SCION – a state-of-the-art internet architecture?

SCION offers more security, reliability and control for transferring data on the web. However, the secure internet architecture is by no means the cure-all solution for all the problems of the internet.

Text: Daniel Bertolo, published on 14.03.2022

These days, digitalisation requires secure networks that are easy to control. However, the foundation of the internet was laid last century without any special security mechanisms, and it has hardly been updated since. That makes it vulnerable. Nowadays, cybercriminals exploit vulnerabilities to such a degree that IT departments spend the majority of their time trying to prevent and eliminate cyber threats. This observation concerns not only the multitude of security risks, but also aspects of the transport network. It’s high time for an upgrade. SCION – Scalability, Control, and Isolation On Next-Generation Networks – is that upgrade. SCION combines the security, reliability and control of private networks with the flexibility of the public internet. The technology has been undergoing development at ETH in Zurich for over ten years. SWITCH has been part of this development since 2015.

The internet as it should be

SCION promises a lot: greater security, increased reliability and path control in the end systems. In order to properly appreciate these improvements, it is worth taking a closer look at what the architecture actually consists of. The most important basic concept is what SCION itself is: an inter-domain routing protocol. It interlinks networks (autonomous systems, AS) on the internet and is seen as a replacement for the Border Gateway Protocol (BGP), which is currently the standard protocol internet service providers use to exchange routing information with each other. SCION does not offer a routing protocol within an AS; there, ISPs continue to use established protocols like OSPF or IS-IS. This means that many of the advantages of SCION mentioned below only come into play with connections spanning several networks.

In addition to the actual SCION protocol, many other systems promising additional features have been developed. These include Lightning Filter as a firewall system and COLIBRI, which promises a fairer internet with global bandwidth reservations.

There are many innovative and exciting internet concepts out there. But many lack the capacity to coexist with the current internet over the long term. It is unrealistic to think that we can simply switch off the existing internet and start again with a new concept. This is where SCION offers crucial advantages. SCION can use the existing internet as a transport medium: in the simplest scenario, it runs as an overlay network on top of the IP network. As use becomes more widespread, increasingly larger sections of the paths can then be realised with native SCION connections. Credit must also be given to SCION for an additional conceptual advantage, namely that since the start of development, there has been a focus on ensuring that all actors involved stand to reap certain benefits.

Greater trust and security

One of the important basic concepts of SCION is the introduction of what are known as isolation domains (ISD). An ISD consists of several networks (AS) and creates a basis of mutual trust. The networks of an ISD use a common certificate authority in order to cryptographically sign data traffic. Based on these signatures, the recipient of a packet can check whether the packet has taken the correct path and whether it has been modified along the way. This root of trust is formed within every ISD, so there is no need for a single globally trusted authority.

More control and new possibilities

Another task of an ISD is to propagate information about available paths to the networks within the ISD. This path information enables end systems to determine, at the time of sending, which path to use for transporting the packet. Whereas previously ISPs were responsible for routing traffic optimally as they saw fit, with SCION this control moves to the end systems and applications. In addition to this paradigm shift, path control also allows a path to be selected according to specific criteria. At present, paths can be selected according to latency, bandwidth or CO2 emissions, though this is conditional upon the respective applications being able to speak the SCION protocol. However, there is still a long way to go until that point is reached.

Alongside path control, SCION also allows multiple paths to be used at the same time. This multi-pathing has some advantages. On the one hand, it ensures better use of existing bandwidth resources on the internet. On the other, the protocol also allows for a rapid switchover if individual paths are down.
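As an added illustration (not code from the article, from SWITCH or from the SCION project), the following Python sketch models the end-host path control, criterion-based selection and multi-path failover described in the two paragraphs above, plus an ISD policy filter in the spirit of the isolation domains discussed earlier. The AS numbers, ISD numbers and per-path metrics are constructed for the example; a real deployment would obtain candidate paths from the local SCION daemon rather than a hard-coded list.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    isd: int   # isolation domain the AS belongs to
    asn: int   # autonomous system number (constructed, private range)

@dataclass
class Path:
    hops: tuple            # (ISD, AS) hops from source to destination
    latency_ms: float
    bandwidth_mbps: float
    co2_g_per_gb: float    # constructed emission figure per GB transferred
    up: bool = True        # False once the path is detected as down

# Constructed candidate paths from AS 64512 (ISD 1) to AS 64520 (ISD 2).
PATHS = [
    Path((Hop(1, 64512), Hop(1, 64513), Hop(2, 64520)), 12.0, 1000.0, 25.0),
    Path((Hop(1, 64512), Hop(3, 64530), Hop(2, 64520)), 9.0, 400.0, 60.0),
    Path((Hop(1, 64512), Hop(2, 64521), Hop(2, 64520)), 30.0, 10000.0, 10.0),
]

# Selection criteria the article names; each key maps to "lower is better".
CRITERIA = {
    "latency": lambda p: p.latency_ms,
    "bandwidth": lambda p: -p.bandwidth_mbps,
    "co2": lambda p: p.co2_g_per_gb,
}

def select_path(paths, criterion, exclude=(), allowed_isds=None):
    """Pick the best live path by one criterion. allowed_isds restricts the
    choice to paths whose every hop lies in a trusted ISD (policy control)."""
    live = [p for p in paths if p.up and p not in exclude]
    if allowed_isds is not None:
        live = [p for p in live if all(h.isd in allowed_isds for h in p.hops)]
    if not live:
        raise RuntimeError("no usable path to destination")
    return min(live, key=CRITERIA[criterion])

def select_multipath(paths, criterion, n=2, allowed_isds=None):
    """Return up to n distinct live paths in preference order (multi-pathing)."""
    chosen = []
    for _ in range(n):
        try:
            chosen.append(select_path(paths, criterion, chosen, allowed_isds))
        except RuntimeError:
            break
    return chosen

def send_with_failover(paths, criterion, payload, allowed_isds=None):
    """Simulated rapid switchover: a down path is skipped without any
    convergence wait, and the next-best path carries the packet."""
    for p in select_multipath(paths, criterion, len(paths), allowed_isds):
        if p.up:
            return p, f"sent {len(payload)} bytes via {[h.asn for h in p.hops]}"
    raise RuntimeError("all paths down")
```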

SCION not only offers new functionality, but also greater security, such as in the form of protection against certain DDoS attacks. The source-based routing combined with a cryptographic signature makes it impossible, thanks to its design, to fake a sender address. As a result, the widespread amplification attacks can be nipped in the bud.

A long path ahead

However, SCION is not the cure-all solution for all the problems of the internet. The technology is grappling with the usual problems associated with innovative ideas: distribution, expertise and standardisation. Moreover, SCION initially adds further complexity to a basic infrastructure considered indispensable today. These new risks must be carefully weighed up against any benefits gained. In recent years, these concerns have been addressed by the developers working under Adrian Perrig at ETH Zurich.

At present, SCION needs to find a swift solution to the issue of distribution, because only once large-scale, global distribution is established can a broad user base really reap the benefits of SCION. And only by identifying the advantages do the necessary application scenarios become clear. This chicken-and-egg situation now needs to be tackled. In SWITCH’s university network, for example, we have been offering SCION to affiliated organisations as a service on top of their existing network connection since last year, setting the barriers to entry as low as possible in order to help boost distribution. Until then, SCION remains a suitable option for closed user groups with a heterogeneous membership. This is the case, for example, with the Secure Swiss Finance Network (SSFN).

Despite all the difficulties faced, I believe that SCION has the potential to overcome these obstacles. There are many good reasons to test SCION and explore its possibilities. And this will also help us uncover new and useful application cases.

Links

SWITCHlan SCION Access

SCION

Secure Swiss Finance Network

About the author
Daniel Bertolo

Daniel Bertolo studied Computer Science at the HSR in Rapperswil and joined SWITCH in 2007. He worked as a System Engineer on the Network Team and was responsible for the optical transport systems as well as SWITCHconnect. In March 2013, he became Team Leader of the Network Team.

#Security

This article was first published at inside-it.ch and inside-channels.ch (in German only) as part of SWITCH's #Security column. The column appears six times a year. Security experts from SWITCH independently express their opinions on topics relating to politics, technology and awareness of IT security.