| ; The general section contains settings of nfd process. |
| general |
| { |
| ; Specify a user and/or group for NFD to drop privileges to |
| ; when not performing privileged tasks. NFD does not drop |
| ; privileges by default. |
| |
| ; user ndn-user |
| ; group ndn-user |
| } |
| |
| log |
| { |
| ; default_level specifies the logging level for modules |
| ; that are not explicitly named. All debugging levels |
| ; listed above the selected value are enabled. |
| ; |
| ; Valid values: |
| ; |
| ; NONE ; no messages |
| ; ERROR ; error messages |
| ; WARN ; warning messages |
| ; INFO ; informational messages (default) |
| ; DEBUG ; debugging messages |
| ; TRACE ; trace messages (most verbose) |
| ; ALL ; all messages |
| |
| default_level INFO |
| |
| ; You may override default_level by assigning a logging level |
| ; to the desired module name. Module names can be found in two ways: |
| ; |
| ; Run: |
| ; nfd --modules |
| ; nrd --modules |
| ; |
| ; Or look for NFD_LOG_INIT(<module name>) statements in .cpp files |
| ; |
| ; Example module-level settings: |
| ; |
| ; FibManager DEBUG |
| ; Forwarder INFO |
| } |
| |
| ; The face_system section defines what faces and channels are created. |
| face_system |
| { |
| ; The unix section contains settings of UNIX stream faces and channels. |
| unix |
| { |
| listen yes ; set to 'no' to disable UNIX stream listener, default 'yes' |
| path /var/run/nfd.sock ; UNIX stream listener path |
| } |
| |
| ; The tcp section contains settings of TCP faces and channels. |
| tcp |
| { |
| listen yes ; set to 'no' to disable TCP listener, default 'yes' |
| port 6363 ; TCP listener port number |
| enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes' |
| enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes' |
| } |
| |
| ; The udp section contains settings of UDP faces and channels. |
| ; UDP channel is always listening; delete udp section to disable UDP |
| udp |
| { |
| port 6363 ; UDP unicast port number |
| enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes' |
| enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes' |
| idle_timeout 600 ; idle time (seconds) before closing a UDP unicast face |
| keep_alive_interval 25; interval (seconds) between keep-alive refreshes |
| |
| ; UDP multicast settings |
| ; NFD creates one UDP multicast face per NIC |
| ; |
| ; In multi-homed Linux machines these settings will NOT work without |
| ; root or settings the appropriate permissions: |
| ; |
| ; sudo setcap cap_net_raw=eip /full/path/nfd |
| ; |
| mcast yes ; set to 'no' to disable UDP multicast, default 'yes' |
| mcast_port 56363 ; UDP multicast port number |
| mcast_group 224.0.23.170 ; UDP multicast group (IPv4 only) |
| } |
| |
| ; The ether section contains settings of Ethernet faces and channels. |
| ; These settings will NOT work without root or setting the appropriate |
| ; permissions: |
| ; |
| ; sudo setcap cap_net_raw,cap_net_admin=eip /full/path/nfd |
| ; |
| ; You may need to install a package to use setcap: |
| ; |
| ; **Ubuntu:** |
| ; |
| ; sudo apt-get install libcap2-bin |
| ; |
| ; **Mac OS X:** |
| ; |
| ; curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz |
| ; tar zxvf ChmodBPF.tar.gz |
| ; open ChmodBPF/Install\ ChmodBPF.app |
| ; |
| ; or manually: |
| ; |
| ; sudo chgrp admin /dev/bpf* |
| ; sudo chmod g+rw /dev/bpf* |
| |
| @IF_HAVE_LIBPCAP@ether |
| @IF_HAVE_LIBPCAP@{ |
| @IF_HAVE_LIBPCAP@ ; Ethernet multicast settings |
| @IF_HAVE_LIBPCAP@ ; NFD creates one Ethernet multicast face per NIC |
| @IF_HAVE_LIBPCAP@ |
| @IF_HAVE_LIBPCAP@ mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes' |
| @IF_HAVE_LIBPCAP@ mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group |
| @IF_HAVE_LIBPCAP@} |
| } |
| |
| ; The authorizations section grants privileges to authorized keys. |
| authorizations |
| { |
| ; An authorize section grants privileges to a NDN certificate. |
| authorize |
| { |
| ; If you do not already have NDN certificate, you can generate |
| ; one with the following commands. |
| ; |
| ; 1. Generate and install a self-signed identity certificate: |
| ; |
| ; ndnsec-keygen /`whoami` | ndnsec-install-cert - |
| ; |
| ; Note that the argument to ndnsec-key will be the identity name of the |
| ; new key (in this case, /your-username). Identities are hierarchical NDN |
| ; names and may have multiple components (e.g. `/ndn/ucla/edu/alice`). |
| ; You may create additional keys and identities as you see fit. |
| ; |
| ; 2. Dump the NDN certificate to a file: |
| ; |
| ; sudo mkdir -p @SYSCONFDIR@/ndn/keys/ |
| ; ndnsec-cert-dump -i /`whoami` > default.ndncert |
| ; sudo mv default.ndncert @SYSCONFDIR@/ndn/keys/default.ndncert |
| ; |
| ; The "certfile" field below specifies the default key directory for |
| ; your machine. You may move your newly created key to the location it |
| ; specifies or path. |
| |
| ; certfile keys/default.ndncert ; NDN identity certificate file |
| certfile any ; "any" authorizes command interests signed under any certificate, |
| ; i.e., no actual validation. |
| privileges ; set of privileges granted to this identity |
| { |
| faces |
| fib |
| strategy-choice |
| } |
| } |
| |
| ; You may have multiple authorize sections that specify additional |
| ; certificates and their privileges. |
| |
| ; authorize |
| ; { |
| ; certfile keys/this_cert_does_not_exist.ndncert |
| ; authorize |
| ; privileges |
| ; { |
| ; faces |
| ; } |
| ; } |
| } |
| |
| rib |
| { |
| ; The following localhost_security allows anyone to register routing entries in local RIB |
| localhost_security |
| { |
| trust-anchor |
| { |
| type any |
| } |
| } |
| |
| ; localhop_security should be enabled when NFD runs on a hub. |
| ; "/localhop/nfd/fib" command prefix will be disabled when localhop_security section is missing. |
| ; localhop_security |
| ; { |
| ; ; This section defines the trust model for NFD RIB Management. It consists of rules and |
| ; ; trust-anchors, which are briefly defined in this file. For more information refer to |
| ; ; manpage of ndn-validator.conf: |
| ; ; |
| ; ; man ndn-validator.conf |
| ; ; |
| ; ; A trust-anchor is a pre-trusted certificate. This can be any certificate that is the |
| ; ; root of certification chain (e.g., NDN testbed root certificate) or an existing |
| ; ; default system certificate `default.ndncert`. |
| ; ; |
| ; ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the |
| ; ; rules defined here. A rule can be broken into two parts: matching & checking. A packet |
| ; ; will be matched against rules from the first to the last until a matched rule is |
| ; ; encountered. The matched rule will be used to check the packet. If a packet does not |
| ; ; match any rule, it will be treated as invalid. The matching part of a rule consists |
| ; ; of `for` and `filter` sections. They collectively define which packets can be checked |
| ; ; with this rule. `for` defines packet type (data or interest) and `filter` defines |
| ; ; conditions on other properties of a packet. Right now, you can only define conditions |
| ; ; on packet name, and you can only specify ONLY ONE filter for packet name. The |
| ; ; checking part of a rule consists of `checker`, which defines the conditions that a |
| ; ; VALID packet MUST have. See comments in checker section for more details. |
| ; |
| ; rule |
| ; { |
| ; id "NRD Prefix Registration Command Rule" |
| ; for interest ; rule for Interests (to validate CommandInterests) |
| ; filter |
| ; { |
| ; type name ; condition on interest name (w/o signature) |
| ; regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<>{3}$ |
| ; } |
| ; checker |
| ; { |
| ; type customized |
| ; sig-type rsa-sha256 ; interest must have a rsa-sha256 signature |
| ; key-locator |
| ; { |
| ; type name ; key locator must be the certificate name of the |
| ; ; signing key |
| ; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$ |
| ; } |
| ; } |
| ; } |
| ; rule |
| ; { |
| ; id "NDN Testbed Hierarchy Rule" |
| ; for data ; rule for Data (to validate NDN certificates) |
| ; filter |
| ; { |
| ; type name ; condition on data name |
| ; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$ |
| ; } |
| ; checker |
| ; { |
| ; type hierarchical ; the certificate name of the signing key and |
| ; ; the data name must follow the hierarchical model |
| ; sig-type rsa-sha256 ; data must have a rsa-sha256 signature |
| ; } |
| ; } |
| ; trust-anchor |
| ; { |
| ; type file |
| ; file-name keys/default.ndncert ; the file name, by default this file should be placed in the |
| ; ; same folder as this config file. |
| ; } |
| ; ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors |
| ; ; { |
| ; ; type file |
| ; ; file-name keys/ndn-testbed.ndncert |
| ; ; } |
| ; } |
| } |