| Internet-Draft | SCION CP | August 2023 |
| de Kater, et al. | Expires 24 February 2024 | [Page] |
This document describes the control plane of the path-aware, inter-domain network architecture SCION (Scalability, Control, and Isolation On Next-generation networks). One of the basic characteristics of SCION is that it gives path control to SCION-capable endpoints. In fact, endpoints can choose between multiple path options, enabling the optimization of network paths. The SCION control plane is responsible for discovering these paths and making them available to the endpoints.¶
The main goal of SCION's control plane is to create and manage path segments, which can then be combined into forwarding paths to transmit packets in the data plane. This document first discusses how path exploration is realized through beaconing and how path segments are created and registered. Each SCION autonomous system (AS) can register segments according to its own policy - it is free to specify which path properties and algorithm(s) to use in the selection procedure. The document then describes the path lookup process, where endpoints obtain path segments - a fundamental building block for the construction of end-to-end paths.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://scionassociation.github.io/scion-cp_I-D/draft-dekater-scion-controlplane.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-dekater-scion-controlplane/.¶
Source for this draft and an issue tracker can be found at https://github.com/scionassociation/scion-cp_I-D.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 24 February 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
The SCION control plane is responsible for discovering path segments and making them available to endpoints. This process includes path exploration, registration, and lookup. This section explains the basic concepts of the control plane in SCION and introduces SCION's routing concept.¶
As SCION is an inter-domain network architecture, it only deals with inter-domain routing. One feature of SCION is the decoupling of inter-domain routing from endpoint addressing. This Introduction section provides a description of the SCION addressing system in more detail.¶
Note: It is assumed that readers of this draft are familiar with the basic concepts of the SCION next-generation inter-domain network architecture. If not, please find more detailed information in the IETF Internet Drafts [I-D.scion-overview], [I-D.scion-components], and [I-D.scion-cppki], as well as in [CHUAT22], especially Chapter 2. A short description of the SCION basic terms and elements can be found in Section 1.1 below.¶
Autonomous System (AS): An autonomous system is a network under a common administrative control. For example, the network of an Internet service provider, company, or university can constitute an AS.¶
Beaconing: The control-plane process where an AS discovers paths to other ASes.¶
Control Plane: The SCION control plane is responsible for the propagation and discovery of network paths, i.e., for the exchange of routing information between network nodes. The control plane thus determines where traffic can be sent and deals with questions such as how paths are discovered, which paths exist, what quality individual links offer, etc. Within a SCION AS, such functionalities are carried out by the control service. Packet forwarding is instead a task pertaining to the data plane.¶
Control Service: The control service is the main control-plane infrastructure component within a SCION AS. It is responsible for the path exploration and registration processes that take place within the control plane.¶
Core AS: Each isolation domain (ISD) is administered by a set of distinguished autonomous systems (ASes) called core ASes, which are responsible for initiating the path-discovery and -construction process (in SCION called "beaconing").¶
Endpoint: An endpoint is the start- or the endpoint of a SCION path. For example, an endpoint can be a host as defined in [RFC1122], or a gateway bridging a SCION and an IP domain. This definition is based on the definition in [I-D.path-properties-voc].¶
Forwarding Path: A forwarding path is a complete end-to-end path between two SCION hosts, which is used to transmit packets in the data plane and can be created with a combination of up to three path segments (an up-segment, a core-segment, and a down-segment).¶
Hop Field (HF): As they traverse the network, path-segment construction beacons (PCBs) accumulate cryptographically protected AS-level path information in the form of hop fields. In the data plane, hop fields are used for packet forwarding: they contain the incoming and outgoing interface IDs of the ASes on the forwarding path.¶
Info Field (INF): Each path-segment construction beacon (PCB) contains a single info field, which provides basic information about the PCB. Together with hop fields (HFs), info fields are used to create forwarding paths.¶
Isolation Domain (ISD): In SCION, autonomous systems (ASes) are organized into logical groups called isolation domains or ISDs. Each ISD consists of ASes that span an area with a uniform trust environment (i.e., a common jurisdiction). A possible model is for ISDs to be formed along national boundaries or federations of nations.¶
Leaf AS: An AS at the "edge" of an ISD, with no other downstream ASes.¶
Packet-Carried Forwarding State (PCFS): Rather than relying on costly inter-domain forwarding tables, SCION data packets contain all the necessary path information. We refer to this property as packet-carried forwarding state or PCFS.¶
Path Segment: Path segments are derived from path-segment construction beacons (PCBs) and registered at control services. A path segment can be (1) an up-segment (i.e., a path between a non-core AS and a core AS in the same ISD), (2) a down-segment (i.e., the same as an up-segment, but in the opposite direction), or (3) a core-segment (i.e., a path between core ASes). Up to three path segments can be used to create a forwarding path.¶
Path-Segment Construction Beacon (PCB): Core ASes generate PCBs to explore paths within their isolation domain (ISD) and among different ISDs. ASes further propagate selected PCBs to their neighboring ASes. As a PCB traverses the network, it carries path segments, which can subsequently be used for traffic forwarding.¶
Trust Root Configuration (TRC): A trust root configuration or TRC is a signed collection of certificates pertaining to an isolation domain (ISD). TRCs also contain ISD-specific policies.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
SCION routers and endpoints connect to each other via links. A SCION path between two endpoints essentially traverses one or more links.¶
In SCION, autonomous systems (ASes) are organized into logical groups called isolation domains or ISDs. Each ISD consists of ASes that span an area with a uniform trust environment (i.e., a common jurisdiction). An ISD is administered by a set of distinguished ASes called core ASes. Within and between ISDs, SCION supports three types of links: (1) core links, (2) parent-child links, and (3) peering links.¶
The following figure shows the three types of links for one small ISD with the two core ASes A and C, and the four non-core ASes D,E,F, and G.¶
+-------------------------+
| | #
| ISD Core | | parent-child
| .---. .---. | | link
| ( A )*-------*( C ) | |
| `-#-' `-#-' | 0
| | | |
+----|---------------|----+ *-------* core link
| |
| | < - - - > peering link
.-0-. .-0-.
( D )< - - - >( E )
`-#-' `-#-'
| |
| |
| |
.-0-. .-0-.
