[25846] in resnet
Re: NAT and RIAA
daemon@ATHENA.MIT.EDU (Paul Seward)
Thu Jan 27 06:05:23 2011
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-ID: <FB78E79BF222057D16651535@hatstand>
Date: Thu, 27 Jan 2011 11:05:05 +0000
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Paul Seward <paul.seward@BRISTOL.AC.UK>
To: RESNET-L@listserv.nd.edu
In-Reply-To: <LISTSERV%201101261141078494.896C@LISTSERV.ND.EDU>
--On Wednesday, January 26, 2011 11:41:07 -0500 Matt Foreman
<mforeman1@UNL.EDU> wrote:
> The University of Nebraska-Lincoln is trying to find out some information
> about other schools experience with private IP addresses used for their
> ResNet and what experiences these schools have in handling RIAA
> violations.
We don't NAT all of our ResNet, but we do NAT some sections of it.
Much like others have said, we log all NAT translations (build/teardown)
to a couple of syslog boxes and split the logs out hourly to make them
easier to check. If a complaint comes in about one of our NAT addresses
we can then look in the syslogs to identify the private address.
Once we've got that, we use various methods to track that IP back to a
user depending on which is more appropriate. (Eg our wireless ResNet is
802.1x so we can check the radius logs, for other sections of our ResNet
we do static dhcp based on a mac address registration system)
This usually works reasonably well. Occasionally we can't identify a
specific private IP with enough confidence to haul someone in - but this
is usually due to poor reporting from the complaining party.
Typical problems include:
- reports which specify a "port" but don't say if that's source or dest
- we've even had some reports which didn't specify a port of any kind
- reports which don't specify the timezone the timestamp is in
Generally in those cases, we pass the report back to the complainant
and tell them that we can't process it because their reporting isn't
detailed enough. If they want us to take any form of action, they need
to give us the information we need!
So, in summary - log everything, split it out hourly and if you can't
identify someone because the report is incomplete tell them so.
-Paul
----------------------------------------------------------------------
Paul Seward, Network Support Specialist, ResNet, University of Bristol
Paul.Seward@bristol.ac.uk +441179287856 GPG Key ID: E24DA8A2
GPG Fingerprint: 7210 4E4A B5FC 7D9C 39F8 5C3C 6759 3937 E24D A8A2
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
