blob: a9ec70e901160cdb9ef14bea92829dadc1ae4446 [file] [log] [blame]
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -07001Validator Configuration File Format
2===================================
3
Yingdi Yu4e99f532014-08-25 19:40:57 -07004.. contents::
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -07005
Yingdi Yu4e99f532014-08-25 19:40:57 -07006You can set up a ``Validator`` via a configuration file. Next, we will show you how to
7write a configuration file.
8
9The configuration file consists of **rules** and **trust-anchors** that will be used in
10validation. **Rules** tell the validator how to validate a packet, while **trust-anchors**
11tell the validator which certificates are valid immediately. Here is an example of
12configuration file containing two rules.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070013
14::
15
16 rule
17 {
18 id "Simple Rule"
19 for data
20 filter
21 {
22 type name
23 name /localhost/example
24 relation is-prefix-of
25 }
26 checker
27 {
28 type customized
29 sig-type rsa-sha256
30 key-locator
31 {
32 type name
33 name /ndn/edu/ucla/KEY/yingdi/ksk-1234/ID-CERT
34 relation equal
35 }
36 }
37 }
38 rule
39 {
40 id "Testbed Validation Rule"
41 for data
42 checker
43 {
44 type hierarchical
45 sig-type rsa-sha256
46 }
47 }
48 trust-anchor
49 {
50 type file
51 file-name "testbed-trust-anchor.cert"
52 }
53
Yingdi Yu4e99f532014-08-25 19:40:57 -070054.. note::
55 **ATTENTION: The order of rules MATTERS!**
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070056
57A rule can be broken into two parts:
58
59- The first part is to qualify packets to which the rule can be
60 applied;
61- The second part is to check whether further validation process is
62 necessary.
63
Yingdi Yu4e99f532014-08-25 19:40:57 -070064When receiving a packet, the validator will apply rules in the configuration file
65one-by-one against the packet, until finding a rule that the packet qualifies for. And the
66second part of the matched rule will be used to check the validity of the packet. If the
67packet cannot qualify for any rules, it is treated as an invalid packet. Once a packet has
68been matched by a rule, the rest rules will not be applied against the packet. Therefore,
69you should always put the most specific rule to the top, otherwise it will become useless.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070070
Yingdi Yu4e99f532014-08-25 19:40:57 -070071In the example configuration, the first rule indicates that all the data packets under the
72name prefix ``/localhost/example`` must be signed by a key whose certificate name is
73``/ndn/edu/ucla/KEY/yingdi/ksk-1234/ID-CERT``. If a packet does not have a name under prefix
74``/localhost/example``, validator will skip the first rule and apply the second rule. The
75second rule indicates that any data packets must be validated along a hierarchy. And a
76certificate stored in a file "testbed-trust-anchor.cert" is valid.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070077
78Rules in general
79----------------
80
Yingdi Yu4e99f532014-08-25 19:40:57 -070081A rule has four types of properties: **id**, **for**, **filter**, and **checker**.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070082
Yingdi Yu4e99f532014-08-25 19:40:57 -070083The property **id** uniquely identifies the rule in the configuration file. As long as
84being unique, any name can be given to a rule, e.g., "Simple Rule", "Testbed Validation
85Rule". A rule must have one and only one **id** property.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070086
Yingdi Yu4e99f532014-08-25 19:40:57 -070087A rule is either used to validate an interest packet or a data packet. This information
88is specified in the property **for**. Only two value can be specified: **data** and
89**interest**. A rule must have one and only one **for** property.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070090
Yingdi Yu4e99f532014-08-25 19:40:57 -070091The property **filter** further constrains the packets that can be checked by the
92rule. Filter property is not required in a rule, in this case, the rule will capture all
93the packets passed to it. A rule may contain more than one filters, in this case, a packet
94can be checked by a rule only if the packet satisfies all the filters.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070095
Yingdi Yu4e99f532014-08-25 19:40:57 -070096.. note::
97 **ATTENTION: A packet that satisfies all the filters may not be valid**.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070098
Yingdi Yu4e99f532014-08-25 19:40:57 -070099The property **checker** defines the conditions that a matched packet must fulfill to be
100treated as a valid packet. A rule must have at least one **checker** property, a packet is
101treated as invalid if it cannot pass none of the checkers.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700102
Yingdi Yu4e99f532014-08-25 19:40:57 -0700103**filter** and **checker** have their own properties. Next, we will introduce them
