security: Add signing and validating process
Change-Id: Ic9edfcf56f044821e167d7e49b75a9023b67fbcd
diff --git a/nlsr.conf b/nlsr.conf
index b3eacb6..b3dbd2f 100644
--- a/nlsr.conf
+++ b/nlsr.conf
@@ -45,7 +45,7 @@
face-uri udp://castor.cs.memphis.edu ; face id of the face connected to the neighbor
link-cost 25 ; cost of the connecting link to neighbor
}
-
+
neighbor
{
name /ndn/memphis.edu/cs/mira ; name prefix of the neighbor router consists
@@ -64,7 +64,7 @@
; commands in this section follows a strict order
; the switch is used to set hyperbolic routing calculation in NLSR
- state off ; default value 'off', set value 'on' to enable hyperbolic routing table
+ state off ; default value 'off', set value 'on' to enable hyperbolic routing table
; calculation which turns link state routing 'off'. set value to 'dry-run"
; to test hyperbolic routing and compare with link state routing.
@@ -86,7 +86,7 @@
}
-; the advertising section contains the configuration settings of the name prefixes
+; the advertising section contains the configuration settings of the name prefixes
; hosted by this router
advertising
@@ -95,5 +95,125 @@
; configure one block of ndnname configuration command for every name prefix.
prefix /ndn/edu/memphis/cs/netlab ; name in ndn URI format
- prefix /ndn/edu/memphis/sports/basketball
+ prefix /ndn/edu/memphis/sports/basketball
+}
+
+security
+{
+ validator
+ {
+ rule
+ {
+ id "NSLR Hello Rule"
+ for data
+ filter
+ {
+ type name
+ regex ^[^<nlsr><INFO>]*<nlsr><INFO><><>$
+ }
+ checker
+ {
+ type customized
+ sig-type rsa-sha256
+ key-locator
+ {
+ type name
+ hyper-relation
+ {
+ k-regex ^([^<KEY><NLSR>]*)<NLSR><KEY><ksk-.*><ID-CERT>$
+ k-expand \\1\\2
+ h-relation equal
+ p-regex ^([^<nlsr><INFO>]*)<nlsr><INFO><><>$
+ p-expand \\1
+ }
+ }
+ }
+ }
+
+ rule
+ {
+ id "NSLR LSA Rule"
+ for data
+ filter
+ {
+ type name
+ regex ^[^<nlsr><LSA>]*<nlsr><LSA>
+ }
+ checker
+ {
+ type customized
+ sig-type rsa-sha256
+ key-locator
+ {
+ type name
+ hyper-relation
+ {
+ k-regex ^([^<KEY><NLSR>]*)<NLSR><KEY><ksk-.*><ID-CERT>$
+ k-expand \\1\\2
+ h-relation equal
+ p-regex ^([^<nlsr><LSA>]*)<nlsr><LSA>(<>*)<><>$
+ p-expand \\1\\2
+ }
+ }
+ }
+ }
+
+ rule
+ {
+ id "NSLR Hierarchy Exception Rule"
+ for data
+ filter
+ {
+ type name
+ regex ^[^<KEY><%C1.O.R.>]*<%C1.O.R.><><KEY><ksk-.*><ID-CERT><>$
+ }
+ checker
+ {
+ type customized
+ sig-type rsa-sha256
+ key-locator
+ {
+ type name
+ hyper-relation
+ {
+ k-regex ^([^<KEY><%C1.O.N.>]*)<%C1.O.N.><><KEY><ksk-.*><ID-CERT>$
+ k-expand \\1
+ h-relation equal
+ p-regex ^([^<KEY><%C1.O.R.>]*)<%C1.O.R.><><KEY><ksk-.*><ID-CERT><>$
+ p-expand \\1
+ }
+ }
+ }
+ }
+
+ rule
+ {
+ id "NSLR Hierarchical Rule"
+ for data
+ filter
+ {
+ type name
+ regex ^[^<KEY>]*<KEY><ksk-.*><ID-CERT><>$
+ }
+ checker
+ {
+ type hierarchical
+ sig-type rsa-sha256
+ }
+ }
+
+ trust-anchor
+ {
+ type file
+ file-name "root.cert"
+ }
+ }
+ ; cert-to-publish "root.cert" //optional, a file containing the root certificate. only the router
+ //that is designated to publish root cert needs to specify this
+ ; cert-to-publish "site.cert" //optional, a file containing the root certificate. only the router
+ //that is designated to publish site cert need to specify this
+ ; cert-to-publish "operator.cert" //optional, a file containing the root certificate. only the
+ //router that is designated to publish operator cert need to
+ //specify this
+ ; cert-to-publish "router.cert" //required, a file containing the router certificate.
}
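Review bot: In the "NSLR Hello Rule" and "NSLR LSA Rule" checkers the `k-expand \\1\\2` lines (under the `k-regex ^([^<KEY><NLSR>]*)<NLSR><KEY><ksk-.*><ID-CERT>$` entries) reference a second capture group that the k-regex never defines, while the matching p-expand sides use groups that do exist; with `h-relation equal` this comparison can silently never hold or fail at rule load, depending on how the regex expander treats a missing back-reference, so either change both to `k-expand \\1` or add the intended second group to the k-regex. The trailing cert-to-publish lines mix comment styles: the rest of nlsr.conf introduces comments with `;`, but four continuation lines begin with `//` alone, which the parser may read as keys rather than comments, so each should start with `; ` as well. The comments for site.cert and operator.cert both say "a file containing the root certificate", which looks like a copy-paste slip and should name the site and operator certificate respectively. The rule ids spell the daemon "NSLR" where the file otherwise uses "NLSR"; worth correcting before other configs copy them.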