Secure DDS interoperability | Connection issues with RTI Connext [3539] #250
Comments
Hi ruffsl, We know about these secure connectivity issues. The Security spec has evolved from the very first release, and we need to slightly update our implementation and run a set of interoperability tests to ensure compatibility. This is planned for this year. |
Hi @ruffsl , As an update, we finished today the update to the latest security spec, and we will run the DDS Security interoperability tests next week. |
It's nice to see that #275 has now landed; however, I was trying out interoperability with a fresh source build, and I still can't get the two RMW implementations to communicate. Are there some new changes that need to be done to rmw_fastrtps prior? Here is a dockerized example you can use to test out interoperability. Just swap out the install to instead build from source, using https://raw.githubusercontent.com/ros2/ros2/master/ros2.repos |
Hi @ruffsl #275 has landed on develop. We are merging into master through #304 and applying some changes to rmw_fastrtps on ros2/rmw_fastrtps#233 We still have some cmake related issues to be solved in order for the new release to work with ROS2. When those are solved we will report back here. |
@MiguelCompany , thanks for the correction, before I was attempting to use the wrong branches. I've since tested interoperability again using #304 and ros2/rmw_fastrtps#233. All builds fine, but when I use
Looking with the debugger, I see these error messages are originating from: |
@ruffsl It seems you are using the only case that the official tests don't cover: full RTPS message protection without encryption (authentication only). I will address this today but, in the meantime, could you try with another protection kind? |
@MiguelCompany , I tried changing

```xml
<?xml version="1.0" encoding="utf-8"?>
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id>0</id>
      </domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>true</enable_join_access_control>
      <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
      <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
      <rtps_protection_kind>ENCRYPT</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>true</enable_discovery_protection>
          <enable_liveliness_protection>true</enable_liveliness_protection>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
|
Now I'm getting a number of errors using only
Update: well, I can't reproduce the errors above from a clean docker image, but even with a fresh docker image Connext and Fast-RTPS still don't seem interoperable via secure DDS. I modified a branch to build the entire stack from source and launch an interoperable example via docker-compose. See the README for details. https://github.com/ruffsl/ros2_docker_demos/tree/fastrtps-1.7.0/sros2 |
Hi @ruffsl We have fixed a few things and release 1.7 is ready to be merged. The errors shown in your last comment have been fixed, and I have checked direct communication with Connext. Please test on your side. |
Latest attempt using the gist from the CI tested here,
[1]
[2]
|
@MiguelCompany , using the latest pull from the PR above, I'm still experiencing the same issues: mainly FastRTPS can publish and subscribe to FastRTPS and Connext, but Connext can still not subscribe to FastRTPS one-on-one. No errors or warnings, just silence from Connext subscribers printing to stdout. However, upon starting a FastRTPS subscriber to join an existing Connext publisher and subscriber, Connext will output the following to stdout:
governance.xml used:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id>0</id>
      </domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>true</enable_join_access_control>
      <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
      <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>true</enable_discovery_protection>
          <enable_liveliness_protection>true</enable_liveliness_protection>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```
|
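The two governance files pasted in this thread differ only in `rtps_protection_kind` (ENCRYPT versus SIGN), and the maintainer notes above that the SIGN-only case is the one the official interoperability tests did not cover. The following audit script is an added example, not code from the issue, Fast-RTPS or Connext: it parses a governance document with the standard library and reports the settings a reviewer would want to notice before debugging an interop failure (unauthenticated participants allowed, any NONE protection kind, and authentication-only RTPS protection). The embedded sample is a constructed copy of the SIGN governance file above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the governance.xml from this thread with rtps_protection_kind SIGN.
SAMPLE_GOVERNANCE = """<?xml version="1.0" encoding="UTF-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <domain_access_rules>
    <domain_rule>
      <domains><id>0</id></domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>true</enable_join_access_control>
      <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
      <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>"""

DOMAIN_KINDS = ("discovery_protection_kind", "liveliness_protection_kind", "rtps_protection_kind")
TOPIC_KINDS = ("metadata_protection_kind", "data_protection_kind")
SIGN_ONLY_NOTE = "rtps_protection_kind SIGN: authentication only, the case flagged in this thread"


def audit_governance(xml_text):
    """Return (scope, finding) pairs for every domain_rule/topic_rule in a governance doc."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("domain_rule"):
        scope = "domain(s) " + ",".join(d.text.strip() for d in rule.iter("id"))
        if rule.findtext("allow_unauthenticated_participants", "false").strip().lower() == "true":
            findings.append((scope, "unauthenticated participants allowed"))
        for tag in DOMAIN_KINDS:            # a missing element is treated as NONE
            kind = (rule.findtext(tag) or "NONE").strip()
            if kind == "NONE":
                findings.append((scope, f"{tag} is NONE"))
            elif tag == "rtps_protection_kind" and kind == "SIGN":
                findings.append((scope, SIGN_ONLY_NOTE))
        for trule in rule.iter("topic_rule"):
            tscope = f"{scope} topic {(trule.findtext('topic_expression') or '?').strip()}"
            for tag in TOPIC_KINDS:
                if (trule.findtext(tag) or "NONE").strip() == "NONE":
                    findings.append((tscope, f"{tag} is NONE"))
    return findings
```

Running `audit_governance` on each vendor's copy of the governance file before a test makes a silent mismatch such as SIGN versus ENCRYPT visible without attaching a debugger.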
@ruffsl Could you please also share the permissions files being used? |
See example keystore here: https://github.com/ruffsl/keymint_ws/tree/master/install |
I've repeated the previous test with the latest ros2 master branches, as of writing. When a FastRTP listener connects to a Connext talker, Connext prints out some warnings during the handshake, although the subscription overall is successful:
However, when a FastRTP talker joins in with a Connext talker and listener, both the Connext talker and listener print errors that the security handshake has failed, and the Connext listener does not subscribe to the FastRTP talker at all. The error message sequence from the Connext talker:
And the error message sequence from the Connext listener:
|
What is the status of this issue?
I can still send and receive the message, and vice versa, like @MiguelCompany. Does that mean that you have already solved this interoperability issue with connext? |
@Yingliangzhe Thanks for testing. I do think this should have been solved. But I would like @ruffsl to confirm and to close this issue if he thinks everything is ok now. |
I haven't looked at it too closely yet, but when using the exact same security files, I'm not able to get Fast-RTPS and Connext to talk to each other using the default security plugins provided by each vendor. Thus SROS2 users are limited in not being able to mix with other rmw implementations at runtime.
To isolate this issue from SROS2, I went and modified the eProsima ShapesDemo to use the same files like so: ruffsl/ShapesDemo@176c79c
Example files:
https://github.com/ros2/system_tests/tree/0bd47e8892a450ffb293eac7a89e30499fc35a88/test_security/test/test_security_files/publisher
Across eProsima ShapesDemo instances, it all works fine, but between Fast-RTPS and Connext, neither ever connect to each other's shape topics, even though they connect fine when security is disabled.