
The First Dutch Free and Open Source SCION Connection - Interview with Hans-Dieter Hiep

Today Centrum Wiskunde & Informatica (CWI) and NLnet are launching the first Dutch public connection to the SCION network, an alternative and more secure internet architecture. NLnet supports the development of the protocol by financing SCION-related projects and through the work of our staff members Hans-Dieter Hiep and Ronny Lam. We interviewed Hans-Dieter about the merits of SCION and his collaboration with CWI to establish the link, as well as to deploy SCIERA.

Congratulations on establishing the first public and freely available SCION connection in the Netherlands. What do you find so interesting about SCION?

Thanks! It’s quite fitting that the first public SCION connection is established at CWI. The institute made internet history 37 years ago as the first in Europe to connect to the public internet. But networking has changed considerably since 1988. From a time when newcomers were personally welcomed onto the network, we’ve gone through critical cyber incidents such as the disruptive kinetic attacks of 2001, route hijacking, or DDoS attacks. We also had the DigiNotar certificate authority hack of 2011, ransomware attacks on critical infrastructure and vital sectors, and more recently the Dutch Public Prosecution (OM) that was disconnected from the internet.

It is important to know what we can learn from these incidents in the past. And whether there is a way we can ameliorate the most severe and urgent problems currently seen on the internet. As part of my work as Technology Assessor at NLnet, I’m assessing the SCION protocol. It is a novel inter-network routing protocol under development at ETH Zürich, Switzerland, since 2009. My goal is to assess whether SCION is an adequate and appropriate technology for solving the challenges of the internet that we currently face.

Can you explain what SCION is and how it would address those challenges?

First, I’d like to point out that SCION is not a replacement of the internet, and does not cause internet splintering or fragmentation. A better characterization would be a fully ‘backwards compatible’ but more secure inter-network routing protocol. It is especially relevant for use in critical infrastructure and vital sectors such as defence, energy, transportation, industry, finance, healthcare, and education. Currently, there is no scientific proof that the Internet Protocol (IPv4/IPv6) and the Border Gateway Protocol (BGP) satisfy crucial correctness and security properties that guarantee the safety and liveness of the global interconnected system. What can you expect from a protocol that was designed on two napkins? In contrast, SCION was designed from the ground up employing formal methods, to rigorously prove correctness and security properties, while maintaining compatibility with the internet.

Why do we need such an alternative?

The internet scaled up in optimistic times when there was still a lot of mutual trust in the networking world. It is unlikely that the early internet pioneers, while sketching out the architecture of the system, anticipated any of the subsequent cyber incidents. However, SCION takes into account the lessons we can learn from those past incidents, to avoid route hijacking, to prevent DDoS attacks by reducing the attack surface, and to decentralize certificate roots. SCION is a great tool for the protection of national cyberspace, and has the potential to be used to implement measures for safeguarding digital autonomy and sovereignty.

Another issue is that end-users nowadays have no clue where their data travels when they communicate over the internet. For example: how can doctors or lawyers using the internet actually know where their patient or client data goes? For these specific cases, route control empowers users by letting them choose which routes their data should travel over. Network administrators can also enforce policies, e.g. to ensure medical data takes only sanitized paths and legal data remains within jurisdiction, thereby complying with data protection regulations. For each vital sector, we can imagine a different ‘network of networks’, called a federated network. Federated networks can overlap and possibly span many countries. In the upper limit, taking all federated networks together, we have the same reach as the current internet. But, for each federated network different rules may apply, and maybe in the future even international laws.
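The route control described in this answer can be illustrated with a small path-policy check. The code below is an added example, not part of the interview and not SCION's own code or API: it models a path as a sequence of (ISD, AS) hops and a sector policy as a set of allowed Isolation Domains plus a set of denied ASes, then picks the shortest path that complies. Every hop is checked, not only the endpoints, so a path that leaves the jurisdiction mid-way and comes back is rejected. All ISD and AS numbers are constructed for the example.

```python
"""Added illustration of policy-based path selection (not SCION's own code).

Assumptions, all constructed for this example:
  - a path is a tuple of Hop(isd, asn) values, one per AS traversed;
  - a Policy carries an optional set of allowed ISDs (empty = any ISD) and a
    set of denied ASes that must never appear on the path;
  - real SCION path metadata is richer (interfaces, MTU, latency, ...).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Hop:
    isd: int   # Isolation Domain number
    asn: int   # AS number inside that ISD


@dataclass
class Policy:
    name: str
    allowed_isds: frozenset = field(default_factory=frozenset)  # empty = no restriction
    denied_ases: frozenset = field(default_factory=frozenset)   # e.g. non-sanitized transit


def path_allowed(path, policy):
    """Return (ok, reason). Each hop is checked so that a detour through
    another ISD, or through a denied AS, anywhere on the path is caught."""
    for hop in path:
        if policy.allowed_isds and hop.isd not in policy.allowed_isds:
            return False, f"hop {hop.isd}-{hop.asn} outside allowed ISDs"
        if hop.asn in policy.denied_ases:
            return False, f"hop {hop.isd}-{hop.asn} is a denied AS"
    return True, "ok"


def select_path(paths, policy):
    """Pick the shortest policy-compliant path, or None if none complies.
    Returning None (rather than falling back to any path) is the safe
    failure mode: data for a regulated sector should not be sent at all
    over a path the policy forbids."""
    compliant = [p for p in paths if path_allowed(p, policy)[0]]
    if not compliant:
        return None
    return min(compliant, key=len)


# Constructed candidate paths, as a path lookup might return them.
# ISD 1 stands for the home jurisdiction, ISD 2 for a foreign one.
CANDIDATE_PATHS = [
    (Hop(1, 100), Hop(1, 110), Hop(1, 120)),               # short, stays in ISD 1
    (Hop(1, 100), Hop(2, 200), Hop(1, 120)),               # same length, detours via ISD 2
    (Hop(1, 100), Hop(1, 130), Hop(1, 140), Hop(1, 120)),  # longer, stays in ISD 1
]

# Constructed sector policies mirroring the two cases in the interview.
LEGAL_POLICY = Policy("legal: stay within jurisdiction", allowed_isds=frozenset({1}))
MEDICAL_POLICY = Policy("medical: sanitized paths only",
                        allowed_isds=frozenset({1}), denied_ases=frozenset({110}))

if __name__ == "__main__":
    for policy in (LEGAL_POLICY, MEDICAL_POLICY):
        chosen = select_path(CANDIDATE_PATHS, policy)
        print(policy.name, "->", chosen)
```

With the constructed input, the legal policy selects the first path (shortest path that never leaves ISD 1), while the medical policy rejects it because AS 110 is on the denied list, rejects the second for leaving the ISD, and falls back to the longer third path.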

NLnet played a significant role in the early days of the internet in Europe. Why is NLnet involved in this new networking protocol, and how?

I can imagine the frustration and anger of early internet pioneers, looking back at what their dream system has turned into: a Moloch we now have to deal with. One of NLnet’s core activities is to contribute to a well-functioning internet. To do so, we are experimenting with and evaluating new technologies - to better serve the interests of all internet users. But we also keep supporting existing technologies: there are people currently working on important improvements, such as on the BGPsec protocol. However, sometimes it is really difficult to overcome architectural aspects: the internet currently lacks properties such as routing table scalability, end-user route control, and failure isolation. Since SCION is a clean-slate project, it supports these essential and important properties by design, and thus offers a significant improvement of the security of the internet when deployed.

NLnet and CWI have a shared history when it comes to developing networks. How are NLnet and CWI currently collaborating?

Together with Emil Gorter of CWI’s Information Technology and Facilities department we are deploying the SCIERA (SCION Education, Research and Academic Infrastructure) network. This is one of the production networks, with a quarter million users already, that runs on SCION, specifically aimed at world-wide research institutes, universities, and universities of applied sciences. We also got a helping hand from Marijke Kaat (SURF) and Ralph Koning (SIDN Labs).

NLnet, as a grant making organization, also financially supports eight SCION projects. How do these projects relate to NLnet’s direct involvement with SCION?

SCION is implemented twice: there is a commercial implementation, and a free and open source implementation. NLnet is one of the funders of the free and open source SCION implementation, maintained by the SCION Association. Funds are spread out over several different projects. Each of these projects implements different components. Having access to the inner workings of these components is really important in the academic world, since we want to be able to know precisely how the system works, within all the nitty-gritty details. Moreover, an open source implementation allows curious students to study and scrutinize the novel inter-network routing system, and gives them the freedom to build upon and improve it over time.

CWI is the first research institute in The Netherlands to connect to SCIERA. Why is this a milestone event?

SCION is already in production in several networks in Switzerland. For example, to connect banks in the Secure Swiss Finance Network (SSFN) where 200 billion Swiss francs are transacted daily. But this is a milestone of a different kind: we have the first public access to this new networking technology in the Netherlands. Together with Vera Sarkol of CWI’s Information & Documentation department we have set up a terminal in the library at the heart of CWI where users can try out a demonstration: browsing the Web using SCION that shows exactly which path requests and responses follow. Scientists at CWI can try it out. But the public demonstration can also be interesting to visiting scientists, for example from the United States of America.

Can you tell us what kind of assessments of SCION will be done?

The connection to this new SCION network is completely separate from the current internet, or as we like to call it: ‘galvanically isolated’ (a term coined by my colleague, Ronny Lam). This means that we want to ensure that, even when ‘the internet’ is down, for example due to DDoS attacks or BGP route disruptions, this new network remains connected and online. Compare it to a house on a dike with a door on lower ground and a door on higher ground. When there is a flood (say, a DDoS attack), you make sure the lower door remains closed and sealed. But you can still leave the house through the other door reaching higher ground to run errands. You only open the lower ground door when the flood water has cleared.

Let us envision how these federated networks can be used to divide cyberspace into different zones - much like the maritime zones as recognized under international law - to regulate how state sovereignty is exercised. The current internet is comparable to all the water on Earth, and that will not change. But, flags on ships can be used to permit or deny entering certain zones or ports. SCION flags special traffic, for example belonging to critical infrastructure and vital sectors. And, similar to air traffic control where each airplane has an associated flight path, so does SCION traffic carry path information. It uses encryption to make sure those ‘flags’ and ‘paths’ cannot be stolen or corrupted.
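The ‘paths that cannot be corrupted’ idea in this answer can be shown with a toy model of authenticated path information. This is an added example, not code from the interview and not SCION's real hop-field format: each AS on the path stamps its own hop field with a keyed MAC (HMAC-SHA256, truncated) that is chained to the previous hop's MAC, so a later change to a hop field, or a forged MAC, is detected by the AS whose key would have been needed. The AS numbers, interface numbers and per-AS keys are constructed for the example; the layout is a simplification chosen to make the chaining visible.

```python
"""Added illustration of MAC-protected hop fields (not SCION's own code).

Constructed model: a hop field is "isd:asn:ingress:egress"; the AS named in
the hop field computes mac = HMAC(key_AS, hop_field || previous_mac). An AS
forwarding a packet recomputes only its own MAC, which is all it can check
without other ASes' keys. Keys and numbers below are made up for the example.
"""
import hashlib
import hmac

# Constructed per-AS secret keys; in a real deployment each AS holds only its own.
AS_KEYS = {100: b"constructed-key-as100",
           110: b"constructed-key-as110",
           120: b"constructed-key-as120"}

MAC_LEN = 8  # truncated tag, enough for the illustration


def hop_bytes(isd, asn, ingress, egress):
    return f"{isd}:{asn}:{ingress}:{egress}".encode()


def hop_mac(key, hop, prev_mac):
    # Including prev_mac binds this hop to every hop before it (chaining).
    return hmac.new(key, hop + prev_mac, hashlib.sha256).digest()[:MAC_LEN]


def build_path(hops):
    """hops: list of (isd, asn, ingress, egress) tuples in forwarding order.
    Returns a list of (hop_field, mac) pairs as the path would be carried."""
    stamped, prev = [], b""
    for isd, asn, ingress, egress in hops:
        hop = hop_bytes(isd, asn, ingress, egress)
        mac = hop_mac(AS_KEYS[asn], hop, prev)
        stamped.append((hop, mac))
        prev = mac
    return stamped


def verify_at(stamped, index):
    """The check AS number `index` on the path performs: recompute its own MAC
    over its hop field and the previous hop's MAC and compare in constant time."""
    hop, mac = stamped[index]
    asn = int(hop.decode().split(":")[1])
    prev = stamped[index - 1][1] if index > 0 else b""
    return hmac.compare_digest(hop_mac(AS_KEYS[asn], hop, prev), mac)


def verify_path(stamped):
    """True only if every AS on the path would accept its own hop field."""
    return all(verify_at(stamped, i) for i in range(len(stamped)))


def corrupted_copy(stamped, index, new_egress, new_mac=None):
    """Return a copy with one hop's egress interface changed, to show what the
    receiving ASes detect. new_mac simulates a guessed tag replacing the real one."""
    copy = list(stamped)
    hop, mac = copy[index]
    isd, asn, ingress, _ = hop.decode().split(":")
    copy[index] = (hop_bytes(isd, asn, ingress, new_egress), new_mac or mac)
    return copy


# Constructed three-AS path inside ISD 1.
PATH = build_path([(1, 100, 0, 2), (1, 110, 3, 7), (1, 120, 5, 0)])

if __name__ == "__main__":
    print("intact path verifies:", verify_path(PATH))
    bad = corrupted_copy(PATH, 1, new_egress=9)
    print("AS 110 accepts changed hop field:", verify_at(bad, 1))
    bad2 = corrupted_copy(PATH, 1, new_egress=9, new_mac=b"\x00" * MAC_LEN)
    print("AS 120 accepts downstream of guessed MAC:", verify_at(bad2, 2))
```

Two outcomes are worth noting. Changing only the hop field leaves the chain intact after it, so the AS named in that field (AS 110) is the one that rejects the packet; replacing the tag as well breaks the chain, so the next AS (AS 120) rejects it too. Either way the altered path never traverses the intended detour undetected, which is the property the interview attributes to path information carried with the traffic.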

Note that most ports remain open for business, but some ports must be protected from a national security point of view. Hence it is important to have more tools for zoning and directing special traffic. Being bold, I could even envision a future Geneva convention in which international cyberspace is regulated by law, possibly following the principles of the US Declaration for the Future of the Internet and the European Declaration on Digital Rights and Principles.

Does SCION not run the risk of becoming a secure private network for those who can afford it, while the rest is left with an increasingly vulnerable internet?

This is the main reason why NLnet is making so much effort in funding a free and open source implementation, and scrutinizing the technology and its development. In time, technology assessment reaches consensus and the technology could be deemed ready for the next phase. But we are not there yet as it takes more independent experts to have a look at the technology and build up knowledge.

At the same time, protection against vulnerabilities on the internet should remain top priority. Although SCION can help to ameliorate urgent problems, it is not a silver bullet and cannot solve all cybersecurity issues such as attacks targeting higher layers of the protocol stack. The NLnet portfolio contains many other technologies that could help protect users on the internet, and these technologies are all provided under free and open source licenses. For example, technologies that allow (collaborating) users to store their data as locally as possible, or mesh networking technology.

Since SCION relies on Isolation Domains (ISDs) and Trust Root Configurations (TRCs), is this not a form of centralization of the internet?

Currently on the internet we have the Public Key Infrastructure (PKI) and each operating system vendor can choose which trust roots it deems acceptable. Within the internet’s routing infrastructure, you have DNSSEC and RPKI/BGPsec, where resources are protected by such PKI. That is pretty centralized already, and the risk of keys falling in the wrong hands or being used as kill switches is already present on the internet today. Changing trust roots, however, is often done via a remote update functionality, which can also be a source of vulnerabilities if (accidentally or maliciously) compromised - as we have recently seen during the CrowdStrike incident. And how would remote update even work, if you just lost connectivity? Separately, we can learn from the DigiNotar incident, and the subsequent Dutch government’s negotiation with Microsoft to delay a remote deployment of the trust root patch in The Netherlands for a week. Ideally, you want such failures to remain as isolated and localized as possible. That is the whole point of Isolation Domains in SCION. Finally, to bootstrap the whole thing, you need to meet face-to-face to exchange and validate trust in the base Trust Root Configuration in a so-called signing ceremony. For more details, consider reading the Complete Guide to SCION.


About CWI

Founded in 1946, Centrum Wiskunde & Informatica (CWI) is the national research institute for mathematics and computer science in the Netherlands. It is located at Amsterdam Science Park and is part of the Institutes Organisation of NWO. The institute is internationally renowned. Over 150 researchers conduct pioneering research and share their acquired knowledge with society. Over 30 researchers are also employed as professors at universities. The institute has generated twenty-nine spin-off companies.

About NLnet Foundation

NLnet supports organizations and people who contribute to an open internet for all. NLnet funds projects that help fix the internet through open hardware, open software, open standards, open science, and open data. After its historical contribution to the early internet in Europe in the 1980s, NLnet has been financially supporting the open internet since 1997.