From YouTube: ROS 2 Security Working Group (09 Nov 2021)
A
B
A
D
A
A
All right, next item: we have David Anthony, who reached out on the Matrix security working group room, and he wanted to.
A
E
See what else. All right, I, I do have a, yeah. So, first of all, thanks for having me, and I, I appreciate you, since I haven't been really involved with the group, letting me kind of jump in and make a fool of myself. So let me see if I can share a screen. So, oh.
E
I'll kind of preface this with: I'm not really a security expert, so a lot of what I. So if there are things I'm just missing, I will be happy to just admit that I don't know enough about ROS to properly secure it. But basically, I hope everyone can see my screen.
E
Basically, what I've been working on is, I've been porting a, been part of a team that's supporting a large ROS 1 code base ii. It's targeting multiple ground platforms. It is an enormous legacy application that's been developed for a long time, and it's still under active development and experimentation. So it's not really a, you know, like, product yet; it's, it's still very much in flux, with new capabilities getting added to it for the US government.
E
So we're still, you know, trying to figure out how everything's going to work with it, and so, kind of in parallel with that, we've also been looking at how we can turn on security for the system. We largely didn't do anything with it with ROS 1 security, just because, I mean, I, you're all familiar with ROS 1 security.
E
We didn't see a big advantage at that point, but now we're very much interested in using DDS security and Secure ROS 2 to really lock this thing down, and, you know, and not only secure the application, but also try and kind of get the security processes integrated into our workflow, because, unfortunately, up until now, we've just been focused on development and testing and haven't really, the security aspect just haven't been a part of our, part of our workflow.
E
So, for example, when I say a large system, for example, you know, we're thinking about ground vehicles, and maybe have six or more computers, you know, a node count into the hundreds, with, you know, you know, 500 to 1000 topics.
E
Importantly, we're probably going to use multiple DDS domains to kind of manage the traffic and make everything manageable from a map, from a DDS standpoint, and we really need to restrict access between the different systems and network interfaces on this vehicle. So we really want to make sure that everything's kind of isolated, so if one system gets compromised, you know, doesn't take down the entire vehicle. Kind of the other use cases in the back of our mind are things like UAV swarms, where you've got dozens of UAVs, maybe with multiple computers.
E
You know, like a flight computer and then maybe a sensing payload, or an NVIDIA Jetson or something doing, you know, computer vision tasks, that need to communicate with one or more ground stations, and we really would like to kind of isolate those UAVs from each other, while still, you know, maintaining communication with the ground stations. So the, you know, that, that's kind of like this, the systems we're kind of envisioning and thinking about and starting to work with, and so yeah.
E
That's, so that's kind of where I'm coming from, and, like I said, I'm not a security expert either, by any means, but we are very interested in applying it to these systems, and so kind of, we've been doing some initial efforts into this, and kind of the, what we found.
E
What we have found from our kind of developers that are working with it is they're really having a hard time integrating the SROS2 into their development workflow. Particular things we've, we've encountered are, you know, when the command line tools, when we start talking about, you know, half those, you know, trying to have a half dozen computers that are all, you know, maybe configured differently or have different policy configuration, you know, different computers are supposed to have different levels of communication with other computers, you know, like.
E
Maybe we want a computer vision system to talk with one computer that then sends, you know, some kind of processed version of the computer vision imagery, you know, like object detect, you know, doing whatever we're doing, like pedestrian detection, object detection, semantic segmentation, and then sending that on to, you know, more of the, like, path planning computer.
E
You know, we want to kind of restrict the communication between all those computers to just the topics that they're, that are actually relevant to each other, so we don't just have a free-for-all talking between the systems. And, and so kind of the first feedback we got from the developers are: the command line tools are really hard to work with in this case, like, I'll talk about that a little bit on our next slide; it's hard to verify that the system is properly configured.
E
Even when we turn on the security options, you know, of the, you know, we, you know, I, I think our first thing we did was we turned on security and we were like, did that just work? And we were really wondering, you know, did we actually have the system even configured properly? And like I've noted, a lot of the people on this project are not security experts; they're just, you know, they're pathfinding experts, they're localization experts or computer vision experts, but they still need to do, you know, we would still like them involved with the security process and, and be able to effectively.
