Davide Pesavento, 06/18/2017 09:19 PM

# Config file format
The initial state of the NFD daemon is configured using an [INFO file](http://www.boost.org/doc/libs/1_54_0/doc/html/boost_propertytree/parsers.html#boost_propertytree.parsers.info_parser).
    ; The general section contains settings of the nfd process.
    general
    {
      ; Specify a user and/or group for NFD to drop privileges to
      ; when not performing privileged tasks. NFD does not drop
      ; privileges by default.
    
      ; user ndn-user
      ; group ndn-user
      ; The router_name section specifies the name components used
      ; to build this router's name. The router name is constructed
      ; using the configuration options in the following manner:
      ;   /<network>/<site>/<%C1.Router>/<router>
      ; router_name
      ; {
      ;   network ndn ; the network to which this router belongs
      ;   site    edu/site ; the site to which this router belongs
      ;   router  router/name ; name used to uniquely identify this router under the site
      ; }
    }
    
    log
    {
      ; default_level specifies the logging level for modules
      ; that are not explicitly named. All debugging levels
      ; listed above the selected value are enabled.
      ;
      ; Valid values:
      ;
      ;  NONE ; no messages
      ;  ERROR ; error messages
      ;  WARN ; warning messages
      ;  INFO ; informational messages (default)
      ;  DEBUG ; debugging messages
      ;  TRACE ; trace messages (most verbose)
      ;  ALL ; all messages
    
      default_level INFO
    
      ; You may override default_level by assigning a logging level
      ; to the desired module name. Module names can be found in two ways:
      ;
      ; Run:
      ;   nfd --modules
      ;   nrd --modules
      ;
      ; Or look for NFD_LOG_INIT(<module name>) statements in .cpp files
      ;
      ; Example module-level settings:
      ;
      ; FibManager DEBUG
      ; Forwarder INFO
    }
    
    ; The tables section configures the CS, PIT, FIB, Strategy Choice, and Measurements
    tables
    {
    
      ; ContentStore size limit in number of packets
      ; default is 65536, about 500MB with 8KB packet size
      cs_max_packets 65536
    }
    
    ; The face_system section defines what faces and channels are created.
    face_system
    {
      ; The unix section contains settings of UNIX stream faces and channels.
      unix
      {
        listen yes ; set to 'no' to disable UNIX stream listener, default 'yes'
        path /var/run/nfd.sock ; UNIX stream listener path
      }
    
      ; The tcp section contains settings of TCP faces and channels.
      tcp
      {
        listen yes ; set to 'no' to disable TCP listener, default 'yes'
        port 6363 ; TCP listener port number
        enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
        enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
      }
    
      ; The udp section contains settings of UDP faces and channels.
      ; UDP channel is always listening; delete udp section to disable UDP
      udp
      {
        port 6363 ; UDP unicast port number
        enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
        enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
        idle_timeout 600 ; idle time (seconds) before closing a UDP unicast face
        keep_alive_interval 25; interval (seconds) between keep-alive refreshes
    
        ; UDP multicast settings
        ; NFD creates one UDP multicast face per NIC
        ;
        ; In multi-homed Linux machines these settings will NOT work without
        ; root or setting the appropriate permissions:
        ;
        ;    sudo setcap cap_net_raw=eip /full/path/nfd
        ;
        mcast yes ; set to 'no' to disable UDP multicast, default 'yes'
        mcast_port 56363 ; UDP multicast port number
        mcast_group 224.0.23.170 ; UDP multicast group (IPv4 only)
      }
    
      ; The ether section contains settings of Ethernet faces and channels.
      ; These settings will NOT work without root or setting the appropriate
      ; permissions:
      ;
      ;    sudo setcap cap_net_raw,cap_net_admin=eip /full/path/nfd
      ;
      ; You may need to install a package to use setcap:
      ;
      ; **Ubuntu:**
      ;
      ;    sudo apt-get install libcap2-bin
      ;
      ; **Mac OS X:**
      ;
      ;    curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
      ;    tar zxvf ChmodBPF.tar.gz
      ;    open ChmodBPF/Install\ ChmodBPF.app
      ;
      ; or manually:
      ;
      ;    sudo chgrp admin /dev/bpf*
      ;    sudo chmod g+rw /dev/bpf*
    
      ether
      {
        ; Ethernet multicast settings
        ; NFD creates one Ethernet multicast face per NIC
      
        mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes'
        mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group
      }
    
      ; The websocket section contains settings of WebSocket faces and channels.
    
      websocket
      {
        listen yes ; set to 'no' to disable WebSocket listener, default 'yes'
        port 9696 ; WebSocket listener port number
        enable_v4 yes ; set to 'no' to disable listening on IPv4 socket, default 'yes'
        enable_v6 yes ; set to 'no' to disable listening on IPv6 socket, default 'yes'
      }
    }
    
    ; The authorizations section grants privileges to authorized keys.
    authorizations
    {
      ; An authorize section grants privileges to a NDN certificate.
      authorize
      {
        ; If you do not already have an NDN certificate, you can generate
        ; one with the following commands.
        ;
        ; 1. Generate and install a self-signed identity certificate:
        ;
        ;      ndnsec-keygen /`whoami` | ndnsec-install-cert -
        ;
        ; Note that the argument to ndnsec-keygen will be the identity name of the
        ; new key (in this case, /your-username). Identities are hierarchical NDN
        ; names and may have multiple components (e.g. `/ndn/ucla/edu/alice`).
        ; You may create additional keys and identities as you see fit.
        ;
        ; 2. Dump the NDN certificate to a file:
        ;
        ;      sudo mkdir -p /usr/local/etc/ndn/keys/
        ;      ndnsec-cert-dump -i /`whoami` >  default.ndncert
        ;      sudo mv default.ndncert /usr/local/etc/ndn/keys/default.ndncert
        ;
        ; The "certfile" field below specifies the default key directory for
        ; your machine. You may move your newly created key to the location it
        ; specifies, or change the path to point to it.
    
