Valancius, V., Feamster, N., Madhyastha, H., Anderson,
T., and Krishnamurthy, A. LIFEGUARD: Practical repair
of persistent route failures. In Proceedings of ACM
SIGCOMM (Helsinki, Finland, Aug. 13–17). ACM Press,
New York, 2012.
17. Kim, T. H., Basescu, C., Jia, L., Lee, S. B., Hu, Y., and
Perrig, A. Lightweight source authentication and
path validation. In Proceedings of ACM SIGCOMM
(Chicago, IL, Aug. 17–22). ACM Press, New York, 2014.
18. Kushman, N., Kandula, S., and Katabi, D. Can you hear
me now? It must be BGP. ACM SIGCOMM Computer
Communication Review 37, 2 (Apr. 2007), 75–84.
19. Lepinski, M. and Turner, S. An Overview of BGPsec.
IETF draft, May 8, 2012; http://tools.ietf.org/html/
20. Matsumoto, S., Reischuk, R.M., Szalachowski, P., Kim,
T.H.-J., and Perrig, A. Authentication challenges in a
global environment. ACM Transactions on Privacy and
Security 20, 1 (Feb. 2017), 1–34.
21. Palo Alto Research Center. The CCNx Project (
Content-Centric Networking); http://blogs.parc.com/ccnx/
22. Perrig, A., Szalachowski, P., Reischuk, R.M., and Chuat,
L. SCION: A Secure Internet Architecture. Springer,
Berlin, Germany, 2017.
23. Raychaudhuri, D., Nagaraja, K., and Venkataramani, A.
MobilityFirst: A robust and trustworthy mobility-centric architecture for the future Internet. ACM
SIGMOBILE Mobile Computing and Communications
Review 16, 3 (July 2012), 2–13.
24. Sahoo, A., Kant, K., and Mohapatra, P. BGP
convergence delay under large-scale failures:
Characterization and solutions. Computer
Communications 32, 7 (May 2009), 1207–1218.
25. Saltzer, J. H., Reed, D.P., and Clark, D. D. End-to-end
arguments in system design. ACM Transactions on
Computer Systems 2, 4 (Nov. 1984), 277–288.
26. Schuchard, M., Vasserman, E. Y., Mohaisen, A., Kune,
D. F., Hopper, N., and Kim, Y. Losing control of the
Internet: Using the data plane to attack the control
plane. In Proceedings of the Network and Distributed
System Security Symposium (San Diego, CA, Feb.
6–9). Internet Society, Reston, VA, 2011.
27. Toonk, A. Massive route leak causes Internet
slowdown. BGPmon, June 12, 2015; http://www.
28. Zhang, X., Hsiao, H.-C., Hasker, G., Chan, H., Perrig, A.,
and Andersen, D.G. SCION: Scalability, control, and
isolation on next-generation networks. In Proceedings
of IEEE Symposium on Security and Privacy (Oakland,
CA, May 22–25). IEEE Press, 2011.
David Barrera ( firstname.lastname@example.org) is a postdoc in
the Network Security Group at ETH Zürich in Switzerland.
Laurent Chuat ( email@example.com) is a Ph.D.
student in the Network Security Group at ETH Zürich in
Adrian Perrig ( firstname.lastname@example.org) is a professor in the
Department of Computer Science and leads the Network
Security Group at ETH Zürich in Switzerland and an ACM
Raphael M. Reischuk ( email@example.com) is a senior
IT-security researcher at ETH Zürich in Switzerland
focusing on network and Web security.
Pawel Szalachowski ( firstname.lastname@example.org) is a senior
researcher in the Network Security Group at ETH Zürich
Copyright held by the authors.
Publication rights licensed to ACM. $15.00
sible, remote ASes can be connected via
IP tunnels, but their communication
depends on the BGP routing protocol.
As the testbed expands, we expect more
participants will connect directly to
benefit from SCION’s full feature set.
To use SCION, ISPs at a minimum
must deploy a border router capable
of “encapsulating” and “
decapsulat-ing” SCION traffic as it leaves or enters
their networks. SCION ASes must also
deploy certificate, beacon, name, and
path servers that can run on commodity
hardware. Deploying SCION in homes or
businesses is designed to require little effort, initially with no changes to existing
software or networking stacks or replacement of end-user network devices. This
ready connection is achieved through a
gateway device that transparently switches communication over to SCION if the
remote endpoint is also SCION-enabled.
Several companies are currently exploring commercialization of these technologies, notably the startup Anapaya Systems, which offers SCION routers.
SCION is an Internet architecture that
provides security, availability, transparency, control, scalability, and more
(see the sidebar “The Future Looks
Bright with SCION”). SCION offers
numerous advantages over the current Internet and supports other future Internet proposals as an underlying building block for highly reliable
Despite its research maturity following six years of effort, SCION is still
in its infancy in terms of deployment.
