SCION: A Secure Internet Architecture Samuel Hitz CTO Anapaya Systems ETH Zurich

Similar documents
SCION: A Secure Multipath Interdomain Routing Architecture. Adrian Perrig Network Security Group, ETH Zürich

Verified Secure Routing

SCION Project Testbed Trials. David Hausheer, Youssef El Biad, Kurt Baumann, Adrian Perrig

Towards Deployment of a Next- Generation Secure Internet Architecture

SCION: PKI Overview. Adrian Perrig Network Security Group, ETH Zürich

Network Layer (Routing)

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

SCION: Scalability, Control and Isolation On Next-Generation Networks

CTO PoV: Enterprise Networks (Part 2) Security for IoT & Cloud

On the State of the Inter-domain and Intra-domain Routing Security

Cisco Group Encrypted Transport VPN

CS4450. Computer Networks: Architecture and Protocols. Lecture 15 BGP. Spring 2018 Rachit Agarwal

Network in the Cloud: a Map-and-Encap Approach

Internet Infrastructure

Never Drop a Call With TecInfo SIP Proxy White Paper

Inter-domain routing validator based spoofing defence system

Our Virtual Intelligent Network Overlay (VINO) solutions bring next-generation performance and efficiency to business networks throughout North

Improving Network Agility with Seamless BGP Reconfigurations

Active BGP Measurement with BGP-Mux. Ethan Katz-Bassett (USC) with testbed and some slides hijacked from Nick Feamster and Valas Valancius

Adding Path Awareness to the Internet Architecture

Network Security. Thierry Sans

Network Service Description

Hochverfügbarkeit in Campusnetzen

2 The SCION Architecture

Overview of the Juniper Networks Mobile Cloud Architecture

Hijacking Bitcoin: Routing Attacks on Cryptocurrencies

Routing Security* CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring * Thanks to Steve Bellovin for slide source material.

Dynamics of Hot-Potato Routing in IP Networks

PassTorrent. Pass your actual test with our latest and valid practice torrent at once

Multicast Technology White Paper

MANRS Mutually Agreed Norms for Routing Security

Security in inter-domain routing

SENSS: Software-defined Security Service

MULTINATIONAL BANKING CORPORATION INVESTS IN ROUTE ANALYTICS TO AVOID OUTAGES

Virtual Private Networks.

Topic. How rou=ng protocols work with IP. The Host/Router dis=nc=on. I don t! I route. CSE 461 University of Washington 1

IPv6 tutorial. RedIRIS Miguel Angel Sotos

Cisco SD-WAN. Securely connect any user to any application across any platform, all with a consistent user experience.

ICS 351: Today's plan. OSPF BGP Routing in general

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

Lecture outline. Internet Routing Security Issues. Previous lecture: Effect of MinRouteAdver Timer. Recap of previous lecture

C. The ESP that is installed in the Cisco ASR 1006 Router does not support SSO.

How SD-WAN will Transform the Network. And lead to innovative, profitable business outcomes

A Routing Infrastructure for XIA

Unit 5 - IPv4/ IPv6 Transition Mechanism(8hr) BCT IV/ II Elective - Networking with IPv6

Module: Routing Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Network Configuration Example

Core of Multicast VPNs: Rationale for Using mldp in the MVPN Core

Q-Balancer Range FAQ The Q-Balance LB Series General Sales FAQ

ICN & 5G. Dr.-Ing. Dirk Kutscher Chief Researcher Networking. NEC Laboratories Europe

Lecture 13: Traffic Engineering

BGP Anomaly Detection. Bahaa Al-Musawi PhD candidate Supervisors: Dr. Philip Branch and Prof. Grenville Armitage.

Juniper Networks M Series and J Series Routers

Overview of the Juniper Mobile Cloud Architecture Laying the Foundation for a Next-gen Secure Distributed Telco Cloud. Mobile World Congress 2017

BGP Security. Kevin s Attic for Security Research

Network Security: Routing security. Aapo Kalliola T Network security Aalto University, Nov-Dec 2012

DDoS Mitigation & Case Study Ministry of Finance

Running A Highly Scaled Registry DNS Platform. ICANN 55 Tech Day Anycast Panel Chris Griffiths -

Robust Networking with IPv6

Securing BGP Networks using Consistent Check Algorithm

ENTERPRISE MPLS. Kireeti Kompella

Impactful Routing Research with the PEERING Testbed

Auto-Detecting Hijacked Prefixes?

WAN VPN Solutions. How Cisco Uses VPN Solutions to Extend the WAN. A Cisco on Cisco Case Study: Inside Cisco IT

Technology Brief. VeloCloud Dynamic. Multipath Optimization. Page 1 TECHNOLOGY BRIEF

Network Design with latest VPN Technologies

Scalable Multipath Routing (towards)

Overlay and P2P Networks. Introduction and unstructured networks. Prof. Sasu Tarkoma

CS4700/CS5700 Fundamentals of Computer Networks

Cisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6

COMP/ELEC 429 Introduction to Computer Networks

Virtual Private Networks (VPNs)

Exam Questions

Link State Routing & Inter-Domain Routing

Building Infrastructure for Private Clouds Cloud InterOp 2014"

QUESTION: 1 You have been asked to establish a design that will allow your company to migrate from a WAN service to a Layer 3 VPN service. In your des

Shim6: Network Operator Concerns. Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI

