roots are revoked manually or through
operating system or browser updates,
often requiring a week or more before
a large fraction of the Internet popula-
tion has seen the revocations. There is
also a long tail of devices and installa-
tions that apply revocations very late or
never. In SCION, PCBs carry the version
number of the current TRC, and the up-
dated TRC is required to validate that
PCB. An AS that realizes it needs a new-
er TRC can contact the AS from which it
has received the PCB. Following distri-
bution of PCBs, an entire ISD updates
the TRC within tens of seconds.
SCION Control Message Protocol.
The SCMP is similar to ICMP in the
current Internet but is authenticated
and adapted to SCION. One challenge
we have had to address in the design
of SCMP is how to enable efficient authentication of SCMP messages, as
the naïve approach of adding a digital
signature to SCMP messages could create a processing bottleneck at routers
when many SCMP messages would be
created in response to a link failure.
The SCION architecture thus makes
use of an efficient symmetric key derivation mechanism called the “
Dynamically Re-creatable Key” (DRKey)
which each AS uses a local secret key
known to SCION border routers to derive on-the-fly a per-AS secret key using
an efficient “pseudorandom function.”
Hardware implementations of modern block ciphers enable faster computation than a memory lookup from
DRAM, and such dynamic key derivation can thus result in a speedup even
over fetching the key from memory.
For verification of SCMP messages, the
destination AS can fetch the derived
key through an additional request message from the originating AS, which is
protected by a relatively slow asymmetric operation. However, local caching
ensures this key needs to be fetched
only infrequently. As a consequence,
SCION provides fully secured control
messages with minimal overhead.
As of April 2017, we had deployed a
global SCION testbed we use to vet
SCION’s functionality and security,
including deployment nodes in five
continents with four ISDs and 15 ASes,
including ISPs—KDDI, Swisscom, and
SWITCH—and financial and academ-
ic institutions. SCION’s open-source
code and information for how to de-
ploy a SCION node is available at http://
Obtaining SCION’s full benefits re-
quires a direct connection among mul-
tiple ASes. When a direct link is not pos-
fers this property by requiring all ISDs
with a link between them to sign each
other’s TRCs; as long as a network path
exists, a validation path exists along
that network path. Efficient revocation
of trust roots is the second important
property. In the current Internet, trust
The SCION inter-domain network architecture enables new systems that can take
advantage of the isolation, scalability, and transparency properties it indeed provides.
Path validation. Through its use of packet-carried forwarding state (PCFS), SCION
paves the way for the Origin and Path Trace (OP T) mechanism,
17 enabling senders,
receivers, and routers to cryptographically verify the exact path the packets have
traversed, with negligible overhead. OP T allows transmission of banking or medical
data that is typically bound to strict data-privacy regulations to be constrained to
traverse only selected authorized ASes.
Anonymity and privacy. PCFS also provides advantages for privacy. For example,
with PCFS and path transparency, the source is able to select paths that appear more
trustworthy (such as those that do not traverse certain ASes). In addition, the packet
header can be further obfuscated such that ASes on the path cannot learn identifying
details about the source or the destination, unless they are immediately connected
to one of them. The High-speed Onion Routing at the Network Layer (HORNE T)
leverages SCION’s path-selection infrastructure to deliver high-bandwidth, low-latency
Highly available communication. Critical infrastructure (such as financial networks
and industrial control systems used for power distribution) requires a high degree of
availability. Internet outages have been known to disrupt day-to-day operations by, for
example, preventing ATM withdrawals or payment terminal operations.
such outages are due to the malicious or erroneous announcement of IP address
spaces, or “prefix hijacking.” Perhaps the most well-known example is the 2008 hijack
of You Tube by Pakistan Telecom for the purpose of censorship, resulting in a global
outage of You Tube.
9 In fact, hijacks affecting only a small portion of the Internet
happen on a daily basis. SCION’s control-plane isolation through ISDs, its stable data
plane, and its multipath operation all contribute to dramatically higher availability.
With ISDs, misconfigurations and attacks in one ISD do not affect other ISDs; digitally
signed route announcements prevent unauthorized injection of routes; and digitally
signed path distribution allows verification of paths by the sender.
DDoS prevention. Bandwidth guarantees are enabled by the Scalable Internet
Bandwidth Reservation Architecture (SIBRA),
6 preventing DDoS attacks at the
architectural level; independent of the number of distributed bots, end hosts gain
protection against Internet-wide link-flooding attacks, a major threat in the current
Internet. SIBRA provides ISDs with dynamic bandwidth guarantees to permanently
enable communication. Critical infrastructures can additionally keep some network
paths to a destination secret, preventing an adversary from even sending traffic to that
destination because the cryptographic HFs are necessary to use a path but are unknown
to an adversary.
High-speed Web browsing. Through the SIBRA extension, the sender performs
a resource reservation with its initial packet, and the receiver will likely obtain a
reservation with a high sending rate it can use immediately on the reverse path. With
such a reservation, no congestion control is needed; consequently, Web servers can
start sending content immediately at a high rate to the client.
Mobility support. With the ongoing proliferation of mobile devices, supporting
reliable communication can be a challenge for any architecture, as these devices
frequently connect and disconnect from (sometimes multiple) networks. SCION
supports high availability through multipath communication and provides a header
extension to inform the other party of new down segments as it connects to a new
network. Failing paths are discarded, and new paths are discovered dynamically.
Protection from forged TLS certificates. The government of Iran in 2011
infamously used compromised roots of trust to create rogue TLS certificates for Google
and Yahoo services to perform man-in-the-middle attacks on its own citizens. Iran is
suspected of having mounted the attack on the DigiNotar certificate authority (CA)
that signed these certificates. ISDs and the Attack Resilient Public-Key Infrastructure
7 system used in SCION prevent such attacks, as a CA’s authority is scoped to the
ISDs in which the CA is active. Moreover, in the ARPKI, multiple trusted entities must
be compromised to perform a successful man-in-the-middle attack, and revocation of
trust roots is possible within a minute, enabling quick recovery from the compromise.
The Future Looks Bright