104separately.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700105
106Filter Property
107---------------
108
Yingdi Yu4e99f532014-08-25 19:40:57 -0700109Filter has its own **type** property. Although a rule may contain more than one filters,
110there is at most one filter of each type. So far, only one type of filter is defined:
111**name**. In other word, only one filter can be specified in a rule for now.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700112
113Name Filter
114~~~~~~~~~~~
115
Yingdi Yu4e99f532014-08-25 19:40:57 -0700116There are two ways to express the conditions on name. The first way is to specify a
117relationship between the packet name and a particular name. In this case, two more
118properties are required: **name** and **relation**. A packet can fulfill the condition if
119the **name** has a **relation\* to the packet name. Three types of **\ relation\*\* has
120been defined: **equal**, **is-prefix-of**, **is-strict-prefix-of**. For example, a filter
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700121
122::
123
124 filter
125 {
126 type name
127 name /localhost/example
128 relation equal
129 }
130
Yingdi Yu4e99f532014-08-25 19:40:57 -0700131shall only capture a packet with the exact name ``/localhost/example``.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700132And a filter
133
134::
135
136 filter
137 {
138 type name
139 name /localhost/example
140 relation is-prefix-of
141 }
142
Yingdi Yu4e99f532014-08-25 19:40:57 -0700143shall capture a packet with name ``/localhost/example`` or ``/localhost/example/data``, but
144cannot catch a packet with name ``/localhost/another_example``. And a filter
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700145
146::
147
148 filter
149 {
150 type name
151 name /localhost/example
152 relation is-strict-prefix-of
153 }
154
Yingdi Yu4e99f532014-08-25 19:40:57 -0700155shall capture a packet with name ``/localhost/example/data``, but cannot catch a packet
156with name ``/localhost/example``.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700157
Yingdi Yu4e99f532014-08-25 19:40:57 -0700158The second way is to specify an :doc:`utils-ndn-regex` that can match the packet. In this
159case, only one property **regex** is required. For example, a filter
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700160
161::
162
163 filter
164 {
165 type name
166 regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$
167 }
168
169shall capture all the identity certificates.
170
171Checker Property
172----------------
173
Yingdi Yu4e99f532014-08-25 19:40:57 -0700174Passing all the filters in a rule only indicates that a packet can be checked using the
175rule, and it does not necessarily implies that the packet is valid. The validity of a
176packet is determined by the property **checker**, which defines the conditions that a
177valid packet must fulfill.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700178
Yingdi Yu4e99f532014-08-25 19:40:57 -0700179Same as **filter**, **checker** has a property **type**. We have defined three types of
180checkers: **customized**, and **hierarchical**, and **fixed-signer**. As suggested by its
181name, **customized** checker allows you to customize the conditions according to specific
182requirements. **hierarchical** checker and **fixed-signer** checker are pre-defined
183shortcuts, which specify specific trust models separately.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700184
185Customized Checker
186~~~~~~~~~~~~~~~~~~
187
188So far, we only allow three customized properties in a customized
189checker: **sig-type**, **key-locator**. All of them are related to the
190``SignatureInfo`` of a packet.
191
192::
193
194 checker
195 {
196 type customized
197 sig-type ...
198 key-locator
199 {
200 ...
201 }
202 }
203
Yingdi Yu4e99f532014-08-25 19:40:57 -0700204The property **sig-type** specifies the acceptable signature type. Right now three
205signature types have been defined: **rsa-sha256** and **ecdsa-sha256** (which are strong
206signature types) and **sha256** (which is a weak signature type). If sig-type is sha256,
207then **key-locator** will be ignored. Validator will simply calculate the digest of a
208packet and compare it with the one in ``SignatureValue``. If sig-type is rsa-sha256 or
209ecdsa-sha256, you have to further customize the checker with **key-locator**.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700210
Yingdi Yu4e99f532014-08-25 19:40:57 -0700211The property **key-locator** which specifies the conditions on ``KeyLocator``. If the
212**key-locator** property is specified, it requires the existence of the ``KeyLocator``
213field in ``SignatureInfo``. Although there are more than one types of ``KeyLocator``
214defined in the `Packet Format <http://named-data.net/doc/ndn-tlv/signature.html>`__,
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700215**key-locator** property only supports one type: **name**:
216
217::
218
219 key-locator
220 {
221 type name
222 ...
