IP-in-SCION Tunneling: Encryption
Time estimate: 30 minutes
In this exercise, you will learn how to enable EDGE-to-EDGE payload encryption for IP-in-SCION tunneling on an existing domain without causing downtime. Encryption ensures that all tunneled traffic between two Anapaya EDGE appliances is encrypted.
Enabling encryption on a live domain requires a careful rollout strategy. You cannot simply switch all appliances to enforce encryption at once — this would break connectivity because appliances that have not yet been configured for encryption would reject or be unable to process encrypted traffic. Instead, you will follow a phased approach:
- Enable encryption globally on all EDGE appliances to make them capable of encryption.
- Set encryption to OPTIONAL on all appliances in the domain. In this mode, appliances accept both encrypted and unencrypted traffic, allowing a smooth transition while traffic continues to flow.
- Switch to ENABLED (enforced) on one side first, then the other. Since the OPTIONAL side accepts encrypted traffic, connectivity is maintained throughout. Once all sides are ENABLED, all traffic is fully encrypted.
Throughout this exercise, you will verify that traffic continues to flow after each configuration change, confirming a zero-downtime migration to encrypted tunneling.
For more details about the encryption feature, please visit the Encryption Documentation.
For more details on configuring the encryption feature, please check the encryption configuration guide.
Unless stated otherwise, all commands are assumed to be run from the
workspace directory on your training VM. The built-in terminal in
the editor will put you automatically in the right
directory. To open the built-in terminal use the Ctrl+` shortcut.
Alternatively, you can click the Menu button in the top left, then
select View -> Show Terminal. This will bring up the terminal and put
you in the correct working directory (~/workspace) for all the tasks in
this training.
Task 1. Download the SCION appliance configuration
Start by downloading the SCION appliance configurations for the Corpbank and Stabank ASes so that we can inspect and modify them.
Download the current SCION appliance configurations:
operator@training:~/workspace$ appliance-cli context select edge.zurich.corpbank
operator@training:~/workspace$ appliance-cli get config > edge.zurich.corpbank.appliance.json
operator@training:~/workspace$ appliance-cli context select edge.geneva.corpbank
operator@training:~/workspace$ appliance-cli get config > edge.geneva.corpbank.appliance.json
operator@training:~/workspace$ appliance-cli context select edge.lugano.stabank
operator@training:~/workspace$ appliance-cli get config > edge.lugano.stabank.appliance.json
After modifying the configurations, you can push them back to the appliances by running the following commands:
operator@training:~/workspace$ appliance-cli context select APPLIANCE_NAME
operator@training:~/workspace$ appliance-cli put config <APPLIANCE_NAME.appliance.json
It's important to keep the < in the command, for example:
operator@training:~/workspace$ appliance-cli put config <edge.zurich.corpbank.appliance.json
Keep a copy of the configuration files so that you can easily roll back the changes made in the course of this exercise:
operator@training:~/workspace$ cp edge.zurich.corpbank.appliance.json edge.zurich.corpbank.appliance.json.backup
operator@training:~/workspace$ cp edge.geneva.corpbank.appliance.json edge.geneva.corpbank.appliance.json.backup
operator@training:~/workspace$ cp edge.lugano.stabank.appliance.json edge.lugano.stabank.appliance.json.backup
Task 2. Verify existing connectivity
Before making any changes, verify that end-to-end connectivity between the Corpbank and Stabank
networks is working. Start a continuous ping from endhost-zurich-corpbank toward
endhost-lugano-stabank and keep it running throughout the exercise to confirm that traffic is not
disrupted by the configuration changes.
operator@training:~/workspace$ lxc shell endhost-zurich-corpbank
root@endhost-zurich-corpbank:~# ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
64 bytes from 10.8.0.2: icmp_seq=1 ttl=61 time=45.2 ms
64 bytes from 10.8.0.2: icmp_seq=2 ttl=61 time=34.1 ms
64 bytes from 10.8.0.2: icmp_seq=3 ttl=61 time=35.0 ms
64 bytes from 10.8.0.2: icmp_seq=4 ttl=61 time=28.0 ms
...
Keep this ping running in a separate terminal for the remainder of the exercise. This lets you immediately detect any connectivity disruptions as you change the encryption configuration.
Also check the current tunneling status on edge.zurich.corpbank to confirm the domain is healthy
and encryption is currently disabled.
Solution
operator@training:~/workspace$ appliance-cli context select edge.zurich.corpbank
operator@training:~/workspace$ appliance-cli info tunneling
Endpoint:
Status: ✅
Domains:
- Name: stabank
Status: passing ✅
Encryption: disabled
Prefixes Received: 2
Prefixes Announced: 1
Remotes:
- Connection: 1-ff00:1:2 -> 1-ff00:1:3
Endpoints:
- Address: 10.8.0.1:40200
Healthy: yes ✅
Supports Encryption: no
Task 3. Enable EDGE-to-EDGE encryption globally
Enable the encryption feature globally on all three EDGE appliances (edge.zurich.corpbank,
edge.geneva.corpbank, and edge.lugano.stabank) by configuring the
scion_tunneling.endpoint.encryption section. This makes the appliances capable of encrypting
traffic but does not yet enforce encryption on any domain.
Update the edge.zurich.corpbank configuration:
Solution
Upload the configuration and repeat for the other two appliances:
operator@training:~/workspace$ appliance-cli context select edge.zurich.corpbank
operator@training:~/workspace$ appliance-cli put config <edge.zurich.corpbank.appliance.json
operator@training:~/workspace$ appliance-cli context select edge.geneva.corpbank
operator@training:~/workspace$ appliance-cli put config <edge.geneva.corpbank.appliance.json
operator@training:~/workspace$ appliance-cli context select edge.lugano.stabank
operator@training:~/workspace$ appliance-cli put config <edge.lugano.stabank.appliance.json
Verify that the ping is still running and traffic continues to flow.
Task 4. Enable OPTIONAL encryption on edge.zurich.corpbank
Configure encryption for the corpbank-stabank domain on the edge.zurich.corpbank appliance by
setting the scion_tunneling.domains[].encryption field.
There are three modes for encryption:
- DISABLED: Payload encryption is disabled for all remote tunneling endpoints in this domain. This is the default.
- ENABLED: Payload encryption is enabled and enforced for all remote tunneling endpoints in this domain. All packets are sent encrypted and authenticated and only accepted if they are encrypted and authenticated.
- OPTIONAL: Payload encryption is enabled but not enforced. This should only be used for transitioning to ENABLED. In this mode, unencrypted packets from remote endpoints are accepted and sent if the remote endpoint does not support payload encryption. This mode does not provide any security guarantees.
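The three modes above only form a safe rollout if each appliance steps DISABLED -> OPTIONAL -> ENABLED; jumping straight from DISABLED to ENABLED on one side would cut off a peer that cannot encrypt yet. The following script is an added example (not Anapaya code) that applies a mode change to a downloaded configuration file and refuses that unsafe step. It assumes, beyond what the exercise states, that the JSON from appliance-cli get config keeps the domains as a list under scion_tunneling.domains, that each domain object has a "name" key, and that the scion_tunneling.domains[].encryption value is the mode name in upper case; the sample configuration is constructed for the example.

```python
"""Move one IP-in-SCION domain between encryption modes in a downloaded
appliance configuration, following the phased rollout from this exercise.

Added example, not Anapaya code. Assumed (not given on the page): the JSON
from `appliance-cli get config` holds the domains as a list under
scion_tunneling.domains, each domain object has a "name" key, and the
scion_tunneling.domains[].encryption value is the mode name in upper case.
The sample configuration below is constructed for this example.
"""
import json
import sys

MODES = ("DISABLED", "OPTIONAL", "ENABLED")

# Transitions the zero-downtime rollout permits. DISABLED -> ENABLED is left
# out on purpose: a peer that cannot yet encrypt would be cut off. Stepping
# back toward DISABLED is always allowed so a rollback is never blocked.
ALLOWED = {
    ("DISABLED", "OPTIONAL"),
    ("OPTIONAL", "ENABLED"),
    ("OPTIONAL", "DISABLED"),
    ("ENABLED", "OPTIONAL"),
    ("ENABLED", "DISABLED"),
}

# Constructed sample: global encryption already enabled (Task 3), domain
# still at the default DISABLED. The contents of the endpoint encryption
# section are not shown in the exercise, so they are left empty here.
SAMPLE_CONFIG = json.dumps({
    "scion_tunneling": {
        "endpoint": {"encryption": {}},
        "domains": [{"name": "stabank", "encryption": "DISABLED"}],
    }
})


def _find_domain(cfg, domain):
    for dom in cfg["scion_tunneling"]["domains"]:
        if dom.get("name") == domain:
            return dom
    raise ValueError(f"no domain named {domain!r} in configuration")


def domain_mode(config_text, domain):
    """Current scion_tunneling.domains[].encryption for `domain` (default DISABLED)."""
    return _find_domain(json.loads(config_text), domain).get("encryption", "DISABLED")


def set_domain_encryption(config_text, domain, new_mode):
    """Return the configuration JSON with `domain` switched to `new_mode`.

    Refuses unknown modes, a missing global endpoint encryption section
    (Task 3 must come first) and any transition not listed in ALLOWED.
    """
    if new_mode not in MODES:
        raise ValueError(f"unknown mode {new_mode!r}; expected one of {MODES}")
    cfg = json.loads(config_text)
    if "encryption" not in cfg["scion_tunneling"].get("endpoint", {}):
        raise ValueError("enable scion_tunneling.endpoint.encryption globally first")
    dom = _find_domain(cfg, domain)
    old_mode = dom.get("encryption", "DISABLED")
    if old_mode != new_mode and (old_mode, new_mode) not in ALLOWED:
        raise ValueError(f"{old_mode} -> {new_mode} is not a safe step; go via OPTIONAL")
    dom["encryption"] = new_mode
    return json.dumps(cfg, indent=2) + "\n"


if __name__ == "__main__":
    # Usage: python3 set_encryption.py edge.zurich.corpbank.appliance.json stabank OPTIONAL
    path, domain, mode = sys.argv[1:4]
    with open(path) as fh:
        original = fh.read()
    with open(path, "w") as fh:
        fh.write(set_domain_encryption(original, domain, mode.upper()))
    print(f"{path}: {domain} -> {mode.upper()}")
```

Run it against the downloaded file before each appliance-cli put config in Tasks 4 to 6; the rewritten file is what you upload, and the .backup copies from Task 1 remain the rollback path.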
For this step, set the encryption mode to OPTIONAL on edge.zurich.corpbank.
Solution
Upload the new configuration to edge.zurich.corpbank:
operator@training:~/workspace$ appliance-cli context select edge.zurich.corpbank
operator@training:~/workspace$ appliance-cli put config <edge.zurich.corpbank.appliance.json
Verify that the ping is still running and traffic continues to flow.
Check the tunneling status on edge.zurich.corpbank. Since only one side has encryption enabled
(in OPTIONAL mode) and the remote appliances do not yet support encryption, the remote endpoints
should show that they do not support encryption.
Solution
operator@training:~/workspace$ appliance-cli context select edge.zurich.corpbank
operator@training:~/workspace$ appliance-cli info tunneling
Endpoint:
Status: ✅
Domains:
- Name: stabank
Status: passing ✅
Encryption: optional ℹ️ Encryption on a domain should usually either be enabled or disabled. During a transition phase, it is possible to enable optional encryption. This should only be a temporary state, and the domain should eventually run with encryption enabled.
Prefixes Received: 2
Prefixes Announced: 1
Remotes:
- Connection: 1-ff00:1:2 -> 1-ff00:1:3
Endpoints:
- Address: 10.8.0.1:40200
Healthy: yes ✅
Supports Encryption: no
Now configure the OPTIONAL mode for the edge.geneva.corpbank and edge.lugano.stabank EDGE
appliances as well, and upload the configurations:
operator@training:~/workspace$ appliance-cli context select edge.geneva.corpbank
operator@training:~/workspace$ appliance-cli put config <edge.geneva.corpbank.appliance.json
operator@training:~/workspace$ appliance-cli context select edge.lugano.stabank
operator@training:~/workspace$ appliance-cli put config <edge.lugano.stabank.appliance.json
Now check the encryption state of the domain on all 3 EDGE appliances. Since all appliances are now configured with OPTIONAL encryption, all remote endpoints should report that they support encryption.
Solution
operator@training:~/workspace$ appliance-cli context select edge.lugano.stabank
operator@training:~/workspace$ appliance-cli info tunneling
Endpoint:
Status: ✅
Domains:
- Name: corpbank
Status: passing ✅
Encryption: optional ℹ️ All 2 remote gateways support encryption. Consider changing the domain encryption mode to 'enabled'.
Prefixes Received: 1
Prefixes Announced: 2
Remotes:
- Connection: 1-ff00:1:3 -> 1-ff00:1:2
Endpoints:
- Address: 10.2.0.1:40200
Healthy: yes ✅
Supports Encryption: yes 🔒
- Address: 10.2.0.2:40200
Healthy: yes ✅
Supports Encryption: yes 🔒
operator@training:~/workspace$ appliance-cli context select edge.geneva.corpbank
operator@training:~/workspace$ appliance-cli info tunneling
Endpoint:
Status: ✅
Domains:
- Name: stabank
Status: passing ✅
Encryption: optional ℹ️ All 1 remote gateways support encryption. Consider changing the domain encryption mode to 'enabled'.
Prefixes Received: 2
Prefixes Announced: 1
Remotes:
- Connection: 1-ff00:1:2 -> 1-ff00:1:3
Endpoints:
- Address: 10.8.0.1:40200
Healthy: yes ✅
Supports Encryption: yes 🔒
operator@training:~/workspace$ appliance-cli context select edge.zurich.corpbank
operator@training:~/workspace$ appliance-cli info tunneling
Endpoint:
Status: ✅
Domains:
- Name: stabank
Status: passing ✅
Encryption: optional ℹ️ All 1 remote gateways support encryption. Consider changing the domain encryption mode to 'enabled'.
Prefixes Received: 2
Prefixes Announced: 1
Remotes:
- Connection: 1-ff00:1:2 -> 1-ff00:1:3
Endpoints:
- Address: 10.8.0.1:40200
Healthy: yes ✅
Supports Encryption: yes 🔒
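The check that matters before the next task is the one just performed by eye: every remote endpoint must be healthy and report Supports Encryption: yes before any side is switched to ENABLED. The script below is an added example (not Anapaya code) that parses the appliance-cli info tunneling output shown in this exercise and answers that question per domain. It relies only on the line labels visible in the transcripts above (Name, Status, Encryption, Address, Healthy, Supports Encryption) and ignores indentation; the two sample outputs are copied from the exercise, one from the one-sided state and one from the fully OPTIONAL state.

```python
"""Parse `appliance-cli info tunneling` output and decide whether a domain
is ready to move from OPTIONAL to ENABLED without cutting off a remote.

Added example, not Anapaya code. Only the line labels seen in this exercise
are used; indentation and trailing icons/explanations are ignored.
"""
from dataclasses import dataclass, field

# Sample output copied from the exercise: Zurich in OPTIONAL, remote not yet capable.
SAMPLE_ONE_SIDED = """\
Endpoint:
Status: ✅
Domains:
- Name: stabank
Status: passing ✅
Encryption: optional ℹ️ Encryption on a domain should usually either be enabled or disabled.
Prefixes Received: 2
Prefixes Announced: 1
Remotes:
- Connection: 1-ff00:1:2 -> 1-ff00:1:3
Endpoints:
- Address: 10.8.0.1:40200
Healthy: yes ✅
Supports Encryption: no
"""

# Sample output copied from the exercise: Lugano after all sides are OPTIONAL.
SAMPLE_ALL_SUPPORT = """\
Endpoint:
Status: ✅
Domains:
- Name: corpbank
Status: passing ✅
Encryption: optional ℹ️ All 2 remote gateways support encryption. Consider changing the domain encryption mode to 'enabled'.
Prefixes Received: 1
Prefixes Announced: 2
Remotes:
- Connection: 1-ff00:1:3 -> 1-ff00:1:2
Endpoints:
- Address: 10.2.0.1:40200
Healthy: yes ✅
Supports Encryption: yes 🔒
- Address: 10.2.0.2:40200
Healthy: yes ✅
Supports Encryption: yes 🔒
"""


@dataclass
class Endpoint:
    address: str
    healthy: bool = False
    supports_encryption: bool = False


@dataclass
class Domain:
    name: str
    status: str = ""
    encryption: str = ""
    endpoints: list = field(default_factory=list)


def _value(line):
    """First token after the label; icons and advisory text after it are dropped."""
    rest = line.split(":", 1)[1].split()
    return rest[0] if rest else ""


def parse_tunneling_info(text):
    """Return the list of domains with their remote endpoints."""
    domains, dom, ep = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- Name:"):
            dom, ep = Domain(name=_value(line)), None
            domains.append(dom)
        elif dom is None:
            continue  # header lines before the first domain
        elif line.startswith("Status:") and ep is None:
            dom.status = _value(line).lower()
        elif line.startswith("Encryption:"):
            dom.encryption = _value(line).lower()
        elif line.startswith("- Address:"):
            ep = Endpoint(address=_value(line))
            dom.endpoints.append(ep)
        elif ep is not None and line.startswith("Healthy:"):
            ep.healthy = _value(line).lower() == "yes"
        elif ep is not None and line.startswith("Supports Encryption:"):
            ep.supports_encryption = _value(line).lower() == "yes"
    return domains


def enforcement_readiness(domains):
    """Map domain name -> (ready, reasons). Ready means ENABLED can be set on
    this side without losing a peer: the domain passes and every remote
    endpoint is healthy and reports encryption support."""
    report = {}
    for d in domains:
        reasons = []
        if d.status != "passing":
            reasons.append(f"domain status is {d.status or 'unknown'}")
        if not d.endpoints:
            reasons.append("no remote endpoints learned")
        for e in d.endpoints:
            if not e.healthy:
                reasons.append(f"{e.address} is not healthy")
            if not e.supports_encryption:
                reasons.append(f"{e.address} does not support encryption")
        report[d.name] = (not reasons, reasons)
    return report


if __name__ == "__main__":
    import sys
    # Usage: appliance-cli info tunneling | python3 check_ready.py
    for name, (ready, why) in enforcement_readiness(parse_tunneling_info(sys.stdin.read())).items():
        print(f"{name}: {'ready for ENABLED' if ready else 'NOT ready: ' + '; '.join(why)}")
```

Pipe the live output into it on each appliance before Task 5 and again before Task 6; a domain reported as not ready means a remote would be cut off by enforcing encryption there.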
Task 5. Enforce encryption on edge.lugano.stabank
Now switch the encryption mode to ENABLED on the edge.lugano.stabank EDGE appliance. This
enforces encryption for the corpbank domain on the Stabank side. Since the Corpbank appliances are
still in OPTIONAL mode, they will accept encrypted traffic from Stabank and send encrypted traffic
back — connectivity is maintained.
Update the edge.lugano.stabank configuration to set the domain encryption to ENABLED:
Solution
Upload the new configuration to edge.lugano.stabank:
operator@training:~/workspace$ appliance-cli context select edge.lugano.stabank
operator@training:~/workspace$ appliance-cli put config <edge.lugano.stabank.appliance.json
Verify that the ping is still running and traffic continues to flow.
Check the encryption and domain status on edge.lugano.stabank and edge.zurich.corpbank.
Solution
operator@training:~/workspace$ appliance-cli context select edge.lugano.stabank
operator@training:~/workspace$ appliance-cli info tunneling
Endpoint:
Status: ✅
Domains:
- Name: corpbank
Status: passing ✅
Encryption: enabled 🔒
Prefixes Received: 1
Prefixes Announced: 2
Remotes:
- Connection: 1-ff00:1:3 -> 1-ff00:1:2
Endpoints:
- Address: 10.2.0.1:40200
Healthy: yes ✅
Supports Encryption: yes 🔒
- Address: 10.2.0.2:40200
Healthy: yes ✅
Supports Encryption: yes 🔒
operator@training:~/workspace$ appliance-cli context select edge.zurich.corpbank
operator@training:~/workspace$ appliance-cli info tunneling
Endpoint:
Status: ✅
Domains:
- Name: stabank
Status: passing ✅
Encryption: optional ℹ️ All 1 remote gateways support encryption. Consider changing the domain encryption mode to 'enabled'.
Prefixes Received: 2
Prefixes Announced: 1
Remotes:
- Connection: 1-ff00:1:2 -> 1-ff00:1:3
Endpoints:
- Address: 10.8.0.1:40200
Healthy: yes ✅
Supports Encryption: yes 🔒
Task 6. Enforce encryption on all appliances
Now configure the ENABLED mode for the edge.zurich.corpbank and edge.geneva.corpbank EDGE
appliances to complete the encryption rollout. After this step, all traffic in the corpbank-stabank
domain is fully encrypted and enforced on all sides.
Upload the configurations:
operator@training:~/workspace$ appliance-cli context select edge.zurich.corpbank
operator@training:~/workspace$ appliance-cli put config <edge.zurich.corpbank.appliance.json
operator@training:~/workspace$ appliance-cli context select edge.geneva.corpbank
operator@training:~/workspace$ appliance-cli put config <edge.geneva.corpbank.appliance.json
Stop the ping and verify that there was no packet loss while it ran.
64 bytes from 10.8.0.2: icmp_seq=1777 ttl=61 time=29.8 ms
64 bytes from 10.8.0.2: icmp_seq=1778 ttl=61 time=36.0 ms
64 bytes from 10.8.0.2: icmp_seq=1779 ttl=61 time=35.3 ms
64 bytes from 10.8.0.2: icmp_seq=1780 ttl=61 time=35.3 ms
^C
--- 10.8.0.2 ping statistics ---
1780 packets transmitted, 1780 received, 0% packet loss, time 1783254ms
rtt min/avg/max/mdev = 19.424/32.771/150.753/7.825 ms
Check the encryption and domain status for the corpbank-stabank domain on all appliances to confirm that encryption is enforced everywhere.
Solution
operator@training:~/workspace$ appliance-cli context select edge.lugano.stabank
operator@training:~/workspace$ appliance-cli info tunneling
Endpoint:
Status: ✅
Domains:
- Name: corpbank
Status: passing ✅
Encryption: enabled 🔒
Prefixes Received: 1
Prefixes Announced: 2
Remotes:
- Connection: 1-ff00:1:3 -> 1-ff00:1:2
Endpoints:
- Address: 10.2.0.1:40200
Healthy: yes ✅
Supports Encryption: yes 🔒
- Address: 10.2.0.2:40200
Healthy: yes ✅
Supports Encryption: yes 🔒
operator@training:~/workspace$ appliance-cli context select edge.geneva.corpbank
operator@training:~/workspace$ appliance-cli info tunneling
Endpoint:
Status: ✅
Domains:
- Name: stabank
Status: passing ✅
Encryption: enabled 🔒
Prefixes Received: 2
Prefixes Announced: 1
Remotes:
- Connection: 1-ff00:1:2 -> 1-ff00:1:3
Endpoints:
- Address: 10.8.0.1:40200
Healthy: yes ✅
Supports Encryption: yes 🔒