Change Campus-wide MTU



  • I work in Information Technology at University of Miami, and a few months ago we received a rather hilarious email from a student. I've snipped parts that aren't pertinent or are too personal.

    To whom it may concern,

    I am trying to connect my Xbox to play Xbox live in my dorm room but the MTU setting is not sufficient.  The minimum MTU setting needed to play on Xbox live is 1364 and I want to know what the setting is now and why I cannot have this setting raised to support Xbox live.  I called the IT department and they told me it is for security purposes but I don't think there is any security issue by playing a video game on Xbox live. If it isn't possible to change the MTU setting for my connection, who can I talk to to make a change for the entire campus.  Videogames are something I enjoy as do many other students living on campus and if we are just playing a videogame and not doing any illegal activity, I see no problem.  Thank you and I look forward to speaking with someone soon.

    Yep, a student asked us if we could change the MTU on the entire campus so he could play XBox Live.
     
    The great part is that the MTU wasn't even the issue. The campus is a standard Ethernet setup, and the MTU is 1500. What's happening is that his XBox isn't registered on our network - we do MAC authentication, as well as user login (captive portal) for dorm and wireless sessions. Without some hacking, it's impossible to get an XBox to do that. There are workarounds that students are doing, and I have seen someone playing XBox Live on campus without a problem - I even played for a little bit. It works fine.

    It's just hilarious that he sent an email to IT asking them to make a change to the entire campus just for him - especially when the change he requested wouldn't have fixed his problem.
     



  • He did correctly state that this isn't just for his benefit.  The real wtf is that IT didn't tell him (or know) that the MTU is set to the standard 1500.



  • [quote user="Pap"]He did correctly state that this isn't just for his benefit.  The real wtf is that IT didn't tell him (or know) that the MTU is set to the standard 1500.[/quote]

     

    Agreed.
     



  • When I went to college, there was no network to sign on to (*feels old*)

    If you don't mind, in this context, what's an 'MTU'?



  • [quote user="snoofle"]

    When I went to college, there was no network to sign on to (feels old)

    If you don't mind, in this context, what's an 'MTU'?

    [/quote]

    Rats - by the time I found it on google, the delete-timeout expired. Sorry.



  • I'm not quite sure why the people he asked didn't know what the MTU is set to. They aren't part of the network group, but I'd think they would have been able to find the MTU anyway. Though, I have seen one of the techs loop two VLANs together during back to school taking down an entire segment of campus while spanning tree kicked in, so I'm not surprised by anything. =P


    The thing that I think is funny is that he asked for us to change the entire campus without even having the slightest clue how complex the network is. I'm also wondering how the guy arrived at the conclusion that the MTU was below 1364 when it isn't.



  • [quote user="Thalagyrt"]I'm also wondering how the guy arrived at the conclusion that the MTU was below 1364 when it isn't.[/quote]

    I'm sure he posted about his inability to play on some message board, and someone responded with "Do what I did -- get the admin to make sure the MTU is set higher than 1364"

    This isn't really a WTF -- the perp's a user.  To be a WTF, the perp must be someone who's supposed to know better.

     

    I'd assume you get far stupider questions than this all the time, from people who would probably guess that MTU stands for Metro Transit Union, if you asked.

     

    Anyway, sounds like all he'd really need to do is plug his xbox into a PC set up for Internet Connection Sharing.
     



  • For those who, like me, don't know what MTU stands for.
    Apparently it's a limit on the package size a network will handle; if the limit is reached, the package gets broken up into smaller packages.

    http://www.webopaedia.com/TERM/M/MTU.html

    Now I know next to nothing about networks and the tubes that connect us to the internet. But how could a game care about the package size? I was always under the impression that lower level drivers cared about such stuff, and applications could care less. (Somewhere in a grey past I saw an OSI model or something.)

     



  • Do you not think that the Xbox has drivers for its ethernet port?



  • [quote user="Thalagyrt"]What's happening is that his XBox isn't registered on our network - we do MAC authentication, as well as user login (captive portal) for dorm and wireless sessions. Without some hacking, it's impossible to get an XBox to do that. There are workarounds that students are doing, and I have seen someone playing XBox Live on campus without a problem[/quote]

    I don't know why people insist on these "MAC authentication" schemes, it's not like they accomplish anything. When I was a student and faced with one of these things, I just located an old pentium box that was gathering dust, shoved a couple of network cards in it, and set it up as a NAT device to defeat the pesky thing and let me do what I wanted. Nowadays you can buy a combined switch/NAT device on the high street that will do the same thing, such as the ones labelled as a 'firewall/router' from Netgear. That should solve the problem, not really much of a hack.

     (Then later, just for laughs and to send a 'fuck you' to the admins who thought this was a good idea, I rigged the box to change its MAC address to a random value every night and reauthenticate, but that isn't really relevant here)



  • [quote user="asuffield"]

    [quote user="Thalagyrt"]What's happening is that his XBox isn't registered on our network - we do MAC authentication, as well as user login (captive portal) for dorm and wireless sessions. Without some hacking, it's impossible to get an XBox to do that. There are workarounds that students are doing, and I have seen someone playing XBox Live on campus without a problem[/quote]

    I don't know why people insist on these "MAC authentication" schemes, it's not like they accomplish anything. When I was a student and faced with one of these things, I just located an old pentium box that was gathering dust, shoved a couple of network cards in it, and set it up as a NAT device to defeat the pesky thing and let me do what I wanted. Nowadays you can buy a combined switch/NAT device on the high street that will do the same thing, such as the ones labelled as a 'firewall/router' from Netgear. That should solve the problem, not really much of a hack.

    (Then later, just for laughs and to send a 'fuck you' to the admins who thought this was a good idea, I rigged the box to change its MAC address to a random value every night and reauthenticate, but that isn't really relevant here)

    [/quote]

    At my university, you get 1 IP address as standard, which their DHCP assigns to one MAC address. If you change your system you have to use the web interface on another system to change the MAC. If you want extra IP addresses, in theory you need to ask the administration; in practice you can go straight to the IT techs and they'll do it. I'm not sure if they'd register an XBox though. These are global IPs so it's not unreasonable for the uni to not want one student to start hogging dozens. Use of the university's proxy/cache server seems to be optional: since bandwidth limits do not apply to 'internal' bandwidth the cache could be useful in that respect, OTOH it probably makes you more likely to get caught viewing material that's against the regulations.

    The initial setup procedure gives you a temporary address, and when you try to go online, you get diverted to the signup page.

    Wireless is handled differently. It's an unencrypted network using VPN to handle the security. Anyone can connect, but without a VPN account they can only see a page telling them they need a VPN account, which if they're not at the uni, they won't be able to get.

    AFAIK there's no rule against running your own NAT if you do need to run a lot of machines. But you're responsible for everything that's done from an IP assigned to you, unless you can prove spoofing of course. So you would want to be careful if you set up your own wireless access point. Plus one thing the IT dept. gets really annoyed about is when people run their own DHCP servers, which causes havoc, and can happen accidentally, say if a Windows machine with Internet Connection Sharing is brought from home and plugged into the uni network.

    Try your changing trick, however, and you'll just find yourself unable to access the network until you put it back to the real value.
     



  • [quote user="asuffield"]

    [quote user="Thalagyrt"]What's happening is that his XBox isn't registered on our network - we do MAC authentication, as well as user login (captive portal) for dorm and wireless sessions. Without some hacking, it's impossible to get an XBox to do that. There are workarounds that students are doing, and I have seen someone playing XBox Live on campus without a problem[/quote]

    I don't know why people insist on these "MAC authentication" schemes, it's not like they accomplish anything. When I was a student and faced with one of these things, I just located an old pentium box that was gathering dust, shoved a couple of network cards in it, and set it up as a NAT device to defeat the pesky thing and let me do what I wanted. Nowadays you can buy a combined switch/NAT device on the high street that will do the same thing, such as the ones labelled as a 'firewall/router' from Netgear. That should solve the problem, not really much of a hack.

     (Then later, just for laughs and to send a 'fuck you' to the admins who thought this was a good idea, I rigged the box to change its MAC address to a random value every night and reauthenticate, but that isn't really relevant here)

    [/quote]

    The NAT would work fine and we don't really care as long as it doesn't interrupt the rest of the network. As for the MAC authentication, it's for many reasons, but mostly accountability. They actually do accomplish the goal, and do it perfectly, which is to control access to the network. We don't want anyone and their mom coming onto campus and getting access to our network. We also want to be able to trace everything back to an individual user for liability issues. Without the authentication scheme, we can't tell you which student was doing what. When you have 30 thousand machines on the network, all with DHCP, you need to have some way to keep track of them. And yes, that number isn't an exaggeration, we have easily 30 thousand computers on campus.

    Example of why this is good: Student gets on Limewire, starts sharing ten thousand songs across the internet. The RIAA finds out, and sues the school. We don't know who it is, so we have to fight the lawsuit ourselves out of our own pockets. Without the MAC auth and a captive portal, we really have no way to know who was doing the sharing, since the computer and session aren't tied to a user. With the MAC auth and portal, we can tell who each computer belongs to, and we can kill their sessions immediately if we have to. Also, with this, we can simply disable a person if they're causing trouble - before they become a liability to the school and themselves. Our packet shapers look for P2P type traffic and immediately terminate the user's session entirely until they call the help desk and resolve it. All the student will be able to get to is a web page that tells them they've violated the campus computer usage agreement and must call the help desk.

    Doing MAC authentication at a typical business where you have control of every computer in the building is pretty pointless. Doing it on a campus where you don't have control over them is very useful, because you can then hold people accountable for their actions. The whole point isn't to be draconian, it's to have a good means of damage control and damage prevention.



  • Adding to that: As for the changing the MAC, you'd find in the morning that your router would simply not have an IP address, and you wouldn't be able to get online.



  • [quote user="Thalagyrt"][quote user="asuffield"]

    [quote user="Thalagyrt"]What's happening is that his XBox isn't registered on our network - we do MAC authentication, as well as user login (captive portal) for dorm and wireless sessions. Without some hacking, it's impossible to get an XBox to do that. There are workarounds that students are doing, and I have seen someone playing XBox Live on campus without a problem[/quote]

    I don't know why people insist on these "MAC authentication" schemes, it's not like they accomplish anything. When I was a student and faced with one of these things, I just located an old pentium box that was gathering dust, shoved a couple of network cards in it, and set it up as a NAT device to defeat the pesky thing and let me do what I wanted. Nowadays you can buy a combined switch/NAT device on the high street that will do the same thing, such as the ones labelled as a 'firewall/router' from Netgear. That should solve the problem, not really much of a hack.

     (Then later, just for laughs and to send a 'fuck you' to the admins who thought this was a good idea, I rigged the box to change its MAC address to a random value every night and reauthenticate, but that isn't really relevant here)

    [/quote]

    The NAT would work fine and we don't really care as long as it doesn't interrupt the rest of the network. As for the MAC authentication, it's for many reasons, but mostly accountability. They actually do accomplish the goal, and do it perfectly, which is to control access to the network. We don't want anyone and their mom coming onto campus and getting access to our network. We also want to be able to trace everything back to an individual user for liability issues. Without the authentication scheme, we can't tell you which student was doing what. When you have 30 thousand machines on the network, all with DHCP, you need to have some way to keep track of them. And yes, that number isn't an exaggeration, we have easily 30 thousand computers on campus.

    Example of why this is good: Student gets on Limewire, starts sharing ten thousand songs across the internet. The RIAA finds out, and sues the school. We don't know who it is, so we have to fight the lawsuit ourselves out of our own pockets. Without the MAC auth and a captive portal, we really have no way to know who was doing the sharing, since the computer and session aren't tied to a user. With the MAC auth and portal, we can tell who each computer belongs to, and we can kill their sessions immediately if we have to. Also, with this, we can simply disable a person if they're causing trouble - before they become a liability to the school and themselves. Our packet shapers look for P2P type traffic and immediately terminate the user's session entirely until they call the help desk and resolve it. All the student will be able to get to is a web page that tells them they've violated the campus computer usage agreement and must call the help desk.

    Doing MAC authentication at a typical business where you have control of every computer in the building is pretty pointless. Doing it on a campus where you don't have control over them is very useful, because you can then hold people accountable for their actions. The whole point isn't to be draconian, it's to have a good means of damage control and damage prevention.
    [/quote]

    You wouldn't be an IT admin at Rochester Institute of Technology, because that sounds like the exact policy and setup we have here. The only difference is the Resident Network (RESnet) and the main campus network are separate, so if you have a laptop, you'll need to register your machine on both. That being said, I have about four devices registered to my account - my MacBook Pro, my T-Mobile MDA, my DS (had to get the MacBook to spoof its MAC Address to match the DS, and then register that to my account), and my Linksys WRT54GS.



  • [quote user="Michael Casadevall"]

    You wouldn't be an IT admin at Rochester Institute of Technology, because that sounds like the exact policy and setup we have here. The only difference is the Resident Network (RESnet) and the main campus network are separate, so if you have a laptop, you'll need to register your machine on both. That being said, I have about four devices registered to my account - my MacBook Pro, my T-Mobile MDA, my DS (had to get the MacBook to spoof its MAC Address to match the DS, and then register that to my account), and my Linksys WRT54GS.
    [/quote]

    University of Miami. And actually the dorm connections and business/school connections are separate. The dorms are on CaneNet, which requires a login and gets private IP space only, and the rest of campus is on our class B subnet for the most part. It's a different registration for each.



  • [quote user="Thalagyrt"]

    The NAT would work fine and we don't really care as long as it doesn't interrupt the rest of the network. As for the MAC authentication, it's for many reasons, but mostly accountability. They actually do accomplish the goal, and do it perfectly, which is to control access to the network. We don't want anyone and their mom coming onto

    [/quote]

    They do it perfectly?

    What's to prevent someone from collecting a list of MAC addresses from the ARP cache after pinging a couple uni subnets, then using them when their proper owners are offline?



  • You'd still need their campus username and password for the session to be tied to them, which I doubt you'd have. There's a captive portal that authenticates against that.



  • [quote user="Thalagyrt"]Also, with this, we can simply disable a person if they're causing trouble - before they become a liability to the school and themselves.[/quote]

    Exactly how far do you go when you "disable a person"?  Do you chop off their hands?  Gouge out their eyes?

    (Sorry, just couldn't resist.)



  • [quote user="GeekMessage"]

    [quote user="Thalagyrt"]Also, with this, we can simply disable a person if they're causing trouble - before they become a liability to the school and themselves.[/quote]

    Exactly how far do you go when you "disable a person"?  Do you chop off their hands?  Gouge out their eyes?

    (Sorry, just couldn't resist.)

    [/quote]

    Ahahaha! Nah, just block them from getting to anything but one server that basically tells them they've been naughty. Though, chopping off their hands would fix the problem of them violating the usage policy again. ;-)



  • [quote user="Thalagyrt"]Adding to that: As for the changing the MAC, you'd find in the morning that your router would simply not have an IP address, and you wouldn't be able to get online.[/quote]

    You're missing the point. I used random MAC addresses there because I was only trying to demonstrate it. Had I actually been trying to evade the system, I wouldn't have used a random MAC address, I'd have used one from somebody else's system (one that wasn't in use right then, but which was currently authenticated).

    If you want to authenticate users in a university dorm, then you need to authenticate them by network point (this is relatively simple if you have managed switches, and impossible if you don't). The MAC address doesn't tell you anything more than the IP address would, because the users can change both to be whatever they want.

    (I actually maintain a system that authenticates people by their physical connection as part of my day job, in a scenario that is not hugely different from this one)



  • [quote user="asuffield"]You're missing the point. I used random MAC addresses there because I was only trying to demonstrate it. Had I actually been trying to evade the system, I wouldn't have used a random MAC address, I'd have used one from somebody else's system (one that wasn't in use right then, but which was currently authenticated).

    If you want to authenticate users in a university dorm, then you need to authenticate them by network point (this is relatively simple if you have managed switches, and impossible if you don't). The MAC address doesn't tell you anything more than the IP address would, because the users can change both to be whatever they want.

    (I actually maintain a system that authenticates people by their physical connection as part of my day job, in a scenario that is not hugely different from this one)[/quote]

    We use a combination MAC auth on the wireless APs as well as user auth via a Vernier Edgewall on both wired and wireless.

    I think you're missing one of my points. I've mentioned the captive portal at least three times now, I don't see why you seem to think we're only doing MAC authentication. Actually as of right now we only do user authentication in the dorms, because we have fairly old switches in there which we're planning on replacing within the next few months. The MAC auth is only for wireless currently.

    Unless you steal someone else's username and password, you won't be getting online if your username is disabled, and usernames are what we usually disable - not MAC addresses. People won't lend you their username and password because that's the same login info for access to the rest of the campus services, and on top of that because everything you do would be tied to their username.



  • [quote user="Thalagyrt"]

    I think you're missing one of my points. I've mentioned the captive portal at least three times now, I don't see why you seem to think we're only doing MAC authentication. Actually as of right now we only do user authentication in the dorms, because we have fairly old switches in there which we're planning on replacing within the next few months. The MAC auth is only for wireless currently.

    Unless you steal someone else's username and password, you won't be getting online if your username is disabled, and usernames are what we usually disable - not MAC addresses. People won't lend you their username and password because that's the same login info for access to the rest of the campus services, and on top of that because everything you do would be tied to their username.

    [/quote]

    I don't think anyone's being intentionally obtuse, but you haven't really addressed the issue of using someone else's MAC address.  You've been pretty short on detail describing this "captive portal", but it sounds as if that's where people are redirected after acquiring a network address via DHCP.

    Forget DHCP.  Find a MAC with an attached IP address that becomes available (i.e. the machine is turned off).  That MAC/IP combo is already authenticated.  Set your MAC address and a static IP address to match.  Unless your system attaches the authentication to the physical network port, the machine with the purloined MAC address would already be authenticated.  On a network with 30,000 computers, what are the odds that the hardware is in place to trace each MAC address to a specific port, or even a specific switch?

     

     



  • We all do stupid things in college

    We all do stupid things in college, so we should cut our friend a little slack.

    When I moved in at the beginning of my second year, I plugged my computer into the phone jack. They were right next to each other and they both used RJ-45 connectors (which will accept a standard RJ-11 phone cable). Two of the same part--less complexity from a maintenance perspective.

    Needless to say, my ethernet card was behaving like it had no connection. I went to the "I need help" table with reps from the Registrar, IT, Telecomm, etc. I told the Telecomm guy (whom I happened to know personally in passing) my problem and he politely asked me if I was sure I plugged it into the right jack; then he showed me a photo of the wall unit with ethernet and phone right next to each other. They're labeled of course.

    I felt like an idiot for a couple of days. :^)
     



  • [quote user="Thanny"]

    Forget DHCP. Find a MAC with an attached IP address that becomes available (i.e. the machine is turned off). That MAC/IP combo is already authenticated. Set your MAC address and a static IP address to match. Unless your system attaches the authentication to the physical network port, the machine with the purloined MAC address would already be authenticated.

    [/quote]

    Furthermore, if you do attach the authentication to the physical network point, then you no longer care about the MAC addresses. There are several ways to solve this problem effectively, but none of them involve MAC addresses.

    (And physical port authentication is so easy on a large centrally-maintained network that there is absolutely no excuse for not using it - plus it has the advantage that it's completely transparent, and the users are not pestered with unnecessary login dialogs)
     



  • [quote user="asuffield"][quote user="Thanny"]

    Forget DHCP. Find a MAC with an attached IP address that becomes available (i.e. the machine is turned off). That MAC/IP combo is already authenticated. Set your MAC address and a static IP address to match. Unless your system attaches the authentication to the physical network port, the machine with the purloined MAC address would already be authenticated.

    [/quote]

    Furthermore, if you do attach the authentication to the physical network point, then you no longer care about the MAC addresses. There are several ways to solve this problem effectively, but none of them involve MAC addresses.

    (And physical port authentication is so easy on a large centrally-maintained network that there is absolutely no excuse for not using it - plus it has the advantage that it's completely transparent, and the users are not pestered with unnecessary login dialogs)
     

    [/quote]

    Yep, however the switches we have in the dorms right now are 10 year old Cabletron junkers that you could probably pick up for like $20 on eBay. They don't even support any form of MAC authentication, and physical port authentication, well, I don't think I need to say any more. We're replacing them this year with brand new Foundry switches, but until then, we have to make do with what we can. I'll bring up the physical port authentication once we get the new switches in, I do believe the Vernier boxes can communicate with the switches and tie a session to a port.
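    The point asuffield and Thanny make above, that a session is only trustworthy if it is bound to the physical switch port it authenticated from, can be checked from the defender's side with ordinary switch MAC-table polling. The following is an added example, not code from the thread or from Vernier or Foundry products; the session table, the MAC-table observations and all names are constructed for the example.

```python
"""Bind a captive-portal session to the switch port it logged in from and flag
a MAC address that later shows up on a different port.

All sample data below is constructed for this example; field names are assumptions.
"""
from collections import namedtuple

Session = namedtuple("Session", "user mac ip switch port")
Seen = namedtuple("Seen", "ts switch port mac")

# Constructed portal session table: each login is bound to the port it came from.
SESSIONS = [
    Session("alice", "00:11:22:33:44:55", "10.20.1.10", "dorm-sw1", "Gi1/0/12"),
    Session("bob",   "00:11:22:33:44:66", "10.20.1.11", "dorm-sw1", "Gi1/0/13"),
]

# Constructed MAC-table observations, e.g. polled from the switches every minute.
OBSERVATIONS = [
    Seen(100, "dorm-sw1", "Gi1/0/12", "00:11:22:33:44:55"),  # alice where expected
    Seen(100, "dorm-sw1", "Gi1/0/13", "00:11:22:33:44:66"),  # bob where expected
    Seen(160, "dorm-sw1", "Gi1/0/13", "00:11:22:33:44:66"),
    Seen(220, "dorm-sw1", "Gi1/0/12", "00:11:22:33:44:55"),
    Seen(220, "dorm-sw2", "Gi1/0/07", "00:11:22:33:44:55"),  # alice's MAC on a second port
    Seen(300, "dorm-sw2", "Gi1/0/07", "00:11:22:33:44:55"),  # alice's own port now silent
]


def check_port_binding(sessions, observations, window=60):
    """Return alerts for authenticated MACs observed away from their bound port.

    Two cases are reported:
      'duplicate' - the MAC was active on its bound port within `window` seconds
                    of appearing on another port (two hosts sharing one address)
      'moved'     - the MAC appears only on a port other than the bound one
                    (consistent with a cloned address while the owner is idle)
    Each alert is (kind, user, mac, "switch/port", timestamp).
    """
    bound = {s.mac: s for s in sessions}
    last_seen = {}  # (mac, switch, port) -> last timestamp observed there
    alerts = []
    for o in sorted(observations, key=lambda x: x.ts):
        s = bound.get(o.mac)
        if s is None:
            continue  # never authenticated: the portal redirects it anyway
        last_seen[(o.mac, o.switch, o.port)] = o.ts
        if (o.switch, o.port) == (s.switch, s.port):
            continue  # on the port it logged in from, nothing to report
        home_ts = last_seen.get((o.mac, s.switch, s.port))
        recent_at_home = home_ts is not None and o.ts - home_ts <= window
        kind = "duplicate" if recent_at_home else "moved"
        alerts.append((kind, s.user, o.mac, f"{o.switch}/{o.port}", o.ts))
    return alerts


def main():
    for kind, user, mac, where, ts in check_port_binding(SESSIONS, OBSERVATIONS):
        print(f"t={ts} {kind}: {user}'s MAC {mac} seen on {where}")


if __name__ == "__main__":
    main()
```

    A 'moved' alert is the signal to drop the session rather than trust the address; a 'duplicate' alert usually means a cloned or misconfigured host and is worth a look either way.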