( G ) ( F )
`---' `---'
Each link connecting SCION routers is bidirectional and identified by its corresponding egress and ingress interface IDs. These interface IDs only need to be unique within each AS. Therefore, they can be chosen and encoded by each AS independently and without any need for coordination.¶
SCION provides path-aware inter-domain routing between ASes across the Internet. The SCION control plane is responsible for discovering these inter-domain paths and making them available to the endpoints within the ASes. SCION inter-domain routing operates on two levels: Within a SCION isolation domain (ISD), which is called intra-ISD routing, and between ISDs, called inter-ISD routing. Both levels use the so-called path-segment construction beacons (PCBs) to explore network paths. A PCB is initiated by a core AS and then disseminated either within an ISD to explore intra-ISD paths, or among core ASes, to explore core paths across different ISDs.¶
The PCBs accumulate cryptographically protected path and forwarding information on AS-level, and store this information in the form of hop fields. Endpoints use information from these hop fields to create end-to-end forwarding paths for data packets, who carry this information in their packet headers. This concept is called packet-carried forwarding state. The concept also supports multi-path communication among endpoints.¶
The creation of an end-to-end forwarding path consists of the following processes:¶
All processes operate concurrently.¶
Figure 2 below shows the SCION routing processes and their relation to each other.¶
+-------------------------+ +-------------------------+
| Exploration (Beaconing) |------>| Registration |
+-------------------------+ +-----------+-------------+
|
+---------------+
|
+------------------------v------------------------+
| Path Resolution |
| |
| +----------------+ +----------------+ |
| | Lookup +------>| Combination | |
| | | | (Data Plane)| |
| +----------------+ +----------------+ |
+-------------------------------------------------+
The control service is responsible for the path exploration and registration processes in the control plane. It is the main control-plane infrastructure component within each SCION AS. The control service of an AS has the following tasks:¶
Note: The control service of an AS must not be confused with a border router. The control service of a specific AS is part of the control plane and responsible for finding and registering suitable paths. It can be deployed anywhere inside the AS. A border router belongs to the data plane; its main task is to forward data packets. Border routers are deployed at the edge of an AS.¶
As described previously, the main goal of SCION's control plane is to create and manage path segments, which can then be combined into forwarding paths to transmit packets in the data plane. SCION distinguishes the following types of path segments:¶
So each path segment either ends at a core AS, or starts at a core AS, or both.¶
Note: There are no SCION path segments that start and end at a non-core AS. However, when combining path segments into an end-to-end SCION path, it is possible to use peering links. For more information on SCION and peering links, see Section 2.¶
All path segments are invertible: A core-segment can be used bidirectionally, and an up-segment can be converted into a down-segment, or vice versa, depending on the direction of the end-to-end path. This means that all path segments can be used to send data traffic in both directions.¶
The inter-domain SCION routing is based on the <ISD, AS> tuple. Although a complete SCION address is composed of the <ISD, AS, endpoint address> 3-tuple, the endpoint address is not used for inter-domain routing or forwarding. The endpoint address can be of variable length, does not need to be globally unique, and can thus be an IPv4, IPv6, or MAC address, for example - in fact, the endpoint address is the "normal", currently used, non-SCION-specific endpoint address.¶
However, the ISD-AS number is a SCION-specific number. It consists of 64-bits, with the top 16 bits indicating the ISD, and the bottom 48 bits indicating the AS. The text representation uses a dash-separator between the ISD and AS numbers, for example: 4-ff00:1:f. This section provides more details about the numbering scheme for SCION ISD and AS numbers.¶
Note: As a consequence of the fact that SCION relies on existing routing protocols (e.g., IS-IS, OSPF, SR) and communication fabric (e.g., IP, MPLS) for intra-domain forwarding, existing internal routers do not need to be changed to support SCION.¶
An ISD number is the 16-bit global identifier for an ISD. It MUST be globally unique. The following table gives an overview of the ISD number allocation.¶
| ISD | Description |
|---|---|
| 0 | The wildcard ISD. |
| 1 - 15 | Reserved for documentation and sample code (analogous to [RFC5398]). |
| 16 - 63 | Private use (analogous to [RFC6996]). Can be used for testing and private deployments. |
| 64 - 4094 | Public ISDs. Should be allocated in ascending order, without gaps and "vanity" numbers. |
| 4095 - 65535 | Reserved for future use. |
A suitable mechanism to globally coordinate the assignation of ISD numbers does not yet exist. However, we hope that in the future an organization such as ICANN or a regional Internet registry (e.g., RIPE NCC) will take on the responsibility of assigning ISD and AS numbers.¶
Currently, ISD numbers are allocated by Anapaya, the Swiss-based provider of SCION-based networking software and solutions.¶
An AS number is the 48-bit identifier for an AS. SCION inherits the existing 32-bit AS numbers from RFC4893, but provides an extended 48-bit space, allowing for additional SCION-only AS numbers beyond the 32-bit space in use today.¶
The default formatting for AS numbers in SCION is very similar to IPv6 (see [RFC5952]). It uses a 16-bit colon-separated lower-case hex encoding with leading 0's omitted: 0:0:0 to ffff:ffff:ffff.¶
In SCION, the following rules apply:¶
:: zero-compression feature of IPv6 is NOT allowed. The feature has very limited use in a 48-bit address space and would only add more complexity.¶
0:1:f, it should display the number as "65551".¶
0:0:0/16.¶
The next table gives an overview of the AS number allocation.¶
| AS | Size | Description |
|---|---|---|
| 0 | 1 | The wildcard AS |
| 1-4294967295 | ~4.3 bill. | 32-bit BGP AS numbers, formatted as decimal. If a BGP AS deploys SCION, it has the same AS number for both BGP and SCION.1 |
1:0:0
|
1 | Reserved |
2:0:0/16
|
~4.3 bill. | Public SCION-only ASes (i.e., ASes that are created for SCION, and are no existing BGP ASes). They should be allocated in ascending order, without gaps and "vanity" numbers. |
ff00:0:0/32
|
65535 | Reserved for documentation and test/sample code (analogous to [RFC5398]). |
ff00:0:0/24
|
~16.8 mill. | Reserved for private use (analogous to [RFC6996]). These numbers can be used for testing/private deployments. |
ffff:ffff:ffff
|
1 | Reserved |
1) Some 32-bit AS numbers are reserved for special purposes. For more details, see "IANA: Special-Purpose Autonomous System (AS) Numbers".¶
The rest of the space is currently unallocated.¶
SCION allows endpoints to use wildcard addresses in the control-plane routing, to designate any core AS, e.g., to place requests for core- or down-segments during path lookup. These wildcard addresses are of the form I-0, to designate any AS in ISD I. Here, "0" is the wildcard for the AS. For more information, see Section 4.2.1.¶
A secure and reliable routing architecture must be designed specifically to avoid circular dependencies during network initialization. One goal of SCION is that the Internet can start up even after large outages or attacks, in addition to avoiding cascades of outages caused by fragile interdependencies. This section lists the concepts SCION uses to prevent circular dependencies.¶
Besides inter-dependencies, another threat to the Internet is network partition. Partition occurs when one network is split into two because of a link failure. However, partition of the global SCION inter-domain network is much less likely to happen: During normal operation, the full network fabric is available, offering multiple paths between all ASes. Even during failures there is no special failure mode required, as SCION-enabled ASes could always switch to otherwise unused links.¶
Recovering (also called healing) from a partitioned network is also seamless, as only coarse time synchronization between the partitions is required to resume normal operation and move forward with updates of the cryptographic material.¶
All communication between the control services in different ASes is expressed in terms of gRPC remote procedure calls (for details, see [gRPC]). Service interfaces and messages are defined in the Protocol Buffer "proto3" interface definition language (for details, see [proto3]).¶
Note: The details of how gRPC is mapped to the SCION data plane will be described in a separate document.¶
Path exploration is the process where an AS discovers paths to other ASes. In SCION, this process is referred to as beaconing. This section gives a detailed explanation of the SCION beaconing process.¶
In SCION, the control service of each AS is responsible for the beaconing process. The control service generates, receives, and propagates so-called path-segment construction beacons (PCBs) on a regular basis, to iteratively construct path segments. PCBs contain topology and authentication information, and can also include additional metadata that helps with path management and selection. The beaconing process itself is divided into routing processes on two levels, where inter-ISD or core beaconing is based on the (selective) sending of PCBs without a defined direction, and intra-ISD beaconing on top-to-bottom propagation.¶
On its way, a PCB accumulates cryptographically protected path- and forwarding information per traversed AS. At every AS, metadata as well as information about the AS's ingress and egress interfaces are added to the PCB.¶
PCBs do not traverse peering links. Instead, peering links are announced along with a regular path in a PCB. If both ASes at either end of a peering link have registered path segments that include this specific peering link, then it is possible to use this peering link during segment combination to create the end-to-end path.¶
Every propagation period (as configured by the AS), the control service¶
For every selected PCB and egress interface combination, the AS extends the PCB by adding a so-called AS entry to the selected PCB. Such an AS entry includes a hop field that specifies the incoming (ingress) and outgoing (egress) interface for the packet forwarding through this AS, in the beaconing direction. The AS entry can also contain peer entries.¶
The following three figures show how intra-ISD PCB propagation works, from the ISD's core AS down to child ASes. For the sake of illustration, the interfaces of each AS are numbered with integer values.¶
In Figure 3 below, core AS X sends the two different PCBs "a" and "b" via two different links to child AS Y: PCB "a" leaves core AS X via egress interface "2", whereas PCB "b" is sent over egress interface "1". Core AS X adds the respective egress information to the PCBs when sending them off, as can be seen in the figure (the entries "Core - Out:2" and "Core - Out:1", respectively).¶
+-------------+
| Core AS X |
| |
| 2 1 |
+----#---#----+
+--------+ | | +--------+
|PCB | +-----+ | | +-----+ |PCB |
|========|-----|PCB a| | | |PCB b|=====|++++++++|
|Core | +-----+ | | +-----+ |Core |
|- Out:2 | | | | | |- Out:1 |
+--------+ v | | v +--------+
v v
+----#---#----+
| AS Y |
AS Y receives the two PCBs "a" and "b" through two different (ingress) interfaces, namely "2" and "3", respectively (see Figure 4 below). Additionally, AS Y forwards to AS Z four PCBs that were previously sent by core AS X. For this, AS Y uses the two different (egress) links "5" and "6". AS Y extends the four PCBs with the corresponding ingress and egress interface information. As can be seen in the figure, AS Y also has two peering links to its neighboring peers V and W, through the interfaces "1" and "4", respectively - AS Y includes this information in the PCBs, as well. Thus, each forwarded PCB cumulates path information on its way "down" from core AS X.¶
+-----+ | | +-----+
|PCB a| | | |PCB b|
+-----+ | | +-----+
| | | |
v | | v
v v
+----#---#----+
.---. | 2 3 |
( V )- --# 1 |
`---' | AS Y | .---.
