From: Kelvin Leung <kelvin_liang at outlook.com>
Date: Fri, 14 Mar 2014 00:03:20 +0800
Subject: [Ndn-interest] NDN Signature Verification

Dear all,

Our team is now deploying 2 different ICNs (i.e., NDN & PURSUIT) over SDN, which is designed for communications between these two ICN protocols. But now we encounter a problem: we cannot TRANSFER the content data from PURSUIT to NDN because of the strict signature verification. So I wonder whether it is possible for NDN to skip the verification step while still receiving the content? I know that it is a dangerous design without considering the security issues, but we want to build up a prototype first and it is supposed to combine the security scheme into it in the long term.

Thanks & Regards,
Kelvin Leung

From: Junxiao Shi <shijunxiao at email.arizona.edu>
Date: Thu, 13 Mar 2014 09:11:27 -0700
Subject: [Ndn-interest] NDN Signature Verification

Hi Kelvin,

You can use the DigestSha256 signature type: http://named-data.net/doc/ndn-tlv/signature.html#digestsha256
This signature type is a checksum over the Data packet which can be easily generated without requiring a key.

Yours, Junxiao

From: Nick Briggs <briggs at parc.com>
Date: Thu, 13 Mar 2014 09:14:22 -0700
Subject: [Ndn-interest] NDN Signature Verification

Or you could sign it with a key issued for the gateway service... that way you can know how much to trust the data.
From: Ignacio.Solis at parc.com
Date: Thu, 13 Mar 2014 16:26:04 +0000
Subject: [Ndn-interest] NDN Signature Verification

In the case of CCN 1.x (probably does not apply to NDN) here is what you can expect:

* The forwarding path of CCN 1.x does not check signatures. (There might be a firewall that might check signatures, but in regular operation the forwarding path will not check them.)
* If an interest has a KeyID restriction, the forwarding path will check that the KeyID field in the content object matches that of the interest.
* Caches/ContentStores WILL check the signature if an interest has a KeyID restriction. In this case, if the signature does not verify, the caches are not allowed to reply. This is important to prevent attack amplification.
* Caches/ContentStores may not check the signature if the interest does not include a KeyID restriction.
* The forwarding path and Caches/ContentStores will check the content object hash if the Interest has a content object hash restriction. This hash is over the Content Object completely; this includes the signature.
So if an interest includes this restriction it must match the correct hash (potentially with the incorrect signature?).

As Nick stated, you can sign content with the key of the proxy. This might be a good solution given that it's the proxy who is generating the content objects.

One obvious approach is to encapsulate either CCN/NDN in PURSUIT or the other way around. In either of these cases you are really just doing a tunnel and not a conversion.

Nacho

--
Nacho (Ignacio) Solis
Senior Research Scientist
Palo Alto Research Center (PARC)
+1(650)812-4458
Ignacio.Solis at parc.com

From: Alex Afanasyev <alexander.afanasyev at ucla.edu>
Date: Wed, 19 Mar 2014 09:21:09 -0700
Subject: [Ndn-interest] about Content items (data) are split into packets

Hi Chen,

Each data packet is always unique and has a unique name. If you're splitting a big content into multiple packets, you (=application) are making this decision and you (=application) assign specific names for each individual packet.
Normally, you would add segment numbers as a last component.

---
Alex

On Mar 19, 2014, at 1:55 AM, Pengfei Chen <12120051 at bjtu.edu.cn> wrote:
> Hello, Nick,
> If a Content item (data) is too big and is split into packets, as it is sent by a name, when CCNx splits it into packets, how does CCNx distinguish them if I only request a part of them?
> Best Wishes
> Pengfei Chen

From: Nick Briggs <briggs at parc.com>
Date: Wed, 19 Mar 2014 10:14:35 -0700
Subject: [Ndn-interest] about Content items (data) are split into packets

As Alex says -- each ContentObject is uniquely named, typically using the segmentation profile. If you're doing CCN over IP, and the ContentObject is larger than the underlying physical transport layer can deal with, then it will get fragmented by the transport (IP) layer.
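As an added example (not code from the list or from the NDN project), the Python below builds Data packets the way Alex and Nick describe, one uniquely named packet per chunk with the segment number as the last name component, signs each with the DigestSha256 type Junxiao points to, and then verifies and reassembles them. It assumes the TLV type numbers from the NDN-TLV packet format and the 0x00 segment marker from the NDN naming conventions; the function names are mine. Nick's point shows up in `verify_digest`: a digest anyone can recompute tells the receiver the packet was not altered, not who produced it.

```python
import hashlib

DATA, NAME, NAME_COMPONENT = 0x06, 0x07, 0x08  # TLV type numbers from the NDN-TLV spec
META_INFO, CONTENT, SIGNATURE_INFO, SIGNATURE_VALUE = 0x14, 0x15, 0x16, 0x17
SIGNATURE_TYPE, DIGEST_SHA256 = 0x1B, 0  # SignatureType value 0 = DigestSha256
SEGMENT_MARKER = b"\x00"                  # NDN naming conventions: segment-number marker

def tlv(t, v):
    """Encode one TLV: 1-byte type; 1-byte length below 253, else 0xFD plus 2-byte length."""
    n = len(v)
    return bytes([t]) + (bytes([n]) if n < 253 else b"\xfd" + n.to_bytes(2, "big")) + v

def parse_tlvs(buf):
    """Decode consecutive TLVs (same length forms as tlv()) into (type, value) pairs."""
    out, i = [], 0
    while i < len(buf):
        t, i = buf[i], i + 1
        n, i = (int.from_bytes(buf[i + 1:i + 3], "big"), i + 3) if buf[i] == 0xFD else (buf[i], i + 1)
        out.append((t, buf[i:i + n]))
        i += n
    return out

def make_segment(prefix, seg_no, payload):
    """Data packet named <prefix>/<segment seg_no>, signed with DigestSha256 (no key involved)."""
    name = tlv(NAME, b"".join(tlv(NAME_COMPONENT, c) for c in prefix)
               + tlv(NAME_COMPONENT, SEGMENT_MARKER + seg_no.to_bytes(1, "big")))  # demo: < 256 segments
    sig_info = tlv(SIGNATURE_INFO, tlv(SIGNATURE_TYPE, bytes([DIGEST_SHA256])))
    signed_portion = name + tlv(META_INFO, b"") + tlv(CONTENT, payload) + sig_info
    return tlv(DATA, signed_portion + tlv(SIGNATURE_VALUE, hashlib.sha256(signed_portion).digest()))

def segment_content(prefix, content, seg_size):
    """Application-level segmentation: one uniquely named Data packet per chunk of content."""
    return [make_segment(prefix, i, content[j:j + seg_size]) for i, j in enumerate(range(0, len(content), seg_size))]

def verify_digest(packet):
    """DigestSha256 check: SHA-256 over everything before SignatureValue must equal SignatureValue."""
    (t, body), = parse_tlvs(packet)
    fields = dict(parse_tlvs(body))
    sig_type = dict(parse_tlvs(fields.get(SIGNATURE_INFO, b""))).get(SIGNATURE_TYPE)
    if t != DATA or sig_type != bytes([DIGEST_SHA256]) or SIGNATURE_VALUE not in fields:
        return False
    sig_value = fields[SIGNATURE_VALUE]
    return hashlib.sha256(body[:-len(tlv(SIGNATURE_VALUE, sig_value))]).digest() == sig_value

def reassemble(packets):
    """Verify every segment, then join Content in segment-number order (last name component)."""
    if not all(verify_digest(p) for p in packets):
        raise ValueError("DigestSha256 mismatch: a segment was altered in transit")
    fields = [dict(parse_tlvs(parse_tlvs(p)[0][1])) for p in packets]
    by_seg = {int.from_bytes(parse_tlvs(f[NAME])[-1][1][1:], "big"): f[CONTENT] for f in fields}
    return b"".join(by_seg[i] for i in sorted(by_seg))
```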