blob: c35cb9e2d7b25b3661a3c046c8d9e468ce10d56b [file] [log] [blame]
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -07001Validator Configuration File Format
2===================================
3
Yingdi Yu4e99f532014-08-25 19:40:57 -07004.. contents::
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -07005
Yingdi Yu4e99f532014-08-25 19:40:57 -07006You can set up a ``Validator`` via a configuration file. Next, we will show you how to
7write a configuration file.
8
9The configuration file consists of **rules** and **trust-anchors** that will be used in
10validation. **Rules** tell the validator how to validate a packet, while **trust-anchors**
11tell the validator which certificates are valid immediately. Here is an example of
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080012configuration file containing two rules and a trust anchor.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070013
14::
15
16 rule
17 {
18 id "Simple Rule"
19 for data
20 filter
21 {
22 type name
23 name /localhost/example
24 relation is-prefix-of
25 }
26 checker
27 {
28 type customized
29 sig-type rsa-sha256
30 key-locator
31 {
32 type name
Alexander Afanasyevc381bca2017-10-15 14:51:49 -040033 name /ndn/edu/ucla/yingdi/KEY/1234
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070034 relation equal
35 }
36 }
37 }
38 rule
39 {
40 id "Testbed Validation Rule"
41 for data
42 checker
43 {
44 type hierarchical
45 sig-type rsa-sha256
46 }
47 }
48 trust-anchor
49 {
50 type file
51 file-name "testbed-trust-anchor.cert"
52 }
53
Davide Pesavento933a5672020-07-03 22:32:43 -040054.. attention:: **The order of rules MATTERS!**
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070055
56A rule can be broken into two parts:
57
58- The first part is to qualify packets to which the rule can be
59 applied;
60- The second part is to check whether further validation process is
61 necessary.
62
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080063When a packet is presented for validation, the validator will check the rules one-by-one
64in the configuration file using **for** and **filter** conditions against the packet,
65until finding a rule for which the packet qualifies. After that, the **checker**
66conditions of the matched rule will be used to check the validity of the packet. If the
67packet does not match any rules, it is treated as an invalid packet. Once a packet has
68been matched by a rule, the remaining rules are not applied to the packet (i.e., the
69matched rule "captures" the packet). Therefore, you should always put the most specific
70rule first.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070071
Yingdi Yu4e99f532014-08-25 19:40:57 -070072In the example configuration, the first rule indicates that all the data packets under the
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080073name prefix ``/localhost/example`` must be signed by a certificate whose name (the key
Alexander Afanasyevc381bca2017-10-15 14:51:49 -040074part) is ``/ndn/edu/ucla/yingdi/KEY/1234``. If a packet does not have a name under
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080075prefix ``/localhost/example``, the validator will skip the first rule and apply the second
76rule. The second rule indicates that all other data packets must be validated using the
77hierarchical policy (data name should be prefix or equal to the identity part of the
78certificate name). The example configuration defines that all certificate chains must be
79rooted in the certificate defined in the file "testbed-trust-anchor.cert".
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070080
81Rules in general
82----------------
83
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080084A rule has four properties: **id**, **for**, **filter**, and **checker**.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070085
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080086The **id** property uniquely identifies the rule in the configuration file. As long as
Yingdi Yu4e99f532014-08-25 19:40:57 -070087being unique, any name can be given to a rule, e.g., "Simple Rule", "Testbed Validation
88Rule". A rule must have one and only one **id** property.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070089
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080090A rule is either used to validate a data packet or an interest packet. This information
91is specified in the **for** property, which can be either **data** or **interest**. A
92rule must have exactly one **for** property.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070093
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080094The **filter** property further constrains the packets that can be checked by the
95rule. The filter property is not required in a rule; if omitted, the rule will capture all
96packets passed to it. A rule may contain multiple filters, in this case, a packet
97is captured by the rule only if all filters are satisfied.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -070098
Davide Pesavento933a5672020-07-03 22:32:43 -040099.. attention:: **A packet that satisfies all the filters may not be valid.**
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700100
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800101The **checker** property defines the conditions that a matched packet must fulfill to be
Zhiyi Zhang044bb7e2016-06-10 00:02:37 -0700102treated as a valid packet. A rule must have at least one **checker** property. A packet is
103treated as valid if it can pass at least one of the checkers and as invalid when it cannot
104pass any checkers.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700105
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700106Filter Property
107---------------
108
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800109Filter has a **type** property and type-specific properties. Although a rule can contain
110more than one filters, there can be at most one filter of each type.
