<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Junxiao mentioned yesterday that sometimes it takes some time to retrieve the certificate for the validation. And he mentioned setting a higher retransmission count for the remote registration request if I remember correctly. <br class="">
<div class=""><br class="">
</div>
<div class="">But it’s also possible the naming of your data and keys may not fit the hierarchical model. This is just a guess. I don’t remember the specific definition of the hierarchical model.
<div class=""><br class="">
</div>
<div class="">
<div style="font-size: 12.8px;" class=""> checker</div>
<div style="font-size: 12.8px;" class=""> {</div>
<div style="font-size: 12.8px;" class=""> type hierarchical ; the certificate name of the signing key and</div>
<div style="font-size: 12.8px;" class=""> ; the data name must follow the hierarchical model</div>
<div style="font-size: 12.8px;" class=""> sig-type ecdsa-sha256 ; data must have a ecdsa-sha256 signature</div>
<div style="font-size: 12.8px;" class=""> }</div>
<div class="">
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; " class="">
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; " class="">
<span class="Apple-style-span" style="border-collapse: separate; font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal; border-spacing: 0px;">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; " class="">
<div class=""><br class="Apple-interchange-newline">
Lan</div>
</div>
</span></div>
</div>
</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Aug 10, 2017, at 3:02 PM, Haitao Zhang <<a href="mailto:zhtaoxiang@gmail.com" class="">zhtaoxiang@gmail.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">
<div class="">Hi Dev team,</div>
<div class=""><br class="">
</div>
<div class="">
<div style="font-size:12.8px" class="">My NDNFit Android app needs to do remote prefix registration on the testbed, so Interests can be forwarded to the Android device, then the NDNFit Android app. </div>
<div style="font-size:12.8px" class=""><br class="">
</div>
<div style="font-size:12.8px" class="">To do it, I did the following steps. But it failed, could you help to take a look if I did something wrong?</div>
<div style="font-size:12.8px" class="">(0) John configured NDNFit trust anchor <span style="font-size:13px;color:rgb(38,50,56)" class="">/org/openmhealth/KEY/<wbr class="">ksk-</span><span style="font-size:13px;color:rgb(38,50,56)" class="">1490231565751/ID-CERT/%FD%<wbr class="">00%</span><span style="font-size:13px;color:rgb(38,50,56)" class="">00%01Z%F8%B9%1Et</span> to
be a new trust anchor on the testbed. The configuration has been verified to be correct (details at the end of the email).</div>
<div style="font-size:12.8px" class="">(1) I configured NDN-Android to <span style="font-size:12.8px" class="">connect to</span><span style="font-size:12.8px" class=""> </span><a href="http://spurs.ucla.edu/" target="_blank" style="font-size:12.8px" class="">spurs.ucla.edu</a><span style="font-size:12.8px" class="">,
and register prefix "/localhop" on udp://</span><a href="http://spurs.cs.ucla.edu/" target="_blank" style="font-size:12.8px" class="">spurs.cs.ucla.edu</a><span style="font-size:12.8px" class=""> </span><span style="font-size:12.8px" class="">(UCLA node).
Notice that, b</span><span style="color:rgb(38,50,56);font-size:13px" class="">y default, NDN-Android doesn't register "/localhop"</span></div>
<div style="font-size:12.8px" class="">(2) Create an interest <span style="color:rgb(0,128,0);font-weight:bold;font-family:Menlo;font-size:9pt" class="">/localhop/nfd/rib/reg<wbr class="">ister/<control parameter including the prefix I want to register></span>,
sign it using </div>
<span style="font-size:12.8px" class="">/org/openmhealth/KEY/</span><wbr style="font-size:12.8px" class=""><span style="font-size:12.8px" class="">uLsLn5csbB/ksk-1502352233531/</span><wbr style="font-size:12.8px" class=""><span style="font-size:12.8px" class="">ID-CERT/%FD%00%00%01%5D%CB+%</span><wbr style="font-size:12.8px" class=""><span style="font-size:12.8px" class="">E5S</span><br style="font-size:12.8px" class="">
<span style="font-size:12.8px" class="">which is further signed by </span><br style="font-size:12.8px" class="">
<span style="font-size:12.8px" class="">NDNFit trust anchor /org/openmhealth/KEY/ksk-</span><wbr style="font-size:12.8px" class=""><span style="font-size:12.8px" class="">1490231565751/ID-CERT/%FD%00%</span><wbr style="font-size:12.8px" class=""><span style="font-size:12.8px" class="">00%01Z%F8%B9%1Et</span><br style="font-size:12.8px" class="">
