A. Wireshark capture before encryption
First, the RTPS Protocol field shows a Vendor ID identifying PrismTech's OpenSplice,
so simply checking this ID is enough to know the traffic is PT's DDS.
Taking the RoundTrip sample code as an example,
the packet carries the Topic Name, Partition Name, Topic Type and similar information in cleartext.
(In the right-hand figure) even the Topic's fields are readable (the EDAQ Scan Device Topic is used as the example).
(In the left-hand figure) in the RoundTrip sample, every payload is a run of repeated 'k' characters.
(In the right-hand figure) the IP and MAC data sent by the EDAQ Scan Device Topic are all visible.
In other words, the data itself is string-typed and is trivially readable on the wire.
B. Wireshark capture after encryption
After DDSI encryption, the Vendor ID and Topic headers still cannot be hidden,
but the actual data payload is encrypted.
The figure below shows the scrambled bytes after encryption; the packet is also somewhat longer.
C. How to enable security in VortexLite
The following steps must be done on both the reader side and the writer side.
1. Modify the XML file
Using the roundTrip sample as the example:
in PartitionMappings, fill in the partition and topic name (i.e. ping.RoundTrip and pong.RoundTrip in the config below).
When VortexLite processes data, it encrypts and decrypts according to this mapping.
Lite provides four ciphers: aes128, aes192, aes256 and blowfish.
<DDSI2E>
  <Security>
    <SecurityProfile Cipher="aes128" CipherKey="ABCDEFABCDEFABCDABCDEFABCDEFABCD" Name="Security1"/>
    <SecurityProfile Cipher="aes128" CipherKey="ABCDEFABCDEFABCDABCDEFABCDEFABCF" Name="Security2"/>
  </Security>
  <Partitioning>
    <NetworkPartitions>
      <NetworkPartition Address="224.0.0.1" Name="part_1" SecurityProfile="Security1"/>
      <NetworkPartition Address="224.0.0.2" Name="part_2" SecurityProfile="Security2"/>
    </NetworkPartitions>
    <PartitionMappings>
      <PartitionMapping DCPSPartitionTopic="ping.RoundTrip" NetworkPartition="part_1"/>
      <PartitionMapping DCPSPartitionTopic="pong.RoundTrip" NetworkPartition="part_2"/>
    </PartitionMappings>
  </Partitioning>
</DDSI2E>
2. Install the OpenSSL library
sudo apt-get install libssl-dev
3. Modify the source code and rebuild
dds_ssl_plugin must be called before dds_init:
dds_ssl_plugin();   /* load the SSL plugin first */
dds_init();         /* then initialise DDS as usual */
Add dds_ssl and ssl to the libraries the Makefile links (i.e. -ldds_ssl -lssl),
then run make again.
D. How to enable security in VortexOpenSplice
1. Modify the XML file
<OpenSplice>
  <Domain>
    <Name>ospl_shmem_secure_ddsi</Name>
    <Id>0</Id>
    <Description>Federated deployment using shared-memory and extended DDSI networking.</Description>
    <Database>
      <Size>10485760</Size>
    </Database>
    <Service name="ddsi2e">
      <Command>ddsi2e</Command>
    </Service>
    <Service name="durability">
      <Command>durability</Command>
    </Service>
    <Service name="cmsoap">
      <Command>cmsoap</Command>
    </Service>
  </Domain>
  <DDSI2EService name="ddsi2e">
    <General>
      <NetworkInterfaceAddress>AUTO</NetworkInterfaceAddress>
      <AllowMulticast>true</AllowMulticast>
      <EnableMulticastLoopback>true</EnableMulticastLoopback>
      <CoexistWithNativeNetworking>false</CoexistWithNativeNetworking>
    </General>
    <Compatibility>
      <StandardsConformance>lax</StandardsConformance>
    </Compatibility>
    <Security>
      <SecurityProfile Cipher="blowfish" CipherKey="ABCDEFABCDEFABCDABCDEFABCDEFABCD" Name="Security1"/>
      <SecurityProfile Cipher="blowfish" CipherKey="ABCDEFABCDEFABCDABCDEFABCDEFABCF" Name="Security2"/>
    </Security>
    <Partitioning>
      <NetworkPartitions>
        <NetworkPartition Address="224.0.0.1" Name="part1" SecurityProfile="Security1"/>
        <NetworkPartition Address="224.0.0.2" Name="part2" SecurityProfile="Security2"/>
      </NetworkPartitions>
      <PartitionMappings>
        <PartitionMapping DCPSPartitionTopic="ping.RoundTrip" NetworkPartition="part1"/>
        <PartitionMapping DCPSPartitionTopic="pong.RoundTrip" NetworkPartition="part2"/>
      </PartitionMappings>
    </Partitioning>
  </DDSI2EService>
  <DurabilityService name="durability">
    <ClientDurability enabled="true"/>
    <Network>
      <Alignment>
        <TimeAlignment>false</TimeAlignment>
        <RequestCombinePeriod>
          <Initial>2.5</Initial>
          <Operational>0.1</Operational>
        </RequestCombinePeriod>
      </Alignment>
      <WaitForAttachment maxWaitCount="100">
        <ServiceName>ddsi2e</ServiceName>
      </WaitForAttachment>
    </Network>
    <NameSpaces>
      <NameSpace name="defaultNamespace">
        <Partition>*</Partition>
      </NameSpace>
      <Policy alignee="Initial" aligner="true" durability="Durable" nameSpace="defaultNamespace"/>
    </NameSpaces>
  </DurabilityService>
  <TunerService name="cmsoap">
    <Server>
      <PortNr>50000</PortNr>
    </Server>
  </TunerService>
</OpenSplice>
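Both the Lite and the OpenSplice config above rely on the same chain, PartitionMapping to NetworkPartition to SecurityProfile, and a topic only gets encrypted if every link in that chain resolves and both peers end up with the same cipher and key. The following checker is an added example (not code from PrismTech or from this post) that parses either file layout and reports broken links, partitions left without a profile, and topics whose cipher/key differ between a reader's and a writer's config. It assumes CipherKey is a hex string whose length must match the cipher (32 digits for aes128, 48 for aes192, 64 for aes256, and 32 for blowfish); those sizes are an assumption, not something the post states.

```python
"""Consistency check for a DDSI2E security configuration before deployment.

Added example, not code from PrismTech or the original post. Accepts either the
Vortex Lite root (<DDSI2E>) or an OpenSplice file containing <DDSI2EService>.
Assumption (not from the post): CipherKey is a hex string whose length must
match the cipher; blowfish is treated as a 128-bit key here.
"""
import xml.etree.ElementTree as ET

# Assumed required key sizes in hex digits (key bits / 4).
KEY_HEX_LEN = {"aes128": 32, "aes192": 48, "aes256": 64, "blowfish": 32}
HEX_DIGITS = set("0123456789abcdefABCDEF")

# Constructed sample: the Lite config from the post, with its demo keys.
LITE_CONFIG = """<DDSI2E>
  <Security>
    <SecurityProfile Cipher="aes128" CipherKey="ABCDEFABCDEFABCDABCDEFABCDEFABCD" Name="Security1"/>
    <SecurityProfile Cipher="aes128" CipherKey="ABCDEFABCDEFABCDABCDEFABCDEFABCF" Name="Security2"/>
  </Security>
  <Partitioning>
    <NetworkPartitions>
      <NetworkPartition Address="224.0.0.1" Name="part_1" SecurityProfile="Security1"/>
      <NetworkPartition Address="224.0.0.2" Name="part_2" SecurityProfile="Security2"/>
    </NetworkPartitions>
    <PartitionMappings>
      <PartitionMapping DCPSPartitionTopic="ping.RoundTrip" NetworkPartition="part_1"/>
      <PartitionMapping DCPSPartitionTopic="pong.RoundTrip" NetworkPartition="part_2"/>
    </PartitionMappings>
  </Partitioning>
</DDSI2E>"""

# Constructed sample with four deliberate mistakes: aes256 with a 128-bit key,
# part_2 without a profile, pong mapped to an undefined partition, part_2 unused.
BROKEN_CONFIG = """<DDSI2E>
  <Security><SecurityProfile Cipher="aes256" CipherKey="ABCDEFABCDEFABCDABCDEFABCDEFABCD" Name="Security1"/></Security>
  <Partitioning>
    <NetworkPartitions>
      <NetworkPartition Address="224.0.0.1" Name="part_1" SecurityProfile="Security1"/>
      <NetworkPartition Address="224.0.0.2" Name="part_2"/>
    </NetworkPartitions>
    <PartitionMappings>
      <PartitionMapping DCPSPartitionTopic="ping.RoundTrip" NetworkPartition="part_1"/>
      <PartitionMapping DCPSPartitionTopic="pong.RoundTrip" NetworkPartition="part_3"/>
    </PartitionMappings>
  </Partitioning>
</DDSI2E>"""


def _ddsi2e_section(xml_text):
    """Return the element holding <Security> and <Partitioning>, or None."""
    root = ET.fromstring(xml_text)
    return root if root.tag == "DDSI2E" else root.find("DDSI2EService")


def validate_ddsi2e_config(xml_text):
    """Return a list of problems; an empty list means the config is consistent."""
    section = _ddsi2e_section(xml_text)
    if section is None:
        return ["no <DDSI2E> or <DDSI2EService> element found"]
    problems, profiles, partitions, mapped = [], {}, {}, set()
    for p in section.iterfind("Security/SecurityProfile"):
        name, cipher, key = p.get("Name"), p.get("Cipher", "").lower(), p.get("CipherKey", "")
        profiles[name] = cipher
        if cipher not in KEY_HEX_LEN:
            problems.append(f"profile {name}: unknown cipher {cipher!r}")
        elif len(key) != KEY_HEX_LEN[cipher] or not set(key) <= HEX_DIGITS:
            problems.append(f"profile {name}: {cipher} needs a {KEY_HEX_LEN[cipher]}-hex-digit CipherKey")
    for n in section.iterfind("Partitioning/NetworkPartitions/NetworkPartition"):
        name, prof = n.get("Name"), n.get("SecurityProfile")
        partitions[name] = prof
        if prof is None:
            # A partition without a profile carries its topics unencrypted.
            problems.append(f"network partition {name}: no SecurityProfile, data would go out in cleartext")
        elif prof not in profiles:
            problems.append(f"network partition {name}: undefined SecurityProfile {prof!r}")
    for m in section.iterfind("Partitioning/PartitionMappings/PartitionMapping"):
        topic, part = m.get("DCPSPartitionTopic"), m.get("NetworkPartition")
        mapped.add(part)
        if part not in partitions:
            problems.append(f"mapping {topic}: undefined NetworkPartition {part!r}")
    for name in partitions:
        if name not in mapped:
            problems.append(f"network partition {name}: defined but no PartitionMapping uses it")
    return problems


def _topic_keys(xml_text):
    """Map each DCPSPartitionTopic to the (cipher, key) it ends up encrypted with."""
    section = _ddsi2e_section(xml_text)
    profiles = {p.get("Name"): (p.get("Cipher", "").lower(), p.get("CipherKey", "").upper())
                for p in section.iterfind("Security/SecurityProfile")}
    partitions = {n.get("Name"): n.get("SecurityProfile")
                  for n in section.iterfind("Partitioning/NetworkPartitions/NetworkPartition")}
    return {m.get("DCPSPartitionTopic"): profiles.get(partitions.get(m.get("NetworkPartition")))
            for m in section.iterfind("Partitioning/PartitionMappings/PartitionMapping")}


def peers_disagree_on(reader_xml, writer_xml):
    """Topics whose cipher/key differ between the two peers' configs (empty = they can talk)."""
    a, b = _topic_keys(reader_xml), _topic_keys(writer_xml)
    return sorted(t for t in set(a) | set(b) if a.get(t) != b.get(t))


if __name__ == "__main__":
    print(validate_ddsi2e_config(LITE_CONFIG))  # []
    for line in validate_ddsi2e_config(BROKEN_CONFIG):
        print("-", line)
    # Same file on both ends, but one digit of the Security2 key changed -> pong breaks.
    other = LITE_CONFIG.replace("ABCDEFABCDEFABCF", "ABCDEFABCDEFABC0")
    print(peers_disagree_on(LITE_CONFIG, other))  # ['pong.RoundTrip']
```

Run it against the reader's and the writer's copy of the XML before starting the applications; because the keys sit in cleartext in this file, the same check is also a convenient place to confirm the file is readable only by the account that runs the DDS service.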
2. Then restart ospl and the application, and that is all.
OpenSplice seems to be driven by a daemon, which is why shared memory has to be used:
the data is handed over IPC shared memory to the encrypting daemon for encryption and decryption, so unlike Lite the application code needs neither a different API nor a rebuild.
3. OpenSplice's DDSI security does not seem to interoperate with Lite...
(may need to ask PrismTech about this)
4. OpenSplice also offers another encryption option in RTNetworking (see ospl_shmem_secure_nativeRT.xml).
RTNetworking is PT's own UDP-based protocol and is distinct from DDSI.
Since only OpenSplice supports RTNetworking, with or without encryption, RTNetworking cannot be used if you need to interoperate with Lite.
E. Performance test
1. roundtrip
Currently, because ARM does not support DDS security, the test was run between a VM and an MXE200i; latency increases by 25~50 us.
2. throughput