ROS2 Security

Compared with ROS, ROS2 takes more secure communication into consideration at the beginning of its design, which will be built upon the Data Distribution System (DDS) specified by OMG, and DDS defines security mechanisms in its DDS Security Spec. However, in ROS2, DDS is wrapped by a very thin (e.g. feature-lean) layer which does not necessarily allow the use of all DDS features. In addition, not all DDS implementations include the DDS security features. The default transport implementation wrapped in ROS2 is Fast RTPS, which does not implement the whole DDS specification but only the RTPS transport layer. This layer, however, does not specify any security by itself; is this supposed to be added by DDS “on-top”?

I saw there is SROS2 (https://github.com/ros2/sros2) which provides the tools and instructions to use ROS2 on top of DDS-Security, will it be the official branch to enable ROS2 security separately?

Anyway, what’s the current plan or target for ROS2 inherent security?

Please help clarify/share if anyone knows more details :slight_smile:, thanks!

2 Likes

Thanks for your interest in the security of ROS 2! We share your interest in this topic, and want ROS 2 security features to be available “from day one.”

In fact, as of very recently, Fast-RTPS now includes the Authentication and Encryption plugins of the DDS-Security standard:
http://docs.eprosima.com/en/latest/security.html
This version of Fast-RTPS is distributed with the Beta 2 version of ROS 2, which was released last month (June 2017).

We intend to support security features that can pass through the various adapter layers in ROS 2 and target both open-source middlewares (e.g., Fast-RTPS) as well as various proprietary middlewares (e.g., RTI Connext Secure) as our resources permit.

The work in the SROS 2 branches was merged into the “mainline” ROS 2 trees last month, just before the release of Beta 2.

Cheers!

2 Likes

Thank you for sharing. @codebot, could you please share more details regarding the following points:

For example, where to find more technical detail :smile:

As for SROS2, now that it’s merged into the ROS2 mainline, does this mean that the mainline is always enough to use the ROS2 security features from now into the future? Or will further development continue on SROS2 when necessary, with the work on SROS2 merged into the mainline at a certain ROS2 release milestone? Thank you!

Thanks for your interest in ROS 2 security!

The sros2 repository is mostly to provide tools to generate and manage security files more easily. The support for DDS-Security has been added within the core of ROS2 itself (you can find the set of changes on the various repositories on this issue). DDS-Security support is now a “core” feature of ROS 2 and will be developed and integrated following the same process as any other ROS 2 feature.
So ROS2 will always ship with DDS-Security support from now on.

Are you looking for details about DDS-Security itself? Or about how DDS-Security is wrapped in the ROS2 interface?

If the former, I think that the best resource is the DDS-Security specification provided by OMG. For details about specific implementations, refer to the vendor’s DDS-Security section here for Fast-RTPS, or through the RTI Portal for Connext (the information is not public AFAIK).

If the latter, the set of pull requests referenced in #339 will give context about how the security parameters are passed down the layers of the ROS2 stack. In brief, you can decide to create a secure node in ROS2 by simply defining environment variables; the user code itself is exactly the same.
The RCL layer will ensure that the directory to find the security files exists and pass it to the rmw_ layer. Each rmw implementation will use its own logic to find the specific files and configure the participant accordingly (see rmw_fastrtps_cpp and rmw_connext_cpp to see how it’s done for the 2 currently supported vendors). Once the participant is created with these settings, the DDS implementation will take care of performing the authentication / encryption / access control functions.

Hope this helps

1 Like
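
A pre-flight check for the environment-variable flow described in the last post, written as an added example that is not part of the thread or of the ROS 2 code base. It reports whether a node would start secured, start without security, or refuse to start. The variable names ROS_SECURITY_ENABLE, ROS_SECURITY_STRATEGY and ROS_SECURITY_ROOT_DIRECTORY, the `<root>/<node_name>` layout and the three file names are assumptions not stated in the thread; check them against your ROS 2 release.

```shell
#!/bin/sh
# Added example (not rcl/rmw code): pre-flight check for a node's security setup.
# Assumptions, not stated in the thread: the three variable names below, the
# per-node layout <root>/<node_name>, and the file names in SECURITY_FILES.
SECURITY_FILES="${SECURITY_FILES:-ca.cert.pem cert.pem key.pem}"

# Usage: security_preflight <node_name>
# Prints:  secured | disabled | unsecured-fallback | refused
# Returns: 0 = would start secured, 1 = would start WITHOUT security,
#          2 = would refuse to start (strict strategy, material missing).
security_preflight() {
    node="$1"
    root="${ROS_SECURITY_ROOT_DIRECTORY:-}"
    problems=""

    # Security is opt-in: anything other than "true" leaves it off.
    if [ "${ROS_SECURITY_ENABLE:-}" != "true" ]; then
        echo "disabled"
        return 1
    fi

    # Step 1: the directory check the post attributes to the RCL layer.
    if [ -z "$root" ] || [ ! -d "$root/$node" ]; then
        problems="missing directory: ${root:-<unset>}/$node;"
    else
        # Step 2: the per-file lookup the post attributes to each rmw layer.
        for f in $SECURITY_FILES; do
            [ -r "$root/$node/$f" ] || problems="$problems missing file: $f;"
        done
    fi

    if [ -z "$problems" ]; then
        echo "secured"
        return 0
    fi
    echo "preflight($node): $problems" >&2
    # Only the strict strategy turns missing material into a hard failure;
    # otherwise the node comes up as an ordinary, unauthenticated participant.
    if [ "${ROS_SECURITY_STRATEGY:-}" = "Enforce" ]; then
        echo "refused"
        return 2
    fi
    echo "unsecured-fallback"
    return 1
}
```

Run it in a launch wrapper or CI step before starting nodes and treat any non-zero status as a failure, so a typo in the root directory cannot leave a node running unauthenticated.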