2.1. Network Performance for Security
The following one-to-one tests have been performed by executing an RTI Perftest C++98 Publisher and Subscriber between two nodes, connected to a switch via Ethernet. The communication has been restricted to a single interface and the transport has been set to UDPv4.
These tests are equivalent to the ones performed in the RTI Connext DDS Professional UDPv4 section (Unkeyed, UDPv4 10Gbps Network, C++98), but additionally enabling different Security Profiles.
Find information about the hardware, network, and command-line parameters after each of the tests.
The graph below shows the one-way latency without load between a Publisher and a Subscriber running on two Linux nodes in a 10Gbps network. The numbers have been taken using strict reliable reliability for all the different Security Profiles (described below).
Note
We use the median (50th percentile) instead of the average in order to get a more stable measurement that does not account for spurious outliers. We also calculate the average value and other percentile values, which can be seen in the Detailed Statistics section below.
Detailed Statistics
The following tables contain the raw numbers presented by RTI Perftest. These numbers are the exact output with no further processing.
Not using security libraries
Sample Size (Bytes) | Avg (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs)
---|---|---|---|---|---|---|---|---|---
32 | 21 | 0.7 | 20 | 50 | 21 | 22 | 24 | 31 | 50
64 | 21 | 0.8 | 20 | 199 | 21 | 22 | 25 | 31 | 199
128 | 22 | 0.8 | 20 | 47 | 22 | 22 | 25 | 32 | 47
256 | 22 | 0.7 | 21 | 143 | 22 | 23 | 26 | 31 | 143
512 | 23 | 0.6 | 22 | 49 | 23 | 23 | 26 | 33 | 49
1024 | 24 | 0.7 | 23 | 52 | 24 | 25 | 27 | 34 | 52
8192 | 44 | 0.8 | 43 | 67 | 44 | 45 | 48 | 53 | 67
63000 | 109 | 1.2 | 107 | 245 | 109 | 110 | 115 | 126 | 245
No protection
Sample Size (Bytes) | Avg (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs)
---|---|---|---|---|---|---|---|---|---
32 | 21 | 0.7 | 20 | 50 | 21 | 22 | 24 | 31 | 50
64 | 21 | 0.7 | 20 | 200 | 21 | 22 | 25 | 31 | 200
128 | 22 | 0.7 | 20 | 57 | 22 | 22 | 25 | 31 | 47
256 | 22 | 0.7 | 20 | 133 | 22 | 22 | 26 | 31 | 133
512 | 23 | 0.7 | 21 | 49 | 23 | 24 | 26 | 32 | 49
1024 | 24 | 0.5 | 22 | 52 | 24 | 25 | 26 | 33 | 52
8192 | 44 | 0.7 | 43 | 67 | 43 | 44 | 44 | 52 | 67
63000 | 109 | 1.1 | 107 | 245 | 109 | 110 | 115 | 125 | 245
RTPS Sign
Sample Size (Bytes) | Avg (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs)
---|---|---|---|---|---|---|---|---|---
32 | 25 | 0.8 | 23 | 55 | 25 | 25 | 29 | 34 | 55
64 | 25 | 0.7 | 24 | 54 | 25 | 25 | 28 | 35 | 54
128 | 25 | 0.8 | 24 | 209 | 25 | 26 | 29 | 35 | 209
256 | 26 | 0.7 | 24 | 57 | 26 | 26 | 30 | 35 | 57
512 | 27 | 0.8 | 25 | 65 | 27 | 27 | 30 | 36 | 65
1024 | 28 | 0.8 | 27 | 177 | 28 | 29 | 32 | 37 | 177
8192 | 50 | 0.7 | 49 | 86 | 50 | 50 | 52 | 59 | 86
63000 | 128 | 2.0 | 125 | 186 | 127 | 129 | 137 | 148 | 186
RTPS Encrypt
Sample Size (Bytes) | Avg (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs)
---|---|---|---|---|---|---|---|---|---
32 | 25 | 0.7 | 24 | 59 | 25 | 26 | 29 | 35 | 59
64 | 26 | 0.8 | 24 | 55 | 26 | 26 | 29 | 34 | 55
128 | 26 | 0.7 | 24 | 58 | 26 | 26 | 30 | 35 | 58
256 | 26 | 0.8 | 25 | 56 | 26 | 27 | 30 | 35 | 56
512 | 27 | 0.8 | 26 | 180 | 27 | 28 | 31 | 37 | 180
1024 | 29 | 0.7 | 28 | 63 | 29 | 29 | 32 | 38 | 63
8192 | 52 | 0.8 | 51 | 81 | 52 | 52 | 55 | 61 | 81
63000 | 139 | 1.6 | 137 | 195 | 139 | 140 | 147 | 158 | 195
RTPS Sign with Original Auth, Data Encrypt
Sample Size (Bytes) | Avg (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs)
---|---|---|---|---|---|---|---|---|---
32 | 31 | 0.9 | 29 | 187 | 30 | 31 | 34 | 41 | 187
64 | 31 | 0.9 | 29 | 64 | 30 | 31 | 34 | 41 | 64
128 | 31 | 0.8 | 30 | 73 | 31 | 32 | 35 | 42 | 73
256 | 32 | 0.9 | 30 | 61 | 32 | 32 | 35 | 41 | 61
512 | 33 | 0.9 | 31 | 65 | 32 | 33 | 36 | 43 | 65
1024 | 34 | 0.9 | 33 | 62 | 34 | 35 | 38 | 45 | 62
8192 | 59 | 0.9 | 57 | 106 | 59 | 59 | 63 | 69 | 106
63000 | 158 | 2.4 | 154 | 312 | 158 | 161 | 167 | 177 | 312
RTPS Sign, Submessage Encrypt with Original Auth, Data Encrypt
Sample Size (Bytes) | Avg (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs)
---|---|---|---|---|---|---|---|---|---
32 | 34 | 1.0 | 32 | 73 | 33 | 34 | 38 | 44 | 73
64 | 34 | 1.0 | 32 | 222 | 33 | 34 | 38 | 44 | 222
128 | 34 | 0.9 | 32 | 80 | 33 | 35 | 38 | 44 | 80
256 | 34 | 0.9 | 32 | 65 | 34 | 35 | 38 | 45 | 65
512 | 35 | 0.9 | 34 | 59 | 35 | 36 | 39 | 46 | 59
1024 | 37 | 0.9 | 35 | 64 | 35 | 38 | 41 | 48 | 64
8192 | 65 | 1.0 | 63 | 86 | 64 | 65 | 69 | 74 | 86
63000 | 186 | 2.2 | 181 | 254 | 186 | 188 | 194 | 205 | 254
RTPS Sign, Submessage Encrypt
Sample Size (Bytes) | Avg (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs)
---|---|---|---|---|---|---|---|---|---
32 | 28 | 0.7 | 27 | 67 | 28 | 29 | 32 | 38 | 67
64 | 28 | 0.8 | 27 | 56 | 28 | 29 | 33 | 37 | 56
128 | 29 | 0.8 | 27 | 55 | 29 | 29 | 33 | 37 | 55
256 | 29 | 0.7 | 28 | 59 | 29 | 30 | 33 | 39 | 59
512 | 30 | 0.8 | 29 | 65 | 30 | 31 | 33 | 40 | 65
1024 | 32 | 0.8 | 30 | 64 | 32 | 32 | 36 | 41 | 64
8192 | 56 | 0.8 | 55 | 95 | 56 | 57 | 59 | 65 | 95
63000 | 155 | 1.8 | 153 | 365 | 155 | 157 | 163 | 174 | 365
Perftest Scripts
To produce these tests, we executed RTI Perftest for C++98. The exact commands used can be found here:
Publisher Side
```bash
sudo /set_lat_mode.sh

# $1: path to the RTI Perftest executable; $2: folder for the CSV output
echo EXECUTABLE IS $1
export executable=$1
echo OUTPUT PATH IS $2
export output_folder=$2

export PATH_TO_GOVERNANCE_FILES_FOLDER=/performance/validation/resources/resource/secure
export exec_time=30
export nic=172.16.0.1

# Options shared by every publisher run
export pub_string="-pub \
    -transport UDPv4 \
    -nic $nic \
    -noPrint \
    -noOutputHeaders \
    -exec $exec_time \
    -noXML \
    -latencyTest"

mkdir -p $output_folder

echo ">> No Security"
export my_file=$output_folder/lat_udpv4_pub_unkeyed_rel_security_none.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -datalen $DATALEN $pub_string"
    echo $command
    $command >> $my_file;
    sleep 3;
done
sleep 5;

echo ">> No Protection"
export my_file=$output_folder/lat_udpv4_pub_unkeyed_rel_security_no_protection.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -datalen $DATALEN $pub_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_.xml"
    echo $command
    $command >> $my_file;
    sleep 3;
done
sleep 5;

echo ">> RTPS Sign"
export my_file=$output_folder/lat_udpv4_pub_unkeyed_rel_security_rtps_sign.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -datalen $DATALEN $pub_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSign.xml"
    echo $command
    $command >> $my_file;
    sleep 3;
done
sleep 5;

echo ">> RTPS Encrypt"
export my_file=$output_folder/lat_udpv4_pub_unkeyed_rel_security_rtps_encrypt.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -datalen $DATALEN $pub_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSEncrypt.xml"
    echo $command
    $command >> $my_file;
    sleep 3;
done
sleep 5;

echo ">> RTPS Sign, Submessage Encrypt"
export my_file=$output_folder/lat_udpv4_pub_unkeyed_rel_security_rtps_sign_submessage_encrypt.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -datalen $DATALEN $pub_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_SignEncryptSubmessage.xml"
    echo $command
    $command >> $my_file;
    sleep 3;
done
sleep 5;

echo ">> RTPS Sign, Submessage Encrypt with original auth, Data Encrypt"
export my_file=$output_folder/lat_udpv4_pub_unkeyed_rel_security_rtps_sign_submessage_encrypt_orig_data_encrypt.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -datalen $DATALEN $pub_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSignEncryptSubmessageWithOrigAuthEncryptData.xml"
    echo $command
    $command >> $my_file;
    sleep 3;
done
sleep 5;

echo ">> RTPS Sign with Original auth, Data Encrypt"
export my_file=$output_folder/lat_udpv4_pub_unkeyed_rel_security_rtps_sign_orig_data_encrypt.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -datalen $DATALEN $pub_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSignWithOrigAuthEncryptData.xml"
    echo $command
    $command >> $my_file;
    sleep 3;
done
sleep 5;
```
Subscriber Side
```bash
sudo /set_lat_mode.sh

# $1: path to the RTI Perftest executable; $2: folder for the CSV output
echo EXECUTABLE IS $1
export executable=$1
echo OUTPUT PATH IS $2
export output_folder=$2

export PATH_TO_GOVERNANCE_FILES_FOLDER=/performance/validation/resources/resource/secure
export nic=172.16.0.2

# Options shared by every subscriber run
export sub_string="-sub \
    -transport UDPv4 \
    -nic $nic \
    -noPrint \
    -noOutputHeaders \
    -noXML"

mkdir -p $output_folder

echo ">> No Security"
export my_file=$output_folder/lat_udpv4_sub_unkeyed_rel_security_none.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -datalen $DATALEN $sub_string"
    echo $command
    $command >> $my_file;
    sleep 3;
done
sleep 5;

echo ">> No Protection"
export my_file=$output_folder/lat_udpv4_sub_unkeyed_rel_security_no_protection.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -datalen $DATALEN $sub_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_.xml"
    echo $command
    $command >> $my_file;
    sleep 3;
done
sleep 5;

echo ">> RTPS Sign"
export my_file=$output_folder/lat_udpv4_sub_unkeyed_rel_security_rtps_sign.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -datalen $DATALEN $sub_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSign.xml"
    echo $command
    $command >> $my_file;
    sleep 3;
done
sleep 5;

echo ">> RTPS Encrypt"
export my_file=$output_folder/lat_udpv4_sub_unkeyed_rel_security_rtps_encrypt.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -datalen $DATALEN $sub_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSEncrypt.xml"
    echo $command
    $command >> $my_file;
    sleep 3;
done
sleep 5;

echo ">> RTPS Sign, Submessage Encrypt"
export my_file=$output_folder/lat_udpv4_sub_unkeyed_rel_security_rtps_sign_submessage_encrypt.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -datalen $DATALEN $sub_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_SignEncryptSubmessage.xml"
    echo $command
    $command >> $my_file;
    sleep 3;
done
sleep 5;

echo ">> RTPS Sign, Submessage Encrypt with original auth, Data Encrypt"
export my_file=$output_folder/lat_udpv4_sub_unkeyed_rel_security_rtps_sign_submessage_encrypt_orig_data_encrypt.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -datalen $DATALEN $sub_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSignEncryptSubmessageWithOrigAuthEncryptData.xml"
    echo $command
    $command >> $my_file;
    sleep 3;
done
sleep 5;

echo ">> RTPS Sign with Original auth, Data Encrypt"
export my_file=$output_folder/lat_udpv4_sub_unkeyed_rel_security_rtps_sign_orig_data_encrypt.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -datalen $DATALEN $sub_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSignWithOrigAuthEncryptData.xml"
    echo $command
    $command >> $my_file;
    sleep 3;
done
sleep 5;
```
Security Profiles
To test different levels of security, we have selected a well-known set of configurations. These configurations have been defined in the Governance files used by RTI Perftest. With these configurations, we have tested the minimum latency and maximum throughput achievable in different scenarios. The scenarios are described below.
The profiles we have used are the following:
Not using security libraries
In this scenario, RTI Security Plugins is not being used, therefore the performance is the same as what RTI Connext DDS Professional provides in Unkeyed, UDPv4 10Gbps Network, C++98.
No protection
In this scenario, Security Plugins are enabled but no protection is provided at any level. This, as well as the previous scenario, is used as a way to calibrate the impact of using Security Plugins even when no security measures are applied.
The governance profile used in this scenario is the following:
```xml
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>TRUE</allow_unauthenticated_participants>
      <enable_join_access_control>FALSE</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>NONE</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>FALSE</enable_discovery_protection>
          <enable_read_access_control>FALSE</enable_read_access_control>
          <enable_write_access_control>FALSE</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
RTPS ‘Sign’
This scenario sets the `rtps_protection_kind` to `SIGN`. This configuration provides protection against outsiders at the lowest cost.
The governance profile used in this scenario is the following:
```xml
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
RTPS ‘Encrypt’
This scenario sets the `rtps_protection_kind` to `ENCRYPT`. This configuration is similar to the protection TLS provides.
The governance profile used in this scenario is the following:
```xml
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>ENCRYPT</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
RTPS ‘Sign with Original Authentication’ and Data ‘Encrypt’
This scenario sets the `rtps_protection_kind` to `SIGN_WITH_ORIGIN_AUTHENTICATION`. It also sets the `data_protection_kind` to `ENCRYPT`. This configuration is the common choice for intra-domain protection and confidentiality.
The governance profile used in this scenario is the following:
```xml
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
RTPS ‘Sign,’ Submessage ‘Encrypt with Original Authentication,’ and Data ‘Encrypt’
This scenario sets the `rtps_protection_kind` to `SIGN`. It also sets the `data_protection_kind` to `ENCRYPT` and the `metadata_protection_kind` to `ENCRYPT_WITH_ORIGIN_AUTHENTICATION`. This configuration offers the most robust protection.
The governance profile used in this scenario is the following:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
RTPS ‘Sign,’ Submessage ‘Encrypt’
This scenario sets the `rtps_protection_kind` to `SIGN`. It also sets the `metadata_protection_kind` to `ENCRYPT`. This configuration allows user data confidentiality (with insiders protection) while keeping Wireshark capabilities.
The governance profile used in this scenario is the following:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="dds_security_governance.xsd">
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
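The profiles above differ only in a few governance elements, so it helps to check mechanically what a given file actually protects. The following is an added example, not part of RTI Perftest or the RTI documentation: it parses a governance document and reports which protections reach the user payload and which authentication and access-control settings are switched off. It assumes the plain XML is available (not the `signed_` files the scripts load); the `governance()` helper, the report fields and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Protection kind values used in the governance documents on this page.
KINDS = {"NONE", "SIGN", "ENCRYPT",
         "SIGN_WITH_ORIGIN_AUTHENTICATION",
         "ENCRYPT_WITH_ORIGIN_AUTHENTICATION"}


def _text(node, tag, default=""):
    """Return the stripped text of a direct child element, or a default."""
    child = node.find(tag)
    return child.text.strip() if child is not None and child.text else default


def _flag(node, tag):
    """Booleans appear as TRUE/FALSE or true/false in the page's profiles."""
    return _text(node, tag, "false").lower() in ("true", "1")


def _kind(node, tag, findings):
    """Read a *_protection_kind; unknown values are reported and treated as NONE."""
    value = _text(node, tag, "NONE")
    if value not in KINDS:
        findings.append(f"{tag}: unknown value {value!r}")
        return "NONE"
    return value


def audit_governance(xml_text):
    """Return one report per (domain_rule, topic_rule) pair in the document."""
    reports = []
    for rule in ET.fromstring(xml_text).iter("domain_rule"):
        domain_findings = []
        if _flag(rule, "allow_unauthenticated_participants"):
            domain_findings.append("unauthenticated participants may join")
        if not _flag(rule, "enable_join_access_control"):
            domain_findings.append("join access control disabled")
        rtps = _kind(rule, "rtps_protection_kind", domain_findings)
        for name in ("discovery_protection_kind", "liveliness_protection_kind"):
            if _kind(rule, name, domain_findings) == "NONE":
                domain_findings.append(f"{name} is NONE")
        for topic in rule.iter("topic_rule"):
            findings = list(domain_findings)
            meta = _kind(topic, "metadata_protection_kind", findings)
            data = _kind(topic, "data_protection_kind", findings)
            for name in ("enable_read_access_control",
                         "enable_write_access_control"):
                if not _flag(topic, name):
                    findings.append(f"{name} is false")
            # Message, submessage and payload layers all cover the user data.
            layers = (rtps, meta, data)
            reports.append({
                "topic": _text(topic, "topic_expression", "*"),
                "integrity": any(k != "NONE" for k in layers),
                "confidentiality": any(k.startswith("ENCRYPT") for k in layers),
                "origin_authentication": any(
                    k.endswith("_WITH_ORIGIN_AUTHENTICATION") for k in layers),
                "findings": findings,
            })
    return reports


def governance(rtps, metadata, data, allow_unauthenticated="false"):
    """Constructed sample using the same elements as the profiles on this page."""
    return f"""<dds><domain_access_rules><domain_rule>
      <domains><id_range><min>0</min></id_range></domains>
      <allow_unauthenticated_participants>{allow_unauthenticated}</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>{rtps}</rtps_protection_kind>
      <topic_access_rules><topic_rule>
        <topic_expression>*</topic_expression>
        <enable_read_access_control>false</enable_read_access_control>
        <enable_write_access_control>false</enable_write_access_control>
        <metadata_protection_kind>{metadata}</metadata_protection_kind>
        <data_protection_kind>{data}</data_protection_kind>
      </topic_rule></topic_access_rules>
    </domain_rule></domain_access_rules></dds>"""


PROFILES = {
    "No protection": governance("NONE", "NONE", "NONE", "TRUE"),
    "RTPS Sign": governance("SIGN", "NONE", "NONE"),
    "RTPS Encrypt": governance("ENCRYPT", "NONE", "NONE"),
    "RTPS Sign with Original Auth, Data Encrypt":
        governance("SIGN_WITH_ORIGIN_AUTHENTICATION", "NONE", "ENCRYPT"),
    # Constructed misspelling, to show how an invalid kind is reported.
    "Misspelled kind":
        governance("SIGN", "ENCRYPT_WITH_ORIGINAL_AUTHENTICATION", "ENCRYPT"),
}


def summarize(profiles=PROFILES):
    """Audit every sample profile and return {profile name: report}."""
    return {name: audit_governance(text)[0] for name, text in profiles.items()}


if __name__ == "__main__":
    for name, report in summarize().items():
        props = [p for p in ("integrity", "confidentiality",
                             "origin_authentication") if report[p]]
        print(f"{name}: {', '.join(props) or 'no protection'}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

Every profile measured on this page leaves join, read and write access control disabled, so the audit reports those settings for all of them; the benchmark isolates the cost of the cryptographic protection kinds only.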
Test Hardware
The following hardware was used to perform these tests:
Linux Nodes
Processor: Intel® Xeon® E-2186G 3.8GHz, 12M cache, 6C/12T, turbo (95W)
RAM: 16GB 2666MT/s DDR4 ECC UDIMM
NIC 1: Intel X550 Dual Port 10GbE BASE-T Adapter, PCIe Full Height
NIC 2: Intel Ethernet I350 Dual Port 1GbE BASE-T Adapter, PCIe Low Profile
OS: Ubuntu 18.04 -- gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
Switch
Dell Networking S4048T-ON, 48x 10GBASE-T and 6x 40GbE QSFP+ ports, IO to PSU air, 2x AC PSU, OS9
The graph below shows the expected throughput behavior when performing a 1-1 communication between two Linux nodes in a 10Gbps network. The numbers have been taken using strict reliable reliability for all the different Security Profiles (described below).
Note
By default, RTI Perftest enables batching when performing a Maximum Throughput test. The batching feature allows sending more than one data sample per RTPS packet, improving network performance for small data sizes. See the RTI Connext DDS Core Libraries User’s Manual for more information on batching.
The batch maximum size is set by RTI Perftest to be 8192 bytes; after 8192 bytes, batching is not enabled.
Detailed Statistics
This table contains the raw numbers presented by RTI Perftest. These numbers are the exact output with no further processing.
Not using security libraries
Sample Size (Bytes) | Total Samples | Avg Samples/s | Avg Mbps | Lost Samples | Lost Samples (%)
---|---|---|---|---|---
32 | 100000000 | 4748773 | 1215.7 | 0 | 0.00
64 | 100000000 | 4234302 | 2168.0 | 0 | 0.00
128 | 100000000 | 3398451 | 3578.1 | 0 | 0.00
256 | 82221090 | 2738645 | 5608.7 | 0 | 0.00
512 | 55947963 | 1870372 | 7720.1 | 0 | 0.00
1024 | 35450688 | 1981076 | 9386.6 | 0 | 0.00
8192 | 4506830 | 150221 | 9844.9 | 0 | 0.00
63000 | 590286 | 19674 | 9916.0 | 0 | 0.00
No protection
Sample Size (Bytes) | Total Samples | Avg Samples/s | Avg Mbps | Lost Samples | Lost Samples (%)
---|---|---|---|---|---
32 | 100000000 | 4780877 | 1223.9 | 0 | 0.00
64 | 100000000 | 4264053 | 2183.2 | 0 | 0.00
128 | 100000000 | 3630317 | 3717.4 | 0 | 0.00
256 | 82279504 | 2740463 | 5612.5 | 0 | 0.00
512 | 57049808 | 1900250 | 7783.4 | 0 | 0.00
1024 | 34515584 | 1149715 | 9418.5 | 0 | 0.00
8192 | 4507199 | 150221 | 9844.9 | 0 | 0.00
63000 | 590284 | 19674 | 9916.0 | 0 | 0.00
RTPS Sign
Sample Size (Bytes) | Total Samples | Avg Samples/s | Avg Mbps | Lost Samples | Lost Samples (%)
---|---|---|---|---|---
32 | 100000000 | 4560938 | 1167.6 | 0 | 0.00
64 | 100000000 | 3980023 | 2037.8 | 0 | 0.00
128 | 95277376 | 3173125 | 3249.3 | 0 | 0.00
256 | 71457952 | 2380048 | 4874.3 | 0 | 0.00
512 | 46605477 | 1552459 | 6358.9 | 0 | 0.00
1024 | 27165288 | 904934 | 7413.2 | 0 | 0.00
8192 | 4334088 | 144378 | 9462.0 | 0 | 0.00
63000 | 589626 | 19652 | 9904.8 | 0 | 0.00
RTPS Encrypt
Sample Size (Bytes) | Total Samples | Avg Samples/s | Avg Mbps | Lost Samples | Lost Samples (%)
---|---|---|---|---|---
32 | 100000000 | 4487161 | 1148.7 | 0 | 0.00
64 | 100000000 | 3878225 | 1985.7 | 0 | 0.00
128 | 92340817 | 3075298 | 3149.1 | 0 | 0.00
256 | 64970365 | 2163952 | 4431.8 | 0 | 0.00
512 | 41466201 | 1381264 | 5657.7 | 0 | 0.00
1024 | 23716784 | 790062 | 6472.2 | 0 | 0.00
8192 | 3918015 | 130519 | 8553.8 | 0 | 0.00
63000 | 589575 | 19650 | 9903.6 | 0 | 0.00
RTPS Sign with Original Auth, Data Encrypt
Sample Size (Bytes) | Total Samples | Avg Samples/s | Avg Mbps | Lost Samples | Lost Samples (%)
---|---|---|---|---|---
32 | 44526730 | 1753241 | 361.2 | 0 | 0.00
64 | 41598153 | 1385356 | 709.3 | 0 | 0.00
128 | 35556554 | 1487521 | 1266.2 | 0 | 0.00
256 | 31242641 | 1040585 | 2131.1 | 0 | 0.00
512 | 22920059 | 763461 | 3127.1 | 0 | 0.00
1024 | 14959267 | 498325 | 4082.3 | 0 | 0.00
8192 | 2945603 | 99854 | 6456.4 | 0 | 0.00
63000 | 589091 | 19632 | 9894.9 | 0 | 0.00
RTPS Sign, Submessage Encrypt with Original Auth, Data Encrypt
Sample Size (Bytes) | Total Samples | Avg Samples/s | Avg Mbps | Lost Samples | Lost Samples (%)
---|---|---|---|---|---
32 | 40614122 | 1352547 | 346.3 | 0 | 0.00
64 | 38870551 | 1294503 | 662.8 | 0 | 0.00
128 | 34787098 | 1158536 | 1186.3 | 0 | 0.00
256 | 28890082 | 962163 | 1970.5 | 0 | 0.00
512 | 20427807 | 680438 | 2787.1 | 0 | 0.00
1024 | 13080131 | 435722 | 3569.4 | 0 | 0.00
8192 | 2514797 | 79156 | 5551.8 | 0 | 0.00
63000 | 588667 | 19612 | 9884.9 | 0 | 0.00
RTPS Sign, Submessage Encrypt
Sample Size (Bytes) | Total Samples | Avg Samples/s | Avg Mbps | Lost Samples | Lost Samples (%)
---|---|---|---|---|---
32 | 100000000 | 4298332 | 1100.4 | 0 | 0.00
64 | 100000000 | 3641538 | 1864.5 | 0 | 0.00
128 | 85236338 | 2838707 | 2906.8 | 0 | 0.00
256 | 59374784 | 1977547 | 4050.0 | 0 | 0.00
512 | 37833377 | 1260226 | 5161.9 | 0 | 0.00
1024 | 21141856 | 704279 | 5769.5 | 0 | 0.00
8192 | 3282022 | 109332 | 7165.2 | 0 | 0.00
63000 | 589102 | 19633 | 9895.3 | 0 | 0.00
Perftest Scripts
To produce these tests, we executed RTI Perftest for C++98. The exact commands used can be found here:
Publisher Side
```bash
sudo /set_thr_mode.sh

# $1: path to the RTI Perftest executable; $2: folder for the CSV output
echo EXECUTABLE IS $1
export executable=$1
echo OUTPUT PATH IS $2
export output_folder=$2

export exec_time=30
export nic=172.16.0.1

# Options shared by every publisher run
export pub_string="-pub \
    -transport UDPv4 \
    -nic $nic \
    -noPrint \
    -noOutputHeaders \
    -exec $exec_time \
    -noXML"

mkdir -p $output_folder

echo ">> UNKEYED BE"
export my_file=$output_folder/thr_udpv4_pub_unkeyed_be.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -best $pub_string -datalen $DATALEN"
    echo $command
    $command >> $my_file;
    sleep 3;
done
sleep 5;

echo ">> UNKEYED REL"
export my_file=$output_folder/thr_udpv4_pub_unkeyed_rel.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000 100000 500000 1048576 1548576 4194304 10485760; do
    export command="taskset -c 0 \
        $executable $pub_string -datalen $DATALEN"
    echo $command
    $command >> $my_file;
    sleep 3;
done
sleep 5;

echo ">> KEYED BE"
export my_file=$output_folder/thr_udpv4_pub_keyed_be.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -best -keyed -instances 100000 $pub_string -datalen $DATALEN"
    echo $command
    $command >> $my_file;
    sleep 3;
done
sleep 5;

echo ">> KEYED REL"
export my_file=$output_folder/thr_udpv4_pub_keyed_rel.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -keyed -instances 100000 $pub_string -datalen $DATALEN"
    echo $command
    $command >> $my_file;
    sleep 3;
done
```
Subscriber Side
```bash
sudo /set_thr_mode.sh

# $1: path to the RTI Perftest executable; $2: folder for the CSV output
echo EXECUTABLE IS $1
export executable=$1
echo OUTPUT PATH IS $2
export output_folder=$2

export nic=172.16.0.2

# Options shared by every subscriber run
export sub_string="-sub \
    -transport UDPv4 \
    -nic $nic \
    -noPrint \
    -noOutputHeaders \
    -noXML"

mkdir -p $output_folder

echo ">> UNKEYED BE"
export my_file=$output_folder/thr_udpv4_sub_unkeyed_be.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -best $sub_string -datalen $DATALEN"
    echo $command
    $command >> $my_file;
    sleep 10;
done
sleep 5;

echo ">> UNKEYED REL"
export my_file=$output_folder/thr_udpv4_sub_unkeyed_rel.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000 100000 500000 1048576 1548576 4194304 10485760; do
    export command="taskset -c 0 \
        $executable $sub_string -datalen $DATALEN"
    echo $command
    $command >> $my_file;
    sleep 10;
done
sleep 5;

echo ">> KEYED BE"
export my_file=$output_folder/thr_udpv4_sub_keyed_be.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -best -keyed -instances 100000 $sub_string -datalen $DATALEN"
    echo $command
    $command >> $my_file;
    sleep 10;
done
sleep 5;

echo ">> KEYED REL"
# Set the output file name before creating the file
export my_file=$output_folder/thr_udpv4_sub_keyed.csv
touch $my_file
for DATALEN in 32 64 128 256 512 1024 8192 63000; do
    export command="taskset -c 0 \
        $executable -keyed -instances 100000 $sub_string -datalen $DATALEN"
    echo $command
    $command >> $my_file;
    sleep 10;
done
```
Security Profiles
To test different levels of security, we have selected a well-known set of configurations. These configurations have been defined in the Governance files used by RTI Perftest. With these configurations, we have tested the minimum latency and maximum throughput achievable in different scenarios. The scenarios are described below.
The profiles we have used are the following:
Not using security libraries
In this scenario, RTI Security Plugins is not being used, therefore the performance is the same as what RTI Connext DDS Professional provides in Unkeyed, UDPv4 10Gbps Network, C++98.
No protection
In this scenario, Security Plugins are enabled but no protection is provided at any level. This, as well as the previous scenario, is used as a way to calibrate the impact of using Security Plugins even when no security measures are applied.
The governance profile used in this scenario is the following:
```xml
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>TRUE</allow_unauthenticated_participants>
      <enable_join_access_control>FALSE</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>NONE</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>FALSE</enable_discovery_protection>
          <enable_read_access_control>FALSE</enable_read_access_control>
          <enable_write_access_control>FALSE</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
RTPS ‘Sign’
This scenario sets the `rtps_protection_kind` to `SIGN`. This configuration provides protection against outsiders at the lowest cost.
The governance profile used in this scenario is the following:
```xml
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
RTPS ‘Encrypt’
This scenario sets the rtps_protection_kind to ENCRYPT. This configuration is similar to the protection TLS provides.
The governance profile used in this scenario is the following:
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>ENCRYPT</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
RTPS ‘Sign with Original Authentication’ and Data ‘Encrypt’
This scenario sets the rtps_protection_kind to SIGN_WITH_ORIGIN_AUTHENTICATION. It also sets the data_protection_kind to ENCRYPT. This configuration is the common choice for intra-domain protection and confidentiality.
The governance profile used in this scenario is the following:
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
RTPS ‘Sign,’ Submessage ‘Encrypt with Original Authentication,’ and Data ‘Encrypt’
This scenario sets the rtps_protection_kind to SIGN. It also sets the data_protection_kind to ENCRYPT and the metadata_protection_kind to ENCRYPT_WITH_ORIGIN_AUTHENTICATION. This configuration offers the most robust protection.
The governance profile used in this scenario is the following:
<?xml version="1.0" encoding="UTF-8"?>
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
RTPS ‘Sign,’ Submessage ‘Encrypt’
This scenario sets the rtps_protection_kind to SIGN. It also sets the metadata_protection_kind to ENCRYPT. This configuration allows user data confidentiality (with insiders protection) while keeping Wireshark capabilities.
The governance profile used in this scenario is the following:
<?xml version="1.0" encoding="UTF-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="dds_security_governance.xsd">
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
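The profiles above differ only in a few governance elements, and all of them leave access control and discovery protection disabled to isolate the cost of each protection kind. As an added example (not part of RTI Perftest or RTI Security Plugins), the following Python sketch audits a governance document before it is reused outside a benchmark: it rejects values outside the DDS Security protection-kind enumerations and reports settings left open. The function name, the finding wording and the embedded sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Enumerations defined by the DDS Security governance schema.
PROTECTION_KINDS = {"NONE", "SIGN", "ENCRYPT",
                    "SIGN_WITH_ORIGIN_AUTHENTICATION",
                    "ENCRYPT_WITH_ORIGIN_AUTHENTICATION"}
BASIC_KINDS = {"NONE", "SIGN", "ENCRYPT"}  # data_protection_kind only
TRUE_VALUES = {"TRUE", "1"}

# Constructed sample (not a profile from this page): a permissive rule
# with one misspelled protection kind.
SAMPLE = """<dds><domain_access_rules><domain_rule>
  <allow_unauthenticated_participants>TRUE</allow_unauthenticated_participants>
  <enable_join_access_control>false</enable_join_access_control>
  <rtps_protection_kind>SIGN</rtps_protection_kind>
  <topic_access_rules><topic_rule>
    <topic_expression>*</topic_expression>
    <enable_read_access_control>false</enable_read_access_control>
    <metadata_protection_kind>ENCRYPT_WITH_ORIGINAL_AUTHENTICATION</metadata_protection_kind>
    <data_protection_kind>ENCRYPT</data_protection_kind>
  </topic_rule></topic_access_rules>
</domain_rule></domain_access_rules></dds>"""


def audit_governance(xml_text):
    """Return (severity, element, message) findings in document order."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.split("}")[-1]          # drop any XML namespace
        value = (elem.text or "").strip()
        if tag.endswith("_protection_kind"):
            allowed = BASIC_KINDS if tag == "data_protection_kind" else PROTECTION_KINDS
            if value not in allowed:
                findings.append(("error", tag, f"invalid value {value!r}"))
            elif value == "NONE":
                findings.append(("warn", tag, "no cryptographic protection"))
        elif tag == "allow_unauthenticated_participants":
            if value.upper() in TRUE_VALUES:
                findings.append(("warn", tag, "unauthenticated participants may join"))
        elif tag.startswith("enable_") and tag.endswith("_access_control"):
            if value.upper() not in TRUE_VALUES:
                findings.append(("warn", tag, "access control not enforced"))
    return findings


if __name__ == "__main__":
    for severity, element, message in audit_governance(SAMPLE):
        print(f"{severity:5} {element}: {message}")
```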
Test Hardware
The following hardware was used to perform these tests:
Linux Nodes
Processor: Intel® Xeon® E-2186G 3.8GHz, 12M cache, 6C/12T, turbo (95W)
RAM: 16GB 2666MT/s DDR4 ECC UDIMM
NIC 1: Intel X550 Dual Port 10GbE BASE-T Adapter, PCIe Full Height
NIC 2: Intel Ethernet I350 Dual Port 1GbE BASE-T Adapter, PCIe Low Profile
OS: Ubuntu 18.04 -- gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
Switch
Dell Networking S4048T-ON, 48x 10GBASE-T and 6x 40GbE QSFP+ ports, IO to PSU air, 2x AC PSU, OS9