Steve DiBenedetto | 1a3c673 | 2014-03-13 06:44:05 -0600 | [diff] [blame] | 1 | ; The general section contains settings of nfd process. |
Steve DiBenedetto | 24b9a64 | 2014-04-07 15:45:39 -0600 | [diff] [blame] | 2 | general |
| 3 | { |
| 4 | ; Specify a user and/or group for NFD to drop privileges to |
| 5 | ; when not performing privileged tasks. NFD does not drop |
| 6 | ; privileges by default. |
| 7 | |
| 8 | ; user ndn-user |
| 9 | ; group ndn-user |
| 10 | } |
Steve DiBenedetto | 84da5bf | 2014-03-11 14:51:29 -0600 | [diff] [blame] | 11 | |
Steve DiBenedetto | bf6a93d | 2014-03-21 14:03:02 -0600 | [diff] [blame] | 12 | log |
| 13 | { |
| 14 | ; default_level specifies the logging level for modules |
| 15 | ; that are not explicitly named. All debugging levels |
| 16 | ; listed above the selected value are enabled. |
| 17 | ; |
| 18 | ; Valid values: |
| 19 | ; |
| 20 | ; NONE ; no messages |
| 21 | ; ERROR ; error messages |
| 22 | ; WARN ; warning messages |
| 23 | ; INFO ; informational messages (default) |
| 24 | ; DEBUG ; debugging messages |
| 25 | ; TRACE ; trace messages (most verbose) |
| 26 | ; ALL ; all messages |
| 27 | |
Alexander Afanasyev | 885a85b | 2014-04-12 21:01:13 -0700 | [diff] [blame] | 28 | default_level INFO |
Steve DiBenedetto | bf6a93d | 2014-03-21 14:03:02 -0600 | [diff] [blame] | 29 | |
| 30 | ; You may override default_level by assigning a logging level |
| 31 | ; to the desired module name. Module names can be found in two ways: |
| 32 | ; |
| 33 | ; Run: |
| 34 | ; nfd --modules |
Alexander Afanasyev | 89cf5e0 | 2014-04-17 12:08:57 -0700 | [diff] [blame] | 35 | ; nrd --modules |
Steve DiBenedetto | bf6a93d | 2014-03-21 14:03:02 -0600 | [diff] [blame] | 36 | ; |
| 37 | ; Or look for NFD_LOG_INIT(<module name>) statements in .cpp files |
| 38 | ; |
| 39 | ; Example module-level settings: |
| 40 | ; |
| 41 | ; FibManager DEBUG |
| 42 | ; Forwarder INFO |
| 43 | } |
| 44 | |
Steve DiBenedetto | 3a4f83d | 2014-06-02 14:58:54 -0600 | [diff] [blame^] | 45 | ; The tables section configures the CS, PIT, FIB, Strategy Choice, and Measurements |
| 46 | tables |
| 47 | { |
| 48 | |
| 49 | ; ContentStore size limit in number of packets |
| 50 | ; default is 65536, about 500MB with 8KB packet size |
| 51 | cs_max_packets 65536 |
| 52 | } |
| 53 | |
Steve DiBenedetto | 1a3c673 | 2014-03-13 06:44:05 -0600 | [diff] [blame] | 54 | ; The face_system section defines what faces and channels are created. |
Steve DiBenedetto | 84da5bf | 2014-03-11 14:51:29 -0600 | [diff] [blame] | 55 | face_system |
| 56 | { |
Steve DiBenedetto | 1a3c673 | 2014-03-13 06:44:05 -0600 | [diff] [blame] | 57 | ; The unix section contains settings of UNIX stream faces and channels. |
Steve DiBenedetto | 84da5bf | 2014-03-11 14:51:29 -0600 | [diff] [blame] | 58 | unix |
| 59 | { |
| 60 | listen yes ; set to 'no' to disable UNIX stream listener, default 'yes' |
| 61 | path /var/run/nfd.sock ; UNIX stream listener path |
| 62 | } |
| 63 | |
Steve DiBenedetto | 1a3c673 | 2014-03-13 06:44:05 -0600 | [diff] [blame] | 64 | ; The tcp section contains settings of TCP faces and channels. |
Steve DiBenedetto | 84da5bf | 2014-03-11 14:51:29 -0600 | [diff] [blame] | 65 | tcp |
| 66 | { |
| 67 | listen yes ; set to 'no' to disable TCP listener, default 'yes' |
| 68 | port 6363 ; TCP listener port number |
Steve DiBenedetto | 9515287 | 2014-04-11 12:40:59 -0600 | [diff] [blame] | 69 | enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes' |
| 70 | enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes' |
Steve DiBenedetto | 84da5bf | 2014-03-11 14:51:29 -0600 | [diff] [blame] | 71 | } |
| 72 | |
Steve DiBenedetto | 1a3c673 | 2014-03-13 06:44:05 -0600 | [diff] [blame] | 73 | ; The udp section contains settings of UDP faces and channels. |
