[Nfd-dev] Has the testbed changed?

Junxiao Shi shijunxiao at email.arizona.edu
Thu Jan 28 10:27:10 PST 2021


Hi Nikos

Prefix propagation is a finicky part of the testbed.
See https://talks.ndn.today PersonalCA_20200529.pptx page 32-37 and page 19
for explanation.

Your end host must be able to satisfy Interests for not only your own
certificates, but also every certificate in the certificate chain, in order
to ensure a successful registration.
To confirm whether certificate retrieval is a problem:

   1. Stop NFD.
   2. Start a traffic capture: sudo tcpdump -i eth0 -w 1.pcap 'port 6363'
   Substitute eth0 with the network interface name that you are using to
   access the testbed.
   3. Start NFD, connect to the testbed, and attempt a registration.
   4. Stop the traffic capture by pressing CTRL+C on the tcpdump.

Then analyze the traffic trace:

   1. Download NDN dissector for Wireshark from
   https://github.com/named-data/ndn-tools/tree/master/tools/dissect-wireshark
   2. Start Wireshark with this command: wireshark -Xlua_script:ndn.lua 1.pcap
   3. Look at the certificate retrieval Interests from the router to your
   end host: is there any Interest not satisfied?

You can also send the traffic trace to this mailing list thread so that
others can have a look.


Other problematic situations include:

   - Your certificate or one of the intermediate certificates has expired.
   - The clock skew between your end host and the connected router must be
   sufficiently small (I think the limit is 120 seconds). This problem can be
   prevented by using NTP synchronization. You can view the testbed clock skew
   situation on the https://ndndemo.arl.wustl.edu page.
   - You are sharing the same key across multiple end hosts. This would
   trigger replay attack protection in Signed Interest validation. You need a
   unique key for each end host.
   - If a self-signed, expired, or otherwise invalid certificate is somehow
   published in the network and exists in the cache, the validator could
   receive that certificate and then return an authorization rejected error.
   See https://talks.ndn.today PersonalCA_20200529.pptx page 22 for
   explanation. The solution is #5112
   <https://redmine.named-data.net/issues/5112> but it wouldn't happen
   anytime soon.


I have been wanting to make a chatbot that automatically diagnoses prefix
propagation problems. See ideas in Slack:
https://named-data.slack.com/archives/C8EUCRW81/p1557570826066700
https://named-data.slack.com/archives/C8P74KF2A/p1568140527179100
Maybe this could happen at one of the future hackathons.

Yours, Junxiao

On Thu, Jan 28, 2021 at 12:19 PM Nikos Fotiou via Nfd-dev <
nfd-dev at lists.cs.ucla.edu> wrote:

> Hi,
>
> I have some code that used to make prefix propagation successfully but now
> I receive an error like the following and my code has stopped working.
>
> DEBUG: [nfd.Readvertise] advertise /ndn/edu/colostate/%40GUEST/fotiou%40aueb.gr failure authorization rejected
>
> Moreover, I receive the same error when trying to use ndn6-serve-certs
> from https://github.com/yoursunny/ndn6-tools
>
> Is there any change to the testbed? Or can you guess what might have
> changed?
>
> I have tried to attach to udp://ndn.netsec.colostate.edu as well as to
> udp://mmlab-aueb-1.mmlab.edu.gr and I receive the same error. I have also
> tried to create fresh keys but I still get the same error. Finally, I have
> received keys for /ndn/gr/aueb/fotiou but this does not work either.
>
> Best,
> Nikos
>
>
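Added example, not part of the original message and not code from NFD or ndn-tools: a scripted version of the last trace analysis step in the reply above, listing certificate Interests (names containing a KEY component) that no Data packet answered. It assumes the port 6363 UDP payloads were already exported from the capture, ignores packet direction, timing and NDNLPv2 fragmentation, and treats any Data whose name extends the Interest name as a match; all names and sample packets are constructed.

```python
from urllib.parse import quote

INTEREST, DATA, NAME, COMPONENT, LP_PACKET, LP_FRAGMENT = 5, 6, 7, 8, 0x64, 0x50

def read_varnum(buf, pos):  # NDN TLV variable-size number -> (value, next_pos)
    first = buf[pos]
    if first < 253:
        return first, pos + 1
    size = {253: 2, 254: 4, 255: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "big"), pos + 1 + size

def read_tlvs(buf):  # yield (type, value) for each TLV element in buf
    pos = 0
    while pos < len(buf):
        typ, pos = read_varnum(buf, pos)
        length, pos = read_varnum(buf, pos)
        if pos + length > len(buf):
            raise ValueError("truncated TLV")
        yield typ, buf[pos:pos + length]
        pos += length

def parse_packet(payload):
    """Return ('I' or 'D', name components), or None for anything else."""
    typ, value = next(read_tlvs(payload), (None, b""))
    if typ == LP_PACKET:  # NDNLPv2 wrapper: the network packet sits in Fragment
        frags = [v for t, v in read_tlvs(value) if t == LP_FRAGMENT]
        if not frags:
            return None  # IDLE packet, no payload
        typ, value = next(read_tlvs(frags[0]), (None, b""))
    if typ not in (INTEREST, DATA):
        return None
    name = next((v for t, v in read_tlvs(value) if t == NAME), b"")
    return ("I" if typ == INTEREST else "D"), tuple(c for _, c in read_tlvs(name))

def unsatisfied_cert_interests(payloads):
    """URIs of Interests with a KEY component that no Data name extends."""
    parsed = [p for p in map(parse_packet, payloads) if p]
    data = [n for kind, n in parsed if kind == "D"]
    return ["/" + "/".join(quote(c, safe="") for c in n) for kind, n in parsed
            if kind == "I" and b"KEY" in n and not any(d[:len(n)] == n for d in data)]

def tlv(typ, value):  # encoder for the constructed samples below (length < 253)
    return bytes([typ, len(value)]) + value
def name_tlv(*comps):
    return tlv(NAME, b"".join(tlv(COMPONENT, c.encode()) for c in comps))

SAMPLE = [  # constructed UDP payloads, not taken from a real capture
    tlv(INTEREST, name_tlv("ndn", "example", "alice", "KEY", "k1")),
    tlv(LP_PACKET, tlv(LP_FRAGMENT, tlv(DATA, name_tlv("ndn", "example", "alice", "KEY", "k1", "ca", "v1")))),
    tlv(INTEREST, name_tlv("ndn", "example", "KEY", "k0")),
]
```

An Interest reported here is a certificate in the chain that the end host did not serve during the capture.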