Implementation of online arbiter in SROS/SROS2

I am very interested in the proposal of adding access control policy into ROS on the SROS website. In particular, I find the “online arbiter” concept quite interesting and would like to research more on it. I am wondering if the online arbiter has been implemented in the current SROS/SROS2 code base. I looked at the ros_comm repo (sros branch) before but could not find relevant code pieces for the implementation of online arbiter. If not yet, is there any plan to implement an online arbiter in SROS/SROS2?

Please help clarify/share if any guy know more details :slight_smile: . Thanks!

Cross post ROS2 Security which could be helpful:

… sros2 repository is mostly to provide tools to generate and manage security files more easily. The support for DDS-Security has been added within the core of ROS2 itself …

1 Like

Thanks @hongkedavid for your interest in ROS/ROS2 and security.

There is no plan to implement an online arbiter in ROS 2 at the moment. As ROS 2 is focused on decentralized communication, there is no ROS master anymore and all the policy evaluation and authorization is done directly between nodes. Adding a central component that knows all the policies of the system, override node access control policy resolution and that can modify them at runtime would be both challenging to implement in DDS and have several severe drawbacks that don’t play well with a secure distributed system:

  • Introduce a single point of failure as taking it down would prevent communication if the arbiter approval is required to establish communication
  • Store all the policy information of the system in a single place rather than distribute it
  • Force every node to establish additional communication channels and adds network overhead to communicate with the arbiter.

Regarding SROS: I don’t think any work has been done in that direction. Currently the sros master enforces the policies defined in the certificates.

Hope this helps,

I see. Thanks very much for your information! That really helps answer my question.