Frequently Asked Questions

Joining a SCION Network

How can my organization join the Secure Swiss Finance Network (SSFN)?

To join the SSFN the following process must be followed:

  1. The interested organization needs to order SCION access from a SCIONabled provider. For more information on SCIONabled providers that are also part of the SSFN, please refer to our official page.

  2. The interested organization needs to be SSFN certified by SIX. For further information on the certification process, please refer to the SIX’s official SSFN page.

  3. Once the contracts are ready, the providers can schedule the installation and configuration of the Anapaya appliances on the customer premises.

How can my organization join the HIN Vertrauensraum (HVR)?

To join the HVR the following process must be followed:

  1. The interested organization needs to order SCION access from a SCIONabled provider. For more information on SCIONabled providers, please refer to our official page.

  2. The interested organization needs to be HVR certified by HIN. For further information on the certification process, please contact HIN.

  3. Once the contracts are ready, the providers can schedule the installation and configuration of the Anapaya appliances on the customer premises.

How can my organization join the Swiss ISD?

To join the SSFN the following process must be followed:

  1. The interested organization needs to order SCION access from a SCIONabled provider. For more information on SCIONabled providers, please refer to our official page.

  2. Once the contracts are ready, the providers can schedule the installation and configuration of the Anapaya appliances on the customer premises.

Anapaya Products

What is Anapaya EDGE?

Anapaya EDGE is the gateway that connects users to the SCION Internet. The Anapaya EDGE is installed physically or in a virtual environment at the edge of a customer’s network. The Anapaya EDGE is connected to the SCION network through a SCIONabled ISP. Through Anapaya’s IP-in-SCION tunneling mechanism, the EDGE can tunnel IP traffic from the customer’s LAN and communicate with remote destinations through the SCION network.

For information on Anapaya EDGEs and common setups, please refer to Overview and Deployment Examples.

What is Anapaya CORE?

Anapaya CORE is a router that is part of the SCION backbone. It is placed at the border of the network of Internet Service Providers and connects to other SCIONabled ISPs and customers.

For information on Anapaya COREs and common setups, please refer to Overview and Deployment Example.

What is Anapaya GATE?

Anapaya GATE is the gateway that connects end-users to the SCION Internet. It allows users of SCIONabled ISPs to connect to remote locations, such as a company’s headquarter network using the SCION Internet even if the user does not have an EDGE at home. It is located at the edge of SCIONabled ISPs and advertises the ISP user prefixes to SCIONabled organizations and vice versa. This solution protects remote access, e.g., VPN connections, and access to other workloads by an organization’s remote workforce.

For information on Anapaya GATEs and common setups, please refer to Overview and Deployment Example.

Processes

How can my organization get a SCION AS number?

Depending on the ISD, there are different entities that are responsible for assigning the AS numbers. Please refer to ISD and AS Assignments for further information.

IP-in-SCION Tunneling

What is the IP-in-SCION Tunneling mechanism?

IP-in-SCION tunneling is a mechanism that allows tunneling IP packets between two IP-in-SCION tunneling endpoints, i.e., Anapaya EDGE appliances. This mechanism enables any type of application and communication to take advantage of SCION-based networking without the need to update any application, client, or server.

For more information, please refer to IP-in-SCION Tunneling.

What kind of prefixes can I configure to announce through IP-in-SCION tunneling?

In most setups, Autonomous Systems can announce private or public IP prefix ranges depending on their setup. There are special cases such as the SSFN, where participants are required to only announce public IP prefix ranges, which are not routed through the public Internet.

In general, IP-in-SCION tunneling is used to enable communication between the local site and a remote destination. Our implementation supports tunneling with IPv4 and IPv6 prefixes.

Can a prefix range be advertised by multiple ASes?

Yes, it is possible for a prefix range to be advertised by multiple ASes. In such cases, the appliances in the AS receiving the prefix announcement need to configure policies for which remote AS to prioritize when sending packets to that prefix range.

How are IP prefixes coordinated between entities in the SCION network?

The coordination of IP prefixes between Autonomous Systems in the SCION network is up to the entities that aim to communicate with each other. When ASes that communicate with each other through IP-in-SCION tunneling are managed by the same organization, the coordination of IP prefixes is done internally. When ASes are managed by different organizations, the coordination of IP prefixes needs to be done between the organizations. An easy way to coordinate IP prefixes is to use public IP ranges that belong to the organization. This automatically ensures that there is no overlap between the IP prefixes of different ASes.

Additionally, it can be beneficial to use IP prefixes that are not routed through the public Internet. This makes it easier to distinguish between traffic that goes through the public Internet and traffic that goes through the SCION network.

Control Plane

How long is an AS certificate valid?

By default, AS certificates are valid for three days and are automatically renewed after 1/4 of the validity period. This means that the AS certificate is renewed roughly every 18 hours. Note that initial certificates might be valid for a longer period of time, depending on the certificate authority.

How often does the SCION control plane create new paths (beaconing)?

The beaconing process is initiated by core ASes every 30 seconds by default. This enables the network to detect topology changes fast enough, without adding a serious overhead to the network. The frequency with which the Beaconing process happens can be configured to other values if desired.

For how long are SCION paths valid?

