NDN Certification Framework (ndncert)¶

Prerequisites:¶

• ndn-cxx, NFD

  sudo apt-get install ndn-cxx ndn-cxx-dev nfd
  

• repo-ng with proper config

  Repo will hold/serve issued certificates for the site:

  sudo apt-get install repo-ng
  

  Make sure that repo's config (/etc/ndn/repo-ng.conf) looks like the following (only repo.data needs to be changed, the rest should be the same).

  repo
  {
    data
    {
      prefix "ndn:/ndn/edu/ucla/KEY"
      ; prefix "ndn:/ndn/<site-name>/KEY"
    }
  
    command
    {
      prefix "ndn:/localhost/repo-ng"
    }
  
    storage
    {
      method "sqlite"             ; Currently, only sqlite storage engine is supported
      path "/var/lib/ndn/repo-ng"  ; path to repo-ng storage folder
      max-packets 1000000
    }
  
    tcp_bulk_insert {
      host "localhost"  ; Set to listen on different IP address or hostname
      port 7376  ; Set to listen on different port number
    }
  
    validator
    {
      trust-anchor {
          type any
      }
    }
  }
  

  Restart repo-ng after making changes to config file (or the system)

  sudo restart repo-ng
  

• Installed custom fork of PyNDN2 (! using python 2.7)

  git clone https://github.com/cawka/PyNDN2
  cd PyNDN2
  sudo python setup.py install
  

• ndnop-process-requests script installed somewhere in security operator's PATH

  sudo curl -L https://raw.githubusercontent.com/named-data/ndncert/master/ndnop-process-requests > /usr/local/bin/ndnop-process-requests
  sudo chmod +x /usr/local/bin/ndnop-process-requests
  

Certificate generation¶

"Ideally", the procedure has to be done by the designated security operator himself.
Performing this procedure on testbed hub is just a "convenience" for the time being and at all signing "ideally" should be performed elsewhere.

NOTE: The following commands must be performed under a designated ndncert user.
If ssh logic is different, sudo su - ndncert must be used to switch to the account (! not just sudo ndncert).

1. Generate key pair and certification request:

   ndnsec-keygen /ndn/edu/<name>
   

   <name> is sometime like: wustl, colostate, umich, ...

   The output of this command is certification request. If signing request needs to be recreated for the existing identity (one from the ndnsec-ls-identity list), the following command can be used:

   ndnsec-sign-req /ndn/edu/<name>
   

   Singing request should be sent to NDN trust root (Alex Afanasyev right now).

2. Root operator will return signed certificate (e.g., umich.ndncert). Do the following with the file:

   ndnsec-install-cert <received-file>
   

Security operator actions¶

When a user requests a certificate the operator gets an email alerting them and instructing them to run ndnop-process-requests on their node.
Operator just need to ssh to the node, sudo su - ndncert, and issue

ndnop-process-requests

If there are pending requests, the script will guide the process to accept/reject.
When accepted, the certificate will be created, published to local repo (using tcp-bulk-insert protocol---make sure that repo-ng is running before ndnop-process-requests is run), and uploaded to WEB system for the user to download it.