<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div>Hi Guangyu
<div><br>
</div>
<div>This feature is still in the design phase.</div>
<div>See prior discussion here:</div>
<div>https://redmine.named-data.net/issues/1285</div>
<div><br>
</div>
<div><span style="font-size: inherit;">> creating all faces via management Interests and disabling automatic face creation from passive TCP accepts</span><br>
</div>
<div><span style="font-size: inherit;"><br>
</span></div>
<div><span style="font-size: inherit;">That's the approach taken by NDN-DPDK, which uses an out-of-band management protocol.</span></div>
<div><br>
</div>
Yours, Junxiao<br>
</div>
<br>
<div></div>
<br>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Nfd-dev <nfd-dev-bounces@lists.cs.ucla.edu> on behalf of 郝广宇 <haoguangyu@chorustek.com><br>
<b>Sent:</b> Saturday, May 23, 2026 1:59 AM<br>
<b>To:</b> nfd-dev <nfd-dev@lists.cs.ucla.edu><br>
<b>Subject:</b> [EXT] [Nfd-dev] How to restrict NFD data plane face creation (via nfdc face create tcp://) only to nodes with trusted certificates?</font>
<div> </div>
</div>
<div>
<div><font>
<div>
Dear NDN community,</div>
<div><br>
</div>
<div>We are facing an access control issue in our NDN testbed and would appreciate your advice.</div>
<div><br>
</div>
<div>Environment:</div>
<div><br>
</div>
<div>We have an NFD node C3 (IP address c3ip) listening on TCP port 6363.</div>
<div><br>
</div>
<div>Multiple remote nodes (e.g., A, B, …) exist. Some possess NDN certificates issued by a trusted CA, others do not.</div>
<div><br>
</div>
<div>On C3, we have configured trust anchors in the authorizations and rib sections to trust only a specific certificate (e.g., /ndn/cedge). Remote management Interests (e.g., nfdc -r tcp://c3ip face create ...) are correctly validated: only nodes with the trusted certificate can succeed.</div>
<div><br>
</div>
<div>Problem:</div>
<div>We observe that even a remote node without any trusted certificate can still run nfdc face create tcp://c3ip:6363 (without -r) and successfully create a data-plane face on C3. This is because nfdc face create tcp://... instructs the local NFD to actively initiate a TCP connection to C3:6363, and C3, acting as a TCP server, accepts the connection and automatically creates a face, without any NDN signature or certificate check.</div>
<div><br>
</div>
<div>Desired behavior:</div>
<div>We want C3 to reject TCP connections from unauthorized remote nodes. Only nodes that hold a certificate trusted by C3 (i.e., have the private key of /ndn/cedge) should be able to successfully create a face using nfdc face create tcp://c3ip:6363. In other words, we would like to enforce certificate-based authorization for data-plane face creation, or at least implement IP-based whitelisting.</div>
<div><br>
</div>
<div>Questions:</div>
<div><br>
</div>
<div>Does NFD natively support certificate verification for incoming TCP data-plane connections? If yes, how should we configure it?</div>
<div><br>
</div>
<div>If not, is the recommended solution to use network-layer firewalls (e.g., iptables) to restrict access by source IP? Are there any more NDN-idiomatic approaches (e.g., creating all faces via management Interests and disabling automatic face creation from passive TCP accepts)?</div>
<div><br>
</div>
<div>Thank you for your insights.</div>
</font></div>
<div></div>
</div>
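<div>Added example (not from either message above, and not part of NFD or nfdc): since NFD currently accepts passive TCP connections without any certificate check, a monitoring-side fallback is to audit the faces that exist on C3. The script below parses constructed `nfdc face list` output (the faceid=/remote=/flags= layout is an assumption modelled on NFD's usual format) and reports on-demand TCP faces whose peer address is not on an operator-maintained allowlist of nodes known to hold the trusted certificate.</div>

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of `nfdc face list` output; the field layout is an
# assumption modelled on NFD's usual faceid=/remote=/local=/flags= lines.
SAMPLE_FACE_LIST = """\
faceid=1 remote=internal:// local=internal:// counters={in={0i 0d 0n 0B} out={0i 0d 0n 0B}} flags={local permanent point-to-point}
faceid=262 remote=tcp4://198.51.100.7:40210 local=tcp4://203.0.113.3:6363 counters={in={12i 9d 0n 4096B} out={9i 12d 0n 5120B}} flags={non-local on-demand point-to-point}
faceid=263 remote=tcp4://192.0.2.44:51234 local=tcp4://203.0.113.3:6363 counters={in={3i 0d 0n 200B} out={0i 0d 0n 0B}} flags={non-local on-demand point-to-point}
faceid=264 remote=udp4://198.51.100.7:6363 local=udp4://203.0.113.3:6363 counters={in={0i 0d 0n 0B} out={0i 0d 0n 0B}} flags={non-local persistent point-to-point}
"""

# Constructed allowlist: networks of peers known to hold the trusted certificate.
TRUSTED_PEERS = [ip_network("198.51.100.0/24")]

FACE_RE = re.compile(
    r"faceid=(?P<id>\d+) remote=(?P<scheme>\w+)://(?P<rest>\S*) .*?flags=\{(?P<flags>[^}]*)\}"
)


def parse_faces(text):
    """Yield (faceid, scheme, remote_ip, flags) per face line; non-IP remotes yield ip=None."""
    for line in text.splitlines():
        m = FACE_RE.match(line)
        if not m:
            continue
        # Drop the port and any IPv6 brackets from host:port / [host]:port.
        host = m.group("rest").rsplit(":", 1)[0].strip("[]")
        try:
            ip = ip_address(host)
        except ValueError:
            ip = None
        yield int(m.group("id")), m.group("scheme"), ip, m.group("flags").split()


def unauthorized_tcp_faces(text, trusted):
    """Return faceids of on-demand (passively accepted) TCP faces whose peer is not allowlisted."""
    bad = []
    for faceid, scheme, ip, flags in parse_faces(text):
        if not scheme.startswith("tcp") or "on-demand" not in flags or ip is None:
            continue
        if not any(ip in net for net in trusted):
            bad.append(faceid)
    return bad


if __name__ == "__main__":
    # In operation, feed the real output of `nfdc face list` instead of the sample.
    print("unauthorized faces:", unauthorized_tcp_faces(SAMPLE_FACE_LIST, TRUSTED_PEERS))
```

<div>A flagged faceid can then be torn down with nfdc face destroy on C3 and the source address reviewed against the firewall rules Guangyu mentions.</div>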
</body>
</html>