General description
From the point of view of the ADS protocol, "ADS-over-MQTT" is simply a new transport channel: exactly the same ADS commands are transmitted over MQTT as over the other communication protocols.
To do this, the TwinCAT router establishes a connection to the broker, over which it both sends and receives ADS protocol commands.
The broker endpoint is therefore configured on the local device. The 1:1 relationship of an ADS route no longer arises from a direct connection between two devices, but only from their interaction with the matching broker.
This document provides an overview of the usage possibilities as well as a technical description of how a "virtual ADS network" can be configured over an MQTT message broker.
Benefits of an MQTT-based ADS network
- Subnets, NAT-based networks and firewalls:
  In a classic ADS setup, every device accepts incoming TCP/IP connections, since a route is used in both directions. Normally this means the devices must be located in the same network; in distributed systems with different subnets it leads to complex configurations before the ADS routes become usable.
  In an MQTT-based ADS network, each device only opens an outgoing TCP/IP connection to the broker. A broker in the higher-level network can therefore relay between all devices.
  Because only outgoing connections are used, a typical firewall configuration suffices and no incoming ports need to be opened.
- Access control:
  In a classic ADS setup, communication is bidirectional once the appropriate routes have been created: a route that lets device A access device B also lets device B access device A.
  An MQTT-based ADS network can be configured so that device A can access B, but not the other way around.
- Security / encryption:
  The communication from TwinCAT to the broker can be encrypted with TLS, using either certificates or a pre-shared key (PSK). Whichever variant is used, the broker's authentication of each device is what any topic-based access control rests on.
The increased administrative effort is a disadvantage, although in a larger network it is reduced to a reasonably low level per device.
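The unidirectional access described under "Access control" is enforced by the broker, not by ADS itself: the broker decides which client may publish to and receive from which topics. The following model of that authorization is an added example and is not TwinCAT or Beckhoff code. The topic layout it uses (a router receives requests on `<prefix>/<own NetId>/ams` and responses on `<prefix>/<own NetId>/ams/res`, and publishes requests to the target's `.../ams` and responses to the requester's `.../ams/res`), the prefix `VirtualAmsNetwork1`, the client names `deviceA`/`deviceB`/`rogue` and the AmsNetIds are all assumptions constructed for illustration; verify the real topic scheme against the TwinCAT version you deploy before deriving broker ACLs from it.

```python
"""Broker-side topic authorization for a virtual ADS network over MQTT.

Added example (not Beckhoff/TwinCAT code). The topic layout below is an
assumption for illustration only: each router subscribes to
<prefix>/<own NetId>/ams (requests addressed to it) and
<prefix>/<own NetId>/ams/res (responses addressed to it); it publishes
requests to <prefix>/<target NetId>/ams and responses to
<prefix>/<requester NetId>/ams/res.
"""
from dataclasses import dataclass

PREFIX = "VirtualAmsNetwork1"      # assumed topic prefix (the "virtual ADS network")
NETID_A = "5.1.2.3.1.1"            # constructed AmsNetIds for the two devices
NETID_B = "5.4.5.6.1.1"


def req_topic(netid):
    """Topic on which <netid> receives ADS requests (assumed layout)."""
    return f"{PREFIX}/{netid}/ams"


def res_topic(netid):
    """Topic on which <netid> receives ADS responses (assumed layout)."""
    return f"{PREFIX}/{netid}/ams/res"


def topic_matches(topic_filter, topic):
    """MQTT topic-filter matching: '+' matches one level, '#' (last only) the rest."""
    f = topic_filter.split("/")
    t = topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return i == len(f) - 1
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(t) == len(f)


@dataclass(frozen=True)
class Rule:
    client: str   # broker-side identity (MQTT username or TLS client-cert CN)
    access: str   # "read" = may receive, "write" = may publish
    pattern: str  # topic filter


# Policy: device A may send ADS requests to B and receive B's answers;
# device B may only answer A. B has no write right on A's request topic,
# so B cannot open ADS access to A even though A can access B.
ACL = [
    Rule("deviceA", "read",  req_topic(NETID_A)),
    Rule("deviceA", "read",  res_topic(NETID_A)),
    Rule("deviceA", "write", req_topic(NETID_B)),   # A -> B requests
    Rule("deviceB", "read",  req_topic(NETID_B)),
    Rule("deviceB", "read",  res_topic(NETID_B)),
    Rule("deviceB", "write", res_topic(NETID_A)),   # B -> A responses only
]


def allowed(client, access, topic, acl=ACL):
    """Default-deny: True only if some rule for this client and access matches."""
    return any(r.client == client and r.access == access
               and topic_matches(r.pattern, topic) for r in acl)


def publish(publisher, topic, subscriptions, acl=ACL):
    """Broker model: reject a publish the ACL denies, otherwise deliver only to
    subscribers whose filter matches AND who are allowed to read the topic.
    Returns the list of recipients (empty if the publish was rejected)."""
    if not allowed(publisher, "write", topic, acl):
        return []
    return [client for client, filters in subscriptions.items()
            if any(topic_matches(fl, topic) for fl in filters)
            and allowed(client, "read", topic, acl)]


# Constructed subscription table: each router subscribes to its own two
# topics; "rogue" is a client that subscribed to the whole prefix but has no
# ACL entry at all, so the delivery-time check gives it nothing.
SUBSCRIPTIONS = {
    "deviceA": [req_topic(NETID_A), res_topic(NETID_A)],
    "deviceB": [req_topic(NETID_B), res_topic(NETID_B)],
    "rogue":   [f"{PREFIX}/#"],
}

if __name__ == "__main__":
    print("A -> B request :", publish("deviceA", req_topic(NETID_B), SUBSCRIPTIONS))
    print("B -> A response:", publish("deviceB", res_topic(NETID_A), SUBSCRIPTIONS))
    print("B -> A request :", publish("deviceB", req_topic(NETID_A), SUBSCRIPTIONS))
    print("rogue -> A     :", publish("rogue", req_topic(NETID_A), SUBSCRIPTIONS))
```

The model is default-deny and checks both at publish time and at delivery time, which is what makes the "A can reach B, B cannot reach A" property hold: B keeps the write right it needs to answer A, but nothing else. It also shows why the broker's authentication matters: the ACL is keyed on the client identity the broker established at connection time, so a device that the broker cannot tell apart from another one cannot be restricted separately.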
Notice: ADS access means full access
As described in Security Advisory 2017-01, ADS offers full access to a device. This applies unchanged in an MQTT-based ADS network: any client that the broker allows to publish to a device's topics obtains that full access, so the broker's authentication and topic authorization are the effective access control.