; The general section contains settings of nfd process. general { ; Specify a user and/or group for NFD to drop privileges to ; when not performing privileged tasks. NFD does not drop ; privileges by default. ; user ndn-user ; group ndn-user } log { ; default_level specifies the logging level for modules ; that are not explicitly named. All debugging levels ; listed above the selected value are enabled. ; ; Valid values: ; ; NONE ; no messages ; ERROR ; error messages ; WARN ; warning messages ; INFO ; informational messages (default) ; DEBUG ; debugging messages ; TRACE ; trace messages (most verbose) ; ALL ; all messages default_level INFO ; You may override default_level by assigning a logging level ; to the desired module name. Module names can be found in two ways: ; ; Run: ; nfd --modules ; ; Or look for NFD_LOG_INIT() statements in .cpp files ; ; Example module-level settings: ; ; FibManager DEBUG ; Forwarder INFO } ; The tables section configures the CS, PIT, FIB, Strategy Choice, and Measurements tables { ; ContentStore size limit in number of packets ; default is 65536, about 500MB with 8KB packet size cs_max_packets 65536 ; Set the forwarding strategy for the specified prefixes: ; strategy_choice { / /localhost/nfd/strategy/best-route /localhost /localhost/nfd/strategy/broadcast /localhost/nfd /localhost/nfd/strategy/best-route /ndn/broadcast /localhost/nfd/strategy/broadcast } } ; The face_system section defines what faces and channels are created. face_system { ; The unix section contains settings of Unix stream faces and channels. ; Unix channel is always listening; delete unix section to disable ; Unix stream faces and channels. ; ; The ndn-cxx library expects unix:///var/run/nfd.sock ; to be used as the default transport option. Please change ; the "transport" field in client.conf to an appropriate tcp4 FaceUri ; if you need to disable unix sockets. unix { path /var/run/nfd.sock ; Unix stream listener path } ; The tcp section contains settings of TCP faces and channels. tcp { listen yes ; set to 'no' to disable TCP listener, default 'yes' port 6363 ; TCP listener port number enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes' enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes' } ; The udp section contains settings of UDP faces and channels. ; UDP channel is always listening; delete udp section to disable UDP udp { port 6363 ; UDP unicast port number enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes' enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes' ; idle time (seconds) before closing a UDP unicast face, the actual timeout would be ; anywhere within [idle_timeout, 2*idle_timeout), default is 600 idle_timeout 600 keep_alive_interval 25; interval (seconds) between keep-alive refreshes ; UDP multicast settings ; NFD creates one UDP multicast face per NIC ; ; In multi-homed Linux machines these settings will NOT work without ; root or settings the appropriate permissions: ; ; sudo setcap cap_net_raw=eip /full/path/nfd ; mcast yes ; set to 'no' to disable UDP multicast, default 'yes' mcast_port 56363 ; UDP multicast port number mcast_group 224.0.23.170 ; UDP multicast group (IPv4 only) } ; The ether section contains settings of Ethernet faces and channels. ; These settings will NOT work without root or setting the appropriate ; permissions: ; ; sudo setcap cap_net_raw,cap_net_admin=eip /full/path/nfd ; ; You may need to install a package to use setcap: ; ; **Ubuntu:** ; ; sudo apt-get install libcap2-bin ; ; **Mac OS X:** ; ; curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz ; tar zxvf ChmodBPF.tar.gz ; open ChmodBPF/Install\ ChmodBPF.app ; ; or manually: ; ; sudo chgrp admin /dev/bpf* ; sudo chmod g+rw /dev/bpf* ether { ; Ethernet multicast settings ; NFD creates one Ethernet multicast face per NIC mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes' mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group } ; The websocket section contains settings of WebSocket faces and channels. websocket { listen yes ; set to 'no' to disable WebSocket listener, default 'yes' port 9696 ; WebSocket listener port number enable_v4 yes ; set to 'no' to disable listening on IPv4 socket, default 'yes' enable_v6 yes ; set to 'no' to disable listening on IPv6 socket, default 'yes' } } ; The authorizations section grants privileges to authorized keys. authorizations { ; An authorize section grants privileges to a NDN certificate. authorize { ; If you do not already have NDN certificate, you can generate ; one with the following commands. ; ; 1. Generate and install a self-signed identity certificate: ; ; ndnsec-keygen /`whoami` | ndnsec-install-cert - ; ; Note that the argument to ndnsec-key will be the identity name of the ; new key (in this case, /your-username). Identities are hierarchical NDN ; names and may have multiple components (e.g. `/ndn/ucla/edu/alice`). ; You may create additional keys and identities as you see fit. ; ; 2. Dump the NDN certificate to a file: ; ; sudo mkdir -p /usr/local/etc/ndn/keys/ ; ndnsec-cert-dump -i /`whoami` > default.ndncert ; sudo mv default.ndncert /usr/local/etc/ndn/keys/default.ndncert ; ; The "certfile" field below specifies the default key directory for ; your machine. You may move your newly created key to the location it ; specifies or path. ; certfile keys/default.ndncert ; NDN identity certificate file certfile any ; "any" authorizes command interests signed under any certificate, ; i.e., no actual validation. privileges ; set of privileges granted to this identity { faces fib strategy-choice } } ; You may have multiple authorize sections that specify additional ; certificates and their privileges. ; authorize ; { ; certfile keys/this_cert_does_not_exist.ndncert ; authorize ; privileges ; { ; faces ; } ; } } rib { ; The following localhost_security allows anyone to register routing entries in local RIB localhost_security { trust-anchor { type any } } ; localhop_security should be enabled when NFD runs on a hub. ; "/localhop/nfd/fib" command prefix will be disabled when localhop_security section is missing. ; localhop_security ; { ; ; This section defines the trust model for NFD RIB Management. It consists of rules and ; ; trust-anchors, which are briefly defined in this file. For more information refer to ; ; manpage of ndn-validator.conf: ; ; ; ; man ndn-validator.conf ; ; ; ; A trust-anchor is a pre-trusted certificate. This can be any certificate that is the ; ; root of certification chain (e.g., NDN testbed root certificate) or an existing ; ; default system certificate `default.ndncert`. ; ; ; ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the ; ; rules defined here. A rule can be broken into two parts: matching & checking. A packet ; ; will be matched against rules from the first to the last until a matched rule is ; ; encountered. The matched rule will be used to check the packet. If a packet does not ; ; match any rule, it will be treated as invalid. The matching part of a rule consists ; ; of `for` and `filter` sections. They collectively define which packets can be checked ; ; with this rule. `for` defines packet type (data or interest) and `filter` defines ; ; conditions on other properties of a packet. Right now, you can only define conditions ; ; on packet name, and you can only specify ONLY ONE filter for packet name. The ; ; checking part of a rule consists of `checker`, which defines the conditions that a ; ; VALID packet MUST have. See comments in checker section for more details. ; ; rule ; { ; id "NRD Prefix Registration Command Rule" ; for interest ; rule for Interests (to validate CommandInterests) ; filter ; { ; type name ; condition on interest name (w/o signature) ; regex ^[][]<>$ ; prefix before ; ; timestamp ; } ; checker ; { ; type customized ; sig-type rsa-sha256 ; interest must have a rsa-sha256 signature ; key-locator ; { ; type name ; key locator must be the certificate name of the ; ; signing key ; regex ^[^]*<>*$ ; } ; } ; } ; rule ; { ; id "NDN Testbed Hierarchy Rule" ; for data ; rule for Data (to validate NDN certificates) ; filter ; { ; type name ; condition on data name ; regex ^[^]*<>*<>$ ; } ; checker ; { ; type hierarchical ; the certificate name of the signing key and ; ; the data name must follow the hierarchical model ; sig-type rsa-sha256 ; data must have a rsa-sha256 signature ; } ; } ; trust-anchor ; { ; type file ; file-name keys/default.ndncert ; the file name, by default this file should be placed in the ; ; same folder as this config file. ; } ; ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors ; ; { ; ; type file ; ; file-name keys/ndn-testbed.ndncert ; ; } ; } ; The following localhop_security should be enabled when NFD runs on a hub, ; which accepts all remote registrations and is a short-term solution. localhop_security { trust-anchor { type any } } remote_register { cost 15 ; forwarding cost of prefix registered on remote router timeout 10000 ; timeout (in milliseconds) of remote prefix registration command retry 0 ; maximum number of retries for each remote prefix registration command refresh_interval 300 ; interval (in seconds) before refreshing the registration ; This setting should be less than face_system.udp.idle_time, ; so that the face is kept alive on the remote router. } }