ACM SIGCOMM 2020, New York City, USA

ACM SIGCOMM 2020 Tutorial on SCION, a Next-Generation Secure Internet Architecture

Tutorial Program (subject to changes)

The tutorial has an associated Slack channel for discussions. Click on the link below to visit it. If you're asked to sign in, use the workspace name "" to sign up or sign in.

Go to tutorial Slack channel
  • Friday, August 14, 2020

  • 1:30pm – 3:00pm Introduction and Overview

  • 1:30pm – 1:50pm

    Introduction: (why) do we want/need a new Internet?

  • 1:50pm – 2:30pm

    SCION overview and use cases

  • 2:30pm – 3:00pm

    SCION implementation and SCIONLab testbed

  • 3:00pm - 3:30pm Break

  • 3:30pm – 5:30pm Hands-on Session

  • 3:30pm – 5:20pm

    Run a SCION AS on your own laptop and interconnect with your colleagues

  • 5:20pm – 5:30pm

    Summary and wrap-up

Call for Participation

In this half-day tutorial, we will give an overview of the SCION architecture [1,2] and its open-source implementation [3], and provide hands-on exercises based on the SCIONLab testbed [4]. You will run a full-fledged AS within a virtual machine on your laptop and connect it to our global research testbed. In several guided exercises you can explore SCION's security features such as its control-plane public-key infrastructure (PKI), observe its routing protocol, and experience its revolutionary multipath capabilities enabled by end-host path selection and packet-carried forwarding state. If time permits, you will be able to extend the topology with additional connections to your colleagues and observe the effects on the available forwarding paths. After the tutorial, you will have a solid understanding of the SCION architecture and its implementation and will be able to continue using and experimenting with it on your own.


SCION (Scalability, Control, and Isolation on Next-Generation Networks) [1,2} is the first clean-slate Internet architecture designed to fundamentally solve many security issues of today's Internet through route control, failure isolation, and explicit trust information for end-to-end communication. A core concept of SCION are its isolation domains (ISDs), which organize multiple autonomous systems (ASes) into independent routing planes and substantially increase both scalability and security properties of the network: On the one hand, ISDs enable a separation of the routing protocol into an intra-ISD and an inter-ISD process, which reduces the overall complexity---similar to the separation if the Internet into ASes or a division of an AS into areas by existing intra-domain routing protocols (e.g., OSPF and IS-IS). On the other hand, by isolating the routing process within an ISD from all external actions, ISDs limit the effect of misconfigurations and routing attacks. Furthermore, all routing messages are authenticated based on a secure but flexible public-key infrastructure (PKI) in which each ISD can independently define its own roots of trust. This allows network entities to select which ISD's trust roots they want to rely upon for verification and rules out global kill switches, which do exist in several of today's PKIs (e.g., DNSSEC and RPKI). As a result, the SCION architecture provides strong resilience and security properties as an intrinsic consequence of its design.

In contrast to today's Internet, where all routing decisions are taken by the network nodes, SCION also provides path transparency and control to end hosts: End hosts learn about available network path segments, combine them into end-to-end paths according to their own preferences, and embed the corresponding forwarding information into the packet headers. In addition to allowing end hosts to influence the path of their packets and circumvent untrusted ASes, this packet-carried forwarding state enables a robust and efficient forwarding process, as routers no longer need to store large forwarding tables in expensive content-addressable memory. Thanks to embedded cryptographic mechanisms, path construction is constrained to the route policies of Internet service providers (ISPs) and receivers, thus offering path choice to all network entities: senders, receivers, and ISPs. In addition, SCION's path awareness directly enables multi-path communication, which is an important approach for high availability, rapid failover in case of network failures, increased end-to-end bandwidth, dynamic traffic optimization, and resilience to distributed denial-of-service (DDoS) attacks.

SCION is an inter-domain Internet architecture and thus does not restrict the internal infrastructure and networking protocols of ISPs and other ASes. This substantially facilitates SCION's deployment, as only the border routers of an AS need to be upgraded while all other network infrastructure can be reused. SCION has been developed since 2009, and since August 2017 it has been in production use by a large Swiss bank (with over $500 billion in assets), where several branches are connected to the data center exclusively over the SCION network. Today (2020), the native (BGP-free) SCION network spans 7 ISPs (all offering SCION connections to customers) and 2 continents and is in production use by several Swiss banks and the Swiss Federal Department of Foreign Affairs in addition to several blue-chip companies. Furthermore, there exists the global research network SCIONLab [4] with ASes in America, Asia, and Europe, which is freely available to researchers worldwide.

Requirements for Attendees

For the hands-on sessions, tutorial attendees require a computer with a common recent operating system. To avoid delays during the tutorial, we ask all attendees to complete some preparative steps described at


  • Adrian Perrig

    Zurich, Switzerland

    • Bio:

      Adrian Perrig is a professor in the Department of Computer Science at ETH Zurich, Switzerland, where he heads the Network Security Group. His research revolves around building secure and robust network systems, with a particular focus on the design, development, and deployment of the SCION Internet architecture, which he has been working on since 2010. Adrian Perrig received his BSc degree in Computer Engineering from EPFL in 1997, and MS and PhD degrees from Carnegie Mellon University. He was a professor at Carnegie Mellon University from 2002 to 2012 and became a professor at ETH Zurich in 2013.

  • David Hausheer

    Magdeburg, Germany

    • Bio:

      David Hausheer is a professor at the Faculty of Computer Science at Otto-von-Guericke-University Magdeburg since May 2017. He holds a diploma degree in electrical engineering and a PhD degree in technical sciences from ETH Zurich. From 2011 to 2017 he was an assistant professor at TU Darmstadt, Germany. Prior to that he has been employed as a senior researcher and lecturer at University of Zurich, Switzerland from 2005 to 2011, while being on leave as a visiting scholar at EECS, UC Berkeley from October 2009 to April 2011.

  • Juan A. García-Pardo

    Zurich, Switzerland

    • Bio:

      Juan is a researcher in the Network Security Group at ETH Zurich, Switzerland, working to improve the SCION testbed SCIONLab, as well as implementing a QoS system for SCION. He received his MS degree in computer science in 2003 and again a MS degree in machine learning in 2010, both from the Politechnic Univesity of Valencia.

  • Markus Legner

    Zurich, Switzerland

    • Bio:

      Markus Legner is a postdoctoral researcher in the Network Security Group at ETH Zurich, Switzerland. He has contributed to the SCIONLab testbed and conducts research on securing data traffic and achieving high availability in next-generation Internet architectures. Markus Legner received BSc degrees in computer science and physics and a PhD in theoretical physics from ETH Zurich.


[1] A. Perrig, P. Szalachowski, R. M. Reischuk, and L. Chuat, SCION: A Secure Internet Architecture, Springer International Publishing, 2017.
[2] SCION website.
[3] SCION open-source code.
[4] SCIONLab.