[Nfd-dev] [EXT] Re: Try NDNCERT (based on Interest-Data exchange) and get an NDN certificate today

Junxiao Shi shijunxiao at email.arizona.edu
Fri Jan 29 20:40:46 PST 2021


Hi Zhiyi

It's been a week. I saw some commits related to these items. Have you
updated the deployment?

Yours, Junxiao

On Sat, Jan 23, 2021, 04:17 Junxiao Shi <shijunxiao at email.arizona.edu>
wrote:

> Hi Zhiyi
>
> I can confirm that the routes for /ndn/CA are correct now.
> If you delete packets from repo-ng's database, you do have to restart the
> service. repo-ng can pick up changes and unregister the prefix only if you
> delete Data through its API.
>
> However, it seems that the CA certificate has expired:
> $ NDNTS_UPLINK=tcp://192.168.5.10 ndncat get-segmented /ndn/CA/INFO |
> ndn-dissect | awk '$1>=253 && $1<=255'
>       253 (RESERVED_3) (size: 38)
>         254 (RESERVED_3) (size: 15) [[20171220T001939]]
>         255 (RESERVED_3) (size: 15) [[20201231T235959]]
> You'll need to use an unexpired CA certificate for certificate request to
> succeed, according to section "2.3.3 ValidityPeriod" requirements.
>
> This did expose an NDNts bug: I'm still creating a request with a
> ValidityPeriod whose NotBefore is later than its NotAfter, like this:
> 0000   fd 00 fd 26 fd 00 fe 0f 32 30 32 31 30 31 32 33   ...&....20210123
> 0010   54 30 38 35 38 33 37 fd 00 ff 0f 32 30 32 30 31   T085837....20201
> 0020   32 33 31 54 32 33 35 39 35 39                     231T235959
> I'll get it fixed.
>
> Your CA implementation is also lacking necessary checks for CA certificate
> validity period, according to section "2.3.3 ValidityPeriod" requirements.
>
> https://github.com/Zhiyi-Zhang/ndncert/blob/d35bc5f78dae76cc3f56479336845cb1aeb6c9f3/src/ca-module.cpp#L270-L272
> This must be checked during NEW command processing and possibly also
> before issuing each certificate. It's insufficient to only check at CA
> startup, because the CA certificate could become expired while the CA is
> running.
>
> Yours, Junxiao
>
> On Fri, Jan 22, 2021 at 6:53 PM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:
>
>>
>> On Fri, Jan 22, 2021 at 12:55 PM Junxiao Shi <
>> shijunxiao at email.arizona.edu> wrote:
>>
>>> Hi Zhiyi
>>>
>>> There are still erroneous packets starting with /ndn/CA in the
>>> /localhost/repo-ng repository.
>>> To check that, go to https://suns.cs.ucla.edu/n/ , on "Routes" tab
>>> select "/ndn/CA" prefix. It should show only one nexthop pointing to the CA
>>> program.
>>> Currently it's showing two nexthops: a repo-ng instance and the CA
>>> program.
>>>
>>> Please delete the erroneous packets.
>>> If you are sure no erroneous packet exists, try restarting the repo-ng
>>> service and see whether the prefix registration clears up.
>>>
>>
>> I deleted the packet with an SQLite database operation.
>> I think I will need to restart it to reflect the change.
>>
>>
>>> Another problem is, the CA program is not responding to certificate
>>> retrieval Interests that carry the implicit digest component.
>>> This needs to be fixed in the CA program.
>>>
>>> https://github.com/Zhiyi-Zhang/ndncert/blob/aa60c96f609ba4a3c92344c77bbb63e6d7e116fa/tools/ndncert-ca-server.cpp#L152
>>>
>>
>> Okay. I think I will need to use getFullName() instead of getName().
>>
>> Best,
>> Zhiyi
>>
>>>
>>>
>>> Yours, Junxiao
>>>
>>> On Fri, Jan 22, 2021 at 2:18 PM Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:
>>>
>>>> Hi Junxiao and John,
>>>>
>>>> As discussed during the NFD call:
>>>> * I just brought the NDNCERT back online without the dependencies on
>>>> the repo.
>>>> * Now the profile and published certs are kept by the NDNCERT CA tool.
>>>> I replaced the map with a fixed-size queue to prevent the cache from growing
>>>> without bound.
>>>> * I've deleted the profile data from the repo
>>>>
>>>> @John, then there is no need to set up a new repo-ng.
>>>> Thank you so much.
>>>>
>>>> Best,
>>>> Zhiyi
>>>>
>>>> On Fri, Jan 22, 2021 at 10:01 AM Junxiao Shi <
>>>> shijunxiao at email.arizona.edu> wrote:
>>>>
>>>>> Hi Zhiyi
>>>>>
>>>>> repo-ng at /localhost/repo-ng listens on TCP port 7376.
>>>>>
>>>>> https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/repo-ng/templates/repo-ng.conf.j2#L35
>>>>> It has registration-subset=3.
>>>>>
>>>>> repo-ng at /localhost/repo-ng-2 listens on TCP port 7377.
>>>>>
>>>>> https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/repo-ng/templates/repo-ng-2.conf.j2#L32
>>>>> It has registration-subset disabled.
>>>>>
>>>>> ndn-python-repo listens on TCP port 7378.
>>>>>
>>>>> https://github.com/WU-ARL/NDN_Ansible/blob/da31ed28c65c1e94a688070fc9be4ae74e4f6645/roles/ndn-python-repo/templates/ndn-python-repo.conf.j2#L26
>>>>>
>>>>> As explained in
>>>>> https://www.lists.cs.ucla.edu/pipermail/nfd-dev/2021-January/004238.html
>>>>> , you need another instance of repo-ng with registration-subset=0 to
>>>>> publish your CA profile and issued certificates.
>>>>>
>>>>> Yours, Junxiao
>>>>>
>>>>> On Fri, Jan 22, 2021 at 12:54 PM Zhiyi Zhang <zhiyi at cs.ucla.edu>
>>>>> wrote:
>>>>>
>>>>>> Hi John,
>>>>>>
>>>>>> Could you also let me know the port numbers of the different running
>>>>>> instances of the repo? NDNCERT is using TCP Bulk insertion to insert
>>>>>> packets into the repo.
>>>>>>
>>>>>> Best,
>>>>>> Zhiyi
>>>>>>
>>>>>> On Fri, Jan 22, 2021 at 8:34 AM Dehart, John <jdd at wustl.edu> wrote:
>>>>>>
>>>>>>>
>>>>>>> Looks like there was no ‘Restart’  entry in the systemd file for the
>>>>>>> python repo.
>>>>>>> I’ve added that and we’ll see if it does better.
>>>>>>>
>>>>>>> John
>>>>>>>
>>>>>>>
>>>>>>> On Jan 22, 2021, at 10:21 AM, Dehart, John via Nfd-dev <
>>>>>>> nfd-dev at lists.cs.ucla.edu> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I’ll take a look at the repo issue. All testbed nodes should be
>>>>>>> running both repo-ng and python repo.
>>>>>>> Maybe it's a systemd issue.
>>>>>>>
>>>>>>> John
>>>>>>>
>>>>>>> On Jan 20, 2021, at 9:38 PM, Zhiyi Zhang <zhiyi at cs.ucla.edu> wrote:
>>>>>>>
>>>>>>> Yeah. I found the repo is not running on the Suns: ERROR: Cannot
>>>>>>> publish certificate to repo-ng (Connection refused)
>>>>>>>
>>>>>>> @Lixia, do you know whom I should contact to deploy the repo, and
>>>>>>> which repo should be used?
>>>>>>>
>>>>>>> I just brought NDNCERT back without the parameter to publish to
>>>>>>> the repo. After people figure out the repo deployment, I will update the
>>>>>>> parameter used in the NDNCERT service.
>>>>>>>
>>>>>>> Best,
>>>>>>> Zhiyi
>>>>>>>
>>>>>>> On Wed, Jan 20, 2021 at 11:11 AM Junxiao Shi <
>>>>>>> shijunxiao at email.arizona.edu> wrote:
>>>>>>>
>>>>>>>> Hi Zhiyi
>>>>>>>>
>>>>>>>> As you mentioned on the 2021-01-15 NFD call, you have updated the
>>>>>>>> deployment to use the 2019 Naming Convention.
>>>>>>>> However, I'm now unable to retrieve the CA profile - the CA is not
>>>>>>>> responding at all.
>>>>>>>>
>>>>>>>> $ ndnpeek -Pf /ndn/CA/INFO/32=metadata
>>>>>>>> $ echo $?
>>>>>>>> 3
>>>>>>>>
>>>>>>>> Wireshark and NFD counters indicate that the Interest has arrived
>>>>>>>> on suns.cs.ucla.edu, but there's no response.
>>>>>>>>
>>>>>>>> Yours, Junxiao
>>>>>>>>
>>>>>>>
>>>>>>
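The ValidityPeriod checks discussed in the thread, as an added example that is not code from NDNCERT or NDNts. It decodes the TLV bytes posted in the message (type 253 ValidityPeriod carrying 254 NotBefore and 255 NotAfter, timestamps as YYYYMMDDThhmmss in UTC), flags the inverted period that NDNts produced, reports the CA certificate as expired for the date of the exchange, and shows a CA-side gate that is evaluated on every NEW request rather than once at startup. The function names, the small encoder helper and the "now" values are assumptions made for illustration; the CA certificate period is re-encoded from the ndn-dissect output, not taken from the original packet bytes.

```python
"""Decode and check an NDN ValidityPeriod (TLV types 253/254/255).

Added example; not NDNCERT or NDNts code. Timestamps use ISO 8601 basic
format YYYYMMDDThhmmss, UTC, as in the dump quoted in the message.
"""
from datetime import datetime, timezone

VALIDITY_PERIOD, NOT_BEFORE, NOT_AFTER = 253, 254, 255
TS_FORMAT = "%Y%m%dT%H%M%S"


def read_varnum(buf, off):
    """NDN variable-length number: one byte below 253, otherwise a marker
    byte 0xFD/0xFE/0xFF followed by 2/4/8 big-endian bytes."""
    first = buf[off]
    if first < 0xFD:
        return first, off + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    end = off + 1 + size
    if end > len(buf):
        raise ValueError("truncated number")
    return int.from_bytes(buf[off + 1:end], "big"), end


def read_tlv(buf, off):
    """Return (type, value, offset just past this TLV)."""
    t, off = read_varnum(buf, off)
    length, off = read_varnum(buf, off)
    if off + length > len(buf):
        raise ValueError("truncated TLV")
    return t, bytes(buf[off:off + length]), off + length


def encode_validity_period(not_before, not_after):
    """Encode two timestamp strings (assumed helper; lengths stay < 253)."""
    def tlv(t, value):
        assert len(value) < 0xFD
        return bytes([0xFD]) + t.to_bytes(2, "big") + bytes([len(value)]) + value
    inner = tlv(NOT_BEFORE, not_before.encode("ascii")) + tlv(NOT_AFTER, not_after.encode("ascii"))
    return tlv(VALIDITY_PERIOD, inner)


def parse_validity_period(buf):
    """Return (not_before, not_after) as aware UTC datetimes; raise on bad input."""
    t, value, end = read_tlv(buf, 0)
    if t != VALIDITY_PERIOD or end != len(buf):
        raise ValueError("not a single ValidityPeriod TLV")
    fields, off = {}, 0
    while off < len(value):
        sub_t, sub_v, off = read_tlv(value, off)
        fields[sub_t] = sub_v
    if set(fields) != {NOT_BEFORE, NOT_AFTER}:
        raise ValueError("ValidityPeriod must carry exactly NotBefore and NotAfter")

    def ts(raw):
        return datetime.strptime(raw.decode("ascii"), TS_FORMAT).replace(tzinfo=timezone.utc)
    return ts(fields[NOT_BEFORE]), ts(fields[NOT_AFTER])


def check_validity(buf, now):
    """Classify a ValidityPeriod relative to 'now'."""
    try:
        not_before, not_after = parse_validity_period(buf)
    except (ValueError, KeyError, IndexError, UnicodeDecodeError):
        return "malformed"
    if not_before > not_after:
        return "inverted"        # the NDNts bug from the message
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    return "valid"


def ca_may_issue(ca_cert_vp, request_vp, now=None):
    """Gate to run on every NEW request (and again before signing), not only
    at startup: the CA certificate can expire while the CA keeps running."""
    now = now or datetime.now(timezone.utc)
    ca_state = check_validity(ca_cert_vp, now)
    if ca_state != "valid":
        return False, f"CA certificate {ca_state}"
    req_state = check_validity(request_vp, now)
    if req_state in ("malformed", "inverted"):
        return False, f"requested ValidityPeriod {req_state}"
    return True, "ok"


# Bytes exactly as dumped in the message: NotBefore 20210123T085837 is later
# than NotAfter 20201231T235959.
NDNTS_REQUEST_VP = bytes.fromhex(
    "fd00fd26" "fd00fe0f" "323032313031323354303835383337"
    "fd00ff0f" "323032303132333154323335393539")
# CA certificate period as printed by ndn-dissect (re-encoded here).
CA_CERT_VP = encode_validity_period("20171220T001939", "20201231T235959")

if __name__ == "__main__":
    now = datetime(2021, 1, 23, 8, 58, 37, tzinfo=timezone.utc)   # assumed "now"
    print(check_validity(NDNTS_REQUEST_VP, now))                   # inverted
    print(check_validity(CA_CERT_VP, now))                         # expired
    print(ca_may_issue(CA_CERT_VP, NDNTS_REQUEST_VP, now))
```

The gate takes the current time as a parameter so that it can be exercised at request-processing time in tests; a CA that only evaluates it once when it starts cannot notice its own certificate expiring afterwards.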
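The implicit-digest matching problem raised in the thread (the CA comparing Interest names against getName(), so Interests whose last component is the SHA-256 digest of the Data never match), as an added example that is not ndncert code. The certificate name and the Data wire bytes are constructed stand-ins, and the helper names are assumptions; the matching rule itself is the NDN one: an Interest name must equal the Data name or the full name, or be a prefix of the full name when CanBePrefix is set.

```python
"""Interest-to-Data name matching with an implicit digest component.

Added example; not ndncert code. A Data packet's full name is its name
plus an ImplicitSha256DigestComponent (type 1) holding SHA-256 of the
entire encoded Data packet. Comparing only against the plain name drops
every Interest that carries that digest.
"""
import hashlib

IMPLICIT_SHA256_DIGEST = 1   # component type of the implicit digest
GENERIC = 8                  # GenericNameComponent


def name_from_uri(uri):
    """Constructed helper: '/a/b' -> [(8, b'a'), (8, b'b')]; a component written
    as 'sha256digest=<hex>' (the NDN URI form) becomes a type-1 component.
    ASCII-only; percent-encoding is deliberately not handled here."""
    comps = []
    for part in uri.strip("/").split("/"):
        if part.startswith("sha256digest="):
            comps.append((IMPLICIT_SHA256_DIGEST, bytes.fromhex(part[len("sha256digest="):])))
        else:
            comps.append((GENERIC, part.encode("ascii")))
    return comps


def to_uri(name):
    return "/" + "/".join(
        "sha256digest=" + v.hex() if t == IMPLICIT_SHA256_DIGEST else v.decode("ascii")
        for t, v in name)


def full_name(data_name, data_wire):
    """What getFullName() yields: name + digest of the whole encoded Data."""
    return data_name + [(IMPLICIT_SHA256_DIGEST, hashlib.sha256(data_wire).digest())]


def matches_by_name(interest_name, data_name, can_be_prefix=False):
    """Comparing against getName(): an Interest ending in a digest never
    matches, because the digest is not part of the Data name."""
    if can_be_prefix:
        return data_name[:len(interest_name)] == interest_name
    return interest_name == data_name


def matches_by_full_name(interest_name, data_name, data_wire, can_be_prefix=False):
    """NDN rule: exact match against the name or the full name, or a prefix
    of the full name when CanBePrefix is set. A wrong digest cannot match."""
    fn = full_name(data_name, data_wire)
    if can_be_prefix:
        return fn[:len(interest_name)] == interest_name
    return interest_name in (data_name, fn)


# Constructed stand-ins: a certificate name under the CA prefix and bytes
# standing in for its encoded Data packet (the digest covers all of them).
CERT_NAME = name_from_uri("/ndn/CA/example-cert")
CERT_WIRE = b"constructed stand-in for the encoded Data packet"

if __name__ == "__main__":
    fn = full_name(CERT_NAME, CERT_WIRE)
    digest_interest = name_from_uri(to_uri(fn))       # Interest naming the exact Data
    print(to_uri(digest_interest))
    print("getName():    ", matches_by_name(digest_interest, CERT_NAME))                   # False
    print("getFullName():", matches_by_full_name(digest_interest, CERT_NAME, CERT_WIRE))  # True
```

The digest is over the complete Data TLV (outer type and length included), so it changes whenever anything in the packet changes, signature included; that is why a full-name Interest pins one exact Data and why the CA must compare against the full name to serve it.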