
On Sun, 14 Mar 2004, Vivien M. wrote:
> credibly argue "But I never read this AUP". The web-based DHCP registration system prevents that.
Ok, I'll give that one to you. :) Got me there, hehehe. Though now we are making the AUP a part of the freshman orientation session so there are no excuses. Plus they agree to it when they place the installation CD in their drive (if they use the installation CD, which many don't).
> A) It prevents students (or at least, all but the most clueful) from taking multiple IPs and having hubs and such in their rooms
That's protected by port security. Just limit them to one MAC address per port, so only the last machine transmitting will get the reply. Works quite well; it shut me down for a few days a few years ago when it was first turned on.
> B) It makes it very easy to track what MAC address/IP address is which person, as you yourself admitted. Sure, this system requires a bit of effort to set up initially (though I think open source implementations are easily available), but afterwards, you don't need to have your most clueful network engineer dig through to try and figure out which room is what IP. If you lower the clue level required to operate an abuse desk, I would argue you improve its efficiency in many cases...
See, this is not something that requires a clueful engineer. It only requires the clueful engineer to create a script that does it all automatically. In fact I've seen the web interface to the whole system. VERY nice. It even tracks changes, so I can tell if the user pulled the cables, swapped ports, did bad stuff and then swapped them back to place the blame on the roommate. I can enter the IP in question and time period and it will then tell me the MAC address in question, then it will automatically look up the cable database to return the room, and then it will return the names of the individuals living in the rooms. I argue that the username system has significant problems which can lead to denial of service. What happens when your RADIUS box goes offline? This is what caused me to turn against the offending university. Their authentication box wouldn't stay online, and so I'd have to cross my fingers after a reboot and hope that I could get back on the network.
> C) It avoids issues of changing ports. Let's say I'm in room 101, and my friend Bob is in room 102. I take my laptop to Bob's room and plug it into the network and go and do something dumb... If you hunt down my MAC address to a particular port, it looks like Bob is the AUP violator. If you have a registration system, you know that this MAC address belongs to me, not Bob.
True, true, that can happen, but again, if I log changes I can tell that someone unplugged their computer, and so when Bob gets turned in the judicial system will be able to question what occurred... They know it may not be him that's guilty, but hopefully he will turn in the offender.
> Oh, and what about wireless networks? I have my nice 802.11b card, how do you propose to track that without MAC registration (or hackish VPN systems, which are also deployed in some campuses)?
As for wireless, well yeah, we require you to register the MAC of your wireless NIC. Only MACs that are in the database are allowed access. Sure, you can spoof someone else's legitimate MAC, but that's a different story. At least I have someone I can blame and let him try to deny it through the judicial system.

Andrew
---
<zerocool@netpath.net>
http://www.andrewsworld.net/
ICQ: 2895251
Cisco Certified Network Associate
"Learn from the mistakes of others. You won't live long enough to make all of them yourself."
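The lookup chain Andrew describes (IP plus time window, to MAC from DHCP leases, to switch port from the MAC-table history, to room from the cable database, to residents), written out as an added example that is not the university's system or any code from this thread. The lease log, port history, cable database and occupant table are all constructed sample data, and the "moved_in_window" flag is an assumed addition that surfaces the cable-swap case from the thread.

```python
# Added example, not from the thread: attribute an IP at a point in time to
# a MAC, port, room and residents. Every table below is constructed data.
from datetime import datetime

# Constructed DHCP lease log: (lease_start, lease_end, ip, mac)
LEASES = [
    ("2004-03-14 08:00", "2004-03-14 20:00", "10.1.2.50", "00:0a:95:9d:68:16"),
    ("2004-03-14 20:00", "2004-03-15 08:00", "10.1.2.50", "00:0c:29:4f:8e:35"),
]
# Constructed MAC-table history: (first_seen, last_seen, mac, switch_port)
PORT_HISTORY = [
    ("2004-03-14 08:00", "2004-03-14 13:00", "00:0a:95:9d:68:16", "sw1/0/1"),
    ("2004-03-14 13:05", "2004-03-14 16:00", "00:0a:95:9d:68:16", "sw1/0/2"),
    ("2004-03-14 16:10", "2004-03-14 20:00", "00:0a:95:9d:68:16", "sw1/0/1"),
]
CABLE_DB = {"sw1/0/1": "Room 101", "sw1/0/2": "Room 102"}  # port -> room
OCCUPANTS = {"Room 101": ["Alice"], "Room 102": ["Bob"]}  # room -> residents

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def _overlaps(a_start, a_end, b_start, b_end):
    # Half-open intervals: a lease ending at 20:00 does not cover 20:00.
    return _t(a_start) < _t(b_end) and _t(b_start) < _t(a_end)

def attribute(ip, start, end):
    """One record per (mac, port) that held `ip` inside [start, end)."""
    macs = {m for s, e, i, m in LEASES if i == ip and _overlaps(s, e, start, end)}
    hits = []
    for mac in sorted(macs):
        ports = [(s, e, p) for s, e, m, p in PORT_HISTORY
                 if m == mac and _overlaps(s, e, start, end)]
        # More than one port in the window means the cable was moved,
        # so the room on any single port is not the whole story.
        moved = len({p for _, _, p in ports}) > 1
        for s, e, port in sorted(ports):
            room = CABLE_DB.get(port, "unknown")
            hits.append({"mac": mac, "port": port, "room": room,
                         "residents": OCCUPANTS.get(room, []),
                         "seen": (s, e), "moved_in_window": moved})
    return hits

if __name__ == "__main__":
    for hit in attribute("10.1.2.50", "2004-03-14 12:00", "2004-03-14 17:00"):
        print(hit)
```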