CSCD 433/533 Network Programming Fall Lecture 14 Global Address Space Autonomous Systems, BGP Protocol Routing

Dissemination of Paths in Path-Aware Networks

Routing Security Security Solutions

SDN Use-Cases. internet exchange, home networks. TELE4642: Week8. Materials from Prof. Nick Feamster is gratefully acknowledged

School of Computer Sciences Universiti Sains Malaysia Pulau Pinang

Networking Review & Grand Challenges

The Top 10 Reasons to Replace Your Branch Router with SD-WAN. An ebook presented by Silver Peak Systems

Introduction to IP Routing. Geoff Huston

Optimised redundancy for Security Gateway deployments

SaaS Providers. ThousandEyes for. Summary

TBGP: A more scalable and functional BGP. Paul Francis Jan. 2004

Vol. 1 Technical RFP No. QTA0015THA

A Survey of BGP Security: Issues and Solutions

SD-WAN Transform Your Agency

MASERGY S MANAGED SD-WAN

ICS 351: Today's plan. OSPF BGP Routing in general routing protocol comparison encapsulation network dynamics

Transform your network and your customer experience. Introducing SD-WAN Concierge

EXAM - CAS-002. CompTIA Advanced Security Practitioner (CASP) Exam. Buy Full Product.

Cisco Cisco ADVDESIGN. Download Full Version :

Inter-Domain Routing: BGP

GRE and DM VPNs. Understanding the GRE Modes Page CHAPTER

Interdomain Routing Reading: Sections P&D 4.3.{3,4}

Pluribus Data Center Interconnect Validated

Transcription:

SCION: A Secure Internet Architecture Samuel Hitz CTO Anapaya Systems ETH Zurich March 2019

Internet: The network of networks The Internet is a network of Autonomous Systems (ASes). Each AS is itself a network of routers run by an institution (e.g., Telco, ISP, company, or university). There are 50,000+ ASes in the world.

Who controls Internet routing? Routers on path can read and modify data Control over paths is completely distributed NSA data storage center Utah Border Gateway Protocol (BGP): all nodes flood path announcements Easy to hijack traffic due to lacking security mechanisms in BGP

BGP Hijacking in the wild

5

SCION in a Nutshell Path-based Network Architecture Packet Control Plane - Routing F D B Constructs and Disseminates B K L I J Path Segments L O S Payload A B K M Data Plane - Packet forwarding L Combine Path Segments to Path Packets contain Paths Routers forward packets based on Path C F D G E H N Q O R P S Simple routers, stateless operation Isolation Domains 7

Network Paths Current Internet No assurance on and control over packets path across the internet Frequent prefix hijacking Geo-Fencing Ensure that packet stays within certain juristiction Resilience against hijacking attacks

Routing & Forwarding Current Internet BGP slow to converge to stable state Lack of separation between control and dataplane leads to outages Clean separation of controland data-plane Increased availability of the Internet 9

Trust Models & Network Sovereignty Current Internet Either no trust model or global roots of trust Whoever controls the global root of trust can shutdown parts of the Internet Autonomy/Sovereignty for network infrastructure, e.g. at national level through isolation domains No global kill switches 10

Attacks on the Network Current Internet DDoS or routing attacks prevent communication No communication guarantees on today s internet Resilient to network DDoS attacks due to multipath communication and source authentication Global, dynamic bandwidth allocation system can ensure minimum bandwidth guarantees 11

How to Deploy SCION Core Network ISP SCION Core Services Interdomain Connection Existing network infrastructure SCION Border Router SCION IP Gateway Customers Two components: SCION core services (control plane) and SCION border routers (dataplane) SCION reuses existing intradomain networking infrastructure no need to upgrade all networking hardware

How to Deploy SCION End-Domains Endhosts Firewall VPN Endpoint SCION IP Gateway Broadband SCION IP Gateway enables seemless integration of SCION TCP/IP data IPSec TCP/IP data SCION IPSec TCP/IP data MPLS Mobile capbilities in end-domain networks No upgrades of endhosts or applications needed SCION is transport-agnostic thus can work over many different Local branch network underlaying networks

Current Deployment Status Commercial (Anapaya) ISPs: Deutsche Telekom, Swisscom, SWITCH, Init7 Bank deployment: 4 major Swiss banks, some in production use Swiss Foreign Department: Interconnecting Swiss Embassies Research (SCIONLab) ISPs: Swisscom, SWITCH, KDDI, GEANT, DFN Deployed 50 ASes worldwide Everyone can join the network 14

SCION Commercialization Anapaya Systems founded in June 2017 as ETH Zurich Spinoff Mission: Build highly available, secure, flexible, and affordable wide-area networks based on SCION technology Current customers include ISPs, Banks, and Governments https://www.anapaya.net

Conclusion: SCION is a Disruptive Technology That Can Be Deployed Today Clean-slate Internet architecture built on solid security foundations New security properties Geofencing Network path verification Verified protocols and code Improved communication efficiency Increased bandwidth via multi-path communication Decreased latency thanks to path optimization Fast failover provides business continuity

SCION Resources SCION project website: https://www.scion-architecture.net SCION Book: PDF online https://www.scion-architecture.net/pdf/scion-book.pdf or available at Springer (ISBN 978-3-319-67080-5) Open Source implementation: https://github.com/scionproto/scion Sponsors:

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback