blob: 9a081e42aeb55c4a1869f13e8ba272973c741b10 [file] [log] [blame]
; The general section contains settings of nfd process.
general
{
; Specify a user and/or group for NFD to drop privileges to
; when not performing privileged tasks. NFD does not drop
; privileges by default.
; user ndn-user
; group ndn-user
}
log
{
; default_level specifies the logging level for modules
; that are not explicitly named. All debugging levels
; listed above the selected value are enabled.
;
; Valid values:
;
; NONE ; no messages
; ERROR ; error messages
; WARN ; warning messages
; INFO ; informational messages (default)
; DEBUG ; debugging messages
; TRACE ; trace messages (most verbose)
; ALL ; all messages
default_level INFO
; You may override default_level by assigning a logging level
; to the desired module name. Module names can be found in two ways:
;
; Run:
; nfd --modules
; nrd --modules
;
; Or look for NFD_LOG_INIT(<module name>) statements in .cpp files
;
; Example module-level settings:
;
; FibManager DEBUG
; Forwarder INFO
}
; The face_system section defines what faces and channels are created.
face_system
{
; The unix section contains settings of UNIX stream faces and channels.
unix
{
listen yes ; set to 'no' to disable UNIX stream listener, default 'yes'
path /var/run/nfd.sock ; UNIX stream listener path
}
; The tcp section contains settings of TCP faces and channels.
tcp
{
listen yes ; set to 'no' to disable TCP listener, default 'yes'
port 6363 ; TCP listener port number
enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
}
; The udp section contains settings of UDP faces and channels.
; UDP channel is always listening; delete udp section to disable UDP
udp
{
port 6363 ; UDP unicast port number
enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
idle_timeout 600 ; idle time (seconds) before closing a UDP unicast face
keep_alive_interval 25; interval (seconds) between keep-alive refreshes
; UDP multicast settings
; NFD creates one UDP multicast face per NIC
;
; In multi-homed Linux machines these settings will NOT work without
; root or settings the appropriate permissions:
;
; sudo setcap cap_net_raw=eip /full/path/nfd
;
mcast yes ; set to 'no' to disable UDP multicast, default 'yes'
mcast_port 56363 ; UDP multicast port number
mcast_group 224.0.23.170 ; UDP multicast group (IPv4 only)
}
; The ether section contains settings of Ethernet faces and channels.
; These settings will NOT work without root or setting the appropriate
; permissions:
;
; sudo setcap cap_net_raw,cap_net_admin=eip /full/path/nfd
;
; You may need to install a package to use setcap:
;
; **Ubuntu:**
;
; sudo apt-get install libcap2-bin
;
; **Mac OS X:**
;
; curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
; tar zxvf ChmodBPF.tar.gz
; open ChmodBPF/Install\ ChmodBPF.app
;
; or manually:
;
; sudo chgrp admin /dev/bpf*
; sudo chmod g+rw /dev/bpf*
@IF_HAVE_LIBPCAP@ether
@IF_HAVE_LIBPCAP@{
@IF_HAVE_LIBPCAP@ ; Ethernet multicast settings
@IF_HAVE_LIBPCAP@ ; NFD creates one Ethernet multicast face per NIC
@IF_HAVE_LIBPCAP@
@IF_HAVE_LIBPCAP@ mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes'
@IF_HAVE_LIBPCAP@ mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group
@IF_HAVE_LIBPCAP@}
}
; The authorizations section grants privileges to authorized keys.
authorizations
{
; An authorize section grants privileges to a NDN certificate.
authorize
{
; If you do not already have NDN certificate, you can generate
; one with the following commands.
;
; 1. Generate and install a self-signed identity certificate:
;
; ndnsec-keygen /`whoami` | ndnsec-install-cert -
;
; Note that the argument to ndnsec-key will be the identity name of the
; new key (in this case, /your-username). Identities are hierarchical NDN
; names and may have multiple components (e.g. `/ndn/ucla/edu/alice`).
; You may create additional keys and identities as you see fit.
;
; 2. Dump the NDN certificate to a file:
;
; sudo mkdir -p @SYSCONFDIR@/ndn/keys/
; ndnsec-cert-dump -i /`whoami` > default.ndncert
; sudo mv default.ndncert @SYSCONFDIR@/ndn/keys/default.ndncert
;
; The "certfile" field below specifies the default key directory for
; your machine. You may move your newly created key to the location it
; specifies or path.
; certfile keys/default.ndncert ; NDN identity certificate file
certfile any ; "any" authorizes command interests signed under any certificate,
; i.e., no actual validation.
privileges ; set of privileges granted to this identity
{
faces
fib
strategy-choice
}
}
; You may have multiple authorize sections that specify additional
; certificates and their privileges.
; authorize
; {
; certfile keys/this_cert_does_not_exist.ndncert
; authorize
; privileges
; {
; faces
; }
; }
}
rib
{
; The following localhost_security allows anyone to register routing entries in local RIB
localhost_security
{
trust-anchor
{
type any
}
}
; localhop_security should be enabled when NFD runs on a hub.
; "/localhop/nfd/fib" command prefix will be disabled when localhop_security section is missing.
; localhop_security
; {
; ; This section defines the trust model for NFD RIB Management. It consists of rules and
; ; trust-anchors, which are briefly defined in this file. For more information refer to
; ; manpage of ndn-validator.conf:
; ;
; ; man ndn-validator.conf
; ;
; ; A trust-anchor is a pre-trusted certificate. This can be any certificate that is the
; ; root of certification chain (e.g., NDN testbed root certificate) or an existing
; ; default system certificate `default.ndncert`.
; ;
; ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the
; ; rules defined here. A rule can be broken into two parts: matching & checking. A packet
; ; will be matched against rules from the first to the last until a matched rule is
; ; encountered. The matched rule will be used to check the packet. If a packet does not
; ; match any rule, it will be treated as invalid. The matching part of a rule consists
; ; of `for` and `filter` sections. They collectively define which packets can be checked
; ; with this rule. `for` defines packet type (data or interest) and `filter` defines
; ; conditions on other properties of a packet. Right now, you can only define conditions
; ; on packet name, and you can only specify ONLY ONE filter for packet name. The
; ; checking part of a rule consists of `checker`, which defines the conditions that a
; ; VALID packet MUST have. See comments in checker section for more details.
;
; rule
; {
; id "NRD Prefix Registration Command Rule"
; for interest ; rule for Interests (to validate CommandInterests)
; filter
; {
; type name ; condition on interest name (w/o signature)
; regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<>{3}$
; }
; checker
; {
; type customized
; sig-type rsa-sha256 ; interest must have a rsa-sha256 signature
; key-locator
; {
; type name ; key locator must be the certificate name of the
; ; signing key
; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$
; }
; }
; }
; rule
; {
; id "NDN Testbed Hierarchy Rule"
; for data ; rule for Data (to validate NDN certificates)
; filter
; {
; type name ; condition on data name
; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$
; }
; checker
; {
; type hierarchical ; the certificate name of the signing key and
; ; the data name must follow the hierarchical model
; sig-type rsa-sha256 ; data must have a rsa-sha256 signature
; }
; }
; trust-anchor
; {
; type file
; file-name keys/default.ndncert ; the file name, by default this file should be placed in the
; ; same folder as this config file.
; }
; ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors
; ; {
; ; type file
; ; file-name keys/ndn-testbed.ndncert
; ; }
; }
}