[Nfd-dev] PIB service causes remote registration of every prefix

Dave Oran (oran) oran at cisco.com
Thu May 7 07:42:57 PDT 2015


> On May 7, 2015, at 10:02 AM, Junxiao Shi <shijunxiao at email.arizona.edu> wrote:
> 
> Hi Dave
> 
> There's no risk of cache poisoning.
> The gateway router registers a route to the laptop only if the laptop user owns the prefix, as proved by a certificate.
What you are saying is that the route registration is signed by a certificate specifically issued for that prefix to the user holding the corresponding private key, and this was done by a CA with authority over a shorter prefix, right?

What is the exact protocol machinery for registration? (sorry if this is obvious and written down somewhere and I haven’t seen it).

> 
> There's no increased risk of DoS'ing the certificate store (PIB service).
Agree
> The DoS risk is the same when a laptop registers at least one prefix onto the gateway router.
I’m not clear if there’s a hazard here. If the router checks that any prefix registered also has a path to the certificate registered and that the cert has been verified, I can see how this prevents DoS-by-fake-registrations. Is that in fact what’s done?

> 
> Yours, Junxiao
> 
> On Thu, May 7, 2015 at 6:12 AM, Dave Oran (oran) <oran at cisco.com> wrote:
> 
> > On May 6, 2015, at 6:26 PM, Junxiao Shi <shijunxiao at email.arizona.edu> wrote:
> > 20150506 conference call discussed this problem.
> > We conclude that it's acceptable to remote register prefixes for all certificates, because certificates should be made available on the networks so that others can verify previously generated Data that references those certificates.
> > No design change is needed.
> >
> Does this open up a cache poisoning attack?
> Or a DoS attack against the routing to certificate stores?
> 