111
112Currently, only the packet name filter is defined.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700113
114Name Filter
115~~~~~~~~~~~
116
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800117There are two ways to express the conditions on packet name:
118
119- relationship between the packet name and the specified name
120- :doc:`NDN regular expression <utils-ndn-regex>` match.
121
122Name and Relation
123^^^^^^^^^^^^^^^^^
124
125In the first case, two more properties are required: **name** and **relation**. A packet
126can fulfill the condition if the **name** has a **relation** to the packet's name. Three
127types of **relation** has been defined: **equal**, **is-prefix-of**,
128**is-strict-prefix-of**. For example, the filter
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700129
130::
131
132 filter
133 {
134 type name
135 name /localhost/example
136 relation equal
137 }
138
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800139will capture only a packet with the exact name ``/localhost/example``.
140
141The filter
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700142
143::
144
145 filter
146 {
147 type name
148 name /localhost/example
149 relation is-prefix-of
150 }
151
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800152will capture a packet with name ``/localhost/example`` or ``/localhost/example/data``, but
153will not capture a packet with name ``/localhost/another_example``. And the filter
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700154
155::
156
157 filter
158 {
159 type name
160 name /localhost/example
161 relation is-strict-prefix-of
162 }
163
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800164will capture a packet with name ``/localhost/example/data``, but will not capture a packet
Yingdi Yu4e99f532014-08-25 19:40:57 -0700165with name ``/localhost/example``.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700166
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800167NDN Regular Expression Match
168^^^^^^^^^^^^^^^^^^^^^^^^^^^^
169
Yingdi Yu4e99f532014-08-25 19:40:57 -0700170The second way is to specify an :doc:`utils-ndn-regex` that can match the packet. In this
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800171case, only one property **regex** is required. For example, the filter
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700172
173::
174
175 filter
176 {
177 type name
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800178 regex ^<>*<KEY><><><>$
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700179 }
180
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800181will capture all certificates.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700182
183Checker Property
184----------------
185
Yingdi Yu4e99f532014-08-25 19:40:57 -0700186Passing all the filters in a rule only indicates that a packet can be checked using the
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800187rule, and it does not necessarily imply that the packet is valid. The validity of a
Yingdi Yu4e99f532014-08-25 19:40:57 -0700188packet is determined by the property **checker**, which defines the conditions that a
189valid packet must fulfill.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700190
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800191Same as **filter**, **checker** has a property **type**. We have defined two types of
192checkers:
193
194- **customized** is a checker that allows customization of the conditions according to specific
195 requirements;
196
197- **hierarchical** is a checker with pre-defined hierarchical trust model.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700198
199Customized Checker
200~~~~~~~~~~~~~~~~~~
201
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400202The customized checker can include optional **sig-type** property, which specifies the acceptable signature
203type. If not specified, the checker will only accept ECDSA signature. Possible values for **sig-type** are:
204
205- **ecdsa-sha256**: ECDSA signature required (default if **sig-type** not specified)
206- **rsa-sha256**: RSA signature required
207- **sha256** (not recommended, as it is not a real signature): SHA256 digest is required
208
209If sig-type is **rsa-sha256** or **ecdsa-sha256**, the customized checker requires
210**key-locator** property. If sig-type is **sha256**, **key-locator** property can be
211specified, but is optional.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700212
213::
214
215 checker
216 {
217 type customized
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400218 sig-type rsa-sha256
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700219 key-locator
220 {
221 ...
222 }
223 }
224
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400225 checker
226 {
227 type customized
228 sig-type sha256
229 }
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700230
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400231The **key-locator** property is a nested configuration property that can appear exactly once
232and specifies conditions on ``KeyLocator``. It requires **type** property that currently
233supports only one value: **name**.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700234
235::
236
237 key-locator
238 {
239 type name
240 ...
