blob: a517020f8fb525926777a40e97d4b298cda0e8ba [file] [log] [blame]
Alexander Afanasyev8e986f82016-03-21 14:19:15 -07001; The general section contains settings of nfd process.
2general
3{
4 ; Specify a user and/or group for NFD to drop privileges to
5 ; when not performing privileged tasks. NFD does not drop
6 ; privileges by default.
7
8 ; user ndn-user
9 ; group ndn-user
10}
11
12log
13{
14 ; default_level specifies the logging level for modules
15 ; that are not explicitly named. All debugging levels
16 ; listed above the selected value are enabled.
17 ;
18 ; Valid values:
19 ;
20 ; NONE ; no messages
21 ; ERROR ; error messages
22 ; WARN ; warning messages
23 ; INFO ; informational messages (default)
24 ; DEBUG ; debugging messages
25 ; TRACE ; trace messages (most verbose)
26 ; ALL ; all messages
27
28 default_level INFO
29
30 ; You may override default_level by assigning a logging level
31 ; to the desired module name. Module names can be found in two ways:
32 ;
33 ; Run:
34 ; nfd --modules
35 ;
36 ; Or look for NFD_LOG_INIT(<module name>) statements in .cpp files
37 ;
38 ; Example module-level settings:
39 ;
40 ; FibManager DEBUG
41 ; Forwarder INFO
42}
43
44; The tables section configures the CS, PIT, FIB, Strategy Choice, and Measurements
45tables
46{
47
48 ; ContentStore size limit in number of packets
49 ; default is 65536, about 500MB with 8KB packet size
50 cs_max_packets 65536
51
52 ; Set the forwarding strategy for the specified prefixes:
53 ; <prefix> <strategy>
54 strategy_choice
55 {
56 / /localhost/nfd/strategy/best-route
57 /localhost /localhost/nfd/strategy/multicast
58 /localhost/nfd /localhost/nfd/strategy/best-route
59 /ndn/broadcast /localhost/nfd/strategy/multicast
60 }
61
62 ; Declare network region names
63 ; These are used for mobility support. An Interest carrying a Link object is
64 ; assumed to have reached the producer region if any delegation name in the
65 ; Link object is a prefix of any region name.
66 network_region
67 {
68 ; /example/region1
69 ; /example/region2
70 }
71}
72
73; The face_system section defines what faces and channels are created.
74face_system
75{
76 ; The unix section contains settings of Unix stream faces and channels.
77 ; Unix channel is always listening; delete unix section to disable
78 ; Unix stream faces and channels.
79 ;
80 ; The ndn-cxx library expects unix:///var/run/nfd.sock
81 ; to be used as the default transport option. Please change
82 ; the "transport" field in client.conf to an appropriate tcp4 FaceUri
83 ; if you need to disable unix sockets.
84 unix
85 {
86 path /tmp/nfd.sock ; Unix stream listener path
87 }
88
89 ; The tcp section contains settings of TCP faces and channels.
90 tcp
91 {
92 listen yes ; set to 'no' to disable TCP listener, default 'yes'
93 port 6363 ; TCP listener port number
94 enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
95 enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
96 }
97
98 ; The udp section contains settings of UDP faces and channels.
99 ; UDP channel is always listening; delete udp section to disable UDP
100 udp
101 {
102 port 6363 ; UDP unicast port number
103 enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
104 enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
105
106 ; idle time (seconds) before closing a UDP unicast face, the actual timeout would be
107 ; anywhere within [idle_timeout, 2*idle_timeout), default is 600
108 idle_timeout 600
109
110 keep_alive_interval 25; interval (seconds) between keep-alive refreshes
111
112 ; UDP multicast settings
113 ; NFD creates one UDP multicast face per NIC
114 ;
115 ; In multi-homed Linux machines these settings will NOT work without
116 ; root or settings the appropriate permissions:
117 ;
118 ; sudo setcap cap_net_raw=eip /full/path/nfd
119 ;
120 mcast yes ; set to 'no' to disable UDP multicast, default 'yes'
121 mcast_port 56363 ; UDP multicast port number
122 mcast_group 224.0.23.170 ; UDP multicast group (IPv4 only)
123 }
124
125 ; The ether section contains settings of Ethernet faces and channels.
