blob: a0101139dd00e765f7101fe193f92be55df83409 [file] [log] [blame]
Vince Lehmanb722b102014-08-24 16:33:49 -05001Security Configuration
2=======================
3
4.. toctree::
5..
6
7The trust model of NLSR is semi-hierarchical. An example certificate signing hierarchy is:
8
9::
10
11 root
12 |
13 +--------------+---------------+
14 site1 site2
15 | |
16 +---------+---------+ +
17 operator1 operator2 operator3
18 | | |
19 +-----+-----+ +----+-----+ +-----+-----+--------+
20 router1 router2 router3 router4 router5 router6 router7
21 | | | | | | |
22 + + + + + + +
23 NLSR NSLR NSLR NSLR NSLR NSLR NSLR
24
25Each entitys name and corresponding certificate name follow the
26convention below:
27
28======== ===================================================== ================================= ===============================================
29Entity Identity Name Example Certificate Name Example
30-------- ----------------------------------------------------- --------------------------------- -----------------------------------------------
31root /\<network\> /ndn /ndn/KEY/ksk-1/ID-CERT/%01
32site /\<network\>/\<site\> /ndn/edu/ucla /ndn/edu/ucla/KEY/ksk-2/ID-CERT/%01
33operator /\<network\>/\<site\>/%C1.Operator/\<operator-name\> /ndn/edu/ucla/%C1.Operator/op1 /ndn/edu/ucla/%C1.Operator/op1/KEY/ksk-3/ID-CERT/%01
34router /\<network\>/\<site\>/%C1.Router/\<router-name\> /ndn/edu/ucla/%C1.Router/rt1 /ndn/edu/ucla/%C1.Router/rt1/KEY/ksk-4/ID-CERT/%01
35NLSR /\<network\>/\<site\>/%C1.Router/\<router-name\>/NLSR /ndn/edu/ucla/%C1.Router/rt1/NLSR /ndn/edu/ucla/%C1.Router/rt1/NLSR/KEY/ksk-5/ID-CERT/%01
36======== ===================================================== ================================= ===============================================
37
38Users should create keys according to the naming and signing hierarchies above.
39
40Certificate Publishing
41----------------------
42
43In a network, every router should have the root certificate configured as a trust
44anchor. For each site, at least one router should publish the site certificate, and at
45least one router should publish the certificate of the site operator. Each router should
46publish its own certificate. All this information should be explicitly specified in the
47nlsr.conf file. For example, the following configuration file indicates that NLSR should
48publish the site certificate and the router certificate:
49
50::
51
52 ...
53 security
54 {
55 validator
56 {
57 ...
58 }
59 cert-to-publish "site.cert" ; name of the file which contains the site certificate (optional).
60 cert-to-publish "router.cert" ; name of the file which contains the router certificate (required).
61 ...
62 }