ACM ICN 2021, Paris, France

8th ACM Conference on Information-Centric Networking (ICN 2021), Sept. 22–24, 2021

Half-day Tutorial: Power of Trust Schemas for Easy and Secure Deployment of NDN Applications


Preliminary Tutorial Program

  • Wednesday, September 22, 2021, Webex

  • 3pm - 6pm UTC: Half-day Tutorial: Power of Trust Schemas for Easy and Secure Deployment of NDN Applications

  • Tutorial Intro: Secure and Friendly Deployment (Plugging) of NDN Apps

    Alex Afanasyev (FIU)

    • Abstract: We start the tutorial with an overview of NDN security concepts, the principal differences between today’s and NDN applications regarding their deployment requirements, as well as quickly introduce the concept of trust schema, the central piece of the tutorial.


  • VerSec/DCT: Creating and Using Trust Schemas

    Kathleen Nichols (Pollere)

    • Abstract: In this part we will introduce the recent work on defining trust schemas using a domain-specific data modeling language (VerSec) and its features. We will cover both language aspects and how the resulting product (the compiled schema bundled with a trust anchor and identity signing chains) can be used to securely deploy NDN applications to create trust zones that truly zero trust


  • VerSec Language

    Proyash Podder (FIU), Alex Afanasyev (FIU)

  • Securely Deploying NDN Apps: Security Bootstrapping with DCT Identity Bundles

    Tianyuan Yu (UCLA)

  • Q & A

    Lixia Zhang (UCLA)

    • Abstract: In addition to addressing questions in real time during the tutorial, we will also use this dedicated Q & A session to cover the questions collected from the conference Slack channel that touch on broader scope or deserve deeper elaborations. This session will also offer the audience opportunities to share their own work related to NDN API development and configuration challenges as well as solutions.



The biggest challenge facing the Internet today is security problems. The Named Data Networking (NDN) design [1, 2, 6] enables resilient and secure communications by fetching semantically named data. This new way of networking points to a new direction in building secure applications. Instead of viewing networks as interconnections of nodes, NDN views the networked world as interconnections of different namespaces, with various trust relations among each other. Applications developed for NDN secure data directly, and control data authenticity and confidentiality by utilizing application domain-specific trust relations instead of relying on external certificate authorities.

Running in a world of interconnected namespaces, NDN applications need (selected/assigned) hierarchical namespaces with the corresponding (global/local trust-level) certificates, together with application trust models (which keys should be trusted to sign which data) and basis of trust (trust anchors). Having these pieces of information, an NDN application can be dropped in an NDN network and start functioning (either in ad hoc mode or, when infrastructure available, in a more global way).

The mechanics on how such NDN identities and rest of the essential security pieces are configured in the application have been a subject of research and development over the past several years. The initial trust schema work [5] conceptually defined the ability of trust schemas to carry the majority of this information, defining trust relations between data and keys, and attaching trust anchor(s) to define trust scopes. While it was envisioned to use the same trust schema for publisher operations to select appropriate keys to sign the data (and automatically generate key requests to NDNCERT [7] when ones are missing), the practical implementation (in ndn-cxx library) remained limited to the authentication operations, with cumbersome syntax to define the trust relations. The recent work [3, 4] brought another angle on how trust schemas can be defined using a domain-specific data modeling language and used for both signing and authentication processes. Moreover, the “bundled identity” can be used as a single piece of information that needs to installed in an NDN application to provide its identity and all necessary security parameters to function in an NDN world. When this new approach is paired with the use of an NDN Sync protocol, applications are easier to write and application writing can be separated from the design of a namespace and trust rules for the application class.

In this tutorial we plan to give a conceptual overview of the application deployment in NDN networks and which role a trust schema can play in it. We will use a simple application to illustrate how one can configure basic trust policies and deploy them in the application. While we will primarily focus on the new trust schema developments [3, 4], we will also include examples based on other libraries to provide broader coverage, highlighting current features and limitations.


  • Alex Afanasyev

    Florida International University

    • Alex Afanasyev is an Assistant Professor in Florida International University, Miami. He received his Ph.D. degree in computer science from UCLA in 2013. His research focus is on the next-generation Internet architecture as part of the Named Data Networking (NDN) project. His research interests include a variety of topics that are vital for the success of NDN, including scalability of name-based routing, auto-configuration, distributed data synchronization, application and network security. Dr. Afanasyev is also leading the development effort of the overall NDN codebase.


  • Tianyuan Yu


    • Tianyuan Yu is PhD student of Computer Science Department at University of California, Los Angeles (UCLA), under the supervision of Prof. Lixia Zhang. Before coming to UCLA, he received Bachelor degree on Electronic and Information Science and Technology from Sichuan University. Currently his research interests are Named Data Networking (NDN) and Internet of Things, specifically Lightweight Protocols for Named Data Networking of Things, Resilient and Secure Smart Home Systems, and High-level APIs for NDN with Security Built-in.


  • Proyash Podder


    • Proyash Podder is PhD student in the Knights Foundation School of Computing and Information Sciences at Florida International University, working under the supervision of Prof. Alex Afanasyev.


  • Kathleen Nichols

    Pollere, Inc.

    • Kathleen Nichols is CTO of Pollere, Inc. She received her Ph.D in electrical engineering from UC Berkeley and has worked in networking at large companies and start ups. Her current interests are in using NDN to solve edge network problems leading to the development of the open source Data-Centric Toolkit (DCT).


  • Lixia Zhang


    • Lixia Zhang is a Professor in the Computer Science Department of UCLA. She received her Ph.D in computer science from MIT and was a member of the research staff at Xerox PARC before joining UCLA. She is a fellow of ACM and IEEE, the recipient of IEEE Internet Award, and the holder of UCLA Postel Chair in Computer Science. Since 2010 she has been leading the effort on the design and development of the NDN architecture.



[1] Alexander Afanasyev, Tamer Refaei, Lan Wang, and Lixia Zhang. 2018. A Brief Introduction to Named Data Networking. In Proc. of MILCOM.

[2] Van Jacobson, Diana K Smetters, JD Thronton, Michael F Plass, Nicholas H Briggs, and RL Braynard. 2009. Network Named Content. In Proc. of CoNEXT.

[3] Kathleen Nichols. 2019. Lessons Learned Building a Secure Network Measurement Framework using Basic NDN. In Proc. of ACM ICN.

[4] Kathleen Nichols. 2021. Trust Schemas and ICN: Key to Secure IoT. In Proc. of ACM ICN.

[5] Yingdi Yu, Alexander Afanasyev, David Clark, kc claffy, Van Jacobson, and Lixia Zhang. 2015. Schematizing Trust in Named Data Networking. In Proceedings of 2nd ACM Conference on Information-Centric Networking.

[6] Lixia Zhang, Alexander Afanasyev, et al. 2014. Named data networking. ACM SIGCOMM Computer Communication Review 44, 3 (2014), 66–73.

[7] Zhiyi Zhang, Yingdi Yu, Alex Afanasyev, and Lixia Zhang. 2017. NDN Certificate Management Protocol (NDNCERT). Technical Report NDN-0050. NDN.