2.2. Discovery Performance for Security¶

This document describes discovery performance for certain scenarios that use RTI Security Plugins. The metodology and the tests are similar to the ones explained in the Discovery Performance section for RTI Connext DDS Professional.

These numbers should only be used as a first rough approximation, since the results are highly dependent on the hardware, software configuration, and network infrastructure of the tested system.

2.2.1. Time to Complete Discovery¶

The following graph shows the time it takes to complete endpoint discovery measured for different numbers of DomainParticipants (each with a single endpoint). See the detailed information about the tests below.

Detailed test input

The input parameters chosen for these tests are designed to go through a set of descriptive scenarios, in increasing complexity. These parameters are:

Number of hosts: 7
Participants in the system: [50 to 300 in steps of 25 participants]
Topics in the system: 1
Readers per topic: 0.5 * Participants in the system
Writers per topic: 0.5 * Participants in the system

Therefore, in this test the number of endpoints is the same as the number of participants, half of them DataReaders and half of them DataWriters.

Detailed results

Time to complete Discovery in 6.1.0 (Seconds)

Participants	No Security	Authentication Only	Secure Discovery	Secure Discovery + Sign
50	2.643	2.985	3.116	3.103
75	3.085	3.518	3.783	3.830
100	3.333	4.278	6.617	6.516
125	4.274	8.262	8.781	8.587
150	5.241	11.253	10.644	10.232
175	6.462	13.509	13.224	13.281
200	7.177	17.660	17.201	17.438
225	8.167	19.420	20.404	21.887
250	9.971	24.857	26.537	27.286
275	12.268	28.274	32.436	33.087
300	13.923	32.830	37.668	38.899

Software information

RTI developed a testing framework specifically designed for discovery benchmarking. This framework was used to perform the tests detailed in this document. This framework (named internally as Polygraph) is capable of running simultaneously different application loads and commands in all the hosts in the experiment. It can collect all of the results and monitor the resource usage of the hosts.

Polygraph is composed of four main applications: the Manager, Monitor, Agent and Test Application.

The Manager is the initial process to be run. This process launches and coordinates the Agents on each of the test hosts. The Agents are in charge of launching as many Test Applications as the Manager requests. The Manager also requests the Agents to start the tests and shut down.

The Polygraph Monitor tool is used to visualize the memory, CPU, and discovery data from the Agent and the Test Application. It also indicates problems in the communication (hosts not connected, missed deadlines, etc.).

RTI Connext DDS 6.1.0 is used for compiling and linking. The architecture chosen for the libraries is x64Linux3gcc4.8.2.

Security Profiles

In this set of tests, we compared the discovery times, increasing the number of endpoints, for different levels of security. We will differentiate among four levels:

No Security: This test will use RTI Connext DDS Professional without Security Plugins.

Secure Libraries, Authentication Only: This test uses Security Plugins and requires authentication, but doesn’t protect any messages (no encryption and no “MAC’ing”). This test uses this governance file:

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>TRUE</allow_unauthenticated_participants>
        <enable_join_access_control>FALSE</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>NONE</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>FALSE</enable_discovery_protection>
            <enable_read_access_control>FALSE</enable_read_access_control>
            <enable_write_access_control>FALSE</enable_write_access_control>
            <metadata_protection_kind>NONE</metadata_protection_kind>
            <data_protection_kind>NONE</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>

Secure Libraries, Secure Discovery In this test, we enable security restrictions for discovery. This is the governance file used:

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>FALSE</allow_unauthenticated_participants>
        <enable_join_access_control>TRUE</enable_join_access_control>
        <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
        <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
        <rtps_protection_kind>NONE</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>TRUE</enable_discovery_protection>
            <enable_read_access_control>TRUE</enable_read_access_control>
            <enable_write_access_control>TRUE</enable_write_access_control>
            <metadata_protection_kind>NONE</metadata_protection_kind>
            <data_protection_kind>NONE</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>

Secure Libraries, Secure Discovery + Sign This test is similar to Secure Discovery but also adds an rtps_protection_kind of SIGN. This is the governance file used:

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>FALSE</allow_unauthenticated_participants>
        <enable_join_access_control>TRUE</enable_join_access_control>
        <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
        <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
        <rtps_protection_kind>SIGN</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>TRUE</enable_discovery_protection>
            <enable_read_access_control>TRUE</enable_read_access_control>
            <enable_write_access_control>TRUE</enable_write_access_control>
            <metadata_protection_kind>NONE</metadata_protection_kind>
            <data_protection_kind>NONE</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>

Hardware information

Eight hosts were used to run the tests: seven to run the discovery applications and one to monitor and log the output information.

All these hosts have the following characteristics:

CPU Intel Core Xeon (12 Cores) 3.6GHz
Memory (RAM): 12 GB
OS: CentOS 7

All the hosts were connected to the same Gigabit Ethernet switch.

