RTI Secure Wan Transport  Version 6.1.2
Secure WAN Transport for RTI Connext
rti_logo.gif
Real-Time Innovations, Inc.

The Secure WAN Transport allows RTI Connext applications that are running on private networks to communicate securely over a Wide-Area Network (WAN).

Available Documentation

This document contains:

For additional information, please see the following PDF documents:

Overview

RTI Secure WAN Transport is an optional package that provides transport plugins which can be used by developers of RTI Connext applications. These transport plugins allow RTI Connext applications that are running on private networks to communicate securely over a Wide-Area Network (WAN), such the internet. There are two primary components of the package, which may be used independently or together:

  • WAN Transport : This transport provides a way to communicate over Wide-Area Networks that involve Network Address Translators (NATs).
  • Secure Transport : This transport, also known as DTLS Transport, provides secure communication with support for peer authentication and encrypted data transport.

The RTI Connext core is transport-agnostic. RTI Connext offers three built-in transports: UDP/IPv4, UDP/IPv6, and inter-process shared memory. The implementation of NAT traversal and secure communication is done at the transport level so that the DDS core is not affected and does not need to be changed, although there is additional on-the-wire traffic.

Refer to the RTI Connext DDS Core Libraries User's Manual for further information.

The basic problem to overcome in a WAN environment is that messages sent from an application on a private local-area network (LAN) appear to come from the LAN's router address, and not from the internal IP address of the host running the application. This is due to the existence of a Network Address Translator (NAT) at the gateway. This does not cause problems for client-server systems because only the server needs to be globally addressable; it is only a problem for systems with peer-to-peer communication models, such as DDS. RTI Secure WAN Transport solves this problem, allowing communication between peers that are in separate LAN networks, using a UDP hole-punching mechanism based on the STUN protocol (IETF RFC 3489bis) for NAT traversal. This requires the use of an additional rendezvous server application, the RTI WAN Server.

Once the transport has enabled traffic to cross the NAT gateway to the WAN, it is flowing on network hardware that is shared (in some cases, over the public internet). In this context, it is important to consider the security of data transmission. There are three primary issues involved: a) authenticating the communication peer (source or destination) as a trusted partner; b) encrypting the data to hide it from other parties that may have access to the network; and c) validating the received data to ensure that it was not modified in transmission. RTI Secure WAN Transport addresses these problems by wrapping all RTPS-encoded data using the DTLS protocol (IETF RFC 4347), which is a variant of SSL/TLS that can be used over a datagram network-layer transport such as UDP.

The security features of the WAN Transport may also be used on an untrusted local-area network with the Secure Transport.

In summary, the package includes two transports:

  • The WAN Transport is for use on a WAN and includes security. It must be used with the WAN Server, a rendezvous server that provides the ability to discover public addresses and to register and look up peer addresses based on a unique WAN ID. The WAN Server is based on the STUN (Session Traversal Utilities for NAT) protocol [draft-ietf-behave-rfc3489bis], with some extensions. Once information about public addresses for the application and its peers has been obtained and connections have been initiated, the server is no longer required to maintain communication with a peer. (Note: security is disabled by default.)
  • The Secure Transport is an alternate transport that provides security on an untrusted LAN. Use of the RTI WAN Server is not required.

Configuring the Secure WAN Transports

There are two ways in which these transports can be configured:

  1. By setting up predefined strings in the Property QoS Policy of the DomainParticipant.

    With this first approach, RTI Connext will dynamically load 
    the WAN or Secure Transport libraries at run time and then implicitly create 
    and register the transport plugin.
    

  2. By instantiating a new transport and registering it with the DomainParticipant (available in C/C++ API only, see NDDS_Transport_Support_register_transport())

    To use this second approach, you need access to the Secure WAN Transport API at compile time. Therefore, you must include additional header files and libraries. Refer to the RTI Connext DDS Core Libraries User's Manual and the RTI Core Libraries Platform Notes for further information.

Refer to the C/C++ API online documentation for details on these two approaches.

Example Applications

A simple example is available to show how to configure the WAN transport. It includes example settings to enable communication over WAN, and optional settings to enable security (along with example certificate files to use for secure communication).

  • C: See the example in <rti_workspace>/examples/connext_dds/c/hello_world_wan.
  • C++: See the example in <rti_workspace>/examples/connext_dds/c++/hello_world_wan.
  • Java: See the example in <rti_workspace>/examples/connext_dds/java/hello_world_wan.

Additionally, a simple example is available to show how to configure the Secure Transport. It includes example settings to enable secure communication.

  • C: See the example in <rti_workspace>/examples/connext_dds/c/hello_world_dtls.
  • C++: See the example in <rti_workspace>/examples/connext_dds/c++/hello_world_dtls.
  • Java: See the example in <rti_workspace>/examples/connext_dds/java/hello_world_dtls.