Expose secure communication only with specified entities. #326

Open
fujitatomoya opened this issue Dec 4, 2024 · 3 comments
Labels
more-information-needed Further information is required

@fujitatomoya
Contributor

I do not think this is a bug for sros2; it is more like a question about practical configuration to support a 3rd party device with security enclaves.

System Information

Required Info:

  • Operating System:
    • ubuntu 22.04
  • Installation type:
    • binary / ros:humble container image
  • Version or commit hash:
    • N/A
  • DDS implementation:
    • rmw_fastrtps
  • Client library (if applicable):
    • N/A

Overview

image

Requirement

  • Only authorized devices can see the ROS 2 communication to/from the robot.
  • For performance considerations, it would be better to keep the localhost communication in the robot without secured authentication or encryption. (Basically, it uses localhost in the robot system, but some specific nodes are to be exposed.)
  • Only specific entities are exposed outside of the robot system, with access control.

@fujitatomoya
Contributor Author

IMO, once the node is bound to the security enclaves, it should be protected by the secured network, which means all the other nodes need to be bound to the security enclaves as well. Otherwise, they cannot discover the participant at all.

I can think of ROS 2 router; could https://docs.vulcanexus.org/en/latest/rst/tutorials/cloud/secure_router/secure_router.html be the solution for this? This is going to be an extra routing process to bridge localhost communication in the robot and secured communication outside of the robot. But I would like to get feedback from the community on how people are dealing with this kind of situation to support 3rd party devices with secured communication.

@fujitatomoya fujitatomoya changed the title Exposer secure communication only with specified entities. Expose secure communication only with specified entities. Dec 4, 2024
@ros-discourse

This issue has been mentioned on ROS Discourse. There might be relevant details there:

https://discourse.ros.org/t/expose-secure-communication-only-with-specified-entities/40957/1

@fujitatomoya fujitatomoya self-assigned this Dec 13, 2024
@fujitatomoya
Contributor Author

More technical discussion and experimental trial, eProsima/DDS-Router#484

@sloretz sloretz added the more-information-needed Further information is required label Dec 13, 2024