SCION: Scalability, Control, and Isolation On Next-Generation Networks
SCION is the first clean-slate Internet architecture designed to provide route control, failure isolation, and explicit trust information for end-to-end communications. SCION organizes existing ASes into groups of independent routing sub-planes, called isolation domains, which then interconnect to form complete routes. Isolation domains provide natural isolation of routing failures and human misconfiguration, give endpoints strong control for both inbound and outbound traffic, provide meaningful and enforceable trust, and enable scalable routing updates with high path freshness. As a result, the SCION architecture provides strong resilience and security properties as an intrinsic consequence of good design principles, avoiding piecemeal add-on protocols as security patches. Meanwhile, SCION only assumes that a few top-tier ISPs in the isolation domain are trusted for providing reliable end-to-end communications, thus achieving a small Trusted Computing Base. Both our security analysis and evaluation results show that SCION naturally prevents numerous attacks and provides a high level of resilience, scalability, control, and isolation.
The Internet was not designed with security in mind. Fixes to date are mostly ad hoc patches that either introduce unexpected consequences (e.g., S-BGP prevents route hijacking but causes delayed route convergence) or require a single root of trust. The latter is unlikely to exist in today's geographically, administratively, and socially diverse Internet. Moreover, a clean-slate design can serve as a reference that tells us how good a network could be, even if we choose to evolve the current Internet instead.
There are plenty of ways to dive into SCION. Check the frequently asked questions (FAQ) or the publications, see our news and press coverage, watch an introduction to the SCION architecture on YouTube, or have a look at the source code on GitHub (please contact us if you want permission to access it). Finally, you can join the SCION community.
Here is a list of recent scientific publications that present some of the SCION highlights. In addition to considering the list, you may also check the publications of the Network Security Group at ETH Zurich, or consult selected publications in the following research areas: Public-Key Infrastructures, Denial-of-Service (DoS) Defenses, and High-Speed Anonymous Communication.
SCION is running on a number of hosts around the world.
Are you interested in setting up your SCION node? That's great! Send us an email.
Similar to the different tools of a Swiss Army Knife, different extensions of SCION provide additional security properties.
Multipath Communication: SCION follows a true multipath communication model that offers better availability and higher throughput than today's single-path communication. By default, SCION packets are forwarded on multiple paths that are automatically chosen based on the current state of the network.
HORNET: HORNET enables high-speed end-to-end anonymous communication through a low-latency onion routing system at the network layer. HORNET supports a wide range of applications, in particular since HORNET routers implemented on off-the-shelf hardware process anonymous traffic at over 93 Gb/s.
Faultprints: Faultprints is a fault localization architecture that relies on deterministic packet sampling: each AS samples observed packets in a way that is predictable by the source, but unpredictable by all other network entities. To the source, packet sampling yields a complete picture of the transit ASes that drop, delay, and modify packets. In contrast to earlier fault localization approaches, Faultprints supports asymmetric network paths.
DENA: The DENA extension implements a strategy for bootstrapping the initial deployment of future Internet architectures by focusing on providing high availability as an incentive for early adopters. With only a small number of adopting ISPs, customers can obtain high availability guarantees.
SIBRA: SIBRA is an interdomain bandwidth reservation architecture that achieves vital protection against volumetric DDoS attacks. SIBRA enables the efficient creation of dynamic interdomain leased lines (DILLs) that offer new business opportunities for ISPs.
OPT/DRKey: Origin and Path Trace (OPT) is a suite of lightweight, scalable, and secure protocols for source authentication and path validation. OPT is based on DRKeys, which enable routers to (re-)create symmetric keys shared with the end hosts on the fly. The stateless operation of DRKey on routers prevents state-exhaustion DoS attacks and simplifies router architectures.
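As an added illustration (not the project's own code, and not the actual DRKey specification), the following Python sketch shows the stateless property described above: the router keeps one long-term secret, derives each end host's key on demand with a PRF, and validates a packet tag without any per-host or per-flow table. HMAC-SHA256 is assumed as the PRF, the AS and host identifiers are constructed, and the key is assumed to reach the host over a separate authenticated channel.

```python
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    """Pseudo-random function; HMAC-SHA256 stands in for the PRF (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class ASRouter:
    """Router of one AS. It holds a single secret value and nothing else:
    per-host keys are recomputed on demand instead of being stored."""

    def __init__(self, as_id: str) -> None:
        self.as_id = as_id
        self.secret = os.urandom(32)  # never leaves the AS

    def host_key(self, host_addr: str) -> bytes:
        # Key shared with one end host, derived statelessly from the secret.
        return prf(self.secret, f"{self.as_id}|{host_addr}".encode())

    def verify(self, host_addr: str, payload: bytes, tag: bytes) -> bool:
        # Re-create the host's key, recompute the tag, compare in constant time.
        expected = prf(self.host_key(host_addr), payload)
        return hmac.compare_digest(expected, tag)


class EndHost:
    """End host that received its key from the AS (delivery channel assumed)."""

    def __init__(self, addr: str, key: bytes) -> None:
        self.addr = addr
        self.key = key

    def tag(self, payload: bytes) -> bytes:
        return prf(self.key, payload)


def run_demo() -> tuple:
    router = ASRouter("AS-A")  # constructed identifiers
    alice = EndHost("10.0.0.1", router.host_key("10.0.0.1"))
    mallory = EndHost("10.0.0.2", router.host_key("10.0.0.2"))
    payload = b"constructed packet payload"
    genuine = router.verify(alice.addr, payload, alice.tag(payload))
    # Mallory cannot produce Alice's tag: her key is bound to her own address.
    spoofed = router.verify(alice.addr, payload, mallory.tag(payload))
    tampered = router.verify(alice.addr, payload + b"x", alice.tag(payload))
    return genuine, spoofed, tampered
```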
FAIR: FAIR is a forwarding accountability mechanism that incentivizes ISPs to apply stricter security policies to their customers. Policy violations are detected through proofs of misbehavior.
ARPKI: ARPKI is a public-key infrastructure in which certificate-related operations (such as certificate issuance, update, revocation, and validation) are transparent and accountable. ARPKI's security properties are formally specified and verified using the Tamarin prover.
SAINT: SAINT is an infrastructure to address the problem of scaling authentication for naming, routing, and end-entity certification to a global environment, in which trust is assumed to be heterogeneous.
Do you want to learn more about SCION?
We have an 80-minute video from an event at the Geneva Internet Platform (April 2016) that includes slides and questions from the
Furthermore, we have a 60-minute talk (November 2014): Exciting Security Research Opportunity – Next-Generation Internet.
We are grateful for the collaborations and the support we receive from the following institutions:
and XIA, the eXpressive Internet Architecture.
Want to provide ideas? Want to be part of our team? Want to see SCION in action? Want to run SCION yourself? We are happy to welcome you to our team; just send us an email.
If you want to learn more and receive periodic updates about SCION, please subscribe to the SCION newsletter!