RTI Secure Wan Transport
Version 6.1.1
|
The Secure WAN Transport allows RTI Connext applications that are running on private networks to communicate securely over a Wide-Area Network (WAN).
This document contains:
For additional information, please see the following PDF documents:
RTI Secure WAN Transport is an optional package that provides transport plugins which can be used by developers of RTI Connext applications. These transport plugins allow RTI Connext applications that are running on private networks to communicate securely over a Wide-Area Network (WAN), such the internet. There are two primary components of the package, which may be used independently or together:
The RTI Connext core is transport-agnostic. RTI Connext offers three built-in transports: UDP/IPv4, UDP/IPv6, and inter-process shared memory. The implementation of NAT traversal and secure communication is done at the transport level so that the DDS core is not affected and does not need to be changed, although there is additional on-the-wire traffic.
Refer to the RTI Connext DDS Core Libraries User's Manual for further information.
The basic problem to overcome in a WAN environment is that messages sent from an application on a private local-area network (LAN) appear to come from the LAN's router address, and not from the internal IP address of the host running the application. This is due to the existence of a Network Address Translator (NAT) at the gateway. This does not cause problems for client-server systems because only the server needs to be globally addressable; it is only a problem for systems with peer-to-peer communication models, such as DDS. RTI Secure WAN Transport solves this problem, allowing communication between peers that are in separate LAN networks, using a UDP hole-punching mechanism based on the STUN protocol (IETF RFC 3489bis) for NAT traversal. This requires the use of an additional rendezvous server application, the RTI WAN Server.
Once the transport has enabled traffic to cross the NAT gateway to the WAN, it is flowing on network hardware that is shared (in some cases, over the public internet). In this context, it is important to consider the security of data transmission. There are three primary issues involved: a) authenticating the communication peer (source or destination) as a trusted partner; b) encrypting the data to hide it from other parties that may have access to the network; and c) validating the received data to ensure that it was not modified in transmission. RTI Secure WAN Transport addresses these problems by wrapping all RTPS-encoded data using the DTLS protocol (IETF RFC 4347), which is a variant of SSL/TLS that can be used over a datagram network-layer transport such as UDP.
The security features of the WAN Transport may also be used on an untrusted local-area network with the Secure Transport.
In summary, the package includes two transports:
There are two ways in which these transports can be configured:
By setting up predefined strings in the Property QoS Policy of the DomainParticipant.
With this first approach, RTI Connext will dynamically load the WAN or Secure Transport libraries at run time and then implicitly create and register the transport plugin.
By instantiating a new transport and registering it with the DomainParticipant (available in C/C++ API only, see NDDS_Transport_Support_register_transport())
To use this second approach, you need access to the Secure WAN Transport API at compile time. Therefore, you must include additional header files and libraries. Refer to the RTI Connext DDS Core Libraries User's Manual and the RTI Core Libraries Platform Notes for further information.
Refer to the C/C++ API online documentation for details on these two approaches.
A simple example is available to show how to configure the WAN transport. It includes example settings to enable communication over WAN, and optional settings to enable security (along with example certificate files to use for secure communication).
Additionally, a simple example is available to show how to configure the Secure Transport. It includes example settings to enable secure communication.