E
You know, add the code they develop to a secure system. And so, kind of, existing command line tools, as, I'm kind of paraphrasing some of the direct feedback I got: one was that it felt like an all or nothing thing, like, you know, they, they followed the SROS2 tutorial, they, you know, created an enclave.
E
You know, added it to their command line launch arguments, and then they said, well, everything's encrypted, but trying to do more granular levels of control felt like a lot of effort. You know, we're going in and hand editing policies, like the governance and permissions.xml files, to, especially to work with multiple ROS domains or DDS domains.
E
It took a lot of effort to configure all that, so we did a lot of hand editing of config files, which is really tough, because that makes it very hard for us to replicate the environments, like every, you know, if we've got a dozen developers on the team.
E
It was really tough to get everybody's security environment set up the same way and then reproduce changes. Like, when somebody made a change, it was hard to do it, because, you know, we, you know, even if we version control, like, the XML files that control the policies and the governance, like, you'd end up having to regenerate the signed versions of those. And it was hard to verify the system was configured as expected. Like, you know, right now, you know, to make sure that we really had secured a topic.
E
We would end up looking at it in Wireshark to see if it was encrypted, or using some of the other Linux system tools to see, you know, things were actually as we thought they were. And so kind of the overall consensus is: yeah, we can do it, but it's going to be really tough to make this part of our normal workflow, and, and I think that's unfortunate. You know, we, we really do want secure systems, and, you know, I think about what happens.
E
If I unleash this on a distributed team with, you know, dozens of developers, and how do we, and they're all, you know, like, when they write a new node that publishes new topics, how do they get that properly configured and then distribute those changes to the other team members? And so kind of the wish list we kind of internally thought about is, one, it would be really nice if we had a graphical tool.
E
So, like, I'm thinking like rqt_graph: could I actually look at the topics in an rqt_graph and see how they are encrypted, or make sure that they are in fact encrypted? You know, which keys or enclaves are they using for encryption? And, and that fits into the view of, like, when we have a developer that adds new code, we want to make sure that they can easily double check that their, what they did is right, and also we want to.
E
Frankly, we want to look at our existing system and, as we slowly enable security options for everything, we want to make sure that we're, we're getting everything locked down as we expect. We'd also, you know, one of the other things that came up is, you know, we have continuous integration tests and deployment, you know, through things like Docker containers.
E
You know, setting up environment variables to configure the security is something we can do, but we've already run into issues where somebody has a bug and it turns into, oh, did you set this environment variable properly in the terminal? And we'd really like to get it more of a programmatic, like, everything gets set through a command line, or some sort of, you know, configuration file, to, and, you know, to make sure that we can really reproduce our environments and change them effectively.
E
One of the other things the developer brought up was, could, you know, could something like ros2 node info or ros2 topic info show you information about the enclaves that the node is using, or, you know, how the, or how a publisher and subscriber is configured for encryption? And down the line, we're also thinking about things like key management. You know, how do we, in that UAV swarm case, how do we deploy keys? You.
E
Keys to this entire swarm, that's, you know, not involving a lot of bash scripts and, you know, copying over encryption keys one by one, or, you know, very ad hoc. So yeah, that's kind of my, sorry, and that's kind of my, I guess it's kind of my presentation. That's kind of what we ran into, and that's kind of what we're thinking about, and I just didn't know if the overall security working group commit, community is, is also kind of thinking about these issues.
E
A
There, thank you very much for the interesting presentation, with the, an actual, very real use case. You're also touching quite a few points that we have already discussed, and some of which are more or less already ongoing. So before I, I leave the floor so that others can, can react, and I'm sure some of them have quite a few things to say.
A
I was wondering during your presentation if, if the work that you are doing is, is somewhat part of a larger project within the ROS-Industrial Consortium. We've seen that they are touching the security aspects of ROS 2 as well nowadays, and I was wondering if that was related, so.
E
Yeah, so we're, we're not directly related. I talked with ROS-I quite a bit, since, you know, we've got quite a few other people here at SwRI, yeah. I talked with Matt Robinson quite a bit, yeah, and they're, I should have mentioned that too, yeah, they're definitely thinking about a lot of the same things too.
