New routing features in Go's net/http in 1.22

Go's net/http gained more convenient pattern matching in 1.22: "Routing Enhancements for Go 1.22".

Using the official example, path parameters can now be handled directly in the pattern:

http.Handle("GET /posts/{id}", handlePost2)

The value can then be read back with PathValue():

idString := req.PathValue("id")

Precedence is defined by how specific a pattern is:

The precedence rule is simple: the most specific pattern wins. This rule matches our intuition that posts/latest should be preferred to posts/{id}, and /users/{u}/posts/latest should be preferred to /users/{u}/posts/{id}. It also makes sense for methods. For example, GET /posts/{id} takes precedence over /posts/{id} because the first only matches GET and HEAD requests, while the second matches requests with any method.

But when an overlapping rule is added whose relative specificity cannot be decided, registration simply panic()s, so the conflict shows up when the routes are registered rather than as silent misrouting at request time:

What if two patterns overlap but neither is more specific? For example, /posts/{id} and /{resource}/latest both match /posts/latest. There is no obvious answer to which takes precedence, so we consider these patterns to conflict with each other. Registering both of them (in either order!) will panic.

That's certainly one way to do it... and it leaves room for a later fix: if a good rule is found, the panic() logic can be replaced with whatever new consensus emerges.
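To show the three behaviours above in one place (a method-prefixed pattern with an {id} wildcard read back via PathValue(), most-specific-wins precedence, and the registration-time panic on an ambiguous overlap), here is an added example in Go. It is not code from the Go blog post or from this page; the handlers, the request paths and the net/http/httptest wiring are my own choices, and the conflicting pair is the one the quoted text uses. It needs Go 1.22 or later.

```go
// The go:debug line forces the 1.22 mux even if go.mod names an older
// Go version (on Go 1.22+ the new patterns are otherwise disabled for
// modules that declare go < 1.22).
//go:debug httpmuxgo121=0

package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newMux registers three overlapping but unambiguous patterns using the
// Go 1.22 syntax: an optional method, then a path with {name} wildcards.
func newMux() *http.ServeMux {
	mux := http.NewServeMux()

	// "GET /posts/{id}" only matches GET and HEAD; {id} is read via PathValue.
	mux.HandleFunc("GET /posts/{id}", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "post %s", r.PathValue("id"))
	})

	// A literal segment is more specific than a wildcard, so this wins over
	// "GET /posts/{id}" for /posts/latest without any conflict.
	mux.HandleFunc("GET /posts/latest", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "latest post")
	})

	// No method prefix: matches every method, hence less specific than the
	// GET pattern above; effectively the handler for non-GET methods.
	mux.HandleFunc("/posts/{id}", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "%s post %s", r.Method, r.PathValue("id"))
	})
	return mux
}

// route dispatches one request through mux and returns status and body.
func route(mux *http.ServeMux, method, path string) (int, string) {
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code, rec.Body.String()
}

// registerConflicting registers the two patterns from the quoted text;
// neither is more specific for /posts/latest, so the second registration
// panics. The recovered message is returned ("" if there was no panic).
// In a real program you want this panic to abort startup, not be swallowed.
func registerConflicting() (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	mux := http.NewServeMux()
	mux.HandleFunc("/posts/{id}", func(http.ResponseWriter, *http.Request) {})
	mux.HandleFunc("/{resource}/latest", func(http.ResponseWriter, *http.Request) {})
	return ""
}

func main() {
	mux := newMux()
	for _, c := range [][2]string{
		{"GET", "/posts/42"}, {"GET", "/posts/latest"}, {"DELETE", "/posts/42"},
	} {
		code, body := route(mux, c[0], c[1])
		fmt.Printf("%-6s %-13s -> %d %q\n", c[0], c[1], code, body)
	}
	fmt.Println("conflict:", registerConflicting())
}
```

One thing worth keeping in mind from the DELETE case: a pattern without a method prefix is not a fallback for "other" methods only, it is reachable by every method that a more specific pattern does not claim, so if the GET handler is the only one with an authorization check, the method-less one still needs its own.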

PPPoE on Ubuntu: getting an IPv6 address but no IPv6 connectivity

Getting an IPv6 address over PPPoE on Ubuntu is not a big deal; a quick search turns it up. Append this to the end of /etc/ppp/options (or add it to the file for the specific peer under /etc/ppp/peers/):

+ipv6 ipv6cp-use-ipaddr

The problem I ran into was that ppp0 did get an IPv6 address (visible in ip addr or ifconfig), but mtr -6 www.google.com went nowhere.

While digging, I found that netstat -6rn showed two IPv6 default gateways; deleting the one on enp3s0 fixed it immediately. So it was a routing problem: the LAN side was receiving a default route, and that route had a higher priority (lower metric) than the one from ppp0.

Since this machine runs Netplan, I used Netplan to stop the LAN interface from accepting Router Advertisements (RA):

network:
    version: 2
    renderer: networkd
    ethernets:
        enp3s0:
            accept-ra: false

After a reboot to confirm, it worked...
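As an added example (not from the original post), here is the same diagnosis done in Go instead of by eyeballing netstat -6rn: it parses the output of `ip -6 route show default`, reports which default route actually wins by metric, and lists the ones learned from Router Advertisements, which are exactly the routes that `accept-ra: false` on that interface makes go away. The embedded sample output is constructed to look like the situation above (an RA-learned default on enp3s0 with a lower metric than the PPPoE default on ppp0); the fe80::1 gateway and the metric values are made up.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleRoutes is constructed text in the shape of `ip -6 route show default`
// on the box described above. It is a made-up sample, not a capture from the
// original machine.
const sampleRoutes = `default via fe80::1 dev enp3s0 proto ra metric 100 expires 1787sec pref medium
default dev ppp0 proto kernel metric 1024 pref medium
`

// v6Default is one IPv6 default route as printed by iproute2.
type v6Default struct {
	Dev    string // outgoing interface
	Proto  string // "ra" = learned from a Router Advertisement; "kernel", "static", ...
	Metric int    // lower wins when several default routes coexist
}

// parseV6Defaults turns every "default ..." line into a v6Default. Tokens we
// do not care about (via <gw>, expires <t>, pref <p>) are skipped because the
// switch only consumes the keys it knows.
func parseV6Defaults(out string) []v6Default {
	var routes []v6Default
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || f[0] != "default" {
			continue
		}
		r := v6Default{Metric: 1024} // iproute2's usual IPv6 default metric
		for i := 1; i+1 < len(f); i++ {
			switch f[i] {
			case "dev":
				r.Dev = f[i+1]
			case "proto":
				r.Proto = f[i+1]
			case "metric":
				if m, err := strconv.Atoi(f[i+1]); err == nil {
					r.Metric = m
				}
			}
		}
		routes = append(routes, r)
	}
	return routes
}

// preferred returns the default route the kernel will actually use: the
// lowest metric, first one on ties (matching the order ip prints them).
func preferred(routes []v6Default) (v6Default, bool) {
	if len(routes) == 0 {
		return v6Default{}, false
	}
	best := routes[0]
	for _, r := range routes[1:] {
		if r.Metric < best.Metric {
			best = r
		}
	}
	return best, true
}

// raLearned returns the default routes that came from Router Advertisements;
// these disappear once accept-ra is switched off on their interface.
func raLearned(routes []v6Default) []v6Default {
	var ra []v6Default
	for _, r := range routes {
		if r.Proto == "ra" {
			ra = append(ra, r)
		}
	}
	return ra
}

func main() {
	// On a real host feed in the live output instead of the sample, e.g.
	//   out, _ := exec.Command("ip", "-6", "route", "show", "default").Output()
	routes := parseV6Defaults(sampleRoutes)
	for _, r := range routes {
		fmt.Printf("default via %-7s proto %-7s metric %d\n", r.Dev, r.Proto, r.Metric)
	}
	if p, ok := preferred(routes); ok && p.Dev != "ppp0" {
		fmt.Printf("IPv6 traffic leaves via %s, not ppp0\n", p.Dev)
	}
	for _, r := range raLearned(routes) {
		fmt.Printf("RA-learned default on %s: set accept-ra: false for it in Netplan "+
			"(or sysctl net.ipv6.conf.%s.accept_ra=0)\n", r.Dev, r.Dev)
	}
}
```

The sysctl named in the last message is the kernel knob Netplan's `accept-ra: false` ends up setting; checking it directly is a quick way to confirm the Netplan change was actually applied after the reboot.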

25Gbps home Internet

Saw "25 Gigabit Linux internet router PC build" on Hacker News Daily; the Hacker News discussion is at "25 Gigabit Linux internet router PC build (stapelberg.ch)". The article is about building a 25Gbps router out of a PC, but the discussion is mostly about other things...

Starting with the service itself: it's "Fiber7-X2" from the Swiss ISP Init7, roughly NTD$2100/month when paid monthly. Turning on nerd mode shows the details: you get a non-CGNAT dynamic IPv4 address and a static IPv6 /48:

The IPv4 address is part of our AS13030 backbone - not a Carrier-Grade-NAT address like with other providers. A fixed IPv4 or a /29 subnet are available for an additional charge. A static IPv6 /48 network is included free of charge. The addressing is done via DHCPv6-PD prefix delegation. Optimal ping times, transparent routing and an open peering policy make Fiber7 the kind of internet offer there always should have been.

The FAQ also gives the price of a static IPv4 address: "Can I get static IPv4 addresses?"; one IPv4 address is about NTD$7200/year.

From "Recommended hardware" it looks like no router is provided; users bring their own router and connect it directly. The spec for the 25Gbps Fiber7-X2 is:

Fiber7-X2: 25G SFP28 BIDI LR, 10 km, TX1270/RX1330 nm, LC-Simplex, Singlemode

Among the hardware the ISP recommends, the only device supporting Fiber7-X2 is the MikroTik CCR2004-1G-12S+2XS, and it only does 15Gbps:

throughput: up to 15 Gbit/sec

No wonder the author wanted to build his own router...

I also looked up PCI Express bandwidth: PCIe 3.0 x2 tops out at 1.97GB/s, which is only about 15.8Gbit/s, so it falls short of 25Gbps (x4, at roughly twice that, is the minimum). The author used a PCIe 3.0 x8 Intel XXV710AM2, which has plenty of headroom.

The whole build looks fine; a luxurious problem to have XD

A dual Gigabit Ethernet carrier board for the RPi CM4

Saw "Dual Gigabit Ethernet Carrier Board for Raspberry Pi Compute Module 4", a carrier board that a Raspberry Pi Compute Module 4 plugs into.

The board has two Gigabit Ethernet (1Gbps) ports and two USB 3.0 ports:

Everyone thought of the same uses: it can serve as a router, and with USB you can attach a disk and use it as a simple NAS:

The Dual Gigabit Carrier Board powered by Raspberry Pi Compute Module 4 is equipped with Dual Gigabit Ethernet ports and dual USB 3.0 ports, making it suitable for soft router applications, while keeping the hardware to minimal.

Wireless is up to you though: pick the CM4 variant with wireless when buying, since the carrier board doesn't handle that.

Looking around, there were boards with two network ports for the CM3 (not the CM3+) before, but those were two Fast Ethernet (100Mbps) ports: "Compulab IOT-GATE-RPi Industrial IoT Computer is Powered by Raspberry Pi CM3 Module".

No idea how this board performs as a software router, but purely on playability it looks like an interesting thing?

Trail Router, a route-planning service

An interesting service seen on Hacker News Daily: give it a start point, an end point and the distance you want, and it draws a route of roughly that length, useful for joggers or cyclists planning a course: "Trail Router".

And I discovered there's a YouBike station right across from the office... XD

The author answered questions on Hacker News; see the discussion page for the responses: "Show HN: Trail Router – generate running routes that prefer greenery and nature (trailrouter.com)".

Also worth noting: the service uses Mapbox map data (OpenStreetMap-based), and the rendering of the Taipei area has gone well past the "barely usable" level of the past. If I need maps in the future this is an option, so there's no need to be tied to Google Maps...

D-Link sued by the US Federal Trade Commission over insecure routers and IP cameras

The FTC sued D-Link because the security of its products did not match its claims: "FTC sues D-Link over router and camera security flaws".

D-Link claimed its routers were “EASY TO SECURE” with “ADVANCED NETWORK SECURITY,” but the FTC says the company failed to protect its routers and cameras from widely known and reasonably foreseeable risks.

The complaint also says security gaps could allow hackers to watch and record people on their D-Link cameras without their knowledge, target them for theft, or record private conversations.

The Linksys WRT54GL

A few days ago I was chatting with a colleague about flashing Android, and I happened to see a piece on this legendary wireless router, the Linksys WRT54GL: "The WRT54GL: A 54Mbps router from 2005 still makes millions for Linksys". It was the first model widely used as a base for all kinds of custom builds.

(Image: "File:Linksys WRT54G.jpg", from Wikipedia)

It has been on sale since 2005 and is still selling in 2016, even though its wireless standard is ancient and it costs quite a bit more than other routers:

Witness the Linksys WRT54GL, the famous wireless router that came out in 2005 and is still for sale. At first glance, there seems to be little reason to buy the WRT54GL in the year 2016. It uses the 802.11g Wi-Fi standard, which has been surpassed by 802.11n and 802.11ac. It delivers data over the crowded 2.4GHz frequency band and is limited to speeds of 54Mbps. You can buy a new router—for less money—and get the benefit of modern standards, expansion into the 5GHz band, and data rates more than 20 times higher.

And it doesn't just sell, it sells well:

Despite all that, people still buy the WRT54GL in large enough numbers that Linksys continues to earn millions of dollars per year selling an 11-year-old product without ever changing its specs or design.

The volume is big enough that Broadcom keeps supplying parts, and the product manager admits he doesn't get it:

"To be honest, it somewhat baffles my mind," Linksys Global Product Manager Vince La Duca told Ars. But production won't stop any time soon as long as Linksys' suppliers, including chipmaker Broadcom, keep selling the parts needed to build the WRT54GL. "We'll keep building it because people keep buying it," La Duca said.

All I can say is: good luck, dear buyers...

Cisco releases a tool to detect the implanted backdoor

A few days ago in "A backdoor implanted in Cisco routers" I mentioned the backdoor implanted in Cisco routers; just now on Zite I saw that Cisco has released a checking tool: "Cisco released a tool to scan for SYNful_Knock implants".

The program is written in Python and can be obtained from "Talos Intel - Synful Knock Scanner", but that site is not served over HTTPS and the hash it publishes carries no PGP signature, so there is nothing to anchor trust on...

Looking for official Cisco information, "SYNful Knock Scanner" also publishes the hash; compare the download against the value there, which is the best verification that can be done right now.

A backdoor implanted in Cisco routers

FireEye published a piece on a backdoor found implanted in Cisco routers: "SYNful Knock - A Cisco router implant - Part I".

The implanted routers were found spread across four countries:

Mandiant can confirm the existence of at least 14 such router implants spread across four different countries: Ukraine, Philippines, Mexico, and India.

These models were involved:

  • Cisco 1841 router
  • Cisco 2811 router
  • Cisco 3825 router

The backdoor is activated with specially crafted packets:

SYNful Knock is a stealthy modification of the router's firmware image that can be used to maintain persistence within a victim's network. It is customizable and modular in nature and thus can be updated once implanted. Even the presence of the backdoor can be difficult to detect as it uses non-standard packets as a form of pseudo-authentication.

The key change is that the memory protection in the TLB is switched off (every entry becomes RW):

The malware forces all TLB Read and Write attributes to be Read-Write (RW). We believe this change is made to support the hooking of IOS functions by loaded modules.

The post also points to a Cisco article on how to dump the image for analysis: "Offline Analysis of IOS Image Integrity".

Cisco ships hardware to forwarding addresses to make it harder for the NSA to intercept it and implant backdoors

Seen in "To Avoid NSA Interception, Cisco Will Ship To Decoy Addresses", which is based on "Cisco posts kit to empty houses to dodge NSA chop shops".

Documents leaked by Snowden last year showed that the NSA intercepts Cisco hardware, installs backdoors on it, then repackages and ships it on: "Greenwald alleges NSA tampers with routers to plant backdoors":

"The NSA routinely receives – or intercepts – routers, servers and other computer network devices being exported from the US before they are delivered to the international customers."

The agency then implants backdoor surveillance tools, repackages the devices with a factory seal and sends them on. The NSA thus gains access to entire networks and all their users.

Cisco's response was slow though: the news came out in May last year, and only now is a mitigation being offered.

The mitigation is to ship to a drop-off location and have someone collect it from there, raising the cost for the NSA and similar agencies to intercept the shipment.