Configuring a SCION Link¶
In this user guide, we will configure a SCION link between two Anapaya appliances. Note that it does not matter whether the two appliances are EDGE, CORE, or a combination of both. The configuration is largely the same and we will point out the differences.
Determining SCION Link Parameters¶
A SCION link is a connection between two SCION ASes and as such constitutes a contract between the two ASes. As part of this contract, the two ASes agree on the following:
The relationship between the two ASes.
The SCION interface identifiers used by each AS.
The SCION Maximum Transition Unit (MTU) of the link.
The IP underlay network of the link.
The network endpoints of the link, i.e., the IP address and UDP port that the SCION routers on each AS use to communicate with each other.
(Optional) Custom Bidirectional Forwarding Detection (BFD) configuration.
Note
A SCION link connects two SCION ASes identified by their ISD-AS number. In a multi-ISD configuration, i.e., when multiple ISDs are configured on the same CORE or EDGE appliance, there are multiple ISD-AS identities (one for each ISD while the AS number is the same for all ISDs). Consequently, there are multiple SCION links CORE and EDGE appliances in a multi-ISD configuration, namely one SCION link for each ISD-AS identity.
Relationship¶
The relationship between the two ASes indicates the hierarchy on the network level. The relationship can be either parent-child, peer, or core. A parent-child relationship indicates that the parent AS is upstream of the child (or downstream AS). This is usually the case when the parent AS sells a service to the child AS. A peer relationship indicates that the two ASes are on the same level of the hierarchy, i.e., neither is a customer of the other. A core relationship is a special case of a peer relationship where the two ASes involved are core ASes.
Note
The current implementation of Anapaya EDGE and CORE appliances do not
support the peer
relationship.
SCION Interface Identifiers¶
The SCION interface identifier uniquely identifies a SCION interface of an AS. They are used in the SCION packet header to define the network path of a SCION packet.
The SCION interface identifier is a 16-bit number (1-65535) and must be unique within the AS. Interface ID 0 is reserved and cannot be used. How a network operator assigns interface IDs is up to them as long as each interface ID is only used once within the AS.
Note
The SCION interface ID is part of the “public contract” of a SCION AS. Other SCION ASes might use the interface IDs in their path policies, e.g., to perform traffic engineering. Thus, it is highly discouraged to change SCION interface IDs once they have been assigned.
SCION MTU¶
The SCION MTU is the maximum size of a SCION packet including the SCION header. It usually depends on the underlying IP network. Assuming a common IP MTU of 1500 bytes, the SCION MTU is either set to 1472 bytes (IPv4) or 1452 bytes (IPv6).
IP Underlay Network¶
SCION uses an IP underlay network to transport SCION packets. SCION packets are transported as UDP datagrams between two SCION routers. This has the benefit of reusing as much as possible of the existing IP infrastructure.
Anapaya EDGE and CORE appliances support IPv4 and IPv6 underlay networks. There are no restrictions on the IP underlay network, however, it is recommended to use a range from the private IP address space. Furthermore, it is common that the two endpoints of the SCION link are in the same IP subnet, e.g., a point-to-point link:
IPv4:
169.254.0.0/16
, e.g.,169.254.0.2/30
IPv6:
fe80::/10
, e.g.,fe80::2/64
However, it is also possible for the two endpoints to be on different IP networks, i.e., there is a routed network between the two endpoints. This is commonly used by SCION service providers to connect their customer’s EDGE appliances to their CORE appliances on their routed access network.
SCION Interface Endpoints¶
The SCION interface endpoints are the IP address and UDP port on which the CORE
or EDGE appliance sends and receives SCION packets for the SCION link. The IP
address must be chosen from the IP underlay network of the SCION link. The UDP
port can be chosen freely as long as the combination <ip>:<port>
is unique
on the appliance.
Tip
The default port range we use for SCION interfaces is 30100 - 39999. Documentation of our default port ranges can be found in Default Port Allocations.
