---
title: Home router
author: someone
abstract: ![home router](/static/img/homerouter.png)
---

![home router](/static/img/homerouter.png)

This is just a project idea, not (yet) a finished project.

A home router is a computer which manages the Internet uplink for a client and
provides local connectivity. It is reachable from the Internet, so the
software running on a router needs to be hardened against attackers. Attackers
search for flaws in popular routers, because if they can breach their
security, they gain access to a large amount of computing and bandwidth
resources.

The home router provides basic network services for the local network, such as a
domain name service (DNS) caching resolver, dynamic host configuration (DHCP),
wireless (using WPA2 and WPS) networks, wired network connectivity,
communication with the service provider (e.g. using PPP and PPPoE) including
authentication, and a web server for configuration.

Clients are demanding increasing feature sets, including network storage, a voice
over IP (VoIP) endpoint, virtual private network (VPN) integration, and a data
collector and broker for the Internet of Things.

Lots of home routers are currently based on a small Linux distribution, and if a
security issue is discovered in any subsystem, this likely leads to a compromise
of the entire router. Secure update channels may not be available, and even if
they are, the fear that updating may introduce unforeseen behaviour keeps people
from updating their routers.

We would base a router on an off-the-shelf arm64 board on which MirageOS is
already running, using KVM as hypervisor. Each network service would run as a
separate virtual machine. Several services are already available as MirageOS
unikernels, such as a caching DNS resolver, a DHCP server, a firewall with NAT,
an MQTT implementation, a web server, ... A secure update channel, based on TUF,
is currently under development.

The infrastructure for distributing binary updates would be some Linux host
which compiles the above-mentioned unikernels whenever a dependent library is
updated or changes are rolled out to the unikernel code itself.
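
The TUF-based update channel and the build host that produces the images, modelled as a worked example. This is added example code, not part of the project: it assumes a manifest layout (a signed body with version, expiry and per-target length and SHA-256, plus a list of signatures by key id) and uses an HMAC stand-in in place of asymmetric signatures so it runs offline; the target name, key ids and image bytes are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo data, not from the page: two trusted signer keys, threshold 2.
TRUSTED = {"kA": b"key-A-secret", "kB": b"key-B-secret"}
DNS_IMAGE = b"\x7fELF constructed dns-resolver unikernel image"

def canonical(signed: dict) -> bytes:
    # One canonical encoding, so signers and the verifier hash identical bytes.
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()

def sign_stub(key: bytes, body: bytes) -> str:
    # HMAC stand-in for an asymmetric (e.g. Ed25519) signature, so this runs offline.
    return hmac.new(key, body, "sha256").hexdigest()

def hmac_stub(key: bytes, body: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign_stub(key, body), sig)

def make_manifest(version: int, expires: int, signers, image: bytes = DNS_IMAGE) -> dict:
    # Build-host side: pin each unikernel image by length and SHA-256, then sign.
    signed = {"version": version, "expires": expires,
              "targets": {"dns-resolver": {"length": len(image),
                                           "sha256": hashlib.sha256(image).hexdigest()}}}
    body = canonical(signed)
    return {"signed": signed,
            "signatures": [{"keyid": k, "sig": sign_stub(TRUSTED[k], body)} for k in signers]}

def verify_manifest(manifest, trusted, threshold, last_version, now, check_sig) -> list:
    # Router side: returns policy violations; an empty list means the manifest is accepted.
    signed, body, problems = manifest["signed"], canonical(manifest["signed"]), []
    valid = {s["keyid"] for s in manifest["signatures"]
             if s["keyid"] in trusted and check_sig(trusted[s["keyid"]], body, s["sig"])}
    if len(valid) < threshold:  # threshold of distinct trusted keys; duplicates collapse
        problems.append(f"only {len(valid)} of {threshold} required signatures valid")
    if signed["expires"] <= now:  # freshness: a stale manifest cannot be replayed forever
        problems.append("manifest expired")
    if signed["version"] <= last_version:  # rollback protection
        problems.append(f"rollback: version {signed['version']} <= {last_version}")
    return problems

def verify_target(manifest, name: str, image: bytes) -> list:
    # Check the downloaded image against the pinned length and hash before flashing.
    t = manifest["signed"]["targets"].get(name)
    if t is None:
        return [f"{name} not in manifest"]
    checks = {"length mismatch": len(image) != t["length"],
              "sha256 mismatch": hashlib.sha256(image).hexdigest() != t["sha256"]}
    return [msg for msg, failed in checks.items() if failed]
```

Only when both `verify_manifest` and `verify_target` return empty lists would the updater replace the running unikernel image.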

Other required network services which are not yet implemented in OCaml, such as
WPA2 or VoIP, would initially be based on a Linux virtual machine. MirageOS
unikernels and Linux virtual machines can coexist.