A
B
A
Think, and then seeing that four of us, I think it would be interesting to, to get our two communities in touch on those particular topics, right. My second question was simply if you, if you or your team had a look at the links I provided on the Matrix room and the work we are doing on the launch, launch files side of things.
E
Yeah, so I think the launch files are, are, yeah, also a great thing. Yeah, we're very interested in all that. I think that it's also hitting some things that we will.
E
You are definitely also going to encounter. Right now, we're a little stuck right now on the launch system, just because of difficulties with launching on multiple computers, but, you know, we're, we're actively.
A
A
This solution that's still under development could, could answer, if not all, but most of your issues, right. And anyone wants to.
F
So I, I think what you've, which you brought up is, is, is quite relevant and pretty accurate in a sense. A lot, a lot of what the working group has sort of been focusing on is the capability, and just like, in a lot of the sense that security is now possible, but it's not necessarily usable. So that a lot of the, a lot of the pieces and components are there.
F
But the usability of these tools is, is still lacking, and I'm, I'm a bit, I'm pretty interested in what you kind of envision, and maybe particular about the, the use case. So, so you're talking about, we're dealing with another ROS community members that are in other domains, such as planning and perception, and so it's, it's, security is somewhat outside of their, their scope, but the ways they, they intend to enable security features.
B
F
Survey and, and assess the, the entire configuration. It's the, the bit about tracking the configuration and modifying it. So yeah, I, I think our current policies are fairly verbose.
F
My, my hope, my vision was to sort of have an end-to-end automation scheme, and the bit is where I think Canonical's been working on the.
F
The no, NoDL, to kind of co-locate the, the information to generate the policy as close as possible to the code base that uses it, so that co-location would, would make it fairly easy to track modified, policy modifications, or, and that would, that would be generated downstream, you know, either by your contingent, continuous integration pipeline or your deployment pipeline services.
F
But could you speak a little bit more on, like, what you think the user, the users are sort of within, would anticipate? Is there any kind of equivalent? You talked about rqt, and that's where our.
F
That they think we could follow.
E
Yeah, and this is where, I'll be honest, not having a deep security background.
E
Yeah, I, I don't know that we haven't have quite an ideal in mind, and, and that's why I was a little, I didn't want to come in here and just be, like, complaining, to be honest, because I really do appreciate what the community has done. I think it's fantastic. You know, I, I think, if there are existing tools I could use as a basis, we'd be really excited for that. You know, any, as standard as we could get.
E
I think we would be happy to, to learn it and teach our developers that, you know. And honestly, you know, somebody said, like, oh yeah, this tool exists, you just don't know about it, I would love to hear that answer too.
F
I'll take a, take a sense of, like, say your launch files. You're working with, with multiple robots, and I'm assuming you have some orchestration means of, of instantiating a robot, like.
D
E
Right, so right now they are definitely pets that we would like to turn into cattle.
D
C
C
Thank you for, for sharing with what you, you share. By the way, super cool to have, like, other members of the community also sharing their views, and I think what the security working group definitely, at least historically, I, I felt it needed was external input from users, from power users like SwRI. So it would be awesome to get more and more of your input in the line that Ruffin was suggesting, actually, in terms of usability and criticism. So, so please don't, don't be shy.
C
C
D
C
So yeah, I wanted to share with you a thought and see if it does somehow match with what you presented, and maybe that can get back into the group and somehow constructively contribute, which is, and I brought this up many months ago in, in a past security meeting, which was that I was feeling that for us as a group to advance, we had to some, somehow focus on a consistent, identical or similar use case, meaning that we need to somehow define a reference system, and that reference system needs to somehow be the one that we use to challenge it with different security configurations, to provide additional examples, to spread the word about the work we are doing proactively in that. Kind of like, base reference system is also kind of the, like, the common ground for us all to get together on certain topics.
C
Right now, and as far as I know, though, Jeremy, correct me if I'm wrong, we don't really have this. As far as, as I believe I know, some other working groups are working on, on this direction. Specifically, I can give you a pointer to the one that's currently being used in the real-time working group, which is also being considered in a hardware acceleration working group, so I'll, I'll just fetch it.
