Security News

Cybersecurity news aggregator

Source: The Register (Security)

Switzerland built a secure alternative to BGP. The rest of the world hasn't noticed yet

  • What: Switzerland developed a secure alternative to BGP called SCION
  • Impact: Potential for improved internet routing security

Networks

SCION: Proven in banking and healthcare, slow to spread everywhere else

Kim Loohuis, Tue 17 Mar 2026 // 08:15 UTC

Feature: BGP, the Border Gateway Protocol, was not designed to be secure. It was designed to work: to route packets between the tens of thousands of autonomous systems that make up the internet, quickly and at scale. For four decades it has done exactly that. It has also, throughout those four decades, been exploited, misconfigured, and abused in ways that were predictable from the start. Route hijacks reroute traffic through hostile networks. Route leaks knock services offline. Nation-state cyber crews weaponize BGP to intercept communications at scale. These are not theoretical threats. They are documented, recurring events, and they remain possible today for one simple reason: BGP has no native way to verify that a network announcing a block of addresses is actually authorized to originate it, or that the AS path carried in an announcement is the route the announcement really took.

A series of patches and extensions, Resource Public Key Infrastructure (RPKI) with its Route Origin Authorizations (ROAs), and BGPsec, have been layered over the original protocol in an attempt to address the worst of these vulnerabilities. They help at the margins: RPKI origin validation catches a mis-originated prefix but says nothing about the path, and BGPsec, which signs the path, has seen almost no production deployment. They do not solve the underlying problem.

There is, however, a system that does, or at least claims to. SCION, which stands for Scalability, Control, and Isolation On Next-Generation Networks, is an internet routing architecture developed at ETH Zürich. Unlike the patches applied to BGP, SCION does not attempt to retrofit security onto a 40-year-old foundation. It replaces the foundation entirely. That redesign is the life's work of Adrian Perrig, professor of computer science at ETH Zürich and the principal architect of SCION.
The boat full of holes

Perrig has been worrying about internet security since 1991, when he first worked with Cisco routers before starting his bachelor's degree at EPFL. He has spent most of the intervening years trying to make the internet more secure. Eventually, he concluded that securing the existing design incrementally was the wrong approach.

"You cannot bolt on security," says Perrig. "You cannot get to a truly secure global network unless you actually change the design. It's like saying you want to go to the Moon, so let's put rocket boosters on an airplane. No, you have to design the vehicle differently."

Perrig launched SCION in 2009 after gaining tenure and the freedom to pursue something most of his colleagues told him was career suicide. His core frustration was simple: the same vulnerabilities had been documented since the 1980s, and nobody had tried to fix them at the architectural level. "The best security companies in the world are still being exploited through them," he says. "There has not even been an attempt to address them properly."

Kevin Curran, a cybersecurity professor at Ulster University who has been teaching computer networks for 27 years, offers an independent assessment that lands in the same place. The internet, he says, was built without security in mind, and what followed was a succession of workarounds. "What we have had over 40 years is a series of Band-Aids," says Curran. "Nothing has come close to addressing the need for truly secure paths across an adversarial network."

Perrig's metaphor for the current state of internet security is a boat full of holes: people run around with buckets, throwing water out and plugging gaps, but the hull remains compromised. Security today, he argues, works the same way: patches get applied, vulnerabilities get closed, and new ones open up elsewhere. SCION, in his framing, is a fundamentally redesigned vessel.
Water might splash in from outside, but it doesn't pour through structural gaps.

A different kind of routing

To understand what SCION actually does differently, it helps to understand what BGP gets wrong. In today's internet there is no cryptographic chain of custody for a packet's journey from source to destination: the sender has no say in, and no proof of, which networks the packet crosses. And if a network somewhere along the path fails, the rerouting process, which involves detecting the failure, finding a new path, establishing a new session, and reconciling in-flight transactions, can take minutes.

SCION addresses this through three interlocking mechanisms.

The first is multi-path routing. Where BGP gives an end host a single usable path between two points, SCION makes tens or even hundreds of parallel paths available simultaneously, and the sender can switch between them without waiting for any routing protocol to reconverge. If one fails, the system reroutes within milliseconds. Perrig is precise about the threshold: "Human reaction time for auditory stimulus is roughly 150 milliseconds, and for visual, it's 250 milliseconds. When outages are on the order of milliseconds, the human brain cannot notice it. That's how fast SCION switches."

The second mechanism is isolation domains, ISDs in SCION terminology. Rather than relying on a small number of global trust anchors, or on a sprawling ecosystem of over a thousand certificate authorities that all must be trusted simultaneously, SCION lets countries, regions, or organizations define their own local trust roots. An error or compromise in one isolation domain cannot propagate to another. Perrig offers a concrete historical example: an entity in Australia made a configuration mistake that caused ATMs across France, Norway, and continental Europe to fail simultaneously. That kind of cross-domain cascade is what isolation domains are designed to make structurally impossible.

The third mechanism is cryptographic path validation. Every AS along a SCION path cryptographically authenticates its own hop, and its border routers check that authenticator on every packet they forward. Packets cannot be silently rerouted through a network that wasn't part of the agreed path.
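The three mechanisms just described, as an added illustration that is neither SCION's wire format nor code from the SCION project or ETH Zürich: a toy Python model in which each AS authorises its own hop in a path with an HMAC chained to the previous hop's authenticator, the sender holds several pre-authorised paths and picks between them, and a border router drops any packet whose path was altered after authorisation. SCION's data plane does use per-AS hop-field MACs that routers check on every packet, but the chaining scheme, the key values, the AS numbers and interface ids, the three-day lifetime and the `down_links` failure simulation here are all constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed per-AS keys for a toy topology spanning two ISDs. Key values,
# AS numbers and interface ids are assumptions for this example, not real data.
AS_KEYS = {
    (1, "ffaa:0:110"): b"isd1-as110-hop-key",
    (1, "ffaa:0:111"): b"isd1-as111-hop-key",
    (1, "ffaa:0:112"): b"isd1-as112-hop-key",
    (2, "ffaa:1:210"): b"isd2-as210-hop-key",
}
NOW = 1_700_000_000          # fixed clock so the example is deterministic
LIFETIME = 3 * 24 * 3600     # assumed hop-authorisation lifetime, in seconds


@dataclass(frozen=True)
class HopField:
    isd: int
    asn: str
    ingress: int    # interface the packet enters on (0: path starts here)
    egress: int     # interface the packet must leave on (0: path ends here)
    expiry: int     # unix time after which this hop may no longer be used
    mac: bytes      # authenticator this AS computed over the fields + previous mac


def hop_mac(key, isd, asn, ingress, egress, expiry, prev_mac):
    """Per-AS authenticator; chaining in prev_mac binds the hop to one specific path."""
    msg = f"{isd}|{asn}|{ingress}|{egress}|{expiry}|".encode() + prev_mac
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def build_path(hops, now=NOW):
    """Control plane: each AS in turn authorises its own hop, chained to the previous one."""
    expiry, prev, path = now + LIFETIME, b"", []
    for isd, asn, ingress, egress in hops:
        mac = hop_mac(AS_KEYS[(isd, asn)], isd, asn, ingress, egress, expiry, prev)
        path.append(HopField(isd, asn, ingress, egress, expiry, mac))
        prev = mac
    return tuple(path)


def verify_hop(hf, prev_mac, now):
    """What a border router checks on its own hop field; None means accept."""
    key = AS_KEYS.get((hf.isd, hf.asn))
    if key is None:
        return "unknown AS"
    if now > hf.expiry:
        return "expired"
    expected = hop_mac(key, hf.isd, hf.asn, hf.ingress, hf.egress, hf.expiry, prev_mac)
    if not hmac.compare_digest(expected, hf.mac):
        return "bad authenticator"
    return None


def forward(path, down_links=frozenset(), now=NOW):
    """Data plane: walk the path hop by hop. Returns (delivered, reason)."""
    prev = b""
    for i, hf in enumerate(path):
        problem = verify_hop(hf, prev, now)
        if problem:
            return False, f"hop {i} ({hf.isd}-{hf.asn}) rejected: {problem}"
        if hf.egress and (hf.asn, hf.egress) in down_links:
            return False, f"hop {i} ({hf.isd}-{hf.asn}) link {hf.egress} down"
        prev = hf.mac
    return True, "delivered"


class MultipathSender:
    """End host holding several pre-authorised paths; fails over without rediscovery."""
    def __init__(self, paths):
        self.paths = list(paths)
        self.failed = set()

    def send(self, down_links=frozenset(), now=NOW):
        for idx, path in enumerate(self.paths):
            if idx in self.failed:
                continue
            ok, reason = forward(path, down_links, now)
            if ok:
                return idx, reason
            self.failed.add(idx)     # remembered so later packets skip this path
        return None, "no usable path"


def demo():
    path_a = build_path([(1, "ffaa:0:110", 0, 1), (1, "ffaa:0:111", 4, 5), (1, "ffaa:0:112", 7, 0)])
    path_b = build_path([(1, "ffaa:0:110", 0, 2), (1, "ffaa:0:112", 8, 0)])
    results = {"honest": forward(path_a)}
    # Attack 1: the first hop is rewritten to push traffic out of a different interface.
    results["diverted"] = forward((replace(path_a[0], egress=9),) + path_a[1:])
    # Attack 2: an AS in ISD 2 splices in a hop it can legitimately authorise for itself.
    evil = HopField(2, "ffaa:1:210", 1, 2, path_a[0].expiry,
                    hop_mac(AS_KEYS[(2, "ffaa:1:210")], 2, "ffaa:1:210", 1, 2,
                            path_a[0].expiry, path_a[0].mac))
    results["spliced"] = forward((path_a[0], evil, path_a[2]))
    # Stale authorisation: hop fields past their expiry are dropped.
    results["expired"] = forward(path_a, now=NOW + LIFETIME + 1)
    # Failover: the link out of interface 5 of AS 111 dies; the sender moves to path_b.
    sender = MultipathSender([path_a, path_b])
    results["failover"] = sender.send(down_links={("ffaa:0:111", 5)})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} {outcome}")
```

Two things the output makes visible that the prose does not. The spliced path passes at the attacker's own hop, because an AS can always authorise a hop for itself, and is only caught at the next honest AS, whose authenticator no longer chains to what precedes it; that is why each hop must be bound to its predecessor and not just to its own fields. And failover touches no routing state: the sender simply moves to another path that was authorised in advance, which is what makes millisecond switching possible.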
The sender and receiver specify which paths they want to use, and those choices are enforced at the protocol level.

Curran, who has no stake in SCION's commercial success, independently validates these technical claims. The isolated domains and cryptographic signing, he says, are the core of what makes the protocol meaningful: "A genuine attempt to give senders and receivers control over the path their data takes, rather than leaving it to intermediate routers whose behavior cannot be verified."

220 billion francs a day

Fritz Steinmann has spent 30 years as a network engineer in the Swiss financial sector. Since 2009 he has worked for SIX Group, the operator of the Swiss Stock Exchange, Swiss securities clearing, and, critically, the interbank payment infrastructure used by around 120 Swiss financial institutions. In 2015, his management asked him to develop a replacement strategy for Finance IPNet, the 20-year-old MPLS network that connected those institutions.

"Interbank clearing in Switzerland is around 220 billion Swiss francs per day," Steinmann says. "So it's not an option to fail, yet I had to give up, because there was no alternative."

The options were unappealing. The public internet was not acceptable to Swiss banks for transaction settlement. SD-WAN required either a single operator, politically impossible given the multiple carriers already involved, or proprietary vendor lock-in that no one wanted.

Steinmann first encountered SCION in 2017 through a partnership between SIX and ETH Zürich. He approached it with the skepticism of someone who had seen academic network projects fail to survive contact with operational reality. "Academia and industry usually don't fit so well together," he says. "They do great things but then usability is the challenge. However, what Adrian told us was really an eye-opener.
It was the first time somebody had something that did not just make sense from an academic point of view, but where I immediately also saw real-world applications."

The Swiss National Bank (SNB) had already been using SCION for some internal use cases. Given that SCION was being asked to carry payments settled between commercial banks and the central bank, this was a significant signal. In 2019, SIX and SNB joined forces to design what would become the Secure Swiss Finance Network (SSFN). It would take two years of security assessments, governance design, and testing before the network was ready.

Building the SSFN turned out to be as much a governance project as a technology project. The network needed to admit banks, exclude miscreants, and handle the issuance of short-lived certificates, valid for three days, so that a participant who is expelled loses access as soon as its current certificate expires rather than depending on a revocation check. It also needed to operate its own certificate authority (CA). No commercial CA was willing to take on the risk.

The challenge wasn't technical, Steinmann explains. It was about process. How do you verify that UBS is actually UBS? How do you quantify the liability if you get it wrong? No existing CA had answers, so SIX built its own and has been running it in production for five years now.

SCION's Trust Root Configuration (TRC), the mechanism for encoding which entities are permitted to participate and under what conditions, embeds the governance decisions of the network's voting members into the cryptographic foundation itself. The rules about who can join, and when they can be expelled, are not policies in a database. They are enforced by the protocol. Steinmann notes, with some satisfaction, that enforcement has already been exercised.

Performance metrics, when they arrived in testing, exceeded expectations.
When a carrier failed, the old Finance IPNet required a sequence of steps – detection, failover, path discovery, reconnection, authentication, session re-establishment, transaction reconciliation – that could take three to four minutes in total. During SSFN testing, Steinmann conducted a carrier shutdown exercise. He had asked his team to stand by befor
