so that's a pretty cool and elegant solution. i suppose they don't have the log tampering detection stuff implemented yet, but it seems straightforward to implement and i'm sure it will happen eventually.
cool. netflow for encrypted mesh networking. still vulnerable if both nodes are compromised via a sidechannel and collude on their logs, but that's also getting pretty radical in terms of an attack vector.
what about actually logging the contents? i've seen big commercial systems that look pretty much like distributed wireshark, with capture points, storage systems and pretty guis for inspection... not sure how prevalent and useful they are, but having a step deeper than netflow style logs can be useful, both for debugging and security purposes. i suppose you could do this double entry for that as well, but that seems a pretty high cost if the tunnels are high bandwidth?
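The double-entry comparison discussed in the comments above, sketched as an added example (not code from the thread or from the project being discussed): each endpoint reports its own byte counts per peer and time window, and a reconciler flags entries that are missing or disagree. The record fields, node names and the 5% tolerance are assumptions made for illustration.

```python
# Added example: reconciling double-entry flow logs from both tunnel endpoints.
# The record fields and the 5% tolerance are assumptions, not a real schema.

def rec(node, peer, window, tx, rx):
    """One node's view of one peer in one time window (constructed format)."""
    return {"node": node, "peer": peer, "window": window, "tx": tx, "rx": rx}

def reconcile(records, tolerance=0.05):
    """Pair each entry with the peer's entry for the same window.
    Returns a list of (window, (node, node), reason) findings."""
    by_key = {(r["window"], r["node"], r["peer"]): r for r in records}
    findings, seen = [], set()
    for (window, node, peer), mine in sorted(by_key.items()):
        pair = tuple(sorted((node, peer)))
        if (window, pair) in seen:
            continue  # already checked from the other endpoint's entry
        seen.add((window, pair))
        theirs = by_key.get((window, peer, node))
        if theirs is None:
            findings.append((window, pair, f"no entry from {peer}"))
            continue
        # Bytes one side sent should match bytes the other side received,
        # within a tolerance for packets lost or still in flight.
        for sent, got, sender in ((mine["tx"], theirs["rx"], node),
                                  (theirs["tx"], mine["rx"], peer)):
            if abs(sent - got) > tolerance * max(sent, got, 1):
                findings.append((window, pair, f"{sender} tx={sent}, peer rx={got}"))
    return findings

# Constructed sample data.
HONEST = [rec("a", "b", 1, 1000, 200), rec("b", "a", 1, 200, 1000)]
B_DELETED = [rec("a", "b", 1, 1000, 200)]                          # b removed its entry
B_EDITED = [rec("a", "b", 1, 1000, 200), rec("b", "a", 1, 200, 10)]  # b underreports
COLLUDING = [rec("a", "b", 1, 10, 200), rec("b", "a", 1, 200, 10)]   # both agree on a lie

if __name__ == "__main__":
    for name, logs in [("honest", HONEST), ("b deleted", B_DELETED),
                       ("b edited", B_EDITED), ("colluding", COLLUDING)]:
        print(name, reconcile(logs))
```

The colluding case returns no findings because both entries agree with each other, which is the limitation the second comment points out.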