SCION: Data Plane Overview
Adrian Perrig, Network Security Group, ETH Zürich
SCION Data Plane Overview
▪ Data plane: How to send packets [Chapter 2.2, Chapter 8]
▪ Path lookup
▪ Path combination
▪ Path encoding in packet
2
Path Lookup
▪ Steps of a host to obtain path segments
  ▪ Host contacts RAINS server with a name
    H → RAINS: www.scion-architecture.net
    RAINS → H: ISD X, AS Y, local address Z
  ▪ Host contacts local path server to query path segments
    H → PS: ISD X, AS Y
    PS → H: up-path, core-path, down-path segments
  ▪ Host combines path segments to obtain end-to-end paths, which are added to packets
3
Path Lookup: Local ISD
▪ Client requests path segments to <ISD, AS> from the local path server
▪ If down-path segments are not locally cached, the local path server sends a request to the core path server
▪ Local path server replies with
  ▪ Up-path segments to the local ISD core ASes
  ▪ Down-path segments to <ISD, AS>
  ▪ Core-path segments as needed to connect up-path and down-path segments
4
Path Lookup: Remote ISD
▪ Host contacts the local path server requesting <ISD, AS>
▪ If the path segments are not cached, the local path server will contact the core path server
▪ If the core path server does not have the path segments cached, it will contact the remote core path server
▪ Finally, the host receives up-, core-, and down-segments
5
[Figure: two ISDs with ASes K to S, T to Z and A' to E'; legend: border router, beacon server, path server.]
Path Combination
6
[Figure: path combination cases 1a, 1b, 1c, 1d, 1e, 2, 3 and 4 (links labelled p and c). Legend: core AS, non-core AS, source/destination, up-/down-path segment, core-path segment; control-plane path segments vs. data-plane paths; regular path segment, peering link path segment.]
Path Combination Example (1)
▪ Core-segment combination: Up-path segment + core-path segment + down-path segment
7
Path Combination Example (2)
▪ Peering shortcut: up-path segment and down-path segment offer the same peering link
8
Path Combination Example (3)
▪ Peering shortcut: up-path segment and down-path segment offer the same peering link
9
Path Combination Example (4)
▪ AS shortcut: path through a common AS on the up-path and down-path segments
10
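The three combination rules from the preceding slides, as an added example (not code from the slides or from the SCION project): segments are lists of AS names in PCB order (core AS first), and peering links are an assumed `{AS: set of peer ASes}` map. The sample topologies are constructed to mirror the path encoding slides that follow.

```python
# Added example (not from the slides): combine an up-, an optional core- and a
# down-path segment into an end-to-end AS path, trying the core combination,
# the AS shortcut and the peering shortcut from the "Path Combination" slides.
# Segments are lists of AS names in PCB order (core AS first); peering links
# are given as {AS: set of peer ASes} (data model assumed for this demo).


def candidate_paths(up, down, core=None, peers=None):
    """All end-to-end AS paths obtainable from the given segments."""
    peers = peers or {}
    src_first = list(reversed(up))  # the source walks the up-segment towards the core
    cands = []

    def add(path):
        if path not in cands:
            cands.append(path)

    # 1) Core combination: up + core + down, joined at the core ASes.
    if core and core[0] == up[0] and core[-1] == down[0]:
        add(src_first + core[1:] + down[1:])
    elif not core and up[0] == down[0]:
        add(src_first + down[1:])
    # 2) AS shortcut: turn around at an AS that lies on both segments,
    #    so the packet never has to reach the core.
    for i, a in enumerate(src_first):
        for j, b in enumerate(down):
            if a == b:
                add(src_first[:i + 1] + down[j + 1:])
    # 3) Peering shortcut: both segments must advertise the same peering link
    #    (each end lists the other as a peer), then cross it directly.
    for i, a in enumerate(src_first):
        for j, b in enumerate(down):
            if b in peers.get(a, ()) and a in peers.get(b, ()):
                add(src_first[:i + 1] + down[j:])
    return cands


def shortest_path(up, down, core=None, peers=None):
    """Pick the fewest-AS path; a shortcut wins over the core combination."""
    return min(candidate_paths(up, down, core, peers), key=len)
```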
Path Construction
11
[Figure: path construction from source to destination through the ISD core (ASes A, B, C, D, E). Control plane: the up-segment (intra-ISD PCB) holds an INF followed by HF entries for AS C, AS B and AS A; the core-segment (core PCB) holds an INF followed by HF entries for AS D and AS C; the down-segment (intra-ISD PCB) holds an INF followed by HF entries for AS D and AS E. Data plane: the forwarding path in the SCION header concatenates them as INF HF HF HF | INF HF HF | INF HF HF.]
SCION Packet Header
▪ SCION common header encodes:
  ▪ Version
  ▪ Destination and source address types
  ▪ Total packet and header length
  ▪ Pointer to current info and hop field
  ▪ Next header type field
▪ SCION source and destination address encoding
  ▪ ISD-AS of source and destination are listed first to simplify parsing (constant offset)
  ▪ Destination local address is also at a fixed location
  ▪ Source local address is at a variable location
12
Info and Hop Field Contents
▪ An info field provides information about a path segment, which consists of one or multiple hop fields
▪ An info field contains
  ▪ Flags: PEER, SHORTCUT, UP
  ▪ Timestamp containing the creation time
  ▪ ISD identifier
  ▪ Path segment length
▪ A hop field contains
  ▪ Flags: CONTINUE/STOP, FWD-ONLY, VRFY-ONLY, XOVER
  ▪ Expiration time, relative to the timestamp in the info field
  ▪ Ingress and egress interface identifiers
  ▪ Message Authentication Code (MAC)
13
Ingress and Egress Interface Identifiers
▪ Each AS assigns a unique integer identifier to each interface that connects to a neighboring AS
▪ The interface identifiers identify the ingress/egress links of the traversed AS
▪ ASes use an internal routing protocol to find the route from the ingress SCION border router to the egress SCION border router
▪ Examples
  ▪ Yellow path: L:4, O:3,6, R:1
  ▪ Orange path: L:5, O:2,6, R:1
14
[Figure: ASes K to S with numbered interface identifiers (1 to 9) on their inter-AS links; the yellow and orange example paths run from L via O to R.]
Path Encoding in Packet
15
[Figure: path encoding for a regular path from source A to destination C through ASes D, G, H and F. On the slide, hop fields are labelled HF followed by the AS, the preceding AS and the next AS on the segment, with ● where the segment ends. Links: parent-child, peering, constructed path.]
Path segments (control plane):
▪ INF1 (up-segment): AS G's entry HFG●D; AS D's entry HFDGA, Peer E: HFDEA; AS A's entry HFAD●
▪ INF2 (core-segment): AS H's entry HFH●G; AS G's entry HFGH●
▪ INF3 (down-segment): AS H's entry HFH●F; AS F's entry HFFHC, Peer E: HFFEC; AS C's entry HFCF●
Source to destination path (in the SCION header): INF1 HFAD● HFDGA HFG●D | INF2 HFGH● HFH●G | INF3 HFH●F HFFHC HFCF●
Destination to source path (reversed path, as drawn on the slide): HFAD● HFDGA HFG●D INF1 | HFGH● HFH●G INF2 | HFH●F HFFHC HFCF● INF3
Flag annotations on the fields: UP XOVER UP XOVER DOWN DOWN XOVER DOWN XOVER UP
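The field order of the regular (non-peering) path on this slide, as an added example (not code from the slides or the SCION project): each segment is modelled as its info field, its hop fields in PCB order (core AS first) and whether the packet traverses it against the beaconing direction; hop field names are the slide's labels.

```python
# Added example (not from the slides): lay out the forwarding path of the
# regular-path encoding slide in the SCION header and reverse it for the
# return direction. Each segment is (INF, [hop fields in PCB order, core AS
# first], traversed_against_beacon); the labels are the slide's own.
SEGMENTS = [
    ("INF1", ["HFG●D", "HFDGA", "HFAD●"], True),   # up-segment, walked A -> D -> G
    ("INF2", ["HFH●G", "HFGH●"], True),            # core-segment, walked G -> H
    ("INF3", ["HFH●F", "HFFHC", "HFCF●"], False),  # down-segment, walked H -> F -> C
]


def forwarding_path(segments):
    """Source-to-destination order: every segment is its INF followed by its
    hop fields in traversal order, so a segment walked against the PCB
    direction (up-segment, and here the core-segment) has its HFs reversed."""
    path = []
    for inf, hfs, against_beacon in segments:
        path.append(inf)
        path.extend(reversed(hfs) if against_beacon else hfs)
    return path


def reverse_path(path):
    """Destination-to-source order: segments in reverse order, each INF kept
    in front of its hop fields, and the hop fields of every segment reversed."""
    groups = []
    for field in path:
        if field.startswith("INF"):
            groups.append([field])
        else:
            groups[-1].append(field)
    out = []
    for group in reversed(groups):
        out.append(group[0])
        out.extend(reversed(group[1:]))
    return out
```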
Path Encoding in Packet
16
[Figure: path encoding for a peering shortcut path from source B to destination C via the peering link between E and F. Hop fields are labelled HF followed by the AS, the preceding AS and the next AS, with ● where the segment ends. Links: parent-child, peering, constructed path.]
Path segments (control plane):
▪ INF5 (up-segment): AS G's entry HFG●E; AS E's entry HFEGB, Peer D: HFEDB, Peer F: HFEFB; AS B's entry HFBE●
▪ INF3 (down-segment): AS G's entry HFG●F; AS F's entry HFFGC, Peer E: HFFEC; AS C's entry HFCF●
Source to destination path (in the SCION header): INF5 HFBE● HFEFB HFEGB | INF3 HFFGC HFFEC HFCF●
Destination to source path (reversed path, as drawn on the slide): HFBE● HFEFB HFEGB INF5 | HFFGC HFFEC HFCF● INF3
Flag annotations on the fields: PEER UP XOVER PEER DOWN VRFY-ONLY PEER DOWN XOVER PEER UP VRFY-ONLY VRFY-ONLY XOVER VRFY-ONLY XOVER
Hop Field MAC Verification
▪ Message Authentication Code (MAC) computation and verification of the hop field MAC value are based on the local AS secret key
  ▪ Key is not shared with any external entity
▪ Computation: MAC_K(Timestamp, Flags_HF, ExpTime, Ingress, Egress, HF')
  ▪ HF' is the hop field of the previous AS
  ▪ In most cases, the HF' size is 8 bytes, so the MAC computation can be done over 128 bits: with CMAC and AES, only a single encryption operation is needed
▪ With AES-NI HW crypto, only ~50 cycles are needed to compute the MAC!
  ▪ Note that a DRAM memory lookup takes ~200 cycles
  ▪ An AES operation requires less energy than a TCAM lookup
▪ Thus, SCION forwarding can be faster and require less energy than IP forwarding
17
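The chained MAC from the slide above, as an added example (not code from the slides or the SCION project): field widths, the all-zero HF' for a segment's first AS and the demo keys are assumptions, and HMAC-SHA256 from the standard library stands in for the AES-CMAC the slide uses. The hops are the interface identifier slide's yellow path, L:4, O:3,6, R:1.

```python
# Added example (not from the slides): chained hop field MACs as on the "Hop
# Field MAC Verification" slide. Field widths are assumptions for this demo:
# HF = flags(1B) | exptime(1B) | ingress,egress (12 bits each) | MAC(3B) = 8B.
# HMAC-SHA256 from the standard library stands in for the slide's AES-CMAC.
import hashlib
import hmac
import struct

MAC_LEN = 3
NULL_HF = bytes(8)  # HF' used for the first AS of a segment (assumed)
KEYS = {"L": b"L" * 16, "O": b"O" * 16, "R": b"R" * 16}  # constructed demo keys
HOPS = [("L", 0, 4), ("O", 3, 6), ("R", 1, 0)]  # the slide's yellow path

def pack_ifids(ingress, egress):
    """Pack two 12-bit interface identifiers into 3 bytes."""
    return ((ingress << 12) | egress).to_bytes(3, "big")

def hf_mac(key, timestamp, flags, exptime, ingress, egress, prev_hf):
    # MAC_K(Timestamp, Flags_HF, ExpTime, Ingress, Egress, HF') in the slide's
    # order; including HF' chains each hop field to its predecessor.
    data = (struct.pack(">I", timestamp) + bytes([flags, exptime])
            + pack_ifids(ingress, egress) + prev_hf)
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]

def verify_hf(key, timestamp, hf, prev_hf, now_rel=0):
    """Border-router check with the local AS key: HF not expired (ExpTime is
    relative to the info field timestamp) and the recomputed MAC matches."""
    flags, exptime = hf[0], hf[1]
    ifids = int.from_bytes(hf[2:5], "big")
    if now_rel > exptime:
        return False
    expected = hf_mac(key, timestamp, flags, exptime, ifids >> 12, ifids & 0xFFF, prev_hf)
    return hmac.compare_digest(expected, hf[5:])

def build_segment(keys, timestamp, hops, exptime=10):
    """hops: [(AS, ingress, egress)]. Each AS appends its HF using only its
    own secret key, which never leaves the AS."""
    hfs, prev = [], NULL_HF
    for as_name, ingress, egress in hops:
        mac = hf_mac(keys[as_name], timestamp, 0, exptime, ingress, egress, prev)
        prev = bytes([0, exptime]) + pack_ifids(ingress, egress) + mac
        hfs.append(prev)
    return hfs

def verify_segment(keys, timestamp, hops, hfs, now_rel=0):
    """Replay the per-AS checks along the segment; any altered field breaks
    the chain at that AS or at the next one."""
    prev = NULL_HF
    for (as_name, _, _), hf in zip(hops, hfs):
        if not verify_hf(keys[as_name], timestamp, hf, prev, now_rel):
            return False
        prev = hf
    return True
```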
For More Information …
▪ … please see our web page: www.scion-architecture.net
▪ Chapter 8 of our book "SCION: A Secure Internet Architecture"
  ▪ Available from Springer this Summer 2017
  ▪ PDF available on our web site
18