On 6/11/13, Majdi S. Abbas <msa@latt.net> wrote:
On Tue, Jun 11, 2013 at 07:52:02PM -0400, Ricky Beam wrote:
All of the above plus very poorly managed network / network security. (sadly a Given(tm) for anything ending dot-e-d-u.) a) why are *printers* given public IPs? and b) why are internet hosts allowed to talk to them? I am actually *very* surprised your printers are still functional if the whole internet can reach them.
Who really has a solid motive to make them stop working (other than a printer manufacturer who wants to sell them more) ?
Guess what, they have /16s, they use them, and they like the ability to print from one side of campus to the other. Are you suggesting gigantic NATs with 120,000 students and faculty behind them?
A per-building NAT would work, with static translations for printers in that building, and an ACL with an allow list including IPsec traffic to the printer from the campus' IP range. They don't have to use NAT though to avoid unnecessary exposure of services on internal equipment to the larger world.
I have a hard time blaming a school for this. I have an easy time wondering why printer manufacturers are including chargen support in firmware.
They probably built their printer on top of a general purpose or embedded OS they purchased from someone else, or reused, that included an IP stack -- as well as other features that were unnecessary for their use case. Or the chargen tool may have been used during stress tests to verify proper networking, and that the IP stack processed bits without corrupting them; with the manufacturer forgetting/neglecting to turn off the unnecessary feature, forgetting to remove/disable that bit of software, or seeing no need to, before mass producing.
--msa

--
-JH
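The per-printer allow list suggested above (campus range only, IPsec permitted, everything else dropped so leftover services like chargen stay unreachable) as an added example, not code from the thread; the addresses, the `Packet` type and the `permitted` function are constructed for illustration, and the prefixes stand in for the campus /16.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins: RFC 5737 documentation prefixes, not real campus space.
CAMPUS = ipaddress.ip_network("203.0.113.0/24")   # the campus range in the ACL
PRINTER = ipaddress.ip_address("203.0.113.77")    # one printer the ACL protects

CHARGEN = 19          # the service the thread is about; never in the allow list
PRINT_PORTS = {631, 9100}   # IPP and raw-JetDirect printing
IKE_PORTS = {500, 4500}     # IKE and NAT-T, so IPsec from campus can set up


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp", "esp" or "ah"
    dport: int = 0  # unused for esp/ah


def permitted(pkt: Packet) -> bool:
    """Evaluate the printer's allow list; anything not listed is denied."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if dst != PRINTER:
        return False                     # this list only covers the printer
    if src not in CAMPUS:
        return False                     # default deny for the wider internet
    if pkt.proto in ("esp", "ah"):
        return True                      # IPsec from campus is allowed
    if pkt.proto == "udp" and pkt.dport in IKE_PORTS:
        return True
    if pkt.proto == "tcp" and pkt.dport in PRINT_PORTS:
        return True
    return False                         # chargen etc. stay closed even on campus


def summarize(packets):
    """Return (allowed, denied) counts for a batch of packets."""
    allowed = sum(1 for p in packets if permitted(p))
    return allowed, len(packets) - allowed


if __name__ == "__main__":
    sample = [  # constructed traffic, not captured data
        Packet("203.0.113.10", "203.0.113.77", "tcp", 631),   # campus print job
        Packet("203.0.113.10", "203.0.113.77", "esp"),        # campus IPsec
        Packet("198.51.100.5", "203.0.113.77", "udp", CHARGEN),  # internet chargen
        Packet("203.0.113.10", "203.0.113.77", "udp", CHARGEN),  # campus chargen
    ]
    print(summarize(sample))
```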