[Nfd-dev] Question about doing remote prefix registration using Android app

Haitao Zhang zhtaoxiang at gmail.com
Wed Aug 16 12:26:54 PDT 2017


Hi John,

It works. Thanks to John and Junxiao.

To help others, here are the problems:
(1) The remote prefix registration interest should be a command Interest
(https://redmine.named-data.net/projects/nfd/wiki/Command_Interests)
but not a signed Interest
(https://redmine.named-data.net/projects/ndn-cxx/wiki/SignedInterest).
(2) Some certs cannot be fetched due to a hacker attack. Specifically, the
database used by the ndnfit (openmhealth) trust anchor is MongoDB; it was set
to accept all connections from all IPs, and hackers connected to the database
from some onion routers and deleted all the data.

I haven't solved the second problem; I will check MongoDB's manual to
restrict remote connections.

Best,
-Haitao

On Tue, Aug 15, 2017 at 11:34 AM, Haitao Zhang <zhtaoxiang at gmail.com> wrote:

> Hi John,
>
> During yesterday's NDN call, Junxiao clarified that I should use a command
> Interest but not a signed Interest to do remote prefix registration. I didn't
> have time to try it last night. Let me try it today and provide more
> feedback.
>
> Best,
> -Haitao
>
> On Mon, Aug 14, 2017 at 5:11 PM, Dehart, John <jdd at wustl.edu> wrote:
>
>>
>> Haitao,
>>
>> Any update on how this is going for you?
>>
>> John
>>
>> On Aug 11, 2017, at 4:18 AM, Haitao Zhang <zhtaoxiang at gmail.com> wrote:
>>
>>
>>
>> On Thu, Aug 10, 2017 at 3:19 PM, Junxiao Shi <
>> shijunxiao at email.arizona.edu> wrote:
>>
>>> Hi Haitao
>>>
>>> "authorization rejected" can be caused by many reasons. The router
>>> cannot tell you the exact cause for security reasons. The router should
>>> write the cause into its logs but that is not yet implemented.
>>>
>>> Given you have tried an equivalent certificate with NFD-RIB, I assume
>>> certificate issuance and trust schema configuration have no problem. You
>>> can look at the following possible causes:
>>>
>>>    - Is the Java code creating well-formed command Interests? Is the
>>>    KeyLocator correct?
>>>
>>>
>> You mean the remote prefix registration interest should be a command
>> Interest (https://redmine.named-data.net/projects/nfd/wiki/Command_Interests)
>> but not a signed Interest
>> (https://redmine.named-data.net/projects/ndn-cxx/wiki/SignedInterest), right?
>>
>> I noticed that jNDN KeyChain.sign(interest, certname) generates a signed
>> Interest. Here is an example:
>> /localhop/nfd/rib/register/h%20%07%1E%08%03org%08%0Bopenmhea
>> lth%08%0AuLsLn5csbB/%16F%1B%01%01%1CA%07%3F%08%03org%08%
>> 0Bopenmhealth%08%03KEY%08%0AuLsLn5csbB%08%11ksk-
>> 1502352233531%08%07ID-CERT/%17%FD%01%00%26%B2%93%F0%16e%
>> A0%AA%BC%80%94%1D%04%21z%1D%D6%EEQ%E1K%86%00%D4%27%E0%C9nK
>> %15%C3%9D%B6%3A%9A%1CEX%1E%E3%DC%9B%87%BE4%0AI%90%86%7F%C3%
>> 036%8B%FE%F7%C4%92%FC%D1B%A5%E5%A1%E3%F2e%7F%11%E8%10q%F5l%
>> 9EZ%B9o%B2%AB+%25%DB%1D+c%5EU%A9%20%E9%F2%F8E%10_%9F%A5%AD%
>> FE%DE%9D%88H%99J%14%3A%25%F2%9D%AD%B7%8E%26%C2G%DF%EB0%95%
>> D8%7DHnL%0C%EF%89G%0En%E7%FA%A38%B1.%D1%D3%9C%B8%A2+%A2%AC+
>> %ED%07%00%A4k%0C%1C%AAH%ADLc%A2%0D%BFLV%9C%0E%9A%F0%D4%40q%
>> F6%D3h1T%06%C0%25O%B0%F4%3E%C8%5DX%D6%EFL1%A2%08rZ%AA0%FB%
>> FCpuKUfT%81%40%9A%86A%14%DDK%5Ek%F7%A6%DC%CB%CBc%E9%C2%
>> 01qw%C5%91p%C77%CA%08%15%F5%9C%C4D%1B%15%0F%EE%0E%3F%7E%
>> DE%D1%C6%8C%D8l3%0CfON%09
>>
>> which is signed by
>> /org/openmhealth/KEY/uLsLn5csbB/ksk-1502352233531/ID-CERT/%FD%00%00%01%5D%CB+%E5S
>>
>>
>>>    - Can the router retrieve your certificate?
>>>    - Is the Java code creating valid signatures?
>>>    - Is the clock skew between router and end host too great?
>>>    NFD-RIB is very sensitive to clock skew and would reject if the time
>>>    difference is more than 3 seconds. It's also not configurable, but v2
>>>    relaxed this to 60 seconds.
>>>
>>> How is the clock skew checked by NFD, using timestamp?
>>
>>
>>> If you have access to the router, setting "Forwarder DEBUG" loglevel can
>>> help you debug.
>>>
>>> Yours, Junxiao
>>>
>>> On Thu, Aug 10, 2017 at 1:02 PM, Haitao Zhang <zhtaoxiang at gmail.com>
>>> wrote:
>>>
>>>>
>>>> My NDNFit Android app needs to do remote prefix registration on the
>>>> testbed, so Interests can be forwarded to the Android device, then the
>>>> NDNFit Android app.
>>>>
>>>> (2) Create an interest /localhop/nfd/rib/register/<control parameter
>>>> including the prefix I want to register>, sign it using
>>>> /org/openmhealth/KEY/uLsLn5csbB/ksk-1502352233531/ID-CERT/%FD%00%00%01%5D%CB+%E5S
>>>> which is further signed by NDNFit trust anchor
>>>> /org/openmhealth/KEY/ksk-1490231565751/ID-CERT/%FD%00%00%01Z%F8%B9%1Et
>>>>
>>>> (4) I got a data packet containing a message "authorization rejected".
>>>>
>>>> Best,
>>>> -Haitao
>>>>
>>>>
>>>
>>>> *To verify that the configuration works, John requested a key from
>>>> NDNFit cert management website http://128.97.98.8:5001/ (it is ported
>>>> from ndncert website and works the same way as ndncert website) and did
>>>> the following (quote his email here):*
>>>> ... I was able to register a prefix and have it propagate on the
>>>> Testbed with readvertise.
>>>>
>>>>
>>>
>
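The two rejection causes discussed in this thread (a signed Interest sent where a command Interest is expected, and clock skew beyond the 3-second or 60-second limit Junxiao mentions) can be told apart from the Interest name alone. The following is an added example, not code from the thread, jNDN or NFD; it assumes the layout `<prefix>/<ControlParameters>/<timestamp>/<nonce>/<SignatureInfo>/<SignatureValue>` for a command Interest and a plain absolute-difference clock check, and all sample components are constructed placeholders.

```python
from urllib.parse import quote, unquote_to_bytes

PREFIX = "/localhop/nfd/rib/register"   # command prefix used in the thread
CONTROL_PARAMETERS = 0x68               # TLV type; the "h" opening the thread's "h%20..." component
SIGNATURE_INFO, SIGNATURE_VALUE = 0x16, 0x17

def split_name(uri):
    # Split an NDN name URI into raw component bytes ('+' stays a literal plus).
    return [unquote_to_bytes(c) for c in uri.split("/") if c]

def build(*parts):
    # Constructed-sample helper: percent-encode raw components under PREFIX.
    return PREFIX + "".join("/" + quote(p, safe="") for p in parts)

def diagnose(uri, router_now_ms, grace_ms=60_000):
    # Assumption: the timestamp is a big-endian millisecond count and the router
    # compares |router clock - timestamp| against grace_ms (simplified check).
    comps, prefix = split_name(uri), split_name(PREFIX)
    if comps[:len(prefix)] != prefix or len(comps) == len(prefix):
        return "not a rib/register command"
    params, tail = comps[len(prefix)], comps[len(prefix) + 1:]
    if params[:1] != bytes([CONTROL_PARAMETERS]):
        return "ControlParameters component missing"
    signed = (len(tail) >= 2 and tail[-2][:1] == bytes([SIGNATURE_INFO])
              and tail[-1][:1] == bytes([SIGNATURE_VALUE]))
    if not signed:
        return "unsigned"
    if len(tail) == 2:
        return "signed Interest only: timestamp and nonce missing"
    if len(tail) != 4:
        return "unexpected component count"
    skew_ms = abs(router_now_ms - int.from_bytes(tail[0], "big"))
    if skew_ms > grace_ms:
        return f"command Interest rejected: clock skew {skew_ms} ms > {grace_ms} ms"
    return "well-formed command Interest"

# Constructed sample components (placeholder bytes, not a real key or signature).
PARAMS = bytes.fromhex("68050703080141")   # ControlParameters { Name /A }
SIG_INFO = bytes.fromhex("16031b0101")     # SignatureInfo, SignatureType 1
SIG_VALUE = bytes.fromhex("17020000")      # SignatureValue placeholder
NONCE = bytes(range(1, 9))
ROUTER_NOW_MS = 1_502_911_614_000          # constructed router clock

def stamped(age_ms):
    # Command Interest name whose timestamp is age_ms behind the router clock.
    ts = (ROUTER_NOW_MS - age_ms).to_bytes(8, "big")
    return build(PARAMS, ts, NONCE, SIG_INFO, SIG_VALUE)

if __name__ == "__main__":
    for name, grace in [(build(PARAMS, SIG_INFO, SIG_VALUE), 60_000), (stamped(5_000), 3_000)]:
        print(diagnose(name, ROUTER_NOW_MS, grace))
```

The name quoted in the thread has only SignatureInfo and SignatureValue after the ControlParameters component, which is the first case the script reports.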