Gitiles
Code Review Sign In
gerrit.named-data.net / ndn-cxx / d36dd55e3b14ca2cb7ff085db1f5b450ebfa8254 / . / docs / tutorials / security-validator-config.rst
blob: 905c0874a3f540ba529428836567ebf9405759ca [file] [log] [blame]
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700[diff] [blame]1Validator Configuration File Format
2===================================
3
4You can set up a ``Validator`` via a configuration file. Next, we will
5show you how to write a configuration file.
6
7The configuration file consists of **rules** and **trust-anchors** that
8will be used in validation. **Rules** tell the validator how to validate
9a packet, while **trust-anchors** tell the validator which certificates
10are valid immediately. Here is an example of configuration file
11containing two rules.
12
13::
14
15 rule
16 {
17 id "Simple Rule"
18 for data
19 filter
20 {
21 type name
22 name /localhost/example
23 relation is-prefix-of
24 }
25 checker
26 {
27 type customized
28 sig-type rsa-sha256
29 key-locator
30 {
31 type name
32 name /ndn/edu/ucla/KEY/yingdi/ksk-1234/ID-CERT
33 relation equal
34 }
35 }
36 }
37 rule
38 {
39 id "Testbed Validation Rule"
40 for data
41 checker
42 {
43 type hierarchical
44 sig-type rsa-sha256
45 }
46 }
47 trust-anchor
48 {
49 type file
50 file-name "testbed-trust-anchor.cert"
51 }
52
53- \ **ATTENTION: The order of rules MATTERS!**\
54
55A rule can be broken into two parts:
56
57- The first part is to qualify packets to which the rule can be
58 applied;
59- The second part is to check whether further validation process is
60 necessary.
61
62When receiving a packet, the validator will apply rules in the
63configuration file one-by-one against the packet, until finding a rule
64that the packet qualifies for. And the second part of the matched rule
65will be used to check the validity of the packet. If the packet cannot
66qualify for any rules, it is treated as an invalid packet. Once a packet
67has been matched by a rule, the rest rules will not be applied against
68the packet. Therefore, you should always put the most specific rule to
69the top, otherwise it will become useless.
70
71In the example configuration, the first rule indicates that all the data
72packets under the name prefix "/localhost/example" must be signed by a
73key whose certificate name is
74"/ndn/edu/ucla/KEY/yingdi/ksk-1234/ID-CERT". If a packet does not have a
75name under prefix "/localhost/example", validator will skip the first
76rule and apply the second rule. The second rule indicates that any data
77packets must be validated along a hierarchy. And a certificate stored in
78a file "testbed-trust-anchor.cert" is valid.
79
80Rules in general
81----------------
82
83A rule has four types of properties: **id**, **for**, **filter**, and
84**checker**.
85
86The property **id** uniquely identifies the rule in the configuration
87file. As long as being unique, any name can be given to a rule, e.g.,
88"Simple Rule", "Testbed Validation Rule". A rule must have one and only
89one **id** property.
90
91A rule is either used to validate an interest packet or a data packet.
92This information is specified in the property **for**. Only two value
93can be specified: **data** and **interest**. A rule must have one and
94only one **for** property.
95
96The property **filter** further constrains the packets that can be
97checked by the rule. Filter property is not required in a rule, in this
98case, the rule will capture all the packets passed to it. A rule may
99contain more than one filters, in this case, a packet can be checked by
100a rule only if the packet satisfies all the filters.
101
102- \ **ATTENTION: A packet that satisfies all the filters may not be
103 valid**\ .
104
105The property **checker** defines the conditions that a matched packet
106must fulfill to be treated as a valid packet. A rule must have at least
107one **checker** property, a packet is treated as invalid if it cannot
108pass none of the checkers.
109
110**filter** and **checker** have their own properties. Next, we will
111introduce them separately.