| 4 #- --( W )
| | `---'
| 6 5 |
+--------+ +----#---#----+ +--------+
|PCB | | | |PCB |
|========| | | |========|
|Core X | | | |Core X |
|- Out:2 | | | |- Out:2 |
+--------+ |--------| +-----+ | | +-----+ |--------| +--------+
|PCB | |AS Y |--|PCB c| | | |PCB d|--|AS Y | |PCB |
|++++++++| |-In:2 | +-----+ | | +-----+ |-In:2 | |++++++++|
|Core X | |-Out:6 | | | | | |-Out:5 | |Core X |
|- Out:1 | |-PeerV:1| v | | v |-PeerV:1| |- Out:1 |
|--------| |-PeerW:4| | | |-PeerW:4| |--------|
|AS Y | +--------+ | | +--------+ |AS Y |
|-In:3 | +-----+ | | +-----+ |-In:3 |
|-Out:6 |==============|PCB e| | | |PCB f|==============|-Out:5 |
|-PeerV:1| +-----+ | | +-----+ |-PeerV:1|
|-PeerW:4| | | | | |-PeerW:4|
+--------+ v | | v +--------+
v v
+----#---#----+
| AS Z |
The following figure shows how the four PCBs "c", "d", "e", and "f", coming from AS Y, are received by AS Z over two different links: PCBs "c" and "e" reach AS Z over ingress interface "5", whereas PCBs "d" and "f" enter AS Z via ingress interface "1". Additionally, AS Z propagates PCBs "g", "h", "i", and "j" further down, all over the same link (egress interface "3"). AS Z extends the PCBs with the relevant information, so that each of these PCBs now includes AS hop entries from core AS X, AS Y, and AS Z.¶
+-----+ | | +-----+
|PCB c| | | |PCB d|
+-----+ | | +-----+
| +-----+ | | +-----+ |
v |PCB e| | | |PCB f| v
+-----+ | | +-----+
| | | |
v | | v
v v
+------#---#------+
| 5 1 |
| |
| AS Z |
+--------+ | 3 | +--------+
|PCB | +--------#--------+ |PCB |
|========| | |========|
|Core X | | |Core X |
+--------+ |- Out:2 | | |- Out:2 | +--------+
|PCB | |--------| | |--------| |PCB |
|++++++++| |AS Y | | |AS Y | |++++++++|
|Core X | |-In:2 | | |-In:2 | |Core X |
|- Out:1 | |-Out:6 | +-----+ | +-----+ |-Out:5 | |- Out:1 |
|--------| |-PeerV:1|---|PCB g| | |PCB h|---|-PeerV:1| |--------|
|AS Y | |-PeerW:4| +-----+ | +-----+ |-PeerW:4| |AS Y |
|-In:3 | |--------| | | | |--------| |-In:3 |
|-Out:6 | |AS Z | v | v |AS Z | |-Out:5 |
|-PeerV:1| |-In:5 | | |-In:1 | |-PeerV:1|
|-PeerW:4| |-Out:3 | | |-Out:3 | |-PeerW:4|
|--------| +--------+ | +--------+ |--------|
|AS Z | +-----+ | +-----+ |AS Z |
|-In:5 |===============|PCB i| | |PCB j|===============|-In:1 |
|-Out:3 | +-----+ | +-----+ |-Out:3 |
+--------+ | | | +--------+
v | v
v
Based on the figures above, one could say that a PCB represents a single path segment. However, there is a difference between a PCB and a (registered) path segment. A PCB is a so-called "travelling path segment" that accumulates AS entries when traversing the Internet. A (registered) path segment, instead, is a "snapshot" of a travelling PCB at a given time T and from the vantage point of a particular AS A. This is illustrated by Figure 6. This figure shows several possible path segments to reach AS Z, based on the PCBs "g", "h", "i", and "j" from Figure 5 above. It is up to AS Z to use all of these path segments or just a selection of them.¶
AS Entry Core AS Entry Y AS Entry Z
+-------------+ +-------------+ +-------------+
| Core AS X | | AS Y | | AS Z |
path segment 1 | 1# #3 5 #1 |
| | | | | |
| 2#-----#2----------- 6-----#5 |
| | | | | |
+-------------+ +-------------+ +-------------+
egress 2 ingress 2 - egress 6 ingress 5
----------------------------------------------------------------------
+-------------+ +-------------+ +-------------+
| Core AS X | | AS Y | | AS Z |
| 1# #3 +-----5#-----#1 |
path segment 2 | | | | | | |
| 2#-----#2-----+ 6# #5 |
| | | | | |
+-------------+ +-------------+ +-------------+
egress 2 ingress 2 - egress 5 ingress 1
------------------------------------------------------------------------
+-------------+ +-------------+ +-------------+
| Core AS X | | AS Y | | AS Z |
| 1#-----#3-----+ 5# #1 |
path segment 3 | | | | | | |
| 2# #2 +-----6#-----#5 |
| | | | | |
+-------------+ +-------------+ +-------------+
egress 1 ingress 3 - egress 6 ingress 5
------------------------------------------------------------------------
+-------------+ +-------------+ +-------------+
| Core AS X | | AS Y | | AS Z |
| 1#-----#3-----------5#-----#1 |
path segment 4 | | | | | |
| 2# #2 6# #5 |
| | | | | |
+-------------+ +-------------+ +-------------+
egress 1 ingress 3 - egress 5 ingress 1
This section provides a detailed specification of a single PCB and its message format.¶
Note: The SCION open-source implementation makes use of Protobuf (Protocol Buffers), a free and open-source cross-platform data format developed by Google and used to serialize structured data. The messages and remote procedure calls described below are in "proto3" language. For more information on Protobuf, see the official "Protocol Buffers Documentation".¶
Figure 7 graphically represents the PCB message format:¶
PCB / PATH SEGMENT
+-------------+------------+------------+--------+--------------------+
|Segment Info | AS Entry 0 | AS Entry 1 | ... | AS Entry N |
+-------------+------------+------------+--------+--------------------+
*- - - - # - -* *- - - # - - *
| |
*- - - - v - - - * |
+---------+------+ |
|Timestamp|Seg ID| |
+---------+------+ |
|
*- - - - - - - - - - - - - - - - -v- - - - - - - - - - - - - - - - - - *
+-----------------------+----------------------------------------------+
| Unsigned Ext. | Signed AS Entry |
+-----------------------+----------------------------------------------+
*- - - - - - - - - - - - # - - - - - - - - - - *
|
|
*- - - - - - - - - - - - - - - - - - - - - - - - v - - - - - - - - - - *
+--------------------+-----------------++------------------------------+
| Signature | Header || Body |
+--------------------+-----------------++------------------------------+
*- - - - # - - - -**- - - - - - - - # - - - - - - *
| |
*- - - - - - - - - - - - - - -v- - - - * |
+----------------+---------------------+ |
| Signature Alg. | Verification Key ID | |
+----------------+---------------------+ |
*- - - - - # - - - - -* |
| |
*- - - - - - - - - - - - - -v- - - - - - - - - -* |
+---------+---------+------------+--------------+ |
| ISD-AS |TRC Base | TRC Serial |Subject Key ID| |
+---------+---------+------------+--------------+ |
|
*- - - - - - - - - - - - - - - - - - - - - - - - - - - - v - - - - - - *
+------+-----------+---------++------------+----+------------++---+----+
