SCION (Internet architecture)

SCION
Introduced	2009
Website	Official Website

Last updated December 24, 2024

SCION (Scalability, Control, and Isolation On Next-Generation Networks) is a Future Internet architecture that aims to offer high availability and efficient point-to-point packet delivery with network path selection, even in the presence of actively malicious network operators and devices. It has been developed by researchers at ETH Zurich since 2009, is deployed in production networks, and is currently being explored by the IETF Path Aware Networking Research Group.

Goals

Availability in the presence of distributed adversaries: As long as an attacker-free path between endpoints exists, it should be discovered and utilized with guaranteed bandwidth.
Transparency and Control: Separation of control and data planes by encoding paths as packet-carried forwarding state (PCFS) in the packet header, as well as enabling of multipath communication for enhanced availability ^[1] and defense against network attacks.
Efficiency, Scalability, and Extensibility: Packet forwarding is at least as efficient in latency and throughput as current IP in common cases and more scalable with respect to BGP and the size of routing tables. Achieved by storing state in packet headers and protecting them cryptographically, using modern block ciphers such as AES that can be computed very efficiently (within 10ns on a modern CPU ^[2]).
Support for Global but Heterogeneous Trust: Scale the authentication of entities to a global environment ^[3] and utilizing trust agility ^[4] so each end host or user can know the complete set of trust roots for the validation of a certificate.
Deployability: Deployment should only require installation or upgrade of a few border routers, thus requiring minimal added complexity to the existing infrastructure. In addition, it should not disrupt current Internet topology and business models/relationships (e.g., should still support peering).

Isolation domains and autonomous systems

SCION introduces the concept of an isolation domain (ISD) which is a logical grouping of autonomous systems (ASes), administered by a smaller subset of the ASes that constitute the ISD core.^[5] The ISD is governed by a policy, called the trust root configuration (TRC), which is negotiated by the ISD core and defines the roots of trust that are used to validate bindings between names and public keys or addresses. ASes within an ISD can be connected by core links, customer-provider links, or peering links, representative of the relationship between the ASes.

Within an AS there are several services such as:

Beacon Servers - responsible for beaconing which is a process to generate, receive, and propagate messages called path-segment construction beacons (PCBs) to construct path segments and explore routing paths.
Path Servers - storage for mappings of AS to path that were discovered during beaconing.
Name Servers - perform name translation similar to DNS by using RAINS^[5] to retrieve (ISD, AS) tuple that can be used to find and construct end-to-end paths.
Certificate Servers - cache for copies of TRCs retrieved from the ISD core, AS certificates, and key management for securing inter-AS communication.
Border Routers - used for SCION packet forwarding to the next SCION border router or to the destination host within the destination AS.

Control plane

The control plane is responsible for discovering networking paths and making those paths available to end hosts. Inter-domain beaconing connects ISDs by enabling core ASes to learn paths to other core ASes while intra-domain beaconing allows non-core ASes to learn path segments to core ASes. The SCION control plane operates at the AS level, while communication within an AS is governed by existing intra-domain communication technologies and protocols (e.g. OSPF, SDN, MPLS).

To reach a remote destination, a host performs a path lookup at its local path server to obtain up-segments (from source AS to the core), down segments (from core AS to destination AS), and core segments (between core ASes) in the case these up and down segments end at different core ASes. Paths can be combined as desired, possibly using peering links where available.

Data plane

A SCION packet minimally contains a path and the data plane ensures packet forwarding using the provided paths. Forwarding utilizes a split of locator (AS-level path) and identifier (the destination address), like in the Locator/Identifier Separation Protocol (LISP).^[6] As a result, SCION border routers forward packets based on the AS-level path in the packet header without inspecting the destination address and also without consulting an inter-domain routing table. The destination address can have any format that the destination AS can interpret because only the border router at the destination AS needs to inspect the destination address to forward it to the appropriate local host. The destination can respond to the source by inverting the end-to-end path from the packet header, or it can perform its own path lookup and path-segment construction.

Security

Similar to BGPsec, each AS signs the PCBs it forwards. This signature enables PCB validation by all entities. To ensure path correctness, the forwarding information within each packet is also cryptographically protected. Each AS uses a secret symmetric key that is shared among beacon servers and border routers and is used to efficiently compute a message authentication code (MAC) over the forwarding information. The per-AS information includes the ingress and egress interfaces, an expiration time, and the MAC computed over these fields, which is (by default) all encoded within an 8-byte field referred to as a hop field (HF).

Specifications

Internet Drafts submitted to the Internet Engineering Task Force Independent Submission process include:

Deployment and commercial operations

SCION is running on a number of nodes around the world. It has been utilized for the Secure Swiss Finance Network (SSFN), the SCION Education, Research and Academic Network, the SwissIX, and is being deployed on the Swiss Health Info Net (HIN).