112
113Filter Property
114---------------
115
116Filter has its own **type** property. Although a rule may contain more
117than one filters, there is at most one filter of each type. So far, only
118one type of filter is defined: **name**. In other word, only one filter
119can be specified in a rule for now.
120
121Name Filter
122~~~~~~~~~~~
123
124There are two ways to express the conditions on name. The first way is
125to specify a relationship between the packet name and a particular name.
126In this case, two more properties are required: **name** and
127**relation**. A packet can fulfill the condition if the **name** has a
128**relation\* to the packet name. Three types of **\ relation\*\* has
129been defined: **equal**, **is-prefix-of**, **is-strict-prefix-of**. For
130example, a filter
131
132::
133
134 filter
135 {
136 type name
137 name /localhost/example
138 relation equal
139 }
140
141shall only capture a packet with the exact name "/localhost/example".
142And a filter
143
144::
145
146 filter
147 {
148 type name
149 name /localhost/example
150 relation is-prefix-of
151 }
152
153shall capture a packet with name "/localhost/example" or
154"/localhost/example/data", but cannot catch a packet with name
155"/localhost/another\_example". And a filter
156
157::
158
159 filter
160 {
161 type name
162 name /localhost/example
163 relation is-strict-prefix-of
164 }
165
166shall capture a packet with name "/localhost/example/data", but cannot
167catch a packet with name "/localhost/example".
168
169The second way is to specify an [[Regex\|NDN Regular Expression]] that
170can match the packet. In this case, only one property **regex** is
171required. For example, a filter
172
173::
174
175 filter
176 {
177 type name
178 regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$
179 }
180
181shall capture all the identity certificates.
182
183Checker Property
184----------------
185
186Passing all the filters in a rule only indicates that a packet can be
187checked using the rule, and it does not necessarily implies that the
188packet is valid. The validity of a packet is determined by the property
189**checker**, which defines the conditions that a valid packet must
190fulfill.
191
192Same as **filter**, **checker** has a property **type**. We have defined
193three types of checkers: **customized**, and **hierarchical**, and
194**fixed-signer**. As suggested by its name, **customized** checker
195allows you to customize the conditions according to specific
196requirements. **hierarchical** checker and **fixed-signer** checker are
197pre-defined shortcuts, which specify specific trust models separately.
198
199Customized Checker
200~~~~~~~~~~~~~~~~~~
201
202So far, we only allow three customized properties in a customized
203checker: **sig-type**, **key-locator**. All of them are related to the
204``SignatureInfo`` of a packet.
205
206::
207
208 checker
209 {
210 type customized
211 sig-type ...
212 key-locator
213 {
214 ...
215 }
216 }
217
Yingdi Yu5ec0ee32014-06-24 16:26:09 -0700[diff] [blame]218The property **sig-type** specifies the acceptable signature type.
219Right now three signature types have been defined: **rsa-sha256** and
220**ecdsa-sha256** (which are strong signature types) and **sha256**
221(which is a weak signature type).
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700[diff] [blame]222If sig-type is sha256, then **key-locator** will be ignored. Validator
223will simply calculate the digest of a packet and compare it with the one
Yingdi Yu5ec0ee32014-06-24 16:26:09 -0700[diff] [blame]224in ``SignatureValue``. If sig-type is rsa-sha256 or ecdsa-sha256, you
225have to further customize the checker with **key-locator**.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700[diff] [blame]226
227The property **key-locator** which specifies the conditions on
228``KeyLocator``. If the **key-locator** property is specified, it
229requires the existence of the ``KeyLocator`` field in ``SignatureInfo``.
230Although there are more than one types of ``KeyLocator`` defined in the
231`Packet Format <http://named-data.net/doc/ndn-tlv/signature.html>`__,
232**key-locator** property only supports one type: **name**:
233
234::
235
236 key-locator
237 {
238 type name
239 ...
