18.7. Security Frequently Asked Questions
What security plugins does Fast DDS offer for secure communication?
Fast DDS offers five built-in security plugins as part of the DDS Security specification:
the Authentication plugin (DDS:Auth:PKI-DH) provides mutual authentication between DomainParticipants using a trusted Certificate Authority (CA);
the Access Control plugin (DDS:Access:Permissions) enforces permissions for protected operations;
the Cryptographic plugin (DDS:Crypto:AES-GCM-GMAC) ensures authenticated encryption and data integrity using AES in Galois Counter Mode (AES-GCM);
the Logging plugin (DDS:Logging:DDS_LogTopic) logs security-related events.
For further information, refer to Security.
Is the security support configured by default?
No. It must be activated using -DSECURITY=ON at the CMake configuration step.
For further information, refer to Security.
18.7.1. Authentication
What is the purpose of authentication?
When a DomainParticipant is either locally created or discovered, it needs to be authenticated in order to be able to communicate in a DDS Domain.
For further information, refer to Authentication plugin: DDS:Auth:PKI-DH.
What happens if the authentication fails?
The remote DomainParticipant is rejected; therefore, communication cannot take place in the DDS Domain for this DomainParticipant.
For further information, refer to Authentication plugin: DDS:Auth:PKI-DH.
How is the DDS:Auth:PKI-DH authentication plugin activated?
By setting the property dds.sec.auth.plugin, through properties(), to the value builtin.PKI-DH.
For further information, refer to Authentication plugin: DDS:Auth:PKI-DH.
18.7.2. Access control
What is the purpose of access control?
Access control provides the mechanisms and operations required to validate the DomainParticipant permissions and define access rights over a resource.
For further information, refer to Access control plugin: DDS:Access:Permissions.
Can a DomainParticipant match with a remote DomainParticipant without authentication?
Yes. This is controlled by the <allow_unauthenticated_participants> XML element.
When it is set to true, the DomainParticipant can match other DomainParticipants without authentication.
For further information, refer to Allow Unauthenticated Participants.
Can the secure channel of the endpoint discovery phase be encrypted?
Yes, if the <discovery_protection_kind> XML element is set to ENCRYPT.
This is also applicable for Liveliness and RTPS.
For further information, refer to Access control plugin: DDS:Access:Permissions.
How is the access to topics managed?
By applying topic rules to any DataReader or DataWriter associated with a topic that matches the Topic expression name.
For further information, refer to Topic Rule.
18.7.3. Data encryption
What is the function of the cryptographic plugin in the context of DDS?
The cryptographic plugin provides the tools and operations required to support encryption and decryption, digests computation, message authentication codes computation and verification, key generation, and key exchange for DomainParticipants, DataWriters, and DataReaders.
For further information, refer to Cryptographic plugin: DDS:Crypto:AES-GCM-GMAC.
How is the DDS:Crypto:AES-GCM-GMAC plugin activated?
By setting the property dds.sec.crypto.plugin, through properties(), to the value builtin.AES-GCM-GMAC.
Moreover, this plugin needs the activation of the Authentication plugin (DDS:Auth:PKI-DH) and the Access control plugin (DDS:Access:Permissions).
For further information, refer to Cryptographic plugin: DDS:Crypto:AES-GCM-GMAC.
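An added example, not part of the Fast DDS documentation or code base: a small Python check that reads a participant XML profile and an unsigned governance document and reports the settings covered in the authentication, access control and data encryption answers above. It assumes the plugins are given as <property> name/value pairs in the profile and that dds.sec.access.plugin is the access control property; both XML samples are constructed.

```python
import xml.etree.ElementTree as ET

# Names and values come from this FAQ, except dds.sec.access.plugin, the
# Fast DDS property for the access control plugin (not spelled out on this page).
AUTH, ACCESS, CRYPTO = "dds.sec.auth.plugin", "dds.sec.access.plugin", "dds.sec.crypto.plugin"
KINDS = ("discovery_protection_kind", "liveliness_protection_kind", "rtps_protection_kind")

def children(el):
    """Map each child tag (namespace stripped) to its trimmed text."""
    return {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}

def elements(xml_text, name):
    """Yield every element called `name`, whether or not the file uses an xmlns."""
    return (e for e in ET.fromstring(xml_text).iter() if e.tag.rsplit("}", 1)[-1] == name)

def audit(profile_xml, governance_xml):
    """Return findings for a participant profile and an unsigned governance document."""
    props = {kv.get("name"): kv.get("value")
             for kv in map(children, elements(profile_xml, "property"))}
    findings = []
    if props.get(AUTH) != "builtin.PKI-DH":
        findings.append("authentication plugin not activated")
    if props.get(CRYPTO) != "builtin.AES-GCM-GMAC":
        findings.append("cryptographic plugin not activated")
    elif props.get(AUTH) != "builtin.PKI-DH" or ACCESS not in props:
        findings.append("cryptographic plugin set without authentication and access control")
    for rule in elements(governance_xml, "domain_rule"):
        cfg = children(rule)
        if cfg.get("allow_unauthenticated_participants", "").lower() in ("true", "1"):
            findings.append("unauthenticated participants allowed")
        for kind in KINDS:
            if not cfg.get(kind, "").startswith("ENCRYPT"):
                findings.append(f"{kind} is {cfg.get(kind) or 'unset'}, not ENCRYPT")
    return findings

# Constructed sample input: crypto enabled, access control forgotten, weak governance.
SAMPLE_PROFILE = """<profiles xmlns="http://www.eprosima.com"><participant profile_name="p"><rtps>
<propertiesPolicy><properties>
<property><name>dds.sec.auth.plugin</name><value>builtin.PKI-DH</value></property>
<property><name>dds.sec.crypto.plugin</name><value>builtin.AES-GCM-GMAC</value></property>
</properties></propertiesPolicy></rtps></participant></profiles>"""
SAMPLE_GOVERNANCE = """<dds><domain_access_rules><domain_rule>
<allow_unauthenticated_participants>true</allow_unauthenticated_participants>
<discovery_protection_kind>ENCRYPT</discovery_protection_kind>
<liveliness_protection_kind>SIGN</liveliness_protection_kind>
<rtps_protection_kind>NONE</rtps_protection_kind>
</domain_rule></domain_access_rules></dds>"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PROFILE, SAMPLE_GOVERNANCE)))
```

Run it on the governance XML before it is signed; whether a SIGN or NONE protection kind is acceptable is a deployment policy decision, and the check only reports it.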
18.7.4. Logging
What is the function of the logging plugin in Fast DDS?
The logging plugin provides the necessary operations to log the security events triggered by the other security plugins supported by Fast DDS.
For further information, refer to Logging plugin: DDS:Logging:DDS_LogTopic.
How is the DDS:Logging:DDS_LogTopic plugin activated?
By setting the property dds.sec.log.plugin, through properties(), to the value builtin.DDS_LogTopic.
For further information, refer to Logging plugin: DDS:Logging:DDS_LogTopic.