|ISD-AS|Next ISD-AS|Hop Entry||Peer Entry 0| ...|Peer Entry N||MTU|Ext.|
+------+-----------+---------++------------+----+------------++---+----+
*- - # - -**- - - # - - *
| |
| |
*- - - - - - - - - - - -v- * *- - - v - - - - - - - - - - - - - - - - *
+-------------+------------+ +--------+--------+----------+-----------+
| Ingress MTU | Hop Field | |HopField|PeerMTU |PeerISD-AS|PeerInterf.|
+-------------+--------+---+ +----+---+--------+----------+-----------+
*- - -#- - -*
|
|
*- - - - - - - - - - - - - - v - - - - - - - - - - - - - - *
+------------+-------------+-------------------+-----------+
| Ingress | Egress | Expiration Time | MAC |
+------------+-------------+-------------------+-----------+
The following sections provide detailed specifications of the PCB messages, starting with the top-level message of one PCB, and then diving deeper into each of the PCB's message components.¶
Note: For a full example of one PCB in the Protobuf message format, please see Appendix "PCB Protobuf Messages - Full Example".¶
+-------------+-------------+------------+------+------------+ |Segment Info | AS Entry 0 | AS Entry 1 | ... | AS Entry N | +-------------+-------------+------------+------+------------+¶
Each PCB at least consists of:¶
The following code block defines the PCB on top level in Protobuf message format.¶
message PathSegment {
bytes segment_info = 1;
repeated ASEntry as_entries = 2;
}
¶
segment_info: This field is used as input for the PCB signature. It is the encoded version of the component SegmentInformation, which provides basic information about the PCB. The SegmentInformation component is specified in detail in Section 2.2.1.2.¶
as_entries: Contains the ASEntry component of all ASes on the path segment represented by this PCB.¶
ASEntry: The ASEntry component contains the complete path information of a specific AS that is part of the path segment represented by the PCB. The ASEntry component is specified in detail in Section 2.2.1.3.¶
+----------------------------+
| Segment Info |
+----------------------------+
*- - - - - - - # - - - - - - *
|
|
*- - - - - - - v - - - - - - *
+--------------+-------------+
| Timestamp | Seg ID |
+--------------+-------------+
¶
Each PCB MUST include an information component with basic information about the PCB.¶
In the Protobuf message format, the information component of a PCB is called the SegmentInformation message. The following code block shows the Protobuf message definition for the SegmentInformation message.¶
message SegmentInformation {
int64 timestamp = 1;
uint32 segment_id = 2;
}
¶
timestamp: The 32-bit timestamp indicates the creation time of this PCB. It is set by the originating core AS. The expiration time of the corresponding path segment is computed relative to this timestamp. The timestamp is encoded as the number of seconds elapsed since the POSIX Epoch (1970-01-01 00:00:00 UTC).¶
segment_id: The 16-bit identifier of this PCB and the corresponding path segment. The segment ID is required for the computation of the message authentication code (MAC) of an AS's hop field. The MAC is used for hop field verification in the data plane. The originating core AS MUST fill this field with a cryptographically random number.¶
Note: See Section 2.2.1.6 for more information on the hop field message format. The SCION Data Plane Specification provides a detailed description of the computation of the MAC and the verification of the hop field in the data plane.¶
+--------------+
| AS Entry |
+--------------+
*- - - -#- - - *
|
|
|
*- - - - - - - - - - - - - - - - - v - - - - - - - - - - - - - - - *
+-----------------------+------------------------------------------+
| Unsigned Ext. | Signed AS Entry |
+-----------------------+------------------------------------------+
¶
Beside the basic information component, each PCB MUST also contain the entries of all ASes included in the corresponding path segment. This means that the originating core AS MUST add its AS entry to each PCB it creates. During the beaconing process, also each traversed AS MUST attach its AS entry to the PCB.¶
One AS entry contains the complete hop information for this specific AS in this specific path segment. It consists of a signed and an unsigned component.¶
The code block below defines an AS entry ASEntry in Protobuf message format.¶
message ASEntry {
SignedMessage signed = 1;
PathSegmentUnsignedExtensions unsigned = 2;
}
¶
It includes the following components:¶
SignedMessage: The signed component of an AS entry. For the specification of this part of the AS entry, see Section 2.2.1.4 below.¶
PathSegmentUnsignedExtensions: The unsigned and thus unprotected part of the AS entry. These are extensions with metadata that need no explicit protection.¶
+------------------------------------------------------+
| Signed AS Entry |
+------------------------------------------------------+
*- - - - - - - - - - - - -#- - - - - - - - - - - - - - *
|
|
*- - - - - - - - - - - - - - - - -v- - - - - - - - - - - - - - - - - -*
+--------------------+-----------------+------------------------------+
| Header | Body | Signature |
+--------------------+-----------------+------------------------------+
¶
Each AS entry of a PCB MUST include a signed component as well as a signature computed over the signed component. Each AS entry MUST be signed with a private key that corresponds to the public key certified by the AS's certificate.¶
This section specifies the signed component of an AS entry. The signed component of an AS entry MUST include the following elements:¶
In the Protobuf message-format implementation, the signed component of an AS entry is specified by the SignedMessage. It consists of a header-and-body part (header_and_body) and a raw signature (signature). See also the code block below.¶
message SignedMessage {
bytes header_and_body = 1;
bytes signature = 2;
}
¶
The following code block shows the low-level representation of the HeaderAndBodyInternal message used for signature computation input. This message should not be used by external code.¶
message HeaderAndBodyInternal {
// Encoded header suitable for signature computation.
bytes header = 1;
// Raw payload suitable for signature computation.
