8

We're behind some kind of Cisco routers, and have to connect via the Cisco NAC Agent. The tech support here at my university tell me that if I connect a router "the whole building will lose internet access." I find this really hard to believe, and I'd like to know: 1. Can they tell if I'm using a router and 2. How could they even tell if the router is using NAT?

4
  • 2
    I don't think it was a 'threat'. I suspect their network, like many others, can't handle a second DHCP server (such as a typical router) suddenly appearing on the network.
    – Rushyo
    Commented Jan 17, 2011 at 11:36
  • 3 answers, with 10 votes but no one upvoted the question; people need to use the upvote more often :) +1 Upvote. In my room I am using a wireless router that is connected to the University Network via ethernet. Ethernet is connected to the WAN port. No problems so far. And I connected a Macbook and an ipod at the same time. I think the key problem you could have is if you don't use the WAN port. But if you use the WAN port you should be fine. Try it.
    – Nerian
    Commented Jan 19, 2011 at 15:46
  • 4
    I doubt it will bring down the entire network, its just a warning so they can legitimately blame you for any issues if you do go against their warning and policy. No reason to run a router in a dorm, just use a dumb switch if you need more ports.
    – Moab
    Commented Jan 19, 2011 at 16:16
  • Are you trying to avoid buying another device? If you have a 4-port DSL or wireless "router", understand that such devices are really switches plus routers. If you disable DHCP on the device, you can plug your school Internet connection into a LAN port, and your other devices into a LAN port, and use it as a switch. Plug nothing into the WAN port.
    – LawrenceC
    Commented Apr 27, 2011 at 18:31

5 Answers

8

Adding to PulpSpy's (correct) answer, it's also possible to detect routers (NAT or not) by looking at the TTL field of outgoing IP packets. End stations usually set TTL to a known number, such as 64, 254, or a few other alternatives depending on the OS. When a majority of packets are one less than this, such as 63 and so on, it indicates there was a router hop in between.

2
  • This can be circumvented by resetting the TTL on the router.
    Commented Jan 12, 2012 at 5:36
  • @Bogdan Sure. Not many home routers have that capability though, and it breaks IP specs. And then of course they could deploy DPI and catch you by seeing varying HTTP User Agent headers, and a million other ways. :)
    – Jakob Borg
    Commented Jan 12, 2012 at 13:20
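The TTL heuristic from this answer, as an added example (not code from the answer or from any NAC product): each observed TTL is mapped to the nearest common initial value, and a source whose majority of packets show more hops than expected on an access segment is flagged. The packet records and the set of initial TTLs are constructed assumptions.

```python
from collections import Counter

# Assumed common initial TTL values set by end-station OSes; the answer
# mentions 64 and a few OS-dependent alternatives.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hops(observed_ttl: int) -> int:
    """Hops inferred as the distance to the nearest initial TTL at or above the observed value."""
    candidates = [t for t in INITIAL_TTLS if t >= observed_ttl]
    return min(candidates) - observed_ttl


def flag_routed_sources(packets, expected_hops=0, min_ratio=0.6):
    """Return {src: majority_hops} for sources whose majority of packets
    show more router hops than expected on this access segment."""
    per_src = {}
    for src, ttl in packets:
        per_src.setdefault(src, Counter())[infer_hops(ttl)] += 1
    flagged = {}
    for src, hops_counter in per_src.items():
        hops, n = hops_counter.most_common(1)[0]
        if hops > expected_hops and n / sum(hops_counter.values()) >= min_ratio:
            flagged[src] = hops
    return flagged


# Constructed sample records: (source IP, TTL as seen at the access switch)
SAMPLE_PACKETS = [
    ("10.1.1.20", 64), ("10.1.1.20", 64), ("10.1.1.20", 64),    # directly attached, TTL 64 OS
    ("10.1.1.21", 128), ("10.1.1.21", 128),                      # directly attached, TTL 128 OS
    ("10.1.1.30", 63), ("10.1.1.30", 127), ("10.1.1.30", 63),    # one hop away, mixed OSes
    ("10.1.1.30", 63),
]

if __name__ == "__main__":
    print(flag_routed_sources(SAMPLE_PACKETS))  # {'10.1.1.30': 1}
```

The mixed 63/127 values from one address are the second tell the answer describes: two different OS defaults, both decremented once, behind a single source.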

5

Yes, they probably can tell. NAT routing will reassign all the port numbers to keep straight which traffic originated from which computer. As a result your traffic will look strange, and when more than one computer is connected, they will typically be on adjacent ports. It wouldn't be proof, but enough to attract attention if they were specifically screening for it.

3

In addition to the TTL already mentioned in the other answers, they could be using the DHCP fingerprint of your router when it obtains an IP from its WAN port.

I know this because I work on the PacketFence open source NAC (a Cisco NAC competitor) and we use such tricks.

Here's the list of recognized DHCP fingerprints in PacketFence: http://packetfence.org/dhcp_fingerprints.conf

We know it's also used by other products.
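DHCP fingerprinting as this answer describes it, as an added example that is not PacketFence code: the fingerprint is the client's option 55 parameter request list, rendered as a comma-separated string and looked up in a table. The DHCPDISCOVER bytes and the two table entries are constructed for illustration, not taken from the real dhcp_fingerprints.conf.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # cookie that ends the 236-byte fixed header
OPT_PAD, OPT_MSG_TYPE, OPT_PARAM_REQUEST_LIST, OPT_END = 0, 53, 55, 255


def dhcp_options(packet: bytes) -> dict:
    """Parse the TLV option area that follows the fixed header and magic cookie."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dhcp_fingerprint(packet: bytes) -> str:
    """Option 55 parameter request list as 'a,b,c', the form fingerprint tables use."""
    return ",".join(str(b) for b in dhcp_options(packet).get(OPT_PARAM_REQUEST_LIST, b""))


# Constructed lookup table; both entries are hypothetical, not real product fingerprints.
FINGERPRINTS = {
    "1,3,6,12,15,28,42": "hypothetical consumer router (WAN client)",
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "hypothetical desktop OS",
}


def classify(packet: bytes) -> str:
    return FINGERPRINTS.get(dhcp_fingerprint(packet), "unknown")


def build_discover(param_list: bytes) -> bytes:
    """Constructed DHCPDISCOVER: minimal fixed header, message type, option 55, end."""
    header = struct.pack("!BBBB", 1, 1, 6, 0) + b"\x00" * 232   # op=BOOTREQUEST, htype=Ethernet
    options = bytes([OPT_MSG_TYPE, 1, 1, OPT_PARAM_REQUEST_LIST, len(param_list)]) + param_list + bytes([OPT_END])
    return header + DHCP_MAGIC + options


ROUTER_DISCOVER = build_discover(bytes([1, 3, 6, 12, 15, 28, 42]))

if __name__ == "__main__":
    print(dhcp_fingerprint(ROUTER_DISCOVER), "->", classify(ROUTER_DISCOVER))
```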

1

They can tell if your device is a router if it broadcasts routing packets (RIP, OSPF), and by the MAC address of the external ethernet interface.

Any interface that is broadcasting that it's a Cisco device (or other router vendor) will attract attention.

Have fun learning, and try not to get suspended in the process!

0

I find it hard to believe that the network architects at a university would leave themselves vulnerable to a TOTAL network failure, in the event that a student jacks a router into his dorm room socket. The chance that a student might try such a thing is pretty high (witness this post, for example).

The Occam's razor answer, is that the tech-support guy probably was just trying to scare you, rather than say he just didn't know.

What's more, in a peer-to-peer architecture (unlike, say, SNA where you CAN trash the whole network by pretending to be the NCP), the likelihood of something like a device conflict causing complete network failure is pretty low. It COULD BE that your router would somehow be given (or you define it yourself) the SAME ip address of one of the dorm building's own distribution hubs, but it also COULD BE that an asteroid would hit your building.

But let's assume it does happen: as long as the cisco router doesn't get rebooted, nothing happens, and your router just complains that it can't get a proper connection. Also, the cisco router would probably report the duplicate IP collision in a log somewhere (which operators or network admins would notice).
