Advanced Networking 2022: SCION exercise
This exercise introduces you to SCION and shows how one of SCION’s features, path selection, can be used to re-route your connection to avoid a hostile network. The hostile network will be run by us: we will perform a man-in-the-middle attack on it and leak the intercepted communication to the projector in the classroom.
Form groups of two. One person will be sending data via SCION, the other will receive that data. This exercise will not be graded.
Prerequisites
- Vagrant (hint: use your favourite package manager) https://www.vagrantup.com/.
- VirtualBox (hint: use your favourite package manager) https://www.virtualbox.org/.
- Wireshark.
- A working internet connection.
Note: Later Debian versions don’t include VirtualBox by default, see: https://wiki.debian.org/VirtualBox for installation instructions.
Topology
Set-up
We will be using the SCIONLab infrastructure to do this exercise.
Create an account at: https://www.scionlab.org/registration/register/
Create a SCION AS:
One student in the group will set up a connection to `an-student-gw1`, the other will use `an-student-gw2`. Use VPN to set up these connections.
Instructions can be found at: https://docs.scionlab.org/content/config/create_as.html
Download the Vagrantfile and connect to your VM:
Instructions at: https://docs.scionlab.org/content/install/vm.html
Exercises (inside the VM)
1. Test basic SCION connectivity and orientation
You can perform some basic SCION connectivity tests by pinging some hosts and requesting paths to some hosts. For example:
```
$ scion ping 17-ffaa:0:1108,[127.0.0.1]
$ scion ping 19-ffaa:0:1309,[127.0.0.1]
$ scion showpaths 17-ffaa:0:1108
$ scion showpaths 19-ffaa:0:1309
```
`17-ffaa:0:1108` is an AS in the Swiss ISD whereas `19-ffaa:0:1309` is an AS in the EU ISD.
Some questions to answer for yourself (they are not graded and we won’t check them):
- What are the components of a SCION address?
- What ISD are you part of?
- How do https://www.scionlab.org/topology.png and the output of `scion showpaths` from earlier compare?
2. Communicate with your fellow student via scion-netcat
NOTE: We will use a modified scion-netcat for this exercise which supports path selection.
netcat can be used to set up simple communication over a socket. One person listens for a connection; once the other person connects, the socket can be used to transfer data. In the simplest case you just type on one side and the text appears at the other side of the connection.
Keep it civil: some of the data you send to each other may appear on the projector, therefore we ask you to NOT send any text or data that may be offensive to others. Also limit it to small ASCII messages only. The goal of the exercise is to avoid having your data shown on the screen while communicating in plain text; it is NOT to flood links and terminals with garbage data.
Download (modified) scion-netcat
```
$ wget https://check.sidnlabs.nl/ralph/anet-lab/scion-netcat.gz
$ gunzip scion-netcat.gz
$ chmod +x scion-netcat
```
Instructions
- One student of the group will run the netcat server.
- The other student will try to connect to the server over SCION.
- When you are successful you can type to each other.
- Make sure you communicate via UDP.
Path selection
- The student on the client side has full control over the routing in the network.
- Restart the server and reconnect the client using the shortest path.
- You should notice that your communication is visible on the projector because of the MITM.
- Of course, you want to communicate in private. Find a path that is not being watched.
3. Path analysis using packet dumps
In this exercise we will capture some traffic while pinging various destinations and we will investigate the packet traces to learn more about paths in SCION.
Make sure you have Wireshark installed on your workstation and install the SCION dissector from https://docs.scionlab.org/content/tools/wireshark.html. Hint: put the `scion.lua` file in the `~/.config/wireshark/plugins` directory and restart Wireshark.
- Use `tshark` (inside the Vagrant box) to make a PCAP file on the network interface that connects to SCIONLab.
- https://www.scionlab.org/ has a map of their network with nodes.
- Ping an AS in your own ISD.
- Ping a core AS in another ISD.
- Ping a regular AS in another ISD.
- Copy the PCAP file to a local workstation to analyse the pings with Wireshark (with SCION dissector).
Analysis:
- Filter out unnecessary packets. Hint: the ICMP equivalent in SCION is called SCMP.
- Compare the hop fields of the different pings and discuss the differences with your fellow student:
- Pay special attention to the path metadata, hop, and info fields. Explain why they differ based on destination.
- From the hop and info fields, try to construct (on paper) the full path your ping travels over the network and divide them by path segment. Explain the SCION limit of a maximum of 3 info fields and how they relate to the network topology.
- What are the advantages of this system in comparison with regular routing? What are the disadvantages?
- Can you think of a way to manipulate routing? Will this work? What mechanism prevents you from doing so?
Protocol reference: https://scion.docs.anapaya.net/en/latest/protocols/scion-header.html
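To make the "construct the full path on paper" step concrete, here is an added example (not part of the original exercise) that parses the standard path header described in the protocol reference: the PathMeta word, the up-to-3 Info Fields and the Hop Fields, grouped per segment, with the C flag applied to recover the real ingress/egress interface of every hop. The sample bytes are constructed in `build_sample_path()` and are not a real capture; the interface IDs and SegIDs are made up.

```python
import struct
from dataclasses import dataclass, field
@dataclass
class HopField:
    exp_time: int      # relative expiry: InfoField.timestamp + (exp_time + 1) * 337.5 s
    cons_ingress: int  # interface IDs as numbered in construction (beaconing) direction
    cons_egress: int
    mac: bytes         # 6-byte authenticator; a border router drops hops that fail the check
@dataclass
class InfoField:
    peering: bool      # P flag
    cons_dir: bool     # C flag: False means this segment is walked against construction order
    seg_id: int
    timestamp: int     # seconds since the Unix epoch
    hops: list[HopField] = field(default_factory=list)

def parse_standard_path(buf: bytes) -> tuple[int, int, list[InfoField]]:
    """Return (CurrINF, CurrHF, segments) from a SCION standard path header."""
    (meta,) = struct.unpack_from("!I", buf, 0)
    seg_lens = [(meta >> 12) & 0x3F, (meta >> 6) & 0x3F, meta & 0x3F]
    # At most 3 segments (up, core, down): SegNLen may be non-zero only if Seg(N-1)Len is.
    used = [n for n in seg_lens if n]
    if used != seg_lens[:len(used)]:
        raise ValueError("non-contiguous segment lengths in PathMeta")
    off, segments = 4, []
    for _ in used:
        flags, _rsv, seg_id, ts = struct.unpack_from("!BBHI", buf, off)
        segments.append(InfoField(bool(flags & 0x2), bool(flags & 0x1), seg_id, ts))
        off += 8
    for inf, n in zip(segments, used):
        for _ in range(n):
            _flags, exp, ing, eg = struct.unpack_from("!BBHH", buf, off)
            inf.hops.append(HopField(exp, ing, eg, buf[off + 6:off + 12]))
            off += 12
    if off != len(buf):
        raise ValueError("hop field count does not match PathMeta")
    return meta >> 30, (meta >> 24) & 0x3F, segments
def traversal(segments: list[InfoField]) -> list[tuple[int, int]]:
    """(ingress, egress) interface of every hop in forwarding order, honouring the C flag."""
    return [(h.cons_ingress, h.cons_egress) if s.cons_dir else (h.cons_egress, h.cons_ingress)
            for s in segments for h in s.hops]
def build_sample_path() -> bytes:
    """Constructed sample, not a real capture: up (C=0), core and down (C=1), 2 hops each."""
    meta = (2 << 12) | (2 << 6) | 2                            # CurrINF = CurrHF = 0
    infos = [(0x0, 0x1234), (0x1, 0x5678), (0x1, 0x9ABC)]      # (flags, SegID)
    hops = [(3, 0), (0, 2), (0, 7), (8, 0), (0, 5), (4, 0)]    # (ConsIngress, ConsEgress)
    out = struct.pack("!I", meta)
    out += b"".join(struct.pack("!BBHI", f, 0, s, 1_660_000_000) for f, s in infos)
    out += b"".join(struct.pack("!BBHH", 0, 63, i, e) + bytes(6) for i, e in hops)
    return out
```

Running `traversal(parse_standard_path(build_sample_path())[2])` yields one (ingress, egress) pair per hop; the two hop fields at each segment junction belong to the same AS, which is why a cross-ISD ping needs three Info Fields but never more.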
4. (Optional) IP compatibility
SCION provides an IP gateway to carry IP traffic over SCION-enabled links. This would be useful if an ISP wants to facilitate communication between IP-based customers over a SCION backbone. This setup also allows the IP communication to benefit from some SCION advantages, such as its anti-spoofing security properties or its built-in multipath routing.
Obtaining the SCION IP gateway
We built a precompiled version of the multipath-enabled SIG for you to download:
```
$ wget https://check.sidnlabs.nl/ralph/anet-lab/sig.tgz
$ tar xfvz sig.tgz
$ chmod +x sig
```
Configure an extra connection to the SCIONLab
- In the SCIONLab portal, configure an extra connection to the SCIONLab via the hell user AS.
- Restart the scionlab-config service inside the Vagrant box: `sudo systemctl restart scionlab-config.service`
- The extra connection should be set up automatically; verify this (another tun interface should appear).
Configuring the SIG
This version of the SIG is not the same as the one provided via the scion-ip-gateway package. It is an older version with multipath support.
- Both students: create a dummy interface inside the Vagrant machine with an IP address and a subnet that you will (eventually) route to your fellow student.
- Both students: download the SIG and change the pre-supplied config files to match your setup; make sure you edit both configuration files.
- Now run the SIG with `./sig --config=sig.toml` and hopefully you will see cheerful debug messages of the SIGs discovering each other and exchanging prefixes.
- Are you able to ping each other on the IPs configured on the dummy interfaces? What happens if you bring down one of the connections to SCIONLab?
5. (Optional) Done and bored?
Have a look at https://docs.scionlab.org/content/apps/ for some apps to play around with. Or try some of the (SCION programming) exercises here: https://scion-architecture.net/pages/education/ (note: we have not tested these and they seem kinda old).
6. Cleanup
- Free up your resources at the SCIONLab website!
- Destroy your VM using `vagrant destroy`.
Synopsis
By completing this exercise you learned how to connect to the SCIONLab network, an existing network running the SCION protocol. You were introduced to the SCION equivalents of `ping` and `traceroute` and you have familiarised yourself with SCION addresses. You used scion-netcat to communicate with a fellow student and used the path selection capabilities of SCION to bypass the AS that is performing a man-in-the-middle attack. Finally, you analysed SCION data plane packets and discovered how packets are routed on a SCION network. Optionally, you also played with multipath connections in SCION, which is another feature supported by the protocol.
Credits
- This SCION exercise was developed by Ralph Koning and Caspar Schutijser from SIDN Labs.
- Using template https://github.com/tajmone/pandoc-goodies/tree/master/templates/html5/github.
- SCIONLab https://www.scionlab.org for their amazing infrastructure.