The European IP address registry RIPE has received an unusual request: to build a "new internet", the creators of Scalability, Control, and Isolation on Next-Generation Networks (SCION) also need new addresses. Could the European IP address registry RIPE issue them?
The Border Gateway Protocol (BGP), through which the subnets of companies and providers connect to one another to form the wider Internet, has some security weaknesses. For example, false BGP routes can be published with little effort so that traffic is steered to false destinations (BGP hijacking, also called prefix or route hijacking). The traffic can then be spied on as it crosses the foreign subnetworks. A remedy for this scenario has been specified in the form of cryptographic protection of routes via RPKI (BGP Route Origin Validation, ROV), but RPKI is spreading only gradually. And comprehensive protection of the entire path through the old best-effort Internet is still far off.
This is where SCION comes in (it originally started under the label "Secure Communication Infrastructure for a Future Internet", SCI-FI). Instead of best-effort routing, the transmission paths between the subnets are determined in advance. The makers around the Swiss computer scientist Adrian Perrig call this path-aware routing. Preparing the routes is the job of central autonomous systems (core ASes), which do so for all participants within a partial network they manage (isolation domain, ISD), the root of a trust domain.
The core AS in the ISD works as an intermediary that looks up routes for users in the ISD and proposes suitable ones to choose from. These can be ISD-internal routes or external routes to other ISDs. The makers see it as an advantage that internal traffic can be handled strictly locally and never has to take a detour through external ISDs.
In general, isolation domains (ISDs) are there to increase transparency and freedom of choice and do not lead to more censorship or walls than in today's internet. A SCION AS can participate in several ISDs, for example, in addition to a global ISD, in a Google ISD, an EU ISD, an ICANN ISD and so on. Adrian Perrig added: "While ISDs allow sovereignty over a network, they offer more freedom of choice and transparency, because you know exactly which trust anchors must be trusted for every process. Thanks to this freedom of choice, SCION also has a risk that the communication could be braced".
Address format with an additional field
SCION addresses differ from IPv4 and IPv6 addresses, Perrig told the administrators and network developers at the 81st RIPE conference in late October. They consist of three parts: the first part of the address is the number of the ISD, the second the number of the AS, and the last refers to the end system (simplified example: 1, 10, 184.108.40.206).
SCION does not replace today's IPv4/IPv6 addressing for end hosts, but supplements it with explicit SCION AS addressing. SCION works without public addresses; all hosts sit behind the ISDs of their provider. Servers would therefore have to give the address of their ISD. The addresses need a few more bits than classic IPv4/IPv6 addresses. Gateways could mediate the communication between today's IP Internet and SCION.
Sovereign network islands
The SCION developers promise "more security and a new sovereignty for the independent ISD subnetworks". They also advertise that SCION could be built up from national subnets: "A possible model for ISDs would be a layout along national borders or along the boundaries of federations, because parties within their own jurisdiction can enforce contracts and agree on a Trusted Root Configuration (TRC)."
What the makers see as an advantage for operators, namely regaining sovereignty over their subnets and over the paths their own traffic takes, worries others. The core ASes "ruling" in the ISDs could, for example, offer only selected routes and restrict incoming and outgoing traffic according to their own ideas. This creates new control points, according to Rüdiger Volk, the former routing expert at DTAG.
The question of censorship by governments is raised frequently, Perrig confirmed. But SCION is prepared for it. End systems could bypass the core AS through direct peerings (using the provider's local path servers). Eavesdropping is prevented by the TLS encryption that is already common. Additional extensions could provide anonymity, he promises.
David Hausheer, also involved in the SCION project, added: "Openness and transparency are two of the central properties that can be ensured by SCION." The book SCION: A Secure Internet Architecture also addresses this topic. Among other things, it says: "Although an ISD guarantees isolation from other networks, the central purpose of an ISD is to create transparency and support heterogeneous trust environments. While it may seem that ISDs lead to a Balkanization and could prevent an open internet, they counter-intuitively preserve openness and transparency."
Help from the IP address managers?
Currently around 600 SCION end users are active in 36 ISDs. The ETH spin-off Anapaya supplies data centers with SCION access points. Swisscom, the Swiss research network SWITCH, the DFN and four Swiss banks are taking part in pilot operation. So far, Anapaya assigns the required AS addresses itself. The SCION scientists are looking for support. At the RIPE conference, David Hausheer of the Otto-von-Guericke-Universität Magdeburg asked whether the NCC, RIPE's operational arm, could issue such new addresses.
Daniel Karrenberg, chief scientist of the RIPE NCC, replied: "Whether the RIPE NCC participates in a pilot project is for the RIPE members to decide." That SCION wants to set up its own standardization organization in the form of a foundation drew criticism from Karrenberg's colleague Marco Hogewoning. The SCION developers reported that they have put out feelers towards both the IETF and the International Telecommunication Union (ITU). They would prefer to keep the new internet in their own hands.
[Update]: 17.11.2020, 15:10: explanation of the isolation domain and core AS concepts expanded, SCION addressing corrected