Enabling Privacy-Preserving Header Matching for Outsourced Middleboxes

Over the past few years, enterprises start adopting software middlebox services from cloud or NFV service providers. Although this new service model is recognized to be cost-effective and scalable for traffic processing, privacy concerns arise because of traffic redirection to outsourced middleboxes. To ease these concerns, recent efforts are made to design secure middlebox services that can directly function over encrypted traffic and middlebox rules. But prior designs only work for portions of frequently-used network functions. To push forward this area, in this work, we investigate header matching based functions like firewall filtering and packet classification. To enable privacy-preserving processing on encrypted packets, we start from the latest primitive "order-revealing encryption (ORE)" for encrypted range search. In particular, we devise a new practical ORE construction tailored for network functions. The advantages include: 1) guaranteed protection of packet headers and rule specified ranges; 2) reduced accessible information during comparisons; 3) rule-aware size reduction for ORE ciphertexts. We implement a fully functional system prototype and deploy it at Microsoft Azure Cloud. Evaluation results show that our system can achieve per packet matching latency 0.53 to 15.87 millisecond over 1.6K firewall rules.