20 May 2024
Overcoming BGP’s limitations with SCION
The Border Gateway Protocol (BGP) has long been the backbone of Internet routing, but its flaws have become increasingly apparent in today’s interconnected world. From security vulnerabilities to inefficient routing decisions, BGP’s limitations have prompted a range of efforts to address them.
The BGP dilemma
For global routing, the current Internet relies on BGP, a protocol developed in the 1980s over lunch and often referred to as the “two-napkin protocol.”
Today’s Internet comprises thousands of interconnected public and private networks running the TCP/IP protocols. These networks are grouped into Autonomous Systems (ASes), each controlled by a single administrative entity such as a network operator (ISP), content provider, or enterprise. Each AS is identified by a unique 32-bit AS number (ASN) and is associated with one or more blocks of IP address space identified by their prefixes.
These networks connect using routers that dynamically build a map of the Internet by exchanging information about reachable networks over BGP. Each router builds a routing table, allowing traffic to be forwarded from router to router to its final destination, typically along the optimal path.
The problem with BGP is that it was designed in an era when security was not a significant consideration. The smaller number of participating networks could be expected to cooperate to maintain network health. BGP is therefore based on unverified trust between networks: it assumes that an ASN will only advertise prefixes it legitimately holds, will only announce routes to reachable ASNs, and will only send packets with correct source IP addresses. While many Internet protocols have incorporated security mechanisms over time (such as TLS for secure web browsing), BGP has no security features built in. Security extensions have been developed, but they are not currently universally deployed.
Routing security challenges today
It is, unfortunately, common for ASes participating in the global routing system to announce incorrect information, whether accidentally or maliciously, and/or allow packets with forged (or spoofed) IP source addresses. This can lead to service disruption, traffic interception, redirection, modification, and large-scale Distributed Denial-of-Service (DDoS) attacks, posing significant security risks to enterprises, governments, and end-users.
Activists and criminals have increasingly targeted the routing system to steal data and cause disruption, while state-level actors have manipulated it to impose censorship, undertake espionage, and conduct cyberwarfare.
Another problem with BGP is that it typically selects routes based on the fewest number of logical hops to the destination and doesn’t consider other factors such as physical distances, congested links, or geopolitical considerations. This can impact reliable data transmission and data security. Furthermore, when the reachability of one or more ASNs changes, BGP needs to recalculate traffic paths, and this convergence can take several minutes, delaying and potentially losing traffic. While traffic engineering techniques such as policy routing or MPLS can help, they add complexity, require manual configuration, and still cannot always ensure or verify that traffic follows specific paths through the Internet.
The quest for better Internet routing solutions
Over the years, various solutions have been proposed to enhance Internet routing security and reliability. However, achieving widespread adoption of these solutions remains a challenge due to various limitations and complexities in implementation.
- Internet Routing Registries (IRRs): These databases aim to provide a platform where network operators can share routing information, allowing access lists to be generated for routers. However, they suffer from accuracy and reliability issues, as anyone can add information without stringent checks on validity.
- Resource Public Key Infrastructure (RPKI): RPKI enables the cryptographic verification of route ownership, with Route Origin Authorizations (ROAs) allowing networks to state which Autonomous System Number (ASN) may originate a particular IP prefix. While promising, RPKI faces challenges in achieving widespread deployment and adoption, with only around 50% of IP prefixes having valid ROAs.
- BGP Security (BGPSEC): BGPSEC builds on RPKI to provide cryptographic assertions for every router en route to a destination, preventing unauthorized insertion of ASNs into a route. However, deployment of BGPSEC is challenging and computationally intensive, with routers needing explicit support for its full benefits.
- Autonomous System Provider Authorization (ASPA): ASPA aims to address some of the limitations of BGPSEC by allowing ASNs to authorize other ASNs to carry their traffic through the Internet. While ASPA reduces incidences of route leaks and hijacks, it still has limitations in addressing attacks and cannot enable explicit path selection across the Internet.
SCION: A paradigm shift
SCION (Scalability, Control, and Isolation On Next-Generation Networks) is an Internet path-aware technology that supports trusted inter-domain multipath routing. It discovers path segments between participating networks (Autonomous Systems) that can be combined into cryptographically validated end-to-end paths selectable by endpoints. Paths are authenticated at discovery and verified when traffic is forwarded, providing higher assurances that packets will follow particular paths, preventing routing security problems, and ensuring geofencing.
SCION networks can use existing Internet infrastructure but can select how and where their traffic is sent to other SCION networks. Applications can choose paths based on optimal characteristics or other parameters. Applications can also switch quickly (within 1 or 2 seconds) to alternative paths in the event of link failure, congestion, or denial-of-service attacks, providing higher levels of availability and reliability.
How SCION works
The SCION trust model is based on Isolation Domains (ISDs) that are logical groupings of ASNs sharing a uniform trust environment—namely a common jurisdiction with agreed trust policies. Each ISD is administered by one or more core ASNs that collectively generate a trust root called the Trust Root Configuration (a collection of X.509 certificates with ISD information). This is used to establish a standalone CA (i.e., one that is not reliant on third-party CAs) to issue certificates to each ASN in the ISD, which can then be validated by the SCION Control Plane. By grouping ASNs into ISDs, this isolates their control planes and reduces communications overhead with the rest of the Internet, while only explicitly allowed traffic is exchanged between ISDs.
The SCION Control Plane utilizes a beaconing mechanism to discover path segments between ASNs, which are then assembled into available routing paths that are cryptographically validated using the certificates issued to each ASN in an ISD. Each ASN in an ISD must run beaconing, path mapping, and certificate/key management services, typically provided by dedicated hardware or run in a Docker container.
SCION uses simplified routers set up on the borders of an AS without needing changes to its internal structure. These SCION-enabled routers peer with other SCION-enabled routers to forward and receive customer traffic and do not need to undertake control plane operations, which are handled by the control services for each ISD. Endpoints can either run a SCION-aware stack or utilize a SCION gateway.
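The forwarding-time check described above ("verified when traffic is forwarded") can be illustrated with a simplified model, added here and not taken from the original post or from the SCION code base. Each AS authorises its own hop with a key only it holds, chained to the previous hop, and its border router re-checks only that hop. The field layout, the HMAC-SHA256 stand-in for SCION's own MAC algorithm, the sample AS identifiers and all names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace

MAC_LEN = 6  # truncated tag length used in this model

@dataclass(frozen=True)
class HopField:
    isd_as: str   # AS that authorised this hop
    ingress: int  # interface the packet enters through
    egress: int   # interface the packet leaves through
    expiry: int   # Unix time after which the hop is no longer usable
    mac: bytes = b""

def hop_mac(key, hop, prev_mac):
    """Tag binding a hop's fields to the preceding hop's tag."""
    msg = f"{hop.isd_as}|{hop.ingress}|{hop.egress}|{hop.expiry}|".encode() + prev_mac
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

def build_segment(hops, keys):
    """Path discovery: every AS tags its own hop with its own key."""
    out, prev = [], b""
    for hop in hops:
        prev = hop_mac(keys[hop.isd_as], hop, prev)
        out.append(replace(hop, mac=prev))
    return out

def router_accepts(key, segment, index, now):
    """Forwarding: the router of segment[index] verifies only its own hop."""
    hop = segment[index]
    prev = segment[index - 1].mac if index > 0 else b""
    if now > hop.expiry:
        return False
    return hmac.compare_digest(hop.mac, hop_mac(key, hop, prev))

# Constructed sample data: three ASes in one ISD, random per-AS keys.
NOW = 1_700_000_000
ASES = ["1-ff00:0:110", "1-ff00:0:111", "1-ff00:0:112"]
KEYS = {a: secrets.token_bytes(16) for a in ASES}
SEGMENT = build_segment([
    HopField(ASES[0], 0, 1, NOW + 3600),
    HopField(ASES[1], 2, 3, NOW + 3600),
    HopField(ASES[2], 4, 0, NOW + 3600),
], KEYS)

if __name__ == "__main__":
    for i, h in enumerate(SEGMENT):
        print(h.isd_as, router_accepts(KEYS[h.isd_as], SEGMENT, i, NOW))
```

Because each tag covers the previous hop's tag, a hop field copied out of a different segment fails verification at the AS that issued it, and no router needs any key but its own.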
SCION is a unique solution that allows trusted, highly resilient, and path-aware inter-domain routing infrastructure to be built by ISPs, CDN/cloud providers, and enterprises on the existing Internet. It allows operators and users to establish and manage their own trust criteria, choose with whom to send, receive, and transit traffic, and allows for traffic to be sent over multiple paths while offering high availability and fast failover.
SCION: The path forward
In conclusion, SCION represents a significant advancement in Internet routing technology, offering unparalleled security, reliability, and control. By addressing the failures of BGP head-on and providing a viable alternative to existing solutions like IRRs, RPKI, BGPSEC, and ASPA, SCION has the potential to revolutionize the way we connect and communicate online, ushering in a new era of trust and stability on the Internet.
Ready to embrace the future of Internet routing with SCION? Learn more about how SCION can benefit your organization.
Join the movement: embrace SCION and forge a path to a safer, more reliable Internet