User Installed Network Equipment Policy

IST Communication and Network Services

 

15 October 2002

 

1. Background

 

The University of California Berkeley campus maintains a campus-wide data communication network designed to encompass computers in all campus departments and to support communications among them. The IST Communication and Network Services (CNS) department is responsible for the installation and operation of that network and for the campus connections to regional and national networks via the Internet.

 

The communications service that CNS offers includes wiring and other communications technology and extends to the network wall jack for every computer on campus. The service is defined this way to ensure that any properly formed Internet Protocol (IP) packet sent from the attached computer through that "communications connection" will be delivered to its destination, and vice versa.

 

Standards for the architecture and implementation of the campus network include topology, wiring, wireless spectrum, interconnection electronics, and specific network technologies that are needed broadly across the campus. As the steward of the campus network infrastructure, CNS must ensure that these standards are followed.

 

The following document describes the Campus policies regarding User Installed Network Equipment on CNS supported networks.

 

The intent of this policy is to allow a department to extend the network (at its expense) in order to

-         increase flexibility of connection moves and changes,

-         or provide services CNS cannot support,

without decreasing the operational stability of the network or CNS's ability to support it.

 

In addition, use of and access to the network is governed by University Policies including but not limited to:

-         Campus Computer Use Policy

-         UC Electronic Communications Policy (ECP)

-         Interim E-Berkeley Policy

 

It is incumbent on campus departments to ensure that use of the network connections under their control complies with university policies.  This includes appropriate use, user authentication and accountability, among others.  Specifically, from the Campus Computer Use Policy, "Guidelines for Administering Appropriate Use of Campus Computing and Network Services":

 

1) Regular Authorizations:

 

Providers must have in place a process for authorizing any use of their services. (The mechanism for providing access will be referred to in these Guidelines as an Account). For each Account, an individual who is affiliated with UCB must be identified as the User.

 

From the UC Electronic Communications Policy (ECP):

 

C. ALLOWABLE USERS

 

1.University Users. University students, faculty, staff, and others affiliated with the University (including those in program, contract, or license relationships with the University) may, as authorized by the Chancellor, be eligible to use University electronic communications resources and services for purposes in accordance with Sections III.D, Allowable Use.

2. Public Users. Persons and organizations that are not University Users may only access University electronic communications resources or services under programs sponsored by the University or any of its sub-units, as authorized by the Chancellor, or for the Office of the President, the Senior Vice President, Business and Finance, for purposes of such public access in accordance with Section III.D, Allowable Use.

3. Transient Users. Users whose electronic communications merely transit University facilities as a result of network routing protocols are not considered "Users" for the purposes of this Policy.

 

And in ECP's Attachment 2 "Implementation Guidelines":

 

Campus guidelines should begin from the assumption that the level of access granted University Users of electronic communications resources terminates when the user's affiliation with the University ends. Exceptions may be made when extending this level of access serves the University's mission and does not constitute competition with commercial service providers.

 

A Campus department must employ user authentication and accounting or tracking methods in the administration of its network connections. 

 

2. Definitions

 

2.1 General

 

Host:  A computer or other device connected to the campus network.

 

Network Equipment:  A device that repeats network signals or forwards frames or packets between portions of the network.  Examples are hubs, bridges, switches and routers.  See Types of Network Equipment, below.

 

Network or subnet:  the portion of the campus network bounded by a router interface. On campus these are commonly called "subnets".

 

Shared 10 Mb/s network:  all hosts on the network share 10 Mb/s of network bandwidth.  Each host sees all traffic on its shared segment, regardless of the destination of the packets, so any host on the segment can capture its neighbours' traffic.

 

Fully Switched Ethernet networks:  There must be no shared 10 Mb/s segments within the network in order for it to be considered fully switched.   This refers to FastEthernet, Gigabit Ethernet and 10 Gigabit Ethernet. Each host is connected to its own Ethernet switch port. Each host sees only the frames addressed to it, plus broadcast frames and frames the switch floods while it does not yet know on which port the destination MAC address lives.

 

2.2 Types of User Installed Network Equipment

           

There are three basic types of network equipment:

 

2.2.1  Repeater:  An OSI network model Layer 1 (physical layer) device that regenerates and repeats network signals without interpreting frames.  Ethernet hubs are repeaters.

 

The IEEE specification for Ethernet is very clear about the use of repeaters. There can only be five segments and four repeaters between any two hosts on a segment. In addition, only three of those segments can have host connections; the rest must be linking segments. The segments must be within the length restrictions appropriate for the physical media in this maximal five-segment configuration: 500 meters for 10base5 (thick coax), 500 meters for 10baseFL (fiber) and 100 meters for 10baseT (UTP) cable. This is commonly known as the "repeater rule."

 

This ensures that two hosts that transmit at the same time will detect the collision within the first 64 bytes (512 bit times, the Ethernet slot time) of the frame. If the path is out of specification because it has too many segments or segments that are too long, a collision can occur after the first 64 bytes have been sent (a "late collision"); the transmitting hosts will not detect and retransmit it as a normal collision, and network performance will severely degrade. User installed hubs can, and frequently do, take a network out of Ethernet specification.
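The following is an added example, not part of the CNS policy, that encodes the repeater rule stated above as a check on a path between two hosts and shows how one user-installed hub pushes a maximal but legal topology out of specification. The topologies, segment names and the Segment/check_path helpers are constructed for illustration; the length limits are the ones quoted in the text.

```python
"""Check a path between two hosts on a shared 10 Mb/s Ethernet against the
IEEE 802.3 "repeater rule" (Transmission System Model 1, the 5-4-3 rule).
Added example, not part of the CNS policy; topologies are constructed."""
from dataclasses import dataclass

# Per-media segment limits in metres, as the policy states them for the
# maximal five-segment / four-repeater configuration.
MAX_SEGMENT_M = {"10base5": 500, "10baseFL": 500, "10baseT": 100}

MAX_SEGMENTS = 5      # segments on the path between any two hosts
MAX_REPEATERS = 4     # repeaters (hubs) on that path
MAX_POPULATED = 3     # segments that may carry host connections

SLOT_TIME_BITS = 512  # 64 bytes: a collision must be seen within this window


@dataclass(frozen=True)
class Segment:
    media: str        # key of MAX_SEGMENT_M
    length_m: float
    populated: bool   # True if hosts attach to it, False for a pure link segment


def check_path(segments):
    """Return the list of Model 1 violations for a path; [] means compliant.
    Repeaters sit between consecutive segments, so a path of n segments
    crosses n - 1 repeaters."""
    problems = []
    if len(segments) > MAX_SEGMENTS:
        problems.append(f"{len(segments)} segments (max {MAX_SEGMENTS})")
    repeaters = len(segments) - 1
    if repeaters > MAX_REPEATERS:
        problems.append(f"{repeaters} repeaters (max {MAX_REPEATERS})")
    populated = sum(1 for s in segments if s.populated)
    if populated > MAX_POPULATED:
        problems.append(f"{populated} populated segments (max {MAX_POPULATED})")
    for i, s in enumerate(segments, start=1):
        limit = MAX_SEGMENT_M.get(s.media)
        if limit is None:
            problems.append(f"segment {i}: unknown media {s.media!r}")
        elif s.length_m > limit:
            problems.append(f"segment {i}: {s.length_m} m of {s.media} exceeds {limit} m")
    return problems


def slot_time_us(bit_rate_bps=10_000_000):
    """Slot time in microseconds: the round-trip window inside which a
    collision must be detected.  512 bit times at 10 Mb/s is 51.2 us."""
    return SLOT_TIME_BITS * 1_000_000 / bit_rate_bps


# Constructed topologies.  CNS_PATH is a maximal but legal configuration:
# three populated 10BASE-T segments joined through two fiber link segments.
CNS_PATH = [
    Segment("10baseT", 90, populated=True),
    Segment("10baseFL", 400, populated=False),
    Segment("10baseT", 100, populated=True),
    Segment("10baseFL", 450, populated=False),
    Segment("10baseT", 95, populated=True),
]

# A user plugs a hub into a wall jack at one end: one more repeater and one
# more populated segment, and the path is now out of specification.
USER_HUB_PATH = CNS_PATH + [Segment("10baseT", 5, populated=True)]

if __name__ == "__main__":
    print("slot time:", slot_time_us(), "us")
    for name, path in (("CNS path", CNS_PATH), ("with user hub", USER_HUB_PATH)):
        print(name, "->", check_path(path) or "within specification")
```

Note that the user's hub is only 5 m of cable away from the wall jack; the violation is in the count of repeaters and populated segments, not in cable length, which is why the policy bans hubs on shared segments outright rather than setting a length limit.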

 

2.2.2  Bridge or switch:  An OSI network Layer 2 device that forwards Ethernet frames based on datalink layer or MAC addresses. Each port on a bridge is in a different collision domain.  The term "bridge" usually applies to a device with a small number of ports connecting shared Ethernet segments.  Bridges with many ports connected primarily to individual hosts are generally called "switches".  This document will use the terms "bridge" and "switch" interchangeably. 

 

2.2.3  Router: A network device that operates at Layer 3; that forwards packets based on their network layer address. It may or may not participate in a Routing Protocol, e.g., RIP, OSPF.   It may use Network Address Translation (NAT) to allow many hosts on an "inside" interface to share a single or small number of IP addresses visible to the "outside" network.

 

Other devices include firewalls, proxy servers, load balancers, wireless access points, and other "middle" boxes.  Such devices sit between the network and an end host and operate transparently with the exception of the service they provide be it security or address translation or load balancing.  Whether a given device is a hub, switch, or router depends on the specific device, and often on the details of how the device is configured.

 

3. Policies

 

3.1 Shared networks

 

With one exception, users are not allowed to install network equipment on shared networks.

 

If you have installed a hub or switch in your lab or office, please disconnect it. If you need additional connections in the lab or office, please file a CNS service order to obtain additional connections. See "CNS Shopping Cart", http://sagebrush.berkeley.edu/cgi-bin/ws515/sc.r.

 

If, in the course of trouble-shooting a local network problem, Network Operations Personnel find user-installed network equipment, they will disconnect it or ask that the department do so. They will cease working on the trouble ticket until all user-installed network equipment is removed. See "CNS Network Trouble Reporting" for more information, http://www.net.berkeley.edu/trouble/.

 

If the cause of the problem is determined to be user-installed network equipment, Network Operations personnel will disconnect it and bill the department time and materials for the trouble ticket response.

 

3.1.1 General reasons for this policy

 

3.1.1.1 Topology

 

Shared 10 Mb/s networks consist of Ethernet hubs, which may not track Ethernet MAC addresses, making it difficult to determine the location of user-installed network equipment. CNS maintains documentation of its equipment and a network's topology for design and trouble-shooting purposes. The addition of untraceable network equipment on a subnet renders this information useless and will impede trouble-shooting.

 

3.1.1.2 Malfunctioning equipment

 

Malfunctioning Ethernet equipment, whether it is a host Ethernet NIC card or user-installed network equipment, may generate errors that will propagate throughout the local network. CNS installs network equipment with proven reliability and network management capabilities, making it possible to diagnose problems quickly and easily. CNS can help users diagnose errors stemming from faulty Ethernet NIC cards, provided that they are connected to CNS-managed equipment. Inexpensive, unmanageable network equipment may introduce errors that are difficult to track down.

 

3.1.2 Problems with specific types of device

 

3.1.2.1 Hubs

 

User installed hubs on shared 10 Mb/s segments will in all likelihood violate the IEEE "repeater rule", and introduce late collisions and other serious Ethernet errors. The result is degraded network performance for all users on the local network.  Do not install hubs on shared 10 Mb/s segments.

 

3.1.2.2 Switches, wireless access points, and other devices

 

While other devices will not violate the IEEE "repeater rule", they increase the number of hosts that can connect to a given shared segment.  Therefore, they are capable of generating more traffic than the 10 Mb/s shared segment to which they are attached can handle.

 

3.1.3 Exception:  Host Cluster Firewalls

 

User-installed firewalls are generally discouraged on shared networks, but may be permitted because they can provide some security benefits at a relatively low cost. The "Host Cluster" design is described in the Firewall Task Force documentation at http://fwtf.berkeley.edu.   Essentially it is a design whereby a user-installed firewall is connected to a CNS supported wall jack in order to protect hosts within that room or lab.  The following restrictions apply:

 

-         The subnet must contain hosts belonging only to a single department.

-         The subnet must have no more than 120 hosts connected to it.  This corresponds to a subnet with a /25 subnetwork mask.

-         While more than one "Host Cluster" firewall can be installed on a subnet, no more than 10 hosts total may be placed behind the firewall(s).  The intent is to ensure that a "Host Cluster" firewall and the hosts behind do not swamp the shared 10Mb/s subnet.

-         CNS will not assign IP addresses for hosts behind the firewall; this implies that the firewall will do NAT.

 

In addition, user-installed firewalls on shared nets must conform to Section 3.2.2, Requirements, of the following section, Fully switched networks.

 

3.2 Fully switched networks

 

Users may be allowed to install network equipment on a fully switched network.

 

3.2.1        General

 

Unlike shared 10 Mb/s networks, fully switched Ethernet networks have several features that make it possible to allow some types of user-installed network equipment.

 

3.2.1.1 Topology

 

Switches maintain MAC address tables, making it possible for Network Operations Personnel to determine where user-installed network equipment is connected, as well as the hosts behind the user-installed switch. CNS can therefore find equipment that may be generating or experiencing problems.

 

3.2.1.2 Isolation of malfunctioning equipment

 

Most Ethernet errors will not be forwarded by a switch, thereby protecting the rest of the local network from faulty equipment.

 

3.2.1.3 Ethernet specifications

 

Since each connection on a switch is a separate collision domain, a user-installed hub cannot take the network out of specification. It will not violate the "repeater rule."

 

3.2.2 Requirements

 

Nevertheless, CNS discourages the installation of non-CNS managed equipment. If a department chooses to install its own networking equipment, it must adhere to the following requirements.

 

3.2.2.1 Cabling specifications

 

EIA/TIA 568 Commercial Building Telecommunications Wiring Standard specifies 90 meters for horizontal cabling, and a total of 10 meters for work area and telecommunications closet patch and jumper cables. To maintain this standard for the connection from a user-installed network device to the CNS-installed switch, the maximum allowable length from the wall jack to the user-installed network equipment is 5 meters.

 

In addition, category 5 (or better) cable must be used.

 

3.2.2.2 No cascades

 

Users may install their own network equipment to allow multiple hosts to make use of a single CNS-supported network connection. Only a single user-installed network device may be connected to any network port.

 

3.2.2.3 One room

 

Hosts connected to user-installed hubs, switches, and firewalls must reside in the same room as the user-installed device.  For example, a collection of computers in a lab may be connected to a switch installed in that lab.  But a user-installed switch may not be used to support connections in several different offices.  The intent is to disallow and discourage non-standard ad-hoc wiring.

 

3.2.2.4 Trouble-shooting

 

CNS will trouble-shoot a problem to the wall jack. CNS is not responsible for managing or trouble-shooting user-installed network equipment, nor the hosts connected behind it. In the course of diagnosing a problem, CNS Network Operations personnel may request that user-installed network equipment be removed.

 

3.2.2.5 Consultation

 

If you have questions regarding user installed network equipment please contact CNS Network Operations Center, at noc@berkeley.edu.

 

3.2.3 Switches and Hubs

 

User installed Ethernet switches and hubs may be installed on fully switched Ethernet networks provided that restrictions and requirements outlined in this document are followed.  To obtain IP addresses for your additional hosts, contact hostmaster@nic.berkeley.edu.  Provide the location (building, room, cable ID) of the device and the number of additional connections it provides. If you are unsure whether your subnet is fully switched, contact hostmaster@nic.berkeley.edu.  Should IP addresses for user installed devices exhaust the available IPs on the subnet the next step will be installing a new subnet.  This involves opening a project with CNS, contact cns-projects@uclink.berkeley.edu, and must be paid for by the department.

 

3.3 Additional policies on specific devices

 

3.3.1 Wireless Access Points

 

3.3.1.1  General

 

A "wireless access point" ("AP" for short) in the context of this document is a device that supports one of the "wireless Ethernet" standards:  802.11, 802.11a, 802.11b.  It allows users with appropriate NICs to communicate with other hosts on the network without having to make physical connections to a network jack.

 

Most APs can be configured to act as bridges (directing packets based on MAC address) or as routers (using IP addresses).  As routers, most APs perform NAT.

 

3.3.1.2  Restrictions

 

Users may connect wireless APs on fully switched subnets, subject to the same restrictions as wired bridges, switches, and NAT boxes.   The "no cascade" rule applies, so point-to-point wireless links to remote wireless (or wired) network connections are not permitted.

 

There are some additional considerations for APs, because potential users do not need physical access to an AP in order to use it.  AP administrators

-         must employ user authentication and accountability

-         ensure that their APs do not interfere with CNS-installed wireless APs

-         should ensure end-to-end encryption or disclose the lack of security of wireless traffic.

 

3.3.1.3  Requirements

 

IP addresses:  Because APs do not have a defined number of end-user "connections", CNS will not issue IP addresses for users of user-installed wireless APs.  This effectively means that such wireless APs must be configured to do NAT.

 

Network access:  Users who install their own APs are responsible for ensuring that users of their APs conform to the UC Electronic Communications Policy.  Some form of user authentication is required.  Restricting access to a known set of wireless NICs based on MAC address is the minimum level of authentication allowed.  Note that a MAC address is transmitted in the clear and can be set by the client, so MAC filtering only keeps out casual users; where possible it should be combined with a stronger authentication mechanism. 

 

Interference:  CNS is installing wireless APs at various sites around campus, and these take precedence over any user-installed APs.  If an AP interferes with a CNS-supported wireless installation, the owner of that AP must take action to eliminate the interference, up to and including removing the AP.

 

Insecurity:  wireless traffic is not secure.  Current technologies such as WEP are easily compromised.  Users should be informed of this vulnerability and be encouraged to take appropriate steps such as using end-to-end encryption such as SSH, SSL, IPSec.

 

3.3.2 Firewalls

 

Firewalls protecting individual hosts, or small clusters of hosts, may be connected to fully switched networks, provided they conform to the requirements for user-installed hubs, switches and NAT boxes on switched networks. The "Host Cluster" design is described in the Firewall Task Force documentation at http://fwtf.berkeley.edu.   Essentially it is a design whereby a user-installed firewall is connected to a CNS supported wall jack in order to protect hosts within that room or lab. 

 

Modern network switches typically have 24 (or more) ports.  Most firewalls do not; they are intended to be used with hubs or switches to connect multiple hosts to the firewall.  For this reason, a firewall device and a single network hub (or switch) will be considered a single "device" for the purposes of the "no cascades" rule.

 

CNS will not exchange routing information with user-installed firewalls.  Bridging or transparent firewalls, where both protected and unprotected sides of the firewall are on the same IP subnet,  are permitted, and will be handled in the same manner as user-installed hubs and switches:  Notify CNS at [TBD address] of the firewall's location and number of host connections.

 

NAT firewalls (protected connections use private address space) are also permitted.  Bridging firewalls are preferred since, in general, they allow CNS to do more detailed troubleshooting.  However, departmental security concerns may dictate the use of NAT.

 

3.3.3 Routers

 

User installation of a router is generally not allowed.

 

3.3.3.1  Router between two (or more) CNS managed networks.

 

Regardless of the type of local network, installation of a Layer 3 device that attempts to participate in campus routing protocols or forwards packets between two CNS managed networks is strictly not allowed.  CNS is the sole campus entity responsible for routing within the campus network.

 

3.3.3.2  Multi-homed host between two (or more) CNS managed networks.

 

Under certain circumstances it may be beneficial for a department to have a multi-homed server. However, multi-homed servers present security and operational challenges for both the administrator of the multi-homed system and for other users on the network.  Multi-homed servers can break local routing and disrupt network connectivity for any other hosts on the local network.

 

In addition, for edge networks, campus routers are configured to drop packets that appear to originate from a network other than the one on the router interface on which the packet was received (ingress filtering, as described in RFC 2827).  This is a protection against packets with spoofed source addresses and frequently causes problems for multi-homed servers: a reply that leaves through one interface but carries the source address belonging to the other is discarded at the router.

 

For these reasons, campus administrators are discouraged from multi-homing their machines.  Under certain circumstances, the benefits of operating a multi-homed server outweigh the problems.  In such circumstances, the following guidelines apply:

 

-         CNS staff (contact noc@berkeley.edu) should be consulted before the server is multi-homed.  This is both to make an exception to the policy discouraging use of  multi-homed servers and to re-configure campus routers so that the server will work properly.

 

-         The multi-homed server must not forward packets from one network to another.  This can interfere with CNS operations personnel trouble-shooting network problems.  It is also widely considered to be a security risk.

 

-         Nor should it transmit route announcements, which may cause other hosts' off-network communication to fail. CNS routers will not accept route information from any user-installed router.
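The following is an added example, not CNS configuration or code, that simulates the edge-router source-address check described above and shows why a multi-homed server with a single default route loses replies sent from its second address, why per-source (policy) routing fixes it, and how the "must not forward" guideline is expressed. The two prefixes are the example prefixes from the Glossary; the server and client addresses, the ingress_filter function and the MultiHomedServer class are constructed for illustration.

```python
"""Simulate RFC 2827 ingress filtering on campus edge routers and its effect
on a multi-homed server.  Added example, not CNS configuration; prefixes are
the glossary's examples, host and client addresses are constructed."""
import ipaddress

NET_A = ipaddress.ip_network("128.32.136.0/24")    # glossary example prefix
NET_B = ipaddress.ip_network("169.229.64.128/25")  # glossary example prefix
SERVER_A = "128.32.136.20"    # constructed: server's address on NET_A
SERVER_B = "169.229.64.140"   # constructed: server's address on NET_B
CLIENT = "192.0.2.10"         # constructed off-campus client (RFC 5737 range)


def ingress_filter(arrival_net, src):
    """Edge-router rule: a packet arriving on the interface for arrival_net
    is forwarded only if its source address belongs to that subnet."""
    return ipaddress.ip_address(src) in arrival_net


class MultiHomedServer:
    """A server with one address on each of two CNS subnets.

    addrs maps each address to its subnet.  With a single default route the
    server sends every off-subnet packet out the default interface whatever
    the packet's source address (the common misconfiguration).  With
    per-source routing (policy routing) it sends out the interface that
    owns the source address."""

    def __init__(self, addrs, default_net, per_source_routing=False,
                 ip_forward=False):
        self.addrs = {ipaddress.ip_address(a): n for a, n in addrs.items()}
        self.default_net = default_net
        self.per_source_routing = per_source_routing
        self.ip_forward = ip_forward   # the policy requires this stays off

    def egress_net(self, src):
        """Subnet (hence router interface) that an off-subnet packet with
        source address src is sent into."""
        if self.per_source_routing:
            return self.addrs[ipaddress.ip_address(src)]
        return self.default_net

    def reply_delivered(self, service_addr, client):
        """True if a reply from service_addr to an off-subnet client passes
        the campus router's ingress filter."""
        return ingress_filter(self.egress_net(service_addr), service_addr)

    def would_forward(self, dst):
        """True if the server would relay a packet not addressed to itself
        from one subnet to the other; the policy forbids this."""
        return self.ip_forward and ipaddress.ip_address(dst) not in self.addrs


if __name__ == "__main__":
    naive = MultiHomedServer({SERVER_A: NET_A, SERVER_B: NET_B}, default_net=NET_A)
    fixed = MultiHomedServer({SERVER_A: NET_A, SERVER_B: NET_B}, default_net=NET_A,
                             per_source_routing=True)
    for label, srv in (("single default route", naive), ("per-source routing", fixed)):
        for addr in (SERVER_A, SERVER_B):
            verdict = "delivered" if srv.reply_delivered(addr, CLIENT) else "dropped by router"
            print(f"{label}: reply from {addr} -> {CLIENT}: {verdict}")
```

In the single-default-route case the reply from the NET_B address leaves through the NET_A interface and is dropped, which is the symptom the text warns about; the consultation with CNS is what allows either the router configuration or the server's routing to be adjusted so that this does not happen.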

 

3.3.3.3  Network Address Translator (NAT), Firewall using NAT.

 

As appropriate for host cluster firewalls or other circumstances a department may install a NAT device or firewall using NAT as long as it forwards packets only between a CNS managed net and private network(s) using private IP address space.

 

3.4 User installed cross-connections are strictly not allowed.

 

Users should not have access to telecommunications closets; such access violates campus computer and network security policy. Should they find themselves in a communications closet, they should resist the urge to activate connections by installing cross-connects from CNS network equipment to installed wiring. Instead, they should exit the closet and file a CNS service request form to activate the connection.   See the CNS "Shopping Cart" to order new connections, http://sagebrush.berkeley.edu/cgi-bin/ws515/sc.r?SCREEN=store.

 

Normally a CNS connection terminates in a wall-jack.  However in some installations, such as machine rooms, the connection terminates in a rack or cabinet.  The CNS supported network includes this cable and its RJ-45 connector.  Modifications to this cable or its termination are not allowed.

 

 

4. Comments

 

If you have questions about any of these policies please send email to: CNS Network Operations Center, noc@berkeley.edu.

 

5. References

 

Charles Spurgeon's Ethernet Web Site http://wwwhost.ots.utexas.edu/ethernet/ethernet-home.html

EIA (Electronics Industries Alliance) Web Page

http://www.eia.org/

IEEE Web Page

http://ieee.org/

TIA (Telecommunications Industries Association) Web Page http://www.tiaonline.org/

Firewall Task Force

http://fwtf.berkeley.edu

 

6. Glossary

 

Bridge - An OSI network Layer 2 device that forwards Ethernet frames based on datalink layer or MAC addresses. Each port on a bridge is in a different collision domain.

 

Collision Domain - The portion of a network where host A can detect that host B is transmitting, therefore host A should wait. Or, the portion of a network where both host A and host B can detect that they have transmitted at the same time and a collision has occurred. They will both stop, back off and retransmit a random interval later. Collision Domains are bounded by routers or switches.  A single Ethernet segment or multiple segments linked with repeaters is a network that functions as a single collision domain.

 

Hub - A network device that provides multiple connections to shared 10 Mb/s Ethernet networks. Hubs are repeaters.

 

Layer 2 - Datalink layer of the OSI network model, e.g., Ethernet, FDDI, Token-Ring, FastEthernet.

 

Layer 3 - Network layer of the OSI network model. This is the layer where packets are forwarded based on the network or internetwork address, e.g., IP, IPX.

 

MAC - Media Access Control addresses, data link layer addresses, e.g., Ethernet addresses.

 

Multi-homed - A host attached to more than one network. A multi-homed host should not route packets from one network to another.

 

Repeater - An OSI network model Layer 1 (physical layer) device that repeats network signals, e.g., hubs.

 

Router - A network device that operates at Layer 3; that forwards packets based on their network layer address. It may or may not participate in a Routing Protocol, e.g., RIP, OSPF.

 

Segment - Usually refers to an Ethernet segment, a collision domain. Segments are bounded by bridges or switches.

 

Shared - All devices within the network segment share the bandwidth; are part of the same collision domain; typically used when referring to traditional 10 Mb/s Ethernet.

 

Switched - Refers to FastEthernet at either 10 Mb/s or 100 Mb/s speeds, Gigabit and 10 Gigabit Ethernet. Each device on the network is in its own collision domain and does not share bandwidth with other devices. Ethernet switches are multi-port bridges.

 

Switch - A multi-port bridge. Refers to Fast Ethernet, Gigabit and 10 Gigabit Ethernet network equipment. Individual FastEthernet ports can operate at 10 Mb/s or 100 Mb/s. Individual Gigabit Ethernet and 10 GE equipment ports operate at 1 gigabits/s (1000 Mb/s) and 10 gigabits/s (10,000 Mb/s).  A gigabit is one billion bits.

 

Network - Refers to an IP network or subnet, a portion of the network with the same network address space. Networks are bounded by routers and contain one or more segments. They are usually referred to by the beginning of the address space and a subnet mask, e.g., 128.32.136.0/24 or 169.229.64.128/25.

 

Firewall - A firewall system blocks, redirects, monitors or permits network connections between two networks, a public or unsecured network and a secure network. It is a special purpose device that physically sits between the two networks.  It may be a Layer 2 device or bridging firewall, or it may be a Layer 3 device and forward IP packets between networks.

 

NAT - Network Address Translation, Network Address Translator. RFC1631.  Mechanism translating private IP addresses (RFC1918) to public IP, or globally routable IP addresses.  Private IP addresses may be mapped one-to-one with public addresses or the NAT device may translate one or a small number of public addresses to the many private addresses.

 

Load Balancer - A device that distributes traffic to a set of servers in order to balance demand and workload and provide a more robust service.

 

Middle Boxes - Devices such as Firewalls, NAT, Load balancers, and Proxy servers, that sit between the network and the end host and provide a service.

 

Proxy Server - Intermediary server that acts as both a server and a client for the purpose of making requests on behalf of other clients. Requests are serviced internally or by passing them on, possibly after translation, to   other servers. A proxy interprets, and, if necessary, rewrites a request message before forwarding it.

 

Private Networks - In a private network, CNS and the department agree on a demarcation point.  CNS's responsibility for the network ends at the demarcation point. Everything behind the demarcation is supported by the department.

 

Private IP addresses - Defined by RFC1918.  Internet routers do not carry routes for private IP address space, so hosts using such addresses are unreachable from the global Internet and must go through a NAT device to reach it. 

 

RFC 1918 Addresses - see Private IP addresses.

 

Publicly addressable - globally routable IP addresses, i.e., not Private IP addresses.

 

IP Address - 32-bit address assigned to hosts using TCP/IP. An IP address is written as 4 octets separated by periods (dotted decimal format). Each address consists of   a network number, an optional subnetwork number, and a host number. The network and subnetwork numbers together are used for routing, and the host number is used to address an individual host within the network or subnetwork. A subnet mask is used to extract network and subnetwork information from the IP address. Also called an Internet address, e.g., 123.32.254.10. 

 

Subnet - Subnetwork. In IP networks, a network sharing a particular subnet address. Subnetworks are networks arbitrarily segmented by a network administrator in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the addressing complexity of attached networks. Subnetwork IP addresses are usually represented by the beginning of the network address followed by the subnetwork mask, e.g., 128.32.206.128/25.

 

Subnet mask - 32-bit address mask used in IP to indicate the bits of an IP address that are being used for the subnet address.  Usually represented as dotted decimal, e.g., 255.255.255.128 or a slash followed by the number of bits that are set in the mask, e.g., /25.

 
