Andrew Dorsett wrote:
> On Sun, 14 Mar 2004, Sean Donelan wrote:
>> A student in a college dorm room with an uncontrolled DHCP address may not be able to run a server, even though they have more than enough symmetric Gig-ethernet bandwidth and you know what dorm it is physically located because all student servers look alike. On the other hand, a mobile
>
> This is a topic I get very soap-boxish about. I have too many problems with providers who don't understand the college student market. I can think of one university who requires students to login through a web portal before giving them a routable address. This is such a waste of time for both parties. Sure it makes tracking down the abusers much easier, but is it worth the time and effort to manage? This is a very legitimate idea for public portals in common areas, but not in dorm rooms. In a dorm room situation or an apartment situation, you again know the physical port the DHCP request came in on. You then know which room that port is connected to and you therefore have a general idea of who the abuser is. So what's the big deal if you turn off the ports to the room until the users complain and the problem is resolved?
>
> I guess this requires very detailed cable map databases and is something some providers are reluctant to develop. Scary thought.....
>
> Andrew
I'm curious about the concept of "College Student Market". We have several thousand students in our dorms who only have two choices for Internet service - our dedicated Ethernet or their dial-up (which they would have to pay for). We firewall them, packet shape them and don't pay much attention when they saturate their router. Housing has a choice to use campus services or go outside for Internet service - a much more expensive choice considering the amount they pay the campus.

We respond to complaints about abusers on the ResNet by first disabling the port. This is considered a strike against the resident for an AUP violation. In theory, three strikes and they're out. After we upgrade the ResNet equipment, we're planning on 802.1x authentication on the port. I'm toying with suggesting certificates so we can simply revoke a cert if someone is a serious abuser, which could (in theory) deny their workstation (laptop in most cases) access to the campus network. The problem with this idea is the amount of overhead required to manage the certificate infrastructure.

As to the question of "is it worth the time and effort to manage", I think yes. When the SQL Slammer worm hit last year, I put blocks at the border and blocks between subnets to contain the problem as best I could for two reasons (well, could be more but this is all I'm going to point out):

1 - Maintaining the usability of the campus network.
2 - Protecting the Internet in general from us.

How many ISPs care about either? How many won't do either because it would affect their bottom line?

Back to the original topic. We have a fairly good cable map. We can track DHCP and can even black hole a MAC address so it can't get an address. Why would we want a user to authenticate to the network? It adds accountability and a little more paranoia that if they do something they shouldn't, they'll get caught and we'll turn them off.
Remember: If you ask a student about their Internet access, you'll hear that it's free and they shouldn't be restricted as to what they can do. Ken
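The workflow both posters describe (DHCP request seen on a known switch port, port mapped to a room via the cable map, port disabled and a strike recorded against the room) can be sketched as a small correlation script. This is an added example, not code from either poster or from any campus network: the dhcpd-style DHCPACK log lines, the MAC-address-table snapshot, the cable map and the room numbers are all constructed sample data, and the three-strike `StrikePolicy` class is an assumption modelled on Ken's description rather than any real tool. The point it makes that the prose does not is that the lease lookup has to be time-aware: a dynamic address is handed to a different MAC later in the day, so a complaint that only names an IP is useless without the time it was observed.

```python
"""Correlate an abuse complaint (IP + time) with a switch port and dorm room.

All data below is constructed for illustration; the log format follows the
ISC dhcpd "DHCPACK on <ip> to <mac> [(hostname)] via <iface>" syslog shape.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed DHCP server syslog lines. Note 10.20.5.17 is re-leased to a
# different MAC in the afternoon, so the complaint time decides the answer.
DHCP_LOG = """\
Mar 14 09:12:01 dhcp1 dhcpd: DHCPACK on 10.20.5.17 to 00:11:22:33:44:55 via eth0
Mar 14 09:40:12 dhcp1 dhcpd: DHCPACK on 10.20.5.18 to 00:11:22:33:44:66 (laptop2) via eth0
Mar 14 13:05:44 dhcp1 dhcpd: DHCPACK on 10.20.5.17 to 00:11:22:33:44:77 via eth0
"""

# Constructed MAC-address-table snapshot from the dorm edge switch: MAC -> (switch, port).
MAC_TABLE = {
    "00:11:22:33:44:55": ("dorm-a-sw1", "Gi1/0/7"),
    "00:11:22:33:44:66": ("dorm-a-sw1", "Gi1/0/8"),
    "00:11:22:33:44:77": ("dorm-a-sw1", "Gi1/0/9"),
}

# Constructed cable map (the database Andrew says providers are reluctant to build).
CABLE_MAP = {
    ("dorm-a-sw1", "Gi1/0/7"): "A-214",
    ("dorm-a-sw1", "Gi1/0/8"): "A-215",
    ("dorm-a-sw1", "Gi1/0/9"): "A-216",
}

LEASE_RE = re.compile(
    r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to (\S+)(?: \(.*?\))? via"
)


def parse_ts(stamp, year=2004):
    """Turn a syslog 'Mon DD HH:MM:SS' stamp into a datetime (syslog omits the year)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_leases(log):
    """Return [(timestamp, ip, mac)] for every DHCPACK line; other lines are ignored."""
    leases = []
    for line in log.splitlines():
        m = LEASE_RE.match(line)
        if m:
            leases.append((parse_ts(m.group(1)), m.group(2), m.group(3).lower()))
    return leases


def mac_at(leases, ip, when):
    """MAC holding `ip` at time `when`: the latest ACK for that IP at or before `when`."""
    t = parse_ts(when)
    hits = [(ts, mac) for ts, lip, mac in leases if lip == ip and ts <= t]
    return max(hits)[1] if hits else None


def locate(leases, ip, when):
    """Resolve a complaint to mac/switch/port/room; fields are None where the maps have gaps."""
    mac = mac_at(leases, ip, when)
    if mac is None:
        return None
    switch, port = MAC_TABLE.get(mac, (None, None))
    return {"mac": mac, "switch": switch, "port": port, "room": CABLE_MAP.get((switch, port))}


class StrikePolicy:
    """Hypothetical three-strikes AUP handling: disable the port, count a strike per room."""

    def __init__(self, limit=3):
        self.limit = limit
        self.strikes = Counter()
        self.disabled_ports = set()

    def handle(self, leases, ip, when):
        loc = locate(leases, ip, when)
        if loc is None or loc["port"] is None:
            return None  # cannot act without a port; needs manual follow-up
        self.disabled_ports.add((loc["switch"], loc["port"]))
        self.strikes[loc["room"]] += 1
        loc["strikes"] = self.strikes[loc["room"]]
        loc["out"] = loc["strikes"] >= self.limit
        return loc


if __name__ == "__main__":
    leases = parse_leases(DHCP_LOG)
    policy = StrikePolicy()
    for when in ("Mar 14 10:00:00", "Mar 14 14:00:00"):
        print(when, policy.handle(leases, "10.20.5.17", when))
```

In practice the MAC table would be polled from the switch (or the port learned directly from DHCP option 82 / snooping bindings) rather than a static snapshot, and the strike counter keyed on the resident rather than the room; the script keeps those as dictionaries only to show the joins involved.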