| Vince Lehman | b722b10 | 2014-08-24 16:33:49 -0500 | [diff] [blame^] | 1 | Security Configuration |
| 2 | ======================= |
| 3 | |
| 4 | .. toctree:: |
| 5 | .. |
| 6 | |
| 7 | The trust model of NLSR is semi-hierarchical. An example certificate signing hierarchy is: |
| 8 | |
| 9 | :: |
| 10 | |
| 11 | root |
| 12 | | |
| 13 | +--------------+---------------+ |
| 14 | site1 site2 |
| 15 | | | |
| 16 | +---------+---------+ + |
| 17 | operator1 operator2 operator3 |
| 18 | | | | |
| 19 | +-----+-----+ +----+-----+ +-----+-----+--------+ |
| 20 | router1 router2 router3 router4 router5 router6 router7 |
| 21 | | | | | | | | |
| 22 | + + + + + + + |
| 23 | NLSR NSLR NSLR NSLR NSLR NSLR NSLR |
| 24 | |
| 25 | Each entity’s name and corresponding certificate name follow the |
| 26 | convention below: |
| 27 | |
| 28 | ======== ===================================================== ================================= =============================================== |
| 29 | Entity Identity Name Example Certificate Name Example |
| 30 | -------- ----------------------------------------------------- --------------------------------- ----------------------------------------------- |
| 31 | root /\<network\> /ndn /ndn/KEY/ksk-1/ID-CERT/%01 |
| 32 | site /\<network\>/\<site\> /ndn/edu/ucla /ndn/edu/ucla/KEY/ksk-2/ID-CERT/%01 |
| 33 | operator /\<network\>/\<site\>/%C1.Operator/\<operator-name\> /ndn/edu/ucla/%C1.Operator/op1 /ndn/edu/ucla/%C1.Operator/op1/KEY/ksk-3/ID-CERT/%01 |
| 34 | router /\<network\>/\<site\>/%C1.Router/\<router-name\> /ndn/edu/ucla/%C1.Router/rt1 /ndn/edu/ucla/%C1.Router/rt1/KEY/ksk-4/ID-CERT/%01 |
| 35 | NLSR /\<network\>/\<site\>/%C1.Router/\<router-name\>/NLSR /ndn/edu/ucla/%C1.Router/rt1/NLSR /ndn/edu/ucla/%C1.Router/rt1/NLSR/KEY/ksk-5/ID-CERT/%01 |
| 36 | ======== ===================================================== ================================= =============================================== |
| 37 | |
| 38 | Users should create keys according to the naming and signing hierarchies above. |
| 39 | |
| 40 | Certificate Publishing |
| 41 | ---------------------- |
| 42 | |
| 43 | In a network, every router should have the root certificate configured as a trust |
| 44 | anchor. For each site, at least one router should publish the site certificate, and at |
| 45 | least one router should publish the certificate of the site operator. Each router should |
| 46 | publish its own certificate. All this information should be explicitly specified in the |
| 47 | nlsr.conf file. For example, the following configuration file indicates that NLSR should |
| 48 | publish the site certificate and the router certificate: |
| 49 | |
| 50 | :: |
| 51 | |
| 52 | ... |
| 53 | security |
| 54 | { |
| 55 | validator |
| 56 | { |
| 57 | ... |
| 58 | } |
| 59 | cert-to-publish "site.cert" ; name of the file which contains the site certificate (optional). |
| 60 | cert-to-publish "router.cert" ; name of the file which contains the router certificate (required). |
| 61 | ... |
| 62 | } |