Yes, yes, it’s been three months since the provost triumphantly announced that IPv6 will finally be coming to the campus network, and communication about IPv6 on campus goes back much longer than that, but we have yet to see it in a single building (beyond the buildings where students have set up their own tunnels, and who knows if those will even work with the new network). Meanwhile, the NAT was deployed in twelve buildings with same-day notice and no prior communication, leaving some student groups with unreachable servers. If this had anything to do with pushing innovation, don’t you think the priorities and communication pattern would have been a bit different?
The "just" is incorrect. There are four bullets on the slide: DHCP, IPV6, private IPV4/NAT, and firewall. From the diagram it looks to me like even if you move to IPV6 (which, as others have noted, MIT has not yet rolled out, so at this point you can't), you will still be behind the firewall, so setting up a service visible to the Internet will still be more difficult than it used to be.
No. IPv6 is great in concept but the world just isn't ready for it yet. Even our Google Wifi access points don't support IPv6 in their latest firmware, so I have no way of using IPv6 even though Comcast supports it. AWS IPv6 support has been sketchy until only this year. Many parts of the world are happily dancing with their IPv4 NAT and their sysadmins have no incentives to support IPv6 whatsoever.
Forcing people to use anything is never a good way to promote innovation.
I went to MIT for my undergrad and doctoral studies. One of the main reasons I chose MIT over other schools was the ease of availability of static IP addresses, unlimited symmetric gigabit bandwidth, no port restrictions, and other things. I even mentioned this in my undergrad application essay. I built a lot of things with it and learned a lot in my time there. I probably learned more outside of classes than in classes, and I think that's one of the distinguishing aspects of MIT culture.
> Actually... MIT forcing an entire generation of future engineers to deal with IPv6
Then why are they doing NAT?
Edit: Although moving to NAT might push innovation too, or at least some clever hacks. Speaking of that, if you want to use a relay to do NAT traversal, then is TCP over ARQ (on UDP) as bad as TCP over TCP?
Wow - 2603:4000::/24. That's the largest block of IPv6 addresses I'm aware of being handed out to a single entity.
Normally, ISPs get a /32, from which they hand out /48s to their customers. And, with pretty much zero paperwork, an ISP can get a second /32 (usually adjacent to their first /32 so they can summarize as a /31).
So - an ISP might get 2001:1868::/32 and then hand off 2001:1868:0209::/48 to a customer.
Because a /48 allows 2^16 or 65k networks, each network containing (effectively) an infinite number of hosts, pretty much every single geographic region company can be effectively served with a single /48. The /32 allows the ISP to have 65K customers (each of which has 65K networks).
What on earth is MIT going to do with a 2603:4000::/24? I'd love to hear the story behind why they got such a large block.
It has nothing to do with amounts of addresses, and everything to do with making dividing stuff up for routing easier.
A large ISP entity like Comcast or AT&T can now have, say, a single /16 or /24 allocation, and pretty much no matter how much they subdivide up their regional routing, routing to AT&T can easily be coalesced and summarized, and every end customer can still get a /64 till pretty much the end of time.
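The prefix arithmetic in the two comments above (a /32 holding 65K /48s, a second adjacent /32 that summarizes into a /31, a /64 per end customer) worked through with Python's standard ipaddress module. This is an added example, not code from the thread; the prefixes are the ones quoted in the discussion, and it also shows the caveat that the "adjacent" /32 only summarizes when the first one sits on an even (/31-aligned) boundary.

```python
import ipaddress

# Prefixes quoted in the thread: MIT's /24, an example ISP /32 and the /48
# that ISP hands to one customer.
MIT_BLOCK = ipaddress.IPv6Network("2603:4000::/24")
ISP_BLOCK = ipaddress.IPv6Network("2001:1868::/32")
CUSTOMER_BLOCK = ipaddress.IPv6Network("2001:1868:209::/48")


def subnet_count(parent, child_prefixlen):
    """How many child_prefixlen networks fit in parent (2 ** bits of difference).

    This is the "65K customers, each with 65K networks" arithmetic: a /32 holds
    2**16 /48s and each /48 holds 2**16 /64s.
    """
    if child_prefixlen < parent.prefixlen:
        raise ValueError("child prefix must be at least as long as the parent's")
    return 2 ** (child_prefixlen - parent.prefixlen)


def adjacent_block(net):
    """The block that immediately follows net at the same prefix length."""
    next_start = int(net.network_address) + net.num_addresses
    return ipaddress.IPv6Network((next_start, net.prefixlen))


def summarizes_to(a, b):
    """Return the single supernet that replaces routes a and b, or None.

    Two adjacent /32s summarize into one /31 only when the first one sits on
    a /31 boundary; collapse_addresses keeps them as two routes otherwise.
    """
    merged = list(ipaddress.collapse_addresses([a, b]))
    return merged[0] if len(merged) == 1 else None


def allocation_summary(block):
    """Counts of the allocation sizes discussed in the thread inside block."""
    return {
        "isp_/32s": subnet_count(block, 32) if block.prefixlen <= 32 else 0,
        "site_/48s": subnet_count(block, 48),
        "end_customer_/64s": subnet_count(block, 64),
    }


if __name__ == "__main__":
    print(allocation_summary(ISP_BLOCK))
    print(allocation_summary(MIT_BLOCK))
    second = adjacent_block(ISP_BLOCK)
    print(ISP_BLOCK, "+", second, "->", summarizes_to(ISP_BLOCK, second))
    print(CUSTOMER_BLOCK, "inside", ISP_BLOCK, "?", CUSTOMER_BLOCK.subnet_of(ISP_BLOCK))
```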
"The Library has the entire Net 18 address space registered at many hundreds of publishers of licensed e-resources. With no prior notice, we have been forced into non-compliance with our licenses with every such provider."
I wonder what would happen if the publishers actually sued MIT and Amazon, with maybe an injunction preventing Amazon from using the space.
I moved to student housing in Sweden in 2004 when they had aging network infrastructure (all 100 MBit but that also applied to the shared links to the housing areas[0]), and by the next year they just ditched the school-sponsored network and moved to making students pay for third party internet (distribution to rooms was still Ethernet-based but now with a citywide fiber backhaul run by the municipal power company shared by regular apartment buildings).
We got faster service with fewer restrictions (no P2P service filters) for like $10/mo with student pricing, and still with fixed IPs.
I'm not sure what innovative service a university can provide in this space in 2017.
[0] which meant about 1000 rooms sharing 100MBit internet access. This was somewhat mitigated by local DC++ networks in each housing area to keep piracy downloads off the shared link.
Also, by acting as the ISP, it also gets to be more protective of its log data than an outside provider might be.
It's not that an outside ISP couldn't provide the same level of service and speed at the same or less cost, while protecting the interests of the MIT community, it's just that I don't expect it's as likely.
It's not about what innovative service a university can provide: it is about what kind of innovation the university can help empower its students to make.
> Instead of being renumbered into publicly-accessible IP ranges, IS&T is moving all of campus into RFC-1918 10/8 addresses, and enforcing the campus firewall, which will be made up of Palo Alto 7050 devices, which are best known for their deep-packet inspection feature, App-ID.
Then later in the article:
> NAT deployment doesn't benefit the Institute in any way, other than to make things more difficult.
Possibly ignorant question-- could this choice be influenced by the inescapable rise of cheap IoT devices flowing in from China?
I mean if a freshman arrives with a desktop rig they bought purposely to use as an experimental server, and they explicitly register the software using a web form, you can imagine a very loosey-goosey relationship among students and IT built on good faith.
But if a freshman unloads their luggage and a few dozen random internet-connected baubles drop out and start joining the network, what is IT supposed to do? Especially considering MIT probably does a lot of research for DoD...
I'm all for supporting innovation and community services, but I think the author is not mentioning other possible causes, like DMCAs, malware and spam (including unintended), which could have damaged the reputation.
I just wonder why MIT didn't give more time to move and why it doesn't provide a replacement in, e.g., cloud credits.
If it went down like it did at CMU, IT polarized into a camp that wanted to maintain the traditional stack and a camp that wanted to tear it down and replace it with contemporary cloud services. When the latter won, they wasted no time in salting the earth of the former's territory.
Disclaimer: I wasn't actually party to any of this, I heard it second hand, corrections welcome.
Many years ago in a past life, I worked on the network security team at the University of Chicago. We had a similar policy (and they may still for all I know) of just being able to requisition publicly routable IPs and run whatever you wanted on them with no default firewall rules applied at the border. Not for nothing did we call this a "target rich environment".
For all of the cool things I got to do (troubleshoot a break-in at the South Pole, send the RIAA a DMCA takedown notice when they stole our content (absolutely the highlight of my career), etc.), we spent the vast majority of our time on nonsense. We processed dumb break-ins by the hundreds, had to enforce DMCA takedowns, and the like.
I'm also all for innovation and giving people the freedom to deploy services and innovate, but I would have killed to deploy all IPs by default behind NAT/firewalls and work with researchers to help them understand their responsibilities before giving them public IPs.
Good question indeed. Why didn't MIT give more time to move, and in fact gave absolutely no notice, such that WMBR, the campus radio station, had to scramble to get their online radio back online again?
> NAT deployment doesn't benefit the Institute in any way,...
I have often had changes foisted upon me that when I looked at them I could see no benefit. In every instance the 'benefit' I didn't see was one that I typically didn't approve of and so hadn't listed in my set of 'possible benefits'.
From reading the article though it sounds like MIT has had a very open and loosely (if at all) documented set of features around network access. And in today's world network access is many things more than it was 10 years ago. But perhaps the process of going through and documenting all of the things they do was 'too expensive' compared to setting it up the way the institution wanted it to work and then dealing with any fallout as it arose.
Another in a series of signs that the Internet is moving from science project to critical infrastructure.
I wonder if any of this is related to the new NIST Standards[1], which have to be followed by research labs who receive government funding. I could see MIT, already having to retrofit a lot of their research networks, also changing around the network architecture in other places as well.
How can MIT people use IPv6 when it hasn't been rolled out on campus yet? How does it make any sense to put the campus (Ethernet) network behind a NAT, when MIT still has 18.0.0.0/9, half of what MIT has before but more than plenty to go around?
There are advantages to being on a private network behind a firewall ... and they could still offer a DNS name and routing to your computer if it was on a private network. It's likely that the only difference is that you'd also have to specify what ports you want exposed to the outside world. This is a win for you from a security perspective - having additional layers of security won't hurt you.
Actually I have been experimenting with this for my pet projects. The downside is that it's relatively slow, but getting a "global" address is a click (well, a few lines of config) away...
When I was at the Institute (80s) the IT services were a barrier to computation. They had their big 390/VM system used for accounting and some course 15 stuff. One intern digitized the Mens et Manus logo and IT excitedly trumpeted that they had done so -- jeez, it had been in a font on the Xerox XGP at the AI lab for what, 15 years at that point?
All of course 6 ignored them, and I don't believe they had any impact with Athena. Certainly they would have been upset by faculty writing the root password on all the whiteboards.
In fact they had nothing to do with IP allocation (I doubt they knew what TCP was). I wonder what bureaucratic maneuvering gave them control of that!
At UCSD we not only got a public IPv4 address for each device but also an automatic *.dynamic.ucsd.edu subdomain assignment based on the device hostname. Came in handy for my Raspberry Pi.
My college didn't have internet campus-wise; you had access to a limited, firewalled internet "protected" by Fortinet, so I can't feel empathy for the MIT alumni since you can work perfectly well without those tools.
I think MIT is in the process of rolling out IPv6 officially. They only got an allocation early last year, and I think right now it is being used on the VPN network.
For everyone talking about this being merely a question of technical updates, it might help to see this in the bigger picture of a pattern of changes going on at MIT.
MIT had a very non-authoritarian, egalitarian culture, as Richard Stallman described it:
"I went to a school [Harvard] with a computer science department that was probably like most of them. There were some professors that were in charge of what was supposed to be done, and there were people who decided who could use what. There was a shortage of terminals for most people, but a lot of the professors had terminals of their own in their offices, which was wasteful, but typical of their attitude. When I visited the Artificial Intelligence lab at MIT I found a spirit that was refreshingly different from that. For example: there, the terminals were thought of as belonging to everyone, and professors locked them up in their offices on pain of finding their doors broken down. I was actually shown a cart with a big block of iron on it, that had been used to break down the door of one professor's office, when he had the gall to lock up a terminal." (https://www.gnu.org/philosophy/stallman-kth.html)
In 2004, the MIT AI Lab was "upgraded" to the new Stata Center building, an unwieldy, Frank Gehry-designed monument to a recent MIT president's ego, and the antithesis of what it replaced, Building 20. Building 20 was a utilitarian construction from WW2 with no pretenses of becoming a prized or permanent spot on campus. Instead, its residents helped it organically acquire a character of its own, as Wikipedia describes well:
'Due to Building 20's origins as a temporary structure, researchers and other occupants felt free to modify their environment at will. As described by MIT professor Paul Penfield, "Its 'temporary nature' permitted its occupants to abuse it in ways that would not be tolerated in a permanent building. If you wanted to run a wire from one lab to another, you didn't ask anybody's permission — you just got out a screwdriver and poked a hole through the wall." [...] MIT professor Jerome Y. Lettvin once quipped, "You might regard it as the womb of the Institute. It is kind of messy, but by God it is procreative!" [...] Because of its various inconveniences, Building 20 was never considered to be prime space, in spite of its location in the central campus. As a result, Building 20 served as an "incubator" for all sorts of start-up or experimental research, teaching, or student groups. [...] Building 20 was the home of the Tech Model Railroad Club, where many aspects of what later became the hacker culture developed [not to mention pranksters and lock pickers, as well].'
Sadly, the TMRC's elaborate railroad, which exhibited interesting pre-miniaturization computation, didn't survive the dismantling of Building 20 and was eventually replaced with modern components. I also hear the Stata Center has two spires, one maddeningly named after Bill Gates, separating the two fiefdoms of computer science at MIT in glass-paneled offices meant to flatter status-conscious administrative types. Since Frank Gehry's architecture is proprietary and depends on strict tolerances, there's scant building modification going on.
That's why I think you can see these network changes as a tragic continuation of a destruction of the historical character of MIT, even though they may also be necessary.
znpy | 8 years ago
MIT is just moving to IPv6.
Actually... MIT forcing an entire generation of future engineers to deal with IPv6... That will literally push innovation.
anderskaseorg | 8 years ago
pdonis | 8 years ago
dheera | 8 years ago
cma | 8 years ago
hawkling | 8 years ago
0xdeadbeefbabe | 8 years ago
unknown | 8 years ago
[deleted]
ghshephard | 8 years ago
edit: according to https://www.arin.net/fees/fee_schedule.html this is considered a "medium" (WTF?) allocation with a cost of $4k/year.
throwaway2048 | 8 years ago
denisu | 8 years ago
AndyMcConachie | 8 years ago
https://gist.github.com/simonster/e22e50cd52b7dffcf5a4db2b8e...
yuhong | 8 years ago
inopinatus | 8 years ago
revelation | 8 years ago
robertch | 8 years ago
kalleboo | 8 years ago
acrefoot | 8 years ago
juniorpatcher | 8 years ago
jancsika | 8 years ago
amq | 8 years ago
jjoonathan | 8 years ago
davidmr | 8 years ago
hawkling | 8 years ago
fragmede | 8 years ago
http://xvm.mit.edu/
0xdeadbeefbabe | 8 years ago
Edit: In the late 80s the Morris worm was launched from MIT, but the network admins of the 80s didn't overreact like this. I wonder why.
acrefoot | 8 years ago
Things I got to try at MIT that would be a lot harder on AWS:
- set up a Tor exit node
- set up a single-system image cluster across five 1U servers
- set up a ZFS box with RAID-Z and dm-crypt
- played with a real Lisp machine
- put a Raspberry Pi on the internet (something I did for several projects)
imjustapie | 8 years ago
ChuckMcM | 8 years ago
compuguy | 8 years ago
jpace121 | 8 years ago
[1]: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP...
hawkling | 8 years ago
Besides, what kind of controlled unclassified information could possibly be residing on dormitory networks?
lucb1e | 8 years ago
betaby | 8 years ago
imjustapie | 8 years ago
imjustapie | 8 years ago
smoyer | 8 years ago
Dryken | 8 years ago
unsignedint | 8 years ago
imjustapie | 8 years ago
gumby | 8 years ago
mintplant | 8 years ago
SadWebDeveloper | 8 years ago
jonbarker | 8 years ago
compuguy | 8 years ago
api | 8 years ago
achernya | 8 years ago
Unfortunately, IPv6 deployment is still below 20% (as measured by Google, https://www.google.com/intl/en/ipv6/statistics.html), so a publicly-accessible IPv6 address is not yet sufficient.
imjustapie | 8 years ago
cxseven | 8 years ago
More info about Building 20:
http://web.archive.org/web/20011215020413/http://rleweb.mit....
http://web.archive.org/web/20060912140051/http://www.eecs.mi...
http://tech.mit.edu/V123/N40/40stata.40n.html