Steve DiBenedetto | 9515287 | 2014-04-11 12:40:59 -0600 | [diff] [blame] | 74 | ; UDP channel is always listening; delete udp section to disable UDP |
Steve DiBenedetto | 84da5bf | 2014-03-11 14:51:29 -0600 | [diff] [blame] | 75 | udp |
| 76 | { |
| 77 | port 6363 ; UDP unicast port number |
Steve DiBenedetto | 9515287 | 2014-04-11 12:40:59 -0600 | [diff] [blame] | 78 | enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes' |
| 79 | enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes' |
Steve DiBenedetto | 84da5bf | 2014-03-11 14:51:29 -0600 | [diff] [blame] | 80 | idle_timeout 600 ; idle time (seconds) before closing a UDP unicast face |
| 81 | keep_alive_interval 25; interval (seconds) between keep-alive refreshes |
| 82 | |
Alexander Afanasyev | 885a85b | 2014-04-12 21:01:13 -0700 | [diff] [blame] | 83 | ; UDP multicast settings |
Steve DiBenedetto | 84da5bf | 2014-03-11 14:51:29 -0600 | [diff] [blame] | 84 | ; NFD creates one UDP multicast face per NIC |
Giulio Grassi | 6d7176d | 2014-04-16 16:08:48 +0200 | [diff] [blame] | 85 | ; |
| 86 | ; In multi-homed Linux machines these settings will NOT work without |
| 87 | ; root or settings the appropriate permissions: |
| 88 | ; |
| 89 | ; sudo setcap cap_net_raw=eip /full/path/nfd |
| 90 | ; |
Alexander Afanasyev | 885a85b | 2014-04-12 21:01:13 -0700 | [diff] [blame] | 91 | mcast yes ; set to 'no' to disable UDP multicast, default 'yes' |
| 92 | mcast_port 56363 ; UDP multicast port number |
| 93 | mcast_group 224.0.23.170 ; UDP multicast group (IPv4 only) |
Steve DiBenedetto | 84da5bf | 2014-03-11 14:51:29 -0600 | [diff] [blame] | 94 | } |
| 95 | |
Steve DiBenedetto | 1a3c673 | 2014-03-13 06:44:05 -0600 | [diff] [blame] | 96 | ; The ether section contains settings of Ethernet faces and channels. |
| 97 | ; These settings will NOT work without root or setting the appropriate |
| 98 | ; permissions: |
| 99 | ; |
| 100 | ; sudo setcap cap_net_raw,cap_net_admin=eip /full/path/nfd |
| 101 | ; |
| 102 | ; You may need to install a package to use setcap: |
| 103 | ; |
| 104 | ; **Ubuntu:** |
| 105 | ; |
| 106 | ; sudo apt-get install libcap2-bin |
| 107 | ; |
| 108 | ; **Mac OS X:** |
| 109 | ; |
| 110 | ; curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz |
| 111 | ; tar zxvf ChmodBPF.tar.gz |
| 112 | ; open ChmodBPF/Install\ ChmodBPF.app |
| 113 | ; |
| 114 | ; or manually: |
| 115 | ; |
| 116 | ; sudo chgrp admin /dev/bpf* |
| 117 | ; sudo chmod g+rw /dev/bpf* |
| 118 | |
Alexander Afanasyev | 885a85b | 2014-04-12 21:01:13 -0700 | [diff] [blame] | 119 | @IF_HAVE_LIBPCAP@ether |
| 120 | @IF_HAVE_LIBPCAP@{ |
| 121 | @IF_HAVE_LIBPCAP@ ; Ethernet multicast settings |
| 122 | @IF_HAVE_LIBPCAP@ ; NFD creates one Ethernet multicast face per NIC |
| 123 | @IF_HAVE_LIBPCAP@ |
| 124 | @IF_HAVE_LIBPCAP@ mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes' |
| 125 | @IF_HAVE_LIBPCAP@ mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group |
| 126 | @IF_HAVE_LIBPCAP@} |
Wentao Shang | 53df163 | 2014-04-21 12:01:32 -0700 | [diff] [blame] | 127 | |
| 128 | ; The websocket section contains settings of WebSocket faces and channels. |
| 129 | |
| 130 | @IF_HAVE_WEBSOCKET@websocket |
| 131 | @IF_HAVE_WEBSOCKET@{ |
| 132 | @IF_HAVE_WEBSOCKET@ listen yes ; set to 'no' to disable WebSocket listener, default 'yes' |
| 133 | @IF_HAVE_WEBSOCKET@ port 9696 ; WebSocket listener port number |
| 134 | @IF_HAVE_WEBSOCKET@ enable_v4 yes ; set to 'no' to disable listening on IPv4 socket, default 'yes' |
| 135 | @IF_HAVE_WEBSOCKET@ enable_v6 yes ; set to 'no' to disable listening on IPv6 socket, default 'yes' |
| 136 | @IF_HAVE_WEBSOCKET@} |
Steve DiBenedetto | 84da5bf | 2014-03-11 14:51:29 -0600 | [diff] [blame] | 137 | } |
