Gitiles
Code Review Sign In
gerrit.named-data.net / ndn-cxx / e63eaf6df05daaf5174984aa02b87ceebb2b6b5c / . / docs / tutorials / security-validator-config.rst
blob: 7abcc4c7c55a75144c9d7b71a04bcc56c9773c90 [file] [log] [blame]
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700[diff] [blame]1Validator Configuration File Format
2===================================
3
4You can set up a ``Validator`` via a configuration file. Next, we will
5show you how to write a configuration file.
6
7The configuration file consists of **rules** and **trust-anchors** that
8will be used in validation. **Rules** tell the validator how to validate
9a packet, while **trust-anchors** tell the validator which certificates
10are valid immediately. Here is an example of configuration file
11containing two rules.
12
13::
14
15 rule
16 {
17 id "Simple Rule"
18 for data
19 filter
20 {
21 type name
22 name /localhost/example
23 relation is-prefix-of
24 }
25 checker
26 {
27 type customized
28 sig-type rsa-sha256
29 key-locator
30 {
31 type name
32 name /ndn/edu/ucla/KEY/yingdi/ksk-1234/ID-CERT
33 relation equal
34 }
35 }
36 }
37 rule
38 {
39 id "Testbed Validation Rule"
40 for data
41 checker
42 {
43 type hierarchical
44 sig-type rsa-sha256
45 }
46 }
47 trust-anchor
48 {
49 type file
50 file-name "testbed-trust-anchor.cert"
51 }
52
53- \ **ATTENTION: The order of rules MATTERS!**\
54
55A rule can be broken into two parts:
56
57- The first part is to qualify packets to which the rule can be
58 applied;
59- The second part is to check whether further validation process is
60 necessary.
61
62When receiving a packet, the validator will apply rules in the
63configuration file one-by-one against the packet, until finding a rule
64that the packet qualifies for. And the second part of the matched rule
65will be used to check the validity of the packet. If the packet cannot
66qualify for any rules, it is treated as an invalid packet. Once a packet
67has been matched by a rule, the rest rules will not be applied against
68the packet. Therefore, you should always put the most specific rule to
69the top, otherwise it will become useless.
70
71In the example configuration, the first rule indicates that all the data
72packets under the name prefix "/localhost/example" must be signed by a
73key whose certificate name is
74"/ndn/edu/ucla/KEY/yingdi/ksk-1234/ID-CERT". If a packet does not have a
75name under prefix "/localhost/example", validator will skip the first
76rule and apply the second rule. The second rule indicates that any data
77packets must be validated along a hierarchy. And a certificate stored in
78a file "testbed-trust-anchor.cert" is valid.
79
80Rules in general
81----------------
82
83A rule has four types of properties: **id**, **for**, **filter**, and
84**checker**.
85
86The property **id** uniquely identifies the rule in the configuration
87file. As long as being unique, any name can be given to a rule, e.g.,
88"Simple Rule", "Testbed Validation Rule". A rule must have one and only
89one **id** property.
90
91A rule is either used to validate an interest packet or a data packet.
92This information is specified in the property **for**. Only two value
93can be specified: **data** and **interest**. A rule must have one and
94only one **for** property.
95
96The property **filter** further constrains the packets that can be
97checked by the rule. Filter property is not required in a rule, in this
98case, the rule will capture all the packets passed to it. A rule may
99contain more than one filters, in this case, a packet can be checked by
100a rule only if the packet satisfies all the filters.
101
102- \ **ATTENTION: A packet that satisfies all the filters may not be
103 valid**\ .
104
105The property **checker** defines the conditions that a matched packet
106must fulfill to be treated as a valid packet. A rule must have at least
107one **checker** property, a packet is treated as invalid if it cannot
108pass none of the checkers.
109
110**filter** and **checker** have their own properties. Next, we will
111introduce them separately.
