Educause Security Discussion mailing list archives

Re: Large edu's doing NAT campus wide?


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Sun, 29 Apr 2007 08:24:47 -0700

Jeff mentioned:

#I agree that the security aspects are debatable, but it's inline with
#the conservative nature of security: permit only what's necessary. If a
#device (LOM, KVM, printers, etc) doesn't need to be globally accessible,
#yadda yadda.

I probably should have mentioned the context for my query: I'm putting
together a talk describing some of the ways in which higher ed system
and network architectures might make attribution of traffic to a
particular individual somewhat tricky w/o the timely and active
participation of the local administrator(s).

That is, there are many entities who seem to assume that IP address plus
time stamp and time zone --> unique individual, and sometimes (when the
end-to-end model holds up, and the stars otherwise align) that can be
true.

On the other hand, I think there may be a growing number of instances
when an IP address plus a time stamp and time zone map to a few hundred
(or thousand) individuals, and reducing the size of that set any further
can only be done if you have access to log files, etc. Examples include:

-- campus wide NATs using just one (or a small number of) shared public
   gateway address

-- large shell account hosts (we could talk about identd I suppose)

-- traffic from campus proxy servers (we could talk about things like
   HTTP_X_FORWARDED_FOR when it is used, I suppose)

etc.

Let me also take this opportunity to thank all those who sent along
examples of campus-wide NATs...

Regards,

Joe St Sauver (joe () oregon uoregon edu)
http://www.uoregon.edu/~joe/
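As an added illustration of the attribution problem described in the post above (this is example code, not part of the original message), the Python below correlates a complainant's "address + time stamp + time zone" against a constructed NAT translation log. The log format, the 10.20.x.x inside hosts, the shared gateway address 198.51.100.7 and all times are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample of a campus NAT gateway's translation log (hypothetical
# format): "<start_utc> <end_utc> <inside_ip>:<port> -> <outside_ip>:<port>".
# Every flow leaves campus as the single shared public address 198.51.100.7.
NAT_LOG = """\
2007-04-28T15:59:50Z 2007-04-28T16:00:40Z 10.20.1.15:51234 -> 198.51.100.7:40001
2007-04-28T16:00:02Z 2007-04-28T16:03:11Z 10.20.7.88:49222 -> 198.51.100.7:40002
2007-04-28T16:00:05Z 2007-04-28T16:00:09Z 10.20.3.41:60010 -> 198.51.100.7:40003
2007-04-28T16:02:00Z 2007-04-28T16:02:30Z 10.20.1.15:51240 -> 198.51.100.7:40001
"""

@dataclass
class NatRecord:
    start: datetime    # translation created (UTC)
    end: datetime      # translation torn down (UTC)
    inside_ip: str
    outside_ip: str
    outside_port: int

def parse_utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_nat_log(text: str) -> List[NatRecord]:
    records = []
    for line in text.splitlines():
        start, end, inside, _, outside = line.split()
        out_ip, out_port = outside.rsplit(":", 1)
        records.append(NatRecord(parse_utc(start), parse_utc(end),
                                 inside.rsplit(":", 1)[0], out_ip, int(out_port)))
    return records

def report_time_utc(local_stamp: str) -> datetime:
    """Normalise a reporter's 'YYYY-MM-DD HH:MM:SS +HHMM' to UTC. Without the
    zone offset the lookup below lands on the wrong hour of translations."""
    return datetime.strptime(local_stamp, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)

def candidates(records: List[NatRecord], outside_ip: str, when: datetime,
               outside_port: Optional[int] = None,
               slack: timedelta = timedelta(0)) -> List[str]:
    """Inside hosts whose translation to outside_ip was live at `when`.
    Address + time alone yields every concurrent flow (the 'few hundred
    individuals' case); the source port the remote side saw usually narrows
    it to one host, but ports are reused, so the time still matters.
    `slack` absorbs clock skew between the reporter and the gateway."""
    hits = set()
    for r in records:
        if r.outside_ip != outside_ip:
            continue
        if outside_port is not None and r.outside_port != outside_port:
            continue
        if r.start - slack <= when <= r.end + slack:
            hits.add(r.inside_ip)
    return sorted(hits)
```

Run against the sample, an address and time stamp alone return three inside hosts; adding the observed source port collapses the set to one.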
