2.1. Network Performance for Security
The following one-to-one tests were performed by running an RTI Perftest C++98 Publisher and Subscriber on two nodes connected to a switch via Ethernet. Communication was restricted to a single interface and the transport was set to UDPv4.
These tests are equivalent to those in the RTI Connext DDS Professional UDPv4 section (Unkeyed, UDPv4 10Gbps Network, C++98), but additionally enable different Security Profiles.
Information about the hardware, network, and command-line parameters can be found after each of the tests.
The graph below shows the one-way latency without load between a Publisher and a Subscriber running on two Linux nodes in a 10Gbps network. The numbers were taken using strict reliability for all the Security Profiles (described below).
Note
We use the median (50th percentile) rather than the average to obtain a more stable measurement that is not skewed by spurious outliers. The average and other percentile values are also calculated and can be seen in the Detailed Statistics section below.
Detailed Statistics
The following tables contain the raw numbers presented by RTI Perftest. These numbers are the exact output with no further processing.
Not using security libraries
| Sample Size (Bytes) | Ave (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs) |
|---|---|---|---|---|---|---|---|---|---|
| 32 | 20 | 1.1 | 19 | 89 | 20 | 21 | 26 | 50 | 89 |
| 64 | 20 | 1.2 | 19 | 76 | 20 | 21 | 26 | 50 | 76 |
| 128 | 21 | 1.2 | 20 | 87 | 20 | 21 | 27 | 50 | 87 |
| 256 | 21 | 1.2 | 20 | 62 | 21 | 21 | 27 | 51 | 62 |
| 512 | 22 | 1.0 | 21 | 76 | 21 | 22 | 25 | 50 | 76 |
| 1024 | 23 | 1.2 | 22 | 79 | 23 | 24 | 30 | 53 | 79 |
| 2048 | 26 | 1.2 | 25 | 76 | 26 | 26 | 33 | 55 | 76 |
| 4096 | 32 | 1.1 | 31 | 80 | 32 | 33 | 36 | 61 | 80 |
| 8192 | 45 | 1.0 | 43 | 96 | 45 | 46 | 49 | 74 | 96 |
| 16384 | 55 | 1.0 | 54 | 101 | 55 | 56 | 58 | 84 | 101 |
| 32768 | 74 | 1.1 | 73 | 130 | 74 | 74 | 77 | 109 | 130 |
| 63000 | 110 | 1.8 | 108 | 172 | 109 | 111 | 116 | 145 | 172 |
No protection
| Sample Size (Bytes) | Ave (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs) |
|---|---|---|---|---|---|---|---|---|---|
| 32 | 20 | 1.1 | 19 | 74 | 20 | 20 | 24 | 49 | 74 |
| 64 | 20 | 1.0 | 19 | 72 | 20 | 20 | 24 | 50 | 72 |
| 128 | 20 | 1.1 | 19 | 72 | 20 | 21 | 24 | 50 | 72 |
| 256 | 21 | 1.1 | 20 | 73 | 21 | 21 | 25 | 51 | 73 |
| 512 | 22 | 1.2 | 21 | 78 | 21 | 22 | 28 | 51 | 78 |
| 1024 | 23 | 1.1 | 22 | 84 | 23 | 24 | 27 | 53 | 84 |
| 2048 | 26 | 1.1 | 25 | 78 | 26 | 26 | 30 | 56 | 78 |
| 4096 | 33 | 1.4 | 31 | 78 | 32 | 33 | 39 | 62 | 78 |
| 8192 | 45 | 1.2 | 44 | 95 | 45 | 46 | 51 | 74 | 95 |
| 16384 | 56 | 1.1 | 54 | 96 | 55 | 56 | 59 | 84 | 96 |
| 32768 | 74 | 1.3 | 72 | 106 | 73 | 74 | 80 | 102 | 106 |
| 63000 | 110 | 2.1 | 108 | 164 | 109 | 111 | 117 | 143 | 164 |
RTPS Sign
| Sample Size (Bytes) | Ave (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs) |
|---|---|---|---|---|---|---|---|---|---|
| 32 | 24 | 1.1 | 23 | 78 | 23 | 24 | 28 | 53 | 78 |
| 64 | 24 | 1.2 | 23 | 80 | 24 | 24 | 29 | 54 | 80 |
| 128 | 24 | 1.2 | 23 | 78 | 24 | 25 | 30 | 54 | 78 |
| 256 | 25 | 1.3 | 24 | 77 | 24 | 25 | 31 | 55 | 77 |
| 512 | 25 | 1.2 | 24 | 81 | 25 | 26 | 30 | 55 | 81 |
| 1024 | 27 | 1.2 | 26 | 85 | 27 | 28 | 32 | 57 | 85 |
| 2048 | 30 | 1.3 | 29 | 73 | 30 | 31 | 37 | 60 | 73 |
| 4096 | 37 | 1.2 | 36 | 97 | 37 | 38 | 43 | 66 | 97 |
| 8192 | 50 | 1.1 | 49 | 125 | 50 | 51 | 53 | 79 | 125 |
| 16384 | 63 | 1.1 | 61 | 120 | 63 | 63 | 67 | 91 | 120 |
| 32768 | 85 | 1.2 | 84 | 128 | 85 | 86 | 90 | 115 | 128 |
| 63000 | 128 | 2.3 | 126 | 194 | 127 | 129 | 138 | 165 | 194 |
RTPS Encrypt
| Sample Size (Bytes) | Ave (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs) |
|---|---|---|---|---|---|---|---|---|---|
| 32 | 24 | 1.3 | 23 | 79 | 24 | 25 | 31 | 54 | 79 |
| 64 | 24 | 1.3 | 23 | 81 | 24 | 25 | 31 | 54 | 81 |
| 128 | 24 | 1.2 | 24 | 76 | 24 | 25 | 29 | 54 | 76 |
| 256 | 25 | 1.3 | 24 | 81 | 25 | 26 | 32 | 55 | 81 |
| 512 | 26 | 1.3 | 25 | 82 | 26 | 27 | 33 | 56 | 82 |
| 1024 | 28 | 1.3 | 27 | 84 | 27 | 28 | 34 | 57 | 84 |
| 2048 | 31 | 1.3 | 30 | 88 | 30 | 31 | 36 | 60 | 88 |
| 4096 | 39 | 1.3 | 37 | 94 | 39 | 40 | 44 | 68 | 94 |
| 8192 | 53 | 1.3 | 51 | 97 | 52 | 53 | 59 | 81 | 97 |
| 16384 | 66 | 1.2 | 65 | 127 | 66 | 67 | 72 | 95 | 127 |
| 32768 | 92 | 1.8 | 90 | 127 | 91 | 92 | 99 | 121 | 127 |
| 63000 | 140 | 2.6 | 137 | 198 | 139 | 144 | 150 | 172 | 198 |
RTPS Sign with Original Auth, Data Encrypt
| Sample Size (Bytes) | Ave (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs) |
|---|---|---|---|---|---|---|---|---|---|
| 32 | 29 | 1.4 | 28 | 79 | 29 | 30 | 36 | 59 | 79 |
| 64 | 29 | 1.4 | 28 | 85 | 29 | 30 | 36 | 59 | 85 |
| 128 | 30 | 1.5 | 29 | 92 | 29 | 30 | 37 | 60 | 92 |
| 256 | 30 | 1.4 | 29 | 97 | 30 | 30 | 37 | 60 | 97 |
| 512 | 31 | 1.3 | 30 | 87 | 31 | 31 | 38 | 61 | 87 |
| 1024 | 33 | 1.4 | 32 | 90 | 32 | 33 | 39 | 63 | 90 |
| 2048 | 36 | 1.4 | 35 | 92 | 36 | 37 | 42 | 66 | 92 |
| 4096 | 45 | 1.2 | 43 | 100 | 45 | 45 | 49 | 74 | 100 |
| 8192 | 59 | 1.2 | 57 | 114 | 58 | 59 | 63 | 88 | 114 |
| 16384 | 74 | 1.4 | 73 | 140 | 74 | 75 | 81 | 105 | 140 |
| 32768 | 102 | 1.6 | 101 | 161 | 102 | 103 | 110 | 134 | 161 |
| 63000 | 156 | 2.6 | 153 | 227 | 155 | 158 | 166 | 193 | 227 |
RTPS Sign, Submessage Encrypt with Original Auth, Data Encrypt
| Sample Size (Bytes) | Ave (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs) |
|---|---|---|---|---|---|---|---|---|---|
| 32 | 31 | 1.4 | 30 | 89 | 31 | 32 | 38 | 61 | 89 |
| 64 | 32 | 1.4 | 30 | 88 | 31 | 32 | 38 | 62 | 88 |
| 128 | 32 | 1.5 | 31 | 90 | 32 | 33 | 39 | 62 | 90 |
| 256 | 33 | 1.5 | 31 | 96 | 32 | 33 | 40 | 63 | 96 |
| 512 | 34 | 1.6 | 32 | 97 | 33 | 34 | 41 | 64 | 97 |
| 1024 | 36 | 1.6 | 34 | 96 | 35 | 36 | 43 | 66 | 96 |
| 2048 | 40 | 1.7 | 38 | 96 | 40 | 41 | 48 | 70 | 96 |
| 4096 | 49 | 1.6 | 46 | 106 | 49 | 49 | 56 | 79 | 106 |
| 8192 | 64 | 1.2 | 62 | 103 | 64 | 65 | 70 | 94 | 103 |
| 16384 | 83 | 1.4 | 81 | 124 | 83 | 84 | 90 | 117 | 124 |
| 32768 | 117 | 1.7 | 115 | 165 | 117 | 118 | 125 | 152 | 165 |
| 63000 | 183 | 2.9 | 181 | 269 | 182 | 188 | 193 | 223 | 269 |
RTPS Sign, Submessage Encrypt
| Sample Size (Bytes) | Ave (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs) |
|---|---|---|---|---|---|---|---|---|---|
| 32 | 27 | 1.4 | 25 | 83 | 26 | 27 | 33 | 57 | 83 |
| 64 | 26 | 1.2 | 25 | 76 | 26 | 27 | 32 | 56 | 76 |
| 128 | 27 | 1.3 | 26 | 85 | 27 | 28 | 34 | 58 | 85 |
| 256 | 28 | 1.3 | 26 | 92 | 27 | 28 | 34 | 57 | 92 |
| 512 | 29 | 1.3 | 27 | 95 | 28 | 29 | 33 | 59 | 95 |
| 1024 | 30 | 1.3 | 29 | 88 | 30 | 31 | 37 | 61 | 88 |
| 2048 | 34 | 1.4 | 32 | 91 | 33 | 34 | 41 | 63 | 91 |
| 4096 | 42 | 1.2 | 40 | 99 | 42 | 43 | 47 | 71 | 99 |
| 8192 | 56 | 1.1 | 55 | 107 | 56 | 57 | 59 | 85 | 107 |
| 16384 | 72 | 1.2 | 71 | 110 | 72 | 73 | 77 | 102 | 110 |
| 32768 | 101 | 1.6 | 99 | 145 | 100 | 101 | 108 | 138 | 145 |
| 63000 | 155 | 2.9 | 152 | 228 | 154 | 161 | 165 | 194 | 228 |
Perftest Scripts
To produce these tests, we executed RTI Perftest for C++98. The script used to execute the tests is the following:

```bash
#!/bin/bash
# Arguments: <perftest executable> <output folder> <publisher|subscriber> <lat|thr> [nic address]
echo "EXECUTABLE IS $1"
export executable=$1

echo "OUTPUT PATH IS $2"
export output_folder=$2
export pub_sub="pub"
export lat_thr="lat"
export num_reps="1 2 3 4"
export dataLens="32 64 128 256 512 1024 2048 4096 8192 16384 32768 63000"

if [[ -z "$3" ]]; then
    echo "You need a third argument with publisher or subscriber"
    exit 1
else
    if [[ "$3" == "publisher" ]]; then
        echo "Publisher"
        export pub_sub="pub"
    elif [[ "$3" == "subscriber" ]]; then
        echo "Subscriber"
        export pub_sub="sub"
    else
        echo "It must be either publisher or subscriber"
        exit 1
    fi
fi

if [[ -z "$4" ]]; then
    echo "You need a fourth argument with lat or thr"
    exit 1
else
    if [[ "$4" == "thr" ]]; then
        echo "Throughput test"
        export lat_thr="thr"
    elif [[ "$4" == "lat" ]]; then
        echo "Latency test"
        export lat_thr="lat"
    else
        echo "It must be either lat or thr"
        exit 1
    fi
fi

# Optional fifth argument: one NIC address used by both sides.
if [[ -z "$5" ]]; then
    echo "Using default nics"
    export nic1=172.16.0.1
    export nic2=172.16.0.2
else
    echo "Using custom nic: $5"
    export nic1=$5
    export nic2=$5
fi

export PATH_TO_GOVERNANCE_FILES_FOLDER=/performance/validation/resources/resource/secure

# Tune the node for the latency or throughput test, then let it settle.
sudo /set_${lat_thr}_mode.sh
sleep 5

export exec_time=20

export pub_string="-pub \
    -transport UDPv4 \
    -nic $nic1 \
    -noPrint \
    -noOutputHeaders \
    -exec $exec_time \
    -noXML"

if [[ ${lat_thr} == "lat" ]]; then
    export pub_string="$pub_string \
    -latencyTest"
fi

export sub_string="-sub \
    -transport UDPv4 \
    -nic $nic2 \
    -noPrint \
    -noOutputHeaders \
    -noXML"

if [[ "$pub_sub" == "pub" ]]; then
    echo "Publisher side"
    export commands_string=${pub_string}
else
    echo "Subscriber side"
    export commands_string=${sub_string}
fi

mkdir -p "$output_folder"

# Each profile below runs num_reps repetitions over every sample size in
# dataLens, pinned to CPU 0, appending the raw RTI Perftest output to one
# CSV file per Security Profile.
echo ">> No Security"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_none.csv
touch "$my_file"

export extra_args=""
for index in ${num_reps}; do
    for DATALEN in ${dataLens}; do
        export command="taskset -c 0 \
            $executable -datalen $DATALEN $commands_string $extra_args"
        echo $command ---- $index
        $command >> "$my_file"
        sleep 5
        export extra_args=" -noOutputHeaders "
    done
done
sleep 5

# The secure runs are launched from the resources folder.
cd /performance/validation/resources

echo ">> No Protection"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_no_protection.csv
touch "$my_file"
export extra_args=""
for index in ${num_reps}; do
    for DATALEN in ${dataLens}; do
        export command="taskset -c 0 \
            $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_.xml $extra_args"
        echo $command ---- $index
        $command >> "$my_file"
        sleep 5
        export extra_args=" -noOutputHeaders "
    done
done
sleep 5

echo ">> RTPS Sign"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_rtps_sign.csv
touch "$my_file"
export extra_args=""
for index in ${num_reps}; do
    for DATALEN in ${dataLens}; do
        export command="taskset -c 0 \
            $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSign.xml $extra_args"
        echo $command ---- $index
        $command >> "$my_file"
        sleep 5
        export extra_args=" -noOutputHeaders "
    done
done
sleep 5

echo ">> RTPS Encrypt"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_rtps_encrypt.csv
touch "$my_file"
export extra_args=""
for index in ${num_reps}; do
    for DATALEN in ${dataLens}; do
        export command="taskset -c 0 \
            $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSEncrypt.xml $extra_args"
        echo $command ---- $index
        $command >> "$my_file"
        sleep 5
        export extra_args=" -noOutputHeaders "
    done
done
sleep 5

echo ">> RTPS Sign, Submessage Encrypt"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_rtps_sign_submessage_encrypt.csv
touch "$my_file"
export extra_args=""
for index in ${num_reps}; do
    for DATALEN in ${dataLens}; do
        export command="taskset -c 0 \
            $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_SignEncryptSubmessage.xml $extra_args"
        echo $command ---- $index
        $command >> "$my_file"
        sleep 5
        export extra_args=" -noOutputHeaders "
    done
done
sleep 5

echo ">> RTPS Sign, Submessage Encrypt with original auth, Data Encrypt"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_rtps_sign_submessage_encrypt_orig_data_encrypt.csv
touch "$my_file"
export extra_args=""
for index in ${num_reps}; do
    for DATALEN in ${dataLens}; do
        export command="taskset -c 0 \
            $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSignEncryptSubmessageWithOrigAuthEncryptData.xml $extra_args"
        echo $command ---- $index
        $command >> "$my_file"
        sleep 5
        export extra_args=" -noOutputHeaders "
    done
done
sleep 5

echo ">> RTPS Sign with Original auth, Data Encrypt"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_rtps_sign_orig_data_encrypt.csv
touch "$my_file"
export extra_args=""
for index in ${num_reps}; do
    for DATALEN in ${dataLens}; do
        export command="taskset -c 0 \
            $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSignWithOrigAuthEncryptData.xml $extra_args"
        echo $command ---- $index
        $command >> "$my_file"
        sleep 5
        export extra_args=" -noOutputHeaders "
    done
done
sleep 5
```
Security Profiles
To test different levels of security, we selected a well-known set of configurations, defined in the Governance files used by RTI Perftest. With these configurations we measured the minimum latency and maximum throughput achievable in the scenarios described below.
The profiles we used are the following:
Not using security libraries
In this scenario, RTI Security Plugins is not used, so performance is the same as RTI Connext DDS Professional provides in Unkeyed, UDPv4 10Gbps Network, C++98.
No protection
In this scenario, Security Plugins are enabled but no protection is applied at any level. Together with the previous scenario, this is used to calibrate the cost of loading Security Plugins even when no security measures are applied.
The governance profile used in this scenario is the following:
```xml
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>TRUE</allow_unauthenticated_participants>
      <enable_join_access_control>FALSE</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>NONE</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>FALSE</enable_discovery_protection>
          <enable_read_access_control>FALSE</enable_read_access_control>
          <enable_write_access_control>FALSE</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
RTPS ‘Sign’
This scenario sets the rtps_protection_kind to SIGN. This configuration provides protection against outsiders at the lowest cost.
The governance profile used in this scenario is the following:
```xml
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
RTPS ‘Encrypt’
This scenario sets the rtps_protection_kind to ENCRYPT. This configuration is similar to the protection TLS provides.
The governance profile used in this scenario is the following:
```xml
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>ENCRYPT</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
RTPS ‘Sign with Original Authentication’ and Data ‘Encrypt’
This scenario sets the rtps_protection_kind to SIGN_WITH_ORIGIN_AUTHENTICATION and the data_protection_kind to ENCRYPT. This configuration is the common choice for intra-domain protection and confidentiality.
The governance profile used in this scenario is the following:
```xml
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <metadata_protection_kind>NONE</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
RTPS ‘Sign,’ Submessage ‘Encrypt with Original Authentication,’ and Data ‘Encrypt’
This scenario sets the rtps_protection_kind to SIGN, the data_protection_kind to ENCRYPT, and the metadata_protection_kind to ENCRYPT_WITH_ORIGIN_AUTHENTICATION. This configuration offers the most robust protection.
The governance profile used in this scenario is the following:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <!-- Submessage encryption with origin authentication, as described above -->
          <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
RTPS ‘Sign,’ Submessage ‘Encrypt’
This scenario sets the rtps_protection_kind to SIGN and the metadata_protection_kind to ENCRYPT. This configuration provides user data confidentiality (with protection against insiders) while keeping Wireshark dissection capabilities.
The governance profile used in this scenario is the following:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="dds_security_governance.xsd">
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
        </id_range>
      </domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <discovery_protection_kind>NONE</discovery_protection_kind>
      <liveliness_protection_kind>NONE</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>false</enable_write_access_control>
          <!-- Submessage encryption only: the RTPS header stays readable for Wireshark -->
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
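The profiles above differ only in a handful of governance elements, so a defender can classify a governance file and spot unprotected settings mechanically. The following Python script is an added example, not part of the RTI documentation or of RTI Perftest: the element names are those of the governance files above, the profile mapping follows the table headings on this page, and the sample documents are constructed here.

```python
"""Audit a DDS Security governance file against the Security Profiles above."""
import xml.etree.ElementTree as ET

# (rtps_protection_kind, metadata_protection_kind, data_protection_kind) as set
# in the governance files above -> profile name used in the tables. "Not using
# security libraries" has no governance file and therefore no entry.
PROFILES = {
    ("NONE", "NONE", "NONE"): "No protection",
    ("SIGN", "NONE", "NONE"): "RTPS Sign",
    ("ENCRYPT", "NONE", "NONE"): "RTPS Encrypt",
    ("SIGN_WITH_ORIGIN_AUTHENTICATION", "NONE", "ENCRYPT"):
        "RTPS Sign with Original Auth, Data Encrypt",
    ("SIGN", "ENCRYPT_WITH_ORIGIN_AUTHENTICATION", "ENCRYPT"):
        "RTPS Sign, Submessage Encrypt with Original Auth, Data Encrypt",
    ("SIGN", "ENCRYPT", "NONE"): "RTPS Sign, Submessage Encrypt",
}

# Protection kinds the governance schema accepts; anything else is a typo.
VALID_KINDS = {"NONE", "SIGN", "ENCRYPT", "SIGN_WITH_ORIGIN_AUTHENTICATION",
               "ENCRYPT_WITH_ORIGIN_AUTHENTICATION"}


def _value(parent, tag, default):
    """Upper-cased text of a child element; the files above mix TRUE and false."""
    node = parent.find(tag)
    if node is None or node.text is None:
        return default
    return node.text.strip().upper()


def audit_governance(xml_text):
    """Return (profile name or None, findings) for one governance document.

    Only the first domain_rule and its first topic_rule are inspected, which
    is all the single-rule files above contain.
    """
    root = ET.fromstring(xml_text)
    rule = root.find("./domain_access_rules/domain_rule")
    if rule is None:
        return None, ["no domain_rule found"]
    topic = rule.find("./topic_access_rules/topic_rule")
    if topic is None:
        return None, ["no topic_rule found"]

    rtps = _value(rule, "rtps_protection_kind", "NONE")
    meta = _value(topic, "metadata_protection_kind", "NONE")
    data = _value(topic, "data_protection_kind", "NONE")

    findings = []
    for name, kind in (("rtps", rtps), ("metadata", meta), ("data", data)):
        if kind not in VALID_KINDS:
            findings.append(f"{name}_protection_kind has unknown value {kind!r}")
    if _value(rule, "allow_unauthenticated_participants", "FALSE") == "TRUE":
        findings.append("unauthenticated participants are allowed to join")
    if _value(rule, "discovery_protection_kind", "NONE") == "NONE":
        findings.append("discovery traffic is unprotected")
    if rtps == "NONE":
        findings.append("RTPS messages carry no integrity or confidentiality")
    # Confidentiality requires that at least one level actually encrypts.
    if not any(k.startswith("ENCRYPT") for k in (rtps, meta, data)):
        findings.append("user data is sent in clear text")
    # RTPS-level protection alone guards against outsiders (see RTPS Sign and
    # RTPS Encrypt above); submessage or data protection is what adds insider
    # protection.
    if rtps != "NONE" and meta == "NONE" and data == "NONE":
        findings.append("RTPS-level protection only: no protection against insiders")
    return PROFILES.get((rtps, meta, data)), findings


def governance(allow_unauth, rtps, meta, data):
    """Build a constructed single-rule governance document shaped like those above."""
    return f"""<dds>
  <domain_access_rules><domain_rule>
    <domains><id_range><min>0</min></id_range></domains>
    <allow_unauthenticated_participants>{allow_unauth}</allow_unauthenticated_participants>
    <enable_join_access_control>false</enable_join_access_control>
    <discovery_protection_kind>NONE</discovery_protection_kind>
    <liveliness_protection_kind>NONE</liveliness_protection_kind>
    <rtps_protection_kind>{rtps}</rtps_protection_kind>
    <topic_access_rules><topic_rule>
      <topic_expression>*</topic_expression>
      <metadata_protection_kind>{meta}</metadata_protection_kind>
      <data_protection_kind>{data}</data_protection_kind>
    </topic_rule></topic_access_rules>
  </domain_rule></domain_access_rules>
</dds>"""


# Constructed samples: two of the profiles above plus one with a misspelt kind.
NO_PROTECTION = governance("TRUE", "NONE", "NONE", "NONE")
SIGN_ORIG_AUTH_DATA_ENCRYPT = governance(
    "false", "SIGN_WITH_ORIGIN_AUTHENTICATION", "NONE", "ENCRYPT")
MISSPELT = governance("false", "SIGN", "ENCRYPT_WITH_ORIGINAL_AUTHENTICATION", "ENCRYPT")

if __name__ == "__main__":
    for doc in (NO_PROTECTION, SIGN_ORIG_AUTH_DATA_ENCRYPT, MISSPELT):
        profile, findings = audit_governance(doc)
        print(f"profile={profile!r}")
        for finding in findings:
            print("  -", finding)
```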
Test Hardware
The following hardware was used to perform these tests:
Linux Nodes
Processor: Intel® Xeon® E-2186G 3.8GHz, 12M cache, 6C/12T, turbo (95W)
RAM: 16GB 2666MT/s DDR4 ECC UDIMM
NIC 1: Intel X550 Dual Port 10GbE BASE-T Adapter, PCIe Full Height
NIC 2: Intel Ethernet I350 Dual Port 1GbE BASE-T Adapter, PCIe Low Profile
OS: Ubuntu 18.04 -- gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
Switch
Dell Networking S4048T-ON, 48x 10GBASE-T and 6x 40GbE QSFP+ ports, IO to PSU air, 2x AC PSU, OS9
The graph below shows the expected throughput behavior for a one-to-one communication between two Linux nodes in a 10Gbps network. The numbers were taken using strict reliability for all the Security Profiles (described in the Security Profiles section).
Note
By default, RTI Perftest enables batching when performing a Maximum Throughput test. The batching feature allows sending more than one data sample per RTPS packet, improving network performance for small data sizes. See the RTI Connext DDS Core Libraries User’s Manual for more information on batching.
RTI Perftest sets the maximum batch size to 8192 bytes; beyond 8192 bytes, batching is not enabled.
Detailed Statistics
The following tables contain the raw numbers presented by RTI Perftest. These numbers are the exact output with no further processing.
Not using security libraries
| Sample Size (Bytes) | Total Samples | Avg Samples/s | Avg Mbps | Lost Samples | Lost Samples (%) |
|---|---|---|---|---|---|
| 32 | 93282778 | 4658340 | 1192.5 | 0 | 0.00 |
| 64 | 83596048 | 4174419 | 2137.3 | 0 | 0.00 |
| 128 | 72072444 | 3599013 | 3685.4 | 0 | 0.00 |
| 256 | 55172116 | 2755546 | 5643.4 | 0 | 0.00 |
| 512 | 38510608 | 1923671 | 7879.4 | 0 | 0.00 |
| 1024 | 23087896 | 1153352 | 9448.3 | 0 | 0.00 |
| 2048 | 11952148 | 597040 | 9781.9 | 0 | 0.00 |
| 4096 | 5987816 | 299090 | 9800.6 | 0 | 0.00 |
| 8192 | 3004691 | 150222 | 9845.0 | 0 | 0.00 |
| 16384 | 1508787 | 75433 | 9887.3 | 0 | 0.00 |
| 32768 | 756050 | 37798 | 9908.6 | 0 | 0.00 |
| 63000 | 393537 | 19674 | 9916.1 | 0 | 0.00 |
No protection
| Sample Size (Bytes) | Total Samples | Avg Samples/s | Avg Mbps | Lost Samples | Lost Samples (%) |
|---|---|---|---|---|---|
| 32 | 93537022 | 4670959 | 1195.8 | 0 | 0.00 |
| 64 | 84239398 | 4206491 | 2153.7 | 0 | 0.00 |
| 128 | 71943818 | 3592436 | 3678.7 | 0 | 0.00 |
| 256 | 55127209 | 2753067 | 5638.3 | 0 | 0.00 |
| 512 | 38820544 | 1938952 | 7941.9 | 0 | 0.00 |
| 1024 | 23312505 | 1164421 | 9538.9 | 0 | 0.00 |
| 2048 | 11953496 | 597035 | 9781.8 | 0 | 0.00 |
| 4096 | 5983996 | 299089 | 9800.6 | 0 | 0.00 |
| 8192 | 3004865 | 150221 | 9844.9 | 0 | 0.00 |
| 16384 | 1508817 | 75434 | 9887.4 | 0 | 0.00 |
| 32768 | 756050 | 37798 | 9908.7 | 0 | 0.00 |
| 63000 | 393541 | 19674 | 9916.1 | 0 | 0.00 |
RTPS Sign
| Sample Size (Bytes) | Total Samples | Avg Samples/s | Avg Mbps | Lost Samples | Lost Samples (%) |
|---|---|---|---|---|---|
| 32 | 89729792 | 4480933 | 1147.1 | 0 | 0.00 |
| 64 | 78047593 | 3897289 | 1995.4 | 0 | 0.00 |
| 128 | 65170624 | 3254192 | 3332.3 | 0 | 0.00 |
| 256 | 47869710 | 2390665 | 4896.1 | 0 | 0.00 |
| 512 | 32099488 | 1603381 | 6567.4 | 0 | 0.00 |
| 1024 | 18674328 | 932793 | 7641.4 | 0 | 0.00 |
| 2048 | 10172624 | 508171 | 8325.9 | 0 | 0.00 |
| 4096 | 5305932 | 265048 | 8685.1 | 0 | 0.00 |
| 8192 | 2846161 | 142175 | 9317.6 | 0 | 0.00 |
| 16384 | 1502337 | 75107 | 9844.5 | 0 | 0.00 |
| 32768 | 754439 | 37716 | 9887.1 | 0 | 0.00 |
| 63000 | 393131 | 19652 | 9904.9 | 0 | 0.00 |
RTPS Encrypt
| Sample Size (Bytes) | Total Samples | Avg Samples/s | Avg Mbps | Lost Samples | Lost Samples (%) |
|---|---|---|---|---|---|
| 32 | 88444169 | 4416444 | 1130.6 | 0 | 0.00 |
| 64 | 76332269 | 3811662 | 1951.6 | 0 | 0.00 |
| 128 | 62735430 | 3132612 | 3207.8 | 0 | 0.00 |
| 256 | 45204000 | 2257430 | 4623.2 | 0 | 0.00 |
| 512 | 28906161 | 1443842 | 5914.0 | 0 | 0.00 |
| 1024 | 16934472 | 845943 | 6930.0 | 0 | 0.00 |
| 2048 | 9251472 | 462161 | 7572.1 | 0 | 0.00 |
| 4096 | 4806800 | 240172 | 7870.0 | 0 | 0.00 |
| 8192 | 2638870 | 131823 | 8639.2 | 0 | 0.00 |
| 16384 | 1501693 | 75070 | 9839.7 | 0 | 0.00 |
| 32768 | 754292 | 37707 | 9884.8 | 0 | 0.00 |
| 63000 | 393072 | 19650 | 9903.7 | 0 | 0.00 |
RTPS Sign with Original Auth, Data Encrypt
| Sample Size (Bytes) | Total Samples | Avg Samples/s | Avg Mbps | Lost Samples | Lost Samples (%) |
|---|---|---|---|---|---|
| 32 | 30647323 | 1530416 | 391.8 | 0 | 0.00 |
| 64 | 30345344 | 1515355 | 775.9 | 0 | 0.00 |
| 128 | 26944443 | 1345517 | 1377.8 | 0 | 0.00 |
| 256 | 22297141 | 1113562 | 2280.6 | 0 | 0.00 |
| 512 | 15902894 | 794340 | 3253.6 | 0 | 0.00 |
| 1024 | 10433109 | 521171 | 4269.4 | 0 | 0.00 |
| 2048 | 5406607 | 270088 | 4425.1 | 0 | 0.00 |
| 4096 | 2122099 | 106007 | 3473.7 | 0 | 0.00 |
| 8192 | 1854316 | 92632 | 6470.7 | 0 | 0.00 |
| 16384 | 1354455 | 67662 | 8868.7 | 0 | 0.00 |
| 32768 | 753135 | 37643 | 9867.9 | 0 | 0.00 |
| 63000 | 392765 | 19632 | 9894.9 | 0 | 0.00 |
RTPS Sign, Submessage Encrypt with Original Auth, Data Encrypt
| Sample Size (Bytes) | Total Samples | Avg Samples/s | Avg Mbps | Lost Samples | Lost Samples (%) |
|---|---|---|---|---|---|
| 32 | 29873465 | 1491632 | 381.9 | 0 | 0.00 |
| 64 | 27819263 | 1389115 | 711.2 | 0 | 0.00 |
| 128 | 24565256 | 1226706 | 1256.1 | 0 | 0.00 |
| 256 | 19779040 | 987741 | 2022.9 | 0 | 0.00 |
| 512 | 14242565 | 711390 | 2913.9 | 0 | 0.00 |
| 1024 | 9098034 | 454478 | 3723.1 | 0 | 0.00 |
| 2048 | 4696232 | 234601 | 3843.7 | 0 | 0.00 |
| 4096 | 1820386 | 90934 | 2979.7 | 0 | 0.00 |
| 8192 | 1560443 | 77953 | 5508.7 | 0 | 0.00 |
| 16384 | 1107046 | 55315 | 7250.4 | 0 | 0.00 |
| 32768 | 719786 | 35958 | 9426.3 | 0 | 0.00 |
| 63000 | 392527 | 19612 | 9884.8 | 0 | 0.00 |
RTPS Sign, Submessage Encrypt
| Sample Size (Bytes) | Total Samples | Avg Samples/s | Avg Mbps | Lost Samples | Lost Samples (%) |
|---|---|---|---|---|---|
| 32 | 86169120 | 4303013 | 1101.6 | 0 | 0.00 |
| 64 | 73164416 | 3653447 | 1870.6 | 0 | 0.00 |
| 128 | 57787605 | 2885581 | 2954.8 | 0 | 0.00 |
| 256 | 40805248 | 2037814 | 4173.4 | 0 | 0.00 |
| 512 | 25764032 | 1286897 | 5271.1 | 0 | 0.00 |
| 1024 | 15020960 | 750356 | 6146.9 | 0 | 0.00 |
| 2048 | 7995336 | 399408 | 6543.9 | 0 | 0.00 |
| 4096 | 4149661 | 207291 | 6792.5 | 0 | 0.00 |
| 8192 | 2209967 | 110398 | 7235.1 | 0 | 0.00 |
| 16384 | 1497868 | 74826 | 9807.7 | 0 | 0.00 |
| 32768 | 753142 | 37646 | 9868.7 | 0 | 0.00 |
| 63000 | 392773 | 19633 | 9895.3 | 0 | 0.00 |
Perftest Scripts
To produce these tests, we executed RTI Perftest for C++98. The script used to execute the tests can be found here:
1echo EXECUTABLE IS $1
2export executable=$1
3
4echo OUTPUT PATH IS $2
5export output_folder=$2
6export pub_sub="pub"
7export lat_thr="lat"
8export num_reps="1 2 3 4"
9export dataLens="32 64 128 256 512 1024 2048 4096 8192 16384 32768 63000"
10
11if [[ -z "$3" ]]; then
12 echo "You need a third argument with publisher or subscriber"
13 exit -1
14else
15 if [[ "$3" == "publisher" ]]; then
16 echo "Publisher"
17 export pub_sub="pub"
18 elif [[ "$3" == "subscriber" ]]; then
19 echo "Subscriber"
20 export pub_sub="sub"
21 else
22 echo "It must be either publisher or subscriber"
23 exit -1
24 fi
25fi
26
27if [[ -z "$4" ]]; then
28 echo "You need a forth argument with lat or thr"
29 exit -1
30else
31 if [[ "$4" == "thr" ]]; then
32 echo "Throughput test"
33 export ${lat_thr}_thr="thr"
34 elif [[ "$4" == "lat" ]]; then
35 echo "Latency test"
36 export ${lat_thr}_thr="lat"
37 else
38 echo "It must be either lat or thr"
39 exit -1
40 fi
41fi
42
43if [[ -z "$5" ]]; then
44 echo "Using default nics"
45 export nic1=172.16.0.1
46 export nic2=172.16.0.2
47else
48 echo "Using custom nic: $5"
49 export nic1=$5
50 export nic2=$5
51fi
52
53export PATH_TO_GOVERNANCE_FILES_FOLDER=/performance/validation/resources/resource/secure
54
55sudo /set_${lat_thr}_mode.sh
56sleep 5
57
58export exec_time=20
59
60export pub_string="-pub \
61 -transport UDPv4 \
62 -nic $nic1 \
63 -noPrint \
64 -noOutputHeaders \
65 -exec $exec_time \
66 -noXML"
67
68if [[ ${lat_thr} == "lat" ]]; then
69 export pub_string="$pub_string \
70 -latencyTest"
71fi
72
73export sub_string="-sub \
74 -transport UDPv4 \
75 -nic $nic2 \
76 -noPrint \
77 -noOutputHeaders \
78 -noXML"
79
80if [[ "$pub_sub" == "pub" ]]; then
81 echo "Publisher side"
82 export commands_string=${pub_string}
83else
84 echo "Subscriber side"
85 export commands_string=${sub_string}
86fi
87
88mkdir -p $output_folder
89
90echo ">> No Security"
91export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_none.csv
92touch $my_file
93
94export extra_args=""
95for index in ${num_reps}; do
96 for DATALEN in ${dataLens}; do
    export command="taskset -c 0 \
      $executable -datalen $DATALEN $commands_string $extra_args"
    echo $command ---- $index
    $command >> $my_file;
    sleep 5;
    export extra_args=" -noOutputHeaders "
  done
done
sleep 5;

cd /performance/validation/resources

echo ">> No Protection"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_no_protection.csv
touch $my_file
export extra_args=""
for index in ${num_reps}; do
  for DATALEN in ${dataLens}; do
    export command="taskset -c 0 \
      $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_.xml $extra_args"
    echo $command ---- $index
    $command >> $my_file;
    sleep 5;
    export extra_args=" -noOutputHeaders "
  done
done
sleep 5;

echo ">> RTPS Sign"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_rtps_sign.csv
touch $my_file
export extra_args=""
for index in ${num_reps}; do
  for DATALEN in ${dataLens}; do
    export command="taskset -c 0 \
      $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSign.xml $extra_args"
    echo $command ---- $index
    $command >> $my_file;
    sleep 5;
    export extra_args=" -noOutputHeaders "
  done
done
sleep 5;

echo ">> RTPS Encrypt"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_rtps_encrypt.csv
touch $my_file
export extra_args=""
for index in ${num_reps}; do
  for DATALEN in ${dataLens}; do
    export command="taskset -c 0 \
      $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSEncrypt.xml $extra_args"
    echo $command ---- $index
    $command >> $my_file;
    sleep 5;
    export extra_args=" -noOutputHeaders "
  done
done
sleep 5;

echo ">> RTPS Sign, Submessage Encrypt"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_rtps_sign_submessage_encrypt.csv
touch $my_file
export extra_args=""
for index in ${num_reps}; do
  for DATALEN in ${dataLens}; do
    export command="taskset -c 0 \
      $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_SignEncryptSubmessage.xml $extra_args"
    echo $command ---- $index
    $command >> $my_file;
    sleep 5;
    export extra_args=" -noOutputHeaders "
  done
done
sleep 5;

echo ">> RTPS Sign, Submessage Encrypt with original auth, Data Encrypt"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_rtps_sign_submessage_encrypt_orig_data_encrypt.csv
touch $my_file
export extra_args=""
for index in ${num_reps}; do
  for DATALEN in ${dataLens}; do
    export command="taskset -c 0 \
      $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSignEncryptSubmessageWithOrigAuthEncryptData.xml $extra_args"
    echo $command ---- $index
    $command >> $my_file;
    sleep 5;
    export extra_args=" -noOutputHeaders "
  done
done
sleep 5;

echo ">> RTPS Sign with Original auth, Data Encrypt"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_rtps_sign_orig_data_encrypt.csv
touch $my_file
export extra_args=""
for index in ${num_reps}; do
  for DATALEN in ${dataLens}; do
    export command="taskset -c 0 \
      $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSignWithOrigAuthEncryptData.xml $extra_args"
    echo $command ---- $index
    $command >> $my_file;
    sleep 5;
    export extra_args=" -noOutputHeaders "
  done
done
sleep 5;
Security Profiles
To test different levels of security, we have selected a well-known set of configurations. These configurations are defined in the Governance files used by RTI Perftest. With them, we have measured the minimum latency and maximum throughput achievable in each scenario. The scenarios are described below.
The profiles we have used are the following:
Not using security libraries
In this scenario, RTI Security Plugins are not used, so the performance is the same as what RTI Connext DDS Professional provides in Unkeyed, UDPv4 10Gbps Network, C++98.
No protection
In this scenario, Security Plugins are enabled but no protection is applied at any level. This scenario, together with the previous one, is used to calibrate the cost of loading Security Plugins even when no security measures are applied.
The governance profile used in this scenario is the following:
<dds>
<domain_access_rules>
<domain_rule>
<domains>
<id_range>
<min>0</min>
</id_range>
</domains>
<allow_unauthenticated_participants>TRUE</allow_unauthenticated_participants>
<enable_join_access_control>FALSE</enable_join_access_control>
<discovery_protection_kind>NONE</discovery_protection_kind>
<liveliness_protection_kind>NONE</liveliness_protection_kind>
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<topic_expression>*</topic_expression>
<enable_discovery_protection>FALSE</enable_discovery_protection>
<enable_read_access_control>FALSE</enable_read_access_control>
<enable_write_access_control>FALSE</enable_write_access_control>
<metadata_protection_kind>NONE</metadata_protection_kind>
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
RTPS ‘Sign’
This scenario sets the rtps_protection_kind to SIGN. This configuration provides protection against outsiders at the lowest cost: RTPS messages are authenticated (integrity only), so their contents are still readable on the wire.
The governance profile used in this scenario is the following:
<dds>
<domain_access_rules>
<domain_rule>
<domains>
<id_range>
<min>0</min>
</id_range>
</domains>
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<enable_join_access_control>false</enable_join_access_control>
<discovery_protection_kind>NONE</discovery_protection_kind>
<liveliness_protection_kind>NONE</liveliness_protection_kind>
<rtps_protection_kind>SIGN</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<topic_expression>*</topic_expression>
<enable_discovery_protection>false</enable_discovery_protection>
<enable_liveliness_protection>false</enable_liveliness_protection>
<enable_read_access_control>false</enable_read_access_control>
<enable_write_access_control>false</enable_write_access_control>
<metadata_protection_kind>NONE</metadata_protection_kind>
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
RTPS ‘Encrypt’
This scenario sets the rtps_protection_kind to ENCRYPT. This configuration is similar to the protection TLS provides.
The governance profile used in this scenario is the following:
<dds>
<domain_access_rules>
<domain_rule>
<domains>
<id_range>
<min>0</min>
</id_range>
</domains>
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<enable_join_access_control>false</enable_join_access_control>
<discovery_protection_kind>NONE</discovery_protection_kind>
<liveliness_protection_kind>NONE</liveliness_protection_kind>
<rtps_protection_kind>ENCRYPT</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<topic_expression>*</topic_expression>
<enable_discovery_protection>false</enable_discovery_protection>
<enable_liveliness_protection>false</enable_liveliness_protection>
<enable_read_access_control>false</enable_read_access_control>
<enable_write_access_control>false</enable_write_access_control>
<metadata_protection_kind>NONE</metadata_protection_kind>
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
RTPS ‘Sign with Original Authentication’ and Data ‘Encrypt’
This scenario sets the rtps_protection_kind to SIGN_WITH_ORIGIN_AUTHENTICATION. It also sets the data_protection_kind to ENCRYPT. This configuration is the common choice for intra-domain protection and confidentiality.
The governance profile used in this scenario is the following:
<dds>
<domain_access_rules>
<domain_rule>
<domains>
<id_range>
<min>0</min>
</id_range>
</domains>
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<enable_join_access_control>false</enable_join_access_control>
<discovery_protection_kind>NONE</discovery_protection_kind>
<liveliness_protection_kind>NONE</liveliness_protection_kind>
<rtps_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<topic_expression>*</topic_expression>
<enable_discovery_protection>false</enable_discovery_protection>
<enable_liveliness_protection>false</enable_liveliness_protection>
<enable_read_access_control>false</enable_read_access_control>
<enable_write_access_control>false</enable_write_access_control>
<metadata_protection_kind>NONE</metadata_protection_kind>
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
RTPS ‘Sign,’ Submessage ‘Encrypt with Original Authentication,’ and Data ‘Encrypt’
This scenario sets the rtps_protection_kind to SIGN. It also sets the data_protection_kind to ENCRYPT and the metadata_protection_kind to ENCRYPT_WITH_ORIGIN_AUTHENTICATION. This configuration offers the most robust protection.
The governance profile used in this scenario is the following:
<?xml version="1.0" encoding="UTF-8"?>
<dds>
<domain_access_rules>
<domain_rule>
<domains>
<id_range>
<min>0</min>
</id_range>
</domains>
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<enable_join_access_control>false</enable_join_access_control>
<discovery_protection_kind>NONE</discovery_protection_kind>
<liveliness_protection_kind>NONE</liveliness_protection_kind>
<rtps_protection_kind>SIGN</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<topic_expression>*</topic_expression>
<enable_discovery_protection>false</enable_discovery_protection>
<enable_liveliness_protection>false</enable_liveliness_protection>
<enable_read_access_control>false</enable_read_access_control>
<enable_write_access_control>false</enable_write_access_control>
<metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
RTPS ‘Sign,’ Submessage ‘Encrypt’
This scenario sets the rtps_protection_kind to SIGN. It also sets the metadata_protection_kind to ENCRYPT. This configuration provides user data confidentiality (with protection against insiders) while keeping Wireshark capabilities.
The governance profile used in this scenario is the following:
<?xml version="1.0" encoding="UTF-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="dds_security_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<id_range>
<min>0</min>
</id_range>
</domains>
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<enable_join_access_control>false</enable_join_access_control>
<discovery_protection_kind>NONE</discovery_protection_kind>
<liveliness_protection_kind>NONE</liveliness_protection_kind>
<rtps_protection_kind>SIGN</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<topic_expression>*</topic_expression>
<enable_discovery_protection>false</enable_discovery_protection>
<enable_liveliness_protection>false</enable_liveliness_protection>
<enable_read_access_control>false</enable_read_access_control>
<enable_write_access_control>false</enable_write_access_control>
<!-- submessage-level encryption already covers the serialized payload -->
<metadata_protection_kind>ENCRYPT</metadata_protection_kind>
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
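As an added example that is not part of the RTI documentation or of the Perftest project, the following Python (standard library only) audits a governance file in the format shown in the profiles above: it reports the protection kind configured at each level, flags allow_unauthenticated_participants, rejects any protection kind that is not one of the schema's values, and states whether the resulting profile gives confidentiality or only integrity. The sample file embedded in it is constructed for the example.

```python
# Added example (not RTI's code): audit a DDS Security governance file of the
# kind shown in the profiles above and report what it actually protects.
import xml.etree.ElementTree as ET

# Legal values of every *_protection_kind element in the governance schema.
PROTECTION_KINDS = {"NONE", "SIGN", "ENCRYPT", "SIGN_WITH_ORIGIN_AUTHENTICATION",
                    "ENCRYPT_WITH_ORIGIN_AUTHENTICATION"}
DOMAIN_KINDS, TOPIC_KINDS = ("discovery", "liveliness", "rtps"), ("metadata", "data")


def _is_true(text):
    """Governance files in the wild use both TRUE/FALSE and true/false."""
    return (text or "").strip().lower() == "true"


def audit_governance(xml_text):
    """Return (kinds, findings): the protection kind per level for the first
    domain_rule/topic_rule pair, and the issues a reviewer should look at."""
    rule = ET.fromstring(xml_text).find(".//domain_rule")
    topic = rule.find(".//topic_rule")
    kinds = {k: rule.findtext(f"{k}_protection_kind", "NONE").strip() for k in DOMAIN_KINDS}
    kinds.update({k: topic.findtext(f"{k}_protection_kind", "NONE").strip() for k in TOPIC_KINDS})
    findings = []
    if _is_true(rule.findtext("allow_unauthenticated_participants")):
        findings.append("unauthenticated participants allowed")
    findings += [f"invalid {k}_protection_kind: {v}" for k, v in kinds.items()
                 if v not in PROTECTION_KINDS]
    # Confidentiality needs ENCRYPT at the RTPS, submessage (metadata) or
    # payload (data) level; the SIGN variants only give integrity/origin auth.
    wire = [kinds["rtps"], kinds["metadata"], kinds["data"]]
    if not any(v.startswith("ENCRYPT") for v in wire):
        findings.append("user data is sent in clear text")
    if all(v == "NONE" for v in wire):
        findings.append("no integrity protection on the wire")
    return kinds, findings


# Constructed sample (not a file from the page) in the style of the profiles
# above, with one misspelt protection kind so the schema check fires.
SAMPLE = """<dds><domain_access_rules><domain_rule>
<domains><id_range><min>0</min></id_range></domains>
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<enable_join_access_control>false</enable_join_access_control>
<discovery_protection_kind>NONE</discovery_protection_kind>
<liveliness_protection_kind>NONE</liveliness_protection_kind>
<rtps_protection_kind>SIGN</rtps_protection_kind>
<topic_access_rules><topic_rule><topic_expression>*</topic_expression>
<metadata_protection_kind>ENCRYPT_WITH_ORIGINAL_AUTHENTICATION</metadata_protection_kind>
<data_protection_kind>NONE</data_protection_kind>
</topic_rule></topic_access_rules></domain_rule></domain_access_rules></dds>"""
```

Run it over the signed governance files the script above passes with -secureGovernanceFile to confirm each profile protects what its name claims before trusting the latency numbers for that profile.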
Test Hardware
The following hardware was used to perform these tests:
Linux Nodes
Processor: Intel® Xeon® E-2186G 3.8GHz, 12M cache, 6C/12T, turbo (95W)
RAM: 16GB 2666MT/s DDR4 ECC UDIMM
NIC 1: Intel X550 Dual Port 10GbE BASE-T Adapter, PCIe Full Height
NIC 2: Intel Ethernet I350 Dual Port 1GbE BASE-T Adapter, PCIe Low Profile
OS: Ubuntu 18.04 -- gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
Switch
Dell Networking S4048T-ON, 48x 10GBASE-T and 6x 40GbE QSFP+ ports, IO to PSU air, 2x AC PSU, OS9