scion data plane overview

SCION: Data Plane Overview, Adrian Perrig, Network Security Group, ETH Zürich (PowerPoint presentation)



  1. SCION: Data Plane Overview Adrian Perrig Network Security Group, ETH Zürich

  2. SCION Data Plane Overview
     ▪ Data plane: How to send packets [Chapter 2.2, Chapter 8]
     ▪ Path lookup
     ▪ Path combination
     ▪ Path encoding in packet

  3. Path Lookup
     ▪ Steps of a host to obtain path segments
     ▪ Host contacts RAINS server with a name
       H → RAINS: www.scion-architecture.net
       RAINS → H: ISD X, AS Y, local address Z
     ▪ Host contacts local path server to query path segments
       H → PS: ISD X, AS Y
       PS → H: up-path, core-path, down-path segments
     ▪ Host combines path segments to obtain end-to-end paths, which are added to packets

  4. Path Lookup: Local ISD
     ▪ Client requests path segments to <ISD, AS> from local path server
     ▪ If down-path segments are not locally cached, local path server sends request to core path server
     ▪ Local path server replies
       ▪ Up-path segments to local ISD core ASes
       ▪ Down-path segments to <ISD, AS>
       ▪ Core-path segments as needed to connect up-path and down-path segments
     [Figure: local ISD topology with ASes K, M, L, N, P, O, S, Q, R]

  5. Path Lookup: Remote ISD
     ▪ Host contacts local path server requesting <ISD, AS>
     ▪ If path segments are not cached, local path server will contact core path server
     ▪ If core path server does not have path segments cached, it will contact remote core path server
     ▪ Finally, host receives up-, core-, and down-segments
     [Figure: local ISD (ASes K, M, L, N, P, O, S, Q, R) and remote ISD (ASes T, U, V, W, X, Y, Z, A', B', C', D', E'); legend: border router, beacon server, path server]

  6. Path Combination
     [Figure: panels 1a to 1e, 2, 3 and 4 showing control-plane path segments and the resulting data-plane paths. Legend: node types: core AS, non-core AS, source/destination; control-plane path segments: regular path segment, peering link path segment; data-plane paths: up-/down-path segment, core-path segment]

  7. Path Combination Example (1)
     ▪ Core-segment combination: up-path segment + core-path segment + down-path segment
     [Figure: topology with ASes K, M, L, N, P, O, S, Q, R]

  8. Path Combination Example (2)
     ▪ Peering shortcut: up-path segment and down-path segment offer same peering link
     [Figure: local ISD topology with ASes K, M, L, N, P, O, S, Q, R and a peering link (p)]

  9. Path Combination Example (3)
     ▪ Peering shortcut: up-path segment and down-path segment offer same peering link
     [Figure: local ISD (ASes K, M, L, N, P, O, S, Q, R) and remote ISD (ASes T, U, V, W, X, Y, Z, A', B', C', D', E') connected by a peering link (p)]

  10. Path Combination Example (4)
     ▪ AS shortcut: path through common AS on up-path and down-path segment
     [Figure: topology with ASes K, M, L, N, P, O, S, Q, R]
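Path combination as described on slides 7 to 10, written as an added example in Go; this is not code from the slides or from the SCION project. It assumes a simple representation: each segment is a list of hop entries in beaconing order, and a hop entry records its AS and the ASes reachable over that AS's peering links.

```go
package main

// HopEntry is one AS entry of a path segment. Peers lists the ASes reachable
// over that AS's peering links (the peering link of the slide 6 legend).
type HopEntry struct {
	AS    string
	Peers map[string]bool
}

// names returns the AS identifiers of seg, reversed when the packet walks the
// segment against its beaconing direction (from the host toward the core).
func names(seg []HopEntry, reverse bool) []string {
	out := make([]string, len(seg))
	for i, h := range seg {
		if reverse {
			out[len(seg)-1-i] = h.AS
		} else {
			out[i] = h.AS
		}
	}
	return out
}

// Combine joins up-, core- and down-segments, each given in beaconing order
// (core AS first, end host's AS last; core runs from up[0] to down[0]), into the
// source-to-destination AS path. Shortcuts are searched from the source end, so
// the shortcut closest to the source wins; at each pair of entries a shared AS
// (AS shortcut, slide 10) is checked before a shared peering link (peering
// shortcut, slides 8 and 9). The core-segment combination of slide 7 is the fallback.
func Combine(up, core, down []HopEntry) (path []string, kind string) {
	for i := len(up) - 1; i >= 0; i-- {
		for j := len(down) - 1; j >= 0; j-- {
			switch {
			case up[i].AS == down[j].AS:
				return append(names(up[i:], true), names(down[j+1:], false)...), "AS shortcut"
			case up[i].Peers[down[j].AS] && down[j].Peers[up[i].AS]:
				return append(names(up[i:], true), names(down[j:], false)...), "peering shortcut"
			}
		}
	}
	path = names(up, true)
	if len(core) > 0 {
		path = append(path, names(core[1:], false)...) // core[0] is up[0], already on the path
	}
	return append(path, names(down[1:], false)...), "core combination"
}
```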

  11. Path Construction
     [Figure: ISD core with ASes A, B, C, D, E, source and destination. Control plane: up-segment (intra-ISD PCB) with INF and hop fields (HF) from AS C's, AS B's and AS A's entries; core-segment (core PCB) with INF and hop fields from AS D's and AS C's entries; down-segment (intra-ISD PCB) with INF and hop fields from AS D's and AS E's entries. Data plane: the forwarding path in the SCION header is the sequence of INF and HF entries taken from these segments]

  12. SCION Packet Header
     ▪ SCION common header encodes:
       ▪ Version
       ▪ Destination and source address types
       ▪ Total packet and header length
       ▪ Pointer to current info and hop field
       ▪ Next header type field
     ▪ SCION source and destination address encoding
       ▪ ISD-AS of source and destination are listed first to simplify parsing (constant offset)
       ▪ Destination local address is also at a fixed location
       ▪ Source local address is at a variable location

  13. Info and Hop Field Contents
     ▪ An info field provides information about a path segment, which consists of one or multiple hop fields
     ▪ An info field contains
       ▪ Flags: PEER, SHORTCUT, UP
       ▪ Timestamp containing the creation time
       ▪ ISD identifier
       ▪ Path segment length
     ▪ A hop field contains
       ▪ Flags: CONTINUE/STOP, FWD-ONLY, VRFY-ONLY, XOVER
       ▪ Expiration time, relative to timestamp in info field
       ▪ Ingress and egress interface identifiers
       ▪ Message Authentication Code (MAC)

  14. Ingress and Egress Interface Identifiers
     ▪ Each AS assigns a unique integer identifier to each interface that connects to a neighboring AS
     ▪ The interface identifiers identify ingress/egress links for traversing AS
     ▪ ASes use internal routing protocol to find route from ingress SCION border router to egress SCION border router
     ▪ Examples
       ▪ Yellow path: L:4, O:3,6, R:1
       ▪ Orange path: L:5, O:2,6, R:1
     [Figure: ASes K, M, L, N, P, O, S, Q, R with numbered interfaces; the yellow and orange paths run L → O → R]

  15. Path Encoding in Packet
     [Figure: source AS A, destination AS C, ASes D, E, F, G, H; links are core, parent–child or peering. Hop fields are written HF <AS> <ingress neighbor> <egress neighbor>, with ● for no interface. Path segments and the AS entries from which the hop fields are constructed:
       INF1 (up-segment): AS G's entry HF G ●D; AS D's entry HF D GA, peer E: HF D EA; AS A's entry HF A D●
       INF2 (core-segment): AS H's entry HF H ●G; AS G's entry HF G H●
       INF3 (down-segment): AS H's entry HF H ●F; AS F's entry HF F HC, peer E: HF F EC; AS C's entry HF C F●
     Source to destination path: INF1 (UP) HF A D●, HF D GA, HF G ●D; INF2 HF G H●, HF H ●G; INF3 (DOWN) HF H ●F, HF F HC, HF C F●; XOVER marks the hop fields where the path crosses from one segment into the next.
     Destination to source path (reversed path): the same info and hop fields in reverse order, with UP and DOWN swapped.]

  16. Path Encoding in Packet
     [Figure: source AS B, destination AS C, ASes D, E, F and core AS G; links are core, parent–child or peering. AS entries:
       AS G's entry: HF G ●E, HF G ●F
       AS E's entry: HF E GB; peer D: HF E DB; peer F: HF E FB
       AS F's entry: HF F GC; peer E: HF F EC
       AS B's entry: HF B E●
       AS C's entry: HF C F●
     Source to destination path over the E-F peering link: INF5 (UP, PEER) HF B E●, HF E FB, HF E GB (VRFY-ONLY); INF3 (DOWN, PEER) HF F GC (VRFY-ONLY), HF F EC, HF C F●; XOVER marks the crossover hop fields, and the VRFY-ONLY hop fields toward core AS G are carried for MAC verification only, not for forwarding.
     Destination to source path (reversed path): the same fields in reverse order, with UP and DOWN swapped.]

  17. Hop Field MAC Verification
     ▪ Message Authentication Code (MAC) computation and verification of Hop Field MAC value based on local AS secret key
       ▪ Key is not shared with any external entity
     ▪ Computation: MAC_K(Timestamp, Flags_HF, ExpTime, Ingress, Egress, HF')
       ▪ HF' is hop field of previous AS
     ▪ In most cases, HF' size is 8 bytes, so MAC computation can be done over 128 bits: with CMAC and AES, only a single encryption operation is needed
     ▪ With AES-NI HW crypto, only ~50 cycles are needed to compute MAC!
       ▪ Note that a DRAM memory lookup takes ~200 cycles
     ▪ AES operation requires less energy than TCAM lookup
     ▪ Thus, SCION forwarding can be faster and require less energy than IP forwarding
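The hop field MAC computation and verification of slide 17, as an added example in Go that is not code from the slides or from the SCION project. The 8-byte hop field layout, the 12-bit interface identifiers and the choice of HF' as the previous hop field's 7 bytes after its flags byte are assumptions made so the input is the single 128-bit block the slide describes; the CMAC subkey step follows RFC 4493.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
)

// newHopField packs the slide 13 contents into the 8-byte layout assumed here:
// flags (1), exp time (1), 12-bit ingress and egress ids (3), MAC (3, zero).
func newHopField(flags, expTime uint8, ingress, egress uint16) [8]byte {
	ifs := uint32(ingress&0xfff)<<12 | uint32(egress&0xfff)
	return [8]byte{flags, expTime, byte(ifs >> 16), byte(ifs >> 8), byte(ifs)}
}

// hopFieldMAC computes MAC_K(Timestamp, Flags_HF, ExpTime, Ingress, Egress, HF')
// of slide 17 with AES-CMAC (RFC 4493). HF' contributes the 7 bytes after its
// flags byte (assumed), so the input is exactly one 16-byte block and the CMAC
// is a subkey XOR plus a single AES encryption.
func hopFieldMAC(key []byte, ts uint32, hf, prev [8]byte) (mac [3]byte, err error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return mac, err
	}
	var in, l, k1 [16]byte
	binary.BigEndian.PutUint32(in[:4], ts)
	copy(in[4:9], hf[:5])  // Flags_HF, ExpTime, Ingress, Egress of this hop field
	copy(in[9:], prev[1:]) // HF' without its flags byte
	c.Encrypt(l[:], l[:])  // L = AES_K(0^128); K1 = L << 1, XOR 0x87 if L's top bit was set
	for i := 0; i < 15; i++ {
		k1[i] = l[i]<<1 | l[i+1]>>7
	}
	k1[15] = l[15] << 1
	if l[0]&0x80 != 0 {
		k1[15] ^= 0x87
	}
	for i := range in {
		in[i] ^= k1[i]
	}
	c.Encrypt(l[:], in[:]) // the single encryption operation of slide 17
	copy(mac[:], l[:3])    // truncated to the 3-byte MAC field
	return mac, nil
}

// verifyHopField is the check the AS owning key runs on its own hop field; the
// key is never shared, so no other AS can forge or verify this MAC (slide 17).
func verifyHopField(key []byte, ts uint32, hf, prev [8]byte) bool {
	mac, err := hopFieldMAC(key, ts, hf, prev)
	return err == nil && subtle.ConstantTimeCompare(mac[:], hf[5:]) == 1
}
```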

  18. For More Information …
     ▪ … please see our web page: www.scion-architecture.net
     ▪ Chapter 8 of our book “SCION: A Secure Internet Architecture”
       ▪ Available from Springer this Summer 2017
       ▪ PDF available on our web site
