On Mon, 26 Aug 2013 16:12:22 -0400 Phillip Hallam-Baker <[email protected]> wrote:
> I really like RPis as a cryptographic tool. The only thing that
> would make them better is a second Ethernet interface so they could
> be used as a firewall type device.

You can of course use a USB ethernet with them, but to me, they're more a proof of what you can do with a very small bill of materials. If you're designing your own, adding another ethernet (and getting rid of unneeded things like the video adapter) is easy. Custom built hardware will probably be the smartest way to go for an entrepreneur trying to sell these in bulk to people as home gateways anyway -- you want the nice injection molded case, blinkylights and package as well. :)

> The main con is that they are not so fast that you want to be
> routing packets through them unnecessarily. So they are a great
> device to make use of for connection brokering, not such a great
> idea to tunnel video packets through them.

Not sure that's really true for normal home networks. The current average home NAT box is, in fact, a CPU in this class running Linux, so we have proof of concept of them pushing packets fast enough running in millions of homes. The processors in question are also quite cheap, and only getting cheaper and more powerful -- multicore will be universal before long.

> So I would like at minimum such a device to be my DNS + DHCP + PKI
> + NTP configuration service and talk a consistent API to the rest
> of the network.

Not an unreasonable goal -- particular details of what software is running depend on what one's final application mix is.

> Putting a mail server on the system as well would be logical,
> though it would increase complexity and more moving parts on a
> trusted system makes me a little nervous.

Modern Linux systems have pretty good MAC and similar security hardening available. They're a pain in the neck to configure, but if you're handing people firmware, that only has to be done once. It isn't perfect but it is better than what almost anyone has at home now or what they rely on elsewhere.

(I would prefer to see hybrid capability systems in such applications, like Capsicum, though I don't think any such have been ported to Linux and that's a popular platform for such work.)

In the long term, of course, I'd like to see the work in seL4 extended to open source systems, but that's a very long term goal.

-- 
Perry E. Metzger [email protected]
_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
