SBAS

A Secure Underlay for the Internet

Coach Name

Jordi Bosch Garcia

EU Organization

OVGU Magdeburg

Members

  • David Hausheer
  • Marten Gartner
  • Thorben Krüger

US Organization

University of Virginia

Members

  • Yixin Sun
  • Anxiao He

Project Overview

The SBAS project tackles the limited deployment of secure Internet routing solutions, aiming to make robust routing security accessible to hundreds of thousands of users. Integrated as a unified, virtual Autonomous System (AS) within the Border Gateway Protocol (BGP)-based Internet, SBAS leverages the SCION (Scalability, Control, and Isolation On Next-generation networks) infrastructure to bring enhanced privacy, security, and performance to the broader Internet. Designed to prevent DDoS attacks and BGP hijacking and to support strict data jurisdiction control, SBAS is particularly suited for academic and research institutions handling sensitive data.

SBAS builds upon SCION’s innovative network architecture to address modern routing challenges, creating a “path-aware” Internet infrastructure that maintains user privacy and data sovereignty. Users can benefit from SCION’s secure routing even without a native SCION connection, thanks to tools like the SCION-enabled reverse proxy and Chrome plugin. The project established SBAS Points of Presence (PoPs) across SCION networks, including leading institutions like the University of Virginia and Princeton, enabling extensive testing and evaluation.

Methods and Approaches

SCION Virtual Autonomous System (AS)

By establishing a virtual AS through SCION, SBAS improves routing security without the need for a fully SCION-native network, making it easier to adopt across traditional BGP networks.

Enhanced Data Sovereignty and Security

SCION’s ability to geofence data transfers prevents sensitive information from leaving specified jurisdictions, crucial for researchers working with sensitive data.

High-Performance Infrastructure

Using tools like LightningFilter and Hercules, SBAS provides high-speed data transfer (over 100 Gbps) while maintaining firewall compliance, supporting efficient data management for academia and research.

Key Achievements

Deployment of SBAS Over the SCION Network

SBAS has been successfully deployed in several SCION Education network locations, including OVGU, University of Virginia, Princeton, and more, establishing a secure, resilient routing backbone.

Mitigation of BGP Hijacking Attacks

Through rigorous testing, SBAS demonstrated its effectiveness in thwarting BGP hijacking attacks, a critical concern for organizations relying on secure data routes.

High-Speed, Low-Cost Connectivity

SBAS offers an alternative to traditional leased lines, with a single SCION connection offering equivalent properties at a fraction of the cost, allowing secure, efficient communication between distant campuses.

User-Centric Security and Privacy Enhancements

SBAS provides institutions with improved DDoS defense, geofencing, and a reliable, secure network even during attacks, essential for applications involving sensitive data, such as medical records.

Comprehensive Performance Testing and Measurement

The team conducted long-term performance and reliability tests, showing significant improvements in latency, packet loss, and overall performance for SBAS users compared to conventional BGP routes.

Impact & Results

Security and Privacy for Academic Networks

SBAS enhances routing security for research institutions, protecting sensitive data from common attacks such as DDoS and BGP hijacking. This resilience allows users to access secure resources reliably, even during network outages or attacks.

Expanded SCION Adoption

SBAS’s seamless integration with BGP has expanded SCION’s adoption, providing Internet users outside SCION’s native network with secure routing, thereby supporting sustainable and secure Internet infrastructure growth.

Economic Impact

By providing high-speed, cost-effective alternatives to traditional leased lines, SBAS offers institutions a sustainable, energy-efficient network solution, reducing the Internet’s carbon footprint.

Social Impact

SBAS’s deployment across major academic networks creates a foundation for continued research in secure, scalable routing solutions, promoting global advancements in Internet security.

Publications and Open-Source Contributions

Open Source Contributions and Technical Paper on Secure Network Experimentation

  • Technical Paper: A comprehensive report summarizing SBAS deployment and performance will be submitted to a scientific conference.
  • Open Source Contributions: Contributions to the SCION open-source community, including the integration of SBAS into the SEED Emulator for experimentation.
  • GitHub Repositories:

Additional Contributions: DNS-over-QUIC, SCION applications (BitTorrent, Hercules, IPFS over SCION), and more at netsys-lab GitHub.

Future Directions

SBAS Team Leads Effort to Scale SCION Deployment in Research Networks

With a foundation in secure routing established, the SBAS team, led by OVGU Magdeburg, is exploring the formation of a startup to support SCION deployment within research networks. This initiative would provide products, services, and training to further secure Internet routing for academic institutions and beyond. Ongoing collaborations with the University of Virginia and other partners will ensure continued research and scaling of SBAS across global academic networks.