Communications of the ACM

ing cannot be retroactively influenced by control plane operations (such as routing changes);

Enabling multipath communication. Improving availability by allowing senders to select multiple paths to their destinations; and

Defending against network attacks. Including DDoS and traffic interception by rogue networks, since destinations can observe a packet’s traversed path in the packet header.

Particular care must be taken for the proper handling of the fragile aspects of communication, including:

Respecting ISPs’ forwarding policies. By offering policy-compliant paths from which senders can choose;

Preventing malicious path creation.

Including paths that contain loops;

Ensuring scalability of path control. By allowing sources to select paths from among a relatively small set, as opposed to full-edged source routing; and

Enabling ISP traffic engineering. Despite end hosts’ path control, giving ISPs the ability to balance their load across the links to their neighbor autonomous systems (ASes).

Transparency and control over trust
roots. Roots of trust are used to verify
entities in the current Internet, as in
verification of a server’s public key in
a Transport Layer Security (TLS) cer-
tificate or of a Domain Name System
(DNS) response in DNSSEC (DNS Secu-
rity Extensions). 5 Transparency of trust
roots provides end hosts and users
knowledge of the complete set of trust
roots relied upon for entity-certificate
validation. Enumerating trust roots is
difficult due to intermediate certifica-
tion authorities that are trusted implic-
itly. Control over trust-root selection
enables trust agility, allowing users to
readily select or exclude the roots of
trust they wish to rely upon.

Efficiency and scalability. Despite the lack of availability and transparency, the current Internet also suffers from efficiency and scalability deficiencies; for instance, the Border Gateway Protocol (BGP) has scaling issues in cases of network fluctuations, where routing protocol convergence can take minutes24 or even days. 8 Moreover, routing tables have reached the limit of their scalability due to multi-homing and prefix de-aggregation or announcement of more-specific IP address spaces. Increasing memory size for routing tables is problematic, as the underlying hardware is expensive and power-hungry, accounting for approximately one-third of a router’s total power consumption.

Security and high availability usually come at a cost, resulting in less efficiency and potentially diminished scalability. High performance and scalability are, however, required for economic viability. We thus explicitly seek high efficiency such that packet-forwarding latency and throughput are at least as fast as current IP forwarding. Moreover, we seek improved scalability compared to the current Internet, most notably with respect to BGP and to the growing size of routing tables.

One approach for achieving effi-
ciency and scalability is to avoid router
state wherever possible. We thus aim
to place state into packet headers and
protect that state cryptographically.
Since modern block ciphers (such
as AES) can be computed faster than
performing DRAM memory lookups,
packet-carried state can enable greater
packet processing speeds and sim-
pler router architectures compared to
today’s IP routers. Avoiding state on
routers also prevents state-exhaustion
could render paths not traversing its
network less desirable (such as by
inducing congestion). An adversary
controlling a large botnet could also
perform distributed denial-of-service
(DDoS) attacks, congesting select-
ed network links. And an adversary
could interfere with the discovery of
legitimate paths (such as by announc-
ing bogus paths).

Transparency and control. When the network offers path transparency, end hosts know (and can verify) the forwarding path taken by network packets. Applications that transmit sensitive data can benefit from this property, as packets are ensured of being able to traverse certain Internet service providers (ISPs) and avoid others.

In addition to path transparency, we aim for SCION to achieve end-host “path control,” a stronger property that allows receivers to select the incoming paths through which they are reachable and senders to select the end-to-end path. This seemingly benign requirement has multiple repercussions that are beneficial but also fragile if implemented incorrectly.

The beneficial aspects of path control include:

Separation of network control plane and data plane. Ensuring that forward-

Figure 1. ASes grouped into four ISDs. Core ASes are connected through core links. Non-core ASes are connected through customer-to-provider or peering links. Some ASes are contained in multiple ISDs.