126 ; These settings will NOT work without root or setting the appropriate
127 ; permissions:
128 ;
129 ; sudo setcap cap_net_raw,cap_net_admin=eip /full/path/nfd
130 ;
131 ; You may need to install a package to use setcap:
132 ;
133 ; **Ubuntu:**
134 ;
135 ; sudo apt-get install libcap2-bin
136 ;
137 ; **Mac OS X:**
138 ;
139 ; curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
140 ; tar zxvf ChmodBPF.tar.gz
141 ; open ChmodBPF/Install\ ChmodBPF.app
142 ;
143 ; or manually:
144 ;
145 ; sudo chgrp admin /dev/bpf*
146 ; sudo chmod g+rw /dev/bpf*
147
148 ; ether
149 ; {
150 ; ; Ethernet multicast settings
151 ; ; NFD creates one Ethernet multicast face per NIC
152 ;
153 ; mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes'
154 ; mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group
155 ; }
156
157 ; The websocket section contains settings of WebSocket faces and channels.
158
159 websocket
160 {
161 listen yes ; set to 'no' to disable WebSocket listener, default 'yes'
162 port 9696 ; WebSocket listener port number
163 enable_v4 yes ; set to 'no' to disable listening on IPv4 socket, default 'yes'
164 enable_v6 yes ; set to 'no' to disable listening on IPv6 socket, default 'yes'
165 }
166}
167
168; The authorizations section grants privileges to authorized keys.
169authorizations
170{
171 ; An authorize section grants privileges to a NDN certificate.
172 authorize
173 {
174 ; If you do not already have NDN certificate, you can generate
175 ; one with the following commands.
176 ;
177 ; 1. Generate and install a self-signed identity certificate:
178 ;
179 ; ndnsec-keygen /`whoami` | ndnsec-install-cert -
180 ;
181 ; Note that the argument to ndnsec-key will be the identity name of the
182 ; new key (in this case, /your-username). Identities are hierarchical NDN
183 ; names and may have multiple components (e.g. `/ndn/ucla/edu/alice`).
184 ; You may create additional keys and identities as you see fit.
185 ;
186 ; 2. Dump the NDN certificate to a file:
187 ;
188 ; sudo mkdir -p /Users/cawka/Devel/ndn/NFD-Control-Center/build/deps/etc/ndn/keys/
189 ; ndnsec-cert-dump -i /`whoami` > default.ndncert
190 ; sudo mv default.ndncert /Users/cawka/Devel/ndn/NFD-Control-Center/build/deps/etc/ndn/keys/default.ndncert
191 ;
192 ; The "certfile" field below specifies the default key directory for
193 ; your machine. You may move your newly created key to the location it
194 ; specifies or path.
195
196 ; certfile keys/default.ndncert ; NDN identity certificate file
197 certfile any ; "any" authorizes command interests signed under any certificate,
198 ; i.e., no actual validation.
199 privileges ; set of privileges granted to this identity
200 {
201 faces
202 fib
203 strategy-choice
204 }
205 }
206
207 ; You may have multiple authorize sections that specify additional
208 ; certificates and their privileges.
209
210 ; authorize
211 ; {
212 ; certfile keys/this_cert_does_not_exist.ndncert
213 ; authorize
214 ; privileges
215 ; {
216 ; faces
217 ; }
218 ; }
219}
220
221rib
222{
223 ; The following localhost_security allows anyone to register routing entries in local RIB
224 localhost_security
225 {
226 trust-anchor
227 {
228 type any
229 }
230 }
231
232 ; localhop_security should be enabled when NFD runs on a hub.
233 ; "/localhop/nfd/fib" command prefix will be disabled when localhop_security section is missing.
