<div dir="auto"><div>Hi Zhiyi</div><div dir="auto"><br></div><div dir="auto">It's been a week. I saw some commits related to these items. Have you updated the deployment?</div><div dir="auto"><br></div><div dir="auto">Yours, Junxiao<br><br><div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr">On Sat, Jan 23, 2021, 04:17 Junxiao Shi <<a href="mailto:shijunxiao@email.arizona.edu">shijunxiao@email.arizona.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi Zhiyi</div><div><br></div><div>I can confirm that the routes for /ndn/CA are correct now.</div><div>If you delete packets from repo-ng's database, you do have to restart the service. repo-ng can pick up changes and unregister the prefix only if you delete Data through its API.</div><div><br></div><div>However, it seems that the CA certificate has expired:</div><div><span style="font-family:monospace">$ NDNTS_UPLINK=tcp://<a href="http://192.168.5.10" target="_blank" rel="noreferrer">192.168.5.10</a> ndncat get-segmented /ndn/CA/INFO | ndn-dissect | awk '$1>=253 && $1<=255'<br> 253 (RESERVED_3) (size: 38)<br> 254 (RESERVED_3) (size: 15) [[20171220T001939]]<br> 255 (RESERVED_3) (size: 15) [[<span style="background-color:rgb(255,255,0)">20201231T235959</span>]]</span></div><div>You'll need to use an unexpired CA certificate for certificate request to succeed, according to section "2.3.3 ValidityPeriod" requirements.</div><div><br></div>This did expose an NDNts bug that I'm still creating a request, with a ValidityPeriod that has NotBefore later than NotAfter, like this:<br><div><span style="font-family:monospace">0000 fd 00 fd 26 fd 00 fe 0f 32 30 32 31 30 31 32 33 ...&....20210123<br>0010 54 30 38 35 38 33 37 fd 00 ff 0f 32 30 32 30 31 T085837....20201<br>0020 32 33 31 54 32 33 35 39 35 39 231T235959</span><br></div><div>I'll get it fixed.<br></div><div><br></div><div>Your CA implementation is also lacking necessary checks for CA certificate validity period, according to section "2.3.3 ValidityPeriod" requirements.
</div><div><a href="https://github.com/Zhiyi-Zhang/ndncert/blob/d35bc5f78dae76cc3f56479336845cb1aeb6c9f3/src/ca-module.cpp#L270-L272" target="_blank" rel="noreferrer">https://github.com/Zhiyi-Zhang/ndncert/blob/d35bc5f78dae76cc3f56479336845cb1aeb6c9f3/src/ca-module.cpp#L270-L272</a></div><div>This must be checked during NEW command processing and possibly also before issuing each certificate. It's insufficient to only check at CA startup, because the CA certificate could become expired while the CA is running.<br></div><div><br></div><div>Yours, Junxiao<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 22, 2021 at 6:53 PM Zhiyi Zhang <<a href="mailto:zhiyi@cs.ucla.edu" target="_blank" rel="noreferrer">zhiyi@cs.ucla.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><p style="text-align:center"><font color="red"><b>External Email</b><br></font></p><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 22, 2021 at 12:55 PM Junxiao Shi <<a href="mailto:shijunxiao@email.arizona.edu" target="_blank" rel="noreferrer">shijunxiao@email.arizona.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi Zhiyi<div><br></div><div>There are still erroneous packets starting with /ndn/CA in the /localhost/repo-ng repository.</div><div>To check that, go to <a href="https://suns.cs.ucla.edu/n/" target="_blank" rel="noreferrer">https://suns.cs.ucla.edu/n/</a> , on "Routes" tab select "/ndn/CA" prefix. It should show only one nexthop pointing to the CA program.</div><div>Currently it's showing two nexthops: a repo-ng instance and the CA program.</div><div><div><br></div><div>Please delete the erroneous packets.</div><div>If you are sure no
erroneous packet exists, try restarting the repo-ng service and see whether the prefix registration clears up.</div></div></div></blockquote><div><br></div><div>I delete the packet from the SQLite database operation. </div><div>I think I will need to restart it to reflect the change.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><br></div><div>Another problem is, the CA program is not responding to certificate retrieval Interests that carry the implicit digest component.</div><div>This needs to be fixed in the CA program.</div><div><a href="https://github.com/Zhiyi-Zhang/ndncert/blob/aa60c96f609ba4a3c92344c77bbb63e6d7e116fa/tools/ndncert-ca-server.cpp#L152" target="_blank" rel="noreferrer">https://github.com/Zhiyi-Zhang/ndncert/blob/aa60c96f609ba4a3c92344c77bbb63e6d7e116fa/tools/ndncert-ca-server.cpp#L152</a></div></div></div></blockquote><div><br></div><div>Okay. I think I will need to use getFullName instead of getName()</div><div><br></div><div>Best,</div><div>Zhiyi </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><br></div><div><br></div><div>Yours, Junxiao</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 22, 2021 at 2:18 PM Zhiyi Zhang <<a href="mailto:zhiyi@cs.ucla.edu" target="_blank" rel="noreferrer">zhiyi@cs.ucla.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><p style="text-align:center"><font color="red"><b>External Email</b><br></font></p><div dir="ltr"><div>Hi Junxiao and John,</div><div><br></div>As discussed during the NFD call: <div>* I just brought the NDNCERT back online without the dependencies on the repo.<div>* Now the profile and published certs are kept by the NDNCERT CA tool. I replaced map with a fixed size queue to prevent the cache from going infinitely large.