A
In the meantime, if you know me, and for the, for the record, that yes, that's a topic that has come up many times, and we even had, you know, a few invited guests that wanted to kickstart some, some.
A
Project in this direction. I'm thinking, for instance, the, the MoveIt group. The, the problem, that we did not quite set our mind on the, on a specific reference robot or reference implementation, and, and I guess the main problem right now is, you know, cycles.
A
We don't have a lot of investment in the group, yeah, we, and that definitely sounds like the kind of project we should be doing, because that would, you know, put, put the spotlight on, on the shortcomings of the security story in ROS 2, and that would be a great tutorial on an example and showcase we internally.
A
C
Terrible TurtleBot is great, to, to be honest, and, and I've got a few of those here with me. Also, TurtleBot is great. I think what, what somehow we need in here is, and probably that's, that's your call, Jeremy, we need somehow a bit of leadership in here and define, you know, we're gonna grab, like, this subset of the computational graph of the TurtleBot.
C
Let's make that into a reference system, or we attach ourselves to the real-time working group reference system, which I just pasted in the chat, and we, we align to it. But I think I see the problem you're describing. I also kind of, like, pay attention to, to what PickNik try to engage with, and the same is going to happen with the nav stack guys, with Navigation2, and many, many others. I mean, these are big projects with lots of complexity, and, frankly speaking, something that, that's somehow born from the contributions and commitment of the folks in here.
C
Both, all of us, I think it's what's probably gonna take off down the road. So TurtleBot is awesome. I, I love the turtle, but actually we did community-wise some work in the past around the TurtleBot. AWS and, and myself, as part of Alias Robotics, we cooperated on, on essentially doing threat modeling.
C
So that's, that's a way to go, and I guess we just need to vote or put it together. Ruffin, what's your take? So.
F
So the, the, the working, yes, we were talking about the, the workshop that we had a while ago for using SROS on the TurtleBot too. So that's, that's still something, repo I've been kind of casually maintaining and updating it from, to Foxy, to Galactic, to Rolling. So you.
F
D
F
All using containers; you just, you know, pull it and spin it up, and it starts a vibe session. It drops you in with the TurtleBot demo. You can flip whether you want to use everything, security or not, or use your custom profile, and what that's sort of an insight is to really the scale that even modest ground-based service robots are kind of facilitating, in terms of number of topics and number of nodes, and, and how these ROS graphs are composed with nodelets or composed nodes, and that's what that's been really used.
F
Yeah, like, like, you know, Victor said, these are really useful for teasing out the, the use case or the, the friction points and using the SROS tool. So, like, in particular, Nav2 rolling is sort of a moving target. You know, every time, you know, PRs get merged, there's certain parameters, get, that get renamed, or nodes that get renamed, or whatnot.
F
So that's like, if we were able to get the NoDL, or NoDL format upstream, so the maintainers can start curating the kind of interfaces that their standard libraries kind of expect, that would reduce, you know, the burden on the user and having to audit, compose and author policy configuration files.
F
So I, I encourage anyone that kind of interested in what the use case might look like is to go check out the, the, what's the name of the, SROS TurtleBot demo.
F
I'll, I'll also be, I think, maybe running by PickNik headquarters next week, and so maybe I can try and get a hackathon going on with them, where, because I, I think it'd be nice to have some core use cases, but one may not be just enough. Like, we'll have one that's like your classic ground-based TurtleBot, one that may be your mobile arm, and then one I'd like to have, maybe, like a swarm example, something like we, we've seen with the today's presentation, where they had a use case of multiple robots.
F
One thing I'd like to hear a lot more about is, like, how are you using multiple domains? Are using, I think, a recent project I've seen on the ros2 repositories, domain bridging. So I guess that was a, a need that would need to be fulfilled. What are you guys doing there?
E
Yeah, yeah, so that's exactly what we're using. We're using the domain bridge, and so we're using it for two, a couple reasons. One is it just overall network management. It's a lot easier to, you know, restrict the domains, just so we can get a, you know.
E
You know, limit the scope of our, of our communications. The other thing, long, long term, we're really believing that to get DDS to be as performant as we need it, we've been advised by DDS vendors that we're going to need to use separate domain, or DDS domains, on our system just to get it to perform.
