
Dynamic access lists

To: netdev@xxxxxxxxxxx
Subject: Dynamic access lists
From: anand@xxxxxxxxxxxxxxxxx (SVR Anand)
Date: Sat, 23 Feb 2002 12:57:23 +0530 (GMT+05:30)
Sender: owner-netdev@xxxxxxxxxxx

I work in one ISP that serves a university campus connected on a LAN, apart 
from many other customers. We have a congested internet access link, thanks to 
the student community. Because of this, customers as well as the university 
faculty are complaining of poor throughputs. One of the professors suggested 
that faculty should be given a better bandwidth by imposing some kind of 
traffic control on the student traffic. In this regard I plan to implement the 
following idea.

I will be happy to receive your feedback. 

Thanks for patiently reading my rather big mail. Hope I could express my idea
clearly, and pardon me if this is not the appropriate mailing list. Thought
this might be of interest to you all!



1. Put a Linux box in the path of the traffic just before it hits the access
   router. After coming up with some packet classification scheme, control the
   rates using Linux TC. 

2. I have observed that packet classification based on pre-registered static 
   IP addresses has many difficulties. These include, 

  i)  Faculty are forced to use the machine they have registered. Maintenance
      of static addresses can be painful because whenever they migrate to 
      another machine, or operate from a different Lab the IP address is going
      to change.
 ii)  Static addressing will not work when DHCP is used
 iii) Students tend to "mis-use" faculty's machine in their absence by using
      masquerading/login mechanisms
  iv) In the long run, there will be many unused stale IP addresses clogging 
      the classifier table which can potentially be exploited

3. To combat the aforementioned issues, I am thinking of coming up with 
   dynamic access lists with user authentication. There will be a notion of
   "soft session" in the system. It is expected to work as follows.

   - The faculty will initially register themselves with a server by giving 
   - Whenever he/she wants to access the network, they will create a "soft session"
     by means of authentication by the server. This can happen in the browser 
     environment. During the authentication process, the faculty machine's IP 
     address is obtained and passed onto the Linux box that is running TC
   - Linux box will update the faculty-classifier dynamically

4. After they are done with net access, the faculty is expected to logout of the session.
   The logging out process accordingly removes the entry in the Linux TC.

   - In case the logout is not done explicitly, as it can happen with 
     pre-occupied professors :), a timeout mechanism can be built into the
     system which will automatically purge the IP address of the idle session

I have not mentioned the nitty-gritty details because I wanted to know if 
the basic idea is fine.
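
An added example (not code from the original post or from any netdev project) of the session bookkeeping described in points 3 and 4: a table keyed by the authenticated IP address that emits the tc u32 filter add/del commands for the Linux box and purges idle sessions. The interface name, the qdisc handle, the faculty class id and the idle timeout are assumed values.

```python
import time

# Constructed layout: HTB root qdisc 1: on eth0, class 1:10 reserved for
# authenticated faculty traffic, sessions expire after 30 idle minutes.
DEV, PARENT, FACULTY_CLASS, IDLE_TIMEOUT = "eth0", "1:0", "1:10", 1800

class SoftSessions:
    """Maps authenticated faculty IPs to the u32 filter installed for each.
    Methods return tc command lines instead of running them, so the
    bookkeeping can be exercised without root or tc installed."""
    def __init__(self, timeout=IDLE_TIMEOUT):
        self.timeout = timeout
        self.sessions = {}  # ip -> [u32 node id, last activity timestamp]
        self.next_node = 1  # node ids are unique within u32 hash table 800:

    @staticmethod
    def _handle(node):
        return f"800:0:{node:x}"  # u32 handle is htid:hash:nodeid in hex

    def login(self, ip, now=None):
        """Authenticated login: install a classifier entry for ip if absent."""
        now = time.time() if now is None else now
        if ip in self.sessions:  # already logged in: just refresh activity
            self.sessions[ip][1] = now
            return []
        node, self.next_node = self.next_node, self.next_node + 1
        self.sessions[ip] = [node, now]
        return [f"tc filter add dev {DEV} parent {PARENT} protocol ip prio 1 "
                f"handle {self._handle(node)} u32 "
                f"match ip src {ip}/32 flowid {FACULTY_CLASS}"]

    def logout(self, ip):
        """Explicit logout or purge: delete the entry by its own handle."""
        entry = self.sessions.pop(ip, None)
        if entry is None:
            return []
        return [f"tc filter del dev {DEV} parent {PARENT} protocol ip prio 1 "
                f"handle {self._handle(entry[0])} u32"]

    def touch(self, ip, now=None):
        """Record activity from ip (e.g. from accounting) to keep it alive."""
        if ip in self.sessions:
            self.sessions[ip][1] = time.time() if now is None else now

    def purge_idle(self, now=None):
        """Timeout mechanism: log out every session idle for >= timeout."""
        now = time.time() if now is None else now
        idle = [ip for ip, (_, seen) in self.sessions.items()
                if now - seen >= self.timeout]
        return [cmd for ip in idle for cmd in self.logout(ip)]
```

Because an entry is keyed only by IP address, any host that later holds or spoofs that address is classified as faculty until the entry expires, so a short idle timeout and a periodic reconciliation of this table against `tc filter show dev eth0` limit that exposure.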