2.1. Network Performance for Security

The following one-to-one tests have been performed by executing an RTI Perftest C++98 Publisher and Subscriber between two nodes, connected to a switch via Ethernet. The communication has been restricted to a single interface and the transport has been set to UDPv4.

These tests are equivalent to the ones performed in the RTI Connext DDS Professional UDPv4 section (Unkeyed, UDPv4 10Gbps Network, C++98), but additionally enabling different Security Profiles.

Find information about the hardware, network, and command-line parameters after each of the tests.

The graph below shows the one-way latency without load between a Publisher and a Subscriber running on two Linux nodes in a 10Gbps network. The numbers were taken with strict reliability for each of the Security Profiles (described below).

Note

We use the median (50th percentile) instead of the average in order to get a more stable measurement that does not account for spurious outliers. We also calculate the average value and other percentile values, which can be seen in the Detailed Statistics section below.

Detailed Statistics

The following tables contain the raw numbers presented by RTI Perftest. These numbers are the exact output with no further processing.

  • Not using security libraries

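| Sample Size (Bytes) | Ave (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs) |
|---|---|---|---|---|---|---|---|---|---|
| 32 | 20 | 1.1 | 19 | 89 | 20 | 21 | 26 | 50 | 89 |
| 64 | 20 | 1.2 | 19 | 76 | 20 | 21 | 26 | 50 | 76 |
| 128 | 21 | 1.2 | 20 | 87 | 20 | 21 | 27 | 50 | 87 |
| 256 | 21 | 1.2 | 20 | 62 | 21 | 21 | 27 | 51 | 62 |
| 512 | 22 | 1.0 | 21 | 76 | 21 | 22 | 25 | 50 | 76 |
| 1024 | 23 | 1.2 | 22 | 79 | 23 | 24 | 30 | 53 | 79 |
| 2048 | 26 | 1.2 | 25 | 76 | 26 | 26 | 33 | 55 | 76 |
| 4096 | 32 | 1.1 | 31 | 80 | 32 | 33 | 36 | 61 | 80 |
| 8192 | 45 | 1.0 | 43 | 96 | 45 | 46 | 49 | 74 | 96 |
| 16384 | 55 | 1.0 | 54 | 101 | 55 | 56 | 58 | 84 | 101 |
| 32768 | 74 | 1.1 | 73 | 130 | 74 | 74 | 77 | 109 | 130 |
| 63000 | 110 | 1.8 | 108 | 172 | 109 | 111 | 116 | 145 | 172 |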

  • No protection

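| Sample Size (Bytes) | Ave (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs) |
|---|---|---|---|---|---|---|---|---|---|
| 32 | 20 | 1.1 | 19 | 74 | 20 | 20 | 24 | 49 | 74 |
| 64 | 20 | 1.0 | 19 | 72 | 20 | 20 | 24 | 50 | 72 |
| 128 | 20 | 1.1 | 19 | 72 | 20 | 21 | 24 | 50 | 72 |
| 256 | 21 | 1.1 | 20 | 73 | 21 | 21 | 25 | 51 | 73 |
| 512 | 22 | 1.2 | 21 | 78 | 21 | 22 | 28 | 51 | 78 |
| 1024 | 23 | 1.1 | 22 | 84 | 23 | 24 | 27 | 53 | 84 |
| 2048 | 26 | 1.1 | 25 | 78 | 26 | 26 | 30 | 56 | 78 |
| 4096 | 33 | 1.4 | 31 | 78 | 32 | 33 | 39 | 62 | 78 |
| 8192 | 45 | 1.2 | 44 | 95 | 45 | 46 | 51 | 74 | 95 |
| 16384 | 56 | 1.1 | 54 | 96 | 55 | 56 | 59 | 84 | 96 |
| 32768 | 74 | 1.3 | 72 | 106 | 73 | 74 | 80 | 102 | 106 |
| 63000 | 110 | 2.1 | 108 | 164 | 109 | 111 | 117 | 143 | 164 |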

  • RTPS Sign

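| Sample Size (Bytes) | Ave (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs) |
|---|---|---|---|---|---|---|---|---|---|
| 32 | 24 | 1.1 | 23 | 78 | 23 | 24 | 28 | 53 | 78 |
| 64 | 24 | 1.2 | 23 | 80 | 24 | 24 | 29 | 54 | 80 |
| 128 | 24 | 1.2 | 23 | 78 | 24 | 25 | 30 | 54 | 78 |
| 256 | 25 | 1.3 | 24 | 77 | 24 | 25 | 31 | 55 | 77 |
| 512 | 25 | 1.2 | 24 | 81 | 25 | 26 | 30 | 55 | 81 |
| 1024 | 27 | 1.2 | 26 | 85 | 27 | 28 | 32 | 57 | 85 |
| 2048 | 30 | 1.3 | 29 | 73 | 30 | 31 | 37 | 60 | 73 |
| 4096 | 37 | 1.2 | 36 | 97 | 37 | 38 | 43 | 66 | 97 |
| 8192 | 50 | 1.1 | 49 | 125 | 50 | 51 | 53 | 79 | 125 |
| 16384 | 63 | 1.1 | 61 | 120 | 63 | 63 | 67 | 91 | 120 |
| 32768 | 85 | 1.2 | 84 | 128 | 85 | 86 | 90 | 115 | 128 |
| 63000 | 128 | 2.3 | 126 | 194 | 127 | 129 | 138 | 165 | 194 |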

  • RTPS Encrypt

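| Sample Size (Bytes) | Ave (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs) |
|---|---|---|---|---|---|---|---|---|---|
| 32 | 24 | 1.3 | 23 | 79 | 24 | 25 | 31 | 54 | 79 |
| 64 | 24 | 1.3 | 23 | 81 | 24 | 25 | 31 | 54 | 81 |
| 128 | 24 | 1.2 | 24 | 76 | 24 | 25 | 29 | 54 | 76 |
| 256 | 25 | 1.3 | 24 | 81 | 25 | 26 | 32 | 55 | 81 |
| 512 | 26 | 1.3 | 25 | 82 | 26 | 27 | 33 | 56 | 82 |
| 1024 | 28 | 1.3 | 27 | 84 | 27 | 28 | 34 | 57 | 84 |
| 2048 | 31 | 1.3 | 30 | 88 | 30 | 31 | 36 | 60 | 88 |
| 4096 | 39 | 1.3 | 37 | 94 | 39 | 40 | 44 | 68 | 94 |
| 8192 | 53 | 1.3 | 51 | 97 | 52 | 53 | 59 | 81 | 97 |
| 16384 | 66 | 1.2 | 65 | 127 | 66 | 67 | 72 | 95 | 127 |
| 32768 | 92 | 1.8 | 90 | 127 | 91 | 92 | 99 | 121 | 127 |
| 63000 | 140 | 2.6 | 137 | 198 | 139 | 144 | 150 | 172 | 198 |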

  • RTPS Sign with Original Auth, Data Encrypt

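| Sample Size (Bytes) | Ave (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs) |
|---|---|---|---|---|---|---|---|---|---|
| 32 | 29 | 1.4 | 28 | 79 | 29 | 30 | 36 | 59 | 79 |
| 64 | 29 | 1.4 | 28 | 85 | 29 | 30 | 36 | 59 | 85 |
| 128 | 30 | 1.5 | 29 | 92 | 29 | 30 | 37 | 60 | 92 |
| 256 | 30 | 1.4 | 29 | 97 | 30 | 30 | 37 | 60 | 97 |
| 512 | 31 | 1.3 | 30 | 87 | 31 | 31 | 38 | 61 | 87 |
| 1024 | 33 | 1.4 | 32 | 90 | 32 | 33 | 39 | 63 | 90 |
| 2048 | 36 | 1.4 | 35 | 92 | 36 | 37 | 42 | 66 | 92 |
| 4096 | 45 | 1.2 | 43 | 100 | 45 | 45 | 49 | 74 | 100 |
| 8192 | 59 | 1.2 | 57 | 114 | 58 | 59 | 63 | 88 | 114 |
| 16384 | 74 | 1.4 | 73 | 140 | 74 | 75 | 81 | 105 | 140 |
| 32768 | 102 | 1.6 | 101 | 161 | 102 | 103 | 110 | 134 | 161 |
| 63000 | 156 | 2.6 | 153 | 227 | 155 | 158 | 166 | 193 | 227 |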

  • RTPS Sign, Submessage Encrypt with Original Auth, Data Encrypt

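| Sample Size (Bytes) | Ave (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs) |
|---|---|---|---|---|---|---|---|---|---|
| 32 | 31 | 1.4 | 30 | 89 | 31 | 32 | 38 | 61 | 89 |
| 64 | 32 | 1.4 | 30 | 88 | 31 | 32 | 38 | 62 | 88 |
| 128 | 32 | 1.5 | 31 | 90 | 32 | 33 | 39 | 62 | 90 |
| 256 | 33 | 1.5 | 31 | 96 | 32 | 33 | 40 | 63 | 96 |
| 512 | 34 | 1.6 | 32 | 97 | 33 | 34 | 41 | 64 | 97 |
| 1024 | 36 | 1.6 | 34 | 96 | 35 | 36 | 43 | 66 | 96 |
| 2048 | 40 | 1.7 | 38 | 96 | 40 | 41 | 48 | 70 | 96 |
| 4096 | 49 | 1.6 | 46 | 106 | 49 | 49 | 56 | 79 | 106 |
| 8192 | 64 | 1.2 | 62 | 103 | 64 | 65 | 70 | 94 | 103 |
| 16384 | 83 | 1.4 | 81 | 124 | 83 | 84 | 90 | 117 | 124 |
| 32768 | 117 | 1.7 | 115 | 165 | 117 | 118 | 125 | 152 | 165 |
| 63000 | 183 | 2.9 | 181 | 269 | 182 | 188 | 193 | 223 | 269 |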

  • RTPS Sign, Submessage Encrypt

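| Sample Size (Bytes) | Ave (μs) | Std (μs) | Min (μs) | Max (μs) | 50% (μs) | 90% (μs) | 99% (μs) | 99.99% (μs) | 99.9999% (μs) |
|---|---|---|---|---|---|---|---|---|---|
| 32 | 27 | 1.4 | 25 | 83 | 26 | 27 | 33 | 57 | 83 |
| 64 | 26 | 1.2 | 25 | 76 | 26 | 27 | 32 | 56 | 76 |
| 128 | 27 | 1.3 | 26 | 85 | 27 | 28 | 34 | 58 | 85 |
| 256 | 28 | 1.3 | 26 | 92 | 27 | 28 | 34 | 57 | 92 |
| 512 | 29 | 1.3 | 27 | 95 | 28 | 29 | 33 | 59 | 95 |
| 1024 | 30 | 1.3 | 29 | 88 | 30 | 31 | 37 | 61 | 88 |
| 2048 | 34 | 1.4 | 32 | 91 | 33 | 34 | 41 | 63 | 91 |
| 4096 | 42 | 1.2 | 40 | 99 | 42 | 43 | 47 | 71 | 99 |
| 8192 | 56 | 1.1 | 55 | 107 | 56 | 57 | 59 | 85 | 107 |
| 16384 | 72 | 1.2 | 71 | 110 | 72 | 73 | 77 | 102 | 110 |
| 32768 | 101 | 1.6 | 99 | 145 | 100 | 101 | 108 | 138 | 145 |
| 63000 | 155 | 2.9 | 152 | 228 | 154 | 161 | 165 | 194 | 228 |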


Perftest Scripts

To produce these tests, we executed RTI Perftest for C++98. The script used to execute the tests can be found here:

#!/bin/bash
# Usage: <executable> <output_folder> publisher|subscriber lat|thr [nic]

echo EXECUTABLE IS $1
export executable=$1

echo OUTPUT PATH IS $2
export output_folder=$2
export pub_sub="pub"
export lat_thr="lat"
export num_reps="1 2 3 4"
export dataLens="32 64 128 256 512 1024 2048 4096 8192 16384 32768 63000"

# Third argument: which side of the test this node runs.
if [[ -z "$3" ]]; then
    echo "You need a third argument with publisher or subscriber"
    exit 1
else
    if [[ "$3" == "publisher" ]]; then
        echo "Publisher"
        export pub_sub="pub"
    elif [[ "$3" == "subscriber" ]]; then
        echo "Subscriber"
        export pub_sub="sub"
    else
        echo "It must be either publisher or subscriber"
        exit 1
    fi
fi

# Fourth argument: latency or throughput test.
if [[ -z "$4" ]]; then
    echo "You need a fourth argument with lat or thr"
    exit 1
else
    if [[ "$4" == "thr" ]]; then
        echo "Throughput test"
        export lat_thr="thr"
    elif [[ "$4" == "lat" ]]; then
        echo "Latency test"
        export lat_thr="lat"
    else
        echo "It must be either lat or thr"
        exit 1
    fi
fi

# Optional fifth argument: interface address used by both sides.
if [[ -z "$5" ]]; then
    echo "Using default nics"
    export nic1=172.16.0.1
    export nic2=172.16.0.2
else
    echo "Using custom nic: $5"
    export nic1=$5
    export nic2=$5
fi

export PATH_TO_GOVERNANCE_FILES_FOLDER=/performance/validation/resources/resource/secure

sudo /set_${lat_thr}_mode.sh
sleep 5

export exec_time=20

export pub_string="-pub \
        -transport UDPv4 \
        -nic $nic1 \
        -noPrint \
        -noOutputHeaders \
        -exec $exec_time \
        -noXML"

if [[ ${lat_thr} == "lat" ]]; then
    export pub_string="$pub_string \
        -latencyTest"
fi

export sub_string="-sub \
        -transport UDPv4 \
        -nic $nic2 \
        -noPrint \
        -noOutputHeaders \
        -noXML"

if [[ "$pub_sub" == "pub" ]]; then
    echo "Publisher side"
    export commands_string=${pub_string}
else
    echo "Subscriber side"
    export commands_string=${sub_string}
fi

mkdir -p $output_folder

# Each block below runs every data length num_reps times for one security
# profile and appends the results to that profile's CSV file.
echo ">> No Security"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_none.csv
touch $my_file

export extra_args=""
for index in ${num_reps}; do
    for DATALEN in ${dataLens}; do
        export command="taskset -c 0 \
        $executable -datalen $DATALEN $commands_string $extra_args"
        echo $command ---- $index
        $command >> $my_file;
        sleep 5;
        export extra_args=" -noOutputHeaders "
    done
done
sleep 5;

cd /performance/validation/resources

echo ">> No Protection"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_no_protection.csv
touch $my_file
export extra_args=""
for index in ${num_reps}; do
    for DATALEN in ${dataLens}; do
        export command="taskset -c 0 \
        $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_.xml $extra_args"
        echo $command ---- $index
        $command >> $my_file;
        sleep 5;
        export extra_args=" -noOutputHeaders "
    done
done
sleep 5;

echo ">> RTPS Sign"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_rtps_sign.csv
touch $my_file
export extra_args=""
for index in ${num_reps}; do
    for DATALEN in ${dataLens}; do
        export command="taskset -c 0 \
        $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSign.xml $extra_args"
        echo $command ---- $index
        $command >> $my_file;
        sleep 5;
        export extra_args=" -noOutputHeaders "
    done
done
sleep 5;

echo ">> RTPS Encrypt"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_rtps_encrypt.csv
touch $my_file
export extra_args=""
for index in ${num_reps}; do
    for DATALEN in ${dataLens}; do
        export command="taskset -c 0 \
        $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSEncrypt.xml $extra_args"
        echo $command ---- $index
        $command >> $my_file;
        sleep 5;
        export extra_args=" -noOutputHeaders "
    done
done
sleep 5;

echo ">> RTPS Sign, Submessage Encrypt"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_rtps_sign_submessage_encrypt.csv
touch $my_file
export extra_args=""
for index in ${num_reps}; do
    for DATALEN in ${dataLens}; do
        export command="taskset -c 0 \
        $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_SignEncryptSubmessage.xml $extra_args"
        echo $command ---- $index
        $command >> $my_file;
        sleep 5;
        export extra_args=" -noOutputHeaders "
    done
done
sleep 5;

echo ">> RTPS Sign, Submessage Encrypt with original auth, Data Encrypt"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_rtps_sign_submessage_encrypt_orig_data_encrypt.csv
touch $my_file
export extra_args=""
for index in ${num_reps}; do
    for DATALEN in ${dataLens}; do
        export command="taskset -c 0 \
        $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSignEncryptSubmessageWithOrigAuthEncryptData.xml $extra_args"
        echo $command ---- $index
        $command >> $my_file;
        sleep 5;
        export extra_args=" -noOutputHeaders "
    done
done
sleep 5;

echo ">> RTPS Sign with Original auth, Data Encrypt"
export my_file=$output_folder/${lat_thr}_${pub_sub}_unkeyed_rel_security_rtps_sign_orig_data_encrypt.csv
touch $my_file
export extra_args=""
for index in ${num_reps}; do
    for DATALEN in ${dataLens}; do
        export command="taskset -c 0 \
        $executable -datalen $DATALEN $commands_string -secureGovernanceFile $PATH_TO_GOVERNANCE_FILES_FOLDER/signed_PerftestGovernance_RTPSSignWithOrigAuthEncryptData.xml $extra_args"
        echo $command ---- $index
        $command >> $my_file;
        sleep 5;
        export extra_args=" -noOutputHeaders "
    done
done
sleep 5;

Security Profiles

To test different levels of security, we have selected a well-known set of configurations. These configurations have been defined in the Governance files used by RTI Perftest. With these configurations, we have tested the minimum latency and maximum throughput achievable in different scenarios. The scenarios are described below.

The profiles we have used are the following:

  • Not using security libraries

In this scenario, RTI Security Plugins is not being used, therefore the performance is the same as what RTI Connext DDS Professional provides in Unkeyed, UDPv4 10Gbps Network, C++98.

  • No protection

In this scenario, Security Plugins are enabled but no protection is provided at any level. This, as well as the previous scenario, is used as a way to calibrate the impact of using Security Plugins even when no security measures are applied.

The governance profile used in this scenario is the following:

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>TRUE</allow_unauthenticated_participants>
        <enable_join_access_control>FALSE</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>NONE</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>FALSE</enable_discovery_protection>
            <enable_read_access_control>FALSE</enable_read_access_control>
            <enable_write_access_control>FALSE</enable_write_access_control>
            <metadata_protection_kind>NONE</metadata_protection_kind>
            <data_protection_kind>NONE</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>

  • RTPS ‘Sign’

This scenario sets the rtps_protection_kind to SIGN. This configuration provides protection against outsiders at the lowest cost.

The governance profile used in this scenario is the following:

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
        <enable_join_access_control>false</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>SIGN</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>false</enable_discovery_protection>
            <enable_liveliness_protection>false</enable_liveliness_protection>
            <enable_read_access_control>false</enable_read_access_control>
            <enable_write_access_control>false</enable_write_access_control>
            <metadata_protection_kind>NONE</metadata_protection_kind>
            <data_protection_kind>NONE</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>

  • RTPS ‘Encrypt’

This scenario sets the rtps_protection_kind to ENCRYPT. This configuration is similar to the protection TLS provides.

The governance profile used in this scenario is the following:

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
        <enable_join_access_control>false</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>ENCRYPT</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>false</enable_discovery_protection>
            <enable_liveliness_protection>false</enable_liveliness_protection>
            <enable_read_access_control>false</enable_read_access_control>
            <enable_write_access_control>false</enable_write_access_control>
            <metadata_protection_kind>NONE</metadata_protection_kind>
            <data_protection_kind>NONE</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>

  • RTPS ‘Sign with Original Authentication’ and Data ‘Encrypt’

This scenario sets the rtps_protection_kind to SIGN_WITH_ORIGIN_AUTHENTICATION. It also sets the data_protection_kind to ENCRYPT. This configuration is the common choice for intra-domain protection and confidentiality.

The governance profile used in this scenario is the following:

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
        <enable_join_access_control>false</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>false</enable_discovery_protection>
            <enable_liveliness_protection>false</enable_liveliness_protection>
            <enable_read_access_control>false</enable_read_access_control>
            <enable_write_access_control>false</enable_write_access_control>
            <metadata_protection_kind>NONE</metadata_protection_kind>
            <data_protection_kind>ENCRYPT</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>

  • RTPS ‘Sign,’ Submessage ‘Encrypt with Original Authentication,’ and Data ‘Encrypt’

This scenario sets the rtps_protection_kind to SIGN. It also sets the data_protection_kind to ENCRYPT and the metadata_protection_kind to ENCRYPT_WITH_ORIGIN_AUTHENTICATION. This configuration offers the most robust protection.

The governance profile used in this scenario is the following:

<?xml version="1.0" encoding="UTF-8"?>

<dds>
    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
        <enable_join_access_control>false</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>SIGN</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>false</enable_discovery_protection>
            <enable_liveliness_protection>false</enable_liveliness_protection>
            <enable_read_access_control>false</enable_read_access_control>
            <enable_write_access_control>false</enable_write_access_control>
            <metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
            <data_protection_kind>ENCRYPT</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>

  • RTPS ‘Sign,’ Submessage ‘Encrypt’

This scenario sets the rtps_protection_kind to SIGN. It also sets the metadata_protection_kind to ENCRYPT. This configuration allows user data confidentiality (with insiders protection) while keeping Wireshark capabilities.

The governance profile used in this scenario is the following:

<?xml version="1.0" encoding="UTF-8"?>

<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="dds_security_governance.xsd">

    <domain_access_rules>
      <domain_rule>
        <domains>
          <id_range>
            <min>0</min>
          </id_range>
        </domains>
        <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
        <enable_join_access_control>false</enable_join_access_control>
        <discovery_protection_kind>NONE</discovery_protection_kind>
        <liveliness_protection_kind>NONE</liveliness_protection_kind>
        <rtps_protection_kind>SIGN</rtps_protection_kind>
        <topic_access_rules>
          <topic_rule>
            <topic_expression>*</topic_expression>
            <enable_discovery_protection>false</enable_discovery_protection>
            <enable_liveliness_protection>false</enable_liveliness_protection>
            <enable_read_access_control>false</enable_read_access_control>
            <enable_write_access_control>false</enable_write_access_control>
            <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
            <data_protection_kind>ENCRYPT</data_protection_kind>
          </topic_rule>
        </topic_access_rules>
      </domain_rule>
    </domain_access_rules>
</dds>
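
The governance file decides which of these protections are actually switched on, and a misspelled protection kind or a setting left over from benchmarking is easy to miss in review. The following is an added example, not part of RTI Perftest or of the original page: it audits a governance document in its unsigned XML form. The function names, the finding texts and the abridged sample built by profile() are constructed for illustration, and boolean values are assumed to be matched case-insensitively.

```python
import xml.etree.ElementTree as ET

# Protection kinds defined by the DDS Security governance schema.
BASIC = {"NONE", "SIGN", "ENCRYPT"}
FULL = BASIC | {"SIGN_WITH_ORIGIN_AUTHENTICATION",
                "ENCRYPT_WITH_ORIGIN_AUTHENTICATION"}
KIND_FIELDS = dict.fromkeys(
    ("discovery_protection_kind", "liveliness_protection_kind",
     "rtps_protection_kind", "metadata_protection_kind"), FULL)
KIND_FIELDS["data_protection_kind"] = BASIC  # no origin-authentication variants
ENCRYPTING = {"ENCRYPT", "ENCRYPT_WITH_ORIGIN_AUTHENTICATION"}

def _text(node, tag, default=""):
    return (node.findtext(tag) or default).strip()

def _flag(node, tag):
    # Assumption: booleans are matched case-insensitively (TRUE, true, 1).
    return _text(node, tag).lower() in ("true", "1")

def audit_governance(xml_text):
    """Return findings for every domain_rule in an unsigned governance document."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("domain_rule"):
        # 1. Values the schema does not define (for example a misspelled kind).
        for elem in rule.iter():
            allowed = KIND_FIELDS.get(elem.tag)
            value = (elem.text or "").strip()
            if allowed is not None and value not in allowed:
                findings.append(f"invalid {elem.tag}: {value}")
        # 2. Domain-wide posture.
        if _flag(rule, "allow_unauthenticated_participants"):
            findings.append("unauthenticated participants allowed")
        if not _flag(rule, "enable_join_access_control"):
            findings.append("join access control disabled")
        rtps = _text(rule, "rtps_protection_kind", "NONE")
        if rtps == "NONE":
            findings.append("RTPS messages neither signed nor encrypted")
        # 3. Per-topic posture: is the payload encrypted at any layer?
        for topic in rule.iter("topic_rule"):
            name = _text(topic, "topic_expression")
            layers = {rtps, _text(topic, "metadata_protection_kind"),
                      _text(topic, "data_protection_kind")}
            if not layers & ENCRYPTING:
                findings.append(f"topic {name}: payload not encrypted at any layer")
            if not (_flag(topic, "enable_read_access_control")
                    and _flag(topic, "enable_write_access_control")):
                findings.append(f"topic {name}: read/write access control disabled")
    return findings

def profile(rtps, metadata, data, unauth="false"):
    """Constructed, abridged sample using the element names of the profiles above."""
    return f"""<dds><domain_access_rules><domain_rule>
      <domains><id_range><min>0</min></id_range></domains>
      <allow_unauthenticated_participants>{unauth}</allow_unauthenticated_participants>
      <enable_join_access_control>false</enable_join_access_control>
      <rtps_protection_kind>{rtps}</rtps_protection_kind>
      <topic_access_rules><topic_rule>
        <topic_expression>*</topic_expression>
        <enable_read_access_control>false</enable_read_access_control>
        <enable_write_access_control>false</enable_write_access_control>
        <metadata_protection_kind>{metadata}</metadata_protection_kind>
        <data_protection_kind>{data}</data_protection_kind>
      </topic_rule></topic_access_rules>
    </domain_rule></domain_access_rules></dds>"""

if __name__ == "__main__":
    print(audit_governance(profile("SIGN", "NONE", "NONE")))
```

Every profile used for these measurements leaves join and topic access control disabled, so those two findings appear for all of them; the remaining findings are what separates one profile from another.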

Test Hardware

The following hardware was used to perform these tests:

Linux Nodes

Processor: Intel® Xeon® E-2186G 3.8GHz, 12M cache, 6C/12T, turbo (95W)
RAM: 16GB 2666MT/s DDR4 ECC UDIMM
NIC 1: Intel X550 Dual Port 10GbE BASE-T Adapter, PCIe Full Height
NIC 2: Intel Ethernet I350 Dual Port 1GbE BASE-T Adapter, PCIe Low Profile
OS: Ubuntu 18.04 -- gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0

Switch

Dell Networking S4048T-ON, 48x 10GBASE-T and 6x 40GbE QSFP+ ports, IO to PSU air, 2x AC PSU, OS9