blob: fcd49dc0deb56f9e70bf8bd07055329ec6b0c314 [file] [log] [blame]
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -07001Validator Configuration File Format
2===================================
3
Yingdi Yu4e99f532014-08-25 19:40:57 -07004.. contents::
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -07005
Yingdi Yu4e99f532014-08-25 19:40:57 -07006You can set up a ``Validator`` via a configuration file. Next, we will show you how to
7write a configuration file.
8
9The configuration file consists of **rules** and **trust-anchors** that will be used in
10validation. **Rules** tell the validator how to validate a packet, while **trust-anchors**
11tell the validator which certificates are valid immediately. Here is an example of
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080012configuration file containing two rules and a trust anchor.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070013
14::
15
16 rule
17 {
18 id "Simple Rule"
19 for data
20 filter
21 {
22 type name
23 name /localhost/example
24 relation is-prefix-of
25 }
26 checker
27 {
28 type customized
29 sig-type rsa-sha256
30 key-locator
31 {
32 type name
Alexander Afanasyevc381bca2017-10-15 14:51:49 -040033 name /ndn/edu/ucla/yingdi/KEY/1234
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070034 relation equal
35 }
36 }
37 }
38 rule
39 {
40 id "Testbed Validation Rule"
41 for data
42 checker
43 {
44 type hierarchical
45 sig-type rsa-sha256
46 }
47 }
48 trust-anchor
49 {
50 type file
51 file-name "testbed-trust-anchor.cert"
52 }
53
Yingdi Yu4e99f532014-08-25 19:40:57 -070054.. note::
55 **ATTENTION: The order of rules MATTERS!**
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070056
57A rule can be broken into two parts:
58
59- The first part is to qualify packets to which the rule can be
60 applied;
61- The second part is to check whether further validation process is
62 necessary.
63
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080064When a packet is presented for validation, the validator will check the rules one-by-one
65in the configuration file using **for** and **filter** conditions against the packet,
66until finding a rule for which the packet qualifies. After that, the **checker**
67conditions of the matched rule will be used to check the validity of the packet. If the
68packet does not match any rules, it is treated as an invalid packet. Once a packet has
69been matched by a rule, the remaining rules are not applied to the packet (i.e., the
70matched rule "captures" the packet). Therefore, you should always put the most specific
71rule first.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070072
Yingdi Yu4e99f532014-08-25 19:40:57 -070073In the example configuration, the first rule indicates that all the data packets under the
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080074name prefix ``/localhost/example`` must be signed by a certificate whose name (the key
Alexander Afanasyevc381bca2017-10-15 14:51:49 -040075part) is ``/ndn/edu/ucla/yingdi/KEY/1234``. If a packet does not have a name under
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080076prefix ``/localhost/example``, the validator will skip the first rule and apply the second
77rule. The second rule indicates that all other data packets must be validated using the
78hierarchical policy (data name should be prefix or equal to the identity part of the
79certificate name). The example configuration defines that all certificate chains must be
80rooted in the certificate defined in the file "testbed-trust-anchor.cert".
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070081
82Rules in general
83----------------
84
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080085A rule has four properties: **id**, **for**, **filter**, and **checker**.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070086
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080087The **id** property uniquely identifies the rule in the configuration file. As long as
Yingdi Yu4e99f532014-08-25 19:40:57 -070088being unique, any name can be given to a rule, e.g., "Simple Rule", "Testbed Validation
89Rule". A rule must have one and only one **id** property.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070090
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080091A rule is either used to validate a data packet or an interest packet. This information
92is specified in the **for** property, which can be either **data** or **interest**. A
93rule must have exactly one **for** property.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070094
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080095The **filter** property further constrains the packets that can be checked by the
96rule. The filter property is not required in a rule; if omitted, the rule will capture all
97packets passed to it. A rule may contain multiple filters, in this case, a packet
98is captured by the rule only if all filters are satisfied.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070099
Yingdi Yu4e99f532014-08-25 19:40:57 -0700100.. note::
101 **ATTENTION: A packet that satisfies all the filters may not be valid**.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700102
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800103The **checker** property defines the conditions that a matched packet must fulfill to be
Zhiyi Zhang044bb7e2016-06-10 00:02:37 -0700104treated as a valid packet. A rule must have at least one **checker** property. A packet is
105treated as valid if it can pass at least one of the checkers and as invalid when it cannot
106pass any checkers.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700107
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700108Filter Property
109---------------
110
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800111Filter has a **type** property and type-specific properties. Although a rule can contain
112more than one filters, there can be at most one filter of each type.