112
113Filter Property
114---------------
115
116Filter has its own **type** property. Although a rule may contain more
117than one filters, there is at most one filter of each type. So far, only
118one type of filter is defined: **name**. In other word, only one filter
119can be specified in a rule for now.
120
121Name Filter
122~~~~~~~~~~~
123
124There are two ways to express the conditions on name. The first way is
125to specify a relationship between the packet name and a particular name.
126In this case, two more properties are required: **name** and
127**relation**. A packet can fulfill the condition if the **name** has a
128**relation\* to the packet name. Three types of **\ relation\*\* has
129been defined: **equal**, **is-prefix-of**, **is-strict-prefix-of**. For
130example, a filter
131
132::
133
134 filter
135 {
136 type name
137 name /localhost/example
138 relation equal
139 }
140
141shall only capture a packet with the exact name "/localhost/example".
142And a filter
143
144::
145
146 filter
147 {
148 type name
149 name /localhost/example
150 relation is-prefix-of
151 }
152
153shall capture a packet with name "/localhost/example" or
154"/localhost/example/data", but cannot catch a packet with name
155"/localhost/another\_example". And a filter
156
157::
158
159 filter
160 {
161 type name
162 name /localhost/example
163 relation is-strict-prefix-of
164 }
165
166shall capture a packet with name "/localhost/example/data", but cannot
167catch a packet with name "/localhost/example".
168
169The second way is to specify an [[Regex\|NDN Regular Expression]] that
170can match the packet. In this case, only one property **regex** is
171required. For example, a filter
172
173::
174
175 filter
176 {
177 type name
178 regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$
179 }
180
181shall capture all the identity certificates.
182
183Checker Property
184----------------
185
186Passing all the filters in a rule only indicates that a packet can be
187checked using the rule, and it does not necessarily implies that the
188packet is valid. The validity of a packet is determined by the property
189**checker**, which defines the conditions that a valid packet must
190fulfill.
191
192Same as **filter**, **checker** has a property **type**. We have defined
193three types of checkers: **customized**, and **hierarchical**, and
194**fixed-signer**. As suggested by its name, **customized** checker
195allows you to customize the conditions according to specific
196requirements. **hierarchical** checker and **fixed-signer** checker are
197pre-defined shortcuts, which specify specific trust models separately.
198
199Customized Checker
200~~~~~~~~~~~~~~~~~~
201
202So far, we only allow three customized properties in a customized
203checker: **sig-type**, **key-locator**. All of them are related to the
204``SignatureInfo`` of a packet.
205
206::
207
208 checker
209 {
210 type customized
211 sig-type ...
212 key-locator
213 {
214 ...
215 }
216 }
217
Yingdi Yu5ec0ee32014-06-24 16:26:09 -0700[diff] [blame]218The property **sig-type** specifies the acceptable signature type.
219Right now three signature types have been defined: **rsa-sha256** and
220**ecdsa-sha256** (which are strong signature types) and **sha256**
221(which is a weak signature type).
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700[diff] [blame]222If sig-type is sha256, then **key-locator** will be ignored. Validator
223will simply calculate the digest of a packet and compare it with the one
Yingdi Yu5ec0ee32014-06-24 16:26:09 -0700[diff] [blame]224in ``SignatureValue``. If sig-type is rsa-sha256 or ecdsa-sha256, you
225have to further customize the checker with **key-locator**.
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700[diff] [blame]226
227The property **key-locator** which specifies the conditions on
228``KeyLocator``. If the **key-locator** property is specified, it
229requires the existence of the ``KeyLocator`` field in ``SignatureInfo``.
230Although there are more than one types of ``KeyLocator`` defined in the
231`Packet Format <http://named-data.net/doc/ndn-tlv/signature.html>`__,
232**key-locator** property only supports one type: **name**:
233
234::
235
236 key-locator
237 {
238 type name
239 ...
