PANRG K. Meynell
Internet-Draft N. Rustignoli
Intended status: Informational SCION Association
Expires: 9 January 2025 8 July 2024
SCION Deployment Issues
draft-meynell-panrg-scion-deployment-00
Abstract
TODO Abstract here
About This Document
This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at
https://scionassociation.github.io/scion-deployment_I-D/draft-
meynell-panrg-scion-deployment.html. Status information for this
document may be found at https://datatracker.ietf.org/doc/draft-
meynell-panrg-scion-deployment/.
Discussion of this document takes place on the WG Working Group
mailing list (mailto:panrg@irtf.org), which is archived at
https://datatracker.ietf.org/rg/panrg. Subscribe at
https://www.ietf.org/mailman/listinfo/panrg/.
Source for this draft and an issue tracker can be found at
https://github.com/scionassociation/scion-deployment_I-D.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 9 January 2025.
Meynell & Rustignoli Expires 9 January 2025 [Page 1]
�
Internet-Draft SCION DI July 2024
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3
3. Deployment Models . . . . . . . . . . . . . . . . . . . . . . 3
3.1. SCION Network - How to roll it out. . . . . . . . . . . . 3
3.2. SCION-IP Gateway . . . . . . . . . . . . . . . . . . . . 4
3.3. SCION-enabled Applications/Native SCION Endpoint . . . . 4
3.4. Implications for the transport layer . . . . . . . . . . 4
4. Establishing and running an Isolation Domain . . . . . . . . 4
4.1. Description and use case . . . . . . . . . . . . . . . . 4
4.2. Governance . . . . . . . . . . . . . . . . . . . . . . . 4
4.3. Core Members - TRC signers . . . . . . . . . . . . . . . 4
4.4. Issuing Members - issuers of AS certifications . . . . . 4
4.5. Non-Core Members . . . . . . . . . . . . . . . . . . . . 4
4.6. Coordination . . . . . . . . . . . . . . . . . . . . . . 4
4.7. Required contact information . . . . . . . . . . . . . . 4
4.8. Methods of Communication and Authentication
requirements . . . . . . . . . . . . . . . . . . . . . . 4
4.9. ISD Policy Development & Maintenance . . . . . . . . . . 4
4.10. Assignment and registration of ISD numbers . . . . . . . 4
4.11. Assignment and registration of SCION AS numbers . . . . . 4
4.12. Trust Root Configuration . . . . . . . . . . . . . . . . 4
5. Establishing and running a SCION network . . . . . . . . . . 5
5.1. Prerequisites - e.g. AS number, running existing
intra-domain protocol if applicable . . . . . . . . . . . 5
5.2. How to join an ISD . . . . . . . . . . . . . . . . . . . 5
5.3. Obtaining a SCION AS number and AS certificate . . . . . 5
5.4. Setting up the Control Services (Beacon, Path and
Certificate servers) . . . . . . . . . . . . . . . . . . 5
5.5. Setting up SCION border routers . . . . . . . . . . . . . 5
5.6. Configuring path (segment) attributes/parameters . . . . 5
5.7. SCION & Network Address Translation . . . . . . . . . . . 5
5.8. Software Change Management . . . . . . . . . . . . . . . 5
6. Adding and removing networks from an Isolation Domain . . . . 5
6.1. Adding a new Core network . . . . . . . . . . . . . . . . 5
6.2. Removing an existing Core network . . . . . . . . . . . . 5
Meynell & Rustignoli Expires 9 January 2025 [Page 2]
�
Internet-Draft SCION DI July 2024
6.3. Changes between existing Core networks . . . . . . . . . 5
6.4. Adding a new non-Core network . . . . . . . . . . . . . . 5
6.5. Removing an existing non-Core network . . . . . . . . . . 5
6.6. Changes between Core network and non-core network . . . . 5
7. Connecting to other Isolation Domains . . . . . . . . . . . . 5
7.1. Inter-ISD Governance . . . . . . . . . . . . . . . . . . 5
8. Performance Monitoring . . . . . . . . . . . . . . . . . . . 6
9. Security Considerations . . . . . . . . . . . . . . . . . . . 6
9.1. Security Incident Handling . . . . . . . . . . . . . . . 6
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
11. Normative References . . . . . . . . . . . . . . . . . . . . 6
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
The goal of this draft is two-fold: it tries to document lessons
learned in deploying SCION to some if its productive early adopters,
and it tries to tries to answer questions 2.7 - Operating a Path-
Aware Network, and 2.8 - Deploying a Path-Aware Network posed in
[RFC9217].
