Heavy Networking 648: Using Zero Knowledge Middleboxes To Enforce Policy On Encrypted Traffic

If you use a middlebox such as a firewall or proxy to enforce security policies on network traffic, you’re well aware of the problem of pervasive encryption. If the middlebox can’t read the data stream, how can policy be enforced? The usual answer has been to give a proxy the keys so it can act as a man in the middle of the encrypted session, at least for the few hosts whose keys you hold. But because most of the traffic you want to inspect isn’t heading to a server you control, the man-in-the-middle approach isn’t viable most of the time. That’s especially true in the world we live in today, where the payload of everything from web to chat to DNS queries is probably encrypted. Our middleboxes can’t see what’s inside to protect us from the bad stuff.

But what if there were a way a middlebox could still accurately enforce policy on encrypted traffic? That’s the research Paul Grubbs has been working on as an Assistant Professor at the University of Michigan. He wrote about “Unpacking Zero Knowledge Middleboxes” on the APNIC blog in July 2022, and we’re chatting with him about zero knowledge middleboxes today.

We discuss:

* Paul and his team’s research in zero knowledge middleboxes
* How encryption can impact security policy enforcement
* Using cryptographic verification between clients and middleboxes for policy enforcement
* Use cases such as DNS
* Practical implications and potential drawbacks
* More

Sponsor: IP Fabric

IP Fabric recently sponsored an EMA research report discussing “The Future of DC Network Automation”, which revealed that more than half of organizations that use manual data-gathering processes feel it undermines their automation efforts. That’s where IP Fabric comes in. IP Fabric puts the right data in the hands of the people who need it. Download the full report now, for free, at ipfabric.io/packetpushers.
Show Links:

* Zero-Knowledge Middleboxes – Paul Grubbs, Arasu Arun, Ye Zhang, Joseph Bonneau, and Michael Walfish
* Unpacking Zero Knowledge Middleboxes – APNIC Blog
* @pag_crypto – Paul Grubbs
* Paul Grubbs’s Academic Website

About the Podcast

Heavy Networking is an unabashedly nerdy dive into all things networking. Described by one listener as "verbal white papers," the weekly episodes feature network engineers, industry experts, and vendors sharing useful information to keep your professional knowledge sharp and your career growing. Hosts Ethan Banks & Drew Conry-Murray cut through the marketing spin to explore what works—and what doesn't—in networking today, while keeping an eye on what's ahead for the industry. On air since 2010, Heavy Networking is the flagship show of the Packet Pushers podcast network.