---
title: "SCION vs SD-WAN: The Infrastructure Reality"
subtitle: "What actually runs under the hood of Switzerland's \"next-generation internet\""
category: "Investigation"
date: 2025-01-15
tags: ["SCION", "SD-WAN", "SRv6", "Swiss Tech", "Infrastructure"]
---

## Market Reality Check

| Metric | SCION | SD-WAN |
|--------|-------|--------|
| Market size | Unmeasured (Swiss niche) | $6-9 billion (2024) |
| Active vendors | 1 (Anapaya) + open source | 70+ vendors |
| Enterprise customers | ~300 (SSFN) | 40,000+ (Fortinet alone) |
| Development timeline | 16 years (since 2009) | ~10 years |
| Gartner Magic Quadrant | Not evaluated | Full quadrant, 6 leaders |
| Pricing transparency | "Book a demo" | Published pricing |

## The Underlay: What Actually Carries SCION Traffic?

### SCION Transport Layer

SCION packets are encapsulated in **UDP/IPv4 or UDP/IPv6** between SCION nodes:

> "SCION is using a UDP/IP underlay to transport SCION packets between SCION nodes. These UDP/IP packets are only valid between two SCION nodes and change after every SCION hop."
>
> — IETF Draft: draft-dekater-scion-dataplane

### The Dirty Secret: Dedicated Infrastructure Required

Here's the critical point that marketing materials gloss over:

> "When it comes to inter-domain communication, **an overlay deployment on top of today's Internet is not desirable**, as SCION would inherit issues from its weak underlay. Thus, **inter-AS SCION links are usually deployed in parallel to existing links**, in order to preserve its security properties."
>
> — IETF SCION Overview & Official Documentation

{{< irony >}}
Production SCION deployments require dedicated/parallel physical infrastructure between ISPs — just like the expensive MPLS VPNs that SD-WAN was designed to replace.
{{< /irony >}}

### SSFN: Replaced MPLS With... More Private Infrastructure

The Swiss Secure Finance Network is touted as SCION's flagship deployment.
What it actually did:

> "SSFN replacing multiple existing MPLS networks"
>
> — SIX Group & Swisscom

SCION didn't eliminate expensive private infrastructure — it replaced one private network (MPLS) with another (dedicated SCION links between Swisscom, Sunrise, and SWITCH).

## Encryption: The Missing Layer

Unlike SD-WAN's mandatory IPSec encryption, SCION does **not encrypt payload by default**:

- **SPAO** (SCION Packet Authenticator Option) — authenticates packets using DRKey
- **Path validation** via cryptographic signatures
- **No mandatory payload encryption** — applications must handle this themselves

> "This option is primarily intended to be used in conjunction with DRKey which provides shared secrets without explicit key exchange... analogous to IPSec"
>
> — SCION SPAO Documentation

Note the word "analogous" — it's authentication, not encryption.

## Infrastructure Comparison

| Aspect | SCION (Production) | SD-WAN |
|--------|-------------------|--------|
| Inter-site transport | UDP/IP over **dedicated parallel links** | IPSec tunnels over public internet + optional MPLS |
| Payload encryption | Optional (app layer) | Mandatory IPSec (AES-256) |
| Can use public internet? | Not recommended for production | Yes (primary use case) |
| Private infrastructure needed? | Required for security guarantees | Optional (MPLS for premium) |
| Intra-AS transport | Existing IP/MPLS | Existing IP/MPLS |
| Path control | Full end-to-end | First hop only |

## The SCIONLab Admission

The research network that runs over the public internet explicitly states:

> "The security, availability, and performance properties of SCION are **not fully realized**"
>
> — SCIONLab Documentation

## The Elephant in the Room: SRv6

While ETH Zurich spent 16 years building a clean-slate internet replacement, the IETF quietly standardized **Segment Routing over IPv6 (SRv6)** — which delivers end-to-end path control over the existing internet.

### What is SRv6?
SRv6 (RFC 8986) encodes the forwarding path as a list of segments carried in an IPv6 extension header, the Segment Routing Header (SRH). The critical difference from SCION:

> "A transit node is a node along the path of the SRv6 packet. **The transit node does not inspect the SRH.** The destination address of the IPv6 packet does not correspond to the transit node."
>
> — Cisco SRv6 Configuration Guide

{{< irony >}}
Any standard IPv6 router in the middle of the path just forwards SRv6 packets normally — no upgrade required. Only the endpoints need SRv6 capability. It works transparently over the existing internet.
{{< /irony >}}

### SRv6 + SD-WAN = End-to-End Path Control

Modern SD-WAN platforms integrate with SRv6 to provide the path control that SCION claims as its unique advantage:

> "This integration allows SD-WAN policies to leverage SRv6 paths to meet specific application requirements, such as low latency or high reliability. Unified visibility across SD-WAN overlays and SRv6 underlays simplifies troubleshooting."
>
> — Cisco SD-WAN for Critical Networks

### Production Deployment Scale

While SCION serves ~300 Swiss financial institutions, SRv6 is deployed at global scale:

- **85,000+ Cisco routers** deployed with SRv6 (2025)
- **Reliance Jio** — 600 million mobile customers, 100 million homes
- **Rakuten Mobile** — largest SRv6 uSID migration in Japan
- **SoftBank Japan** — production SRv6 with network slicing
- **Bell Canada** — simplified data center operations
- **vivo Brazil** — multi-vendor SRv6 on a live network
- **Swisscom** — yes, the same Swisscom promoting SCION

### Multi-Vendor, Standards-Based

Unlike SCION's single commercial vendor (Anapaya), SRv6 has full ecosystem support:

- **Cisco, Juniper, Nokia, Huawei** — all major vendors
- **IETF standardized** — RFC 8986, not a draft or research project
- **SONiC integration** — open source switch OS (Alibaba, Microsoft, Nvidia)
- **Interoperability tested** — EANTC multi-vendor validation

### The Compression Advantage: uSID

SRv6 micro-segment identifiers (uSIDs) compress up to 6 segment instructions into a single 128-bit IPv6 address, minimizing header overhead while maintaining full path programmability.

## Case Study: Axpo Systems & ASTRA

The contradictions of Swiss SCION promotion are perfectly illustrated by **Axpo Systems AG**.

### Who is Axpo Systems?
- Subsidiary of Axpo Group, headquartered in Lupfig, ~140 employees
- Self-described as "The neural system of system-relevant Switzerland runs through us"
- Operates critical OT (Operational Technology) networks for Swiss infrastructure

### Their SCION Involvement

Axpo Systems is deeply invested in SCION:

- **March 2024:** Joined SCION Association as newest member
- **January 2025:** Launched "first OT Security Operations Center with SCION connectivity" with Anapaya
- Markets SCION as "the safest routing protocol for the Internet of the future"
- Sells "Secure WAN Service" based on SCION for enterprise customers

> "SCION combines the flexibility and accessibility of the public Internet with the security and reliability of a private MPLS network."
>
> — Axpo Systems marketing

### What They Actually Use for Critical Infrastructure

In November 2023, Axpo Systems won the contract to design, build, and operate **ASTRA's IP-Netz BSA** — the backbone network connecting Switzerland's national highway infrastructure (traffic management, safety systems, tunnel controls).

**Contract value:** CHF 1,514,100

The IP-Netz BSA is a dedicated network separate from Axpo's own aXbone infrastructure. It spans all of Switzerland, connecting ASTRA's regional units (Gebietseinheiten) with redundant fiber optic infrastructure routed along national road corridors.

### The Technology Choice: SRv6

When Axpo Systems designed and rolled out the ASTRA BSA network — critical infrastructure for Swiss highway safety — **they chose SRv6 (Segment Routing over IPv6)**.

Not SCION. Not the "revolutionary Swiss technology" they actively promote. They deployed the IETF-standard SRv6 for Switzerland's highway backbone.

{{< irony title="The Ultimate Hypocrisy" >}}
Axpo Systems — a SCION Association member since March 2024, promoter of SCION as "the safest routing protocol for the Internet of the future" — chose SRv6 over SCION when building critical Swiss infrastructure.
If SCION were truly superior, why didn't they use it for ASTRA's highway network?
{{< /irony >}}

### Meanwhile, Their Own Backbone...

Axpo Systems' internal production infrastructure (the **aXbone** network serving their own customers) runs on traditional MPLS:

> "The crisis-proof and highly available **MPLS-based data network** of Axpo Systems is characterised by redundant line routing and comprehensive network monitoring."
>
> — Axpo Systems, aXbone Infrastructure

### The Three-Way Contradiction

| Network | Technology | Status |
|---------|------------|--------|
| ASTRA BSA (highways) | **SRv6** | Production — designed by Axpo Systems |
| aXbone (Axpo's backbone) | **MPLS** | Production — Axpo's own infrastructure |
| SCION | **SCION** | Marketing — what they sell to others |

When it matters — when Swiss highway safety depends on it — Axpo Systems deploys SRv6. When it's their own money — they run MPLS. When it's customer money — they sell SCION.

## The axboneNG Evolution: What's Actually Being Built

Axpo Systems is replacing the current aXbone with **axboneNG** — a next-generation backbone. The technology choice is revealing:

### axboneNG Platform

| Component | Technology | Purpose |
|-----------|------------|---------|
| Hardware | **Ribbon Neptune 1800 + NPT-1250** | Metro aggregation & access routing |
| Legacy OT services | **MPLS-TP** | TDM-based operational technology |
| Modern services | **FlexE + FlexAlgo + SR-MPLS** | Network slicing, traffic engineering |

The Ribbon Neptune platform supports IP/MPLS, MPLS-TP, Segment Routing, FlexE, and EVPN — all **industry-standard technologies**. Not SCION.

### SCION as an Overlay Service

Where does SCION fit in axboneNG?
As a **service carried on top** of the real backbone:

- **SSUN ISD76 backbone:** Dedicated L3 VPN for Swiss Secure Utility Network core-to-core inter-AS links
- **SwissIX SCION VLAN:** Dedicated DWDM links from Axpo servers to SwissIX SCION peering — *parallel to* their regular internet exchange connectivity

{{< irony title="The Architecture Tells the Truth" >}}
SCION doesn't replace the backbone — it rides on top of it. Axpo Systems is building axboneNG on SR-MPLS and FlexE (industry standards), then carrying SCION as just another VPN service. The "revolutionary internet replacement" is an overlay on conventional infrastructure.
{{< /irony >}}

### Swiss Secure Utility Network (SSUN)

The SSUN, launched August 2025, is the SCION network for Swiss energy utilities. Key details:

- Partners: VSE, Anapaya, Axpo Systems, Cyberlink, Litecom, Sunrise, Swisscom
- ISD76 — the isolation domain for Swiss utilities
- By 2030, connection becomes "gradually mandatory" for utility market partners

But look at how SSUN is actually delivered: as a **dedicated L3 VPN** on Axpo's SR-MPLS backbone, with **dedicated DWDM links** to SwissIX for SCION peering. The underlying transport is conventional technology.

### SwissIX SCION Peering

SwissIX offers a dedicated SCION VLAN — the first IXP in the world to do so. But note the infrastructure:

- SCION runs as a **separate VLAN** alongside regular internet peering
- Participants need **dedicated ports** or spare capacity on existing ports
- Pricing: CHF 200-350/month per port
- Traffic must stay below 80% of paid port capacity

SCION at SwissIX isn't replacing internet peering — it's an **additional overlay service** requiring separate infrastructure and fees.
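The "What is SRv6?" section above rests on one mechanical fact: a transit router forwards on the IPv6 destination address and never reads the Segment Routing Header, while only the nodes that own a segment rewrite anything. The following script is an added example, not code from the article, Cisco or any SRv6 implementation. It builds a packet with an SRH in the RFC 8754 layout and walks it through a mix of plain IPv6 routers and segment endpoints, applying the RFC 8986 "End" behaviour (Segments Left decremented, next segment copied into the destination). All addresses are constructed documentation-range values; checksums, flavours such as PSP/USP and TLVs are left out.

```python
# Added example (not from the article, Cisco or any SRv6 implementation):
# an IPv6 packet carrying a Segment Routing Header in the RFC 8754 layout,
# and the two node roles the text contrasts. A transit node forwards on the
# IPv6 destination address alone and never reads the SRH; a segment endpoint
# (RFC 8986 "End" behaviour) decrements Segments Left and rewrites the
# destination. All addresses are constructed documentation-range values.
import ipaddress
import struct

NH_ROUTING, NH_UDP, SRH_TYPE = 43, 17, 4   # Routing ext. header, UDP, SRH routing type
A = ipaddress.IPv6Address


def build_srh(segments, next_header=NH_UDP):
    """Encode an SRH for waypoints given in travel order. RFC 8754 stores the
    list reversed (Segment List[0] is the final segment) and Segments Left
    indexes the segment currently in the IPv6 destination field."""
    rev = [A(s).packed for s in reversed(segments)]
    n = len(rev)
    # next header, Hdr Ext Len (8-octet units, first 8 excluded), routing type,
    # Segments Left, Last Entry, Flags, Tag
    fixed = struct.pack("!BBBBBBH", next_header, 2 * n, SRH_TYPE, n - 1, n - 1, 0, 0)
    return fixed + b"".join(rev)


def build_packet(src, segments, payload):
    """IPv6 header + SRH + payload; destination is the first segment."""
    srh = build_srh(segments)
    hdr = struct.pack("!IHBB", 0x60000000, len(srh) + len(payload), NH_ROUTING, 64)
    return hdr + A(src).packed + A(segments[0]).packed + srh + payload


def ipv6_dst(pkt):
    return A(pkt[24:40])


def transit_forward(pkt):
    """Plain IPv6 router: look up the destination, decrement Hop Limit.
    Bytes 40 onward (the SRH) are neither parsed nor modified."""
    out = bytearray(pkt)
    out[7] -= 1
    return "transit", ipv6_dst(pkt), bytes(out)


def segment_endpoint(pkt, my_sids):
    """SRv6 End behaviour on a node that owns the destination SID; any other
    node, SRv6-capable or not, behaves as a transit node."""
    if ipv6_dst(pkt) not in my_sids or pkt[6] != NH_ROUTING or pkt[42] != SRH_TYPE:
        return transit_forward(pkt)
    out = bytearray(pkt)
    sl = out[43]                                  # Segments Left
    if sl == 0:                                   # final segment: packet is for us
        return "deliver", ipv6_dst(pkt), bytes(out)
    sl -= 1
    out[43] = sl
    nxt = bytes(out[48 + 16 * sl:64 + 16 * sl])   # Segment List[sl]
    out[24:40] = nxt
    out[7] -= 1
    return "endpoint", A(nxt), bytes(out)


def run_path(pkt, nodes):
    """Drive the packet through (name, owned-SIDs) nodes in order; return the
    trace of (node, action, destination address after that node)."""
    trace = []
    for name, sids in nodes:
        action, da, pkt = segment_endpoint(pkt, sids)
        trace.append((name, action, str(da)))
        if action == "deliver":
            break
    return trace


if __name__ == "__main__":
    waypoints = ["2001:db8:1::1", "2001:db8:2::1", "2001:db8:3::1"]   # constructed SIDs
    pkt = build_packet("2001:db8::1", waypoints, b"payload")
    path = [("R1 (no SRv6)", set()), ("S1", {A(waypoints[0])}),
            ("R2 (no SRv6)", set()), ("S2", {A(waypoints[1])}),
            ("S3", {A(waypoints[2])})]
    for node, action, da in run_path(pkt, path):
        print(f"{node:14} {action:9} next DA {da}")
```

The trace shows R1 and R2 forwarding a packet whose destination they do not own without touching bytes 40 onward, which is the whole basis for the "no transit upgrade needed" claim. Equally visible is the caveat a defender should keep in mind: the full segment list travels in the clear in the packet, so any device on the path can read (and, absent an authenticated boundary, alter) the intended path. That is why SRv6 domains are normally bounded by filtering routing-header packets at the edge, exactly the kind of operational control the article treats as given.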
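The uSID passage above says that up to 6 segment instructions fit into one 128-bit address. The arithmetic behind that number, and the "shift and forward" step a uSID node performs, are shown in this added example, which is not code from the article or from any vendor. It assumes a 32-bit uSID block and 16-bit uSIDs (the common deployment shape), uses the constructed block `fcbb:bbbb::/32`, and models the uN behaviour only: the node owning the first uSID shifts the rest left by 16 bits and forwards on the result. The overhead function is simplified accounting that ignores flavours and TLVs.

```python
# Added example (not from the article or any vendor): how SRv6 uSID packs
# several 16-bit micro-segment instructions into one 128-bit address, and the
# "shift and forward" step a uSID node performs. Assumes a 32-bit uSID block
# and 16-bit uSIDs; the block fcbb:bbbb::/32 is a constructed value.
import ipaddress
import math

BLOCK = ipaddress.IPv6Address("fcbb:bbbb::")   # constructed uSID block
BLOCK_BITS, USID_BITS = 32, 16
REST_BITS = 128 - BLOCK_BITS                   # bits available for uSIDs


def usid_capacity():
    """Instructions per container: (128 - 32) / 16 = 6."""
    return REST_BITS // USID_BITS


def pack_usids(usids):
    """Build one container address: block, then uSIDs in travel order, then
    zero-filled positions that mark end-of-container."""
    if len(usids) > usid_capacity():
        raise ValueError(f"at most {usid_capacity()} uSIDs fit in one container")
    v = int(BLOCK) >> REST_BITS
    for i in range(usid_capacity()):
        v = (v << USID_BITS) | (usids[i] if i < len(usids) else 0)
    return ipaddress.IPv6Address(v)


def usid_shift(da):
    """uN behaviour at the node owning the active (first) uSID: shift the
    remaining uSIDs left by 16 bits, zero-fill, forward on the new address.
    Returns None when the next uSID is the end-of-container marker; the node
    then falls back to the regular End behaviour on the SRH (if any)."""
    v = int(da)
    block, rest = v >> REST_BITS, v & ((1 << REST_BITS) - 1)
    nxt = (rest >> (REST_BITS - 2 * USID_BITS)) & ((1 << USID_BITS) - 1)
    if nxt == 0:
        return None
    rest = (rest << USID_BITS) & ((1 << REST_BITS) - 1)
    return ipaddress.IPv6Address((block << REST_BITS) | rest)


def srh_overhead_bytes(n_instructions, usid=False):
    """Extra header bytes to carry n instructions. Plain SRv6: 8-byte fixed SRH
    part plus 16 bytes per segment. uSID: one container needs no SRH at all
    (the destination address carries it); k containers need an SRH with k
    16-byte entries. Simplified accounting that ignores flavours and TLVs."""
    if not usid:
        return 8 + 16 * n_instructions
    containers = math.ceil(n_instructions / usid_capacity())
    return 0 if containers == 1 else 8 + 16 * containers


if __name__ == "__main__":
    da = pack_usids([0x0100, 0x0200, 0x0300])
    print("container:", da)
    while da is not None:
        da = usid_shift(da)
        print("after shift:", da)
    print("6 instructions, plain SRH:", srh_overhead_bytes(6),
          "bytes; uSID:", srh_overhead_bytes(6, usid=True), "bytes")
```

Three instructions, one address, no SRH at all: that is the compression the passage refers to, and it is also why uSID traffic is hard to tell apart from ordinary IPv6 on a wire capture unless the monitoring system knows the uSID block.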
## The Ultimate Irony

| Capability | SCION | SD-WAN + SRv6 |
|------------|-------|---------------|
| End-to-end path control | Yes | Yes |
| Works over public internet | No (security degraded) | Yes (encrypted) |
| Transit router upgrade needed | Yes (SCION routers) | No (standard IPv6) |
| Dedicated inter-ISP links | Required for production | Not required |
| IETF standard | Draft stage | RFC 8986 (2021) |
| Vendor support | 1 (Anapaya) | All major vendors |
| Production scale | ~300 customers | Billions of endpoints |

{{< conclusion >}}
SCION's marketing claims "virtual connections just as secure as leased lines" — but achieving this requires deploying on **parallel dedicated infrastructure**, not the public internet.

Meanwhile, **SRv6 delivers the same end-to-end path control** that SCION touts as revolutionary — but it works transparently over any IPv6 network, is an IETF standard (not a draft), and is already deployed at billion-user scale.

The supposed SCION advantages are rendered a costly exercise in academic empire-building:

- **Path control?** SRv6 does it over standard IPv6.
- **No BGP dependency?** SRv6 source routing bypasses BGP path selection.
- **Multi-path?** SD-WAN + SRv6 provides it with encryption included.

**SD-WAN + SRv6:** Encrypts everything, works over public internet, end-to-end path control, IETF standard, all major vendors.

**SCION:** No encryption, requires dedicated links, single vendor, 16 years in development, still a draft.
{{< /conclusion >}}
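The "Encryption: The Missing Layer" section and the table above both turn on the difference between a packet authenticator (SPAO over DRKey) and payload encryption. The script below is an added example, not code from the article, the SCION project or Anapaya. It models the DRKey idea in simplified form: an AS secret value is expanded by a PRF into a per-destination-AS key and then a per-host key, so both ends arrive at the same key with no online exchange (the "shared secrets without explicit key exchange" of the quoted documentation). HMAC-SHA256 stands in for the PRF the DRKey specification defines; key epochs and the protocol-specific key level are omitted, the wire layout is constructed, and the 16-byte truncated tag length is an assumption. The point it makes in code is the article's: a tap on the link still reads the payload, while modification is detected.

```python
# Added example (not from the article, the SCION project or Anapaya): what a
# packet authenticator option like SPAO over DRKey does and does not give you.
# The DRKey hierarchy is modelled in simplified form: an AS secret value is
# expanded by a PRF into a per-destination-AS key, then a per-host key, so
# both ends derive the same key without an online exchange. HMAC-SHA256
# stands in for the PRF the DRKey specification defines; key epochs and the
# protocol-specific level are omitted. Identifiers and payloads are constructed.
import hashlib
import hmac
import struct

TAG_LEN = 16   # truncated MAC length, an assumption for this example


def prf(key, *parts):
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(p)
    return m.digest()


def derive_as_key(secret_value, dst_as):
    """Level-1 key K_{A->B}. AS A holds the secret and derives this on the fly
    for any B (the "fast side"); B fetches it once via the control plane."""
    return prf(secret_value, b"AS-level", dst_as.encode())


def derive_host_key(as_key, dst_host):
    """Level-2 key K_{A->B:H}, derived locally by anyone holding K_{A->B}."""
    return prf(as_key, b"host-level", dst_host.encode())


def authenticate(key, header, payload):
    """SPAO-style: MAC over immutable header fields and payload, carried with
    the packet. Wire layout (constructed): header length, header, payload, tag.
    Nothing here hides the payload."""
    tag = prf(key, struct.pack("!H", len(header)), header, payload)[:TAG_LEN]
    return struct.pack("!H", len(header)) + header + payload + tag


def split(wire):
    (hlen,) = struct.unpack("!H", wire[:2])
    return wire[2:2 + hlen], wire[2 + hlen:-TAG_LEN], wire[-TAG_LEN:]


def verify(key, wire):
    """Receiver side: recompute the tag and compare in constant time.
    Returns (authentic, payload)."""
    header, payload, tag = split(wire)
    expected = prf(key, struct.pack("!H", len(header)), header, payload)[:TAG_LEN]
    return hmac.compare_digest(tag, expected), payload


def payload_without_key(wire):
    """What a passive tap on a shared link reads with no key at all."""
    return split(wire)[1]


def flip_first_payload_byte(wire):
    """Simulate an in-path modification; verify() must reject the result."""
    header, payload, tag = split(wire)
    payload = bytes([payload[0] ^ 0x01]) + payload[1:]
    return struct.pack("!H", len(header)) + header + payload + tag


if __name__ == "__main__":
    sv_a = bytes(range(32))                          # constructed AS-A secret value
    k_sender = derive_host_key(derive_as_key(sv_a, "as-b"), "host-b")
    k_receiver = derive_host_key(derive_as_key(sv_a, "as-b"), "host-b")  # via control plane
    wire = authenticate(k_sender, b"\x01\x02\x03\x04", b"order: 1000 CHF")
    print("same key at both ends:", k_sender == k_receiver)
    print("receiver accepts:", verify(k_receiver, wire)[0])
    print("tap reads:", payload_without_key(wire))
    print("tampered accepted:", verify(k_receiver, flip_first_payload_byte(wire))[0])
```

Two properties fall out directly: integrity and origin authentication hold (a flipped byte or a key for the wrong host fails verification), and confidentiality does not (`payload_without_key` returns the order in the clear). A deployment that needs the latter has to add it at the application layer or in a tunnel, which is the article's "applications must handle this themselves".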