bytes body = 2;
}
¶
signature field, see Section 2.2.1.4.3.¶
+-----------------+
| Header |
+-----------------+
*- - - - # - - - -*
|
- - - - - - - - - -v- - - - - - - - - *
+----------------+---------------------+
| Signature Alg. | Verification Key ID |
+----------------+---------------------+
*- - - - - # - - - - -*
|
- - - - - - - - - - - - - -v- - - - - - - - - -
+---------+---------+------------+--------------+
| ISD-AS |TRC Base | TRC Serial |Subject Key ID|
+---------+---------+------------+--------------+
¶
The header part defines metadata that is relevant to (the computation and verification of) the signature. It MUST at least include the following metadata:¶
The following code block defines the signed header of an AS entry in Protobuf message format (called the Header message).¶
message Header {
SignatureAlgorithm signature_algorithm = 1;
bytes verification_key_id = 2;
// Optional
google.protobuf.Timestamp timestamp = 3;
// Optional
bytes metadata = 4;
int32 associated_data_length = 5;
}
message VerificationKeyID {
uint64 isd_as = 1;
bytes subject_key_id = 2;
uint64 trc_base = 3;
uint64 trc_serial = 4;
}
¶
signature_algorithm: Specifies the algorithm to compute the signature.¶
verification_key_id: Holds the serialized data defined by the VerificationKeyID message type. The VerificationKeyID message contains more information that is relevant to signing and verifying PCBs and other control-plane messages. The VerificationKeyID message type includes the following fields (see also the above code block):¶
isd_as: The ISD-AS number of the current AS.¶
subject_key_id: Refers to the certificate that contains the public key needed to verify this PCB's signature.¶
trc_base: Defines the base number of the latest Trust Root Configuration (TRC) available to the signer at the time of the signature creation.¶
trc_serial: Defines the serial number of the latest TRC available to the signer at the time of the signature creation.¶
Note: For more information on signing and verifying control-plane messages (such as PCBs), see the chapter Signing and Verifying Control-Plane Messages of the SCION Control-Plane PKI Specification [I-D.scion-cppki]. For more information on the TRC base and serial number, see the chapter Trust Root Configuration Specification of the SCION Control-Plane PKI Specification [I-D.scion-cppki].¶
timestamp: Defines the signature creation timestamp. This field is optional.¶
metadata: Can be used to include arbitrary per-protocol metadata. This field is optional.¶
associated_data_length: Specifies the length of associated data that is covered by the signature, but is not included in the header and body. The value of this field is zero, if no associated data is covered by the signature.¶
+--------------------------------------+
| Body |
+--------------------------------------+
*- - - - - - - - - -#- - - - - - - - - *
|
|
*- - - - - - - - - - - - - - - - - -v- - - - - - - - - - - - - - - - -*
+------+-----------+---------++------------+---+------------++---+----+
|ISD-AS|Next ISD-AS|Hop Entry||Peer Entry 0|...|Peer Entry N||MTU|Ext.|
+------+-----------+---------++------------+---+------------++---+----+
¶
The body of an AS entry consists of the signed component ASEntrySignedBody of all ASes in the path segment represented by the PCB, up until and including the current AS.¶
The following code block defines the signed body of one AS entry in Protobuf message format (called the ASEntrySignedBody message).¶
message ASEntrySignedBody {
uint64 isd_as = 1;
uint64 next_isd_as = 2;
HopEntry hop_entry = 3;
repeated PeerEntry peer_entries = 4;
uint32 mtu = 5;
PathSegmentExtensions extensions = 6;
}
¶
isd_as: The ISD-AS number of the AS that created this AS entry.¶
next_isd_as: The ISD-AS number of the downstream AS to which the PCB should be forwarded.¶
hop_entry: The hop entry (HopEntry) with the information required to forward this PCB through the current AS to the next AS. This information is used in the data plane. For a specification of the hop entry, see Section 2.2.1.5.¶
peer_entries: The list of optional peer entries (PeerEntry). For a specification of one peer entry, see Section 2.2.1.7.¶
mtu: The size of the maximum transmission unit (MTU) within the current AS's network.¶
extensions: List of (signed) extensions (optional). PCB extensions defined here are part of the signed AS entry. This field should therefore only contain extensions that include important metadata for which cryptographic protection is required. For more information on PCB extensions, see Section 2.2.2.¶
Each AS entry is signed with a private key Ki that corresponds to the public key certified by the AS's certificate. The signature Sigi of an AS entry ASEi is computed over the AS entry's signed component. This is the input for the computation of the signature:¶
header_and_body).¶
segment_info component of the current AS. This is the encoded version of the SegmentInformation component containing basic information about the path segment represented by the PCB. For the specification of SegmentInformation, see Section 2.2.1.2.¶
header_and_body/signature combination of each previous AS on this specific path segment.¶
The signature Sigi of an AS entry ASEi is now computed as follows:¶
Sigi = Ki( SegInfo || ASE0(signed) || Sig0 || ... || ASEi-1(signed) || Sigi-1 || ASEi(signed) )¶
The signature metadata minimally contains the ISD-AS number of the signing entity and the key identifier of the public key that should be used to verify the message. For more information on signing and verifying control-plane messages, see the chapter "Signing and Verifying Control-Plane Messages" of the SCION Control-Plane PKI Specification [I-D.scion-cppki].¶
The following code block shows how the signature input is defined in the SCION Protobuf implementation ("ps" stands for path segment). Note that the signature has a nested, onion-like structure.¶
input(ps, i) = signed.header_and_body || associated_data(ps, i)
associated_data(ps, i) = ps.segment_info ||
ps.as_entries[1].signed.header_and_body ||
ps.as_entries[1].signed.signature ||
...
ps.as_entries[i-1].signed.header_and_body ||
ps.as_entries[i-1].signed.signature
¶
+-----------+
| Hop Entry |
+-----------+
*- - -#- - -*
|
- - - - - - v - - - - - - *
+-------------+------------+
| Ingress MTU | Hop Field |
+-------------+------------+
¶
Each body of an AS entry MUST contain exactly one hop entry component. The hop entry component specifies forwarding information for the data plane. The data plane requires this information to create the hop through the current AS (in the direction of the beaconing).¶
The following code block defines the hop entry component HopEntry in Protobuf message format:¶
message HopEntry {
HopField hop_field = 1;
uint32 ingress_mtu = 2;
}
¶
hop_field: Contains the authenticated information about the ingress and egress interfaces in the direction of beaconing. The data plane needs this information to forward packets through the current AS. For further specifications, see Section 2.2.1.6.¶
ingress_mtu: Specifies the maximum transmission unit (MTU) of the ingress interface of the current AS.¶
+-----------+
| Hop Field |
+-----------+
*- - -#- - -*
|
|
*- - - - - - - - - - - - - -v- - - - - - - - - - - - - - - *
+-------------+-------------+-------------------+----------+
| Ingress | Egress | Expiration Time | MAC |
+-------------+-------------+-------------------+----------+
¶
The hop field, part of both hop entries and peer entries, is used directly in the data plane for packet forwarding: It specifies the incoming and outgoing interfaces of the ASes on the forwarding path. To prevent forgery, this information is authenticated with a message authentication code (MAC).¶
The following code block defines the hop field component HopField in Protobuf message format:¶
message HopField {
uint64 ingress = 1;
uint64 egress = 2;
uint32 exp_time = 3;
bytes mac = 4;
}
¶
ingress: The 16-bit ingress interface identifier (in the direction of the path construction, that is, in the direction of beaconing through the current AS).¶
Note: For the AS that initiates the PCB, the ingress interface identifier MUST NOT be specified. This initiating AS is a core AS.¶
egress: The 16-bit egress interface identifier (in the direction of beaconing).¶
exp_time: The 8-bit encoded expiration time of the hop field, indicating how long the hop field is valid. This value is an offset relative to the PCB creation timestamp set in the PCB's segment information component (see also Section 2.2.1.2). By combining these two values, the AS can compute the absolute expiration time of the hop field. Data-plane packets that use the hop field after the expiration time MUST be dropped.¶
mac: The message authentication code (MAC) used in the data plane to verify the hop field. The SCION Data Plane Specification provides a detailed description of the computation of the MAC and the verification of the hop field in the data plane.¶
+--------------+
| Peer Entry |
+--------------+
*- - - -#- - - *
|
*- - - - - - - - - - - - - - -v- - - - - - - - - - - - - - *
+-------------+------------+--------------+----------------+
| Hop Field | Peer MTU | Peer ISD-AS | Peer Interface |
+-------------+------------+--------------+----------------+
¶