241 }
242
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400243``KeyLocator`` conditions can be specified in the same way as the name filter. For example, a
244checker that requires ``SignatureSha256WithRsa`` signature type with ``KeyLocator`` to be exactly
245``/ndn/edu/ucla/yingdi/KEY/1234`` can be written as follows:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700246
247::
248
249 checker
250 {
251 type customized
252 sig-type rsa-sha256
253 key-locator
254 {
255 type name
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400256 name /ndn/edu/ucla/yingdi/KEY/1234
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700257 relation equal
258 }
259 }
260
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400261Similarly, a checker that requires ``SignatureSha256WithEcdsa`` signature with ``KeyLocator``
262that follows a regular expression pattern ``<ndn><>*<KEY><>{1,3}`` can be written as follows:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700263
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400264::
265
266 checker
267 {
268 type customized
269 sig-type ecdsa-sha256
270 key-locator
271 {
272 type name
273 regex <ndn><>*<KEY><>{1,3}
274 relation equal
275 }
276 }
277
278
279In addition, ``KeyLocator`` can be further constrained using information extracted from the
280packet name using the **hyper-relation** property.
281The **hyper-relation** property consists of three parts:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700282
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800283- an NDN regular expression that extracts information from the packet name
284- an NDN regular expression that extracts information from the ``KeyLocator`` name
285- relation from the part extracted from the ``KeyLocator`` name to the one extracted from
286 the packet name
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700287
288For example, a checker:
289
290::
291
292 checker
293 {
294 type customized
295 sig-type rsa-sha256
296 key-locator
297 {
298 type name
299 hyper-relation
300 {
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400301 k-regex ^(<>*)<KEY><>{1,3}$
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800302 k-expand \\1
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700303 h-relation is-prefix-of
304 p-regex ^(<>*)$
305 p-expand \\1
306
307 }
308 }
309 }
310
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800311requires the packet name must be under the corresponding namespace (identity part) of the
312``KeyLocator`` name.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700313
314Hierarchical Checker
315~~~~~~~~~~~~~~~~~~~~
316
Yingdi Yu4e99f532014-08-25 19:40:57 -0700317As implied by its name, hierarchical checker requires that the packet name must be under
318the namespace of the packet signer. A hierarchical checker:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700319
320::
321
322 checker
323 {
324 type hierarchical
325 sig-type rsa-sha256
326 }
327
328is equivalent to a customized checker:
329
330::
331
332 checker
333 {
334 type customized
335 sig-type rsa-sha256
336 key-locator
337 {
338 type name
339 hyper-relation
340 {
Junxiao Shi5dc75602021-02-19 11:33:00 -0700341 k-regex ^(<>*)<KEY><>{1,3}$
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800342 k-expand \\1
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700343 h-relation is-prefix-of
344 p-regex ^(<>*)$
345 p-expand \\1
346 }
347 }
348 }
349
Alexander Afanasyevd36dd552014-06-30 12:42:46 -0700350.. _validator-conf-trust-anchors:
351
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700352Trust Anchors
353-------------
354
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800355**trust-anchor** is a necessary option in order to properly validate packets. A
356configuration file may contain more than one trust anchors and the order of trust anchors
357does not matter. The structure of trust-anchor is as follows:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700358
359::
360
361 trust-anchor
362 {
363 type file
364 file-name "trusted-signer.cert"
365 }
366 trust-anchor
367 {
368 type base64
369 base64-string "Bv0DGwdG...amHFvHIMDw=="
370 }
371
Yingdi Yu4e99f532014-08-25 19:40:57 -0700372You may also specify a trust-anchor directory. All certificates under this directory are
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800373taken as static trust anchors. For example, if all trust anchors are put into
Yingdi Yu4e99f532014-08-25 19:40:57 -0700374``/usr/local/etc/ndn/keys``.
Yingdi Yub4650652014-04-17 10:19:59 -0700375
376::
377
378 trust-anchor
379 {
380 type dir
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800381 dir /usr/local/etc/ndn/keys
Yingdi Yub4650652014-04-17 10:19:59 -0700382 }
383
Yingdi Yu4e99f532014-08-25 19:40:57 -0700384If certificates under the directory might be changed during runtime, you can set a refresh
385period, such as
Yingdi Yub4650652014-04-17 10:19:59 -0700386
387::
388
389 trust-anchor
390 {
391 type dir
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800392 dir /usr/local/etc/ndn/keys
Yingdi Yub4650652014-04-17 10:19:59 -0700393 refresh 1h ; refresh certificates every hour, other units include m (for minutes) and s (for seconds)
394 }
395
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800396There is also a special trust anchor **any**. As long as such a trust-anchor is defined
Yingdi Yu4e99f532014-08-25 19:40:57 -0700397in config file, packet validation will be turned off.
