
290295 SHOULD implement all mentioned traffic analysis protections.
291296 That way, if the operator tunnels the traffic over TLS externally,
292297 the resulting stream meaningfully receives the protections.
293298
299+ .. note :: An alternative approach to the buffer-based delaying and padding
300+ could be to more aggressively use JSON-RPC batching to batch messages, and to use the
301+ optional Record Padding of
302+ `TLS 1.3 <https://www.rfc-editor.org/rfc/rfc8446#section-5.4 >`_.
303+ See `SSL_CONF_cmd RecordPadding ` in openssl. However this only allows
304+ padding to multiples of a constant, while above the recommendation was to pad to powers of 2.
305+ The implementation might still want to delay messages a bit
306+ to accumulate them into a larger JSON-RPC batch. Also note if users
307+ (e.g. server operators) are expected to do their own TLS termination
308+ (e.g. using a reverse proxy), configuring TLS RecordPadding would become an externality
309+ for them to do, which they might forget.
310+
294311.. note :: Buffering the messages to introduce timing delays
295312 and padding to ~bucketed sizes is a good baseline.
296313 However even approximate timing and direction of TCP packets
297314 can leak too much information in some scenarios.
298315
299316 To combat timing analysis, both the client and the server
300- COULD send noise with a random timer, but more importantly at strategically selected events.
317+ COULD send dummy RPCs with a random timer, but more importantly at strategically selected events.
301318 For example, when the client receives a new block header notification,
302319 it COULD probabilistically send a random number of "server.ping" messages
303320 with small random sleeps in-between.
0 commit comments