SCION: Switzerland's Secure Alternative to BGP Routing Protocol

What SCION Actually Does Differently

SCION addresses BGP's fundamental security flaws through three interlocking mechanisms. First is multi-path routing - where today's internet offers a single path between two points, SCION establishes tens or even hundreds of parallel paths simultaneously. If one fails, the system reroutes within milliseconds. Perrig is precise about the threshold: "Human reaction time for auditory stimulus is roughly 150 milliseconds. We can reroute in less than that."

The second mechanism is cryptographic path validation. Every packet in a SCION network carries cryptographic proof that its route has been authorized by the networks along the path. This prevents route hijacks and leaks at the architectural level, rather than through add-ons like RPKI or BGPsec.

Current Deployment Status

SCION is already proven in banking and healthcare sectors but has been slow to spread everywhere else. The system has been operational in Switzerland's financial networks since 2016 and handles billions in daily transactions. Major Swiss banks use it for inter-bank transfers, and Swiss healthcare networks use it for patient data.

Adrian Perrig, professor of computer science at ETH Zürich and principal architect of SCION, launched the project in 2009 after gaining tenure. His core frustration was simple: the same vulnerabilities had been documented since the 1980s, and nobody had tried to fix them at the architectural level. "The best security companies in the world are still being exploited through them," he says. "There has not even been an attempt to address them properly."

Technical Architecture

SCION replaces BGP's trust-based routing with cryptographic path validation. Unlike BGP's incremental patches (RPKI, BGPsec, ROA), SCION redesigns the routing foundation entirely. Kevin Curran, a cybersecurity professor at Ulster University who has been teaching computer networks for 27 years, offers an independent assessment: "What we have had over 40 years is a series of Band-Aids. Nothing has come close to addressing the need for truly secure paths across an adversarial network."

The system's isolation properties allow networks to operate independently while still participating in global routing. This addresses BGP's lack of cryptographic chain of custody for packet journeys and its slow rerouting process that can take minutes during network failures.