ConfigFileFormat » History » Version 17

Davide Pesavento, 04/21/2020 10:54 AM

1 15 Davide Pesavento
# Configuration file format
2 1 Alex Afanasyev
3 17 Davide Pesavento
The initial state of NFD is configured using a textual file in [Boost INFO](https://www.boost.org/doc/libs/1_65_1/doc/html/property_tree/parsers.html#property_tree.parsers.info_parser) format.
4 1 Alex Afanasyev
5 11 Alex Afanasyev
    ; The general section contains settings of the nfd process.
6 1 Alex Afanasyev
    general
7
    {
8 11 Alex Afanasyev
      ; Specify a user and/or group for NFD to drop privileges to
9
      ; when not performing privileged tasks. NFD does not drop
10
      ; privileges by default.
11
    
12
      ; user ndn-user
13
      ; group ndn-user
14 1 Alex Afanasyev
    }
15
    
16
    log
17
    {
18 11 Alex Afanasyev
      ; default_level specifies the logging level for modules
19
      ; that are not explicitly named. All debugging levels
20
      ; listed above the selected value are enabled.
21
      ;
22
      ; Valid values:
23
      ;
24
      ;  NONE ; no messages
25
      ;  ERROR ; error messages
26
      ;  WARN ; warning messages
27
      ;  INFO ; informational messages (default)
28
      ;  DEBUG ; debugging messages
29
      ;  TRACE ; trace messages (most verbose)
30
      ;  ALL ; all messages
31
    
32
      default_level INFO
33
    
34
      ; You may override default_level by assigning a logging level
35
      ; to the desired module name. Module names can be found in two ways:
36
      ;
37
      ; Run:
38
      ;   nfd --modules
39
      ;
40
      ; Or look for NFD_LOG_INIT(<module name>) statements in .cpp files
41 1 Alex Afanasyev
      ;
42
      ; Example module-level settings:
43
      ;
44
      ; FibManager DEBUG
45
      ; Forwarder INFO
46
    }
47
    
48
    ; The tables section configures the CS, PIT, FIB, Strategy Choice, and Measurements
49
    tables
50
    {
51
      ; ContentStore size limit in number of packets
52
      ; default is 65536, about 500MB with 8KB packet size
53
      cs_max_packets 65536
54 16 Davide Pesavento
    
55
      ; Set the CS replacement policy.
56
      ; Available policies are: priority_fifo, lru
57
      cs_policy priority_fifo
58
    
59
      ; Set a policy to decide whether to cache or drop unsolicited Data.
60
      ; Available policies are: drop-all, admit-local, admit-network, admit-all
61
      cs_unsolicited_policy drop-all
62
    
63
      ; Set the forwarding strategy for the specified prefixes:
64
      ;   <prefix> <strategy>
65
      strategy_choice
66
      {
67
        /               /localhost/nfd/strategy/best-route
68
        /localhost      /localhost/nfd/strategy/multicast
69
        /localhost/nfd  /localhost/nfd/strategy/best-route
70
        /ndn/broadcast  /localhost/nfd/strategy/multicast
71
      }
72
    
73
      ; Declare network region names
74
      ; These are used for mobility support.  An Interest carrying a Link object is
75
      ; assumed to have reached the producer region if any delegation name in the
76
      ; Link object is a prefix of any region name.
77
      network_region
78
      {
79
        ; /example/region1
80
        ; /example/region2
81
      }
82 11 Alex Afanasyev
    }
83
    
84
    ; The face_system section defines what faces and channels are created.
85
    face_system
86 1 Alex Afanasyev
    {
87 16 Davide Pesavento
      ; The unix section contains settings of Unix stream faces and channels.
88
      ; A Unix channel is always listening; delete the unix section to disable
89
      ; Unix stream faces and channels.
90
      ;
91
      ; The ndn-cxx library expects unix:///var/run/nfd.sock to be used as
92
      ; the default transport option. Please change the "transport" field
93
      ; in client.conf to an appropriate tcp4 FaceUri if you want to
94
      ; disable Unix sockets and use TCP instead.
95 1 Alex Afanasyev
      unix
96
      {
97 16 Davide Pesavento
        path /var/run/nfd.sock ; Unix stream listener path
98 1 Alex Afanasyev
      }
99
    
100
      ; The tcp section contains settings of TCP faces and channels.
101
      tcp
102
      {
103
        listen yes ; set to 'no' to disable TCP listener, default 'yes'
104
        port 6363 ; TCP listener port number
105
        enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
106 11 Alex Afanasyev
        enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
107 1 Alex Afanasyev
      }
108
    
