[Nfd-dev] Question about doing remote prefix registration using Android app

Haitao Zhang zhtaoxiang at gmail.com
Fri Aug 11 02:18:47 PDT 2017


On Thu, Aug 10, 2017 at 3:19 PM, Junxiao Shi <shijunxiao at email.arizona.edu>
wrote:

> Hi Haitao
>
> "authorization rejected" can be caused by many reasons. The router cannot
> tell you the exact cause due to security reasons. The router should write
> the cause into its logs but that is not yet implemented.
>
> Given you have tried an equivalent certificate with NFD-RIB, I assume
> certificate issuance and trust schema configuration have no problem. You
> can look at the following possible causes:
>
>    - Is the Java code creating well-formed command Interests? Is the
>    KeyLocator correct?
>
>
You mean the remote prefix registration interest should be a command Interest
(https://redmine.named-data.net/projects/nfd/wiki/Command_Interests) but
not a signed interest
(https://redmine.named-data.net/projects/ndn-cxx/wiki/SignedInterest), right?

I noticed that jNDN KeyChain.sign(interest, certname) generates a signed
interest. Here is an example:
/localhop/nfd/rib/register/h%20%07%1E%08%03org%08%0Bopenmhealth%08%0AuLsLn5csbB/%16F%1B%01%01%1CA%07%3F%08%03org%08%0Bopenmhealth%08%03KEY%08%0AuLsLn5csbB%08%11ksk-1502352233531%08%07ID-CERT/%17%FD%01%00%26%B2%93%F0%16e%A0%AA%BC%80%94%1D%04%21z%1D%D6%EEQ%E1K%86%00%D4%27%E0%C9nK%15%C3%9D%B6%3A%9A%1CEX%1E%E3%DC%9B%87%BE4%0AI%90%86%7F%C3%036%8B%FE%F7%C4%92%FC%D1B%A5%E5%A1%E3%F2e%7F%11%E8%10q%F5l%9EZ%B9o%B2%AB+%25%DB%1D+c%5EU%A9%20%E9%F2%F8E%10_%9F%A5%AD%FE%DE%9D%88H%99J%14%3A%25%F2%9D%AD%B7%8E%26%C2G%DF%EB0%95%D8%7DHnL%0C%EF%89G%0En%E7%FA%A38%B1.%D1%D3%9C%B8%A2+%A2%AC+%ED%07%00%A4k%0C%1C%AAH%ADLc%A2%0D%BFLV%9C%0E%9A%F0%D4%40q%F6%D3h1T%06%C0%25O%B0%F4%3E%C8%5DX%D6%EFL1%A2%08rZ%AA0%FB%FCpuKUfT%81%40%9A%86A%14%DDK%5Ek%F7%A6%DC%CB%CBc%E9%C2%01qw%C5%91p%C77%CA%08%15%F5%9C%C4D%1B%15%0F%EE%0E%3F%7E%DE%D1%C6%8C%D8l3%0CfON%09

which is signed by
/org/openmhealth/KEY/uLsLn5csbB/ksk-1502352233531/ID-CERT/%FD%00%00%01%5D%CB+%E5S


>    - Can the router retrieve your certificate?
>    - Is the Java code creating valid signatures?
>    - Is the clock skew between router and end host too great?
>    NFD-RIB is very sensitive to clock skew and would reject if the time
>    difference is more than 3 seconds. It's also not configurable, but v2
>    relaxed this to 60 seconds.
>
How is the clock skew checked by NFD, using a timestamp?


> If you have access to the router, setting "Forwarder DEBUG" loglevel can
> help you debug.
>
> Yours, Junxiao
>
> On Thu, Aug 10, 2017 at 1:02 PM, Haitao Zhang <zhtaoxiang at gmail.com>
> wrote:
>
>>
>> My NDNFit Android app needs to do remote prefix registration on the
>> testbed, so Interests can be forwarded to the Android device, then the
>> NDNFit Android app.
>>
>> (2) Create an interest /localhop/nfd/rib/register/<control parameter
>> including the prefix I want to register>, sign it using
>> /org/openmhealth/KEY/uLsLn5csbB/ksk-1502352233531/ID-CERT/%FD%00%00%01%5D%CB+%E5S
>> which is further signed by
>> NDNFit trust anchor /org/openmhealth/KEY/ksk-1490231565751/ID-CERT/%FD%00%00%01Z%F8%B9%1Et
>>
>> (4) I got a data packet containing a message "authorization rejected".
>>
>> Best,
>> -Haitao
>>
>>
>
>> *To verify that the configuration works, John requested a key from NDNFit
>> cert management website http://128.97.98.8:5001/ (it is ported from ndncert
>> website and works the same way as ndncert website) and did the following
>> (quote his email here):*
>> ... I was able to register a prefix and have it propagate on the Testbed
>> with readvertise.
>>
>>
>
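
Added example, not part of the original thread and not NFD or jNDN code: a Python check of a command Interest name in URI form against the layout on the Command Interests wiki page linked above (timestamp, nonce, SignatureInfo and SignatureValue after the ControlParameters) and against a clock-skew limit. The function names, the five-component prefix length and all sample bytes are assumptions constructed for illustration; the 3 second and 60 second limits are the figures quoted in the thread.

```python
from urllib.parse import quote, unquote_to_bytes

SIG_INFO, SIG_VALUE = 0x16, 0x17  # NDN TLV-TYPE numbers of the two signature fields

def check_command_interest(uri, now_ms, max_skew_ms=3000, prefix_len=5):
    """Return a list of problems found in a command Interest name (empty = none found).

    prefix_len counts the components before the signing fields, here
    /localhop/nfd/rib/register/<ControlParameters> (assumed layout).
    """
    # '+' is a literal byte in NDN URIs, so unquote_plus must not be used.
    comps = [unquote_to_bytes(c) for c in uri.strip("/").split("/")]
    tail = comps[prefix_len:]
    if len(tail) < 2 or tail[-2][:1] != bytes([SIG_INFO]) or tail[-1][:1] != bytes([SIG_VALUE]):
        return ["name does not end in SignatureInfo/SignatureValue"]
    if len(tail) != 4:
        return ["timestamp and nonce missing: %d component(s) before SignatureInfo, expected 2"
                % (len(tail) - 2)]
    timestamp = tail[0]
    if len(timestamp) not in (1, 2, 4, 8):  # valid nonNegativeInteger lengths
        return ["timestamp is not a nonNegativeInteger"]
    # Timestamp is milliseconds since the Unix epoch, big-endian.
    skew = abs(now_ms - int.from_bytes(timestamp, "big"))
    if skew > max_skew_ms:
        return ["clock skew %d ms exceeds limit of %d ms" % (skew, max_skew_ms)]
    return []

def to_uri(components):
    """Percent-encode raw components into a URI (helper for the samples)."""
    return "/" + "/".join(quote(c, safe="") for c in components)

# Constructed sample data: placeholder TLVs, not real parameters or signatures.
NOW_MS = 1502443127000
PREFIX = [b"localhop", b"nfd", b"rib", b"register", b"\x68\x00"]
NONCE = bytes(8)
SIGNATURE = [b"\x16\x00", b"\x17\x00"]
GOOD = to_uri(PREFIX + [(NOW_MS - 500).to_bytes(8, "big"), NONCE] + SIGNATURE)
NO_TIMESTAMP = to_uri(PREFIX + SIGNATURE)
STALE = to_uri(PREFIX + [(NOW_MS - 10000).to_bytes(8, "big"), NONCE] + SIGNATURE)

if __name__ == "__main__":
    for name in (GOOD, NO_TIMESTAMP, STALE):
        print(check_command_interest(name, NOW_MS) or "layout and skew OK")
```

The check covers name layout and timestamp only; it does not verify the signature, the KeyLocator or the certificate chain.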