search

eProsima / Micro-XRCE-DDS

An XRCE DDS implementation. Looking for commercial support? Contact info@eprosima.com
Apache License 2.0
158 stars 15 forks source link

Are there any plans for security or encryption? #24

Open josephduchesne opened 5 years ago

josephduchesne commented 5 years ago

I'm wondering if there are any plans for security and/or encryption to be handled by this library and its protocols?

BorjaOuterelo commented 5 years ago

Hi @josephduchesne.

Currently, we are focusing our efforts on completing our coverage of the OMGs DDS-XRCE standard. DDS-XRCE standard does not cover how to implement security neither encryption. However, it states that security could be provided at transport-level.

From the XRCE-DDS standard literally:

For applications requiring security there is the “Datagram Transport Layer Security” (DTLS) standard [DTLS] that provides security in top of UDP/IP. Alternatively UDP may be deployed on a private network (VPN), which provides security at the IP layer below UDP.

For applications requiring security there is the “Transport Layer Security (TLS)” standard [TLS] that provides security in top of TCP/IP. Alternatively TCP/IP may be deployed on a private network (VPN), which provides security at the IP layer below TCP.

Aside from the security and encryption, the standard covers the existence of an access control mechanism over the resources DDS-XRCE.

Do you have a use case for security and encryption? If you want we can speak on possible steps in these directions.

gavanderhoorn commented 3 years ago

@BorjaOuterelo: has anything changed since you posted your comment?

pablogs9 commented 3 years ago

Hello @gavanderhoorn, there are no plans for securitizing XRCE-DDS. By now the better option is to implements a custom transport over TLS.

gavanderhoorn commented 3 years ago

Wouldn't that also encrypt discovery traffic?

(note: this may be a stupid question)

pablogs9 commented 3 years ago

In Micro XRCE-DDS you do not have discovery traffic unless discovery profile is enabled.

In this case, the client uses a multicast interface for discovering unicast locators of the agent and being able to connect to it. Usually, the discovery profile is not available for all platforms and transports. It also uses different transport layer.

Does your use case have the need for this discovery process?

gavanderhoorn commented 3 years ago

Does your use case have the need for this discovery process?

It might, yes. But at this point I'm only trying to understand how the various bits and pieces fit together.

fujitatomoya commented 7 months ago

@pablogs9 it has been a few years from previous comment, but no progress on security, right?

security means,

pablogs9 commented 7 months ago

Hello, @fujitatomoya there have been no efforts in this way on our side.

AFAIK some users implemented some TLS transports using WolfSSL, but those have not been contributed to our repos.

fujitatomoya commented 7 months ago

@pablogs9

i am not sure if enabling security authentication and encryption on micro-xrce-dds would be the best thing, i would also consider that probably having the secured network like VPN underneath would be better for performance and agnostic from framework library.

but if micro-xrce-dds provides those security features, that would be also good option.

anyway, thank you very much for the quick reply!