| 138 | |
Steve DiBenedetto | 1a3c673 | 2014-03-13 06:44:05 -0600 | [diff] [blame] | 139 | ; The authorizations section grants privileges to authorized keys. |
Steve DiBenedetto | 84da5bf | 2014-03-11 14:51:29 -0600 | [diff] [blame] | 140 | authorizations |
| 141 | { |
Steve DiBenedetto | 1a3c673 | 2014-03-13 06:44:05 -0600 | [diff] [blame] | 142 | ; An authorize section grants privileges to a NDN certificate. |
Steve DiBenedetto | 84da5bf | 2014-03-11 14:51:29 -0600 | [diff] [blame] | 143 | authorize |
| 144 | { |
Steve DiBenedetto | 1a3c673 | 2014-03-13 06:44:05 -0600 | [diff] [blame] | 145 | ; If you do not already have NDN certificate, you can generate |
| 146 | ; one with the following commands. |
| 147 | ; |
| 148 | ; 1. Generate and install a self-signed identity certificate: |
| 149 | ; |
| 150 | ; ndnsec-keygen /`whoami` | ndnsec-install-cert - |
| 151 | ; |
| 152 | ; Note that the argument to ndnsec-key will be the identity name of the |
| 153 | ; new key (in this case, /your-username). Identities are hierarchical NDN |
| 154 | ; names and may have multiple components (e.g. `/ndn/ucla/edu/alice`). |
| 155 | ; You may create additional keys and identities as you see fit. |
| 156 | ; |
| 157 | ; 2. Dump the NDN certificate to a file: |
| 158 | ; |
| 159 | ; sudo mkdir -p @SYSCONFDIR@/ndn/keys/ |
| 160 | ; ndnsec-cert-dump -i /`whoami` > default.ndncert |
| 161 | ; sudo mv default.ndncert @SYSCONFDIR@/ndn/keys/default.ndncert |
| 162 | ; |
| 163 | ; The "certfile" field below specifies the default key directory for |
| 164 | ; your machine. You may move your newly created key to the location it |
| 165 | ; specifies or path. |
| 166 | |
Yingdi Yu | c8f214c | 2014-04-29 20:39:37 -0700 | [diff] [blame] | 167 | ; certfile keys/default.ndncert ; NDN identity certificate file |
| 168 | certfile any ; "any" authorizes command interests signed under any certificate, |
| 169 | ; i.e., no actual validation. |
Steve DiBenedetto | 1a3c673 | 2014-03-13 06:44:05 -0600 | [diff] [blame] | 170 | privileges ; set of privileges granted to this identity |
Steve DiBenedetto | 84da5bf | 2014-03-11 14:51:29 -0600 | [diff] [blame] | 171 | { |
Steve DiBenedetto | 84da5bf | 2014-03-11 14:51:29 -0600 | [diff] [blame] | 172 | faces |
| 173 | fib |
Steve DiBenedetto | 84da5bf | 2014-03-11 14:51:29 -0600 | [diff] [blame] | 174 | strategy-choice |
| 175 | } |
| 176 | } |
Steve DiBenedetto | 1a3c673 | 2014-03-13 06:44:05 -0600 | [diff] [blame] | 177 | |
| 178 | ; You may have multiple authorize sections that specify additional |
| 179 | ; certificates and their privileges. |
| 180 | |
Alexander Afanasyev | 885a85b | 2014-04-12 21:01:13 -0700 | [diff] [blame] | 181 | ; authorize |
| 182 | ; { |
| 183 | ; certfile keys/this_cert_does_not_exist.ndncert |
| 184 | ; authorize |
| 185 | ; privileges |
| 186 | ; { |
| 187 | ; faces |
| 188 | ; } |
| 189 | ; } |
Steve DiBenedetto | 84da5bf | 2014-03-11 14:51:29 -0600 | [diff] [blame] | 190 | } |
Alexander Afanasyev | 89cf5e0 | 2014-04-17 12:08:57 -0700 | [diff] [blame] | 191 | |
Yingdi Yu | e5224e9 | 2014-04-29 18:04:02 -0700 | [diff] [blame] | 192 | rib |
Alexander Afanasyev | 89cf5e0 | 2014-04-17 12:08:57 -0700 | [diff] [blame] | 193 | { |
Yingdi Yu | e5224e9 | 2014-04-29 18:04:02 -0700 | [diff] [blame] | 194 | ; The following localhost_security allows anyone to register routing entries in local RIB |
| 195 | localhost_security |
| 196 | { |
| 197 | trust-anchor |
| 198 | { |
| 199 | type any |
| 200 | } |
| 201 | } |
Alexander Afanasyev | 89cf5e0 | 2014-04-17 12:08:57 -0700 | [diff] [blame] | 202 | |
Yingdi Yu | e5224e9 | 2014-04-29 18:04:02 -0700 | [diff] [blame] | 203 | ; localhop_security should be enabled when NFD runs on a hub. |
