The Complete Guide to Scion: From Design Principles to Formal Verification

Foreword by Jol Mesot xi

Foreword by Fritz Steinmann xiii

Preface xv

How to Read This Book xvii

Acknowledgments xix

1 Introduction 1

1.1 Today's Internet . . . . . . . . . . . . . . . . . . . . . . . 2

1.2 Goals for a Secure Internet Architecture . . . . . . . . . . . 9

I SCION Core Components 15

2 Overview 17

2.1 Infrastructure Components . . . . . . . . . . . . . . . . . . 20

2.2 Authentication . . . . . . . . . . . . . . . . . . . . . . . . 21

2.3 Control Plane . . . . . . . . . . . . . . . . . . . . . . . . . 23

2.4 Data Plane . . . . . . . . . . . . . . . . . . . . . . . . . . 28

2.5 ISD and AS Numbering . . . . . . . . . . . . . . . . . . . 31

3 Authentication 35

3.1 The Control-Plane PKI (CP-PKI) . . . . . . . . . . . . . . 36

3.2 DRKey: Dynamically Recreatable Keys . . . . . . . . . . . 52

3.3 SCION Packet Authenticator Option . . . . . . . . . . . . . 61

4 Control Plane 65

4.1 Path-Segment Construction Beacons (PCBs) . . . . . . . . 66

4.2 Path Exploration (Beaconing) . . . . . . . . . . . . . . . . 69

4.3 Path-Segment Registration . . . . . . . . . . . . . . . . . . 71

4.4 PCB and Path-Segment Selection . . . . . . . . . . . . . . 73

4.5 Path Lookup . . . . . . . . . . . . . . . . . . . . . . . . . 80

4.6 Service Discovery . . . . . . . . . . . . . . . . . . . . . . 87

4.7 SCION Control Message Protocol (SCMP) . . . . . . . . . 89

5 Data Plane 93

5.1 Inter- and Intra-domain Forwarding . . . . . . . . . . . . . 94

5.2 Packet Format . . . . . . . . . . . . . . . . . . . . . . . . 95

5.3 Path Authorization . . . . . . . . . . . . . . . . . . . . . . 96

5.4 The SCION Path Type . . . . . . . . . . . . . . . . . . . . 101

5.5 Path Construction (Segment Combinations) . . . . . . . . . 104

5.6 Packet Initialization and Forwarding . . . . . . . . . . . . . 115

5.7 Path Revocation . . . . . . . . . . . . . . . . . . . . . . . 120

5.8 Data-Plane Extensions . . . . . . . . . . . . . . . . . . . . 124

II Analysis of the Core Components 127

6 Functional Properties and Scalability 129

6.1 Dependency Analysis . . . . . . . . . . . . . . . . . . . . . 130

6.2 SCION Path Policy . . . . . . . . . . . . . . . . . . . . . . 135

6.3 Scalability Analysis . . . . . . . . . . . . . . . . . . . . . 148

6.4 Beaconing Overhead and Path Quality . . . . . . . . . . . . 150

7 Security Analysis 157

7.2 Threat Model . . . . . . . . . . . . . . . . . . . . . . . . . 161

7.3 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

7.4 Control-Plane Security . . . . . . . . . . . . . . . . . . . . 165

7.5 Path Authorization . . . . . . . . . . . . . . . . . . . . . . 170

7.6 Data-Plane Security . . . . . . . . . . . . . . . . . . . . . 172

7.7 Source Authentication . . . . . . . . . . . . . . . . . . . . 174

7.8 Absence of Kill Switches . . . . . . . . . . . . . . . . . . . 176

7.9 Other Security Properties . . . . . . . . . . . . . . . . . . . 179

7.10 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

III Achieving Global Availability Guarantees 183

8 Extensions for the Control Plane 185

8.1 Hidden Paths . . . . . . . . . . . . . . . . . . . . . . . . . 185

8.2 Time Synchronization . . . . . . . . . . . . . . . . . . . . 190

8.3 Path Metadata in PCBs . . . . . . . . . . . . . . . . . . . . 197

9 Monitoring and Filtering 203

9.1 Replay Suppression . . . . . . . . . . . . . . . . . . . . . . 204

9.2 High-Speed Traffic Filtering with LightningFilter . . . . . . 207

9.