        ; certfile keys/default.ndncert ; NDN identity certificate file
        certfile any ; "any" authorizes command interests signed under any certificate,
                     ; i.e., signatures are not actually validated.
        privileges ; set of privileges granted to this identity
        {
          faces
          fib
          strategy-choice
        }
      }
    
      ; You may have multiple authorize sections that specify additional
      ; certificates and their privileges.
    
      ; authorize
      ; {
      ;   certfile keys/this_cert_does_not_exist.ndncert
      ;   authorize
      ;   privileges
      ;   {
      ;     faces
      ;   }
      ; }
    }
    
    rib
    {
      ; The following localhost_security section allows anyone to register routing entries in the local RIB
      localhost_security
      {
        trust-anchor
        {
          type any
        }
      }
    
      ; localhop_security should be enabled when NFD runs on a hub.
      ; The "/localhop/nfd/fib" command prefix is disabled when the localhop_security section is missing.
      ; localhop_security
      ; {
      ;   ; This section defines the trust model for NFD RIB Management. It consists of rules and
      ;   ; trust-anchors, which are briefly defined in this file.  For more information refer to
      ;   ; manpage of ndn-validator.conf:
      ;   ;
      ;   ;     man ndn-validator.conf
      ;   ;
      ;   ; A trust-anchor is a pre-trusted certificate.  This can be any certificate that is the
      ;   ; root of a certification chain (e.g., the NDN testbed root certificate) or an existing
      ;   ; default system certificate `default.ndncert`.
      ;   ;
      ;   ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the
      ;   ; rules defined here. A rule can be broken into two parts: matching & checking. A packet
      ;   ; will be matched against rules from the first to the last until a matched rule is
      ;   ; encountered. The matched rule will be used to check the packet. If a packet does not
      ;   ; match any rule, it will be treated as invalid.  The matching part of a rule consists
      ;   ; of `for` and `filter` sections. They collectively define which packets can be checked
      ;   ; with this rule. `for` defines packet type (data or interest) and `filter` defines
      ;   ; conditions on other properties of a packet. Right now, you can only define conditions
      ;   ; on packet name, and you can specify ONLY ONE filter for packet name.  The
      ;   ; checking part of a rule consists of `checker`, which defines the conditions that a
      ;   ; VALID packet MUST have. See comments in checker section for more details.
      ;
      ;   rule
      ;   {
      ;     id "NRD Prefix Registration Command Rule"
      ;     for interest                         ; rule for Interests (to validate CommandInterests)
      ;     filter
      ;     {
      ;       type name                          ; condition on interest name (w/o signature)
      ;       regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<>$ ; prefix before
      ;                                                                           ; timestamp
      ;     }
      ;     checker
      ;     {
      ;       type customized
      ;       sig-type rsa-sha256                ; interest must have a rsa-sha256 signature
      ;       key-locator
      ;       {
      ;         type name                        ; key locator must be the certificate name of the
      ;                                          ; signing key
      ;         regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$
      ;       }
      ;     }
      ;   }
      ;   rule
      ;   {
      ;     id "NDN Testbed Hierarchy Rule"
      ;     for data                             ; rule for Data (to validate NDN certificates)
      ;     filter
      ;     {
      ;       type name                          ; condition on data name
      ;       regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$
      ;     }
      ;     checker
      ;     {
      ;       type hierarchical                  ; the certificate name of the signing key and
      ;                                          ; the data name must follow the hierarchical model
      ;       sig-type rsa-sha256                ; data must have a rsa-sha256 signature
      ;     }
      ;   }
      ;   trust-anchor
      ;   {
      ;     type file
      ;     file-name keys/default.ndncert ; the file name, by default this file should be placed in the
      ;                                    ; same folder as this config file.
      ;   }
      ;   ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors
      ;   ; {
      ;   ;   type file
      ;   ;   file-name keys/ndn-testbed.ndncert
      ;   ; }
      ; }
      auto_prefix_propagate
      {
          cost 15 ; forwarding cost of prefix registered on remote router
          timeout 10000 ; timeout (in milliseconds) of prefix registration command for propagation
          
          refresh_interval 300 ; interval (in seconds) before refreshing the propagation
          ; This setting should be less than face_system.udp.idle_timeout,
          ; so that the face is kept alive on the remote router.
          
          base_retry_wait 50 ; base wait time (in seconds) before retrying propagation
          max_retry_wait 3600 ; maximum wait time (in seconds) before retrying propagation
          ; For subsequent retries, the wait time before each retry is calculated based on the back-off
          ; policy. Initially, the wait time is set to base_retry_wait, then it will be doubled for every
          ; retry unless it would exceed max_retry_wait, in which case max_retry_wait is used as the wait time.
      }
    }