109
      ; The udp section contains settings of UDP faces and channels.
110
      udp
111
      {
112 16 Davide Pesavento
        ; UDP unicast settings.
113
        ; UDP channels are always listening; delete the udp section to disable them
114 1 Alex Afanasyev
        port 6363 ; UDP unicast port number
115
        enable_v4 yes ; set to 'no' to disable IPv4 channels, default 'yes'
116
        enable_v6 yes ; set to 'no' to disable IPv6 channels, default 'yes'
117 16 Davide Pesavento
    
118
        ; Time (in seconds) before closing an idle UDP unicast face.
119
        ; The actual timeout will occur anytime between idle_timeout and 2*idle_timeout.
120
        ; The default is 600 (10 minutes).
121
        idle_timeout 600
122
    
123 1 Alex Afanasyev
        keep_alive_interval 25; interval (seconds) between keep-alive refreshes
124
    
125 16 Davide Pesavento
        ; UDP multicast settings.
126
        ; By default, NFD creates one UDP multicast face per NIC.
127 1 Alex Afanasyev
        ;
128 11 Alex Afanasyev
        ; On multi-homed Linux machines these settings will NOT work without
129 16 Davide Pesavento
        ; root or setting the appropriate permissions:
130 1 Alex Afanasyev
        ;
131 16 Davide Pesavento
        ;    sudo setcap cap_net_raw=eip /path/to/nfd
132 11 Alex Afanasyev
        ;
133 1 Alex Afanasyev
        mcast yes ; set to 'no' to disable UDP multicast, default 'yes'
134 16 Davide Pesavento
        mcast_group 224.0.23.170 ; UDP multicast group (IPv4)
135
        mcast_port 56363 ; UDP multicast port number (IPv4)
136
        mcast_group_v6 ff02::1234 ; UDP multicast group (IPv6)
137
        mcast_port_v6 56363 ; UDP multicast port number (IPv6)
138
        mcast_ad_hoc no ; set to 'yes' to make all UDP multicast faces "ad hoc", default 'no'
139
    
140
        ; Whitelist and blacklist can contain, in no particular order:
141
        ; - interface names, including wildcard patterns (e.g., 'ifname eth0', 'ifname en*', 'ifname wlp?s0')
142
        ; - mac addresses (e.g., 'ether 85:3b:4d:d3:5f:c2')
143
        ; - subnets (e.g., 'subnet 192.0.2.0/24', note that only IPv4 is supported here)
144
        ; - a single asterisk ('*') that matches all interfaces
145
        ; By default, all interfaces are whitelisted.
146
        whitelist
147
        {
148
          *
149
        }
150
        blacklist
151
        {
152
        }
153 11 Alex Afanasyev
      }
154 1 Alex Afanasyev
    
155
      ; The ether section contains settings of Ethernet faces and channels.
156
      ; These settings will NOT work without root or setting the appropriate
157
      ; permissions:
158
      ;
159 16 Davide Pesavento
      ;    sudo setcap cap_net_raw,cap_net_admin=eip /path/to/nfd
160 1 Alex Afanasyev
      ;
161 11 Alex Afanasyev
      ; You may need to install a package to use setcap:
162
      ;
163 1 Alex Afanasyev
      ; **Ubuntu:**
164
      ;
165
      ;    sudo apt-get install libcap2-bin
166
      ;
167
      ; **Mac OS X:**
168
      ;
169
      ;    curl https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3373 -o ChmodBPF.tar.gz
170
      ;    tar zxvf ChmodBPF.tar.gz
171
      ;    open ChmodBPF/Install\ ChmodBPF.app
172
      ;
173
      ; or manually:
174
      ;
175
      ;    sudo chgrp admin /dev/bpf*
176
      ;    sudo chmod g+rw /dev/bpf*
177 16 Davide Pesavento
      ;
178 11 Alex Afanasyev
      ether
179
      {
180 16 Davide Pesavento
        ; Ethernet unicast settings.
181
        listen yes ; set to 'no' to disable Ethernet listener, default 'yes'
182 11 Alex Afanasyev
      
183 16 Davide Pesavento
        ; Time (in seconds) before closing an idle Ethernet unicast face.
184
        ; The actual timeout will occur anytime between idle_timeout and 2*idle_timeout.
185
        ; The default is 600 (10 minutes).
186
        idle_timeout 600
187
      
188
        ; Ethernet multicast settings.
189
        ; By default, NFD creates one Ethernet multicast face per NIC.
190 11 Alex Afanasyev
        mcast yes ; set to 'no' to disable Ethernet multicast, default 'yes'
191
        mcast_group 01:00:5E:00:17:AA ; Ethernet multicast group
192 16 Davide Pesavento
        mcast_ad_hoc no ; set to 'yes' to make all Ethernet multicast faces "ad hoc", default 'no'
193
      
