Blame - docs/SECURITY-CONFIG.rst - NLSR

Vince Lehman

b722b10

2014-08-24 16:33:49 -0500

[diff] [blame]

1

Security Configuration

2

=======================

.. toctree::

..

The trust model of NLSR is semi-hierarchical. An example certificate signing hierarchy is:

::

root

|

+--------------+---------------+

14

site1 site2

15

| |

16

+---------+---------+ +

17

operator1 operator2 operator3

18

| | |

19

+-----+-----+ +----+-----+ +-----+-----+--------+

20

router1 router2 router3 router4 router5 router6 router7

21

| | | | | | |

22

+ + + + + + +

Ashlesh Gawande

39cf81a

2018-02-22 13:37:07 -0600

[diff] [blame]

23

NLSR NLSR NLSR NLSR NLSR NLSR NLSR

Vince Lehman

b722b10

2014-08-24 16:33:49 -0500

[diff] [blame]

24

Alexander Afanasyev

7decbbf

2014-08-24 21:29:01 -0700

[diff] [blame]

25

Each entity's name and corresponding certificate name follow the

Vince Lehman

b722b10

2014-08-24 16:33:49 -0500

[diff] [blame]

26

convention below:

27

28

======== ===================================================== ================================= ===============================================

29

Entity Identity Name Example Certificate Name Example

30

-------- ----------------------------------------------------- --------------------------------- -----------------------------------------------

Ashlesh Gawande

39cf81a

2018-02-22 13:37:07 -0600

[diff] [blame]

31

root /\<network\> /ndn /ndn/KEY/1/%00/%01

32

site /\<network\>/\<site\> /ndn/edu/ucla /ndn/edu/ucla/KEY/2/%00/%01

33

operator /\<network\>/\<site\>/%C1.Operator/\<operator-name\> /ndn/edu/ucla/%C1.Operator/op1 /ndn/edu/ucla/%C1.Operator/op1/KEY/3/%00/%01

34

router /\<network\>/\<site\>/%C1.Router/\<router-name\> /ndn/edu/ucla/%C1.Router/rt1 /ndn/edu/ucla/%C1.Router/rt1/KEY/4/%00/%01

35

NLSR /\<network\>/\<site\>/%C1.Router/\<router-name\>/NLSR /ndn/edu/ucla/%C1.Router/rt1/NLSR /ndn/edu/ucla/%C1.Router/rt1/NLSR/KEY/5/%00/%01

Vince Lehman

b722b10

2014-08-24 16:33:49 -0500

[diff] [blame]

36

======== ===================================================== ================================= ===============================================

37

David Arjona

2fa23ea

2018-11-28 11:50:38 -0600

[diff] [blame]

38

Users should create keys according to the naming and signing hierarchies above. The

39

``%C1.Operator`` and ``%C1.Router`` labels are NDN keywords that should not be modified

40

by the user.

Vince Lehman

b722b10

2014-08-24 16:33:49 -0500

[diff] [blame]

41

Ashlesh Gawande

b4567f4

2017-04-28 14:40:39 -0500

[diff] [blame]

.. note::

David Arjona

2018-11-28 11:50:38 -0600

[diff] [blame]

45

Detailed information about key setup is given in NLSR Developer's Guide and the

46

:doc:`beginners-guide`.

Ashlesh Gawande

b4567f4

2017-04-28 14:40:39 -0500

[diff] [blame]

47

Vince Lehman

b722b10

2014-08-24 16:33:49 -0500

[diff] [blame]

48

Certificate Publishing

49

----------------------

50

51

In a network, every router should have the root certificate configured as a trust

52

anchor. For each site, at least one router should publish the site certificate, and at

53

least one router should publish the certificate of the site operator. Each router should

54

publish its own certificate. All this information should be explicitly specified in the

55

nlsr.conf file. For example, the following configuration file indicates that NLSR should

56

publish the site certificate and the router certificate:

::

...

security

{

validator

{

...

}

cert-to-publish "site.cert" ; name of the file which contains the site certificate (optional).

68

cert-to-publish "router.cert" ; name of the file which contains the router certificate (required).

69

...

70

}