</div><div>* I've deleted the profile data from the repo</div><div><div><br></div><div>@John Then, there is no need to set up a new repo-ng. </div><div>Thank you so much.<br></div><div><br></div><div>Best,</div><div>Zhiyi</div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 22, 2021 at 10:01 AM Junxiao Shi <<a href="mailto:shijunxiao@email.arizona.edu" target="_blank" rel="noreferrer">shijunxiao@email.arizona.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi Zhiyi</div><div><br></div><div>repo-ng at /localhost/repo-ng listens on TCP port 7376.</div><div><a href="https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/repo-ng/templates/repo-ng.conf.j2#L35" target="_blank" rel="noreferrer">https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/repo-ng/templates/repo-ng.conf.j2#L35</a><br></div><div>It has registration-subset=3.</div><div><br></div><div>repo-ng at /localhost/repo-ng-2 listens on TCP port 7377.</div><div><a href="https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/repo-ng/templates/repo-ng-2.conf.j2#L32" target="_blank" rel="noreferrer">https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/repo-ng/templates/repo-ng-2.conf.j2#L32</a><br></div><div>It has registration-subset disabled.</div><div><br></div><div>ndn-python-repo listens on TCP port 7378.</div><div><a href="https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/ndn-python-repo/templates/ndn-python-repo.conf.j2#L26" target="_blank" rel="noreferrer">https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/ndn-python-repo/templates/ndn-python-repo.conf.j2#L26</a><br></div><div><br></div><div>As explained in <a href="https://www.lists.cs.ucla.edu/pipermail/nfd-dev/2021-January/004238.html" target="_blank" rel="noreferrer">https://www.lists.cs.ucla.edu/pipermail/nfd-dev/2021-January/004238.html</a> , you need another instance of repo-ng with registration-subset=0 to publish your CA profile and issued certificates.</div><div><br></div><div>Yours, Junxiao</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 22, 2021 at 12:54 PM Zhiyi Zhang <<a href="mailto:zhiyi@cs.ucla.edu" target="_blank" rel="noreferrer">zhiyi@cs.ucla.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><p style="text-align:center"><font color="red"><b>External Email</b><br></font></p><div dir="ltr">Hi John,<div><br></div><div>Could you also let me know the port number of different running instances of repo? because NDNCERT is using TCP Bulk to insert packets to repo.</div><div><br></div><div>Best,</div><div>Zhiyi</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 22, 2021 at 8:34 AM Dehart, John <<a href="mailto:jdd@wustl.edu" target="_blank" rel="noreferrer">jdd@wustl.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div><br>
</div>
Looks like there was no ‘Restart’ entry in the systemd file for the python repo.
<div>I’ve added that and we’ll see if it does better.</div>
<div><br>
</div>
<div>John</div>
<div><br>
</div>
<div>
<div><br>
<blockquote type="cite">
<div>On Jan 22, 2021, at 10:21 AM, Dehart, John via Nfd-dev <<a href="mailto:nfd-dev@lists.cs.ucla.edu" target="_blank" rel="noreferrer">nfd-dev@lists.cs.ucla.edu</a>> wrote:</div>
<br>
<div>
<div>
<br>
<div><br>
</div>
<div>I’ll take a look at the repo issue. All testbed nodes should be running both repo-ng and python repo.</div>
<div>Maybe its a systemd issue.</div>
<div><br>
</div>
<div>John</div>
<div><br>
<blockquote type="cite">
<div>On Jan 20, 2021, at 9:38 PM, Zhiyi Zhang <<a href="mailto:zhiyi@cs.ucla.edu" target="_blank" rel="noreferrer">zhiyi@cs.ucla.edu</a>> wrote:</div>
<br>
<div>
<div dir="ltr">
<div>Yeah. I found the repo is not running on the Suns: ERROR: Cannot publish certificate to repo-ng (Connection refused)</div>
<div><br>
</div>
<div>@Lixia do you know who should I contact to deploy the repo? and which repo should be used?</div>
<div><br>
</div>
<div>I just bring back the NDNCERT without the parameter to publish to the repo. After people figure out the repo deployment, I will update the parameter used in NDNCERT service.</div>
<div><br>
</div>
<div>Best,</div>
<div>Zhiyi</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Jan 20, 2021 at 11:11 AM Junxiao Shi <<a href="mailto:shijunxiao@email.arizona.edu" target="_blank" rel="noreferrer">shijunxiao@email.arizona.edu</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>Hi Zhiyi</div>
<div><br>
</div>
<div>As you mentioned on the 2021-01-15 NFD call, you have updated the deployment to use 2019 Naming Convention.</div>
<div>However, I'm now unable to retrieve the CA profile - the CA is not responding at all.</div>
<div><br>
</div>
<div><span style="font-family:monospace">$ ndnpeek -Pf /ndn/CA/INFO/32=metadata<br>
$ echo $?<br>
3</span></div>
<div><br>
</div>
<div>Wireshark and NFD counters indicate that the Interest has arrived on
<a href="http://suns.cs.ucla.edu/" target="_blank" rel="noreferrer">suns.cs.ucla.edu</a>, but there's no response.<br>
</div>
<div><br>
</div>
<div>Yours, Junxiao<br>
</div>
</div>
</blockquote>
</div></div></blockquote></div></div></div></blockquote></div></div></div></blockquote></div><br>
</blockquote></div></div>
</blockquote></div>
</blockquote></div>
</blockquote></div></div>
</blockquote></div></div>
</blockquote></div></div></div>