[ros-users] [Discourse.ros.org] [Next Generation ROS] DDS Security Specification

Morgan Quigley ros.discourse at gmail.com
Fri Dec 23 19:56:06 UTC 2016




Hi Steve,

Thanks for the question! And yes! Security of great interest to many of us. We are actively iterating with some ideas for how to integrate ROS 2 with DDS-Security. Everything is very much under construction at the moment, of course, but there are a few "sros2" branches that are getting closer to being a usable prototype.

We have been trying to put all of the security-related stuff in the `rcl` or lower layers. The goal is that the higher layers (i.e. the vast majority of code) won't need any changes, since at least in theory, the security features are implemented by the middlewares and shouldn't clutter up the application code which is only dealing with highly abstracted views of middleware. At the moment, you can set an environment variable called `ROS_SECURITY_ROOT` before running ROS 2 nodes, to point to a path in your filesystem where it can find the necessary piles of keys and configuration files for DDS-Security to do its thing.

At the moment the prototype only works with RTI Connext Secure, but we are taking pains to implement this in `rcl` in a way that could (in theory) be applied to any middleware, DDS or not, and certainly any vendor of DDS-Security, since it's really just passing a path from the filesystem down, and the `rmw` implementation do whatever it wants, ideally following a simple set of conventions for how to contruct filenames from that path so that, for example, DDS-Security governance and permissions files can be used by more than one vendor.

We are assembling our prototype in the 'sros2' repo in the ROS 2 organization:

https://github.com/ros2/sros2

It includes a vcs repos file to check out of a bunch of sros2 branches. We're currently working on a few python scripts to make it easier to generate all of the certificates/keys and DDS-Security configuration files, and distribute them using ssh/scp. It's not polished yet, but I expect it will get there in a week or two.

I'll let the eProsima folks chime in, if they want to describe their plans for DDS-Security in FastRTPS.

Cheers!






---
[Visit Topic](https://discourse.ros.org/t/dds-security-specification/1015/2) or reply to this email to respond.




More information about the ros-users mailing list