<span style="font-size:12.8px" class="">(Those two certs are publicly available, you can connect to any NDN testbed node, then do ndnpeek to fetch those two certs)</span>
<div style="font-size:12.8px" class=""><span style="color:rgb(38,50,56);font-size:13px" class=""><br class="">
</span></div>
<div style="font-size:12.8px" class="">
<div style="font-size:12.8px" class="">Java code:</div>
Name remotePrefixRegisterPrefix = new Name("/localhop/nfd/rib/<wbr class="">register");<br class="">
ControlParameters params = new ControlParameters();<br class="">
params.setName(new Name(prefix));<br class="">
remotePrefixRegisterPrefix.<wbr class="">append(params.wireEncode());<br class="">
Interest remotePrefixRegisterInterest = new Interest(<wbr class="">remotePrefixRegisterPrefix);<br class="">
keyChain.sign(<wbr class="">remotePrefixRegisterInterest, keyChain.<wbr class="">getDefaultCertificateName());</div>
<div style="font-size:12.8px" class=""><br class="">
<div style="font-size:12.8px" class="">I set the default certificate to be <span style="font-family:arial,helvetica,sans-serif;font-size:small" class="">/</span><span style="font-family:arial,helvetica,sans-serif;font-size:small" class="">org/openmhealth/KEY/<wbr class="">uLsLn5csbB/ksk-1502352233531/<wbr class="">ID-CERT/%FD%00%00%01%5D%CB+%<wbr class="">E5S</span></div>
</div>
<div style="font-size:12.8px" class=""><span style="color:rgb(38,50,56);font-size:13px" class=""><br class="">
</span></div>
<div style="font-size:12.8px" class="">
<div style="font-size:12.8px" class=""><span style="color:rgb(38,50,56);font-size:13px" class="">(3) Send it out. As I registered "/localhop" on UCLA node, the interest should go to UCLA node.</span></div>
<div style="font-size:12.8px" class=""><span style="font-size:13px;color:rgb(38,50,56)" class="">(4) I got an data packet containing a message "</span><font color="#263238" class="">authorization rejected</font><span style="font-size:13px;color:rgb(38,50,56)" class="">".</span></div>
</div>
<br clear="all" style="font-size:12.8px" class="">
<div style="font-size:12.8px" class="">
<div class="gmail-m_-4688405733903218696gmail_signature">
<div dir="ltr" class="">
<div class="">Best,<br class="">
</div>
-Haitao<br class="">
</div>
<div dir="ltr" class=""><br class="">
</div>
<div class=""><b class="">To make NDNFit another trust anchor on testbed, nfd.conf file is modified (the red part is added)</b></div>
<div dir="ltr" class="">
<div style="font-size:12.8px" class="">localhop_security</div>
<div style="font-size:12.8px" class=""> {</div>
<div style="font-size:12.8px" class=""> ; This section defines the trust model for NFD RIB Management. It consists of rules and</div>
<div style="font-size:12.8px" class=""> ; trust-anchors, which are briefly defined in this file. For more information refer to</div>
<div style="font-size:12.8px" class=""> ; manpage of ndn-validator.conf:</div>
<div style="font-size:12.8px" class=""> ;</div>
<div style="font-size:12.8px" class=""> ; man ndn-validator.conf</div>
<div style="font-size:12.8px" class=""> ;</div>
<div style="font-size:12.8px" class=""> ; A trust-anchor is a pre-trusted certificate. This can be any certificate that is the</div>
<div style="font-size:12.8px" class=""> ; root of certification chain (e.g., NDN testbed root certificate) or an existing</div>
<div style="font-size:12.8px" class=""> ; default system certificate `default.ndncert`.</div>
<div style="font-size:12.8px" class=""> ;</div>
<div style="font-size:12.8px" class=""> ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the</div>
<div style="font-size:12.8px" class=""> ; rules defined here. A rule can be broken into two parts: matching & checking. A packet</div>
<div style="font-size:12.8px" class=""> ; will be matched against rules from the first to the last until a matched rule is</div>
<div style="font-size:12.8px" class=""> ; encountered. The matched rule will be used to check the packet. If a packet does not</div>
<div style="font-size:12.8px" class=""> ; match any rule, it will be treated as invalid. The matching part of a rule consists</div>
<div style="font-size:12.8px" class=""> ; of `for` and `filter` sections. They collectively define which packets can be checked</div>
<div style="font-size:12.8px" class=""> ; with this rule. `for` defines packet type (data or interest) and `filter` defines</div>
<div style="font-size:12.8px" class=""> ; conditions on other properties of a packet. Right now, you can only define conditions</div>
<div style="font-size:12.8px" class=""> ; on packet name, and you can only specify ONLY ONE filter for packet name. The</div>