113
114Currently, only the packet name filter is defined.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700115
116Name Filter
117~~~~~~~~~~~
118
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800119There are two ways to express the conditions on packet name:
120
121- relationship between the packet name and the specified name
122- :doc:`NDN regular expression <utils-ndn-regex>` match.
123
124Name and Relation
125^^^^^^^^^^^^^^^^^
126
127In the first case, two more properties are required: **name** and **relation**. A packet
128can fulfill the condition if the **name** has a **relation** to the packet's name. Three
129types of **relation** has been defined: **equal**, **is-prefix-of**,
130**is-strict-prefix-of**. For example, the filter
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700131
132::
133
134 filter
135 {
136 type name
137 name /localhost/example
138 relation equal
139 }
140
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800141will capture only a packet with the exact name ``/localhost/example``.
142
143The filter
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700144
145::
146
147 filter
148 {
149 type name
150 name /localhost/example
151 relation is-prefix-of
152 }
153
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800154will capture a packet with name ``/localhost/example`` or ``/localhost/example/data``, but
155will not capture a packet with name ``/localhost/another_example``. And the filter
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700156
157::
158
159 filter
160 {
161 type name
162 name /localhost/example
163 relation is-strict-prefix-of
164 }
165
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800166will capture a packet with name ``/localhost/example/data``, but will not capture a packet
Yingdi Yu4e99f532014-08-25 19:40:57 -0700167with name ``/localhost/example``.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700168
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800169NDN Regular Expression Match
170^^^^^^^^^^^^^^^^^^^^^^^^^^^^
171
Yingdi Yu4e99f532014-08-25 19:40:57 -0700172The second way is to specify an :doc:`utils-ndn-regex` that can match the packet. In this
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800173case, only one property **regex** is required. For example, the filter
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700174
175::
176
177 filter
178 {
179 type name
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800180 regex ^<>*<KEY><><><>$
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700181 }
182
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800183will capture all certificates.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700184
185Checker Property
186----------------
187
Yingdi Yu4e99f532014-08-25 19:40:57 -0700188Passing all the filters in a rule only indicates that a packet can be checked using the
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800189rule, and it does not necessarily imply that the packet is valid. The validity of a
Yingdi Yu4e99f532014-08-25 19:40:57 -0700190packet is determined by the property **checker**, which defines the conditions that a
191valid packet must fulfill.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700192
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800193Same as **filter**, **checker** has a property **type**. We have defined two types of
194checkers:
195
196- **customized** is a checker that allows customization of the conditions according to specific
197 requirements;
198
199- **hierarchical** is a checker with pre-defined hierarchical trust model.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700200
201Customized Checker
202~~~~~~~~~~~~~~~~~~
203
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800204The customized checker requires two properties: **sig-type**, **key-locator**. Both must
205appear exactly once and are related to the ``SignatureInfo`` of a packet.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700206
207::
208
209 checker
210 {
211 type customized
212 sig-type ...
213 key-locator
214 {
215 ...
216 }
217 }
218
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800219The property **sig-type** specifies the acceptable signature type and can be
220**rsa-sha256**, **ecdsa-sha256** (strong signature types), or **sha256** (weak signature
221type). If sig-type is sha256, **key-locator** is ignored, and the validator will simply
222calculate the digest of a packet and compare it with the one in ``SignatureValue``. If
223sig-type is rsa-sha256 or ecdsa-sha256, you have to further customize the checker with
224**key-locator**.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700225
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800226The property **key-locator** specifies the conditions on ``KeyLocator``. If the
Yingdi Yu4e99f532014-08-25 19:40:57 -0700227**key-locator** property is specified, it requires the existence of the ``KeyLocator``
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800228field in ``SignatureInfo``. **key-locator** property only supports one type: **name**:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700229
230::
231
232 key-locator
233 {
234 type name
235 ...