194
        ; Whitelist and blacklist can contain, in no particular order:
195
        ; - interface names, including wildcard patterns (e.g., 'ifname eth0', 'ifname en*', 'ifname wlp?s0')
196
        ; - mac addresses (e.g., 'ether 85:3b:4d:d3:5f:c2')
197
        ; - subnets (e.g., 'subnet 192.0.2.0/24', note that only IPv4 is supported here)
198
        ; - a single asterisk ('*') that matches all interfaces
199
        ; By default, all interfaces are whitelisted.
200
        whitelist
201
        {
202
          *
203
        }
204
        blacklist
205
        {
206
        }
207 11 Alex Afanasyev
      }
208
    
209
      ; The websocket section contains settings of WebSocket faces and channels.
210
      websocket
211
      {
212
        listen yes ; set to 'no' to disable WebSocket listener, default 'yes'
213
        port 9696 ; WebSocket listener port number
214
        enable_v4 yes ; set to 'no' to disable listening on IPv4 socket, default 'yes'
215
        enable_v6 yes ; set to 'no' to disable listening on IPv6 socket, default 'yes'
216
      }
217 1 Alex Afanasyev
    }
218
    
219 11 Alex Afanasyev
    ; The authorizations section grants privileges to authorized keys.
220
    authorizations
221
    {
222
      ; An authorize section grants privileges to an NDN certificate.
223
      authorize
224
      {
225
        ; If you do not already have an NDN certificate, you can generate
226
        ; one with the following commands.
227
        ;
228
        ; 1. Generate and install a self-signed identity certificate:
229
        ;
230
        ;      ndnsec-keygen /`whoami` | ndnsec-install-cert -
231
        ;
232
        ; Note that the argument to ndnsec-keygen will be the identity name of the
233
        ; new key (in this case, /your-username). Identities are hierarchical NDN
234
        ; names and may have multiple components (e.g. `/ndn/ucla/edu/alice`).
235
        ; You may create additional keys and identities as you see fit.
236
        ;
237
        ; 2. Dump the NDN certificate to a file:
238
        ;
239
        ;      sudo mkdir -p /usr/local/etc/ndn/keys/
240
        ;      ndnsec-cert-dump -i /`whoami` >  default.ndncert
241
        ;      sudo mv default.ndncert /usr/local/etc/ndn/keys/default.ndncert
242 10 Alex Afanasyev
        ;
243
        ; The "certfile" field below specifies the default key directory for
244 11 Alex Afanasyev
        ; your machine. You may move your newly created key to the location it
245 10 Alex Afanasyev
        ; specifies, or adjust the path accordingly.
246 11 Alex Afanasyev
    
247 10 Alex Afanasyev
        ; certfile keys/default.ndncert ; NDN identity certificate file
248
        certfile any ; "any" authorizes command interests signed under any certificate,
249 11 Alex Afanasyev
                     ; i.e., no actual validation is performed, so the privileges listed below are granted to any signer.
250
        privileges ; set of privileges granted to this identity
251
        {
252
          faces
253
          fib
254
          strategy-choice
255
        }
256
      }
257
    
258 1 Alex Afanasyev
      ; You may have multiple authorize sections that specify additional
259
      ; certificates and their privileges.
260 11 Alex Afanasyev
    
261 10 Alex Afanasyev
      ; authorize
262
      ; {
263 11 Alex Afanasyev
      ;   certfile keys/this_cert_does_not_exist.ndncert
264
      ;   authorize
265
      ;   privileges
266
      ;   {
267 10 Alex Afanasyev
      ;     faces
268 11 Alex Afanasyev
      ;   }
269
      ; }
270
    }
271
    
272
    rib
273
    {
274
      ; The following localhost_security section allows anyone to register routing entries in the local RIB
275
      localhost_security
276
      {
277
        trust-anchor
278 1 Alex Afanasyev
        {
279
          type any
280
        }
281 11 Alex Afanasyev
      }
282
    