<div style="font-size:12.8px" class=""> ; checking part of a rule consists of `checker`, which defines the conditions that a</div>
<div style="font-size:12.8px" class=""> ; VALID packet MUST have. See comments in checker section for more details.</div>
<div style="font-size:12.8px" class=""><br class="">
</div>
<div style="font-size:12.8px" class=""> rule</div>
<div style="font-size:12.8px" class=""> {</div>
<div style="font-size:12.8px" class=""> id "NRD Prefix Registration Command Rule"</div>
<div style="font-size:12.8px" class=""> for interest ; rule for Interests (to validate CommandInterests)</div>
<div style="font-size:12.8px" class=""> filter</div>
<div style="font-size:12.8px" class=""> {</div>
<div style="font-size:12.8px" class=""> type name ; condition on interest name (w/o signature)</div>
<div style="font-size:12.8px" class=""> regex ^[<localhop><localhost>]<nfd><<wbr class="">rib>[<register><unregister>]<><wbr class="">$ ; prefix before</div>
<div style="font-size:12.8px" class=""> ; timestamp</div>
<div style="font-size:12.8px" class=""> }</div>
<div style="font-size:12.8px" class=""> checker</div>
<div style="font-size:12.8px" class=""> {</div>
<div style="font-size:12.8px" class=""> type customized</div>
<div style="font-size:12.8px" class=""> sig-type rsa-sha256 ; interest must have a rsa-sha256 signature</div>
<div style="font-size:12.8px" class=""> key-locator</div>
<div style="font-size:12.8px" class=""> {</div>
<div style="font-size:12.8px" class=""> type name ; key locator must be the certificate name of the</div>
<div style="font-size:12.8px" class=""> ; signing key</div>
<div style="font-size:12.8px" class=""> regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-<wbr class="">CERT>$</div>
<div style="font-size:12.8px" class=""> }</div>
<div style="font-size:12.8px" class=""> }</div>
<div style="font-size:12.8px" class=""> checker</div>
<div style="font-size:12.8px" class=""> {</div>
<div style="font-size:12.8px" class=""> type customized</div>
<div style="font-size:12.8px" class=""> sig-type ecdsa-sha256 ; interest must have a ecdsa-sha256 signature</div>
<div style="font-size:12.8px" class=""> key-locator</div>
<div style="font-size:12.8px" class=""> {</div>
<div style="font-size:12.8px" class=""> type name ; key locator must be the certificate name of the</div>
<div style="font-size:12.8px" class=""> ; signing key</div>
<div style="font-size:12.8px" class=""> regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-<wbr class="">CERT>$</div>
<div style="font-size:12.8px" class=""> }</div>
<div style="font-size:12.8px" class=""> }</div>
<div style="font-size:12.8px" class=""> }</div>
<div style="font-size:12.8px" class=""> rule</div>
<div style="font-size:12.8px" class=""> {</div>
<div style="font-size:12.8px" class=""> id "NDN Testbed Hierarchy Rule"</div>
<div style="font-size:12.8px" class=""> for data ; rule for Data (to validate NDN certificates)</div>
<div style="font-size:12.8px" class=""> filter</div>
<div style="font-size:12.8px" class=""> {</div>
<div style="font-size:12.8px" class=""> type name ; condition on data name</div>
<div style="font-size:12.8px" class=""> regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-<wbr class="">CERT><>$</div>
<div style="font-size:12.8px" class=""> }</div>
<div style="font-size:12.8px" class=""> checker</div>
<div style="font-size:12.8px" class=""> {</div>
<div style="font-size:12.8px" class=""> type hierarchical ; the certificate name of the signing key and</div>
<div style="font-size:12.8px" class=""> ; the data name must follow the hierarchical model</div>
<div style="font-size:12.8px" class=""> sig-type rsa-sha256 ; data must have a rsa-sha256 signature</div>
<div style="font-size:12.8px" class=""> }</div>
<div style="font-size:12.8px" class=""> checker</div>
<div style="font-size:12.8px" class=""> {</div>
<div style="font-size:12.8px" class=""> type hierarchical ; the certificate name of the signing key and</div>
<div style="font-size:12.8px" class=""> ; the data name must follow the hierarchical model</div>
<div style="font-size:12.8px" class=""> sig-type ecdsa-sha256 ; data must have a ecdsa-sha256 signature</div>
<div style="font-size:12.8px" class=""> }</div>
<div style="font-size:12.8px" class=""> }</div>
<div style="font-size:12.8px" class=""> trust-anchor</div>
<div style="font-size:12.8px" class=""> {</div>
<div style="font-size:12.8px" class=""> type file</div>
<div style="font-size:12.8px" class=""> file-name keys/ndn-testbed-root.ndncert.<wbr class="">base64</div>
<div class="gmail-m_-4688405733903218696gmail-adL" style="font-size:12.8px">
