HOME

TheInfoList



Click Here for Items Related To - SCION (Internet Architecture)
OR:
SCION (Internet Architecture) on:   [Wikipedia]   [Google]   [Amazon]

SCION (Scalability, Control, and Isolation On Next-Generation Networks) is a modern
Future Internet Future Internet is a general term for research activities on new architectures for the Internet. History While the technical development of the Internet was an extensive research topic from the beginning, an increased public awareness of several ...
architecture that aims to offer high availability and efficient point-to-point packet delivery, even in the presence of actively malicious network operators and devices. As of 2018 it is an ongoing research project lead by researchers at
ETH Zurich (colloquially) , former_name = eidgenössische polytechnische Schule , image = ETHZ.JPG , image_size = , established = , type = Public , budget = CHF 1.896 billion (2021) , rector = Günther Dissertori , president = Joël Mesot , ac ...
and, among other ''Future Internet'' proposals, is being explored in the
Internet Engineering Task Force The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...
research group for path-aware networking.


Goals

* ''Availability in the presence of distributed adversaries:'' As long as an attacker-free path between endpoints exists, it should be discovered and utilized with guaranteed bandwidth. * ''Transparency and Control:'' Separation of control and data planes by encoding paths as ''packet-carried forwarding state (PCFS)'' in the packet header, as well as enabling of multipath communication for enhanced availability and defense against network attacks. * ''Efficiency, Scalability, and Extensibility:'' Packet forwarding is at least efficient in latency and throughput as current IP in common cases and more scalable with respect to
BGP Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet. BGP is classified as a path-vector routing protocol, and it mak ...
and the size of routing tables. Achieved by storing state in packet headers and protecting them cryptographically, using modern block ciphers such as AES that can be computed very efficiently (within 10ns on a modern CPU ). * ''Support for Global but Heterogeneous Trust:'' Scale the authentication of entities to a global environment and utilizing trust agility so each end host or user can know the complete set of trust roots for the validation of a certificate. *''Deployability'': Deployment should only require installation or upgrade of a few border routers, thus requiring minimal added complexity to the existing infrastructure. In addition, it should not disrupt current Internet topology and business models/relationships (e.g., should still support peering).


Isolation domains and autonomous systems

SCION introduces the concept of an ''isolation domain (ISD)'' which is a logical grouping of ''autonomous systems'' ''(ASes)'', administered by a smaller subset of the ASes that constitute the ISD core. The ISD is governed by a policy, called the ''trust root configuration (TRC)'', which is negotiated by the ISD core and defines the roots of trust that are used to validate bindings between names and public keys or addresses. ASes within an ISD can be connected by core links, customer-provider links, or peering links, representative of the relationship between the ASes. Within an AS there are several services such as: * ''Beacon Servers'' - responsible for ''beaconing'' which is a process to generate, receive, and propagate messages called ''path-segment construction beacons (PCBs)'' to construct path segments and explore routing paths. * ''Path Servers'' - storage for mappings of AS to path that were discovered during beaconing. * ''Name Servers'' - perform name translation similar to DNS by using RAINS to retrieve (ISD, AS) tuple that can be used to find and construct end-to-end paths. * ''Certificate Servers'' - cache for copies of TRCs retrieved from the ISD core, AS certificates, and key management for securing inter-AS communication. * ''Border Routers'' - used for SCION packet forwarding to the next SCION border router or to the destination host within the destination AS.


Control plane

The control plane is responsible for discovering networking paths and making those paths available to end hosts. Inter-domain beaconing connects ISDs by enabling core ASes to learn paths to other core ASes while intra-domain beaconing allows non-core ASes to learn path segments to core ASes. The SCION control plane operates at the AS level, while communication within an AS is governed by existing intra-domain communication technologies and protocols (e.g.
OSPF Open Shortest Path First (OSPF) is a routing protocol for Internet Protocol (IP) networks. It uses a link state routing (LSR) algorithm and falls into the group of interior gateway protocols (IGPs), operating within a single autonomous sys ...
, SDN,
MPLS Multiprotocol Label Switching (MPLS) is a routing technique in telecommunications networks that directs data from one node to the next based on labels rather than network addresses. Whereas network addresses identify endpoints the labels identif ...
). To reach a remote destination, a host performs a path lookup at its local path server to obtain up-segments (from source AS to the core), down segments (from core AS to destination AS), and core segments (between core ASes) in the case these up and down segments end at different core ASes. Paths can be combined as desired, possibly using peering links where available.


Data plane

A SCION packet minimally contains a path and the data plane ensures packet forwarding using the provided paths. Forwarding utilizes a split of locator (AS-level path) and identifier (the destination address), like in the Locator/Identifier Separation Protocol (LISP). As a result, SCION border routers forward packets based on the AS-level path in the packet header without inspecting the destination address and also without consulting an inter-domain routing table. The destination address can have any format that the destination AS can interpret because only the border router at the destination AS needs to inspect the destination address to forward it to the appropriate local host. The destination can respond to the source by inverting the end-to-end path from the packet header, or it can perform its own path lookup and path-segment construction.


Security

Similar to BGPsec, each AS signs the PCBs it forwards. This signature enables PCB validation by all entities. To ensure path correctness, the forwarding information within each packet is also cryptographically protected. Each AS uses a secret symmetric key that is shared among beacon servers and border routers and is used to efficiently compute a
message authentication code In cryptography, a message authentication code (MAC), sometimes known as a ''tag'', is a short piece of information used for authenticating a message. In other words, to confirm that the message came from the stated sender (its authenticity) and ...
(MAC) over the forwarding information. The per-AS information includes the ingress and egress interfaces, an expiration time, and the MAC computed over these fields, which is (by default) all encoded within an 8-byte field referred to as a ''hop field (HF)''.


Deployment and commercial operations

SCION is running on a number of nodes around the world. "In 2017, several internet service providers and financial institutions in Switzerland wanted to use SCION for their commercial operations. And so
Adrian Perrig Adrian Perrig (born 1972) is a Swiss computer science researcher and professor at ETH Zurich, leading the Network Security research group. His research focuses on networking and systems security, and specifically on the design of a secure next-gene ...
founded the spin-off Anapaya Systems together with David Basin and Peter Müller, fellow professors at the Department of Computer Science at ETH Zurich." The first ISPs to use SCION are
Swisscom Swisscom AG is a major telecommunications provider in Switzerland. Its headquarters are located in Ittigen near Bern. The Swiss government owns 51.0 percent of Swisscom AG. According to its own published data, Swisscom holds a market share of 56 ...
and
SWITCH In electrical engineering, a switch is an electrical component that can disconnect or connect the conducting path in an electrical circuit, interrupting the electric current or diverting it from one conductor to another. The most common type of ...
. Several corporations have obtained SCION network connections through these ISPs to the corporate SCION network. Among the first customer deployments are SNB, ZKB and
SIX 6 is a number, numeral, and glyph. 6 or six may also refer to: * AD 6, the sixth year of the AD era * 6 BC, the sixth year before the AD era * The month of June Science * Carbon, the element with atomic number 6 * 6 Hebe, an asteroid People ...
from the Swiss financial sector.


References


Further reading

* {{Cite book, title=SCION: A Secure Internet Architecture, last=Perrig, first=A., last2=Szalachowski, first2=P., last3=Reischuk, first3=R. M., last4=Chuat, first4=L., publisher=Springer International Publishing AG, year=2017, isbn=978-3-319-67080-5, location=, pages=


External links


Official website

IETF Path-Aware Networking Research Group
Network layer protocols Routing protocols Internet layer protocols