[unisog] University ResNet IP address Management

Peter John Hill pjhill at u.washington.edu
Tue Jul 24 16:06:17 GMT 2007

Out of all the places I have worked, Carnegie Mellon has the best  


Instead of using the same size network blocks for every dorm, they  
know from historical data how big a subnet should be and track  
closely if they get close to capacity. It is relatively simple for  
them to expand a subnet or move on due to their tools (Netreg).

A new student comes into the dorm and connects their machine to an ethernet port or wireless. Since that machine is not registered (known by MAC addr, not perfect, but good enough to get onto the network), when the user opens a web page they get redirected to a secure web form, their mac address already filled in, compliments of the dhcp server, which is tightly coupled into the system. The user can pick their hostname and choose from allowed subdomains. If they want to add a CNAME, or change their TTL, they can. There is now a database entry that ties that mac address to a username and a group (from LDAP), so that if the machine is found to be infected or doing something bad, we know who to contact.

When students later connect to the network they get a dhcp address  
from the available pool, and the dhcp server updates the DNS server  
dynamically with TSIGs...

Requires mysql (or some other sql database with modification), ISC-DHCP, BIND, Apache, and Perl.

The system is not designed to do any user authentication once a machine is registered... It is to tie a username to a mac address. If we find that someone is spoofing a MAC address, we will track the duplicate mac address down to a switchport and investigate. That would be treated as an abuse case.

On top of the data in the netreg database, they also put together  
software called Epidemic, or netnotify. It is used to track abuse  
incidents. It can automatically suspend a machine registration (host  
still gets an ip address, but it is filtered on their local router).  
It sends out warning emails, can interact with the switches and  
routers to redirect infected machines to a web site to download  
whatever patch is needed to fix whatever issue is found. The user can  
then rescan their machine from a web page (if remote detection of fix  
is possible) or else click a button saying, yes I cleaned my machine.

Any kind of forging a mac address to get around filters, or not cleaning your machine but saying you did, results in an abuse case.

They also have their bandwidth quota system tied into both netreg and  


Hope at least one thing in here was useful...


On Jul 24, 2007, at 5:33 AM, Fred Portnoy wrote:

> We have allocated a.b.c.0/23 blocks of public address space to our ResNet VLANs in residence halls. Students are assigned addresses by DHCP at connection time, and are required to authenticate and undergo a host integrity check to be allowed full network access. We are currently implementing Bradford (today is day two of the implementation team on-site); we expect that once students are authenticated and approved by Bradford, and are moved into one of the pre-existing ResNet VLANs, they will continue to be assigned a DHCP address on the appropriate ResNet VLAN as they have been before.
> -fp
> Date: Mon, 23 Jul 2007 10:51:00 -0500
> From: "Jason Murray" <jemurray at zweck.net>
> Subject: [unisog] University ResNet IP address Management
> To: unisog at lists.dshield.org
> Message-ID:
> 	<4fc813b0707230851k695e2023j5b0be8659593b341 at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
> I am interested in how other Universities are managing (allocating) the IP space in their residential halls?
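As an added illustration of the registration-gated DHCP and TSIG-signed dynamic DNS described above (an example dhcpd.conf written for this note, not Netreg's own configuration; the key name and secret, zone names, addresses and the captive-resolver address are placeholders, and the "unregistered clients get a resolver that steers them to the signup form" mechanism is an assumption, since the post does not say how the redirect is done):

```conf
# TSIG key shared with BIND. The same key statement (same secret) goes in
# named.conf, and the zones use: allow-update { key netreg-ddns; };
key netreg-ddns {
    algorithm hmac-md5;                 # hmac-sha256 in newer dhcpd/BIND
    secret "PLACEHOLDER-BASE64-SECRET";
}

ddns-update-style interim;
ddns-domainname "resnet.example.edu";
ddns-rev-domainname "in-addr.arpa";
update-static-leases on;                # also register fixed hosts in DNS

zone resnet.example.edu. {
    primary 10.0.0.53;                  # placeholder BIND master
    key netreg-ddns;
}
zone 16.172.in-addr.arpa. {
    primary 10.0.0.53;
    key netreg-ddns;
}

# One host stanza per registered MAC, generated from the registration
# database (username/group lookup stays in the database, not here).
host alice-laptop {
    hardware ethernet 00:11:22:33:44:55;    # constructed sample MAC
    ddns-hostname "alice-laptop";           # hostname the student chose
}

subnet 172.16.0.0 netmask 255.255.254.0 {
    option routers 172.16.0.1;

    # Registered machines ("known" = a matching host stanza exists):
    # normal lease, real resolver, DNS record maintained via TSIG updates.
    pool {
        deny unknown-clients;
        range 172.16.0.10 172.16.1.200;
        option domain-name-servers 10.0.0.53;
    }

    # Unregistered machines: short lease so they re-evaluate quickly after
    # signing up, and a resolver that answers every name with the
    # registration web server so the first web page hit lands on the form.
    pool {
        allow unknown-clients;
        range 172.16.1.201 172.16.1.250;
        default-lease-time 120;
        max-lease-time 300;
        option domain-name-servers 10.0.0.99;   # captive resolver
    }
}
```

Once the registration form writes a new host stanza and reloads dhcpd, the machine's next renewal falls into the registered pool, which is what makes the MAC-to-username record the enforcement point rather than any per-session login.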
