[Cryptography] "Home router warning: They're riddled with known flaws and run ancient, unpatched Linux"

Jeremy Stanley fungi at yuggoth.org
Sat Jul 11 10:05:41 EDT 2020


On 2020-07-10 21:31:34 -0700 (-0700), Christian Huitema wrote:
[...]
> Is there a build for the rasp Pi -- or any other hardware -- that is
> specially tuned for this scenario?

I don't know how many network interfaces you can cram into a Pi and
still get decent performance, but there are plenty of relatively
inexpensive SBCs out there designed for network applications which
ship with 3+ Ethernet interfaces on-board. You can get radio modules
for them which are well-supported by Linux and *BSDs, and some also
have switch modules available if you need more interfaces than can
reasonably be handled across the system bus.

> There are some difficult issues there. The simplest way to do back to
> back router with IPv4 is to do double NAT, which is fine if you want to
> break peer-to-peer applications but not so great if you want to have
> local servers, or make sure audio and video conferences work, etc.

I'm not sure why that sounds simple, unless you're expecting to have
an operating system on the gateway which can't isolate traffic
between interfaces.

> Similarly, you want to be able to distribute IPv6 addresses, and that
> requires either acquiring /64 subnets from the ISP router, or faking
> that with the IPv6 equivalent of proxy ARP.

For me that's a few lines of configuration for dhcpcd, and enabling
rad on the inside interfaces. Then dhcpcd takes care of requesting
/64 nets for each inside interface from my ISP and then allocating
them so rad can announce them on each of my LANs (I wish they'd get
with the times and let me request a single /56 to carve up, but
honestly at this point I'm just thrilled this ISP has working
DHCPv6-PD at all).

> You also want to test and configure DNS properly, without falling
> prey to the ISP's DNS, and also without sending all your traffic
> logs to Google or Cloudflare over DoH.

With unbound listening as a recursive resolver on the router's
internal interfaces, I can set it in dhcpd and also still override
specific hostnames associated with any systems for which I want to
give static leases (even though it's not authoritative for those
domains).

> Hence the need for a specific project. Is there one already?

Any general-purpose *nix should do if you choose an appropriate
device. If you're looking for one with a fancy Web interface
specific to this purpose, then maybe pfSense, but there are quite a
few like that to choose from really. Perhaps what's actually missing
isn't hardware or software, but some standardized network models,
configuration and wiring diagrams? The "hard" part is teaching basic
networking concepts to the layman; they're going to just want simple
instructions on how and where to connect things.

Then again, this is precisely what a number of the SOHO router
companies are selling, and to get back to the original point, what
they're doing a terrible job of is keeping the software and firmware
updated on their customers' devices. In what ways would this project
succeed where they're failing? Operating system and firmware updates
can go disastrously if you lose power at the wrong moment, and even
"unbrickable" boards still usually need you to open up the case and
plug in an override BIOS to be able to boot far enough to reflash
everything, so automatic updates are likely the hardest part if you
want to avoid leaving someone with no Internet access to even look
up how to recover their Internet access.
-- 
Jeremy Stanley
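The dhcpcd / rad / unbound / dhcpd setup described in the message above, written out as an added configuration example (this is not Jeremy's actual configuration, nor taken from any of those projects' documentation). It assumes an OpenBSD-style router with em0 facing the ISP and em1/em2 as inside LANs, the RFC 1918 ranges 192.168.1.0/24 and 192.168.2.0/24, the hostname printer.example.org with the MAC address shown, and an ISP that delegates /64s; all of those are placeholders.

```conf
# /etc/dhcpcd.conf  (assumed: em0 = ISP side, em1/em2 = inside LANs)
# Run the DHCPv6 client only on the ISP-facing interface, never on the LANs.
allowinterfaces em0
ipv6only
duid
interface em0
  ipv6rs                    # accept the ISP's RAs for the IPv6 default route
  ia_na 1                   # one global address for the router itself
  # One IA_PD per inside interface: each asks the ISP for a /64 and assigns
  # the whole delegated /64 to that interface (sla_id 0, no bits to carve).
  ia_pd 2/::/64 em1/0/64
  ia_pd 3/::/64 em2/0/64
  # If the ISP would hand out a /56, a single request covers both LANs:
  # ia_pd 2/::/56 em1/0/64 em2/1/64

# /etc/rad.conf -- announce whatever prefix dhcpcd placed on each LAN interface
interface em1
interface em2

# /etc/unbound/unbound.conf -- recursive resolver for the inside networks only
server:
  interface: 0.0.0.0
  interface: ::0
  # Default-deny, then allow only loopback and the inside networks. Pair this
  # with a packet-filter rule dropping inbound port 53 on em0.
  access-control: 0.0.0.0/0 refuse
  access-control: ::0/0 refuse
  access-control: 127.0.0.0/8 allow
  access-control: ::1/128 allow
  access-control: 192.168.1.0/24 allow
  access-control: 192.168.2.0/24 allow
  access-control: fe80::/10 allow
  # Override a single hostname in a zone we are NOT authoritative for:
  # "transparent" answers from local-data when a record exists and
  # recurses normally for every other name in the zone.
  local-zone: "example.org." transparent
  local-data: "printer.example.org. IN A 192.168.1.20"
  local-data-ptr: "192.168.1.20 printer.example.org"
  hide-identity: yes
  hide-version: yes
  qname-minimisation: yes

# /etc/dhcpd.conf -- IPv4 leases; advertise the router's own resolver, not the ISP's
subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
  range 192.168.1.100 192.168.1.199;
  host printer {
    # placeholder MAC; the static lease matches the unbound override above
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.168.1.20;
  }
}
```

The two things worth checking after applying something like this: that `unbound-checkconf` accepts the file and that a query for the overridden name from the WAN side is refused rather than answered (the access-control lines, not the bind address, are what enforce that, since the delegated IPv6 addresses on the LAN interfaces change and cannot be bound statically). The IPv6 side of the LAN does not learn the resolver from this fragment; that would need rad's RDNSS option or stateless DHCPv6, which the message does not discuss.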