From: Karl Gaissmaier <karl.gaissmaier@rz.uni-ulm.de>
To: lartc@vger.kernel.org
Subject: [LARTC] Q: best solution to stop traffic to huge amount of unregistered hosts
Date: Thu, 22 Aug 2002 07:38:58 +0000	[thread overview]
Message-ID: <marc-lartc-103000210313805@msgid-missing> (raw)

Hi

perhaps someone else already had the same problem.

Problem description:

I'm running a class B University network with approx 10k hosts
attached. I would now like to stop traffic from and to hosts
in my network not already registered in my DNS server.

This means I have to handle approx 50k rules|routes. Sure,
I can summarize the unallocated address space a little bit
with masks to approx 30k rules; anyway, this seems to be a problem.

Question:

What will be the best solution between the different choices
netfilter/iptables, ip route(s) ... type prohibit and
tc filter ... u32 ... police 0kbps

netfilter/iptables doesn't seem to scale well, and the only
match module, "pool", which is able to deal with pools of addresses,
seems to stay in alpha state.


With ip route I think I have to describe all unregistered hosts
to stop traffic and not the smaller amount of registered hosts.
Does the FIB and route cache scale well to approx 30k routes?

Is it possible and more performant to use tc to throttle down
traffic to unregistered hosts already in the ingress lane
without hitting the routing and netfilter engine with this
traffic? Does tc scale well with this huge amount of addresses/masks?

How could this be handled with tc?

Regards and thanks in advance for any hint
	Charly

P.S. Speed is important, this linux router/firewall connects
Gigabit Ethernet networks

-- 
Karl Gaissmaier          Computing Center,University of Ulm,Germany
Email:karl.gaissmaier@rz.uni-ulm.de          Network Administration
Tel.: ++49 731 50-22499
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
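The post estimates that blocking the unregistered side of a class B takes roughly 30k routes even after summarizing with masks. The following added example (not code from the original post or from the LARTC project) shows how to compute that complement exactly: it takes a site prefix and the list of DNS-registered hosts, turns every gap between consecutive registered addresses into a minimal set of CIDR blocks with Python's ipaddress module, and emits one "ip route add prohibit" command per block, the "type prohibit" approach mentioned in the question. The /16 and the registered hosts are constructed sample data, not the university's real allocation; the rule count you get for a real network depends entirely on how fragmented the registrations are.

```python
#!/usr/bin/env python3
"""Compute the unregistered part of a site prefix as minimal CIDR blocks
and emit 'ip route add prohibit' commands for them.

Added example, not from the original post. SITE_PREFIX and REGISTERED are
constructed sample values standing in for a class B and its DNS-registered
hosts.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample input: an RFC 1918 /16 plays the role of the class B,
# and five hosts are "registered in DNS". Assumed data, not real.
SITE_PREFIX = "10.1.0.0/16"
REGISTERED = ["10.1.0.1", "10.1.0.2", "10.1.0.3", "10.1.1.10", "10.1.200.255"]


def unregistered_blocks(site: str, registered: Iterable[str]) -> List[str]:
    """Return the complement of `registered` inside `site` as CIDR strings.

    Each gap between consecutive registered addresses is summarized into
    the fewest CIDR blocks that cover it exactly, so no registered host
    ever falls inside a prohibit route and no address is listed twice.
    """
    net = ipaddress.ip_network(site, strict=True)
    hosts = sorted({ipaddress.ip_address(h) for h in registered})
    for h in hosts:
        if h not in net:
            raise ValueError(f"{h} is outside {net}")

    start, end = int(net.network_address), int(net.broadcast_address)
    blocks = []
    cursor = start  # first address not yet classified
    for h in hosts:
        hi = int(h)
        if hi > cursor:  # a run of unregistered addresses before this host
            blocks.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(cursor), ipaddress.ip_address(hi - 1)))
        cursor = hi + 1
    if cursor <= end:  # trailing run after the last registered host
        blocks.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(cursor), ipaddress.ip_address(end)))
    return [str(b) for b in blocks]


def route_commands(site: str, registered: Iterable[str]) -> List[str]:
    """One 'ip route add prohibit <cidr>' line per unregistered block.

    Registered hosts need no rule: they are simply not covered by any
    prohibit route and keep their normal (e.g. connected or default) route.
    """
    return [f"ip route add prohibit {b}" for b in unregistered_blocks(site, registered)]


def is_blocked(blocks: Iterable[str], addr: str) -> bool:
    """True if `addr` falls inside any of the computed prohibit blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(b) for b in blocks)


def covered_addresses(blocks: Iterable[str]) -> int:
    """Total number of addresses the blocks cover (sanity check for gaps)."""
    return sum(ipaddress.ip_network(b).num_addresses for b in blocks)


if __name__ == "__main__":
    blocks = unregistered_blocks(SITE_PREFIX, REGISTERED)
    print(f"# {len(blocks)} prohibit routes cover {covered_addresses(blocks)} addresses")
    for cmd in route_commands(SITE_PREFIX, REGISTERED):
        print(cmd)
```

Run it and pipe the output into a shell as root, or count the lines first to see what a given registration pattern costs in routes. Because every block is an exact piece of the complement, a registered host that sits alone in an otherwise empty /24 costs that /24 about eight prohibit routes instead of one, which is where the post's 30k estimate comes from; a single unregistered address between two registered ones still needs its own /32.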

Thread overview: 5+ messages
2002-08-22  7:38 Karl Gaissmaier [this message]
2002-08-22 20:44 ` [LARTC] Q: best solution to stop traffic to huge amount of Karl Gaissmaier
2002-08-22 20:55 ` Karl Gaissmaier
2002-08-22 21:04 ` Karl Gaissmaier
2002-09-03 11:13 ` Karl Gaissmaier