223 }
224
Yingdi Yu4e99f532014-08-25 19:40:57 -0700225Such a key-locator property specifies the conditions on the certificate name of the
226signing key. Since the conditions are about name, they can be specified in the same way as
227the name filter. For example, a checker could be:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700228
229::
230
231 checker
232 {
233 type customized
234 sig-type rsa-sha256
235 key-locator
236 {
237 type name
238 name /ndn/edu/ucla/KEY/yingdi/ksk-1234/ID-CERT
239 relation equal
240 }
241 }
242
Yingdi Yu4e99f532014-08-25 19:40:57 -0700243This checker property requires that the packet must have a ``rsa-sha256`` signature generated
244by a key whose certificate name is ``/ndn/edu/ucla/KEY/yingdi/ksk-1234/ID-CERT``.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700245
Yingdi Yu4e99f532014-08-25 19:40:57 -0700246Besides the two ways to express conditions on the ``KeyLocator`` name (name and regex),
247you can further constrain the ``KeyLocator`` name using the information extracted from the
248packet name. This third type of condition is expressed via a property
249**hyper-relation**. The **hyper-relation** property consists of three parts:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700250
Yingdi Yu4e99f532014-08-25 19:40:57 -0700251- an NDN regular expression that can extract information from packet name
252- an NDN regular expression that can extract information from ``KeyLocator`` name
253- relation from the part extracted from ``KeyLocator`` name to the one extracted from the
254 packet name
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700255
256For example, a checker:
257
258::
259
260 checker
261 {
262 type customized
263 sig-type rsa-sha256
264 key-locator
265 {
266 type name
267 hyper-relation
268 {
269 k-regex ^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$
270 k-expand \\1\\2
271 h-relation is-prefix-of
272 p-regex ^(<>*)$
273 p-expand \\1
274
275 }
276 }
277 }
278
Yingdi Yu4e99f532014-08-25 19:40:57 -0700279requires the packet name must be under the corresponding namespace of the ``KeyLocator``
280name.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700281
Yingdi Yu4e99f532014-08-25 19:40:57 -0700282In some cases, you can even customize checker with another property For example:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700283
284::
285
286 checker
287 {
288 type customized
289 sig-type rsa-sha256
290 key-locator
291 {
292 type name
293 hyper-relation
294 {
295 k-regex ^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$
296 k-expand \\1\\2
297 h-relation is-prefix-of
298 p-regex ^(<>*)$
299 p-expand \\1
300 }
301 }
302 }
303
304Hierarchical Checker
305~~~~~~~~~~~~~~~~~~~~
306
Yingdi Yu4e99f532014-08-25 19:40:57 -0700307As implied by its name, hierarchical checker requires that the packet name must be under
308the namespace of the packet signer. A hierarchical checker:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700309
310::
311
312 checker
313 {
314 type hierarchical
315 sig-type rsa-sha256
316 }
317
318is equivalent to a customized checker:
319
320::
321
322 checker
323 {
324 type customized
325 sig-type rsa-sha256
326 key-locator
327 {
328 type name
329 hyper-relation
330 {
331 k-regex ^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$
332 k-expand \\1\\2
333 h-relation is-prefix-of
334 p-regex ^(<>*)$
335 p-expand \\1
336 }
337 }
338 }
339
340Fixed-Signer Checker
341~~~~~~~~~~~~~~~~~~~~
342
Yingdi Yu4e99f532014-08-25 19:40:57 -0700343In some cases, you only accept packets signed with pre-trusted certificates,
344i.e. "one-step validation". Such a trust model can be expressed with **fixed-signer**
345checker. And you only need to specify the trusted certificate via property **signer**. The
346definition of **signer** is the same as **trust-anchor**. For example:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700347
348::
349
350 checker
351 {
352 type fixed-signer
353 sig-type rsa-sha256
354 signer
355 {
356 type file
357 file-name "trusted-signer.cert"
358 }
359 signer
360 {
361 type base64
362 base64-string "Bv0DGwdG...amHFvHIMDw=="
363 }
364 }
365
Alexander Afanasyevd36dd552014-06-30 12:42:46 -0700366.. _validator-conf-trust-anchors:
367
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700368Trust Anchors
369-------------
370
Yingdi Yu4e99f532014-08-25 19:40:57 -0700371Although **trust-anchor** is always not required in the configuration file (for example,
372if fixed-signer checker is used), it is very common to have a few trust-anchors in the
373configuration file, otherwise most packets cannot be validated. A configuration file may
374contain more than one trust anchors, but the order of trust anchors does not matter. The
375structure of trust-anchor is same as the **signer** in fixed-signer checker, for example:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700376
377::
378
379 trust-anchor
380 {
381 type file
382 file-name "trusted-signer.cert"
383 }
384 trust-anchor
385 {
386 type base64
387 base64-string "Bv0DGwdG...amHFvHIMDw=="
388 }
389
Yingdi Yu4e99f532014-08-25 19:40:57 -0700390You may also specify a trust-anchor directory. All certificates under this directory are
391taken as trust anchors. For example, if all trust anchors are put into
392``/usr/local/etc/ndn/keys``.
