[Nfd-dev] [EXT]Re: Try NDNCERT (based on Interest-Data exchange) and get an NDN certificate today

Fri Jan 22 12:55:48 PST 2021

Hi Zhiyi

There are still erroneous packets starting with /ndn/CA in the
/localhost/repo-ng repository.
To check that, go to https://suns.cs.ucla.edu/n/ , on "Routes" tab select
"/ndn/CA" prefix. It should show only one nexthop pointing to the CA
program.
Currently it's showing two nexthops: a repo-ng instance and the CA program.

Please delete the erroneous packets.
If you are sure no erroneous packet exists, try restarting the repo-ng
service and see whether the prefix registration clears up.

Another problem is, the CA program is not responding to certificate
retrieval Interests that carry the implicit digest component.
This needs to be fixed in the CA program.
https://github.com/Zhiyi-Zhang/ndncert/blob/aa60c96f609ba4a3c92344c77bbb63e6d7e116fa/tools/ndncert-ca-server.cpp#L152

Yours, Junxiao

On Fri, Jan 22, 2021 at 2:18 PM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:

> *External Email*
> Hi Junxiao and John,
>
> As discussed during the NFD call:
> * I just brought the NDNCERT back online without the dependencies on the
> repo.
> * Now the profile and published certs are kept by the NDNCERT CA tool. I
> replaced map with a fixed size queue to prevent the cache from going
> infinitely large.
> * I've deleted the profile data from the repo
>
> @John Then, there is no need to set up a new repo-ng.
> Thank you so much.
>
> Best,
> Zhiyi
>
> On Fri, Jan 22, 2021 at 10:01 AM Junxiao Shi <shijunxiao at email.arizona.edu>
> wrote:
>
>> Hi Zhiyi
>>
>> repo-ng at /localhost/repo-ng listens on TCP port 7376.
>>
>> https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/repo-ng/templates/repo-ng.conf.j2#L35
>> It has registration-subset=3.
>>
>> repo-ng at /localhost/repo-ng-2 listens on TCP port 7377.
>>
>> https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/repo-ng/templates/repo-ng-2.conf.j2#L32
>> It has registration-subset disabled.
>>
>> ndn-python-repo listens on TCP port 7378.
>>
>> https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/ndn-python-repo/templates/ndn-python-repo.conf.j2#L26
>>
>> As explained in
>> https://www.lists.cs.ucla.edu/pipermail/nfd-dev/2021-January/004238.html
>> , you need another instance of repo-ng with registration-subset=0 to
>> publish your CA profile and issued certificates.
>>
>> Yours, Junxiao
>>
>> On Fri, Jan 22, 2021 at 12:54 PM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:
>>
>>> *External Email*
>>> Hi John,
>>>
>>> Could you also let me know the port number of different running
>>> instances of repo? because NDNCERT is using TCP Bulk to insert packets to
>>> repo.
>>>
>>> Best,
>>> Zhiyi
>>>
>>> On Fri, Jan 22, 2021 at 8:34 AM Dehart, John <jdd at wustl.edu> wrote:
>>>
>>>>
>>>> Looks like there was no ‘Restart’  entry in the systemd file for the
>>>> python repo.
>>>> I’ve added that and we’ll see if it does better.
>>>>
>>>> John
>>>>
>>>>
>>>> On Jan 22, 2021, at 10:21 AM, Dehart, John via Nfd-dev <
>>>> nfd-dev at lists.cs.ucla.edu> wrote:
>>>>
>>>>
>>>>
>>>> I’ll take a look at the repo issue. All testbed nodes should be running
>>>> both repo-ng and python repo.
>>>> Maybe its a systemd issue.
>>>>
>>>> John
>>>>
>>>> On Jan 20, 2021, at 9:38 PM, Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:
>>>>
>>>> Yeah. I found the repo is not running on the Suns: ERROR: Cannot
>>>> publish certificate to repo-ng (Connection refused)
>>>>
>>>> @Lixia do you know who should I contact to deploy the repo? and which
>>>> repo should be used?
>>>>
>>>> I just bring back the NDNCERT without the parameter to publish to the
>>>> repo. After people figure out the repo deployment, I will update the
>>>> parameter used in NDNCERT service.
>>>>
>>>> Best,
>>>> Zhiyi
>>>>
>>>> On Wed, Jan 20, 2021 at 11:11 AM Junxiao Shi <
>>>> shijunxiao at email.arizona.edu> wrote:
>>>>
>>>>> Hi Zhiyi
>>>>>
>>>>> As you mentioned on the 2021-01-15 NFD call, you have updated the
>>>>> deployment to use 2019 Naming Convention.
>>>>> However, I'm now unable to retrieve the CA profile - the CA is not
>>>>> responding at all.
>>>>>
>>>>> $ ndnpeek -Pf /ndn/CA/INFO/32=metadata
>>>>> $ echo $?
>>>>> 3
>>>>>
>>>>> Wireshark and NFD counters indicate that the Interest has arrived on
>>>>> suns.cs.ucla.edu, but there's no response.
>>>>>
>>>>> Yours, Junxiao
>>>>>
>>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/attachments/20210122/2cc7362e/attachment.html>