240 }
241
242Such a key-locator property specifies the conditions on the certificate
243name of the signing key. Since the conditions are about name, they can
244be specified in the same way as the name filter. For example, a checker
245could be:
246
247::
248
249 checker
250 {
251 type customized
252 sig-type rsa-sha256
253 key-locator
254 {
255 type name
256 name /ndn/edu/ucla/KEY/yingdi/ksk-1234/ID-CERT
257 relation equal
258 }
259 }
260
261This checker property requires that the packet must have a rsa-sha256
262signature generated by a key whose certificate name is
263"/ndn/edu/ucla/KEY/yingdi/ksk-1234/ID-CERT".
264
265Besides the two ways to express conditions on the ``KeyLocator`` name
266(name and regex), you can further constrain the ``KeyLocator`` name
267using the information extracted from the packet name. This third type of
268condition is expressed via a property **hyper-relation**. The
269**hyper-relation** property consists of three parts:
270
271- an NDN regular expression that can extract information from packet
272 name
273- an NDN regular expression that can extract information from
274 ``KeyLocator`` name
275- relation from the part extracted from ``KeyLocator`` name to the one
276 extracted from the packet name
277
278For example, a checker:
279
280::
281
282 checker
283 {
284 type customized
285 sig-type rsa-sha256
286 key-locator
287 {
288 type name
289 hyper-relation
290 {
291 k-regex ^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$
292 k-expand \\1\\2
293 h-relation is-prefix-of
294 p-regex ^(<>*)$
295 p-expand \\1
296
297 }
298 }
299 }
300
301requires the packet name must be under the corresponding namespace of
302the ``KeyLocator`` name.
303
304In some cases, you can even customize checker with another property For
305example:
306
307::
308
309 checker
310 {
311 type customized
312 sig-type rsa-sha256
313 key-locator
314 {
315 type name
316 hyper-relation
317 {
318 k-regex ^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$
319 k-expand \\1\\2
320 h-relation is-prefix-of
321 p-regex ^(<>*)$
322 p-expand \\1
323 }
324 }
325 }
326
327Hierarchical Checker
328~~~~~~~~~~~~~~~~~~~~
329
330As implied by its name, hierarchical checker requires that the packet
331name must be under the namespace of the packet signer. A hierarchical
332checker:
333
334::
335
336 checker
337 {
338 type hierarchical
339 sig-type rsa-sha256
340 }
341
342is equivalent to a customized checker:
343
344::
345
346 checker
347 {
348 type customized
349 sig-type rsa-sha256
350 key-locator
351 {
352 type name
353 hyper-relation
354 {
355 k-regex ^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$
356 k-expand \\1\\2
357 h-relation is-prefix-of
358 p-regex ^(<>*)$
359 p-expand \\1
360 }
361 }
362 }
363
364Fixed-Signer Checker
365~~~~~~~~~~~~~~~~~~~~
366
367In some cases, you only accept packets signed with pre-trusted
368certificates, i.e. "one-step validation". Such a trust model can be
369expressed with **fixed-signer** checker. And you only need to specify
370the trusted certificate via property **signer**. The definition of
371**signer** is the same as **trust-anchor**. For example:
372
373::
374
375 checker
376 {
377 type fixed-signer
378 sig-type rsa-sha256
379 signer
380 {
381 type file
382 file-name "trusted-signer.cert"
383 }
384 signer
385 {
386 type base64
387 base64-string "Bv0DGwdG...amHFvHIMDw=="
388 }
389 }
390
391Trust Anchors
392-------------
393
394Although **trust-anchor** is always not required in the configuration
395file (for example, if fixed-signer checker is used), it is very common
396to have a few trust-anchors in the configuration file, otherwise most
397packets cannot be validated. A configuration file may contain more than
398one trust anchors, but the order of trust anchors does not matter. The
399structure of trust-anchor is same as the **signer** in fixed-signer
400checker, for example:
401
402::
403
404 trust-anchor
405 {
406 type file
407 file-name "trusted-signer.cert"
408 }
409 trust-anchor
410 {
411 type base64
412 base64-string "Bv0DGwdG...amHFvHIMDw=="
413 }
414
Yingdi Yub4650652014-04-17 10:19:59 -0700[diff] [blame]415You may also specify a trust-anchor directory. All certificates under this
416directory are taken as trust anchors. For example, if all trust anchors are
417put into ``/usr/local/etc/ndn/keys``.
