<div dir="ltr">Hi John,<div><br></div><div>It works. Thanks to John and Junxiao.</div><div><br></div><div>To help others, here are the problems:</div><div>(1) The remote prefix registration Interest should be a<font color="#ff0000"> command Interest</font> (<a href="https://redmine.named-data.net/projects/nfd/wiki/Command_Interests" target="_blank">https://redmine.named-data.net/projects/nfd/wiki/Command_Interests</a>), not a <font color="#ff0000">signed Interest</font> (<a href="https://redmine.named-data.net/projects/ndn-cxx/wiki/SignedInterest" target="_blank">https://redmine.named-data.net/projects/ndn-cxx/wiki/SignedInterest</a>).</div><div>(2) Some certs cannot be fetched due to a hacker attack. Specifically, the database used by the ndnfit (openmhealth) trust anchor is MongoDB; it was set to accept all connections from all IPs, and hackers connected to the database from some onion routers and deleted all the data.</div><div><br></div><div>I haven't solved the second problem; I will check MongoDB's manual to restrict remote connections.</div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Best,<br></div>-Haitao<br></div></div></div>
<br><div class="gmail_quote">On Tue, Aug 15, 2017 at 11:34 AM, Haitao Zhang <span dir="ltr"><<a href="mailto:zhtaoxiang@gmail.com" target="_blank">zhtaoxiang@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi John,<div><br></div><div>During yesterday's NDN call, Junxiao clarified that I should use a command Interest, not a signed Interest, to do remote prefix registration. I didn't have time to try it last night. Let me try it today and provide more feedback.</div><div class="gmail_extra"><br clear="all"><div><div class="m_8182305429430097572gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Best,<br></div>-Haitao<br></div></div></div><div><div class="h5">
<br><div class="gmail_quote">On Mon, Aug 14, 2017 at 5:11 PM, Dehart, John <span dir="ltr"><<a href="mailto:jdd@wustl.edu" target="_blank">jdd@wustl.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div style="word-wrap:break-word">
<div><br>
</div>
Haitao,
<div><br>
</div>
<div>Any update on how this is going for you?</div><span class="m_8182305429430097572HOEnZb"><font color="#888888">
<div><br>
</div>
<div>John</div>
</font></span><div><br>
<div>
<blockquote type="cite"><div><div class="m_8182305429430097572h5">
<div>On Aug 11, 2017, at 4:18 AM, Haitao Zhang <<a href="mailto:zhtaoxiang@gmail.com" target="_blank">zhtaoxiang@gmail.com</a>> wrote:</div>
<br class="m_8182305429430097572m_7761882355060008342Apple-interchange-newline">
</div></div><div><div><div class="m_8182305429430097572h5">
<div dir="ltr">
<div class="gmail_extra">
<div>
<div class="m_8182305429430097572m_7761882355060008342gmail_signature">
<div dir="ltr"><br>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Thu, Aug 10, 2017 at 3:19 PM, Junxiao Shi <span dir="ltr">
<<a href="mailto:shijunxiao@email.arizona.edu" target="_blank">shijunxiao@email.arizona.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>Hi Haitao</div>
<div><br>
</div>
<div>"authorization rejected" can be caused by many reasons. The router cannot tell you the exact cause for security reasons. The router should write the cause into its logs but that is not yet implemented.</div>
<div><br>
</div>
<div>Given you have tried an equivalent certificate with NFD-RIB, I assume certificate issuance and trust schema configuration have no problem. You can look at the following possible causes:</div>
<ul>
<li>Is the Java code creating well-formed command Interests? Is the KeyLocator correct?</li></ul>
</div>
</blockquote>
<div><br>
</div>
<div>You mean the remote prefix registration interest should be<font color="#ff0000"> command Interest</font> (<a href="https://redmine.named-data.net/projects/nfd/wiki/Command_Interests" target="_blank">https://redmine.named-data.ne<wbr>t/projects/nfd/wiki/Command_In<wbr>terests</a>)
 but not <font color="#ff0000">signed interest</font> (<a href="https://redmine.named-data.net/projects/ndn-cxx/wiki/SignedInterest" target="_blank">https://redmine.named-data.ne<wbr>t/projects/ndn-cxx/wiki/Signed<wbr>Interest</a>), right?</div>
<div><br>
</div>
<div>I noticed that jNDN KeyChain.sign(interest, certname) generates a signed Interest. Here is an example:</div>
<div>/localhop/nfd/rib/register/h%2<wbr>0%07%1E%08%03org%08%0Bopenmhea<wbr>lth%08%0AuLsLn5csbB/%16F%1B%<wbr>01%01%1CA%07%3F%08%03org%08%<wbr>0Bopenmhealth%08%03KEY%08%<wbr>0AuLsLn5csbB%08%11ksk-<wbr>1502352233531%08%07ID-CERT/%<wbr>17%FD%01%00%26%B2%93%F0%16e%<wbr>A0%AA%BC%80%94%1D%04%21z%1D%<wbr>D6%EEQ%E1K%86%00%D4%27%E0%C9nK<wbr>%15%C3%9D%B6%3A%9A%1CEX%1E%E3%<wbr>DC%9B%87%BE4%0AI%90%86%7F%C3%<wbr>036%8B%FE%F7%C4%92%FC%D1B%A5%<wbr>E5%A1%E3%F2e%7F%11%E8%10q%F5l%<wbr>9EZ%B9o%B2%AB+%25%DB%1D+c%5EU%<wbr>A9%20%E9%F2%F8E%10_%9F%A5%AD%<wbr>FE%DE%9D%88H%99J%14%3A%25%F2%<wbr>9D%AD%B7%8E%26%C2G%DF%EB0%95%<wbr>D8%7DHnL%0C%EF%89G%0En%E7%FA%<wbr>A38%B1.%D1%D3%9C%B8%A2+%A2%AC+<wbr>%ED%07%00%A4k%0C%1C%AAH%ADLc%<wbr>A2%0D%BFLV%9C%0E%9A%F0%D4%40q%<wbr>F6%D3h1T%06%C0%25O%B0%F4%3E%<wbr>C8%5DX%D6%EFL1%A2%08rZ%AA0%FB%<wbr>FCpuKUfT%81%40%9A%86A%14%DDK%<wbr>5Ek%F7%A6%DC%CB%CBc%E9%C2%<wbr>01qw%C5%91p%C77%CA%08%15%F5%<wbr>9C%C4D%1B%15%0F%EE%0E%3F%7E%<wbr>DE%D1%C6%8C%D8l3%0CfON%09<br>
</div>
<div><br>
</div>
<div>which is signed by /org/openmhealth/KEY/uLsLn5<wbr>csbB/ksk-1502352233531/ID-<wbr>CERT/%FD%00%00%01%5D%CB+%E5S</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<ul>
<li>Can the router retrieve your certificate?<br>
</li><li>Is the Java code creating valid signatures?</li><li>Is the clock skew between router and end host too great?<br>
NFD-RIB is very sensitive to clock skew and would reject if the time difference is more than 3 seconds. It's also not configurable, but v2 relaxed this to 60 seconds.</li></ul>
</div>
</blockquote>
<div>How is the clock skew checked by NFD, using the timestamp?</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>If you have access to the router, setting "Forwarder DEBUG" loglevel can help you debug.<br>
</div>
<div><br>
</div>
<div>Yours, Junxiao<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote"><span class="m_8182305429430097572m_7761882355060008342gmail-">On Thu, Aug 10, 2017 at 1:02 PM, Haitao Zhang
<span dir="ltr"><<a href="mailto:zhtaoxiang@gmail.com" target="_blank">zhtaoxiang@gmail.com</a>></span> wrote:<br>
</span>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left:1px solid rgb(204,204,204)">
<div dir="ltr">
<div><br>
</div>
<div><span class="m_8182305429430097572m_7761882355060008342gmail-">
<div style="font-size:12.8px">My NDNFit Android app needs to do remote prefix registration on the testbed, so Interests can be forwarded to the Android device, then the NDNFit Android app. </div>
<div style="font-size:12.8px"><br>
</div>
</span><span class="m_8182305429430097572m_7761882355060008342gmail-">
<div style="font-size:12.8px">(2) Create an interest <span style="color:rgb(0,128,0);font-family:Menlo;font-size:9pt;font-weight:bold">/localhop/nfd/rib/register/&lt;control parameter including the prefix I want to register&gt;</span>,
 sign it using </div>
<span style="font-size:12.8px">/org/openmhealth/KEY/</span><span style="font-size:12.8px">uLsLn5csb<wbr>B/ksk-1502352233531/</span><span style="font-size:12.8px">ID-CERT/%F<wbr>D%00%00%01%5D%CB+%</span><span style="font-size:12.8px">E5S</span><br style="font-size:12.8px">
<span style="font-size:12.8px">which is further signed by </span><br style="font-size:12.8px">
<span style="font-size:12.8px">NDNFit trust anchor /org/openmhealth/KEY/ksk-</span><span style="font-size:12.8px">14902<wbr>31565751/ID-CERT/%FD%00%</span><span style="font-size:12.8px">00%01Z<wbr>%F8%B9%1Et</span><br style="font-size:12.8px">
<div style="font-size:12.8px"><span style="color:rgb(38,50,56);font-size:13px"><br>
</span></div>
</span><span class="m_8182305429430097572m_7761882355060008342gmail-">
<div style="font-size:12.8px">
<div style="font-size:12.8px"><span style="color:rgb(38,50,56);font-size:13px">(4) I got a data packet containing the message "</span><font color="#263238">authorization rejected</font><span style="color:rgb(38,50,56);font-size:13px">".</span></div>
</div>
<br clear="all" style="font-size:12.8px">
<div style="font-size:12.8px">
<div class="m_8182305429430097572m_7761882355060008342gmail-m_2355754643773266943gmail-m_1052988172326031163gmail-m_-4688405733903218696gmail_signature">
<div dir="ltr">
<div>Best,<br>
</div>
-Haitao</div>
<div dir="ltr"> </div>
</div>
</div>
</span></div>
</div>
</blockquote>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left:1px solid rgb(204,204,204)">
<div dir="ltr">
<div>
<div style="font-size:12.8px">
<div class="m_8182305429430097572m_7761882355060008342gmail-m_2355754643773266943gmail-m_1052988172326031163gmail-m_-4688405733903218696gmail_signature">
<div dir="ltr"></div>
<div dir="ltr"><br>
</div>
<span class="m_8182305429430097572m_7761882355060008342gmail-">
<div><b>To verify that the configuration works, John requested a key from NDNFit cert management website <a href="http://128.97.98.8:5001/" target="_blank">http://128.97.98.8:500<wbr>1/</a> (it is ported from ndncert website
 and works the same way as ndncert website) and did the following (quote his email here):</b></div>
<div>
<div style="font-size:12.8px">... I was able to register a prefix and have it propagate on the Testbed with readvertise.<br>
</div>
</div>
</span></div>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div></div></div><span>
______________________________<wbr>_________________<br>
Nfd-dev mailing list<br>
<a href="mailto:Nfd-dev@lists.cs.ucla.edu" target="_blank">Nfd-dev@lists.cs.ucla.edu</a><br>
<a href="http://www.lists.cs.ucla.edu/mailman/listinfo/nfd-dev" target="_blank">http://www.lists.cs.ucla.edu/m<wbr>ailman/listinfo/nfd-dev</a><br>
</span></div>
</blockquote>
</div>
<br>
</div>
</div>

</blockquote></div><br></div></div></div></div>
</blockquote></div><br></div></div>
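<div>Added example (not part of the original thread, and not NFD or jNDN code): a name-level check for two of the causes discussed above, a signed Interest sent where a command Interest is expected, and a timestamp outside the clock-skew window (3 seconds, or 60 seconds for v2, as stated in the thread). It assumes a command Interest name carries &lt;timestamp&gt;/&lt;nonce&gt;/&lt;SignatureInfo&gt;/&lt;SignatureValue&gt; after the ControlParameters component, that the timestamp is a NonNegativeInteger in milliseconds, and that skew is a plain absolute difference; the function names and all sample values are constructed.</div>

```python
from urllib.parse import quote, unquote_to_bytes

# NDN TLV type numbers for the components inspected below.
CONTROL_PARAMETERS, SIGNATURE_INFO, SIGNATURE_VALUE = 0x68, 0x16, 0x17
PREFIX = [b"localhop", b"nfd", b"rib", b"register"]

def components(uri):
    """Percent-decode an NDN name URI into raw component byte strings."""
    return [unquote_to_bytes(c) for c in uri.strip("/").split("/")]

def check_register_name(uri, now_ms, max_skew_ms=3000):
    """Return (ok, reason) for a remote prefix registration Interest name."""
    comps = components(uri)
    if comps[:4] != PREFIX or len(comps) < 5 or comps[4][:1] != bytes([CONTROL_PARAMETERS]):
        return False, "not a rib/register command name"
    tail = comps[5:]
    if (len(tail) < 2 or tail[-2][:1] != bytes([SIGNATURE_INFO])
            or tail[-1][:1] != bytes([SIGNATURE_VALUE])):
        return False, "missing SignatureInfo/SignatureValue"
    if len(tail) == 2:
        return False, "signed Interest: no timestamp and nonce"
    if len(tail) != 4:
        return False, "unexpected number of components"
    timestamp_ms = int.from_bytes(tail[0], "big")  # assumed NonNegativeInteger, ms
    if abs(now_ms - timestamp_ms) > max_skew_ms:
        return False, "timestamp outside allowed clock skew"
    return True, "well-formed command Interest name"

def build(*parts):
    """Assemble a name URI from raw components (used for the constructed samples)."""
    return "/" + "/".join(quote(p, safe="") for p in PREFIX + list(parts))

def ts(ms):
    """Encode a millisecond timestamp as an 8-byte big-endian component."""
    return ms.to_bytes(8, "big")

# Constructed sample values; the signature bytes are placeholders, not real signatures.
NOW_MS = 1502400000000
PARAMS = b"\x68\x09\x07\x07\x08\x05hello"   # ControlParameters{Name=/hello}
SIGINFO = b"\x16\x03\x1b\x01\x01"
SIGVALUE = b"\x17\x04\x00\x00\x00\x00"
NONCE = bytes(range(1, 9))

SIGNED_ONLY = build(PARAMS, SIGINFO, SIGVALUE)
COMMAND = build(PARAMS, ts(NOW_MS - 1000), NONCE, SIGINFO, SIGVALUE)
STALE = build(PARAMS, ts(NOW_MS - 10000), NONCE, SIGINFO, SIGVALUE)

if __name__ == "__main__":
    for name in (SIGNED_ONLY, COMMAND, STALE):
        print(check_register_name(name, NOW_MS))
```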