Educause Security Discussion mailing list archives

Re: Large edu's doing NAT campus wide?


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Mon, 30 Apr 2007 09:38:37 +1200

Joe St Sauver wrote:
> On the other hand, I think there may be a growing number of instances
> when an IP address plus a time stamp and time zone map to a few hundred
> (or thousand) individuals, and reducing the size of that set any further
> can only be done if you have access to log files, etc. Examples include:
>
> -- campus wide NATs using just one (or a small number of) shared public
>    gateway address

We are using NAT for our resnet and this drove me nuts until I moved
sensors into the network itself.

> -- large shell account hosts (we could talk about identd I suppose)

We used to have these and got around the problem by forcing traffic
through a proxy which used inetd.

> -- traffic from campus proxy servers (we could talk about things like
>    HTTP_X_FORWARDED_FOR when it is used, I suppose)

I hate squid logs :(

I've had a couple of half-hearted attempts to write scripts that matched
Snort alerts to squid logs to track down machines infected by spyware.
Both times I've given up before producing something useful (clocks never
match exactly :( ).

How do folk cope with dynamic DHCP?  At the moment we generally use
static addressing but our network management really like the idea of not
having to keep track of IP address allocations...

With our wireless setup I've got stuff in a database which can be queried
but it isn't that fast.  If someone has come up with a schema and
queries that can identify who was using an IP at a particular time from a
table of DHCP and RADIUS records *without* having to sort multiple
results then I'd love to have it :)

Russell.
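The two problems raised in this message (matching Snort alerts to squid logs when the clocks disagree, and resolving an internal IP to a user from DHCP and RADIUS records without sorting through multiple rows) can be handled together in one small attribution script. The following is an added example, not code from Russell or from this list; the squid lines, the Snort fast-alert line, the lease and session rows, and the table schema are all constructed for the example, the year 2007 is assumed because Snort fast alerts carry no year, and the 30-second skew window is an assumed tolerance. The key ideas are to compare the alert time against the *interval* a proxied request occupied (squid logs the completion time plus elapsed milliseconds) widened by the clock tolerance, to only match squid entries that actually contacted the alerted destination (cache hits never did), and to store lease and session end times so a point-in-time lookup returns exactly the rows active at that instant.

```python
"""Attribute a Snort alert seen at the proxy's public address to a user.

Pipeline: Snort alert -> squid entries overlapping it (with clock skew)
-> internal client IP -> DHCP lease active then -> RADIUS session (user).
All sample data below is constructed for this example.
"""
import re
import sqlite3
from datetime import datetime, timezone

YEAR = 2007          # assumed: Snort fast alerts have no year field
CLOCK_SKEW = 30.0    # assumed tolerance (s) between sensor and proxy clocks

# Constructed squid native-format lines: ts elapsed_ms client code/status
# bytes method url rfc931 peerstatus/peerhost type
SQUID_LOG = """\
1177923600.123    120 10.20.30.41 TCP_MISS/200 5120 GET http://updates.adware.test/payload.exe - DIRECT/203.0.113.9 application/octet-stream
1177923605.500     80 10.20.30.42 TCP_HIT/200 900 GET http://www.example.edu/ - NONE/- text/html
1177923621.900    200 10.20.30.41 TCP_MISS/200 800 GET http://updates.adware.test/check - DIRECT/203.0.113.9 text/plain
"""

# Constructed Snort fast-format alert; the sensor clock runs ~12 s ahead.
SNORT_ALERT = ("04/30-09:00:12.400000  [**] [1:1000001:1] EXAMPLE spyware checkin "
               "[**] [Classification: Misc activity] [Priority: 3] {TCP} "
               "192.0.2.10:51234 -> 203.0.113.9:80")

# Hypothetical schema: every lease and session row carries an end time, so a
# point-in-time query returns only rows active at that instant.
SCHEMA = """
CREATE TABLE dhcp_lease (ip TEXT, mac TEXT, start_ts REAL, end_ts REAL);
CREATE TABLE radius_session (mac TEXT, username TEXT, start_ts REAL, stop_ts REAL);
CREATE INDEX dhcp_ip_time ON dhcp_lease (ip, start_ts, end_ts);
CREATE INDEX radius_mac_time ON radius_session (mac, start_ts, stop_ts);
"""
LEASES = [  # constructed: 10.20.30.41 is handed to a second MAC at 10:00 UTC
    ("10.20.30.41", "00:11:22:33:44:55", 1177920000.0, 1177927200.0),
    ("10.20.30.41", "66:77:88:99:aa:bb", 1177927200.0, 1177934400.0),
    ("10.20.30.42", "cc:dd:ee:ff:00:11", 1177920000.0, 1177927200.0),
]
SESSIONS = [  # constructed RADIUS accounting; NULL stop_ts = still open
    ("00:11:22:33:44:55", "jsmith", 1177919990.0, 1177927100.0),
    ("66:77:88:99:aa:bb", "adoe", 1177927150.0, None),
    ("cc:dd:ee:ff:00:11", "bjones", 1177919995.0, None),
]
WHO_QUERY = """
SELECT r.username, l.mac
FROM dhcp_lease AS l
JOIN radius_session AS r ON r.mac = l.mac
WHERE l.ip = :ip
  AND l.start_ts <= :t AND :t < l.end_ts
  AND r.start_ts <= :t AND (r.stop_ts IS NULL OR :t < r.stop_ts)
"""

ALERT_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6})"
                      r".*?\{\w+\} ([\d.]+):\d+ -> ([\d.]+):\d+$")


def parse_snort_fast(line, year=YEAR):
    """Return {'ts','src','dst'} from a Snort fast-alert line (UTC assumed)."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("not a Snort fast alert: %r" % line)
    mo, d, h, mi, s, us, src, dst = m.groups()
    when = datetime(year, int(mo), int(d), int(h), int(mi), int(s), int(us),
                    tzinfo=timezone.utc)
    return {"ts": when.timestamp(), "src": src, "dst": dst}


def parse_squid(log_text):
    """Yield (start_ts, end_ts, client_ip, peer_ip) for each squid line.

    Squid stamps the *completion* time; subtracting the elapsed time gives the
    interval the request occupied, which is what the alert must overlap.
    """
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue
        end = float(f[0])
        start = end - int(f[1]) / 1000.0
        peer = f[8].split("/", 1)[1]   # 'DIRECT/203.0.113.9' -> '203.0.113.9'
        yield (start, end, f[2], peer)


def candidate_clients(alert, squid_entries, skew=CLOCK_SKEW):
    """Internal IPs whose proxied request to alert['dst'] overlaps the alert,
    allowing +/- skew seconds; cache hits (peer '-') never reached the origin."""
    hits = set()
    for start, end, client, peer in squid_entries:
        if peer == alert["dst"] and start - skew <= alert["ts"] <= end + skew:
            hits.add(client)
    return hits


def build_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO dhcp_lease VALUES (?,?,?,?)", LEASES)
    conn.executemany("INSERT INTO radius_session VALUES (?,?,?,?)", SESSIONS)
    return conn


def who_had_ip(conn, ip, t):
    """(username, mac) pairs active for ip at time t; no sorting needed."""
    return conn.execute(WHO_QUERY, {"ip": ip, "t": t}).fetchall()


def attribute_alert(alert_line, squid_log=SQUID_LOG):
    """Map each candidate internal client to the users holding it at alert time."""
    alert = parse_snort_fast(alert_line)
    conn = build_db()
    return {c: who_had_ip(conn, c, alert["ts"])
            for c in sorted(candidate_clients(alert, parse_squid(squid_log)))}


if __name__ == "__main__":
    print(attribute_alert(SNORT_ALERT))
```

Running it maps the alert to 10.20.30.41 and then to jsmith, even though the sensor clock is 12 seconds ahead of the proxy and the same address was later re-leased to another MAC. The skew window should be tuned to the real drift between the sensor, proxy and DHCP/RADIUS servers (or, better, all of them kept on NTP), and a lease that has no recorded end should be closed at the next lease start for that address when the table is loaded.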
