1
SCION:Scalability, Control and Isolation On
Next-Generation Networks
Xin Zhang, Hsu-Chun Hsiao, Geoff Hasker, Haowen Chan, Adrian Perrig, David Andersen
ApplicationApplication
TransportTransport
Data linkData link
NetworkNetwork
PhysicalPhysical
The Internet is still unreliable and insecure!
2
Feb 2008: Pakistani ISP hijacks YouTube prefix
Apr 2010: A Chinese ISP inserts fake routes affecting thousands of US networks.
Nov 2010: 10% of Internet traffic 'hijacked' to Chinese servers due to DNS Tampering.
S-BGP origin attest.
S-BGP origin attest.
S-BGP route attest.DNSSec Multi-path
Fixes to date – ad hoc, patchesInconvenient truths
S-BGP: delayed convergence Global PKI: single root of trust
Limitations of the Current Internet Too little or too much path control by end points
D
C
A
B M
D’s prefix here!D’s prefix here!
3
Prefer the red path …Prefer the red path …
Destination has too little control over inbound paths Source has too much control to aggregate DDoS traffic
Limitations of the Current Internet Too little or too much path control by end points
4
Destination has too little control over inbound paths Source has too much control to aggregate DDoS traffic
Lack of routing isolationA failure/attack can have global effectsGlobal visibility of paths is not scalable
Lack of route freshnessCurrent (S-)BGP enables replaying of obsolete paths
Related Work Routing security
S-BGP, soBGP, psBGP, SPV, PGBGP Routing control
Multipath (MIRO, Deflection, Path splicing, Pathlet), NIRA Scalable and policy-based routing
HLP, HAIR, RBF Secure DNS
DNSSec Source accountability and router accountability
AIP, Statistical FL, PAAI
5
Wish List (1): Isolation
6
… … … …
M
Attacks(e.g., bad routes)
… …
…
Localization of attacks Mutually distrusting domains, no single root of trust
… …
Independent routing region
Wish List (2): Balanced Control
77
… … … …
CMU
PSC
I2L3
… …
D
CA B
Hide the peering link from CMU
Hide the peering link from CMU
Source, destination, transit ISPs all have path control Support rich policies and DDoS defenses
Wish List (3): Explicit Trust
8
CMU
PSC
Level 3 I2
Know who needs to be trusted
X Y Z
Who will forwardPackets on the path?
Who will forwardPackets on the path?Go through X and Z,
but not YGo through X and Z,
but not Y
Enforceable accountability … … … … … …
Internet
SCION Architecture Overview
9
Source Destination
PCB
Trust domain (TD)s Isolation and scalability
Path construction scalability
Path resolution Control Explicit trust
Route joining (shortcuts) Efficiency, flexibility
S: blue pathsD: red paths
path srvTD
TD Core
AD: admin domain
Logical Decomposition Split the network into a set of trust domains (TD)
10
TD: isolation of route computation
TD cores: interconnected Tier-1 ADs (ISPs)
SourceDestination
corecore
Up-pathsDown-paths
Path Construction Beacons (PCBs)
11
TD Core
A
B
CEmbed into pkts
: interface : Opaque field : expiration time : signature
= SIG( || || )
= ||MAC( )
= SIG( || || || )
= || MAC( || )
= || MAC( || )
= SIG( || || || )
SCION Security Benefits
12
S-BGP etc SCION
Isolation
Scalability, freshness
Path replay attack
Collusion attack
Single root of trust
Trusted Computing Base Whole InternetTD Core and on-
path ADs
Path Control
SourceEnd-to-end
controlOnly up-path
Destination No control Inbound paths
DDoS Open attacks Enable defenses
Performance Benefits Scalability
Routing updates are scoped within the local TD
FlexibilityTransit ISPs can embed local routing policies in opaque fields
Simplicity and efficiencyNo inter-domain forwarding table
13
Evaluation Methodology
Use of CAIDA topology information
Assume 5 TDs (AfriNIC, ARIN, APNIC, LACNIC, RIPE)
We compare to S-BGP/BGP
14
Performance Evaluation Additional path length (AD hops) compared to BGP
without shortcuts: 21% longer
with shortcuts: 1 down/up- path: 6.7% 2 down/up- path: 3.5% 5 down/up- path: 2.5%
15
Policy Expressiveness Evaluation Fraction of BGP paths available under SCION, reflecting
SCION’s expressiveness of BGP policies
16
Security Evaluation Resilience against routing and data-plane attacks
Malicious ADs announce bogus links between each other
17
SCION
S-BGP
ConclusionsBasic architecture design for a next-generation network that emphasizes isolation, control and explicit trust
Highly efficient, scalable, available architecture
Enables numerous additional security mechanisms, e.g., network capabilities
18