By means of a peer entry, an AS can announce that it has a peering link to another AS. A peer entry is an optional component of a PCB - it is only included if there is a peering link to a peer AS.¶
The following code block defines the peer entry component PeerEntry in Protobuf message format:¶
message PeerEntry {
uint64 peer_isd_as = 1;
uint64 peer_interface = 2;
uint32 peer_mtu = 3;
HopField hop_field = 4;
}
¶
peer_isd_as: The ISD-AS number of the peer AS. This number is used to match peering segments during path construction.¶
peer_interface: The 16-bit interface identifier of the peering link on the peer AS side. This identifier is used to match peering segments during path construction.¶
peer_mtu: Specifies the maximum transmission unit MTU on the peering link.¶
hop_field: Contains the authenticated information about the ingress and egress interfaces in the current AS (coming from the peering link, in the direction of beaconing - see also Figure 8). The data plane needs this information to forward packets through the current AS. For further specifications, see Section 2.2.1.6.¶
+-----------+
| |
| parent AS |
| |
+-----------+
|
|
| ASE.HF.ingress_interface
+--------#-----------+ +-----------------+
| | | PE.peer_ | |
| | interface| |
| | + - - - - #------------------# peer AS |
| |PE.HF.ingress_ | |
| | | |interface | |
| | +-----------------+
| v v |
+---------#----------+
| PE.HF.egress_interface
| ASE.HF.egress_interface
|
|
+-----------+
| |
| child AS |
| |
+-----------+
In addition to basic routing information like hop entries and peer entries, PCBs can be used to communicate additional metadata, in its extensions. Extensions can be signed and unsigned. Signed extensions are protected by the AS signature, whereas unsigned extensions are not.¶
On code-level and in Protobuf message format, extensions are specified as follows:¶
PathSegmentUnsignedExtensions are part of the AS entry component (the ASEntry message, see also Section 2.2.1.3).¶
PathSegmentExtensions are part of the signed body component of an AS entry (the ASEntrySignedBody message, see also Section 2.2.1.4.2).¶
Note: SCION also supports so-called "detachable extensions". The detachable extension itself is part of a PCB's unsigned extensions, but a cryptographic hash of the detachable extension data is added to the signed extensions. Thus, a PCB with a detachable extension can be signed and verified without actually including the detachable extension in the signature. This prevents a possible processing overhead caused by large cryptographically-protected extensions.¶
This section describes how PCBs are selected and propagated in the path exploration process.¶
As an AS receives a series of intra-ISD or core PCBs, it must select the PCBs it will use to continue beaconing. Each AS must specify a local policy on the basis of which PCBs are evaluated, selected or eliminated. The selection process can be based on path properties (e.g., length, disjointness across different paths) as well as on PCB properties (e.g., age, remaining lifetime of sent instances) - each AS is free to use those properties that suit the AS best. The control service can then compute the overall quality of each candidate PCB based on these properties. For this, the AS should use a selection algorithm or metric that reflects its needs and requirements and identifies the best PCBs or paths segments for this AS.¶
When receiving a PCB, an AS first stores the PCB in a temporary storage for candidate PCBs, called the beacon store.¶
PCBs are propagated in batches to each connected downstream AS at a fixed frequency, the propagation interval. At each propagation event, each AS selects a set of the best PCBs from the candidates in the beacon store, according to the AS's selection policy. This set should have a fixed size, the best PCBs set size.¶
Note: Depending on the selection criteria, it may be necessary to keep more candidate PCBs than the best PCBs set size in the beacon store, to be able to determine the best set of PCBs. If this is the case, an AS should have a suitable pre-selection of candidate PCBs in place, in order to keep the beacon store capacity limited.¶
Note: Note that during bootstrapping and if the AS obtains a PCB containing a previously unknown path, the AS should forward the PCB immediately, to ensure quick connectivity establishment.¶
Figure 9 below illustrates the selection of path segments in three networks. Each network uses a different path property to select path segments.¶
Selected path segment: #------# or *------*
Peering Link: PL
ISD A: Path Length ISD B: Peering Links
+----------------------+ +---------------------------+
| ISD Core | | ISD Core |
| .---. .---. | | .---. .---. |
|( A ) - - - ( C ) | | ( A ) - - - - - ( C ) |
| `-#-' `---' | + --- `---' `---' |
| || .---. | | | | | .---. - - - - - |
| | - ( B ) - | | | | -( B ) |
| | `-+-' | | | `-#-|| |
+---|--------------|---+ | | | | - - - - - - - - +
| | | | | | | |
| | +----|------|-|-------------+ |
| | .-+-. | + - - - - +
| .-+-. ( E ) | | | |
| ( D ) `---' | |
| `-+-' | .-+-. | .-#-. .-+-. |
| .-+-. ( D )-PL-----( E )--PL-( F )
| | ( F ) `---' | `-#-' `-+-' .-+-.
.-#-. `-+-' | ( G )
( G ) - + | - - + | | `-+-'
`---- - - - - - - | |
.---. .-#-. .-+-. |
( H )-PL--( I )--PL-( J )
`---' `-#-' `---' .-+-.
| | ( K )
ISD C: Disjointness | `---'
+---------------------------+ .-#-. | |
| ISD Core | ( L ) - - - -
| | `---' - - - - - - - - +
| .---. .---. |
|( A ) - - - - - - ( C )|
| `-*-' `-#-' |
| | | .---. | | |
| | - - ( B ) - - | |
| | `---' | |
+---|-------------------|---+
| |
.----*. .-#---.
( D ) ( E )
`----*' `-#---'
| | | |
#---------------------#
| | | |
| *------------------*
| | | |
.--#--. .*----.
( F #-------# ( G )
`-----' | `*----|
| *------------*
| | |
|-----. | | .-----.
( H *----* #------# I )
`---*-' `-#---'
| |
| .---. |
*------* J #-------#
`---'
As mentioned above, once per propagation period (determined by each AS), an AS propagates selected PCBs to its neighboring ASes. This happens on the level of both intra-ISD beaconing and core beaconing. This section describes both processes in more detail.¶
To bootstrap the initial communication with a neighboring beacon service, ASes use so-called one-hop paths. This special kind of path handles beaconing between neighboring ASes for which no forwarding path may be available yet. In fact, it is the task of beaconing to discover such forwarding paths. The purpose of one-hop paths is thus to break this circular dependency. The One-Hop Path Type will be described in more detail in the SCION Data Plane specification.¶
The following first steps of the propagation procedure are the same for both intra-ISD and core beaconing:¶
The propagation process in intra-ISD beaconing includes the following steps:¶
The control service adds a new AS entry to every selected PCB. This AS entry MUST at least include:¶
SegmentCreationService.Beacon remote procedure call (RPC) in the control services of the neighboring ASes (see also Section 2.3.2.4).¶
Note:¶
The propagation process in core beaconing includes the following steps:¶
The service adds a new AS entry to every selected PCB. This AS entry MUST at least include:¶
SegmentCreationService.Beacon remote procedure call (RPC) in the control services of the neighboring core ASes (see also Section 2.3.2.4).¶
The last step of the above described core and intra-ISD propagation procedures is implemented as follows in Protobuf message format:¶
service SegmentCreationService {
rpc Beacon(BeaconRequest) returns (BeaconResponse) {}
}
message BeaconRequest {
PathSegment segment = 1;
}
message BeaconResponse {}
¶
The propagation procedure includes the following elements:¶
SegmentCreationService: Specifies the service via which the extended PCB is propagated to the control service of the neighboring AS.¶
Beacon: Specifies the method that calls the control service at the neighboring AS in order to propagate the extended PCB.¶
BeaconRequest: Specifies the request message sent by the Beacon method to the control service of the neighboring AS. It contains the following element:¶
PathSegment: Specifies the path segment to propagate to the neighboring AS. For more information on the Protobuf message type PathSegment, see Section 2.2.1.1.¶
BeaconResponse: Specifies the response message from the neighboring AS.¶
Path registration is the process where an AS transforms selected PCBs into path segments, and adds these segments to the relevant path databases, thus making them available to other ASes.¶
As mentioned previously, a non-core AS typically receives several PCBs representing several path segments to the core ASes of the ISD the AS belongs to. Out of these PCBs, the non-core AS selects those down-path segments through which it wants to be reached, based on AS-specific selection criteria. The next step is to register the selected down-segments with the control service of the relevant core ASes, according to a process called intra-ISD path-segment registration. As a result, a core AS's control service contains all intra-ISD path segments registered by the non-core ASes of its ISD. In addition, each core AS control service also stores preferred core-path segments to other core ASes, in the core-segment registration process. Both processes are described below.¶
