rib: Making single configuration file for both nrd and nfd
Change-Id: I4f03896459e8dc8564c44a7b610cd1351473d966
Refs: #1486, #1412
diff --git a/nfd.conf.sample.in b/nfd.conf.sample.in
index ace10e1..b0288e4 100644
--- a/nfd.conf.sample.in
+++ b/nfd.conf.sample.in
@@ -26,6 +26,7 @@
;
; Run:
; nfd --modules
+ ; nrd --modules
;
; Or look for NFD_LOG_INIT(<module name>) statements in .cpp files
;
@@ -160,3 +161,77 @@
; }
; }
}
+
+rib_security
+{
+ ; This section defines the trust model for NFD RIB Management. It consists of rules and
+ ; trust-anchors, which are briefly defined in this file. For more information refer to
+ ; manpage of ndn-validator.conf:
+ ;
+ ; man ndn-validator.conf
+ ;
+ ; A trust-anchor is a pre-trusted certificate. This can be any certificate that is the
+ ; root of certification chain (e.g., NDN testbed root certificate) or an existing
+ ; default system certificate `default.ndncert`.
+ ;
+ ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the
+ ; rules defined here. A rule can be broken into two parts: matching & checking. A packet
+ ; will be matched against rules from the first to the last until a matched rule is
+ ; encountered. The matched rule will be used to check the packet. If a packet does not
+ ; match any rule, it will be treated as invalid. The matching part of a rule consists
+ ; of `for` and `filter` sections. They collectively define which packets can be checked
+ ; with this rule. `for` defines packet type (data or interest) and `filter` defines
+ ; conditions on other properties of a packet. Right now, you can only define conditions
+ ; on packet name, and you can only specify ONLY ONE filter for packet name. The
+ ; checking part of a rule consists of `checker`, which defines the conditions that a
+ ; VALID packet MUST have. See comments in checker section for more details.
+
+ rule
+ {
+ id "NRD Prefix Registration Command Rule"
+ for interest ; rule for Interests (to validate CommandInterests)
+ filter
+ {
+ type name ; condition on interest name (w/o signature)
+ regex ^[<localhop><localhost>]<nrd>[<register><unregister>]<>{3}$
+ }
+ checker
+ {
+ type customized
+ sig-type rsa-sha256 ; interest must have a rsa-sha256 signature
+ key-locator
+ {
+ type name ; key locator must be the certificate name of
+ ; the signing key
+ regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$
+ }
+ }
+ }
+ rule
+ {
+ id "NDN Testbed Hierarchy Rule"
+ for data ; rule for Data (to validate NDN certificates)
+ filter
+ {
+ type name ; condition on data name
+ regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$
+ }
+ checker
+ {
+ type hierarchical ; the certificate name of the signing key and
+ ; the data name must follow the hierarchical model
+ sig-type rsa-sha256 ; data must have a rsa-sha256 signature
+ }
+ }
+ trust-anchor
+ {
+ type file
+ file-name keys/default.ndncert ; the file name, by default this file should be placed in the
+ ; same folder as this config file.
+ }
+ ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors
+ ; {
+ ; type file
+ ; file-name keys/ndn-testbed.ndncert
+ ; }
+}
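Review bot: The key-locator regex on the Interest rule, `^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$`, constrains only the shape of the signing certificate's name, not whose certificate it is, so any certificate that chains to a configured trust-anchor may issue register/unregister for any prefix; with the commented-out testbed anchor enabled that would be every testbed identity. Unlike the Data rule, nothing `hierarchical` ties the signer's identity to the prefix being registered. If that is the intended default for a sample file, a comment beside the key-locator such as `; NOTE: any certificate chaining to a trust-anchor below may (un)register ANY prefix; narrow this regex or the trust anchors on a production node` would make the trust decision explicit for operators. It would also help to note in the section header that this block covers only signature validation of command Interests; timestamp/nonce replay checking is presumably done by the command validator in NRD and is not expressed here.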