Project Coordinator (EU) :
Otto-von-Guericke-University MagdeburgCountry of the EU Coordinator :
GermanyOrganisation Type :
AcademiaProject participants :
Otto-von-Guericke-University Magdeburg:
Prof. Dr. David Hausheer is a Professor at the Faculty of Computer Science at Otto-von-Guericke-University Magdeburg since May 2017. He holds a diploma degree in electrical engineering and a Ph.D. degree in technical sciences from ETH Zurich. Prof. Hausheer will be leading the project and guiding the corresponding work.
M.Sc. Marten Gartner is a Ph.D. student in the team of Prof. Hausheer at the Faculty of Computer Science at Otto-von-Guericke-University Magdeburg since February 2021. He holds an M.Sc. degree in digital engineering from OVGU Magdeburg. Marten Gartner will contribute both to the setup of SCIONLab over BRIDGES as well as to the experiments.
M.Sc. Tony John is a Ph.D. student in the team of Prof. Hausheer at the Faculty of Computer Science at Otto-von-Guericke-University Magdeburg since January 2021. He holds an M.Sc. degree in computer science from OVGU Magdeburg. Tony John will be mainly contributing experiments in terms of bandwidth and latency measurements of SCION over BRIDGES.
M.Sc. Thorben Krüger is a Ph.D. student in the team of Prof. Hausheer at the Faculty of Computer Science at Otto-von-Guericke-University Magdeburg since May 2020. He holds an M.Sc. degree in system and network engineering from the University of Amsterdam. Thorben Krüger will be mainly contributing to the experiment evaluation. He will be joining the project team from October 2022.
George Mason University:
Jerry Sobieski is a Co-Principle Investigator of the BRIDGES Project (NSF and GMU). Prior to this, he was a CRO at NORDUnet driving advanced networking research efforts between NORDUnet, the European R&E community, and the Global R&E Networks internationally. Jerry Sobieski will be leading the US-side of the project team and strongly support the SCION setup over the BRIDGES infrastructure.
Dr. Liang Zhang is a postdoctoral research fellow at GMU. He received his M.S. degree in information and communication engineering, University of Science and Technology of China (USTC), China, in 2014, and his Ph.D. degree in electrical engineering from New Jersey Institute of Technology (NJIT), USA, in 2020. Liang Zhang will also support the SCION setup over the BRIDGES infrastructure.
State of US partner :
VirginiaStarting date :
Leveraging Path Diversity to Enhance Resilience, Scalability and Energy-Efficiency with SCION
Experiment description
SCION is a clean-slate Next-Generation Internet (NGI) architecture (http://scion- architecture.net/pdf/SCION-book.pdf) designed to provide route control, failure isolation, and explicit trust information for end-to-end communication. SCION organizes existing Autonomous Systems (ASes) into groups of independent routing planes, called isolation domains, which interconnect to provide global connectivity. Isolation domains naturally isolate routing failures and misconfiguration, give endpoints strong control over both inbound and outbound traffic, and provide meaningful and enforceable trust. As a result, the SCION architecture provides strong resilience and security properties as an intrinsic consequence of its design.
Besides high security, SCION also provides a scalable routing infrastructure and highly efficient packet forwarding. As a path-based architecture, SCION end hosts learn about available network path segments, and combine them into end-to-end paths that are carried in packet headers. Thanks to embedded cryptographic mechanisms, path construction is constrained to the route policies of Internet Service Providers (ISPs) and receivers, offering path choice to all parties: senders, receivers, and ISPs. This approach enables path-aware communication, an emerging trend in networking. These features also enable multipath communication, which enhances privacy by obfuscating traffic over multiple paths, facilitates high availability, rapid failover in case of network failures, increased end-to-end bandwidth, dynamic traffic optimization, and resilience to DDoS attacks.
Since the start, the research on improving the SCION architecture has been complemented by implementation and deployment. Since 2014, an operational SCION network has been in operation in Switzerland. The current maturity of the software has been achieved through professional and experienced developers, which have recently built the 5th generation of the software. Moreover, this has been complemented by substantial efforts in formally modelling and verifying key parts of the SCION architecture, such that SCION has reached a level of maturity, which renders it ready today for large-scale deployment.
