From: Dave Taht
To: dpreed@reed.com
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Wed, 13 Jun 2012 15:57:32 -0400
Subject: Re: [Cerowrt-devel] making cerowrt chattier
In-Reply-To: <1339616960.68548755@apps.rackspace.com>
References: <4FD7E443.7000304@gmail.com> <4FD7EFC2.4010609@freedesktop.org> <1339554171.637719702@apps.rackspace.com> <4FD7FAEA.80500@freedesktop.org> <1339616960.68548755@apps.rackspace.com>
List-Id: Development issues regarding the cerowrt test router project
My intent was to limit it to the "secure" interfaces only, but on by
default, not running as root, and requiring a username/password to use
regardless.

(I am similarly blocking port 81 and the samba ports to the secure
interfaces on my next attempt at a release)

Other suggestions as to improving security overall - while still
improving end to end connectivity greatly appreciated!

One of the more controversial ideas discussed on this list earlier was
the concept of making the guest network a nearly default free zone, and
allowing advanced protocols such as hip, sctp, etc, through on ipv6 by
default.

On Wed, Jun 13, 2012 at 3:49 PM, wrote:
> Can we clarify what this is to be used for? I assume it will be defaulted
> off.  Not sure I want my router to send messages to people I don't know, or
> be reachable by people I don't know.
>
> Anyway, just a personal reaction.
>
> -----Original Message-----
> From: "Dave Taht"
> Sent: Tuesday, June 12, 2012 11:09pm
> To: "Jim Gettys"
> Cc: dpreed@reed.com, cerowrt-devel@lists.bufferbloat.net
> Subject: Re: [Cerowrt-devel] making cerowrt chattier
>
> On Tue, Jun 12, 2012 at 10:28 PM, Jim Gettys wrote:
>> On 06/12/2012 10:22 PM, dpreed@reed.com wrote:
>>>
>>> I have an awkward worry that the functionality here is expanding to
>>> fill all possible space on the machine, so it is less a router than a
>>> complete "home appliance".
>
> I guess I'm way ahead of you guys, and should have just deployed the
> thing and awaited feedback. The jabber server I have working runs out
> of xinetd (so no memory use when not used), and eats less than 100k of
> ram per invocation. For more details on in.jabberd and related tools
> see:
>
> http://inetdxtra.sourceforge.net/
>
> There is of course an old aphorism that all programs expand until they
> can send mail (which ssmtp can do, btw). While I miss the days where
> email was the one constant in the universe, lacking secure
> authentication and verification as well as direct p2p access in the
> current standards is a real problem that has too many overlapping
> means to solve at the present time.
>
> I miss email direct to my machine. And netnews for that matter.
> (cerowrt has leafnode as an optional package btw), but I wasn't
> planning to solve that problem this year.
>
>>> On a machine that has almost no internal isolation capabilities,
>>> lurking potential alignment bugs whenever the kernel is updated by the
>>> x86 maintainers, vulnerable to the first compromised service, it may
>>> be a bit risky to load on to the system every app except the kitchen
>>> sink.
>
> I am concerned about most embedded appliances (not just routers)
> running nearly every service as root. While cerowrt takes more steps
> than most to remedy this (named is in a jail, the web server doesn't
> run as root, etc), more work is needed on the configuration web server
> among other subsystems. I wish certs weren't such a PITA, for example.
>
>>> My personal bias would be to make a darn good router, and leave the
>>> other stuff entirely out of the picture.
>
> My personal bias is toward making a darn good router that *stays one*
> and better, improves over time, and that is one motivation towards
> making it chattier in some form. Other ideas include adopting a
> hip-like protocol to allow remote access to a user selected
> independent provider of security services.
>
> In the time we've been working on cerowrt (well over a year now) there
> have been over 8 major CVEs to deal with that I can think of off the
> top of my head. Some means of pushing out security updates in
> particular, in a sane manner, is needed, and a little user
> intervention required now and then.
>
>> I mostly agree with you, particularly when it comes to running a chat
>> server.
>>
>> But we've identified a number of situations where having the router be
>> able to inform you of goings ons/events is needed. One other low tech
>> solution is sending email, but you also have a configuration problem
>> then (as you will for a chat service too, of course, unless you run via
>> multicast, and I doubt if anything but a Linux system will receive those
>> without fuss).
>>
>> That's why I sent a pointer to telepathy; it allows you to send messages
>> to a bunch of different back ends, and stays out of the server
>> business.  And it's being used on embedded systems (though I don't know
>> if they go as small as what a typical home router is today).
>>                  - Jim
>
> I will look over telepathy. IRC, as the other major chat standard, would
> be nice to support. As well as bonjour.
>
>
> --
> Dave Täht
> SKYPE: davetaht
> http://ronsravings.blogspot.com/

-- 
Dave Täht
SKYPE: davetaht
http://ronsravings.blogspot.com/
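[Editor's added example.] The opening of this message proposes three controls for the xinetd-launched jabber service: reachable only on the "secure" interfaces, not running as root, and (in a later release) port 81 and the samba ports restricted to those same interfaces. The fragments below show where each of those controls lives. They are illustrative configuration written for this page, not the config that cerowrt ships: the service name, the XMPP client port 5222, the `jabber` account, the `/usr/sbin/in.jabberd` path, the 172.30.42.0/24 "secure" subnet and the OpenWrt firewall zone name `guest` are all assumptions. The username/password requirement is enforced inside the daemon itself and is not something xinetd or the firewall can express.

```conf
# /etc/xinetd.d/jabber  (illustrative; names, port, paths, addresses assumed)
#
# xinetd only forks the daemon when a connection arrives, which is the
# "no memory use when not used" property the message relies on.
service jabber
{
    # The name is not in /etc/services, so the port is given explicitly.
    type            = UNLISTED
    port            = 5222
    socket_type     = stream
    protocol        = tcp
    wait            = no

    # Drop privileges before exec: the listener is root, the daemon is not.
    # The 'jabber' account must exist on the router (assumed).
    user            = jabber
    server          = /usr/sbin/in.jabberd

    # Expose the listener only on the secure side: bind to that interface's
    # address, and additionally refuse any client not in its subnet.
    # Both addresses are assumptions for this example.
    bind            = 172.30.42.1
    only_from       = 172.30.42.0/24

    # Bound the cost of each ~100k invocation under a connection flood.
    instances       = 4
    per_source      = 2
    log_on_failure += HOST

    # On by default, as proposed.
    disable         = no
}

# /etc/config/firewall  (append; zone 'guest' is assumed)
#
# These rules have only a 'src' zone and no 'dest', so OpenWrt applies
# them to traffic addressed to the router itself, which is what keeps
# port 81, the samba ports and the jabber port off the non-secure side.
config rule
    option name      'drop-webconfig-from-guest'
    option src       'guest'
    option proto     'tcp'
    option dest_port '81'
    option target    'DROP'

config rule
    option name      'drop-samba-from-guest'
    option src       'guest'
    option proto     'tcpudp'
    option dest_port '137-139 445'
    option target    'DROP'

config rule
    option name      'drop-jabber-from-guest'
    option src       'guest'
    option proto     'tcp'
    option dest_port '5222'
    option target    'DROP'
```

The xinetd `bind`/`only_from` pair and the firewall rules overlap on purpose: `bind` is what keeps the socket off the guest interface, `only_from` catches spoofed or misrouted sources that still reach the socket, and the firewall rule is the layer that survives if someone later edits the xinetd stanza. After editing, `/etc/init.d/xinetd restart` and `/etc/init.d/firewall restart` (both standard OpenWrt init scripts), then confirm from a guest-side host that connections to 5222 time out rather than being accepted.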