Every registration period (determined by each AS), the AS's control service selects two sets of PCBs to transform into two types of path segments:¶
The up- and down-segments do not have to be equal. An AS may want to communicate with core ASes via one or more up-segments that differ from the down-segment(s) through which it wants to be reached. Therefore, an AS can define different selection policies for the up- and down-segment sets. Also, the processes of transforming a PCB in an up-segment or a down-segment differ slightly. Both processes are described below.¶
Both the up- and down-segments end at the AS. One could therefore say that by transforming a PCB into a path segment, an AS "terminates" the PCB for this AS ingress interface and at this moment in time.¶
The control service of a non-core AS must perform the following steps to "terminate" a PCB:¶
The control service adds a new AS entry to the PCB. This new AS entry MUST be defined as follows:¶
The next AS MUST NOT be specified.¶
next_isd_as field in the ASEntrySignedBody component MUST be "0".¶
The egress interface in the hop field component MUST NOT be specified.¶
egress field in the HopField component MUST be "0".¶
If the AS has peering links, the control service should add corresponding peer entry components to the signed body of the AS entry - one peer entry component for each peering link that the AS wants to advertise. The egress interface ID in the hop field component of each added peer entry MUST NOT be specified.¶
egress field in the HopField component MUST be "0".¶
Note:¶
Every registration period, the control service of a non-core AS performs the following steps to transform PCBs into up-segments:¶
Note: For more information on possible selection strategies of PCBs, see Section 2.3.1.¶
Every registration period, the control service of a non-core AS performs the following steps to transform PCBs into down-segments:¶
SegmentRegistrationService.SegmentsRegistration remote procedure call (RPC) in the control services of the relevant core ASes (see also Section 3.3).¶
Note: For more information on possible selection strategies of PCBs, see Section 2.3.1.¶
The core beaconing process creates path segments from core AS to core AS. These core-segments are then added to the control service path database of the core AS that created the segment, so that local and remote endpoints can obtain and use these core-segments. In contrast to the intra-ISD registration procedure, there is no need to register core-segments with other core ASes (as each core AS will receive PCBs originated from every other core AS).¶
In every registration period, the control service of a core AS performs the following operations:¶
Note: For more information on possible selection strategies of PCBs, see Section 2.3.1.¶
The control service of a non-core AS has to register the newly created down-segments with the control services of the core ASes that originated the corresponding PCBs. This registration step is implemented as follows in Protobuf message format:¶
enum SegmentType {
SEGMENT_TYPE_UNSPECIFIED = 0;
SEGMENT_TYPE_UP = 1;
SEGMENT_TYPE_DOWN = 2;
SEGMENT_TYPE_CORE = 3;
}
service SegmentRegistrationService {
rpc SegmentsRegistration(SegmentsRegistrationRequest) returns (SegmentsRegistrationResponse) {}
}
message SegmentsRegistrationRequest {
message Segments {
repeated PathSegment segments = 1;
}
map<int32, Segments> segments = 1;
}
message SegmentsRegistrationResponse {}
¶
SegmentType: Specifies the type of the path segment that must be registered. Currently, only the following type is used:¶
SEGMENT_TYPE_DOWN: Specifies a down-segment.¶
map<int32, Segments> segments: Represents a separate list of segments for each path segment type. The key is the integer representation of the corresponding SegmentType.¶
The path lookup is a fundamental building block of SCION's path management, as it enables endpoints to obtain path segments found during path exploration and registered during path registration. This allows the endpoints to construct end-to-end paths from the set of possible path segments returned by the path lookup process. The lookup of paths still happens in the control plane, whereas the construction of the actual end-to-end paths happens in the data plane.¶
An endpoint (source) that wants to start communication with another endpoint (destination), requires up to three path segments:¶
a core-path segment to reach¶
Note: The actual number of required path segments depends on the location of the destination AS as well as on the availability of shortcuts and peering links. More information on combining and constructing paths will be provided by the SCION Data Plane Specification document.¶
The process to look up and fetch path segments consists of the following steps:¶
Table 3 below shows which control service provides the source endpoint with which type of path segment.¶
| Segment Type | Responsible control service(s) |
|---|---|
| Up-segment | Control service of the source AS |
| Core-segment | Control service of core ASes in source ISD |
| Down-segment | Control service of core ASes in destination ISD (either the local ISD or a remote ISD) |
The overall sequence of requests to resolve a path should be as follows:¶
For the sake of efficiency, the control service of the source AS should cache each returned path segment request. Caching ensures that path lookups are fast for frequently used destinations. The use of caching is also essential to ensure that the path-lookup process is scalable and can be performed with low latency.¶
In general, to improve overall efficiency, the control services of all ASes should do the following:¶
As described above, the source endpoint resolves paths with a sequence of segment requests to the control service of the source AS. The control service in the source AS answers directly, or forwards these requests to the responsible control services of core ASes. In SCION, the instances that handle these segment requests at the control services are called source AS segment-request handler and core AS segment-request handler, respectively. This section specifies the behavior of the segment-request handlers in the lookup process. First, the use of wildcards in the lookup process is briefly addressed.¶
Endpoints can use wildcard addresses to designate any core AS in path-segment requests. The segment-request handlers must expand these wildcard addresses and translate them into one or more actual addresses. Table 4 below shows who is responsible for what.¶
Note: For general information on the use of wildcard addresses in SCION, see Section 1.5.3.¶
| Segment Request | Wildcard Represents | Expanded/Translated By | Translated Into |
|---|---|---|---|
| Up-segment | "Destination" core AS (where up-segment ends) | Control service of the source AS | Actual address destination core AS in source ISD |
| Core-segment | Source core AS (where core-segment starts)1 | Control service of the source AS | Actual address source core AS in source ISD |
| Core-segment | Destination core AS (where core-segment ends) | Control service of the source core AS | Actual address destination core AS in destination ISD |
| Down-segment | "Source" core AS (where down-segment starts)2 | Control service of the source AS | Actual address source core AS in destination ISD |
1) Includes all core ASes for which an up-segment from the source AS exists.
2) Includes all core ASes in destination ISD with a down-segment to destination AS.¶
When the segment-request handler of the control service of a non-core source AS receives a path segment request, it MUST proceed as follows:¶
In the case of a core-segment request from a source core AS to a destination core AS:¶
In the case of a down-segment request:¶
For each segment request,¶
When the segment-request handler of a core AS control service receives a path segment request, it MUST proceed as follows:¶
Validate the request:¶
Appendix "Path-Lookup Examples" shows by means of an illustration how the lookup of path segments in SCION works.¶
One of the fundamental objectives that guided the design of SCION is security, in particular network security. See chapter 7 of the SCION book (Security Analysis), which states the precise security goals of various network participants and how SCION achieves these goals in the presence of different types of adversaries [CHUAT22].¶
To be precised.¶
TODO IANA considerations.¶
Many thanks go to William Boye (Swiss National Bank), Juan A. Garcia Prado (ETH Zurich), Samuel Hitz (Anapaya), and Roger Lapuh (Extreme Networks) for reviewing this document. We are also very grateful to Adrian Perrig (ETH Zurich), for providing guidance and feedback about each aspect of SCION. Finally, we are indebted to the SCION development teams of Anapaya and ETH Zurich, for their practical knowledge and for the documentation about the SCION Control Plane, as well as to the authors of [CHUAT22] - the book is an important source of input and inspiration for this draft.¶
The following code block provides a full example of one PCB in the Protobuf message format.¶
message PathSegment {
bytes segment_info = 1;
repeated ASEntry as_entries = 2;
}
message SegmentInformation {
int64 timestamp = 1;
uint32 segment_id = 2;
}
message ASEntry {
// The signed part of the AS entry. The body of the SignedMessage
// is the serialized ASEntrySignedBody.
