[Micronet] New Visitor WiFi Service - Address Ranges


Isaac Orr
Hi Folks,

In the next few weeks, we'll be deploying CalVisitor, a new WiFi service aimed at visitors to the UC Berkeley campus.  CalVisitor will provide basic (i.e. web browsing) access to the internet without requiring authentication or the creation of a guest account.  Further details will be announced soon.

In the meantime, I wanted to ensure that the campus technical community was aware of this change, and had a chance to consider the approach they may want to take in regards to visitors on this wifi service.

Users of the CalVisitor service should not be considered to be members of the campus community in the same way that authenticated users of AirBears and AirBears2 are. We've set aside specific address ranges for this service.  Operators and administrators of services should decide whether or not to accept users from these address ranges.

In other words/TL;DR: the people connecting from the following IP addresses just walked in off the street.  If you don't trust them, or run a service that is supposed to be fully accessible to the public, you should consider blocking them via firewalls or similar means.

The address ranges are:

10.105.125.0/17 (Campus Routable 1918 - this is the IPv4 range that users will appear from to other on-campus systems and services).
192.31.105.128/25 (This is the NAT range for IPv4 - users of CalVisitor will appear to be using these addresses to offsite services).
2607:f140:6000::/48 (IPv6, for both on and off campus).

The official source for this list is here:



iso

--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

Re: [Micronet] New Visitor WiFi Service - Address Ranges

Isaac Orr
Hi Folks,

Of course, being a manager, and not a network engineer, I did not bother checking the subnet maths when making this post, copying and pasting a typo from our documentation.

The range
is actually

(Thanks to Mike Howard @ SAIT for pointing this out).

iso





--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
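
Added example, not part of the original thread or of any campus tooling: a strict CIDR check over the ranges exactly as posted in the announcement, showing why the first entry fails the "subnet maths" and why a blocklist loader should refuse the whole list rather than drop or silently mask a bad entry. The function names and the sample client addresses are constructed for illustration; the corrected range is not on this page and is not assumed here.

```python
import ipaddress

# Ranges exactly as written in the announcement. The first entry is the one
# the follow-up message calls a typo; the corrected value is not on this page.
POSTED_RANGES = ["10.105.125.0/17", "192.31.105.128/25", "2607:f140:6000::/48"]


def audit_ranges(ranges):
    """Parse each CIDR strictly; return (networks, rejected)."""
    networks, rejected = [], []
    for text in ranges:
        try:
            # strict=True rejects a base address with bits set below the mask
            networks.append(ipaddress.ip_network(text, strict=True))
        except ValueError as exc:
            rejected.append((text, str(exc)))
    return networks, rejected


def masked_form(text):
    """What a tool that silently clears host bits would load instead.

    This is only the mechanical result of masking, not the corrected range.
    """
    return str(ipaddress.ip_network(text, strict=False))


def build_blocklist(ranges):
    """Fail closed: refuse the whole list if any entry is malformed.

    Dropping the bad entry would leave that range unblocked; masking it
    would block a range nobody reviewed.
    """
    networks, rejected = audit_ranges(ranges)
    if rejected:
        raise ValueError("refusing to load blocklist: %r" % (rejected,))
    return networks


def is_visitor(addr, networks):
    """True if addr falls inside any network of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks if net.version == ip.version)


if __name__ == "__main__":
    nets, bad = audit_ranges(POSTED_RANGES)
    for text, reason in bad:
        print("rejected:", reason, "| masking would yield", masked_form(text))
    # Constructed sample client addresses, checked against the valid entries.
    for client in ["192.31.105.200", "192.31.105.5", "2607:f140:6000:1::10"]:
        print(client, "visitor" if is_visitor(client, nets) else "not visitor")
```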

 

Re: [Micronet] New Visitor WiFi Service - Address Ranges

Richard DeShong-2
I manage several servers in the data center.  They have what I call the "basic" firewall service of only allowing IP connections from "on campus" addresses.  This is not part of the OS firewall rules.

How does this affect these servers?  Do I have to make a request to have these IPs added to prohibit access?





--
Richard DeShong, Systems Analyst, Athletic Study Center, U.C.Berkeley
164 Chavez Student Center, Berkeley, CA, 94720-4220
510-642-5123     asc.berkeley.edu

 

Re: [Micronet] New Visitor WiFi Service - Address Ranges

Isaac Orr
Hi Richard,

If you have a firewall service that is managed by the Data Center for example, and you intend for your service to only be accessed by "campus" users, then yes, you should request that they deny access from these addresses in the firewall.

Regards

iso





--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]

 

Re: [Micronet] New Visitor WiFi Service - Address Ranges

Guy D. VINSON
Just curious... what is the intended customer for this service, or rather why is this being done? Don't get me wrong, I think free wifi for everyone is great, but given that this adds overhead and the history of attempts to cut costs in IT at UC, it puzzles me.

Guy Vinson
Computer Support and Consulting
510-842-7199


Re: [Micronet] New Visitor WiFi Service - Address Ranges

Isaac Orr
Guy,

The amount of overhead that's added here is minimal.  It's incredibly unlikely that usage of CalVisitor would be of a level that would require any upgrades to infrastructure, and our cost for internet traffic is basically "free".  Since CalVisitor overlays on top of all the existing campus WiFi infrastructure, it's just using something that was already in place.  Turning on an open, unauthenticated WiFi SSID is just about the simplest thing you can do in wireless networking, so this also didn't take a lot of technical staff time.

The existing guest wifi system is actually fairly painful to maintain - the captive portals that it uses require more manual maintenance than we are actually able to give them.  The guest pass system is very painful for anything other than creating one or two passes (and even then it's not great).  For people who have regular guests, run conferences, etc. (and for us here who have to make sure that such events get their guest passes properly), the existing system has been a real cost in terms of time and support.  We expect that CalVisitor will replace the vast majority of guest pass usage.  We'll eventually replace all of it with CalNet Guest IDs, to eliminate running two separate services that actually do the same thing.

In other words, we think that CalVisitor will actually save the campus time and money. To be honest though, we haven't done an official cost analysis of the benefits.  The service was created based on requests from several departments for a better way to handle guest wifi - in response we came up with the simplest possible solution we could, and implemented it.  Since it's basically centrally funded, the aim of the network group is to do exactly this - deliver services as requested by campus.  (And by the way if anyone has ideas, let us know!).

iso







--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]

 

Re: [Micronet] New Visitor WiFi Service - Address Ranges

Guy D. VINSON
Thank you for the explanation... As I said, I was just curious.

Guy Vinson
Computer support & repair
510-842-7199

On Oct 14, 2014, at 11:11 AM, Isaac Orr <[hidden email]> wrote:

Guy,

The amount of overhead that's added here is minimal.  It's incredibly unlikely that usage of CalVisitor would be of a level that would require any upgrades to infrastructure, and our cost for internet traffic is basically "free".  Since CalVisitor overlays on top of all the existing campus WiFi infrastructure, it's just using something that was already in place.  Turning on an open, unauthenticated WiFi SSID is just about the simplest thing you can do in wireless networking, so this also didn't take a lot of technical staff time.

The existing guest wifi system is actually fairly painful to maintain - the captive portals that it uses require more manual maintenance than we are actually able to  give them.  The guest pass system is very painful for anything other than creating one or two passes (and even then it's not great).  For people who have regular guests, run conferences etc (and for us here who have to make sure that such events get their guest passes properly), the existing system has been a real cost in terms of time and support.  We expect that CalVisitor will replace the vast majority of guest pass usage.  We'll eventually replace all of it with CalNet Guest ID's, to eliminate running two separate services that actually do the same thing.

In other words, we think that CalVisitor will actually save the campus time and money. To be honest though, we haven't done an official cost analysis of the benefits.  The service was created based on requests from several departments for a better way to handle guest wifi - in response we came up with the simplest possible solution we could, and implemented it.  Since it's basically centrally funded, the aim of the network group is to do exactly this - deliver services as requested by campus.  (And by the way if anyone has ideas, let us know!).

iso


On Tue, Oct 14, 2014 at 10:30 AM, Guy D. VINSON <[hidden email]> wrote:
Just curious... what is the intended customer for this service, or rather why is this being done. Don't get me wrong I think free wifi for everyone is great but given that this adds overhead and the history of attempts to cut costs in IT at UC it puzzles me. 

Guy Vinson
Computer Support and Consulting
510-842-7199

On Tue, Oct 14, 2014 at 9:36 AM, Isaac Orr <[hidden email]> wrote:
Hi Richard,

If you have a firewall service that is managed by the Data Center for example, and you intend for your service to only be accessed by "campus" users, then yes, you should request that they deny access from these addresses in the firewall.

Regards

iso


On Mon, Oct 13, 2014 at 8:13 PM, Richard DESHONG <[hidden email]> wrote:
I manage several servers in the data center.  They have what I call the "basic" firewall service of only allowing IP connections from "on campus" addresses.  This is not part of the OS filewall rules.

How does this affect these servers?  Do I have to make a request to have these IP's added to prohibit access?

On Mon, Oct 13, 2014 at 4:25 PM, Isaac Orr <[hidden email]> wrote:
Hi Folks,

Of course, being a manager, and not a network engineer, I did not bother checking the subnet maths when making this post, copy and pasting a typo from our documentation.

The range
is actually

(Thanks to Mike Howard @ SAIT for pointing this out).

iso


On Mon, Oct 13, 2014 at 2:22 PM, Isaac Orr <[hidden email]> wrote:
Hi Folks,

In the next few weeks, we'll be deploying CalVisitor, a new WiFi service aimed at visitors to the UC Berkeley campus.  CalVisitor will provide basic (i.e web browsing) access to the internet without requiring authentication or the creation of a guest account.  Further details will be announced soon.

In the mean time, I wanted to ensure that the campus technical community was aware of this change, and had a chance to consider the approach they may want to take in regards to visitors on this wifi service.

Users of the CalVisitor service should not be considered to be members of the campus community in the same way that authenticated users of AirBears and AirBears2 are. We've set aside specific address ranges for this service.  Operators and administrators of services should decide whether or not to accept users from these address ranges.

In other words/TL:DR: the people connecting from the following IP addresses just walked in off the street.  If you don't trust them, or run a service that is supposed to be fully accessible to the public, you should consider blocking them via firewalls or similar means.

The address ranges are:

10.105.125.0/17 (Campus Routable 1918 - this is the IPv4 range that users will appear from to other on-campus systems and services).
192.31.105.128/25 (This is the NAT range for IPv4 - users of CalVisitor will appear to be using these addresses to offsite services).
2607:f140:6000::/48 (IPv6, for both on and off campus).

The official source for this list is here:

https://wikihub.berkeley.edu/x/8wUqBg



iso

--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]



--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]


-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.




--
Richard DeShong, Systems Analyst, Athletic Study Center, U.C.Berkeley
164 Chavez Student Center, Berkeley, CA, 94720-4220
510-642-5123     asc.berkeley.edu



--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]







--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]

 

Re: [Micronet] New Visitor WiFi Service - Address Ranges

Aaron Russo
In reply to this post by Isaac Orr
Hey Isaac,

Maybe I'm reading things wrong, but the public networks list[1] seems to have this network sized as a /19 and not a /17.

...
SUPERNET             10.105.128.0/19 # supernet - Visitor wifi client subnets
...

Am I missing something?

Thanks,

Aaron

ftp://net.berkeley.edu/pub/networks.local

On Mon, Oct 13, 2014 at 4:25 PM, Isaac Orr <[hidden email]> wrote:
Hi Folks,

Of course, being a manager, and not a network engineer, I did not bother checking the subnet maths when making this post, copy and pasting a typo from our documentation.

The range
10.105.125.0/17
is actually
10.105.128.0/17

(Thanks to Mike Howard @ SAIT for pointing this out).

iso


On Mon, Oct 13, 2014 at 2:22 PM, Isaac Orr <[hidden email]> wrote:
Hi Folks,

In the next few weeks, we'll be deploying CalVisitor, a new WiFi service aimed at visitors to the UC Berkeley campus.  CalVisitor will provide basic (i.e web browsing) access to the internet without requiring authentication or the creation of a guest account.  Further details will be announced soon.

In the mean time, I wanted to ensure that the campus technical community was aware of this change, and had a chance to consider the approach they may want to take in regards to visitors on this wifi service.

Users of the CalVisitor service should not be considered to be members of the campus community in the same way that authenticated users of AirBears and AirBears2 are. We've set aside specific address ranges for this service.  Operators and administrators of services should decide whether or not to accept users from these address ranges.

In other words/TL:DR: the people connecting from the following IP addresses just walked in off the street.  If you don't trust them, or run a service that is supposed to be fully accessible to the public, you should consider blocking them via firewalls or similar means.

The address ranges are:

10.105.125.0/17 (Campus Routable 1918 - this is the IPv4 range that users will appear from to other on-campus systems and services).
192.31.105.128/25 (This is the NAT range for IPv4 - users of CalVisitor will appear to be using these addresses to offsite services).
2607:f140:6000::/48 (IPv6, for both on and off campus).

The official source for this list is here:

https://wikihub.berkeley.edu/x/8wUqBg



iso

--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]



--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]



Re: [Micronet] New Visitor WiFi Service - Address Ranges

Isaac Orr
Hi Aaron

We set aside the entire /17 for expansion and a place we may address
similar services in the future. In fact if you look at the following
networks in that list, you'll see that we've allocated further /22's
for CalVisitor that are beyond the /19.

iso


On Tue, Oct 14, 2014 at 1:47 PM, Aaron Russo <[hidden email]> wrote:

> Hey Isaac,
>
> Maybe I'm reading things wrong, but the public networks list[1] seems to
> have this network sized as a /19 and not a /17.
>
> ...
> SUPERNET             10.105.128.0/19 # supernet - Visitor wifi client
> subnets
> ...
>
> Am I missing something?
>
> Thanks,
>
> Aaron
>
> ftp://net.berkeley.edu/pub/networks.local
>
>
> On Mon, Oct 13, 2014 at 4:25 PM, Isaac Orr <[hidden email]> wrote:
>>
>> Hi Folks,
>>
>> Of course, being a manager, and not a network engineer, I did not bother
>> checking the subnet maths when making this post, copy and pasting a typo
>> from our documentation.
>>
>> The range
>> 10.105.125.0/17
>> is actually
>> 10.105.128.0/17
>>
>> (Thanks to Mike Howard @ SAIT for pointing this out).
>>
>> iso
>>
>>
>> On Mon, Oct 13, 2014 at 2:22 PM, Isaac Orr <[hidden email]> wrote:
>>>
>>> Hi Folks,
>>>
>>> In the next few weeks, we'll be deploying CalVisitor, a new WiFi service
>>> aimed at visitors to the UC Berkeley campus.  CalVisitor will provide basic
>>> (i.e web browsing) access to the internet without requiring authentication
>>> or the creation of a guest account.  Further details will be announced soon.
>>>
>>> In the mean time, I wanted to ensure that the campus technical community
>>> was aware of this change, and had a chance to consider the approach they may
>>> want to take in regards to visitors on this wifi service.
>>>
>>> Users of the CalVisitor service should not be considered to be members of
>>> the campus community in the same way that authenticated users of AirBears
>>> and AirBears2 are. We've set aside specific address ranges for this service.
>>> Operators and administrators of services should decide whether or not to
>>> accept users from these address ranges.
>>>
>>> In other words/TL:DR: the people connecting from the following IP
>>> addresses just walked in off the street.  If you don't trust them, or run a
>>> service that is supposed to be fully accessible to the public, you should
>>> consider blocking them via firewalls or similar means.
>>>
>>> The address ranges are:
>>>
>>> 10.105.125.0/17 (Campus Routable 1918 - this is the IPv4 range that users
>>> will appear from to other on-campus systems and services).
>>> 192.31.105.128/25 (This is the NAT range for IPv4 - users of CalVisitor
>>> will appear to be using these addresses to offsite services).
>>> 2607:f140:6000::/48 (IPv6, for both on and off campus).
>>>
>>> The official source for this list is here:
>>>
>>> https://wikihub.berkeley.edu/x/8wUqBg
>>>
>>>
>>> iso
>>>
>>> --
>>> Isaac Simon Orr
>>> Manager, Network Operations and Services
>>> IST Telecommunications, UC Berkeley
>>> P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
>>
>>
>>
>>
>> --
>> Isaac Simon Orr
>> Manager, Network Operations and Services
>> IST Telecommunications, UC Berkeley
>> P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
>>
>>
>>
>



--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
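
The range questions raised in this thread (the mistyped /17, the /19 that sits inside it, and whether a given client is a CalVisitor user) can be checked with Python's `ipaddress` module. This is an added example, not part of any message in the thread; the function names and the sample allowlist are assumptions constructed for illustration.

```python
import ipaddress

# Ranges as posted in the thread, with the corrected /17.
CALVISITOR_RANGES = [
    "10.105.128.0/17",      # campus-routable RFC 1918 range
    "192.31.105.128/25",    # IPv4 NAT range seen by offsite services
    "2607:f140:6000::/48",  # IPv6, on and off campus
]


def parse_ranges(cidrs):
    """Strictly parse CIDR strings. Returns (networks, errors)."""
    networks, errors = [], {}
    for cidr in cidrs:
        try:
            # strict=True rejects a prefix whose host bits are set,
            # which is exactly what the mistyped 10.105.125.0/17 is.
            networks.append(ipaddress.ip_network(cidr, strict=True))
        except ValueError as exc:
            errors[cidr] = str(exc)
    return networks, errors


def masked(cidr):
    """What a tool that silently masks host bits would install."""
    return ipaddress.ip_network(cidr, strict=False)


def is_visitor(addr, networks):
    """True if addr falls inside any of the visitor networks."""
    ip = ipaddress.ip_address(addr)
    # Dual-stack listeners can report IPv4 peers as ::ffff:a.b.c.d.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in networks)


def overlapping(allow_cidrs, networks):
    """Allowlist entries that still admit some visitor address."""
    hits = []
    for cidr in allow_cidrs:
        allow = ipaddress.ip_network(cidr, strict=True)
        if any(allow.version == n.version and allow.overlaps(n)
               for n in networks):
            hits.append(cidr)
    return hits


if __name__ == "__main__":
    nets, errs = parse_ranges(CALVISITOR_RANGES)
    print("parsed:", [str(n) for n in nets], "errors:", errs)

    _, typo_errs = parse_ranges(["10.105.125.0/17"])
    print("typo rejected:", typo_errs)
    print("typo if masked:", masked("10.105.125.0/17"))

    # The /19 from networks.local sits inside the reserved /17.
    print(ipaddress.ip_network("10.105.128.0/19").subnet_of(nets[0]))

    # Constructed sample "on campus" allowlist, not the real campus one.
    print(overlapping(["10.0.0.0/8", "172.16.0.0/12"], nets))

    for a in ["10.105.130.7", "10.105.125.1", "::ffff:10.105.200.1"]:
        print(a, is_visitor(a, nets))
```

A filter that silently masks the mistyped range installs 10.105.0.0/17, which contains no CalVisitor address, so validating ranges strictly before they reach a firewall rule is worth the extra step.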

 

Re: [Micronet] New Visitor WiFi Service - Address Ranges

Baril
While I am really happy to see progress on the wireless front to make
things a bit easier on campus, I am still befuddled as to why, if you
can set aside subnets for this project, you all cannot seem to come up
with a way to allow departments to use wireless devices (ie: printers,
Apple TV, etc.) similar to the CalVisitor setup. There are so many cost
saving, time saving things we all could be doing if we only had this
capability. Sorry for the rant.....

Best,

Roy

On 10/14/2014 2:25 PM, Isaac Orr wrote:

> Hi Aaron
>
> We set aside the entire /17 for expansion and a place we may address
> similar services in the future. In fact if you look at the following
> networks in that list, you'll see that we've allocated further /22's
> for CalVisitor that are beyond the /19.
>
> iso
>
>
> On Tue, Oct 14, 2014 at 1:47 PM, Aaron Russo <[hidden email]> wrote:
>> Hey Isaac,
>>
>> Maybe I'm reading things wrong, but the public networks list[1] seems to
>> have this network sized as a /19 and not a /17.
>>
>> ...
>> SUPERNET             10.105.128.0/19 # supernet - Visitor wifi client
>> subnets
>> ...
>>
>> Am I missing something?
>>
>> Thanks,
>>
>> Aaron
>>
>> ftp://net.berkeley.edu/pub/networks.local
>>
>>
>> On Mon, Oct 13, 2014 at 4:25 PM, Isaac Orr <[hidden email]> wrote:
>>> Hi Folks,
>>>
>>> Of course, being a manager, and not a network engineer, I did not bother
>>> checking the subnet maths when making this post, copy and pasting a typo
>>> from our documentation.
>>>
>>> The range
>>> 10.105.125.0/17
>>> is actually
>>> 10.105.128.0/17
>>>
>>> (Thanks to Mike Howard @ SAIT for pointing this out).
>>>
>>> iso
>>>
>>>
>>> On Mon, Oct 13, 2014 at 2:22 PM, Isaac Orr <[hidden email]> wrote:
>>>> Hi Folks,
>>>>
>>>> In the next few weeks, we'll be deploying CalVisitor, a new WiFi service
>>>> aimed at visitors to the UC Berkeley campus.  CalVisitor will provide basic
>>>> (i.e web browsing) access to the internet without requiring authentication
>>>> or the creation of a guest account.  Further details will be announced soon.
>>>>
>>>> In the mean time, I wanted to ensure that the campus technical community
>>>> was aware of this change, and had a chance to consider the approach they may
>>>> want to take in regards to visitors on this wifi service.
>>>>
>>>> Users of the CalVisitor service should not be considered to be members of
>>>> the campus community in the same way that authenticated users of AirBears
>>>> and AirBears2 are. We've set aside specific address ranges for this service.
>>>> Operators and administrators of services should decide whether or not to
>>>> accept users from these address ranges.
>>>>
>>>> In other words/TL:DR: the people connecting from the following IP
>>>> addresses just walked in off the street.  If you don't trust them, or run a
>>>> service that is supposed to be fully accessible to the public, you should
>>>> consider blocking them via firewalls or similar means.
>>>>
>>>> The address ranges are:
>>>>
>>>> 10.105.125.0/17 (Campus Routable 1918 - this is the IPv4 range that users
>>>> will appear from to other on-campus systems and services).
>>>> 192.31.105.128/25 (This is the NAT range for IPv4 - users of CalVisitor
>>>> will appear to be using these addresses to offsite services).
>>>> 2607:f140:6000::/48 (IPv6, for both on and off campus).
>>>>
>>>> The official source for this list is here:
>>>>
>>>> https://wikihub.berkeley.edu/x/8wUqBg
>>>>
>>>>
>>>> iso
>>>>
>>>> --
>>>> Isaac Simon Orr
>>>> Manager, Network Operations and Services
>>>> IST Telecommunications, UC Berkeley
>>>> P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
>>>
>>>
>>>
>>> --
>>> Isaac Simon Orr
>>> Manager, Network Operations and Services
>>> IST Telecommunications, UC Berkeley
>>> P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
>>>
>>>
>>>
>
>

--
Roy A. Baril
Director of Technology
Graduate School of Journalism
University of California
121 North Gate Hall
Berkeley, CA 94720
510-643-9215 -- Work
510-643-9136 -- Fax
925-352-9543 -- Cell


 

Re: [Micronet] New Visitor WiFi Service - Address Ranges

Graham Patterson
In reply to this post by Guy D. VINSON
This is a feature those of us supporting museums and other places with significant public presence really welcome. Our visitors do expect it these days.

Graham

Sent from my iPad

On Oct 14, 2014, at 12:14 PM, Guy D. VINSON <[hidden email]> wrote:

Thank you for the explanation... As I said I was just curious.

Guy Vinson
Computer support & repair
510-842-7199

On Oct 14, 2014, at 11:11 AM, Isaac Orr <[hidden email]> wrote:

Guy,

The amount of overhead that's added here is minimal.  It's incredibly unlikely that usage of CalVisitor would be of a level that would require any upgrades to infrastructure, and our cost for internet traffic is basically "free".  Since CalVisitor overlays on top of all the existing campus WiFi infrastructure, it's just using something that was already in place.  Turning on an open, unauthenticated WiFi SSID is just about the simplest thing you can do in wireless networking, so this also didn't take a lot of technical staff time.

The existing guest wifi system is actually fairly painful to maintain - the captive portals that it uses require more manual maintenance than we are actually able to  give them.  The guest pass system is very painful for anything other than creating one or two passes (and even then it's not great).  For people who have regular guests, run conferences etc (and for us here who have to make sure that such events get their guest passes properly), the existing system has been a real cost in terms of time and support.  We expect that CalVisitor will replace the vast majority of guest pass usage.  We'll eventually replace all of it with CalNet Guest ID's, to eliminate running two separate services that actually do the same thing.

In other words, we think that CalVisitor will actually save the campus time and money. To be honest though, we haven't done an official cost analysis of the benefits.  The service was created based on requests from several departments for a better way to handle guest wifi - in response we came up with the simplest possible solution we could, and implemented it.  Since it's basically centrally funded, the aim of the network group is to do exactly this - deliver services as requested by campus.  (And by the way if anyone has ideas, let us know!).

iso


On Tue, Oct 14, 2014 at 10:30 AM, Guy D. VINSON <[hidden email]> wrote:
Just curious... what is the intended customer for this service, or rather why is this being done. Don't get me wrong I think free wifi for everyone is great but given that this adds overhead and the history of attempts to cut costs in IT at UC it puzzles me. 

Guy Vinson
Computer Support and Consulting
510-842-7199

On Tue, Oct 14, 2014 at 9:36 AM, Isaac Orr <[hidden email]> wrote:
Hi Richard,

If you have a firewall service that is managed by the Data Center for example, and you intend for your service to only be accessed by "campus" users, then yes, you should request that they deny access from these addresses in the firewall.

Regards

iso


On Mon, Oct 13, 2014 at 8:13 PM, Richard DESHONG <[hidden email]> wrote:
I manage several servers in the data center.  They have what I call the "basic" firewall service of only allowing IP connections from "on campus" addresses.  This is not part of the OS firewall rules.

How does this affect these servers?  Do I have to make a request to have these IP's added to prohibit access?

On Mon, Oct 13, 2014 at 4:25 PM, Isaac Orr <[hidden email]> wrote:
Hi Folks,

Of course, being a manager, and not a network engineer, I did not bother checking the subnet maths when making this post, copy and pasting a typo from our documentation.

The range
10.105.125.0/17
is actually
10.105.128.0/17

(Thanks to Mike Howard @ SAIT for pointing this out).

iso


On Mon, Oct 13, 2014 at 2:22 PM, Isaac Orr <[hidden email]> wrote:
Hi Folks,

In the next few weeks, we'll be deploying CalVisitor, a new WiFi service aimed at visitors to the UC Berkeley campus.  CalVisitor will provide basic (i.e web browsing) access to the internet without requiring authentication or the creation of a guest account.  Further details will be announced soon.

In the mean time, I wanted to ensure that the campus technical community was aware of this change, and had a chance to consider the approach they may want to take in regards to visitors on this wifi service.

Users of the CalVisitor service should not be considered to be members of the campus community in the same way that authenticated users of AirBears and AirBears2 are. We've set aside specific address ranges for this service.  Operators and administrators of services should decide whether or not to accept users from these address ranges.

In other words/TL:DR: the people connecting from the following IP addresses just walked in off the street.  If you don't trust them, or run a service that is supposed to be fully accessible to the public, you should consider blocking them via firewalls or similar means.

The address ranges are:

10.105.125.0/17 (Campus Routable 1918 - this is the IPv4 range that users will appear from to other on-campus systems and services).
192.31.105.128/25 (This is the NAT range for IPv4 - users of CalVisitor will appear to be using these addresses to offsite services).
2607:f140:6000::/48 (IPv6, for both on and off campus).

The official source for this list is here:

https://wikihub.berkeley.edu/x/8wUqBg



iso

--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]



--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]






--
Richard DeShong, Systems Analyst, Athletic Study Center, U.C.Berkeley
164 Chavez Student Center, Berkeley, CA, 94720-4220
510-642-5123     asc.berkeley.edu



--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]







--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]


Re: [Micronet] New Visitor WiFi Service - Address Ranges

Isaac Orr
In reply to this post by Baril
Hi Roy,

I'm not certain that I'm clear about what particular
feature/capability you're referring to here, but I'll take a stab at a
couple possible ones:

a) being able to connect devices to wifi without requiring
authentication setup on them.  We don't do this, because we need to be
able to identify the owner of devices on the network for security and
policy purposes.  CalVisitor doesn't have this, but in its place it
has a very draconian security posture - we will disable access for any
device, at any time, for whatever reason we like, permanently.
There's no one you can ask to have the device re-enabled (more details
of this will be in upcoming announcements, probably stated less
harshly, but this is the reality of how we are handling CalVisitor).

b) Being able to connect to devices that advertise their services to
local subnets via multicastDNS style protocols like Bonjour.  The
reason is that this is a very different problem from setting aside
subnets for public wifi.  The wifi system actually is built primarily
around the idea that clients will use it to access resources off the
wifi network - not send data between devices over the wifi.  The other
issue is traffic that crosses from wired to wireless subnets - the
wifi and the wired network in a location are always separate subnets.
The protocols employed by these types of devices are usually not
designed to cross subnets, so some other technology is required to be
implemented to make that work.

The other issue with these protocols is that they are usually not
designed for enterprise environments.  This means that the security
and manageability of them is typically very poor.  Making airplay work
over the campus wifi sounds great, until you realize that a few
thousand people around you can now access your device, with minimal
security barriers.  This isn't a completely unsolvable problem, but it
is one that needs to be addressed.

The fact is that we will most likely eventually come up with a
solution that enables at least some of these types of services -
though you should never expect that you will be able to use every
consumer home networking protocol on a campus network.  You are right
that there is an ease of use issue here that it makes sense to
address. Unfortunately right now there are no really viable wide scale
solutions that are fully baked. Various vendors are working on
solutions, but most of these are quite new, and it will be a while
before they are truly ready for prime time on the sort of scale we
have here.

I hope this explains a little more clearly why solving this problem
isn't as simple as it might seem at first glance (and why we haven't
done it so far).

iso

On Tue, Oct 14, 2014 at 2:44 PM, Baril <[hidden email]> wrote:

> While I am really happy to see progress on the wireless front to make things
> a bit easier on campus, I am still befuddled as to why, if you can set aside
> subnets for this project, you all cannot seem to come up with a way to allow
> departments to use wireless devices (ie: printers, Apple TV, etc.) similar
> to the CalVisitor setup. There are so many cost saving, time saving things
> we all could be doing if we only had this capability. Sorry for the
> rant.....
>
> Best,
>
> Roy
>
>
> On 10/14/2014 2:25 PM, Isaac Orr wrote:
>>
>> Hi Aaron
>>
>> We set aside the entire /17 for expansion and a place we may address
>> similar services in the future. In fact if you look at the following
>> networks in that list, you'll see that we've allocated further /22's
>> for CalVisitor that are beyond the /19.
>>
>> iso
>>
>>
>> On Tue, Oct 14, 2014 at 1:47 PM, Aaron Russo <[hidden email]> wrote:
>>>
>>> Hey Isaac,
>>>
>>> Maybe I'm reading things wrong, but the public networks list[1] seems to
>>> have this network sized as a /19 and not a /17.
>>>
>>> ...
>>> SUPERNET             10.105.128.0/19 # supernet - Visitor wifi client
>>> subnets
>>> ...
>>>
>>> Am I missing something?
>>>
>>> Thanks,
>>>
>>> Aaron
>>>
>>> ftp://net.berkeley.edu/pub/networks.local
>>>
>>>
>>> On Mon, Oct 13, 2014 at 4:25 PM, Isaac Orr <[hidden email]> wrote:
>>>>
>>>> Hi Folks,
>>>>
>>>> Of course, being a manager, and not a network engineer, I did not bother
>>>> checking the subnet maths when making this post, copy and pasting a typo
>>>> from our documentation.
>>>>
>>>> The range
>>>> 10.105.125.0/17
>>>> is actually
>>>> 10.105.128.0/17
>>>>
>>>> (Thanks to Mike Howard @ SAIT for pointing this out).
>>>>
>>>> iso
>>>>
>>>>
>>>> On Mon, Oct 13, 2014 at 2:22 PM, Isaac Orr <[hidden email]> wrote:
>>>>>
>>>>> Hi Folks,
>>>>>
>>>>> In the next few weeks, we'll be deploying CalVisitor, a new WiFi
>>>>> service
>>>>> aimed at visitors to the UC Berkeley campus.  CalVisitor will provide
>>>>> basic
>>>>> (i.e web browsing) access to the internet without requiring
>>>>> authentication
>>>>> or the creation of a guest account.  Further details will be announced
>>>>> soon.
>>>>>
>>>>> In the mean time, I wanted to ensure that the campus technical
>>>>> community
>>>>> was aware of this change, and had a chance to consider the approach
>>>>> they may
>>>>> want to take in regards to visitors on this wifi service.
>>>>>
>>>>> Users of the CalVisitor service should not be considered to be members
>>>>> of
>>>>> the campus community in the same way that authenticated users of
>>>>> AirBears
>>>>> and AirBears2 are. We've set aside specific address ranges for this
>>>>> service.
>>>>> Operators and administrators of services should decide whether or not
>>>>> to
>>>>> accept users from these address ranges.
>>>>>
>>>>> In other words/TL:DR: the people connecting from the following IP
>>>>> addresses just walked in off the street.  If you don't trust them, or
>>>>> run a
>>>>> service that is supposed to be fully accessible to the public, you
>>>>> should
>>>>> consider blocking them via firewalls or similar means.
>>>>>
>>>>> The address ranges are:
>>>>>
>>>>> 10.105.125.0/17 (Campus Routable 1918 - this is the IPv4 range that
>>>>> users
>>>>> will appear from to other on-campus systems and services).
>>>>> 192.31.105.128/25 (This is the NAT range for IPv4 - users of CalVisitor
>>>>> will appear to be using these addresses to offsite services).
>>>>> 2607:f140:6000::/48 (IPv6, for both on and off campus).
>>>>>
>>>>> The official source for this list is here:
>>>>>
>>>>> https://wikihub.berkeley.edu/x/8wUqBg
>>>>>
>>>>>
>>>>> iso
>>>>>
>>>>> --
>>>>> Isaac Simon Orr
>>>>> Manager, Network Operations and Services
>>>>> IST Telecommunications, UC Berkeley
>>>>> P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Isaac Simon Orr
>>>> Manager, Network Operations and Services
>>>> IST Telecommunications, UC Berkeley
>>>> P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
>>>>
>>>>
>>>>
>>>>
>>
>>
>
> --
> Roy A. Baril
> Director of Technology
> Graduate School of Journalism
> University of California
> 121 North Gate Hall
> Berkeley, CA 94720
> 510-643-9215 -- Work
> 510-643-9136 -- Fax
> 925-352-9543 -- Cell
>



--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
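
Added example, not part of the original thread: a check of the address ranges quoted above using Python's standard `ipaddress` module. It shows why the `10.105.125.0/17` typo matters for anyone copying it into a firewall rule, confirms the /19 from networks.local sits inside the /17, and classifies client addresses against the corrected list. The sample client addresses and all function names are constructed for illustration.

```python
import ipaddress

# Ranges as quoted in the thread: the first announcement, then the correction.
ANNOUNCED = ["10.105.125.0/17", "192.31.105.128/25", "2607:f140:6000::/48"]
CORRECTED = ["10.105.128.0/17", "192.31.105.128/25", "2607:f140:6000::/48"]

# Constructed sample client addresses (not taken from the thread).
SAMPLE_CLIENTS = [
    "10.105.130.7",         # inside the corrected campus-routable range
    "10.105.125.1",         # inside the typo'd text, outside the real range
    "192.31.105.200",       # inside the NAT range
    "2607:f140:6000:1::5",  # inside the IPv6 range
    "::ffff:10.105.200.1",  # IPv4 client as seen on a dual-stack socket
]


def validate_ranges(cidrs):
    """Strictly parse CIDR strings.

    Returns (networks, problems). Each problem is (text, masked), where
    masked is the network a device would end up with if it silently
    cleared the host bits instead of rejecting the entry.
    """
    networks, problems = [], []
    for text in cidrs:
        try:
            networks.append(ipaddress.ip_network(text, strict=True))
        except ValueError:
            masked = ipaddress.ip_network(text, strict=False)
            problems.append((text, str(masked)))
    return networks, problems


def ranges_overlap(a, b):
    """True if the two CIDR strings share any address (host bits ignored)."""
    net_a = ipaddress.ip_network(a, strict=False)
    net_b = ipaddress.ip_network(b, strict=False)
    return net_a.overlaps(net_b)


def covered_by(allocation, supernet):
    """True if `allocation` lies entirely inside `supernet`."""
    return ipaddress.ip_network(allocation).subnet_of(
        ipaddress.ip_network(supernet))


def is_visitor(client, networks):
    """True if the client address falls in any of the visitor networks."""
    ip = ipaddress.ip_address(client)
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them
    # so the IPv4 ranges still match.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in networks)


if __name__ == "__main__":
    _, problems = validate_ranges(ANNOUNCED)
    for text, masked in problems:
        print(f"{text}: host bits set, masks to {masked}")
        print("  overlaps corrected range:",
              ranges_overlap(text, CORRECTED[0]))
    print("/19 inside /17:", covered_by("10.105.128.0/19", CORRECTED[0]))
    nets, _ = validate_ranges(CORRECTED)
    for client in SAMPLE_CLIENTS:
        verdict = "visitor" if is_visitor(client, nets) else "not visitor"
        print(f"{client}: {verdict}")
```

A rule built from the typo'd text on a device that masks host bits silently would cover 10.105.0.0/17, which shares no address with the real visitor range 10.105.128.0/17.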

 

Re: [Micronet] New Visitor WiFi Service - Address Ranges

Baril
Isaac,

Thanks for the reply. I am fully aware of what we can't do. My wish list
includes running some kind of "private" or off-the-grid wireless network
in my department to allow us to print to wireless capable printers from
any kind of mobile device. There are many other devices that could be
incorporated into our program if this type of service was available. It
boggles the mind that at a superior learning institution like Berkeley,
we can't seem to figure this out.

Rant over....

Best,

Roy
On 10/14/2014 3:44 PM, Isaac Orr wrote:

> Hi Roy,
>
> I'm not certain that I'm clear about what particular
> feature/capability you're referring to here, but I'll take a stab at a
> couple possible ones:
>
> a) being able to connect devices to wifi without requiring
> authentication setup on them.  We don't do this, because we need to be
> able to identify the owner of devices on the network for security and
> policy purposes.  CalVisitor doesn't have this, but in its place it
> has a very draconian security posture - we will disable access for any
> device, at any time, for whatever reason we like, permanently.
> There's no one you can ask to have the device re-enabled (more details
> of this will be in upcoming announcements, probably stated less
> harshly, but this is the reality of how we are handling CalVisitor).
>
> b) Being able to connect to devices that advertise their services to
> local subnets via multicastDNS style protocols like Bonjour.  The
> reason is that this is a very different problem from setting aside
> subnets for public wifi.  The wifi system actually is built primarily
> around the idea that clients will use it to access resources off the
> wifi network - not send data between devices over the wifi.  The other
> issue is traffic that crosses from wired to wireless subnets - the
> wifi and the wired network in a location are always separate subnets.
> The protocols employed by these types of devices are usually not
> designed to cross subnets, so some other technology is required to be
> implemented to make that work.
>
> The other issue with these protocols is that they are usually not
> designed for enterprise environments.  This means that the security
> and manageability of them is typically very poor.  Making airplay work
> over the campus wifi sounds great, until you realize that a few
> thousand people around you can now access your device, with minimal
> security barriers.  This isn't a completely unsolvable problem, but it
> is one that needs to be addressed.
>
> The fact is that we will most likely eventually come up with a
> solution that enables at least some of these types of services -
> though you should never expect that you will be able to use every
> consumer home networking protocol on a campus network.  You are right
> that there is an ease of use issue here that it makes sense to
> address. Unfortunately right now there are no really viable wide scale
> solutions that are fully baked. Various vendors are working on
> solutions, but most of these are quite new, and it will be a while
> before they are truly ready for prime time on the sort of scale we
> have here.
>
> I hope this explains a little more clearly why solving this problem
> isn't as simple as it might seem at first glance (and why we haven't
> done it so far).
>
> iso
>
> On Tue, Oct 14, 2014 at 2:44 PM, Baril <[hidden email]> wrote:
>> While I am really happy to see progress on the wireless front to make things
>> a bit easier on campus, I am still befuddled as to why, if you can set aside
>> subnets for this project, you all cannot seem to come up with a way to allow
>> departments to use wireless devices (ie: printers, Apple TV, etc.) similar
>> to the CalVisitor setup. There are so many cost saving, time saving things
>> we all could be doing if we only had this capability. Sorry for the
>> rant.....
>>
>> Best,
>>
>> Roy
>>
>>
>> On 10/14/2014 2:25 PM, Isaac Orr wrote:
>>> Hi Aaron
>>>
>>> We set aside the entire /17 for expansion and a place we may address
>>> similar services in the future. In fact if you look at the following
>>> networks in that list, you'll see that we've allocated further /22's
>>> for CalVisitor that are beyond the /19.
>>>
>>> iso
>>>
>>>
>>> On Tue, Oct 14, 2014 at 1:47 PM, Aaron Russo <[hidden email]> wrote:
>>>> Hey Isaac,
>>>>
>>>> Maybe I'm reading things wrong, but the public networks list[1] seems to
>>>> have this network sized as a /19 and not a /17.
>>>>
>>>> ...
>>>> SUPERNET             10.105.128.0/19 # supernet - Visitor wifi client
>>>> subnets
>>>> ...
>>>>
>>>> Am I missing something?
>>>>
>>>> Thanks,
>>>>
>>>> Aaron
>>>>
>>>> ftp://net.berkeley.edu/pub/networks.local
>>>>
>>>>
>>>> On Mon, Oct 13, 2014 at 4:25 PM, Isaac Orr <[hidden email]> wrote:
>>>>> Hi Folks,
>>>>>
>>>>> Of course, being a manager, and not a network engineer, I did not bother
>>>>> checking the subnet maths when making this post, copy and pasting a typo
>>>>> from our documentation.
>>>>>
>>>>> The range
>>>>> 10.105.125.0/17
>>>>> is actually
>>>>> 10.105.128.0/17
>>>>>
>>>>> (Thanks to Mike Howard @ SAIT for pointing this out).
>>>>>
>>>>> iso
>>>>>
>>>>>
>>>>> On Mon, Oct 13, 2014 at 2:22 PM, Isaac Orr <[hidden email]> wrote:
>>>>>> Hi Folks,
>>>>>>
>>>>>> In the next few weeks, we'll be deploying CalVisitor, a new WiFi
>>>>>> service
>>>>>> aimed at visitors to the UC Berkeley campus.  CalVisitor will provide
>>>>>> basic
>>>>>> (i.e web browsing) access to the internet without requiring
>>>>>> authentication
>>>>>> or the creation of a guest account.  Further details will be announced
>>>>>> soon.
>>>>>>
>>>>>> In the mean time, I wanted to ensure that the campus technical
>>>>>> community
>>>>>> was aware of this change, and had a chance to consider the approach
>>>>>> they may
>>>>>> want to take in regards to visitors on this wifi service.
>>>>>>
>>>>>> Users of the CalVisitor service should not be considered to be members
>>>>>> of
>>>>>> the campus community in the same way that authenticated users of
>>>>>> AirBears
>>>>>> and AirBears2 are. We've set aside specific address ranges for this
>>>>>> service.
>>>>>> Operators and administrators of services should decide whether or not
>>>>>> to
>>>>>> accept users from these address ranges.
>>>>>>
>>>>>> In other words/TL:DR: the people connecting from the following IP
>>>>>> addresses just walked in off the street.  If you don't trust them, or
>>>>>> run a
>>>>>> service that is supposed to be fully accessible to the public, you
>>>>>> should
>>>>>> consider blocking them via firewalls or similar means.
>>>>>>
>>>>>> The address ranges are:
>>>>>>
>>>>>> 10.105.125.0/17 (Campus Routable 1918 - this is the IPv4 range that
>>>>>> users
>>>>>> will appear from to other on-campus systems and services).
>>>>>> 192.31.105.128/25 (This is the NAT range for IPv4 - users of CalVisitor
>>>>>> will appear to be using these addresses to offsite services).
>>>>>> 2607:f140:6000::/48 (IPv6, for both on and off campus).
>>>>>>
>>>>>> The official source for this list is here:
>>>>>>
>>>>>> https://wikihub.berkeley.edu/x/8wUqBg
>>>>>>
>>>>>>
>>>>>> iso
>>>>>>
>>>>>> --
>>>>>> Isaac Simon Orr
>>>>>> Manager, Network Operations and Services
>>>>>> IST Telecommunications, UC Berkeley
>>>>>> P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Isaac Simon Orr
>>>>> Manager, Network Operations and Services
>>>>> IST Telecommunications, UC Berkeley
>>>>> P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
>>>>>
>>>>>
>>>>>
>>>>>
>>>
>> --
>> Roy A. Baril
>> Director of Technology
>> Graduate School of Journalism
>> University of California
>> 121 North Gate Hall
>> Berkeley, CA 94720
>> 510-643-9215 -- Work
>> 510-643-9136 -- Fax
>> 925-352-9543 -- Cell
>>
>
>

--
Roy A. Baril
Director of Technology
Graduate School of Journalism
University of California
121 North Gate Hall
Berkeley, CA 94720
510-643-9215 -- Work
510-643-9136 -- Fax
925-352-9543 -- Cell


 

Re: [Micronet] New Visitor WiFi Service - Address Ranges

Anna Maurer
In reply to this post by Graham Patterson

I work in Rec Sports and this is wonderful news! Our Event staff will be happy not to have to manage 100’s of guest passes for the various events we host, especially Caltopia.

 

Question – we’ve added about 6-7 Airbears access points specifically for coverage during Caltopia. Will we need to make any changes to these points to be able to use CalVisitor? Forgive me if it’s an odd question – I’m not a wireless expert.

 

Anna

Rec Sports

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Graham A PATTERSON
Sent: Tuesday, October 14, 2014 3:21 PM
To: Guy D. VINSON
Cc: group Micronet-UCB user microcomputer support
Subject: Re: [Micronet] New Visitor WiFi Service - Address Ranges

 

This is a feature those of us supporting museums and other places with significant public presence really welcome. Our visitors do expect it these days.

 

Graham

Sent from my iPad


On Oct 14, 2014, at 12:14 PM, Guy D. VINSON <[hidden email]> wrote:

Thank you for the explanation... As I said I was just curious.

Guy Vinson

Computer support & repair

510-842-7199


On Oct 14, 2014, at 11:11 AM, Isaac Orr <[hidden email]> wrote:

Guy,

 

The amount of overhead that's added here is minimal.  It's incredibly unlikely that usage of CalVisitor would be of a level that would require any upgrades to infrastructure, and our cost for internet traffic is basically "free".  Since CalVisitor overlays on top of all the existing campus WiFi infrastructure, it's just using something that was already in place.  Turning on an open, unauthenticated WiFi SSID is just about the simplest thing you can do in wireless networking, so this also didn't take a lot of technical staff time.

 

The existing guest wifi system is actually fairly painful to maintain - the captive portals that it uses require more manual maintenance than we are actually able to  give them.  The guest pass system is very painful for anything other than creating one or two passes (and even then it's not great).  For people who have regular guests, run conferences etc (and for us here who have to make sure that such events get their guest passes properly), the existing system has been a real cost in terms of time and support.  We expect that CalVisitor will replace the vast majority of guest pass usage.  We'll eventually replace all of it with CalNet Guest ID's, to eliminate running two separate services that actually do the same thing.

 

In other words, we think that CalVisitor will actually save the campus time and money. To be honest though, we haven't done an official cost analysis of the benefits.  The service was created based on requests from several departments for a better way to handle guest wifi - in response we came up with the simplest possible solution we could, and implemented it.  Since it's basically centrally funded, the aim of the network group is to do exactly this - deliver services as requested by campus.  (And by the way if anyone has ideas, let us know!).

 

iso

 

 

On Tue, Oct 14, 2014 at 10:30 AM, Guy D. VINSON <[hidden email]> wrote:

Just curious... what is the intended customer for this service, or rather why is this being done. Don't get me wrong I think free wifi for everyone is great but given that this adds overhead and the history of attempts to cut costs in IT at UC it puzzles me. 


Guy Vinson

Computer Support and Consulting

510-842-7199

 

On Tue, Oct 14, 2014 at 9:36 AM, Isaac Orr <[hidden email]> wrote:

Hi Richard,

 

If you have a firewall service that is managed by the Data Center for example, and you intend for your service to only be accessed by "campus" users, then yes, you should request that they deny access from these addresses in the firewall.

 

Regards

 

iso

 

 

On Mon, Oct 13, 2014 at 8:13 PM, Richard DESHONG <[hidden email]> wrote:

I manage several servers in the data center.  They have what I call the "basic" firewall service of only allowing IP connections from "on campus" addresses.  This is not part of the OS firewall rules.

 

How does this affect these servers?  Do I have to make a request to have these IP's added to prohibit access?

 

On Mon, Oct 13, 2014 at 4:25 PM, Isaac Orr <[hidden email]> wrote:

Hi Folks,

 

Of course, being a manager, and not a network engineer, I did not bother checking the subnet maths when making this post, copy and pasting a typo from our documentation.

 

The range

is actually

 

(Thanks to Mike Howard @ SAIT for pointing this out).

 

iso

 

 

On Mon, Oct 13, 2014 at 2:22 PM, Isaac Orr <[hidden email]> wrote:

Hi Folks,

 

In the next few weeks, we'll be deploying CalVisitor, a new WiFi service aimed at visitors to the UC Berkeley campus.  CalVisitor will provide basic (i.e web browsing) access to the internet without requiring authentication or the creation of a guest account.  Further details will be announced soon.

 

In the mean time, I wanted to ensure that the campus technical community was aware of this change, and had a chance to consider the approach they may want to take in regards to visitors on this wifi service.

 

Users of the CalVisitor service should not be considered to be members of the campus community in the same way that authenticated users of AirBears and AirBears2 are. We've set aside specific address ranges for this service.  Operators and administrators of services should decide whether or not to accept users from these address ranges.

 

In other words/TL:DR: the people connecting from the following IP addresses just walked in off the street.  If you don't trust them, or run a service that is supposed to be fully accessible to the public, you should consider blocking them via firewalls or similar means.

 

The address ranges are:

 

10.105.125.0/17 (Campus Routable 1918 - this is the IPv4 range that users will appear from to other on-campus systems and services).

192.31.105.128/25 (This is the NAT range for IPv4 - users of CalVisitor will appear to be using these addresses to offsite services).

2607:f140:6000::/48 (IPv6, for both on and off campus).

 

The official source for this list is here:

 

 

 

iso

 

--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]



 

--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]

 




 

--

Richard DeShong, Systems Analyst, Athletic Study Center, U.C.Berkeley
164 Chavez Student Center, Berkeley, CA, 94720-4220
510-642-5123     asc.berkeley.edu



 

--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]




 



 

--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]




 

Re: [Micronet] New Visitor WiFi Service - Address Ranges

Isaac Orr
Hi Anna,

It's our plan to enable CalVisitor wherever we have
AirBears/AirBears2.  All campus managed access points will be
configured automatically for the new service, so you shouldn't have to
do anything.

iso


On Tue, Oct 14, 2014 at 4:11 PM, Anna Maurer <[hidden email]> wrote:

> I work in Rec Sports and this is wonderful news! Our Event staff will be
> happy not to have to manage 100’s of guest passes for the various events we
> host, especially Caltopia.
>
>
>
> Question – we’ve added about 6-7 Airbears access points specifically for
> coverage during Caltopia. Will we need to make any changes to these points
> to be able to use CalVisitor? Forgive me if it’s an odd question – I’m not a
> wireless expert.
>
>
>
> Anna
>
> Rec Sports
>
>
>
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Graham A
> PATTERSON
> Sent: Tuesday, October 14, 2014 3:21 PM
> To: Guy D. VINSON
> Cc: group Micronet-UCB user microcomputer support
> Subject: Re: [Micronet] New Visitor WiFi Service - Address Ranges
>
>
>
> This is a feature those of us supporting museums and other places with
> significant public presence really welcome. Our visitors do expect it these
> days.
>
>
>
> Graham
>
> Sent from my iPad
>
>
> On Oct 14, 2014, at 12:14 PM, Guy D. VINSON <[hidden email]> wrote:
>
> Thank you for the explanation... As I said I was just curious.
>
> Guy Vinson
>
> Computer support & repair
>
> 510-842-7199
>
>
> On Oct 14, 2014, at 11:11 AM, Isaac Orr <[hidden email]> wrote:
>
> Guy,
>
>
>
> The amount of overhead that's added here is minimal.  It's incredibly
> unlikely that usage of CalVisitor would be of a level that would require any
> upgrades to infrastructure, and our cost for internet traffic is basically
> "free".  Since CalVisitor overlays on top of all the existing campus WiFi
> infrastructure, it's just using something that was already in place.
> Turning on an open, unauthenticated WiFi SSID is just about the simplest
> thing you can do in wireless networking, so this also didn't take a lot of
> technical staff time.
>
>
>
> The existing guest wifi system is actually fairly painful to maintain - the
> captive portals that it uses require more manual maintenance than we are
> actually able to  give them.  The guest pass system is very painful for
> anything other than creating one or two passes (and even then it's not
> great).  For people who have regular guests, run conferences etc (and for us
> here who have to make sure that such events get their guest passes
> properly), the existing system has been a real cost in terms of time and
> support.  We expect that CalVisitor will replace the vast majority of guest
> pass usage.  We'll eventually replace all of it with CalNet Guest ID's, to
> eliminate running two separate services that actually do the same thing.
>
>
>
> In other words, we think that CalVisitor will actually save the campus time
> and money. To be honest though, we haven't done an official cost analysis of
> the benefits.  The service was created based on requests from several
> departments for a better way to handle guest wifi - in response we came up
> with the simplest possible solution we could, and implemented it.  Since
> it's basically centrally funded, the aim of the network group is to do
> exactly this - deliver services as requested by campus.  (And by the way if
> anyone has ideas, let us know!).
>
>
>
> iso
>
>
>
>
>
> On Tue, Oct 14, 2014 at 10:30 AM, Guy D. VINSON <[hidden email]>
> wrote:
>
> Just curious... what is the intended customer for this service, or rather
> why is this being done. Don't get me wrong I think free wifi for everyone is
> great but given that this adds overhead and the history of attempts to cut
> costs in IT at UC it puzzles me.
>
>
> Guy Vinson
>
> Computer Support and Consulting
>
> 510-842-7199
>
>
>
> On Tue, Oct 14, 2014 at 9:36 AM, Isaac Orr <[hidden email]> wrote:
>
> Hi Richard,
>
>
>
> If you have a firewall service that is managed by the Data Center for
> example, and you intend for your service to only be accessed by "campus"
> users, then yes, you should request that they deny access from these
> addresses in the firewall.
>
>
>
> Regards
>
>
>
> iso
>
>
>
>
>
> On Mon, Oct 13, 2014 at 8:13 PM, Richard DESHONG <[hidden email]>
> wrote:
>
> I manage several servers in the data center.  They have what I call the
> "basic" firewall service of only allowing IP connections from "on campus"
> addresses.  This is not part of the OS firewall rules.
>
>
>
> How does this affect these servers?  Do I have to make a request to have
> these IP's added to prohibit access?
>
>
>
> On Mon, Oct 13, 2014 at 4:25 PM, Isaac Orr <[hidden email]> wrote:
>
> Hi Folks,
>
>
>
> Of course, being a manager, and not a network engineer, I did not bother
> checking the subnet maths when making this post, copy and pasting a typo
> from our documentation.
>
>
>
> The range
>
> 10.105.125.0/17
>
> is actually
>
> 10.105.128.0/17
>
>
>
> (Thanks to Mike Howard @ SAIT for pointing this out).
>
>
>
> iso
>
>
>
>
>
> On Mon, Oct 13, 2014 at 2:22 PM, Isaac Orr <[hidden email]> wrote:
>
> Hi Folks,
>
>
>
> In the next few weeks, we'll be deploying CalVisitor, a new WiFi service
> aimed at visitors to the UC Berkeley campus.  CalVisitor will provide basic
> (i.e web browsing) access to the internet without requiring authentication
> or the creation of a guest account.  Further details will be announced soon.
>
>
>
> In the mean time, I wanted to ensure that the campus technical community was
> aware of this change, and had a chance to consider the approach they may
> want to take in regards to visitors on this wifi service.
>
>
>
> Users of the CalVisitor service should not be considered to be members of
> the campus community in the same way that authenticated users of AirBears
> and AirBears2 are. We've set aside specific address ranges for this service.
> Operators and administrators of services should decide whether or not to
> accept users from these address ranges.
>
>
>
> In other words/TL:DR: the people connecting from the following IP addresses
> just walked in off the street.  If you don't trust them, or run a service
> that is supposed to be fully accessible to the public, you should consider
> blocking them via firewalls or similar means.
>
>
>
> The address ranges are:
>
>
>
> 10.105.125.0/17 (Campus Routable 1918 - this is the IPv4 range that users
> will appear from to other on-campus systems and services).
>
> 192.31.105.128/25 (This is the NAT range for IPv4 - users of CalVisitor will
> appear to be using these addresses to offsite services).
>
> 2607:f140:6000::/48 (IPv6, for both on and off campus).
>
>
>
> The official source for this list is here:
>
>
>
> https://wikihub.berkeley.edu/x/8wUqBg
>
>
>
>
>
> iso
>
>
>
> --
> Isaac Simon Orr
> Manager, Network Operations and Services
> IST Telecommunications, UC Berkeley
> P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
>
>
>
>
>
> --
> Isaac Simon Orr
> Manager, Network Operations and Services
> IST Telecommunications, UC Berkeley
> P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
>
>
>
>
>
>
>
>
> --
>
> Richard DeShong, Systems Analyst, Athletic Study Center, U.C.Berkeley
> 164 Chavez Student Center, Berkeley, CA, 94720-4220
> 510-642-5123     asc.berkeley.edu
>
>
>
>
>
> --
> Isaac Simon Orr
> Manager, Network Operations and Services
> IST Telecommunications, UC Berkeley
> P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
>
>
>
>
>
>
>
>
>
>
> --
> Isaac Simon Orr
> Manager, Network Operations and Services
> IST Telecommunications, UC Berkeley
> P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
>
>
>
>
>
>



--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]

 
Re: [Micronet] New Visitor WiFi Service - Address Ranges

Lawrence Huntley SWEET
In reply to this post by Baril
Hi Gentlemen,

Back when I was at the Bus. School, I had a working prototype of a print server that connected LAN-based printers to mobile clients over an "off-grid" wireless link that broadcast its services over Bonjour.

I left shortly thereafter; and I don't think it's been employed. We had an uphill battle trying to legitimize a Bonjour installation to the campus community.

It worked well in the manicured contexts of testing, but in retrospect, I think it needed a platform-neutral (Mono would probably do) app that, once loaded: 1) would hook the main print routines on the clients and then temporarily connect to the off-grid SSID for the duration of the job, and 2) after which it would switch back to the previously active interface.

Many congrats on the guest wireless rollout. Awesome news for the campus!

Lawrence

Lawrence Sweet
AP III .-|-. SAIT
510 -612-6180
A lie told often enough becomes the truth.

On Tue, Oct 14, 2014 at 4:07 PM, Baril <[hidden email]> wrote:
Isaac,

Thanks for the reply. I am fully aware of what we can't do. My wish list
includes running some kind of "private" or off-the-grid wireless network
in my department to allow us to print to wireless capable printers from
any kind of mobile device. There are many other devices that could be
incorporated into our program if this type of service was available. It
boggles the mind that at a superior learning institution like Berkeley,
we can't seem to figure this out.

Rant over....

Best,

Roy
On 10/14/2014 3:44 PM, Isaac Orr wrote:
> Hi Roy,
>
> I'm not certain that I'm clear about what particular
> feature/capability you're referring to here, but I'll take a stab at a
> couple possible ones:
>
> a) being able to connect devices to wifi without requiring
> authentication setup on them.  We don't do this, because we need to be
> able to identify the owner of devices on the network for security and
> policy purposes.  CalVisitor doesn't have this, but in its place it
> has a very draconian security posture - we will disable access for any
> device, at any time, for whatever reason we like, permanently.
> There's no one you can ask to have the device re-enabled (more details
> of this will be in upcoming announcements, probably stated less
> harshly, but this is the reality of how we are handling CalVisitor).
>
> b) Being able to connect to devices that advertise their services to
> local subnets via multicastDNS style protocols like Bonjour.  The
> reason is that this is a very different problem from setting aside
> subnets for public wifi.  The wifi system actually is built primarily
> around the idea that clients will use it to access resources off the
> wifi network - not send data between devices over the wifi.  The other
> issue is traffic that crosses from wired to wireless subnets - the
> wifi and the wired network in a location are always separate subnets.
> The protocols employed by these types of devices are usually not
> designed to cross subnets, so some other technology is required to be
> implemented to make that work.
>
> The other issue with these protocols is that they are usually not
> designed for enterprise environments.  This means that the security
> and manageability of them is typically very poor.  Making AirPlay work
> over the campus wifi sounds great, until you realize that a few
> thousand people around you can now access your device, with minimal
> security barriers.  This isn't a completely unsolvable problem, but it
> is one that needs to be addressed.
>
> The fact is that we will most likely eventually come up with a
> solution that enables at least some of these types of services -
> though you should never expect that you will be able to use every
> consumer home networking protocol on a campus network.  You are right
> that there is an ease of use issue here that it makes sense to
> address. Unfortunately right now there are no really viable wide scale
> solutions that are fully baked. Various vendors are working on
> solutions, but most of these are quite new, and it will be a while
> before they are truly ready for prime time on the sort of scale we
> have here.
>
> I hope this explains a little more clearly why solving this problem
> isn't as simple as it might seem at first glance (and why we haven't
> done it so far).
>
> iso
>
> On Tue, Oct 14, 2014 at 2:44 PM, Baril <[hidden email]> wrote:
>> While I am really happy to see progress on the wireless front to make things
>> a bit easier on campus, I am still befuddled as to why, if you can set aside
>> subnets for this project, you all cannot seem to come up with a way to allow
>> departments to use wireless devices (ie: printers, Apple TV, etc.) similar
>> to the CalVisitor setup. There are so many cost saving, time saving things
>> we all could be doing if we only had this capability. Sorry for the
>> rant.....
>>
>> Best,
>>
>> Roy
>>
>>
>> On 10/14/2014 2:25 PM, Isaac Orr wrote:
>>> Hi Aaron
>>>
>>> We set aside the entire /17 for expansion and a place we may address
>>> similar services in the future. In fact if you look at the following
>>> networks in that list, you'll see that we've allocated further /22's
>>> for CalVisitor that are beyond the /19.
>>>
>>> iso
>>>
>>>
>>> On Tue, Oct 14, 2014 at 1:47 PM, Aaron Russo <[hidden email]> wrote:
>>>> Hey Isaac,
>>>>
>>>> Maybe I'm reading things wrong, but the public networks list[1] seems to
>>>> have this network sized as a /19 and not a /17.
>>>>
>>>> ...
>>>> SUPERNET             10.105.128.0/19 # supernet - Visitor wifi client
>>>> subnets
>>>> ...
>>>>
>>>> Am I missing something?
>>>>
>>>> Thanks,
>>>>
>>>> Aaron
>>>>
>>>> ftp://net.berkeley.edu/pub/networks.local
>>>>
>>>>
>>>> On Mon, Oct 13, 2014 at 4:25 PM, Isaac Orr <[hidden email]> wrote:
>>>>> Hi Folks,
>>>>>
>>>>> Of course, being a manager, and not a network engineer, I did not bother
>>>>> checking the subnet maths when making this post, copy and pasting a typo
>>>>> from our documentation.
>>>>>
>>>>> The range
>>>>> 10.105.125.0/17
>>>>> is actually
>>>>> 10.105.128.0/17
>>>>>
>>>>> (Thanks to Mike Howard @ SAIT for pointing this out).
>>>>>
>>>>> iso
>>>>>
>>>>>
>>>>> On Mon, Oct 13, 2014 at 2:22 PM, Isaac Orr <[hidden email]> wrote:
>>>>>> Hi Folks,
>>>>>>
>>>>>> In the next few weeks, we'll be deploying CalVisitor, a new WiFi
>>>>>> service
>>>>>> aimed at visitors to the UC Berkeley campus.  CalVisitor will provide
>>>>>> basic
>>>>>> (i.e web browsing) access to the internet without requiring
>>>>>> authentication
>>>>>> or the creation of a guest account.  Further details will be announced
>>>>>> soon.
>>>>>>
>>>>>> In the mean time, I wanted to ensure that the campus technical
>>>>>> community
>>>>>> was aware of this change, and had a chance to consider the approach
>>>>>> they may
>>>>>> want to take in regards to visitors on this wifi service.
>>>>>>
>>>>>> Users of the CalVisitor service should not be considered to be members
>>>>>> of
>>>>>> the campus community in the same way that authenticated users of
>>>>>> AirBears
>>>>>> and AirBears2 are. We've set aside specific address ranges for this
>>>>>> service.
>>>>>> Operators and administrators of services should decide whether or not
>>>>>> to
>>>>>> accept users from these address ranges.
>>>>>>
>>>>>> In other words/TL:DR: the people connecting from the following IP
>>>>>> addresses just walked in off the street.  If you don't trust them, or
>>>>>> run a
>>>>>> service that is supposed to be fully accessible to the public, you
>>>>>> should
>>>>>> consider blocking them via firewalls or similar means.
>>>>>>
>>>>>> The address ranges are:
>>>>>>
>>>>>> 10.105.125.0/17 (Campus Routable 1918 - this is the IPv4 range that
>>>>>> users
>>>>>> will appear from to other on-campus systems and services).
>>>>>> 192.31.105.128/25 (This is the NAT range for IPv4 - users of CalVisitor
>>>>>> will appear to be using these addresses to offsite services).
>>>>>> 2607:f140:6000::/48 (IPv6, for both on and off campus).
>>>>>>
>>>>>> The official source for this list is here:
>>>>>>
>>>>>> https://wikihub.berkeley.edu/x/8wUqBg
>>>>>>
>>>>>>
>>>>>> iso
>>>>>>
>>>>>> --
>>>>>> Isaac Simon Orr
>>>>>> Manager, Network Operations and Services
>>>>>> IST Telecommunications, UC Berkeley
>>>>>> P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Isaac Simon Orr
>>>>> Manager, Network Operations and Services
>>>>> IST Telecommunications, UC Berkeley
>>>>> P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
>>>>>
>>>>>
>>>>>
>>>
>> --
>> Roy A. Baril
>> Director of Technology
>> Graduate School of Journalism
>> University of California
>> 121 North Gate Hall
>> Berkeley, CA 94720
>> 510-643-9215 -- Work
>> 510-643-9136 -- Fax
>> 925-352-9543 -- Cell
>>
>
>

--
Roy A. Baril
Director of Technology
Graduate School of Journalism
University of California
121 North Gate Hall
Berkeley, CA 94720
510-643-9215 -- Work
510-643-9136 -- Fax
925-352-9543 -- Cell
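
The range questions raised in the quoted thread above (the 10.105.125.0/17 typo and the /19 listed inside the /17) can be checked mechanically before a list like this goes into a firewall or access rule. This is an added example, not part of any list message; the function names and the sample client addresses are constructed for illustration.

```python
import ipaddress

# Ranges exactly as first posted to the list (the first entry has the typo).
AS_POSTED = ["10.105.125.0/17", "192.31.105.128/25", "2607:f140:6000::/48"]
# The same list with the correction posted later in the thread.
CORRECTED = ["10.105.128.0/17", "192.31.105.128/25", "2607:f140:6000::/48"]


def audit_cidr(text):
    """Return (is_exact, network) for one CIDR string.

    is_exact is False when the address part has bits set below the prefix
    length; network is then what a parser that masks host bits would use.
    """
    try:
        return True, ipaddress.ip_network(text, strict=True)
    except ValueError:
        # Raises again here if the text is not a CIDR at all.
        return False, ipaddress.ip_network(text, strict=False)


def load_ranges(entries):
    """Parse a range list, refusing any entry that is not an exact network."""
    nets = []
    for entry in entries:
        exact, net = audit_cidr(entry)
        if not exact:
            raise ValueError(f"{entry}: host bits set, would be read as {net}")
        nets.append(net)
    return nets


def covered(inner, outer):
    """True if the network `inner` lies entirely inside `outer`."""
    a = ipaddress.ip_network(inner)
    b = ipaddress.ip_network(outer)
    return a.version == b.version and a.subnet_of(b)


def is_visitor(addr, nets):
    """True if the client address falls in any of the given networks."""
    ip = ipaddress.ip_address(addr)
    # Membership tests across IPv4/IPv6 simply return False.
    return any(ip in net for net in nets)


def classify(clients, nets):
    """Map each client address to 'visitor' or 'other'."""
    return {c: ("visitor" if is_visitor(c, nets) else "other") for c in clients}


# Constructed client addresses, such as a service might see in its logs.
SAMPLE_CLIENTS = [
    "10.105.130.17",         # inside the corrected on-campus range
    "10.105.125.9",          # near the mistyped address, outside the range
    "192.31.105.200",        # inside the NAT range
    "192.31.105.5",          # same /24, outside the /25
    "2607:f140:6000:12::1",  # inside the IPv6 range
    "2607:f140:400::1",      # different /48
]

if __name__ == "__main__":
    for entry in AS_POSTED:
        exact, net = audit_cidr(entry)
        print(entry, "ok" if exact else f"NOT a network; masks to {net}")
    print("/19 inside /17:", covered("10.105.128.0/19", "10.105.128.0/17"))
    for client, label in classify(SAMPLE_CLIENTS, load_ranges(CORRECTED)).items():
        print(client, label)
```

A parser that masks host bits reads the mistyped entry as 10.105.0.0/17, which shares no addresses with the corrected 10.105.128.0/17, so a rule built from it would cover the wrong half of 10.105.0.0/16.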



Re: [Micronet] New Visitor WiFi Service - Address Ranges

Adam Cohen
In reply to this post by Isaac Orr
Everybody here is strongly positive about doing away with AirBears guest accounts.

Could you explain what you meant by:
"We'll eventually replace all of it with CalNet Guest ID's, to eliminate running two separate services that actually do the same thing."

--
Adam Cohen / IT Manager
Energy Biosciences Institute / UC Berkeley
2151 Berkeley Way, Room 212-A / 510-642-7709
http://www.energybiosciencesinstitute.org

On Wed, Oct 15, 2014 at 12:40 PM, <[hidden email]> wrote:
>
> The existing guest wifi system is actually fairly painful to maintain - the
> captive portals that it uses require more manual maintenance than we are
> actually able to  give them.  The guest pass system is very painful for
> anything other than creating one or two passes (and even then it's not
> great).  For people who have regular guests, run conferences etc (and for us
> here who have to make sure that such events get their guest passes
> properly), the existing system has been a real cost in terms of time and
> support.  We expect that CalVisitor will replace the vast majority of guest
> pass usage.  We'll eventually replace all of it with CalNet Guest ID's, to
> eliminate running two separate services that actually do the same thing.
>
> In other words, we think that CalVisitor will actually save the campus time
> and money. To be honest though, we haven't done an official cost analysis of
> the benefits.  The service was created based on requests from several
> departments for a better way to handle guest wifi - in response we came up
> with the simplest possible solution we could, and implemented it.  Since
> it's basically centrally funded, the aim of the network group is to do
> exactly this - deliver services as requested by campus.  (And by the way if
> anyone has ideas, let us know!).
>



 

Re: [Micronet] New Visitor WiFi Service - Address Ranges

Isaac Orr
Hi Adam,

The existing Guest Account system provides access to AirBears (but not
AirBears2) and Campus Remote Access VPN.

Recently, the CalNet IAM group started providing a guest CalNet ID
service - this allows you to sponsor a longer term visitor to campus
for a CalNet ID in cases where the visitor doesn't meet the normal
criteria for a campus affiliation that automatically grants a CalNet
ID.

The CalVisitor wifi service will provide a basic level of WiFi access,
but as mentioned, doesn't consider you to be a part of the campus
community in any way.  Our plan is to eventually replace the existing
Guest Account system for AirBears and VPN with the use of CalNet guest
IDs, providing access to AirBears, AirBears2 and the remote access
VPN, for those visitors who have a closer relationship to campus than
just casual visitors.  We expect though that the vast majority of
guests and visitors will be fine just using CalVisitor for their
connectivity needs while on campus.

iso



On Wed, Oct 15, 2014 at 2:55 PM, Adam Cohen <[hidden email]> wrote:

> everybody here is strongly positive about doing away with Airbears guest
> accounts
>
> could you explain what you meant by:
> "We'll eventually replace all of it with CalNet Guest ID's, to eliminate
> running two separate services that actually do the same thing."
>
> --
> Adam Cohen / IT Manager
> Energy Biosciences Institute / UC Berkeley
> 2151 Berkeley Way, Room 212-A / 510-642-7709
> http://www.energybiosciencesinstitute.org
>
> On Wed, Oct 15, 2014 at 12:40 PM, <[hidden email]>
> wrote:
>>
>> >
>> > The existing guest wifi system is actually fairly painful to maintain -
>> > the
>> > captive portals that it uses require more manual maintenance than we are
>> > actually able to  give them.  The guest pass system is very painful for
>> > anything other than creating one or two passes (and even then it's not
>> > great).  For people who have regular guests, run conferences etc (and
>> > for us
>> > here who have to make sure that such events get their guest passes
>> > properly), the existing system has been a real cost in terms of time and
>> > support.  We expect that CalVisitor will replace the vast majority of
>> > guest
>> > pass usage.  We'll eventually replace all of it with CalNet Guest ID's,
>> > to
>> > eliminate running two separate services that actually do the same thing.
>> >
>> > In other words, we think that CalVisitor will actually save the campus
>> > time
>> > and money. To be honest though, we haven't done an official cost
>> > analysis of
>> > the benefits.  The service was created based on requests from several
>> > departments for a better way to handle guest wifi - in response we came
>> > up
>> > with the simplest possible solution we could, and implemented it.  Since
>> > it's basically centrally funded, the aim of the network group is to do
>> > exactly this - deliver services as requested by campus.  (And by the way
>> > if
>> > anyone has ideas, let us know!).
>> >
>>
>
>
>



--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]

 

Re: [Micronet] New Visitor WiFi Service - Address Ranges

Graham Patterson
In reply to this post by Isaac Orr

CalVisitor just popped up on our wireless. Needless to say I am fielding
questions. 30 seconds warning would have been nice 8-)


Graham


On 10/13/14 2:22 PM, Isaac Orr wrote:

> Hi Folks,
>
> In the next few weeks, we'll be deploying CalVisitor, a new WiFi service
> aimed at visitors to the UC Berkeley campus.  CalVisitor will provide
> basic (i.e web browsing) access to the internet without requiring
> authentication or the creation of a guest account.  Further details will
> be announced soon.
>
> In the mean time, I wanted to ensure that the campus technical community
> was aware of this change, and had a chance to consider the approach they
> may want to take in regards to visitors on this wifi service.
>
> Users of the CalVisitor service should not be considered to be members
> of the campus community in the same way that authenticated users of
> AirBears and AirBears2 are. We've set aside specific address ranges for
> this service.  Operators and administrators of services should decide
> whether or not to accept users from these address ranges.
>
> In other words/TL:DR: the people connecting from the following IP
> addresses just walked in off the street.  If you don't trust them, or
> run a service that is supposed to be fully accessible to the public, you
> should consider blocking them via firewalls or similar means.
>
> The address ranges are:
>
> 10.105.125.0/17 (Campus Routable 1918 - this is
> the IPv4 range that users will appear from to other on-campus systems
> and services).
> 192.31.105.128/25 (This is the NAT range for IPv4 - users of CalVisitor
> will appear to be using these addresses to offsite services).
> 2607:f140:6000::/48 (IPv6, for both on and off campus).
>
> The official source for this list is here:
>
> https://wikihub.berkeley.edu/x/8wUqBg
>
>
> iso
>
> --
> Isaac Simon Orr
> Manager, Network Operations and Services
> IST Telecommunications, UC Berkeley
> P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
>
>
>  


--
Graham Patterson, Systems Administrator
Lawrence Hall of Science, UC Berkeley   510-643-2222
"...past the iguana, the tyrannosaurus, the mastodon, the mathematical
puzzles, and the meteorite..." - directions to my office.

 

Re: [Micronet] New Visitor WiFi Service - Address Ranges

Isaac Orr
Hi Graham,

Yeah, we are working on an announcement but had rollout plans already.
I agree this could have happened with a little more coordination (my
fault).  There will be some stuff up by the end of the week to point
users to.  We wanted to move ahead because we were already turning the
service on sporadically around campus to support particular units and
events which was becoming difficult.

iso


On Tue, Oct 28, 2014 at 3:32 PM, Graham Patterson <[hidden email]> wrote:

>
> CalVisitor just popped up on our wireless. Needless to say I am fielding
> questions. 30 seconds warning would have been nice 8-)
>
>
> Graham
>
>
> On 10/13/14 2:22 PM, Isaac Orr wrote:
>> Hi Folks,
>>
>> In the next few weeks, we'll be deploying CalVisitor, a new WiFi service
>> aimed at visitors to the UC Berkeley campus.  CalVisitor will provide
>> basic (i.e web browsing) access to the internet without requiring
>> authentication or the creation of a guest account.  Further details will
>> be announced soon.
>>
>> In the mean time, I wanted to ensure that the campus technical community
>> was aware of this change, and had a chance to consider the approach they
>> may want to take in regards to visitors on this wifi service.
>>
>> Users of the CalVisitor service should not be considered to be members
>> of the campus community in the same way that authenticated users of
>> AirBears and AirBears2 are. We've set aside specific address ranges for
>> this service.  Operators and administrators of services should decide
>> whether or not to accept users from these address ranges.
>>
>> In other words/TL:DR: the people connecting from the following IP
>> addresses just walked in off the street.  If you don't trust them, or
>> run a service that is supposed to be fully accessible to the public, you
>> should consider blocking them via firewalls or similar means.
>>
>> The address ranges are:
>>
>> 10.105.125.0/17 (Campus Routable 1918 - this is
>> the IPv4 range that users will appear from to other on-campus systems
>> and services).
>> 192.31.105.128/25 (This is the NAT range for IPv4 - users of CalVisitor
>> will appear to be using these addresses to offsite services).
>> 2607:f140:6000::/48 (IPv6, for both on and off campus).
>>
>> The official source for this list is here:
>>
>> https://wikihub.berkeley.edu/x/8wUqBg
>>
>>
>> iso
>>
>> --
>> Isaac Simon Orr
>> Manager, Network Operations and Services
>> IST Telecommunications, UC Berkeley
>> P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]
>>
>>
>>
>
>
> --
> Graham Patterson, Systems Administrator
> Lawrence Hall of Science, UC Berkeley   510-643-2222
> "...past the iguana, the tyrannosaurus, the mastodon, the mathematical
> puzzles, and the meteorite..." - directions to my office.
>
>



--
Isaac Simon Orr
Manager, Network Operations and Services
IST Telecommunications, UC Berkeley
P: +1 510 643 9837 C: +1 510 517 9408 E: [hidden email]

 