scionassociation / scion-dp_I-D

Specification of the SCION data plane
https://scionassociation.github.io/scion-dp_I-D/

Specify SCION-IP Gateways - outline #40

Open nicorusti opened 1 month ago

nicorusti commented 1 month ago

Harald Alvestrand (meeting notes 26.07.2024) Document SCION-IP gateways: If the goal is to document existing deployment, the gateways must be specified. This could be an additional ISE draft. The overall SCION draft “package” must have enough information to make a connection over SCION.

Feedback received:

Harald Alvestrand The payload of a packet can be anything (does not affect SCION operation), but the header contains an integer saying which content it is, with the defined values being “UDP”, “TCP”, and some numbers for internal use. The process for constructing an IP packet from the SCION packet (or vice versa) is not described, but presumably involves mangling checksums - -dataplane describes a “virtual header” for constructing the checksum of things that require it, which implies that a gateway to non-SCION IP would mangle checksums inside the UDP or TCP packet. (There are references in -overview to docs describing gateways. However, I can’t see them at the moment.)

My response: Yes, we don’t yet have a draft describing gateways in detail. There was a presentation by my co-author Sam Hitz at PANRG at 119 about it. Essentially gateways run an encapsulation protocol and exchange IP routes among each other. They use a custom protocol for that, so we felt for now it was best to leave this part out and treat gateways as a normal SCION endpoint. This checksum is used, for example, by UDP on top of SCION. Gateways encapsulate the whole IP packet, so they don’t mangle UDP/TCP checksums in them. However, the gateway encapsulation protocol itself runs on top of UDP on top of SCION, therefore there is a checksum in the encapsulating UDP packet, and this uses the “virtual header”.

Lunch discussion Document SCION-IP gateways: If the goal is to document existing deployment, the gateways must be specified. This could be an additional ISE draft. The overall SCION draft “package” must have enough information to make a connection over SCION.

Potential sources:

nicorusti commented 2 days ago

On 7 Sep 2024, at 02:16, Harald Alvestrand harald@alvestrand.no wrote:

I still don't think you have enough info on the IP gateway.

In particular - does the IP gateway pair (entry + exit) act like a NAT box, matching the source address in the source domain to the gateway address in the destination domain, or is it a one-way tunnel of unchanged bits?

In both cases - where are the IP addresses (or equivalent) carried through the tunnel? As part of the SCION address (as the presence of those forms of address in the endpoint scheme seems to indicate), or as part of the packet?

And if the addresses are mapped, who takes care of the payload modifications that any NAT needs to do?

Harald (I still haven't gotten around to reading the -controlplane and -pki drafts, but I have not forgotten them...)
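
The checksum behaviour described in the response earlier in this thread (the encapsulated IP packet keeps its own checksums, while the outer UDP/SCION checksum is computed with the pseudo header), as an added example that is not part of the original thread or of the SCION project's code. The pseudo-header layout is an assumption, the ports and addresses are constructed values, and the gateway's own framing header is left out because the thread does not specify it.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): complemented one's-complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def udp_segment(sport, dport, payload, pseudo):
    """Build a UDP segment; pseudo(length) returns the pseudo header bytes."""
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = inet_checksum(pseudo(length) + hdr + payload) or 0xFFFF
    return hdr[:6] + struct.pack("!H", csum) + payload

def ipv4_packet(src, dst, segment):
    """Minimal IPv4 header (no options, protocol 17) around a UDP segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64, 17, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + segment

def gateway_encapsulate(ip_packet, scion_pseudo):
    # Assumption: the gateway framing header is omitted (not specified on the page);
    # the whole IP packet becomes the payload of the outer UDP/SCION segment.
    return udp_segment(40000, 40000, ip_packet, scion_pseudo)  # constructed ports

def demo():
    # All addresses below are constructed sample values.
    src, dst = bytes([10, 0, 1, 5]), bytes([10, 0, 2, 9])
    v4 = lambda n: src + dst + struct.pack("!BBH", 0, 17, n)
    inner = ipv4_packet(src, dst, udp_segment(5000, 5001, b"constructed payload", v4))
    ia_a = struct.pack("!H", 1) + (0xFF0000000110).to_bytes(6, "big")
    ia_b = struct.pack("!H", 2) + (0xFF0000000220).to_bytes(6, "big")
    gw_a, gw_b = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
    # Assumed SCION pseudo header layout: dst ISD-AS, src ISD-AS, dst host,
    # src host, 32-bit upper-layer length, 24 zero bits, next header (17 = UDP).
    sc = lambda n: ia_b + ia_a + gw_b + gw_a + struct.pack("!I3xB", n, 17)
    outer = gateway_encapsulate(inner, sc)
    carried = outer[8:]  # what the remote gateway unwraps
    tampered = outer[:-1] + bytes([outer[-1] ^ 0x01])
    return {
        "inner_unchanged": carried == inner,
        "inner_ip_ok": inet_checksum(carried[:20]) == 0,
        "inner_udp_ok": inet_checksum(v4(len(carried) - 20) + carried[20:]) == 0,
        "outer_udp_ok": inet_checksum(sc(len(outer)) + outer) == 0,
        "tamper_detected": inet_checksum(sc(len(tampered)) + tampered) != 0,
    }
```

Calling `demo()` returns a dictionary in which every check is `True`: the inner packet arrives byte-for-byte identical with its IPv4 and UDP checksums still valid, and only the outer checksum depends on the SCION pseudo header.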