DDS Security Does not work With Router DDS #534
Replies: 1 comment 1 reply
Hi @hugo-hernandez1, DDS security is a feature only supported by XML participants, so my suggestion is that you either choose TLS (WAN participant) or DDS security (XML participant) for the WAN channel. If going for the second option, you should then only provide the "profile" tag to XML participants, and you should also be removing the 'is_default_profile="true"' from your XML profiles. Note that this implies that both WAN settings (initial peers locators, listening locators, etc.) and Discovery Server ones would need to be added to your profiles together with the security configuration. You can find the relevant information in Fast-DDS documentation. Hope that helps.
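The configuration the reply describes, as an added example that is not part of this discussion or of eProsima's own files: a DDS Router YAML whose WAN side is an XML participant, with the Fast DDS profile carrying the WAN listening locator and the DDS Security properties and without `is_default_profile`. Participant and profile names, ports, addresses and certificate paths are assumed placeholders, the key and tag names follow the DDS Router and Fast DDS documentation as I know them and should be checked against the versions in use, and the Discovery Server client settings the reply mentions would go in the same `<builtin>` block but are omitted here.

```yaml
# DDS Router config, WAN-side participant of the Cluster 1 router (WAN TCP server) only;
# the cluster-local participant is declared the same way with its own XML profile.
xml:
  raw: |
    <?xml version="1.0" encoding="UTF-8"?>
    <dds xmlns="http://www.eprosima.com/XMLSchemas/fastRTPS_Profiles">
      <profiles>
        <transport_descriptors>
          <transport_descriptor>
            <transport_id>wan_tcp</transport_id>
            <type>TCPv4</type>
            <listening_ports><port>11800</port></listening_ports>
          </transport_descriptor>
        </transport_descriptors>
        <!-- No is_default_profile="true": the router selects this profile by name. -->
        <participant profile_name="secure_wan">
          <rtps>
            <useBuiltinTransports>false</useBuiltinTransports>
            <userTransports><transport_id>wan_tcp</transport_id></userTransports>
            <builtin>
              <!-- WAN listening locator; the Cluster 2 (TCP client) profile uses an
                   initialPeersList pointing at this address instead of listening_ports. -->
              <metatrafficUnicastLocatorList>
                <locator><tcpv4><address>WAN_IP_CLUSTER_1</address>
                  <physical_port>11800</physical_port><port>11800</port></tcpv4></locator>
              </metatrafficUnicastLocatorList>
            </builtin>
            <!-- Same builtin plugins as the end applications; governance/permissions are the
                 signed S/MIME versions of governance.xml and router_pub_permissions.xml. -->
            <propertiesPolicy>
              <properties>
                <property><name>dds.sec.auth.plugin</name><value>builtin.PKI-DH</value></property>
                <property><name>dds.sec.auth.builtin.PKI-DH.identity_ca</name><value>file:///certs/ca.pem</value></property>
                <property><name>dds.sec.auth.builtin.PKI-DH.identity_certificate</name><value>file:///certs/router_pub.pem</value></property>
                <property><name>dds.sec.auth.builtin.PKI-DH.private_key</name><value>file:///certs/router_pub_key.pem</value></property>
                <property><name>dds.sec.access.plugin</name><value>builtin.Access-Permissions</value></property>
                <property><name>dds.sec.access.builtin.Access-Permissions.permissions_ca</name><value>file:///certs/ca.pem</value></property>
                <property><name>dds.sec.access.builtin.Access-Permissions.governance</name><value>file:///certs/governance.smime</value></property>
                <property><name>dds.sec.access.builtin.Access-Permissions.permissions</name><value>file:///certs/router_pub_permissions.smime</value></property>
                <property><name>dds.sec.crypto.plugin</name><value>builtin.AES-GCM-GMAC</value></property>
              </properties>
            </propertiesPolicy>
          </rtps>
        </participant>
      </profiles>
    </dds>
participants:
  - name: WanParticipant
    kind: xml
    profile: secure_wan   # the "profile" tag is only given to kind: xml participants
```

The router participant needs its own identity certificate and a permissions grant that the remote side's governance and permissions accept, otherwise the remote Discovery Server or router will still reject its handshake.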
Description
Hi eProsima team,
I am deploying a multi-cluster architecture using DDS Router to bridge two completely independent Kubernetes clusters over a WAN link. The communication uses a TCP tunnel with TLS.
Everything works perfectly when DDS Security is disabled. However, when I enable DDS Security, the discovery process fails across the WAN link, even though local discovery within each cluster works fine.
Expected behavior
When DDS Security is enabled, the DDS Router should forward/relay the encrypted discovery traffic across the TCP WAN link so that the Publisher in Cluster A can discover the Subscriber in Cluster B.
Actual behavior
Without DDS Security: Perfect communication. TLS WAN tunnel connects, discovery propagates, and data flows.
With DDS Security: Local pods discover each other, but cross-cluster discovery fails. The Publisher and Subscriber never match.
I analyzed the traffic and noticed that the DDS Router is NOT sending its security profile/handshake over the WAN connection. The WAN participant of the router seems to present itself as "non-secure", causing the remote Discovery Server/Router to ignore or reject the connection based on the Governance rules.
Steps to reproduce
Deploy Cluster 1 (PUB1) with a local Discovery Server, a Publisher, and a DDS Router (DS Client + WAN TCP Server).
Deploy Cluster 2 (MID) with a local Discovery Server, a Subscriber, and a DDS Router (DS Client + WAN TCP Client).
Enable DDS Security (PKI-DH, Access-Permissions, AES-GCM-GMAC) on all entities.
Environment:
OS: Ubuntu / Kubernetes
DDS Router version: v3.0.0 (using docker image hhlh1/ubuntu-fastdds-suite:v3.2.2-secure).
Fast DDS version: 3.0.2 (used by publishers and subscribers and the previous docker image) and version 3.2.2 (for discovery server and through hhlh1/ubuntu-fastdds:v3.2.2).
Attached Files
I have attached the configuration files used for this setup (the YAML/XML, Governance, and Permissions).
Pub1 files
dds-apps-split-hello-world-publisher.yaml
dds-router-pub.yaml
dds-discovery-server-pub.yaml
router_pub_permissions.xml
publisher_permissions.xml
Mid files
dds-apps-split-hello-world-subscriber.yaml
dds-router-mid.yaml
dds-discovery-server-sub.yaml
router_mid_permissions.xml
subscriber_permissions.xml
Common files
governance.xml
server_permissions.xml