Yingdi Yu44d190c2014-04-16 17:05:46 -0700398
Davide Pesavento933a5672020-07-03 22:32:43 -0400399.. danger::
400 This type of trust anchor is dangerous. You should used it only when you
401 want to disable packet validation temporarily (e.g., debugging code, building a demo).
Yingdi Yu44d190c2014-04-16 17:05:46 -0700402
403::
404
405 trust-anchor
406 {
407 type any
408 }
409
Yingdi Yub4650652014-04-17 10:19:59 -0700410
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700411Example Configuration For NLSR
412------------------------------
413
Yingdi Yu4e99f532014-08-25 19:40:57 -0700414The trust model of NLSR is semi-hierarchical. An example certificate signing hierarchy is:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700415
416::
417
418 root
419 |
420 +--------------+---------------+
421 site1 site2
422 | |
423 +---------+---------+ +
424 operator1 operator2 operator3
425 | | |
426 +-----+-----+ +----+-----+ +-----+-----+--------+
427 router1 router2 router3 router4 router5 router6 router7
428 | | | | | | |
429 + + + + + + +
430 NLSR NSLR NSLR NSLR NSLR NSLR NSLR
431
432However, entities name may not follow the signing hierarchy, for
433example:
434
Alexander Afanasyev3aeeaeb2014-04-22 23:34:23 -0700435+------------+-------------------------------------------------------------------------------------+
436| Entity | Identity name and examples |
437+============+=====================================================================================+
438| root | ``/<network>`` |
439| | |
440| | Identity example: ``/ndn`` |
441| | |
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400442| | Certificate name example: ``/ndn/KEY/1/%00/%01`` |
Alexander Afanasyev3aeeaeb2014-04-22 23:34:23 -0700443+------------+-------------------------------------------------------------------------------------+
444| site | ``/<network>/<site>`` |
445| | |
446| | Identity example: ``/ndn/edu/ucla`` |
447| | |
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400448| | Certificate name example: ``/ndn/edu/ucla/KEY/2/%00/%01`` |
Alexander Afanasyev3aeeaeb2014-04-22 23:34:23 -0700449+------------+-------------------------------------------------------------------------------------+
450| operator | ``/<network>/<site>/%C1.O.N./<operator-id>`` |
451| | |
452| | Identity example: ``/ndn/edu/ucla/%C1.O.N./op1`` |
453| | |
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400454| | Certificate name example: ``/ndn/edu/ucla/%C1.O.N./op1/KEY/3/%00/%01`` |
Alexander Afanasyev3aeeaeb2014-04-22 23:34:23 -0700455+------------+-------------------------------------------------------------------------------------+
456| router | ``/<network>/<site>/%C1.O.R./<router-id>`` |
457| | |
458| | Identity example: ``/ndn/edu/ucla/%C1.O.R./rt1`` |
459| | |
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400460| | Certificate name example: ``/ndn/edu/ucla/%C1.O.R./rt1/KEY/4/%00/%01`` |
Alexander Afanasyev3aeeaeb2014-04-22 23:34:23 -0700461+------------+-------------------------------------------------------------------------------------+
462| NLSR | ``/<network>/<site>/%C1.O.R./<router-id>/NLSR`` |
463| | |
464| | Identity example: ``/ndn/edu/ucla/%C1.O.R./rt1/NLSR`` |
465| | |
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400466| | Certificate name example: ``/ndn/edu/ucla/%C1.O.R./rt1/NLSR/KEY/5/%00/%01`` |
Alexander Afanasyev3aeeaeb2014-04-22 23:34:23 -0700467+------------+-------------------------------------------------------------------------------------+
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700468
469Assume that a typical NLSR data name is
Yingdi Yu4e99f532014-08-25 19:40:57 -0700470``/ndn/edu/ucla/%C1.O.R./rt1/NLSR/LSA/LSType.1/%01``. Then, the exception of naming
471hierarchy is "operator-router". So we can write a configuration file with three rules. The
472first one is a customized rule that capture the normal NLSR data. The second one is a
473customized rule that handles the exception case of the hierarchy (operator->router). And
474the last one is a hierarchical rule that handles the normal cases of the hierarchy.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700475
Yingdi Yu4e99f532014-08-25 19:40:57 -0700476We put the NLSR data rule to the first place, because NLSR data packets are the most
