1.5.1.2. Encryption Algorithms

RTI Connext 7.3 allows changing the encryption algorithm used by the Security Plugins. The default is AES256+GCM (previous releases defaulted to AES128+GCM). In this test we compare the latency and throughput obtained with these two algorithms.

To modify this parameter we set the following property in the XML QoS profile. Like every Security Plugins property, it belongs to the DomainParticipant's property QoS, so both the publisher and the subscriber participant must use the same value:

<element>
      <name>com.rti.serv.secure.cryptography.encryption_algorithm</name>
      <value>AES256+GCM</value>
</element>
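Both values name the same AEAD construction (AES in GCM mode) and differ only in key length. The following added example, written for this page and not part of RTI Perftest or the Security Plugins, shows what changing the algorithm does and does not change: the 12-byte nonce and 16-byte tag are the same for both key sizes, so the per-message wire overhead is identical and only the CPU cost differs (AES-256 runs 14 rounds per block instead of 10). The keys, the header used as associated data and the payload sizes are constructed locally; the Security Plugins derive their own session keys and frame RTPS messages their own way.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// NewAESGCM builds an AES-GCM AEAD for a random 16-byte (AES128+GCM) or
// 32-byte (AES256+GCM) key. The key is generated locally for this example.
func NewAESGCM(keyBytes int) (cipher.AEAD, error) {
	if keyBytes != 16 && keyBytes != 32 {
		return nil, errors.New("key must be 16 (AES-128) or 32 (AES-256) bytes")
	}
	key := make([]byte, keyBytes)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WireOverhead is what GCM adds to every message: 12-byte nonce + 16-byte tag.
// It does not depend on the key size.
func WireOverhead(aead cipher.AEAD) int {
	return aead.NonceSize() + aead.Overhead()
}

// Protect seals payload under a fresh random nonce and returns
// nonce || ciphertext || tag. header is authenticated but not encrypted
// (GCM additional data): the part of a message that must stay readable on
// the wire but must not be altered.
func Protect(aead cipher.AEAD, payload, header []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, payload, header), nil
}

// Unprotect reverses Protect. Any change to nonce, ciphertext, tag or header
// makes Open fail, so a receiver never sees tampered data.
func Unprotect(aead cipher.AEAD, msg, header []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(msg) < ns+aead.Overhead() {
		return nil, errors.New("message shorter than nonce+tag")
	}
	return aead.Open(nil, msg[:ns], msg[ns:], header)
}

// Throughput seals iters payloads of size bytes under one key and returns MB/s.
func Throughput(keyBytes, size, iters int) (float64, error) {
	aead, err := NewAESGCM(keyBytes)
	if err != nil {
		return 0, err
	}
	payload := make([]byte, size)
	nonce := make([]byte, aead.NonceSize())
	out := make([]byte, 0, size+aead.Overhead())
	start := time.Now()
	for i := 0; i < iters; i++ {
		binary.BigEndian.PutUint64(nonce[4:], uint64(i)) // counter nonce: never repeats under one key
		out = aead.Seal(out[:0], nonce, payload, nil)
	}
	return float64(size*iters) / time.Since(start).Seconds() / 1e6, nil
}

func main() {
	// 32 and 63000 bytes are the smallest and largest sizes the Perftest
	// script sweeps before its extended (fragmented) sizes.
	for _, size := range []int{32, 63000} {
		for _, keyBytes := range []int{16, 32} {
			mbps, err := Throughput(keyBytes, size, 2000)
			if err != nil {
				fmt.Println("error:", err)
				return
			}
			fmt.Printf("AES%d+GCM %6d-byte payload: %8.1f MB/s\n", keyBytes*8, size, mbps)
		}
	}
}
```

On a CPU with AES-NI the two throughput figures are close; the gap grows on processors without hardware AES, which is where the Perftest numbers for the two algorithms diverge most. The ciphertext length check is the point to remember when sizing packets: moving from AES128+GCM to AES256+GCM never changes the datagram size.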
Perftest Scripts

To produce these tests, we executed RTI Perftest for C++98. The scripts used to run the tests are reproduced below: first the base script, which runs one Perftest publisher or subscriber over a set of data sizes, and then the security wrapper, which invokes the base script once per security profile with the corresponding governance file.

#!/bin/bash
filename=$0
script_location=$(cd "$(dirname "$filename")" || exit 255; pwd)

export datasizes="32 64 128 256 512 1024 2048 4096 8192 16384 32768 63000"
export datasizes_extended="${datasizes} 100000 500000 1048576 1548576 4194304 10485760"

export domain="2"
export exec_time=20
export num_reps=1
export instance_number=100000
export core=0

# We will use some colors to improve visibility of errors and info messages.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
BLUE='\033[0;34m'
LIGHTBLUE='\033[0;36m'
NC='\033[0m'
INFO_TAG="${GREEN}[INFO]:${NC}"
WARNING_TAG="${YELLOW}[WARNING]:${NC}"
ERROR_TAG="${RED}[ERROR]:${NC}"

export ip_machine_1="10.2.78.20"
export ip_machine_2="10.2.78.21"
export if10Gbps="enp1s0f0"
export if1Gbps="eno1"

################################################################################

function disable_colors() {
    export RED=""
    export GREEN=""
    export YELLOW=""
    export NC=""
    export BLUE=""
    export LIGHTBLUE=""
    export INFO_TAG="${GREEN}[INFO]:${NC}"
    export WARNING_TAG="${YELLOW}[WARNING]:${NC}"
    export ERROR_TAG="${RED}[ERROR]:${NC}"
}

function change_domain() {
    if [[ "$domain" == "1" ]]; then
        export domain="2"
    else
        export domain="1"
    fi
}

# Usage: execute_test <keyed/unkeyed> <rel/be> <datasizes> <batchSize>
function execute_test() {

    local keyed_unkeyed=$1
    local rel_be=$2
    local datasizes_test=$3
    local other_args=$4
    local name_suffix=$5

    local commands_string_test=$commands_string
    local tag=""

    if [[ "${keyed_unkeyed}" == "keyed" ]]; then
        commands_string_test="${commands_string_test} -keyed -instances $instance_number"
        tag="[${YELLOW}${transport}${NC}|${BLUE}K${NC}|"
    else
        tag="[${YELLOW}${transport}${NC}|${LIGHTBLUE}UK${NC}|"
    fi

    if [[ "${rel_be}" == "be" ]]; then
        commands_string_test="${commands_string_test} -bestEffort"
        tag="${tag}${YELLOW}BE${NC}]"
    else
        tag="${tag}${RED}REL${NC}]"
    fi

    tag="${tag}[${LIGHTBLUE}${lat_thr}${NC}]"

    local output_file=$output_folder/${lat_thr}_${role}_${keyed_unkeyed}_${rel_be}${name_suffix}.csv

    if [[ "$role" == "pub" ]]; then
        echo -e "${YELLOW}[TEST]: $keyed_unkeyed, $rel_be. ${NC}"
    fi

    if [[ "$NO_TASKSET" == "" ]]; then
        if [[ "$LANGUAGE" != "java" && "$LANGUAGE" != "cs" ]]; then
            export pre_command_string="taskset -c $core"
        fi
    fi

    if [[ "$LANGUAGE" == "python" ]]; then
        export pre_command_string="python3 "
    fi

    if [[ "$DOCKER" == "1" ]]; then
        export pre_command_string="taskset -c $core docker run --net=host -v /home/perfuser/rti_license_connextpro.dat:/opt/rti.com/rti_connext_dds-7.3.0/rti_license.dat rticom/perftest:7.3.0-EAR "
        executable=""
    fi

    # Get the aprox time this will take:
    total_tests=$(( $(wc -w <<< "$datasizes_test") * num_reps ))
    total_time=$((total_tests * exec_time))

    touch $output_file
    local no_headers=""
    local current_test=0
    for index in $(seq 1 ${num_reps}); do
        for DATALEN in ${datasizes_test}; do
            current_test=$((current_test + 1))
            export command="$pre_command_string $executable -domain $domain -dataLen $DATALEN $commands_string_test $other_args $no_headers"
            if [[ "$role" == "pub" ]]; then
                echo -e "Test ${tag} (${current_test}/${total_tests}) -- Total time = ${total_time}s"
                echo -e ${BLUE}$command${NC}
            else
                echo -e ${LIGHTBLUE}$command${NC}
            fi
            if [[ "$LANGUAGE" == "cs" && "$role" == "pub" ]]; then
                sleep 3
            fi
            if [[ "$raw" == "1" && "$role" == "sub" ]]; then
                sleep 5
            fi
            if [[ "${get_netstat_info}" == "1" ]]; then
                echo -e "${INFO_TAG} Getting netstat info before"
                netstat -s -u | grep -e "error" -e "packet" > $output_folder/${lat_thr}_${role}_${keyed_unkeyed}_${rel_be}${name_suffix}_netstat_before.txt
            fi
            eval $command >> $output_file;
            if [[ "${get_netstat_info}" == "1" ]]; then
                echo -e "${INFO_TAG} Getting netstat info after"
                netstat -s -u | grep -e "error" -e "packet" > $output_folder/${lat_thr}_${role}_${keyed_unkeyed}_${rel_be}${name_suffix}_netstat_after.txt
                touch "$output_folder/${lat_thr}_${role}_${keyed_unkeyed}_${rel_be}${name_suffix}_netstat.csv"
                python3 $script_location/../../../tools/diff_netstat_output.py \
                    -n $output_folder/${lat_thr}_${role}_${keyed_unkeyed}_${rel_be}${name_suffix}_netstat_after.txt \
                    -o $output_folder/${lat_thr}_${role}_${keyed_unkeyed}_${rel_be}${name_suffix}_netstat_before.txt \
                    -d $DATALEN $no_header_netstat \
                    -csv >> "$output_folder/${lat_thr}_${role}_${keyed_unkeyed}_${rel_be}${name_suffix}_netstat.csv"
                rm -rf $output_folder/${lat_thr}_${role}_${keyed_unkeyed}_${rel_be}${name_suffix}_netstat_*.txt
                no_header_netstat=" -nh"
            fi
            no_headers=" -noOutputHeaders"

            change_domain
        done
    done
}

################################################################################
# PARSE COMMAND LINE OPTIONS:

while [ "$1" != "" ]; do
    case $1 in
        --executable)
            executable=$2
            shift
            ;;
        --docker)
            DOCKER="1"
            ;;
        --output-folder)
            output_folder=$2
            shift
            ;;
        --sub-folder)
            sub_folder=$2
            shift
            ;;
        --role)
            export role=$2
            shift
            ;;
        --core)
            export core=$2
            shift
            ;;
        --test-kind)
            export lat_thr=$2
            shift
            ;;
        --interface1)
            export interface=$2
            shift
            ;;
        --interface2)
            export interface2=$2
            shift
            ;;
        --ip1)
            export ip1=$2
            shift
            ;;
        --ip2)
            export ip2=$2
            shift
            ;;
        --repetitions)
            export num_reps=$2
            shift
            ;;
        --domain)
            export domain=$2
            shift
            ;;
        --execution-time)
            export exec_time=$2
            shift
            ;;
        --transport)
            export transport=$2
            shift
            ;;
        --datalen)
            export datalen_input=$2
            shift
            ;;
        --file-suffix)
            export file_suffix=$2
            shift
            ;;
        --executable-suffix)
            export executable_suffix=$2
            shift
            ;;
        --extra-arguments)
            export extra_arguments=$2
            shift
            ;;
        --extra-arguments-pub)
            export extra_arguments_pub=$2
            shift
            ;;
        --extra-arguments-sub)
            export extra_arguments_sub=$2
            shift
            ;;
        --skip-no-batching)
            export skip_no_batching="1"
            ;;
        --skip-be)
            export skip_be_tests="1"
            ;;
        --skip-rel)
            export skip_rel_tests="1"
            ;;
        --skip-keyed)
            export skip_keyed_data="1"
            ;;
        --skip-large-data)
            export skip_large_data="1"
            ;;
        --large-data)
            export large_data="1"
            ;;
        --keyed)
            export skip_unkeyed="1"
            ;;
        --unkeyed)
            export skip_keyed_data="1"
            ;;
        --no-batching | --skip-batching)
            export no_batching_only="1"
            ;;
        --reliable)
            export skip_be_tests="1"
            ;;
        --best-effort)
            export skip_rel_tests="1"
            ;;
        --security)
            export security_only="$2"
            shift
            ;;
        --micro)
            export micro="1"
            ;;
        --raw | --raw-transport)
            export raw="1"
            ;;
        --tss)
            export tss="1"
            ;;
        --no-colors)
            export NO_COLORS="1"
            ;;
        --language)
            export LANGUAGE=$2
            shift
            ;;
        --loss-rate)
            export loss_rate=$2
            shift
            ;;
        --get-netstat-info | --netstat)
            export get_netstat_info="1"
            ;;
        --no-taskset)
            export NO_TASKSET="1"
            ;;
        *)
            echo -e "unknown parameter \"$1\""
            exit 255
            ;;
    esac
    shift
done

if [[ "$NO_COLORS" == "1" ]]; then
    disable_colors
fi

export folder_base="$(dirname "${executable}")"/../../..

if [[ $LANGUAGE == "java"  || "$LANGUAGE" == "cs" ]]; then
    export folder_base="$(dirname "${executable}")"/../..
fi
if [[ $tss == "1" ]]; then
    export folder_base="$(dirname "${executable}")"/../../../../..
fi

if [[ "${executable_suffix}" != "" ]]; then
    export executable="${executable}${executable_suffix}"
fi

if [[ "${sub_folder}" != "" ]]; then
    export output_folder="${output_folder}/${sub_folder}"
fi

echo -e "${INFO_TAG} Perftest executable is: $executable"
echo -e "${INFO_TAG} Output folder is: $output_folder"

################################################################################

if [[ "$LANGUAGE" == "python" ]]; then
    export skip_keyed_data="1"
    export skip_large_data="1"
    export skip_be_tests="1"
    export skip_no_batching="1"
fi

if [[ "${skip_large_data}" == "1" ]]; then
    export datasizes_extended=${datasizes}
elif [[ "${large_data}" == "1" ]]; then
    export datasizes=${datasizes_extended}
fi

if [[ "${datalen_input}" != "" ]]; then
    echo -e "${YELLOW}[TEST] Testing only for ${datalen_input}${NC}"
    export datasizes=${datalen_input}
    export datasizes_extended=${datalen_input}
    if [[ "${no_batching_only}" != "1" ]]; then
        export skip_large_data="1"
    fi
fi

if [[ "$role" != "pub" && "$role" != "sub" ]]; then
    echo -e "${ERROR_TAG} It must be either publisher or subscriber"
    exit 255
fi

if [[ "$lat_thr" != "thr" && "$lat_thr" != "lat" ]]; then
    echo -e "${ERROR_TAG} It must be either lat or thr"
    exit 255
fi

if [[ "${interface}" == "" ]]; then
    echo "Using default nics"
    export nic_publisher=${ip_machine_1}
    export nic_subscriber=${ip_machine_2}
elif [[ "${interface}" == "both" ]]; then
        export nic_publisher="${if10Gbps},${if1Gbps}"
        export nic_subscriber="${if10Gbps},${if1Gbps}"
    echo -e "${INFO_TAG} Using nic_publisher: ${nic_publisher}"
    echo -e "${INFO_TAG} Using nic_subscriber: ${nic_subscriber}"
else
    export nic_publisher=$interface
    echo -e "${INFO_TAG} Using nic_publisher: ${nic_publisher}"

    if [[ "${interface2}" == "" ]]; then
        export nic_subscriber=$interface
    else
        export nic_subscriber=$interface2
    fi
    echo -e "${INFO_TAG} Using nic_subscriber: ${nic_subscriber}"

    if [[ "${ip1}" != "" ]]; then
        export ip_publisher=$ip1
        echo "Using ip_publisher: ${ip_publisher}"
    fi

    if [[ "${ip2}" != "" ]]; then
        export ip_subscriber=$ip2
        echo "Using ip_subscriber: ${ip_subscriber}"
    fi

fi

export transport_string="-transport $transport"

if [[ "$transport" == "UDPv4" ]]; then

    export transport_string_pub="$transport_string -nic $nic_publisher"
    export transport_string_sub="$transport_string -nic $nic_subscriber"

    if [[ "$micro" == "1" || "$raw" == "1" ]]; then
        export transport_string_pub="$transport_string_pub -peer ${ip_subscriber}"
        export transport_string_sub="$transport_string_sub -peer ${ip_publisher}"
    fi

elif [[ "$transport" == "TCP" ]]; then
    export transport_string_pub="$transport_string \
        -nic $nic_publisher \
        -peer 0@tcpv4_lan://${ip_subscriber}:7400"
    export transport_string_sub="$transport_string \
        -nic $nic_subscriber \
        -peer 0@tcpv4_lan://${ip_publisher}:7400"
elif [[ "$transport" == "TLS" ]]; then
    export transport_string_pub="$transport_string \
        -nic $nic_publisher \
        -peer tlsv4_lan://${ip_subscriber}:7400"
    export transport_string_sub="$transport_string \
        -nic $nic_subscriber \
        -peer tlsv4_lan://${ip_publisher}:7400"
elif [[ "$transport" == "UDPv4_WAN" ]]; then
    export transport_string_pub="$transport_string \
        -nic $nic_publisher \
        -transportPublicAddress $ip_publisher:7400"
    export transport_string_sub="$transport_string \
        -nic $nic_subscriber \
        -peer 0@udpv4_wan://${ip_publisher}:7400"
else
    export transport_string_pub="$transport_string"
    export transport_string_sub="$transport_string"
fi

################################################################################

export pub_string="-pub \
        ${transport_string_pub} \
        -noPrintIntervals \
        -executionTime $exec_time"

if [[ ${lat_thr} == "lat" ]]; then
    export pub_string="$pub_string \
        -latencyTest"
fi

export sub_string="-sub \
        ${transport_string_sub} \
        -noPrintIntervals"

if [[ "$role" == "pub" ]]; then
    echo -e "$INFO_TAG Publisher side running"
    export commands_string=${pub_string}
    export extra_arguments="${extra_arguments} ${extra_arguments_pub}"
else
    echo -e "$INFO_TAG Subscriber side running"
    export commands_string=${sub_string}
    export extra_arguments="${extra_arguments} ${extra_arguments_sub}"
fi

###############################################################################

echo -e "${INFO_TAG} Executing: /set_${lat_thr}_mode.sh"
sudo /set_${lat_thr}_mode.sh
sleep 5

echo -e "${INFO_TAG} Disabling any loss rate"
sudo tc qdisc add dev $nic_publisher root netem loss 0%
sudo tc qdisc del dev $nic_publisher root netem loss 0%

if [[ "$role" == "pub" && "${loss_rate}" != "" ]]; then
    echo -e "${INFO_TAG} Setting loss rate to ${loss_rate}%"
    sudo tc qdisc add dev $nic_publisher root netem loss $loss_rate%
fi

cd $folder_base
echo -e "${INFO_TAG} Folder Base is: $PWD"
mkdir -p $output_folder

# Tests that may use batching (when doing throughput tests)
if [[ ${no_batching_only} != "1" ]]; then

    # UNKEYED
    if [[ "${skip_unkeyed}" == "" ]]; then

        # RELIABLE
        if [[ "${skip_rel_tests}" == "" ]]; then
            execute_test "unkeyed" "rel" "${datasizes_extended}" "${extra_arguments}" "$file_suffix"
        fi

        # BEST EFFORT
        if [[ "${skip_be_tests}" == "" ]]; then
            execute_test "unkeyed" "be" "${datasizes}" "${extra_arguments}" "$file_suffix"
        fi
    fi

    # KEYED
    if [[ "${skip_keyed_data}" == "" ]]; then

        # RELIABLE
        if [[ "${skip_rel_tests}" == "" ]]; then
            execute_test "keyed" "rel" "${datasizes}" "${extra_arguments}" "$file_suffix"
        fi

        # BEST EFFORT
        if [[ "${skip_be_tests}" == "" ]]; then
            execute_test "keyed" "be" "${datasizes}" "${extra_arguments}" "$file_suffix"
        fi
    fi

fi

if [[ "${skip_no_batching}" == "" || "${no_batching_only}" == "1" ]]; then
    no_batching_tests="1"
fi

# Tests that will not use batching
if [[ "${lat_thr}" == "thr" && "${no_batching_tests}" == "1" ]]; then

    if [[ "$role" == "pub" ]]; then
        export commands_string="${commands_string} -batchSize 0"
    fi

    # UNKEYED
    if [[ "${skip_unkeyed}" == "" ]]; then

        # RELIABLE
        if [[ "${skip_rel_tests}" == "" ]]; then
            execute_test "unkeyed" "rel" "${datasizes}" "${extra_arguments}" "_noBatch${file_suffix}"
        fi

        # BEST EFFORT
        if [[ "${skip_be_tests}" == "" ]]; then
            execute_test "unkeyed" "be" "${datasizes}" "${extra_arguments}" "_noBatch${file_suffix}"
        fi
    fi
fi

if [[ "$role" == "pub" && "${loss_rate}" != "" ]]; then
    echo -e "${INFO_TAG} Disabling loss rate"
    sudo tc qdisc del dev $nic_publisher root netem loss $loss_rate%
fi
#!/bin/bash
filename=$0
script_location=$(cd "$(dirname "$filename")" || exit 255; pwd)

export input_params=$@

while [ "$1" != "" ]; do
    case $1 in
        --executable)
            executable=$2
            shift
            ;;
        --security)
            export security_only=$2
            shift
            ;;
        *)
            ;;
    esac
    shift
done

echo -e "[INFO]: Security profiles selected: ${security_only:-all}"

export folder_base="$(dirname "${executable}")"/../../..
export PATH_TO_GOVERNANCE_FILES_FOLDER=$folder_base/resource/secure

if [[ "${security_only}" == "none" || "${security_only}" == "" ]]; then
    echo -e "[Calling base_script/script.sh] -- No Security"
    "${script_location}/../base_script/script.sh" $input_params --transport UDPv4 \
        --skip-no-batching --skip-be --skip-keyed --skip-large-data \
        --file-suffix "_security_none"
    sleep 5;
fi

if [[ "${security_only}" == "no_protection" || "${security_only}" == "" ]]; then
    echo -e "[Calling base_script/script.sh] -- No Protection"
    "${script_location}/../base_script/script.sh" $input_params --transport UDPv4 \
        --skip-no-batching --skip-be --skip-keyed --skip-large-data \
        --extra-arguments "-secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_.xml " \
        --file-suffix "_security_no_protection"
fi

if [[ "${security_only}" == "rtps_sign" || "${security_only}" == "" ]]; then
    echo -e "[Calling base_script/script.sh] -- RTPS Sign"
    "${script_location}/../base_script/script.sh" $input_params --transport UDPv4 \
        --skip-no-batching --skip-be --skip-keyed --skip-large-data \
        --extra-arguments "-secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSign.xml " \
        --file-suffix "_security_rtps_sign"
fi

if [[ "${security_only}" == "rtps_encrypt" || "${security_only}" == "" ]]; then
    echo -e "[Calling base_script/script.sh] -- RTPS Encrypt"
    "${script_location}/../base_script/script.sh" $input_params --transport UDPv4 \
        --skip-no-batching --skip-be --skip-keyed --skip-large-data \
        --extra-arguments "-secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSEncrypt.xml " \
        --file-suffix "_security_rtps_encrypt"
fi

if [[ "${security_only}" == "rtps_sign_submessage_encrypt" || "${security_only}" == "" ]]; then
    echo -e "[Calling base_script/script.sh] -- RTPS Sign, Submessage Encrypt"
    "${script_location}/../base_script/script.sh" $input_params --transport UDPv4 \
        --skip-no-batching --skip-be --skip-keyed --skip-large-data \
        --extra-arguments "-secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_SignEncryptSubmessage.xml " \
        --file-suffix "_security_rtps_sign_submessage_encrypt"
fi

if [[ "${security_only}" == "rtps_sign_submessage_encrypt_orig_data_encrypt" || "${security_only}" == "" ]]; then
    echo -e "[Calling base_script/script.sh] -- RTPS Sign, Submessage Encrypt with original auth, Data Encrypt"
    "${script_location}/../base_script/script.sh" $input_params --transport UDPv4 \
        --skip-no-batching --skip-be --skip-keyed --skip-large-data \
        --extra-arguments "-secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSignEncryptSubmessageWithOrigAuthEncryptData.xml " \
        --file-suffix "_security_rtps_sign_submessage_encrypt_orig_data_encrypt"
fi

if [[ "${security_only}" == "rtps_sign_orig_data_encrypt" || "${security_only}" == "" ]]; then
    echo -e "[Calling base_script/script.sh] -- RTPS Sign with Original auth, Data Encrypt"
    "${script_location}/../base_script/script.sh" $input_params --transport UDPv4 \
        --skip-no-batching --skip-be --skip-keyed --skip-large-data \
        --extra-arguments "-secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSignWithOrigAuthEncryptData.xml " \
        --file-suffix "_security_rtps_sign_orig_data_encrypt"
    sleep 5;
fi

Security Profiles

To test different levels of security, we selected a well-known set of configurations, defined in the Governance files shipped with RTI Perftest. With them we measured the minimum latency and maximum throughput achievable in each scenario. The scenarios are described below.

The profiles we have used are the following:

  • Not using security libraries

In this scenario, RTI Security Plugins are not used at all, so the performance is the same as what the Core Libraries provide in the Unkeyed, UDPv4 10Gbps Network, C++98 results.

  • No protection

In this scenario, Security Plugins are enabled but no protection is applied at any level: every protection kind is NONE and unauthenticated participants are allowed. Together with the previous scenario, it calibrates the cost of loading the Security Plugins before any cryptographic protection is added.

The governance profile used in this scenario is the following:

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>TRUE</allow_unauthenticated_participants>
        <enable_join_access_control>FALSE</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>NONE</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>FALSE</enable_discovery_protection>
            <enable_read_access_control>FALSE</enable_read_access_control>
            <enable_write_access_control>FALSE</enable_write_access_control>
            <metadata_protection_kind>NONE</metadata_protection_kind>
            <data_protection_kind>NONE</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>
  • RTPS ‘Sign’

This scenario sets the rtps_protection_kind to SIGN. Every RTPS message carries a MAC computed with key material shared among the authenticated participants, so an outsider on the network cannot inject or alter messages, while the content itself stays in cleartext. This configuration provides protection against outsiders at the lowest cost.

The governance profile used in this scenario is the following:

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
        <enable_join_access_control>false</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>SIGN</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>false</enable_discovery_protection>
            <enable_liveliness_protection>false</enable_liveliness_protection>
            <enable_read_access_control>false</enable_read_access_control>
            <enable_write_access_control>false</enable_write_access_control>
            <metadata_protection_kind>NONE</metadata_protection_kind>
            <data_protection_kind>NONE</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>
  • RTPS ‘Encrypt’

This scenario sets the rtps_protection_kind to ENCRYPT. The submessages of every RTPS message are encrypted and authenticated, which is similar to the protection TLS provides on the wire. Because the key is the participant's, shared with every matched participant, this protects against outsiders but not against other authenticated participants in the domain.

The governance profile used in this scenario is the following:

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
        <enable_join_access_control>false</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>ENCRYPT</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>false</enable_discovery_protection>
            <enable_liveliness_protection>false</enable_liveliness_protection>
            <enable_read_access_control>false</enable_read_access_control>
            <enable_write_access_control>false</enable_write_access_control>
            <metadata_protection_kind>NONE</metadata_protection_kind>
            <data_protection_kind>NONE</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>
  • RTPS ‘Sign with Original Authentication’ and Data ‘Encrypt’

This scenario sets the rtps_protection_kind to SIGN_WITH_ORIGIN_AUTHENTICATION and the data_protection_kind to ENCRYPT. Origin authentication adds a receiver-specific MAC, so one participant cannot forge RTPS messages on behalf of another, and encrypting the serialized user data with the DataWriter's key (shared only with its matched DataReaders) keeps the payload confidential from participants that are not matched with the writer. This configuration is the common choice for intra-domain protection and confidentiality.

The governance profile used in this scenario is the following:

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
        <enable_join_access_control>false</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>false</enable_discovery_protection>
            <enable_liveliness_protection>false</enable_liveliness_protection>
            <enable_read_access_control>false</enable_read_access_control>
            <enable_write_access_control>false</enable_write_access_control>
            <metadata_protection_kind>NONE</metadata_protection_kind>
            <data_protection_kind>ENCRYPT</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>
  • RTPS ‘Sign,’ Submessage ‘Encrypt with Original Authentication,’ and Data ‘Encrypt’

This scenario sets the rtps_protection_kind to SIGN. It also sets the data_protection_kind to ENCRYPT and the metadata_protection_kind (submessage protection) to ENCRYPT_WITH_ORIGIN_AUTHENTICATION, so the serialized data is encrypted and the submessage carrying it is encrypted again with origin authentication. This configuration offers the most robust protection of the profiles tested.

The governance profile used in this scenario is the following:

<?xml version="1.0" encoding="UTF-8"?>

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
        <enable_join_access_control>false</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>SIGN</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>false</enable_discovery_protection>
            <enable_liveliness_protection>false</enable_liveliness_protection>
            <enable_read_access_control>false</enable_read_access_control>
            <enable_write_access_control>false</enable_write_access_control>
            <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
            <data_protection_kind>ENCRYPT</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>
  • RTPS ‘Sign,’ Submessage ‘Encrypt’

This scenario sets the rtps_protection_kind to SIGN. It also sets the metadata_protection_kind to ENCRYPT. Submessage protection uses the endpoint keys, which are shared only with matched endpoints, so user data stays confidential from other participants as well as from outsiders, while the RTPS header stays in cleartext and Wireshark can still dissect the packets as RTPS.

The governance profile used in this scenario is the following:

<?xml version="1.0" encoding="UTF-8"?>

<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="dds_security_governance.xsd">

    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
        <enable_join_access_control>false</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>SIGN</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>false</enable_discovery_protection>
            <enable_liveliness_protection>false</enable_liveliness_protection>
            <enable_read_access_control>false</enable_read_access_control>
            <enable_write_access_control>false</enable_write_access_control>
            <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
            <data_protection_kind>ENCRYPT</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>
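The governance files above differ in just a handful of elements, and a misspelled protection kind or a protection weaker than intended is easy to miss by eye. The following added example (written for this page, not part of RTI Perftest or the Security Plugins) parses the governance subset used here and reports what each setting leaves open: unauthenticated participants, RTPS traffic without a MAC, topics whose user data is in cleartext, confidentiality that rests only on the participant-wide RTPS key (readable by every authenticated participant), and encrypted topics that any authenticated participant may still subscribe to because enable_read_access_control is false, as it is in every profile above. It also rejects values outside the DDS Security enumeration. The sample documents are constructed from the profiles on this page and the finding texts are this example's own wording.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Governance mirrors the subset of a DDS Security governance document used above.
type Governance struct {
	DomainRules []DomainRule `xml:"domain_access_rules>domain_rule"`
}
type DomainRule struct {
	AllowUnauthenticated string      `xml:"allow_unauthenticated_participants"`
	RTPSProtection       string      `xml:"rtps_protection_kind"`
	TopicRules           []TopicRule `xml:"topic_access_rules>topic_rule"`
}
type TopicRule struct {
	Expression         string `xml:"topic_expression"`
	ReadAccessControl  string `xml:"enable_read_access_control"`
	MetadataProtection string `xml:"metadata_protection_kind"`
	DataProtection     string `xml:"data_protection_kind"`
}

// Values allowed by the DDS Security specification; data_protection_kind has no
// origin-authentication variants.
var fullKinds = map[string]bool{"NONE": true, "SIGN": true, "ENCRYPT": true,
	"SIGN_WITH_ORIGIN_AUTHENTICATION": true, "ENCRYPT_WITH_ORIGIN_AUTHENTICATION": true}
var basicKinds = map[string]bool{"NONE": true, "SIGN": true, "ENCRYPT": true}
func isTrue(v string) bool      { return strings.EqualFold(strings.TrimSpace(v), "true") }
func encrypts(kind string) bool { return strings.HasPrefix(kind, "ENCRYPT") }

// Review returns one finding per setting that is invalid or leaves something
// unprotected. An empty result means user data is confidential against outsiders
// and against participants that are not authorized to read it.
func Review(doc string) ([]string, error) {
	var g Governance
	if err := xml.Unmarshal([]byte(doc), &g); err != nil {
		return nil, err
	}
	var out []string
	for i, d := range g.DomainRules {
		rtps := strings.TrimSpace(d.RTPSProtection)
		if isTrue(d.AllowUnauthenticated) {
			out = append(out, fmt.Sprintf("domain_rule[%d]: unauthenticated participants are allowed", i))
		}
		switch {
		case !fullKinds[rtps]:
			out = append(out, fmt.Sprintf("domain_rule[%d]: invalid rtps_protection_kind %q", i, rtps))
		case rtps == "NONE":
			out = append(out, fmt.Sprintf("domain_rule[%d]: RTPS messages carry no MAC, an outsider can inject or alter them", i))
		}
		for _, t := range d.TopicRules {
			meta, data := strings.TrimSpace(t.MetadataProtection), strings.TrimSpace(t.DataProtection)
			if !fullKinds[meta] || !basicKinds[data] {
				out = append(out, fmt.Sprintf("topic %q: invalid protection kind (metadata %q, data %q)", t.Expression, meta, data))
			}
			switch {
			case !encrypts(rtps) && !encrypts(meta) && !encrypts(data):
				out = append(out, fmt.Sprintf("topic %q: user data travels in cleartext", t.Expression))
			case !encrypts(meta) && !encrypts(data):
				out = append(out, fmt.Sprintf("topic %q: confidentiality rests on the participant-wide RTPS key, readable by every authenticated participant", t.Expression))
			case !isTrue(t.ReadAccessControl):
				out = append(out, fmt.Sprintf("topic %q: data is encrypted but read access control is off, so any authenticated participant may subscribe and receive the key", t.Expression))
			}
		}
	}
	return out, nil
}

// Sample builds a governance document in the shape of the profiles above
// (constructed for this example) from the settings that vary between them.
func Sample(allowUnauth, rtps, meta, data string) string {
	return fmt.Sprintf(`<dds><domain_access_rules><domain_rule>
  <domains><id_range><min>0</min></id_range></domains>
  <allow_unauthenticated_participants>%s</allow_unauthenticated_participants>
  <rtps_protection_kind>%s</rtps_protection_kind>
  <topic_access_rules><topic_rule><topic_expression>*</topic_expression>
    <enable_read_access_control>false</enable_read_access_control>
    <metadata_protection_kind>%s</metadata_protection_kind>
    <data_protection_kind>%s</data_protection_kind>
  </topic_rule></topic_access_rules></domain_rule></domain_access_rules></dds>`,
		allowUnauth, rtps, meta, data)
}

func main() {
	for _, p := range [][]string{ // four of the page's profiles plus one with a misspelled kind
		{"no_protection", "TRUE", "NONE", "NONE", "NONE"},
		{"rtps_sign", "false", "SIGN", "NONE", "NONE"},
		{"rtps_encrypt", "false", "ENCRYPT", "NONE", "NONE"},
		{"rtps_sign_orig_data_encrypt", "false", "SIGN_WITH_ORIGIN_AUTHENTICATION", "NONE", "ENCRYPT"},
		{"misspelled_kind", "false", "SIGN", "ENCRYPT_WITH_ORIGINAL_AUTHENTICATION", "ENCRYPT"},
	} {
		findings, err := Review(Sample(p[1], p[2], p[3], p[4]))
		fmt.Printf("%s (err=%v):\n  %s\n", p[0], err, strings.Join(findings, "\n  "))
	}
}
```

Running the review over a real governance file before signing it is cheap insurance: the Security Plugins reject an invalid kind at participant creation, but a valid-yet-weak combination such as ENCRYPT at the RTPS level only is accepted silently and looks, on a packet capture, exactly like the stronger profiles.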

Test Hardware

The following hardware was used to perform these tests:

Linux Nodes

Dell R340 Servers (13 Units)
Processor: Intel Xeon E-2278G (3.4-5GHz, 8c/16t, 16MB cache, 2 memory channels @2666MHz)
RAM: 4x 16GB 2666MHz DIMM (64GB RAM)
HD: 480GB SATA SSD
NIC 1: Intel 710 dual port 10Gbps SFP
OS: Ubuntu 20.04 -- gcc 9.3.0

Switch

Dell 2048 -- 10Gbps switch (10Gbps and 1Gbps interfaces)