1.4.1.2. Encryption Algorithms

RTI Connext 7.1 allows changing the encryption algorithm used by the Security Plugins. The default is AES256+GCM (previous releases defaulted to AES128+GCM). In this test we compare latency and throughput for these two algorithms. Both are AES in Galois/Counter Mode, an authenticated-encryption mode that provides confidentiality and integrity in one pass, so they differ only in key length and in the number of AES rounds per block (14 for AES-256 against 10 for AES-128); what the test shows is how much of that extra per-block cost is visible end to end on this hardware.

To change the algorithm we set the following property in the DomainParticipant's property QoS in the XML QoS profile (all com.rti.serv.secure.* properties are participant-level properties):

<element>
      <name>com.rti.serv.secure.cryptography.encryption_algorithm</name>
      <value>AES256+GCM</value>
</element>

Perftest Scripts

To produce these tests we executed RTI Perftest for C++98 using the two bash scripts below. The first is the base script (base_script/script.sh): it builds the perftest command line for one role (publisher or subscriber), runs it once per data size and appends every run to a single CSV file. The second wraps the base script and runs it once per security profile, passing the corresponding signed governance file through -secureGovernanceFile.

#!/bin/bash
filename=$0
script_location=$(cd "$(dirname "$filename")" || exit 255; pwd)

export datasizes="32 64 128 256 512 1024 2048 4096 8192 16384 32768 63000"
export datasizes_extended="${datasizes} 100000 500000 1048576 1548576 4194304 10485760"

export domain="2"
export exec_time=20
export num_reps=1
export instance_number=100000
export core=0

# We will use some colors to improve visibility of errors and info messages.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
BLUE='\033[0;34m'
LIGHTBLUE='\033[0;36m'
NC='\033[0m'
INFO_TAG="${GREEN}[INFO]:${NC}"
WARNING_TAG="${YELLOW}[WARNING]:${NC}"
ERROR_TAG="${RED}[ERROR]:${NC}"

# Test-bed defaults: the two nodes and their 10 Gbps / 1 Gbps interfaces.
export ip_machine_1="10.2.75.20"
export ip_machine_2="10.2.75.21"
export if10Gbps="enp1s0f0"
export if1Gbps="eno1"

################################################################################

function disable_colors() {
    export RED=""
    export GREEN=""
    export YELLOW=""
    export NC=""
    export BLUE=""
    export LIGHTBLUE=""
    export INFO_TAG="${GREEN}[INFO]:${NC}"
    export WARNING_TAG="${YELLOW}[WARNING]:${NC}"
    export ERROR_TAG="${RED}[ERROR]:${NC}"
}

# Alternate the domain ID between runs, so a run that is starting up cannot
# match the endpoints of the run that is still shutting down.
function change_domain() {
    if [[ "$domain" == "1" ]]; then
        export domain="2"
    else
        export domain="1"
    fi
}

# Usage: execute_test <keyed/unkeyed> <rel/be> <datasizes> <extra arguments> <output file suffix>
function execute_test() {

    local keyed_unkeyed=$1
    local rel_be=$2
    local datasizes_test=$3
    local other_args=$4
    local name_suffix=$5

    local commands_string_test=$commands_string
    local tag=""

    if [[ "${keyed_unkeyed}" == "keyed" ]]; then
        commands_string_test="${commands_string_test} -keyed -instances $instance_number"
        tag="[${YELLOW}${transport}${NC}|${BLUE}K${NC}|"
    else
        tag="[${YELLOW}${transport}${NC}|${LIGHTBLUE}UK${NC}|"
    fi

    if [[ "${rel_be}" == "be" ]]; then
        commands_string_test="${commands_string_test} -bestEffort"
        tag="${tag}${YELLOW}BE${NC}]"
    else
        tag="${tag}${RED}REL${NC}]"
    fi

    tag="${tag}[${LIGHTBLUE}${lat_thr}${NC}]"

    local output_file=$output_folder/${lat_thr}_${role}_${keyed_unkeyed}_${rel_be}${name_suffix}.csv

    if [[ "$role" == "pub" ]]; then
        echo -e "${YELLOW}[TEST]: $keyed_unkeyed, $rel_be. ${NC}"
    fi

    # Pin native executables to one core so the numbers are repeatable.
    if [[ "$LANGUAGE" != "java" && "$LANGUAGE" != "cs" ]]; then
        export pre_command_string="taskset -c $core"
    fi

    # Get the approximate time this will take:
    total_tests=$(($(wc -w <<< "$datasizes_test") * num_reps))
    total_time=$((total_tests * exec_time))

    touch "$output_file"
    local no_headers=""
    local current_test=0
    for index in $(seq 1 ${num_reps}); do
        for DATALEN in ${datasizes_test}; do
            current_test=$((current_test + 1))
            export command="$pre_command_string $executable -domain $domain -dataLen $DATALEN $commands_string_test $other_args $no_headers"
            if [[ "$role" == "pub" ]]; then
                echo -e "Test ${tag} (${current_test}/${total_tests}) -- Total time = ${total_time}s"
                echo -e ${BLUE}$command${NC}
            else
                echo -e ${LIGHTBLUE}$command${NC}
            fi
            if [[ "$LANGUAGE" == "cs" && "$role" == "pub" ]]; then
                sleep 3
            fi
            # Every run of this test appends to the same CSV; only the first run
            # prints the column headers.
            $command >> "$output_file";
            no_headers=" -noOutputHeaders"
            change_domain
        done
    done
}

################################################################################
# PARSE COMMAND LINE OPTIONS:

while [ "$1" != "" ]; do
    case $1 in
        --executable)
            executable=$2
            shift
            ;;
        --output-folder)
            output_folder=$2
            shift
            ;;
        --role)
            export role=$2
            shift
            ;;
        --core)
            export core=$2
            shift
            ;;
        --test-kind)
            export lat_thr=$2
            shift
            ;;
        --interface1)
            export interface=$2
            shift
            ;;
        --interface2)
            export interface2=$2
            shift
            ;;
        --ip1)
            export ip1=$2
            shift
            ;;
        --ip2)
            export ip2=$2
            shift
            ;;
        --repetitions)
            export num_reps=$2
            shift
            ;;
        --domain)
            export domain=$2
            shift
            ;;
        --execution-time)
            export exec_time=$2
            shift
            ;;
        --transport)
            export transport=$2
            shift
            ;;
        --datalen)
            export datalen_input=$2
            shift
            ;;
        --file-suffix)
            export file_suffix=$2
            shift
            ;;
        --executable-suffix)
            export executable_suffix=$2
            shift
            ;;
        --extra-arguments)
            export extra_arguments=$2
            shift
            ;;
        --extra-arguments-pub)
            export extra_arguments_pub=$2
            shift
            ;;
        --extra-arguments-sub)
            export extra_arguments_sub=$2
            shift
            ;;
        --skip-no-batching)
            export skip_no_batching="1"
            ;;
        --skip-be)
            export skip_be_tests="1"
            ;;
        --skip-rel)
            export skip_rel_tests="1"
            ;;
        --skip-keyed)
            export skip_keyed_data="1"
            ;;
        --skip-large-data)
            export skip_large_data="1"
            ;;
        --large-data)
            export large_data="1"
            ;;
        --keyed)
            export skip_unkeyed="1"
            ;;
        --unkeyed)
            export skip_keyed_data="1"
            ;;
        --no-batching)
            export no_batching_only="1"
            ;;
        --reliable)
            export skip_be_tests="1"
            ;;
        --best-effort)
            export skip_rel_tests="1"
            ;;
        --security)
            export security_only="$2"
            shift
            ;;
        --micro)
            export micro="1"
            ;;
        --tss)
            export tss="1"
            ;;
        --no-colors)
            export NO_COLORS="1"
            ;;
        --language)
            export LANGUAGE=$2
            shift
            ;;
        *)
            echo -e "unknown parameter \"$1\""
            exit 255
            ;;
    esac
    shift
done

if [[ "$NO_COLORS" == "1" ]]; then
    disable_colors
fi

export folder_base="$(dirname "${executable}")"/../../..

if [[ $LANGUAGE == "java"  || "$LANGUAGE" == "cs" ]]; then
    export folder_base="$(dirname "${executable}")"/../..
fi
if [[ $tss == "1" ]]; then
    export folder_base="$(dirname "${executable}")"/../../../../..
fi

if [[ "${executable_suffix}" != "" ]]; then
    export executable="${executable}${executable_suffix}"
fi

echo -e "${INFO_TAG} Perftest executable is: $executable"
echo -e "${INFO_TAG} Output folder is: $output_folder"

################################################################################

if [[ "${skip_large_data}" == "1" ]]; then
    export datasizes_extended=${datasizes}
elif [[ "${large_data}" == "1" ]]; then
    export datasizes=${datasizes_extended}
fi

if [[ "${datalen_input}" != "" ]]; then
    echo -e "${YELLOW}[TEST] Testing only for ${datalen_input}${NC}"
    export datasizes=${datalen_input}
    export datasizes_extended=${datalen_input}
    if [[ "${no_batching_only}" != "1" ]]; then
        export skip_large_data="1"
    fi
fi

if [[ "$role" != "pub" && "$role" != "sub" ]]; then
    echo -e "${ERROR_TAG} It must be either publisher or subscriber"
    exit 255
fi

if [[ "$lat_thr" != "thr" && "$lat_thr" != "lat" ]]; then
    echo -e "${ERROR_TAG} It must be either lat or thr"
    exit 255
fi

if [[ "${interface}" == "" ]]; then
    echo "Using default nics"
    export nic_publisher=${ip_machine_1}
    export nic_subscriber=${ip_machine_2}
    # The TCP, TLS and UDPv4_WAN transports below also need peer addresses.
    export ip_publisher=${ip_machine_1}
    export ip_subscriber=${ip_machine_2}
else
    export nic_publisher=$interface
    echo -e "${INFO_TAG} Using nic_publisher: ${nic_publisher}"

    if [[ "${interface2}" == "" ]]; then
        export nic_subscriber=$interface
    else
        export nic_subscriber=$interface2
    fi
    echo -e "${INFO_TAG} Using nic_subscriber: ${nic_subscriber}"

    if [[ "${ip1}" != "" ]]; then
        export ip_publisher=$ip1
        echo "Using ip_publisher: ${ip_publisher}"
    fi

    if [[ "${ip2}" != "" ]]; then
        export ip_subscriber=$ip2
        echo "Using ip_subscriber: ${ip_subscriber}"
    fi

fi

export transport_string="-transport $transport"

if [[ "$transport" == "UDPv4" ]]; then

    export transport_string_pub="$transport_string -nic $nic_publisher"
    export transport_string_sub="$transport_string -nic $nic_subscriber"

    if [[ "$micro" == "1" ]]; then
        export transport_string_pub="$transport_string_pub -peer ${ip_subscriber}"
        export transport_string_sub="$transport_string_sub -peer ${ip_publisher}"
    fi

elif [[ "$transport" == "TCP" ]]; then
    export transport_string_pub="$transport_string \
        -nic $nic_publisher \
        -peer 0@tcpv4_lan://${ip_subscriber}:7400"
    export transport_string_sub="$transport_string \
        -nic $nic_subscriber \
        -peer 0@tcpv4_lan://${ip_publisher}:7400"
elif [[ "$transport" == "TLS" ]]; then
    export transport_string_pub="$transport_string \
        -nic $nic_publisher \
        -peer tlsv4_lan://${ip_subscriber}:7400"
    export transport_string_sub="$transport_string \
        -nic $nic_subscriber \
        -peer tlsv4_lan://${ip_publisher}:7400"
elif [[ "$transport" == "UDPv4_WAN" ]]; then
    export transport_string_pub="$transport_string \
        -nic $nic_publisher \
        -transportPublicAddress $ip_publisher:7400"
    export transport_string_sub="$transport_string \
        -nic $nic_subscriber \
        -peer 0@udpv4_wan://${ip_publisher}:7400"
else
    export transport_string_pub="$transport_string"
    export transport_string_sub="$transport_string"
fi

################################################################################

export pub_string="-pub \
        ${transport_string_pub} \
        -noPrintIntervals \
        -executionTime $exec_time"

if [[ ${lat_thr} == "lat" ]]; then
    export pub_string="$pub_string \
        -latencyTest"
fi

export sub_string="-sub \
        ${transport_string_sub} \
        -noPrintIntervals"

if [[ "$role" == "pub" ]]; then
    echo -e "$INFO_TAG Publisher side running"
    export commands_string=${pub_string}
    export extra_arguments="${extra_arguments} ${extra_arguments_pub}"
else
    echo -e "$INFO_TAG Subscriber side running"
    export commands_string=${sub_string}
    export extra_arguments="${extra_arguments} ${extra_arguments_sub}"
fi

###############################################################################

# Site-specific tuning script installed on the test nodes (not part of
# Perftest); it prepares the machine for the latency or the throughput test.
echo -e "${INFO_TAG} Executing: /set_${lat_thr}_mode.sh"
sudo /set_${lat_thr}_mode.sh
sleep 5

cd "$folder_base"
echo -e "${INFO_TAG} Folder Base is: $PWD"
mkdir -p "$output_folder"

# Tests that may use batching (when doing throughput tests)
if [[ ${no_batching_only} != "1" ]]; then

    # UNKEYED
    if [[ "${skip_unkeyed}" == "" ]]; then

        # RELIABLE
        if [[ "${skip_rel_tests}" == "" ]]; then
            execute_test "unkeyed" "rel" "${datasizes_extended}" "${extra_arguments}" "$file_suffix"
        fi

        # BEST EFFORT
        if [[ "${skip_be_tests}" == "" ]]; then
            execute_test "unkeyed" "be" "${datasizes}" "${extra_arguments}" "$file_suffix"
        fi
    fi

    # KEYED
    if [[ "${skip_keyed_data}" == "" ]]; then

        # RELIABLE
        if [[ "${skip_rel_tests}" == "" ]]; then
            execute_test "keyed" "rel" "${datasizes}" "${extra_arguments}" "$file_suffix"
        fi

        # BEST EFFORT
        if [[ "${skip_be_tests}" == "" ]]; then
            execute_test "keyed" "be" "${datasizes}" "${extra_arguments}" "$file_suffix"
        fi
    fi

fi

if [[ "${skip_no_batching}" == "" || "${no_batching_only}" == "1" ]]; then
    no_batching_tests="1"
fi

# Tests that will not use batching
if [[ "${lat_thr}" == "thr" && "${no_batching_tests}" == "1" ]]; then

    if [[ "$role" == "pub" ]]; then
        export commands_string="${commands_string} -batchSize 0"
    fi

    # UNKEYED
    if [[ "${skip_unkeyed}" == "" ]]; then

        # RELIABLE
        if [[ "${skip_rel_tests}" == "" ]]; then
            execute_test "unkeyed" "rel" "${datasizes}" "${extra_arguments}" "_noBatch${file_suffix}"
        fi

        # BEST EFFORT
        if [[ "${skip_be_tests}" == "" ]]; then
            execute_test "unkeyed" "be" "${datasizes}" "${extra_arguments}" "_noBatch${file_suffix}"
        fi
    fi
fi

The wrapper script that runs the base script once per security profile (each profile is a signed governance file under resource/secure, passed to perftest with -secureGovernanceFile):

#!/bin/bash
filename=$0
script_location=$(cd "$(dirname "$filename")" || exit 255; pwd)

# Everything on the command line is forwarded to the base script as-is.
export input_params=$@

while [ "$1" != "" ]; do
    case $1 in
        --executable)
            executable=$2
            shift
            ;;
        --security)
            export security_only=$2
            shift
            ;;
        *)
            ;;
    esac
    shift
done

echo "[INFO]: Security profile requested: ${security_only:-all}"

export folder_base="$(dirname "${executable}")"/../../..
export PATH_TO_GOVERNANCE_FILES_FOLDER=$folder_base/resource/secure

if [[ "${security_only}" == "none" || "${security_only}" == "" ]]; then
    echo -e "[Calling base_script/script.sh] -- No Security"
    "${script_location}/../base_script/script.sh" $input_params --transport UDPv4 \
        --skip-no-batching --skip-be --skip-keyed --skip-large-data \
        --file-suffix "_security_none"
    sleep 5;
fi

if [[ "${security_only}" == "no_protection" || "${security_only}" == "" ]]; then
    echo -e "[Calling base_script/script.sh] -- No Protection"
    "${script_location}/../base_script/script.sh" $input_params --transport UDPv4 \
        --skip-no-batching --skip-be --skip-keyed --skip-large-data \
        --extra-arguments "-secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_.xml " \
        --file-suffix "_security_no_protection"
fi

if [[ "${security_only}" == "rtps_sign" || "${security_only}" == "" ]]; then
    echo -e "[Calling base_script/script.sh] -- RTPS Sign"
    "${script_location}/../base_script/script.sh" $input_params --transport UDPv4 \
        --skip-no-batching --skip-be --skip-keyed --skip-large-data \
        --extra-arguments "-secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSign.xml " \
        --file-suffix "_security_rtps_sign"
fi

if [[ "${security_only}" == "rtps_encrypt" || "${security_only}" == "" ]]; then
    echo -e "[Calling base_script/script.sh] -- RTPS Encrypt"
    "${script_location}/../base_script/script.sh" $input_params --transport UDPv4 \
        --skip-no-batching --skip-be --skip-keyed --skip-large-data \
        --extra-arguments "-secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSEncrypt.xml " \
        --file-suffix "_security_rtps_encrypt"
fi

if [[ "${security_only}" == "rtps_sign_submessage_encrypt" || "${security_only}" == "" ]]; then
    echo -e "[Calling base_script/script.sh] -- RTPS Sign, Submessage Encrypt"
    "${script_location}/../base_script/script.sh" $input_params --transport UDPv4 \
        --skip-no-batching --skip-be --skip-keyed --skip-large-data \
        --extra-arguments "-secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_SignEncryptSubmessage.xml " \
        --file-suffix "_security_rtps_sign_submessage_encrypt"
fi

if [[ "${security_only}" == "rtps_sign_submessage_encrypt_orig_data_encrypt" || "${security_only}" == "" ]]; then
    echo -e "[Calling base_script/script.sh] -- RTPS Sign, Submessage Encrypt with origin auth, Data Encrypt"
    "${script_location}/../base_script/script.sh" $input_params --transport UDPv4 \
        --skip-no-batching --skip-be --skip-keyed --skip-large-data \
        --extra-arguments "-secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSignEncryptSubmessageWithOrigAuthEncryptData.xml " \
        --file-suffix "_security_rtps_sign_submessage_encrypt_orig_data_encrypt"
fi

if [[ "${security_only}" == "rtps_sign_orig_data_encrypt" || "${security_only}" == "" ]]; then
    echo -e "[Calling base_script/script.sh] -- RTPS Sign with origin auth, Data Encrypt"
    "${script_location}/../base_script/script.sh" $input_params --transport UDPv4 \
        --skip-no-batching --skip-be --skip-keyed --skip-large-data \
        --extra-arguments "-secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSignWithOrigAuthEncryptData.xml " \
        --file-suffix "_security_rtps_sign_orig_data_encrypt"
    sleep 5;
fi
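The scripts leave one CSV file per configuration (for example thr_pub_unkeyed_rel_security_none.csv next to thr_pub_unkeyed_rel_security_rtps_encrypt.csv), each with a single header line followed by one summary row per data size, so comparing two configurations, AES128+GCM against AES256+GCM or a security profile against no security, is a join on the data length column. The following Python script is an added example and not part of RTI Perftest; the column names in the constructed sample data ("Length (Bytes)", "Ave Mbps", "Lost Samples (%)") are assumptions, which is why the parser locates columns by header substring rather than by position. Check them against the header your perftest build prints.

```python
"""Compare two RTI Perftest CSV result files on a per-data-length basis.

Added example, not part of RTI Perftest; column names are assumptions and
are located from the header row, so adjust them to the headers your build prints."""
import csv
import io

# Constructed sample data in the layout the scripts above produce: one header
# line, then one summary row per data size (-noOutputHeaders after the first run).
BASELINE_CSV = """Length (Bytes), Ave Mbps, Lost Samples (%)
32, 31.2, 0.0
1024, 890.5, 0.0
63000, 9410.0, 0.0
"""
CANDIDATE_CSV = """Length (Bytes), Ave Mbps, Lost Samples (%)
32, 29.9, 0.0
1024, 850.1, 0.0
63000, 9300.2, 0.1
"""


def load_results(text, length_col="Length", metric_col="Mbps"):
    """Return {data_length: metric} from perftest CSV text.

    Columns are found by case-insensitive substring match on the header row;
    the first matching column wins, so pass a substring that is unique."""
    rows = list(csv.reader(io.StringIO(text), skipinitialspace=True))
    header = [h.strip() for h in rows[0]]

    def column(name):
        for index, title in enumerate(header):
            if name.lower() in title.lower():
                return index
        raise KeyError("no column containing %r in %r" % (name, header))

    length_index, metric_index = column(length_col), column(metric_col)
    results = {}
    for row in rows[1:]:
        if len(row) <= max(length_index, metric_index):
            continue  # blank or truncated line (e.g. an interrupted run)
        results[int(row[length_index])] = float(row[metric_index])
    return results


def compare(baseline, candidate):
    """Relative change of candidate against baseline per data length, in percent.

    For throughput a negative number is a slowdown; for latency a positive one is."""
    common = sorted(set(baseline) & set(candidate))
    return {n: round((candidate[n] - baseline[n]) / baseline[n] * 100.0, 2) for n in common}


if __name__ == "__main__":
    base = load_results(BASELINE_CSV)
    cand = load_results(CANDIDATE_CSV)
    for length, change in compare(base, cand).items():
        print("%8d bytes: %+6.2f%%" % (length, change))
```

Feed it the real files with open(path).read() in place of the constructed strings; for a latency file pass a metric_col substring that identifies the column you care about (average, or one of the percentiles) and remember that the sign of a regression flips.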

Security Profiles

To test different levels of security, we selected a representative set of configurations. They are defined in the Governance files shipped with RTI Perftest (the signed_PerftestGovernance_*.xml files the wrapper script passes with -secureGovernanceFile). Note that the Security Plugins only honour a governance document that has been signed by the Permissions CA, which is what the signed_ prefix denotes; editing one of the files below without re-signing it is rejected at startup. With these configurations we measured the minimum latency and maximum throughput achievable in each scenario. The scenarios are described below.

The profiles we have used are the following:

  • Not using security libraries

In this scenario the RTI Security Plugins are not loaded at all, so the performance is the same as what the Core Libraries provide in Unkeyed, UDPv4 10Gbps Network, C++98.

  • No protection

In this scenario the Security Plugins are enabled, so participants still authenticate each other and exchange keys at startup, but every protection kind is NONE: nothing on the wire is signed or encrypted. Together with the previous scenario it calibrates the cost of loading the Security Plugins before any protection is applied.

The governance profile used in this scenario is the following:

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>TRUE</allow_unauthenticated_participants>
        <enable_join_access_control>FALSE</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>NONE</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>FALSE</enable_discovery_protection>
            <enable_read_access_control>FALSE</enable_read_access_control>
            <enable_write_access_control>FALSE</enable_write_access_control>
            <metadata_protection_kind>NONE</metadata_protection_kind>
            <data_protection_kind>NONE</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>
  • RTPS ‘Sign’

This scenario sets rtps_protection_kind to SIGN: every RTPS message is sent in clear but carries an authentication tag (a MAC computed with the key that the sending participant shares with its matched participants). Receivers discard messages with a missing or invalid tag, so an outsider that never authenticated cannot inject or tamper with traffic. This is the cheapest protection on offer, a MAC over the message and no encryption. It provides no confidentiality, and because the key is shared by all matched participants it does not stop an authenticated insider from forging messages as another participant; that is what the origin-authentication variants below add.

The governance profile used in this scenario is the following:

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
        <enable_join_access_control>false</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>SIGN</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>false</enable_discovery_protection>
            <enable_liveliness_protection>false</enable_liveliness_protection>
            <enable_read_access_control>false</enable_read_access_control>
            <enable_write_access_control>false</enable_write_access_control>
            <metadata_protection_kind>NONE</metadata_protection_kind>
            <data_protection_kind>NONE</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>
  • RTPS ‘Encrypt’

This scenario sets rtps_protection_kind to ENCRYPT: the RTPS message (everything after the outer RTPS header needed for routing) is encrypted and authenticated with AES-GCM using the participant key. Against outsiders this is comparable to the protection TLS gives a TCP stream, but it also works over UDP and multicast. As with SIGN, the key is shared with every matched participant, so any authenticated member of the domain can still read all traffic.

The governance profile used in this scenario is the following:

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
        <enable_join_access_control>false</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>ENCRYPT</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>false</enable_discovery_protection>
            <enable_liveliness_protection>false</enable_liveliness_protection>
            <enable_read_access_control>false</enable_read_access_control>
            <enable_write_access_control>false</enable_write_access_control>
            <metadata_protection_kind>NONE</metadata_protection_kind>
            <data_protection_kind>NONE</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>
  • RTPS ‘Sign with Origin Authentication’ and Data ‘Encrypt’

This scenario sets rtps_protection_kind to SIGN_WITH_ORIGIN_AUTHENTICATION and data_protection_kind to ENCRYPT. Origin authentication extends the RTPS signature with receiver-specific MACs, computed with keys that the sender shares with one receiver only, so a receiver can verify that a message really came from the participant that claims to have sent it and not from another insider holding the common key. Encrypting the data (the serialized payload) uses a per-DataWriter key that only matched DataReaders receive, so the user data stays confidential even from other participants in the domain, while the submessage headers remain in clear. This combination is a common choice for intra-domain integrity plus payload confidentiality.

The governance profile used in this scenario is the following:

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
        <enable_join_access_control>false</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>false</enable_discovery_protection>
            <enable_liveliness_protection>false</enable_liveliness_protection>
            <enable_read_access_control>false</enable_read_access_control>
            <enable_write_access_control>false</enable_write_access_control>
            <metadata_protection_kind>NONE</metadata_protection_kind>
            <data_protection_kind>ENCRYPT</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>
  • RTPS ‘Sign,’ Submessage ‘Encrypt with Origin Authentication,’ and Data ‘Encrypt’

This scenario sets rtps_protection_kind to SIGN, metadata_protection_kind to ENCRYPT_WITH_ORIGIN_AUTHENTICATION and data_protection_kind to ENCRYPT. The submessage (headers included) is encrypted with the writer's key and carries receiver-specific MACs, the payload inside it is encrypted a second time, and the whole message is signed with the participant key. This is the strongest combination tested and also the most expensive one, since each sample is encrypted twice and a MAC is computed per receiver.

The governance profile used in this scenario is the following:

<?xml version="1.0" encoding="UTF-8"?>

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
        <enable_join_access_control>false</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>SIGN</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>false</enable_discovery_protection>
            <enable_liveliness_protection>false</enable_liveliness_protection>
            <enable_read_access_control>false</enable_read_access_control>
            <enable_write_access_control>false</enable_write_access_control>
            <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
            <data_protection_kind>ENCRYPT</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>
  • RTPS ‘Sign,’ Submessage ‘Encrypt’

This scenario sets rtps_protection_kind to SIGN and metadata_protection_kind to ENCRYPT. Submessages are encrypted with per-DataWriter keys that only matched DataReaders hold, so the user data they carry is confidential even from other authenticated participants in the domain (protection against insiders), while the RTPS-level signature keeps outsiders from injecting traffic. Because the RTPS header and the message structure stay in clear, Wireshark can still tell which participant sent each message and how the traffic is shaped, which makes this configuration easier to troubleshoot than whole-message encryption.

The governance profile used in this scenario is the following:

<?xml version="1.0" encoding="UTF-8"?>

<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="dds_security_governance.xsd">

    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
        <enable_join_access_control>false</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>SIGN</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>false</enable_discovery_protection>
            <enable_liveliness_protection>false</enable_liveliness_protection>
            <enable_read_access_control>false</enable_read_access_control>
            <enable_write_access_control>false</enable_write_access_control>
            <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
            <data_protection_kind>NONE</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>
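Before signing and deploying one of the governance documents above, a practitioner will want a quick static review: are the protection kind values spelled as the DDS Security specification defines them (the plugins reject a document with an unknown value, and a typo such as ORIGINAL for ORIGIN is easy to make), is user data actually encrypted at some level (whole message, submessage or payload), and is origin authentication present where insider impersonation matters. The following Python script is an added example and not RTI tooling. The embedded sample is a constructed copy of the RTPS Sign profile above; the allowed-value sets are those of the DDS Security specification, where data_protection_kind only accepts NONE, SIGN or ENCRYPT and the other kinds also accept the two origin-authentication variants.

```python
"""Static review of a DDS Security governance document (added example, not RTI tooling)."""
import xml.etree.ElementTree as ET

# Value sets as defined by the DDS Security specification.
PROTECTION_KINDS = {"NONE", "SIGN", "ENCRYPT",
                    "SIGN_WITH_ORIGIN_AUTHENTICATION",
                    "ENCRYPT_WITH_ORIGIN_AUTHENTICATION"}
BASIC_PROTECTION_KINDS = {"NONE", "SIGN", "ENCRYPT"}   # data_protection_kind only

# Constructed sample: a copy of the "RTPS Sign" profile shown above.
SAMPLE_GOVERNANCE = """<dds>
  <domain_access_rules>
    <domain_rule>
      <domains><id_range><min>0</min></id_range></domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>"""


def _is_true(text):
    """Accept the XML Schema spelling (true) and the upper-case TRUE seen in Perftest files."""
    return (text or "").strip().lower() in ("true", "1")


def _kind(element, tag):
    """Protection kind value of a child element, defaulting to NONE when absent."""
    return (element.findtext(tag) or "NONE").strip()


def lint_governance(xml_text):
    """Return a list of (severity, message) findings; severity is ERROR, WARN or INFO."""
    findings = []
    root = ET.fromstring(xml_text)
    for i, rule in enumerate(root.iter("domain_rule")):
        where = "domain_rule[%d]" % i
        if _is_true(rule.findtext("allow_unauthenticated_participants")):
            findings.append(("WARN", where + ": unauthenticated participants are allowed, "
                             "so per-message protection cannot be enforced against them"))
        if not _is_true(rule.findtext("enable_join_access_control")):
            findings.append(("INFO", where + ": join access control disabled; any participant "
                             "with a certificate from the identity CA may join"))
        for tag in ("discovery_protection_kind", "liveliness_protection_kind", "rtps_protection_kind"):
            value = _kind(rule, tag)
            if value not in PROTECTION_KINDS:
                findings.append(("ERROR", "%s: %s has unknown value %r" % (where, tag, value)))
        rtps = _kind(rule, "rtps_protection_kind")
        for j, topic in enumerate(rule.iter("topic_rule")):
            twhere = "%s/topic_rule[%d] (%s)" % (where, j, topic.findtext("topic_expression"))
            meta = _kind(topic, "metadata_protection_kind")
            data = _kind(topic, "data_protection_kind")
            if meta not in PROTECTION_KINDS:
                findings.append(("ERROR", "%s: metadata_protection_kind has unknown value %r" % (twhere, meta)))
            if data not in BASIC_PROTECTION_KINDS:
                findings.append(("ERROR", "%s: data_protection_kind has unknown value %r" % (twhere, data)))
            # Confidentiality: the payload is hidden if the whole RTPS message, the
            # submessage or the serialized payload itself is encrypted.
            if not any(v.startswith("ENCRYPT") for v in (rtps, meta, data)):
                findings.append(("WARN", twhere + ": user data travels in clear text"))
            elif not (meta.startswith("ENCRYPT") or data.startswith("ENCRYPT")):
                # RTPS-level keys are shared with every matched participant in the domain.
                findings.append(("INFO", twhere + ": RTPS-level encryption only; any authenticated "
                                 "participant in the domain can read this topic"))
            # Origin authentication is what stops an authenticated insider from forging
            # messages as another participant (the plain SIGN/ENCRYPT keys are shared).
            if not any("ORIGIN_AUTHENTICATION" in v for v in (rtps, meta)):
                findings.append(("INFO", twhere + ": no origin authentication at RTPS or submessage level"))
    return findings


def has_errors(findings):
    """True when the document uses a value outside the specification's vocabulary."""
    return any(severity == "ERROR" for severity, _ in findings)


if __name__ == "__main__":
    for severity, message in lint_governance(SAMPLE_GOVERNANCE):
        print("%-5s %s" % (severity, message))
```

Run it over each unsigned governance file before signing; the ERROR findings are the ones that would otherwise surface only when the participant fails to start, while WARN and INFO are design decisions to confirm rather than defects.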

Test Hardware

The following hardware was used to perform these tests:

Linux Nodes

Dell R340 Servers (13 Units)
Processor: Intel Xeon E-2278G (3.4-5GHz, 8c/16t, 16MB cache, 2 memory channels @2666MHz)
RAM: 4x 16GB 2666MHz DIMM (64GB RAM)
HD: 480GB SATA SSD
NIC 1: Intel 710 dual port 10Gbps SFP
OS: Ubuntu 20.04 -- gcc 9.3.0

Switch

Dell 2048 -- 10Gbps switch