| 204 | ; "/localhop/nfd/fib" command prefix will be disabled when localhop_security section is missing. |
| 205 | ; localhop_security |
Alexander Afanasyev | 89cf5e0 | 2014-04-17 12:08:57 -0700 | [diff] [blame] | 206 | ; { |
Yingdi Yu | e5224e9 | 2014-04-29 18:04:02 -0700 | [diff] [blame] | 207 | ; ; This section defines the trust model for NFD RIB Management. It consists of rules and |
| 208 | ; ; trust-anchors, which are briefly defined in this file. For more information refer to |
| 209 | ; ; manpage of ndn-validator.conf: |
| 210 | ; ; |
| 211 | ; ; man ndn-validator.conf |
| 212 | ; ; |
| 213 | ; ; A trust-anchor is a pre-trusted certificate. This can be any certificate that is the |
| 214 | ; ; root of certification chain (e.g., NDN testbed root certificate) or an existing |
| 215 | ; ; default system certificate `default.ndncert`. |
| 216 | ; ; |
| 217 | ; ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the |
| 218 | ; ; rules defined here. A rule can be broken into two parts: matching & checking. A packet |
| 219 | ; ; will be matched against rules from the first to the last until a matched rule is |
| 220 | ; ; encountered. The matched rule will be used to check the packet. If a packet does not |
| 221 | ; ; match any rule, it will be treated as invalid. The matching part of a rule consists |
| 222 | ; ; of `for` and `filter` sections. They collectively define which packets can be checked |
| 223 | ; ; with this rule. `for` defines packet type (data or interest) and `filter` defines |
| 224 | ; ; conditions on other properties of a packet. Right now, you can only define conditions |
| 225 | ; ; on packet name, and you can only specify ONLY ONE filter for packet name. The |
| 226 | ; ; checking part of a rule consists of `checker`, which defines the conditions that a |
| 227 | ; ; VALID packet MUST have. See comments in checker section for more details. |
| 228 | ; |
| 229 | ; rule |
| 230 | ; { |
| 231 | ; id "NRD Prefix Registration Command Rule" |
| 232 | ; for interest ; rule for Interests (to validate CommandInterests) |
| 233 | ; filter |
| 234 | ; { |
| 235 | ; type name ; condition on interest name (w/o signature) |
| 236 | ; regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<>{3}$ |
| 237 | ; } |
| 238 | ; checker |
| 239 | ; { |
| 240 | ; type customized |
| 241 | ; sig-type rsa-sha256 ; interest must have a rsa-sha256 signature |
| 242 | ; key-locator |
| 243 | ; { |
| 244 | ; type name ; key locator must be the certificate name of the |
| 245 | ; ; signing key |
| 246 | ; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$ |
| 247 | ; } |
| 248 | ; } |
| 249 | ; } |
| 250 | ; rule |
| 251 | ; { |
| 252 | ; id "NDN Testbed Hierarchy Rule" |
| 253 | ; for data ; rule for Data (to validate NDN certificates) |
| 254 | ; filter |
| 255 | ; { |
| 256 | ; type name ; condition on data name |
| 257 | ; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$ |
| 258 | ; } |
| 259 | ; checker |
| 260 | ; { |
| 261 | ; type hierarchical ; the certificate name of the signing key and |
| 262 | ; ; the data name must follow the hierarchical model |
| 263 | ; sig-type rsa-sha256 ; data must have a rsa-sha256 signature |
| 264 | ; } |
| 265 | ; } |
| 266 | ; trust-anchor |
| 267 | ; { |
| 268 | ; type file |
| 269 | ; file-name keys/default.ndncert ; the file name, by default this file should be placed in the |
| 270 | ; ; same folder as this config file. |
| 271 | ; } |
| 272 | ; ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors |
| 273 | ; ; { |
| 274 | ; ; type file |
| 275 | ; ; file-name keys/ndn-testbed.ndncert |
| 276 | ; ; } |
Alexander Afanasyev | 89cf5e0 | 2014-04-17 12:08:57 -0700 | [diff] [blame] | 277 | ; } |
| 278 | } |