[Ndn-interest] How to set up an NDN testbed

Junxiao Shi shijunxiao at email.arizona.edu
Wed Jul 12 14:12:57 PDT 2017

Hi C

> * What was in $(man ndn-validator.conf)? It's mentioned in the NFD configuration but I can't find that manpage in NFD nor ndn-cxx.

Thanks for reporting. This is filed as NFD Bug 4184 <https://redmine.named-data.net/issues/4184>.
I believe it refers to ValidatorConfig file format <https://named-data.net/doc/ndn-cxx/current/tutorials/security-validator-config.html>.

> * How should I establish a trust anchor, in terms of key management?

You can create a certificate chain, including the trust anchor, with ndnsec commands.
This nfd-dev thread <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/2014-November/000616.html> may be helpful.

I also have a blog post on how to issue and publish certificates <https://yoursunny.com/t/2016/ndncert/> once you have the trust anchor.

> What does key rotation look like?

There’s no key rotation. The testbed operator has to manually renew certificate <http://lists.named-data.net/mailman/private/operators/2017-March/001181.html>, then restart affected nodes.

> * How local is localhop? In terms of topology, I gather that localhop is a neighborhood of the node, but I don't get exactly how big that should be. Should it be per-datacenter, per-country, or literally just the star of all reachable routers?

/localhop scope refers to one network hop as seen on NDN layer.
This is defined in namespace-based scope control <https://redmine.named-data.net/projects/nfd/wiki/ScopeControl> spec. It is a convention rather than a protocol requirement.

> * Obviously hub/backbone routers shouldn't form too-heavily-connected graphs. How practical is automatic RIB management for backbone layout? Should I hand-craft the RIBs for each backbone server instead? (Pardon the puns!)

The routing protocol <https://named-data.net/publications/techreports/ndn-0042-1-asf/> takes care of populating RIBs for global network.

> * Where is $(ndnsec cert-install) putting certs? Are they going into the local NFD's CS, or are they on-disk somewhere? For configuration management purposes, it'd be nice to understand that better.

The certificates are stored in the PIB. The filesystem path for the PIB can be seen in ‘pib’ option of $HOME/.ndn/client.conf or /etc/ndn/client.conf . The default is $HOME/.ndn .

> * How does priv-drop on NFD work?


> Does NFD re-assume root as needed somehow?

Yes. It’s needed to create a new libpcap handle when a new network interface comes up.

> I figure that NFD can run as user 100% of the time if I'm only asking it to listen on the local UNIX socket and high-port-numbered UDP/TCP, right?

Kinda. The default path of Unix socket is /var/run/nfd.sock which is usually only accessible by root. This path is chosen so that an untrusted program cannot pretend to be NFD and intercept traffic from local apps. If you change this socket path in nfd.conf and client.conf, you can use Unix socket without root.
There are also limitations with Ethernet faces. See nfd.conf on workarounds.

Yours, Junxiao
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/ndn-interest/attachments/20170712/8809c5c8/attachment.html>

More information about the Ndn-interest mailing list