Some extra tuning was done to improve the network and memory capabilities of the hosts:

net.core.rmem_default=65536
net.core.rmem_max=10485760
net.core.wmem_default=65536
net.core.wmem_max=10485760
net.ipv4.ipfrag_high_thresh=8388608
net.core.netdev_max_backlog=30000

You can find more information about this tuning for a better Connext DDS response on RTI Community here.

QOS used

These are the QoS settings used for the Test Applications and Agents. In these QoS settings, we avoid sending the type code and TypeObject during discovery, relax the lease duration settings for participant discovery, and increase the buffer size of the UDPv4 receive sockets.

<dds>
    <qos_library name="PolygraphLibrary">
        <qos_profile name="BasePolygraphProfile">
            <participant_qos name="BaseParticipantQos">
                <transport_builtin>
                    <mask>UDPv4</mask>
                </transport_builtin>
                <resource_limits>
                    <type_code_max_serialized_length>0</type_code_max_serialized_length>
                    <type_object_max_serialized_length>0</type_object_max_serialized_length>
                </resource_limits>
                <discovery_config>
                    <participant_liveliness_lease_duration>
                        <sec>200</sec>
                        <nanosec>0</nanosec>
                    </participant_liveliness_lease_duration>
                    <participant_liveliness_assert_period>
                        <sec>10</sec>
                        <nanosec>0</nanosec>
                    </participant_liveliness_assert_period>
                    <remote_participant_purge_kind>LIVELINESS_BASED_REMOTE_PARTICIPANT_PURGE
                    </remote_participant_purge_kind>
                    <max_liveliness_loss_detection_period>
                        <sec>10</sec>
                        <nanosec>0</nanosec>
                    </max_liveliness_loss_detection_period>
                </discovery_config>
                <property>
                    <value>
                        <element>
                            <name>dds.transport.UDPv4.builtin.recv_socket_buffer_size</name>
                            <value>1048576</value>
                        </element>
                    </value>
                </property>
            </participant_qos>
        </qos_profile>
    </qos_library>
</dds>

2.2.2. Comparison between 6.1.0 and 6.0.1¶

Due to several improvements added in Connext DDS and Security Plugins in 6.1.0, you will see big improvements in discovery time in 6.1.0. The following graph and tables show the results of the tests above done for both 6.0.1 and 6.1.0.

Time to complete Discovery (Seconds)

Participants	No Security	Authentication Only	Secure Discovery	Secure Discovery + Sign
50	2.643	2.985	3.116	3.103
75	3.085	3.518	3.783	3.830
100	3.333	4.278	6.617	6.516
125	4.274	8.262	8.781	8.587
150	5.241	11.253	10.644	10.232
175	6.462	13.509	13.224	13.281
200	7.177	17.660	17.201	17.438
225	8.167	19.420	20.404	21.887
250	9.971	24.857	26.537	27.286
275	12.268	28.274	32.436	33.087
300	13.923	32.830	37.668	38.899

Participants	No Security	Authentication Only	Secure Discovery	Secure Discovery + Sign
50	2.630	3.101	5.071	5.093
75	3.446	3.766	5.706	7.085
100	4.011	4.541	9.122	9.024
125	5.165	10.544	14.980	15.788
150	6.148	11.256	23.689	25.663
175	8.081	14.872	38.195	39.401
200	9.589	18.650	56.997	59.554
225	12.328	21.932	78.655	80.577
250	17.073	27.133	102.576	106.598
275	18.369	35.549	129.574	135.227
300	21.289	39.642	160.880	165.835

Participants	No Security	Authentication Only	Secure Discovery	Secure Discovery + Sign
50	0.01	-0.12	-1.95	-1.99
75	-0.36	-0.25	-1.92	-3.25
100	-0.68	-0.26	-2.50	-2.51
125	-0.89	-2.28	-6.20	-7.20
150	-0.91	-0.00	-13.04	-15.43
175	-1.62	-1.36	-24.97	-26.12
200	-2.41	-0.99	-39.80	-42.12
225	-4.16	-2.51	-58.25	-58.69
250	-7.10	-2.28	-76.04	-79.31
275	-6.10	-7.27	-97.14	-102.14
300	-7.37	-6.81	-123.21	-126.94

For more information about the improvements that account for these gains, see:

“Improved support for concurrency in data reception events in DataReaders in a DomainParticipant” in the Core Libraries’s Performance Improvements
“Improved discovery scalability when using BuiltinQosLib::Generic.Security profile” in the Security Plugins’s Changes Related to Scalability
“Endpoint state transition improvements for key distribution” in the Security Plugins’s Changes Related to Scalability
“Potentially very long recovery times for timed-out authentications” in the Security Plugins’s Fixes Related to Scalability