[Nfd-dev] Question about doing remote prefix registration using Android app

Mon Aug 14 17:11:12 PDT 2017

Haitao,

Any update on how this is going for you?

John

On Aug 11, 2017, at 4:18 AM, Haitao Zhang <zhtaoxiang at gmail.com<mailto:zhtaoxiang at gmail.com>> wrote:

On Thu, Aug 10, 2017 at 3:19 PM, Junxiao Shi <shijunxiao at email.arizona.edu<mailto:shijunxiao at email.arizona.edu>> wrote:
Hi Haitao

"authorization rejected" can be caused by many reasons. The router cannot tell you the exact cause due to security reason. The router should write the cause into its logs but that is not yet implemented.

Given you have tried an equivalent certificate with NFD-RIB, I assume certificate issuance and trust schema configuration have no problem. You can look at the following possible causes:

  *   Is the Java code creating well-formed command Interests? Is the KeyLocator correct?

You mean the remote prefix registration interest should be command Interest (https://redmine.named-data.net/projects/nfd/wiki/Command_Interests) but not signed interest (https://redmine.named-data.net/projects/ndn-cxx/wiki/SignedInterest), right?

I noticed that jNDN KeyChain.sign(interest, certname) generates signed interest. Here is an example:
/localhop/nfd/rib/register/h%20%07%1E%08%03org%08%0Bopenmhealth%08%0AuLsLn5csbB/%16F%1B%01%01%1CA%07%3F%08%03org%08%0Bopenmhealth%08%03KEY%08%0AuLsLn5csbB%08%11ksk-1502352233531%08%07ID-CERT/%17%FD%01%00%26%B2%93%F0%16e%A0%AA%BC%80%94%1D%04%21z%1D%D6%EEQ%E1K%86%00%D4%27%E0%C9nK%15%C3%9D%B6%3A%9A%1CEX%1E%E3%DC%9B%87%BE4%0AI%90%86%7F%C3%036%8B%FE%F7%C4%92%FC%D1B%A5%E5%A1%E3%F2e%7F%11%E8%10q%F5l%9EZ%B9o%B2%AB+%25%DB%1D+c%5EU%A9%20%E9%F2%F8E%10_%9F%A5%AD%FE%DE%9D%88H%99J%14%3A%25%F2%9D%AD%B7%8E%26%C2G%DF%EB0%95%D8%7DHnL%0C%EF%89G%0En%E7%FA%A38%B1.%D1%D3%9C%B8%A2+%A2%AC+%ED%07%00%A4k%0C%1C%AAH%ADLc%A2%0D%BFLV%9C%0E%9A%F0%D4%40q%F6%D3h1T%06%C0%25O%B0%F4%3E%C8%5DX%D6%EFL1%A2%08rZ%AA0%FB%FCpuKUfT%81%40%9A%86A%14%DDK%5Ek%F7%A6%DC%CB%CBc%E9%C2%01qw%C5%91p%C77%CA%08%15%F5%9C%C4D%1B%15%0F%EE%0E%3F%7E%DE%D1%C6%8C%D8l3%0CfON%09

which is signed by /org/openmhealth/KEY/uLsLn5csbB/ksk-1502352233531/ID-CERT/%FD%00%00%01%5D%CB+%E5S

  *   Can the router retrieve your certificate?
  *   Is the Java code creating valid signatures?
  *   Is the clock skew between router and end host too great?
NFD-RIB is very sensitive to clock skew and would reject if the time difference is more than 3 seconds. It's also not configurable, but v2 relaxed this to 60 seconds.

How is the clock skew checked by NFD, using timestamp?

If you have access to the router, setting "Forwarder DEBUG" loglevel can help you debug.

Yours, Junxiao

On Thu, Aug 10, 2017 at 1:02 PM, Haitao Zhang <zhtaoxiang at gmail.com<mailto:zhtaoxiang at gmail.com>> wrote:

My NDNFit Android app needs to do remote prefix registration on the testbed, so Interests can be forwarded to the Android device, then the NDNFit Android app.

(2) Create an interest /localhop/nfd/rib/register/<control parameter including the prefix I want to register>, sign it using
/org/openmhealth/KEY/uLsLn5csbB/ksk-1502352233531/ID-CERT/%FD%00%00%01%5D%CB+%E5S
which is further signed by
NDNFit trust anchor /org/openmhealth/KEY/ksk-1490231565751/ID-CERT/%FD%00%00%01Z%F8%B9%1Et

(4) I got an data packet containing a message "authorization rejected".

Best,
-Haitao

To verify that the configuration works, John requested a key from NDNFit cert management website http://128.97.98.8:5001/ (it is ported from ndncert website and works the same way as ndncert website) and did the following (quote his email here):
... I was able to register a prefix and have it propagate on the Testbed with readvertise.

_______________________________________________
Nfd-dev mailing list
Nfd-dev at lists.cs.ucla.edu<mailto:Nfd-dev at lists.cs.ucla.edu>
http://www.lists.cs.ucla.edu/mailman/listinfo/nfd-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/attachments/20170815/abe02252/attachment.html>