SCION (Scalability, Control, and Isolation On Next-Generation Networks) is a Future Internet architecture that aims to offer high availability and efficient point-to-point packet delivery with network path selection, even in the presence of actively malicious network operators and devices. It has been developed by researchers at ETH Zurich since 2009, is deployed in production networks, and is currently being explored by the IETF Path Aware Networking Research Group.

Goals

Availability in the presence of distributed adversaries: As long as an attacker-free path between endpoints exists, it should be discovered and utilized with guaranteed bandwidth.

Transparency and Control: Separation of control and data planes by encoding paths as packet-carried forwarding state (PCFS) in the packet header, as well as enabling multipath communication for enhanced availability and defense against network attacks.

Efficiency, Scalability, and Extensibility: Packet forwarding is at least as efficient in latency and throughput as current IP in common cases and more scalable with respect to BGP and the size of routing tables. This is achieved by storing state in packet headers and protecting it cryptographically, using modern block ciphers such as AES that can be computed very efficiently (within 10 ns on a modern CPU).

Support for Global but Heterogeneous Trust: Scale the authentication of entities to a global environment and utilize trust agility, so that each end host or user can know the complete set of trust roots for the validation of a certificate.

Deployability: Deployment should only require installation or upgrade of a few border routers, thus requiring minimal added complexity to the existing infrastructure. In addition, it should not disrupt current Internet topology and business models/relationships (e.g., it should still support peering).

Isolation domains and autonomous systems

SCION introduces the concept of an isolation domain (ISD), which is a logical grouping of autonomous systems (ASes), administered by a smaller subset of the ASes that constitute the ISD core. The ISD is governed by a policy, called the trust root configuration (TRC), which is negotiated by the ISD core and defines the roots of trust that are used to validate bindings between names and public keys or addresses. ASes within an ISD can be connected by core links, customer-provider links, or peering links, representative of the relationship between the ASes.

Within an AS there are several services such as:

Beacon Servers - responsible for beaconing, which is a process to generate, receive, and propagate messages called path-segment construction beacons (PCBs) to construct path segments and explore routing paths.
Path Servers - storage for mappings of AS to path that were discovered during beaconing.
Name Servers - perform name translation similar to DNS by using RAINS to retrieve the (ISD, AS) tuple that can be used to find and construct end-to-end paths.
Certificate Servers - cache for copies of TRCs retrieved from the ISD core, AS certificates, and key management for securing inter-AS communication.
Border Routers - used for SCION packet forwarding to the next SCION border router or to the destination host within the destination AS.

Control plane

The control plane is responsible for discovering networking paths and making those paths available to end hosts. Inter-domain beaconing connects ISDs by enabling core ASes to learn paths to other core ASes, while intra-domain beaconing allows non-core ASes to learn path segments to core ASes. The SCION control plane operates at the AS level, while communication within an AS is governed by existing intra-domain communication technologies and protocols (e.g. OSPF, SDN, MPLS).

To reach a remote destination, a host performs a path lookup at its local path server to obtain up-segments (from the source AS to the core), down-segments (from a core AS to the destination AS), and core segments (between core ASes) in case these up- and down-segments end at different core ASes. Paths can be combined as desired, possibly using peering links where available.

Data plane

A SCION packet minimally contains a path, and the data plane ensures packet forwarding using the provided paths. Forwarding utilizes a split of locator (AS-level path) and identifier (the destination address), like in the Locator/Identifier Separation Protocol (LISP). As a result, SCION border routers forward packets based on the AS-level path in the packet header without inspecting the destination address and also without consulting an inter-domain routing table. The destination address can have any format that the destination AS can interpret, because only the border router at the destination AS needs to inspect the destination address to forward the packet to the appropriate local host. The destination can respond to the source by inverting the end-to-end path from the packet header, or it can perform its own path lookup and path-segment construction.

Security

Similar to BGPsec, each AS signs the PCBs it forwards. This signature enables PCB validation by all entities. To ensure path correctness, the forwarding information within each packet is also cryptographically protected. Each AS uses a secret symmetric key that is shared among its beacon servers and border routers and is used to efficiently compute a message authentication code (MAC) over the forwarding information. The per-AS information includes the ingress and egress interfaces, an expiration time, and the MAC computed over these fields, which is (by default) all encoded within an 8-byte field referred to as a hop field (HF).

Standardization

Internet Drafts submitted to the Internet Engineering Task Force standards process:

SCION Control Plane PKI
SCION Control Plane
SCION Data Plane

Deployment and commercial operations

SCION is running on a number of nodes around the world. It has been utilized for the Secure Swiss Finance Network (SSFN), the SCION Education, Research and Academic Network, the SwissIX, and is being deployed on the Swiss Health Info Net (HIN).

In 2017, Adrian Perrig, together with fellow professors David Basin and Peter Müller at the Department of Computer Science at ETH Zurich, founded the spin-off Anapaya Systems to develop a commercial implementation of SCION.

In 2022, the SCION Association was founded by the Swiss National Bank, SIX, ETH Zurich and Uli Sigg to promote SCION and develop SCION Proto, the open source implementation of SCION. The SCION Association is a non-profit organization whose members include Anapaya Systems, Swisscom, SWITCH, Cyberlink, Sunrise, AXPO, DIDAS, Eraneos, libC Technologies, OVGU Magdeburg, and the Swiss Finance + Technology Association.

Further reading

Perrig, A.; Szalachowski, P.; Reischuk, R. M.; Chuat, L. (2017). SCION: A Secure Internet Architecture. Springer International Publishing AG. ISBN 978-3-319-67080-5.