13. What’s Different Between the RTI Security Plugins and the OMG Security Specification

This chapter describes differences between RTI Security Plugins 6.1.1 and the OMG DDS Security specification (version 1.1). This section does not include additional features, but differences that can be considered as known issues (either missing functionality or behaviors from the RTI Security Plugins that conflict the DDS Security specification).

13.1. Differences Affecting Builtin Plugins to be Addressed by Next DDS Security Specification

13.1.1. Access Control Mutability of Publisher PartitionQosPolicy

The DDS Security specification, Section 7.3.5 Immutability of Publisher Partition Qos in combination with non-volatile Durability kind, defines the kind of DataWriters that a Publisher must contain in order for its PartitionQosPolicy to be immutable. These DataWriters meet the following two criteria:

  1. The DataWriter either encrypts the SerializedPayload submessage element or encrypts the Data or DataFrag submessage elements.

  2. The DataWriter has the DurabilityQosPolicy kind set to something other than VOLATILE.

The next version of the specification will change the first criterion to be the following:

  1. The TopicSecurityAttributes for that DataWriter have is_read_protected set to TRUE.

The second criterion still applies. The Security Plugins use this new criterion to determine PartitionQosPolicy immutability. (is_read_protected corresponds to enable_read_access_control in the Governance Document, see enable_read_access_control (topic_rule).)

13.2. Differences Affecting Builtin Plugins

13.2.1. General Support for Infrastructure Services

The DDS Security specification, Section Unauthorized Access to Data by Infrastructure Services, describes the mechanism for preventing unauthorized access to data by infrastructure services. To support this capability, certain functions have an output parameter called relay_only. While Security Plugins functions include this additional parameter, the Security Plugins do not implement this mechanism, and the parameter is currently not used or populated. As such, the relay tag under the Permissions File’s allow_rule and deny_rule is ignored.

13.2.2. Access Control Placement of the <default> rule in the Permissions File

The DDS Security specification, Rules Section, specifies that the default rule, if present, must appear after all allow and deny rules. The Security Plugins do not check the default rule’s placement.

13.3. Differences Affecting Custom Plugins

13.3.1. Authentication Revocation

The DDS Security specification, Section AuthenticationListener, describes the mechanism for revoking identities. The Security Plugins do not implement this mechanism. This release supports looking up a certificate revocation list (CRL) during DomainParticipant creation and discovery (see Certificate Revocation). Discovery Failure If Exchanging Fewer Than Two Handshake Messages

If two DomainParticipants use a custom authentication plugin in which at least one DomainParticipant does not send any handshake messages, then the endpoints of the DomainParticipants may fail to discover each other. Such a plugin is possible according to the DDS Security specification, Figure 9 - Authentication plugin interaction state machine (if validate_remote_identity() returns VALIDATION_OK in at least one DomainParticipant), and the specification gives no indication that such a plugin should result in discovery failure.

The DDS Security specification, Table 55 - Description of built-in authentication protocol indicates that the builtin authentication plugin uses three total handshake messages: two from one DomainParticipant and one from the other DomainParticipant. The Security Plugins builtin authentication plugin follows this approach, so the discovery failure will not happen unless you are using a custom authentication plugin.

13.3.2. Access Control check_local_datawriter_register_instance

The DDS Security specification, Section Operation: check_local_datawriter_register_instance, describes the check_local_datawriter_register_instance() operation. The Security Plugins do not implement this operation. check_local_datawriter_dispose_instance

The DDS Security specification, Section Operation: check_local_datawriter_dispose_instance, describes the check_local_datawriter_dispose_instance() operation. The Security Plugins do not implement this operation. check_remote_datawriter_register_instance

The DDS Security specification, Section Operation: check_remote_datawriter_register_instance, describes the check_remote_datawriter_register_instance() operation. The Security Plugins do not implement this operation. check_remote_datawriter_dispose_instance

The DDS Security specification, Section Operation: check_remote_datawriter_dispose_instance, describes the check_remote_datawriter_dispose_instance() operation. The Security Plugins do not implement this mechanism. check_local_datawriter_match / check_local_datareader_match

When calling check_local_datawriter_match() / check_local_datareader_match(), the subscription_data and publication_data parameters are not set. Revocation

The DDS Security specification, Section AccessControlListener interface, describes the mechanism for revoking permissions. The Security Plugins do not implement this mechanism. PermissionsToken

The DDS Security specification, Table 10 Additional parameter IDs in ParticipantBuiltinTopicData, mentions PermissionsToken as a new parameter in ParticipantBuiltinTopicData. The Security Plugins send this parameter, but when receiving this parameter, it is not used in any Access Control functionality. The builtin Access Control Plugin is specified to use PermissionsToken to validate the Access Control plugin name and version of previously authenticated remote participants. check_remote_topic

The DDS Security specification, Section Operation: check_remote_topic, describes the check_remote_topic() operation, which receives a TopicBuiltinTopicData as an input. Instead of invoking this operation when the remote DomainParticipant creates a certain Topic, Connext DDS invokes this operation when discovering the first DataWriter or DataReader belonging to that Topic-DomainParticipant combination.

This distinction matters if the implementation of check_remote_topic() considers any of the QosPolicies within the TopicBuiltinTopicData structure. (The builtin plugins do not consider these QosPolicies.) For example, if a DomainParticipant, P1, creates two DataReaders of the same topic, another DomainParticipant, P2, will call check_remote_topic() only when it discovers the first DataReader. If the second DataReader’s DeadLineQosPolicy matches that of P1’s TopicQos and the first DataReader’s DeadlineQosPolicy does not match, then check_remote_topic() will receive the wrong DeadlineQosPolicy as part of the input TopicBuiltinTopicData. This problem will only occur if check_remote_topic() considers the DeadlineQosPolicy when deciding whether to return TRUE or FALSE.

13.3.3. Cryptography inline_qos for encode/decode_serialized_payload

The DDS Security specification, Table 38 - CryptoTransform interface, indicates that the encode_serialized_payload() operation outputs an extra_inline_qos parameter and that the decode_serialized_payload() operation inputs an inline_qos. Connext DDS does not support either of these parameters.