[Nfd-dev] delegate prefix registration

Junxiao Shi shijunxiao at email.arizona.edu
Wed Jun 15 04:38:47 PDT 2016


Hi Jeff

As indicated in #3568 <http://redmine.named-data.net/issues/3568> issue
description, ndncert certificates will be required until #2766
<http://redmine.named-data.net/issues/2766> and related functions are
available.
#2766 itself is blocked by KeyChain refactoring, so it's unlikely to be
available in the next 6 months.

For now, you have to request a user certificate for each and every machine.
You could use subaddressing (see RFC5233
<https://tools.ietf.org/html/rfc5233>) to request certificates for each
machine, such as peter+freeculture at remap.ucla.edu and
peter+confbridge at remap.ucla.edu, instead of creating whole new mailboxes.
Note that although you can request multiple user certificates with the same
email address (peter at remap.ucla.edu) or copy the same user certificate
onto multiple machines, doing so would cause those machines to register the
same prefix on the router and rely on strategy to determine the correct
route, which can worsen forwarding performance.

I do have a method to create delegated certificates like what Peter is
trying to do, using only supported software.
The basic idea is to publish certificates on an always-on server, so that
the testbed router can retrieve them.
I'll write a blog post about this soon.

Yours, Junxiao

On Wed, Jun 15, 2016 at 3:34 AM, Burke, Jeff <jburke at remap.ucla.edu> wrote:

> How / when are we going to be able to delegate in this way?
> We have many machines that are not directly associated with a user cert.
>
> Jeff
>
>
>
> *From: *Nfd-dev <nfd-dev-bounces at lists.cs.ucla.edu> on behalf of Junxiao
> Shi <shijunxiao at email.arizona.edu>
> *Date: *Monday, June 13, 2016 at 9:53 PM
> *To: *"Gusev, Peter" <peter at remap.ucla.edu>
> *Cc: *"<nfd-dev at lists.cs.ucla.edu>" <nfd-dev at lists.cs.ucla.edu>
> *Subject: *Re: [Nfd-dev] [ndn] NDN Seminar: Practical Congestion Control
> for NDN
>
>
>
> This sequence is incorrect. You cannot use any certificate other than
> the one directly requested from ndncert.
>
> On Jun 13, 2016 12:22 PM, "Gusev, Peter" <peter at remap.ucla.edu> wrote:
>
> Hi Junxiao,
>
> I generated a cert request on freeculture like this:
>
>         $ ndnsec-keygen /ndn/edu/ucla/remap/peter/freeculture > freeculture.pub
>
> Then, I signed it on my machine:
>
>         $ ndnsec-certgen -N freeculture -p /ndn/edu/ucla/remap/peter -r freeculture.pub > freeculture.signed
>
> I sent freeculture.signed back to the freeculture machine, as well as my
> certificate (previously dumped):
>
>         $ ndnsec-cert-dump /ndn/edu/ucla/remap/peter > peter.cert
>
> Finally, I installed both certificates on freeculture machine:
>
> $ ndnsec-install-cert peter.cert
> $ ndnsec-install-cert freeculture.signed
>
> Both ended successfully. I then switched default identity to
> /ndn/edu/ucla/remap/peter/freeculture on freeculture machine:
>
> $ ndnsec set-default /ndn/edu/ucla/remap/peter/freeculture
>
> However, I don’t see connectivity to the testbed after running
> ndn-autoconfig.
>
> Was the above sequence correct?
>
> Thanks,
>
> --
> Peter Gusev
>
>