[Nfd-dev] Has the testbed changed?

Nikos Fotiou fotiou at aueb.gr
Fri Jan 29 02:38:44 PST 2021


Problem solved.
TL;DR
The code had a bug but it appeared to work because the certificate was cached. Here is how I now use python-ndn to advertise a certificate:

from typing import Optional
from ndn.app import NDNApp
from ndn.types import FormalName, InterestParam, BinaryStr

prefix = "/ndn/edu/colostate/%40GUEST/nikosft%40gmail.com"
app = NDNApp()
# Default certificate of the identity's default key, read from the keychain
cert = app.keychain[prefix].default_key().default_cert()

@app.route(cert.key)  # serve it under the key name that validators ask for
def cert_interest(name: FormalName, param: InterestParam, _app_param: Optional[BinaryStr]):
    app.put_raw_packet(cert.data)  # reply with the stored certificate Data as-is

app.run_forever()


Longer version
I used ndn6-serve-certs to serve a certificate. The certificate was advertised correctly. Then I tried to implement the functionality in python-ndn. My code was wrong but it appeared to work because the correct certificate was cached. When I tried with a new certificate, my code was sending wrong data. This had a dual impact: the advertised interests were rejected, and the ndn6-serve-certs tool had no effect since the wrong data was cached.

Thanks for your help
Nikos

--
Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
Researcher - Mobile Multimedia Laboratory
Athens University of Economics and Business
https://mm.aueb.gr

> On 28 Jan 2021, at 8:27 PM, Junxiao Shi <shijunxiao at email.arizona.edu> wrote:
> 
> Hi Nikos
> 
> Prefix propagation is a finicky part of the testbed.
> See https://talks.ndn.today PersonalCA_20200529.pptx pages 32-37 and page 19 for explanation.
> 
> Your end host must be able to satisfy Interests for not only your own certificates, but also every certificate in the certificate chain, in order to ensure a successful registration.
> To confirm whether certificate retrieval is a problem:
>   • Stop NFD.
>   • Start a traffic capture: sudo tcpdump -i eth0 -w 1.pcap 'port 6363'
>     Substitute eth0 with the network interface name that you are using to access the testbed.
>   • Start NFD, connect to the testbed, and attempt a registration.
>   • Stop the traffic capture by pressing CTRL+C on the tcpdump.
> Then analyze the traffic trace:
>   • Download the NDN dissector for Wireshark from https://github.com/named-data/ndn-tools/tree/master/tools/dissect-wireshark
>   • Start Wireshark with this command: wireshark -Xlua_script:ndn.lua 1.pcap
>   • Look at the certificate retrieval Interests from the router to your end host: is there any Interest not satisfied?
> You can also send the traffic trace to this mailing list thread so that others can have a look.
> 
> 
> Other problematic situations include:
>   • Your certificate or one of the intermediate certificates has expired.
>   • The clock skew between your end host and the connected router must be sufficiently small (I think the limit is 120 seconds). This problem can be prevented by using NTP synchronization. You can view the testbed clock skew situation at https://ndndemo.arl.wustl.edu page.
>   • You are sharing the same key across multiple end hosts. This would trigger replay attack protection in Signed Interest validation. You need a unique key for each end host.
>   • If a self-signed, expired, or otherwise invalid certificate is somehow published in the network and exists in the cache, the validator could receive that certificate and then return an authorization rejected error.
>     See https://talks.ndn.today PersonalCA_20200529.pptx page 22 for explanation. The solution is #5112 but it wouldn't happen anytime soon.
> 
> I have been wanting to make a chatbot that automatically diagnoses prefix propagation problems. See ideas in Slack:
> https://named-data.slack.com/archives/C8EUCRW81/p1557570826066700
> https://named-data.slack.com/archives/C8P74KF2A/p1568140527179100
> Maybe this could happen at one of the future hackathons.
> 
> Yours, Junxiao
> 
> On Thu, Jan 28, 2021 at 12:19 PM Nikos Fotiou via Nfd-dev <nfd-dev at lists.cs.ucla.edu> wrote:
> Hi,
> 
> I have some code that used to make prefix propagation successfully but now I receive an error like the following and my code has stopped working.
> 
> DEBUG: [nfd.Readvertise] advertise /ndn/edu/colostate/%40GUEST/fotiou%40aueb.gr failure authorization rejected
> 
> Moreover, I receive the same error when trying to use ndn6-serve-certs from https://github.com/yoursunny/ndn6-tools
> 
> Is there any change to the testbed? Or can you guess what might have changed?
> 
> I have tried to attach to udp://ndn.netsec.colostate.edu as well as to udp://mmlab-aueb-1.mmlab.edu.gr and I receive the same error. I have also tried to create fresh keys but I still get the same error. Finally, I have received keys for /ndn/gr/aueb/fotiou but this does not work either.
> 
> Best,
> Nikos
> 
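
Added example, not code from this thread, from python-ndn or from the NDN testbed validator: a small Python model of the two Signed Interest checks Junxiao lists above (clock skew and replay protection), showing why two end hosts that share one key end up rejecting each other's registrations. The 120-second grace interval is the value quoted in the thread; the exact rule shape (per-key last accepted timestamp plus a set of seen nonces), the fixed router clock and the key name are assumptions constructed for this model.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Grace interval taken from the thread ("I think the limit is 120 seconds");
# treated here as an assumption about the testbed validator, not a verified constant.
TIMESTAMP_GRACE_SECONDS = 120


@dataclass
class SignedInterestState:
    """Per-key replay state kept by the validator (model only)."""
    last_timestamp_ms: int = -1
    seen_nonces: set = field(default_factory=set)


class SignedInterestValidator:
    """Models timestamp-freshness and replay checks on Signed Interests.

    Assumed rules: the SignatureTime must lie within the grace interval of the
    router clock, must be strictly newer than the last accepted timestamp for the
    same signing key, and the nonce must not have been seen for that key before.
    """

    def __init__(self, grace_seconds: int = TIMESTAMP_GRACE_SECONDS,
                 now_ms: Optional[Callable[[], int]] = None):
        self.grace_ms = grace_seconds * 1000
        self.state: Dict[str, SignedInterestState] = {}
        self.now_ms = now_ms if now_ms is not None else (lambda: int(time.time() * 1000))

    def check(self, key_name: str, timestamp_ms: int, nonce: bytes) -> Tuple[bool, str]:
        now = self.now_ms()
        if abs(now - timestamp_ms) > self.grace_ms:
            return False, "timestamp outside grace interval (clock skew?)"
        st = self.state.setdefault(key_name, SignedInterestState())
        if timestamp_ms <= st.last_timestamp_ms:
            return False, "timestamp not newer than last accepted for this key (replay)"
        if nonce in st.seen_nonces:
            return False, "nonce already seen for this key (replay)"
        # Only an accepted Interest advances the per-key state.
        st.last_timestamp_ms = timestamp_ms
        st.seen_nonces.add(nonce)
        return True, "accepted"


def simulate_shared_key(skew_seconds: int = 5) -> List[Tuple[str, bool, str]]:
    """Two end hosts sign with the same key; host B's clock lags by skew_seconds.

    Both clocks are well inside the 120 s grace interval, yet host B is rejected:
    its timestamp is older than the one the router already accepted from host A.
    """
    router_now = 1_700_000_000_000  # constructed fixed router clock, in ms
    validator = SignedInterestValidator(now_ms=lambda: router_now)
    key = "/example/guest/alice/KEY/1"  # constructed key name, not a testbed identity
    results = []
    results.append(("host A", *validator.check(key, router_now, secrets.token_bytes(8))))
    results.append(("host B", *validator.check(key, router_now - skew_seconds * 1000,
                                               secrets.token_bytes(8))))
    results.append(("host A again", *validator.check(key, router_now + 1000,
                                                     secrets.token_bytes(8))))
    return results


if __name__ == "__main__":
    for host, ok, reason in simulate_shared_key():
        print(f"{host:12s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

In the shared-key run, host A is accepted, host B is rejected as a replay although its clock is only a few seconds behind, and host A's next Interest is accepted again; giving each host its own key gives each its own replay state, which is the fix the thread recommends. A timestamp more than 120 s from the router clock is rejected before any replay state is consulted, which is the NTP case.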
