<div dir="ltr"><div>Hi Dev team,</div><div><br></div><div><div style="font-size:12.8px">My NDNFit Android app needs to do remote prefix registration on the testbed, so Interests can be forwarded to the Android device, then the NDNFit Android app. </div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">To do it, I did the following steps. But it failed, could you help to take a look if I did something wrong?</div><div style="font-size:12.8px">(0) John configured NDNFit trust anchor <span style="font-size:13px;color:rgb(38,50,56)">/org/openmhealth/KEY/<wbr>ksk-</span><span style="font-size:13px;color:rgb(38,50,56)">1490231565751/ID-CERT/%FD%<wbr>00%</span><span style="font-size:13px;color:rgb(38,50,56)">00%01Z%F8%B9%1Et</span> to be a new trust anchor on the testbed. The configuration has been verified to be correct (details at the end of the email).</div><div style="font-size:12.8px">(1) I configured NDN-Android to <span style="font-size:12.8px">connect to</span><span style="font-size:12.8px"> </span><a href="http://spurs.ucla.edu/" target="_blank" style="font-size:12.8px">spurs.ucla.edu</a><span style="font-size:12.8px">, and register prefix "/localhop" on udp://</span><a href="http://spurs.cs.ucla.edu/" target="_blank" style="font-size:12.8px">spurs.cs.ucla.edu</a><span style="font-size:12.8px"> </span><span style="font-size:12.8px">(UCLA node). Notice that, b</span><span style="color:rgb(38,50,56);font-size:13px">y default, NDN-Android doesn't register "/localhop"</span></div><div style="font-size:12.8px">(2) Create an interest <span style="color:rgb(0,128,0);font-weight:bold;font-family:Menlo;font-size:9pt">/localhop/nfd/rib/reg<wbr>ister/<control parameter including the prefix I want to register></span>, sign it using </div><span style="font-size:12.8px">/org/openmhealth/KEY/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">uLsLn5csbB/ksk-1502352233531/</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">ID-CERT/%FD%00%00%01%5D%CB+%</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">E5S</span><br style="font-size:12.8px"><span style="font-size:12.8px">which is further signed by </span><br style="font-size:12.8px"><span style="font-size:12.8px">NDNFit trust anchor /org/openmhealth/KEY/ksk-</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">1490231565751/ID-CERT/%FD%00%</span><wbr style="font-size:12.8px"><span style="font-size:12.8px">00%01Z%F8%B9%1Et</span><br style="font-size:12.8px"><span style="font-size:12.8px">(Those two certs are publicly available, you can connect to any NDN testbed node, then do ndnpeek to fetch those two certs)</span><div style="font-size:12.8px"><span style="color:rgb(38,50,56);font-size:13px"><br></span></div><div style="font-size:12.8px"><div style="font-size:12.8px">Java code:</div>Name remotePrefixRegisterPrefix = new Name("/localhop/nfd/rib/<wbr>register");<br>ControlParameters params = new ControlParameters();<br>params.setName(new Name(prefix));<br>remotePrefixRegisterPrefix.<wbr>append(params.wireEncode());<br>Interest remotePrefixRegisterInterest = new Interest(<wbr>remotePrefixRegisterPrefix);<br>keyChain.sign(<wbr>remotePrefixRegisterInterest, keyChain.<wbr>getDefaultCertificateName());</div><div style="font-size:12.8px"><br><div style="font-size:12.8px">I set the default certificate to be <span style="font-family:arial,helvetica,sans-serif;font-size:small">/</span><span style="font-family:arial,helvetica,sans-serif;font-size:small">org/openmhealth/KEY/<wbr>uLsLn5csbB/ksk-1502352233531/<wbr>ID-CERT/%FD%00%00%01%5D%CB+%<wbr>E5S</span></div></div><div style="font-size:12.8px"><span style="color:rgb(38,50,56);font-size:13px"><br></span></div><div style="font-size:12.8px"><div style="font-size:12.8px"><span style="color:rgb(38,50,56);font-size:13px">(3) Send it out. As I registered "/localhop" on UCLA node, the interest should go to UCLA node.</span></div><div style="font-size:12.8px"><span style="font-size:13px;color:rgb(38,50,56)">(4) I got an data packet containing a message "</span><font color="#263238">authorization rejected</font><span style="font-size:13px;color:rgb(38,50,56)">".