[Nfd-dev] PIB service causes remote registration of every prefix

Dave Oran (oran) oran at cisco.com
Thu May 7 06:12:55 PDT 2015


> On May 6, 2015, at 6:26 PM, Junxiao Shi <shijunxiao at email.arizona.edu> wrote:
> 
> Dear folks
> 
> 20150506 conference call discussed this problem.
> We conclude that it's acceptable to remote register prefixes for all certificates, because certificates should be made available on the networks so that others can verify previously generated Data that references those certificates.
> No design change is needed.
> 
Does this open up a cache poisoning attack?
Or a DoS attack against the routing to certificate stores?

> Yours, Junxiao
> 
> On Thu, Apr 30, 2015 at 12:19 PM, Junxiao Shi <shijunxiao at email.arizona.edu> wrote:
> Dear folks
> This message alerts you to a potential conflict between PIB service and remote registration.
> 
> PIB service
> PIB service publishes one or more certificates owned by a laptop user, by answering Interests that request those certificates.
> In order to receive those Interests, PIB service needs to register prefixes on the laptop NFD.
> PIB service may either (1) register the root prefix "ndn:/", or (2) register one prefix per certificate.
> 
> The advantage of registering the root prefix is that PIB service only needs one entry in NFD RIB and FIB.
> The drawback is that (a) PIB service will receive many unrelated Interests, and (b) the route inheritance flag 'CAPTURE' used by another app would prevent PIB service from receiving Interests for some certificates.
> 
> Due to those drawbacks, PIB service is designed to register one prefix per certificate.
> 
> Remote registration
> In order for a laptop to receive Interests from the network, NFD RIB service can be configured to register local prefixes onto a connected gateway router.
> When a local app registers a route in RIB, the RIB will send a registration command to the gateway if it is authorized to do so.
> 
> The conflict
> When reading #2201 note-12, I realize that the same issue can happen with PIB service.
> 
> In the hierarchical trust model, the user must own a certificate for a certain namespace in order to register a prefix under that namespace.
> And then, this certificate is expected to be published in PIB service, which means PIB service is going to register a prefix for this certificate.
> The route registered by PIB service in turn triggers NFD RIB service to perform remote prefix registration.
> 
> The result is: every prefix owned by the user will be registered onto the gateway router, even if no other app is using those prefixes.
> 
> Is it good or bad?
> Arguments can go both ways on whether the result above is good or bad.
> 
> Good: The network may want to retrieve those certificates, so it's correct to register those prefixes onto the gateway router.
> Bad: Remote registration is designed to register prefixes on demand when an app wants to publish. PIB service could be perceived as "not a real app". If every prefix is registered, it's no longer "on demand".
> 
> Possible solution
> If we want to avoid remote registration for PIB service routes, we could add a NO_REMOTE_REGISTRATION flag to the rib/register command.
> 
> 
> Yours, Junxiao
> 
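A toy model of the interaction the thread describes, added here as an illustration and not code from NFD or from either author. It assumes a laptop RIB that forwards authorized registrations to a gateway, the one-prefix-per-certificate PIB design, a hypothetical `scenario()` driver with constructed prefixes, and the NO_REMOTE_REGISTRATION flag exactly as proposed in the message (it is not an existing NFD option).

```python
# Added example (not NFD code): a model of the laptop RIB / gateway router
# interaction from the thread. Gateway, LocalRib and the flag value are
# assumptions for illustration; NO_REMOTE_REGISTRATION is only the proposal
# from the message, modelled here as a bit in the register command flags.

NO_REMOTE_REGISTRATION = 1  # proposed flag (assumption)


class Gateway:
    """Gateway router: accepts remote registrations from the laptop."""
    def __init__(self):
        self.rib = set()

    def register(self, prefix):
        self.rib.add(prefix)


class LocalRib:
    """Laptop NFD RIB; owned_prefixes = namespaces the user holds certs for."""
    def __init__(self, gateway, owned_prefixes):
        self.gateway = gateway
        self.owned_prefixes = owned_prefixes
        self.routes = {}  # prefix -> set of origins (apps) that registered it

    def authorized(self, prefix):
        # Hierarchical trust: remote registration is allowed only under a
        # namespace the user owns a certificate for.
        return any(prefix == p or prefix.startswith(p + "/")
                   for p in self.owned_prefixes)

    def register(self, prefix, origin, flags=0):
        """Local registration; returns True if it was also sent to the gateway."""
        self.routes.setdefault(prefix, set()).add(origin)
        if flags & NO_REMOTE_REGISTRATION or not self.authorized(prefix):
            return False
        self.gateway.register(prefix)
        return True


def scenario(pib_flags=0):
    """Constructed scenario: two owned namespaces, one real publishing app."""
    gw = Gateway()
    rib = LocalRib(gw, owned_prefixes={"/ucla/alice", "/arizona/alice"})
    # PIB registers one prefix per certificate the user owns (design choice 2).
    for cert_prefix in ("/ucla/alice/KEY", "/arizona/alice/KEY"):
        rib.register(cert_prefix, origin="pib", flags=pib_flags)
    # Only one real app publishes, and only under one namespace.
    rib.register("/ucla/alice/chat", origin="chat-app")
    return sorted(gw.rib)
```

Without the flag, every certificate prefix reaches the gateway even though only the chat app publishes; with it, only the on-demand route is registered remotely.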