Bidirectional Forwarding Detection¶
If a SCION link becomes unhealthy, the information is signaled to users of the SCION link via the SCION Control Message Protocol (SCMP). Anapaya CORE and EDGE appliances use Bidirectional Forwarding Detection (BFD) to determine the health of a SCION link. In most cases, the default values work well and the BFD configuration does not need to be explicitly set. In some cases, e.g., if the underlying network of the SCION link is known to be lossy, or if BFD should be disabled, the BFD configuration can be set explicitly. Please refer to the Bidirectional Forwarding Detection section of the configuration manual for more details and examples.
Network Interface Configuration¶
A SCION interface is a virtual construct and an operator is free to map them to physical or virtual network interfaces as they see fit. In the following, we present some of the common configurations.
One SCION Interface per Physical Network Interface¶
This is the simplest configuration. Each SCION interface is mapped to a single physical network interface. It has the advantage that each SCION interface is completely separated from the others and even has a dedicated physical link. The disadvantage is that many physical network interfaces are needed if many SCION interfaces need to be configured.
This option is recommended for EDGE appliances with a single SCION link to an upstream CORE appliance. It can also be used for important core links between CORE appliances if it is crucial that the core link can use the full bandwidth of the underlying physical link.
One SCION Interface per Virtual Network Interface¶
This is a similar configuration to the previous one but overcomes the main disadvantage of requiring many physical network interfaces by creating a virtual network interface for each SCION interface. This is usually done by configuring a VLAN on a physical network interface. This configuration still achieves complete separation of the SCION interfaces, but only requires a single physical interface. The disadvantage is that all the SCION interfaces share the same physical link and thus the same bandwidth.
This option is recommended for CORE appliances with multiple SCION links to downstream EDGE appliances.
Multiple SCION Interfaces per Network Interface¶
Given that a SCION interface only needs a unique <ip>:<port>
combination, it
is straightforward to map multiple SCION interfaces to a single network
interface (virtual or physical). In this configuration, all SCION interfaces
have the same IP address and different UDP ports. The advantage of this
configuration is that it is easy to configure and requires only a single network
interface. The disadvantage is that all SCION interfaces share the same IP
underlay network and thus also the same physical link.
This option is recommended (or even required) for CORE appliances that establish multiple SCION links at an Internet Exchange Point (IXP), where a single IP underlay network exists for all participants of the IXP. Furthermore, in multi-ISD configurations it is also common to have multiple SCION links over the same underlay network.
Examples¶
Testing a SCION Link¶
There are multiple ways to test if a SCION link is properly configured. Here, we present the most common options.
Checking the SCION Link Status¶
The management API provides various debug endpoints to investigate the status of
an appliance. To check the status of a SCION link, we can use the GET
/debug/scion/interfaces
endpoint. This endpoint returns a list of all SCION links that are configured on
the appliance including their current status. To filter the list of SCION links
remote_isd_as
and interface_id
can be used as query parameters.
For example to check the status of the SCION link between ISP 1
and ISP
2
from above we use the following command using cURL:
appliance-cli get debug/scion/interfaces?remote_isd_as=1-ff00:1:10
# or
curl https://${appliance_ip}/api/v1/debug/scion/interfaces?remote_isd_as=1-ff00:1:10
If the state
of the SCION link is UP
the SCION link is properly
configured.
Testing with scion showpaths
¶
If a SCION link is properly configured, it will be automatically discovered by the SCION control plane and SCION paths using this link will be available. We can use this to test if a SCION link is properly configured by requesting SCION paths to the direct neighbor of the SCION link.
SCION paths can be requested using the scion showpaths
command available on
every Anapaya EDGE and CORE appliance. To verify that the SCION link between
ISP 1
and ISP 2
is properly configured, we can use the following command:
scion showpaths 1-ff00:1:10
This command will show all SCION paths from ISP 1
to ISP 2
. If the SCION
link is properly configured, the output contains a path using the newly added
SCION link. Additionally, scion showpaths
also probes the SCION path and
reports its status.
Alternatively, the management API can be used to request SCION paths. Refer to the POST /tools/scion/showpaths documentation for more details.