[KLUG Members] Routing after validating IP address
Chris Hansen
chris at tweakerpad.com
Wed Nov 23 05:43:54 EST 2005
I'm sure it goes without saying, but in lieu of contributing anything
useful I'll say it anyhow. If your users are savvy enough to detect
some special QoS to those IPs it stands to reason that they could just
MAC spoof. Rather than some kind of authentication measure as a means
of enforcement maybe you could look at creating separate network segments.
I'm mostly sure this isn't the direction you want to go, but might make
the network segmentation idea seem more attractive:
A paper, "Preventing Theft of Quality of Service on Open Platforms" by a
couple Dartmouth College students suggests, among other things,
enforcement through a kernel module utilizing a shared secret at each
end point.
http://www.cs.dartmouth.edu/~sws/pubs/bs05.pdf
...And then there's always
http://www.die.net/doc/linux/man/man8/arptables.8.html
Komal wrote:
>I have several machines which have privileges based on their IP
>address like higher bandwidth, outgoing SMTP, etc. Now it is entirely
>possible, that when any of these machines are down (typically at the
>end of the day or early morning), someone in the office can statically
>set their IP address to any of these and enjoy these privileges.
>
>
>
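Added example, not part of the original post or the quoted message: a Python audit of `ip neigh show` output against the expected IP-to-MAC binding of each privileged address, flagging a privileged IP that is answered by a different MAC. The addresses, the EXPECTED table and the sample lines are constructed assumptions; as the reply points out, a spoofed MAC passes this check, so it only detects casual static-IP reuse and enforces nothing.

```python
# Added example: audit a neighbour (ARP) table against the expected
# IP-to-MAC bindings of the privileged hosts. All addresses are constructed.
import re

# Assumption: the admin keeps a list of privileged IPs and the MAC each should use.
EXPECTED = {
    "192.168.1.10": "00:16:3e:aa:bb:01",   # e.g. host allowed outgoing SMTP
    "192.168.1.11": "00:16:3e:aa:bb:02",   # e.g. host with higher bandwidth
}

# Constructed sample in the format printed by `ip neigh show`.
SAMPLE = """\
192.168.1.10 dev eth0 lladdr 00:16:3e:aa:bb:01 REACHABLE
192.168.1.11 dev eth0 lladdr 00:16:3E:CC:DD:07 STALE
192.168.1.57 dev eth0 lladdr 00:16:3e:cc:dd:07 REACHABLE
192.168.1.99 dev eth0  FAILED
"""

LINE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9A-Fa-f:]{17}) (\S+)$")

def parse_neigh(text):
    """Yield (ip, mac) for entries that carry a link-layer address."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # entries without lladdr (FAILED/INCOMPLETE) are skipped
            yield m.group(1), m.group(3).lower()

def audit(text, expected=EXPECTED):
    """Return findings for privileged IPs seen on a MAC other than the expected one."""
    findings = []
    ips_by_mac = {}
    for ip, mac in parse_neigh(text):
        ips_by_mac.setdefault(mac, set()).add(ip)
        want = expected.get(ip)
        if want and mac != want.lower():
            findings.append(("unexpected_mac", ip, mac))
    # One MAC holding several IPs often means a host recently changed its address.
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(("mac_with_multiple_ips", mac, tuple(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```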