*Note:* This is the very first version of the SCION deployment draft,
and it merely contains a skeleton of potential topics to be further
discussed in this draft. Any feedback is welcome and much
appreciated. Thanks!
* This draft assumes the reader is familiar with the overall core
SCION specification, outlined in [I-D.scion-dataplane],
[I-D.scion-cppki], [I-D.scion-cp].
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Deployment Models
3.1. SCION Network - How to roll it out.
Meynell & Rustignoli Expires 9 January 2025 [Page 3]
�
Internet-Draft SCION DI July 2024
3.2. SCION-IP Gateway
Introduction to IP in SCION tunneling for ecosystems. See S. Hitz
IETF118 presentation:
https://datatracker.ietf.org/meeting/118/materials/slides-118-panrg-
operational-aspects-of-scion-00
3.3. SCION-enabled Applications/Native SCION Endpoint
3.4. Implications for the transport layer
Address section 2.5 of [RFC9217].
4. Establishing and running an Isolation Domain
See F. Steinmann presentation IETF118 -
https://datatracker.ietf.org/meeting/118/materials/slides-118-panrg-
scion-deployment-experience-the-secure-swiss-finance-network-ssfn
4.1. Description and use case
4.2. Governance
4.3. Core Members - TRC signers
4.4. Issuing Members - issuers of AS certifications
(may be the same as Core Members)
4.5. Non-Core Members
4.6. Coordination
4.7. Required contact information
4.8. Methods of Communication and Authentication requirements
4.9. ISD Policy Development & Maintenance
4.10. Assignment and registration of ISD numbers
4.11. Assignment and registration of SCION AS numbers
4.12. Trust Root Configuration
* TRC signing
* TRC distribution & installation
Meynell & Rustignoli Expires 9 January 2025 [Page 4]
�
Internet-Draft SCION DI July 2024
* Maintaining cryptographic material
* Certificate issuance
5. Establishing and running a SCION network
5.1. Prerequisites - e.g. AS number, running existing intra-domain
protocol if applicable
5.2. How to join an ISD
5.3. Obtaining a SCION AS number and AS certificate
5.4. Setting up the Control Services (Beacon, Path and Certificate
servers)
Also cover Availability & scalability of such services.
5.5. Setting up SCION border routers
5.6. Configuring path (segment) attributes/parameters
How do customers select paths?
5.7. SCION & Network Address Translation
5.8. Software Change Management
6. Adding and removing networks from an Isolation Domain
6.1. Adding a new Core network
6.2. Removing an existing Core network
6.3. Changes between existing Core networks
6.4. Adding a new non-Core network
6.5. Removing an existing non-Core network
6.6. Changes between Core network and non-core network
7. Connecting to other Isolation Domains
7.1. Inter-ISD Governance
* Inter-ISD Governance (is this applicable?)
Meynell & Rustignoli Expires 9 January 2025 [Page 5]
�
Internet-Draft SCION DI July 2024
* Inter-ISD Policy Development & Maintenance
* Inter-ISD Path selection
8. Performance Monitoring
9. Security Considerations
9.1. Security Incident Handling
10. IANA Considerations
This document has no IANA actions.
11. Normative References
[I-D.scion-cp]
de Kater, C., Rustignoli, N., and S. Hitz, "SCION Control
Plane", 2023, <https://datatracker.ietf.org/doc/draft-
dekater-scion-controlplane/>.
[I-D.scion-cppki]
de Kater, C., Rustignoli, N., and S. Hitz, "SCION Control-
Plane PKI", 2023, <https://datatracker.ietf.org/doc/draft-
dekater-scion-pki/>.
[I-D.scion-dataplane]
de Kater, C., Rustignoli, N., and S. Hitz, "SCION Data
Plane", 2023, <https://datatracker.ietf.org/doc/draft-
dekater-scion-dataplane/>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC9217] Trammell, B., "Current Open Questions in Path-Aware
Networking", RFC 9217, DOI 10.17487/RFC9217, March 2022,
<https://www.rfc-editor.org/rfc/rfc9217>.
Acknowledgments
TODO acknowledge.
Meynell & Rustignoli Expires 9 January 2025 [Page 6]
�
Internet-Draft SCION DI July 2024
Authors' Addresses
Kevin Meynell
SCION Association
Email: kme@scion.org
Nicola Rustignoli
SCION Association
Email: nic@scion.org
Meynell & Rustignoli Expires 9 January 2025 [Page 7]