[Cryptography] "Home router warning: They're riddled with known flaws and run ancient, unpatched Linux"

Christian Huitema huitema at huitema.net
Sat Jul 11 00:31:34 EDT 2020


On 7/10/2020 2:15 PM, Tom Mitchell wrote:
> On Thu, Jul 9, 2020 at 3:17 PM Henry Baker <hbaker1 at pipeline.com> wrote:
>> (snip)
> .......
>> So here's my suggestion:
>>
>> * cable modem with 10-12 year-old never-updated Linux connected via Ethernet;
>>   disable wifi HW on this device (or better: buy a cable modem w/o wifi at all)
>> * Raspberry Pi 4 acting as NAT/router/DoH DNS/... connected via Ethernet
> I like the Pi-4 a lot.
>
> For about the same money look at the
>   Ubiquiti Advanced Gigabit Ethernet Router -- MIPS based with some
> hardware help for packet moving.  Yes, Linux. Yes, bug history.
>
> Wifi transmitters and receivers can be sourced and upgraded on their
> own time scale.
>
> Those that can should have wired links in their home or office.
>
> No solution is perfect.   All require too much work to configure,
> backup, audit and maintain.

Is there a build for the rasp Pi -- or any other hardware -- that is
specially tuned for this scenario?

There are some difficult issues there. The simplest way to do back-to-back
routers with IPv4 is to do double NAT, which is fine if you want to
break peer-to-peer applications but not so great if you want to have
local servers, or make sure audio and video conferences work, etc.
Similarly, you want to be able to distribute IPv6 addresses, and that
requires either acquiring /64 subnets from the ISP router, or faking
that with the IPv6 equivalent of proxy ARP. You also want to test and
configure DNS properly, without falling prey to the ISP's DNS, and also
without sending all your traffic logs to Google or Cloudflare over DoH.
Hence the need for a specific project. Is there one already?

-- Christian Huitema
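
The three concerns raised in the message above (double NAT, whether a /64 is available for the LAN, and who ends up seeing DNS queries) can be checked before an inner router goes into service. The sketch below is an added example, not part of the original post or of any project it mentions; the function names and the sample addresses are hypothetical and constructed.

```python
import ipaddress

# WAN addresses in these ranges mean another NAT sits upstream of this router.
UPSTREAM_NAT_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private space
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
)]
# Well-known public resolver addresses run by Google and Cloudflare.
THIRD_PARTY_DNS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}


def check_double_nat(wan_ipv4):
    """True if the inner router's WAN address is itself behind a NAT."""
    addr = ipaddress.ip_address(wan_ipv4)
    return any(addr in net for net in UPSTREAM_NAT_NETS)


def plan_ipv6(delegated_prefix):
    """Decide how the LAN can get IPv6 from the upstream delegation (or None)."""
    if delegated_prefix is None:
        # Nothing delegated: the LAN must share the upstream /64 via ND proxy.
        return {"mode": "nd-proxy", "lan_prefix": None, "available_64s": 0}
    net = ipaddress.ip_network(delegated_prefix)
    if net.version != 6 or net.prefixlen > 64:
        # SLAAC on the LAN needs a full /64; anything longer cannot be used.
        return {"mode": "unusable", "lan_prefix": None, "available_64s": 0}
    first = next(net.subnets(new_prefix=64))  # first /64 inside the delegation
    return {"mode": "routed", "lan_prefix": str(first),
            "available_64s": 2 ** (64 - net.prefixlen)}


def classify_resolver(resolver, wan_gateway):
    """Say which party receives the query log for a configured upstream resolver."""
    if ipaddress.ip_address(resolver).is_loopback:
        return "local"          # a resolver running on the router itself
    if resolver == wan_gateway:
        return "isp-router"     # queries are handed to the ISP's box
    if resolver in THIRD_PARTY_DNS:
        return "third-party"    # queries go to Google or Cloudflare
    return "other"


if __name__ == "__main__":
    # Constructed sample values (private and documentation ranges), not measurements.
    print(check_double_nat("192.168.1.2"))
    print(plan_ipv6("2001:db8:1200::/56"))
    print(classify_resolver("1.1.1.1", "192.168.1.1"))
```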

