Zero Trust

  • 1.  SCION - Next-Generation Networks

    Posted Nov 07, 2022 06:34:00 AM
    Hello community,

    I see some traction in Switzerland for SCION. This is most likely due to it being an invention from the ETH.

    It seems to me like it is aiming to be the next BGP (Border Gateway Protocol). Not sure if their isolation domains will scale.

    Has anybody heard of it and has an opinion about the technology?


    Kindest regards,
    Lars

    Links:
    SCION Internet Architecture (scion-architecture.net)
    The internet architecture of the 1980s is due for an upgrade | World Economic Forum (weforum.org)

    ------------------------------
    Lars Ruddigkeit
    Account Technical Strategist Swiss FedGov
    Microsoft Switzerland
    ------------------------------


  • 2.  RE: SCION - Next-Generation Networks

    Posted Dec 20, 2022 02:26:00 PM

    Hi Lars,

    Thank you for bringing this topic here. It might be difficult to explain to others the relationship between SCION and Zero Trust.

    Yes, I heard about SCION, which was designed by ETH Zurich a few years ago. But I am not sure if SCION should be considered an evolution of the current Internet or a revolution.

    I think that SCION is not just a replacement of BGP on the Internet but also it is about changing the way we do routing and security in the Internet network.

    Here are the key SCION differentiators in my opinion:

    • SCION is about source routing instead of destination routing like we do with BGP
    • SCION is by design stateless routing, so we don't need to care about routing table consistency across different network nodes in the Internet
    • SCION can be considered secure by design because routing information exchanged between nodes is encrypted and signed. This is something that we are trying to do with RPKI to secure BGP and avoid BGP hijacks

    SCION authors defined isolation domains (ISDs) to group ASes and ensure economic and political relationships between them on the Internet, like we do today with LIRs and RIRs (such as RIPE or APNIC). But I agree that ISDs are also important in SCION design to ensure scalability; I am not sure how this will scale.

    I have some knowledge and expertise about Segment Routing (SR) which was designed to replace BGP in intra-AS networks. IETF is working on multiple extensions of SR and in my understanding SR6 is applicable to inter-AS communications as well. I don't really see a big difference between SR and SCION.

    The only difference I see is: With Segment Routing you need to know the whole topology of the network and select an end-to-end path whereas with SCION and thanks to ISDs you can have multiple segmented paths with the need to know the network topology.

    Should we then spend time and energy to work on a new disruptive technology or should we work to evolve current and already mature technologies such as SR?

    On the other hand, Huawei has submitted to ITU-T a set of proposals to replace IPv4 & v6 to address new use cases and introduce a new way of routing which is very similar to SCION.

    PS: I heard that many Swiss ISPs are now providing SCION services to their customers, any feedback?

    Thanks

    Zied

    ------------------------------
    Zied TURKI CISSP #549219
    Technology & Cybersecurity Specialist
    Paris
    ------------------------------



  • 3.  RE: SCION - Next-Generation Networks

    Posted Dec 22, 2022 09:32:00 AM
    Hello Zied,

    thanks for your insights.

    Yes, I agree with you that the Isolation Domains work nicely on a small scale, like a company network or an intra network, for example between banks. Nevertheless, the decision process for all the possible domains must be hard to achieve on a global scale. Still, I find this whitelisting approach quite interesting (who sees you on the internet).

    Regarding your question about Swiss ISPs. Yes, they have rolled it out but I do not see a usage of it except by the SSFN (intra banking network from the Swiss National Bank). So hard to see how this develops. This is also my main reason for raising the question. Is SCION only a Swiss thing or more? 


    Kindest regards,
    Lars

    ------------------------------
    Lars Ruddigkeit
    Account Technical Strategist Swiss FedGov
    Microsoft Switzerland
    ------------------------------



  • 4.  RE: SCION - Next-Generation Networks

    Posted Dec 23, 2022 06:13:00 AM

    Hi Lars

    I am based in Paris, my peers in different vendors and French ISPs are not aware of SCION.

    Here are some discussions about SCION outside Switzerland:

    • SCION was on the agenda of RIPE 81; see the different questions discussed here: SCION - A Novel Internet Architecture | RIPE Labs
    • SCION was on the agenda of IETF 113, 114 and London 115; maybe it will be discussed again at IETF 116 in Yokohama
    • There are some active Internet drafts within the IETF as well

    I will share here if I see any update.

    Thanks

    Zied



    ------------------------------
    Zied TURKI CISSP #549219
    Technology & Cybersecurity Specialist
    Paris
    ------------------------------