Would RIPE NCC be interested in managing the assignment of, for example, AS numbers for SCION, a (nearly) clean slate internet approach?

2020-11-05 Blog

This is the first article in our RIPE81 series of blogposts by eJournalist, Monika Ermert.

Autonomous system (AS) numbers for a whole new internet

The Swiss research project “Scalability, Control, Isolation on Next-Generation Networks”, SCION, has engaged a growing number of actors around Europe since its inception in 2011. For instance, CENTR member SWITCH is a long-time satisfied contributor to the project. SCION plans to do away with BGP, an internet routing protocol that has repeatedly proven vulnerable to hijacking in recent years, and to establish so-called Isolation Domains (ISDs) instead. Each ISD is equipped with a public key infrastructure (PKI) and can be restricted to a local regulatory domain, or any other form of local domain, which can then be interlinked with other ISDs. As such, SCION contrasts with the current organisation of the internet in autonomous systems (AS) interlinked by BGP.

Another CENTR member, SIDN, helped organise a Birds-of-a-Feather (BoF) session at the virtual RIPE meeting on Monday 26 October 2020. One topic was the possibility of starting a RIPE WG, a logical first step towards larger internet community involvement in further SCION deployments. As discussed by SIDN in a recent write-up of SCION experiences, the additional layer introduced by ISDs still requires ASs and a corresponding allocation of AS numbers – and the allocation could be managed by “traditional” internet governance bodies, like IP address registry manager RIPE NCC. For the clean slate internet approach to achieve greater adoption, the group needs a coordinated registry to distribute AS numbers.

With around 35 permanent ASs, one of which is operated by SIDN, and over 600 user-run ASs, SCIONLab, the SCION research network, still registers autonomous systems locally. The ETH spin-off company Anapaya coordinates a global SCION network for internet service providers and other entities willing to set up a SCION AS. Adrian Perrig (ETH Zurich) and David Hausheer (University of Magdeburg) can point to some networks implementing SCION, namely Swisscom and SWITCH in Switzerland, and DFN in Germany. A group of four banks is also connected for the pilot project Swiss Secure Finance Network. But how clean slate is SCION and is there a chance that the RIPE NCC will become a partner of a non-BGP internet?

Possible new registry

Daniel Karrenberg, the RIPE NCC’s Chief Scientific Officer, maintained that the involvement of the RIPE NCC would be at the discretion of the broader RIPE community.

The policy implications of SCION are, however, controversial. Marco Hogewoning, Manager Public Policy and Internet Governance at the RIPE NCC, questioned the need for a new SCION Standards Developing Organization (SDO). The European internet governance community is in fact currently pushing internet protocol (IP) improvements towards working groups in the IETF, rather than the ITU. Perrig and Hausheer, however, underlined that their presentations at the IETF and the ITU had so far been met coolly.

SIDN expert Joeri de Ruiter argues that RIPE involvement is a good way forward. Even if it is not clear at the moment which organisation will take care of the development of a standard and the management of the relevant identifiers, opening the discussion is important.

The specific place for standardization is, moreover, not the only controversial point. As Perrig explains:

One possible model is thus for ISDs to be formed along national boundaries or federations of nations, as entities within a legal jurisdiction can enforce contracts and agree on a TRC. ISDs can also overlap, so an AS may be part of several ISDs. Although an ISD ensures isolation from other networks, the central purpose of an ISD is to provide transparency and to support heterogeneous trust environments. While ISDs may seem to lead to “Balkanisation” and prevent an open Internet, they counterintuitively provide openness and transparency.

Perrig acknowledged that the group did receive queries about the risk of censorship resulting from the architectural structure, but pointed to further explanations in a book published by the project in 2017 about the possibility of direct peerings, which allow routing around a potentially national core AS. Furthermore, multipath communication would hamper surveillance, as would TLS 1.3 and extensions like HORNET, a low-latency onion routing system, and per-packet one-time addresses issued by ASs to their end users/consumer hosts.

Another Internet Naming Service (RAINS)

With pilot projects underway for the routing part, SCION is also set to create an alternative naming system, RAINS. While the DNS remains close to an ideal naming system, its lack of operational security and query anonymity and its vulnerability to amplification attacks, on top of diverging support for a variety of extension mechanisms, have sparked interest in formulating a better model for ISDs.

After the knock at RIPE’s door with regard to a SCION routing registry, it remains to be seen how the DNS community will react to RAINS. Neither SWITCH nor SIDN is currently engaging with the RAINS projects, but both stand by to investigate future developments.