The 20141119 conference call discussed this topic.
Suppose unroutable prefix /ndnsim is hosted on routable prefix /att/my-company/ndnsim-web.
There are two alternative designs for an encapsulated Data.
Design A:
  Data /att/my-company/ndnsim-web/fileA
    Signature: digest only
    Content: "/ndnsim is reachable at /att/my-company/ndnsim-web" signed by ndnsim
             Data /ndnsim/fileA signed by ndnsim
Design B:
  Data /att/my-company/ndnsim-web/fileA
    Signature: digest only
    Content: "/att/my-company/ndnsim-web hosts /ndnsim" signed by att
             Data /ndnsim/fileA signed by ndnsim
Design B requires att (the ISP) to sign a statement about what a customer wants to host.
This sounds unappealing.
However, the following attack is possible with Design A: eve can inject this packet into att's caches:
  Data /att/my-company/ndnsim-web/fileA
    Signature: digest only
    Content: "/eve is reachable at /att/my-company/ndnsim-web" signed by eve
             Data /eve/fileA signed by eve
This Data looks as good as the legitimate Data from ndnsim.
To inject this Data and poison the cache, eve needs two customer links: send Interest on the first customer link; when att routers have this Interest in the PIT, send Data on the second customer link.
Design B, on the other hand, prevents this attack: the hosting statement must carry att's signature, which eve cannot produce.
In addition, Design B doesn't require att to sign every unroutable prefix that a customer wants to host.
att just needs to sign one certificate for the identity /att/my-company, and that identity can then sign "/att/my-company/ndnsim-web hosts /ndnsim" and similar statements for other websites hosted under /att/my-company.
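As an added illustration (not from the call notes), the following Python model applies the validation rule each design implies to a legitimate encapsulated Data and to the injected one above; it shows the injected packet passing Design A's check while failing Design B's. The PKI is simulated: per-identity HMAC keys stand in for public-key signatures, the `KEYS` table, the statement wording and the field layout are assumptions, and the digest-only outer signature is modelled as unsigned.

```python
import hashlib
import hmac
# Constructed stand-in for a PKI (an assumption, not from the notes): the verifier
# trusts one key per identity, and HMAC-SHA256 stands in for a public-key signature.
KEYS = {"/att/my-company": b"my-company-key", "/ndnsim": b"ndnsim-key", "/eve": b"eve-key"}

def sign(identity, msg):
    return hmac.new(KEYS[identity], msg.encode(), hashlib.sha256).hexdigest()
def verify(identity, msg, sig):
    return identity in KEYS and hmac.compare_digest(sign(identity, msg), sig)
def make_data(name, content, signer):
    # Inner Data under the unroutable prefix, signed by its producer.
    return {"name": name, "content": content, "signer": signer,
            "sig": sign(signer, name + "|" + content)}

def encapsulate(routable, statement, stmt_signer, inner):
    # Outer Data: routable name, digest-only (unsigned here), signed statement + inner Data.
    return {"name": routable + "/" + inner["name"].rsplit("/", 1)[1],
            "statement": statement, "stmt_signer": stmt_signer,
            "stmt_sig": sign(stmt_signer, statement), "inner": inner}

def inner_ok(inner, unroutable):
    return (inner["name"].startswith(unroutable + "/") and inner["signer"] == unroutable
            and verify(unroutable, inner["name"] + "|" + inner["content"], inner["sig"]))

def validate_design_a(outer):
    # "<U> is reachable at <R>" is signed by U itself, so any identity can assert it.
    st, s = outer["statement"], outer["stmt_signer"]
    u, r = st.split(" is reachable at ")
    return (s == u and verify(u, st, outer["stmt_sig"])
            and outer["name"].startswith(r + "/") and inner_ok(outer["inner"], u))

def validate_design_b(outer):
    # "<R> hosts <U>" must be signed by the owner of R or of a prefix of R (att's side).
    st, s = outer["statement"], outer["stmt_signer"]
    r, u = st.split(" hosts ")
    return ((r == s or r.startswith(s + "/")) and verify(s, st, outer["stmt_sig"])
            and outer["name"].startswith(r + "/") and inner_ok(outer["inner"], u))

def demo():
    R, U = "/att/my-company/ndnsim-web", "/ndnsim"
    legit = make_data("/ndnsim/fileA", "real contents", U)
    other = make_data("/eve/fileA", "eve contents", "/eve")  # eve holds only her own key
    return {
        "A_legit": validate_design_a(encapsulate(R, f"{U} is reachable at {R}", U, legit)),
        "A_forged": validate_design_a(encapsulate(R, f"/eve is reachable at {R}", "/eve", other)),
        "B_legit": validate_design_b(encapsulate(R, f"{R} hosts {U}", "/att/my-company", legit)),
        "B_forged": validate_design_b(encapsulate(R, f"{R} hosts /eve", "/eve", other)),
    }
```

`demo()` returns `A_forged` as True and `B_forged` as False: under Design A the router has no way to tell the two packets apart, under Design B the missing att-side signature rejects the injected one.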