[comp.protocols.tcp-ip.ibmpc] Undelivered mail

MAILER@VM1.MCGILL.CA (Network Mailer) (06/11/91)

Apologies for the cross-posting.

We're starting to get a fair number of requests for SLIP
access to our campus network.  Hurdles which we've
encountered (but haven't yet jumped) include

the addressing issue (one subnet per SLIP circuit--fixable if the
SLIP circuits all terminate in the same box or you
only need terminal SLIP),

dynamic IP address assignment
for dial-up SLIP (we haven't set up a BOOTP server because
1) we're not sure we want to be in the business of
supporting dial-up SLIP access and 2) because we're not
sure we want *anyone* to be able to become a full network
peer from a dial-up port),

and political issues like when a student graduates and leaves
the university environment, but wants to retain Internet access...

We'd appreciate hearing from other sites which have hopefully
arrived at some rational solutions to these problems.

Thanks,
Robert Craig                          domain: robert@vm1.mcgill.ca
Senior Network Analyst                bitnet: robert@mcgill1
McGill University Computing Centre    Tel: (514) 398-3710
805 Sherbrooke St. W.                 FAX: (514) 398-6876
Montreal, Quebec H3A 2K6              CORISQ: (514) 398-RISQ

alberto@cs.umd.edu (Jose Alberto Fernandez R) (06/11/91)

In article <9106101940.aa12919@louie.udel.edu> MAILER@VM1.MCGILL.CA (Network Mailer) writes:

   We're starting to get a fair number of requests for SLIP
   access to our campus network.  Hurdles which we've
   encountered (but haven't yet jumped) include

   the addressing issue (one subnet per SLIP circuit--fixable if the
   SLIP circuits all terminate in the same box or you
   only need terminal SLIP),

   dynamic IP address assignment
   for dial-up SLIP (we haven't set up a BOOTP server because
   1) we're not sure we want to be in the business of
   supporting dial-up SLIP access and 2) because we're not
   sure we want *anyone* to be able to become a full network
   peer from a dial-up port),

   and political issues like when a student graduates and leaves
   the university environment, but wants to retain Internet access...

   We'd appreciate hearing from other sites which have hopefully
   arrived at some rational solutions to these problems.

I think this is a very interesting issue. Here in Maryland they have
similar concerns. Mostly with the fact that a dial-in person would get
complete network access as a Maryland site, which can be a security
risk. 

Is there any accounting or login system for SLIP access?

Here in Maryland we have modems connected to annex servers across
campus. Do you think it is possible to login to a machine in the
network (without using SLIP) and then activate an SLIP "circuit" from
the account. Has somebody done something like that? 

	Jose Alberto.

--
:/       \ Jose Alberto Fernandez R | INTERNET: alberto@cs.umd.edu
:| o   o | Dept. of Computer Sc.    | BITNET: alberto@cs.umd.edu
:|   ^   | University of Maryland   | UUCP: {...}!mimsy!alberto
:\  \_/  / College Park, MD 20742   | 

BILLW@MATHOM.CISCO.COM (William Chops Westfield) (06/12/91)

    I think this is a very interesting issue. Here in Maryland they have
    similar concerns. Mostly with the fact that a dial-in person would get
    complete network access as a Maryland site, which can be a security
    risk. 

    Is there any accounting or login system for SLIP access?

Well, cisco terminal servers (current release) can require a user to
login (username/password) before they can turn SLIP on, another
authentication when they pick their address (hostname(address)/password),
and a final authentication when it actually gets turned on (and off).

Each is independent from the others, and the information provided is
sufficient to maintain a unix-style accounting file.

The next version of software will support access lists on each SLIP
line, controlling where they can send packets to, or receive them from.

PPP provides an authentication option within PPP, but I don't know that
anyone supports it.

SUN SLIP can require that you log in before it gets turned on, I think.


Bill Westfield
cisco Systems.
-------
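
Added example (not part of the original thread and not cisco's software): a small Python model of the controls described in the post above, with a login before SLIP, a second password when the address is picked, a final check when SLIP is turned on, an accounting record for each step, and a per-line access list. Chaining the three checks, the source-address check, and every user name, password, address and line name are assumptions constructed for the example.

```python
import hashlib, hmac, ipaddress, time

def kdf(pw, salt=b"constructed-salt"):  # real systems: random per-user salt
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

# Constructed sample data: hypothetical user, address and line name.
USERS = {"alice": kdf("login-pw")}
ADDRESSES = {"10.1.5.20": ("alice", kdf("addr-pw"))}   # address -> (owner, pw)
LINE_ACL = {"tty3": [ipaddress.ip_network("10.1.0.0/16")]}  # allowed peers

class SlipLine:
    def __init__(self, line):
        self.line, self.user, self.addr, self.active = line, None, None, False
        self.accounting = []  # (timestamp, line, user, event, ok)

    def _record(self, who, event, ok):
        self.accounting.append((time.time(), self.line, who, event, ok))
        return ok

    def login(self, user, pw):
        ok = hmac.compare_digest(USERS.get(user, b""), kdf(pw))
        # A new login attempt always drops any earlier address and session.
        self.user, self.addr, self.active = (user if ok else None), None, False
        return self._record(user, "login", ok)

    def pick_address(self, addr, pw):
        owner, stored = ADDRESSES.get(addr, (None, b""))
        ok = (self.user is not None and owner == self.user
              and hmac.compare_digest(stored, kdf(pw)))
        self.addr = addr if ok else None
        return self._record(self.user, "address " + addr, ok)

    def slip_on(self, pw):
        ok = (self.addr is not None
              and hmac.compare_digest(USERS.get(self.user, b""), kdf(pw)))
        self.active = ok
        return self._record(self.user, "slip-on", ok)

    def slip_off(self):
        self.active = False
        return self._record(self.user, "slip-off", True)

    def permits(self, src, dst):
        # Source must be the address bound to this line (added anti-spoofing
        # check); the other end must fall inside the line's access list.
        if not self.active or src != self.addr:
            return False
        peer = ipaddress.ip_address(dst)
        return any(peer in net for net in LINE_ACL.get(self.line, []))
```

The accounting list keeps failed attempts as well as successful ones, so a line that is being probed shows up in the same record as normal sessions.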

josevela@mtecv2.mty.itesm.mx (Jose Angel Vela Avila) (06/12/91)

alberto@cs.umd.edu (Jose Alberto Fernandez R) writes:


>I think this is a very interesting issue. Here in Maryland they have
>similar concerns. Mostly with the fact that a dial-in person would get
>complete network access as a Maryland site, which can be a security
>risk. 

>Is there any accounting or login system for SLIP access?

>Here in Maryland we have modems connected to annex servers across
>campus. Do you think it is possible to login to a machine in the
>network (without using SLIP) and then activate an SLIP "circuit" from
>the account. Has somebody done something like that? 


 Yes! Alberto, here on our campus I've made some tests with SLIP and here
is my experience:


  I tried it on 2 machines:

 a) Vax 6310 from DIGITAL running Ultrix 32 (Ver 3.0)
 b) RS/6000 from IBM running AIX ( Ver : I don't know, every month it changes )

 On the Vax, you have to configure some things to get SLIP working; also
  you have to RECOMPILE your kernel with the SLIP option included.
 After that, you can call or connect to your Unix machine, then log in with
  your usual login and password, then if you can log in you just type the
  command:

 slattach my_host
 where my_host is declared in the database /etc/sliphosts.

 Well that was for Ultrix.

 For the RS/6000 the thing is a little more funny.
 The procedure is the same for login but not for all the bunch of work I went
  through to get it to work.
 After many painful tests, I had to make a very 'interesting' program in
 sh (shell) that after so many precious tests (slattach doesn't exit on logout)
 with a command like this:

  ifconfig sl0 gateway_address my_address up

 All this for every new connection.

 Of course all this after a lot of trouble with all the WELL done commands and
 programs for serial terminal control.
 

 OK, this is just a little taste of SLIP, if you need more information, just
 drop me an email. 


 Jose A. Vela Avila
josevela@mtecv2.mty.itesm.mx

josevela@mtecv2.mty.itesm.mx (Jose Angel Vela Avila) (06/12/91)

 Sorry, I forgot to say that after you log in and execute the right command, you must
 exit from your communication program, then you run your favorite flavor of
 SLIP program. (I use Clarkson Univ. Comm. Package alias CUTCP over the SLIP
 packet driver, it works great.)


That's all.

Bye.


Jose A. Vela Avila
josevela@mtecv2.mty.itesm.mx

gordon@FTP.COM (Gordon Lee) (06/12/91)

    From: William Chops Westfield <BILLW@mathom.cisco.com>
    
    Well, cisco terminal servers (current release) ...

    PPP provides an authentication option within PPP, but I don't know that
    anyone supports it.
    
PC/TCP has provision to respond to authentication protocol packets, but it 
will not demand that the peer authorize itself.

}} Gordon Lee                 FTP Software Inc
}} voice: (617) 246-0900      26 Princess St
}} fax:   (617) 245-7943      Wakefield, MA  01880