234 ; localhop_security
235 ; {
236 ; ; This section defines the trust model for NFD RIB Management. It consists of rules and
237 ; ; trust-anchors, which are briefly defined in this file. For more information refer to
238 ; ; manpage of ndn-validator.conf:
239 ; ;
240 ; ; man ndn-validator.conf
241 ; ;
242 ; ; A trust-anchor is a pre-trusted certificate. This can be any certificate that is the
243 ; ; root of certification chain (e.g., NDN testbed root certificate) or an existing
244 ; ; default system certificate `default.ndncert`.
245 ; ;
246 ; ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the
247 ; ; rules defined here. A rule can be broken into two parts: matching & checking. A packet
248 ; ; will be matched against rules from the first to the last until a matched rule is
249 ; ; encountered. The matched rule will be used to check the packet. If a packet does not
250 ; ; match any rule, it will be treated as invalid. The matching part of a rule consists
251 ; ; of `for` and `filter` sections. They collectively define which packets can be checked
252 ; ; with this rule. `for` defines packet type (data or interest) and `filter` defines
253 ; ; conditions on other properties of a packet. Right now, you can only define conditions
254 ; ; on packet name, and you can only specify ONLY ONE filter for packet name. The
255 ; ; checking part of a rule consists of `checker`, which defines the conditions that a
256 ; ; VALID packet MUST have. See comments in checker section for more details.
257 ;
258 ; rule
259 ; {
260 ; id "NRD Prefix Registration Command Rule"
261 ; for interest ; rule for Interests (to validate CommandInterests)
262 ; filter
263 ; {
264 ; type name ; condition on interest name (w/o signature)
265 ; regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<>$ ; prefix before
266 ; ; timestamp
267 ; }
268 ; checker
269 ; {
270 ; type customized
271 ; sig-type rsa-sha256 ; interest must have a rsa-sha256 signature
272 ; key-locator
273 ; {
274 ; type name ; key locator must be the certificate name of the
275 ; ; signing key
276 ; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$
277 ; }
278 ; }
279 ; }
280 ; rule
281 ; {
282 ; id "NDN Testbed Hierarchy Rule"
283 ; for data ; rule for Data (to validate NDN certificates)
284 ; filter
285 ; {
286 ; type name ; condition on data name
287 ; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$
288 ; }
289 ; checker
290 ; {
291 ; type hierarchical ; the certificate name of the signing key and
292 ; ; the data name must follow the hierarchical model
293 ; sig-type rsa-sha256 ; data must have a rsa-sha256 signature
294 ; }
295 ; }
296 ; trust-anchor
297 ; {
298 ; type file
299 ; file-name keys/default.ndncert ; the file name, by default this file should be placed in the
300 ; ; same folder as this config file.
301 ; }
302 ; ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors
303 ; ; {
304 ; ; type file
305 ; ; file-name keys/ndn-testbed.ndncert
306 ; ; }
307 ; }
308
309 ; The following localhop_security should be enabled when NFD runs on a hub,
310 ; which accepts all remote registrations and is a short-term solution.
311 ; localhop_security
312 ; {
313 ; trust-anchor
314 ; {
315 ; type any
316 ; }
317 ; }
318
319 auto_prefix_propagate
320 {
321 cost 15 ; forwarding cost of prefix registered on remote router
322 timeout 10000 ; timeout (in milliseconds) of prefix registration command for propagation
323
324 refresh_interval 300 ; interval (in seconds) before refreshing the propagation
325 ; This setting should be less than face_system.udp.idle_time,
326 ; so that the face is kept alive on the remote router.
327
328 base_retry_wait 50 ; base wait time (in seconds) before retrying propagation
329 max_retry_wait 3600 ; maximum wait time (in seconds) before retrying propagation
330 ; for consequent retries, the wait time before each retry is calculated based on the back-off
331 ; policy. Initially, the wait time is set to base_retry_wait, then it will be doubled for every
332 ; retry unless beyond the max_retry_wait, in which case max_retry_wait is set as the wait time.
333 }
334}