[Nfd-dev] Handling new content in app for pending interest in NFD

Wentao Shang wentaoshang at gmail.com
Mon Mar 30 16:50:28 PDT 2015


Hi Nacho,

I don't have any argument against this rule right now. But it seems more
relevant to "forwarding" data packets, while the problem we were discussing
is about "caching" unsolicited data packets, which cannot be forwarded
anyway because there is no PIT. The simplest solution I would suggest to
the problem is to drop any unsolicited data in the forwarder.

Wentao

On Mon, Mar 30, 2015 at 3:42 PM <Ignacio.Solis at parc.com> wrote:

>  This rule is important, router or not. You can't have "non-privileged"
>  applications generating replies at servers. Especially important at systems
> with multiple users, tenants, virtual systems.
>
>  At the local router there are even more restrictions.  We haven't even
> gotten to talking about privileged names and restrictions and end-h out
> behavior.   We have a design  for this for CCN that we'll be talking about
> at CCNxCon.
>
>  Nacho (Ignacio) Solis
> Principal Scientist
> Palo Alto Research Center
>
>  *From:* Wentao Shang <wentaoshang at gmail.com>
> *Sent:* Mar 30, 2015 1:07 PM
> *To:* Mosko, Marc <Marc.Mosko at parc.com>
>
> *Cc:* nfd-dev at lists.cs.ucla.edu
> *Subject:* Re: [Nfd-dev] Handling new content in app for pending interest
> in NFD
>
> On Mon, Mar 30, 2015 at 12:52 PM <Marc.Mosko at parc.com> wrote:
>
>> I’ll add that in addition to the content having a PIT entry, Nacho Solis
>> has suggested that a router should verify that a Content Object came in a
>> face from which it was requested.  Otherwise, there’s a potential for
>> off-path attacks sending content objects that match popular well-known
>> names.  A variation on that, rather than tracking forward paths, would be
>> to at minimum verify that a content object comes from a face for which
>> there’s a corresponding FIB entry for the name.
>>
>
>  This requirement makes sense for transit routers that receive packets
> from other routers. But I'm not sure whether this is necessary for
> forwarding daemons handling local applications... The pushed data should
> never get out of the local forwarder unless there is a PIT entry specifying
> a path pointing to some other router.
>
>  Wentao
>
>
>>
>>  Marc
>>
>>  On Mar 30, 2015, at 12:08 PM, Wentao Shang <wentaoshang at gmail.com>
>> wrote:
>>
>>  I agree with Dave.
>>
>>  In principle, a router should not cache unsolicited data. In the
>> situation we are discussing, the application should either just push the
>> data out, which may be dropped by NFD if the interest has expired, or store
>> the data in some application-level cache (or repo) for future fetching.
>>
>>  Wentao
>>
>> On Mon, Mar 30, 2015 at 11:52 AM Dave Oran (oran) <oran at cisco.com> wrote:
>>
>>> Isn’t this what the repo was invented for?
>>>
>>> Holding packets in a router that has forgotten that they were asked for
>>> is a giant invitation to cache pollution/poisoning attacks.
>>>
>>> > On Mar 30, 2015, at 2:24 PM, Haowei Yuan <hyuan at wustl.edu> wrote:
>>> >
>>> > I think as long as the data has actually been requested by an Interest
>>> > packet, it is safe to send the Data packet to NFD. The NFD will either
>>> > forward or drop the Data packet by checking if the Interest has
>>> > expired.
>>> >
>>> > If the Interest has expired, Data packet is dropped, and the consumer
>>> > is still interested in the data, the consumer could resend the
>>> > Interest. Hopefully this time, the Data packet can be generated and
>>> > sent faster by the application so that NFD will forward it.
>>> >
>>> > Haowei
>>> >
>>> >
>>> > On Mon, Mar 30, 2015 at 1:12 PM, Anil Jangam <anilj.mailing at gmail.com> wrote:
>>> >>
>>> >> On Mar 30, 2015 11:08 AM, "Dehart, John" <jdd at wustl.edu> wrote:
>>> >>>
>>> >>>
>>> >>> Is there any harm in it pushing the data out without knowing for sure if
>>> >>> the Interest is still active?
>>> >>>
>>> >> If data is so critical, can the Interest be refreshed proactively before it
>>> >> expires?
>>> >>
>>> >> /anil
>>> >>
>>> >>> John
>>> >>>
>>> >>>> On Mar 30, 2015, at 1:05 PM, Burke, Jeff <jburke at remap.ucla.edu> wrote:
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> On Mon, Mar 30, 2015 at 10:28 AM Burke, Jeff <jburke at remap.ucla.edu>
>>> >>>>> wrote:
>>> >>>>>>
>>> >>>>>>
>>> >>>>>> Hi folks,
>>> >>>>>>
>>> >>>>>> We are facing this scenario in a few applications:
>>> >>>>>>
>>> >>>>>> 1) Interest received by NFD, passed to an application
>>> >>>>>> 2) Application not able to respond to interest, so interest stays in
>>> >>>>>> NFD PIT
>>> >>>>>> 3) Some time passes, but not enough for the Interest to expire
>>> >>>>>> 4) Application generates data (e.g., from a sensor reading) that would
>>> >>>>>> answer the Interest in the NFD PIT
>>> >>>>>>
>>> >>>>>> Question: How does app know to inform NFD it has the data after step 4,
>>> >>>>>> and how should it do that?
>>> >>>>>>
>>> >>>>>> - In this type of app, should it push the data unsolicited to the NFD
>>> >>>>>> and let it decide if there is something to do?
>>> >>>>>
>>> >>>>>
>>> >>>>> In my opinion, as long as the application is certain that the Interest
>>> >>>>> has arrived and is stored in NFD's PIT, it can just push the data out to
>>> >>>>> NFD.
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>> How certain does it have to be?  There is a chance it could have
>>> >>>> expired...
>>> >>>> jeff
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>>>
>>> >>>>> Wentao
>>> >>>>>
>>> >>>>>>
>>> >>>>>> - Is it recommended to implement an application-level PIT so the app is
>>> >>>>>> sure this data is solicited?  (Why add another PIT?)
>>> >>>>>>
>>> >>>>>> Thank you,
>>> >>>>>> Jeff
>>> >>>>>>
>>> >>>>>> _______________________________________________
>>> >>>>>> Nfd-dev mailing list
>>> >>>>>> Nfd-dev at lists.cs.ucla.edu
>>> >>>>>> http://www.lists.cs.ucla.edu/mailman/listinfo/nfd-dev
>>> >>>>
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>>
>>>
>>>
>>
>>
>>
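
The Data-path rules proposed across this thread (drop Data that has no live PIT entry, never cache it, and accept Data only from a face the Interest was forwarded to) can be modelled as below. This is an added example, not NFD or CCNx code; `ToyForwarder`, `PitEntry`, `Verdict`, the names and the face numbers are hypothetical.

```cpp
#include <map>
#include <set>
#include <string>
// Simplified model of the Data-path checks discussed in this thread.
// All types and names are hypothetical; this is not NFD source code.
enum class Verdict { Forwarded, DroppedUnsolicited, DroppedExpired, DroppedWrongFace };

struct PitEntry {
  std::set<int> downstream;  // faces the Interest arrived on (consumers)
  std::set<int> upstream;    // faces the Interest was forwarded to (producers)
  long expiresAtMs;          // Interest lifetime deadline
};

class ToyForwarder {
public:
  // Record an Interest: where it came from, where it was sent, and its lifetime.
  void onInterest(const std::string& name, int inFace, int outFace, long nowMs, long lifetimeMs) {
    PitEntry& e = pit_[name];
    e.downstream.insert(inFace);
    e.upstream.insert(outFace);
    e.expiresAtMs = nowMs + lifetimeMs;
  }
  // Apply the thread's rules to an arriving Data packet.
  Verdict onData(const std::string& name, int inFace, long nowMs) {
    auto it = pit_.find(name);
    if (it == pit_.end())
      return Verdict::DroppedUnsolicited;  // no PIT entry: drop, never cache
    if (nowMs >= it->second.expiresAtMs) {
      pit_.erase(it);                      // Interest expired: same as unsolicited
      return Verdict::DroppedExpired;
    }
    if (it->second.upstream.count(inFace) == 0)
      return Verdict::DroppedWrongFace;    // off-path sender: entry stays pending
    cs_.insert(name);                      // only solicited, on-path Data is cached
    pit_.erase(it);                        // Interest satisfied
    return Verdict::Forwarded;
  }
  bool isCached(const std::string& name) const { return cs_.count(name) != 0; }
private:
  std::map<std::string, PitEntry> pit_;  // exact-match names only, for brevity
  std::set<std::string> cs_;             // content store keeps names only here
};

int main() {
  ToyForwarder f;
  f.onInterest("/sensor/temp", 1, 2, 0, 4000);  // constructed sample traffic
  return f.onData("/sensor/temp", 9, 100) == Verdict::DroppedWrongFace ? 0 : 1;
}
```

Because a wrong-face Data leaves the PIT entry pending, an off-path sender cannot consume the Interest before the legitimate producer answers.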