[DV] How to get started? #90

Closed
yoursunny opened this issue Dec 31, 2024 · 10 comments
Labels
documentation Improvements or additions to documentation dv ndn-dv issues

Comments

@yoursunny
Member

To deploy a network with ndnd dv routing daemon:

  • What keys and certificates are required, and where to put them?
  • How to configure neighbor routers?
  • Is it necessary to manually create faces and strategies?
  • How to announce and withdraw prefixes?
@pulsejet pulsejet added the dv ndn-dv issues label Dec 31, 2024
@pulsejet
Collaborator

pulsejet commented Jan 3, 2025

Some basic docs are now in place. There's no security at the moment.

To use DV, just start two instances on different forwarders, then follow docs here to add neighbor links.
https://github.com/named-data/ndnd/blob/main/tools/dvc/README.md

No further config is needed.

To announce a prefix, register a route to NFD with origin=65.

@yoursunny
Member Author

> There's no security at the moment

Looks like I'd hold off deployment until security validation is in place.

@pulsejet
Collaborator

pulsejet commented Jan 3, 2025

Yes, this isn't production code by any means yet. Though if you have a test setup and can give it a trial run, that'll be very helpful.

@pulsejet pulsejet added the documentation Improvements or additions to documentation label Jan 14, 2025
@yoursunny
Member Author

yoursunny commented Jan 25, 2025

DV has a keychain option now:

ndnd/dv/dv.sample.yml

Lines 12 to 18 in 64d1486

# [required] Keychain URI for security
# - If "insecure" is specified, security is disabled
# - Example: dir:///absolute/path/to/keychain
keychain: "insecure"
# [required] List of full names of all trust anchors
trust_anchors:
- "/ndn/KEY/%27%C4%B2%2A%9F%7B%81%27/ndn/v=1651246789556"

What should I put in the keychain?

@pulsejet
Collaborator

Please wait, this is still WIP.

@pulsejet
Collaborator

An example is now available at https://github.com/named-data/ndnd/blob/main/docs/daemon-example.md

Still rough around the edges and subject to change.

@yoursunny
Member Author

ndnd/docs/daemon-example.md

Lines 119 to 121 in c542c2a

Next, create a directory on each node to store the keys and certificates.
Copy the keys and certificates to the respective nodes.
The trust anchor certificate must be copied to all nodes in the network.

ndnd/docs/daemon-example.md

Lines 130 to 132 in c542c2a

keychain: dir:///etc/ndnd/keys # absolute path to the keys directory
trust_anchors:
- /testnet/KEY/D%8E%F1%9C%82%19%A6a/NA/v=1737840838071 # root cert name

I don't see a field that specifies the filename of own private key.
How does DV instance know which file is its own private key?
Or is it the expectation that exactly one private key is present in the folder?

@pulsejet
Collaborator

The trust schema is used to identify usable private keys. If multiple keys are matching, the one with the newest available certificate (by version) is used.
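
The selection rule described in the comment above, sketched as an added example (not ndnd's code and not part of the thread). Assumptions: the trust schema is stood in for by a hypothetical predicate on the key name, certificate names follow the `/<identity>/KEY/<key-id>/<issuer>/v=<version>` layout seen in the configs quoted earlier, and all sample names are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// CertName is a parsed /<identity>/KEY/<key-id>/<issuer>/v=<version> name.
type CertName struct {
	KeyName string // name up to and including the key id
	Version uint64 // value of the final v= component
}

// ParseCertName splits a certificate name URI into key name and version.
func ParseCertName(uri string) (CertName, error) {
	parts := strings.Split(strings.TrimPrefix(uri, "/"), "/")
	n := len(parts)
	if n < 5 || parts[n-4] != "KEY" || !strings.HasPrefix(parts[n-1], "v=") {
		return CertName{}, fmt.Errorf("not a certificate name: %q", uri)
	}
	// err is non-nil when the version is not a decimal number.
	v, err := strconv.ParseUint(parts[n-1][2:], 10, 64)
	return CertName{KeyName: "/" + strings.Join(parts[:n-2], "/"), Version: v}, err
}

// SelectSigner returns the allowed certificate with the highest version; malformed names are skipped.
func SelectSigner(certs []string, allowed func(keyName string) bool) (best CertName, found bool) {
	for _, uri := range certs {
		c, err := ParseCertName(uri)
		if err != nil || !allowed(c.KeyName) {
			continue
		}
		if !found || c.Version > best.Version {
			best, found = c, true
		}
	}
	return best, found
}

func main() {
	// Constructed keychain listing; ok is a hypothetical stand-in for the trust schema.
	certs := []string{"/testnet/alice/KEY/k1/NA/v=1737840838071",
		"/testnet/alice/KEY/k2/NA/v=1737927238071",
		"/other/bob/KEY/k9/NA/v=1800000000000", "/testnet/alice/KEY/k1"}
	ok := func(k string) bool { return strings.HasPrefix(k, "/testnet/") }
	fmt.Println(SelectSigner(certs, ok))
}
```

A certificate with a higher version under a name the predicate rejects never wins, so an over-broad schema rule is what would let an unintended key in the keychain directory be picked for signing.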

@yoursunny
Member Author

DV with security is finally working as of 1cf08f0, using #115 (comment) configuration.

Retrieval is very slow and eventually fails:

$ time docker run --rm --cap-drop ALL --network none --user $(id -u):$(id -g) -v run-ndn:/run/nfd docker.yoursunny.dev/ndnd cat /yoursunny/vno/1.bin >1.bin
time=2025-01-26T18:04:48.850Z level=FATAL msg="Error fetching object" tag=cat err="consume: fetch seg failed with result: Timeout"

real	21m51.307s
user	0m0.147s
sys	0m0.974s

In contrast, ndncatchunks is reasonably fast (producer and forwarders are still ndnd):

$ time docker run --rm --cap-drop ALL --network none -v run-ndn:/run/nfd ghcr.io/named-data/ndn-tools ndncatchunks /yoursunny/vno/1.bin >2.bin


All segments have been received.
Time elapsed: 230.131 seconds
Segments received: 134218
Transferred size: 1.07374e+06 kB
Goodput: 37.326309 Mbit/s
Congestion marks: 24 (caused 22 window decreases)
Timeouts: 714 (caused 53 window decreases)
Retransmitted segments: 709 (0.525469%), skipped: 5
RTT min/avg/max = 117.819/122.114/203.534 ms

real	3m50.580s
user	0m1.686s
sys	0m3.869s

@pulsejet
Collaborator

Likely because there's no congestion control (#97)

> ndncatchunks is reasonably fast

That still looks pretty awful. By any chance, any numbers with NFD and/or TCP face?