In 2017, Adrian Perrig together with fellow professors David Basin and Peter Müller at the Department of Computer Science at ETH Zurich, founded the spin-off Anapaya Systems to develop a commercial implementation of SCION.^[7]

In 2022, the SCION Association was founded by the Swiss National Bank, SIX, ETH Zurich and Uli Sigg to promote SCION and develop SCION Proto, the open source implementation of SCION. The SCION Association is a non-profit organization whose members include Anapaya Systems, Swisscom, SWITCH, Cyberlink, Sunrise, AXPO, DIDAS, Eraneos, libC Technologies, OVGU Magdeburg, and the Swiss Finance + Technology Association.

2023 SCION was rolled out on Sui blockchain testnet to secure the validator network and reduce latency SCION Day 2024: SUI.

Related Research Articles

The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating success or failure when communicating with another IP address. For example, an error is indicated when a requested service is not available or that a host or router could not be reached. ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications.

Multiprotocol Label Switching (MPLS) is a routing technique in telecommunications networks that directs data from one node to the next based on labels rather than network addresses. Whereas network addresses identify endpoints, the labels identify established paths between endpoints. MPLS can encapsulate packets of various network protocols, hence the multiprotocol component of the name. MPLS supports a range of access technologies, including T1/E1, ATM, Frame Relay, and DSL.

<span class="mw-page-title-main">Router (computing)</span> Device that forwards data packets between computer networks

A router is a computer and networking device that forwards data packets between computer networks, including internetworks such as the global Internet.

The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly referred to as TCP/IP. TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network. Major internet applications such as the World Wide Web, email, remote administration, and file transfer rely on TCP, which is part of the transport layer of the TCP/IP suite. SSL/TLS often runs on top of TCP.

In computer networking, the User Datagram Protocol (UDP) is one of the core communication protocols of the Internet protocol suite used to send messages to other hosts on an Internet Protocol (IP) network. Within an IP network, UDP does not require prior communication to set up communication channels or data paths.

In computer networking, a routing table, or routing information base (RIB), is a data table stored in a router or a network host that lists the routes to particular network destinations, and in some cases, metrics (distances) associated with those routes. The routing table contains information about the topology of the network immediately around it.

Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was initially used to bypass the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced but could not route the network's address space. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.

A multilayer switch (MLS) is a computer networking device that switches on OSI layer 2 like an ordinary network switch and provides extra functions on higher OSI layers. The MLS was invented by engineers at Digital Equipment Corporation.

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It uses encryption ('hiding') only for its own control messages, and does not provide any encryption or confidentiality of content by itself. Rather, it provides a tunnel for Layer 2, and the tunnel itself may be passed over a Layer 3 encryption protocol such as IPsec.

<span class="mw-page-title-main">Port forwarding</span> Computer networking feature

In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway, by remapping the destination IP address and port number of the communication to an internal host.

Networking hardware, also known as network equipment or computer networking devices, are electronic devices that are required for communication and interaction between devices on a computer network. Specifically, they mediate data transmission in a computer network. Units which are the last receiver or generate data are called hosts, end systems or data terminal equipment.

In computer networking, source routing, also called path addressing, allows a sender of a data packet to partially or completely specify the route the packet takes through the network. In contrast, in conventional routing, routers in the network determine the path incrementally based on the packet's destination. Another routing alternative, label switching, is used in connection-oriented networks such as X.25, Frame Relay, Asynchronous Transfer Mode and Multiprotocol Label Switching.

A forwarding information base (FIB), also known as a forwarding table or MAC table, is most commonly used in network bridging, routing, and similar functions to find the proper output network interface controller to which the input interface should forward a packet. It is a dynamic table that maps MAC addresses to ports. It is the essential mechanism that separates network switches from Ethernet hubs. Content-addressable memory (CAM) is typically used to efficiently implement the FIB, thus it is sometimes called a CAM table.

<span class="mw-page-title-main">Data plane</span> Router architecture

In routing, the data plane, sometimes called the forwarding plane or user plane, defines the part of the router architecture that decides what to do with packets arriving on an inbound interface. Most commonly, it refers to a table in which the router looks up the destination address of the incoming packet and retrieves the information necessary to determine the path from the receiving element, through the internal forwarding fabric of the router, and to the proper outgoing interface(s).

An IPv6 packet is the smallest message entity exchanged using Internet Protocol version 6 (IPv6). Packets consist of control information for addressing and routing and a payload of user data. The control information in IPv6 packets is subdivided into a mandatory fixed header and optional extension headers. The payload of an IPv6 packet is typically a datagram or segment of the higher-level transport layer protocol, but may be data for an internet layer or link layer instead.

In digital communications networks, packet processing refers to the wide variety of algorithms that are applied to a packet of data or information as it moves through the various network elements of a communications network. With the increased performance of network interfaces, there is a corresponding need for faster packet processing.

