On Sunday, February 3, 2002, Cameron Kaiser <spectre(a)stockholm.ptloma.edu> wrote:
> > - all machines legitimately using the network are known as well as
> > their ethernet addresses,
> > - assign all those legitimate machines a (basically fixed) IP via
> > DHCP,
> > - for all unregistered machines, offer them IP addresses in the
> > 127.0.0.0 range as well as themselves as their default router and
> > other stuff to make their network connection a notwork connection
>
> I kind of like that! No! I *REALLY* like it!
> Have you tested this?
>
> We have something like this at PLNU. Unknown MAC addresses get dropped
> into a category where the network will only allow them to connect to the
> registration server -- it drops packets bound elsewhere. To register for a
> "fixed IP over DHCP" lease, they have to have their bills paid and their
> student ID, SSN, etc., and then they get the DHCP lease for the year
> wherever they go on campus. The system is now almost totally automated.
> So, an unauthorised laptop connecting on campus basically doesn't work;
> their packets end up in /dev/null. There are plenty of public terminals
> if surfin der Veb's all they want to do.
As a colleague of Pete Turnbull (80 miles or so south along the same
network) I can only agree with his comments so far... UK Universities
(and associates) are members of JANET and we have a responsibility to
"control" and "monitor" how our connections are used. If somebody
misuses our IP, we are *expected* to have some idea who might be
responsible. We (at Leicester University at least) don't deliver IP
addresses over RARP/BOOTP/DHCP to unknown MAC addresses.
Cameron's idea is OK but our students are smart enough to work out that
all they need to do is determine the IP address of a networked PC in a
student computing area, unplug the network connection and feed the
appropriate details in as a static address for his/her laptop. If a
student locates a "hot" outlet, it is always possible to enter a random
IP (for the campus network) and use that address to determine the
gateway and steal another IP address.
Blocking packets based on MAC address at switch level (if/when possible)
is not really practical. Teachers must be able to bring their own
computers into public computer areas to lecture; we even provide a
mechanism for Windows 2000 (no snide comments, please) systems to have
IP in such areas. It is difficult enough to teach highly educated
lecturers that they can't just move one computer from one network outlet
to another *unless they use the mechanism to give them an IP address for
the new location*; requiring lecturers to register their MAC address in
advance just doesn't fit the academic world.
Phil
(not an expert in IP but pretty clued in on how students misuse
networks)
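The static-address bypass Phil describes (a registered PC's address typed into an unregistered laptop) leaves a trace that the DHCP server alone never sees: the gateway's ARP table pairs each live IP with the MAC actually using it. The script below is an added example, not code from the thread or from either university; the registration table, the `arp -an` output and all addresses in it are constructed for illustration.

```python
import re

# Constructed registration table: MAC -> fixed IP handed out over DHCP.
REGISTERED = {
    "00:10:4b:aa:bb:01": "10.1.2.10",
    "00:10:4b:aa:bb:02": "10.1.2.11",
    "00:10:4b:aa:bb:03": "10.1.2.12",
}

# Constructed sample of `arp -an` style output as seen on the campus gateway.
ARP_SAMPLE = """\
? (10.1.2.10) at 00:10:4b:aa:bb:01 on fxp0
? (10.1.2.11) at 00:50:ba:cc:dd:ee on fxp0
? (10.1.2.12) at 00:10:4b:aa:bb:03 on fxp0
? (10.1.2.77) at 00:10:4b:aa:bb:02 on fxp0
? (10.1.2.99) at 08:00:20:12:34:56 on fxp0
"""

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17})")


def parse_arp(text):
    """Return a list of (ip, mac) pairs parsed from arp -an output."""
    return [(m["ip"], m["mac"].lower()) for m in ARP_RE.finditer(text)]


def audit(arp_entries, registered):
    """Classify every observed (ip, mac) pair against the registration table.

    unknown_mac  - MAC never registered, using an address nobody leased
                   (a laptop with a hand-typed static address)
    ip_conflict  - unregistered MAC using an IP that is the DHCP lease of a
                   registered machine (the 'stolen' address Phil describes)
    ip_mismatch  - registered MAC using an IP other than its own lease
                   (e.g. a machine moved to another outlet without re-leasing)
    """
    lease_of = {ip: mac for mac, ip in registered.items()}
    findings = []
    for ip, mac in arp_entries:
        if mac not in registered:
            kind = "ip_conflict" if ip in lease_of else "unknown_mac"
            findings.append((kind, ip, mac))
        elif registered[mac] != ip:
            findings.append(("ip_mismatch", ip, mac))
    return findings


def report():
    """Run the audit over the constructed sample and return its findings."""
    return audit(parse_arp(ARP_SAMPLE), REGISTERED)
```

Run periodically against the real gateway's ARP table, this turns the bypass from invisible into a short list of outlet/MAC pairs to chase, which is the "some idea who might be responsible" that JANET membership expects.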