In order to provide a low entry bar for researchers and application developers who wish to explore and assess the capabilities of SCION, we have developed SCIONLab (https://netsec.ethz.ch/publications/papers/icnp2020_scionlab.pdf), a flexible, scalable, and extensible SCION network running at global scale. SCIONLab provides users with fast setup, enabling them to instantiate a SCION node as a VM in a few clicks, requiring little technical expertise to join the SCION network. Thereby, SCION nodes can contribute to the routing within the SCION topology and researchers can attach their own computing resources anywhere in within the SCIONLab network.
To this end, the objectives of this project are twofold: (a) To interconnect SCIONLab with the BRIDGES infrastructure over two very high-speed transatlantic links, in order to increase the path diversity and bandwidth for SCIONLab experiments and (b) to run experiments between the US and Europe over the SCIONLab testbed to demonstrate the privacy-enhancement (e.g., by splitting traffic over multiple paths) and improved reliability (e.g. with multi-path and seamless path failover) over SCION, as well as to show the scalability of our SCION-based path discovery mechanisms which help to effectively reduce the network’s power consumption and incentivize ISPs and transit providers to shift towards greener electricity.
The SCIONLab testbed has currently a strong basis in Europe, with deployments, a.o., in multiple research networks including GEANT GTS, SWITCH, DFN-GVS, SIDN, and Fed4FIRE+ (VirtualWall, Grid5000). However, it lacks high-bandwidth connectivity and path diversity to their US counterparts, such as Internet2, FABRIC and others. By interconnecting SCIONLab with BRIDGES’ infrastructure, we will be able to increase the path opportunities over the Atlantic and carry out experiments at very high speeds using SCION’s native path-awareness and multipath support. The enhanced SCIONLab network will be maintained even after the end of this project and offered on a continuous basis to experimenters and application developers in other NGI topics.
Impacts :
Our project has addressed and contributed to the impacts in relation to the NGI initiative as follows:
Impact 1: Enhanced EU – US cooperation in Next Generation Internet, including policy cooperation.
The rise of new network services and architecture proposals has led to the success of global network testbeds like PlanetLab or the Peering testbed. Unfortunately, current testbeds have shown shortcomings, e.g., related to the “security” of running your code or using your own configuration, requiring individual vetting by the testbed, the difficulty to evaluate DoS / security in real-world environments, and resource availability (especially computation).
Moreover, these testbeds did not enable important networking aspects, including multipath routing, path-aware networking, security applications requiring per-AS certificates and cryptographic keys, secure routing, etc.
With the SCION deployment over BRIDGES and the experiments proposed in this project, we are able to significantly advance networking research through several experiments over the enhanced SCIONLab testbed across the Atlantic, which provides the possibility to run path-aware networking experiments enabled by the underlying SCION architecture.
Impact 2: Reinforced collaboration and increased synergies between the Next Generation Internet and the US Internet programmes.
Our experiments meet NGI objectives such as privacy-enhancement by leveraging the SCION path diversity provided in a native fashion across the Atlantic. Additionally, experiments with our enhanced SCION-based path discovery mechanisms demonstrate the increased throughput, reliability, and energy-efficiency that can be achieved based on the SCION Internet architecture, thanks to a better utilization of network resources and through SCION’s native multi-path property.
These impacts are well aligned with the objectives of our US partner in this project, GMU, who receives funding from NSF under BRIDGES - Binding Research Infrastructures for the Deployment of Global Experimental Science (Award Number: 2029221). NSF BRIDGES serves two key objectives: First, it is a prototype and demonstrator of a fully virtualized cyber-infrastructure architecture in support of future global science applications and advanced networked services such as SCION. Second, BRIDGES links European research facilities directly to US research facilities by constructing a 100 Gbps research focused network ring spanning the North Atlantic. This BRIDGES facility has the explicit purpose to facilitate collaborative global experiments across a common, contiguous, seamless and fully federated network research infrastructure.
Impact 3: Developing interoperable solutions and joint demonstrators, contributions to standards.
There have already been a number of efforts in standardizing SCION at the IETF, e.g. within PANRG (Path Aware Networking Research Group) and TAPS (Transport Services) working groups. Specifically, Internet Drafts on the SCION overview, the SCION Components Analysis and on DRKey (Dynamically Recreatable Key) have been written up. Additionally, a presentation on PANAPI (Path Aware Networking Application Programming Interface) has been given at a recent IETF TAPS meeting. The results of our experiments will also partially be fed into these ongoing standardization efforts.
