A novel packet-level approach to network security
ZPR is built around three key components:
ZPL (Zero trust Policy Language) – a readable, structured language for defining access rules based on user, device, and service attributes.
ZDP (ZPR Data Protocol) – a packet format that replaces traditional IP headers with a permission identifier called a visa.
ZPRnet Nodes and Services – a distributed routing layer where each node enforces policy based on visa validation rather than IP information.
A ZPRnet is a distributed routing layer where policy enforcement happens at every node, not just at the perimeter. Each node checks visas locally before forwarding traffic, ensuring that no unauthorized packet slips through anywhere in the system. This creates a uniform fabric of security across datacenters, clouds, and the Internet.
Every user, device, and service has an authenticated identity bound to attributes such as role or clearance. These attributes can come from trusted organizational services like LDAP or Active Directory. Because policies are written against identities instead of locations, ZPR eliminates the fragility of IP-based trust.
Adapters sit at the edges of the ZPRnet and connect legacy IP endpoints. They transform traditional IP packets into ZDP packets, inject visas, and return packets to IP when leaving the network. This allows organizations to adopt ZPR incrementally without changing existing applications.
ZPR Data Protocol
ZDP defines how packets carry proof of authorization in the form of a visa ID. By replacing traditional IP headers with visas and integrity checks, it ensures each packet can be validated against policy at every hop.
ZDP introduces compact transit packets that contain only the information required for routing and enforcement. By stripping out reliance on source and destination IP, ZDP prevents attackers from exploiting address spoofing or topology assumptions.
Every ZDP packet carries a reference to a cryptographic visa that encodes sender, receiver, and policy compliance. Visas act as real-time permission slips, and packets without them are dropped instantly. This turns the act of forwarding into a continuous enforcement checkpoint.
Each packet contains a message integrity check value (MICV) that binds the visa to the payload. This ensures packets cannot be forged or altered in transit. Flows automatically adapt when attributes or policies change, keeping communication compliant without manual intervention.
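The per-hop check described above, as an added illustrative model and not ZDP's actual wire format or any ZPR code: the visa table, the per-visa key, the field layout, the status flag and the drop reasons are all assumptions made for this example, and the MICV is modelled as an HMAC over the visa ID and payload. The point it shows is that a forwarding node needs no source or destination IP to decide: it looks up the visa, verifies that the payload is still bound to it, and drops anything that fails either test, including packets whose visa has since been revoked.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed visa table standing in for the control plane's visa issuance
# (assumption): visa id -> issued endpoints, a per-visa key, and a status.
VISA_TABLE = {
    "visa-1001": {"sender": "alice-laptop", "receiver": "build-server",
                  "key": b"constructed-key-1001", "status": "valid"},
}


@dataclass
class TransitPacket:
    """Compact transit packet: no source/destination IP, only what a hop needs."""
    visa_id: str
    payload: bytes
    micv: bytes


def compute_micv(key: bytes, visa_id: str, payload: bytes) -> bytes:
    """MICV modelled as HMAC-SHA256 over the visa id and payload (assumption)."""
    return hmac.new(key, visa_id.encode() + b"\x00" + payload, hashlib.sha256).digest()


def build_packet(visa_id: str, payload: bytes) -> TransitPacket:
    """Sender side: bind the payload to the visa the sender was issued."""
    key = VISA_TABLE[visa_id]["key"]
    return TransitPacket(visa_id, payload, compute_micv(key, visa_id, payload))


def node_check(packet: TransitPacket) -> str:
    """Decision every hop makes before forwarding: 'forward' or 'drop:<reason>'."""
    visa = VISA_TABLE.get(packet.visa_id)
    if visa is None:
        return "drop:unknown-visa"      # no permission slip at all
    if visa["status"] != "valid":
        return "drop:revoked-visa"      # policy or attributes changed since issuance
    expected = compute_micv(visa["key"], packet.visa_id, packet.payload)
    if not hmac.compare_digest(expected, packet.micv):
        return "drop:bad-micv"          # payload forged or altered in transit
    return "forward"


def revoke_visa(visa_id: str) -> None:
    """Control-plane event: an attribute or policy change invalidates the visa."""
    VISA_TABLE[visa_id]["status"] = "revoked"


if __name__ == "__main__":
    pkt = build_packet("visa-1001", b"GET /artifact")
    print(node_check(pkt))                                    # forward
    tampered = TransitPacket(pkt.visa_id, b"GET /secrets", pkt.micv)
    print(node_check(tampered))                               # drop:bad-micv
    print(node_check(TransitPacket("visa-9999", b"x", b"")))  # drop:unknown-visa
    revoke_visa("visa-1001")
    print(node_check(pkt))                                    # drop:revoked-visa
```

Because the MICV is keyed per visa, an attacker who captures a packet cannot re-bind its visa ID to a different payload, and because every node performs the same check, revocation takes effect at the next hop rather than only at the perimeter.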
Zero trust Policy Language: Readable rules that the network can enforce
ZPL is a human-readable language for defining enforceable network policies. It describes who can communicate, under what conditions, and with which services, all based on authenticated identities and attributes rather than IP addresses.
ZPL replaces brittle firewall and Network Security Group rules with policies that map directly to organizational logic. Instead of chaining together IP addresses and ports, policies read like clear sentences describing who may talk to what. This makes policies easier to understand, maintain, and verify.
ZPL policies combine positive permissions with explicit denials. Permissions define the safe pathways of communication, while denials serve as guardrails that cannot be overridden. This model allows teams to grant access confidently without the risk of unintentionally opening forbidden routes.
Policies are written in terms of the attributes that make up user, device, and service identities. For example, engineers with managed laptops may be allowed to reach build servers, while contractors may be restricted. Because policies are attribute-based, they stay valid as workloads and identities move across environments.
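The allow-plus-guardrail model and the attribute-based example above, as an added illustration that is not ZPL syntax or any ZPR code: the identity directory, the dictionary rule form and the names `decide`, `ALLOW_RULES` and `DENY_RULES` are assumptions made for this example. It evaluates a flow by the attributes of the user, device and service involved, never by address, and applies the two properties the text describes: an explicit denial wins regardless of what permissions are added later, and anything not positively permitted is denied.

```python
# Constructed identity directory (assumption): a stand-in for attributes that
# would come from an organizational source such as LDAP or Active Directory.
IDENTITIES = {
    "alice": {"kind": "user", "role": "engineer"},
    "bob": {"kind": "user", "role": "contractor"},
    "laptop-7": {"kind": "device", "managed": True},
    "laptop-9": {"kind": "device", "managed": False},
    "build-server": {"kind": "service", "name": "build"},
}

# Toy rule form (assumption, not ZPL): each rule lists attribute constraints on
# the user, device and/or service taking part in a flow. A part that is not
# mentioned is unconstrained.
ALLOW_RULES = [
    {"user": {"role": "engineer"}, "device": {"managed": True}, "service": {"name": "build"}},
]
DENY_RULES = [
    {"user": {"role": "contractor"}, "service": {"name": "build"}},
]


def clause_matches(attrs: dict, constraint: dict) -> bool:
    """Every required attribute must be present with the required value."""
    return all(attrs.get(k) == v for k, v in constraint.items())


def rule_matches(rule: dict, flow: dict) -> bool:
    """A rule matches when all of its clauses match the corresponding identity."""
    return all(clause_matches(flow[part], clause) for part, clause in rule.items())


def decide(user: str, device: str, service: str,
           allow=ALLOW_RULES, deny=DENY_RULES) -> str:
    """Policy decision for one flow: 'allow' or 'deny'.

    Denials are evaluated first and cannot be overridden by any permission;
    a flow that matches no permission is denied by default.
    """
    flow = {
        "user": IDENTITIES[user],
        "device": IDENTITIES[device],
        "service": IDENTITIES[service],
    }
    if any(rule_matches(r, flow) for r in deny):
        return "deny"
    if any(rule_matches(r, flow) for r in allow):
        return "allow"
    return "deny"


if __name__ == "__main__":
    print(decide("alice", "laptop-7", "build-server"))  # allow: engineer, managed device
    print(decide("alice", "laptop-9", "build-server"))  # deny: device not managed
    print(decide("bob", "laptop-7", "build-server"))    # deny: contractor guardrail
    # Adding a broad permission for contractors does not open the forbidden route.
    permissive = ALLOW_RULES + [{"user": {"role": "contractor"}}]
    print(decide("bob", "laptop-7", "build-server", allow=permissive))  # deny
```

Note that none of the rules mention an address: if `build-server` moves to another datacenter or cloud, the decision for each flow is unchanged, which is the portability property the text attributes to attribute-based policy.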