Feature #3161
Updated by Junxiao Shi about 9 years ago
Logically partition the ContentStore by the Link object used to retrieve Data packets.

**Necessity**

Forwarding with Link leads to concerns about cache poisoning. For example, Eve may express an Interest ndn:/victim/index.html with Link [{10,ndn:/eve2}], and set up a producer at ndn:/eve2 network to return fake Data for ndn:/victim/index.html. NFD does not validate signatures on this Data because it lacks the trust model to do so, and will admit this Data into the ContentStore. After that, Interests for ndn:/victim/index.html will match the cached Data, even if it has no Link object, or the Link object points to a different routable prefix.

**Solution**

The ContentStore should be logically partitioned according to the Link object. A cached Data is stored along with the Link object used to retrieve it; this applies to consumer region and Internet, but not within producer region where Link delegations are ignored. An incoming Interest with a Link object can be satisfied by a cached Data if the cached Data has no Link object or has the same Link object.

This solution reduces cache poisoning to be no worse than a network without Link objects, because each Link object has its own logical ContentStore, so that Eve's fake Data cannot affect Interests without Eve's Link object. The cost of this solution is that the same Data may be stored multiple times with different Link objects, but this can happen only during an attack with Eve's Link object, or when the producer has published multiple Link objects.

This issue includes:

* CS index: logically partition the index by Link object
* CS insert: accept "Link object used for Data retrieval" as a parameter
* CS lookup: if Interest has Link object, match a Data only if it has no Link object or has the same Link object; special case: if Interest Name ends with an implicit digest, it can match any Data that satisfies the implicit digest object

NFD Developer Guide should be updated as part of this issue.

Changes in forwarding are necessary to pass a Link object to CS insert procedure, but they are not part of this issue.
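
The insert and lookup rules listed above, sketched as an added example that is not NFD code or part of the original issue. All type and function names are hypothetical, a Link object is modelled as a string (empty meaning none), names are matched exactly, and the digest values are constructed stand-ins; treating an Interest without a Link object as matching only Data cached without one is this example's reading of the issue.

```cpp
#include <map>
#include <string>
#include <utility>

// Toy model of a Link-partitioned ContentStore; every name is hypothetical, not NFD's API.
typedef std::string Link;  // encoded Link object; empty string means "no Link object"
const Link NO_LINK = "";

struct Data { std::string name, content, digest; };  // digest: stand-in for implicit digest
struct Interest {
  std::string name;
  Link link;                   // NO_LINK when the Interest carries no Link object
  std::string implicitDigest;  // non-empty when the name ends with an implicit digest
};

class PartitionedCs {
  typedef std::map<std::pair<std::string, Link>, Data> Index;
  Index m_index;  // CS index keyed by (name, Link used for retrieval)
public:
  // CS insert: the Link object used for Data retrieval selects the partition.
  void insert(const Data& data, const Link& usedLink) {
    m_index[std::make_pair(data.name, usedLink)] = data;
  }

  // CS lookup; returns nullptr on a miss.
  const Data* find(const Interest& i) const {
    if (!i.implicitDigest.empty()) {
      // Special case: any partition may answer if the implicit digest is satisfied.
      for (Index::const_iterator it = m_index.lower_bound(std::make_pair(i.name, NO_LINK));
           it != m_index.end() && it->first.first == i.name; ++it)
        if (it->second.digest == i.implicitDigest) return &it->second;
      return nullptr;
    }
    // Data cached without a Link object is tried first (ordering is this example's choice).
    Index::const_iterator it = m_index.find(std::make_pair(i.name, NO_LINK));
    if (it == m_index.end() && !i.link.empty())
      it = m_index.find(std::make_pair(i.name, i.link));  // only the same Link's partition
    return it == m_index.end() ? nullptr : &it->second;
  }
};

int main() {
  PartitionedCs cs;
  Data fake = {"ndn:/victim/index.html", "fake", "digest-fake"};  // constructed sample
  cs.insert(fake, "10,ndn:/eve2");                                // retrieved via Eve's Link
  Interest plain = {"ndn:/victim/index.html", NO_LINK, ""};
  Interest eve = {"ndn:/victim/index.html", "10,ndn:/eve2", ""};
  return (cs.find(plain) == nullptr && cs.find(eve) != nullptr) ? 0 : 1;
}
```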