Prefix Insertion Support in dv

dv/config/config.go

@@ -17,6 +17,7 @@ const CostPfxInfinity = uint64(0xFFFFFFFF)
 
 // NlsrOrigin is the origin to use for local registration.
 const NlsrOrigin = uint64(mgmt.RouteOriginNLSR)
+const PrefixInjOrigin = uint64(mgmt.RouteOriginPrefixInj)
 
 var MulticastStrategy = enc.LOCALHOST.
 	Append(enc.NewGenericComponent("nfd")).
@@ -39,6 +40,12 @@ type Config struct {
 	KeyChainUri string `json:"keychain"`
 	// List of trust anchor full names.
 	TrustAnchors []string `json:"trust_anchors"`
+	// Path to trust schema for prefix injection.
+	PrefixInjectionSchemaPath string `json:"prefix_injection_schema"`
+	// URI specifying KeyChain location for prefix injection verifier.
+	PrefixInjectionKeychainUri string `json:"prefix_injection_keychain"`
+	// List of trust anchor full names for prefix injection.
+	PrefixInjectionTrustAnchors []string `json:"prefix_injection_trust_anchors"`
 	// List of permanent neighbors.
 	Neighbors []Neighbor `json:"neighbors"`
 
@@ -60,6 +67,8 @@ type Config struct {
 	mgmtPrefix enc.Name
 	// Trust anchor names
 	trustAnchorsN []enc.Name
+	// Prefix Injection trust anchor names
+	prefixInjectionTrustAnchorsN []enc.Name
 }
 
 type Neighbor struct {
@@ -81,6 +90,8 @@ func DefaultConfig() *Config {
 		AdvertisementSyncInterval_ms: 5000,
 		RouterDeadInterval_ms:        30000,
 		KeyChainUri:                  "undefined",
+		PrefixInjectionSchemaPath:    "deny",
+		PrefixInjectionKeychainUri:   "undefined",
 	}
 }
 
@@ -136,6 +147,15 @@ func (c *Config) Parse() (err error) {
 		c.trustAnchorsN = append(c.trustAnchorsN, name)
 	}
 
+	c.prefixInjectionTrustAnchorsN = make([]enc.Name, 0, len(c.PrefixInjectionTrustAnchors))
+	for _, anchor := range c.PrefixInjectionTrustAnchors {
+		name, err := enc.NameFromStr(anchor)
+		if err != nil {
+			return err
+		}
+		c.prefixInjectionTrustAnchorsN = append(c.prefixInjectionTrustAnchorsN, name)
+	}
+
 	// Advertisement sync and data prefixes
 	c.advSyncPfxN = enc.LOCALHOP.
 		Append(c.networkNameN...).
@@ -206,6 +226,10 @@ func (c *Config) TrustAnchorNames() []enc.Name {
 	return c.trustAnchorsN
 }
 
+func (c *Config) PrefixInjectionTrustAnchorNames() []enc.Name {
+	return c.prefixInjectionTrustAnchorsN
+}
+
 func (c *Config) SchemaBytes() []byte {
 	return SchemaBytes
 }

dv/dv.sample.yml

@@ -12,6 +12,17 @@ dv:
   trust_anchors:
     - "/ndn/KEY/%27%C4%B2%2A%9F%7B%81%27/ndn/v=1651246789556"
 
+  # [optional] Trust schema for prefix injection
+  # - If "insecure" is specified, security is disabled
+  # - If "deny" is specified, the prefix injection handler will be turned off
+  # - Example: /absolute/path/to/schema.tlv
+  prefix_injection_schema: "insecure"
+  # [optional] Keychain URI for prefix injection
+  prefix_injection_keychain: "insecure"
+  # [optional] List of full names of all prefix injection trust anchors
+  # - There should be at least one trust anchor if the schema is not "insecure" or "deny"
+  prefix_injection_trust_anchors: []
+
   # [optional] List of permanent neighbors
   # Example with all options:
   #   - uri: udp4://suns.cs.ucla.edu:6363   # required