240 }
241
242Such a key-locator property specifies the conditions on the certificate
243name of the signing key. Since the conditions are about name, they can
244be specified in the same way as the name filter. For example, a checker
245could be:
246
247::
248
249 checker
250 {
251 type customized
252 sig-type rsa-sha256
253 key-locator
254 {
255 type name
256 name /ndn/edu/ucla/KEY/yingdi/ksk-1234/ID-CERT
257 relation equal
258 }
259 }
260
261This checker property requires that the packet must have a rsa-sha256
262signature generated by a key whose certificate name is
263"/ndn/edu/ucla/KEY/yingdi/ksk-1234/ID-CERT".
264
265Besides the two ways to express conditions on the ``KeyLocator`` name
266(name and regex), you can further constrain the ``KeyLocator`` name
267using the information extracted from the packet name. This third type of
268condition is expressed via a property **hyper-relation**. The
269**hyper-relation** property consists of three parts:
270
271- an NDN regular expression that can extract information from packet
272 name
273- an NDN regular expression that can extract information from
274 ``KeyLocator`` name
275- relation from the part extracted from ``KeyLocator`` name to the one
276 extracted from the packet name
277
278For example, a checker:
279
280::
281
282 checker
283 {
284 type customized
285 sig-type rsa-sha256
286 key-locator
287 {
288 type name
289 hyper-relation
290 {
291 k-regex ^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$
292 k-expand \\1\\2
293 h-relation is-prefix-of
294 p-regex ^(<>*)$
295 p-expand \\1
296
297 }
298 }
299 }
300
301requires the packet name must be under the corresponding namespace of
302the ``KeyLocator`` name.
303
304In some cases, you can even customize checker with another property For
305example:
306
307::
308
309 checker
310 {
311 type customized
312 sig-type rsa-sha256
313 key-locator
314 {
315 type name
316 hyper-relation
317 {
318 k-regex ^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$
319 k-expand \\1\\2
320 h-relation is-prefix-of
321 p-regex ^(<>*)$
322 p-expand \\1
323 }
324 }
325 }
326
327Hierarchical Checker
328~~~~~~~~~~~~~~~~~~~~
329
330As implied by its name, hierarchical checker requires that the packet
331name must be under the namespace of the packet signer. A hierarchical
332checker:
333
334::
335
336 checker
337 {
338 type hierarchical
339 sig-type rsa-sha256
340 }
341
342is equivalent to a customized checker:
343
344::
345
346 checker
347 {
348 type customized
349 sig-type rsa-sha256
350 key-locator
351 {
352 type name
353 hyper-relation
354 {
355 k-regex ^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$
356 k-expand \\1\\2
357 h-relation is-prefix-of
358 p-regex ^(<>*)$
359 p-expand \\1
360 }
361 }
362 }
363
364Fixed-Signer Checker
365~~~~~~~~~~~~~~~~~~~~
366
367In some cases, you only accept packets signed with pre-trusted
368certificates, i.e. "one-step validation". Such a trust model can be
369expressed with **fixed-signer** checker. And you only need to specify
370the trusted certificate via property **signer**. The definition of
371**signer** is the same as **trust-anchor**. For example:
372
373::
374
375 checker
376 {
377 type fixed-signer
378 sig-type rsa-sha256
379 signer
380 {
381 type file
382 file-name "trusted-signer.cert"
383 }
384 signer
385 {
386 type base64
387 base64-string "Bv0DGwdG...amHFvHIMDw=="
388 }
389 }
390
Alexander Afanasyevd36dd552014-06-30 12:42:46 -0700[diff] [blame^]391.. _validator-conf-trust-anchors:
392
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700[diff] [blame]393Trust Anchors
394-------------
395
396Although **trust-anchor** is always not required in the configuration
397file (for example, if fixed-signer checker is used), it is very common
398to have a few trust-anchors in the configuration file, otherwise most
399packets cannot be validated. A configuration file may contain more than
400one trust anchors, but the order of trust anchors does not matter. The
401structure of trust-anchor is same as the **signer** in fixed-signer
402checker, for example:
403
404::
405
406 trust-anchor
407 {
408 type file
409 file-name "trusted-signer.cert"
410 }
411 trust-anchor
412 {
413 type base64
414 base64-string "Bv0DGwdG...amHFvHIMDw=="
415 }
416
Yingdi Yub4650652014-04-17 10:19:59 -0700[diff] [blame]417You may also specify a trust-anchor directory. All certificates under this
418directory are taken as trust anchors. For example, if all trust anchors are
419put into ``/usr/local/etc/ndn/keys``.
