ing cannot be retroactively influenced
by control plane operations (such as
Enabling multipath communication. Improving availability by allowing senders to select multiple paths to
their destinations; and
Defending against network attacks.
Including DDoS and traffic interception by rogue networks, since destinations can observe a packet’s traversed
path in the packet header.
Particular care must be taken for the
proper handling of the fragile aspects
of communication, including:
Respecting ISPs’ forwarding policies.
By offering policy-compliant paths
from which senders can choose;
Preventing malicious path creation.
Including paths that contain loops;
Ensuring scalability of path control.
By allowing sources to select paths
from among a relatively small set, as
opposed to full-fledged source routing;
Enabling ISP traffic engineering.
Despite end hosts’ path control, giving
ISPs the ability to balance their load
across the links to their neighbor autonomous systems (ASes).
Transparency and control over trust roots. Roots of trust are used to verify
entities in the current Internet, as in verification of a server’s public key in
a Transport Layer Security (TLS) certificate or of a Domain Name System
(DNS) response in DNSSEC (DNS Security Extensions) [5]. Transparency of trust
roots provides end hosts and users knowledge of the complete set of trust
roots relied upon for entity-certificate validation. Enumerating trust roots is
difficult due to intermediate certification authorities that are trusted
implicitly. Control over trust-root selection enables trust agility, allowing
users to readily select or exclude the roots of trust they wish to rely upon.
Efficiency and scalability. Beyond its lack of availability and transparency,
the current Internet also suffers from efficiency and scalability
deficiencies; for instance, the Border Gateway Protocol (BGP) has scaling
issues in cases of network fluctuations, where routing protocol convergence
can take minutes [24] or even days [8]. Moreover, routing tables have reached the
limit of their scalability due to multi-homing and prefix de-aggregation, that
is, the announcement of more-specific IP address spaces. Increasing memory size
for routing tables is problematic, as the underlying hardware is expensive
and power-hungry, accounting for approximately one-third of a router’s total
power consumption.
Security and high availability usually come at a cost, resulting in less
efficiency and potentially diminished
scalability. High performance and
scalability are, however, required for
economic viability. We thus explicitly
seek high efficiency such that packet-forwarding latency and throughput are
at least as fast as current IP forwarding.
Moreover, we seek improved scalability compared to the current Internet,
most notably with respect to BGP and
to the growing size of routing tables.
One approach for achieving efficiency and scalability is to avoid router
state wherever possible. We thus aim to place state into packet headers and
protect that state cryptographically. Since modern block ciphers (such
as AES) can be computed faster than performing DRAM memory lookups,
packet-carried state can enable greater packet processing speeds and
simpler router architectures compared to today’s IP routers. Avoiding state on
routers also prevents state-exhaustion
could render paths not traversing its
network less desirable (such as by
inducing congestion). An adversary
controlling a large botnet could also
perform distributed denial-of-service
(DDoS) attacks, congesting selected network links. And an adversary
could interfere with the discovery of legitimate paths (such as by
announcing bogus paths).
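
The packet-carried state described above, as an added example (not code from the article or from the SCION project): a router checks the forwarding decision carried in the packet with one MAC computation under its AS key and keeps no per-path table. The field layout, the function names, and HMAC-SHA256 standing in for an AES-based MAC are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Assumed hop-field layout (illustrative, not SCION's wire format):
# ingress interface (u16) | egress interface (u16) | expiry (u32) | 6-byte MAC
HOP_FMT = "!HHI"
MAC_LEN = 6
NO_PREV = b"\x00" * MAC_LEN  # first hop on a path has no predecessor

def hop_mac(as_key, ingress, egress, expiry, prev_mac):
    # HMAC-SHA256 stands in here for an AES-based MAC (assumption). Binding the
    # previous hop's MAC stops a hop field being spliced into another path.
    msg = struct.pack(HOP_FMT, ingress, egress, expiry) + prev_mac
    return hmac.new(as_key, msg, hashlib.sha256).digest()[:MAC_LEN]

def make_hop_field(as_key, ingress, egress, expiry, prev_mac=NO_PREV):
    """Control plane: the AS authorizes ingress -> egress until expiry."""
    fields = struct.pack(HOP_FMT, ingress, egress, expiry)
    return fields + hop_mac(as_key, ingress, egress, expiry, prev_mac)

def forward(as_key, hop_field, arrived_on, now, prev_mac=NO_PREV):
    """Data plane: return egress or None (drop); needs only the AS key."""
    if len(hop_field) != struct.calcsize(HOP_FMT) + MAC_LEN:
        return None  # malformed
    ingress, egress, expiry = struct.unpack(HOP_FMT, hop_field[:-MAC_LEN])
    expected = hop_mac(as_key, ingress, egress, expiry, prev_mac)
    if not hmac.compare_digest(expected, hop_field[-MAC_LEN:]):
        return None  # forged, altered, or spliced from another path
    if now > expiry or arrived_on != ingress:
        return None  # stale authorization or wrong entry interface
    return egress

def demo():
    # Constructed sample values: two ASes, each with its own secret key.
    key_a, key_b = b"A" * 16, b"B" * 16
    hf_a = make_hop_field(key_a, 0, 2, expiry=1000)
    hf_b = make_hop_field(key_b, 5, 7, expiry=1000, prev_mac=hf_a[-MAC_LEN:])
    altered = hf_a[:2] + struct.pack("!H", 9) + hf_a[4:]  # egress 2 -> 9
    return {
        "as_a": forward(key_a, hf_a, arrived_on=0, now=500),
        "as_b": forward(key_b, hf_b, 5, 500, prev_mac=hf_a[-MAC_LEN:]),
        "altered": forward(key_a, altered, 0, 500),
        "expired": forward(key_a, hf_a, 0, 1001),
        "spliced": forward(key_b, hf_b, 5, 500),  # wrong predecessor
    }

if __name__ == "__main__":
    print(demo())
```

Only the two legitimate hops yield an egress interface; the altered, expired and spliced hop fields are all dropped without the router having stored anything about the path.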
Transparency and control. When the
network offers path transparency, end
hosts know (and can verify) the forwarding path taken by network packets. Applications that transmit sensitive data
can benefit from this property, as packets are ensured of being able to traverse
certain Internet service providers (ISPs)
and avoid others.
In addition to path transparency,
we aim for SCION to achieve end-host
“path control,” a stronger property that
allows receivers to select the incoming
paths through which they are reachable and senders to select the end-to-end path. This seemingly benign requirement has multiple repercussions
that are beneficial but also fragile if
The beneficial aspects of path control include:
Separation of network control plane
and data plane. Ensuring that forward-
Figure 1. ASes grouped into four ISDs. Core ASes are connected through core links. Non-core ASes are connected through customer-to-provider or peering links. Some ASes are
contained in multiple ISDs.