<div class="gmail-m_-4688405733903218696gmail-adm"></div>
<div class="gmail-m_-4688405733903218696gmail-im">
<div class=""> }</div>
<div class=""><font color="#ff0000" class=""> <span style="font-size:12.8px" class=""> trust-anchor</span></font></div>
<div style="font-size:12.8px" class=""><font color="#ff0000" class=""> {</font></div>
<div style="font-size:12.8px" class=""><font color="#ff0000" class=""> type file</font></div>
<div style="font-size:12.8px" class=""><font color="#ff0000" class=""> file-name keys/openmhealth.cert</font></div>
<div style="font-size:12.8px" class=""><font color="#ff0000" class=""> }</font></div>
<div class=""> }</div>
</div>
</div>
</div>
<div dir="ltr" class=""><br class="">
</div>
<div dir="ltr" class=""><br class="">
</div>
<div class=""><b class="">To verify that the configuration works, John requested a key from NDNFit cert management website <a href="http://128.97.98.8:5001/" target="_blank" class="">http://128.97.98.8:<wbr class="">5001/</a> (it is ported from ndncert website
and works the same way as ndncert website) and did the following (quote his email here):</b></div>
<div class="">
<div style="font-size:12.8px" class="">... I was able to register a prefix and have it propagate on the Testbed with readvertise.</div>
<div style="font-size:12.8px" class=""><br class="">
</div>
<div style="font-size:12.8px" class="">I ran this script to start NFD and set my identity:</div>
<div style="font-size:12.8px" class=""><br class="">
</div>
<div style="font-size:12.8px" class="">
<div class="">#!/bin/bash</div>
<div class=""><br class="">
</div>
<div class=""># make sure any old nfd is stopped:</div>
<div class="">nfd-stop</div>
<div class="">sleep 5</div>
<div class=""><br class="">
</div>
<div class=""># start a new nfd:</div>
<div class="">nfd-start >& nfd-start.log</div>
<div class="">sleep 5</div>
<div class=""><br class="">
</div>
<div class=""># use WU as gateway router:</div>
<div class="">nfdc register / <a class="">udp://wundngw.arl.wustl.edu</a></div>
<div class=""><br class="">
</div>
<div class=""># configure for prefix registration at WU:</div>
<div class="">nfdc register /localhop/nfd <a class="">udp4://wundngw.<wbr class="">arl.wustl.edu</a></div>
<div class=""><br class="">
</div>
<div class="">sleep 5</div>
<div class=""><br class="">
</div>
<div class=""># test connection to WU gateway with ndnping</div>
<div class="">ndnping -c 5 /ndn/edu/wustl</div>
<div class=""><br class="">
</div>
<div class=""># set identity to WU based name:</div>
<div class="">ndnsec-set-default /org/openmhealth/m8rP9jdjKp</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Then I ran ndnpingserver like this:</div>
<div class=""><br class="">
</div>
<div class="">ndnpingserver /org/openmhealth/m8rP9jdjKp/jd<wbr class="">d</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Then I checked WU and UCLA:</div>
<div class=""><br class="">
</div>
<div class="">WU:</div>
<div class="">
<div class="">ndnops@wundngw:~$ nfdc fib list | grep mhealth</div>
<div class=""> /org/openmhealth nexthops={faceid=259 (cost=22132), faceid=261 (cost=24334), faceid=277 (cost=36283)}</div>
<div class=""> /org/openmhealth/m8rP9jdjKp nexthops={faceid=259 (cost=20674), faceid=261 (cost=21391), faceid=277 (cost=34642)}</div>
<div class="">ndnops@wundngw:~$</div>
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">UCLA:</div>
<div class="">
<div class="">ndnops@spurs:~$ nfdc fib list | grep m8rP9jdjKp</div>
<div class=""> /org/openmhealth/m8rP9jdjKp nexthops={faceid=278 (cost=19669), faceid=260 (cost=22128), faceid=259 (cost=22252), faceid=276 (cost=23762), faceid=279 (cost=28847)}</div>
<div class="">ndnops@spurs:~$ nfdc fib list | grep m8rP9jdjKp</div>
<div class=""> /org/openmhealth/m8rP9jdjKp nexthops={faceid=278 (cost=19669), faceid=260 (cost=22128), faceid=259 (cost=22252), faceid=276 (cost=23762), faceid=279 (cost=28847)}</div>
<div class="">ndnops@spurs:~$</div>
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">And I show up on both!</div>
<div class=""><br class="">
</div>
<div class="">So, it appears to me to be working from a normal end host. So I think the certificate/key/trust-anchor part must</div>
<div class="">be working, right?</div>
</div>
</div>
</div>
</div>
</div>
</div>
_______________________________________________<br class="">
Nfd-dev mailing list<br class="">
<a href="mailto:Nfd-dev@lists.cs.ucla.edu" class="">Nfd-dev@lists.cs.ucla.edu</a><br class="">
http://www.lists.cs.ucla.edu/mailman/listinfo/nfd-dev<br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</body>
</html>