blob: fa229b42bd9039de526eecd09d90fb7986094ab3 [file] [log] [blame]
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -06001; The general section contains settings of nfd process.
Steve DiBenedetto24b9a642014-04-07 15:45:39 -06002general
3{
4 ; Specify a user and/or group for NFD to drop privileges to
5 ; when not performing privileged tasks. NFD does not drop
6 ; privileges by default.
7
8 ; user ndn-user
9 ; group ndn-user
10}
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -060011
Steve DiBenedettobf6a93d2014-03-21 14:03:02 -060012log
13{
14 ; default_level specifies the logging level for modules
15 ; that are not explicitly named. All debugging levels
16 ; listed above the selected value are enabled.
17 ;
18 ; Valid values:
19 ;
20 ; NONE ; no messages
21 ; ERROR ; error messages
22 ; WARN ; warning messages
23 ; INFO ; informational messages (default)
24 ; DEBUG ; debugging messages
25 ; TRACE ; trace messages (most verbose)
26 ; ALL ; all messages
27
Alexander Afanasyev885a85b2014-04-12 21:01:13 -070028 default_level INFO
Steve DiBenedettobf6a93d2014-03-21 14:03:02 -060029
30 ; You may override default_level by assigning a logging level
31 ; to the desired module name. Module names can be found in two ways:
32 ;
33 ; Run:
34 ; nfd --modules
35 ;
36 ; Or look for NFD_LOG_INIT(<module name>) statements in .cpp files
37 ;
38 ; Example module-level settings:
39 ;
40 ; FibManager DEBUG
41 ; Forwarder INFO
42}
43
Steve DiBenedetto3a4f83d2014-06-02 14:58:54 -060044; The tables section configures the CS, PIT, FIB, Strategy Choice, and Measurements
45tables
46{
47
48 ; ContentStore size limit in number of packets
49 ; default is 65536, about 500MB with 8KB packet size
50 cs_max_packets 65536
Steve DiBenedettoc0640f52014-11-03 15:55:43 -070051
52 ; Set the forwarding strategy for the specified prefixes:
53 ; <prefix> <strategy>
54 strategy_choice
55 {
56 / /localhost/nfd/strategy/best-route
57 /localhost /localhost/nfd/strategy/broadcast
58 /localhost/nfd /localhost/nfd/strategy/best-route
59 /ndn/broadcast /localhost/nfd/strategy/broadcast
60 }
Steve DiBenedetto3a4f83d2014-06-02 14:58:54 -060061}
62
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -060063; The face_system section defines what faces and channels are created.
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -060064face_system
65{
Steve DiBenedettodbcb1a12014-11-17 11:04:21 -070066 ; The unix section contains settings of Unix stream faces and channels.
67 ; Unix channel is always listening; delete unix section to disable
68 ; Unix stream faces and channels.
Steve DiBenedetto158f73f2014-12-22 14:46:12 -070069 ;
70 ; The ndn-cxx library expects unix:///var/run/nfd.sock
71 ; to be used as the default transport option. Please change
72 ; the "transport" field in client.conf to an appropriate tcp4 FaceUri
73 ; if you need to disable unix sockets.
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -060074 unix
75 {
Steve DiBenedettodbcb1a12014-11-17 11:04:21 -070076 path /var/run/nfd.sock ; Unix stream listener path
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -060077 }
78
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -060079 ; The tcp section contains settings of TCP faces and channels.
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -060080 tcp
81 {
82 listen yes ; set to 'no' to disable TCP listener, default 'yes'
83 port 6363 ; TCP listener port number
Steve DiBenedetto95152872014-04-11 12:40:59 -060084 enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
85 enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -060086 }
87
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -060088 ; The udp section contains settings of UDP faces and channels.
Steve DiBenedetto95152872014-04-11 12:40:59 -060089 ; UDP channel is always listening; delete udp section to disable UDP
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -060090 udp
91 {
92 port 6363 ; UDP unicast port number
Steve DiBenedetto95152872014-04-11 12:40:59 -060093 enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
94 enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
Chengyu Fanaddecff2015-02-10 14:09:01 -070095
96 ; idle time (seconds) before closing a UDP unicast face, the actual timeout would be
97 ; anywhere within [idle_timeout, 2*idle_timeout), default is 600
98 idle_timeout 600
99
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -0600100 keep_alive_interval 25; interval (seconds) between keep-alive refreshes
101
Alexander Afanasyev885a85b2014-04-12 21:01:13 -0700102 ; UDP multicast settings
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -0600103 ; NFD creates one UDP multicast face per NIC
Giulio Grassi6d7176d2014-04-16 16:08:48 +0200104 ;
105 ; In multi-homed Linux machines these settings will NOT work without
106 ; root or settings the appropriate permissions:
107 ;
108 ; sudo setcap cap_net_raw=eip /full/path/nfd
109 ;
Alexander Afanasyev885a85b2014-04-12 21:01:13 -0700110 mcast yes ; set to 'no' to disable UDP multicast, default 'yes'
111 mcast_port 56363 ; UDP multicast port number
112 mcast_group 224.0.23.170 ; UDP multicast group (IPv4 only)
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -0600113 }
114
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -0600115 ; The ether section contains settings of Ethernet faces and channels.