477frequently checked. The hierarchical exception rule is put to the second, because it is
478more specific than the last one.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700479
480And here is the configuration file:
481
482::
483
484 rule
485 {
486 id "NSLR LSA Rule"
487 for data
488 filter
489 {
490 type name
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400491 regex ^<>*<NLSR><LSA><><>$
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700492 }
493 checker
494 {
495 type customized
496 sig-type rsa-sha256
497 key-locator
498 {
499 type name
500 hyper-relation
501 {
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400502 k-regex ^(<>*)<KEY><>$
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700503 k-expand \\1
504 h-relation equal
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400505 p-regex ^(<>*)<NLSR><LSA><><>$
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700506 p-expand \\1
507 }
508 }
509 }
510 }
511 rule
512 {
513 id "NSLR Hierarchy Exception Rule"
514 for data
515 filter
516 {
517 type name
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400518 regex ^<>*<%C1.O.R.><><KEY><><><>$
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700519 }
520 checker
521 {
522 type customized
523 sig-type rsa-sha256
524 key-locator
525 {
526 type name
527 hyper-relation
528 {
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400529 k-regex ^(<>*)<%C1.O.N.><><KEY><>$
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700530 k-expand \\1
531 h-relation equal
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400532 p-regex ^(<>*)<%C1.O.R.><><KEY><><><>$
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700533 p-expand \\1
534 }
535 }
536 }
537 }
538 rule
539 {
540 id "NSLR Hierarchical Rule"
541 for data
542 filter
543 {
544 type name
Alexander Afanasyevc381bca2017-10-15 14:51:49 -0400545 regex ^<>*<KEY><><><>$
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700546 }
547 checker
548 {
549 type hierarchical
550 sig-type rsa-sha256
551 }
552 }
553 trust-anchor
554 {
555 type file
556 file-name "testbed-trust-anchor.cert"
557 }
558
Yingdi Yu4e99f532014-08-25 19:40:57 -0700559Example Configuration For NFD RIB Management
560--------------------------------------------
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700561
Davide Pesavento0530b5b2016-11-07 03:23:58 +0100562Assume `NFD RIB Management <https://redmine.named-data.net/projects/nfd/wiki/RibMgmt>`_
Yingdi Yu4e99f532014-08-25 19:40:57 -0700563allows any valid testbed certificate to register prefix, the configuration file could be
564written as:
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700565
566::
567
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800568 rule
569 {
570 id "RIB Prefix Registration Command Rule"
571 for interest ; rule for Interests (to validate CommandInterests)
572 filter
573 {
574 type name ; condition on interest name (w/o signature)
575 regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<><><>$ ; prefix before
576 ; SigInfo & SigValue
577 }
578 checker
579 {
580 type customized
581 sig-type rsa-sha256 ; interest must have a rsa-sha256 signature
582 key-locator
583 {
584 type name ; key locator must be the certificate name of the
585 ; signing key
586 regex ^<>*<KEY><><><>$
587 }
588 }
589 checker
590 {
591 type customized
592 sig-type ecdsa-sha256 ; interest must have a ecdsa-sha256 signature
593 key-locator
594 {
595 type name ; key locator must be the certificate name of the
596 ; signing key
597 regex ^<>*<KEY><><><>$
598 }
599 }
600 }
601 rule
602 {
603 id "NDN Testbed Hierarchy Rule"
604 for data ; rule for Data (to validate NDN certificates)
605 filter
606 {
607 type name ; condition on data name
608 regex ^<>*<KEY><><><>$
609 }
610 checker
611 {
612 type hierarchical ; the certificate name of the signing key and
613 ; the data name must follow the hierarchical model
614 sig-type rsa-sha256 ; data must have a rsa-sha256 signature
615 }
616 checker
617 {
618 type hierarchical ; the certificate name of the signing key and
619 ; the data name must follow the hierarchical model
620 sig-type ecdsa-sha256 ; data must have a ecdsa-sha256 signature
621 }
622 }
623 trust-anchor
624 {
625 type file
626 file-name keys/ndn-testbed-root.ndncert.base64
627 }