[Nfd-dev] [EXT]Re: Try NDNCERT (based on Interest-Data exchange) and get an NDN certificate today

Zhiyi Zhang zhiyi at cs.ucla.edu
Mon Feb 1 14:03:36 PST 2021


Thanks to Prof. John Dehart for issuing a new certificate to us.
I just restarted the service with the new certificate.

Best,
Zhiyi

On Sun, Jan 31, 2021 at 10:10 AM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:

> The issue has been resolved. We now need to get a new certificate from
> Prof. John Dehart. Once I get it, I will restart the deployment with new
> code and new cert.
>
> Best,
> Zhiyi
>
> On Fri, Jan 29, 2021 at 8:40 PM Junxiao Shi <shijunxiao at email.arizona.edu>
> wrote:
>
>> Hi Zhiyi
>>
>> It's been a week. I saw some commits related to these items. Have you
>> updated the deployment?
>>
>> Yours, Junxiao
>>
>> On Sat, Jan 23, 2021, 04:17 Junxiao Shi <shijunxiao at email.arizona.edu>
>> wrote:
>>
>>> Hi Zhiyi
>>>
>>> I can confirm that the routes for /ndn/CA are correct now.
>>> If you delete packets from repo-ng's database, you do have to restart
>>> the service. repo-ng can pick up changes and unregister the prefix only if
>>> you delete Data through its API.
>>>
>>> However, it seems that the CA certificate has expired:
>>> $ NDNTS_UPLINK=tcp://192.168.5.10 ndncat get-segmented /ndn/CA/INFO |
>>> ndn-dissect | awk '$1>=253 && $1<=255'
>>>       253 (RESERVED_3) (size: 38)
>>>         254 (RESERVED_3) (size: 15) [[20171220T001939]]
>>>         255 (RESERVED_3) (size: 15) [[20201231T235959]]
>>> You'll need to use an unexpired CA certificate for certificate request
>>> to succeed, according to section "2.3.3 ValidityPeriod" requirements.
>>>
>>> This did expose an NDNts bug: I'm still creating a request with a
>>> ValidityPeriod that has NotBefore later than NotAfter, like this:
>>> 0000   fd 00 fd 26 fd 00 fe 0f 32 30 32 31 30 31 32 33   ...&....20210123
>>> 0010   54 30 38 35 38 33 37 fd 00 ff 0f 32 30 32 30 31   T085837....20201
>>> 0020   32 33 31 54 32 33 35 39 35 39                     231T235959
>>> I'll get it fixed.
>>>
>>> Your CA implementation is also lacking necessary checks for CA
>>> certificate validity period, according to section "2.3.3 ValidityPeriod"
>>> requirements.
>>>
>>> https://github.com/Zhiyi-Zhang/ndncert/blob/d35bc5f78dae76cc3f56479336845cb1aeb6c9f3/src/ca-module.cpp#L270-L272
>>> This must be checked during NEW command processing and possibly also
>>> before issuing each certificate. It's insufficient to only check at CA
>>> startup, because the CA certificate could become expired while the CA is
>>> running.
>>>
>>> Yours, Junxiao
>>>
>>> On Fri, Jan 22, 2021 at 6:53 PM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:
>>>
>>>>
>>>>
>>>> On Fri, Jan 22, 2021 at 12:55 PM Junxiao Shi <
>>>> shijunxiao at email.arizona.edu> wrote:
>>>>
>>>>> Hi Zhiyi
>>>>>
>>>>> There are still erroneous packets starting with /ndn/CA in the
>>>>> /localhost/repo-ng repository.
>>>>> To check that, go to https://suns.cs.ucla.edu/n/ , on "Routes" tab
>>>>> select "/ndn/CA" prefix. It should show only one nexthop pointing to the CA
>>>>> program.
>>>>> Currently it's showing two nexthops: a repo-ng instance and the CA
>>>>> program.
>>>>>
>>>>> Please delete the erroneous packets.
>>>>> If you are sure no erroneous packet exists, try restarting the repo-ng
>>>>> service and see whether the prefix registration clears up.
>>>>>
>>>>
>>>> I deleted the packet via an SQLite database operation.
>>>> I think I will need to restart it to reflect the change.
>>>>
>>>>
>>>>> Another problem is, the CA program is not responding to certificate
>>>>> retrieval Interests that carry the implicit digest component.
>>>>> This needs to be fixed in the CA program.
>>>>>
>>>>> https://github.com/Zhiyi-Zhang/ndncert/blob/aa60c96f609ba4a3c92344c77bbb63e6d7e116fa/tools/ndncert-ca-server.cpp#L152
>>>>>
>>>>
>>>> Okay. I think I will need to use getFullName() instead of getName().
>>>>
>>>> Best,
>>>> Zhiyi
>>>>
>>>>>
>>>>>
>>>>> Yours, Junxiao
>>>>>
>>>>> On Fri, Jan 22, 2021 at 2:18 PM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:
>>>>>
>>>>>> Hi Junxiao and John,
>>>>>>
>>>>>> As discussed during the NFD call:
>>>>>> * I just brought the NDNCERT back online without the dependencies on
>>>>>> the repo.
>>>>>> * Now the profile and published certs are kept by the NDNCERT CA
>>>>>> tool. I replaced the map with a fixed-size queue to prevent the cache from
>>>>>> going infinitely large.
>>>>>> * I've deleted the profile data from the repo.
>>>>>>
>>>>>> @John Then, there is no need to set up a new repo-ng.
>>>>>> Thank you so much.
>>>>>>
>>>>>> Best,
>>>>>> Zhiyi
>>>>>>
>>>>>> On Fri, Jan 22, 2021 at 10:01 AM Junxiao Shi <
>>>>>> shijunxiao at email.arizona.edu> wrote:
>>>>>>
>>>>>>> Hi Zhiyi
>>>>>>>
>>>>>>> repo-ng at /localhost/repo-ng listens on TCP port 7376.
>>>>>>>
>>>>>>> https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/repo-ng/templates/repo-ng.conf.j2#L35
>>>>>>> It has registration-subset=3.
>>>>>>>
>>>>>>> repo-ng at /localhost/repo-ng-2 listens on TCP port 7377.
>>>>>>>
>>>>>>> https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/repo-ng/templates/repo-ng-2.conf.j2#L32
>>>>>>> It has registration-subset disabled.
>>>>>>>
>>>>>>> ndn-python-repo listens on TCP port 7378.
>>>>>>>
>>>>>>> https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/ndn-python-repo/templates/ndn-python-repo.conf.j2#L26
>>>>>>>
>>>>>>> As explained in
>>>>>>> https://www.lists.cs.ucla.edu/pipermail/nfd-dev/2021-January/004238.html
>>>>>>> , you need another instance of repo-ng with registration-subset=0 to
>>>>>>> publish your CA profile and issued certificates.
>>>>>>>
>>>>>>> Yours, Junxiao
>>>>>>>
>>>>>>> On Fri, Jan 22, 2021 at 12:54 PM Zhiyi Zhang <zhiyi at cs.ucla.edu>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi John,
>>>>>>>>
>>>>>>>> Could you also let me know the port numbers of the different running
>>>>>>>> instances of repo? NDNCERT is using TCP Bulk to insert packets into the
>>>>>>>> repo.
>>>>>>>>
>>>>>>>> Best,
>>>>>>>> Zhiyi
>>>>>>>>
>>>>>>>> On Fri, Jan 22, 2021 at 8:34 AM Dehart, John <jdd at wustl.edu> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Looks like there was no ‘Restart’ entry in the systemd file for
>>>>>>>>> the python repo.
>>>>>>>>> I’ve added that and we’ll see if it does better.
>>>>>>>>>
>>>>>>>>> John
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Jan 22, 2021, at 10:21 AM, Dehart, John via Nfd-dev <
>>>>>>>>> nfd-dev at lists.cs.ucla.edu> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I’ll take a look at the repo issue. All testbed nodes should be
>>>>>>>>> running both repo-ng and python repo.
>>>>>>>>> Maybe it's a systemd issue.
>>>>>>>>>
>>>>>>>>> John
>>>>>>>>>
>>>>>>>>> On Jan 20, 2021, at 9:38 PM, Zhiyi Zhang <zhiyi at cs.ucla.edu>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Yeah. I found the repo is not running on the Suns: ERROR: Cannot
>>>>>>>>> publish certificate to repo-ng (Connection refused)
>>>>>>>>>
>>>>>>>>> @Lixia, do you know whom I should contact to deploy the repo, and
>>>>>>>>> which repo should be used?
>>>>>>>>>
>>>>>>>>> I just brought NDNCERT back without the parameter to publish to
>>>>>>>>> the repo. After people figure out the repo deployment, I will update the
>>>>>>>>> parameter used in the NDNCERT service.
>>>>>>>>>
>>>>>>>>> Best,
>>>>>>>>> Zhiyi
>>>>>>>>>
>>>>>>>>> On Wed, Jan 20, 2021 at 11:11 AM Junxiao Shi <
>>>>>>>>> shijunxiao at email.arizona.edu> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Zhiyi
>>>>>>>>>>
>>>>>>>>>> As you mentioned on the 2021-01-15 NFD call, you have updated the
>>>>>>>>>> deployment to use 2019 Naming Convention.
>>>>>>>>>> However, I'm now unable to retrieve the CA profile - the CA is
>>>>>>>>>> not responding at all.
>>>>>>>>>>
>>>>>>>>>> $ ndnpeek -Pf /ndn/CA/INFO/32=metadata
>>>>>>>>>> $ echo $?
>>>>>>>>>> 3
>>>>>>>>>>
>>>>>>>>>> Wireshark and NFD counters indicate that the Interest has arrived
>>>>>>>>>> on suns.cs.ucla.edu, but there's no response.
>>>>>>>>>>
>>>>>>>>>> Yours, Junxiao
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
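The ValidityPeriod check Junxiao asks for above (run at NEW-command time, not only at CA startup, and rejecting a NotBefore that is later than NotAfter) is shown here as an added, self-contained example. It is not code from ndncert or NDNts. The TLV-TYPE numbers 253/254/255 and the "YYYYMMDDThhmmss" timestamp format are taken from the ndn-dissect output and hex dump in the thread; the sample bytes are the buggy request Junxiao posted and the CA certificate dates the dissector showed; all function and type names (`decodeValidityPeriod`, `checkValidity`, `Validity`, ...) are my own and are not ndn-cxx APIs.

```cpp
// Added example, not ndncert/NDNts code: decode an NDN ValidityPeriod TLV and
// apply the check a CA should run on its own certificate before issuing.
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

namespace tlv {
// TLV-TYPE numbers as shown by ndn-dissect in the thread.
constexpr uint64_t ValidityPeriod = 253;
constexpr uint64_t NotBefore = 254;
constexpr uint64_t NotAfter = 255;
}

// Reads one NDN variable-length number (used for TLV-TYPE and TLV-LENGTH).
static uint64_t readVarNumber(const std::vector<uint8_t>& buf, size_t& pos) {
  if (pos >= buf.size()) throw std::runtime_error("truncated TLV");
  uint8_t first = buf[pos++];
  if (first < 253) return first;
  size_t extra = (first == 253) ? 2 : (first == 254) ? 4 : 8;
  if (pos + extra > buf.size()) throw std::runtime_error("truncated TLV");
  uint64_t v = 0;
  for (size_t i = 0; i < extra; ++i) v = (v << 8) | buf[pos++];
  return v;
}

// Writes a number in the same encoding (1- and 3-octet forms suffice here).
static void writeVarNumber(std::vector<uint8_t>& out, uint64_t n) {
  if (n < 253) { out.push_back(static_cast<uint8_t>(n)); return; }
  if (n > 0xFFFF) throw std::runtime_error("number too large for this example");
  out.push_back(253);
  out.push_back(static_cast<uint8_t>(n >> 8));
  out.push_back(static_cast<uint8_t>(n & 0xFF));
}

struct ValidityPeriod {
  std::string notBefore;  // "YYYYMMDDThhmmss", UTC
  std::string notAfter;
};

std::vector<uint8_t> encodeValidityPeriod(const ValidityPeriod& vp) {
  std::vector<uint8_t> inner, out;
  writeVarNumber(inner, tlv::NotBefore); writeVarNumber(inner, vp.notBefore.size());
  inner.insert(inner.end(), vp.notBefore.begin(), vp.notBefore.end());
  writeVarNumber(inner, tlv::NotAfter); writeVarNumber(inner, vp.notAfter.size());
  inner.insert(inner.end(), vp.notAfter.begin(), vp.notAfter.end());
  writeVarNumber(out, tlv::ValidityPeriod); writeVarNumber(out, inner.size());
  out.insert(out.end(), inner.begin(), inner.end());
  return out;
}

// Decodes a ValidityPeriod element; throws on any structural problem.
ValidityPeriod decodeValidityPeriod(const std::vector<uint8_t>& buf) {
  size_t pos = 0;
  if (readVarNumber(buf, pos) != tlv::ValidityPeriod) throw std::runtime_error("not a ValidityPeriod");
  uint64_t len = readVarNumber(buf, pos);
  if (pos + len != buf.size()) throw std::runtime_error("bad ValidityPeriod length");
  ValidityPeriod vp;
  while (pos < buf.size()) {
    uint64_t t = readVarNumber(buf, pos);
    size_t l = static_cast<size_t>(readVarNumber(buf, pos));
    if (pos + l > buf.size()) throw std::runtime_error("truncated element");
    std::string val(buf.begin() + pos, buf.begin() + pos + l);
    pos += l;
    if (t == tlv::NotBefore) vp.notBefore = val;
    else if (t == tlv::NotAfter) vp.notAfter = val;
    else throw std::runtime_error("unexpected element in ValidityPeriod");
  }
  if (vp.notBefore.empty() || vp.notAfter.empty()) throw std::runtime_error("missing NotBefore/NotAfter");
  return vp;
}

// Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's days_from_civil).
static int64_t daysFromCivil(int64_t y, unsigned m, unsigned d) {
  y -= m <= 2;
  const int64_t era = (y >= 0 ? y : y - 399) / 400;
  const unsigned yoe = static_cast<unsigned>(y - era * 400);
  const unsigned doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
  const unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
  return era * 146097 + static_cast<int64_t>(doe) - 719468;
}

// Parses an NDN timestamp "YYYYMMDDThhmmss" (UTC) into Unix-epoch seconds.
int64_t parseTimestamp(const std::string& s) {
  if (s.size() != 15 || s[8] != 'T') throw std::runtime_error("bad timestamp: " + s);
  for (size_t i = 0; i < 15; ++i)
    if (i != 8 && (s[i] < '0' || s[i] > '9')) throw std::runtime_error("bad timestamp: " + s);
  auto num = [&](size_t off, size_t n) { return std::stoi(s.substr(off, n)); };
  int y = num(0, 4), mo = num(4, 2), d = num(6, 2), h = num(9, 2), mi = num(11, 2), sec = num(13, 2);
  if (mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || sec > 60)
    throw std::runtime_error("bad timestamp: " + s);
  return daysFromCivil(y, mo, d) * 86400 + h * 3600 + mi * 60 + sec;
}

enum class Validity { Valid, Malformed, NotYetValid, Expired };

// Run this against the CA's own certificate on every NEW command (and again
// before issuing), because a certificate valid at startup may expire later.
Validity checkValidity(const ValidityPeriod& vp, int64_t now) {
  int64_t nb = parseTimestamp(vp.notBefore), na = parseTimestamp(vp.notAfter);
  if (nb > na) return Validity::Malformed;  // NotBefore later than NotAfter (the NDNts bug)
  if (now < nb) return Validity::NotYetValid;
  if (now > na) return Validity::Expired;
  return Validity::Valid;
}

// Bytes from Junxiao's hex dump: the request ValidityPeriod with NotBefore > NotAfter.
const std::vector<uint8_t> kBuggyRequestVp = {
  0xfd, 0x00, 0xfd, 0x26, 0xfd, 0x00, 0xfe, 0x0f, 0x32, 0x30, 0x32, 0x31, 0x30, 0x31, 0x32, 0x33,
  0x54, 0x30, 0x38, 0x35, 0x38, 0x33, 0x37, 0xfd, 0x00, 0xff, 0x0f, 0x32, 0x30, 0x32, 0x30, 0x31,
  0x32, 0x33, 0x31, 0x54, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39};

int main() {
  // CA certificate dates as shown by ndn-dissect in the thread; "now" is the request time.
  ValidityPeriod caCert{"20171220T001939", "20201231T235959"};
  int64_t now = parseTimestamp("20210123T085837");
  const char* names[] = {"Valid", "Malformed", "NotYetValid", "Expired"};
  std::printf("CA cert:  %s\n", names[static_cast<int>(checkValidity(caCert, now))]);
  std::printf("request:  %s\n", names[static_cast<int>(checkValidity(decodeValidityPeriod(kBuggyRequestVp), now))]);
  return 0;
}
```

On the dates in the thread the CA certificate reports Expired and the dumped request reports Malformed; a CA that only validated its certificate at startup would have kept answering with the expired one, which is exactly the gap the review comment above points out.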