Re: Unmetered Net Usage

> So it seems to me that within 5 years or so, there ought to be a powerful incentive to wire up apartment complexes and business parks with alternative Internet/Internet-telephone connections, ones which bypass the phoneco for at least the first few hundred feet. This, possibly in concert with an ISDN-driving concentrator or a cable-modem, should reduce the cost of the customer-to-the-ISP line to a very low value.
> Jim Bell jimbell@pacifier.com

I can see it now. Apartments full of geeks because the apartments were originally built with 100BaseX to each place and a T3 in the basement going direct to the local ISP.

Tack on another $200/month or whatever to the apartment cost ( geeks can afford that for sure ) and one might end up having a pretty nice online melrose place.

I wonder if anybody has done that yet...

-jon

Jon (no h) S. Stevens yanni@clearink.com
ClearInk WebMagus http://www.clearink.com/
finger pgp@sparc.clearink.com for pgp pub key
We are hiring! http://www.clearink.com/clearink/home/job.html

* I can see it now. Apartments full of geeks because the apartments
* were originally built with 100BaseX to each place and a T3 in the
* basement going direct to the local ISP.
*
* Tack on another $200/month or whatever to the apartment cost ( geeks
* can afford that for sure ) and one might end up having a pretty nice
* online melrose place.
*
* I wonder if anybody has done that yet...

Yes, it has already happened, although in a slightly different context. The Georgia Tech campus dormitories got wired with Ethernet back in 1994, and there was quite a rush by the sizable geek population to get dorm rooms in the buildings slated to get installation first. It worked out quite well, especially the privacy aspects, as the dorm routers encrypted all packets so only the intended Ethernet node could receive it (at least that is what they said).

So, in this case it was only 10BaseT and gatech.edu as the ISP, but it still was very neat.

--
Ben Combee, Software Developer (Will write assembly code for food)
Motorola > MIMS > MSPG > CTSD > Advanced ICs > Austin Design Center
E-mail: combee@sso-austin.sps.mot.com Phone: (512) 891-7141

On Tue, 13 Aug 1996, Ben Combee wrote:
> installation first. It worked out quite well, especially the privacy aspects, as the dorm routers encrypted all packets so only the intended Ethernet node could receive it (at least that is what they said).

I'm not familiar with the GA Tech network, but they probably didn't "encrypt at the router." They most likely used concentrators which would send the original packet only to the concentrator port registered for the MAC (layer 2) address involved, and sent a packet with the payload overwritten with "junk" out the other ports, to comply with ethernet rules whereby all devices "see" the packet. Not encryption at all, but it does defeat sniffing (on the local segment only) if configured in this manner.

- r.w.

On Tue, 13 Aug 1996, Ben Combee wrote:
> Yes, it has already happened, although in a slightly different context. The Georgia Tech campus dormitories got wired with Ethernet back in 1994, and there was quite a rush by the sizable geek

The graduate residences at Stanford were built with 10Base2 in 1986, and 50% of the undergrad dorms were wired with 10BaseT by 1993. So there.

> population to get dorm rooms in the buildings slated to get installation first. It worked out quite well, especially the privacy aspects, as the dorm routers encrypted all packets so only the intended Ethernet node could receive it (at least that is what they said).

The "secure hubs" at GATech don't do encryption -- no way could that be done at wire speed. What they do is fill the data portion of the Ethernet packet with nulls. Everyone gets to see the source and destination MAC address and length of every packet, but only the recipient (or a very clever spoofer -- most of the "secure hubs" on the market have a few vulnerabilities) gets the data. If you run a packet sniffer, all you get are CRC errors (in order to maintain wire speed, the non-destination ports don't compute one).

As far as real-world geek apartments go, I heard of one in Manhattan that worked exactly as described. I don't know whether they run "secure hubs." Presumably they would -- I can't think of a major manufacturer's manageable 10BaseT hub that lacks MAC address lockout features.

OTOH, I've heard tell that several of the residential coax experiments run promiscuously. Everything your neighbor does online, you can see with the right software.

-rich

On Tue, 13 Aug 1996, Rich Graves wrote:
> On Tue, 13 Aug 1996, Ben Combee wrote:
> The "secure hubs" at GATech don't do encryption -- no way could that be done at wire speed. What they do is fill the data portion of the Ethernet packet with nulls. Everyone gets to see the source and destination MAC address and length of every packet, but only the recipient (or a very clever spoofer -- most of the "secure hubs" on the market have a few vulnerabilities) gets the data.

What vulnerabilities? I've heard tell of some(?) that "leak" unscrambled packets if flooded with extreme traffic levels, but have never seen or verified this. Got any specifics?

> If you run a packet sniffer, all you get are CRC errors (in order to maintain wire speed, the non-destination ports don't compute one).
> As far as real-world geek apartments go, I heard of one in Manhattan that worked exactly as described. I don't know whether they run "secure hubs." Presumably they would -- I can't think of a major manufacturer's manageable 10BaseT hub that lacks MAC address lockout features.

Most manufacturers offer SNMP-manageable hubs, but these don't offer MAC-layer security. That usually costs a lot extra. The MAC-layer feature is not widely used.

> OTOH, I've heard tell that several of the residential coax experiments run promiscuously. Everything your neighbor does online, you can see with the right software.

If it is Ethernet (or any baseband technology, AFAIK), and on coax, then of course it is "promiscuous." All devices must see the packet; they're on a bus. The 10T hubs also follow the "all devices must see the packet rule", but by design; a packet is received on the "receive" pair of one port, and transmitted on the "xmit" pairs of all ports. The secure hubs overwrite the data payload with "junk" first - no encryption involved, nothing to crack, and, as you've pointed out, without recomputing CRC.

btw - if I were in an apartment environment, I'd want the "secure hubs", and would verify that they're actually in the secure mode. They usually have a "learning" mode, where they simply register the MAC address most recently assigned to each port (sort of like learning bridges - this saves a lot of manual entry). Of course, if left in this mode, they don't do a thing for security. On the flip side, if secured, and you change network cards, or bring that laptop home from the office, etc. you won't be able to use it without the intervention of the hub's administrator.

And yes, packet sniffers are easy to get a hold of; freeware is abundant. Anyone can easily use one on a segment they've got access to.

- r.w.

> -rich

[Any lingering cypherpunk-relevant curiosity should probably be directed to http://cougar.haverford.edu/resnet96/repeaters.html ]

On Wed, 14 Aug 1996, Rabid Wombat wrote:
> On Tue, 13 Aug 1996, Rich Graves wrote:
>> On Tue, 13 Aug 1996, Ben Combee wrote:
>> The "secure hubs" at GATech don't do encryption -- no way could that be done at wire speed. What they do is fill the data portion of the Ethernet packet with nulls. Everyone gets to see the source and destination MAC address and length of every packet, but only the recipient (or a very clever spoofer -- most of the "secure hubs" on the market have a few vulnerabilities) gets the data.
> What vulnerabilities? I've heard tell of some(?) that "leak" unscrambled packets if flooded with extreme traffic levels, but have never seen or verified this. Got any specifics?

Change your MAC address to be the same as the hub's. 3Com recently fixed this. Others might not have.

>> As far as real-world geek apartments go, I heard of one in Manhattan that worked exactly as described. I don't know whether they run "secure hubs." Presumably they would -- I can't think of a major manufacturer's manageable 10BaseT hub that lacks MAC address lockout features.
> Most manufacturers offer SNMP-manageable hubs, but these don't offer MAC-layer security. That usually costs a lot extra. The MAC-layer feature is not widely used.

That was true six months ago, but 3Com, Allied, Cabletron, Synoptics, HP, UB, and others now include it as a matter of course. Asante is the notable exception. There are some kooks out there, like the people at RIT, who think that everyone needs switched ports; and a few cheapskates, like management at a major university in the Palo Alto area, who stick with Asante because it's cheapest, and trust students to be nice (or at least nice enough to get caught).

> btw - if I were in an apartment environment, I'd want the "secure hubs", and would verify that they're actually in the secure mode. They usually have a "learning" mode, where they simply register the MAC address most recently assigned to each port (sort of like learning bridges - this saves a lot of manual entry). Of course, if left in this mode, they don't do a thing for security.

Sure they do. You'd have a reasonable assurance that wherever you went, you'd be the only one seeing your packets -- assuming the backbone is secure, which you need to assume anyway if you're not doing packet, session, or application-layer encryption (which is the ultimate goal). The roving portable computer is a pretty common case nowadays. The only thing a static table gets you is intruder control.

-rich
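
[Added example, not part of any poster's message: a toy Python model of the "secure hub" behaviour described in this thread, showing what a non-destination port sees (headers and length, nulled payload, stale CRC) and how learning mode differs from a locked table when a new NIC appears. The class and function names, the one-MAC-per-port table, the zlib CRC-32 over string headers and the station addresses are all assumptions made for illustration.]

```python
import zlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    dst: str
    src: str
    payload: bytes
    crc: int

def _crc(dst, src, payload):
    return zlib.crc32(dst.encode() + src.encode() + payload)

def make_frame(dst, src, payload):
    return Frame(dst, src, payload, _crc(dst, src, payload))

def crc_ok(f):
    return f.crc == _crc(f.dst, f.src, f.payload)

class SecureHub:
    """Toy model: one MAC per port, learning mode or locked (static) table."""
    def __init__(self, n_ports, learning=True):
        self.port_mac = dict.fromkeys(range(n_ports))
        self.learning = learning

    def receive(self, in_port, frame):
        """Return {port: Frame} showing what each other port sees on the wire."""
        if self.learning:
            self.port_mac[in_port] = frame.src      # most recent MAC on the port wins
        elif self.port_mac[in_port] != frame.src:
            return {}                               # locked: unregistered NIC is shut out
        out = {}
        for port, mac in self.port_mac.items():
            if port == in_port:
                continue
            if mac == frame.dst:
                out[port] = frame                   # registered recipient: intact frame
            else:                                   # everyone else: headers and length only,
                junk = bytes(len(frame.payload))    # payload nulled, CRC left stale
                out[port] = Frame(frame.dst, frame.src, junk, frame.crc)
        return out

# Constructed station addresses (documentation MAC range) on ports 0, 1, 2.
A, B, C, LAPTOP = ("00:00:5e:00:53:%02x" % i for i in (1, 2, 3, 9))

def learned_hub():
    hub = SecureHub(3)
    for port, (src, dst) in enumerate([(A, B), (B, A), (C, A)]):
        hub.receive(port, make_frame(dst, src, b"hi"))
    return hub

if __name__ == "__main__":
    seen = learned_hub().receive(0, make_frame(B, A, b"secret"))
    for port, f in sorted(seen.items()):
        print(port, f.payload, "CRC ok" if crc_ok(f) else "CRC error")
```
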

Hmm... My old school (Stevens Institute of Technology) did this LONG before 94... Before 90, in fact :) Just a point of reference. (brag brag brag)...

Incidentally, there was a REASON it wasn't a necessarily good idea -- the dropout/flunkout rate was astronomical from everyone netting long before netting was pop-oo-lah. :)

Millie.
sfuze@tiac.net
write me at the above address, not the one this is written from :)

participants (5): <pstira@escape.com>, combee@sso-austin.sps.mot.com, Rabid Wombat, Rich Graves, Yanni