// The signature input is defined as following:
//
// input(ps, i) = signed.header_and_body || associated_data(ps,i)
//
// associated_data(ps, i) =
// ps.segment_info ||
// ps.as_entries[1].signed.header_and_body ||
// ps.as_entries[1].signed.signature ||
// ...
// ps.as_entries[i-1].signed.header_and_body ||
// ps.as_entries[i-1].signed.signature
//
SignedMessage signed = 1;
// Optional
PathSegmentUnsignedExtensions unsigned = 2;
}
message SignedMessage {
// Encoded header and body.
bytes header_and_body = 1;
// Raw signature. The signature is computed over the
// concatenation of the header and body, and the optional
// associated data.
bytes signature = 2;
}
message HeaderAndBodyInternal {
// Encoded header suitable for signature computation.
bytes header = 1;
// Raw payload suitable for signature computation.
bytes body = 2;
}
message Header {
SignatureAlgorithm signature_algorithm = 1;
bytes verification_key_id = 2;
// Optional
google.protobuf.Timestamp timestamp = 3;
// Optional
bytes metadata = 4;
int32 associated_data_length = 5;
}
message VerificationKeyID {
uint64 isd_as = 1;
bytes subject_key_id = 2;
uint64 trc_base = 3;
uint64 trc_serial = 4;
}
message ASEntrySignedBody {
uint64 isd_as = 1;
uint64 next_isd_as = 2;
HopEntry hop_entry = 3;
repeated PeerEntry peer_entries = 4;
uint32 mtu = 5;
// Optional
PathSegmentExtensions extensions = 6;
}
message HopEntry {
HopField hop_field = 1;
uint32 ingress_mtu = 2;
}
message PeerEntry {
uint64 peer_isd_as = 1;
uint64 peer_interface = 2;
uint32 peer_mtu = 3;
HopField hop_field = 4;
}
message HopField {
uint64 ingress = 1;
uint64 egress = 2;
uint32 exp_time = 3;
bytes mac = 4;
}
¶
To illustrate how the path lookup works, we show two path-lookup examples in sequence diagrams. The network topology of the examples is represented in Figure 10 below. In both examples, the source endpoint is in AS A. Figure 11 shows the sequence diagram for the path lookup process in case the destination is in AS D, whereas Figure 12 shows the path lookup sequence diagram if the destination is in AS G. ASes B and C are core ASes in the source ISD, while E and F are core ASes in a remote ISD. Core AS B is a provider of the local AS, but AS C is not, i.e., there is no up-segment from A to C. "CS" stands for controle service.¶
+----------------------------+ +----------------------------+ | | | | | | | | | +------------------+ | | +------------------+ | | | Core | | | | Core | | | | | | | | | | | | .---. .---. | | | | .---. | | | |( C )---( B )-----------------------------( F )| | | | `+--' `+-+'---------+ | | .---. `+-+' | | | | | | | | | +------------( E ) | | | | | | | | | | | | | `-+-'----+ | | | | +--|---------|-|---+ | | +------|--------|--+ | | | | | | | | | | | | | | | | | | | | |+--------+ | | | | | | | || | | | | | | | || | | | | | | | .-++. | | | .-+-. | | | ( D ) .-+-. | | ( G )-----+ | | `---' ( A ) | | `---' | | `---' | | | | ISD 1 | | ISD 2 | +----------------------------+ +----------------------------+
+---------+ +---------+ +---------+ +---------+
|Endpoint | |Source AS| | Core AS | | Core AS |
| | | CS (A) | | CS (B) | | CS (C) |
+----+----+ +----+----+ +----+----+ +-----+---+
+++ | | |
| | | | |
+---+-+-------+ | | |
|send requests| | | |
| in parallel | | | |
+---+-+-------+ | | |
| | | | |
| | request (up) | | |
| +----------------->+++ | |
| |< -- -- -- -- -- -+++ | |
| | reply (up,[A->B]) | | |
| | | | |
| | | | |
| | | | |
| |request (core,*,*) | | |
| +----------------->+++ | |
| | | |request (core,B,*) | |
| | | +----------------->+++ |
| | | |<-- -- -- -- -- --+++ |
| | | | reply(core,[B->C])| |
| |< -- -- -- -- -- -+++ | |
| |reply (core,[B->C])| | |
| | | | |
| | | | |
| |request (down,*,D) | | |
| +----------------->+++ | |
| | +-----+-+-----+ | |
| | |send requests| | |
| | | in parallel | | |
| | +-----+-+-----+ | |
| | | | | |
| | | |request (down,B,D) | |
| | | +----------------->+++ |
| | | |<-- -- -- -- -- --+++ |
| | | | reply(down,[B->D])| |
| | | | | |
| | | | |request (down,C,D) |
| | | +-------------------+----------------->+++
| | | <-- -- -- -- -- -- -+ -- -- -- -- -- --+++
| | reply (down, | | | reply(down,[C->D])|
| | [B->D, C->D]) | | | |
| |< -- -- -- -- -- -+++ | |
| | | | |
+---+-+----------+ | | |
|combine segments| | | |
+---+-+----------+ | | |
| | | | |
+++ | | |
| | | |
+---+----+ +---+----+ +----+---+ +----+---+
+--------+ +--------+ +--------+ +--------+
+---------+ +---------+ +---------+ +---------+ +---------+
|Endpoint | |Source AS| | Core AS | | Core AS | | Core AS |
| | | CS (A) | | CS (B) | | CS (E) | | CS (F) |
+---+-----+ +----+----+ +----+----+ +----+----+ +----+----+
| | | | |
+++ | | | |
| | | | | |
+--+-+------+ | | | |
| send | | | | |
|requests in| | | | |
| parallel | | | | |
+--+-+------+ | | | |
| | | | | |
| | request (up) | | | |
| +------------->+++ | | |
| |<- -- -- -- --+++ | | |
| | reply | | | |
| | (up,[A->B]) | | | |
| | | | | |
| | | | | |
| | request | | | |
| |(core,*,(2,*)) | | | |
| +------------->+++ request | | |
| | | |(core,B,(2,*)) | | |
| | | +------------->+++ | |
| | | |<- -- -- -- --+++ | |
| | | | reply (core, | | |
| | | | [B->E,B->F]) | | |
| |<- -- -- -- --+++ | | |
| | reply (core, | | | |
| | [B->E,B->F]) | | | |
| | | | | |
| | | | | |
| | | | | |
| | request | | | |
| |(down,(2,*),G) | | | |
| +------------->+++ | | |
| | +-----+-+-----+ | | |
| | |send requests| | | |
| | | in parallel | | | |
| | +-----+-+-----+ | request | |
| | | | | (down,E,G) | |
| | | +---------------+----------->+++ |
| | | <- -- -- -- -- -+ -- -- -- --+++ |
| | | | | reply | |
| | | | |(down,[E->G])| |
| | | | | | request |
| | | | | | (down,F,G) |
| | | +---------------+-------------+----------->+++
| | | < -- -- -- -- --|-- -- -- -- -+ -- -- -- --+++
| | | | | | reply |
| | reply (down, | | | |(down,[F->G])|
| | [E->G,F->G]) | | | | |
| |<- -- -- -- --+++ | | |
| | | | | |
+--+-+----+ | | | |
| combine | | | | |
|segments | | | | |
+--+-+----+ | | | |
| | | | | |
+++ | | | |
| | | | |
+---+----+ +---+----+ +---+----+ +---+----+ +---+----+
+--------+ +--------+ +--------+ +--------+ +--------+