homepage-data/Projects/HomeRouter
2017-09-17 22:20:37 +01:00

---
title: Home router
abstract: ![home router](/static/img/homerouter.png)
---
![home router](/static/img/homerouter.png)
This is just a project idea, not (yet) a finished project.
A home router is a computer which manages the Internet uplink for a client and
provides local connectivity. It is reachable from the Internet, so the software
running on it needs to be hardened against attackers. Attackers search for flaws
in popular routers because, if they can breach their security, they gain access
to a large amount of computing and bandwidth resources.
The home router provides basic network services for the local network: a domain
name service (DNS) caching resolver, dynamic host configuration (DHCP), wireless
networks (using WPA2 and WPS), wired network connectivity, communication with the
service provider (e.g. using PPP and PPPoE) including authentication, and a web
server for configuration.
Clients are demanding ever larger feature sets, including network storage, a
voice over IP (VoIP) endpoint, virtual private network (VPN) integration, and a
data collector and broker for the Internet of Things.
Lots of home routers are currently based on a small Linux distribution, and if a
security issue is discovered in any subsystem, this likely leads to a compromise
of the entire router. Secure update channels may not be available, and even where
they are, the fear that an update may introduce unforeseen behaviour keeps people
from updating their routers.
We would base a router on an off-the-shelf arm64 board on which MirageOS already
runs, using KVM as the hypervisor. Each network service would run as a separate
virtual machine. Several services are already available as MirageOS unikernels,
such as a caching DNS resolver, a DHCP server, a firewall with NAT, an MQTT
implementation, a web server, ... A secure update channel, based on TUF, is
currently under development.
The infrastructure for distributing binary updates would be a Linux host which
compiles the above-mentioned unikernels whenever a dependent library is updated
or changes are rolled out to the unikernel code itself.
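The following is an added illustration, not code from this project or from the TUF implementation mentioned above, of the checks a router would perform on a downloaded unikernel image so that an insecure or untrustworthy update channel cannot become the compromise path described earlier. It reduces TUF to a single signed manifest (real TUF uses several signed roles and threshold signatures); the manifest fields, the `SignManifest`/`VerifyUpdate` functions and the sample image bytes are all assumptions made for the example. The ordering of the checks is the point: authenticate the manifest with a pinned public key first, reject stale or replayed (rolled-back) manifests next, and only then hash the large image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest describes one unikernel image offered by the build host.
// Hypothetical, TUF-inspired format used only for this example.
type Manifest struct {
	Name    string `json:"name"`
	Version uint64 `json:"version"` // monotonically increasing; protects against rollback
	SHA256  string `json:"sha256"`  // hex digest of the image bytes
	Expires int64  `json:"expires"` // unix time; stale manifests are rejected
}

// SignedManifest carries the exact bytes that were signed, so the router
// verifies what the signer saw rather than a re-serialisation of it.
type SignedManifest struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrExpired      = errors.New("manifest expired")
	ErrRollback     = errors.New("manifest version not newer than installed")
	ErrHashMismatch = errors.New("image hash does not match manifest")
)

// SignManifest is the build host's side: sign the manifest after compiling.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyUpdate is the router's side: decide whether a downloaded image may boot.
func VerifyUpdate(pub ed25519.PublicKey, sm SignedManifest, image []byte, installed uint64, now time.Time) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, sm.Payload, sm.Signature) {
		return m, ErrBadSignature // authenticate before trusting any field
	}
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return m, err
	}
	if now.Unix() >= m.Expires {
		return m, ErrExpired // an attacker holding back updates cannot serve this forever
	}
	if m.Version <= installed {
		return m, ErrRollback // replaying an older, signed manifest is rejected
	}
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, ErrHashMismatch // image swapped or corrupted in transit
	}
	return m, nil
}

// Demo exercises the verifier on constructed data and returns the outcome of
// each case: valid update, tampered image, rollback, wrong key, expired manifest.
func Demo() []error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // router pins pub
	if err != nil {
		panic(err)
	}
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	image := []byte("constructed stand-in for a dns-resolver unikernel image")
	sum := sha256.Sum256(image)
	now := time.Unix(1505680000, 0) // fixed clock so the run is reproducible
	good := Manifest{Name: "dns-resolver", Version: 7, SHA256: hex.EncodeToString(sum[:]), Expires: now.Add(24 * time.Hour).Unix()}
	stale := good
	stale.Expires = now.Unix() - 1

	signed, _ := SignManifest(priv, good)
	forged, _ := SignManifest(attackerPriv, good)
	expired, _ := SignManifest(priv, stale)

	var results []error
	_, err = VerifyUpdate(pub, signed, image, 6, now) // installed 6 -> 7 is fine
	results = append(results, err)
	_, err = VerifyUpdate(pub, signed, append([]byte("x"), image...), 6, now)
	results = append(results, err)
	_, err = VerifyUpdate(pub, signed, image, 7, now) // already on 7
	results = append(results, err)
	_, err = VerifyUpdate(pub, forged, image, 6, now)
	results = append(results, err)
	_, err = VerifyUpdate(pub, expired, image, 6, now)
	results = append(results, err)
	return results
}

func main() {
	for i, err := range Demo() {
		fmt.Printf("case %d: %v\n", i+1, err)
	}
}
```

Running `go run .` prints `<nil>` for the first case and the four distinct rejection reasons for the others. The router only needs the public key; the signing key stays on the build host, which is what makes the binary-update infrastructure a trust root worth protecting.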
Other required network services which are not yet implemented in OCaml, such as
WPA2 or VoIP, would initially be based on a Linux virtual machine. MirageOS
unikernels and Linux virtual machines can coexist.