dv/dv/injection.go

@@ -0,0 +1,231 @@
+package dv
+
+import (
+	"time"
+
+	"github.com/named-data/ndnd/dv/config"
+	"github.com/named-data/ndnd/dv/nfdc"
+	"github.com/named-data/ndnd/dv/tlv"
+	enc "github.com/named-data/ndnd/std/encoding"
+	"github.com/named-data/ndnd/std/log"
+	"github.com/named-data/ndnd/std/ndn"
+	mgmt "github.com/named-data/ndnd/std/ndn/mgmt_2022"
+	spec "github.com/named-data/ndnd/std/ndn/spec_2022"
+	sig "github.com/named-data/ndnd/std/security/signer"
+	"github.com/named-data/ndnd/std/types/optional"
+)
+
+func (dv *Router) onInjection(args ndn.InterestHandlerArgs) {
+	resError := &mgmt.ControlResponse{
+		Val: &mgmt.ControlResponseVal{
+			StatusCode: 400,
+			StatusText: "Failed to execute prefix injection",
+			Params:     nil,
+		},
+	}
+
+	reply := func(res *mgmt.ControlResponse) {
+		signer := sig.NewSha256Signer()
+		data, err := dv.engine.Spec().MakeData(
+			args.Interest.Name(),
+			&ndn.DataConfig{
+				ContentType: optional.Some(ndn.ContentTypeBlob),
+				Freshness:   optional.Some(1 * time.Second),
+			},
+			res.Encode(),
+			signer)
+		if err != nil {
+			log.Warn(dv, "Failed to make inject response Data", "err", err)
+			return
+		}
+		args.Reply(data.Wire)
+	}
+
+	// If there is no incoming face ID, we can't use this
+	if !args.IncomingFaceId.IsSet() {
+		log.Warn(dv, "Received Prefix Injection with no incoming face ID, ignoring")
+		reply(resError)
+		return
+	}
+
+	// Check if app param is present
+	if args.Interest.AppParam() == nil {
+		log.Warn(dv, "Received Prefix Injection with no AppParam, ignoring")
+		reply(resError)
+		return
+	}
+
+	paParams, err := tlv.ParsePrefixInjection(enc.NewWireView(args.Interest.AppParam()), true)
+	if err != nil {
+		log.Warn(dv, "Failed to parse Prefix Injection AppParam", "err", err)
+		reply(resError)
+		return
+	}
+
+	// Decode Prefix Injection Object
+	dCtx := spec.DataParsingContext{}
+	dCtx.Init()
+	data, err := dCtx.Parse(enc.NewBufferView(paParams.ObjectWire), true)
+	if err != nil {
+		log.Warn(dv, "Failed to parse Prefix Injection inner data", "err", err)
+		reply(resError)
+		return
+	}
+	sigCov := dCtx.SigCovered()
+
+	var stapledCertCallbacks []ndn.ExpressCallbackArgs
+	for _, certWire := range paParams.StapledCertificates {
+		data, sigCov, err := spec.Spec{}.ReadData(enc.NewBufferView(certWire))
+		if err != nil {
+			log.Warn(dv, "Stapled malformed certificate", "err", err)
+			reply(resError)
+			return
+		}
+
+		stapledCertCallbacks = append(stapledCertCallbacks,
+			ndn.ExpressCallbackArgs{
+				Result:     ndn.InterestResultData,
+				Data:       data,
+				RawData:    enc.Wire{certWire},
+				SigCovered: sigCov,
+				IsLocal:    true,
+			})
+	}
+
+	// Validate signature
+	dv.prefixInjectionClient.ValidateExt(ndn.ValidateExtArgs{
+		Data:       data,
+		SigCovered: sigCov,
+		Fetch: optional.Some(func(name enc.Name, config *ndn.InterestConfig, callback ndn.ExpressCallbackFunc) {
+			for _, certCallback := range stapledCertCallbacks {
+				if certCallback.Data.Name().Equal(name) {
+					dv.prefixInjectionClient.Engine().Post(func() {
+						callback(certCallback)
