SCION (Internet architecture)


SCION is a proposed Future Internet architecture that aims to offer high availability and efficient point-to-point packet delivery, even in the presence of actively malicious network operators and devices. As of 2018 it is an ongoing research project lead by researchers at ETH Zurich and, among other Future Internet proposals, is being explored in the Internet Engineering Task Force research group for path-aware networking.

Goals

SCION introduces the concept of an isolation domain which is a logical grouping of autonomous systems , administered by a smaller subset of the ASes that constitute the ISD core. The ISD is governed by a policy, called the trust root configuration , which is negotiated by the ISD core and defines the roots of trust that are used to validate bindings between names and public keys or addresses. ASes within an ISD can be connected by core links, customer-provider links, or peering links, representative of the relationship between the ASes.
Within an AS there are several services such as:
The control plane is responsible for discovering networking paths and making those paths available to end hosts. Inter-domain beaconing connects ISDs by enabling core ASes to learn paths to other core ASes while intra-domain beaconing allows non-core ASes to learn path segments to core ASes. The SCION control plane operates at the AS level, while communication within an AS is governed by existing intra-domain communication technologies and protocols.
To reach a remote destination, a host performs a path lookup at its local path server to obtain up-segments, down segments, and core segments in the case these up and down segments end at different core ASes. Paths can be combined as desired, possibly using peering links where available.

Data plane

A SCION packet minimally contains a path and the data plane ensures packet forwarding using the provided paths. Forwarding utilizes a split of locator and identifier, like in the Locator/Identifier Separation Protocol . As a result, SCION border routers forward packets based on the AS-level path in the packet header without inspecting the destination address and also without consulting an inter-domain routing table. The destination address can have any format that the destination AS can interpret because only the border router at the destination AS needs to inspect the destination address to forward it to the appropriate local host. The destination can respond to the source by inverting the end-to-end path from the packet header, or it can perform its own path lookup and path-segment construction.

Security

Similar to BGPsec, each AS signs the PCBs it forwards. This signature enables PCB validation by all entities. To ensure path correctness, the forwarding information within each packet is also cryptographically protected. Each AS uses a secret symmetric key that is shared among beacon servers and border routers and is used to efficiently compute a message authentication code over the forwarding information. The per-AS information includes the ingress and egress interfaces, an expiration time, and the MAC computed over these fields, which is all encoded within an 8-byte field referred to as a hop field .

Deployment and commercial operations

SCION is running on a number of nodes around the world. "In 2017, several internet service providers and financial institutions in Switzerland wanted to use SCION for their commercial operations. And so Adrian Perrig founded the spin-off Anapaya Systems together with David Basin and Peter Müller, fellow professors at the Department of Computer Science at ETH Zurich."
The first ISPs to use SCION are Swisscom and SWITCH. Several corporations have obtained SCION network connections through these ISPs to the corporate SCION network. Among the first customer deployments are SNB, ZKB and SIX from the Swiss financial sector.