RFC: Zero-configuration Cyphal with named topics

I designed and implemented a simple transport-agnostic extension that works on top of the existing Cyphal transports, adding support for minimalist named topics. I tried not to compromise on Cyphal’s general simplicity and robustness while also avoiding the need for manual configuration. The system is entirely plug-and-play while also supporting instant power-up-and-go, provided that the once automatically established configuration is recovered from non-volatile memory.

Requirements I defined for this work:

• Discriminate data flows using descriptive string names instead of integer port-IDs.

• Allow nodes to join the network with zero prior configuration of the protocol (at least above the physical layer).

• Introduction of new topics and/or nodes must not disturb operation of the existing participants.

• A fully converged network must offer a service quality at least as good as a statically configured network.

• The autoconfiguration protocol must be stateless and must not require central coordinators or special nodes.

• Retain backward compatibility with old Cyphal nodes that do not support named topics.

• Preferably, the background service traffic should be exchanged at a constant rate to simplify latency and throughput analysis.

• Once a stable configuration is found, it should be possible to store it in the non-volatile memory per node for instant recovery after power cycling, bypassing the autoconfiguration stage. Obsolete or incorrect per-node configuration should not affect the rest of the network. This ensures that a vehicular network with named topics will perform identically to a fully statically configured one until its configuration is changed.

• Scalability beyond a thousand of nodes and topics per network.

• The solution should be implementable in under 1k lines of C without dynamic memory or undue computing costs for small nodes.

Stretch goals:

• Support subscriptions with wildcard topic name matching / name substitution. See https://forum.opencyphal.org/t/rfc-add-array-of-ports/1878

The PoC is implemented as a very compact C library in less than 1k SLoC, which I call cy. The library is transport-agnostic and thus requires glue logic to bind it with the specific transport library and platform-specific code underneath in a user-friendly way, so I made another 500-SLoC library specifically for Cyphal/UDP on POSIX, which I call cy_udp (actually it should be renamed into cy_udp_posix). The actual user-facing product is therefore cy_udp, while cy is its core. There should be cy_can as well.

Please look at the PoC, read how it works, and perhaps test it locally here:

Distributed consensus protocols are very hard to get right. It is not impossible that there are major design flaws in my solution, so I would very much welcome an in-depth review and criticism.

Impact on the project

Compatibility with existing nodes is generally not affected. A named-topic-capable node can interact with an old node provided that the topic is pinned, meaning that its name is the subject-ID; e.g., /1234. The range of subject-IDs in [0, 6144) is now dedicated for named topic allocation, while the remaining range in [6144, 8192) is reserved for fixed subject-IDs and pinned topics. It is possible to pin topics anywhere, but it is not recommended as there exist edge cases where it may cause allocation collisions – more on this in the readme.

Libudpard/libcanard/libserard will require a slight extension of their APIs to add optional support for node-ID autoconfiguration and topic allocation collision detection. The overall impact is about 100 SLoC per library. The current PoC works with vanilla libudpard but there is a risk of data misinterpretation; more on this in the README.

The heartbeat message is replaced with a new one, suppose it will be called cyphal.node.Heartbeat. It is obviously wire-compatible with the old heartbeat but it adds more data for the distributed consensus algorithm, which piggybacks on the heartbeat message for simplicity. The exchange rate of the heartbeats should also be increased up to about 10 Hz; even though it is not strictly required for the protocol to function, it speeds up the initial configuration stage.

One undesirable but hard-to-avoid side effect is that every node that wishes to participate in the named topic protocol must process heartbeat messages from all other nodes. In a network with a large number of participants this may be burdensome for small MCUs. I attempted to simplify the heartbeat processing pipeline as much as possible. Right now it amounts to just deserializing the message and searching two binary trees, each topic-count elements large. If a reallocation is needed, a few more tree traversals are added. I am not yet certain how it’s going to scale but I am cautiously optimistic.

Next steps

If this first PoC does not uncover any major design flaws, the next step would be to add support for RPC endpoints, which is much easier because it does not require consensus.

Then we could focus on building compact wrapper libraries with very simple API that combine Cy and one of the libxxxards into atomic packages for various systems and protocols: Cyphal/CAN for SocketCAN, Cyphal/CAN for baremetal environment, Cyphal/UDP for POSIX (which is my cy_udp), Cyphal/UDP for baremetal, etc. The goal here is to achieve a significant simplification of the API and a reduction of the entry barrier.

TL;DR

// SET UP LOCAL NODE:
struct cy_udp_t cy_udp;
cy_err_t res = cy_udp_new(&cy_udp,
                          local_unique_id,  // 64-bit composed of VID+PID+IID
                          "/my_namespace",  // topic name prefix (defaults to "/")
                          (uint32_t[3]){ udp_parse_iface_address("127.0.0.1") },
                          CY_NODE_ID_INVALID, // will self-allocate
                          1000);            // tx queue capacity per interface
if (res < 0) { ... }

// JOIN A TOPIC (to publish and/or subscribe).
// To interface with an old node that does not support named topics, put the subject-ID into the topic name;
// e.g., `/1234`. This will bypass the automatic subject-ID allocation and pin the topic as specified.
struct cy_udp_topic_t my_topic;
cy_err_t res = cy_udp_topic_new(&cy_udp,
                                &my_topic,
                                "my_topic",  // expands into "/my_namespace/my_topic"
                                NULL);
if (res < 0) { ... }

