In this user guide, we will configure a SCION link between two Anapaya
appliances. Note that it does not matter whether the two appliances are EDGE,
CORE, or a combination of both. The configuration is largely the same and we
will point out the differences.
Determining SCION Link Parameters
A SCION link is a connection between two SCION ASes and as such constitutes a
contract between the two ASes. As part of this contract, the two ASes agree on:
The relationship between the two ASes.
The SCION interface identifiers used by each AS.
The SCION Maximum Transmission Unit (MTU) of the link.
The IP underlay network of the link.
The network endpoints of the link, i.e., the IP address and UDP port that the
SCION routers on each AS use to communicate with each other.
(Optional) Custom Bidirectional Forwarding Detection (BFD) configuration.
A SCION link connects two SCION ASes identified by their ISD-AS number. In a
multi-ISD configuration, i.e., when multiple ISDs are configured on the same
CORE or EDGE appliance, there are multiple ISD-AS identities (one for each
ISD while the AS number is the same for all ISDs). Consequently, there are
multiple SCION links between CORE and EDGE appliances in a multi-ISD
configuration, namely one SCION link for each ISD-AS identity.
The relationship between the two ASes indicates the hierarchy on the network
level. The relationship can be either parent-child, peer, or core. A
parent-child relationship indicates that the parent AS is upstream of the child
(or downstream) AS. This is usually the case when the parent AS sells a service
to the child AS. A peer relationship indicates that the two ASes are on the same
level of the hierarchy, i.e., neither is a customer of the other. A core
relationship is a special case of a peer relationship where the two ASes
involved are core ASes.
The current implementation of Anapaya EDGE and CORE appliances do not
SCION Interface Identifiers
The SCION interface identifier uniquely identifies a SCION interface of an AS.
Interface identifiers are used in the SCION packet header to define the network
path of a SCION
The SCION interface identifier is a 16-bit number (1-65535) and must be unique
within the AS. Interface ID 0 is reserved and cannot be used. How a network
operator assigns interface IDs is up to them as long as each interface ID is
only used once within the AS.
The SCION interface ID is part of the “public contract” of a SCION AS. Other
SCION ASes might use the interface IDs in their path policies, e.g., to
perform traffic engineering. Thus, it is highly discouraged to change SCION
interface IDs once they have been assigned.
The SCION MTU is the maximum size of a SCION packet including the SCION header.
It usually depends on the underlying IP network. Assuming a common IP MTU of
1500 bytes, the SCION MTU is either set to 1472 bytes (IPv4) or 1452 bytes
IP Underlay Network
SCION uses an IP underlay network to transport SCION packets. SCION packets are
transported as UDP datagrams between two SCION routers. This has the benefit of
reusing as much as possible of the existing IP infrastructure.
Anapaya EDGE and CORE appliances support IPv4 and IPv6 underlay networks. There
are no restrictions on the IP underlay network; however, it is recommended to
use a range from the private IP address space. Furthermore, it is common that
the two endpoints of the SCION link are in the same IP subnet, e.g., a
However, it is also possible for the two endpoints to be on different IP
networks, i.e., there is a routed network between the two endpoints. This is
commonly used by SCION service providers to connect their customer’s EDGE
appliances to their CORE appliances on their routed access network.
SCION Interface Endpoints
The SCION interface endpoints are the IP address and UDP port on which the CORE
or EDGE appliance sends and receives SCION packets for the SCION link. The IP
address must be chosen from the IP underlay network of the SCION link. The UDP
port can be chosen freely as long as the combination <ip>:<port> is unique on
the appliance.
The default port range we use for SCION interfaces is 30100 - 39999.
Documentation of our default port ranges can be found in
Default Port Allocations.
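The constraints from the sections above (interface ID range and uniqueness,
SCION MTU versus IP MTU, endpoints inside the underlay network, unique
<ip>:<port>) can be checked before a link is deployed. The following Python
check is an added example, not Anapaya code; the dictionary keys, the sample
plan, and the single-appliance AS are assumptions, and the MTU limit is the IP
MTU minus the fixed IP header (20 or 40 bytes) and the UDP header (8 bytes).

```python
import ipaddress

IP_HEADER = {4: 20, 6: 40}   # fixed IP header bytes (no IPv4 options / IPv6 extensions)
UDP_HEADER = 8
DEFAULT_PORTS = range(30100, 40000)   # default SCION interface ports per this guide

def max_scion_mtu(ip_mtu, ip_version):
    """Largest SCION packet that fits into one UDP datagram on the underlay."""
    return ip_mtu - IP_HEADER[ip_version] - UDP_HEADER

def check_links(links, ip_mtu=1500):
    """Return findings for the link plan of a single-appliance AS (assumption).
    Link dicts use hypothetical keys: interface_id, local/remote as (ip, port),
    underlay (CIDR, or None when the underlay is routed), and mtu."""
    findings, seen_ids, seen_endpoints = [], set(), set()
    for link in links:
        ifid, (ip, port) = link["interface_id"], link["local"]
        addr = ipaddress.ip_address(ip)
        if not 1 <= ifid <= 65535:
            findings.append(f"error: interface ID {ifid} not in 1-65535 (0 is reserved)")
        if ifid in seen_ids:
            findings.append(f"error: interface ID {ifid} used more than once in the AS")
        seen_ids.add(ifid)
        if (addr, port) in seen_endpoints:
            findings.append(f"error: interface {ifid}: {addr}:{port} is not unique")
        seen_endpoints.add((addr, port))
        if port not in DEFAULT_PORTS:
            findings.append(f"warning: interface {ifid}: port {port} outside default range")
        limit = max_scion_mtu(ip_mtu, addr.version)
        if link["mtu"] > limit:
            findings.append(f"error: interface {ifid}: SCION MTU {link['mtu']} > {limit}")
        if link["underlay"]:
            net = ipaddress.ip_network(link["underlay"])
            for side in ("local", "remote"):
                if ipaddress.ip_address(link[side][0]) not in net:
                    findings.append(f"error: interface {ifid}: {side} IP not in {net}")
    return findings

# Constructed sample plan; all IDs and addresses are made up for illustration.
SAMPLE = [
    {"interface_id": 1, "local": ("10.10.0.1", 30100), "remote": ("10.10.0.2", 30100),
     "underlay": "10.10.0.0/30", "mtu": 1472},
    {"interface_id": 1, "local": ("10.10.0.1", 30100), "remote": ("10.20.0.9", 30101),
     "underlay": None, "mtu": 1472},   # duplicate ID and duplicate <ip>:<port>
    {"interface_id": 0, "local": ("fd00::1", 31000), "remote": ("fd00::2", 31000),
     "underlay": "fd00::/64", "mtu": 1472},   # reserved ID, MTU too large for IPv6
]
```

Calling check_links(SAMPLE) returns the findings as a list of strings. A port
outside 30100 - 39999 is reported as a warning only, since the port can be
chosen freely.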
Bidirectional Forwarding Detection
If a SCION link becomes unhealthy, the information is signaled to users of the
SCION link via the SCION Control Message Protocol (SCMP). Anapaya CORE and EDGE
appliances use Bidirectional Forwarding Detection (BFD) to determine the health
of a SCION link. In most cases, the default values work well and the BFD
configuration does not need to be explicitly set. In some cases, e.g., if the
underlying network of the SCION link is known to be lossy, or if BFD should be
disabled, the BFD configuration can be set explicitly. Please refer to the
Bidirectional Forwarding Detection section of the configuration manual for more
details and examples.
Network Interface Configuration
A SCION interface is a virtual construct and an operator is free to map it to
physical or virtual network interfaces as they see fit. In the following, we
present some of the common configurations.
One SCION Interface per Physical Network Interface
This is the simplest configuration. Each SCION interface is mapped to a single
physical network interface. It has the advantage that each SCION
interface is completely separated from the others and even has a dedicated
physical link. The disadvantage is that many physical network interfaces are
needed if many SCION interfaces need to be configured.
This option is recommended for EDGE appliances with a single SCION link to an
upstream CORE appliance. It can also be used for important core links between
CORE appliances if it is crucial that the core link can use the full bandwidth
of the underlying physical link.
One SCION Interface per Virtual Network Interface
This is a similar configuration to the previous one but overcomes the main
disadvantage of requiring many physical network interfaces by creating a virtual
network interface for each SCION interface. This is usually done by configuring
a VLAN on a physical network interface. This configuration still achieves
complete separation of the SCION interfaces, but only requires a single physical
interface. The disadvantage is that all the SCION interfaces share the same
physical link and thus the same bandwidth.
This option is recommended for CORE appliances with multiple SCION links to
downstream EDGE appliances.
Multiple SCION Interfaces per Network Interface
Given that a SCION interface only needs a unique <ip>:<port> combination, it
is straightforward to map multiple SCION interfaces to a single network
interface (virtual or physical). In this configuration, all SCION interfaces
have the same IP address and different UDP ports. The advantage of this
configuration is that it is easy to configure and requires only a single network
interface. The disadvantage is that all SCION interfaces share the same IP
underlay network and thus also the same physical link.
This option is recommended (or even required) for CORE appliances that establish
multiple SCION links at an Internet Exchange Point (IXP), where a single IP
underlay network exists for all participants of the IXP. Furthermore, in
multi-ISD configurations it is also common to have multiple SCION links over the
same underlay network.
Testing a SCION Link
There are multiple ways to test if a SCION link is properly configured. Here, we
present the most common options.
Checking the SCION Link Status
The management API provides various debug endpoints to investigate the status of
an appliance. To check the status of a SCION link, we can use the GET
endpoint. This endpoint returns a list of all SCION links that are configured on
the appliance including their current status. To filter the list of SCION links
interface_id can be used as query parameters.
For example, to check the status of the SCION link between ISP 1 and 2 from
above, we use the following command using cURL:
or alternatively, using the
appliance-cli get debug/scion/interfaces?remote_isd_as=1-ff00:1:10
state of the SCION link is
UP the SCION link is properly
If a SCION link is properly configured, it will be automatically discovered by
the SCION control plane and SCION paths using this link will be available. We
can use this to test if a SCION link is properly configured by requesting SCION
paths to the direct neighbor of the SCION link.
SCION paths can be requested using the scion showpaths command available on
every Anapaya EDGE and CORE appliance. To verify that the SCION link between
ISP 1 and ISP 2 is properly configured, we can use the following command:
scion showpaths 1-ff00:1:10
This command will show all SCION paths from ISP 1 to ISP 2. If the SCION
link is properly configured, the output contains a path using the newly added
SCION link. Additionally, scion showpaths also probes the SCION path and
reports its status.
Alternatively, the management API can be used to request SCION paths. Refer to
the POST /tools/scion/showpaths
documentation for more details.