IP Route Summarization Project
Project Summary
Passed by ITAC: 5/12/02
A brief summary of the current use of IP address space at the University of Utah:
The University of Utah has six class B (16 bit) networks. Four of these are currently in use: 128.110.0.0, 155.99.0.0, 155.100.0.0 and 155.101.0.0. The unused networks are 155.97.0.0 and 155.98.0.0. The University Hospital and clinics have been granted exclusive use of 155.100.0.0 by the ITAC. The University typically splits the class B networks into class C sized (24 bit) networks, which are then allocated to colleges and departments through a centralized IP allocation service, "IPALLOC", on an "as needed", first come-first served basis. The University has used, and continues to use, Cisco routers for the core of the campus network. The routing protocol is Cisco's proprietary Enhanced Interior Gateway Routing Protocol (EIGRP), which combines features of link-state and distance vector protocols. Because EIGRP carries each network as an individual route, it allows many discontiguous networks to be routed within the campus network without regard to locality and does not require route summarization. The consequence is that the current allocation, handed out first come-first served, cannot be summarized at all.
Proposal
Re-"IP" the campus network to achieve IP route summarization.
Benefits
Using an "open standards" routing protocol in place of the proprietary EIGRP would allow multiple network hardware vendors to bid the next time the campus network is upgraded, saving the University of Utah money and (arguably) getting a better network. Standards-based protocols scale well only when routes can be summarized, which is what the re-addressing makes possible.
Provide guidance to IPALLOC when distributing IP address space.
More efficient routing at the core of the network.
Challenges
Motivating departments and colleges to adopt new IP address space. This could be mitigated to some degree by:
- Placing a DHCP server in each node to serve the networks local to that node, and allowing LAN managers to edit the entries for their respective networks on that server.
- Applying the "new" IP networks as additional addresses on the existing router interfaces, so that old and new space are routed side by side during the transition.
- Education and assistance by campus committees, groups and departments such as the IT managers, NetCom and others.
- Starting anew, so that a department with discontiguous networks may be able to obtain a contiguous (CIDR block) allocation.
- Centralized NAT services in each node to serve the networks local to that node, again allowing LAN managers to edit the translation entries for their respective networks.
Time and resources required by each LAN manager.
Time and resources required by the campus NOC. For example, the router interface for each LAN would have to be updated with the new IP networks, and the access-lists for each department would have to be rewritten for the new space. (This may also sit in the "plus" category.)
Implementation Steps
Start routing all of the University's class B networks.
Create a template of distribution to be used by IPALLOC when allocating IP networks. An example of such a template follows:
- Allocate 155.97.0.0 /17 to be used by buildings connected to the Library node.
- Allocate 155.97.192.0 /18 to be used by buildings connected to the Fort node.
- Allocate 155.98.0.0 /17 to be used by buildings connected to the Engineering node.
- Allocate 155.98.192.0 /18 to be used by buildings connected to the B. Hawk node.
- Allocate 155.100.0.0 /17 (already in use; continued) to be used by the University Hospital and clinics.
- Allocate 155.101.0.0 /17 to be used by buildings connected to the Park node.
- Allocate 155.101.128.0 /17 to be used by buildings connected to the EBC node.
Reserve 128.110.0.0 for future use.
Reserve 155.99.0.0 for future use.
Set a date for the migration to be completed: August 1, 2004, at which time the NOC ceases to route 128.110.0.0 and 155.99.0.0.
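As an added illustration of the distribution template and of the "contiguous CIDR block" point under Challenges (example code written for this page, not the committee's proposal and not IPALLOC's own code): a small checker that loads the per-node blocks exactly as listed, verifies they do not overlap, reports how many class C sized networks each node's summary can hold, decides whether a requested /24 may be issued to a department attached to a given node, and shows how many routes the core must carry for scattered versus contiguous allocations. Node names are the template's; the function names, the reserved-space rule and the sample requests are my assumptions.

```python
"""Checker for the IPALLOC distribution template (added example, not IPALLOC code)."""
import ipaddress
from itertools import combinations

# Per-node blocks exactly as the template lists them.  The template leaves
# 155.97.128.0/18 and 155.98.128.0/18 unassigned; they stay unassigned here.
NODE_BLOCKS = {
    "Library":     "155.97.0.0/17",
    "Fort":        "155.97.192.0/18",
    "Engineering": "155.98.0.0/17",
    "B. Hawk":     "155.98.192.0/18",
    "Hospital":    "155.100.0.0/17",
    "Park":        "155.101.0.0/17",
    "EBC":         "155.101.128.0/17",
}

# Class B networks the template reserves; the NOC stops routing them on Aug 1, 2004.
RESERVED = ["128.110.0.0/16", "155.99.0.0/16"]


def _net(prefix):
    # strict=True rejects a prefix with host bits set (e.g. "155.97.200.0/18"),
    # which would be a typo in the template rather than a valid summary.
    return ipaddress.ip_network(prefix, strict=True)


def overlapping_nodes(blocks=NODE_BLOCKS):
    """Pairs of nodes whose blocks overlap.  Must be empty, or two core routers
    would advertise competing summaries for the same space."""
    nets = {name: _net(block) for name, block in blocks.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def class_c_capacity(node, blocks=NODE_BLOCKS):
    """Number of class C sized (/24) networks a node's summary can hold."""
    return _net(blocks[node]).num_addresses // 256


def node_for(prefix, blocks=NODE_BLOCKS):
    """Name of the node whose summary covers `prefix`, or None if no node does."""
    net = _net(prefix)
    hits = [name for name, block in blocks.items() if net.subnet_of(_net(block))]
    if len(hits) > 1:
        raise ValueError(f"{prefix} falls under more than one node: {hits}")
    return hits[0] if hits else None


def check_request(prefix, node, blocks=NODE_BLOCKS, reserved=RESERVED):
    """IPALLOC gate for one request: a department attached to `node` asks for
    `prefix`.  Returns "accept" or a "reject: ..." reason."""
    net = _net(prefix)
    if net.prefixlen != 24:
        return f"reject: {prefix} is not a class C sized (/24) network"
    if any(net.subnet_of(_net(r)) for r in reserved):
        return f"reject: {prefix} lies in reserved space that will stop being routed"
    owner = node_for(prefix, blocks)
    if owner is None:
        return f"reject: {prefix} is outside every node's summary block"
    if owner != node:
        return f"reject: {prefix} summarizes under {owner}, not {node}"
    return "accept"


def core_routes(prefixes):
    """Routes the core must carry for a set of /24s once contiguous ones are
    merged.  Scattered first come-first served allocations barely shrink;
    a CIDR block allocation collapses to a single route."""
    return [str(n) for n in ipaddress.collapse_addresses([_net(p) for p in prefixes])]


if __name__ == "__main__":
    print("overlaps:", overlapping_nodes() or "none")
    for name in NODE_BLOCKS:
        print(f"{name:12} {NODE_BLOCKS[name]:18} {class_c_capacity(name):4d} x /24")
    # Constructed sample requests, not real IPALLOC tickets.
    for prefix, node in [("155.97.10.0/24", "Library"), ("155.97.10.0/24", "Fort"),
                         ("155.97.130.0/24", "Library"), ("128.110.5.0/24", "Park")]:
        print(f"{prefix:17} for {node:8} -> {check_request(prefix, node)}")
    # Constructed department allocations: four scattered /24s vs four contiguous ones.
    print("old style:", core_routes(["128.110.12.0/24", "155.99.40.0/24",
                                     "155.101.7.0/24", "128.110.200.0/24"]))
    print("new style:", core_routes(["155.97.8.0/24", "155.97.9.0/24",
                                     "155.97.10.0/24", "155.97.11.0/24"]))
```

The gaps the template leaves (155.97.128.0/18 and 155.98.128.0/18) show up as "outside every node's summary block" rejections, which is the behaviour IPALLOC would want until the committee assigns that space.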
The university IP route summarization committee is an ad hoc subcommittee under the direction of ITAC and is comprised of the following individuals:
Pieter Bowman - Mathematics
Joe Breen - Center for High Performance Computing
Todd Green - School of Computing
Chris Hessing - Marriott Library
Brett Jordan - College of Engineering
Chad Lake - School of Computing
Bryan Morris - NetCom (Chair of subcommittee)
Robert Roll - NetCom
Jason Traeden - ITS (Hospital)
Daniel Trentman - Mines and Earth Sciences
Implementing Private IP Address Space At the University of Utah
Network security is an extremely important part of a properly tuned and maintained campus network. Implementing "university wide" network security policies must be balanced with the needs of departments and individual researchers so they remain functional and productive.
It is reasonable to require network services that extend beyond the confines of the university's network to meet a minimum security criterion. Some of the ways this could be accomplished are:
- A registration process with the campus NOC could be a criterion that must be met before a service such as WWW is allowed to extend beyond campus.
- Utilize firewalls at the departmental level, with or without the use of private IP addresses. This option is currently available to all departmental networks.
- Create a university DMZ to host the services that are heavily used by clients outside the university network. Recent changes in the campus network topology make this possible.
- Implement private IP addresses at the departmental/college level. This option is currently available to all departmental networks.
- Implement private IP addresses university wide.
As part of the campus IP route summarization discussion we addressed whether the last option above (private IP addresses university wide) is feasible to implement. The following are some of the pros and cons of a "university wide" implementation of private IP addresses.
"Pros" of private IP addressing campus wide
Control over all IP network traffic coming into and going out of the University.
Unlimited IP growth within the University. (This is not true of a "one to one" (static) implementation, which still consumes one public address per internal host.)
One place to block access to and from the WAN. The WAN routers already provide this, but more control would be available.
Automatic protection of machines that do not need to access the Internet, since an untranslated private address cannot be reached from outside.
"Cons" of private IP addressing campus wide using NAT/firewall
(NOTE: the term firewall is used because some of the limitations actually are firewall limitations and not just NAT.)
Firewall boxes are expensive to buy and to operate
- Expensive to purchase.
- Extra hardware that requires maintenance and service contracts.
- Requires the NOC to enter every new machine on campus that needs access to the Internet.
- Each machine that comes up or goes down requires an entry or a deletion.
NAT causes additional latency, which may inhibit some types of traffic or render them unusable.
- Needs testing for accurate results.
Firewalls limit bandwidth
- Current firewalls have difficulty achieving bandwidth up to a gigabit.
- Only a couple of vendors are available.
- Aggregating bandwidth beyond a gigabit becomes even more difficult.
- PIX 535 provides 9 gigabit interfaces but only a bit more than one gigabit of actual throughput. (http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/535_ds.htm)
- Even more drastic limitations with VPN support: PIX 535 does 95 Mbps of 3DES VPN, and that requires an additional daughtercard. (http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/ and http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/535_ds.htm)
Firewall limits concurrent connections
- PIX 535 only allows 500,000 connections. (http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/)
Perception of limitations on academic freedom
- Faculty/researchers want to utilize the network unencumbered as much as possible.
Increased complexity of troubleshooting campus connection to Internet/Internet2 Abilene
- when problems occur, is it the NAT translation, or is it...?
- are we running static NAT addresses?
- are we running dynamic NAT addresses?
Security
- NAT makes some security tasks harder rather than easier.
- With dynamic NAT, tracking down an internal perpetrator from an externally observed address requires the translation logs (which inside address held which public address and port at that moment); without them attribution becomes difficult.
- Static (one-to-one) addressing adds no security by itself: the translated host is reachable exactly as a publicly addressed one is, unless the box is protected port by port.
- ACLs can accomplish that task, with or without NAT.
Campus will have redundant links to its service provider and therefore will require redundant firewall/NAT services.
- Cost doubled.
- PIX 535 acts in hot standby fail-over mode.
Limitation of supported protocols
- IPsec AH breaks over NAT.
- AH's integrity check value covers the IP header, including the source and destination addresses.
- NAT rewrites those addresses, so the packet no longer matches the value the sender computed and the receiver rejects it.
- Some firewall equipment has problems with simple GRE tunnels.
- Multicast support is available on a limited number of firewalls.
- PIX supports stub multicast routing.
- Does not seem to support full MSDP/PIM/MBGP.
- Does support IGMP forwarding.
- Useful on the edge only; needs more research. (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/bafwcfg.htm#20915)
- Some research entities have voice conference software that currently does not work over NAT boxes (reference: School of Computing).
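The AH-over-NAT failure listed above, as an added example that is not part of the committee's document: a simplified model in which AH's integrity check value (ICV) is an HMAC over the outer source and destination addresses plus the rest of the packet, while ESP's ICV covers only the ESP header and payload. The real AH computation also covers the other immutable IP header fields and uses a truncated HMAC such as HMAC-SHA1-96; the point here is which bytes the check covers, not the algorithm. Addresses, the key and the packet body are constructed; the function and class names are mine.

```python
"""Why IPsec AH fails across NAT and ESP does not (added example, simplified model)."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str          # outer IP source address
    dst: str          # outer IP destination address
    body: bytes       # everything after the IP header (AH/ESP header + data)
    icv: bytes = b""  # integrity check value carried in the AH header or ESP trailer


def _addr(a):
    return ipaddress.ip_address(a).packed


def _mac(key, data):
    # Real AH/ESP use a truncated HMAC (e.g. HMAC-SHA1-96); the algorithm is a
    # detail here, the question is which bytes the MAC covers.
    return hmac.new(key, data, hashlib.sha256).digest()[:12]


def ah_protect(pkt, key):
    """AH: the ICV covers the immutable IP header fields (src and dst included)
    plus everything after the header.  Mutable fields such as TTL are zeroed
    in the real computation; this model keeps only the addresses."""
    return replace(pkt, icv=_mac(key, _addr(pkt.src) + _addr(pkt.dst) + pkt.body))


def ah_verify(pkt, key):
    expected = _mac(key, _addr(pkt.src) + _addr(pkt.dst) + pkt.body)
    return hmac.compare_digest(expected, pkt.icv)


def esp_protect(pkt, key):
    """ESP: the ICV covers only the ESP header and (encrypted) payload, never
    the outer IP addresses, so a rewritten address does not invalidate it.
    Encryption is omitted from the model; only ICV coverage matters here."""
    return replace(pkt, icv=_mac(key, pkt.body))


def esp_verify(pkt, key):
    return hmac.compare_digest(_mac(key, pkt.body), pkt.icv)


def nat_outbound(pkt, public_src):
    """Campus-border source NAT: rewrite the private source to a public address.
    Nothing else in the packet is touched."""
    return replace(pkt, src=public_src)


def demonstrate(key=b"constructed-sa-key"):
    """Run one packet through both protections, with and without NAT in the path."""
    # Constructed addresses: a private host inside campus talking to an outside peer.
    inner = Packet(src="10.20.30.40", dst="203.0.113.7", body=b"\x00" * 8 + b"hello")
    public = "155.99.255.1"  # constructed NAT pool address
    return {
        "ah_direct":   ah_verify(ah_protect(inner, key), key),
        "ah_via_nat":  ah_verify(nat_outbound(ah_protect(inner, key), public), key),
        "esp_direct":  esp_verify(esp_protect(inner, key), key),
        "esp_via_nat": esp_verify(nat_outbound(esp_protect(inner, key), public), key),
    }


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name:12} {'ICV ok' if ok else 'ICV FAILS'}")
```

ESP surviving the address rewrite is only half the story in practice: with transport-mode ESP the encrypted TCP checksum still covers the original addresses, and a port-overloading NAT cannot see ESP's ports at all, which is why ESP is carried through NAT with UDP encapsulation (NAT-T) rather than natively. AH has no such workaround, since the rewritten header is exactly what it authenticates.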
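The dynamic NAT attribution problem listed under Security above, as an added example that is not part of the committee's document: given a constructed translation log (written in the faddr/gaddr/laddr style of PIX connection syslogs; the exact message text is my approximation, not quoted from Cisco documentation), it maps the public address and port an outside party saw back to the inside host, and shows why the time of the event is needed, since the same global port is reused by another host once the first connection is torn down. Addresses, timestamps and function names are constructed.

```python
"""Attributing an externally seen NAT address back to an inside host from the
translation log (added example; the log lines are constructed)."""
import re
from datetime import datetime

# Constructed connection log, loosely in the faddr/gaddr/laddr form of PIX
# "Built"/"Teardown" connection syslogs.  faddr = outside peer, gaddr = the
# public (global) address and port the campus NAT used, laddr = the inside host.
# Global port 1025 is reused by a different inside host after connection 1001
# is torn down, which is exactly what makes attribution without a time ambiguous.
SAMPLE_LOG = """\
Jun 14 2002 10:01:02: %PIX-6-302001: Built outbound TCP connection 1001 for faddr 203.0.113.7/80 gaddr 155.99.255.1/1025 laddr 10.20.30.40/3321
Jun 14 2002 10:01:30: %PIX-6-302001: Built outbound TCP connection 1002 for faddr 198.51.100.9/22 gaddr 155.99.255.1/1026 laddr 10.20.30.41/4001
Jun 14 2002 10:05:00: %PIX-6-302002: Teardown TCP connection 1001 faddr 203.0.113.7/80 gaddr 155.99.255.1/1025 laddr 10.20.30.40/3321 duration 0:03:58 bytes 5120
Jun 14 2002 10:06:00: %PIX-6-302001: Built outbound TCP connection 1003 for faddr 203.0.113.7/80 gaddr 155.99.255.1/1025 laddr 10.20.30.55/2200
"""

TS_FMT = "%b %d %Y %H:%M:%S"
LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-30200[12]: "
    r"(?P<kind>Built|Teardown) \S*\s*TCP connection (?P<id>\d+) (?:for )?"
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)")


def parse_connections(log_text):
    """Fold Built/Teardown lines into one record per connection id."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(m["ts"], TS_FMT)
        cid = int(m["id"])
        if m["kind"] == "Built":
            conns[cid] = {
                "start": ts, "end": None,
                "laddr": m["laddr"], "lport": int(m["lport"]),
                "gaddr": m["gaddr"], "gport": int(m["gport"]),
                "faddr": m["faddr"], "fport": int(m["fport"]),
            }
        elif cid in conns:
            conns[cid]["end"] = ts  # still-open connections keep end=None
    return list(conns.values())


def attribute(conns, gaddr, gport, at=None):
    """Inside hosts that held the global (gaddr, gport) translation.  With `at`
    (a timestamp string in the log's own format) only translations live at that
    instant are returned; without it, every host that ever used the port is."""
    when = datetime.strptime(at, TS_FMT) if at else None
    hits = [c for c in conns if c["gaddr"] == gaddr and c["gport"] == gport]
    if when is not None:
        hits = [c for c in hits
                if c["start"] <= when and (c["end"] is None or when <= c["end"])]
    return sorted({c["laddr"] for c in hits})


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    # An abuse report usually names only the public address and port the outside saw.
    print("no time given:", attribute(conns, "155.99.255.1", 1025))
    print("at 10:03:00:  ", attribute(conns, "155.99.255.1", 1025, "Jun 14 2002 10:03:00"))
    print("at 10:06:30:  ", attribute(conns, "155.99.255.1", 1025, "Jun 14 2002 10:06:30"))
```

The practical consequence for the NOC is that a university-wide NAT only preserves accountability if the translation log is kept, timestamped from a synchronized clock, and retained long enough to answer a complaint that arrives days later; with static one-to-one NAT the mapping is fixed and none of this is needed.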
Buildings Connected to Nodes
Buildings connected to Park Building
Demark Bldg Demark Bldg #
Park 001
Park-ACS 001
David G. Hall 003
Kingsbury Hall 004
Museum Nat. Hist. 005
Steward Bldg 006
Life Science Bldg 007
Alfred Emery Bldg 008
North Physics 010
William Browning Bldg 011
LeRoy Cowles Bldg 013
Talmage Bldg 014
Performing Art Bldg 017
INSCC 019
Military Science Bldg 023
Student Services Bldg 040
Naval Science 043
Office Bldg 044
Bookstore 067
Aline Wilmot Skaggs Bldg 082
Biology Bldg 084
Development Office Bldg 124
Kennecott Bldg 372
Buildings connected to Merrill Engineer
Demark Bldg Demark Bldg #
EMRO 056
HEDCO 057
Mine Department 060
EMRL 061
EMCB 063
Merrill Engineer 064
Kennecott Bldg 372
Space Planning 680
Sponsored Projects 684
Buildings connected to Marriott Library
Demark Bldg Demark Bldg #
Social Work 026
Marriott Center for Dance 028
Einar Nielsen Field House 029
Rice-Eccles Stadium 032
Price Museum 035
Museum of Fine Arts 036
Architecture Bldg 037
Art Bldg 038
LNCO 049
Sill House 051
Alumni House 052
Orson Spenser Hall 054
Milton Bennion Hall 065
Pioneer Memorial Theater 066
Law Library 072
Law Bldg 073
Business College 074
FAMB 076
CRCC 077
Marriott Library 086
Chemistry Bldg 087
Public Safety 301
High Temp Bldg 303
Physical Plant 305
Buildings connected to Eccles Broadcast Center
Demark Bldg Demark Bldg #
Union Building 053
Jon Huntsman Center 090
HYPER North 092
Burdbige Center 098
Virginia Tanner Dance 101
ANNEX 105
Balliff Hall 155
VanCott Hall 168
Eccles broadcast Center 179
Austin Hall 181
High Temp Bldg 302
University Services Bldg 350
RMCOEH 512
Hospital ARUP 521
Eccles Institute of Human Gen 533
Huntsman Cancer Inst 555
Biomedical Polymers 570
Animal Resource Center 587
Wasatch Clinics 685
Buildings connected to Fort
Demark Bldg Demark Bldg #
Environmental Health 605
Officer Circle 606
Officer Circle 607
Officer Circle 608
Officer Circle 609
Officer Circle 610
Officer Circle 611
Officer Circle 612
Officer Circle 613
Officer Circle 614
Officer Circle 615
Officer Circle 649
Fort Douglas Bath House 650
Fort Douglas House 659
Fort Douglas Lib 676
Guest House 800
Chapel Glenn 802
Chapel Glenn 804
Gate Way 806
Gate Way 807
Sage Point 810
Sage Point 811
Sage Point 812
Sage Point 813
Sage Point 814
Heritage Center 815
Benchmark 820
Benchmark 821
Benchmark 822
Shoreline Ridge 825
Shoreline Ridge 826
Shoreline Ridge 827
Shoreline Ridge 828
Shoreline Ridge 829
Shoreline Ridge 830
Buildings connected to Black-Hawk
Demark Bldg Demark Bldg #
University Student Apartment 721
University Student Apartment 763
University Student Apartment 770
423 Wakara Way 856
421 Wakara Way 857
SARCOS 864
375 Chipeeta Way 876
615 Arapeen 886
675 Arapeen 887
Core Route Summarization Diagram