[NNagain] upgrading old routers to modern, secure FOSS

Jack Haverty jack at 3kitty.org
Mon Oct 23 14:53:09 EDT 2023


On 10/23/23 10:58, Dave Taht via Nnagain wrote:
> I wish that the city-dwellers of BEAD so in love with fiber would 
> insert 70ms of rural delay into all their testing.
FYI, in case someone wants to pursue such real-world testing....

When we were testing TCP/IP software about 40 years ago there was a 
similar problem of how to do tests in a lab which realistically 
simulated real-world conditions.   We created a software tool called 
"Flakeway" which enabled traffic flows to be delayed, duplicated, 
re-ordered, deleted or mangled.   That enabled realistic testing even 
when the machines being tested were all in a lab connected to the same LAN.

That software is long gone, but might be easily rewritten today.  It was 
literally a weekend hack.   Here's how it worked.

The basic design took advantage of a "feature" of the IP protocols. When 
an IP datagram is to be sent to another computer on the same Ethernet, 
the IP address isn't big enough to encode the Ethernet address.  So the 
ARP mechanism is used to get the appropriate mapping between an IP 
address and the required Ethernet address for the destination host.  The 
sender issues an ARP request that says "Where is IP address x.x.x.x"?  
The computer which is configured as that IP address responds with "It's 
me, and my Ethernet address is xx:xx:xx:xx:xx:xx"

When the Flakeway, running on some other computer on the same LAN, saw 
such an ARP exchange for a traffic flow it was supposed to manipulate, 
it would immediately send its own ARP response, saying "No, it's me, 
and my Ethernet address is..."

We discovered that most computers simply believed the latest ARP 
information they received.   So it was easy for the Flakeway to insert 
itself into any IP traffic flow and do its work, without any changes to 
software in any other computer.  It was handy not only for testing but 
also for diagnosing all sorts of problems, simply capturing the traffic 
flows for later analysis (similar to wireshark).

That was all done in the IPv4 world, 40+ years ago, so I'm not sure how 
it might relate to today's Internet.   We reported this "feature" to 
IETF and some IEEE 802.x committee as a likely vulnerability, but I'm 
not sure if anything changed.

But something similar might be possible in today's world to improve 
real-world testing?

Jack Haverty
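The post explains the weakness Flakeway relied on: a host on the LAN accepts whichever ARP reply arrives last, so a second reply claiming the same IP address silently redirects the flow. The following is an added example (not Jack Haverty's Flakeway code, and not part of the original message) showing the defender's side of that exchange: a small ARP-over-Ethernet parser and a monitor that tracks which MAC address each IP has claimed and reports when the claim changes. The MAC and IP addresses, and the three frames replayed in `demo()`, are constructed for the example.

```python
"""Added example: parse raw Ethernet/ARP frames and flag an IP address whose
claimed MAC changes between replies, the condition the post describes.
All addresses and frames below are constructed sample data."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame: bytes):
    """Parse an Ethernet II frame carrying ARP for IPv4.

    Returns a dict (opcode, sender/target MAC and IP) or None when the frame
    is too short, is not ARP, or is not the Ethernet/IPv4 address pair."""
    if len(frame) < 14 + 28:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    (htype, ptype, hlen, plen, oper,
     sha, spa, tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "op": oper,
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Construct an Ethernet/ARP frame; used here only to make sample input."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = struct.pack("!6s6sH", dst, mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


class ArpMonitor:
    """Records the MAC each IP claims in ARP replies and reports any change.

    A host's cache would just overwrite the entry ("latest wins"); the monitor
    keeps the same table but raises an alert before doing so."""

    def __init__(self):
        self.table = {}   # ip -> mac most recently claimed in a reply
        self.alerts = []  # human-readable records of claim changes

    def observe(self, frame: bytes):
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        prev = self.table.get(ip)
        alert = None
        if prev is not None and prev != mac:
            alert = f"{ip} moved from {prev} to {mac}"
            self.alerts.append(alert)
        self.table[ip] = mac
        return alert


def demo():
    """Replay the exchange from the post on the monitor: a request from
    10.0.0.1, the true owner's reply for 10.0.0.2, then a second reply for
    10.0.0.2 from a different MAC. Returns the alerts raised."""
    mon = ArpMonitor()
    frames = [
        build_arp(ARP_REQUEST, "02:00:00:00:00:01", "10.0.0.1",
                  "00:00:00:00:00:00", "10.0.0.2"),
        build_arp(ARP_REPLY, "02:00:00:00:00:02", "10.0.0.2",
                  "02:00:00:00:00:01", "10.0.0.1"),
        build_arp(ARP_REPLY, "02:00:00:00:00:99", "10.0.0.2",
                  "02:00:00:00:00:01", "10.0.0.1"),
    ]
    for f in frames:
        mon.observe(f)
    return mon.alerts


if __name__ == "__main__":
    for a in demo():
        print("ALERT:", a)
```

On a live network the same `ArpMonitor.observe()` would be fed frames from a raw socket or a pcap file rather than `build_arp()`. A claim change is a strong signal but not proof of spoofing (a failed-over or re-imaged host legitimately changes MAC), so in practice the alert is correlated with DHCP leases or a known-hosts list; the switch-side mitigation for the behaviour the post reports is static ARP entries or Dynamic ARP Inspection, which drops replies that disagree with the DHCP snooping table.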