Yingdi Yub4650652014-04-17 10:19:59 -0700393
394::
395
396 trust-anchor
397 {
398 type dir
399 file-name /usr/local/etc/ndn/keys
400 }
401
Yingdi Yu4e99f532014-08-25 19:40:57 -0700402If certificates under the directory might be changed during runtime, you can set a refresh
403period, such as
Yingdi Yub4650652014-04-17 10:19:59 -0700404
405::
406
407 trust-anchor
408 {
409 type dir
410 file-name /usr/local/etc/ndn/keys
411 refresh 1h ; refresh certificates every hour, other units include m (for minutes) and s (for seconds)
412 }
413
Yingdi Yu4e99f532014-08-25 19:40:57 -0700414There is another special trust anchor **any**. As long as such a trust-anchor is defined
415in config file, packet validation will be turned off.
Yingdi Yu44d190c2014-04-16 17:05:46 -0700416
Yingdi Yu4e99f532014-08-25 19:40:57 -0700417.. note::
418 **ATTENTION: This type of trust anchor is dangerous. You should used it only when you
419 want to disable packet validation temporarily (e.g, debugging code, building a demo).**
Yingdi Yu44d190c2014-04-16 17:05:46 -0700420
421::
422
423 trust-anchor
424 {
425 type any
426 }
427
Yingdi Yub4650652014-04-17 10:19:59 -0700428
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700429Example Configuration For NLSR
430------------------------------
431
Yingdi Yu4e99f532014-08-25 19:40:57 -0700432The trust model of NLSR is semi-hierarchical. An example certificate signing hierarchy is:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700433
434::
435
436 root
437 |
438 +--------------+---------------+
439 site1 site2
440 | |
441 +---------+---------+ +
442 operator1 operator2 operator3
443 | | |
444 +-----+-----+ +----+-----+ +-----+-----+--------+
445 router1 router2 router3 router4 router5 router6 router7
446 | | | | | | |
447 + + + + + + +
448 NLSR NSLR NSLR NSLR NSLR NSLR NSLR
449
450However, entities name may not follow the signing hierarchy, for
451example:
452
Alexander Afanasyev3aeeaeb2014-04-22 23:34:23 -0700453+------------+-------------------------------------------------------------------------------------+
454| Entity | Identity name and examples |
455+============+=====================================================================================+
456| root | ``/<network>`` |
457| | |
458| | Identity example: ``/ndn`` |
459| | |
460| | Certificate name example: ``/ndn/KEY/ksk-1/ID-CERT/%01`` |
461+------------+-------------------------------------------------------------------------------------+
462| site | ``/<network>/<site>`` |
463| | |
464| | Identity example: ``/ndn/edu/ucla`` |
465| | |
466| | Certificate name example: ``/ndn/edu/ucla/KEY/ksk-2/ID-CERT/%01`` |
467+------------+-------------------------------------------------------------------------------------+
468| operator | ``/<network>/<site>/%C1.O.N./<operator-id>`` |
469| | |
470| | Identity example: ``/ndn/edu/ucla/%C1.O.N./op1`` |
471| | |
472| | Certificate name example: ``/ndn/edu/ucla/%C1.O.N./op1/KEY/ksk-3/ID-CERT/%01`` |
473+------------+-------------------------------------------------------------------------------------+
474| router | ``/<network>/<site>/%C1.O.R./<router-id>`` |
475| | |
476| | Identity example: ``/ndn/edu/ucla/%C1.O.R./rt1`` |
477| | |
478| | Certificate name example: ``/ndn/edu/ucla/%C1.O.R./rt1/KEY/ksk-4/ID-CERT/%01`` |
479+------------+-------------------------------------------------------------------------------------+
480| NLSR | ``/<network>/<site>/%C1.O.R./<router-id>/NLSR`` |
481| | |
482| | Identity example: ``/ndn/edu/ucla/%C1.O.R./rt1/NLSR`` |
483| | |
484| | Certificate name example: ``/ndn/edu/ucla/%C1.O.R./rt1/NLSR/KEY/ksk-5/ID-CERT/%01`` |
