SCION: Scalability, Control and Isolation On Next-Generation Networks

Xin Zhang, Hsu-Chun Hsiao, Geoff Hasker, Haowen Chan, Adrian Perrig, David Andersen

PowerPoint presentation, 19 slides


Page 1: SCION: Scalability, Control and Isolation On Next-Generation Networks

Xin Zhang, Hsu-Chun Hsiao, Geoff Hasker, Haowen Chan, Adrian Perrig, David Andersen

Page 2: The Internet is still unreliable and insecure!

[Figure: protocol stack (Application, Transport, Network, Data link, Physical)]

Feb 2008: Pakistani ISP hijacks YouTube prefix
Apr 2010: A Chinese ISP inserts fake routes affecting thousands of US networks.
Nov 2010: 10% of Internet traffic 'hijacked' to Chinese servers due to DNS tampering.

Fixes to date (ad hoc, patches): S-BGP origin attestation, S-BGP route attestation, DNSSec, multi-path

Inconvenient truths: S-BGP: delayed convergence; global PKI: single root of trust

Page 3: Limitations of the Current Internet: Too little or too much path control by end points

[Figure: ADs A, B, C and D with a malicious AD M; M announces "D's prefix here!" while the source is told "Prefer the red path …"]

Destination has too little control over inbound paths
Source has too much control to aggregate DDoS traffic

Page 4: Limitations of the Current Internet: Too little or too much path control by end points

Destination has too little control over inbound paths
Source has too much control to aggregate DDoS traffic

Lack of routing isolation: a failure/attack can have global effects; global visibility of paths is not scalable

Lack of route freshness: current (S-)BGP enables replaying of obsolete paths

Page 5: Related Work

Routing security: S-BGP, soBGP, psBGP, SPV, PGBGP
Routing control: Multipath (MIRO, Deflection, Path splicing, Pathlet), NIRA
Scalable and policy-based routing: HLP, HAIR, RBF
Secure DNS: DNSSec
Source accountability and router accountability: AIP, Statistical FL, PAAI

Page 6: Wish List (1): Isolation

[Figure: independent routing regions; a malicious AD M launches attacks (e.g., bad routes)]

Localization of attacks
Mutually distrusting domains, no single root of trust
Independent routing region

Page 7: Wish List (2): Balanced Control

[Figure: ADs A, B, C and D with CMU, PSC, I2 and L3 as ISPs; annotation "Hide the peering link from CMU"]

Source, destination, transit ISPs all have path control
Support rich policies and DDoS defenses

Page 8: Wish List (3): Explicit Trust

[Figure: CMU, PSC, Level 3 and I2, and ADs X, Y, Z in the Internet; annotations "Who will forward packets on the path?" and "Go through X and Z, but not Y"]

Know who needs to be trusted
Enforceable accountability

Page 9: SCION Architecture Overview

[Figure: source and destination inside a TD with a TD core and a path server; PCBs flow from the core; S: blue paths, D: red paths; AD: admin domain]

Trust domains (TDs): isolation and scalability
Path construction: scalability
Path resolution: control, explicit trust
Route joining (shortcuts): efficiency, flexibility

Page 10: Logical Decomposition: Split the network into a set of trust domains (TD)

TD: isolation of route computation
TD cores: interconnected Tier-1 ADs (ISPs)

[Figure: source and destination, each below a core; up-paths and down-paths]

Page 11: Path Construction Beacons (PCBs)

[Figure: PCBs propagate from the TD core through ADs A, B and C; opaque fields are embedded into packets]

Legend: interface, opaque field, expiration time, signature

= SIG( || || )

= ||MAC( )

= SIG( || || || )

= || MAC( || )

= || MAC( || )

= SIG( || || || )
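The symbols of the PCB equations above did not survive extraction, but the slide's structure is clear: each AD adds an opaque field (its interface pair plus a MAC under its own key), the beacon carries an expiration time, and every AD signs what it forwards. The following Go program is an added example written for this page; it is not the authors' code nor the SCION project's implementation. The choice of HMAC-SHA256 for the MAC, Ed25519 for the signature, the hop encoding, and the names (AD, OpaqueField, PCB, Extend, Verify, CheckHop) are all assumptions made here. It shows the three checks the slides on pages 4, 11 and 12 motivate: a stale beacon is rejected (route freshness), a bogus link inserted into a hop breaks the signature chain, and a router accepts only opaque fields computed under its own key when they are later embedded into packets.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// AD is one administrative domain (constructed here): a signing key pair plus a
// symmetric forwarding key that never leaves the AD's own routers.
type AD struct {
	Name   string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	fwdKey []byte
}

func NewAD(name string) *AD {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	k := make([]byte, 32)
	rand.Read(k)
	return &AD{Name: name, Pub: pub, priv: priv, fwdKey: k}
}

// OpaqueField: the interface pair an AD adds, protected by a MAC under its key.
type OpaqueField struct {
	Ingress, Egress uint16
	MAC             []byte
}

// Hop is one AD's beacon entry; PCB is the beacon propagating from the TD core.
type Hop struct {
	AD  string
	OF  OpaqueField
	Sig []byte
}
type PCB struct {
	Expiration int64 // unix seconds: an obsolete beacon cannot be replayed
	Hops       []Hop
}

// mac = MAC_k(interfaces || previous opaque field), chaining the hops together.
func (ad *AD) mac(in, eg uint16, prev []byte) []byte {
	m := hmac.New(sha256.New, ad.fwdKey)
	fmt.Fprintf(m, "%d|%d|%x", in, eg, prev)
	return m.Sum(nil)[:8] // truncated to keep the per-hop field small
}

// signedBytes: expiration, every earlier hop, then this AD's own name and field.
func signedBytes(exp int64, prev []Hop, name string, of OpaqueField) []byte {
	b := []byte(fmt.Sprintf("%d|", exp))
	for _, h := range prev {
		b = append(b, fmt.Sprintf("%s|%d|%d|%x|%x|", h.AD, h.OF.Ingress, h.OF.Egress, h.OF.MAC, h.Sig)...)
	}
	return append(b, fmt.Sprintf("%s|%d|%d|%x", name, of.Ingress, of.Egress, of.MAC)...)
}

// Extend appends this AD's hop; the TD core originates on an empty beacon.
func (ad *AD) Extend(pcb PCB, in, eg uint16) PCB {
	var prev []byte
	if n := len(pcb.Hops); n > 0 {
		prev = pcb.Hops[n-1].OF.MAC
	}
	of := OpaqueField{in, eg, ad.mac(in, eg, prev)}
	sig := ed25519.Sign(ad.priv, signedBytes(pcb.Expiration, pcb.Hops, ad.Name, of))
	return PCB{pcb.Expiration, append(append([]Hop{}, pcb.Hops...), Hop{ad.Name, of, sig})}
}

// Verify, run by a receiving AD: drop stale beacons, then check each hop's
// signature against the public keys of the ADs this TD trusts.
func Verify(pcb PCB, keys map[string]ed25519.PublicKey, now int64) error {
	if now >= pcb.Expiration {
		return fmt.Errorf("beacon expired at %d: obsolete path rejected", pcb.Expiration)
	}
	for i, h := range pcb.Hops {
		pub, msg := keys[h.AD], signedBytes(pcb.Expiration, pcb.Hops[:i], h.AD, h.OF)
		if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, msg, h.Sig) {
			return fmt.Errorf("hop %d (%s): unknown AD or bad signature", i, h.AD)
		}
	}
	return nil
}

// CheckHop is the data-plane check a router of this AD runs on a packet that
// carries opaque fields: recompute the MAC with the local key and compare.
func (ad *AD) CheckHop(of OpaqueField, prevMAC []byte) bool {
	return hmac.Equal(of.MAC, ad.mac(of.Ingress, of.Egress, prevMAC))
}

func main() {
	core, a, b := NewAD("core"), NewAD("A"), NewAD("B")
	keys := map[string]ed25519.PublicKey{"core": core.Pub, "A": a.Pub, "B": b.Pub}
	now := time.Now().Unix()
	pcb := b.Extend(a.Extend(core.Extend(PCB{Expiration: now + 3600}, 0, 1), 1, 2), 2, 0)
	fmt.Println("valid beacon:", Verify(pcb, keys, now))
	forged := PCB{pcb.Expiration, append([]Hop{}, pcb.Hops...)}
	forged.Hops[1].OF.Egress = 9 // a bogus link announced on A's behalf
	fmt.Println("forged beacon:", Verify(forged, keys, now))
	fmt.Println("router accepts own field:", a.CheckHop(pcb.Hops[1].OF, pcb.Hops[0].OF.MAC))
}
```

The trusted-key map stands in for the TD core's role as the root of trust within one TD: a verifier needs only the public keys of the ADs in its own TD, which is the "TD Core and on-path ADs" trusted computing base of page 12, rather than a single global root. Because each hop's signature covers all earlier hops, a hop cannot be spliced out of or into a beacon after the fact, and because the MAC key never leaves the AD, nobody else can mint an opaque field that that AD's routers will forward.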

Page 12: SCION Security Benefits

                            S-BGP etc.             SCION
Isolation
Scalability, freshness
Path replay attack
Collusion attack
Single root of trust
Trusted Computing Base      Whole Internet         TD Core and on-path ADs
Path control: source        End-to-end control     Only up-path
Path control: destination   No control             Inbound paths
DDoS                        Open attacks           Enable defenses

Page 13: Performance Benefits

Scalability: routing updates are scoped within the local TD
Flexibility: transit ISPs can embed local routing policies in opaque fields
Simplicity and efficiency: no inter-domain forwarding table

Page 14: Evaluation Methodology

Use of CAIDA topology information
Assume 5 TDs (AfriNIC, ARIN, APNIC, LACNIC, RIPE)
We compare to S-BGP/BGP

Page 15: Performance Evaluation

Additional path length (AD hops) compared to BGP:
without shortcuts: 21% longer
with shortcuts: 1 down/up-path: 6.7%; 2 down/up-paths: 3.5%; 5 down/up-paths: 2.5%

Page 16: Policy Expressiveness Evaluation

Fraction of BGP paths available under SCION, reflecting SCION's expressiveness of BGP policies

Page 17: Security Evaluation

Resilience against routing and data-plane attacks
Malicious ADs announce bogus links between each other

[Figure: results for SCION vs. S-BGP]

Page 18: Conclusions

Basic architecture design for a next-generation network that emphasizes isolation, control and explicit trust
Highly efficient, scalable, available architecture
Enables numerous additional security mechanisms, e.g., network capabilities

Page 19: Questions?

Xin Zhang <[email protected]>