By default, SCION paths have a validity period of six hours. In other words, when a sender, e.g., an Anapaya EDGE, requests a path from the network, the path can be used for six hours until it needs to be renewed. In practice, paths are updated every few minutes when the beaconing process leads to the creation of new path segments.

It is worth noting that the default validity period of paths is configurable.

Data Plane

How are paths chosen by the sender?

A sender selects a path toward its destination depending on the available paths, the static policies configured and dynamic criteria such as latency and jitter.

The frequency with which the chosen path changes depends on the user configured policies and the application.

In the Anapaya EDGE, the sender will use the same path toward the same destination for as long as the path remains alive and the performance is not degraded. Additionally, by default, a single path is used to reach a destination. However, the sender can configure smart policies to differentiate traffic and use different paths.

Setup

On what kind of platform can I run the Anapaya software?

The Anapaya software can run both on physical hardware and virtual environments. For details on computing requirements, please refer to our Computing resources guide.

How can an Anapaya EDGE connect to a SCIONabled provider?

The recommended way to connect to a SCIONabled provider is through the ISP’s access network. Please contact your SCIONabled access provider for further details.

How can an Anapaya appliance be connected to the internal network of an organization?

An Anapaya appliance can connect to the internal network of the organization it belongs to through a variety of connection types. Specifically, supported setups include static routing, eBGP, VRRP (in case of redundant setups). For more information, refer to Deployment Examples and Deployment Example.

What is the difference between MTU and SCION MTU?

Due to the fact that every SCION packet uses an IP/UDP underlay, a SCION packet has an overhead of 24 bytes for IPv4 and 48 bytes for IPv6. For this reason, the SCION protocol defines the SCION MTU which is equal to the difference of the underlay MTU minus the overhead bytes. This means that effectively slightly fewer bytes can be communicated through a single SCION packet compared to a non-SCION packet. Note also that the size of the payload additionally depends on the length of the chosen SCION path since the latter is included in the packet’s SCION header.

Security guarantees

How can SCION and Anapaya appliances offer protection against DDoS attacks?

There are a few different scenarios in which Anapaya appliances and SCION can protect against DDoS attacks.

Scenario 1: The attacker is not part of the SCION network and tries to attack the target through the public Internet. The target uses prefixes that are not routed in the public Internet, but only in the SCION network.

Protection: Since the target’s prefix range is not accessible through the public Internet, the target is basically “invisible” to the attacker. In other words, the attacker cannot carry out the attack as it has no way of reaching the target’s network.

Scenario 2: The attacker is not part of the SCION network and tries to attack the target through the public Internet. The target uses prefixes that are routed through the public and the SCION Internet.

Protection: The attacker can reach the target’s network only through the public Internet. This means that users connecting through the public Internet to the target can suffer from availability problems of the service in case of an attack. However, users connecting through the SCION network use a different entry point to the service which will remain unaffected.

Scenario 3: The attacker is part of the SCION network.

Protection: In this case, the user needs to resort to other defense mechanisms such as SCION Hidden Paths. With Hidden Paths, an organization can control which other SCION ASes can retrieve SCION paths leading to the organization’s network. That way, the organization is in control of which entities can send it traffic.

To learn more about the possibilities of using SCION Hidden Paths for additional DDoS protection within a SCION network, please contact customer-support@anapaya.net.

Scenario 4: The attacker has a target and due to the network topology, there are other organizations affected as collateral damage (e.g. an ISP is under attack).

Protection: If the organizations affected by the attack as collateral damage are part of the SCION network, traffic will automatically be rerouted to avoid congested areas under attack. This is one of the benefits of the SCION protocol, as path selection depends on static data, such as the user-defined policies, and real-time performance data, such as latency and jitter. In other words, in case of an attack on an ISP, paths through that ISP will be de-prioritized due to their bad performance.

Do Anapaya appliances encrypt the payload information?

Anapaya appliances do not encrypt the payload information. SCION is a network protocol so the primary focus is protecting the network and topology information. If the users desire to have their payload encrypted, then they must configure it in the applications they use. Please note that in the future, payload encryption might be added as a feature.

Why is the GATE solution secure and preferable to using a normal VPN connection?

Security has three aspects: Confidentiality, Integrity and Availability (CIA). Current VPN solutions can provide confidentiality and integrity as they encrypt traffic and perform integrity checks. However, they cannot guarantee availability because traffic is still routed through the public Internet. The Anapaya GATE solution guarantees availability by hiding the VPN connection from the Internet. In other words, the combination of VPN and the Anapaya GATE can provide full CIA security.

Another aspect in which the Anapaya GATE fortifies the system is routing security. As VPN traffic goes through the public Internet, it is susceptible to BGP hijacking attacks. With the Anapaya GATE solution, traffic goes from an ISP’s internal network to the SCION network and vice versa, which offers BGP hijack resilience by design.

For further information, you can also refer to the How to protect company data while working from home and VPN connections need protection blog posts.

SCION Questions

How can I communicate with entities in ISDs my organization is not part of and I do not have trust?

For a host within an AS to be able and get paths to a remote ISD, it needs to have the valid Trust Root Configuration (TRC) for that ISD (and the ISDs it needs to traverse until it reaches the destination). The TRC of an ISD defines the trusted entities within an ISD, such as the core ASes and the Certificate Authorities. Based on this, the ASes can then fetch the necessary information to validate the received paths.