485+------------+-------------------------------------------------------------------------------------+
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700486
487Assume that a typical NLSR data name is
Yingdi Yu4e99f532014-08-25 19:40:57 -0700488``/ndn/edu/ucla/%C1.O.R./rt1/NLSR/LSA/LSType.1/%01``. Then, the exception of naming
489hierarchy is "operator-router". So we can write a configuration file with three rules. The
490first one is a customized rule that capture the normal NLSR data. The second one is a
491customized rule that handles the exception case of the hierarchy (operator->router). And
492the last one is a hierarchical rule that handles the normal cases of the hierarchy.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700493
Yingdi Yu4e99f532014-08-25 19:40:57 -0700494We put the NLSR data rule to the first place, because NLSR data packets are the most
495frequently checked. The hierarchical exception rule is put to the second, because it is
496more specific than the last one.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700497
498And here is the configuration file:
499
500::
501
502 rule
503 {
504 id "NSLR LSA Rule"
505 for data
506 filter
507 {
508 type name
509 regex ^[^<NLSR><LSA>]*<NLSR><LSA>
510 }
511 checker
512 {
513 type customized
514 sig-type rsa-sha256
515 key-locator
516 {
517 type name
518 hyper-relation
519 {
520 k-regex ^([^<KEY>]*)<KEY><ksk-.*><ID-CERT>$
521 k-expand \\1
522 h-relation equal
523 p-regex ^([^<NLSR><LSA>]*)<NLSR><LSA><LSType\.\d><>$
524 p-expand \\1
525 }
526 }
527 }
528 }
529 rule
530 {
531 id "NSLR Hierarchy Exception Rule"
532 for data
533 filter
534 {
535 type name
536 regex ^[^<KEY><%C1.O.R.>]*<%C1.O.R.><><KEY><ksk-.*><ID-CERT><>$
537 }
538 checker
539 {
540 type customized
541 sig-type rsa-sha256
542 key-locator
543 {
544 type name
545 hyper-relation
546 {
547 k-regex ^([^<KEY><%C1.O.N.>]*)<%C1.O.N.><><KEY><ksk-.*><ID-CERT>$
548 k-expand \\1
549 h-relation equal
550 p-regex ^([^<KEY><%C1.O.R.>]*)<%C1.O.R.><><KEY><ksk-.*><ID-CERT><>$
551 p-expand \\1
552 }
553 }
554 }
555 }
556 rule
557 {
558 id "NSLR Hierarchical Rule"
559 for data
560 filter
561 {
562 type name
563 regex ^[^<KEY>]*<KEY><ksk-.*><ID-CERT><>$
564 }
565 checker
566 {
567 type hierarchical
568 sig-type rsa-sha256
569 }
570 }
571 trust-anchor
572 {
573 type file
574 file-name "testbed-trust-anchor.cert"
575 }
576
Yingdi Yu4e99f532014-08-25 19:40:57 -0700577Example Configuration For NFD RIB Management
578--------------------------------------------
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700579
Yingdi Yu4e99f532014-08-25 19:40:57 -0700580Assume `NFD RIB Management <http://redmine.named-data.net/projects/nfd/wiki/RibMgmt>`_
581allows any valid testbed certificate to register prefix, the configuration file could be
582written as:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700583
584::
585
586 rule
587 {
588 id "NRD Prefix Registration Command Rule"
589 for interest
590 filter
591 {
592 type name
593 regex ^<localhost><nrd>[<register><unregister><advertise><withdraw>]
594 }
595 checker
596 {
597 type customized
598 sig-type rsa-sha256
599 key-locator
600 {
601 type name
602 regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$
603 }
604 }
605 }
606 rule
607 {
608 id "Testbed Hierarchy Rule"
609 for data
610 filter
611 {
612 type name
613 regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$
614 }
615 checker
616 {
617 type hierarchical
618 sig-type rsa-sha256
619 }
620 }
621 trust-anchor
622 {
623 type file
624 file-name "testbed-trust-anchor.cert"
625 }