// SUBSCRIBE TO TOPIC (nothing needs to be done if we want to publish):
struct cy_subscription_t my_subscription;
cy_err_t res = cy_udp_subscribe(&my_topic,
                                &my_subscription,
                                1024 * 1024,                       // extent (max message size)
                                CY_TRANSFER_ID_TIMEOUT_DEFAULT_us, // going to remove this
                                on_message_received_callback);
if (res < 0) { ... }

// SPIN THE EVENT LOOP
while (true) {
    const cy_err_t err_spin = cy_udp_spin_once(&cy_udp);
    if (err_spin < 0) { ... }

    // PUBLISH MESSAGES (no need to do anything else unlike in the case of subscription)
    // Optionally we can check if the local node has a node-ID. It will automatically appear
    // if not given explicitly at startup in a few seconds. If a collision is discovered,
    // it will briefly disappear and re-appear again a few seconds later.
    if (cy_has_node_id(&cy_udp.base)) {
        char msg[256];
        sprintf(msg, "I am %016llx. time=%lld us", (unsigned long long)cy_udp.base.uid, (long long)now);
        const struct cy_payload_t payload = { .data = msg, .size = strlen(msg) };
        const cy_err_t            pub_res = cy_udp_publish(&my_topic, now + 100000, payload);
        if (pub_res < 0) { ... }
    }
}

Related posts

• Using UAVCAN as a general purpose CAN(FD) Embedded DCPS Middleware?
• RFC: add array of ports

Now, building a ROS 2 middleware based on Cyphal is entirely within reach. Here is an interesting article on the subject: ROS 2 Over Email: rmw_email, an Actual Working RMW Implementation – Christophe Bédard. Do we have any volunteers?

UTF-8?

Yes, but this proposal seems worthy of discussing as part of a minor version bumb of v1 (v1.1).

Why not separate this into a new message to to allow 1Hz heartbeats where dynamic configuration is not used? Furthermore, we’d want to stop sending these messages after an initial configuration phase, right?

The acceptable character set is currently very conservative and follows DDS — [0-9a-zA-Z_], plus separators /, plus local node replacement ~. We might extend it in the future. The encoding is utf8 for future compatibility even though we’re only using ASCII for now.

Okay, but then we need to release v1.0-beta first?

1. Every subscription requires memory, so from the standpoint of smaller nodes it is desirable to have one subscription rather than two.
2. There is some intersection between the fields carried by the heartbeat and the CRDT gossip message; specifically, they both need the 64-bit UID of the sender.
3. It is computationally cheaper to handle one large message than two smaller messages.

It’s possible, but I don’t want it to be the default behavior. We should be able to repair the network should it become partitioned and then de-partitioned (departitioning may cause conflicts that require CRDT traffic to resolve). Plus I want the network to be continuously introspectable. The gossip messages allow one to observe the topics and how they are used by each participant.

As a follow-up to the call, I want to emphasize that switching to named topics does not increase the network utilization beyond the fixed-rate background CRDT gossip traffic (that sits on top of heartbeats). We certainly do not transmit the topic name with each transfer. The CRDT finds a unique subject-ID for every topic, and each node that publishes or subscribes to a given topic will have a replica of the relevant part of the global mapping table (topic name → subject-ID) stored locally.

Instead of recommending 10 Hz heartbeats, we could keep them at 1 Hz but instead allow unscheduled heartbeats if the CRDT detects a collision (multiple topics on the same subject-ID) or a divergence (multiple subject-IDs on the same topic). This will increase the gossip traffic during the autoconfiguration stage, but then it will drop back down to 1 Hz/node until someone wants to join the network.

To run the example app locally, build it (should work on any POSIX):

git clone https://github.com/pavel-kirienko/cy --recursive
cd cy
mkdir build && cd build && cmake ..
make -j10

And run a few nodes like this, from the build/examples directory:

# Publish on /my_namespace/foo and subscribe to /my_namespace/bar
./udp_node iface=127.0.0.1 ns=/my_namespace pub=foo sub=bar

# Subscribe to /my_namespace/foo and publish to /my_namespace/bar and also /baz
./udp_node iface=127.0.0.1 ns=/my_namespace sub=foo pub=bar pub=/baz

The examples are built with debugging options by default that 1. maximize collisions by forcing each topic to prefer the same subject-ID of zero (which creates 6144 times more collisions compared to an ordinary network, so you can see the scaling effects), and 2. moves the heartbeat traffic to /8191 instead of the default /7509 so that you could subscribe to it using Yakut (PyCyphal does not really allow overriding the heartbeat type so the subject needs to be different for better observability). These options can be disabled here:

You can look at what’s happening in the network using Wireshark with @erik.rainey’s plugins.

I would like to also talk about named RPC endpoints. RPC might look similar to subjects in Cyphal v1.0, but in v1.1, once we add named resources, significant differences will emerge. I would like to share some thoughts on this, but before we do that, I want to ensure that we are all roughly on the same page about the current approach to implementing named topics. The key features of my proposed named topics architecture are that the solution is decentralized, eventually convergent, and under the CAP model it sacrifices consistency for availability and partition tolerance. And, well, per my design intention it has to be under 1k SLoC in C.