418
419::
420
421 trust-anchor
422 {
423 type dir
424 file-name /usr/local/etc/ndn/keys
425 }
426
427If certificates under the directory might be changed during runtime, you can
428set a refresh period, such as
429
430::
431
432 trust-anchor
433 {
434 type dir
435 file-name /usr/local/etc/ndn/keys
436 refresh 1h ; refresh certificates every hour, other units include m (for minutes) and s (for seconds)
437 }
438
439There is another special trust anchor **any**.
Yingdi Yu44d190c2014-04-16 17:05:46 -0700[diff] [blame]440As long as such a trust-anchor is defined in config file,
441packet validation will be turned off.
442
443- **ATTENTION: This type of trust anchor is dangerous.
444 You should used it only when you want to disable packet validation temporarily
445 (e.g, debugging code, building a demo).**
446
447::
448
449 trust-anchor
450 {
451 type any
452 }
453
Yingdi Yub4650652014-04-17 10:19:59 -0700[diff] [blame]454
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700[diff] [blame]455Example Configuration For NLSR
456------------------------------
457
458The trust model of NLSR is semi-hierarchical. An example certificate
459signing hierarchy is:
460
461::
462
463 root
464 |
465 +--------------+---------------+
466 site1 site2
467 | |
468 +---------+---------+ +
469 operator1 operator2 operator3
470 | | |
471 +-----+-----+ +----+-----+ +-----+-----+--------+
472 router1 router2 router3 router4 router5 router6 router7
473 | | | | | | |
474 + + + + + + +
475 NLSR NSLR NSLR NSLR NSLR NSLR NSLR
476
477However, entities name may not follow the signing hierarchy, for
478example:
479
Alexander Afanasyev3aeeaeb2014-04-22 23:34:23 -0700[diff] [blame]480+------------+-------------------------------------------------------------------------------------+
481| Entity | Identity name and examples |
482+============+=====================================================================================+
483| root | ``/<network>`` |
484| | |
485| | Identity example: ``/ndn`` |
486| | |
487| | Certificate name example: ``/ndn/KEY/ksk-1/ID-CERT/%01`` |
488+------------+-------------------------------------------------------------------------------------+
489| site | ``/<network>/<site>`` |
490| | |
491| | Identity example: ``/ndn/edu/ucla`` |
492| | |
493| | Certificate name example: ``/ndn/edu/ucla/KEY/ksk-2/ID-CERT/%01`` |
494+------------+-------------------------------------------------------------------------------------+
495| operator | ``/<network>/<site>/%C1.O.N./<operator-id>`` |
496| | |
497| | Identity example: ``/ndn/edu/ucla/%C1.O.N./op1`` |
498| | |
499| | Certificate name example: ``/ndn/edu/ucla/%C1.O.N./op1/KEY/ksk-3/ID-CERT/%01`` |
500+------------+-------------------------------------------------------------------------------------+
501| router | ``/<network>/<site>/%C1.O.R./<router-id>`` |
502| | |
503| | Identity example: ``/ndn/edu/ucla/%C1.O.R./rt1`` |
504| | |
505| | Certificate name example: ``/ndn/edu/ucla/%C1.O.R./rt1/KEY/ksk-4/ID-CERT/%01`` |
506+------------+-------------------------------------------------------------------------------------+
507| NLSR | ``/<network>/<site>/%C1.O.R./<router-id>/NLSR`` |
508| | |
509| | Identity example: ``/ndn/edu/ucla/%C1.O.R./rt1/NLSR`` |
510| | |
511| | Certificate name example: ``/ndn/edu/ucla/%C1.O.R./rt1/NLSR/KEY/ksk-5/ID-CERT/%01`` |
512+------------+-------------------------------------------------------------------------------------+
Alexander Afanasyev7c6aeb02014-04-10 19:59:19 -0700[diff] [blame]513
514Assume that a typical NLSR data name is
515``/ndn/edu/ucla/%C1.O.R./rt1/NLSR/LSA/LSType.1/%01``. Then, the exception
516of naming hierarchy is "operator-router". So we can write a
517configuration file with three rules. The first one is a customized rule
518that capture the normal NLSR data. The second one is a customized rule
519that handles the exception case of the hierarchy (operator->router). And
520the last one is a hierarchical rule that handles the normal cases of the
521hierarchy.
