SCION Secure Access Groups
SCION Secure Access Groups (SAG) introduce a new paradigm of private networking over the public SCION Internet. This feature allows an organization to create and manage invite-only groups of trusted Autonomous Systems (ASes). SCION path segments published within a group are only visible to and accessible by other members of that same group, effectively creating an invisible, private network overlay.
This is achieved by leveraging the Anapaya Hidden Segment Directory (HSD) and is managed through the Anapaya CONSOLE.
Architecture overview
The diagram above illustrates how Secure Access Groups isolate your network traffic and protect your infrastructure:
- The Secure Access Group (Green Area): Trusted endpoints, such as your Headquarters (HQ), Branch Offices, and Cloud environments, are placed into an invite-only group. Because their path segments are published privately to the HSD, they can seamlessly communicate with each other over the core SCION Internet providers (ISPs).
- Isolation from Non-Members: Other legitimate participants operating on the SCION Internet (shown with orange connections) are completely unaware of your Secure Access Group. Because they are not members, they cannot discover your topology, find network paths, or communicate with the group's internal resources.
- Protection from the Public Internet: Malicious actors operating on the standard Public Internet are structurally blocked. They cannot scan, access, or launch attacks against your invisible SCION infrastructure.
Key features of Secure Access Groups
- True Network Privatization: Build truly private and invisible networks for connecting branch offices, headquarters, and multi-cloud environments over the public SCION Internet.
- Undiscoverable Topology: Unauthorized entities cannot discover your network topology or endpoints.
- Secure Partner & Supply Chain Connectivity: Establish secure, isolated communication channels with partners, suppliers, and customers without exposing network paths or infrastructure to the public.
- Modern Alternative to Legacy Tech: Replace rigid MPLS VPNs and SD-WAN systems with a SCION-powered architecture that delivers simplified management and reduced exposure to vulnerabilities.
How it works
- Hidden Segment Directory (HSD): Instead of publishing path segments publicly, member ASes register their private path segments to a specialized network service called the Hidden Segment Directory. These segments are strictly hidden from public view and standard lookup queries.
- Centralized Policy Management: Administrators use the Anapaya CONSOLE as a centralized management interface for creating groups, inviting members, and defining access policies. For each AS they manage, administrators can configure which SCION path segments to publish to specific groups.
- Cryptographic Root of Trust: Access control is cryptographically enforced by the HSD using the SCION AS certificate as the ultimate root of trust for authentication.
- Isolated Routing & Path Resolution: When a member AS queries the HSD for path segments, it receives the private path segments of other group members. An AS that is not a member of the group will receive no results when querying for path segments within that group.
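The four points above describe an access-control model: segments are registered per group, the directory authenticates the requester, and a non-member's query simply returns nothing. The following Python model, added here as an illustration and not Anapaya's HSD implementation, makes those rules concrete. It assumes the requester has already been authenticated (the real HSD does this with the SCION AS certificate; here the caller's ISD-AS string stands in for that verified identity), and the ISD-AS values and segment labels are constructed sample data. It also covers the behaviours stated in the FAQ below: one AS publishing different segments to different groups, and a member withdrawing itself from a group.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PathSegment:
    """A path segment, reduced to its publishing AS and an opaque label."""
    owner: str   # ISD-AS of the publishing AS, e.g. "1-ff00:0:110" (constructed)
    label: str   # stands in for the actual segment contents


class HiddenSegmentDirectory:
    """Group-scoped directory: segments published into a group are returned
    only to authenticated members of that same group (simplified model)."""

    def __init__(self) -> None:
        self._members: dict[str, set[str]] = {}      # group -> member ISD-ASes
        self._pending: dict[str, set[str]] = {}      # group -> invited, not yet accepted
        self._segments: dict[str, dict[str, set[PathSegment]]] = {}  # group -> owner -> segments

    def create_group(self, group: str, founder: str) -> None:
        self._members[group] = {founder}
        self._pending[group] = set()
        self._segments[group] = {}

    def invite(self, group: str, inviter: str, invitee: str) -> None:
        # Only an existing member may invite; the invitee is not a member until it accepts.
        if inviter not in self._members[group]:
            raise PermissionError(f"{inviter} is not a member of {group}")
        self._pending[group].add(invitee)

    def accept(self, group: str, invitee: str) -> None:
        # Models the receiving organization approving the invitation on its own side.
        if invitee not in self._pending[group]:
            raise PermissionError(f"no pending invitation for {invitee} in {group}")
        self._pending[group].discard(invitee)
        self._members[group].add(invitee)

    def publish(self, group: str, owner: str, segment: PathSegment) -> None:
        # An AS may only publish its own segments, and only into groups it belongs to.
        if owner not in self._members.get(group, set()) or segment.owner != owner:
            raise PermissionError(f"{owner} may not publish {segment.label} to {group}")
        self._segments[group].setdefault(owner, set()).add(segment)

    def lookup(self, group: str, requester: str) -> set[PathSegment]:
        # Non-members (and unknown groups) get an empty result rather than an error,
        # so the directory never confirms that a group or its segments exist.
        if requester not in self._members.get(group, set()):
            return set()
        return {seg for segs in self._segments[group].values() for seg in segs}

    def leave(self, group: str, as_id: str) -> None:
        # A member can withdraw itself at any time; its published segments go with it.
        self._members[group].discard(as_id)
        self._segments[group].pop(as_id, None)


def demo() -> dict[str, set[str]]:
    """Two groups, one AS in both, and an outsider; returns the labels each lookup sees."""
    hsd = HiddenSegmentDirectory()
    hq, branch, partner, outsider = "1-ff00:0:110", "1-ff00:0:111", "2-ff00:0:220", "3-ff00:0:330"

    hsd.create_group("corp", hq)
    hsd.invite("corp", hq, branch)
    hsd.accept("corp", branch)
    hsd.create_group("supply", hq)
    hsd.invite("supply", hq, partner)
    hsd.accept("supply", partner)

    # HQ belongs to both groups and publishes different segments to each.
    hsd.publish("corp", hq, PathSegment(hq, "hq-internal"))
    hsd.publish("supply", hq, PathSegment(hq, "hq-partner-dmz"))
    hsd.publish("corp", branch, PathSegment(branch, "branch-uplink"))
    hsd.publish("supply", partner, PathSegment(partner, "partner-gw"))

    def labels(segs: set[PathSegment]) -> set[str]:
        return {s.label for s in segs}

    result = {
        "branch_in_corp": labels(hsd.lookup("corp", branch)),
        "partner_in_corp": labels(hsd.lookup("corp", partner)),    # member of "supply" only
        "partner_in_supply": labels(hsd.lookup("supply", partner)),
        "outsider_in_corp": labels(hsd.lookup("corp", outsider)),  # member of nothing
    }
    hsd.leave("corp", branch)                                       # branch withdraws itself
    result["after_branch_leaves"] = labels(hsd.lookup("corp", hq))
    return result


if __name__ == "__main__":
    for name, seen in demo().items():
        print(f"{name}: {sorted(seen)}")
```

The design point worth noting is in `lookup`: a non-member receives an empty set, the same response it would get for a group that does not exist, which is what lets the group stay undiscoverable rather than merely access-restricted.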
Frequently Asked Questions (FAQ)
What is required to create and use Secure Access Groups?
Any Anapaya EDGE appliance that wishes to participate in a Secure Access Group (either publishing or looking up path segments) must have an Anapaya EDGE Pro license. Additionally, creating and administering a group requires an active subscription for the Secure Access Groups service.
Can an AS belong to multiple Secure Access Groups?
Yes, an appliance can publish its path segments to multiple Secure Access Groups. An AS can be a member of multiple groups and publish different path segments to different groups.
How are external partners added to our Secure Access Group?
A group administrator can invite a SCION AS to join by specifying its ISD-AS number. For an inter-organization invitation to be accepted, a user with the role of Operator (or higher) within the receiving organization must approve the request in their own Anapaya CONSOLE.
Can a participant leave a group without the administrator's permission?
Yes, an organization Operator (or higher role) can remove their own ASes from any Secure Access Group at any time, even without being an administrator of that group.
Can I configure Secure Access Groups without using the Anapaya CONSOLE?
The simple answer is no. However, if you have a use case for Secure Access Groups but do not want to or cannot use the Anapaya CONSOLE, please contact support@anapaya.net.