Internet with national borders
Source: Heise.de, added 16th Nov 2020
The European IP address administration office RIPE has received an unusual request: the makers of Scalability, Control, and Isolation on Next-Generation Networks (SCION) also need new addresses to build a “new Internet”. Could the European IP address registry RIPE issue them?
The Border Gateway Protocol (BGP), via which the subnets of companies and providers connect with each other to form the wider Internet, has some security gaps. For example, false BGP routes can be announced with little effort, so that traffic is then directed to the wrong destinations (BGP hijacking, also known as prefix or route hijacking). The traffic can then be spied on as it passes through the foreign subnets. A remedy for this scenario was specified in the form of cryptographic protection of the routes via RPKI (BGP Route Origin Validation, ROV), but RPKI is only spreading gradually. And comprehensive protection of the entire path through the old best-effort Internet is still a long way off.
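To make the route origin validation mentioned above concrete, this added example (not part of the Heise article) classifies BGP announcements against ROA-derived records using the RFC 6811 rules. The names `VRP`, `validate_origin` and `accepted_routes` are hypothetical, and all prefixes and AS numbers are constructed documentation values.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA payload: who may originate which prefix, and how specific."""
    prefix: str
    max_length: int
    origin_asn: int

# Constructed sample data: documentation prefixes (RFC 5737, RFC 3849) and
# documentation AS numbers (RFC 5398), not real allocations.
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("2001:db8::/32", 48, 64496),
]

def validate_origin(prefix, origin_asn, vrps=SAMPLE_VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue  # this VRP says nothing about the announced prefix
        covered = True
        # A match needs the authorised origin AND a length within maxLength;
        # AS 0 never matches.
        if origin_asn != 0 and vrp.origin_asn == origin_asn \
                and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered but unmatched: wrong origin or a too-specific prefix.
    return "invalid" if covered else "not-found"

def accepted_routes(announcements, vrps=SAMPLE_VRPS):
    """Drop invalid routes, keep valid and not-found ones (a common ROV policy)."""
    return [a for a in announcements if validate_origin(*a, vrps) != "invalid"]

# Constructed announcements: legitimate, wrong origin, more-specific, uncovered.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.0/24", 64511),
    ("192.0.2.128/25", 64496),
    ("198.51.100.0/24", 64511),
    ("2001:db8:1::/48", 64496),
]
```

The uncovered prefix stays "not-found" and is still accepted, which is why the gradual spread of RPKI noted above limits what origin validation can catch.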
BGP-free Internet
This is where SCION comes in (originally under the label “Secure Communication Infrastructure for a Future Internet”, SCI-FI). Instead of best-effort routing, the transmission paths between the subnetworks are determined in advance. The makers around the Swiss computer scientist Adrian Perrig speak of path-aware routing. The routes are pre-calculated by central autonomous systems (Core AS) for all participants within a subnetwork they manage (Isolation Domain, ISD); the Core AS is the root of a trusted domain.
The classic model, in which every Internet host can connect to any other end point on the Internet, does not exist with SCION. Instead, the Core AS in the ISD works as an intermediary that checks the routes for the users in the ISD and suggests suitable ones for selection. These can be internal ISD routes or external routes to other ISDs. The makers see it as an advantage that internal traffic can be handled strictly locally and does not have to take detours via external ISDs.
No public addresses for end points
The SCION addresses differ from IPv4 and IPv6 addresses, Perrig explained to the administrators and network developers at the 81st RIPE conference at the end of October. They consist of three parts: the first part of the address is the number of the ISD, the second the number of the AS, and the last part designates the end system (simplified example: 1, 10, 1.2.3.4).
SCION works without public addresses; all hosts sit behind the ISDs of their providers. Public servers would have to be addressed using the address of their ISD. This takes a few more bits than classic IPv4/IPv6 addresses, however. Communication between today’s IP Internet and SCION could be mediated by gateways.
Sovereign network islands
The SCION developers promise “more security and a new sovereignty for the independent ISD subnetworks”. And they also advertise that national sub-networks could be set up with SCION: “A possible model for ISDs would be a design along national borders or along the borders of state alliances, because parties within their own jurisdictions can enforce contracts and agree on a trusted root configuration (TRC).”
What the makers see as an advantage for the operators, namely regaining sovereignty over their sub-networks and over the routes that their own traffic takes, worries others. The “governing” Core AS in an ISD could, for example, offer only selected routes and limit incoming and outgoing traffic as it sees fit. According to DTAG’s former routing expert, Rüdiger Volk, new checkpoints are emerging.
Perrig confirms that the question of censorship by governments comes up often. But SCION is prepared for this, he says. The end systems could bypass the Core AS through direct peering (using the provider’s local path servers). The TLS encryption that is already common today prevents eavesdropping. Additional extensions could guarantee anonymity, or so the promise goes.
Help from the IP address administrators?
Currently around 600 SCION end users in 36 ISDs are active. The ETH spin-off Anapaya supplies data centers with SCION access points. Swisscom, the Swiss research network SWITCH, DFN and four Swiss banks are involved in the pilot operation. So far, Anapaya has assigned the required AS addresses itself. The SCION scientists are looking for support. At the RIPE conference, David Hausheer from Otto von Guericke University Magdeburg asked whether the NCC, the operational arm of RIPE, could issue such new addresses.
Daniel Karrenberg, chief scientist of RIPE NCC, replied: “The RIPE members have to decide whether the RIPE NCC will participate in a pilot project.” Karrenberg’s colleague Marco Hogewoning criticized that people are not happy with the fact that SCION wants to set up its own standardization organization in the form of a foundation. The SCION developers reported that they had put out feelers in the direction of both the IETF and the International Telecommunication Union (ITU). But they would rather keep the new Internet in their own hands.
(dz)