Vince Lehman | b722b10 | 2014-08-24 16:33:49 -0500 | [diff] [blame] | 1 | Security Configuration |
| 2 | ======================= |
| 3 | |
| 4 | .. toctree:: |
| 5 | .. |
| 6 | |
| 7 | The trust model of NLSR is semi-hierarchical. An example certificate signing hierarchy is: |
| 8 | |
| 9 | :: |
| 10 | |
| 11 | root |
| 12 | | |
| 13 | +--------------+---------------+ |
| 14 | site1 site2 |
| 15 | | | |
| 16 | +---------+---------+ + |
| 17 | operator1 operator2 operator3 |
| 18 | | | | |
| 19 | +-----+-----+ +----+-----+ +-----+-----+--------+ |
| 20 | router1 router2 router3 router4 router5 router6 router7 |
| 21 | | | | | | | | |
| 22 | + + + + + + + |
Ashlesh Gawande | 39cf81a | 2018-02-22 13:37:07 -0600 | [diff] [blame] | 23 | NLSR NLSR NLSR NLSR NLSR NLSR NLSR |
Vince Lehman | b722b10 | 2014-08-24 16:33:49 -0500 | [diff] [blame] | 24 | |
Alexander Afanasyev | 7decbbf | 2014-08-24 21:29:01 -0700 | [diff] [blame] | 25 | Each entity's name and corresponding certificate name follow the |
Vince Lehman | b722b10 | 2014-08-24 16:33:49 -0500 | [diff] [blame] | 26 | convention below: |
| 27 | |
| 28 | ======== ===================================================== ================================= =============================================== |
| 29 | Entity Identity Name Example Certificate Name Example |
| 30 | -------- ----------------------------------------------------- --------------------------------- ----------------------------------------------- |
Ashlesh Gawande | 39cf81a | 2018-02-22 13:37:07 -0600 | [diff] [blame] | 31 | root /\<network\> /ndn /ndn/KEY/1/%00/%01 |
| 32 | site /\<network\>/\<site\> /ndn/edu/ucla /ndn/edu/ucla/KEY/2/%00/%01 |
| 33 | operator /\<network\>/\<site\>/%C1.Operator/\<operator-name\> /ndn/edu/ucla/%C1.Operator/op1 /ndn/edu/ucla/%C1.Operator/op1/KEY/3/%00/%01 |
| 34 | router /\<network\>/\<site\>/%C1.Router/\<router-name\> /ndn/edu/ucla/%C1.Router/rt1 /ndn/edu/ucla/%C1.Router/rt1/KEY/4/%00/%01 |
| 35 | NLSR /\<network\>/\<site\>/%C1.Router/\<router-name\>/NLSR /ndn/edu/ucla/%C1.Router/rt1/NLSR /ndn/edu/ucla/%C1.Router/rt1/NLSR/KEY/5/%00/%01 |
Vince Lehman | b722b10 | 2014-08-24 16:33:49 -0500 | [diff] [blame] | 36 | ======== ===================================================== ================================= =============================================== |
| 37 | |
| 38 | Users should create keys according to the naming and signing hierarchies above. |
| 39 | |
Ashlesh Gawande | b4567f4 | 2017-04-28 14:40:39 -0500 | [diff] [blame] | 40 | |
| 41 | .. note:: |
| 42 | |
| 43 | Detailed information about key setup is given in NLSR Developer's Guide. |
| 44 | |
Vince Lehman | b722b10 | 2014-08-24 16:33:49 -0500 | [diff] [blame] | 45 | Certificate Publishing |
| 46 | ---------------------- |
| 47 | |
| 48 | In a network, every router should have the root certificate configured as a trust |
| 49 | anchor. For each site, at least one router should publish the site certificate, and at |
| 50 | least one router should publish the certificate of the site operator. Each router should |
| 51 | publish its own certificate. All this information should be explicitly specified in the |
| 52 | nlsr.conf file. For example, the following configuration file indicates that NLSR should |
| 53 | publish the site certificate and the router certificate: |
| 54 | |
| 55 | :: |
| 56 | |
| 57 | ... |
| 58 | security |
| 59 | { |
| 60 | validator |
| 61 | { |
| 62 | ... |
| 63 | } |
| 64 | cert-to-publish "site.cert" ; name of the file which contains the site certificate (optional). |
| 65 | cert-to-publish "router.cert" ; name of the file which contains the router certificate (required). |
| 66 | ... |
| 67 | } |