Consider that you are an international company with multiple branches in different countries. Your IT infrastructure is large: you maintain several data centres and outsource some functionality to the cloud.
Your offices exchange gigabytes of data daily, but your various business applications require different traffic channel properties. Your video conferencing depends on low latency, personal medical records demand secrecy, while the exchange of large files requires high throughput.
SD-WAN (Software-Defined Wide Area Network) addresses this issue by connecting branches of your enterprise through a virtual network. Every office is equipped with an edge node (a router), and all traffic passes through it. The edge node routes the traffic also based on business needs, in addition to the IP-addresses. This means that video conferences get the fastest channel, while the backup process utilise the rest of the circuit or another “cheaper” circuit. A central controller manages the entire virtual network, and policy updates automatically spread across the branches. Businesses benefit in terms of security, time and cost.
The problem with SD-WAN today
The edge nodes in SD-WAN are often connected via the public internet which is not secure. The internet consists of thousands of interconnected routers that belong to various internet service providers (ISPs). A data packet travels through dozens of routers before it reaches its destination. Each router on the way receives a data packet and forwards it to the next hop based on its internal logic. Thus, neither the sender nor the receiver control the path of each data packet.
From an SD-WAN point of view, the particular end-to-end path is not particularly important. The edge router in SD-WAN controls only the first hop of the data traffic. For the rest, SD-WAN virtualises all underlying transport services and treats them as a single resource pool. However, data paths are essential for businesses that use SD-WAN for many reasons.
Some data is protected by law: it must remain within a certain jurisdiction and is not allowed to pass through any outside routers. Although this data is encrypted, cryptography is not enough. Computational power increases yearly, and today’s robust cryptography will be broken by tomorrow’s decoders. It is up to businesses to protect their in-transit data.
Performance of the data path depends on every single connection it passes through. Once a single connection is disrupted, or a router is congested, latency dramatically increases or packets are dropped. Therefore, to guarantee high performance, one needs to control the entire end-to-end path.
Routing on the internet is error-prone and not secure
The problem arises from the heart of the internet. The Border Gateway Protocol (BGP) is how routers define where to forward incoming data packets. Each router keeps its routing table – a rule-book which neighbouring routers to use to transmit a data packet with a specified destination IP address. The internet is constantly evolving: new interconnections emerge, and existing interconnections could be broken or hindered at any time. The routing tables need to be accurate and updated regularly. Neighbouring routers permanently exchange information about respective destinations (IP addresses) they can reach and update their routing tables. This procedure relies on the honesty of internet infrastructure members and has no resilience against malicious actions, because BGP was defined in 1989 when the internet participants formed trustworthy community, like research institutes in the US, and security was not a concern.
One of the problems is malicious rerouting of the traffic, also known as BGP hijacking. This is when a malicious router deceives its neighbours and sends out fake routing tables showing that it can send data packets to a certain destination faster than other routers. Misguided honest routers update their routing tables and forward data packets to the malicious router, which in turn routes them to malicious servers. The person behind the BGP hijack could steal credentials, eavesdrop or record the traffic, and then send the traffic to its final destination, without the sender nor receiver noticing the attack.
A better way to connect
Here is where SCION enters the scene. SCION provides a set of pre-defined path segments that the sender uses to construct an end-to-end path, much like using Lego bricks. This allows the sender to avoid specific ISPs or geographic locations.
Different segments have different properties. The sender is flexible to construct a path appropriate to its business needs, whether they are based on latency, bandwidth, cost or geopolitical area avoidance. Paths are interchangeable, making SCION connections resilient to the failure of individual connections.
Ultimately, SCION is not a substitute, but a supplement to SD-WAN. SCION can connect SD-WAN edge nodes in a more secure, reliable and transparent way. With SCION, virtual connections are as secure as leased lines, at a lower cost.