283
      ; localhop_security should be enabled when NFD runs on a hub.
284
      ; "/localhop/nfd/fib" command prefix will be disabled when localhop_security section is missing.
285
      ; localhop_security
286
      ; {
287
      ;   ; This section defines the trust model for NFD RIB Management. It consists of rules and
288
      ;   ; trust-anchors, which are briefly defined in this file.  For more information refer to
289 16 Davide Pesavento
      ;   ; validator configuration file format documentation:
290 11 Alex Afanasyev
      ;   ;
291 16 Davide Pesavento
      ;   ;    https://named-data.net/doc/ndn-cxx/current/tutorials/security-validator-config.html
292 11 Alex Afanasyev
      ;   ;
293
      ;   ; A trust-anchor is a pre-trusted certificate.  This can be any certificate that is the
294
      ;   ; root of certification chain (e.g., NDN testbed root certificate) or an existing
295
      ;   ; default system certificate `default.ndncert`.
296
      ;   ;
297
      ;   ; A rule defines conditions a valid packet MUST have. A packet must satisfy one of the
298
      ;   ; rules defined here. A rule can be broken into two parts: matching & checking. A packet
299 1 Alex Afanasyev
      ;   ; will be matched against rules from the first to the last until a matched rule is
300 11 Alex Afanasyev
      ;   ; encountered. The matched rule will be used to check the packet. If a packet does not
301
      ;   ; match any rule, it will be treated as invalid.  The matching part of a rule consists
302
      ;   ; of `for` and `filter` sections. They collectively define which packets can be checked
303
      ;   ; with this rule. `for` defines packet type (data or interest) and `filter` defines
304
      ;   ; conditions on other properties of a packet. Right now, you can only define conditions
305
      ;   ; on packet name, and you can specify ONLY ONE filter for packet name.  The
306
      ;   ; checking part of a rule consists of `checker`, which defines the conditions that a
307
      ;   ; VALID packet MUST have. See comments in checker section for more details.
308
      ;
309
      ;   rule
310
      ;   {
311 16 Davide Pesavento
      ;     id "RIB Registration Command Rule"
312 11 Alex Afanasyev
      ;     for interest                         ; rule for Interests (to validate CommandInterests)
313
      ;     filter
314
      ;     {
315 16 Davide Pesavento
      ;       type name                          ; condition on interest name (w/o SignatureInfo/SignatureValue)
316
      ;       regex ^[<localhop><localhost>]<nfd><rib>[<register><unregister>]<><><>$
317 11 Alex Afanasyev
      ;     }
318
      ;     checker
319 1 Alex Afanasyev
      ;     {
320
      ;       type customized
321
      ;       sig-type rsa-sha256                ; interest must have a rsa-sha256 signature
322
      ;       key-locator
323
      ;       {
324
      ;         type name                        ; key locator must be the certificate name of the
325
      ;                                          ; signing key
326 16 Davide Pesavento
      ;         regex ^<>*<KEY><>$
327 1 Alex Afanasyev
      ;       }
328
      ;     }
329
      ;   }
330
      ;   rule
331
      ;   {
332 11 Alex Afanasyev
      ;     id "NDN Testbed Hierarchy Rule"
333 1 Alex Afanasyev
      ;     for data                             ; rule for Data (to validate NDN certificates)
334
      ;     filter
335
      ;     {
336
      ;       type name                          ; condition on data name
337 16 Davide Pesavento
      ;       regex ^<>*<KEY><><><>$
338 11 Alex Afanasyev
      ;     }
339
      ;     checker
340
      ;     {
341
      ;       type hierarchical                  ; the certificate name of the signing key and
342
      ;                                          ; the data name must follow the hierarchical model
343
      ;       sig-type rsa-sha256                ; data must have a rsa-sha256 signature
344
      ;     }
345
      ;   }
346
      ;   trust-anchor
347
      ;   {
348
      ;     type file
349
      ;     file-name keys/default.ndncert ; the file name, by default this file should be placed in the
350
      ;                                    ; same folder as this config file.
351
      ;   }
352
      ;   ; trust-anchor ; Can be repeated multiple times to specify multiple trust anchors
353
      ;   ; {
354
      ;   ;   type file
355
      ;   ;   file-name keys/ndn-testbed.ndncert
356
      ;   ; }
357
      ; }
358 16 Davide Pesavento
    
359
      ; The following localhop_security should be enabled when NFD runs on a hub,
360
      ; which accepts all remote registrations without validation and is only a short-term solution.
361
      ; localhop_security
362
      ; {
363
      ;   trust-anchor
364
      ;   {
365
      ;     type any
366
      ;   }
367
      ; }
368
    
369 13 Yanbiao Li
      auto_prefix_propagate
370
      {
371 16 Davide Pesavento
        cost 15 ; forwarding cost of prefix registered on remote router
372
        timeout 10000 ; timeout (in milliseconds) of prefix registration command for propagation
373
    
374
        refresh_interval 300 ; interval (in seconds) before refreshing the propagation
375
        ; This setting should be less than face_system.udp.idle_timeout,
376
        ; so that the face is kept alive on the remote router.
377
    
378
        base_retry_wait 50 ; base wait time (in seconds) before retrying propagation
379
        max_retry_wait 3600 ; maximum wait time (in seconds) before retrying propagation
380
        ; for subsequent retries, the wait time before each retry is calculated based on the back-off
381
        ; policy. Initially, the wait time is set to base_retry_wait, then it will be doubled for every
382
        ; retry unless that exceeds max_retry_wait, in which case max_retry_wait is used as the wait time.
383 1 Alex Afanasyev
      }
384 16 Davide Pesavento
    
385
      ; If enabled, routes registered with origin=client (typically from auto_prefix_propagate)
386
      ; will be readvertised into local NLSR daemon.
387
      readvertise_nlsr no
388 1 Alex Afanasyev
    }