SCION-based Internet Architecture
- SCION-based Internet Architecture is a clean-slate, path-aware inter-domain routing system that uses cryptographically verified paths and Isolation Domains to enhance security, availability, and operational control.
- Its packet-carried forwarding state and stateless router design eliminate traditional routing tables, ensuring secure, policy-compliant forwarding with built-in loop control and prevention of hijacks.
- Host-driven multipath selection empowers endpoints to choose among diverse routes, achieving throughput improvements up to 48% and enhanced censorship resilience.
The Scalability, Control, and Isolation On Next-generation networks (SCION) Internet architecture is a clean-slate, path-aware, inter-domain routing and data-plane system designed to address limitations of availability, security, scalability, censorship resilience, and operational control in the traditional BGP/IP Internet. SCION targets a fundamental re-architecting of wide-area communication: introducing verifiable, cryptographically bound forwarding paths, source-driven multipath selection, and a trust model rooted in administrative entities called Isolation Domains (ISDs). The architecture is characterized by explicit control/data-plane separation, packet-carried forwarding state, and architectural mechanisms that furnish both path diversity and policy transparency at Internet scale.
1. Isolation Domains, Trust Model, and Path Discovery
SCION introduces the concept of ISDs—sets of Autonomous Systems (ASes) grouped under a common Trust Root Configuration (TRC), often aligned with legal, geographic, or policy boundaries. Each ISD is governed by a set of Core ASes responsible for control-plane coordination and inter-ISD path exchanges. Non-Core ASes within an ISD are free to peer arbitrarily but rely on the Core for globally verifiable path discovery and routing information (Barrera et al., 2015).
Control-plane operation is fundamentally beacon-based. Core and non-Core ASes operate beacon servers that flood Path Construction Beacons (PCBs) within ISDs for local path discovery, and across ISD boundaries for inter-domain connectivity. Each PCB accumulates hop-specific information, cryptographically protected by per-AS signatures and MACs, yielding authenticated path segments. Three segment types are distinguished:
- Up-segments (U): from an AS up to a Core AS within its ISD.
- Core-segments (C): between Core ASes of distinct ISDs.
- Down-segments (D): from a Core AS down to a target leaf AS.
Path servers catalogue published segments. End-hosts assemble full paths by querying local and remote path servers for segment combinations, constructing end-to-end sequences as (Gartner et al., 2023, Rossi et al., 8 Sep 2025).
2. Packet-Carried Forwarding State and Secure Data Plane
The data plane in SCION dispenses with distributed routing tables in border routers. Instead, each packet header carries a complete, immutable sequence of hop fields (per-AS segments) encoding the forwarding state. Each hop field states the ingress/egress interface IDs and is authenticated using a MAC computed with the AS’s control-plane key (Barrera et al., 2015).
Routers operate as stateless data-plane elements. Upon packet receipt, a router:
- Verifies that the packet arrived on the correct local interface as specified by the hop field,
- Authenticates the hop field by verifying the MAC,
- Consumes the hop field and forwards the packet to the specified egress interface.
This model ensures that only paths constructed and authorized during control-plane discovery may be traversed, prohibiting route hijacks, unauthorized detours, and spurious path injections. Loop-freedom and “valley-free” (policy-compliant) forwarding are enforced by construction. Formal verification efforts in Isabelle/HOL and Gobra have proven that these invariants are maintained down to production router code, providing strong guarantees against both protocol-level and implementation-level exploits (Pereira et al., 2024).
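The three router steps above, as an added sketch that is not taken from the SCION code base or from the cited papers. Assumptions: HMAC-SHA256 truncated to 6 bytes stands in for the MAC, the hop-field layout is simplified, each tag is bound to the segment timestamp and the previous hop's tag, and all keys and interface IDs are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

MAC_LEN = 6  # truncated tag length (assumption for this sketch)

@dataclass(frozen=True)
class HopField:
    ingress: int  # interface the packet must arrive on (0 = path starts here)
    egress: int   # interface the packet must leave on (0 = path ends here)
    mac: bytes    # tag computed by the AS that owns these interfaces

def hop_mac(as_key, seg_ts, ingress, egress, prev_mac):
    """Tag over this hop, the segment timestamp and the previous hop's tag."""
    msg = struct.pack("!IHH", seg_ts, ingress, egress) + prev_mac
    return hmac.new(as_key, msg, hashlib.sha256).digest()[:MAC_LEN]

def build_segment(as_keys, seg_ts, hops):
    """Control plane: every AS on the segment adds its own authenticated hop."""
    fields, prev = [], b""
    for key, (ingress, egress) in zip(as_keys, hops):
        prev = hop_mac(key, seg_ts, ingress, egress, prev)
        fields.append(HopField(ingress, egress, prev))
    return fields

def process(as_key, seg_ts, fields, idx, arrived_on):
    """Data plane at one AS: return (verdict, egress interface or None)."""
    hop = fields[idx]
    if hop.ingress != arrived_on:                      # step 1: interface check
        return "drop: wrong ingress interface", None
    prev = fields[idx - 1].mac if idx > 0 else b""
    expected = hop_mac(as_key, seg_ts, hop.ingress, hop.egress, prev)
    if not hmac.compare_digest(expected, hop.mac):     # step 2: MAC check
        return "drop: bad hop-field MAC", None
    return "forward", hop.egress                       # step 3: consume, forward

# Constructed sample: three ASes A -> B -> C with made-up keys and interface IDs.
KEYS = [b"secret-of-AS-A", b"secret-of-AS-B", b"secret-of-AS-C"]
SEG_TS = 1_700_000_000
SEGMENT = build_segment(KEYS, SEG_TS, [(0, 2), (5, 7), (3, 0)])

if __name__ == "__main__":
    print(process(KEYS[1], SEG_TS, SEGMENT, 1, arrived_on=5))   # valid packet
    print(process(KEYS[1], SEG_TS, SEGMENT, 1, arrived_on=6))   # wrong interface
    rerouted = [SEGMENT[0], HopField(5, 9, SEGMENT[1].mac), SEGMENT[2]]
    print(process(KEYS[1], SEG_TS, rerouted, 1, arrived_on=5))  # egress rewritten
```

The router holds only its own key and reads everything else from the packet, so a hop field copied from a different segment or minted under another AS's key fails the same MAC check as a rewritten egress interface.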
3. Path-Aware Networking, Multipath, and Host-Driven Control
SCION exposes all policy-compliant, control-plane–authorized paths to end-hosts, contrasting sharply with BGP/IP, where routers propagate solely their preferred best path. Endpoints can thus retrieve, evaluate, and select from a diverse set of disjoint or partially overlapping paths for communication (Gartner et al., 2023, Barrera et al., 2015).
This host-centric path control enables multipath transport at the application or end-host transport layer. For example, in BitTorrent over SCION, the client differentiates between address-level and path-level peers, opening a QUIC connection for each distinct end-to-end path to the same peer address. A Disjoint Path Selection heuristic is used to minimize shared bottlenecks: given candidate paths and interface sets , the conflict score is computed to select most disjoint paths efficiently (Gartner et al., 2023).
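A greedy disjoint-path selection in the spirit of the heuristic above, as an added example that is not the BitTorrent-over-SCION implementation. The scoring rule (number of interfaces shared with already chosen paths, ties broken by path length) is an assumption, and the candidate paths and interface names are constructed.

```python
from collections import Counter

def conflict_score(path, chosen):
    """Count interfaces of `path` that an already chosen path also uses."""
    used = set().union(*chosen)
    return len(set(path) & used)

def select_disjoint(candidates, k):
    """Pick up to k paths, each time taking the one with the fewest conflicts.

    Ties go to the shorter path, then to the earlier candidate.
    """
    remaining, chosen = list(candidates), []
    while remaining and len(chosen) < k:
        best = min(remaining, key=lambda p: (conflict_score(p, chosen), len(p)))
        chosen.append(best)
        remaining.remove(best)
    return chosen

def shared_interfaces(paths):
    """Interfaces used by more than one path: the potential shared bottlenecks."""
    counts = Counter(i for p in paths for i in set(p))
    return sorted(i for i, n in counts.items() if n > 1)

# Constructed candidates to the same peer; each entry is an "AS#interface" hop.
P1 = ("A#1", "B#1", "B#2", "Z#1")
P2 = ("A#1", "B#1", "B#3", "Z#2")                # shares the A-B link with P1
P3 = ("A#2", "C#1", "C#2", "D#1", "D#2", "Z#3")  # longer, but fully disjoint
P4 = ("A#2", "C#1", "C#3", "Z#1")                # overlaps with P3 and P1
CANDIDATES = [P1, P2, P3, P4]

if __name__ == "__main__":
    picked = select_disjoint(CANDIDATES, 2)
    print("selected:", picked)
    print("shared by the selection:", shared_interfaces(picked))
    print("shared by the first two candidates:", shared_interfaces(CANDIDATES[:2]))
```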
Empirical results indicate that path-aware, multipath transport can substantially outperform both single-path BGP and static ECMP multipathing in terms of goodput (up to +48%), download time (−31%), and bandwidth aggregation. Application-level multipath exploits global network capacity in ways not possible under router-optimized, best-path–only regimes (Gartner et al., 2023, Rossi et al., 8 Sep 2025).
4. Security and Formal Verification
Security is a foundational principle. All path construction, segment announcement, and forwarding are rooted in cryptographically authenticated state:
- Control-plane: PCBs are signed per-AS, and each hop is MAC-verified. TRCs define verifiable trust roots for segment authentication.
- Data-plane: Hop fields are immutable; forging or modifying a path requires knowledge of all on-path AS secret keys.
- Policy compliance and loop-freedom: The architecture enforces that a packet can traverse only paths assembled from authorized segments, with no duplicate links or valley violations (Barrera et al., 2015, Pereira et al., 2024).
Formal verification of the SCION router, as realized in Go, proves memory safety, crash freedom, and data-race–freedom, and demonstrates trace refinement between protocol models and concrete implementation. Protocol bugs (e.g., path-splicing, loop/reflection, and source-routing attacks) were discovered and resolved in the course of these efforts (Pereira et al., 2024).
5. Path Dynamics, Measurement, and Multipath Protocol Design
Longitudinal studies on the SCIONLab testbed reveal significant control-plane churn and short path lifetimes (median ≈45 minutes). The mean path churn rate is ≈1.1 events/hour, occasionally peaking at 3/hour during traffic shifts. Path diversity is high but asymmetric (average path discrepancy ), typically due to policy differences or core-segment filtering (Rossi et al., 8 Sep 2025).
Multipath transport (e.g., MPQUIC over SCION) yields gains in aggregate throughput (+34%) but at the expense of increased per-path latency and a slight reduction in reliability, primarily attributable to exposure to transient churn and asymmetric path failure. These properties challenge protocol designers who must employ continuous, lightweight path monitoring and adaptive subflow management. ML-based failure and performance prediction models (F1≈0.86 for failure, MAE≈3.9 ms for latency prediction) are necessary to realize robust multipath under path-aware dynamics (Rossi et al., 8 Sep 2025).
6. Censorship Resilience, Global Reachability, and Carbon Efficiency
SCION’s architecture natively supports policy- and adversary-resilient routing. By enabling endpoints to select among myriad segment combinations, SCION increases Censorship Resilience Potential (CRP) and Global Reachability Potential (GRP) compared to BGP/IP:
- For a single border AS choke point in the U.S., CRP under BGP/IP is 0.74, versus 0.96 under SCION. Across 8 countries and multiple choke sizes , SCION consistently maintains higher CRP values (e.g., CRP_SCION(20)≈0.85, BGP/IP <0.30).
- SCION’s near-unity GRP (e.g., 0.9951 when all U.S. ASes are "leave-out" nodes) demonstrates effective circumvention of historic BGP chokepoints (Ivanović et al., 2024).
The same host-driven multipath selection model underlies recent application extensions, e.g., CIRo for carbon-intelligent routing. By forecasting and disseminating per-path, per-hour carbon intensity metadata via SCION control-plane extensions, endpoints can select the greenest routes, achieving median carbon intensity reductions of 47% and ≥50% footprint reductions for 87% of end domains (Tabaeiaghdaei et al., 2022).
7. Incremental Deployment, Secure Underlay, and Operational Trade-offs
SCION can be incrementally deployed as a secure routing underlay, abstracted as a virtual AS (SBAS), federating multiple operators and delivering secure, path-authenticated routing for customer prefixes. The SBAS appears as a single AS in the BGP Internet, while internally using the SCION underlay for path discovery and encapsulated packet forwarding. Operational deployments demonstrate median resilience improvements up to +61.8% and low processing overhead (<1% of transcontinental RTT). The architecture supports a range of governance models and is compatible with real-world regulatory and business constraints (Birge-Lee et al., 2022).
Trade-offs include greater per-packet header size (≈8 B per AS), higher end-host complexity (for path selection and monitoring), and increased computational demands for complex multipath and policy-compliant routing. However, these are balanced by the elimination of longest-prefix match routing tables, fast path convergence, cryptographically anchored trust, and the ability to integrate new metrics (e.g., green routing), security policies, and multipath extensions without data-plane reengineering (Barrera et al., 2015, Tabaeiaghdaei et al., 2022, Birge-Lee et al., 2022).
References:
- (Gartner et al., 2023, Pereira et al., 2024, Tabaeiaghdaei et al., 2022, Birge-Lee et al., 2022, Rossi et al., 8 Sep 2025, Barrera et al., 2015, Ivanović et al., 2024)