[Cryptography] "Home router warning: They're riddled with known flaws and run ancient, unpatched Linux"

D. Hugh Redelmeier hugh at mimosa.com
Sat Jul 11 15:00:24 EDT 2020


| From: Christian Huitema <huitema at huitema.net>

| On 7/10/2020 2:15 PM, Tom Mitchell wrote:

| > No solution is perfect.   All require too much work to configure,
| > backup, audit and maintain.
| 
| Is there a build for the rasp Pi -- or any other hardware -- that is
| specially tuned for this scenario?

I'm not sure what you mean by "for this scenario".

The Raspberry Pi can run OpenWRT, a distro tuned for routers.  Two
wired ethernet interfaces would be useful -- you could use a USB3 to
1G ethernet dongle.

What I use is little PCs with two ethernet interfaces (LAN-facing and
WAN-facing) (more interfaces would sometimes be better). For the last
few years, these have been inexpensive Zotac ZBoxes.  I run stock
Linux distros on them, configured and maintained by me.

I originally used PCs as gateways so that I could run our FreeS/WAN
IPsec implementation on the gateways.  You can get commercial routers
that do IPsec but I don't choose to trust them.

| There are some difficult issues there. The simplest way to do back to
| back router with IPv4 is to do double NAT, which is fine if you want to
| break peer-to-peer applications but not so great if you want to have
| local servers, or make sure audio and video conferences work, etc.

In my area, all the cable modem / router / AP boxes supplied by the
cable company can have all but the modem function turned off.  They
call this "bridge mode", which kind of implies that there is a router
still there but isn't doing anything (the term makes no sense in terms
of modem functionality).

All of the xDSL modem / router / AP boxes that the phone company has
forced on me have supported "bridge mode".

Do the suppliers in your area prevent you using "bridge mode"?  Only
if they do are you forced to double NAT.

| Similarly, you want to be able to distribute IPv6 addresses, and that
| requires either acquiring /64 subnets from the ISP router, or faking
| that with the IPv6 equivalent of proxy ARP. You also want to test and
| configure DNS properly, without falling prey to the ISP's DNS, and also
| without sending all your traffic logs to Google or Cloudflare over DoH.
| Hence the need for a specific project. Is there one already?

I haven't done IPv6 due to laziness.  My cable ISP offers IPv6 subnets
automatically.

I run a recursive DNS server on my gateway.  But my ISP can see the
traffic since it is in the clear.  I don't run PiHole (to blackhole
ad sites) but many do.

All you ask for can be done with a bog standard Linux distro.
Downside: you have to figure it out.