+					})
+					return
+				}
+			}
+
+			config.NextHopId = optional.None[uint64]()
+			dv.prefixInjectionClient.ExpressR(ndn.ExpressRArgs{
+				Name:     name,
+				Config:   config,
+				Retries:  3,
+				Callback: callback,
+				TryStore: dv.prefixInjectionClient.Store(),
+			})
+		}),
+		Callback: func(valid bool, err error) {
+			if !valid || err != nil {
+				log.Warn(dv, "Failed to validate signature", "name", data.Name(), "valid", valid, "err", err)
+				reply(resError)
+				return
+			}
+
+			res := dv.onPrefixInjectionObject(data, args.IncomingFaceId.Unwrap())
+			reply(res)
+		},
+	})
+}
+
+func (dv *Router) onPrefixInjectionObject(object ndn.Data, faceId uint64) *mgmt.ControlResponse {
+	resError := &mgmt.ControlResponse{
+		Val: &mgmt.ControlResponseVal{
+			StatusCode: 400,
+			StatusText: "Failed to execute prefix injection",
+			Params:     nil,
+		},
+	}
+
+	if contentType, set := object.ContentType().Get(); !set || contentType != ndn.ContentTypePrefixInjection {
+		log.Warn(dv, "Prefix Injection Object does not have the correct content type",
+			"contentType", object.ContentType())
+		return resError
+	}
+
+	// TODO: reject already seen injections (using version)
+	var prefix enc.Name
+	found := false
+
+	for i, c := range object.Name() {
+		if c.IsKeyword("inject") {
+			prefix = object.Name().Prefix(i)
+			found = true
+			break
+		}
+	}
+
+	if !found {
+		log.Warn(dv, "Prefix Injection Object name not in correct format", "name", object.Name())
+		return resError
+	}
+
+	piWire := object.Content()
+	params, err := tlv.ParsePrefixInjectionInnerContent(enc.NewWireView(piWire), true)
+	if err != nil {
+		log.Warn(dv, "Failed to parse prefix injection object", "err", err)
+		return resError
+	}
+
+	var shouldRemove bool
+	var cost uint64
+	if params.ExpirationPeriod == 0 {
+		// Remove the RIB entry
+		shouldRemove = true
+		cost = config.CostInfinity
+	} else {
+		// Add or update RIB entry
+		shouldRemove = false
+		cost = params.Cost.GetOr(0)
+		if cost > config.CostInfinity {
+			log.Warn(dv, "Invalid Cost value", "Cost", cost)
+			return resError
+		}
+	}
+
+	if shouldRemove {
+		dv.nfdc.Exec(nfdc.NfdMgmtCmd{
+			Module: "rib",
+			Cmd:    "unregister",
+			Args: &mgmt.ControlArgs{
+				Name:   prefix,
+				FaceId: optional.Some(faceId),
+			},
+			Retries: 3,
+		})
+	} else {
+		dv.nfdc.Exec(nfdc.NfdMgmtCmd{
+			Module: "rib",
+			Cmd:    "register",
+			Args: &mgmt.ControlArgs{
+				Name:   prefix,
+				FaceId: optional.Some(faceId),
+				Origin: optional.Some(config.PrefixInjOrigin),
+				Cost:   optional.Some(cost),
+			},
+			Retries: 3,
+		})
+	}
+
+	dv.mutex.Lock()
+	defer dv.mutex.Unlock()
+
+	if shouldRemove {
+		dv.pfx.Withdraw(prefix, faceId)
+	} else {
+		dv.pfx.Announce(prefix, faceId, cost)
+	}
+
+	return &mgmt.ControlResponse{
+		Val: &mgmt.ControlResponseVal{
+			StatusCode: 200,
+			StatusText: "Prefix Injection command successful",
+			Params: &mgmt.ControlArgs{
+				Name:   prefix,
+				FaceId: optional.Some(faceId),
+				Origin: optional.Some(config.PrefixInjOrigin),
+				Cost:   optional.Some(cost),
+			},
+		},
+	}
+}