18.7. Security Frequently Asked Questions

What security plugins does Fast DDS offer for secure communication?


Fast DDS offers five built-in security plugins as part of the DDS Security specification: the Authentication plugin (Authentication plugin: DDS:Auth:PKI-DH) provides authentication between DomainParticipants using a trusted Certificate Authority (CA) and mutual authentication; the Access Control plugin (Access control plugin: DDS:Access:Permissions) enforces permissions for protected operations; the Cryptographic plugin (Cryptographic plugin: DDS:Crypto:AES-GCM-GMAC) ensures authenticated encryption and data integrity using AES in Galois Counter Mode (AES-GCM); the Logging plugin (Logging plugin: DDS:Logging:DDS_LogTopic) logs security-related events. For further information, refer to Security.


Is the security support configured by default?


No. It must be activated using -DSECURITY=ON at the CMake configuration step. For further information, refer to Security.


18.7.1. Authentication

What is the purpose of authentication?


When a DomainParticipant is either locally created or discovered, it needs to be authenticated in order to be able to communicate in a DDS Domain. For further information, refer to Authentication plugin: DDS:Auth:PKI-DH.


What happens if the authentication fails?


The remote DomainParticipant is rejected, therefore communication cannot take place in the DDS Domain for this DomainParticipant. For further information, refer to Authentication plugin: DDS:Auth:PKI-DH.


How is the DDS:Auth:PKI-DH authentication plugin activated?


By setting the properties() dds.sec.auth.plugin with the value`` builtin.PKI-DH. For further information, refer to Authentication plugin: DDS:Auth:PKI-DH.


What is the process for generating and managing security certificates for the Authentication plugin?


The process for generating and managing security certificates for the Authentication plugin involves creating and managing X.509 certificates. First, since multiple certificates will need to be issued, one for each of the DomainParticipants, a dedicated CA is set up, and the CA’s certificate is installed as the root key of all DomainParticipants. Thus, the DomainParticipants will accept all certificates issued by our own CA. To create a proprietary CA certificate, a configuration file must first be written with the CA information. After writing the configuration file, the certificate is generates using the Elliptic Curve Digital Signature Algorithm (ECDSA). As was done for the CA, a DomainParticipant certificate configuration file needs to be created first. After writing the DomainParticipant certificate configuration file, the X.509 certificate is generated using ECDSA, for a DomainParticipant. Finally, the CRL is created. This is a list of the X.509 certificates revoked by the certificate issuing CA before they reach their expiration date. Any certificate that is on this list will no longer be trusted. For further information, refer to Generation of X.509 certificates.


18.7.2. Access control

What is the purpose of access control?


Provides the mechanisms and operations required to validate the DomainParticipant permissions and define access rights over a resource. For further information, refer to Access control plugin: DDS:Access:Permissions.


How is the DDS:Access:Permissions authentication plugin activated?


By setting the properties() dds.sec.access.plugin with the value builtin.Access-Permissions. For further information, refer to Access control plugin: DDS:Access:Permissions.


Can a DomainParticipant match with a remote DomainParticipant without authentication?


Yes. This can be delimited by the <allow_unauthenticated_participants> XML element tag. When it is set to true, the DomainParticipant can match other DomainParticipants without authentication. For further information, refer to Allow Unauthenticated Participants.


Can the secure channel of the endpoint discovery phase be encrypted?


Yes, if the <discovery_protection_kind> XML element is set to ENCRYPT. This is also applicable for Liveliness and RTPS. For further information, refer to Access control plugin: DDS:Access:Permissions.


How is the access to topics managed?


By applying topic rules to any DataReader or DataWriter associated with a topic that matches the Topic expression name. For further information, refer to Topic Rule.


What is the purpose of a DomainParticipant Permissions Document in the DDS:Auth:PKI-DH plugin?


The permissions document is an XML file that contains the permissions of a DomainParticipant and binds them to the DomainParticipant distinguished name defined in the DDS:Auth:PKI-DH plugin. For further information, refer to DomainParticipant Permissions Document.


What are the main components of a DomainParticipant Permissions document in DDS?


There are several sections. Grant Section, delimited by the <grant> XML element tag, including the subject name, validity, and rules. Domains sections, delimited by the XML element <domains>, identifying the collection of DDS Domains to which the rule applies. Allowed/Denied Actions sections for publishing, subscribing, relaying, topics, and partitions. For further information, refer to DomainParticipant Permissions Document.


18.7.3. Data encryption

What is the function of the cryptographic plugin in the context of DDS?


The cryptographic plugin provides the tools and operations required to support encryption and decryption, digests computation, message authentication codes computation and verification, key generation, and key exchange for DomainParticipants, DataWriters, and DataReaders. For further information, refer to Cryptographic plugin: DDS:Crypto:AES-GCM-GMAC.


How is the DDS:Crypto:AES-GCM-GMAC authentication plugin activated?


By setting the properties() dds.sec.crypto.plugin with the value builtin.AES-GCM-GMAC. Moreover, this plugin needs the activation of the Authentication plugin: DDS:Auth:PKI-DH and the DDS:Access:Permissions. For further information, refer to Cryptographic plugin: DDS:Crypto:AES-GCM-GMAC.


18.7.4. Logging

What is the function of the logging plugin in Fast DDS?


The logging plugin provides the necessary operations to log the security events triggered by the other security plugins supported by Fast DDS. For further information, refer to Logging plugin: DDS:Logging:DDS_LogTopic.


How is the DDS:Logging:DDS_LogTopic authentication plugin activated?


By setting the properties() dds.sec.log.plugin with the value builtin.DDS_LogTopic. For further information, refer to Logging plugin: DDS:Logging:DDS_LogTopic.