swissfini/content/articles/scion-vs-sdwan.md
olaf bda1791fa5 Complete frontend overhaul with WCAG 2.2 accessibility
Design System:
- Custom Hugo theme "swissfini" with editorial aesthetic
- CSS custom properties for comprehensive theming
- Light, Dark, and High Contrast themes
- Print-optimized styles

Accessibility Self-Service Controls:
- Font size adjustment (5 levels: 75%-150%)
- Theme toggle (Light/Dark/High Contrast/System)
- Dyslexia-friendly font (OpenDyslexic)
- Line spacing control (4 levels)
- Reduced motion toggle
- Reading width control (3 levels)
- Enhanced focus indicators
- All preferences persisted via localStorage

Templates & Components:
- Base layout with skip-links and accessibility panel
- Article template with drop caps and blockquotes
- Irony box and conclusion shortcodes
- Responsive header with mobile navigation

Content:
- Migrated SCION vs SD-WAN analysis from HTML
- Homepage teaser with paywall-style CTA

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 07:18:22 +00:00


---
title: "SCION vs SD-WAN: The Infrastructure Reality"
subtitle: "What actually runs under the hood of Switzerland's \"next-generation internet\""
category: "Investigation"
date: 2025-01-15
tags: ["SCION", "SD-WAN", "SRv6", "Swiss Tech", "Infrastructure"]
---
## Market Reality Check
| Metric | SCION | SD-WAN |
|--------|-------|--------|
| Market size | Unmeasured (Swiss niche) | $6-9 billion (2024) |
| Active vendors | 1 (Anapaya) + open source | 70+ vendors |
| Enterprise customers | ~300 (SSFN) | 40,000+ (Fortinet alone) |
| Development timeline | 16 years (since 2009) | ~10 years |
| Gartner Magic Quadrant | Not evaluated | Full quadrant, 6 leaders |
| Pricing transparency | "Book a demo" | Published pricing |
## The Underlay: What Actually Carries SCION Traffic?
### SCION Transport Layer
SCION packets are encapsulated in **UDP/IPv4 or UDP/IPv6** between SCION nodes:
> "SCION is using a UDP/IP underlay to transport SCION packets between SCION nodes. These UDP/IP packets are only valid between two SCION nodes and change after every SCION hop."
>
> — IETF Draft: draft-dekater-scion-dataplane
### The Dirty Secret: Dedicated Infrastructure Required
Here's the critical point that marketing materials gloss over:
> "When it comes to inter-domain communication, **an overlay deployment on top of today's Internet is not desirable**, as SCION would inherit issues from its weak underlay. Thus, **inter-AS SCION links are usually deployed in parallel to existing links**, in order to preserve its security properties."
>
> — IETF SCION Overview & Official Documentation

{{< irony >}}
Production SCION deployments require dedicated/parallel physical infrastructure between ISPs — just like the expensive MPLS VPNs that SD-WAN was designed to replace.
{{< /irony >}}
### SSFN: Replaced MPLS With... More Private Infrastructure
The Swiss Secure Finance Network is touted as SCION's flagship deployment. What it actually did:
> "SSFN replacing multiple existing MPLS networks"
>
> — SIX Group & Swisscom

SCION didn't eliminate expensive private infrastructure — it replaced one private network (MPLS) with another (dedicated SCION links between Swisscom, Sunrise, and SWITCH).
## Encryption: The Missing Layer
Unlike SD-WAN's mandatory IPSec encryption, SCION does **not encrypt payload by default**:
- **SPAO** (SCION Packet Authenticator Option) — authenticates packets using DRKey
- **Path validation** via cryptographic signatures
- **No mandatory payload encryption** — applications must handle this themselves
> "This option is primarily intended to be used in conjunction with DRKey which provides shared secrets without explicit key exchange... analogous to IPSec"
>
> — SCION SPAO Documentation

Note the word "analogous" — it's authentication, not encryption.
## Infrastructure Comparison
| Aspect | SCION (Production) | SD-WAN |
|--------|-------------------|--------|
| Inter-site transport | UDP/IP over **dedicated parallel links** | IPSec tunnels over public internet + optional MPLS |
| Payload encryption | Optional (app layer) | Mandatory IPSec (AES-256) |
| Can use public internet? | Not recommended for production | Yes (primary use case) |
| Private infrastructure needed? | Required for security guarantees | Optional (MPLS for premium) |
| Intra-AS transport | Existing IP/MPLS | Existing IP/MPLS |
| Path control | Full end-to-end | First hop only |
## The SCIONLab Admission
The research network that runs over public internet explicitly states:
> "The security, availability, and performance properties of SCION are **not fully realized**"
>
> — SCIONLab Documentation
## The Elephant in the Room: SRv6
While ETH Zurich spent 16 years building a clean-slate internet replacement, the IETF quietly standardized **Segment Routing over IPv6 (SRv6)** — which delivers end-to-end path control over the existing internet.
### What is SRv6?
SRv6 (RFC 8986) encodes routing instructions in an IPv6 extension header, the Segment Routing Header (SRH), so the path is carried inside the packet itself. The critical difference from SCION:
> "A transit node is a node along the path of the SRv6 packet. **The transit node does not inspect the SRH.** The destination address of the IPv6 packet does not correspond to the transit node."
>
> — Cisco SRv6 Configuration Guide

{{< irony >}}
Any standard IPv6 router in the middle of the path just forwards SRv6 packets normally — no upgrade required. Only the endpoints need SRv6 capability. It works transparently over the existing internet.
{{< /irony >}}
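To make the quoted transit-node behaviour concrete, here is an added example (not code from the article, Cisco, or any SRv6 implementation) that builds an IPv6 packet with an RFC 8754 Segment Routing Header, applies the RFC 8986 "End" behaviour at a segment endpoint, and shows that a plain IPv6 transit router forwards on the destination address alone. All addresses and the payload are constructed sample values.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40
NEXT_HDR_ROUTING = 43   # IPv6 Routing extension header carries the SRH
ROUTING_TYPE_SRH = 4    # Segment Routing Header, RFC 8754


def build_srv6_packet(src, segments, payload, next_hdr=59):
    """IPv6 + SRH. The Segment List is stored in reverse order (Segment
    List[0] is the last hop) and the IPv6 destination is the first segment."""
    seg_list = [ipaddress.IPv6Address(s).packed for s in reversed(segments)]
    last_entry = len(seg_list) - 1
    segments_left = last_entry          # index of the first segment to visit
    hdr_ext_len = 2 * len(seg_list)     # SRH length in 8-octet units, first 8 excluded
    srh = struct.pack("!BBBBBBH", next_hdr, hdr_ext_len, ROUTING_TYPE_SRH,
                      segments_left, last_entry, 0, 0) + b"".join(seg_list)
    ip6 = struct.pack("!IHBB", 0x60000000, len(srh) + len(payload),
                      NEXT_HDR_ROUTING, 64)   # version 6, payload len, NH, hop limit
    ip6 += ipaddress.IPv6Address(src).packed + seg_list[segments_left]
    return ip6 + srh + payload


def dst_addr(pkt):
    return str(ipaddress.IPv6Address(pkt[24:40]))


def transit_forward(pkt):
    """What a non-SRv6 router does: a lookup on the destination address only.
    Nothing past byte 40 (the SRH) is read, so the header is opaque to it
    and the packet is forwarded unchanged."""
    return dst_addr(pkt)


def end_behaviour(pkt, local_sid):
    """RFC 8986 'End' at a segment endpoint: if the destination is our SID,
    decrement Segments Left and copy Segment List[SL] into the destination.
    Returns (updated packet, next destination), or None when the packet is
    merely transiting this node (destination is not a local SID)."""
    if dst_addr(pkt) != local_sid:
        return None
    srh = bytearray(pkt[IPV6_HDR_LEN:])  # SRH followed by the payload
    segments_left = srh[3]
    if segments_left == 0:
        raise ValueError("SL == 0: final segment, deliver to upper layer")
    segments_left -= 1
    srh[3] = segments_left
    new_da = bytes(srh[8 + 16 * segments_left: 8 + 16 * (segments_left + 1)])
    return pkt[:24] + new_da + bytes(srh), str(ipaddress.IPv6Address(new_da))
```

Only the nodes whose addresses appear in the segment list ever run `end_behaviour`; every other router on the path runs the equivalent of `transit_forward`, which is exactly what any unmodified IPv6 router already does.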
### SRv6 + SD-WAN = End-to-End Path Control
Modern SD-WAN platforms integrate with SRv6 to provide the path control that SCION claims as its unique advantage:
> "This integration allows SD-WAN policies to leverage SRv6 paths to meet specific application requirements, such as low latency or high reliability. Unified visibility across SD-WAN overlays and SRv6 underlays simplifies troubleshooting."
>
> — Cisco SD-WAN for Critical Networks
### Production Deployment Scale
While SCION serves ~300 Swiss financial institutions, SRv6 is deployed at global scale:
- **85,000+ Cisco routers** deployed with SRv6 (2025)
- **Reliance Jio** — 600 million mobile customers, 100 million homes
- **Rakuten Mobile** — largest SRv6 uSID migration in Japan
- **SoftBank Japan** — production SRv6 with network slicing
- **Bell Canada** — simplified data center operations
- **vivo Brazil** — multi-vendor SRv6 on live network
- **Swisscom** — yes, the same Swisscom promoting SCION
### Multi-Vendor, Standards-Based
Unlike SCION's single commercial vendor (Anapaya), SRv6 has full ecosystem support:
- **Cisco, Juniper, Nokia, Huawei** — all major vendors
- **IETF standardized** — RFC 8986, not a draft or research project
- **SONiC integration** — open source switch OS (Alibaba, Microsoft, Nvidia)
- **Interoperability tested** — EANTC multi-vendor validation
### The Compression Advantage: uSID
SRv6 micro-segments (uSID) compress up to 6 segment instructions into a single 128-bit IPv6 address, minimizing overhead while maintaining full path programmability.
## Case Study: Axpo Systems & ASTRA
The contradictions of Swiss SCION promotion are perfectly illustrated by **Axpo Systems AG**.
### Who is Axpo Systems?
- Subsidiary of Axpo Group, headquartered in Lupfig, ~140 employees
- Self-described as "The neural system of system-relevant Switzerland runs through us"
- Operates critical OT (Operational Technology) networks for Swiss infrastructure
### Their SCION Involvement
Axpo Systems is deeply invested in SCION:
- **March 2024:** Joined SCION Association as newest member
- **January 2025:** Launched "first OT Security Operations Center with SCION connectivity" with Anapaya
- Markets SCION as "the safest routing protocol for the Internet of the future"
- Sells "Secure WAN Service" based on SCION for enterprise customers
> "SCION combines the flexibility and accessibility of the public Internet with the security and reliability of a private MPLS network."
>
> — Axpo Systems marketing
### What They Actually Use for Critical Infrastructure
In November 2023, Axpo Systems won the contract to design, build, and operate **ASTRA's IP-Netz BSA** — the backbone network connecting Switzerland's national highway infrastructure (traffic management, safety systems, tunnel controls).

**Contract value:** CHF 1,514,100

The IP-Netz BSA is a dedicated network separate from Axpo's own aXbone infrastructure. It spans all of Switzerland, connecting ASTRA's regional units (Gebietseinheiten) with redundant fiber optic infrastructure routed along national road corridors.
### The Technology Choice: SRv6
When Axpo Systems designed and rolled out the ASTRA BSA network — critical infrastructure for Swiss highway safety — **they chose SRv6 (Segment Routing over IPv6)**.

Not SCION. Not the "revolutionary Swiss technology" they actively promote. They deployed the IETF-standard SRv6 for Switzerland's highway backbone.

{{< irony title="The Ultimate Hypocrisy" >}}
Axpo Systems — a SCION Association member since March 2024, promoter of SCION as "the safest routing protocol for the Internet of the future" — chose SRv6 over SCION when building critical Swiss infrastructure. If SCION were truly superior, why didn't they use it for ASTRA's highway network?
{{< /irony >}}
### Meanwhile, Their Own Backbone...
Axpo Systems' internal production infrastructure (the **aXbone** network serving their own customers) runs on traditional MPLS:
> "The crisis-proof and highly available **MPLS-based data network** of Axpo Systems is characterised by redundant line routing and comprehensive network monitoring."
>
> — Axpo Systems, aXbone Infrastructure
### The Three-Way Contradiction
| Network | Technology | Status |
|---------|------------|--------|
| ASTRA BSA (highways) | **SRv6** | Production — designed by Axpo Systems |
| aXbone (Axpo's backbone) | **MPLS** | Production — Axpo's own infrastructure |
| SCION | **SCION** | Marketing — what they sell to others |
When it matters — when Swiss highway safety depends on it — Axpo Systems deploys SRv6. When it's their own money — they run MPLS. When it's customer money — they sell SCION.
## The axboneNG Evolution: What's Actually Being Built
Axpo Systems is replacing the current aXbone with **axboneNG** — a next-generation backbone. The technology choice is revealing:
### axboneNG Platform
| Component | Technology | Purpose |
|-----------|------------|---------|
| Hardware | **Ribbon Neptune 1800 + NPT-1250** | Metro aggregation & access routing |
| Legacy OT services | **MPLS-TP** | TDM-based operational technology |
| Modern services | **FlexE + FlexAlgo + SR-MPLS** | Network slicing, traffic engineering |
The Ribbon Neptune platform supports IP/MPLS, MPLS-TP, Segment Routing, FlexE, and EVPN — all **industry-standard technologies**. Not SCION.
### SCION as an Overlay Service
Where does SCION fit in axboneNG? As a **service carried on top** of the real backbone:
- **SSUN ISD76 backbone:** Dedicated L3 VPN for Swiss Secure Utility Network core-to-core inter-AS links
- **SwissIX SCION VLAN:** Dedicated DWDM links from Axpo servers to SwissIX SCION peering — *parallel to* their regular internet exchange connectivity

{{< irony title="The Architecture Tells the Truth" >}}
SCION doesn't replace the backbone — it rides on top of it. Axpo Systems is building axboneNG on SR-MPLS and FlexE (industry standards), then carrying SCION as just another VPN service. The "revolutionary internet replacement" is an overlay on conventional infrastructure.
{{< /irony >}}
### Swiss Secure Utility Network (SSUN)
The SSUN, launched August 2025, is the SCION network for Swiss energy utilities. Key details:
- Partners: VSE, Anapaya, Axpo Systems, Cyberlink, Litecom, Sunrise, Swisscom
- ISD76 — the isolation domain for Swiss utilities
- By 2030, connection becomes "gradually mandatory" for utility market partners

But look at how SSUN is actually delivered: as a **dedicated L3 VPN** on Axpo's SR-MPLS backbone, with **dedicated DWDM links** to SwissIX for SCION peering. The underlying transport is conventional technology.
### SwissIX SCION Peering
SwissIX offers a dedicated SCION VLAN — the first IXP in the world to do so. But note the infrastructure:
- SCION runs as a **separate VLAN** alongside regular internet peering
- Participants need **dedicated ports** or spare capacity on existing ports
- Pricing: CHF 200-350/month per port
- Traffic must stay below 80% of paid port capacity

SCION at SwissIX isn't replacing internet peering — it's an **additional overlay service** requiring separate infrastructure and fees.
## The Ultimate Irony
| Capability | SCION | SD-WAN + SRv6 |
|------------|-------|---------------|
| End-to-end path control | Yes | Yes |
| Works over public internet | No (security degraded) | Yes (encrypted) |
| Transit router upgrade needed | Yes (SCION routers) | No (standard IPv6) |
| Dedicated inter-ISP links | Required for production | Not required |
| IETF standard | Draft stage | RFC 8986 (2021) |
| Vendor support | 1 (Anapaya) | All major vendors |
| Production scale | ~300 customers | Billions of endpoints |

{{< conclusion >}}
SCION's marketing claims "virtual connections just as secure as leased lines" — but achieving this requires deploying on **parallel dedicated infrastructure**, not the public internet.

Meanwhile, **SRv6 delivers the same end-to-end path control** that SCION touts as revolutionary — but it works transparently over any IPv6 network, is an IETF standard (not a draft), and is already deployed at billion-user scale.

The supposed SCION advantages dissolve on inspection, leaving a costly exercise in academic empire-building:

- **Path control?** SRv6 does it over standard IPv6.
- **No BGP dependency?** SRv6 source routing bypasses BGP path selection.
- **Multi-path?** SD-WAN + SRv6 provides it with encryption included.

**SD-WAN + SRv6:** Encrypts everything, works over public internet, end-to-end path control, IETF standard, all major vendors.

**SCION:** No encryption, requires dedicated links, single vendor, 16 years in development, still a draft.
{{< /conclusion >}}
<div class="sources">

### Sources
- [IETF: SCION Data Plane Draft](https://datatracker.ietf.org/doc/draft-dekater-scion-dataplane/)
- [IETF: SCION Overview](https://www.ietf.org/archive/id/draft-dekater-panrg-scion-overview-03.html)
- [SCION Packet Authenticator Option](https://docs.scion.org/en/latest/protocols/authenticator-option.html)
- [DRKey Infrastructure](https://docs.scion.org/en/latest/cryptography/drkey.html)
- [SIX: Secure Swiss Finance Network](https://www.six-group.com/en/products-services/banking-services/ssfn.html)
- [Swisscom: SCION & SSFN](https://www.swisscom.ch/en/business/enterprise/themen/security/resilienz-cyberattacken-scion.html)
- [Anapaya: SCION & SD-WAN](https://www.anapaya.net/blog/the-full-picture-scion-sd-wan)
- [SCIONLab Research Network](https://www.scionlab.org/)
- [RFC 8986: SRv6 Network Programming](https://datatracker.ietf.org/doc/rfc8986/)
- [Cisco: SRv6 Configuration Guide](https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-6/segment-routing/configuration/guide/b-segment-routing-cg-asr9000-66x.html)
- [Cisco: SD-WAN for Critical Networks](https://www.cisco.com/c/en/us/solutions/enterprise/design-zone-branch-wan/sd-wan-for-critical-networks-infrastructure-wp.html)
- [Segment Routing News: SRv6 Deployments](https://www.segment-routing.net/srv6-news)
- [Cisco: The Case for SRv6 (2025)](https://news-blogs.cisco.com/apjc/2025/01/22/the-case-for-srv6-simplifying-networks-for-a-complex-future/)
- [Anapaya: SCION vs Segment Routing](https://www.anapaya.net/blog/scion-vs.-segment-routing)
- [SCION Association: Axpo Systems Membership](https://www.scion.org/welcome-to-axpo-systems-the-newest-member-of-the-scion-association/)
- [Anapaya: Axpo Systems OT SOC](https://www.anapaya.net/news/the-first-ot-security-operation-center-with-scion-connectivity-is-launched-by-axpo-systems)
- [Axpo Systems: SCION Marketing](https://www.axpo.com/ch/en/energy/digital-solutions/cyber-security-connectivity/ot-innovation/scion.html)
- [Axpo Systems: aXbone MPLS](https://www.axpo.com/ch/en/energy/digital-solutions/cyber-security-connectivity/ot-networks/ip-mpls.html)
- [IT-Beschaffung: ASTRA Contracts](https://www.it-beschaffung.ch/list/it/a/2326/all/bundesamt-fuer-strassen-astra)
- [ASTRA 13040: IP-Netz BSA](https://www.astra.admin.ch/dam/astra/de/dokumente/standards_fuer_nationalstrassen/astra%2013040%20ipnetzbsa.pdf.download.pdf/astra_13040d.pdf)
- [Ribbon: Neptune NPT 1800](https://ribboncommunications.com/products/service-provider-products/ip-routing/access-aggregation-routers/npt-1800)
- [Anapaya: Secure Swiss Utility Network](https://www.anapaya.net/secure-swiss-utility-network-by-anapaya)
- [SwissIX: SCION Peering](https://www.swissix.ch/services/scion-peering-mesh/)
- [VSE: SSUN for National Security](https://www.strom.ch/en/perspective/protecting-utility-ecosystem-foundation-national-security)
</div>