236 }
237
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800238This key-locator property specifies the conditions on the certificate name of the signing
239key. Since the conditions are about name, they can be specified in the same way as the
240name filter. For example, a checker can be:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700241
242::
243
244 checker
245 {
246 type customized
247 sig-type rsa-sha256
248 key-locator
249 {
250 type name
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400251 name /ndn/edu/ucla/yingdi/KEY/1234
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700252 relation equal
253 }
254 }
255
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800256This checker property requires that the packet must have a ``rsa-sha256`` signature that
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400257can be verified with ``/ndn/edu/ucla/yingdi/KEY/1234`` key.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700258
Yingdi Yu4e99f532014-08-25 19:40:57 -0700259Besides the two ways to express conditions on the ``KeyLocator`` name (name and regex),
260you can further constrain the ``KeyLocator`` name using the information extracted from the
261packet name. This third type of condition is expressed via a property
262**hyper-relation**. The **hyper-relation** property consists of three parts:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700263
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800264- an NDN regular expression that extracts information from the packet name
265- an NDN regular expression that extracts information from the ``KeyLocator`` name
266- relation from the part extracted from the ``KeyLocator`` name to the one extracted from
267 the packet name
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700268
269For example, a checker:
270
271::
272
273 checker
274 {
275 type customized
276 sig-type rsa-sha256
277 key-locator
278 {
279 type name
280 hyper-relation
281 {
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800282 k-regex ^(<>*)<KEY><>$
283 k-expand \\1
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700284 h-relation is-prefix-of
285 p-regex ^(<>*)$
286 p-expand \\1
287
288 }
289 }
290 }
291
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800292requires the packet name must be under the corresponding namespace (identity part) of the
293``KeyLocator`` name.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700294
295Hierarchical Checker
296~~~~~~~~~~~~~~~~~~~~
297
Yingdi Yu4e99f532014-08-25 19:40:57 -0700298As implied by its name, hierarchical checker requires that the packet name must be under
299the namespace of the packet signer. A hierarchical checker:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700300
301::
302
303 checker
304 {
305 type hierarchical
306 sig-type rsa-sha256
307 }
308
309is equivalent to a customized checker:
310
311::
312
313 checker
314 {
315 type customized
316 sig-type rsa-sha256
317 key-locator
318 {
319 type name
320 hyper-relation
321 {
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800322 k-regex ^(<>*)<KEY><>$
323 k-expand \\1
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700324 h-relation is-prefix-of
325 p-regex ^(<>*)$
326 p-expand \\1
327 }
328 }
329 }
330
Alexander Afanasyevd36dd552014-06-30 12:42:46 -0700331.. _validator-conf-trust-anchors:
332
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700333Trust Anchors
334-------------
335
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800336**trust-anchor** is a necessary option in order to properly validate packets. A
337configuration file may contain more than one trust anchors and the order of trust anchors
338does not matter. The structure of trust-anchor is as follows:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700339
340::
341
342 trust-anchor
343 {
344 type file
345 file-name "trusted-signer.cert"
346 }
347 trust-anchor
348 {
349 type base64
350 base64-string "Bv0DGwdG...amHFvHIMDw=="
351 }
352
Yingdi Yu4e99f532014-08-25 19:40:57 -0700353You may also specify a trust-anchor directory. All certificates under this directory are
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800354taken as static trust anchors. For example, if all trust anchors are put into
Yingdi Yu4e99f532014-08-25 19:40:57 -0700355``/usr/local/etc/ndn/keys``.
Yingdi Yub4650652014-04-17 10:19:59 -0700356
357::
358
359 trust-anchor
360 {
361 type dir
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800362 dir /usr/local/etc/ndn/keys
Yingdi Yub4650652014-04-17 10:19:59 -0700363 }
364
Yingdi Yu4e99f532014-08-25 19:40:57 -0700365If certificates under the directory might be changed during runtime, you can set a refresh
366period, such as
Yingdi Yub4650652014-04-17 10:19:59 -0700367
368::
369
370 trust-anchor
371 {
372 type dir
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800373 dir /usr/local/etc/ndn/keys
Yingdi Yub4650652014-04-17 10:19:59 -0700374 refresh 1h ; refresh certificates every hour, other units include m (for minutes) and s (for seconds)
375 }
376
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800377There is also a special trust anchor **any**. As long as such a trust-anchor is defined
Yingdi Yu4e99f532014-08-25 19:40:57 -0700378in config file, packet validation will be turned off.
