Are there any plans for security or encryption?

[josephduchesne]

I'm wondering if there are any plans for security and/or encryption to be handled by this library and its protocols?

[BorjaOuterelo]

Hi @josephduchesne.

Currently, we are focusing our efforts on completing our coverage of the OMGs DDS-XRCE standard.
DDS-XRCE standard does not cover how to implement security neither encryption. However, it states that security could be provided at transport-level.

From the XRCE-DDS standard literally:

For applications requiring security there is the “Datagram Transport Layer Security” (DTLS) standard [DTLS] that
provides security in top of UDP/IP. Alternatively UDP may be deployed on a private network (VPN), which provides
security at the IP layer below UDP.

For applications requiring security there is the “Transport Layer Security (TLS)” standard [TLS] that provides security in
top of TCP/IP. Alternatively TCP/IP may be deployed on a private network (VPN), which provides security at the IP
layer below TCP.

Aside from the security and encryption, the standard covers the existence of an access control mechanism over the resources DDS-XRCE.

Do you have a use case for security and encryption?
If you want we can speak on possible steps in these directions.

[gavanderhoorn]

@BorjaOuterelo: has anything changed since you posted your comment?

[pablogs9]

Hello @gavanderhoorn, there are no plans for securitizing XRCE-DDS. By now the better option is to implements a custom transport over TLS.

[gavanderhoorn]

Wouldn't that also encrypt discovery traffic?

(note: this may be a stupid question)

[pablogs9]

In Micro XRCE-DDS you do not have discovery traffic unless discovery profile is enabled.

In this case, the client uses a multicast interface for discovering unicast locators of the agent and being able to connect to it. Usually, the discovery profile is not available for all platforms and transports. It also uses different transport layer.

Does your use case have the need for this discovery process?

[gavanderhoorn]

Does your use case have the need for this discovery process?

It might, yes. But at this point I'm only trying to understand how the various bits and pieces fit together.

[fujitatomoya]

@pablogs9 it has been a few years from previous comment, but no progress on security, right?

security means,

• Authentication, leaf devices / clients should be authenticated during creating the session to the agent.
• Cryptographic, encryption support between client and agent.

[pablogs9]

Hello, @fujitatomoya there have been no efforts in this way on our side.

AFAIK some users implemented some TLS transports using WolfSSL, but those have not been contributed to our repos.

[fujitatomoya]

@pablogs9

i am not sure if enabling security authentication and encryption on micro-xrce-dds would be the best thing, i would also consider that probably having the secured network like VPN underneath would be better for performance and agnostic from framework library.

but if micro-xrce-dds provides those security features, that would be also good option.

anyway, thank you very much for the quick reply!