522
523We put the NLSR data rule to the first place, because NLSR data packets
524are the most frequently checked. The hierarchical exception rule is put
525to the second, because it is more specific than the last one.
526
527And here is the configuration file:
528
529::
530
531 rule
532 {
533 id "NSLR LSA Rule"
534 for data
535 filter
536 {
537 type name
538 regex ^[^<NLSR><LSA>]*<NLSR><LSA>
539 }
540 checker
541 {
542 type customized
543 sig-type rsa-sha256
544 key-locator
545 {
546 type name
547 hyper-relation
548 {
549 k-regex ^([^<KEY>]*)<KEY><ksk-.*><ID-CERT>$
550 k-expand \\1
551 h-relation equal
552 p-regex ^([^<NLSR><LSA>]*)<NLSR><LSA><LSType\.\d><>$
553 p-expand \\1
554 }
555 }
556 }
557 }
558 rule
559 {
560 id "NSLR Hierarchy Exception Rule"
561 for data
562 filter
563 {
564 type name
565 regex ^[^<KEY><%C1.O.R.>]*<%C1.O.R.><><KEY><ksk-.*><ID-CERT><>$
566 }
567 checker
568 {
569 type customized
570 sig-type rsa-sha256
571 key-locator
572 {
573 type name
574 hyper-relation
575 {
576 k-regex ^([^<KEY><%C1.O.N.>]*)<%C1.O.N.><><KEY><ksk-.*><ID-CERT>$
577 k-expand \\1
578 h-relation equal
579 p-regex ^([^<KEY><%C1.O.R.>]*)<%C1.O.R.><><KEY><ksk-.*><ID-CERT><>$
580 p-expand \\1
581 }
582 }
583 }
584 }
585 rule
586 {
587 id "NSLR Hierarchical Rule"
588 for data
589 filter
590 {
591 type name
592 regex ^[^<KEY>]*<KEY><ksk-.*><ID-CERT><>$
593 }
594 checker
595 {
596 type hierarchical
597 sig-type rsa-sha256
598 }
599 }
600 trust-anchor
601 {
602 type file
603 file-name "testbed-trust-anchor.cert"
604 }
605
606Example Configuration For NRD
607-----------------------------
608
609Assume NRD allows any valid testbed certificate to register prefix, the
610configuration file could be written as:
611
612::
613
614 rule
615 {
616 id "NRD Prefix Registration Command Rule"
617 for interest
618 filter
619 {
620 type name
621 regex ^<localhost><nrd>[<register><unregister><advertise><withdraw>]
622 }
623 checker
624 {
625 type customized
626 sig-type rsa-sha256
627 key-locator
628 {
629 type name
630 regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$
631 }
632 }
633 }
634 rule
635 {
636 id "Testbed Hierarchy Rule"
637 for data
638 filter
639 {
640 type name
641 regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$
642 }
643 checker
644 {
645 type hierarchical
646 sig-type rsa-sha256
647 }
648 }
649 trust-anchor
650 {
651 type file
652 file-name "testbed-trust-anchor.cert"
653 }