Communications of the ACM

roots are revoked manually or through
operating system or browser updates,
often requiring a week or more before
a large fraction of the Internet popula-
tion has seen the revocations. There is
also a long tail of devices and installa-
tions that apply revocations very late or
never. In SCION, PCBs carry the version
number of the current TRC, and the up-
dated TRC is required to validate that
PCB. An AS that realizes it needs a new-
er TRC can contact the AS from which it
has received the PCB. Following distri-
bution of PCBs, an entire ISD updates
the TRC within tens of seconds.

SCION Control Message Protocol. The SCMP is similar to ICMP in the current Internet but is authenticated and adapted to SCION. One challenge we have had to address in the design of SCMP is how to enable efficient authentication of SCMP messages, as the naïve approach of adding a digital signature to SCMP messages could create a processing bottleneck at routers when many SCMP messages would be created in response to a link failure. The SCION architecture thus makes use of an efficient symmetric key derivation mechanism called the “ Dynamically Re-creatable Key” (DRKey) 17 in which each AS uses a local secret key known to SCION border routers to derive on-the-fly a per-AS secret key using an efficient “pseudorandom function.” Hardware implementations of modern block ciphers enable faster computation than a memory lookup from DRAM, and such dynamic key derivation can thus result in a speedup even over fetching the key from memory. For verification of SCMP messages, the destination AS can fetch the derived key through an additional request message from the originating AS, which is protected by a relatively slow asymmetric operation. However, local caching ensures this key needs to be fetched only infrequently. As a consequence, SCION provides fully secured control messages with minimal overhead.

Deployment

As of April 2017, we had deployed a
global SCION testbed we use to vet
SCION’s functionality and security,
including deployment nodes in five
continents with four ISDs and 15 ASes,
including ISPs—KDDI, Swisscom, and
SWITCH—and financial and academ-
ic institutions. SCION’s open-source
code and information for how to de-
ploy a SCION node is available at http://
www.scion-architecture.net/
Obtaining SCION’s full benefits re-
quires a direct connection among mul-
tiple ASes. When a direct link is not pos-
fers this property by requiring all ISDs
with a link between them to sign each
other’s TRCs; as long as a network path
exists, a validation path exists along
that network path. Efficient revocation
of trust roots is the second important
property. In the current Internet, trust

The SCION inter-domain network architecture enables new systems that can take advantage of the isolation, scalability, and transparency properties it indeed provides.

Path validation. Through its use of packet-carried forwarding state (PCFS), SCION paves the way for the Origin and Path Trace (OP T) mechanism, 17 enabling senders, receivers, and routers to cryptographically verify the exact path the packets have traversed, with negligible overhead. OP T allows transmission of banking or medical data that is typically bound to strict data-privacy regulations to be constrained to traverse only selected authorized ASes.

Anonymity and privacy. PCFS also provides advantages for privacy. For example, with PCFS and path transparency, the source is able to select paths that appear more trustworthy (such as those that do not traverse certain ASes). In addition, the packet header can be further obfuscated such that ASes on the path cannot learn identifying details about the source or the destination, unless they are immediately connected to one of them. The High-speed Onion Routing at the Network Layer (HORNE T) 10 leverages SCION’s path-selection infrastructure to deliver high-bandwidth, low-latency anonymous communication.

Highly available communication. Critical infrastructure (such as financial networks and industrial control systems used for power distribution) requires a high degree of availability. Internet outages have been known to disrupt day-to-day operations by, for example, preventing ATM withdrawals or payment terminal operations. 27 Numerous such outages are due to the malicious or erroneous announcement of IP address spaces, or “prefix hijacking.” Perhaps the most well-known example is the 2008 hijack of You Tube by Pakistan Telecom for the purpose of censorship, resulting in a global outage of You Tube. 9 In fact, hijacks affecting only a small portion of the Internet happen on a daily basis. SCION’s control-plane isolation through ISDs, its stable data plane, and its multipath operation all contribute to dramatically higher availability. With ISDs, misconfigurations and attacks in one ISD do not affect other ISDs; digitally signed route announcements prevent unauthorized injection of routes; and digitally signed path distribution allows verification of paths by the sender.

DDoS prevention. Bandwidth guarantees are enabled by the Scalable Internet Bandwidth Reservation Architecture (SIBRA), 6 preventing DDoS attacks at the architectural level; independent of the number of distributed bots, end hosts gain protection against Internet-wide link-flooding attacks, a major threat in the current Internet. SIBRA provides ISDs with dynamic bandwidth guarantees to permanently enable communication. Critical infrastructures can additionally keep some network paths to a destination secret, preventing an adversary from even sending traffic to that destination because the cryptographic HFs are necessary to use a path but are unknown to an adversary.

High-speed Web browsing. Through the SIBRA extension, the sender performs a resource reservation with its initial packet, and the receiver will likely obtain a reservation with a high sending rate it can use immediately on the reverse path. With such a reservation, no congestion control is needed; consequently, Web servers can start sending content immediately at a high rate to the client.

Mobility support. With the ongoing proliferation of mobile devices, supporting reliable communication can be a challenge for any architecture, as these devices frequently connect and disconnect from (sometimes multiple) networks. SCION supports high availability through multipath communication and provides a header extension to inform the other party of new down segments as it connects to a new network. Failing paths are discarded, and new paths are discovered dynamically.

Protection from forged TLS certificates. The government of Iran in 2011 infamously used compromised roots of trust to create rogue TLS certificates for Google and Yahoo services to perform man-in-the-middle attacks on its own citizens. Iran is suspected of having mounted the attack on the DigiNotar certificate authority (CA) that signed these certificates. ISDs and the Attack Resilient Public-Key Infrastructure (ARPKI) 7 system used in SCION prevent such attacks, as a CA’s authority is scoped to the ISDs in which the CA is active. Moreover, in the ARPKI, multiple trusted entities must be compromised to perform a successful man-in-the-middle attack, and revocation of trust roots is possible within a minute, enabling quick recovery from the compromise. The Future Looks Bright with SCION