[Nfd-dev] [EXT]Re: Try NDNCERT (based on Interest-Data exchange) and get an NDN certificate today

Junxiao Shi shijunxiao at email.arizona.edu
Wed Jan 20 21:04:48 PST 2021


Hi Zhiyi

I read the code. I see that there's a cachedCertificates structure in the
CA profile and it can serve both the CA profile and the issued certificates.
https://github.com/Zhiyi-Zhang/ndncert/blob/276ba786afc52d404188f6c568ebc735e33c5d9b/tools/ndncert-ca-server.cpp#L132

A brief read of this code indicates two problems:
1. cachedCertificates would grow indefinitely until the CA runs out of memory.
2. After a successful challenge, issued-cert-name contains an implicit digest
and the client would be retrieving the certificate with an Interest that
carries the implicit digest, but the producer code can only handle Interests
with an exact name.


From what I can tell, there are two instances of repo-ng running on suns.
The first instance has command prefix /localhost/repo-ng.
The second instance has command prefix /localhost/repo-ng-2.
You can find their configuration in https://github.com/WU-ARL/NDN_Ansible
repository, roles/repo-ng/templates.

One concerning thing is that, the first repo-ng instance is registering the
prefix /ndn/CA, same as your CA. A likely cause is that, your CA program
uses TCP bulk insertion to ask repo-ng to publish the CA profile. The
registration-subset=3 in
https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/repo-ng/templates/repo-ng.conf.j2#L7
causes the repo to register /ndn/CA. This could lead to forwarding problems.

I think you need another instance of repo-ng with registration-subset=0.
Or you can stick with cachedCertificates but you need to delete the CA
profile packet from that repo-ng instance.


You don't need to worry about certificate publishing after the client has
retrieved the certificate. It is producer's responsibility to publish their
certificates.


Regarding PyRepo: it's not running on suns. Even if you install it, it's
unusable for certificate publishing:
1. While PyRepo supports the same TCP bulk insertion protocol, it lacks a
prefix registration feature - it would register the root prefix "/", but
the certificate name could match a longer prefix in the network.
2. The only way to make PyRepo register a more specific prefix is to use
its pseudo pubsub API. You could use this, but you'll have to integrate
this protocol in the CA program. Good news is, the protocol is well
documented. Bad news is, it's fairly complicated.
3. PyRepo will not answer any Interest with implicit digest. It only
supports prefix and exact names. Read
https://github.com/UCLA-IRL/ndn-python-repo/blob/fc831b9d60fc5feeae438895f9d5ed8d2a80a27f/ndn_python_repo/storage/storage_base.py#L96
and you'll know why.

Thus, don't bother with PyRepo. Stick with repo-ng or cachedCertificates.

Yours, Junxiao
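To illustrate the two cachedCertificates problems above (unbounded growth, and an exact-name lookup that misses Interests carrying an implicit digest), here is an added example that is not ndncert's code: a bounded store whose lookup strips a trailing ImplicitSha256DigestComponent and checks it against SHA-256 of the stored Data wire. The name() helper and the Data bytes are constructed for the example.

```python
import hashlib
from collections import OrderedDict
from typing import Optional, Tuple

# NDN packet format v0.3 name component TLV types
IMPLICIT_DIGEST_TYPE = 1   # ImplicitSha256DigestComponent
GENERIC_TYPE = 8           # GenericNameComponent

Component = Tuple[int, bytes]   # (TLV-TYPE, TLV-VALUE)
Name = Tuple[Component, ...]


def name(*comps: str) -> Name:
    """Build a Name of generic components from strings (hypothetical helper)."""
    return tuple((GENERIC_TYPE, c.encode()) for c in comps)


def implicit_digest(data_wire: bytes) -> bytes:
    """The implicit digest is SHA-256 over the entire encoded Data TLV."""
    return hashlib.sha256(data_wire).digest()


class CertStore:
    """Bounded stand-in for cachedCertificates: exact-name map plus eviction."""

    def __init__(self, max_entries: int = 1000):
        self._by_name: "OrderedDict[Name, bytes]" = OrderedDict()
        self._max = max_entries

    def insert(self, data_name: Name, data_wire: bytes) -> None:
        self._by_name[data_name] = data_wire
        self._by_name.move_to_end(data_name)
        while len(self._by_name) > self._max:   # evict oldest entries (problem 1)
            self._by_name.popitem(last=False)

    def lookup_exact(self, interest_name: Name) -> Optional[bytes]:
        """Exact-name lookup: misses when the Interest carries a digest (problem 2)."""
        return self._by_name.get(interest_name)

    def lookup(self, interest_name: Name) -> Optional[bytes]:
        """Exact-name lookup that also honours a trailing implicit digest."""
        if interest_name and interest_name[-1][0] == IMPLICIT_DIGEST_TYPE:
            wanted = interest_name[-1][1]
            data_wire = self._by_name.get(interest_name[:-1])
            if data_wire is None or implicit_digest(data_wire) != wanted:
                return None   # no such Data, or the digest does not match it
            return data_wire
        return self._by_name.get(interest_name)


# Constructed stand-in bytes; a real Data packet would be a full TLV encoding.
CERT_WIRE = b"\x06\x10constructed-data"
CERT_NAME = name("ndn", "CA", "alice", "KEY", "k1", "NDNCERT", "v1")
FULL_NAME = CERT_NAME + ((IMPLICIT_DIGEST_TYPE, implicit_digest(CERT_WIRE)),)
```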


On Wed, Jan 20, 2021, 23:16 Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:

With the current NDNCERT implementation, the certificate will still be
fetched and installed on the local keychain.
However, you are right in the sense that, the certificate cannot be fetched
asynchronously after the NDNCERT client command ends.

BTW, shouldn't Repo be installed on all testbed nodes through the operator?

Best,
Zhiyi

On Wed, Jan 20, 2021 at 8:08 PM Junxiao Shi <shijunxiao at email.arizona.edu>
wrote:

Hi Zhiyi

It doesn't make sense to run NDNCERT without a repo.

1. CA profile is not retrievable, so that client cannot initiate.
2. Issued certificate is not retrievable, so that client cannot finish.

Yours, Junxiao



On Wed, Jan 20, 2021, 23:13 Lixia Zhang <lixia at cs.ucla.edu> wrote:

> On Jan 20, 2021, at 7:38 PM, Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:
>
> Yeah. I found the repo is not running on the Suns: ERROR: Cannot publish
> certificate to repo-ng (Connection refused)
>
> @Lixia do you know whom I should contact to deploy the repo? and which repo
> should be used?
>
>
> I don't think people are using repo-ng anymore?
> should be python repo?
> I copied Zhaoning and Zixuan here, both should know the answer
>
>
> I just brought back the NDNCERT without the parameter to publish to the
> repo. After people figure out the repo deployment, I will update the
> parameter used in the NDNCERT service.
>
> Best,
> Zhiyi
>
> On Wed, Jan 20, 2021 at 11:11 AM Junxiao Shi <shijunxiao at email.arizona.edu>
> wrote:
>
>> Hi Zhiyi
>>
>> As you mentioned on the 2021-01-15 NFD call, you have updated the
>> deployment to use 2019 Naming Convention.
>> However, I'm now unable to retrieve the CA profile - the CA is not
>> responding at all.
>>
>> $ ndnpeek -Pf /ndn/CA/INFO/32=metadata
>> $ echo $?
>> 3
>>
>> Wireshark and NFD counters indicate that the Interest has arrived on
>> suns.cs.ucla.edu, but there's no response.
>>
>> Yours, Junxiao
>>
>
>