116 ; These settings will NOT work without root or setting the appropriate
117 ; permissions:
118 ;
119 ; sudo setcap cap_net_raw,cap_net_admin=eip /full/path/nfd
120 ;
121 ; You may need to install a package to use setcap:
122 ;
123 ; **Ubuntu:**
124 ;
125 ; sudo apt-get install libcap2-bin
126 ;
127 ; **Mac OS X:**
128 ;
129 ; curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
130 ; tar zxvf ChmodBPF.tar.gz
131 ; open ChmodBPF/Install\ ChmodBPF.app
132 ;
133 ; or manually:
134 ;
135 ; sudo chgrp admin /dev/bpf*
136 ; sudo chmod g+rw /dev/bpf*
137
Alexander Afanasyev885a85b2014-04-12 21:01:13 -0700138 @IF_HAVE_LIBPCAP@ether
139 @IF_HAVE_LIBPCAP@{
140 @IF_HAVE_LIBPCAP@ ; Ethernet multicast settings
141 @IF_HAVE_LIBPCAP@ ; NFD creates one Ethernet multicast face per NIC
142 @IF_HAVE_LIBPCAP@
143 @IF_HAVE_LIBPCAP@ mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes'
144 @IF_HAVE_LIBPCAP@ mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group
145 @IF_HAVE_LIBPCAP@}
Wentao Shang53df1632014-04-21 12:01:32 -0700146
147 ; The websocket section contains settings of WebSocket faces and channels.
148
149 @IF_HAVE_WEBSOCKET@websocket
150 @IF_HAVE_WEBSOCKET@{
151 @IF_HAVE_WEBSOCKET@ listen yes ; set to 'no' to disable WebSocket listener, default 'yes'
152 @IF_HAVE_WEBSOCKET@ port 9696 ; WebSocket listener port number
153 @IF_HAVE_WEBSOCKET@ enable_v4 yes ; set to 'no' to disable listening on IPv4 socket, default 'yes'
154 @IF_HAVE_WEBSOCKET@ enable_v6 yes ; set to 'no' to disable listening on IPv6 socket, default 'yes'
155 @IF_HAVE_WEBSOCKET@}
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -0600156}
157
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -0600158; The authorizations section grants privileges to authorized keys.
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -0600159authorizations
160{
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -0600161 ; An authorize section grants privileges to a NDN certificate.
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -0600162 authorize
163 {
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -0600164 ; If you do not already have NDN certificate, you can generate
165 ; one with the following commands.
166 ;
167 ; 1. Generate and install a self-signed identity certificate:
168 ;
169 ; ndnsec-keygen /`whoami` | ndnsec-install-cert -
170 ;
171 ; Note that the argument to ndnsec-key will be the identity name of the
172 ; new key (in this case, /your-username). Identities are hierarchical NDN
173 ; names and may have multiple components (e.g. `/ndn/ucla/edu/alice`).
174 ; You may create additional keys and identities as you see fit.
175 ;
176 ; 2. Dump the NDN certificate to a file:
177 ;
178 ; sudo mkdir -p @SYSCONFDIR@/ndn/keys/
179 ; ndnsec-cert-dump -i /`whoami` > default.ndncert
180 ; sudo mv default.ndncert @SYSCONFDIR@/ndn/keys/default.ndncert
181 ;
182 ; The "certfile" field below specifies the default key directory for
183 ; your machine. You may move your newly created key to the location it
184 ; specifies or path.
185
Yingdi Yuc8f214c2014-04-29 20:39:37 -0700186 ; certfile keys/default.ndncert ; NDN identity certificate file
187 certfile any ; "any" authorizes command interests signed under any certificate,
188 ; i.e., no actual validation.
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -0600189 privileges ; set of privileges granted to this identity
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -0600190 {
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -0600191 faces
192 fib
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -0600193 strategy-choice
194 }
195 }
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -0600196
197 ; You may have multiple authorize sections that specify additional
198 ; certificates and their privileges.
199
Alexander Afanasyev885a85b2014-04-12 21:01:13 -0700200 ; authorize
201 ; {
202 ; certfile keys/this_cert_does_not_exist.ndncert
203 ; authorize
204 ; privileges
205 ; {
206 ; faces
207 ; }
208 ; }
Steve DiBenedetto84da5bf2014-03-11 14:51:29 -0600209}
Alexander Afanasyev89cf5e02014-04-17 12:08:57 -0700210
Yingdi Yue5224e92014-04-29 18:04:02 -0700211rib
Alexander Afanasyev89cf5e02014-04-17 12:08:57 -0700212{
Yingdi Yue5224e92014-04-29 18:04:02 -0700213 ; The following localhost_security allows anyone to register routing entries in local RIB
214 localhost_security
215 {
216 trust-anchor
217 {
218 type any
219 }
220 }
Alexander Afanasyev89cf5e02014-04-17 12:08:57 -0700221
Yingdi Yue5224e92014-04-29 18:04:02 -0700222 ; localhop_security should be enabled when NFD runs on a hub.