While requiring relatively small changes by ISPs and domains, broadening
adoption is SCION’s foremost goal. We
expect the benefits for various stakeholders will provide strong incentives
for adoption, leading to islands of SCION
deployment. In the long term, connections and mergers among islands will
enable ever-increasing numbers of native SCION end-to-end connections.
Working on SCION has let us consider
Internet architectures from a clean-
slate perspective. The absence of limit-
ing constraints (imposed by the current
Internet environment) has been par-
ticularly rewarding, as the deep explo-
ration of this problem space enables
us ask not how a future Internet can
achieve what the current Internet has
already achieved, but rather what addi-
tional features can and should a future
Internet offer. We anticipate the in-
sight into the possible applications of
a secure, dynamic, highly available net-
work will help engage the network com-
munity to leverage SCION for its appli-
cations and contribute to the project.
Our 2017 book SCION: A Secure
Internet Architecture describes the
architecture in more detail, including authentication, name resolution,
deployment, operation, extensions,
1. Abadi, M., Birrell, A., Mironov, I., Wobber, T., and Xie,
Y. Global authentication in an untrustworthy world.
In Proceedings of the 14th Workshop on Hot Topics
in Operating Systems (Santa Ana Pueblo, NM, May
13–15). Usenix Association, Berkeley, CA, 2013.
2. American Registry for Internet Numbers. Resource
Public Key Infrastructure (RPKI); https://www.arin.
3. Andersen, D.G., Balakrishnan, H., Feamster, N.,
Koponen, T., Moon, D., and Shenker, S. Accountable
Internet Protocol (AIP). In Proceedings of ACM
SIGCOMM (Seattle, WA, Aug. 17–22). ACM Press, New
4. Andersen, D.G., Balakrishnan, H., Kaashoek, M.F., and
Morris, R. Resilient overlay networks. In Proceedings
of the ACM Symposium on Operating Systems
Principles (Chateau Lake Louise, Banff, Canada, Oct.
21–24). ACM Press, New York, 2001.
5. Arends, R., Austein, R., Larson, M., Massey, D., and
Rose, S. DNS Security Introduction and Requirements.
RFC 4033 (Proposed Standard), 2005; https://www.
6. Basescu, C., Reischuk, R.M., Szalachowski, P., Perrig,
A., Zhang, Y., Hsiao, H.-C., Kubota, A., and Urakawa,
J. SIBRA: Scalable Internet Bandwidth Reservation
Architecture. In Proceedings of Network and
Distributed System Security Symposium (San Diego,
CA, Feb. 21–24). Internet Society, Reston, VA, 2016.
7. Basin, D., Cremers, C., Kim, T. H.-J., Perrig, A., Sasse,
R., and Szalachowski, P. ARPKI: Attack Resilient
Public-Key Infrastructure. In Proceedings of the ACM
Conference on Computer and Communications Security
(Scottsdale, AZ, Nov. 3–7). ACM Press, New York, 2014.
8. BBC News. Asia communications hit by quake. Dec. 27,
9. Brown, M. Pakistan Hijacks You Tube; http://research.
10. Chen, C., Asoni, D., Barrera, D., Danezis, G., and Perrig,
A. HORNET: High-speed onion routing at the network
layer. In Proceedings of the ACM Conference on
Computer and Communications Security (Denver, CO,
Oct. 12–16). ACM Press, New York, 2015.
11. Dübendorfer, T., Wagner, A., and Plattner, B. An
economic damage model for large-scale Internet
attacks. In Proceedings of the 13th IEEE International
Workshops on Enabling Technologies: Infrastructure
for Collaborative Enterprises (University of Modena and
Reggio Emilia, Italy, June 14–16). IEEE Press, 2004.
12. Electronic Frontier Foundation. SSL Observatory,
13. Farinacci, D., Fuller, V., Meyer, D., and Lewis, D. The
Locator/ID Separation Protocol (LISP). RFC 6830,
14. Han, D., Anand, A., Dogar, F., Li, B., Lim, H., Machado,
M., Mukundan, A., Wu, W., Akella, A., Andersen, D.G.,
Byers, J. W., Seshan, S., and Steenkiste, P. XIA: Efficient
support for evolvable internetworking. In Proceedings
of the Ninth USENIX Symposium on Networked
Systems Design and Implementation (San Jose, CA,
Apr. 25–27). USENIX Association, Berkeley, CA, 2012.
15. Jacobson, V., Smetters, D.K., Thornton, J.D., Plass,
M.F., Briggs, N.H., and Braynard, R.L. Networking
named content. In Proceedings of the Fifth
International Conference on Emerging Networking
Experiments and Technologies (Rome, Italy, Dec. 1–4).
ACM Press, New York, 2009.
16. Katz-Bassett, E., Scott, C., Chones, D., Cunha, I.,