Security Configuration
=======================

.. toctree::
..

The trust model of NLSR is semi-hierarchical: the root signs site certificates, a site signs its operator certificates, an operator signs the router certificates of that site, and each router signs the certificate of its own NLSR process. An example certificate signing hierarchy is:

::

                                   root
                                     |
                    +----------------+----------------+
                  site1                             site2
                    |                                 |
           +--------+---------+                       +
       operator1          operator2               operator3
           |                  |                       |
       +---+----+         +---+----+         +--------+--------+
    router1  router2   router3  router4   router5  router6  router7
       |        |         |        |         |        |        |
       +        +         +        +         +        +        +
      NLSR     NLSR      NLSR     NLSR      NLSR     NLSR     NLSR

Each entity's name and corresponding certificate name follow the
convention below:

======== ===================================================== ================================= =======================================================
Entity   Identity Name                                         Example                           Certificate Name Example
======== ===================================================== ================================= =======================================================
root     /\<network\>                                          /ndn                              /ndn/KEY/ksk-1/ID-CERT/%01
site     /\<network\>/\<site\>                                 /ndn/edu/ucla                     /ndn/edu/ucla/KEY/ksk-2/ID-CERT/%01
operator /\<network\>/\<site\>/%C1.Operator/\<operator-name\>  /ndn/edu/ucla/%C1.Operator/op1    /ndn/edu/ucla/%C1.Operator/op1/KEY/ksk-3/ID-CERT/%01
router   /\<network\>/\<site\>/%C1.Router/\<router-name\>      /ndn/edu/ucla/%C1.Router/rt1      /ndn/edu/ucla/%C1.Router/rt1/KEY/ksk-4/ID-CERT/%01
NLSR     /\<network\>/\<site\>/%C1.Router/\<router-name\>/NLSR /ndn/edu/ucla/%C1.Router/rt1/NLSR /ndn/edu/ucla/%C1.Router/rt1/NLSR/KEY/ksk-5/ID-CERT/%01
======== ===================================================== ================================= =======================================================

Users should create keys according to the naming and signing hierarchies above.

.. note::

   Detailed information about key setup is given in the NLSR Developer's Guide.

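As an added illustration (not NLSR's own code), the following Python classifies an identity according to the naming convention in the table and decides whether a proposed signer is the permitted parent under the signing hierarchy above; the function names and the regular expression for the ``KEY/.../ID-CERT/...`` suffix are my own assumptions, not part of NLSR.

```python
import re
from typing import Optional

# Assumed (not NLSR code): certificate name = <identity>/KEY/<key-id>/ID-CERT/<version>
_CERT_NAME = re.compile(r"^(?P<identity>/.+?)/KEY/[^/]+/ID-CERT/[^/]+$")
_MARKERS = {"%C1.Operator": "operator", "%C1.Router": "router"}

def identity_of(cert_name: str) -> str:
    """Strip the KEY/.../ID-CERT/... suffix to recover the identity name."""
    m = _CERT_NAME.match(cert_name)
    if not m:
        raise ValueError(f"not a certificate name: {cert_name}")
    return m.group("identity")

def classify(identity: str) -> str:
    """Map an identity name to root / site / operator / router / NLSR."""
    comps = identity.strip("/").split("/")
    if comps[-1] == "NLSR" and len(comps) >= 3 and comps[-3] == "%C1.Router":
        return "NLSR"
    if len(comps) >= 3 and comps[-2] in _MARKERS:
        return _MARKERS[comps[-2]]
    if any(c in _MARKERS for c in comps):      # marker in the wrong position
        raise ValueError(f"malformed identity: {identity}")
    return "root" if len(comps) == 1 else "site"

def site_of(identity: str) -> Optional[str]:
    """Site prefix of an operator/router/NLSR identity; a site maps to itself."""
    comps = identity.strip("/").split("/")
    for i, c in enumerate(comps):
        if c in _MARKERS:
            return "/" + "/".join(comps[:i])
    return None if len(comps) == 1 else identity

def can_sign(signer: str, signee: str) -> bool:
    """True if the semi-hierarchical trust model lets signer certify signee."""
    s, t = classify(signer), classify(signee)
    if s == "root":      # root self-signs and signs sites under its network prefix
        return signee == signer or (t == "site" and signee.startswith(signer + "/"))
    if s == "site":      # a site signs only its own operators
        return t == "operator" and site_of(signee) == signer
    if s == "operator":  # any operator of a site signs that site's routers
        return t == "router" and site_of(signee) == site_of(signer)
    if s == "router":    # a router signs only its own NLSR identity
        return t == "NLSR" and signee == signer + "/NLSR"
    return False         # an NLSR identity signs nothing in this model

def check_cert_chain(cert_name: str, signer_cert_name: str) -> bool:
    return can_sign(identity_of(signer_cert_name), identity_of(cert_name))
```
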
Certificate Publishing
----------------------

In a network, every router should have the root certificate configured as a trust
anchor. For each site, at least one router should publish the site certificate, and at
least one router should publish the certificate of the site operator. Each router should
publish its own certificate. All of this must be stated explicitly in the
nlsr.conf file. For example, the following configuration file indicates that NLSR should
publish the site certificate and the router certificate:

::

    ...
    security
    {
      validator
      {
        ...
      }
      cert-to-publish "site.cert"   ; name of the file which contains the site certificate (optional).
      cert-to-publish "router.cert" ; name of the file which contains the router certificate (required).
      ...
    }