Traditional Network Architecture

Border Gateway Protocol (BGP) is responsible for routing data between devices in the current internet system. Think of BGP as the postal service of the internet: when data is sent through the network, BGP finds all the possible routes to the destination and picks the best one.

Each device connected to the internet belongs to an Autonomous System (AS), a small network that connects multiple devices and is usually managed by a single organization, such as a school, company, or government. Devices in the same AS share the same routing policies, meaning that if two devices in the same AS want to connect to an external server, their data will follow the same path. Essentially, ASs act like regional post offices, organizing and routing data packets to their destinations using BGP.

However, ASs are not fully peer-to-peer networks. Each AS connects only to its neighbors and announces the routes it can reach. For example, if a data packet needs to travel from AS1 to AS4, there are two possible routes:

1. AS1 → AS2 → AS3 → AS4
2. AS1 → AS5 → AS5

Since the path through Route 2 is shorter, BGP will automatically choose this route. If route 2 is interrupted for any reason, BGP will recalculate and select a new best route to transmit the data. BGP functions like an automatic navigator, recording the best routes to other ASs, so once the terminal initiates data transmission, BGP can automatically send it to the destination at the fastest speed.

However, BGP was initially developed to allow only a few computers to exchange data, without considering issues like security and traffic. As a result, there are some concerns about its usage. Firstly, from a security perspective, since the transmission path is automatically selected by BGP and users cannot adjust it proactively, it becomes vulnerable to attacks. For example, attackers can set up a malicious AS and announce incorrect routing information, leading data to the wrong destination, and resulting in data interception or network disruption.

From an efficiency perspective, once there are changes in the overall configuration of an AS, BGP needs some time to update all routing information. Some paths may become unavailable during this process, leading to delays and packet loss. Additionally, BGP does not have a built-in traffic load balancing mechanism. Although it selects the shortest path, if the throughput of that path exceeds its capacity, BGP will not distribute the traffic evenly across other paths unless the AS configuration changes.

The potential issues with BGP have caused significant network events. For instance, in 2008, Pakistan Telecommunications, under government jurisdiction, attempted to censor YouTube’s IP within the country. Its upstream ISP mistakenly broadcasted incorrect routing information to the internet, causing all global YouTube traffic to be directed to Pakistan Telecommunications, resulting in a global YouTube service outage.

Additionally, besides Web2 companies, attackers can also steal users’ cryptocurrency assets through BGP attacks. In 2018, attackers launched a BGP hijacking attack that redirected traffic visiting MyEther wallet to a malicious server, tricking users into a phishing website, stealing their wallet assets, and transferring them to the attackers’ wallets. This attack lasted for about two hours and resulted in the theft of 214 Ether, valued at over $150,000. This shows that BGP has become one of the biggest issues enterprises and companies face, leading to the development of a new network protocol, SCION.

What is SCION?

SCION (Scalability, Control, and Isolation On Next-Generation Networks) is a network architecture that improves internet security and performance. It was developed by ETH Zurich and its affiliate Anapaya Systems to address various security issues in existing network architectures.

Firstly, SCION introduces the concept of Isolation Domains (ISDs), where each ISD is composed of several ASs within the same jurisdiction or geographical area, and a trusted entity is selected to operate the core AS managing the ISD. Each ISD has its public key infrastructure (PKI) for verifying the identities between ASs, ensuring that no malicious AS is included, and enabling encrypted communication to improve security. Besides ensuring that the ASs within an ISD are trustworthy, ISDs act like firewalls on the internet. If a security breach occurs, its impact is limited to the affected ISD and will not spread throughout the network, effectively preventing large-scale network attacks or outages.

For data transmission, SCION features a Proof-of-Path mechanism, where each path’s information is encrypted and signed, and each AS in the path verifies the authenticity of the route it participates in, preventing any unauthorized alterations. Additionally, SCION provides multiple route choices for data transmission, allowing users to assess different paths based on latency, bandwidth, security, etc., and choose the most suitable route. This way, network traffic will not be congested on a single path, effectively improving data transmission efficiency.

Compared to BGP, SCION’s ISDs allow for auditing each AS’s origin and authenticity, and security issues are contained within a small scope, greatly enhancing network security and stability. Moreover, unlike BGP, which automatically selects routes for users, SCION gives users full control over the transmission path, offering multiple route options. Users can see which ASs the path will pass through and embed the selected path in the data packets, making each AS along the way aware of the next hop, thereby freeing up router storage space and avoiding delays caused by updating the routing table.

SCION’s Impact on the Sui Network

Currently, all blockchain networks, whether Layer 1, Layer 2, or modular blockchains, rely on the BGP protocol for communication between nodes. This means that all blockchains are exposed to the potential security risks of BGP. Over the years, there have been several high-profile BGP attacks. For instance, in 2018, attackers hijacked BGP to redirect traffic to malicious servers, tricking users into visiting phishing websites and stealing assets from their MyEther wallets, transferring the stolen funds to the attackers. This attack lasted for two hours and resulted in the theft of 214 Ether, worth over $150,000 at the time. In 2022, KLAYswap was hacked through a BGP hijacking attack that altered third-party links on the front end, causing users to authorize malicious addresses and stealing about $1.9 million in assets.

Beyond asset theft, attackers can manipulate BGP to control routing, increase communication delays between nodes, or even completely block transmission paths. This can severely impact the speed of blockchain consensus, causing network halts and undermining consensus security. Consensus is essential for the functioning of blockchains, preventing issues like double-spending and ledger tampering, and ensuring the network remains reliable. Solana, for example, faced significant downtime in the past, leading to questions about its security.

To mitigate the risks posed by BGP, Sui has decided to collaborate with Anapaya Systems to implement SCION infrastructure, which is now running on their testnet. This upgrade is expected to bring several benefits to Sui:

1.More Flexible Consensus Participation

If one network is attacked, full nodes can quickly switch to another unaffected network, providing flexibility to choose an alternative path for data transmission and ensuring consensus isn’t disrupted by attacks that attempt to take validators offline.

2.Faster State Synchronization

SCION allows full nodes multiple connection paths to other nodes and validators. This enables faster state synchronization by avoiding distant nodes and bypassing network bottlenecks, speeding up overall network synchronization.

3.Improved Resistance to IP DDoS Attacks

In the event of a DDoS attack, the ISD structure limits the scope of the attack to a single network. Nodes and validators can easily select alternate paths to bypass malicious traffic, preventing the DDoS attack from impacting them.

In general, SCION’s multi-path routing and path isolation provide Sui’s network with greater security and flexibility when handling external network attacks, reducing the likelihood of downtime. Additionally, SCION’s embedding path information directly into data packets improves network speed. Official tests have shown that delays between distant nodes can be reduced by more than 10%, enhancing network performance, which positions Sui as a leading public chain in the industry.

Conclusion

Sui, a rising Layer 1 public chain, is built with the unique MOVE language and represents the first object-oriented public chain. It will become the first blockchain protocol to implement SCION architecture, reflecting Mysten Lab’s commitment to technological innovation and continuous improvement of Sui’s performance and security. If the SCION upgrade proves successful, it could encourage other public chains to adopt similar technology, marking a significant leap forward for blockchain technology and laying the foundation for large-scale adoption in the future.