So you want to know about SCION - part 3

Post by Mateusz Kowalski
March 18, 2021

SCION-IP Gateway for transparent communication over SCION

Even though the ideal way to benefit from SCION would be to use only SCION-native applications, we all know this is not as simple as it sounds, and in reality, we always have numerous legacy technologies to deal with. An example is SS7, a group of telephony protocols in use since 1975. Even though a lot of work has been done to try and replace it with more modern and secure protocols, SS7 is still widely used. To overcome the usually lengthy adoption process, one of the components of SCION is the SCION-IP Gateway (SIG) - a component that, when deployed in two separate Autonomous Systems (AS), wraps incoming IP traffic into SCION packets and sends them while benefiting from all the perks of path-awareness. The gateway at the other end of the tunnel then unwraps them back into regular IP traffic.

This may sound like a simple Site-to-Site VPN and indeed from the perspective of the end-host, its functionalities are very similar. However, the essential difference is that the SCION-IP Gateway allows for the path control described above on top of the VPN-like features. One way of thinking about it is that we are adding all the SCION features on top of the concept of the existing VPN. A simple example would be sending different types of IP traffic via different paths, defined by the so-called traffic policy - a site administrator could decide that video conferencing traffic between both sites has to use the shortest (and the best latency-wise) path, whereas all the file transfers between those sites will be using a path offering much bigger throughput.
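The traffic-policy idea above, sketched as an added example (this is not Anapaya's code and not SIG configuration syntax). The rule format, path names, prefix, ports and path metrics are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:                 # one candidate SCION path between the two sites
    name: str
    latency_ms: float
    bandwidth_mbps: int

@dataclass(frozen=True)
class Rule:                 # hypothetical traffic-policy rule
    name: str
    protocol: str           # "udp" or "tcp"
    dst_ports: range
    prefer: str             # "latency" or "bandwidth"

# Constructed sample data: the IP range behind the remote gateway,
# two paths to the remote AS, and a two-rule policy.
REMOTE_PREFIX = ipaddress.ip_network("10.2.0.0/16")
PATHS = [
    Path("direct", 8.0, 1_000),
    Path("via-transit", 21.0, 10_000),
]
POLICY = [
    Rule("video-conferencing", "udp", range(3478, 3482), "latency"),
    Rule("file-transfer", "tcp", range(445, 446), "bandwidth"),
]

def select_path(dst_ip, protocol, dst_port, paths=PATHS):
    """Return (traffic class, path name), or None if the packet is not tunnelled."""
    if ipaddress.ip_address(dst_ip) not in REMOTE_PREFIX:
        return None                       # plain IP routing, no SCION encapsulation
    if not paths:
        raise RuntimeError("no SCION path to the remote AS is available")
    traffic_class, prefer = "default", "latency"
    for rule in POLICY:                   # first matching rule wins
        if rule.protocol == protocol and dst_port in rule.dst_ports:
            traffic_class, prefer = rule.name, rule.prefer
            break
    if prefer == "latency":
        best = min(paths, key=lambda p: p.latency_ms)
    else:
        best = max(paths, key=lambda p: p.bandwidth_mbps)
    return traffic_class, best.name

if __name__ == "__main__":
    print(select_path("10.2.4.7", "udp", 3478))                  # video call
    print(select_path("10.2.4.7", "tcp", 445))                   # file transfer
    print(select_path("10.2.4.7", "udp", 3478, [PATHS[1]]))      # "direct" path lost
```

Passing a reduced `paths` list models a path becoming unavailable: the same rule then picks the best of the remaining paths, which is what distinguishes this from a single fixed tunnel.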

SDN - wide support for x86 platform

In one of the previous articles, "Demonstrating the reliability and resilience of Secure Swiss Finance Network", we described one of the existing deployments of SCION in use by the Swiss National Bank and various entities from the financial sector. What is important from a deployment perspective is that the whole infrastructure is running on commodity hardware - when deploying SCION and integrating it with an already existing corporate infrastructure, there is no need for additional, expensive equipment because the entirety of the technology can be run using standard off-the-shelf servers or even integrated into existing virtualised environments.

Whereas the numbers described here are not part of our reference architecture or deployment guide, we can already give some insights. Over the course of 2020, the pilot of Secure Swiss Finance Network (SSFN) has been successfully running on HPE servers with as little as 4-core CPUs and 16 GB of RAM. At the same time our other project, SCION For Education Domain (SCI-ED), has been deployed on much more powerful CPUs with as many as 20 threads - reaching throughputs in the tens of gigabits per second.

In our Anapaya CONNECT backbone, we deploy a setup based on virtual machines. As briefly mentioned in the article Extending our Reach with Console Connect by PCCW Global, deploying a global ecosystem would require a giant amount of resources and presence in multiple physical locations. Instead, we have decided to use a flexible and easily scalable cloud-based setup. Such a design allows us to quickly spawn a new Point of Presence without the lengthy process of renting a physical location and creating interconnections with other network providers - something that can easily take up to several weeks. By leveraging cloud providers and virtual machines we have managed to take this time down to only a few days required to deploy SCION in a new location.

IPv6 for underlay networks

One of the locations of our backbone is SwissIX, the largest Internet Exchange Point in Switzerland. Our presence there is another way of making SCION adoption easier by providing a single physical location in which multiple network providers can converge in the SCION Internet. This setup, as opposed to the one described just above, is not cloud-based but follows the classic pattern of deployment using physical servers. Still, we wanted to be innovative and therefore decided to deploy it using an IPv6-only network.

The problem of IPv4 address space exhaustion is widely known and comes to people's attention on a regular basis. As with BGP and other legacy technologies, it's not easy to migrate the whole internet from IPv4 to IPv6. Thus, having the chance to deploy a new infrastructure from scratch, we decided to go with an IPv6-only setup.

Providing a SCION presence in SwissIX allows businesses to perform bilateral peering as well as participate in the Anapaya CONNECT service. As participation in this location requires all the members to be ready to use IPv6, we are contributing to the global movement pushing network providers to support IPv6 as a technology of the future.

Experiments with P4

P4 is a programming language designed for processing network packets directly on the hardware. As opposed to what we have described in the previous chapters, this means using equipment dedicated specifically to handling network traffic. In such a case, the loss of flexibility compared with commodity servers is compensated by the ability to achieve much better performance.

Two scientific institutions, ETH Zurich and SIDN Labs, have already started exploring the project of implementing SCION for such a platform in order to get early insights from a completely different perspective. Creating a protocol from scratch means making a lot of design decisions, sometimes based on our implicit assumptions and biases. However, by having multiple independent researchers looking into the results of SCION on that platform as early as possible, we are able to shorten the feedback cycle and spot potential problems and bottlenecks before it becomes too late to fix them.

This cooperation between Anapaya, ETH Zürich and SIDN Labs has proven to bring useful insights that resulted in improvements to the SCION protocol that have already been implemented and successfully deployed to our customers.

This finishes the series of articles

With this article, we have explained how SCION makes it possible to leverage and co-exist with an already existing infrastructure.

There is always more to write, but with this article, we are finishing this first edition of SCION introductions. We hope this short series managed to prove that SCION indeed has its place in the current world and can bring a breath of fresh air into how the Internet works.

So you want to know more about SCION? Contact us.

Mateusz Kowalski
Site Reliability Engineer experienced in designing and deploying architectures for large-scale systems. Previously computing engineer at CERN, currently working at Anapaya Systems (a spin-off from ETH Zurich).