</span></div></div><br clear="all" style="font-size:12.8px"><div style="font-size:12.8px"><div class="gmail-m_-4688405733903218696gmail_signature"><div dir="ltr"><div>Best,<br></div>-Haitao<br></div><div dir="ltr"><br></div><div><b>To make NDNFit another trust anchor on testbed, nfd.conf file is modified (the red part is added)</b></div><div dir="ltr"><div style="font-size:12.8px">localhop_security</div><div style="font-size:12.8px"> {</div><div style="font-size:12.8px"> ; This section defines the trust model for NFD RIB Management. It consists of rules and</div><div style="font-size:12.8px"> ; trust-anchors, which are briefly defined in this file. For more information refer to</div><div style="font-size:12.8px"> ; manpage of ndn-validator.conf:</div><div style="font-size:12.8px"> ;</div><div style="font-size:12.8px"> ; man ndn-validator.conf</div><div style="font-size:12.8px"> ;</div><div style="font-size:12.8px"> ; A trust-anchor is a pre-trusted certificate. This can be any certificate that is the</div><div style="font-size:12.8px"> ; root of certification chain (e.g., NDN testbed root certificate) or an existing</div><div style="font-size:12.8px"> ; default system certificate `default.ndncert`.</div><div style="font-size:12.8px"> ;</div><div style="font-size:12.8px"> ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the</div><div style="font-size:12.8px"> ; rules defined here. A rule can be broken into two parts: matching & checking. A packet</div><div style="font-size:12.8px"> ; will be matched against rules from the first to the last until a matched rule is</div><div style="font-size:12.8px"> ; encountered. The matched rule will be used to check the packet. If a packet does not</div><div style="font-size:12.8px"> ; match any rule, it will be treated as invalid. The matching part of a rule consists</div><div style="font-size:12.8px"> ; of `for` and `filter` sections. They collectively define which packets can be checked</div><div style="font-size:12.8px"> ; with this rule. `for` defines packet type (data or interest) and `filter` defines</div><div style="font-size:12.8px"> ; conditions on other properties of a packet. Right now, you can only define conditions</div><div style="font-size:12.8px"> ; on packet name, and you can only specify ONLY ONE filter for packet name. The</div><div style="font-size:12.8px"> ; checking part of a rule consists of `checker`, which defines the conditions that a</div><div style="font-size:12.8px"> ; VALID packet MUST have. See comments in checker section for more details.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"> rule</div><div style="font-size:12.8px"> {</div><div style="font-size:12.8px"> id "NRD Prefix Registration Command Rule"</div><div style="font-size:12.8px"> for interest ; rule for Interests (to validate CommandInterests)</div><div style="font-size:12.8px"> filter</div><div style="font-size:12.8px"> {</div><div style="font-size:12.8px"> type name ; condition on interest name (w/o signature)</div><div style="font-size:12.8px"> regex ^[<localhop><localhost>]<nfd><<wbr>rib>[<register><unregister>]<><wbr>$ ; prefix before</div><div style="font-size:12.8px"> ; timestamp</div><div style="font-size:12.8px"> }</div><div style="font-size:12.8px"> checker</div><div style="font-size:12.8px"> {</div><div style="font-size:12.8px"> type customized</div><div style="font-size:12.8px"> sig-type rsa-sha256 ; interest must have a rsa-sha256 signature</div><div style="font-size:12.8px"> key-locator</div><div style="font-size:12.8px"> {</div><div style="font-size:12.8px"> type name ; key locator must be the certificate name of the</div><div style="font-size:12.8px"> ; signing key</div><div style="font-size:12.8px"> regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-<wbr>CERT>$</div><div style="font-size:12.8px"> }</div><div style="font-size:12.8px"> }</div><div style="font-size:12.8px"> checker</div><div style="font-size:12.8px"> {</div><div style="font-size:12.8px"> type customized</div><div style="font-size:12.8px"> sig-type ecdsa-sha256 ; interest must have a ecdsa-sha256 signature</div><div style="font-size:12.8px"> key-locator</div><div style="font-size:12.8px"> {</div><div style="font-size:12.8px"> type name ; key locator must be the certificate name of the</div><div style="font-size:12.8px"> ; signing key</div><div style="font-size:12.8px"> regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-<wbr>CERT>$</div><div style="font-size:12.8px"> }</div><div style="font-size:12.8px"> }</div><div style="font-size:12.8px"> }</div><div style="font-size:12.8px"> rule</div><div style="font-size:12.8px"> {</div><div style="font-size:12.8px"> id "NDN Testbed Hierarchy Rule"</div><div style="font-size:12.8px"> for data ; rule for Data (to validate NDN certificates)</div><div style="font-size:12.8px"> filter</div><div style="font-size:12.8px"> {</div><div style="font-size:12.8px"> type name ; condition on data name</div><div style="font-size:12.8px"> regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-<wbr>CERT><>$</div><div