[unisog] University ResNet IP address Management
Peter John Hill
pjhill at u.washington.edu
Tue Jul 24 16:06:17 GMT 2007
Out of all the places I have worked, Carnegie Mellon has the best
Instead of using the same size network blocks for every dorm, they
know from historical data how big a subnet should be and track
closely if they get close to capacity. It is relatively simple for
them to expand a subnet or move on due to their tools (Netreg).
A new student comes into the dorm, connects their machine to an
ethernet port or wireless, since that machine is not registered
(known by MAC addr, not perfect, but good enough to get onto the
network), the user opens a web page and gets redirected to a secure
web form, their mac address already filled in, compliments of the
dhcp server, which is tightly coupled into the system. The user can
pick their hostname and choose from allowed subdomains. If they want
to add a CNAME, or change their TTL, they can. There is now a database
entry that ties that mac address to a username and a group (from
LDAP), so that if the machine is found to be infected or doing
something bad, we know who to contact.
When students later connect to the network they get a dhcp address
from the available pool, and the dhcp server updates the DNS server
dynamically with TSIGs...
Requires mysql (or some other sql database with modification),
ISC-DHCP, BIND, Apache, and Perl.
The system is not designed to do any user authentication once a
machine is registered... It is to tie a username to a mac address. If
we find that someone is spoofing a MAC address, we will track the
duplicate mac address down to a switchport and investigate. That
would be treated as an abuse case.
On top of the data in the netreg database, they also put together
software called Epidemic, or netnotify. It is used to track abuse
incidents. It can automatically suspend a machine registration (host
still gets an ip address, but it is filtered on their local router).
It sends out warning emails, can interact with the switches and
routers to redirect infected machines to a web site to download
whatever patch is needed to fix whatever issue is found. The user can
then rescan their machine from a web page (if remote detection of fix
is possible) or else click a button saying, yes I cleaned my machine.
Any kind of forging a mac address to get around filters or not
cleaning your machine but saying you did results in an abuse case.
They also have their bandwidth quota system tied into both netreg and
Hope at least one thing in here was useful...
On Jul 24, 2007, at 5:33 AM, Fred Portnoy wrote:
> We have allocated a.b.c.0/23 blocks of public address space to our
> VLANs in residence halls. Students are assigned addresses by DHCP at
> connection time, and are required to authenticate and undergo a host
> integrity check to be allowed full network access. We are currently
> implementing Bradford (today is day two of the implementation team
> we expect that once students are authenticated and approved by
> Bradford, and are moved into one of the pre-existing ResNet VLANs,
> they will continue to be assigned a DHCP address on the appropriate
> ResNet VLAN as they have been
> Date: Mon, 23 Jul 2007 10:51:00 -0500
> From: "Jason Murray" <jemurray at zweck.net>
> Subject: [unisog] University ResNet IP address Management
> To: unisog at lists.dshield.org
> <4fc813b0707230851k695e2023j5b0be8659593b341 at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
> I am interested in how other Universities are managing (allocating)
> the IP space in their residential halls?
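Peter's description of MAC-based registration (identification by MAC address, "not perfect, but good enough") and of tracking a duplicated MAC down to a switchport, worked through as an added Python example. This is not code from this thread nor from CMU's Netreg or Epidemic; the registration table, the DHCP syslog lines, the switch forwarding-table dump, the hostnames, addresses and field names are all constructed for illustration. It cross-checks DHCPACK lines against a registration table (hosts that still need to be sent to the registration page) and looks for a registered MAC that shows up on more than one switchport at once, the symptom Peter describes treating as an abuse case, and attaches the registered username so the right person can be contacted.

```python
import re
from collections import defaultdict

# Constructed stand-in for the netreg registration table (mac -> owner, group, hostname).
REGISTRATIONS = {
    "00:1a:2b:3c:4d:5e": {"user": "alice", "group": "students", "host": "alice-laptop"},
    "00:1a:2b:3c:4d:5f": {"user": "bob", "group": "students", "host": "bob-desktop"},
}

# Constructed ISC dhcpd syslog lines ("DHCPACK on <ip> to <mac> (<hostname>) via <iface>").
DHCP_LOG = """\
Jul 24 09:12:01 dhcp1 dhcpd: DHCPACK on 128.2.10.45 to 00:1a:2b:3c:4d:5e (alice-laptop) via eth1
Jul 24 09:12:07 dhcp1 dhcpd: DHCPACK on 128.2.10.46 to 00:1a:2b:3c:4d:5f (bob-desktop) via eth1
Jul 24 09:13:30 dhcp1 dhcpd: DHCPACK on 128.2.10.90 to 00:aa:bb:cc:dd:ee via eth1
"""

# Constructed switch forwarding-table dump (dotted MAC notation, one entry per port).
# The first MAC appears on two ports: the duplicate-MAC symptom to investigate.
SWITCH_TABLE = """\
Vlan    Mac Address       Type     Ports
10      001a.2b3c.4d5e    DYNAMIC  Gi1/0/12
10      001a.2b3c.4d5e    DYNAMIC  Gi1/0/31
10      001a.2b3c.4d5f    DYNAMIC  Gi1/0/14
10      00aa.bbcc.ddee    DYNAMIC  Gi1/0/20
"""

DHCPACK_RE = re.compile(
    r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17})(?: \((.*?)\))? via (\S+)"
)
SWITCH_RE = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.]{14})\s+\S+\s+(\S+)\s*$")


def normalize_mac(raw):
    """Accept colon, dash or dotted notation and return lowercase aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp_acks(log_text):
    """Return one dict per DHCPACK line; hostname is None when the client sent none."""
    acks = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            ip, mac, hostname, iface = m.groups()
            acks.append({"ip": ip, "mac": normalize_mac(mac),
                         "hostname": hostname, "iface": iface})
    return acks


def parse_switch_table(table_text):
    """Map each MAC to the set of switchports it is currently learned on."""
    ports_by_mac = defaultdict(set)
    for line in table_text.splitlines():
        m = SWITCH_RE.match(line)
        if m:
            _vlan, mac, port = m.groups()
            ports_by_mac[normalize_mac(mac)].add(port)
    return ports_by_mac


def find_unregistered(acks, registrations):
    """Leases handed to MACs with no registration: send these to the registration page."""
    return [a for a in acks if a["mac"] not in registrations]


def find_duplicate_macs(ports_by_mac):
    """A MAC learned on more than one port at once: possible spoof, investigate the ports."""
    return {mac: sorted(ports) for mac, ports in ports_by_mac.items() if len(ports) > 1}


def build_report(registrations, acks, ports_by_mac):
    """Combine both checks into actionable records with the registered owner to contact."""
    report = []
    for a in find_unregistered(acks, registrations):
        report.append({"action": "redirect-to-registration", "mac": a["mac"],
                       "ip": a["ip"], "contact": None})
    for mac, ports in find_duplicate_macs(ports_by_mac).items():
        reg = registrations.get(mac)
        report.append({"action": "abuse-case", "mac": mac, "ports": ports,
                       "contact": reg["user"] if reg else None})
    return report


if __name__ == "__main__":
    acks = parse_dhcp_acks(DHCP_LOG)
    ports = parse_switch_table(SWITCH_TABLE)
    for entry in build_report(REGISTRATIONS, acks, ports):
        print(entry)
```

In a real deployment the registration dict would be a query against the registration database and the switch table would come from SNMP or a CLI scrape; the two checks are the same either way. Note that a MAC on two ports is a lead, not proof: a host moving between wired and wireless ports or a stale forwarding-table entry looks identical, which is why the record lands as a case to investigate rather than an automatic suspension.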