Yingdi Yu44d190c2014-04-16 17:05:46 -0700379
Yingdi Yu4e99f532014-08-25 19:40:57 -0700380.. note::
381 **ATTENTION: This type of trust anchor is dangerous. You should used it only when you
382 want to disable packet validation temporarily (e.g, debugging code, building a demo).**
Yingdi Yu44d190c2014-04-16 17:05:46 -0700383
384::
385
386 trust-anchor
387 {
388 type any
389 }
390
Yingdi Yub4650652014-04-17 10:19:59 -0700391
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700392Example Configuration For NLSR
393------------------------------
394
Yingdi Yu4e99f532014-08-25 19:40:57 -0700395The trust model of NLSR is semi-hierarchical. An example certificate signing hierarchy is:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700396
397::
398
399 root
400 |
401 +--------------+---------------+
402 site1 site2
403 | |
404 +---------+---------+ +
405 operator1 operator2 operator3
406 | | |
407 +-----+-----+ +----+-----+ +-----+-----+--------+
408 router1 router2 router3 router4 router5 router6 router7
409 | | | | | | |
410 + + + + + + +
411 NLSR NSLR NSLR NSLR NSLR NSLR NSLR
412
413However, entities name may not follow the signing hierarchy, for
414example:
415
Alexander Afanasyev3aeeaeb2014-04-22 23:34:23 -0700416+------------+-------------------------------------------------------------------------------------+
417| Entity | Identity name and examples |
418+============+=====================================================================================+
419| root | ``/<network>`` |
420| | |
421| | Identity example: ``/ndn`` |
422| | |
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400423| | Certificate name example: ``/ndn/KEY/1/%00/%01`` |
Alexander Afanasyev3aeeaeb2014-04-22 23:34:23 -0700424+------------+-------------------------------------------------------------------------------------+
425| site | ``/<network>/<site>`` |
426| | |
427| | Identity example: ``/ndn/edu/ucla`` |
428| | |
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400429| | Certificate name example: ``/ndn/edu/ucla/KEY/2/%00/%01`` |
Alexander Afanasyev3aeeaeb2014-04-22 23:34:23 -0700430+------------+-------------------------------------------------------------------------------------+
431| operator | ``/<network>/<site>/%C1.O.N./<operator-id>`` |
432| | |
433| | Identity example: ``/ndn/edu/ucla/%C1.O.N./op1`` |
434| | |
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400435| | Certificate name example: ``/ndn/edu/ucla/%C1.O.N./op1/KEY/3/%00/%01`` |
Alexander Afanasyev3aeeaeb2014-04-22 23:34:23 -0700436+------------+-------------------------------------------------------------------------------------+
437| router | ``/<network>/<site>/%C1.O.R./<router-id>`` |
438| | |
439| | Identity example: ``/ndn/edu/ucla/%C1.O.R./rt1`` |
440| | |
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400441| | Certificate name example: ``/ndn/edu/ucla/%C1.O.R./rt1/KEY/4/%00/%01`` |
Alexander Afanasyev3aeeaeb2014-04-22 23:34:23 -0700442+------------+-------------------------------------------------------------------------------------+
443| NLSR | ``/<network>/<site>/%C1.O.R./<router-id>/NLSR`` |
444| | |
445| | Identity example: ``/ndn/edu/ucla/%C1.O.R./rt1/NLSR`` |
446| | |
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400447| | Certificate name example: ``/ndn/edu/ucla/%C1.O.R./rt1/NLSR/KEY/5/%00/%01`` |
Alexander Afanasyev3aeeaeb2014-04-22 23:34:23 -0700448+------------+-------------------------------------------------------------------------------------+
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700449
450Assume that a typical NLSR data name is
Yingdi Yu4e99f532014-08-25 19:40:57 -0700451``/ndn/edu/ucla/%C1.O.R./rt1/NLSR/LSA/LSType.1/%01``. Then, the exception of naming
452hierarchy is "operator-router". So we can write a configuration file with three rules. The
453first one is a customized rule that capture the normal NLSR data. The second one is a
454customized rule that handles the exception case of the hierarchy (operator->router). And
455the last one is a hierarchical rule that handles the normal cases of the hierarchy.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700456
Yingdi Yu4e99f532014-08-25 19:40:57 -0700457We put the NLSR data rule to the first place, because NLSR data packets are the most