E
Well, in particular, things like, you know, the node discovery and things like that, if you can restrict it to a single domain, it's going to be a lot more efficient. And, you know, we've, we've had some conversations with, like, RTI, and when we talked about our, our system architecture, they're like, yeah, you're probably going to need to use the DDS, you know, multiple DDS domains, just to keep traffic manageable and your system performing like you want it to. So.
F
This, this is a small aside that I've, I've been meaning to bring up with the middleware group, is the, the use case of swarm robots with ROS 2 and the scalability issues, and using domains. Like, domains are really nice, and like, it's a hard cutoff that limits the discovery overflow of, like, you know, and avoiding crosstalk, but at least from the spec's perspective, there's a finite number of domains.
F
So, like, you have a warehouse of robots, that's like hundreds of robots, you've, you've exhausted the number of domains that you could, and I guess at that point maybe you'd already be doing subnets on your network, so you could maybe isolate them on the physical network layer. But I, I always thought there would be this, there's.
F
Maybe another approach of partitioning the DDS domains for large-scale swarms. I felt like DDS partitions were a fairly good fit, particularly because they can be cons, and they can be considered directly in the access control, so from a DDS security perspective, they're fairly transparent. With DDS bridging, I think it adds a whole new, like, layer of complexity, in terms of, suddenly, your configuration files, the access policy and permissions you set, are a lot more flexible than maybe you anticipate. So if you, if you're like, from, if.
D
F
To guarantee security, but I.
A
Sorry guys, I'm, I'm very sorry to, to interrupt, but time, time is flying, and we have still two, two items to, to raise. What I, what I would propose, that the next, next month meeting will be entirely dedicated to discussing an actual example.
A
F
As, as just an action item, I would like to encourage folks to, to maybe bring their own kind of small toy example to the candidate, like what they, what they'd like to see for, like, either swarm robots or composing the navigation movement, like, some really.
D
A
A
B
For those, I don't know if you remember, but just a quick recap: Kalyan and his group unique were asking for support for PKCS #11 URLs on the security properties, which currently neither ROS 2 nor the, the middlewares, the middleware implementations, support. So we stepped up, and they said that we could add that support for Fast, Fast DDS.
B
All the implementation is already in place. There is a pull request waiting to be merged into our master branch. The only thing that's, that, that is waiting is for all the tests to be included in our, in our CI environment.
B
The test is, they are already, already done, but this integration in the, in the environment and in the is missing, and we don't want to make the merge until that's, that's in place. So I'm guessing that it will be delivered officially on our next minor release, at the end of December. I think that will be version 2.5. And on the other hand, we have this.
B
B
Some design in order to, how we can integrate all this support into the current enclave architecture of, of Secure ROS. That was proposed to the, in the ROS 2 design repository, which was, I think it was already approved, and there is also a pull request for the Fast RTPS RMW implementation in order to support this, which integrates nicely with the implementation that we did in, in Fast DDS.
B
So everything is in place. The only thing that's missing, as I said, is to make the final merge to the master branch in our side, in.
D
B
Particular side, and also the pull request that we made to the RMW implementation to be merged. And just as a side note, we are also preparing for ford niger for Kalyan and his team demo, so that they can showcase all these new features to their clients, and I think that maybe it would be also good if, when this team was prepared, we can showcase it here in the, in the working group. This is planned, I think, for the end of December.
B
So probably it could be shown to you guys at most, like, in next January or at the beginning of next year, if that's okay with you. But yeah, that's, that's basically all the updates that we have.
B
I will, I will just post in the, in the message in the chat the, the link to the pull requests, to, for you.
A
Thanks. So Ruffin is asking if we can link the, the slides from today's presentation. David, if you, if you agree, your, your slides.
D
A
C
Yeah, real quick, thank you, Jeremy. So, super quick: so there's a number of upcoming talks about security in different forms.
C
A few of those will be given in the ROS-Industrial Conference flavor in Europe, which will happen in December, early December, and then there's just ongoing conferences, as in any other field in security, all the way, or all through the year. We're giving a number of them in upcoming venues. The next one is in Black Hat, and I'm sharing it, link here in the chat. For those of you that are not familiar with Black Hat.
