[Nfd-dev] [EXT]Re: Try NDNCERT (based on Interest-Data exchange) and get an NDN certificate today

Junxiao Shi shijunxiao at email.arizona.edu
Sat Jan 23 01:17:46 PST 2021


Hi Zhiyi

I can confirm that the routes for /ndn/CA are correct now.
If you delete packets from repo-ng's database, you do have to restart the
service. repo-ng can pick up changes and unregister the prefix only if you
delete Data through its API.

However, it seems that the CA certificate has expired:
$ NDNTS_UPLINK=tcp://192.168.5.10 ndncat get-segmented /ndn/CA/INFO |
ndn-dissect | awk '$1>=253 && $1<=255'
      253 (RESERVED_3) (size: 38)
        254 (RESERVED_3) (size: 15) [[20171220T001939]]
        255 (RESERVED_3) (size: 15) [[20201231T235959]]
You'll need to use an unexpired CA certificate for the certificate request to
succeed, according to section "2.3.3 ValidityPeriod" requirements.

This did expose an NDNts bug in which I'm still creating a request with a
ValidityPeriod that has NotBefore later than NotAfter, like this:
0000   fd 00 fd 26 fd 00 fe 0f 32 30 32 31 30 31 32 33   ...&....20210123
0010   54 30 38 35 38 33 37 fd 00 ff 0f 32 30 32 30 31   T085837....20201
0020   32 33 31 54 32 33 35 39 35 39                     231T235959
I'll get it fixed.

Your CA implementation is also lacking necessary checks for CA certificate
validity period, according to section "2.3.3 ValidityPeriod" requirements.
https://github.com/Zhiyi-Zhang/ndncert/blob/d35bc5f78dae76cc3f56479336845cb1aeb6c9f3/src/ca-module.cpp#L270-L272
This must be checked during NEW command processing and possibly also before
issuing each certificate. It's insufficient to only check at CA startup,
because the CA certificate could become expired while the CA is running.

Yours, Junxiao

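To make the two problems in the message concrete, here is an added example (not NDNts or ndncert code) that decodes the ValidityPeriod bytes from the hex dump above and applies the checks a CA should run on its own certificate; the TLV type numbers 253/254/255 and the ISO 8601 basic timestamp format are taken from the NDN certificate format, everything else is assumed for illustration.

```typescript
// Added example, not NDNts or ndncert code: decode an NDN ValidityPeriod TLV (type 253
// holding NotBefore 254 / NotAfter 255 as ISO 8601 basic UTC timestamps) and check it.
interface ValidityPeriod { notBefore: Date; notAfter: Date }
// NDN-TLV VAR-NUMBER: one byte below 0xfd, 0xfd + 2 bytes, or 0xfe + 4 bytes.
function readVarNumber(buf: Uint8Array, pos: number): [number, number] {
  if (pos >= buf.length) throw new Error("truncated TLV");
  const b = buf[pos];
  if (b < 0xfd) return [b, pos + 1];
  if (b === 0xfd) return [(buf[pos + 1] << 8) | buf[pos + 2], pos + 3];
  if (b === 0xfe) return [buf[pos + 1] * 2 ** 24 + (buf[pos + 2] << 16) + (buf[pos + 3] << 8) + buf[pos + 4], pos + 5];
  throw new Error("8-byte VAR-NUMBER not supported in this example");
}
function readTlv(buf: Uint8Array, pos: number): [{ type: number; value: Uint8Array }, number] {
  const [type, p1] = readVarNumber(buf, pos);
  const [len, p2] = readVarNumber(buf, p1);
  if (p2 + len > buf.length) throw new Error("truncated TLV");
  return [{ type, value: buf.subarray(p2, p2 + len) }, p2 + len];
}
// ASCII "20210123T085837" -> Date in UTC; anything else is rejected.
function parseIsoBasic(value: Uint8Array): Date {
  const s = Array.from(value, (b) => String.fromCharCode(b)).join("");
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})$/.exec(s);
  if (!m) throw new Error(`bad timestamp "${s}"`);
  const [y, mo, d, h, mi, se] = m.slice(1).map(Number);
  return new Date(Date.UTC(y, mo - 1, d, h, mi, se));
}
function decodeValidityPeriod(wire: Uint8Array): ValidityPeriod {
  const [outer, end] = readTlv(wire, 0);
  if (outer.type !== 253 || end !== wire.length) throw new Error("not a ValidityPeriod");
  const [nb, mid] = readTlv(outer.value, 0);
  const [na, fin] = readTlv(outer.value, mid);
  if (nb.type !== 254 || na.type !== 255 || fin !== outer.value.length) throw new Error("malformed ValidityPeriod");
  return { notBefore: parseIsoBasic(nb.value), notAfter: parseIsoBasic(na.value) };
}
// Problems with `vp` at `now` (empty = usable); run on the CA cert at startup, on each NEW, before each issuance.
function checkValidity(vp: ValidityPeriod, now: Date): string[] {
  const issues: string[] = [];
  if (vp.notBefore.getTime() > vp.notAfter.getTime()) issues.push("NotBefore is later than NotAfter");
  if (now.getTime() < vp.notBefore.getTime()) issues.push("not yet valid");
  if (now.getTime() > vp.notAfter.getTime()) issues.push("expired");
  return issues;
}
function fromHex(hex: string): Uint8Array {
  return new Uint8Array(hex.length / 2).map((_, i) => parseInt(hex.slice(2 * i, 2 * i + 2), 16));
}
// The ValidityPeriod bytes from the hex dump in the message above (sample input).
const REQUEST_VP = fromHex("fd00fd26fd00fe0f323032313031323354303835383337fd00ff0f323032303132333154323335393539");
// Checked at the time the message was sent: 2021-01-23 01:17:46 PST = 09:17:46 UTC.
const REQUEST_ISSUES = checkValidity(decodeValidityPeriod(REQUEST_VP), new Date(Date.UTC(2021, 0, 23, 9, 17, 46)));
```

Running it reports both "NotBefore is later than NotAfter" and "expired" for the dumped request, and the same checkValidity call on the CA certificate's own period (NotAfter 20201231T235959) returns "expired" on the date of this message.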
On Fri, Jan 22, 2021 at 6:53 PM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:

> *External Email*
>
>
> On Fri, Jan 22, 2021 at 12:55 PM Junxiao Shi <shijunxiao at email.arizona.edu>
> wrote:
>
>> Hi Zhiyi
>>
>> There are still erroneous packets starting with /ndn/CA in the
>> /localhost/repo-ng repository.
>> To check that, go to https://suns.cs.ucla.edu/n/ , on "Routes" tab
>> select "/ndn/CA" prefix. It should show only one nexthop pointing to the CA
>> program.
>> Currently it's showing two nexthops: a repo-ng instance and the CA
>> program.
>>
>> Please delete the erroneous packets.
>> If you are sure no erroneous packet exists, try restarting the repo-ng
>> service and see whether the prefix registration clears up.
>>
>
> I deleted the packet with an SQLite database operation.
> I think I will need to restart it to reflect the change.
>
>
>> Another problem is, the CA program is not responding to certificate
>> retrieval Interests that carry the implicit digest component.
>> This needs to be fixed in the CA program.
>>
>> https://github.com/Zhiyi-Zhang/ndncert/blob/aa60c96f609ba4a3c92344c77bbb63e6d7e116fa/tools/ndncert-ca-server.cpp#L152
>>
>
> Okay. I think I will need to use getFullName instead of getName()
>
> Best,
> Zhiyi
>
>>
>>
>> Yours, Junxiao
>>
>> On Fri, Jan 22, 2021 at 2:18 PM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:
>>
>>> *External Email*
>>> Hi Junxiao and John,
>>>
>>> As discussed during the NFD call:
>>> * I just brought the NDNCERT back online without the dependencies on the
>>> repo.
>>> * Now the profile and published certs are kept by the NDNCERT CA tool. I
>>> replaced map with a fixed size queue to prevent the cache from going
>>> infinitely large.
>>> * I've deleted the profile data from the repo
>>>
>>> @John Then, there is no need to set up a new repo-ng.
>>> Thank you so much.
>>>
>>> Best,
>>> Zhiyi
>>>
>>> On Fri, Jan 22, 2021 at 10:01 AM Junxiao Shi <
>>> shijunxiao at email.arizona.edu> wrote:
>>>
>>>> Hi Zhiyi
>>>>
>>>> repo-ng at /localhost/repo-ng listens on TCP port 7376.
>>>>
>>>> https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/repo-ng/templates/repo-ng.conf.j2#L35
>>>> It has registration-subset=3.
>>>>
>>>> repo-ng at /localhost/repo-ng-2 listens on TCP port 7377.
>>>>
>>>> https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/repo-ng/templates/repo-ng-2.conf.j2#L32
>>>> It has registration-subset disabled.
>>>>
>>>> ndn-python-repo listens on TCP port 7378.
>>>>
>>>> https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/ndn-python-repo/templates/ndn-python-repo.conf.j2#L26
>>>>
>>>> As explained in
>>>> https://www.lists.cs.ucla.edu/pipermail/nfd-dev/2021-January/004238.html
>>>> , you need another instance of repo-ng with registration-subset=0 to
>>>> publish your CA profile and issued certificates.
>>>>
>>>> Yours, Junxiao
>>>>
>>>> On Fri, Jan 22, 2021 at 12:54 PM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:
>>>>
>>>>> *External Email*
>>>>> Hi John,
>>>>>
>>>>> Could you also let me know the port number of the different running
>>>>> instances of repo? Because NDNCERT is using TCP Bulk to insert packets into
>>>>> the repo.
>>>>>
>>>>> Best,
>>>>> Zhiyi
>>>>>
>>>>> On Fri, Jan 22, 2021 at 8:34 AM Dehart, John <jdd at wustl.edu> wrote:
>>>>>
>>>>>>
>>>>>> Looks like there was no ‘Restart’ entry in the systemd file for the
>>>>>> python repo.
>>>>>> I’ve added that and we’ll see if it does better.
>>>>>>
>>>>>> John
>>>>>>
>>>>>>
>>>>>> On Jan 22, 2021, at 10:21 AM, Dehart, John via Nfd-dev <
>>>>>> nfd-dev at lists.cs.ucla.edu> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> I’ll take a look at the repo issue. All testbed nodes should be
>>>>>> running both repo-ng and python repo.
>>>>>> Maybe it's a systemd issue.
>>>>>>
>>>>>> John
>>>>>>
>>>>>> On Jan 20, 2021, at 9:38 PM, Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:
>>>>>>
>>>>>> Yeah. I found the repo is not running on the Suns: ERROR: Cannot
>>>>>> publish certificate to repo-ng (Connection refused)
>>>>>>
>>>>>> @Lixia do you know who I should contact to deploy the repo? And which
>>>>>> repo should be used?
>>>>>>
>>>>>> I just brought back the NDNCERT without the parameter to publish to the
>>>>>> repo. After people figure out the repo deployment, I will update the
>>>>>> parameter used in the NDNCERT service.
>>>>>>
>>>>>> Best,
>>>>>> Zhiyi
>>>>>>
>>>>>> On Wed, Jan 20, 2021 at 11:11 AM Junxiao Shi <
>>>>>> shijunxiao at email.arizona.edu> wrote:
>>>>>>
>>>>>>> Hi Zhiyi
>>>>>>>
>>>>>>> As you mentioned on the 2021-01-15 NFD call, you have updated the
>>>>>>> deployment to use 2019 Naming Convention.
>>>>>>> However, I'm now unable to retrieve the CA profile - the CA is not
>>>>>>> responding at all.
>>>>>>>
>>>>>>> $ ndnpeek -Pf /ndn/CA/INFO/32=metadata
>>>>>>> $ echo $?
>>>>>>> 3
>>>>>>>
>>>>>>> Wireshark and NFD counters indicate that the Interest has arrived on
>>>>>>> suns.cs.ucla.edu, but there's no response.
>>>>>>>
>>>>>>> Yours, Junxiao
>>>>>>>
>>>>>>
>>>>>