458frequently checked. The hierarchical exception rule is put to the second, because it is
459more specific than the last one.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700460
461And here is the configuration file:
462
463::
464
465 rule
466 {
467 id "NSLR LSA Rule"
468 for data
469 filter
470 {
471 type name
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400472 regex ^<>*<NLSR><LSA><><>$
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700473 }
474 checker
475 {
476 type customized
477 sig-type rsa-sha256
478 key-locator
479 {
480 type name
481 hyper-relation
482 {
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400483 k-regex ^(<>*)<KEY><>$
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700484 k-expand \\1
485 h-relation equal
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400486 p-regex ^(<>*)<NLSR><LSA><><>$
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700487 p-expand \\1
488 }
489 }
490 }
491 }
492 rule
493 {
494 id "NSLR Hierarchy Exception Rule"
495 for data
496 filter
497 {
498 type name
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400499 regex ^<>*<%C1.O.R.><><KEY><><><>$
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700500 }
501 checker
502 {
503 type customized
504 sig-type rsa-sha256
505 key-locator
506 {
507 type name
508 hyper-relation
509 {
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400510 k-regex ^(<>*)<%C1.O.N.><><KEY><>$
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700511 k-expand \\1
512 h-relation equal
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400513 p-regex ^(<>*)<%C1.O.R.><><KEY><><><>$
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700514 p-expand \\1
515 }
516 }
517 }
518 }
519 rule
520 {
521 id "NSLR Hierarchical Rule"
522 for data
523 filter
524 {
525 type name
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400526 regex ^<>*<KEY><><><>$
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700527 }
528 checker
529 {
530 type hierarchical
531 sig-type rsa-sha256
532 }
533 }
534 trust-anchor
535 {
536 type file
537 file-name "testbed-trust-anchor.cert"
538 }
539
Yingdi Yu4e99f532014-08-25 19:40:57 -0700540Example Configuration For NFD RIB Management
541--------------------------------------------
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700542
Davide Pesavento0530b5b2016-11-07 03:23:58 +0100543Assume `NFD RIB Management <https://redmine.named-data.net/projects/nfd/wiki/RibMgmt>`_
Yingdi Yu4e99f532014-08-25 19:40:57 -0700544allows any valid testbed certificate to register prefix, the configuration file could be
545written as:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700546
547::
548
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800549 rule
550 {
551 id "RIB Prefix Registration Command Rule"
552 for interest ; rule for Interests (to validate CommandInterests)
553 filter
554 {
555 type name ; condition on interest name (w/o signature)
556 regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<><><>$ ; prefix before
557 ; SigInfo & SigValue
558 }
559 checker
560 {
561 type customized
562 sig-type rsa-sha256 ; interest must have a rsa-sha256 signature
563 key-locator
564 {
565 type name ; key locator must be the certificate name of the
566 ; signing key
567 regex ^<>*<KEY><><><>$
568 }
569 }
570 checker
571 {
572 type customized
573 sig-type ecdsa-sha256 ; interest must have a ecdsa-sha256 signature
574 key-locator
575 {
576 type name ; key locator must be the certificate name of the
577 ; signing key
578 regex ^<>*<KEY><><><>$
579 }
580 }
581 }
582 rule
583 {
584 id "NDN Testbed Hierarchy Rule"
585 for data ; rule for Data (to validate NDN certificates)
586 filter
587 {
588 type name ; condition on data name
589 regex ^<>*<KEY><><><>$
590 }
591 checker
592 {
593 type hierarchical ; the certificate name of the signing key and
594 ; the data name must follow the hierarchical model
595 sig-type rsa-sha256 ; data must have a rsa-sha256 signature
596 }
597 checker
598 {
599 type hierarchical ; the certificate name of the signing key and
600 ; the data name must follow the hierarchical model
601 sig-type ecdsa-sha256 ; data must have a ecdsa-sha256 signature
602 }
603 }
604 trust-anchor
605 {
606 type file
607 file-name keys/ndn-testbed-root.ndncert.base64
608 }