C
It's possibly one of the biggest and most popular forums for cyber security overall, specifically treating aspects related to offensive cyber security, though defensive topics are also widely treated. In this particular talk, where we're essentially speaking about DDS, because often people essentially new to security or new to ROS 2 assume somehow, because of the marketing that we've been giving, which is great, but still somehow misleading, that by just applying the ROS 2 security abstractions.
C
On top of the DDS security plugins, you just right away gain security. However, as probably most of you are aware, as of now, security is not a product that you just patch or apply once and that's it, you, you get secure; it's actually a process, and you need to care about it over and over and over, and there are methods to do so, both defensively and offensively. In this case, we are tackling the problem from an offensive perspective with a group. This group is represented by essentially DDS vendors.
C
We had ADLINK in the group researching with us. We have also TXOne, which is a big cyber security firm; Trend Micro, which is another huge cyber security firm; Alias Robotics, which is the site that I, I participated in at the time; and this has gone for quite a few months. It's been going on for, for quite a while.
C
The first bits are being presented in just a very, very few days, the 11th actually, so a couple of days from today, and we are disclosing and first showing how, essentially, we found more than 10 security vulnerabilities in DDS, various of which are critical, of critical scoring, which means, essentially, above, typically, nine.
C
But we also find a few above eight, if you're familiar with CVSS. They affect all of the DDS implementations we analyzed, which are essentially the three open source ones and the three most popular proprietary ones, including RTI's, CoreDX and a few others. Of course, that also applies to eProsima's, ADLINK's and a few others, and it shows really nicely and really directly how security needs to be considered end to end and way, way beyond, essentially, some of the aspects we're typically discussing here.
C
So my proposal to the group was, if such topics are interesting, I can possibly, of course, bring myself and also maybe bring a few other of the authors who participate in this research and try to give a 20 minute session in here and give you kind of like a heads up about it. Again, this is happening in two days, and I'm not really sure when is the next security working group meeting that we could schedule it in the future. I just wanted to at least bring the opportunity in here.
C
D
A
C
Month sounds good, yeah. So if we can book, and you tell me, Jeremy, how much time we have, and I'll schedule things. I'll accommodate whatever time you give me. Like, if it's 10, we will do it in 10; if we have 15, we will do it in 15. Whatever. And again, we, we will try to keep it high level, but also the plan is to release details about disclosures and how you can actually trigger each one of these flaws.
C
I'll just leave you with a pull request, which you may find interesting. So Federico and I coded a Scapy layer which implements a dissector of RTPS.
C
In a nutshell, what that means is that you can really easily dissect whatever network packages from RTPS, which means any ROS 2 interaction. Right now, our current implementation of the dissector does not include DDS security. I have one in my local development station that does include some aspects of the DDS security plugin and specification and spec overall, but it's not, it's not pushed publicly yet.
C
There we go. Yeah, so that's, that's it, and that's a great starting point for anyone that's caring about, also, this topic. You can play around. You can do quick sniffers of traffic. You can enable encryption, and you can see how still you get some information out of it. You can try to break some of the fields. So both for DDS vendors, security researchers and defenders, this is typically the way things work from a dissection and research perspective. So, encouraging you to take a look at there, and I'll try.
C
A
Attending your talk, Black Hat, so looking forward to it.
C
You'll enjoy, you, you won't be disappointed, so we can. I mean, there are things we still can't disclose, but I can give you, I can give you something interesting, which is that we are being blocked by governmental organizations not to do full disclosure, because apparently we hit flaws that are being used by military contractors, and that's raised things like heavily. So, so it's been a fun story from a research perspective, but I think from, from, so, from a user perspective.
A
Right, we're looking forward to, to your presentation.
A
I will allocate you 20 minutes, and if you need more, just, just let me know, and, and I think it would be interesting also to, to know the, the backstory behind the work itself and how that, that plays with government agencies.
A
A
All right, folks, we are just on time, so I propose we stop here for, for today. As I told you earlier, I will be setting up a shared document to pour ideas on, on the reference device and see if we can, if we can actually agree on something. And as usual, I will be cleaning up the agenda. It's always the same link, and if you have any, anything that you want to, to discuss, or anything that you want to, to present, just feel free to, to add it to the agenda.