collapsed into a single PIT entry when
they flow through the same router. For
example, if a router receives Interests
with the same name from five of its
faces, the router only forwards the first
Interest for that name while recording the incoming faces for the other
four Interests in its PIT. When the corresponding data packet comes back,
the router forwards that matching data
back out to all five faces.
PIT state enables control of traffic
load by limiting the number of pending Interests to achieve flow balance.
(Only one Interest and one data need
to traverse any link for all requestors to
be satisfied.) The PIT state can also be
used to mitigate DDoS attacks by setting an upper bound on the number of
PIT entries allowed.
An NDN network is loop-free
because each node keeps an entry for
each outstanding Interest in its PIT,
detecting and discarding duplicates.
Each node forwards an Interest to
multiple upstream nodes simultaneously and uses the feedback loop
created by the request/response
structure to evaluate packet delivery
performance across its faces—for
example, different networks peering with a router or different wireless
links on a mobile handset.
Data signatures for provenance
and security. Another fundamental aspect of NDN is its use of cryptographic
signatures within data packets. NDN requires each data packet to be signed by
a key that binds the content to its name.
A key locator field encodes the name of
the packet’s signing key. NDN does not
dictate how the consuming application
evaluates whether to trust the key. This
data-centric approach secures the data
packet independently of how it is communicated, in contrast with channel-based models such as TLS/SSL on the
An active area of research focuses
on defining a set of well-understood
trust models from which applica-
tion developers can choose. Within a
given trust model, signatures enable
determination of data packet prove-
nance, and serve as the basic building
block of security in NDN,
encryption-based access control.
valid signature by a trusted key is a
strong indication that the data is what
it purports to be, regardless of from
where the data was retrieved. The
NDN research team is experimenting
with a variety of hierarchical, web-of-
trust, and evidentiary trust models
that use features of NDN for efficient
key dissemination and evaluation of
Diverse and pervasive storage at the
network layer. Because NDN applica-
tions do not care from where request-
ed data is retrieved, any NDN node can
answer an Interest if it has correspond-
ing data. This feature enables an NDN
network to take advantage of diverse
and pervasive forms of storage to yield
performance and scalability enhance-
ments, and also provides support for
disruption-tolerant networking (DTN).
NDN networks can republish data
from the local storage of any nearby de-
vice, use router memory as data caches,
and deploy persistent repositories that
work with any NDN content. Through
these means, NDN provides features
similar to today’s content distribution
networkse (CDNs), but at the network
layer, and thus available consistently
for all data, without contractual agree-
ments between content producers and
CDN providers. This is an active area
of exploration; for example, NDN re-
searchers are developing new primi-
tives to interact with repos and sup-
port efficient synchronization among
named data collections.
These four abstractions combine
and interact to form an NDN network.
Naming data necessitates the request/
e CDN services replicate data across a geographically distributed network connected to
the IP Internet, moving content close to high
concentrations of users to provide faster data
access over a broader area (often globally) than
a traditional Web hosting model.
Figure 2. Request/response data exchange.
1 Fetch request via
2 Any NDN node may
respond with matching
a named key.)
3 Interest reaches publisher
if no other node has
4 Data signed by
returns along the path
of pending interests.