ANET 2021: SCION exercise
This optional exercise introduces you to SCION and shows how one of SCION’s features, path selection, can be used to re-route your connection to avoid a hostile network. The hostile network will be run by us. We will perform a man-in-the-middle attack and leak communication to the projector in the classroom.
Form groups of two. One person will be sending data via SCION, the other will receive that data. This exercise will not be graded.
Prerequisites
- Vagrant (hint: use your favourite package manager) https://www.vagrantup.com/.
- VirtualBox (hint: use your favourite package manager) https://www.virtualbox.org/.
- A working internet connection.
Topology
Set-up
We will be using the SCIONLab infrastructure to do this exercise.
Create an account at: https://www.scionlab.org/registration/register/
Create a SCION AS:
One student in the group will set up a connection to anet-student-gw-1, the other will use anet-student-gw-2. Use VPN to set up these connections.
Instructions can be found at: https://docs.scionlab.org/content/config/create_as.html
Download the Vagrantfile and connect to your VM:
Instructions at: https://docs.scionlab.org/content/install/vm.html
Exercises (inside the VM)
1. Test basic SCION connectivity and orientation
You can perform some basic SCION connectivity tests by pinging some hosts and requesting paths to some hosts. For example:
$ scion ping 17-ffaa:0:1108,[127.0.0.1]
$ scion ping 19-ffaa:0:1309,[127.0.0.1]
$ scion showpaths 17-ffaa:0:1108
$ scion showpaths 19-ffaa:0:1309
17-ffaa:0:1108 is an AS in the Swiss ISD whereas 19-ffaa:0:1309 is an AS in the EU ISD.
Some questions to answer for yourself (they are not graded and we won’t check them):
- What are the components of a SCION address?
- What ISD are you part of?
- How do https://www.scionlab.org/topology.png and the output of scion showpaths from earlier compare?
2. Communicate with your fellow student via scion-netcat
NOTE: We will use a modified scion-netcat for this exercise which supports path selection.
netcat can be used to set up simple communication on a socket. One person will be listening for a connection, and after the other user connects to it, it can be used to transfer data. In the simplest case you can just type on one side and the text will appear at the other side of the connection.
Keep it civil: Some of the data you will send to each other may appear on the projector, therefore we ask you NOT to send any text or data that may be offensive to others. Also limit it to small ASCII messages only. The goal of the exercise is to avoid sending your data to the screen while communicating in plain text, it's NOT to flood links and terminals with garbage data.
Download (modified) scion-netcat
$ wget https://check.sidnlabs.nl/ralph/anet-lab/scion-netcat.gz
$ gunzip scion-netcat.gz
$ chmod +x scion-netcat
Instructions
- One student of the group will run the netcat server.
- The other student will try to connect to the server over SCION.
- When you are successful you can type to each other.
- Make sure you communicate via UDP.
3. Path selection
- The student on the client side has full control over the routing in the network.
- Restart the server and reconnect the client using the shortest path.
- You should notice that your communication is visible on the projector because of the MITM.
- Of course, you want to communicate in private. Find a path that is not being watched.
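The path-selection step above, as an added example that is not part of the original exercise: a shell filter that lists which paths in scion showpaths-style output avoid a given AS, shortest first. The sample paths, all AS numbers in them, and the "[index] Hops: [...]" line layout are constructed assumptions; the exercise does not name the watched AS.

```shell
#!/usr/bin/env bash
# Added example, not the course's or SCIONLab's own code.

# Constructed sample in an assumed `scion showpaths` layout (not captured
# output). 17-ffaa:0:99 stands in for the watched AS; the real one is not
# given in the exercise text.
sample_paths() {
cat <<'EOF'
Available paths to 17-ffaa:1:2
[0] Hops: [17-ffaa:1:1 1>5 17-ffaa:0:99 2>7 17-ffaa:1:2] MTU: 1472
[1] Hops: [17-ffaa:1:1 1>5 17-ffaa:0:991 4>2 17-ffaa:0:992 3>1 17-ffaa:1:2] MTU: 1472
[2] Hops: [17-ffaa:1:1 1>5 17-ffaa:0:991 6>3 17-ffaa:0:993 8>2 17-ffaa:0:992 3>1 17-ffaa:1:2] MTU: 1472
EOF
}

# Read showpaths-style text on stdin and print "<path index> <AS count>" for
# every path that does not traverse the AS given as $1, fewest ASes first.
paths_avoiding() {
  awk -v avoid="$1" '
    /^\[[0-9]+\]/ {
      idx = $1; gsub(/\[|\]/, "", idx)
      hit = 0; n = 0
      for (i = 2; i <= NF; i++) {
        tok = $i; gsub(/\[|\]/, "", tok)
        # Only ISD-AS tokens count as hops; interface pairs like 1>5 do not.
        if (tok ~ /^[0-9]+-[0-9a-f]+:[0-9a-f]+:[0-9a-f]+$/) {
          n++
          # Exact comparison: 17-ffaa:0:991 must not match 17-ffaa:0:99.
          if (tok == avoid) hit = 1
        }
      }
      if (!hit) print idx, n
    }' | sort -k2,2n
}

# Index of the shortest path that avoids the AS; empty if none exists.
best_clean_path() {
  paths_avoiding "$1" | head -n 1 | cut -d' ' -f1
}

sample_paths | paths_avoiding "17-ffaa:0:99"
```

On the constructed sample the shortest path overall (index 0) crosses the watched AS, so the filter reports index 1 as the shortest clean alternative.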
4. Cleanup
- Free up your resources at the SCIONLab website!
- Destroy your VM using vagrant destroy.
Synopsis
By completing this exercise you learned how to connect to the SCIONLab network, an existing network running the SCION protocol. You were introduced to the SCION equivalents of ping and traceroute, and you have familiarised yourself with SCION addresses. You used scion-netcat to communicate with a fellow student. Finally, we demonstrated the path selection capabilities of SCION to bypass the AS that is performing a man-in-the-middle attack.
Credits
- This SCION exercise by Ralph Koning and Caspar Schutijser from SIDN Labs.
- Using template https://github.com/tajmone/pandoc-goodies/tree/master/templates/html5/github.
- SCIONLab https://www.scionlab.org for their amazing infrastructure.