NFD

; The general section contains settings of nfd process.

general

{

; Specify a user and/or group for NFD to drop privileges to

; when not performing privileged tasks. NFD does not drop

; privileges by default.

; user ndn-user

; group ndn-user

}

log

{

; default_level specifies the logging level for modules

; that are not explicitly named. All debugging levels

; listed above the selected value are enabled.

;

; Valid values:

;

; NONE ; no messages

; ERROR ; error messages

; WARN ; warning messages

; INFO ; informational messages (default)

; DEBUG ; debugging messages

; TRACE ; trace messages (most verbose)

; ALL ; all messages

default_level INFO

; You may override default_level by assigning a logging level

; to the desired module name. Module names can be found in two ways:

;

; Run:

; nfd --modules

;

; Or look for NFD_LOG_INIT(<module name>) statements in .cpp files

;

; Example module-level settings:

;

; FibManager DEBUG

; Forwarder INFO

}

; The tables section configures the CS, PIT, FIB, Strategy Choice, and Measurements

tables

{

; ContentStore size limit in number of packets

; default is 65536, about 500MB with 8KB packet size

cs_max_packets 65536

; Set the forwarding strategy for the specified prefixes:

; <prefix> <strategy>

strategy_choice

{

/ /localhost/nfd/strategy/best-route

/localhost /localhost/nfd/strategy/broadcast

/localhost/nfd /localhost/nfd/strategy/best-route

/ndn/broadcast /localhost/nfd/strategy/broadcast

}

}

; The face_system section defines what faces and channels are created.

face_system

{

; The unix section contains settings of Unix stream faces and channels.

; Unix channel is always listening; delete unix section to disable

; Unix stream faces and channels.

;

; The ndn-cxx library expects unix:///var/run/nfd.sock

; to be used as the default transport option. Please change

; the "transport" field in client.conf to an appropriate tcp4 FaceUri

; if you need to disable unix sockets.

unix

{

path /var/run/nfd.sock ; Unix stream listener path

}

; The tcp section contains settings of TCP faces and channels.

tcp

{

listen yes ; set to 'no' to disable TCP listener, default 'yes'

port 6363 ; TCP listener port number

enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'

enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'

}

; The udp section contains settings of UDP faces and channels.

; UDP channel is always listening; delete udp section to disable UDP

udp

{

port 6363 ; UDP unicast port number

enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'

enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'

; idle time (seconds) before closing a UDP unicast face, the actual timeout would be

; anywhere within [idle_timeout, 2*idle_timeout), default is 600

idle_timeout 600

keep_alive_interval 25; interval (seconds) between keep-alive refreshes

; UDP multicast settings

; NFD creates one UDP multicast face per NIC

;

; In multi-homed Linux machines these settings will NOT work without

; root or settings the appropriate permissions:

;

; sudo setcap cap_net_raw=eip /full/path/nfd

;

mcast yes ; set to 'no' to disable UDP multicast, default 'yes'

mcast_port 56363 ; UDP multicast port number

mcast_group 224.0.23.170 ; UDP multicast group (IPv4 only)

}

; The ether section contains settings of Ethernet faces and channels.

; These settings will NOT work without root or setting the appropriate

; permissions:

;

; sudo setcap cap_net_raw,cap_net_admin=eip /full/path/nfd

;

; You may need to install a package to use setcap:

;

; **Ubuntu:**

;

; sudo apt-get install libcap2-bin

;

; **Mac OS X:**

;

; curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz

; tar zxvf ChmodBPF.tar.gz

; open ChmodBPF/Install\ ChmodBPF.app

;

; or manually:

;

; sudo chgrp admin /dev/bpf*

; sudo chmod g+rw /dev/bpf*

ether

{

; Ethernet multicast settings

; NFD creates one Ethernet multicast face per NIC

mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes'

mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group

}

; The websocket section contains settings of WebSocket faces and channels.

websocket

{

listen yes ; set to 'no' to disable WebSocket listener, default 'yes'

port 9696 ; WebSocket listener port number

enable_v4 yes ; set to 'no' to disable listening on IPv4 socket, default 'yes'

enable_v6 yes ; set to 'no' to disable listening on IPv6 socket, default 'yes'

}

}

; The authorizations section grants privileges to authorized keys.

authorizations

{

; An authorize section grants privileges to a NDN certificate.

authorize

{

; If you do not already have NDN certificate, you can generate

; one with the following commands.