223 ; "/localhop/nfd/fib" command prefix will be disabled when localhop_security section is missing.
224 ; localhop_security
Alexander Afanasyev89cf5e02014-04-17 12:08:57 -0700225 ; {
Yingdi Yue5224e92014-04-29 18:04:02 -0700226 ; ; This section defines the trust model for NFD RIB Management. It consists of rules and
227 ; ; trust-anchors, which are briefly defined in this file. For more information refer to
228 ; ; manpage of ndn-validator.conf:
229 ; ;
230 ; ; man ndn-validator.conf
231 ; ;
232 ; ; A trust-anchor is a pre-trusted certificate. This can be any certificate that is the
233 ; ; root of certification chain (e.g., NDN testbed root certificate) or an existing
234 ; ; default system certificate `default.ndncert`.
235 ; ;
236 ; ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the
237 ; ; rules defined here. A rule can be broken into two parts: matching & checking. A packet
238 ; ; will be matched against rules from the first to the last until a matched rule is
239 ; ; encountered. The matched rule will be used to check the packet. If a packet does not
240 ; ; match any rule, it will be treated as invalid. The matching part of a rule consists
241 ; ; of `for` and `filter` sections. They collectively define which packets can be checked
242 ; ; with this rule. `for` defines packet type (data or interest) and `filter` defines
243 ; ; conditions on other properties of a packet. Right now, you can only define conditions
244 ; ; on packet name, and you can only specify ONLY ONE filter for packet name. The
245 ; ; checking part of a rule consists of `checker`, which defines the conditions that a
246 ; ; VALID packet MUST have. See comments in checker section for more details.
247 ;
248 ; rule
249 ; {
250 ; id "NRD Prefix Registration Command Rule"
251 ; for interest ; rule for Interests (to validate CommandInterests)
252 ; filter
253 ; {
254 ; type name ; condition on interest name (w/o signature)
Yingdi Yu676a55a2014-06-18 21:09:09 -0700255 ; regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<>$ ; prefix before
256 ; ; timestamp
Yingdi Yue5224e92014-04-29 18:04:02 -0700257 ; }
258 ; checker
259 ; {
260 ; type customized
261 ; sig-type rsa-sha256 ; interest must have a rsa-sha256 signature
262 ; key-locator
263 ; {
264 ; type name ; key locator must be the certificate name of the
265 ; ; signing key
266 ; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$
267 ; }
268 ; }
269 ; }
270 ; rule
271 ; {
272 ; id "NDN Testbed Hierarchy Rule"
273 ; for data ; rule for Data (to validate NDN certificates)
274 ; filter
275 ; {
276 ; type name ; condition on data name
277 ; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$
278 ; }
279 ; checker
280 ; {
281 ; type hierarchical ; the certificate name of the signing key and
282 ; ; the data name must follow the hierarchical model
283 ; sig-type rsa-sha256 ; data must have a rsa-sha256 signature
284 ; }
285 ; }
286 ; trust-anchor
287 ; {
288 ; type file
289 ; file-name keys/default.ndncert ; the file name, by default this file should be placed in the
290 ; ; same folder as this config file.
291 ; }
292 ; ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors
293 ; ; {
294 ; ; type file
295 ; ; file-name keys/ndn-testbed.ndncert
296 ; ; }
Alexander Afanasyev89cf5e02014-04-17 12:08:57 -0700297 ; }
Yanbiao Lic17de832014-11-21 17:51:45 -0800298
Yanbiao Lib9d439d2014-12-11 16:12:32 -0800299 ; The following localhop_security should be enabled when NFD runs on a hub,
300 ; which accepts all remote registrations and is a short-term solution.
301 ; localhop_security
302 ; {
303 ; trust-anchor
304 ; {
305 ; type any
306 ; }
307 ; }
308
Yanbiao Lic17de832014-11-21 17:51:45 -0800309 remote_register
310 {
311 cost 15 ; forwarding cost of prefix registered on remote router
312 timeout 10000 ; timeout (in milliseconds) of remote prefix registration command
313 retry 0 ; maximum number of retries for each remote prefix registration command
314
315 refresh_interval 300 ; interval (in seconds) before refreshing the registration
316 ; This setting should be less than face_system.udp.idle_time,
317 ; so that the face is kept alive on the remote router.
318 }
Alexander Afanasyev89cf5e02014-04-17 12:08:57 -0700319}