The DDS Security specification includes five security builtin plugins.
Authentication plugin: DDS:Auth:PKI-DH. This plugin provides authentication for each DomainParticipant joining a DDS Domain using a trusted Certificate Authority (CA). Support mutual authentication between DomainParticipants and establish a shared secret.
Access Control plugin: DDS:Access:Permissions. This plugin provides access control to DomainParticipants which perform protected operations.
Cryptographic plugin: DDS:Crypto:AES-GCM-GMAC. This plugin provides authenticated encryption using Advanced Encryption Standard (AES) in Galois Counter Mode (AES-GCM).
Logging plugin: DDS:Logging:DDS_LogTopic. This plugin logs security events.
Data Tagging: DDS:Tagging:DDS_Discovery. This plugin enables the addition of security labels to the data. Thus it is possible to specify classification levels of the data. In the DDS context it can be used as a complement to access control, creating an access control based on data tagging; for message prioritization; and to prevent its use by the middleware to be used instead by the application or service.
Currently the DDS:Tagging:DDS_Discovery plugin is not implemented in Fast DDS. Its implementation is expected for future release of Fast DDS.
In compliance with the DDS Security specification, Fast DDS provides secure communication by implementing pluggable security at three levels: a) DomainParticipants authentication (DDS:Auth:PKI-DH), b) access control of Entities (DDS:Access:Permissions), and c) data encryption (DDS:Crypto:AES-GCM-GMAC). Furthermore, for the monitoring of the security plugins and logging relevant events, Fast DDS implements the logging plugin (DDS:Logging:DDS_LogTopic).
By default, Fast DDS does not compile any security support, but it can be activated adding
-DSECURITY=ON at CMake
For more information about Fast DDS compilation, see Linux installation from sources and Windows installation from sources.
For the full understanding of this documentation it is required the user to have basic knowledge of network security since terms like Certificate Authority (CA), Public Key Infrastructure (PKI), and Diffie-Hellman encryption protocol are not explained in detail. However, it is possible to configure basic system security settings, i.e. authentication, access control and encryption, to Fast DDS without this knowledge.
The following sections describe how to configure each of these properties to set up the Fast DDS security plugins.
- 8.1. Authentication plugin: DDS:Auth:PKI-DH
- 8.2. Access control plugin: DDS:Access:Permissions
- 8.3. Cryptographic plugin: DDS:Crypto:AES-GCM-GMAC
- 8.4. Logging plugin: DDS:Logging:DDS_LogTopic
- 8.5. PKCS#11 support