Segment routing, a form of computer networking, is a modern variant of source routing that is being developed within the SPRING and IPv6 working groups of the IETF. In a segment routed network, an ingress node may prepend a header to packets that contain a list of segments, which are instructions that are executed on subsequent nodes in the network. These instructions may be forwarding instructions, such as an instruction to forward a packet to a specific destination or interface.

Broadcast, unknown-unicast and multicast traffic is network traffic transmitted using one of three methods of sending data link layer network traffic to a destination of which the sender does not know the network address. This is achieved by sending the network traffic to multiple destinations on an Ethernet network. As a concept related to computer networking, it includes three types of Ethernet modes: broadcast, unicast and multicast Ethernet. BUM traffic refers to that kind of network traffic that will be forwarded to multiple destinations or that cannot be addressed to the intended destination only.

Packet Forwarding Control Protocol (PFCP) is a 3GPP protocol used on the Sx/N4 interface between the control plane and the user plane function, specified in TS 29.244. It is one of the main protocols introduced in the 5G Next Generation Mobile Core Network, but also used in the 4G/LTE EPC to implement the Control and User Plane Separation (CUPS). PFCP and the associated interfaces seek to formalize the interactions between different types of functional elements used in the Mobile Core Networks as deployed by most operators providing 4G, as well as 5G, services to mobile subscribers. These two types of components are:

The Control Plane (CP) functional elements, handling mostly signaling procedures
The User-data Plane (UP) functional elements, handling mostly packet forwarding, based on rules set by the CP elements.

Adrian Perrig is a Swiss computer science researcher and professor at ETH Zurich, leading the Network Security research group. His research focuses on networking and systems security, and specifically on the design of a secure next-generation internet architecture.

References

↑ David G. Andersen, Hari Balakrishnan, M. Frans Kaashoek, and Robert Morris. Resilient overlay networks. In Proceedings of ACM Symposium on Operating Systems Principles (SOSP), October 2001. Pages 9, 24, and 192.
↑ Kahraman Akdemir, Martin Dixon, Wajdi Feghali, Patrick Fay, Vinodh Gopal, Jim Guilford, Erdinc Ozturk, Gil Wolrich, and Ronen Zohar. Breakthrough AES performance with Intel AES New Instructions. White paper, June, 2010. Page 11.
↑ Martin Abadi, Andrew Birrell, Ilya Mironov, Ted Wobber, and Yinglian Xie. Global authentication in an untrustworthy world. In Proceedings of Workshop on Hot Topics in Operating Systems (HotOS), May 2013. Page 10.
↑ Moxie Marlinspike. SSL and the future of authenticity. https://moxie.org/blog/ssl-and-the-future-of-authenticity/, Apr 2011. Page 10.
1 2 Perrig, Adrian; Szalachowski, Pawel; Reischuk, Raphael M.; Chuat, Laurent (2017). SCION: A Secure Internet Architecture (PDF). Springer International Publishing AG. doi:10.1007/978-3-319-67080-5. ISBN 978-3-319-67080-5. S2CID 26748541.
↑ Dino Farinacci, Vince Fuller, David Meyer, and Darrel Lewis. The locator/ID separation protocol (LISP). RFC 6830, January 2013. Page 25.
↑ "A secure internet isn't science fiction". inf.ethz.ch. Retrieved 2021-02-18.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] David G. Andersen, Hari Balakrishnan, M. Frans Kaashoek, and Robert Morris. Resilient overlay networks. In Proceedings of ACM Symposium on Operating Systems Principles (SOSP), October 2001. Pages 9, 24, and 192.

[2] Kahraman Akdemir, Martin Dixon, Wajdi Feghali, Patrick Fay, Vinodh Gopal, Jim Guilford, Erdinc Ozturk, Gil Wolrich, and Ronen Zohar. Breakthrough AES performance with Intel AES New Instructions. White paper, June, 2010. Page 11.

[3] Martin Abadi, Andrew Birrell, Ilya Mironov, Ted Wobber, and Yinglian Xie. Global authentication in an untrustworthy world. In Proceedings of Workshop on Hot Topics in Operating Systems (HotOS), May 2013. Page 10.

[4] Moxie Marlinspike. SSL and the future of authenticity. https://moxie.org/blog/ssl-and-the-future-of-authenticity/, Apr 2011. Page 10.

[:0-5] 1 2 Perrig, Adrian; Szalachowski, Pawel; Reischuk, Raphael M.; Chuat, Laurent (2017). SCION: A Secure Internet Architecture (PDF). Springer International Publishing AG. doi:10.1007/978-3-319-67080-5. ISBN 978-3-319-67080-5. S2CID 26748541.

[6] Dino Farinacci, Vince Fuller, David Meyer, and Darrel Lewis. The locator/ID separation protocol (LISP). RFC 6830, January 2013. Page 25.

[7] "A secure internet isn't science fiction". inf.ethz.ch. Retrieved 2021-02-18.

[1]

[2]

[3]

[4]

[5]

[6]

[7]