420
421::
422
423 trust-anchor
424 {
425 type dir
426 file-name /usr/local/etc/ndn/keys
427 }
428
429If certificates under the directory might be changed during runtime, you can
430set a refresh period, such as
431
432::
433
434 trust-anchor
435 {
436 type dir
437 file-name /usr/local/etc/ndn/keys
438 refresh 1h ; refresh certificates every hour, other units include m (for minutes) and s (for seconds)
439 }
440
441There is another special trust anchor **any**.
Yingdi Yu44d190c2014-04-16 17:05:46 -0700[diff] [blame]442As long as such a trust-anchor is defined in config file,
443packet validation will be turned off.
444
445- **ATTENTION: This type of trust anchor is dangerous.
446 You should used it only when you want to disable packet validation temporarily
447 (e.g, debugging code, building a demo).**
448
449::
450
451 trust-anchor
452 {
453 type any
454 }
455
Yingdi Yub4650652014-04-17 10:19:59 -0700[diff] [blame]456
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700[diff] [blame]457Example Configuration For NLSR
458------------------------------
459
460The trust model of NLSR is semi-hierarchical. An example certificate
461signing hierarchy is:
462
463::
464
465 root
466 |
467 +--------------+---------------+
468 site1 site2
469 | |
470 +---------+---------+ +
471 operator1 operator2 operator3
472 | | |
473 +-----+-----+ +----+-----+ +-----+-----+--------+
474 router1 router2 router3 router4 router5 router6 router7
475 | | | | | | |
476 + + + + + + +
477 NLSR NSLR NSLR NSLR NSLR NSLR NSLR
478
479However, entities name may not follow the signing hierarchy, for
480example:
481
Alexander Afanasyev3aeeaeb2014-04-22 23:34:23 -0700[diff] [blame]482+------------+-------------------------------------------------------------------------------------+
483| Entity | Identity name and examples |
484+============+=====================================================================================+
485| root | ``/<network>`` |
486| | |
487| | Identity example: ``/ndn`` |
488| | |
489| | Certificate name example: ``/ndn/KEY/ksk-1/ID-CERT/%01`` |
490+------------+-------------------------------------------------------------------------------------+
491| site | ``/<network>/<site>`` |
492| | |
493| | Identity example: ``/ndn/edu/ucla`` |
494| | |
495| | Certificate name example: ``/ndn/edu/ucla/KEY/ksk-2/ID-CERT/%01`` |
496+------------+-------------------------------------------------------------------------------------+
497| operator | ``/<network>/<site>/%C1.O.N./<operator-id>`` |
498| | |
499| | Identity example: ``/ndn/edu/ucla/%C1.O.N./op1`` |
500| | |
501| | Certificate name example: ``/ndn/edu/ucla/%C1.O.N./op1/KEY/ksk-3/ID-CERT/%01`` |
502+------------+-------------------------------------------------------------------------------------+
503| router | ``/<network>/<site>/%C1.O.R./<router-id>`` |
504| | |
505| | Identity example: ``/ndn/edu/ucla/%C1.O.R./rt1`` |
506| | |
507| | Certificate name example: ``/ndn/edu/ucla/%C1.O.R./rt1/KEY/ksk-4/ID-CERT/%01`` |
508+------------+-------------------------------------------------------------------------------------+
509| NLSR | ``/<network>/<site>/%C1.O.R./<router-id>/NLSR`` |
510| | |
511| | Identity example: ``/ndn/edu/ucla/%C1.O.R./rt1/NLSR`` |
512| | |
513| | Certificate name example: ``/ndn/edu/ucla/%C1.O.R./rt1/NLSR/KEY/ksk-5/ID-CERT/%01`` |
514+------------+-------------------------------------------------------------------------------------+
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700[diff] [blame]515
516Assume that a typical NLSR data name is
517``/ndn/edu/ucla/%C1.O.R./rt1/NLSR/LSA/LSType.1/%01``. Then, the exception
518of naming hierarchy is "operator-router". So we can write a
519configuration file with three rules. The first one is a customized rule
520that capture the normal NLSR data. The second one is a customized rule
521that handles the exception case of the hierarchy (operator->router). And
522the last one is a hierarchical rule that handles the normal cases of the
523hierarchy.
