[Cryptography] Using Raspberry Pis
Perry E. Metzger
perry at piermont.com
Mon Aug 26 17:43:08 EDT 2013
On Mon, 26 Aug 2013 16:12:22 -0400 Phillip Hallam-Baker
<hallam at gmail.com> wrote:
> I really like RPis as a cryptographic tool. The only thing that
> would make them better is a second Ethernet interface so they could
> be used as a firewall type device.
You can of course use a USB ethernet with them, but to me, they're
more a proof of what you can do with a very small bill of materials.
If you're designing your own, adding another ethernet (and getting
rid of unneeded things like the video adapter) is easy.
Custom built hardware will probably be the smartest way to go for an
entrepreneur trying to sell these in bulk to people as home gateways
anyway -- you want the nice injection molded case, blinkylights and
package as well. :)
> The main con is that they are not so fast that you want to be
> routing packets through them unnecessarily. So they are a great
> device to make use of for connection brokering, not such a great
> idea to tunnel video packets through them.
Not sure that's really true for normal home networks. The current
average home NAT box is, in fact, a CPU in this class running Linux,
so we have proof of concept of them pushing packets fast enough
running in millions of homes. The processors in question are also
quite cheap, and only getting cheaper and more powerful -- multicore
will be universal before long.
> So I would like at minimum such a device to be my DNS + DHCP + PKI
> + NTP configuration service and talk a consistent API to the rest
> of the network.
Not an unreasonable goal -- particular details of what software is
running depend on what one's final application mix is.
> Putting a mail server on the system as well would be logical,
> though it would increase complexity and more moving parts on a
> trusted system makes me a little nervous.
Modern Linux systems have pretty good MAC and similar security
hardening available. They're a pain in the neck to configure, but if
you're handing people firmware, that only has to be done once. It
isn't perfect but it is better than what almost anyone has at home
now or what they rely on elsewhere.
(I would prefer to see hybrid capability systems in such
applications, like Capsicum, though I don't think any such have been
ported to Linux and that's a popular platform for such work.)
In the long term, of course, I'd like to see the work in seL4
extended to open source systems, but that's a very long term goal.
--
Perry E. Metzger perry at piermont.com
More information about the cryptography
mailing list