| title | subtitle | category | date |
|---|---|---|---|
| SCION vs SD-WAN: The Infrastructure Reality | What actually runs under the hood of Switzerland's "next-generation internet" | Investigation | 2025-12-15 |
Market Reality Check
| Metric | SCION | SD-WAN |
|---|---|---|
| Market size | Unmeasured (Swiss niche) | $6-9 billion (2024) |
| Active vendors | 1 (Anapaya) + open source | 70+ vendors |
| Enterprise customers | ~300 (SSFN) | 40,000+ (Fortinet alone) |
| Development timeline | 16 years (since 2009) | ~10 years |
| Gartner Magic Quadrant | Not evaluated | Full quadrant, 6 leaders |
| Pricing transparency | "Book a demo" | Published pricing |
The Underlay: What Actually Carries SCION Traffic?
SCION Transport Layer
SCION packets are encapsulated in UDP/IPv4 or UDP/IPv6 between SCION nodes:
"SCION is using a UDP/IP underlay to transport SCION packets between SCION nodes. These UDP/IP packets are only valid between two SCION nodes and change after every SCION hop."
— IETF Draft: draft-dekater-scion-dataplane
The Dirty Secret: Dedicated Infrastructure Required
Here's the critical point that marketing materials gloss over:
"When it comes to inter-domain communication, an overlay deployment on top of today's Internet is not desirable, as SCION would inherit issues from its weak underlay. Thus, inter-AS SCION links are usually deployed in parallel to existing links, in order to preserve its security properties."
— IETF SCION Overview & Official Documentation
{{< irony >}} Production SCION deployments require dedicated/parallel physical infrastructure between ISPs — just like the expensive MPLS VPNs that SD-WAN was designed to replace. {{< /irony >}}
SSFN: Replaced MPLS With... More Private Infrastructure
The Swiss Secure Finance Network is touted as SCION's flagship deployment. What it actually did:
"SSFN replacing multiple existing MPLS networks"
— SIX Group & Swisscom
SCION didn't eliminate expensive private infrastructure — it replaced one private network (MPLS) with another (dedicated SCION links between Swisscom, Sunrise, and SWITCH).
Encryption: The Missing Layer
Unlike SD-WAN's mandatory IPSec encryption, SCION does not encrypt payload by default:
- SPAO (SCION Packet Authenticator Option) — authenticates packets using DRKey
- Path validation via cryptographic signatures
- No mandatory payload encryption — applications must handle this themselves
"This option is primarily intended to be used in conjunction with DRKey which provides shared secrets without explicit key exchange... analogous to IPSec"
— SCION SPAO Documentation
Note the word "analogous" — it's authentication, not encryption.
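An added sketch (not code from the SCION project or from the original article) of what "authentication, not encryption" looks like on the wire: a DRKey-style key is derived from a local secret without a handshake, the packet gets an authenticator, and the payload stays readable to anyone on the path. HMAC-SHA256 stands in for the real MAC, and the derivation labels, AS identifier, host addresses and wire layout are assumptions made for illustration.

```python
import hashlib
import hmac

TAG_LEN = 16

def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in PRF/MAC for this sketch: HMAC-SHA256 truncated to 16 bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]

def as_key(secret_value: bytes, remote_as: str) -> bytes:
    """AS A recomputes its key for AS B from a local secret; no handshake needed."""
    return prf(secret_value, b"as|" + remote_as.encode())

def host_key(as_level: bytes, src_host: str, dst_host: str) -> bytes:
    """Per-host-pair key derived from the AS-level key (labels are hypothetical)."""
    return prf(as_level, f"host|{src_host}|{dst_host}".encode())

def authenticate(key: bytes, payload: bytes) -> bytes:
    """Wire bytes = payload || tag. The payload is sent as-is, not encrypted."""
    return payload + prf(key, payload)

def verify(key: bytes, wire: bytes) -> bytes:
    """Return the payload if the tag matches, otherwise reject the packet."""
    payload, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    if not hmac.compare_digest(tag, prf(key, payload)):
        raise ValueError("authenticator mismatch: packet modified or wrong key")
    return payload

def on_path_view(wire: bytes) -> bytes:
    """What an observer holding no key at all can read from the packet."""
    return wire[:-TAG_LEN]

def demo():
    # All values below are constructed for illustration.
    sv_a = b"constructed-secret-value-of-AS-A"
    k_ab = as_key(sv_a, "1-ff00:0:111")   # the remote AS fetches this ahead of time
    k = host_key(k_ab, "10.0.0.5", "10.1.0.9")
    payload = b"PAY CHF 1000 TO ACCOUNT 42"
    wire = authenticate(k, payload)
    tampered = wire.replace(b"1000", b"9000")
    try:
        verify(k, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return verify(k, wire) == payload, tamper_detected, on_path_view(wire) == payload

if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

Integrity and origin are protected, confidentiality is not: the third value is true because the payload bytes travel unchanged in front of the tag.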
Infrastructure Comparison
| Aspect | SCION (Production) | SD-WAN |
|---|---|---|
| Inter-site transport | UDP/IP over dedicated parallel links | IPSec tunnels over public internet + optional MPLS |
| Payload encryption | Optional (app layer) | Mandatory IPSec (AES-256) |
| Can use public internet? | Not recommended for production | Yes (primary use case) |
| Private infrastructure needed? | Required for security guarantees | Optional (MPLS for premium) |
| Intra-AS transport | Existing IP/MPLS | Existing IP/MPLS |
| Path control | Full end-to-end | First hop only |
The SCIONLab Admission
The research network that runs over public internet explicitly states:
"The security, availability, and performance properties of SCION are not fully realized"
— SCIONLab Documentation
The Elephant in the Room: SRv6
While ETH Zurich spent 16 years building a clean-slate internet replacement, the IETF quietly standardized Segment Routing over IPv6 (SRv6) — which delivers end-to-end path control over the existing internet.
What is SRv6?
SRv6 (RFC 8986) encodes routing instructions directly in the IPv6 header using a Segment Routing Header (SRH). The critical difference from SCION:
"A transit node is a node along the path of the SRv6 packet. The transit node does not inspect the SRH. The destination address of the IPv6 packet does not correspond to the transit node."
— Cisco SRv6 Configuration Guide
{{< irony >}} Any standard IPv6 router in the middle of the path just forwards SRv6 packets normally — no upgrade required. Only the endpoints need SRv6 capability. It works transparently over the existing internet. {{< /irony >}}
SRv6 + SD-WAN = End-to-End Path Control
Modern SD-WAN platforms integrate with SRv6 to provide the path control that SCION claims as its unique advantage:
"This integration allows SD-WAN policies to leverage SRv6 paths to meet specific application requirements, such as low latency or high reliability. Unified visibility across SD-WAN overlays and SRv6 underlays simplifies troubleshooting."
— Cisco SD-WAN for Critical Networks
Production Deployment Scale
While SCION serves ~300 Swiss financial institutions, SRv6 is deployed at global scale:
- 85,000+ Cisco routers deployed with SRv6 (2025)
- Reliance Jio — 600 million mobile customers, 100 million homes
- Rakuten Mobile — largest SRv6 uSID migration in Japan
- SoftBank Japan — production SRv6 with network slicing
- Bell Canada — simplified data center operations
- vivo Brazil — multi-vendor SRv6 on live network
- Swisscom — yes, the same Swisscom promoting SCION
Multi-Vendor, Standards-Based
Unlike SCION's single commercial vendor (Anapaya), SRv6 has full ecosystem support:
- Cisco, Juniper, Nokia, Huawei — all major vendors
- IETF standardized — RFC 8986, not a draft or research project
- SONiC integration — open source switch OS (Alibaba, Microsoft, Nvidia)
- Interoperability tested — EANTC multi-vendor validation
The Compression Advantage: uSID
SRv6 micro-segments (uSID) compress up to 6 segment instructions into a single 128-bit IPv6 address, minimizing overhead while maintaining full path programmability.
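The arithmetic behind "6 segment instructions in one 128-bit address", as an added example (not from the original article or any vendor code): with a 32-bit block and 16-bit uSIDs, 32 + 6 × 16 = 128, and each SRv6-capable hop consumes its uSID by shifting the rest of the destination address left. The 32/16-bit layout, the sample block `fcbb:bb00::/32` and the uSID values are assumptions; handling of further carriers in an SRH is left out.

```python
import ipaddress

# Assumed layout (not stated on the page): 32-bit block + 16-bit uSIDs.
BLOCK_BITS = 32
USID_BITS = 16
REST_BITS = 128 - BLOCK_BITS
MAX_USIDS = REST_BITS // USID_BITS      # 96 / 16 = 6 uSIDs per carrier
REST_MASK = (1 << REST_BITS) - 1
END_OF_CARRIER = 0                      # all-zero uSID: nothing left

def pack_carrier(block, usids):
    """Pack 1..6 uSIDs behind the block into one IPv6 destination address."""
    net = ipaddress.IPv6Network(block)
    if net.prefixlen != BLOCK_BITS:
        raise ValueError("block must be a /%d" % BLOCK_BITS)
    if not 1 <= len(usids) <= MAX_USIDS:
        raise ValueError("a carrier holds 1..%d uSIDs" % MAX_USIDS)
    value = int(net.network_address)
    for i, usid in enumerate(usids):
        if not 0 < usid < (1 << USID_BITS):
            raise ValueError("uSID must fit in 16 bits and be non-zero")
        value |= usid << (REST_BITS - USID_BITS * (i + 1))
    return ipaddress.IPv6Address(value)

def active_usid(da):
    """The uSID right after the block: the instruction for the next SRv6 node."""
    return (int(da) >> (REST_BITS - USID_BITS)) & ((1 << USID_BITS) - 1)

def shift_and_forward(da):
    """Consume the active uSID: shift the rest left by 16 bits, zero-fill the tail."""
    value = int(da)
    block = value & ~REST_MASK
    rest = ((value & REST_MASK) << USID_BITS) & REST_MASK
    return ipaddress.IPv6Address(block | rest)

def walk(da):
    """Destination address as it looks on arrival at each SRv6-capable hop."""
    hops = []
    while active_usid(da) != END_OF_CARRIER:
        hops.append((active_usid(da), str(da)))
        da = shift_and_forward(da)
    return hops

if __name__ == "__main__":
    # Constructed sample block and uSIDs, for illustration only.
    carrier = pack_carrier("fcbb:bb00::/32", [0x100, 0x200, 0x300])
    for usid, da in walk(carrier):
        print(f"active uSID {usid:#06x}  DA {da}")
```

Every address in the walk is an ordinary IPv6 destination, which is why routers between the SRv6-capable hops can forward on it without reading any segment list.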
Case Study: Axpo Systems & ASTRA
The contradictions of Swiss SCION promotion are perfectly illustrated by Axpo Systems AG.
Who is Axpo Systems?
- Subsidiary of Axpo Group, headquartered in Lupfig, ~140 employees
- Self-described as "The neural system of system-relevant Switzerland runs through us"
- Operates critical OT (Operational Technology) networks for Swiss infrastructure
Their SCION Involvement
Axpo Systems is deeply invested in SCION:
- March 2024: Joined SCION Association as newest member
- January 2025: Launched "first OT Security Operations Center with SCION connectivity" with Anapaya
- Markets SCION as "the safest routing protocol for the Internet of the future"
- Sells "Secure WAN Service" based on SCION for enterprise customers
"SCION combines the flexibility and accessibility of the public Internet with the security and reliability of a private MPLS network."
— Axpo Systems marketing
What They Actually Use for Critical Infrastructure
In November 2023, Axpo Systems won the contract to design, build, and operate ASTRA's IP-Netz BSA — the backbone network connecting Switzerland's national highway infrastructure (traffic management, safety systems, tunnel controls).
Contract value: CHF 1,514,100
The IP-Netz BSA is a dedicated network separate from Axpo's own aXbone infrastructure. It spans all of Switzerland, connecting ASTRA's regional units (Gebietseinheiten) with redundant fiber optic infrastructure routed along national road corridors.
The Technology Choice: SRv6
When Axpo Systems designed and rolled out the ASTRA BSA network — critical infrastructure for Swiss highway safety — they chose SRv6 (Segment Routing over IPv6).
Not SCION. Not the "revolutionary Swiss technology" they actively promote. They deployed the IETF-standard SRv6 for Switzerland's highway backbone.
{{< irony title="The Ultimate Hypocrisy" >}} Axpo Systems — a SCION Association member since March 2024, promoter of SCION as "the safest routing protocol for the Internet of the future" — chose SRv6 over SCION when building critical Swiss infrastructure. If SCION were truly superior, why didn't they use it for ASTRA's highway network? {{< /irony >}}
Meanwhile, Their Own Backbone...
Axpo Systems' internal production infrastructure (the aXbone network serving their own customers) runs on traditional MPLS:
"The crisis-proof and highly available MPLS-based data network of Axpo Systems is characterised by redundant line routing and comprehensive network monitoring."
— Axpo Systems, aXbone Infrastructure
The Three-Way Contradiction
| Network | Technology | Status |
|---|---|---|
| ASTRA BSA (highways) | SRv6 | Production — designed by Axpo Systems |
| aXbone (Axpo's backbone) | MPLS | Production — Axpo's own infrastructure |
| SCION | SCION | Marketing — what they sell to others |
When it matters — when Swiss highway safety depends on it — Axpo Systems deploys SRv6. When it's their own money — they run MPLS. When it's customer money — they sell SCION.
The axboneNG Evolution: What's Actually Being Built
Axpo Systems is replacing the current aXbone with axboneNG — a next-generation backbone. The technology choice is revealing:
axboneNG Platform
| Component | Technology | Purpose |
|---|---|---|
| Hardware | Ribbon Neptune 1800 + NPT-1250 | Metro aggregation & access routing |
| Legacy OT services | MPLS-TP | TDM-based operational technology |
| Modern services | FlexE + FlexAlgo + SR-MPLS | Network slicing, traffic engineering |
The Ribbon Neptune platform supports IP/MPLS, MPLS-TP, Segment Routing, FlexE, and EVPN — all industry-standard technologies. Not SCION.
SCION as an Overlay Service
Where does SCION fit in axboneNG? As a service carried on top of the real backbone:
- SSUN ISD76 backbone: Dedicated L3 VPN for Swiss Secure Utility Network core-to-core inter-AS links
- SwissIX SCION VLAN: Dedicated DWDM links from Axpo servers to SwissIX SCION peering — parallel to their regular internet exchange connectivity
{{< irony title="The Architecture Tells the Truth" >}} SCION doesn't replace the backbone — it rides on top of it. Axpo Systems is building axboneNG on SR-MPLS and FlexE (industry standards), then carrying SCION as just another VPN service. The "revolutionary internet replacement" is an overlay on conventional infrastructure. {{< /irony >}}
Swiss Secure Utility Network (SSUN)
The SSUN, launched August 2025, is the SCION network for Swiss energy utilities. Key details:
- Partners: VSE, Anapaya, Axpo Systems, Cyberlink, Litecom, Sunrise, Swisscom
- ISD76 — the isolation domain for Swiss utilities
- By 2030, connection becomes "gradually mandatory" for utility market partners
But look at how SSUN is actually delivered: as a dedicated L3 VPN on Axpo's SR-MPLS backbone, with dedicated DWDM links to SwissIX for SCION peering. The underlying transport is conventional technology.
SwissIX SCION Peering
SwissIX offers a dedicated SCION VLAN — the first IXP in the world to do so. But note the infrastructure:
- SCION runs as a separate VLAN alongside regular internet peering
- Participants need dedicated ports or spare capacity on existing ports
- Pricing: CHF 200-350/month per port
- Traffic must stay below 80% of paid port capacity
SCION at SwissIX isn't replacing internet peering — it's an additional overlay service requiring separate infrastructure and fees.
The Ultimate Irony
| Capability | SCION | SD-WAN + SRv6 |
|---|---|---|
| End-to-end path control | Yes | Yes |
| Works over public internet | No (security degraded) | Yes (encrypted) |
| Transit router upgrade needed | Yes (SCION routers) | No (standard IPv6) |
| Dedicated inter-ISP links | Required for production | Not required |
| IETF standard | Draft stage | RFC 8986 (2021) |
| Vendor support | 1 (Anapaya) | All major vendors |
| Production scale | ~300 customers | Billions of endpoints |
{{< conclusion >}} SCION's marketing claims "virtual connections just as secure as leased lines" — but achieving this requires deploying on parallel dedicated infrastructure, not the public internet.
Meanwhile, SRv6 delivers the same end-to-end path control that SCION touts as revolutionary — but it works transparently over any IPv6 network, is an IETF standard (not a draft), and is already deployed at billion-user scale.
Seen this way, SCION's supposed advantages amount to a costly exercise in academic empire-building:
- Path control? SRv6 does it over standard IPv6.
- No BGP dependency? SRv6 source routing bypasses BGP path selection.
- Multi-path? SD-WAN + SRv6 provides it with encryption included.
SD-WAN + SRv6: Encrypts everything, works over public internet, end-to-end path control, IETF standard, all major vendors.
SCION: No mandatory payload encryption, requires dedicated links, single vendor, 16 years in development, still a draft. {{< /conclusion >}}
Sources
- IETF: SCION Data Plane Draft
- IETF: SCION Overview
- SCION Packet Authenticator Option
- DRKey Infrastructure
- SIX: Secure Swiss Finance Network
- Swisscom: SCION & SSFN
- Anapaya: SCION & SD-WAN
- SCIONLab Research Network
- RFC 8986: SRv6 Network Programming
- Cisco: SRv6 Configuration Guide
- Cisco: SD-WAN for Critical Networks
- Segment Routing News: SRv6 Deployments
- Cisco: The Case for SRv6 (2025)
- Anapaya: SCION vs Segment Routing
- SCION Association: Axpo Systems Membership
- Anapaya: Axpo Systems OT SOC
- Axpo Systems: SCION Marketing
- Axpo Systems: aXbone MPLS
- IT-Beschaffung: ASTRA Contracts
- ASTRA 13040: IP-Netz BSA
- Ribbon: Neptune NPT 1800
- Anapaya: Secure Swiss Utility Network
- SwissIX: SCION Peering
- VSE: SSUN for National Security