[KLUG Members] Routing after validating IP address

Chris Hansen chris at tweakerpad.com
Wed Nov 23 05:43:54 EST 2005


I'm sure it goes without saying, but in lieu of contributing anything 
useful I'll say it anyhow.  If your users are savvy enough to detect 
some special QoS to those IPs it stands to reason that they could just 
MAC spoof.  Rather than some kind of authentication measure as a means 
of enforcement maybe you could look at creating separate network segments. 

I'm mostly sure this isn't the direction you want to go, but might make 
the network segmentation idea seem more attractive:

A paper, "Preventing Theft of Quality of Service on Open Platforms" by a 
couple of Dartmouth College students, suggests, among other things, 
enforcement through a kernel module utilizing a shared secret at each 
end point.
http://www.cs.dartmouth.edu/~sws/pubs/bs05.pdf

...And then there's always 
http://www.die.net/doc/linux/man/man8/arptables.8.html



Komal wrote:

>I have several machines which have privileges based on their IP
>address like higher bandwidth, outgoing SMTP, etc. Now it is entirely
>possible that when any of these machines are down (typically at the
>end of the day or early morning), someone in the office can statically
>set their IP address to any of these and enjoy these privileges.
>
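
An added example, not part of the original message or of the paper it links: a check for the situation in the quoted question, comparing resolved ARP entries against the MAC expected for each privileged IP. The bindings, addresses and sample table are constructed assumptions; the table layout follows Linux /proc/net/arp.

```python
"""Flag privileged IPs that answer ARP from an unexpected MAC address."""

# Hypothetical bindings: privileged IP -> MAC of the machine it was assigned to.
EXPECTED = {
    "192.168.1.10": "00:16:3e:aa:bb:01",
    "192.168.1.11": "00:16:3e:aa:bb:02",
}

# Constructed sample in the layout of Linux /proc/net/arp.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:16:3E:AA:BB:01     *        eth0
192.168.1.11     0x1         0x2         00:0c:29:12:34:56     *        eth0
192.168.1.12     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.50     0x1         0x2         00:0c:29:12:34:56     *        eth0
"""

ATF_COM = 0x02  # kernel flag: entry is complete (MAC resolved)


def parse_arp(text):
    """Yield (ip, mac) for every resolved entry; skip header and incomplete rows."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hw, flags, mac = fields[:4]
        if int(flags, 16) & ATF_COM:
            yield ip, mac.lower()


def find_mismatches(text, expected=EXPECTED):
    """Return [(ip, expected_mac, seen_mac, other_ips_of_seen_mac)]."""
    entries = list(parse_arp(text))
    findings = []
    for ip, mac in entries:
        want = expected.get(ip)
        if want and mac != want.lower():
            # Other addresses held by the same MAC help identify the usual machine.
            others = sorted(i for i, m in entries if m == mac and i != ip)
            findings.append((ip, want.lower(), mac, others))
    return findings


if __name__ == "__main__":
    for ip, want, seen, others in find_mismatches(SAMPLE_ARP):
        print(f"{ip}: expected {want}, seen {seen}, same MAC also at {others}")
```

A host that also copies the expected MAC passes this check, which is the limitation the reply raises and the reason it points toward separate network segments.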

