This repository contains instructions and experimental code to recreate the setup and reproduce the results demonstrated in the paper Mitigating traffic analysis attacks while maintaining on-path network observability. The goal of the prototype is to verify the ideas presented in the paper and to take measurements. No consideration was given to cases not covered in the paper.
The proxy (reverse proxy) is implemented by merging an HTTP/2 server with an HTTP/3 client (HTTP/3 server with an HTTP/2 client). The code is mainly based on the following open source projects:
This version is fine-tuned to work with the oai-cn5g-fed system.
- oai-cn5g-fed git 94ecfac7476114f730e1b555779a20b3e78d77f0
- 5GCN container image tags (oaisoftwarealliance/oai-*): v2.0.1
- UERANSIM container image tag: latest, id: 89d9f3a55d93
- aioquic git a6d91fbcb5d7660adb1597bb711f6f963c598e03
- (Not needed for the 5G setup: DeathStarBench git 6ecb097)
- Make sure the correct version of aioquic is available under the current directory and apply `aioquic.patch`.
- PKI: Generate the necessary files (`ca-cert.pem`, `server-cert.pem` and `server-key.pem`) and place them under the `proxies` directory. Note: in the current experimental version, the client doesn't validate the server certificate, but this can be easily re-enabled.
- Build the sidecar container:

```sh
docker build --no-cache -f Dockerfile.prox-base -t prox-base:latest .
docker build --no-cache -f Dockerfile.prox -t prox:latest .
```

  Note: The application sets `SO_BINDTODEVICE` for the HTTP/2 client, which breaks the traffic hijacking mechanism (from the application into the proxies). This setting could be removed from the application or ignored elsewhere. We opted for ignoring the setting in libcurl. To do this, libcurl needs to be modified, rebuilt and mounted into the application containers (see the yaml file mentioned in the Run section).
- Override application configurations as needed: copy the `config.yaml` files from the oai-cn5g-fed project into the directories `override/amf-conf` and `override/ausf-conf` under the current directory and lower the log level.
- Copy the provided `docker-compose-slicing-basic-nrf-prox-limit.yaml` into `oai-cn5g-fed/docker-compose`.
- Modify the `cpuset` values according to the test system and update the paths of the volumes (override AMF and AUSF settings, override libcurl).
- Bring up the 5GCN system and set the variables (`PAD`, `SPAD`, `TIMEPAD1`, `TIMEPAD2`) according to the desired defense level (packet padding, sequence padding, app-scheduling-1, app-scheduling-2):

```sh
echo -e "PAD=${PAD}\nSPAD=${SPAD}\nTIMEPAD1=${TIMEPAD1}\nTIMEPAD2=${TIMEPAD2}" > compose.env
docker-compose --env-file=compose.env -f docker-compose-slicing-basic-nrf-prox-limit.yaml up -d
```

- Wait until all containers are started.
- To perform a single (successful) registration, run:

```sh
docker-compose -f docker-compose-slicing-ransim.yaml up -d ueransim
```

  To perform a failed registration (with a shorter sequence), use a different (unknown) IMSI.
Metadata field (8 bytes)
- magic: 4 bytes, big endian (for easy debugging/verification without encryption)
- padding size: 2 bytes, little endian
- QUIC packet size before padding: 2 bytes, little endian
Encryption (AES GCM)
- nonce: 16 bytes (no explicit field; the last 16 bytes of the QUIC packet are used in the prototype)
- key: 16 bytes of zeroes
The tag (4 bytes) and ciphertext are sent in host order.
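To make the mixed-endian layout of the metadata field concrete, the following is an added example (not code from this repository or the paper) that encodes and parses the 8-byte field and uses it to pad a QUIC packet to a fixed datagram size and to recover it. The magic value, the datagram layout (metadata field, then the QUIC packet, then zero padding) and the all-zero padding bytes are assumptions; the AES-GCM step is not shown.

```python
import struct

MAGIC = 0x51504144   # constructed placeholder; the prototype's magic value is not given here
HEADER_LEN = 8       # magic (4, big endian) + padding size (2, LE) + QUIC size (2, LE)


def build_metadata(magic: int, padding_size: int, quic_size: int) -> bytes:
    """Encode the 8-byte metadata field exactly as the field spec describes."""
    if not (0 <= padding_size <= 0xFFFF and 0 <= quic_size <= 0xFFFF):
        raise ValueError("sizes must fit in 16 bits")
    return struct.pack(">I", magic) + struct.pack("<HH", padding_size, quic_size)


def parse_metadata(field: bytes, expected_magic: int = MAGIC) -> tuple[int, int]:
    """Decode the field, checking its length and magic before trusting the sizes."""
    if len(field) != HEADER_LEN:
        raise ValueError("metadata field must be exactly 8 bytes")
    (magic,) = struct.unpack(">I", field[:4])
    if magic != expected_magic:
        raise ValueError("bad magic")
    padding_size, quic_size = struct.unpack("<HH", field[4:8])
    return padding_size, quic_size


def pad_packet(quic_packet: bytes, target_size: int, magic: int = MAGIC) -> bytes:
    """Frame a QUIC packet so the whole datagram is target_size bytes.

    Assumed layout: [metadata][QUIC packet][zero padding].
    """
    quic_size = len(quic_packet)
    padding_size = target_size - HEADER_LEN - quic_size
    if padding_size < 0:
        raise ValueError("target size smaller than header plus packet")
    header = build_metadata(magic, padding_size, quic_size)
    return header + quic_packet + bytes(padding_size)


def unpad_packet(datagram: bytes, magic: int = MAGIC) -> bytes:
    """Recover the original QUIC packet; reject datagrams whose sizes do not add up."""
    padding_size, quic_size = parse_metadata(datagram[:HEADER_LEN], magic)
    if HEADER_LEN + quic_size + padding_size != len(datagram):
        raise ValueError("datagram length does not match metadata sizes")
    return datagram[HEADER_LEN:HEADER_LEN + quic_size]
```

A receiver that skips the length check would read padding bytes as packet data, or slice past the datagram end, on a corrupted or truncated field.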