

Why ISPs shouldn't ban MAC addresses - Shenglong
http://shenglong.posterous.com/why-isps-shouldnt-ban-mac-addresses

======
oasisbob
I think this article misses the point.

Yes, MAC addresses are not to be trusted. They can be easily changed. However,
the corollary to "you shouldn't blacklist MAC addresses" is "you shouldn't
whitelist them either." Great, you just threw out DHCP, and are going down the
network access control blackhole. (802.1X supplicants for everybody!)

Most ISPs don't put multiple clients in a layer-2 domain; you can't trust it.
So, most ISPs already don't trust MAC addresses, nor do they care.

On a college campus, things are different, and locking down the network can
only go so far technologically. You need technical measures and good
communication to cover 98% of the users (IDS, automatic quarantine systems,
simple registration), accommodation for the 1.9% of technically
inquisitive/advanced users (forums, workarounds for edge cases), and a big
stick for the remaining 0.1%.

When I was at WWU, they ran a very liberal network. You could change your MAC
address (as long as it wasn't taken from another user), you could run your own
WiFi (as long as you took responsibility for it), you could run servers, and
almost no protocol was banned (although it might be throttled). But use
someone else's credentials or interfere with the functioning of the network?
Stick time.

Sounds like the problem at this school is bad communication, and not having a
holistic network management system. Not surprising: they're both hard, and
most schools don't invest the time with any serious effort.

... and don't get me started on the campuses that ban IRC.

------
aphyr
Absolutely have to send a message to your network administrator, but can't
find her? Target several local hosts (this works quicker with an IDS in the
mix) with xmas packets, and place your message in the body. Send 'em once
every five seconds or so, preferably in the afternoon when they should be
awake. If that doesn't seem to get anyone's attention, start a rogue DHCP
server which issues DHCPOFFERS with "Oy, why is 05:23:a3:bb:40 banned? --room
201" in the message field.

If they're worth their salt, the network admin will see it light up in their
packet dump, and resolve any problems you're having. With fire.

~~~
dopo
"xmas UDP packets" does not compute... Xmas only has meaning in the context of
TCP.

~~~
pavel_lishin
What are xmas packets?

~~~
there
A packet with all options "lit up", like sending a TCP packet with SYN, FIN,
PSH and URG all set.
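As an added illustration (not code from any commenter in this thread), here is how a defender would pick such packets out of raw traffic: parse the IPv4 header, and only for protocol 6 (TCP) read the flags byte and check whether SYN, FIN, PSH and URG are all set at once. It also makes dopo's point above concrete: UDP has no flags field, so the check returns no flags for it. The sample packets are constructed in the block with placeholder addresses and ports; nothing here is captured from a real network.

```python
import struct

# TCP flag bits in byte 13 of the TCP header (RFC 793; ECN bits omitted).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}
XMAS_MASK = SYN | FIN | PSH | URG   # the "all lit up" combination

IPPROTO_TCP = 6
IPPROTO_UDP = 17


def flag_names(flags: int) -> str:
    """Render a flags byte as e.g. 'SYN|FIN|PSH|URG' ('' when no bits are set)."""
    return "|".join(name for bit, name in FLAG_NAMES.items() if flags & bit)


def is_xmas(flags: int) -> bool:
    """True when SYN, FIN, PSH and URG are all set at once. No legitimate TCP
    stack emits that combination, so it is a reliable scan/probe signature."""
    return flags & XMAS_MASK == XMAS_MASK


def inspect_ipv4(packet: bytes):
    """Return (proto, flags) for a raw IPv4 packet.

    flags is the TCP flags byte for TCP and None for anything else: UDP and
    ICMP have no flags field, so "xmas" is undefined for them.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]
    if proto != IPPROTO_TCP:
        return proto, None
    tcp = packet[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    return proto, tcp[13]


def build_ipv4(proto: int, l4: bytes) -> bytes:
    """Constructed minimal IPv4 header (no options, checksum left zero)."""
    total_len = 20 + len(l4)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # placeholder hosts
    return hdr + l4


def build_tcp(flags: int) -> bytes:
    """Constructed minimal 20-byte TCP header carrying the given flags byte."""
    # sport, dport, seq, ack, data offset (5 words) << 4, flags, window, csum, urg ptr
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)


def build_udp() -> bytes:
    """Constructed 8-byte UDP header: sport, dport, length, checksum. No flags exist."""
    return struct.pack("!HHHH", 40000, 53, 8, 0)


# Constructed sample traffic: a handshake SYN, a data segment, an xmas probe, a UDP datagram.
SAMPLES = {
    "syn": build_ipv4(IPPROTO_TCP, build_tcp(SYN)),
    "data": build_ipv4(IPPROTO_TCP, build_tcp(PSH | ACK)),
    "xmas": build_ipv4(IPPROTO_TCP, build_tcp(XMAS_MASK)),
    "udp": build_ipv4(IPPROTO_UDP, build_udp()),
}


def detect(samples: dict) -> dict:
    """Map each sample name to 'xmas', 'tcp:<flags>' or 'non-tcp'."""
    verdicts = {}
    for name, pkt in samples.items():
        proto, flags = inspect_ipv4(pkt)
        if flags is None:
            verdicts[name] = "non-tcp"
        elif is_xmas(flags):
            verdicts[name] = "xmas"
        else:
            verdicts[name] = "tcp:" + flag_names(flags)
    return verdicts


if __name__ == "__main__":
    for name, verdict in detect(SAMPLES).items():
        print(f"{name:5s} -> {verdict}")
```

The check is deliberately a mask-and-compare rather than an equality test, so a probe that sets extra bits (ACK, RST) on top of the four is still flagged; an IDS rule for this signature would be written the same way.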

------
smallblacksun
That's a whole lotta words to say "Because they can easily be spoofed".

~~~
sukuriant
But it was a fun story, and you'll remember it better now, probably :)

------
dfc
Banning MAC addresses is a must for large universities (and probably any large
network where you have frequent guests and do not have employer/employee power
relations).

Yes you can change your MAC address. But this type of policy is in place in
order to stop misconfigured machines or malware ridden machines from
connecting to the network.

~~~
shabble
Still, at least it's an improvement on the system my university network
imposed, which required pre-registration of your MAC address for your assigned
room port. Any other MAC detected would immediately block the port at the
switch level (and require a helpdesk call, and up to 3 days' wait) to fix.

It taught me some useful things about the Linux system init process, and where
to stick the MAC spoofing setup call though, so not a total loss.

------
trotsky
Sure you can spoof MACs but most people won't, so it's an easy solution that
works for most incidents. No telling why you are getting banned over and over,
but if it's for a legitimate reason that you're unaware of you're certainly
not going to be getting much understanding by the time an ops person has had
to figure out what's going on and manually turn off the port.

------
ghshephard
Sounds like his system has been tripping an IDS and being flagged for malware.
Changing the MAC address (which, in some environments, is a violation of the
Acceptable Use Policy) will just result in the new MAC address being banned as
well, if that is the case.

------
jtdowney
Years ago I worked for the ResNet team at Purdue University and some of the
items in the story were similar. I can relate to the poster's pain but I've
also been on the other side.

We had an entirely automated system to temporarily block users who exceeded
their bandwidth limit. When that happened we brought down the port on the
switch. If they moved to a different port we brought it down as well. If they
had changed their MAC they would have to associate it with their username
(using our home-grown NAC) and then we would block them.

As for support we had standard hours for a helpdesk staffed by students.

------
jesboat
Has the author, who appears to read HN and hopefully therefore this,
considered that the reasons for the apparently automatic ban might be malware
on the machine?

~~~
Shenglong
Yes I have. However, I don't frequent any dangerous sites much, and my
computer isn't terribly vulnerable. I've done full scans with MWB and AVG, and
I've checked my data in/out rates.

~~~
pak
Try hooking your computer up through a hub or something and use Wireshark on
your traffic. You never know on a Windows box. I've had deeply rootkitted
machines that didn't get picked up by any scans.

In any case, I'd recommend against changing your MAC address because when you
do get a hold of the network admins they may be rather disgruntled that you're
violating network policy (almost any university that registers MACs prohibits
MAC spoofing, otherwise you could just use the MAC of somebody that you saw on
a different subnet).

------
pavel_lishin
Have you considered escalating this past the engineers, and to the Dean of
your school?

Alternatively, if you could find out _his or her_ MAC address...

