nfd.conf.sample.in

; The general section contains settings of nfd process.
; general
; {
; }

log
{
  ; default_level specifies the logging level for modules
  ; that are not explicitly named. All debugging levels
  ; listed above the selected value are enabled.
  ;
  ; Valid values:
  ;
  ;  NONE ; no messages
  ;  ERROR ; error messages
  ;  WARN ; warning messages
  ;  INFO ; informational messages (default)
  ;  DEBUG ; debugging messages
  ;  TRACE ; trace messages (most verbose)
  ;  ALL ; all messages

  default_level INFO

  ; You may override default_level by assigning a logging level
  ; to the desired module name. Module names can be found in two ways:
  ;
  ; Run:
  ;   nfd --modules
  ;   nrd --modules
  ;
  ; Or look for NFD_LOG_INIT(<module name>) statements in .cpp files
  ;
  ; Example module-level settings:
  ;
  ; FibManager DEBUG
  ; Forwarder INFO
}

; The face_system section defines what faces and channels are created.
face_system
{
  ; The unix section contains settings of UNIX stream faces and channels.
  unix
  {
    listen yes ; set to 'no' to disable UNIX stream listener, default 'yes'
    path /var/run/nfd.sock ; UNIX stream listener path
  }

  ; The tcp section contains settings of TCP faces and channels.
  tcp
  {
    listen yes ; set to 'no' to disable TCP listener, default 'yes'
    port 6363 ; TCP listener port number
    enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
    enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
  }

  ; The udp section contains settings of UDP faces and channels.
  ; UDP channel is always listening; delete udp section to disable UDP
  udp
  {
    port 6363 ; UDP unicast port number
    enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
    enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
    idle_timeout 600 ; idle time (seconds) before closing a UDP unicast face
    keep_alive_interval 25; interval (seconds) between keep-alive refreshes

    ; UDP multicast settings
    ; NFD creates one UDP multicast face per NIC
    ;
    ; In multi-homed Linux machines these settings will NOT work without
    ; root or settings the appropriate permissions:
    ;
    ;    sudo setcap cap_net_raw=eip /full/path/nfd
    ;
    mcast yes ; set to 'no' to disable UDP multicast, default 'yes'
    mcast_port 56363 ; UDP multicast port number
    mcast_group 224.0.23.170 ; UDP multicast group (IPv4 only)
  }

  ; The ether section contains settings of Ethernet faces and channels.
  ; These settings will NOT work without root or setting the appropriate
  ; permissions:
  ;
  ;    sudo setcap cap_net_raw,cap_net_admin=eip /full/path/nfd
  ;
  ; You may need to install a package to use setcap:
  ;
  ; **Ubuntu:**
  ;
  ;    sudo apt-get install libcap2-bin
  ;
  ; **Mac OS X:**
  ;
  ;    curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
  ;    tar zxvf ChmodBPF.tar.gz
  ;    open ChmodBPF/Install\ ChmodBPF.app
  ;
  ; or manually:
  ;
  ;    sudo chgrp admin /dev/bpf*
  ;    sudo chmod g+rw /dev/bpf*

  @IF_HAVE_LIBPCAP@ether
  @IF_HAVE_LIBPCAP@{
  @IF_HAVE_LIBPCAP@  ; Ethernet multicast settings
  @IF_HAVE_LIBPCAP@  ; NFD creates one Ethernet multicast face per NIC
  @IF_HAVE_LIBPCAP@
  @IF_HAVE_LIBPCAP@  mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes'
  @IF_HAVE_LIBPCAP@  mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group
  @IF_HAVE_LIBPCAP@}
}

; The authorizations section grants privileges to authorized keys.
authorizations
{
  ; An authorize section grants privileges to a NDN certificate.
  authorize
  {
    ; If you do not already have NDN certificate, you can generate
    ; one with the following commands.
    ;
    ; 1. Generate and install a self-signed identity certificate:
    ;
    ;      ndnsec-keygen /`whoami` | ndnsec-install-cert -
    ;
    ; Note that the argument to ndnsec-key will be the identity name of the
    ; new key (in this case, /your-username). Identities are hierarchical NDN
    ; names and may have multiple components (e.g. `/ndn/ucla/edu/alice`).
    ; You may create additional keys and identities as you see fit.
    ;
    ; 2. Dump the NDN certificate to a file:
    ;
    ;      sudo mkdir -p @SYSCONFDIR@/ndn/keys/
    ;      ndnsec-cert-dump -i /`whoami` >  default.ndncert
    ;      sudo mv default.ndncert @SYSCONFDIR@/ndn/keys/default.ndncert
    ;
    ; The "certfile" field below specifies the default key directory for
    ; your machine. You may move your newly created key to the location it
    ; specifies or path.

    certfile keys/default.ndncert ; NDN identity certificate file
    privileges ; set of privileges granted to this identity
    {
      faces
      fib
      strategy-choice
    }
  }

  ; You may have multiple authorize sections that specify additional
  ; certificates and their privileges.

  ; authorize
  ; {
  ;   certfile keys/this_cert_does_not_exist.ndncert
  ;   authorize
  ;   privileges
  ;   {
  ;     faces
  ;   }
  ; }
}

rib_security
{
  ; This section defines the trust model for NFD RIB Management. It consists of rules and
  ; trust-anchors, which are briefly defined in this file.  For more information refer to
  ; manpage of ndn-validator.conf:
  ;
  ;     man ndn-validator.conf
  ;
  ; A trust-anchor is a pre-trusted certificate.  This can be any certificate that is the
  ; root of certification chain (e.g., NDN testbed root certificate) or an existing
  ; default system certificate `default.ndncert`.
  ;
  ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the
  ; rules defined here. A rule can be broken into two parts: matching & checking. A packet
  ; will be matched against rules from the first to the last until a matched rule is
  ; encountered. The matched rule will be used to check the packet. If a packet does not
  ; match any rule, it will be treated as invalid.  The matching part of a rule consists
  ; of `for` and `filter` sections. They collectively define which packets can be checked
  ; with this rule. `for` defines packet type (data or interest) and `filter` defines
  ; conditions on other properties of a packet. Right now, you can only define conditions
  ; on packet name, and you can only specify ONLY ONE filter for packet name.  The
  ; checking part of a rule consists of `checker`, which defines the conditions that a
  ; VALID packet MUST have. See comments in checker section for more details.

  rule
  {
    id "NRD Prefix Registration Command Rule"
    for interest                              ; rule for Interests (to validate CommandInterests)
    filter
    {
      type name                               ; condition on interest name (w/o signature)
      regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<>{3}$
    }
    checker
    {
      type customized
      sig-type rsa-sha256                     ; interest must have a rsa-sha256 signature
      key-locator
      {
        type name                             ; key locator must be the certificate name of
                                              ; the signing key
        regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$
      }
    }
  }
  rule
  {
    id "NDN Testbed Hierarchy Rule"
    for data                                  ; rule for Data (to validate NDN certificates)
    filter
    {
      type name                               ; condition on data name
      regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$
    }
    checker
    {
      type hierarchical                       ; the certificate name of the signing key and
                                              ; the data name must follow the hierarchical model
      sig-type rsa-sha256                     ; data must have a rsa-sha256 signature
    }
  }
  trust-anchor
  {
    type file
    file-name keys/default.ndncert ; the file name, by default this file should be placed in the
                                  ; same folder as this config file.
  }
  ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors
  ; {
  ;   type file
  ;   file-name keys/ndn-testbed.ndncert
  ; }
}