More recently, SCION was also present at the IETF meeting 115 in London. Specifically, an overview on the ongoing standardization work related to SCION was given during the RTGWG (Routing Area Working Group) and the PANRG meetings and the progress with respect to these efforts was highlighted. In the next steps, the received feedback will be addressed and the existing Internet Drafts on SCION will be improved. Additionally, there will be also new drafts documenting current specifications on the SCION control plane and the SCION data plane.
Impact 4: An EU - US ecosystem of top researchers, hi-tech start-ups / SMEs and Internet-related communities collaborating on the evolution of the Internet
The rapid growth of the Internet is driving the emergence of various new network services (e.g., IoT) at a global scale. The limitations of the existing Internet architecture towards those new requirements has significantly increased the demand for advanced wired networking architectures overcoming those limitations.
SCION is a novel secure Internet architecture which aims to provide route control, failure isolation, and explicit trust information for end-to-end communications. As discussed in detail in the original SCION paper [4], no existing solution simultaneously provides the capabilities as SCION does, although individual aspects are covered by these efforts, which SCION builds upon. SCION has already lead to a new start-up, Anapaya Systems and a quite large SCION community, especially in Europe but also worldwide.
With our joint EU-US SCION setup and experiments over NSF BRIDGES these efforts are strengthened further. Researchers directly benefit from the major performance improvement due to the high bandwidth and low delay capabilities over BRIDGES. Furthermore, users also benefit from additional paths within SCIONLab passing across several transatlantic links. This results in a significantly improved SCIONLab network between the US and Europe to run
sophisticated SCION experiments, which will give a more detailed insight into the SCION infrastructure deployed on native connections at a wide scale. To this end, we will also further disseminate the results of our experiments.
Results :
The primary result of this project is the deployment of SCION over BRIDGES. To achieve this, we had to connect SCION to BRIDGES by deploying servers (including border router instances and SCION control service instances etc.) on both ends (US/EU) and establish underlying network topologies in order to implement an appropriate deployment setup of SCION links across the Atlantic.
On the European side, we have setup six dedicated SCION servers, two each in Paris, Geneva, and Frankfurt. Three of these servers are equipped with SCION high-speed border router licenses purchased from Anapaya Systems AG by OVGU.
On the US side, we have setup three SCION servers (provided by CMU) within BRIDGES: two have been deployed at the BRIDGES cabinet at Equinix DC2 in Ashburn, VA, as well as one will be deployed at MAN LAN (NYC) very soon. These servers are equipped with the open source SCION border router. The BRIDGES infrastructure is connected to MARIA (Mid-Atlantic Research Infrastructure Alliance) and to Internet2. This allowed us to connect the University of Virginia (UVa) over a dedicated VLAN through MARIA to BRIDGES, which determines the first native SCION connection to a university in the US. Additionally, we will also connect Princeton via NJEdge to our SCION deployment at MAN LAN. UVa and Princeton are both new SCION nodes that we hadn’t envisioned at the time of writing the proposal, but which were made possible thanks to the SCION deployment within BRIDGES. Additionally, this deployment enables many more interesting connection opportunities to academic as well as industry customers: via Internet2 exchange points in WIX (Washington IX) and MAN LAN, as well as to the Equinix IX via a local cross-connection at Equinix DC2. We will explore these options further beyond the end of the project.
Future Plan :
The objective of this project was to deploy SCION over the NSF BRIDGES infrastructure in order to demonstrates the SCION benefits by means of experiments across the Atlantic. To this end, the redundant BRIDGES network with dual 100G links enables researchers to select and use multiple paths across the Atlantic as facilitated by SCION. While we have successfully deployed three SCION servers within BRIDGES and six SCION servers with GEANT with native SCION links in the respective networks, the actual connection of BRIDGES with GEANT in order to exchange SCION traffic remains part of our future work, as our deployment will be further expanded. Given the huge number of connection opportunities on both sides, connecting BRIDGES with GEANT will be of great benefit for SCION research.
Key results
- Six new nodes added to the SCION testbed in Europe, and three nodes on BIRDGES in the US (at George Mason University, University of Virginia, and Princeton)
- Results validate the benefit from enhanced privacy, availability, reliability, and energy-efficiency on the SCION network.
- Demonstrate the capability of the SCIONLab testbed by showing its reliability while deliberately interrupting certain connections within the SCIONLab network.
- Pre-standardisation: Presentations at IETF 114 (Path Aware Networking RG meeting) and IETF 115 (Routing Area Working Group, and PANRG)