SCION (Internet architecture)

SCION
International standard: IETF Draft
Introduced: 2009
Website: Official Website

SCION (Scalability, Control, and Isolation On Next-Generation Networks) is a Future Internet architecture that aims to offer high availability and efficient point-to-point packet delivery with network path selection, even in the presence of actively malicious network operators and devices. It has been developed by researchers at ETH Zurich since 2009, is deployed in production networks, and is currently being explored by the IETF Path Aware Networking Research Group.


Goals

Isolation domains and autonomous systems

SCION introduces the concept of an isolation domain (ISD), a logical grouping of autonomous systems (ASes) that is administered by a smaller subset of those ASes, the ISD core.[5] The ISD is governed by a policy, called the trust root configuration (TRC), which is negotiated by the ISD core and defines the roots of trust used to validate bindings between names and public keys or addresses. ASes within an ISD can be connected by core links, customer-provider links, or peering links, reflecting the business relationship between the ASes.

Within an AS there are several services such as:

Control plane

The control plane is responsible for discovering networking paths and making those paths available to end hosts. Inter-domain beaconing connects ISDs by enabling core ASes to learn paths to other core ASes while intra-domain beaconing allows non-core ASes to learn path segments to core ASes. The SCION control plane operates at the AS level, while communication within an AS is governed by existing intra-domain communication technologies and protocols (e.g. OSPF, SDN, MPLS).

To reach a remote destination, a host performs a path lookup at its local path server to obtain up-segments (from the source AS to the core), down-segments (from a core AS to the destination AS), and core-segments (between core ASes) when the up- and down-segments end at different core ASes. Segments can be combined as desired, possibly using peering links where available.
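The segment combination described above, as an added example that is not part of the original article: a source combines its up-segment with a down-segment directly when both end at the same core AS, inserts a core-segment when they do not, and can shortcut via a peering link between a non-core AS on the up-segment and one on the down-segment. AS names and the peering-link set are constructed here for illustration.

```python
from typing import List, Optional, Set, Tuple

Segment = List[str]  # AS identifiers in travel order (source -> core, or core -> destination)


def combine_paths(up: Segment, down: Segment, core: Optional[Segment],
                  peering_links: Set[Tuple[str, str]]) -> List[Segment]:
    """Return every end-to-end AS-level path obtainable from the segments,
    shortest first. Raises ValueError if the core segment does not join them."""
    candidates: List[Segment] = []

    if up[-1] == down[0]:
        # Both segments meet at the same core AS: no core segment needed.
        candidates.append(up + down[1:])
    elif core is not None:
        if core[0] != up[-1] or core[-1] != down[0]:
            raise ValueError("core segment does not connect the up- and down-segments")
        candidates.append(up + core[1:] + down[1:])

    # Peering shortcut: leave the up-segment at a non-core AS that peers with a
    # non-core AS on the down-segment, skipping the core entirely.
    for u in up[:-1]:
        for d in down[1:]:
            if (u, d) in peering_links or (d, u) in peering_links:
                candidates.append(up[: up.index(u) + 1] + down[down.index(d):])

    return sorted(candidates, key=len)


def demo() -> List[Segment]:
    # Constructed topology: S -> A -> C1 (up), C1 -> C2 (core), C2 -> B -> D (down),
    # with a peering link between the non-core ASes A and B.
    up = ["S", "A", "C1"]
    core = ["C1", "C2"]
    down = ["C2", "B", "D"]
    return combine_paths(up, down, core, {("A", "B")})


if __name__ == "__main__":
    for path in demo():
        print(" -> ".join(path))
```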

Data plane

A SCION packet minimally contains a path, and the data plane forwards the packet along that path. Forwarding uses a split between locator (the AS-level path) and identifier (the destination address), as in the Locator/Identifier Separation Protocol (LISP).[6] As a result, SCION border routers forward packets based on the AS-level path in the packet header without inspecting the destination address and without consulting an inter-domain routing table. The destination address can have any format that the destination AS can interpret, because only the border router at the destination AS needs to inspect it to forward the packet to the appropriate local host. The destination can respond to the source by inverting the end-to-end path from the packet header, or it can perform its own path lookup and path-segment construction.

Security

Similar to BGPsec, each AS signs the path-segment construction beacons (PCBs) it forwards, so any entity can validate a PCB. To ensure path correctness, the forwarding information within each packet is also cryptographically protected. Each AS uses a secret symmetric key that is shared among its beacon servers and border routers and is used to efficiently compute a message authentication code (MAC) over the forwarding information. The per-AS information includes the ingress and egress interfaces, an expiration time, and the MAC computed over these fields, all of which is (by default) encoded within an 8-byte field referred to as a hop field (HF).
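The hop-field check that a border router performs, as an added example serving both the data plane and security paragraphs above; it is not code from the SCION project. The 8-byte layout (1-byte ingress, 1-byte egress, 2-byte expiry in seconds relative to the path's timestamp, 4-byte truncated MAC) and the use of HMAC-SHA256 in place of the CMAC SCION uses are simplifying assumptions; the per-AS keys are constructed.

```python
import hashlib
import hmac
import struct
from typing import Tuple, Union

# Simplified hop-field layout (assumption, not SCION's wire format):
# ingress interface (1 B), egress interface (1 B), expiry (2 B), MAC (4 B) = 8 bytes.
HF_LAYOUT = ">BBH4s"
MAC_LEN = 4

# Constructed per-AS secret keys; each is shared only within its own AS.
AS_A_KEY = b"constructed-key-for-AS-A-only!!!"
AS_B_KEY = b"constructed-key-for-AS-B-only!!!"


def hop_mac(as_key: bytes, ingress: int, egress: int, expiry: int) -> bytes:
    """MAC over the forwarding fields, keyed with the AS's secret symmetric key."""
    fields = struct.pack(">BBH", ingress, egress, expiry)
    return hmac.new(as_key, fields, hashlib.sha256).digest()[:MAC_LEN]


def make_hop_field(as_key: bytes, ingress: int, egress: int, expiry: int) -> bytes:
    """Beacon-server side: encode interfaces, expiry and MAC into one hop field."""
    return struct.pack(HF_LAYOUT, ingress, egress, expiry,
                       hop_mac(as_key, ingress, egress, expiry))


def verify_hop_field(as_key: bytes, hf: bytes, elapsed: int) -> Tuple[bool, Union[int, str]]:
    """Border-router side: recompute the MAC and check expiry before forwarding.
    Returns (True, egress_interface) on success, else (False, reason).
    The destination address is never consulted; only the hop field decides."""
    ingress, egress, expiry, mac = struct.unpack(HF_LAYOUT, hf)
    if not hmac.compare_digest(mac, hop_mac(as_key, ingress, egress, expiry)):
        return False, "bad MAC"       # tampered fields or a key from another AS
    if elapsed >= expiry:
        return False, "expired"       # stale path, refuse to forward
    return True, egress


if __name__ == "__main__":
    hf = make_hop_field(AS_A_KEY, ingress=1, egress=2, expiry=300)
    print(verify_hop_field(AS_A_KEY, hf, elapsed=10))
    tampered = hf[:1] + bytes([7]) + hf[2:]   # attacker rewrites the egress interface
    print(verify_hop_field(AS_A_KEY, tampered, elapsed=10))
    print(verify_hop_field(AS_A_KEY, hf, elapsed=300))
    print(verify_hop_field(AS_B_KEY, hf, elapsed=10))
```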

Standardization

Internet Drafts submitted to the Internet Engineering Task Force standards process:

Deployment and commercial operations

SCION is running on a number of nodes around the world. It has been utilized for the Secure Swiss Finance Network (SSFN), the SCION Education, Research and Academic Network, the SwissIX, and is being deployed on the Swiss Health Info Net (HIN).

In 2017, Adrian Perrig, together with fellow professors David Basin and Peter Müller at the Department of Computer Science at ETH Zurich, founded the spin-off Anapaya Systems to develop a commercial implementation of SCION.[7]

In 2022, the SCION Association was founded by the Swiss National Bank, SIX, ETH Zurich and Uli Sigg to promote SCION and develop SCION Proto, the open source implementation of SCION. The SCION Association is a non-profit organization whose members include Anapaya Systems, Swisscom, SWITCH, Cyberlink, Sunrise, AXPO, DIDAS, Eraneos, libC Technologies, OVGU Magdeburg, and the Swiss Finance + Technology Association.


References

  1. David G. Andersen, Hari Balakrishnan, M. Frans Kaashoek, and Robert Morris. Resilient overlay networks. In Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), October 2001.
  2. Kahraman Akdemir, Martin Dixon, Wajdi Feghali, Patrick Fay, Vinodh Gopal, Jim Guilford, Erdinc Ozturk, Gil Wolrich, and Ronen Zohar. Breakthrough AES performance with Intel AES New Instructions. White paper, June 2010.
  3. Martin Abadi, Andrew Birrell, Ilya Mironov, Ted Wobber, and Yinglian Xie. Global authentication in an untrustworthy world. In Proceedings of the Workshop on Hot Topics in Operating Systems (HotOS), May 2013.
  4. Moxie Marlinspike. SSL and the future of authenticity. https://moxie.org/blog/ssl-and-the-future-of-authenticity/, April 2011.
  5. Perrig, Adrian; Szalachowski, Pawel; Reischuk, Raphael M.; Chuat, Laurent (2017). SCION: A Secure Internet Architecture. Springer International Publishing AG. doi:10.1007/978-3-319-67080-5. ISBN 978-3-319-67080-5. S2CID 26748541.
  6. Dino Farinacci, Vince Fuller, David Meyer, and Darrel Lewis. The Locator/ID Separation Protocol (LISP). RFC 6830, January 2013.
  7. "A secure internet isn't science fiction". inf.ethz.ch. Retrieved 2021-02-18.
