ndn::security::v2::ValidationPolicySignedInterest::Options Class Reference

#include <ndn-cxx/security/validation-policy-signed-interest.hpp>

Public Member Functions

 Options ()
 

Public Attributes

ssize_t maxNonceRecordCount = 1000
 Number of previous nonces to track for each public key. More...
 
ssize_t maxRecordCount = 1000
 Max number of distinct public keys to track. More...
 
bool shouldValidateNonces = true
 Whether to validate nonces by ensuring that they are present and do not overlap with one of the last n nonces for a given public key. More...
 
bool shouldValidateSeqNums = false
 Whether to validate sequence numbers in signed Interests by ensuring they are present and are strictly increasing for a given public key. More...
 
bool shouldValidateTimestamps = true
 Whether to validate timestamps in signed Interests by ensuring they are not reordered for a given public key and are within a given grace period of the current time. More...
 
time::nanoseconds timestampGracePeriod = 2_min
 Tolerance of timestamp differences from the current time. More...
 

Detailed Description

Definition at line 52 of file validation-policy-signed-interest.hpp.

Constructor & Destructor Documentation

◆ Options()

ndn::security::v2::ValidationPolicySignedInterest::Options::Options ( )
inline

Definition at line 55 of file validation-policy-signed-interest.hpp.

Member Data Documentation

◆ maxNonceRecordCount

ssize_t ndn::security::v2::ValidationPolicySignedInterest::Options::maxNonceRecordCount = 1000

Number of previous nonces to track for each public key.

If nonce checks are enabled, incoming Interests will be dropped if their nonce matches one of the last n nonces for their associated public key, where n is the value of this option.

Setting this option to -1 allows an unlimited number of nonces to be tracked for each public key. Setting this option to 0 will cause last-n nonce matching to not be performed. However, if shouldValidateNonces is set to true, signed Interests will still fail validation if they do not contain a nonce.

Definition at line 113 of file validation-policy-signed-interest.hpp.

◆ maxRecordCount

ssize_t ndn::security::v2::ValidationPolicySignedInterest::Options::maxRecordCount = 1000

Max number of distinct public keys to track.

The validator records a "last" timestamp and sequence number, along with the last n nonces, for every public key. For subsequent signed Interest associated with the same public key, depending upon the other validator options, their timestamps, sequence numbers, and/or nonces will be compared to the last timestamp, last sequence number, and last n nonces observed from signed Interests using that public key. Depending upon the enabled checks, a signed Interest will be rejected if its timestamp or sequence number is less than or equal to the respective last value for the associated public key, or if its nonce matches of the last n nonces observed for the associated public key.

This option limits the number of distinct public keys that can be tracked. If this limit is exceeded, the records will be deleted until the number of records is less than or equal to this limit in LRU order (by the time the record was last refreshed).

Setting this option to -1 allows an unlimited number of public keys to be tracked. Setting this option to 0 disables last timestamp, sequence number, and nonce records and will cause every signed Interest to be treated as being associated with a previously-unobserved public key – this is not recommended for obvious security reasons.

Definition at line 135 of file validation-policy-signed-interest.hpp.

◆ shouldValidateNonces

bool ndn::security::v2::ValidationPolicySignedInterest::Options::shouldValidateNonces = true

Whether to validate nonces by ensuring that they are present and do not overlap with one of the last n nonces for a given public key.

If set to false, nonce checks will be skipped when validating signed Interests.

The number of previous nonces to check for uniqueness against is controlled by maxNonceRecordCount.

Definition at line 100 of file validation-policy-signed-interest.hpp.

◆ shouldValidateSeqNums

bool ndn::security::v2::ValidationPolicySignedInterest::Options::shouldValidateSeqNums = false

Whether to validate sequence numbers in signed Interests by ensuring they are present and are strictly increasing for a given public key.

If set to false, sequence numbers checks will be skipped when validating signed Interests.

Definition at line 90 of file validation-policy-signed-interest.hpp.

◆ shouldValidateTimestamps

bool ndn::security::v2::ValidationPolicySignedInterest::Options::shouldValidateTimestamps = true

Whether to validate timestamps in signed Interests by ensuring they are not reordered for a given public key and are within a given grace period of the current time.

If set to false, timestamps checks will be skipped when validating signed Interests.

The grace period is controlled by timestampGracePeriod.

Definition at line 68 of file validation-policy-signed-interest.hpp.

◆ timestampGracePeriod

time::nanoseconds ndn::security::v2::ValidationPolicySignedInterest::Options::timestampGracePeriod = 2_min

Tolerance of timestamp differences from the current time.

A signed Interest is considered "initial" if the validator does not currently store a record for its associated public key – entries may be erased due to age or storage limitations. For such "initial" signed Interests, their timestamp will be compared with the current system clock, and a signed Interest will be rejected if the absolute difference of its timestamp from the clock time is greater than this grace interval.

This value should be positive. Setting this option to 0 or to a negative value causes the validator to require exactly the same timestamp as the system clock, which will most likely reject all signed Interests due to network delay and clock skew. Therefore, it is not recommended to set this value to zero or less or to a very small interval.

Definition at line 83 of file validation-policy-signed-interest.hpp.