SCION vs. Segment Routing

Andrea Tulimiero
Post by Andrea Tulimiero
January 28, 2021

This article sheds light on how SCION [9] and Segment Routing (SR) [1] compare.

Although both are source-routing based architectures, they target different audiences and are, as this article will show, complementary.

While SR targets intra-domain environments, SCION aims to provide a global secure routing solution; this means dealing with the conflicting interests of many entities, which requires careful design to address.

A brief introduction to conventional routing

Conventional routing is the most widespread technique to route a packet on the Internet.

A sender specifies the destination address and the routing infrastructure takes care of delivering the packet to the desired destination -- much like a postal service.

So-called "routing tables" on each routing node (or router) contain information on where to forward the packet to get it closer to its destination.

Simply speaking, a routing table is a table-like data structure used by the router to decide which interface to use to forward a packet based on its destination address.

For performance reasons, router manufacturers use specialized hardware, called TCAM, to realize routing tables.

Although this technique has proved quite efficient in terms of scalability and maintainability (it is, again, the de-facto standard on the Internet), it has some notable shortcomings:

  • routing tables need to be kept consistent between the routers in a network. This process is complex and can easily lead to misconfigurations, and thus to network unavailability,
  • the sender cannot control, and cannot even know, the path followed by a packet, and
  • routing tables turn out to be bottlenecks for software-defined networking (SDN) [3] -- an innovative networking paradigm that centralizes the network intelligence in one or more controllers in charge of defining all the paths through a network.

Source Routing

Source routing introduces a fundamental change in the routing paradigm, going from stateful to stateless routing.

Unlike conventional routing, all the information to steer a packet resides in its header rather than in routing tables.

Filling a packet's header with hop-by-hop instructions on how to forward it along the path is carried out by the sender (or some service on their behalf).

What are the advantages of source-routing?

The most notable change brought about by source routing is that there is no need for routing tables anymore.

As we saw earlier, routing tables make network management complex due to the difficulty of keeping the tables of different routers in a consistent state. Removing routing tables therefore gets rid of a major source of complexity, rendering the management process straightforward and less error-prone. Moreover, removing routing tables eliminates a significant bottleneck for SDN networks and the need for expensive and power-hungry TCAMs [2]. Finally, in a source routing architecture, the sender controls the path the traffic takes, increasing control over and transparency of the traffic.

Another advantage of source routing is that traffic policies, used in traffic engineering to handle traffic differently based on its type, can be enforced without keeping per-flow state. Conventional routing requires each router to maintain and manage state for each flow in order to make forwarding decisions based on traffic policies, hindering efficiency and scalability. With source routing, on the other hand, there is no need to keep such state: the decision about which path a flow must take is made only once, at the source. This reduced complexity allows for cheaper and more efficient routers that can be implemented on commodity hardware, improving network scalability.

Segment Routing (SR)

SR is a flavor of source routing which uses so-called "segments" to specify hop-by-hop instructions to route packets in a segment routing domain -- which we can loosely map to an AS (Autonomous System) [10].
The most notable implementations of segment routing are SR-MPLS, an MPLS-based version, and SRv6, an IPv6-based version.

Better traffic engineering tools

Segment Routing mainly improves networks in two ways: it simplifies them by removing protocols, and it makes them more robust by providing state-of-the-art network sensing features.

Segment routing also empowers ISPs and cloud providers with great new traffic engineering tools. These tools enable providers to use their network in a more agile way, utilizing more of the available capacity and meeting Quality of Service (QoS) requirements.

With dynamic traffic rerouting, providers can change the path taken by packets on the fly to squeeze more out of their network infrastructure.

Moreover, thanks to two services, low-latency and disjointness, providers can guarantee QoS for various application requirements. The low-latency network service ensures that time-sensitive applications always get routed over the optimal low-latency path. The disjointness network service ensures that applications can use multiple paths, independent of one another, to achieve high resiliency in case of network failure.

Finally, SR is highly compatible with the SDN paradigm, which further contributes to its scalability and affordability.

An inherently private protocol

SR aims to offer a concrete, simple, and scalable architecture for intra-domain traffic engineering.
The typical deployment of segment routing is in discrete domains and under the control of a single operator (e.g., data centers or access networks).

Although there is an ongoing effort to extend SR across IGP boundaries [4], the proposed solutions are a mere extension of BGP, which has shown itself not to be a solution for achieving a secure and reliable Internet.

SCION routing

SCION (Scalability, Control, and Isolation on next-generation Networks) [9] is a next-generation internet architecture built from the ground up with security and scalability in mind.

Routing in the SCION-Internet is similar to SR in the sense that both are source-routing-like architectures, entailing all the previously listed advantages.

Nonetheless, their control planes are profoundly different due to the different environments they target.

While Segment Routing is an intra-domain architecture, SCION is purely an inter-domain routing protocol.

Inter-domain source routing

When interconnecting ASes on a global scale, two main challenges arise: dealing with a vast number of entities, and dealing with entities that have different or conflicting goals.

While the former challenge is a scalability issue, the latter poses a risk for integrity, confidentiality, and availability.
SCION addresses these issues with a concept called isolation domains (ISD).

Isolation Domains (ISDs)

The SCION-Internet groups ASes in ISDs according to jurisdictions or other common characteristics.
Path discovery between ASes is then hierarchically separated into an intra-ISD and an inter-ISD process, rather than taking place between any pair of ASes as on today's Internet. This separation reduces the overall number of paths and of control plane messages exchanged.

Another main difference between SCION and conventional source routing lies in path selection. In conventional source routing, an end host knows the network topology and selects a path through that topology to reach the destination -- a solution that does not scale to the size of the Internet. In SCION, on the other hand, an end host selects a path from a set of offered paths, freeing the host from having to know the network topology.

This concept is also called source-selected path routing.

So, in contrast to conventional source routing, source nodes in SCION can combine up to three path segments (an up-segment, a core-segment, and a down-segment) without requiring knowledge of the entire network topology.
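A simplified model of the source-selected path routing described above, added here as an example and not code from the original post or from the SCION project. A path service offers up-, core- and down-segments; the host joins them where they meet at a shared AS and selects one, never needing the full topology. The ISD-AS identifiers and segments are constructed, and peering links and shortcut rules of real SCION are omitted.

```python
# Added example (not from the original post or the SCION project): a host
# combining offered path segments into an end-to-end path. Segments are tuples
# of ISD-AS identifiers in forwarding direction (all values are constructed).
from itertools import product

# Up-segments run from the host's AS to a core AS of its ISD.
UP_SEGMENTS = [
    ("1-ff00:0:131", "1-ff00:0:120", "1-ff00:0:110"),
    ("1-ff00:0:131", "1-ff00:0:121", "1-ff00:0:112"),
]
# Core-segments run between core ASes, here across two ISDs.
CORE_SEGMENTS = [
    ("1-ff00:0:110", "2-ff00:0:210"),
    ("1-ff00:0:112", "2-ff00:0:211", "2-ff00:0:210"),
]
# Down-segments run from a core AS of the destination ISD to the destination AS.
DOWN_SEGMENTS = [
    ("2-ff00:0:210", "2-ff00:0:220", "2-ff00:0:222"),
]

def join(*segments):
    """Concatenate segments that meet at the same AS; None if they do not."""
    path = list(segments[0])
    for seg in segments[1:]:
        if seg[0] != path[-1]:          # no shared AS: cannot be stitched
            return None
        path.extend(seg[1:])            # skip the duplicated joining AS
    return path

def candidate_paths(ups, cores, downs):
    """All end-to-end paths obtainable from the offered segments. The core
    segment is optional: within one ISD an up- and a down-segment can meet
    directly at a shared core AS."""
    found = []
    for up, down in product(ups, downs):
        p = join(up, down)
        if p:
            found.append(p)
    for up, core, down in product(ups, cores, downs):
        p = join(up, core, down)
        if p:
            found.append(p)
    return found

def select_path(ups, cores, downs):
    """Source-selected policy used here: fewest AS hops among the candidates."""
    paths = candidate_paths(ups, cores, downs)
    return min(paths, key=len) if paths else None
```

The host only ever sees the segments the path service hands it; any other path selection policy (latency, avoiding a given ISD) would simply replace the `min` in `select_path`.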

ISDs, however, are not only a convenient way of grouping ASes to reduce control-plane messages. They constitute a powerful tool to represent, at the network level, ASes' economic and political relationships. Therefore, intra-ISD routing is independent of other ISDs. ISDs also represent a vital building block to achieve network sovereignty.

In a world where state-sponsored attacks are becoming more and more common [17] [18], realizing a network that is resilient to foreign attacks is of utmost importance to guarantee customers (and citizens) access to services.

Cryptographically signed segments

In SCION, all routing information exchanged between ASes is cryptographically signed -- this prevents several attacks, such as hijacking attacks.

Cryptographically signing control plane messages is not a novelty in itself; it is also present in BGPSEC [13] -- a "secure" extension of the well-known BGP protocol.

However, while BGPSEC relies on an RPKI (Resource Public Key Infrastructure) administered by a single entity, such as ICANN, the SCION-Internet allows ISDs to define a self-administered internal root of trust.

Such an independent public-key infrastructure (PKI) protects ISDs from foreign misbehaviors.
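A toy model of the signed path segments and ISD-local trust root described in the preceding paragraphs, added here as an example and not code from the original post or the SCION project. Each AS appends its hop to the segment and signs the accumulated segment; a verifier checks every hop against the trust store of its own ISD, so a hop spliced in by an AS unknown to that ISD, or a reordered segment, is rejected. HMAC with per-AS keys stands in for the asymmetric signatures real SCION uses, and all keys and identifiers are constructed.

```python
# Added example (not from the original post or the SCION project): hop-by-hop
# signed path segments verified against an ISD's own trust store. HMAC keys
# are a stand-in for the AS signing keys; all values here are constructed.
import hashlib
import hmac
import json

# Per-AS keys as distributed by ISD 1's self-administered root of trust.
ISD1_TRUST_STORE = {
    "1-ff00:0:110": b"constructed-key-core-110",
    "1-ff00:0:120": b"constructed-key-120",
    "1-ff00:0:131": b"constructed-key-131",
}

def hop_signature(key, hop, prev_sig):
    """Sign this hop together with the previous hop's signature (chaining)."""
    msg = json.dumps([hop, prev_sig], sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def build_segment(ases, keys):
    """Each AS, in order, appends (hop, signature over hop + previous sig)."""
    segment, prev = [], ""
    for asid in ases:
        hop = {"as": asid}
        prev = hop_signature(keys[asid], hop, prev)
        segment.append((hop, prev))
    return segment

def verify_segment(segment, trust_store):
    """Accept only if every hop is signed by an AS known to this ISD and the
    chain of signatures is intact (no insertion, removal or reordering)."""
    prev = ""
    for hop, sig in segment:
        key = trust_store.get(hop["as"])
        if key is None:
            return False            # AS not in this ISD's root of trust
        if not hmac.compare_digest(sig, hop_signature(key, hop, prev)):
            return False            # hop or chain was modified
        prev = sig
    return True

def spliced_copy(segment):
    """Constructed tampering: a foreign AS inserts itself with a made-up
    signature. Without a key in ISD 1's trust store, verification fails."""
    forged = ({"as": "3-ff00:0:999"}, "0" * 64)
    return segment[:1] + [forged] + segment[1:]
```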

Moreover, BGPSEC is incompatible with prefix aggregation, a technique used to combine multiple IP prefixes to reduce the number of routes and announcements.

Such a limitation, combined with the increasing fragmentation of the IP space [15] and the trend towards announcing ever-smaller IP address ranges [16], will bring about serious scalability issues.

Conclusion

The source routing paradigm, although proposed several decades ago, has only recently found its way into large-scale deployments through two novel architectures: Segment Routing and SCION.

The former focuses on intra-domain traffic engineering tools to provide better service quality, and the latter focuses on inter-domain security and availability of such services.

In conclusion, SR and SCION, combined, make for a robust and agile architecture to start building the internet of tomorrow - today.

Bibliography

[1]: https://www.segment-routing.net "Segment Routing"

[2]: https://ieeexplore.ieee.org/document/5766609 "Sun, Y., Liu, H., & Kim, M. S. (2011, January). Using TCAM efficiently for IP route lookup. In 2011 IEEE Consumer Communications and Networking Conference (CCNC) (pp. 816-817). IEEE."

[3]: https://ieeexplore.ieee.org/document/6566832 "Kanizo, Y., Hay, D., & Keslassy, I. (2013, April). Palette: Distributing tables in software-defined networks. In 2013 Proceedings IEEE INFOCOM (pp. 545-549). IEEE."

[4]: https://support.huawei.com/enterprise/en/doc/EDOC1100147923/1dfc1c9b/bgp-for-srv6 "BGP for SRv6"

[9]: https://ieeexplore.ieee.org/abstract/document/5958031 "Zhang, Xin, et al. 'SCION: Scalability, control, and isolation on next-generation networks.' 2011 IEEE Symposium on Security and Privacy. IEEE, 2011."

[10]: https://en.wikipedia.org/wiki/Autonomous_system_(Internet) "Autonomous system"

[13]: https://tools.ietf.org/html/rfc8205 "BGPSEC"

[15]: https://labs.ripe.net/Members/wilhelm/impact-of-ipv4-transfers-on-routing-table-fragmentation "Impact of IPv4 Transfers on Routing Table Fragmentation"

[16]: https://blog.apnic.net/2020/01/14/bgp-in-2019-the-bgp-table/ "BGP in 2019 - The BGP table"

[17]: https://www.cyberscoop.com/telegram-iran-bgp-hijacking/ "Telegram traffic from around the world took a detour through Iran"

[18]: https://www.forbes.com/sites/zakdoffman/2020/04/18/russia-and-china-behind-internet-hijack-risk-heres-how-to-check-youre-now-secure/ "Russia And China ‘Hijack’ Your Internet Traffic: Here’s What You Do"
