[Ndn-interest] NDN Signature Verification

Ignacio.Solis at parc.com Ignacio.Solis at parc.com
Thu Mar 13 09:26:04 PDT 2014

In the case of CCN 1.x (probably does not apply to NDN) here is what you can expect:

  *   The forwarding path of CCN 1.x does not check signatures.  (There might be a firewall that might check signatures, but in regular operation the forwarding path will not check them).
  *   If an interest has a KeyID restriction the forwarding path will check that the KeyID field in the content object matches that of the interest.
  *   Caches/ContentStores WILL check the signature if an interest has a KeyID restriction. In this case, if the signature does not verify the caches are not allowed to reply.  This is important to prevent attack amplification.
  *   Caches/ContentStores may not check the signature if the interest does not include a KeyID restriction.
  *   The forwarding path and Caches/ContentStores will check the content object hash if the Interest has a con ten object hash restriction. This hash is over the Content Object completely, this includes the signature.  So if an interest includes this restriction it must match the correct hash (potentially with the incorrect signature?).

As Nick stated you can sign content with the key of the proxy. This might be a good solution given that it’s the proxy who is generating the content objects.  One obvious approach is to encapsulate either CCN/NDN in PURSUIT or the other way around. In either of these cases you are really just doing a tunnel and not a conversion.


Nacho (Ignacio) Solis
Senior Research Scientist
Palo Alto Research Center (PARC)
Ignacio.Solis at parc.com

On 3/13/14, 9:03 AM, "Kelvin Leung" <kelvin_liang at outlook.com<mailto:kelvin_liang at outlook.com>> wrote:

Dear all,

Our team is now deploying 2 different ICNs (i.e., NDN & PURSUIT) over SDN which is designed for communications between these two ICN protocols.

But now we encounter a problem that we cannot TRANSFER the content data from PURSUIT to NDN because of the strict signature verification. So I wonder is it possible that NDN skips the verification step while still receiving the content ? I know that it is a dangerous design without considering the security issues but we want to build up a prototype first and it is supposed to combine the security scheme into it in a long term.

Thanks & Regards,

Kelvin Leung
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/ndn-interest/attachments/20140313/cfc82893/attachment.html>

More information about the Ndn-interest mailing list