Expose secure communication only with specified entities.

[fujitatomoya]

I do not think this is a bug for sros2, more like a question about practical configuration to support 3rd party device with security enclaves.

System Information

Required Info:

• Operating System:
  • ubuntu 22.04
• Installation type:
  • binary / ros:humble container image
• Version or commit hash:
  • N/A
• DDS implementation:
  • rmw_fastrtps
• Client library (if applicable):
  • N/A

Overview

Requirement

• Only authorized device can see the ROS 2 communication to/from robot.
• For performance consideration, it would be better to keep the localhost communication in robot without secured authentication nor encryption. (basically it uses localhost in robot system, but some specific nodes to be exposed.)
• Only specific entities are exposed to outside of robot system with access control.

[fujitatomoya]

IMO, once the node is bound to the security enclaves, that should be protected by secured network, that means it requires all the other nodes need to be bound to the security enclaves as well. otherwise, they cannot discover the participant at all.

i can think of ROS 2 router, https://docs.vulcanexus.org/en/latest/rst/tutorials/cloud/secure_router/secure_router.html could be the solution for this? this is gonna be extra routing process to bridge localhost communication in the robot and secured communication outside of the robot. but i would like to get feedback from community how people are doing with this kind of situation to support 3rd party device with secured communication.

[ros-discourse]

This issue has been mentioned on ROS Discourse. There might be relevant details there:

https://discourse.ros.org/t/expose-secure-communication-only-with-specified-entities/40957/1

[fujitatomoya]

More technical discussion and experimental trial, eProsima/DDS-Router#484

[fujitatomoya]

i also considered https://eprosima-dds-router.readthedocs.io/en/latest/rst/user_manual/wan_configuration.html,

this WAN configuration is meant to be used for NAT traversal use case, i.g connecting ROS 2 or DDS sites via DDS router in TLS security. our use case is in the same LAN, so that is not best practice to use this configuration...

i think there could be a few downsides for this use case,

• User operational burden: ROS 2 user must set up the DDS Router with provided security data to set up TLS before any ROS 2 development.
• Performance overhead can be expected between 2 router proxies. The major use cases would be topic to be subscribed on user's development PC so that user can see the sensing data or so on, that expects there would be large data payload to be published and subscribed via routers. with certain amount of data size such as images or video streams, this will not be good user experience.