The College Student Market

[Ken Diliberto]

Andrew Dorsett wrote:

> On Sun, 14 Mar 2004, Sean Donelan wrote:
>
> > A student in a college dorm room with an uncontrolled DHCP address may not
> > be able to run a server, even though they have more than enough symetric
> > Gig-ethernet bandwidth and you know what dorm it is physically located
> > because all student servers look alike. On the other hand, a mobile
> This is a topic I get very soap-boxish about.  I have too many problems
> with providers who don't understand the college student market.  I can
> think of one university who requires students to login through a web
> portal before giving them a routable address.  This is such a waste of
> time for both parties.  Sure it makes tracking down the abusers much
> easier, but is it worth the time and effort to manage?  This is a very
> legitimate idea for public portals in common areas, but not in dorm rooms.
> In a dorm room situation or an apartment situation, you again know the
> physical port the DHCP request came in on.  You then know which room that
> port is connected to and you therefore have a general idea of who the
> abuser is.  So whats the big deal if you turn off the ports to the room
> until the users complain and the problem is resolved?
>
> I guess this requires very detailed cable map databases and is something
> some providers are relunctant to develop.  Scary thought.....
>
> Andrew
I'm curious about the concept of "College Student Market".  We have 
several thousand students in our dorms who only have two choices for 
Internet service - our dedicated Ethernet or their dial-up (which they 
would have to pay for).  We firewall them, packet shape them and don't 
pay much attention when they saturate their router.  Housing has a 
choice to use campus services or go outside for Internet service - a 
much more expensive choice considering the amount they pay the campus.

We respond to complaints about abusers on the ResNet by first disabling 
the port.  This is considered a strike against the resident for an AUP 
violation.  In theory, three strikes and they're out.

After we upgrade the ResNet equipment, we're planning on 802.1x 
authentication on the port.  I'm toying with suggesting certificates so 
we can simply revoke a cert if someone is a serious abuser which could 
(in theory) deny their workstation (laptop in most cases) access to the 
campus network.  The problem with this idea is the amount of overhead 
required to manage the certificate infrastructure.

As to the question of "is it worth the time and effort to manage", I 
think yes.  When the SQL Slammer worm hit last year, I put blocks at the 
border and blocks between subnets to contain the problem as best I could 
for two reasons (well, could be more but this is all I'm going to point 
out):
1 - Maintaining the usability of the campus network.
2 - Protecting the Internet in general from us.

How many ISP's care about either?  How many won't do either because it 
would affect their bottom line?

Back to the original topic.  We have a fairly good cable map.  We can 
track DHCP and can even black hole a MAC address so it can't get an 
address.  Why would we want a user to authenticate to the network?  It 
adds accountability and a little more paranoia that if they do something 
they shouldn't, they'll get caught and we'll turn them off.

Remember:  If you ask a student about their Internet access, you'll hear 
that it's free and they shouldn't be restricted as to what they can do.

Ken