style="font-size:12.8px"> }</div><div style="font-size:12.8px"> checker</div><div style="font-size:12.8px"> {</div><div style="font-size:12.8px"> type hierarchical ; the certificate name of the signing key and</div><div style="font-size:12.8px"> ; the data name must follow the hierarchical model</div><div style="font-size:12.8px"> sig-type rsa-sha256 ; data must have a rsa-sha256 signature</div><div style="font-size:12.8px"> }</div><div style="font-size:12.8px"> checker</div><div style="font-size:12.8px"> {</div><div style="font-size:12.8px"> type hierarchical ; the certificate name of the signing key and</div><div style="font-size:12.8px"> ; the data name must follow the hierarchical model</div><div style="font-size:12.8px"> sig-type ecdsa-sha256 ; data must have a ecdsa-sha256 signature</div><div style="font-size:12.8px"> }</div><div style="font-size:12.8px"> }</div><div style="font-size:12.8px"> trust-anchor</div><div style="font-size:12.8px"> {</div><div style="font-size:12.8px"> type file</div><div style="font-size:12.8px"> file-name keys/ndn-testbed-root.ndncert.<wbr>base64</div><div class="gmail-m_-4688405733903218696gmail-adL" style="font-size:12.8px"><div class="gmail-m_-4688405733903218696gmail-adm"></div><div class="gmail-m_-4688405733903218696gmail-im"><div> }</div><div><font color="#ff0000"> <span style="font-size:12.8px"> trust-anchor</span></font></div><div style="font-size:12.8px"><font color="#ff0000"> {</font></div><div style="font-size:12.8px"><font color="#ff0000"> type file</font></div><div style="font-size:12.8px"><font color="#ff0000"> file-name keys/openmhealth.cert</font></div><div style="font-size:12.8px"><font color="#ff0000"> }</font></div><div> }</div></div></div></div><div dir="ltr"><br></div><div dir="ltr"><br></div><div><b>To verify that the configuration works, John requested a key from NDNFit cert management website <a href="http://128.97.98.8:5001/" target="_blank">http://128.97.98.8:<wbr>5001/</a> (it is ported from ndncert website and works the same way as ndncert website) and did the following (quote his email here):</b></div><div><div style="font-size:12.8px">... I was able to register a prefix and have it propagate on the Testbed with readvertise.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">I ran this script to start NFD and set my identity:</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><div>#!/bin/bash</div><div><br></div><div># make sure any old nfd is stopped:</div><div>nfd-stop</div><div>sleep 5</div><div><br></div><div># start a new nfd:</div><div>nfd-start >& nfd-start.log</div><div>sleep 5</div><div><br></div><div># use WU as gateway router:</div><div>nfdc register / <a>udp://wundngw.arl.wustl.edu</a></div><div><br></div><div># configure for prefix registration at WU:</div><div>nfdc register /localhop/nfd <a>udp4://wundngw.<wbr>arl.wustl.edu</a></div><div><br></div><div>sleep 5</div><div><br></div><div># test connection to WU gateway with ndnping</div><div>ndnping -c 5 /ndn/edu/wustl</div><div><br></div><div># set identity to WU based name:</div><div>ndnsec-set-default /org/openmhealth/m8rP9jdjKp</div><div><br></div><div><br></div><div>Then I ran ndnpingserver like this:</div><div><br></div><div>ndnpingserver /org/openmhealth/m8rP9jdjKp/jd<wbr>d</div><div><br></div><div><br></div><div>Then I checked WU and UCLA:</div><div><br></div><div>WU:</div><div><div>ndnops@wundngw:~$ nfdc fib list | grep mhealth</div><div> /org/openmhealth nexthops={faceid=259 (cost=22132), faceid=261 (cost=24334), faceid=277 (cost=36283)}</div><div> /org/openmhealth/m8rP9jdjKp nexthops={faceid=259 (cost=20674), faceid=261 (cost=21391), faceid=277 (cost=34642)}</div><div>ndnops@wundngw:~$</div></div><div><br></div><div><br></div><div>UCLA:</div><div><div>ndnops@spurs:~$ nfdc fib list | grep m8rP9jdjKp</div><div> /org/openmhealth/m8rP9jdjKp nexthops={faceid=278 (cost=19669), faceid=260 (cost=22128), faceid=259 (cost=22252), faceid=276 (cost=23762), faceid=279 (cost=28847)}</div><div>ndnops@spurs:~$ nfdc fib list | grep m8rP9jdjKp</div><div> /org/openmhealth/m8rP9jdjKp nexthops={faceid=278 (cost=19669), faceid=260 (cost=22128), faceid=259 (cost=22252), faceid=276 (cost=23762), faceid=279 (cost=28847)}</div><div>ndnops@spurs:~$</div></div><div><br></div><div><br></div><div>And I show up on both!</div><div><br></div><div>So, it appears to me to be working from a normal end host. So I think the certificate/key/trust-anchor part must</div><div>be working, right?</div></div></div></div></div></div>
</div>