ipt_ACCOUNT Archives
<prev [Date Index] next>
<prev [Thread Index] next>

Subject: Re: ipt_ACCOUNT ipv6 support

From: Anton Khalikov <anton@xxxxxxxxxxx>
To: ipt_ACCOUNT@xxxxxxxxxxxxxxxxxxxxxxx
Date: Fri, 23 Jan 2015 13:25:21 +0500
Hello Neal

Well, I think it would be crazy if anyone wanted to count ipv6 traffic on per IP basis. It is common for ISPs to assign /64 networks to their customers. So probably ipv6 implementation could take networks instead of individual IPs as arguments.

32 bit counters is a problem but only if you have a saturated 1GE with single IP. If 1GE is distributed between a few IPs, their individual counters rise much slower.

I've never heard about using ipset to track stats but if it possible it would be highly appreciated if you point me to a corresponding man page or article. We typicaly use ipset to filter long lists of random IPs or networks.

23 января 2015 г., 11:56

As I recall from looking at it and my recent experiences, iptACCOUNT will
require a serious rewrite to handle IPv6. It uses a kernel page to store stats
for an IPv4 /24 (bytes & packets; in & out). Since IPv6 addresses are
typically anywhere within a /64, that method becomes unworkable (unthinkable,
really).

Another problem is that it uses 32-bit counters. They roll over in about 34
seconds at saturated gigE speeds. At 10G speeds, they can roll over in barely
more than 3 seconds.

The last problem I can readily identify is that IPv6 uses
- link local addresses
- a prefix for DHCP-assigned addresses
- a prefix for SLAAC addresses
- possibly a prefix for private addresses
That's potentially four addresses per NIC that must be tracked.

I haven't yet thought of a way to modernize iptACCOUNT and remain efficient
That bolt of lightning over my head hasn't flashed on yet.

I seem to recall reading about ipset being enhanced to track per-address
stats. It might be efficient if it was written like the rest of ipset.

Neal

--
ipt_ACCOUNT - see http://www.intra2net.com/en/developer/ipt_ACCOUNT for details.
To unsubscribe send a mail to ipt_ACCOUNT+unsubscribe@xxxxxxxxxxxxxxxxxxxxxxx

23 января 2015 г., 11:24
Hello everyone

I wonder if there are any plans to add ipv6 support to ipt_ACCOUNT? I know there is shiny new nfacct tool but it is useless when it comes to task to count traffic on per host basis on large networks. And also there is conntrack, but again, it becomes useless and even bottleneck during DDoS attacks while ipt_ACCOUNT never failed. ipt_ACCOUNT stayed alive and didn't eat CPU too much even when 1Gbps and 600kpps DDoS happened. So at the moment there is no high performance and low CPU usage substitution for ipt_ACCOUNT from my point of view. You guys did a great job and thank you for that. Would you like to continue?

23 января 2015 г., 11:21
Hello everyone

I wonder if there are any plans to add ipv6 support to ipt_ACCOUNT? I know there is shiny new nfacct tool but it is useless when it comes to task to count traffic on per host basis on large networks. And also there is conntrack, but again, it becomes useless and even bottleneck during DDoS attacks while ipt_ACCOUNT never failed. ipt_ACCOUNT stayed alive and didn't eat CPU too much even when 1Gbps and 600kpps DDoS happened. So at the moment there is no high performance and low CPU usage substitution for ipt_ACCOUNT from my point of view. You guys did a great job and thank you for that. Would you like to continue?


--
Best regards
Anton Khalikov

ipt_ACCOUNT - see http://www.intra2net.com/en/developer/ipt_ACCOUNT for details.
To unsubscribe send a mail to ipt_ACCOUNT+unsubscribe@xxxxxxxxxxxxxxxxxxxxxxx


Current Thread