;

; 1. Generate and install a self-signed identity certificate:

;

; ndnsec-keygen /`whoami` | ndnsec-install-cert -

;

; Note that the argument to ndnsec-key will be the identity name of the

; new key (in this case, /your-username). Identities are hierarchical NDN

; names and may have multiple components (e.g. `/ndn/ucla/edu/alice`).

; You may create additional keys and identities as you see fit.

;

; 2. Dump the NDN certificate to a file:

;

; sudo mkdir -p /usr/local/etc/ndn/keys/

; ndnsec-cert-dump -i /`whoami` > default.ndncert

; sudo mv default.ndncert /usr/local/etc/ndn/keys/default.ndncert

;

; The "certfile" field below specifies the default key directory for

; your machine. You may move your newly created key to the location it

; specifies or path.

; certfile keys/default.ndncert ; NDN identity certificate file

certfile any ; "any" authorizes command interests signed under any certificate,

; i.e., no actual validation.

privileges ; set of privileges granted to this identity

{

faces

fib

strategy-choice

}

}

; You may have multiple authorize sections that specify additional

; certificates and their privileges.

; authorize

; {

; certfile keys/this_cert_does_not_exist.ndncert

; authorize

; privileges

; {

; faces

; }

; }

}

rib

{

; The following localhost_security allows anyone to register routing entries in local RIB

localhost_security

{

trust-anchor

{

type any

}

}

; localhop_security should be enabled when NFD runs on a hub.

; "/localhop/nfd/fib" command prefix will be disabled when localhop_security section is missing.

; localhop_security

; {

; ; This section defines the trust model for NFD RIB Management. It consists of rules and

; ; trust-anchors, which are briefly defined in this file. For more information refer to

; ; manpage of ndn-validator.conf:

; ;

; ; man ndn-validator.conf

; ;

; ; A trust-anchor is a pre-trusted certificate. This can be any certificate that is the

; ; root of certification chain (e.g., NDN testbed root certificate) or an existing

; ; default system certificate `default.ndncert`.

; ;

; ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the

; ; rules defined here. A rule can be broken into two parts: matching & checking. A packet

; ; will be matched against rules from the first to the last until a matched rule is

; ; encountered. The matched rule will be used to check the packet. If a packet does not

; ; match any rule, it will be treated as invalid. The matching part of a rule consists

; ; of `for` and `filter` sections. They collectively define which packets can be checked

; ; with this rule. `for` defines packet type (data or interest) and `filter` defines

; ; conditions on other properties of a packet. Right now, you can only define conditions

; ; on packet name, and you can only specify ONLY ONE filter for packet name. The

; ; checking part of a rule consists of `checker`, which defines the conditions that a

; ; VALID packet MUST have. See comments in checker section for more details.

;

; rule

; {

; id "NRD Prefix Registration Command Rule"

; for interest ; rule for Interests (to validate CommandInterests)

; filter

; {

; type name ; condition on interest name (w/o signature)

; regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<>$ ; prefix before

; ; timestamp

; }

; checker

; {

; type customized

; sig-type rsa-sha256 ; interest must have a rsa-sha256 signature

; key-locator

; {

; type name ; key locator must be the certificate name of the

; ; signing key

; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$

; }

; }

; }

; rule

; {

; id "NDN Testbed Hierarchy Rule"

; for data ; rule for Data (to validate NDN certificates)

; filter

; {

; type name ; condition on data name

; regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$

; }

; checker

; {

; type hierarchical ; the certificate name of the signing key and

; ; the data name must follow the hierarchical model

; sig-type rsa-sha256 ; data must have a rsa-sha256 signature

; }

; }

; trust-anchor

; {

; type file

; file-name keys/default.ndncert ; the file name, by default this file should be placed in the

; ; same folder as this config file.

; }

; ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors

; ; {

; ; type file

; ; file-name keys/ndn-testbed.ndncert

; ; }

; }

; The following localhop_security should be enabled when NFD runs on a hub,

; which accepts all remote registrations and is a short-term solution.

localhop_security

{

trust-anchor

{

type any

}

}

remote_register

{

cost 15 ; forwarding cost of prefix registered on remote router

timeout 10000 ; timeout (in milliseconds) of remote prefix registration command

retry 0 ; maximum number of retries for each remote prefix registration command

refresh_interval 300 ; interval (in seconds) before refreshing the registration

; This setting should be less than face_system.udp.idle_time,

; so that the face is kept alive on the remote router.

}

}