Switzerland built a secure alternative to BGP: SCION

theregister.com · defrost · 17 days ago · view on HN
Switzerland built a secure alternative to BGP. The rest of the world hasn't noticed yet

SCION: Proven in banking and healthcare, slow to spread everywhere else

Kim Loohuis, The Register, Tue 17 Mar 2026 // 08:15 UTC (Feature)

BGP, the Border Gateway Protocol, was not designed to be secure. It was designed to work – to route packets between the thousands of autonomous systems that make up the internet, quickly and at scale. For four decades, it has done exactly that.

It has also, throughout those four decades, been exploited, misconfigured, and abused in ways that were predictable from the start. Route hijacks reroute traffic through hostile networks. Route leaks knock services offline. Nation-state cyber crews weaponize BGP to intercept communications at scale. These are not theoretical threats. They are documented, recurring events, and they remain possible today for one simple reason: BGP has no native way to verify that a network claiming to own a block of addresses actually does.

A series of patches and extensions like Resource Public Key Infrastructure (RPKI), BGPsec, and RPKI-based Route Origin Authorization (ROA) has been layered over the original protocol in an attempt to address the worst of these vulnerabilities. They help at the margins. They do not solve the underlying problem.

There is, however, a system that does, or at least claims to. SCION, which stands for Scalability, Control, and Isolation On Next-Generation Networks, is an internet routing architecture developed at ETH Zürich. Unlike the patches applied to BGP, SCION does not attempt to retrofit security onto a 40-year-old foundation. It replaces the foundation entirely.
That redesign is the life's work of Adrian Perrig, professor of computer science at ETH Zürich and the principal architect of SCION.

The boat full of holes

Perrig has been worrying about internet security since 1991, when he first worked with Cisco routers before starting his bachelor's degree at EPFL. He has spent most of the intervening years trying to make the internet more secure. Eventually, he concluded that patching the existing design was the wrong approach.

"You cannot bolt on security," says Perrig. "You cannot get to a truly secure global network unless you actually change the design. It's like saying you want to go to the Moon, so let's put rocket boosters on an airplane. No, you have to design the vehicle differently."

Perrig launched SCION in 2009 after gaining tenure and the freedom to pursue something most of his colleagues told him was career suicide. His core frustration was simple: the same vulnerabilities had been documented since the 1980s, and nobody had tried to fix them at the architectural level. "The best security companies in the world are still being exploited through them," he says. "There has not even been an attempt to address them properly."

Kevin Curran, a cybersecurity professor at Ulster University who has been teaching computer networks for 27 years, offers an independent assessment that lands in the same place. The internet, he says, was built without security in mind, and what followed was a succession of workarounds. "What we have had over 40 years is a series of Band-Aids," says Curran. "Nothing has come close to addressing the need for truly secure paths across an adversarial network."

Perrig's metaphor for the current state of internet security is a boat full of holes: people run around with buckets, throwing water out and plugging gaps, but the hull remains compromised.
Security today, he argues, works the same way: patches get applied, vulnerabilities get closed, and new ones open up elsewhere. SCION, in his framing, is a fundamentally redesigned vessel. Water might splash in from outside, but it doesn't pour through structural gaps.

A different kind of routing

To understand what SCION actually does differently, it helps to understand what BGP gets wrong. In today's internet, there is no cryptographic chain of custody for a packet's journey from source to destination. And if a network somewhere along the path fails, the rerouting process – which involves detecting the failure, finding a new path, establishing a new session, and reconciling in-flight transactions – can take minutes.

SCION addresses this problem through three interlocking mechanisms.

The first is multi-path routing. Where today's internet offers a single path between two points, SCION establishes tens or even hundreds of parallel paths simultaneously. If one fails, the system reroutes within milliseconds. Perrig is precise about the threshold: "Human reaction time for auditory stimulus is roughly 150 milliseconds, and for visual, it's 250 milliseconds. When outages are on the order of milliseconds, the human brain cannot notice it. That's how fast SCION switches."

The second mechanism is isolation domains – ISDs in SCION terminology. Rather than relying on a small number of global trust anchors, or a sprawling ecosystem of over a thousand certificate authorities that all must be trusted simultaneously, SCION lets countries, regions, or organizations define their own local trust roots. An error or compromise in one isolation domain cannot propagate to another. Perrig offers a concrete historical example: an entity in Australia made a configuration mistake that caused ATMs across France, Norway, and continental Europe to fail simultaneously. That kind of cascading failure is structurally impossible in a SCION network.
The third mechanism is cryptographic path validation. Every router along a SCION path provides a cryptographic signature. Packets cannot be silently rerouted through a network that wasn't part of the agreed path. The sender and receiver specify which paths they want to use, and those choices are enforced at the protocol level.

Curran, who has no stake in SCION's commercial success, independently validates these technical claims. The isolated domains and cryptographic signing, he says, are the core of what makes the protocol meaningful: "A genuine attempt to give senders and receivers control over the path their data takes, rather than leaving it to intermediate routers whose behavior cannot be verified."

220 billion francs a day

Fritz Steinmann has spent 30 years as a network engineer in the Swiss financial sector. Since 2009, he has worked for SIX Group, the operator of the Swiss Stock Exchange, Swiss securities clearing, and – critically – the interbank payment infrastructure used by around 120 Swiss financial institutions. In 2015, his management asked him to develop a replacement strategy for Finance IPNet, the 20-year-old MPLS network that connected those institutions.

"Interbank clearing in Switzerland is around 220 billion Swiss francs per day," Steinmann says. "So it's not an option to fail, yet I had to give up, because there was no alternative."

The options were unappealing. The public internet was not acceptable to Swiss banks for transaction settlement. SD-WAN required either a single operator – politically impossible given the multiple carriers already involved – or proprietary vendor lock-in that no one wanted.

Steinmann first encountered SCION in 2017 through a partnership between SIX and ETH Zürich. He approached it with the skepticism of someone who had seen academic network projects fail to survive contact with operational reality.
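Returning to the three routing mechanisms of the previous section, the following is an added toy model written for this page, not SCION's own code or wire format: each AS binds its hop to its ingress and egress interfaces with a keyed MAC chained to the previous hop, so a router rejects a packet whose path was rewritten in transit to exit toward a network that was never on the agreed path, and the sender fails over between pre-established paths instead of waiting for the network to re-converge. Real SCION hop fields, key derivation and control-plane signatures differ in layout and detail; the AS names, keys and interface numbers below are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed per-AS hop-authentication secrets for a toy three-AS path in one ISD.
# Assumption: each AS keeps its key private, so only it can authenticate its hop.
AS_KEYS = {
    "isd1-as-a": b"constructed-secret-a",
    "isd1-as-b": b"constructed-secret-b",
    "isd1-as-c": b"constructed-secret-c",
}

@dataclass(frozen=True)
class HopField:
    """One hop of a path: the AS, its ingress/egress interfaces, and its authenticator."""
    asn: str
    ingress: int
    egress: int
    mac: bytes

def hop_mac(key: bytes, ingress: int, egress: int, prev_mac: bytes) -> bytes:
    """Authenticator over this hop's interfaces, chained to the previous hop's MAC."""
    msg = ingress.to_bytes(2, "big") + egress.to_bytes(2, "big") + prev_mac
    return hmac.new(key, msg, hashlib.sha256).digest()[:6]

def build_path(hops: list[tuple[str, int, int]]) -> list[HopField]:
    """Control plane: each AS on the path authenticates its own hop field, in order."""
    path, prev = [], b""
    for asn, ingress, egress in hops:
        mac = hop_mac(AS_KEYS[asn], ingress, egress, prev)
        path.append(HopField(asn, ingress, egress, mac))
        prev = mac
    return path

def verify_at_hop(path: list[HopField], idx: int) -> bool:
    """Data plane: the router of AS path[idx] recomputes its hop's MAC with its own key."""
    hf = path[idx]
    prev = path[idx - 1].mac if idx > 0 else b""
    expected = hop_mac(AS_KEYS[hf.asn], hf.ingress, hf.egress, prev)
    return hmac.compare_digest(expected, hf.mac)

def forward(path: list[HopField]):
    """Walk a packet hop by hop; return the index of the first router that rejects it, or None."""
    for idx in range(len(path)):
        if not verify_at_hop(path, idx):
            return idx
    return None

def tamper_egress(path: list[HopField], idx: int, new_egress: int) -> list[HopField]:
    """In-transit rewrite of hop idx's egress (toward a network not on the agreed path)
    without that AS's key; used here to show the router check catching it."""
    hf = path[idx]
    altered = list(path)
    altered[idx] = HopField(hf.asn, hf.ingress, new_egress, hf.mac)
    return altered

def select_path(paths: list[list[HopField]], failed_asn: str):
    """Sender-side failover: pick the first pre-validated path avoiding the AS reported down.
    Nothing has to re-converge; the alternatives were established in advance."""
    for path in paths:
        if all(hf.asn != failed_asn for hf in path):
            return path
    return None

if __name__ == "__main__":
    good = build_path([("isd1-as-a", 0, 2), ("isd1-as-b", 1, 3), ("isd1-as-c", 4, 0)])
    backup = build_path([("isd1-as-a", 0, 5), ("isd1-as-c", 6, 0)])
    print("agreed path accepted:", forward(good) is None)  # True
    print("rewritten hop rejected at index:", forward(tamper_egress(good, 1, 9)))  # 1
    print("failover path:", [hf.asn for hf in select_path([good, backup], "isd1-as-b")])
```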
"Academia and industry usually don't fit so well together," he says. "They do great things but then usability is the challenge. However, what Adrian told us was really an eye-opener. It was the first time somebody had something that did not just make sense from an academic point of view, but where I immediately also saw real-world applications."

The Swiss National Bank (SNB) had already been using SCION for some internal use cases. Given that SCION was being asked to carry payments settled between commercial banks and the central bank, this was a significant signal. In 2019, SIX and SNB joined forces to design what would become the Secure Swiss Finance Network (SSFN). It would take two years of security assessments, governance design, and testing before the network was ready.

Building the SSFN turned out to be as much a governance project as a technology project. The network needed to admit banks, exclude miscreants, and handle the issuance of short-lived certificates, valid for three days to allow rapid revocation if a participant is expelled. It also needed to operate its own certificate authority (CA). No commercial CA was willing to take on the risk.

The challenge wasn't technical, Steinmann explains. It was about process. How do you verify that UBS is actually UBS? How do you quantify the liability if you get it wrong? No existing CA had answers, so SIX built its own and has been running it in production for five years now.

SCION's Trust Root Configuration – the mechanism for encoding which entities are permitted to participate and under what conditions – embeds the governance decisions of the network's voting members into the cryptographic foundation itself. The rules about who can join, and when they can be expelled, are not policies in a database. They are enforced by the protocol. Steinmann notes, with some satisfaction, that enforcement has already been exercised.
Performance metrics, when they arrived in testing, exceeded expectations. When a carrier failed, the old Finance IPNet required a sequence of steps – detection, failover, path discovery, reconnection, authentication, session re-establishment, transaction reconciliation – that could take three to four minutes in total.

During SSFN testing, Steinmann conducted a carrier shutdown exercise. He had asked his team to stand by before shutting down one of the network providers. Before he could give the signal, his colleague reported back: "Oh, I already did it. I thought you had given the go-ahead."

"We didn't notice a thing," Steinmann says. "Failover had been below one millisecond. Applications had no awareness that the underlying network topology had changed entirely."

The SSFN went live in November 2021. In September 2024, Finance IPNet began its sunset. The old infrastructure, which had run for 20 years, is being phased out.

The foundation nobody wants to renew

So SCION works. The evidence is not a vendor whitepaper or a lab proof of concept. It is 220 billion Swiss francs settled daily on infrastructure that replaced a network Swiss banks trusted for two decades, with the predecessor in the process of being phased out. Then why, nearly nine years after first production deployment, has it not spread beyond Switzerland at scale? The barriers are several, and they compound each other.

The first is standardization. BGP is an IETF standard. SCION is not. An IETF Independent Stream RFC is in progress – a formally published informational document that sits outside the IETF standardization track. Full standardization through the IETF working group process has not yet begun. For large organizations, that distinction matters.
Deploying a protocol before it is standardized means accepting the risk that implementations diverge, that the eventual standard requires costly changes, or that the protocol never achieves the critical mass that would make standardization meaningful.

The second is the chicken-and-egg problem inherent in any network technology. Nobody wants to be first. The pain of running traditional networks – the latency spikes, the route hijacks, the three-minute failover windows – is, as Steinmann puts it, known and bearable. Organizations have adapted to it. "We have gotten a bit numb," he says. "We are OK with the way it works, and not really thrilled to see the advantages of a new foundation."

The third barrier is vendor concentration. A single company, Anapaya – a spin-off of ETH Zürich that packages SCION into deployable network products for carriers and enterprises – currently provides the only commercial implementation. Steinmann is frank about the catch-22 this creates. Cisco has told him directly that if SCION isn't a $20 billion business, they're not interested. But it cannot become a $20 billion business without companies like Cisco.

The fourth barrier is the most fundamental, and the one Steinmann returns to repeatedly. Infrastructure renewal is psychologically different from other kinds of technology adoption. Nobody notices when it works. Everyone notices when it fails. And the effort of replacing something that is, by most metrics, still functioning is almost impossible to justify to a board focused on the house rather than its foundations.
"When was the last time you renewed your house foundation?" Steinmann asks. "You don't. You would tear down the house first. But what we're doing here is renewing the foundation without tearing down the house."

Perrig's view of adoption timelines is optimistic. He believes that within three to five years, SCION will be embedded in the fundamental network libraries used by thousands of applications – meaning developers won't need to think about it, it will just be there. ISPs in Benelux are already offering SCION connectivity. Some customers are switching providers specifically because their current ISP doesn't offer it. Perrig describes a self-reinforcing flywheel beginning to turn. "Two years ago I wouldn't have said this confidently," he says. "Now I can see it. I'm confident in five years, but hopefully three."

Steinmann is more measured. He credits Perrig's optimism as necessary – without it, the project would never have reached this point – but does not share the timeline. "He's endlessly optimistic, which is necessary," says Steinmann. "But I have my doubts, because of the slowness of adoption and the willingness of people to experiment. The willingness to adopt something new that is unknown is just not there."

Curran, approaching SCION from the outside, offers what may be the most useful framing. The technology is sound, its architecture addresses real weaknesses, and whether SCION itself becomes the dominant protocol or seeds a closely related successor matters less than the direction of travel. What would accelerate adoption, he suggests, is not incremental evidence but a sufficiently dramatic failure of the existing infrastructure.

"If we see nation-states doing attacks which reroute traffic and take down national infrastructure – acts of war at the low level in the network, something where SCION would have provided the solution – then it will quickly be adopted," Curran says. "We have to see how state-sponsored attacks work in the next year or so. That would be the prime mover."

Sovereignty, optionality, and the risk of the same coin

SCION is increasingly discussed in the context of European digital sovereignty. Its architecture has obvious relevance to that project. Isolation domains allow countries or regions to define their own trust roots, independent of US-based certificate authorities. The theoretical kill switch that a hostile state actor might pull on conventional internet routing does not exist in a well-designed SCION deployment.

Perrig is deliberately careful with the sovereignty framing. He prefers the term optionality – the freedom to choose which paths to use, which trust roots to rely on, which networks to connect to – and resists the political weight that comes with sovereignty language. He is not wrong to be careful. The sovereignty framing overpromises what network architecture alone can deliver.

Steinmann uses the sovereignty language directly, but without prompting introduces the caveat that most sovereignty advocates leave out. "Yes, it is a sovereign alternative, there is no central kill switch beyond your own jurisdiction's capabilities," he says. "But the same controllability could be misused by totalitarian approaches to government. It's then fully controllable. It will help reduce dependencies on allies who might turn evil. But it could also be misused as a weapon against a free internet. That's the drawback, and I won't judge what's better."

Curran adds a constraint that is architectural rather than political: any network that wants to have value must interconnect globally. A sovereign SCION deployment that cannot route traffic to the rest of the internet is not a useful network. The technology enables meaningful control over path and trust, but it does not deliver sovereignty automatically or completely – and it doesn't pretend to.
What SCION does offer – and what Switzerland has demonstrated in production – is a network in which operators know precisely whom they are trusting, where their traffic is going, and what the conditions are for participation. That is a form of control the public internet does not provide, regardless of what sovereignty framework you attach to it.

The question nobody has answered

The gap between what SCION can do and what it is currently used for is not, at its core, a technical problem. The technology has been validated under conditions most infrastructure operators will never face. The governance framework required to run it has been designed, tested, and operated at scale. The old network it replaced has been turned off. Not paused. Turned off.

What has not happened is the leap from Switzerland to the rest of the world. SCION's deployment model – build the governance first, get the key parties committed, define the trust roots, enforce the rules – is precisely the kind of process that works in Switzerland and struggles almost everywhere else. Whether standardization, the European digital sovereignty agenda, or a sufficiently serious BGP incident changes that calculation remains, for now, an open question.

Steinmann's final point was simple: nobody thinks about foundations until they crack. He is right that nobody renews a house foundation without being forced to. He is also right that it can be done without tearing the house down. Whether that is a reason to act now, or to wait until the structure starts to shift, is a decision the rest of the world has not yet made.