Security Performance

5 posts / 0 new
Log in or register to post comments
Last post
Wed, 03/31/2021 - 22:26
#1
KKVandy
Offline
Last seen: 2 years 7 months ago
Joined: 08/13/2019
Posts: 14
Security Performance

Hi,

I'm evaluating DTLS and DDS Security plugin's performance using the RTI perftest application on several Raspberry Pi 3B+ boards. Each Pi has 4 cores, and the bandwidth is 100Mbps. The below figures show the command I used in each test and the experiment report. As you can see, DTLS throughput is significantly higher than DDS security plugin. I know DDS Security plugin uses the same security algorithms as DTLS, so given the parameters I set, I'm wondering if DDS Security plugin performed not only data encryption but also some other operations, and whether my parameter settings are properly. 
 
Thanks
 

 

Organization:
Keywords:
Top
Thu, 04/01/2021 - 05:34
jmorales
jmorales's picture
Offline
Last seen: 4 days 20 hours ago
Joined: 08/28/2013
Posts: 61

Hi,

As you suspected, the option you are using is doing way more than what you want it to do: You are specifying the option "-secureEncryptBoth", that was a shortcut to enable both metadata encrypt and data encrypt, which is going to duplicate the work you want to do, therefore results are not comparable with DTLS (which is basically doing a tunnel). That option will lead you to use the following governance file (under ./resouce/secure/)

<dds>
<domain_access_rules>
<domain_rule>
<domains>
<id_range>
<min>0</min>
</id_range>
</domains>
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<enable_join_access_control>false</enable_join_access_control>
<discovery_protection_kind>NONE</discovery_protection_kind>
<liveliness_protection_kind>NONE</liveliness_protection_kind>
<rtps_protection_kind>SIGN</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<topic_expression>*</topic_expression>
<enable_discovery_protection>false</enable_discovery_protection>
<enable_liveliness_protection>false</enable_liveliness_protection>
<enable_read_access_control>false</enable_read_access_control>
<enable_write_access_control>false</enable_write_access_control>
<metadata_protection_kind>ENCRYPT</metadata_protection_kind>
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
 
Instead, to find a governance comparable, you need to use only the "metadata_protection_kind ENCRYPT", you can do that by using the option -secureEncryptSM. Alternatively, if you want to be sure of what governance file you are setting, you can do -secureGovernanceFile and then ./resource/secure/signed_PerftestGovernance_SignEncryptSubmessage.xml
 
Hope it helps!
Top
Thu, 04/01/2021 - 12:40
KKVandy
Offline
Last seen: 2 years 7 months ago
Joined: 08/13/2019
Posts: 14

Thank you. That makes sense. But, should I set the governance file as ./resource/secure/signed_PerftestGovernance_RTPSEncrypt.xml? This will encrypt the whole RTPS message, so it seems more reasonable when comparing with DTLS. 

Top
Thu, 04/01/2021 - 14:42
Gerardo Pardo
Gerardo Pardo's picture
Offline
Last seen: 3 weeks 1 day ago
Joined: 06/02/2010
Posts: 602

Yes, I agree that would resemble more closely the DTLS behavior. 

Using  signed_PerftestGovernance_RTPSEncrypt.xml would protect only the overall RTPS message. If you use signed_PerftestGovernance_SignEncryptSubmessage.xml, then each individual submessage inside the RTPS message is sepalately protected.

 

Top
Thu, 04/01/2021 - 23:20
KKVandy
Offline
Last seen: 2 years 7 months ago
Joined: 08/13/2019
Posts: 14

Thank you. And when I run DTLS tests, I noticed subscriber keep claiming bad DTLS packets as shown below. Could you please help me figure out the potential reason that leads to this problem? In the below example, the top terminal is a publisher that sends 1KB-sized payloads at an unlimited rate. And the bottom is a subscriber. The OpenSSL version is 1.1.1d. 

Top