524
525We put the NLSR data rule to the first place, because NLSR data packets
526are the most frequently checked. The hierarchical exception rule is put
527to the second, because it is more specific than the last one.
528
529And here is the configuration file:
530
531::
532
533 rule
534 {
535 id "NSLR LSA Rule"
536 for data
537 filter
538 {
539 type name
540 regex ^[^<NLSR><LSA>]*<NLSR><LSA>
541 }
542 checker
543 {
544 type customized
545 sig-type rsa-sha256
546 key-locator
547 {
548 type name
549 hyper-relation
550 {
551 k-regex ^([^<KEY>]*)<KEY><ksk-.*><ID-CERT>$
552 k-expand \\1
553 h-relation equal
554 p-regex ^([^<NLSR><LSA>]*)<NLSR><LSA><LSType\.\d><>$
555 p-expand \\1
556 }
557 }
558 }
559 }
560 rule
561 {
562 id "NSLR Hierarchy Exception Rule"
563 for data
564 filter
565 {
566 type name
567 regex ^[^<KEY><%C1.O.R.>]*<%C1.O.R.><><KEY><ksk-.*><ID-CERT><>$
568 }
569 checker
570 {
571 type customized
572 sig-type rsa-sha256
573 key-locator
574 {
575 type name
576 hyper-relation
577 {
578 k-regex ^([^<KEY><%C1.O.N.>]*)<%C1.O.N.><><KEY><ksk-.*><ID-CERT>$
579 k-expand \\1
580 h-relation equal
581 p-regex ^([^<KEY><%C1.O.R.>]*)<%C1.O.R.><><KEY><ksk-.*><ID-CERT><>$
582 p-expand \\1
583 }
584 }
585 }
586 }
587 rule
588 {
589 id "NSLR Hierarchical Rule"
590 for data
591 filter
592 {
593 type name
594 regex ^[^<KEY>]*<KEY><ksk-.*><ID-CERT><>$
595 }
596 checker
597 {
598 type hierarchical
599 sig-type rsa-sha256
600 }
601 }
602 trust-anchor
603 {
604 type file
605 file-name "testbed-trust-anchor.cert"
606 }
607
608Example Configuration For NRD
609-----------------------------
610
611Assume NRD allows any valid testbed certificate to register prefix, the
612configuration file could be written as:
613
614::
615
616 rule
617 {
618 id "NRD Prefix Registration Command Rule"
619 for interest
620 filter
621 {
622 type name
623 regex ^<localhost><nrd>[<register><unregister><advertise><withdraw>]
624 }
625 checker
626 {
627 type customized
628 sig-type rsa-sha256
629 key-locator
630 {
631 type name
632 regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$
633 }
634 }
635 }
636 rule
637 {
638 id "Testbed Hierarchy Rule"
639 for data
640 filter
641 {
642 type name
643 regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$
644 }
645 checker
646 {
647 type hierarchical
648 sig-type rsa-sha256
649 }
650 }
651 trust-anchor
652 {
653 type file
654 file-name "testbed-trust-anchor.cert"
655 }