* Netfilter Performance when using MAC filter
From: Babu Skeitson @ 2007-10-31 16:23 UTC (permalink / raw)
To: netfilter
Hello everyone.
I'm thinking about implementing iptables MAC Address filtering (-m mac
--mac-source xx:xx....) in my network.
*BUT* I have a big network, with ~ 4000 internal hosts/IPs that will
be filtered via MAC, and I'm not sure about the performance of this
filtering.
Is the speed/performance the same for MAC filtering and IP filtering?
Or is MAC filtering (because it's more complex, maybe?) slower, adding
overhead in a huge network?
Thanks in advance for any help.
Best,
Babu
* Re: Netfilter Performance when using MAC filter
From: Matt Zagrabelny @ 2007-10-31 18:26 UTC (permalink / raw)
To: Babu Skeitson; +Cc: netfilter
On Wed, 2007-10-31 at 14:23 -0200, Babu Skeitson wrote:
> Hello everyone.
> I'm thinking about implementing iptables MAC Address filtering (-m mac
> --mac-source xx:xx....) in my network.
> *BUT* I have a big network, with ~ 4000 internal hosts/IPs that will
> be filtered via MAC, and I'm not sure about the performance of this
> filtering.
Are the 4000 hosts on the same network/vlan as the box running iptables?
If so, you can do MAC filtering (performance shouldn't matter, as the MAC
address is in the link header); if not, MAC filtering won't buy you much:
the layer-2 address will always be the same.
This is essentially the difference between ARP and IP, or switching and
routing if you prefer.
--
Matt Zagrabelny - mzagrabe@d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2
He is not a fool who gives up what he cannot keep to gain what he cannot
lose.
-Jim Elliot
* Re: Netfilter Performance when using MAC filter
From: Grant Taylor @ 2007-10-31 18:41 UTC (permalink / raw)
To: Mail List - Netfilter
On 10/31/07 13:26, Matt Zagrabelny wrote:
> If so, you can do MAC filtering (performance shouldn't matter as the
> MAC address is in the link header), if not MAC filtering won't buy
> you much, the layer2 address will always be the same.
Agreed.
However, this can also be extended to help prevent spoofing in a routed
network. If you know that a given subnet is available via a given
router or routers, you can accept the packet only if the source IP is
coming from said router's MAC address, thus preventing someone else in
a different subnet from spoofing the source IP address. Or, for those of
us who like to run basic layer 3 filtering on all routers, which would
prevent such spoofed addresses, you can prevent someone from spoofing IP
addresses within the core network, i.e. the backbone LAN, trying to claim to
be someone else.
This can and will work fairly well, though you have to be aware that
this is in effect if you ever change MAC addresses of routers.
If you are going to go this route, I'd suggest that you use your own
private OUI MAC addresses on routers. This way you know that you need
to alter the MAC on the routers when you put them in place to support
your security model.
> This is essentially the difference between ARP and IP, or switching
> and routing if you prefer.
*nod*
Or brouting (bridging / routing combination) if you so choose to go there.
Grant. . . .
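Grant's subnet-to-router-MAC binding, written out as an added example that is not part of the thread. The script only emits the iptables commands (it applies nothing), so it can be read and checked offline; the two subnets, the router MACs and the interface name eth0 are constructed for illustration. Two caveats a practitioner should keep in mind: this only works when the filtering box shares the layer-2 segment with those routers (Matt's point above, the source MAC is otherwise always the last hop's), and a source MAC is whatever the sending host puts in the frame, so any node on the same segment can forge it; this is hygiene against misrouted and casually spoofed traffic, not authentication.

```shell
#!/bin/sh
# Added example, not from the thread. Emits (does not apply) iptables rules
# that bind each remote source subnet to the MAC of the router that is
# expected to deliver it into the backbone LAN, as Grant Taylor suggests.
# The subnets, MACs and the interface name are constructed for illustration.

# subnet -> router MAC, one pair per line (hypothetical values).
SUBNET_ROUTER_MACS='10.20.0.0/16 02:00:5e:10:00:01
10.30.0.0/16 02:00:5e:10:00:02'

# Print the rules for traffic entering on $1 (the backbone-facing interface).
# -m mac reads the source MAC of the received frame, so it is only valid in
# PREROUTING, INPUT and FORWARD; these rules live in a chain hooked from FORWARD.
emit_antispoof_rules() {
    iface=$1
    printf 'iptables -N ANTISPOOF\n'
    printf 'iptables -A FORWARD -i %s -j ANTISPOOF\n' "$iface"
    printf '%s\n' "$SUBNET_ROUTER_MACS" | while read -r subnet mac; do
        [ -n "$subnet" ] || continue
        # Expected router MAC: leave the chain and let the normal FORWARD
        # policy decide. Packets from subnets not listed here fall through
        # the whole chain untouched.
        printf 'iptables -A ANTISPOOF -i %s -s %s -m mac --mac-source %s -j RETURN\n' \
            "$iface" "$subnet" "$mac"
        # Same source subnet from any other MAC: a node on the backbone is
        # claiming an address it cannot legitimately originate. Log, then drop.
        printf 'iptables -A ANTISPOOF -i %s -s %s -j LOG --log-prefix "l2-spoof: "\n' \
            "$iface" "$subnet"
        printf 'iptables -A ANTISPOOF -i %s -s %s -j DROP\n' "$iface" "$subnet"
    done
}

# Number of subnet/router bindings in the table (for sanity-checking output).
count_bindings() {
    printf '%s\n' "$SUBNET_ROUTER_MACS" | grep -c .
}

emit_antispoof_rules eth0
```

Each binding costs three rules, and the ACCEPT decision itself is left to the existing FORWARD policy, so the anti-spoof chain can be dropped in front of any rule set. When a router's MAC changes (Grant's warning), only the matching RETURN rule needs to be updated; until it is, that subnet's traffic is logged with the l2-spoof prefix and dropped, which makes the mistake loud rather than silent.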
* Re: Netfilter Performance when using MAC filter
From: Pascal Hambourg @ 2007-10-31 19:19 UTC (permalink / raw)
To: netfilter
Hello,
Matt Zagrabelny wrote:
>
> If so, you can do MAC filtering (performance shouldn't matter as the MAC
> address is in the link header)
Can you please elaborate about the relationship between filtering
performance and the address layer?
* Re: Netfilter Performance when using MAC filter
From: Matt Zagrabelny @ 2007-10-31 19:33 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
On Wed, 2007-10-31 at 20:19 +0100, Pascal Hambourg wrote:
> Hello,
>
> Matt Zagrabelny wrote:
> >
> > If so, you can do MAC filtering (performance shouldn't matter as the MAC
> > address is in the link header)
>
> Can you please elaborate about the relationship between filtering
> performance and the address layer?
There is nothing to elaborate on. ;)
The frame contains the MAC address. This is what iptables will be
looking at. If the box running iptables is on the same network/vlan as
the rest of the traffic it is expecting to filter, then it will have MAC
addresses of actual hosts, however, if traffic is coming from a
different network/vlan then said traffic will have been routed and the
frame will have changed, thus the MAC address will be the MAC of the
network boundary, namely the router/gateway.
* Re: Netfilter Performance when using MAC filter
From: Pascal Hambourg @ 2007-11-01 10:05 UTC (permalink / raw)
To: netfilter
Matt Zagrabelny wrote:
> On Wed, 2007-10-31 at 20:19 +0100, Pascal Hambourg wrote:
>
>>Matt Zagrabelny wrote:
>>
>>>If so, you can do MAC filtering (performance shouldn't matter as the MAC
>>>address is in the link header)
>>
>>Can you please elaborate about the relationship between filtering
>>performance and the address layer?
>
> There is nothing to elaborate on. ;)
>
> The frame contains the MAC address. This is what iptables will be
> looking at. If the box running iptables is on the same network/vlan as
> the rest of the traffic it is expecting to filter, then it will have MAC
> addresses of actual hosts, however, if traffic is coming from a
> different network/vlan then said traffic will have been routed and the
> frame will have changed, thus the MAC address will be the MAC of the
> network boundary, namely the router/gateway.
Sorry, but I still do not see the point in "performance shouldn't matter
as the MAC address is in the link header". Performance (read : speed) is
mostly related to the number of rules, isn't it ?
* Re: Netfilter Performance when using MAC filter
From: Matt Zagrabelny @ 2007-11-01 13:17 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
On Thu, 2007-11-01 at 11:05 +0100, Pascal Hambourg wrote:
> Matt Zagrabelny wrote:
> > On Wed, 2007-10-31 at 20:19 +0100, Pascal Hambourg wrote:
> >
> >>Matt Zagrabelny wrote:
> >>
> >>>If so, you can do MAC filtering (performance shouldn't matter as the MAC
> >>>address is in the link header)
> >>
> >>Can you please elaborate about the relationship between filtering
> >>performance and the address layer?
> >
> > There is nothing to elaborate on. ;)
> >
> > The frame contains the MAC address. This is what iptables will be
> > looking at. If the box running iptables is on the same network/vlan as
> > the rest of the traffic it is expecting to filter, then it will have MAC
> > addresses of actual hosts, however, if traffic is coming from a
> > different network/vlan then said traffic will have been routed and the
> > frame will have changed, thus the MAC address will be the MAC of the
> > network boundary, namely the router/gateway.
>
> Sorry, but I still do not see the point in "performance shouldn't matter
> as the MAC address is in the link header". Performance (read : speed) is
> mostly related to the number of rules, isn't it ?
Okay, I see now. Performance would be related to the number of rules
that each packet needs to be tested against not against the criterion of
the match. Caveat: perhaps layer7 matching would be slower or using the
owner module, I don't know about these modules.
* Re: Netfilter Performance when using MAC filter
From: Pascal Hambourg @ 2007-11-01 14:55 UTC (permalink / raw)
To: netfilter
Matt Zagrabelny wrote:
>
> Okay, I see now. Performance would be related to the number of rules
> that each packet needs to be tested against not against the criterion of
> the match.
One suggestion: if performance happens to be an issue, it might be
worth using ipset and the 'set' match instead of the 'mac' match.
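Matt's conclusion that cost scales with the number of rules a packet walks, and Pascal's ipset suggestion, side by side as an added example that is not part of the thread. The script emits (and does not apply) two rule sets for the same IP/MAC pairs: one -m mac rule per host, and one -m set rule backed by an ipset of type hash:ip,mac (the ipset of the thread's era called the equivalent type macipmap). The host list, the interface name eth1 and the set name allowed are constructed for illustration; a real list for the original poster would hold about 4000 pairs, and the point is that the iptables chain length stays at two regardless. The same caveats as for any MAC match apply: src,src takes the MAC from the received frame, so the rule belongs on an ingress chain (PREROUTING, INPUT or FORWARD) on the segment the hosts actually sit on, and a host on that segment can forge its MAC, so this binds addresses for hygiene rather than authenticating anyone.

```shell
#!/bin/sh
# Added example, not from the thread. Builds (does not apply) two equivalent
# allowlists for the same IP/MAC pairs: one rule per host with -m mac, and a
# single -m set rule backed by an ipset hash:ip,mac set. The host list,
# interface and set name are constructed for illustration.

# ip mac, one pair per line (hypothetical hosts; the real list would be ~4000).
HOSTS='10.0.1.10 02:00:5e:00:01:0a
10.0.1.11 02:00:5e:00:01:0b
10.0.1.12 02:00:5e:00:01:0c
10.0.2.20 02:00:5e:00:02:14'

# Variant A: one iptables rule per host on ingress interface $1. A packet that
# does not match early walks the whole chain, so per-packet cost grows
# linearly with the number of hosts.
emit_per_host_rules() {
    printf '%s\n' "$HOSTS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        printf 'iptables -A FORWARD -i %s -s %s -m mac --mac-source %s -j ACCEPT\n' \
            "$1" "$ip" "$mac"
    done
    printf 'iptables -A FORWARD -i %s -j DROP\n' "$1"
}

# Variant B, step 1: the pairs go into a hash set, in 'ipset restore' input
# format. Membership is a hash probe, independent of how many pairs are held.
emit_ipset_restore() {
    set_name=$1
    printf 'create %s hash:ip,mac\n' "$set_name"
    printf '%s\n' "$HOSTS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        printf 'add %s %s,%s\n' "$set_name" "$ip" "$mac"
    done
}

# Variant B, step 2: the filter chain holds two rules whatever the host count.
# src,src: IP from the packet's source address, MAC from the frame's source
# address. Like -m mac this only makes sense on ingress (PREROUTING, INPUT,
# FORWARD), where the received frame's MAC is known.
emit_ipset_rules() {
    printf 'iptables -A FORWARD -i %s -m set --match-set %s src,src -j ACCEPT\n' "$1" "$2"
    printf 'iptables -A FORWARD -i %s -j DROP\n' "$1"
}

# Worst-case number of rules the kernel walks per packet in each variant.
per_host_chain_length() { emit_per_host_rules eth1 | grep -c iptables; }
ipset_chain_length()    { emit_ipset_rules eth1 allowed | grep -c iptables; }

emit_per_host_rules eth1
echo '# ipset restore input:'
emit_ipset_restore allowed
echo '# filter rules with the set:'
emit_ipset_rules eth1 allowed
```

To use variant B, feed the first output to ipset restore and then apply the two iptables rules. Updating the host list later is cheapest by building a second set and exchanging it atomically with ipset swap, which avoids any window where the chain references a half-loaded set.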