SCION Deployment Issues

SCION Deployment Issues SCION Association

kme@scion.org

SCION Association

nic@scion.org

IRTF PANRG Internet-Draft TODO Abstract here About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the WG Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction The goal of this draft is two-fold: it tries to document lessons learned in deploying SCION to some if its productive early adopters, and it tries to tries to answer questions 2.7 - Operating a Path-Aware Network, and 2.8 - Deploying a Path-Aware Network posed in . Note: This is the very first version of the SCION deployment draft, and it merely contains a skeleton of potential topics to be further discussed in this draft. Any feedback is welcome and much appreciated. Thanks!

This draft assumes the reader is familiar with the overall core SCION specification, outlined in , , .

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Deployment Models

SCION Network - How to roll it out.

SCION-IP Gateway Introduction to IP in SCION tunneling for ecosystems. See S. Hitz IETF118 presentation: https://datatracker.ietf.org/meeting/118/materials/slides-118-panrg-operational-aspects-of-scion-00

SCION-enabled Applications/Native SCION Endpoint

Implications for the transport layer Address section 2.5 of .

Establishing and running an Isolation Domain See F. Steinmann presentation IETF118 - https://datatracker.ietf.org/meeting/118/materials/slides-118-panrg-scion-deployment-experience-the-secure-swiss-finance-network-ssfn

Description and use case

Governance

Core Members - TRC signers

Issuing Members - issuers of AS certifications (may be the same as Core Members)

Non-Core Members

Coordination

Required contact information

Methods of Communication and Authentication requirements

ISD Policy Development & Maintenance

Assignment and registration of ISD numbers

Assignment and registration of SCION AS numbers

Trust Root Configuration

TRC signing
TRC distribution & installation
Maintaining cryptographic material
Certificate issuance

Establishing and running a SCION network

Prerequisites - e.g. AS number, running existing intra-domain protocol if applicable

How to join an ISD

Obtaining a SCION AS number and AS certificate

Setting up the Control Services (Beacon, Path and Certificate servers) Also cover Availability & scalability of such services.

Setting up SCION border routers

Configuring path (segment) attributes/parameters How do customers select paths?

SCION & Network Address Translation

Software Change Management

Adding and removing networks from an Isolation Domain

Adding a new Core network

Removing an existing Core network

Changes between existing Core networks

Adding a new non-Core network

Removing an existing non-Core network

Changes between Core network and non-core network

Connecting to other Isolation Domains

Inter-ISD Governance

Inter-ISD Governance (is this applicable?)
Inter-ISD Policy Development & Maintenance
Inter-ISD Path selection

Performance Monitoring

Security Considerations

Security Incident Handling

IANA Considerations This document has no IANA actions.

Normative References Current Open Questions in Path-Aware Networking In contrast to the present Internet architecture, a path-aware internetworking architecture has two important properties: it exposes the properties of available Internet paths to endpoints, and it provides for endpoints and applications to use these properties to select paths through the Internet for their traffic. While this property of "path awareness" already exists in many Internet-connected networks within single domains and via administrative interfaces to the network layer, a fully path-aware internetwork expands these concepts across layers and across the Internet. This document poses questions in path-aware networking, open as of 2021, that must be answered in the design, development, and deployment of path-aware internetworks. It was originally written to frame discussions in the Path Aware Networking Research Group (PANRG), and has been published to snapshot current thinking in this space. SCION Control Plane SCION Association SCION Association Anapaya Systems SCION Control-Plane PKI SCION Association SCION Association Anapaya Systems SCION Data Plane SCION Association SCION Association Anapaya Systems Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.

Acknowledgments TODO acknowledge.