IP-in-SCION Tunneling

This guide explains how to troubleshoot the IP-in-SCION tunneling aspects of Anapaya appliances.

Current configuration and state

The current IP-in-SCION tunneling configuration can be retrieved from the appliance using the following command:

appliance-cli get config -f body.config.scion_tunneling

To get the current SCION state of the appliance, use the following command:

appliance-cli inspect scion-tunneling summary

This lists all the active tunneling domains where prefixes are currently received from a remote SCION ISD-AS.

Example:

appliance-cli inspect scion-tunneling summary
DOMAIN: domain-name
  PREFIXES: 192.0.2.0/24
            198.51.100.48/28
    TRAFFIC MATCHER: default
      PATH FILTER: default
        REMOTE: 1-ff00:1:1,10.10.0.1:30856
              STATE LATENCY JITTER DROPS EXPIRY   PATH
          --> alive 2.73ms  0.37ms 0.00% 5h51m30s 1-ff00:1:100 3>41 1-ff00:56:1 4>1 1-ff00:1:1
          [more paths available, use the --all-paths flag to display them]
        REMOTE: 1-ff00:1:1,10.10.0.2:30856
              STATE LATENCY JITTER DROPS EXPIRY   PATH
            > alive 2.81ms  0.10ms 0.00% 5h51m31s 1-ff00:1:100 2>45 1-ff00:2:11 6>3 1-ff00:1:1
          [more paths available, use the --all-paths flag to display them]

--> Indicates the active path for a traffic matcher within its domain.
  > Indicates the candidate path for a currently unused remote.

Are local prefixes advertised?

Check whether your local prefixes are advertised:

appliance-cli get debug/scion-tunneling/sgrp/local-prefixes
{
  local-prefixes: {
    bgp: {
      prefixes: null
    }
    static: {
      prefixes: ["203.0.113.96/27"]
    }
    static-probed: null
  }
}

If you have a BGP session to the LAN, the BGP prefixes that are received from the LAN show up in the bgp section. If they do not show up, refer to the BGP troubleshooting guide.

If you do not have a BGP integration with your LAN, you need to statically announce your prefixes. In this case, if the prefixes are not listed in the static section, then the static announcements are not configured correctly.

Are remote SCION ASes discovered?

Check whether remote SCION ASes are discovered:

appliance-cli get debug/scion-tunneling/discovery
{
  sessions: [
    {
      last-success: "2024-02-13T13:41:33Z"
      local-isd-as: "1-ff00:1:100"
      path: "1-ff00:1:100 3>41 1-ff00:56:1 4>1 1-ff00:1:1"
      peers: [
        {
          control: "10.10.0.1:30256"
          data: "10.10.0.1:30056"
          interfaces: [1, 2]
          probe: "10.10.0.1:30856"
        }
        {
          control: "10.10.0.1:30256"
          data: "10.10.0.1:30056"
          interfaces: [3, 4]
          probe: "10.10.0.2:30856"
        }
      ]
      remote-isd-as: "1-ff00:1:1"
    }
  ]
}

If the remote ISD-AS is not discovered, then it might be missing from the remotes config, or domains[].remote_isd_ases does not list it.

Are prefixes received from remotes?

Check whether prefixes are received:

appliance-cli get debug/scion-tunneling/sgrp/peers
{
  peers: [
    {
      announced: ["203.0.113.96/27"]
      last-received: "2024-02-13T13:41:33Z"
      local-isd-as: "1-ff00:1:100"
      path: "1-ff00:1:100 3>41 1-ff00:56:1 4>1 1-ff00:1:1"
      received: ["192.0.2.0/24", "198.51.100.48/28"]
      remote-address: "10.10.0.1:30056"
      remote-isd-as: "1-ff00:1:1"
    }
    {
      announced: ["203.0.113.96/27"]
      last-received: "2024-02-13T13:41:33Z"
      local-isd-as: "1-ff00:1:100"
      path: "1-ff00:1:100 3>41 1-ff00:56:1 4>1 1-ff00:1:1"
      received: ["192.0.2.0/24", "198.51.100.48/28"]
      remote-address: "10.10.0.2:30056"
      remote-isd-as: "1-ff00:1:1"
    }
  ]
}

If the expected peers are present and last-received is recent, but the expected prefixes are missing, then the remote SCION ISD-AS is not announcing the expected prefixes.

In this case reach out to your communication partner to check their configuration.

If the expected peers are missing, then the remote ISD-AS is not discovered. See "Are remote SCION ASes discovered?" for more information.
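
The checks described in this section, as an added Python example (not part of the Anapaya documentation or tooling). It assumes the command output was saved as text in the format shown above; the names parse_peers and triage, the sample data and the five-minute max_age threshold are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in the text format shown on this page (not JSON).
SAMPLE = """{
  peers: [
    {
      last-received: "2024-02-13T13:41:33Z"
      received: ["192.0.2.0/24", "198.51.100.48/28"]
      remote-address: "10.10.0.1:30056"
      remote-isd-as: "1-ff00:1:1"
    }
    {
      last-received: "2024-02-13T09:02:10Z"
      received: ["192.0.2.0/24"]
      remote-address: "10.10.0.2:30056"
      remote-isd-as: "1-ff00:1:1"
    }
  ]
}"""

def parse_peers(text):
    """Yield one dict per peer block (the innermost {...} groups)."""
    for block in re.findall(r"\{([^{}]*)\}", text):
        f = dict(re.findall(r'([\w-]+):\s*(\[[^\]]*\]|"[^"]*")', block))
        if "remote-isd-as" in f:
            nets = re.findall(r'"([^"]+)"', f.get("received", ""))  # null -> []
            last = f["last-received"].strip('"').replace("Z", "+00:00")
            yield {"remote": f["remote-isd-as"].strip('"'),
                   "address": f["remote-address"].strip('"'),
                   "received": [ipaddress.ip_network(n) for n in nets],
                   "last": datetime.fromisoformat(last)}

def triage(peers, remote, expected, now, max_age=timedelta(minutes=5)):
    """Map peer address -> verdict; max_age is an assumed threshold."""
    want = [ipaddress.ip_network(e) for e in expected]
    out = {}
    for p in (p for p in peers if p["remote"] == remote):
        # An expected prefix counts as received if any received prefix covers it.
        missing = [str(w) for w in want if not any(
            w.version == n.version and w.subnet_of(n) for n in p["received"])]
        if now - p["last"] > max_age:
            verdict = "stale last-received"
        elif missing:
            verdict = "remote not announcing " + ", ".join(missing)
        else:
            verdict = "ok"
        out[p["address"]] = verdict
    return out or {remote: "remote ISD-AS not discovered"}
```

A peer with a stale last-received is reported separately because the "remote is not announcing" conclusion above only applies when last-received is recent.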

Are prefixes received as part of the domain?

appliance-cli get debug/scion-tunneling/sgrp/domains
{
  domains: {
    domain-name: {
      announced: ["203.0.113.96/27"]
      received: ["192.0.2.0/24", "198.51.100.48/28"]
    }
  }
}

This shows the prefixes that are announced and received in a specific domain.

Common problems

End-to-end connectivity does not work

Go through the following steps to find out why end-to-end connectivity does not work:

  • Check your tunneling configuration

    • Is there a domain configured for the remote ISD-AS?

    • Does the domain have an accept_filter (or is it configured as default) and an announce_filter configured?

  • Check your SCION connectivity.

  • Check whether prefixes are received and announced (see "Are prefixes received as part of the domain?").

  • Check whether the communication partner receives your traffic.