1.5.2. Discovery Performance¶
This document describes discovery performance for certain scenarios that use RTI Security Plugins. The methodology and the tests are similar to the ones explained in the Discovery Performance section for the Core Libraries. The “No Security Libraries” values in the graphs below are equivalent to the Core Libraries (multicast) numbers, so you can compare Connext performance with and without the Security Plugins.
These numbers should only be used as a first rough approximation, since the results are highly dependent on the hardware, software configuration, and network infrastructure of the tested system. These numbers are taken with multicast enabled, since this is the default mode used by Connext for discovery.
Note
This scenario is likely not the optimal design solution for a real-life architecture. The purpose of the test is to demonstrate how powerful the Connext discovery protocol is even in a flat configuration.
1.5.2.1. Testing Different Security Governance Configuration Levels¶
Endpoint Discovery
The following graph displays the time it takes to complete endpoint discovery, per number of participants. There is one endpoint for each participant; across all participants, half the endpoints are DataWriters and half are DataReaders. For each scenario, we graph three values: the maximum, median, and minimum times that the participants took to complete endpoint discovery. (Maximums and minimums are the dashed lines; medians are the solid lines.)
The following graphs display the network traffic (bytes and packets sent and received, and packet receive errors) until the discovery process completes, per number of participants. There is one endpoint for each participant; across all participants, half the endpoints are DataWriters and half are DataReaders. For each scenario, we graph three values: the maximum, median, and minimum values reported by the participants until the completion of endpoint discovery. (Maximums and minimums are the dashed lines; medians are the solid lines.)
(Graph tabs: Sent Bytes, Received Bytes, Sent Packets, Received Packets, Packet Sent, Packet Received, Packet Receive Errors)
The following graphs display the amount of memory required by the application after completing the discovery process, per number of participants. There is one endpoint for each participant; across all participants, half the endpoints are DataWriters and half are DataReaders. For each scenario, we graph three values: the maximum, median, and minimum memory reported by the participants after the completion of endpoint discovery. (Maximums and minimums are the dashed lines; medians are the solid lines.)
The following graphs show the time, network usage and memory needed to complete discovery with SPDP and with SPDP2.
As mentioned in the note above, this is a flat configuration: a single LAN, a single endpoint per participant, one participant per application and a single topic across the system. Although this configuration is useful for benchmarking, it is not recommended for real-life applications and it does not take advantage of the SPDP2 protocol.
In particular, in this scenario with security enabled, SPDP2 is more CPU intensive because it also protects the configuration messages. SPDP2 uses an extra set of crypto tokens that participants must exchange before they can send or receive configuration messages; each participant then has to encrypt and decrypt those messages, which adds to the discovery time. Endpoint discovery cannot begin until the configuration messages have been exchanged. SPDP participants also have a secure channel for sending and receiving updates to a participant's configuration, but it does not add to the initial discovery time, because all of the participant's information is included in the original participant announcement. For more information on secure entities, see the RTI Security Plugins User's Manual.
Endpoint Discovery
The following graph displays the time it takes to complete endpoint discovery, per number of participants. There is one endpoint for each participant; across all participants, half the endpoints are DataWriters and half are DataReaders. For each scenario, we graph three values: the maximum, median, and minimum times that the participants took to complete endpoint discovery. (Maximums and minimums are the dashed lines; medians are the solid lines.)
The following graphs display the network traffic (bytes and packets sent and received, and packet receive errors) until the discovery process completes, per number of participants. There is one endpoint for each participant; across all participants, half the endpoints are DataWriters and half are DataReaders. For each scenario, we graph three values: the maximum, median, and minimum values reported by the participants until the completion of endpoint discovery. (Maximums and minimums are the dashed lines; medians are the solid lines.)
(Graph tabs: Sent Bytes, Received Bytes, Sent Packets, Received Packets, Packet Sent, Packet Received, Packet Receive Errors)
The following graphs display the amount of memory required by the application after completing the discovery process, per number of participants. There is one endpoint for each participant; across all participants, half the endpoints are DataWriters and half are DataReaders. For each scenario, we graph three values: the maximum, median, and minimum memory reported by the participants after the completion of endpoint discovery. (Maximums and minimums are the dashed lines; medians are the solid lines.)
The parameters for testing this scenario are:
Number of hosts: 12
Participants in the system: variable (this is the value increased along the x axis)
Topics in the system: 1
Readers per topic: half of the participants
Writers per topic: half of the participants
QoS profile used: DynamicProfileSecurity from the QoS file below (the governance file under test is selected through the $(security_governance) variable).
Software Information
RTI developed a testing framework specifically designed for discovery benchmarking. This framework was used to perform the tests detailed in this section. This framework is capable of distributing and executing the different DDS entities across the different machines available in RTI’s Performance and Discovery Lab. It will also gather information about the discovery time as well as network usage and memory usage.
The Middleware version used to perform these tests is:
RTI Connext DDS 7.3.0 Host and Target Libraries for x64 Linux (x64Linux4gcc7.3.0)
Hardware Information
Linux Nodes
Dell R340 Servers (13 Units)
Processor: Intel Xeon E-2278G (3.4-5GHz, 8c/16t, 16MB cache, 2 memory channels @2666MHz)
RAM: 4x 16GB 2666MHz DIMM (64GB RAM)
HD: 480GB SATA SSD
NIC 1: Intel 710 dual port 10Gbps SFP
OS: Ubuntu 20.04 -- gcc 9.3.0
Switch
Dell 2048 -- 10Gbps switch (10Gbps and 1Gbps interfaces)
QoS Used
```xml
<?xml version="1.0"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="https://community.rti.com/schema/7.2.0/rti_dds_qos_profiles.xsd">
  <qos_library name="QosLibrary">
    <qos_profile name="FactoryDefault" is_default_participant_factory_profile="true">
      <participant_factory_qos>
        <entity_factory>
          <autoenable_created_entities>$(autoenable_created_entities)</autoenable_created_entities>
        </entity_factory>
        <!--
        <logging>
          <verbosity>WARNING</verbosity>
        </logging>
        -->
      </participant_factory_qos>
      <participant_qos>
        <discovery_config>
          <builtin_discovery_plugins>$(qos_discovery_protocol)</builtin_discovery_plugins>
        </discovery_config>
      </participant_qos>
    </qos_profile>
    <qos_profile name="DynamicProfile_DefaultQoS" base_name="QosLibrary::FactoryDefault">
      <participant_qos>
        <!-- This does not affect performance, but it is needed for > 1000 participants -->
        <wire_protocol>
          <rtps_well_known_ports>
            <domain_id_gain>500</domain_id_gain>
          </rtps_well_known_ports>
        </wire_protocol>
        <!-- To make the test a bit more fair -->
        <transport_builtin>
          <mask>UDPv4</mask>
        </transport_builtin>
        <property>
          <value>
            <element>
              <name>dds.transport.UDPv4.builtin.parent.allow_interfaces_list</name>
              <value>$(interface_name)</value>
            </element>
            <element>
              <name>dds.transport.UDPv4.builtin.parent.max_interface_count</name>
              <value>2</value>
            </element>
            <element>
              <name>dds.participant.property_validation_action</name>
              <value>1</value>
            </element>
            <element>
              <name>dds.transport.UDPv4.builtin.gather_detailed_statistics</name>
              <value>$(gather_detailed_statistics)</value>
            </element>
          </value>
        </property>
      </participant_qos>
    </qos_profile>
    <qos_profile name="DynamicProfile" base_name="QosLibrary::DynamicProfile_DefaultQoS" is_default_qos="true">
      <participant_qos>
        <resource_limits>
          <type_object_max_serialized_length>0</type_object_max_serialized_length>
          <type_code_max_serialized_length>0</type_code_max_serialized_length>
          <remote_writer_hash_buckets>625</remote_writer_hash_buckets>
          <remote_reader_hash_buckets>625</remote_reader_hash_buckets>
          <remote_participant_hash_buckets>625</remote_participant_hash_buckets>
          <matching_reader_writer_pair_hash_buckets>625</matching_reader_writer_pair_hash_buckets>
          <matching_writer_reader_pair_hash_buckets>625</matching_writer_reader_pair_hash_buckets>
        </resource_limits>
        <discovery_config>
          <initial_participant_announcements>5</initial_participant_announcements>
          <participant_liveliness_lease_duration>
            <sec>500</sec>
            <nanosec>0</nanosec>
          </participant_liveliness_lease_duration>
          <participant_liveliness_assert_period>
            <sec>5</sec>
            <nanosec>0</nanosec>
          </participant_liveliness_assert_period>
          <remote_participant_purge_kind>LIVELINESS_BASED_REMOTE_PARTICIPANT_PURGE</remote_participant_purge_kind>
          <max_liveliness_loss_detection_period>
            <sec>10</sec>
            <nanosec>0</nanosec>
          </max_liveliness_loss_detection_period>
        </discovery_config>
        <property>
          <value>
            <element>
              <name>dds.transport.UDPv4.builtin.recv_socket_buffer_size</name>
              <value>5048576</value>
            </element>
          </value>
        </property>
      </participant_qos>
    </qos_profile>
    <qos_profile name="Unicast_10Gbps_lab_snippet">
      <participant_qos>
        <discovery>
          <initial_peers>
            <element>$(initial-peers)</element>
          </initial_peers>
          <multicast_receive_addresses></multicast_receive_addresses>
        </discovery>
      </participant_qos>
    </qos_profile>
    <qos_profile name="Unicast_1Gbps_lab_snippet">
      <participant_qos>
        <discovery>
          <initial_peers>
            <element>$(initial-peers)</element>
          </initial_peers>
          <multicast_receive_addresses></multicast_receive_addresses>
        </discovery>
      </participant_qos>
    </qos_profile>
    <qos_profile name="DynamicProfile_unicast_cds" base_name="QosLibrary::DynamicProfile">
      <participant_qos>
        <transport_builtin>
          <mask>UDPv4</mask>
        </transport_builtin>
        <discovery>
          <initial_peers>
            <element>rtps@udpv4://$(CDS_IP):7400</element>
          </initial_peers>
          <multicast_receive_addresses></multicast_receive_addresses>
        </discovery>
      </participant_qos>
    </qos_profile>
    <qos_profile name="StaticProfile" base_name="QosLibrary::DynamicProfile">
      <participant_qos>
        <discovery_config>
          <builtin_discovery_plugins>SPDP</builtin_discovery_plugins>
        </discovery_config>
        <property>
          <value>
            <element>
              <name>dds.discovery.endpoint.lbediscovery.library</name>
              <value>rtilbedisc</value>
            </element>
            <element>
              <name>dds.discovery.endpoint.lbediscovery.create_function</name>
              <value>DDS_LBEDiscoveryPlugin_create</value>
            </element>
            <element>
              <name>dds.discovery.endpoint.load_plugins</name>
              <value>dds.discovery.endpoint.lbediscovery</value>
            </element>
          </value>
        </property>
      </participant_qos>
    </qos_profile>
    <!-- Security -->
    <qos_profile name="DynamicProfileSecurity" base_name="QosLibrary::DynamicProfile">
      <participant_qos>
        <property>
          <value>
            <element>
              <name>com.rti.serv.load_plugin</name>
              <value>com.rti.serv.secure</value>
            </element>
            <element>
              <name>com.rti.serv.secure.library</name>
              <value>nddssecurity</value>
            </element>
            <element>
              <name>com.rti.serv.secure.create_function</name>
              <value>RTI_Security_PluginSuite_create</value>
            </element>
            <element>
              <name>com.rti.serv.secure.authentication.ca_file</name>
              <value>resources/secure/certAuthority/$(discovery_security_algo)/ca/$(discovery_security_algo)RootCaCert.pem</value>
            </element>
            <element>
              <name>com.rti.serv.secure.authentication.private_key_file</name>
              <value>resources/secure/certAuthority/$(discovery_security_algo)/identities/$(discovery_security_algo)Peer01Key.pem</value>
            </element>
            <element>
              <name>com.rti.serv.secure.authentication.certificate_file</name>
              <value>resources/secure/certAuthority/$(discovery_security_algo)/identities/$(discovery_security_algo)Peer01Cert.pem</value>
            </element>
            <element>
              <name>com.rti.serv.secure.access_control.permissions_authority_file</name>
              <value>resources/secure/certAuthority/$(discovery_permissions_authority_file_algo)/ca/$(discovery_permissions_authority_file_algo)RootCaCert.pem</value>
            </element>
            <element>
              <name>com.rti.serv.secure.access_control.governance_file</name>
              <value>resources/secure/certAuthority/$(discovery_security_algo)/governances/signed_governance_$(security_governance).xml</value>
            </element>
            <element>
              <name>com.rti.serv.secure.access_control.permissions_file</name>
              <value>resources/secure/certAuthority/$(discovery_security_algo)/signed_myPermissions.xml</value>
            </element>
            <element>
              <name>com.rti.serv.secure.authentication.key_establishment_algorithm</name>
              <value>auto</value>
            </element>
            <element>
              <name>dds.participant.trust_plugins.authentication_timeout.sec</name>
              <value>$(discovery_security_authentication_timeout)</value>
            </element>
            <element>
              <name>dds.participant.trust_plugins.authentication_request_delay.sec</name>
              <value>$(discovery_security_authentication_request_delay)</value>
            </element>
            <element>
              <name>dds.participant.trust_plugins.authentication_request_timeout.sec</name>
              <value>$(discovery_security_authentication_request_timeout)</value>
            </element>
            <element>
              <name>com.rti.serv.secure.authentication.enable_custom_algorithms</name>
              <value>true</value>
            </element>
          </value>
        </property>
      </participant_qos>
    </qos_profile>
    <!-- Security Unicast 10Gbps-->
    <qos_profile name="DynamicProfileSecurity_unicast" base_name="QosLibrary::DynamicProfileSecurity">
      <base_name>
        <element>QosLibrary::Unicast_10Gbps_lab_snippet</element>
      </base_name>
    </qos_profile>
    <!-- Security Unicast 10Gbps-->
    <qos_profile name="DynamicProfileSecurity_unicast_enp1s0f0" base_name="QosLibrary::DynamicProfileSecurity_unicast">
    </qos_profile>
    <!-- Security Unicast 1Gbps -->
    <qos_profile name="DynamicProfileSecurity_unicast_eno1" base_name="QosLibrary::DynamicProfileSecurity">
      <base_name>
        <element>QosLibrary::Unicast_1Gbps_lab_snippet</element>
      </base_name>
    </qos_profile>
    <!-- Security HMAC ONLY -->
    <qos_profile name="DynamicProfileSecurity_HMAC" base_name="QosLibrary::DynamicProfile">
      <participant_qos>
        <property>
          <value>
            <element>
              <name>com.rti.serv.load_plugin</name>
              <value>com.rti.serv.secure</value>
            </element>
            <element>
              <name>com.rti.serv.secure.library</name>
              <value>nddssecurity</value>
            </element>
            <element>
              <name>com.rti.serv.secure.create_function</name>
              <value>RTI_Security_PluginSuite_create</value>
            </element>
            <element>
              <name>com.rti.serv.secure.hmac_only.enabled</name>
              <value>1</value>
            </element>
            <element>
              <name>com.rti.serv.secure.hmac_only.cryptography.key</name>
              <value>str:SecretKey</value>
            </element>
          </value>
        </property>
      </participant_qos>
    </qos_profile>
    <!-- Security + PSK-->
    <qos_profile name="DynamicProfileSecurity_PSK" base_name="QosLibrary::DynamicProfileSecurity">
      <participant_qos>
        <discovery_config>
          <default_domain_announcement_period>
            <sec>DURATION_INFINITE_SEC</sec>
            <nanosec>DURATION_INFINITE_NSEC</nanosec>
          </default_domain_announcement_period>
        </discovery_config>
        <property>
          <value>
            <element>
              <name>com.rti.serv.secure.cryptography.rtps_protection_preshared_key</name>
              <!-- <value>str:1:SecretKey</value> -->
              <value>data:,1:SecretKey</value>
            </element>
          </value>
        </property>
      </participant_qos>
    </qos_profile>
    <!-- LW Security + PSK -->
    <qos_profile name="DynamicProfileLWS_PSK" base_name="QosLibrary::DynamicProfile">
      <participant_qos>
        <discovery_config>
          <default_domain_announcement_period>
            <sec>DURATION_INFINITE_SEC</sec>
            <nanosec>DURATION_INFINITE_NSEC</nanosec>
          </default_domain_announcement_period>
        </discovery_config>
        <property>
          <value>
            <element>
              <name>com.rti.serv.load_plugin</name>
              <value>com.rti.serv.secure</value>
            </element>
            <element>
              <name>com.rti.serv.secure.library</name>
              <value>nddslightweightsecurity</value>
            </element>
            <element>
              <name>com.rti.serv.secure.create_function</name>
              <value>RTI_SecurityLightweight_PluginSuite_create</value>
            </element>
            <element>
              <name>com.rti.serv.secure.cryptography.rtps_protection_preshared_key</name>
              <!-- <value>str:1:SecretKey</value> -->
              <value>data:,1:SecretKey</value>
            </element>
            <element>
              <name>com.rti.serv.secure.cryptography.rtps_protection_preshared_key_algorithm</name>
              <value>$(lws_psk_algorithm)</value>
            </element>
          </value>
        </property>
      </participant_qos>
    </qos_profile>
  </qos_library>
</dds>
```
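The QoS library above composes its security profiles through inheritance (the base_name attribute plus the multi-base base_name element), and every certificate, key and governance path is a $(variable). As an added example that is not part of this page or of RTI's tooling, the following Python script resolves a profile name to its effective participant settings and expands the variables, refusing to proceed when one is unset. It works on a trimmed copy of the library above; the variable values and the "ecdsa" directory name are constructed for the example, and the merge rules it applies (bases in listed order, property elements merged by name, other settings replaced by the derived profile) are this model's assumptions, not a statement about RTI's loader.

```python
"""Effective settings of an RTI XML QoS profile after inheritance and $(var) expansion.

Added example for this page, not RTI's loader. Assumed merge rules: the base_name
attribute and the multi-base <base_name><element> form apply in that order with
later bases winning; property elements merge by name, derived value winning; any
other setting is replaced wholesale. An unset $(var) raises, so a wrong key or
governance path fails before a participant exists.
"""
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the QoS library above, constructed for this example.
QOS_XML = """<dds><qos_library name="QosLibrary">
 <qos_profile name="DynamicProfile">
  <participant_qos><property><value>
   <element><name>dds.transport.UDPv4.builtin.parent.allow_interfaces_list</name><value>$(interface_name)</value></element>
  </value></property></participant_qos>
 </qos_profile>
 <qos_profile name="Unicast_10Gbps_lab_snippet">
  <participant_qos><discovery>
   <initial_peers><element>$(initial-peers)</element></initial_peers>
   <multicast_receive_addresses></multicast_receive_addresses>
  </discovery></participant_qos>
 </qos_profile>
 <qos_profile name="DynamicProfileSecurity" base_name="QosLibrary::DynamicProfile">
  <participant_qos><property><value>
   <element><name>com.rti.serv.load_plugin</name><value>com.rti.serv.secure</value></element>
   <element><name>com.rti.serv.secure.library</name><value>nddssecurity</value></element>
   <element><name>com.rti.serv.secure.access_control.governance_file</name><value>resources/secure/certAuthority/$(discovery_security_algo)/governances/signed_governance_$(security_governance).xml</value></element>
  </value></property></participant_qos>
 </qos_profile>
 <qos_profile name="DynamicProfileSecurity_PSK" base_name="QosLibrary::DynamicProfileSecurity">
  <participant_qos><property><value>
   <element><name>com.rti.serv.secure.cryptography.rtps_protection_preshared_key</name><value>data:,1:SecretKey</value></element>
  </value></property></participant_qos>
 </qos_profile>
 <qos_profile name="DynamicProfileSecurity_unicast" base_name="QosLibrary::DynamicProfileSecurity">
  <base_name><element>QosLibrary::Unicast_10Gbps_lab_snippet</element></base_name>
 </qos_profile>
</qos_library></dds>"""

# Constructed values for the placeholders above; the "ecdsa" directory name is assumed.
ENV = {"interface_name": "enp1s0f0", "initial-peers": "10.0.0.1",
       "discovery_security_algo": "ecdsa", "security_governance": "rtps_sign_discovery_encrypt"}

_VAR = re.compile(r"\$\(([^)]+)\)")

def _flatten(node, path, out):
    """Collect one profile's participant_qos: property elements by name, other leaves by path."""
    for child in node:
        if child.tag == "property":
            for elem in child.iterfind("./value/element"):
                out[f"property[{elem.findtext('name').strip()}]"] = elem.findtext("value", "").strip()
            continue
        key = f"{path}/{child.tag}" if path else child.tag
        if len(child):
            _flatten(child, key, out)
        else:
            # Repeated leaves (several initial_peers) collect into one list that a derived
            # profile replaces as a whole; an empty element such as multicast_receive_addresses
            # becomes [""], meaning "explicitly cleared" rather than "unset".
            out.setdefault(key, []).append((child.text or "").strip())

def effective_settings(root, qualified_name, seen=()):
    """Merge the inheritance chain of 'Library::Profile' into one settings dict."""
    if qualified_name in seen:
        raise ValueError(f"inheritance cycle at {qualified_name}")
    lib, prof = qualified_name.split("::")
    profile = root.find(f"./qos_library[@name='{lib}']/qos_profile[@name='{prof}']")
    if profile is None:
        raise KeyError(f"unknown profile {qualified_name}")
    bases = [profile.get("base_name")] if profile.get("base_name") else []
    bases += [e.text.strip() for e in profile.iterfind("./base_name/element")]
    merged = {}
    for base in bases:
        merged.update(effective_settings(root, base, seen + (qualified_name,)))
    own = {}
    if profile.find("participant_qos") is not None:
        _flatten(profile.find("participant_qos"), "", own)
    merged.update(own)  # the derived profile overrides same-named keys from its bases
    return merged

def expand(settings, env):
    """Expand $(var) placeholders; an unset variable is an error, not an empty string."""
    def repl(match):
        if match.group(1) not in env:
            raise KeyError(f"unset QoS variable $({match.group(1)})")
        return env[match.group(1)]
    def sub(text):
        return _VAR.sub(repl, text)
    return {k: sub(v) if isinstance(v, str) else [sub(x) for x in v] for k, v in settings.items()}

def resolve(qualified_name, env=ENV, xml_text=QOS_XML):
    """Fully resolved settings of one profile: inheritance merged, variables expanded."""
    return expand(effective_settings(ET.fromstring(xml_text), qualified_name), env)

if __name__ == "__main__":
    for key, value in sorted(resolve("QosLibrary::DynamicProfileSecurity_unicast").items()):
        print(f"{key} = {value}")
```

Running it lists what DynamicProfileSecurity_unicast actually carries: the plugin properties and governance path inherited from DynamicProfileSecurity plus the unicast peer list and the cleared multicast addresses from the snippet. Resolving any security profile with an empty environment raises on the first unset variable instead of silently producing an empty certificate path.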
Security Profiles
In this set of tests, we compared discovery times for different levels of security as the number of participants (and therefore endpoints) increases. We differentiate among five configurations: one without the Security Plugins, and four governance files that all reject unauthenticated participants and enforce join, read and write access control, differing only in the protection kinds applied to RTPS, discovery and liveliness traffic:
No Security Libraries: This test uses RTI Connext Professional without the Security Plugins.
Secure Libraries, RTPS None + Discovery None: This test uses the Security Plugins, so every participant must authenticate and pass the permissions checks, but no message is protected on the wire (no encryption and no MAC). The gap between this configuration and "No Security Libraries" is therefore the cost of the authentication handshake and access control alone. This test uses this governance file:
```xml
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>FALSE</allow_unauthenticated_participants>
      <enable_join_access_control>TRUE</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>NONE</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>FALSE</enable_discovery_protection>
          <enable_read_access_control>TRUE</enable_read_access_control>
          <enable_write_access_control>TRUE</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
Secure Libraries, RTPS Sign + Discovery None: This test is similar to the one above, but sets rtps_protection_kind to SIGN, so every RTPS message carries a MAC while its contents remain readable:
```xml
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>FALSE</allow_unauthenticated_participants>
      <enable_join_access_control>TRUE</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>FALSE</enable_discovery_protection>
          <enable_read_access_control>TRUE</enable_read_access_control>
          <enable_write_access_control>TRUE</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
Secure Libraries, RTPS Sign + Discovery Encrypt: In this test we set rtps_protection_kind to SIGN, and discovery_protection_kind and liveliness_protection_kind to ENCRYPT. The topic rule also sets enable_discovery_protection to TRUE, which is what routes endpoint discovery for the topic over the protected discovery endpoints:
```xml
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>FALSE</allow_unauthenticated_participants>
      <enable_join_access_control>TRUE</enable_join_access_control>
      <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
      <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>TRUE</enable_discovery_protection>
          <enable_read_access_control>TRUE</enable_read_access_control>
          <enable_write_access_control>TRUE</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
Secure Libraries, RTPS None + Discovery Encrypt: In this test we set discovery_protection_kind and liveliness_protection_kind to ENCRYPT (again with enable_discovery_protection TRUE) and leave rtps_protection_kind at NONE, so discovery and liveliness traffic is encrypted while user data and the RTPS envelope are not protected:
```xml
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>FALSE</allow_unauthenticated_participants>
      <enable_join_access_control>TRUE</enable_join_access_control>
      <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
      <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
      <rtps_protection_kind>NONE</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>TRUE</enable_discovery_protection>
          <enable_read_access_control>TRUE</enable_read_access_control>
          <enable_write_access_control>TRUE</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
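The four governance files above differ only in three protection kinds, and it is easy to misread what each one leaves exposed, because rtps_protection_kind wraps the whole RTPS message while the discovery, liveliness, metadata and data kinds apply to submessages inside it. As an added example that is not part of this page or of RTI's code, the following Python script rebuilds the four variants, computes the strongest protection that covers each traffic class on the wire, and lists what an outsider on the network can forge or read under each governance. The "RTPS kind is a floor" model and the handling of enable_discovery_protection are this example's assumptions; participant announcements (SPDP) and the authentication handshake precede key establishment and are outside the model.

```python
"""Effective wire protection implied by a DDS Security governance file.

Added example for this page; it is not RTI's code. It reads only the governance
elements used in the four variants above and computes, per traffic class, the
strongest protection that actually covers it on the wire. Model (an assumption
of this example): rtps_protection_kind wraps every submessage of a message, so
it is a floor for discovery, liveliness, metadata and data, whose own kinds can
only raise it. Participant announcements (SPDP) and the authentication handshake
precede key establishment and are outside the model.
"""
import xml.etree.ElementTree as ET

def governance_xml(discovery, liveliness, rtps, metadata="NONE", data="NONE"):
    """Governance document in the shape of the four files above (constructed here)."""
    enable_disc = "FALSE" if discovery == "NONE" else "TRUE"
    return f"""<dds>
  <domain_access_rules>
    <domain_rule>
      <domains><id_range><min>0</min></id_range></domains>
      <allow_unauthenticated_participants>FALSE</allow_unauthenticated_participants>
      <enable_join_access_control>TRUE</enable_join_access_control>
      <discovery_protection_kind>{discovery}</discovery_protection_kind>
      <liveliness_protection_kind>{liveliness}</liveliness_protection_kind>
      <rtps_protection_kind>{rtps}</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>{enable_disc}</enable_discovery_protection>
          <enable_read_access_control>TRUE</enable_read_access_control>
          <enable_write_access_control>TRUE</enable_write_access_control>
          <metadata_protection_kind>{metadata}</metadata_protection_kind>
          <data_protection_kind>{data}</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>"""

# The four governance levels benchmarked above.
GOVERNANCE = {
    "rtps_none_discovery_none": governance_xml("NONE", "NONE", "NONE"),
    "rtps_sign_discovery_none": governance_xml("NONE", "NONE", "SIGN"),
    "rtps_sign_discovery_encrypt": governance_xml("ENCRYPT", "ENCRYPT", "SIGN"),
    "rtps_none_discovery_encrypt": governance_xml("ENCRYPT", "ENCRYPT", "NONE"),
}

# Strength order; the *_WITH_ORIGIN_AUTHENTICATION variants map to their base kind by prefix.
LEVELS = ["NONE", "SIGN", "ENCRYPT"]

def protection_level(kind):
    """0 = no protection, 1 = MAC only (readable), 2 = encrypted and authenticated."""
    kind = kind.strip().upper()
    for level, name in enumerate(LEVELS):
        if kind.startswith(name):
            return level
    raise ValueError(f"unknown protection kind {kind!r}")

def _text(node, tag, default):
    child = node.find(tag)
    return child.text.strip() if child is not None and child.text else default

def effective_protection(governance):
    """Map each traffic class of the first domain rule to the kind that covers it on the wire."""
    rule = ET.fromstring(governance).find("./domain_access_rules/domain_rule")
    if rule is None:
        raise ValueError("governance document has no domain_rule")
    rtps = protection_level(_text(rule, "rtps_protection_kind", "NONE"))
    disc = protection_level(_text(rule, "discovery_protection_kind", "NONE"))
    live = protection_level(_text(rule, "liveliness_protection_kind", "NONE"))
    out = {"rtps": rtps, "liveliness": max(live, rtps)}
    for topic in rule.iterfind("./topic_access_rules/topic_rule"):
        expr = _text(topic, "topic_expression", "*")
        # A topic's endpoint discovery uses the protected discovery endpoints only when
        # the topic opts in; otherwise it travels over the plain SEDP endpoints.
        opted_in = _text(topic, "enable_discovery_protection", "FALSE").upper() == "TRUE"
        out[f"discovery:{expr}"] = max(disc if opted_in else 0, rtps)
        out[f"metadata:{expr}"] = max(protection_level(_text(topic, "metadata_protection_kind", "NONE")), rtps)
        out[f"data:{expr}"] = max(protection_level(_text(topic, "data_protection_kind", "NONE")), rtps)
    return {key: LEVELS[level] for key, level in out.items()}

def exposure(governance):
    """What an outsider on the path can forge (no MAC) and what it can read (no encryption)."""
    effective = effective_protection(governance)
    return {
        "forgeable": sorted(k for k, v in effective.items() if v == "NONE"),
        "readable": sorted(k for k, v in effective.items() if v != "ENCRYPT"),
    }

if __name__ == "__main__":
    for name, doc in GOVERNANCE.items():
        print(f"{name}: {exposure(doc)}")
```

The output makes the benchmark's trade-off concrete: "RTPS None + Discovery None" leaves every class forgeable, "RTPS Sign + Discovery None" removes forgery by outsiders but leaves topic names, QoS and user data readable, and "RTPS None + Discovery Encrypt" hides discovery and liveliness while user data and the RTPS envelope stay both readable and forgeable.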
1.5.2.2. Testing Different Digital Signature and Key Establishment Algorithms¶
Endpoint Discovery
The following graph displays the time it takes to complete endpoint discovery, per number of participants. There is one endpoint for each participant; across all participants, half the endpoints are DataWriters and half are DataReaders. For each scenario, we graph three values: the maximum, median, and minimum times that the participants took to complete endpoint discovery. (Maximums and minimums are the dashed lines; medians are the solid lines.)
The following graphs display the network traffic (bytes sent and received) until the discovery process completes, per number of particip­ants. There is one endpoint for each participant; across all participants, half the endpoints are DataWriters and half are DataReaders. For each scenario, we graph three values: the maximum, median, and minimum bytes reported by the participants until the completion of endpoint discovery. (Maximums and minimums are the dashed lines; medians are the solid lines.)
(Graph tabs: Sent, Received)
The following graphs display the amount of memory required by the application after completing the discovery process, per number of participants. There is one endpoint for each participant; across all participants, half the endpoints are DataWriters and half are DataReaders. For each scenario, we graph three values: the maximum, median, and minimum memory reported by the participants after the completion of endpoint discovery. (Maximums and minimums are the dashed lines; medians are the solid lines.)
The test parameters, software, hardware and QoS file for this scenario are the same as those listed for Section 1.5.2.1 above.
Security Profiles
For these specific tests we kept the same governance file configuration and varied only the encryption algorithms in use. We used the following governance configuration:
Secure Libraries, RTPS Sign + Discovery Encrypt: In this test we set the rtps_protection_kind to SIGN and the discovery_protection_kind and liveliness_protection_kind to ENCRYPT:
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>FALSE</allow_unauthenticated_participants>
      <enable_join_access_control>TRUE</enable_join_access_control>
      <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
      <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>TRUE</enable_discovery_protection>
          <enable_read_access_control>TRUE</enable_read_access_control>
          <enable_write_access_control>TRUE</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>