[Nfd-dev] Question about doing remote prefix registration using Android app

Haitao Zhang zhtaoxiang at gmail.com
Tue Aug 15 11:34:58 PDT 2017


Hi John,

During yesterday's NDN call, Junxiao clarified that I should use command
interest but not signed Interest to do remote prefix registration. I didn't
have time to try it last night. Let me try it today and provide more
feedback.

Best,
-Haitao

On Mon, Aug 14, 2017 at 5:11 PM, Dehart, John <jdd at wustl.edu> wrote:

>
> Haitao,
>
> Any update on how this is going for you?
>
> John
>
> On Aug 11, 2017, at 4:18 AM, Haitao Zhang <zhtaoxiang at gmail.com> wrote:
>
>
>
> On Thu, Aug 10, 2017 at 3:19 PM, Junxiao Shi <shijunxiao at email.arizona.edu> wrote:
>
>> Hi Haitao
>>
>> "authorization rejected" can be caused by many reasons. The router cannot
>> tell you the exact cause for security reasons. The router should write
>> the cause into its logs but that is not yet implemented.
>>
>> Given you have tried an equivalent certificate with NFD-RIB, I assume
>> certificate issuance and trust schema configuration have no problem. You
>> can look at the following possible causes:
>>
>>    - Is the Java code creating well-formed command Interests? Is the
>>    KeyLocator correct?
>>
>>
> You mean the remote prefix registration interest should be command
> Interest (https://redmine.named-data.net/projects/nfd/wiki/Command_Interests)
> but not signed interest
> (https://redmine.named-data.net/projects/ndn-cxx/wiki/SignedInterest), right?
>
> I noticed that jNDN KeyChain.sign(interest, certname) generates signed
> interest. Here is an example:
> /localhop/nfd/rib/register/h%20%07%1E%08%03org%08%
> 0Bopenmhealth%08%0AuLsLn5csbB/%16F%1B%01%01%1CA%07%3F%08%
> 03org%08%0Bopenmhealth%08%03KEY%08%0AuLsLn5csbB%08%
> 11ksk-1502352233531%08%07ID-CERT/%17%FD%01%00%26%B2%93%F0%
> 16e%A0%AA%BC%80%94%1D%04%21z%1D%D6%EEQ%E1K%86%00%D4%27%E0%
> C9nK%15%C3%9D%B6%3A%9A%1CEX%1E%E3%DC%9B%87%BE4%0AI%90%86%
> 7F%C3%036%8B%FE%F7%C4%92%FC%D1B%A5%E5%A1%E3%F2e%7F%11%E8%
> 10q%F5l%9EZ%B9o%B2%AB+%25%DB%1D+c%5EU%A9%20%E9%F2%F8E%10_%
> 9F%A5%AD%FE%DE%9D%88H%99J%14%3A%25%F2%9D%AD%B7%8E%26%C2G%
> DF%EB0%95%D8%7DHnL%0C%EF%89G%0En%E7%FA%A38%B1.%D1%D3%9C%B8%
> A2+%A2%AC+%ED%07%00%A4k%0C%1C%AAH%ADLc%A2%0D%BFLV%9C%0E%9A%
> F0%D4%40q%F6%D3h1T%06%C0%25O%B0%F4%3E%C8%5DX%D6%EFL1%A2%
> 08rZ%AA0%FB%FCpuKUfT%81%40%9A%86A%14%DDK%5Ek%F7%A6%DC%CB%
> CBc%E9%C2%01qw%C5%91p%C77%CA%08%15%F5%9C%C4D%1B%15%0F%EE%
> 0E%3F%7E%DE%D1%C6%8C%D8l3%0CfON%09
>
> which is signed by
> /org/openmhealth/KEY/uLsLn5csbB/ksk-1502352233531/ID-CERT/%FD%00%00%01%5D%CB+%E5S
>
>
>>    - Can the router retrieve your certificate?
>>    - Is the Java code creating valid signatures?
>>    - Is the clock skew between router and end host too great?
>>    NFD-RIB is very sensitive to clock skew and would reject if the time
>>    difference is more than 3 seconds. It's also not configurable, but v2
>>    relaxed this to 60 seconds.
>>
>> How is the clock skew checked by NFD, using timestamp?
>
>
>> If you have access to the router, setting "Forwarder DEBUG" loglevel can
>> help you debug.
>>
>> Yours, Junxiao
>>
>> On Thu, Aug 10, 2017 at 1:02 PM, Haitao Zhang <zhtaoxiang at gmail.com>
>> wrote:
>>
>>>
>>> My NDNFit Android app needs to do remote prefix registration on the
>>> testbed, so Interests can be forwarded to the Android device, then the
>>> NDNFit Android app.
>>>
>>> (2) Create an interest /localhop/nfd/rib/register/<control parameter
>>> including the prefix I want to register>, sign it using
>>> /org/openmhealth/KEY/uLsLn5csbB/ksk-1502352233531/ID-CERT/%FD%00%00%01%5D%CB+%E5S
>>> which is further signed by NDNFit trust anchor
>>> /org/openmhealth/KEY/ksk-1490231565751/ID-CERT/%FD%00%00%01Z%F8%B9%1Et
>>>
>>> (4) I got a data packet containing a message "authorization rejected".
>>>
>>> Best,
>>> -Haitao
>>>
>>>
>>
>>> *To verify that the configuration works, John requested a key from
>>> NDNFit cert management website http://128.97.98.8:5001/ (it is ported from
>>> ndncert website and works the same way as ndncert website) and did the
>>> following (quote his email here):*
>>> ... I was able to register a prefix and have it propagate on the Testbed
>>> with readvertise.
>>>
>>>
>>
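Added example, not part of the original thread and not NFD or jNDN code: a Python check that tells a signed-only name from a command-Interest-shaped name and applies the timestamp grace window discussed above (3 seconds, or 60 seconds for v2). It assumes the command Interest layout from the linked Command_Interests wiki page (timestamp and random-value components before SignatureInfo and SignatureValue) and a one-byte ControlParameters length; `check_command`, the sample names and the clock value are constructed for illustration.

```python
from urllib.parse import quote, unquote_to_bytes

CONTROL_PARAMETERS, SIGNATURE_INFO, SIGNATURE_VALUE = 0x68, 0x16, 0x17  # TLV types

def components(uri):
    """Split an NDN URI into percent-decoded name components (bytes)."""
    return [unquote_to_bytes(c) for c in uri.strip("/").split("/")]

def check_command(uri, now_ms, grace_ms=60_000):
    """Classify a management command name; returns (verdict, detail)."""
    comps = components(uri)
    # ControlParameters component: type 0x68 ("h") plus a one-byte length that fits.
    idx = next((i for i, c in enumerate(comps) if len(c) >= 2
                and c[0] == CONTROL_PARAMETERS and c[1] == len(c) - 2), None)
    if idx is None:
        return "malformed", "no ControlParameters component"
    tail = comps[idx + 1:]
    if (len(tail) < 2 or tail[-2][:1] != bytes([SIGNATURE_INFO])
            or tail[-1][:1] != bytes([SIGNATURE_VALUE])):
        return "unsigned", "SignatureInfo/SignatureValue missing"
    if len(tail) == 2:
        return "signed-only", "no timestamp or random value before the signature"
    if len(tail) != 4:
        return "malformed", f"{len(tail)} components after the parameters"
    # Timestamp: milliseconds since the epoch, big-endian nonNegativeInteger.
    skew = int.from_bytes(tail[0], "big") - now_ms
    verdict = "command" if abs(skew) <= grace_ms else "skewed"
    return verdict, f"timestamp off by {skew} ms"

# Constructed sample data (not taken from the thread).
def to_uri(parts):
    return "/" + "/".join(quote(p, safe="") for p in parts)

NOW = 1_502_400_000_000                      # constructed "router clock", ms
BASE = [b"localhop", b"nfd", b"rib", b"register",
        bytes.fromhex("68050703080161")]     # ControlParameters{Name=/a}
SIG = [bytes.fromhex("16031b0101"), bytes.fromhex("1702aabb")]
SIGNED_ONLY = to_uri(BASE + SIG)

def stamped(ts_ms):
    """Command-Interest-shaped name with the given timestamp."""
    return to_uri(BASE + [ts_ms.to_bytes(8, "big"), b"\x01" * 8] + SIG)

if __name__ == "__main__":
    print(check_command(SIGNED_ONLY, NOW))
    print(check_command(stamped(NOW - 5000), NOW, grace_ms=3000))
    print(check_command(stamped(NOW - 5000), NOW))
```

The check covers only name shape and clock skew; it does not verify the signature or fetch the certificate, which are the other causes listed in the thread.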